1

Create VLAN

esr(config)# vlan <VID>

<VID> – VLAN identifier, set in the range of [2..4094].

It is also possible to create multiple vlan (with a comma) or vlan range (with a hyphen).

2

Specify vlan name (optionally)

esr(config-vlan)# name <vlan-name>

<vlan-name> – up to 255 characters.

3

Disable monitoring of the status of interfaces on which processing of the given VLAN Ethernet frames is allowed (optionally)

esr(config-vlan)# force-up

4

Disable the processing of incoming untagged Ethernet frames based on the default VLAN's switching table (VLAN-ID – 1) (optionally)

esr(config-if-gi)# no switchport forbidden default-vlan

5

Set L2 interface operation mode

esr(config-if-gi)# mode switchport

6

Set L2 interface operation mode

esr(config-if-gi)# switchport access

Only for ESR-10/12V(F)/14VF/20/21/100/200.

This mode is the default mode and is not displayed in the configuration.

esr(config-if-gi)# switchport trunk

Only for ESR-10/12V(F)/14VF/20/21/100/200.

esr(config-gi)# switchport general

Only for ESR-1000/1200/1500/1510/1700.

This mode is the default mode and is not displayed in the configuration.

7

Configure VLAN list on the interface in tagged mode

esr(config-if-gi)# switchport trunk allowed vlan add <VID>

For ESR-10/12V(F)/14VF/20/21/100/200.

<VID> – VLAN identifier, set in the range of [2..4094].

It is also possible to create multiple vlan (with a comma) or vlan range (with a hyphen).

esr(config-if-gi)# switchport general allowed vlan add <VID> tagged

For ESR-1000/1200/1500/1510/1700.

<VID> – VLAN identifier, set in the range of [2..4094].

It is also possible to create multiple vlan (with a comma) or vlan range (with a hyphen).

8

Configure VLAN on the interface in tagged mode (optionally)

esr(config-if-gi)# switchport trunk native-vlan <VID>

For ESR-10/12V(F)/14VF/20/21/100/200.

<VID> – VLAN identifier, set in the range of [2..4094].

esr(config-if-gi)# switchport general allowed vlan add <VID> untagged

For ESR-1000/1200/1500/1510/1700.

<VID> – VLAN identifier, set in the range of [2..4094].

9

Enable the processing of Ethernet frames of all created VLANs on the interface (optionally)

esr(config-if-gi)# switchport trunk allowed vlan auto-all

Only for ESR-10/12V(F)/14VF/20/21/100/200.

esr(config-if-gi)# switchport general allowed vlan auto-all

Only for ESR-1000/1200/1500/1510/1700.

1

Enable LLDP on the router

esr(config)# lldp enable

2

Set the period during which the router keeps the information received via LLDP (optionally)

esr(config)# lldp hold-multiplier <SEC>

<SEC> – time interval in seconds, takes values of [1..10].

3

Set IP address which will be transmitted to LLDP TLV as the management-address (optionally).

esr(config)# lldp management-address <ADDR>

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

One of the existent is set by default

4

Set the system-description field which will be transmitted to LLDP TLV as the system-description (optionally).

esr(config)# lldp system-description <DESCRIPTION>

<DESCRIPTION> – system description, set by the string of up to 255 characters.

By default contains the information of the router model and firmware version.

5

Set the system-name field which will be transmitted to LLDP TLV as the system-name (optionally).

esr(config)# lldp system-name <NAME>

<NAME> – system name, set by the string of up to 255 characters.

By default coincides with the specified hostname

6

Set the LLDPDU sending period (optionally).

esr(config)# lldp timer <SEC>

<SEC> – time interval in seconds, takes values of [1..32768].

7

Enable the LLDPDU receiving and proceeding on the physical interface.

esr(config-if-gi)# lldp receive

8

Enable LLDPDU transmission on the physical interface.

esr(config-if-gi)# lldp transmit

1

Enable LLDP on the router

esr(config)# lldp enable

2

Enable MED LLDP enhancement on the router

esr(config)# lldp med fast-start enable

3

Create network policy

esr(config)# network-policy <NAME>

<NAME> – network-policy name, set by the string of up to 31 characters.

4

Specify the application type

esr(config-net-policy)# application <APP_TYPE>

<APP-TYPE> – type of the application for which network-policy will be enabled.
Takes the following values:

• voice,
• voice-signaling,
• guest-voice,
• guest-voice-signaling,
• softphone-voice,
• video-conferencing,
• streaming-video,
• video-signaling.

5

Set DSCP value

esr(config-net-policy)# dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

6

Set COS value

esr(config-net-policy)# priority  <PRIORITY>

<COS> – priority value, takes the following values:

• best-effort – COS0;
• background – COS1;
• excellent-effort – COS2;
• critical-applications – COS3;
• video – COS4;
• voice – COS5;
• internetwork-control – COS6;
• network-control – COS7.

7

Set
VLAN ID value

esr(config-net-policy)# vlan <VID> [tagged]

<VID>  – VLAN ID, takes values of [1..4094];

• tagged – key, during the installation of which, the subscriber device will send Ethernet frames of the specified application in a tagged form.

8

Set a network policy on the interface

esr(config-if-gi)# lldp network-policy <NAME>

<NAME> – network-policy name, set by the string of up to 31 characters.

9

Enable LLDPDU transmission on the physical interface.

esr(config-if-gi)# lldp transmit

1

Create a sub-interface of a physical interface (possible if the physical interface is in routeport mode).

esr(config)# interface gigabitethernet <PORT>.<S-VLAN>

or

interface tengigabitethernet <PORT>.<S-VLAN>

or

interface port-channel <CH>.<S-VLAN>

<PORT> – physical interface number.

<CH> – aggregated interface number.

<S-VLAN> – identifier of created S-VLAN.

If a physical interface is included in bridge-group, it will be impossible to create sub-interface.

2

Specify sub-interface description (optionally).

esr(config-subif)# description <DESCRIPTION>

<DESCRIPTION> – interface description, set by the string of up to 255 characters.

3

Specify VRF instance, in which the given sub-interface will operate (optionally).

esr(config- subif )# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

4

Set the time interval during which statistics on the sub-interface load is collected. (optionally).

esr(config-subif)# load-average <TIME>

<TIME> – interval in seconds, takes values of [5..150].

5

Enable bridge-group sub-interface (optionally).

esr(config-subif)#bridge-group <BRIDGE-ID>

<BRIDGE-ID> – bridge identifying number.

6

Set the lifetime of IPv4/IPv6 entries in the ARP table studied on the given interface (optionally).

esr(config-subif)# ip arp reachable-time <TIME>

or

ipv6 nd reachable-time <TIME>

<TIME> – lifetime of dynamic MAC addresses, in milliseconds. Allowed values are from 5000 to 100000000 milliseconds. Real time of the entry update varies from [0,5;1,5]*<TIME>.

1

Create a sub-interface of a physical interface (possible if the physical interface is in routeport mode).

esr(config)# interface gigabitethernet <PORT>.<S-VLAN>

or

interface tengigabitethernet <PORT>.<S-VLAN>

or

interface port-channel <CH>.<S-VLAN>

<PORT> – physical interface number.

<CH> – aggregated interface number.

<S-VLAN> – identifier of created S-VLAN.

2

Create Q-in-Q interface.

esr(config)# interface gigabitethernet <PORT>.<S-VLAN>.<C-VLAN>

or

esr(config)# interface tengigabitethernet <PORT>.<S-VLAN>.<C-VLAN>

or

esr(config)# interface port-channel <CH>.<S-VLAN>.<C-VLAN>

<PORT> – physical interface number.

<CH> – aggregated interface number.

<S-VLAN> – identifier of created S-VLAN.

<C-VLAN> – identifier of created C-VLAN.

If a physical interface or a sub-interface is included in bridge-group, it will be impossible to create sub-interface.

3

Specify Q-in-Q interface description (optionally).

esr(config-qinq-if)# description <DESCRIPTION>

<DESCRIPTION> – interface description, set by the string of up to 255 characters.

4

Specify VRF instance, in which the given Q-in-Q interface will operate (optionally).

esr(config- qinq-if) # ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

5

Set the time interval during which statistics on the Q-in-Q interface load is collected. (optionally).

esr(config-qinq-if)# load-average <TIME>

<TIME> – interval in seconds, takes values of [5..150].

6

Enable bridge-group Q-in-Q interface (optionally).

esr(config-qinq-if)#bridge-group <BRIDGE-ID>

<BRIDGE-ID> – bridge identifying number.

7

Set the lifetime of IPv4/IPv6 entries in the ARP table studied on the given Q-in-Q interface (optionally).

esr(config-qinq-if)# ip arp reachable-time <TIME>

or

ipv6 nd reachable-time <TIME>

1

After USB modem connection, wail until the system detects the connected device

2

Define which number of the device is allocated to the connected USB modem

esr# show cellulars status modem

The connected device identifier will be specified in 'USB port' field

3

Create parameter profile for USB modem and switch to the profile configuration mode

esr(config)# cellular profile <ID>

<ID> – identifier of USB modem parameter profile, set in the range of [1..10].

4

Specify parameter profile description (optionally).

esr(config-cellular-profile)# description <DESCRIPTION>

<DESCRIPTION> – interface description, set by the string of up to 255 characters.

5

Set mobile network access point

esr(config-cellular-profile)# apn <NAME>

<NAME> – mobile network access point, set by the string of up to 31 characters.

6

Set the name of mobile network user (if required by cellular carrier)

esr(config-cellular-profile)# user <NAME>

<NAME> – user name, set by the string of up to 31 characters.

7

Set the password of mobile network user (if required by cellular carrier)

esr(config-user)# password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – unencrypted password, set by the string of [1..64] characters, may include [0-9a-fA-F] characters.

<ENCRYPTED-TEXT> – unencrypted password, set by the string of [2..128] characters.

8

Set the dial-up number for connection to the mobile network

esr(config-cellular-profile)# number <WORD>

<WORD> – dial-up number for connection to a mobile network, set by the string of up to 15 characters.

9

Set the method of user authentication in the mobile network (optionally)

esr(config-cellular-profile)# allowed-auth <TYPE>

<TYPE> – method of user authentication in a mobile network [none, PAP, CHAP, MSCHAP, MSCHAPv2, EAP].

10

Limit the possibility of the use of IP addresses in mobile network.

esr(config-cellular-profile)# ip-version
{ ipv4 | ipv6 }

• ipv4 – IPv4 family;
• ipv6 – IPv6 family;

11

Create USB modem in the router configuration and switch to the modem configuration mode

esr(config)# cellular modem <ID>

<ID> – USB modem identifier, set in the range of [1..10].

12

Specify VRF instance, in which the given modem will operate (optionally).

esr(config-cellular-modem)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

13

Set USB modem identifier allocated by the system (specified in item 2)

esr(config-cellular-modem)# device <WORD>

<WORD> – identifier of connected modem’s USB port, set in the range of [1..12].

14

Set the previously established parameter profile to the USB modem

esr(config-cellular-modem)# profile <ID>

<ID> – identifier of USB modem parameter profile, set in the range of [1..10].

15

Set SIM card unlock code (if necessary)

esr(config-cellular-modem)# pin <WORD>

<WORD> – SIM card unblock code [4..8]. Only digits are allowed.

16

Allow the use of any USB modem operation mode (optionally)

esr(config-cellular-modem)# allowed-mode <MODE>

<MODE> – acceptable USB modem operation mode [2g, 3g, 4g].

By default: all modes supported by the modem are allowed.

17

Set the size of the largest received packet (optionally)

esr(config-cellular-modem)# mru { <MRU> }

<MRU> – MRU value, takes values in the range of [128..16383].

18

Set the preferable USB modem operation mode in the mobile network (optionally)

esr(config-cellular-modem)# preferred-mode { <MODE> }

<MODE> – preferable USB modem operation mode [2g, 3g, 4g].

19

Activate USB modem

esr(config-cellular-modem)# enable

1

Set local as authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

2

Set enable as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME><METHOD 1>

[ <METHOD 2> ]

[ <METHOD 3> ]

[ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

3

Set the method for iterating over authentication methods (optionally).

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

4

Specify the number of failed authentication attempts to block the user login and time of the lock (optionally)

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:
<COUNT> – 5; <TIME> – 300

5

Enable request for change the default password for the ‘admin’ user (optionally)

esr(config)# security passwords default-expired

6

Enable the inhibit mode on the use of previously set local user passwords (optionally)

esr(config)# security passwords history <COUNT>

<COUNT> – number of passwords saved in the router memory. Takes values in the range of [1..15].

Default value: 0

7

Set the lifetime of local user password (optionally)

esr(config)# security passwords lifetime <TIME>

<TIME> – password lifetime in days. Takes values in the range of [1..365].

By default: The lifetime of local user password is unlimited.

8

Set a limit on the minimum length of local user password and ENABLE password (optionally)

esr(config)# security passwords min-length <NUM>

<NUM> – minimum number of characters in the password. Takes values in the range of [8..128].

Default value: 0

9

Set a limit on the maximum length of local user password and ENABLE password (optionally)

esr(config)# security passwords max-length <NUM>

<NUM> – maximum number of characters in the password. Takes values in the range of [8..128].

Default value: not limited.

10

Set the minimum number of character types that must be present in the local user password and ENABLE password (optionally)

esr(config)# security passwords symbol-types <COUNT>

<COUNT> – minimum number of character types in the password. Takes values in the range of [1..4].

Default value: 1

11

Set the minimum number of lower case letters in the local user password and ENABLE password (optionally)

esr(config)# security passwords lower-case <COUNT>

<COUNT> – minimum number of lower case letters in the local user password and ENABLE password. Takes values in the range of [0..128].

Default value: 0

12

Set the minimum number of upper case letters in the local user password and ENABLE password (optionally)

esr(config)# security passwords upper-case <COUNT>

<COUNT> – minimum number of upper case letters in the password. Takes values in the range of [0..128].

Default value: 0

13

Set the minimum number of digits in the local user password and ENABLE password (optionally)

esr(config)# security passwords numeric-count <COUNT>

<COUNT> – minimum number of digits in the password. Takes values in the range of [0..128].

Default value: 0

14

Set the minimum number of special characters in the local user password and ENABLE password (optionally)

esr(config)# security passwords special-case <COUNT>

<COUNT> – minimum number of special characters in the password. Takes values in the range of [0..128].

Default value: 0

15

Add user in the local database and switch to the user parameters configuration mode

esr(config)# username <name>

<NAME> – user name, set by the string of up to 31 characters.

16

Set user password

esr(config-user)# password { <CLEAR-TEXT> | encrypted <HASH_SHA512> }

<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F];

<HASH_SHA512> – hash password via sha512 algorithm, set by the string of 110 characters.

17

Set user privileges level

esr(config-user)# privilege <PRIV>

<PRIV> – required privilege level. Takes values in the range of [1..15].

18

Switch to the corresponding terminal configuration mode

esr(config)# line console

or

esr(config)# line telnet

or

esr(config)# line ssh

19

Activate user login authentication list

esr(config-line-ssh)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters.

20

Activate authentication list of user privileges elevation

esr(config-line-ssh)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters.

21

Set the interval after which the idle session will be terminated

esr(config-line-ssh)# exec-timeout <SEC>

<SEC> – time interval in minutes, takes values of [1..65535].

1

Set the DSCP code global value for the use in IP headers of RADIUS server egress packets (optionally).

esr(config)# radius-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global number of iterative queries to the last active RADIUS server (optionally).

esr(config)# radius-server retransmit <COUNT>

<COUNT> – amount of iterative requests to RADIUS server, takes values of [1..10].

Default value: 1.

3

Set the global value of the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config)# radius-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

4

Add RADIUS server to the list of used servers and switch to its configuration mode.

esr(config)# radius-server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
esr(config-radius-server)#

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of  [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

5

Specify the number of failed authentication attempts to block the user login and time of the lock (optionally).

aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in seconds, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

6

Set the password for authentication on remote RADIUS server.

esr(config-radius-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

7

Prioritize the use of a remote RADIUS server (optionally).

esr(config-radius-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

8

Set the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config-radius-server)# timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: global timer value is used.

9

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted RADIUS packets.

esr(config-radius-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

10

Set radius as authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

11

Set radius as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME><METHOD 1>
[ <METHOD 2> ]
[ <METHOD 3> ]
[ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

• default – default list name.

<METHOD> – authentication methods:

• enable – authentication by enable passwords;
• tacacs – authentication by TACACS;
• radius – authentication by RADIUS;
• ldap – authentication by LDAP.

12

Set the method for iterating over authentication methods (optionally).

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

13

Configure radius in the list of user session accounting methods (optionally).

esr(config)# aaa accounting login start-stop <METHOD 1>
[ <METHOD 2> ]

<METHOD> – accounting methods:

• tacacs – session accounting by TACACS;
• radius – session accounting by RADIUS.

14

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

• console – local console;
• ssh – secure remote console.

15

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 8.

16

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 9.

1

Set the DSCP code global value for the use in IP headers of TACACS server egress packets (optionally).

esr(config)# tacacs-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global value of the interval after which the router assumes that the TACACS server is not available (optional).

esr(config)# tacacs-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Add TACACS server to the list of used servers and switch to its configuration mode.

esr(config)# tacacs -server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

esr(config- tacacs -server)#

<IP-ADDR> – TACACS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

4

Specify the number of failed authentication attempts to block the user login and time of the lock (optionally)

aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

5

Set the password for authentication on remote TACACS server.

esr(config-tacacs-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

6

Set the port number to communicate with remote TACACS server (optionally).

esr(config-tacacs-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 49 for TACACS server.

7

Prioritize the use of a remote TACACS server (optionally).

esr(config-tacacs-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

8

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted TACACS packets.

esr(config-radius-tacacs)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

9

Set TACACS as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME><METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

• default – default list name.

<METHOD> – authentication methods:

• enable – authentication by enable passwords;
• tacacs – authentication by TACACS;
• radius – authentication by RADIUS;
• ldap – authentication by LDAP.

10

Set the method for iterating over authentication methods (optionally).

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

11

Configure the list of CLI commands accounting methods (optionally).

esr(config)# aaa accounting commands stop-only tacacs

12

Configure tacacs in the list of user session accounting methods (optionally).

esr(config)# aaa accounting login start-stop <METHOD 1> [ <METHOD 2> ]

<METHOD> – accounting methods:

• tacacs – session accounting by TACACS;
• radius – session accounting by RADIUS.

13

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

• console – local console;
• ssh – secure remote console.

14

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 7.

15

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 8.

1

Specify basic DN (Distinguished name) which will be used when searching for users.

esr(config)# ldap-server base-dn <NAME>

<NAME> – basic DN, set by the string of up to 255 characters.

2

Set the interval after which the router assumes that the LDAP server is not available (optionally).

esr(config)# ldap-server bind timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Specify the DN (Distinguished name) of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-dn <NAME>

<NAME> – DN of a user with administration rights, set by the string of up to 255 characters.

4

Specify the password of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-password ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

5

Specify a class name of the objects among which it is necessary to search for users on LDAP server (optionally).

esr(config)# ldap-server search filter user-object-class <NAME>

<NAME> – object class name, set by the string of up to 127 characters.

Default value: posixAccount.

6

Specify the user search scope in LDAP server tree (optionally).

esr(config)# ldap-server search scope <SCOPE>

<SCOPE> – user search scope on LDAP server, takes the following values:

onelevel – search through the objects on the level following a basic DN tree in LDAP server tree;

subtree – search through all objects of basic DN subtree in LDAP server tree.

Default value: subtree.

7

Specify the interval after which the device assumes that LDAP server has not found users entries satisfying the search condition (optionally).

esr(config)# ldap-server search timeout <SEC>

<SEC> – time interval in seconds, takes values of [0..30]

Default value: 0 – device is waiting for search completion and response from LDAP server.

8

Specify an attribute name of the object which is compared with the name of the desired user on LDAP server (optional).

esr(config)# ldap-server naming-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: uid.

9

Specify the object attribute name which is compared with the name of a desired user on LDAP server (optionally).

esr(config)# ldap-server privilege-level-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: priv-lvl

10

Set the DSCP code global value for the use in IP headers of LDAP server egress packets (optionally).

esr(config)# ldap-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63

11

Add LDAP server to the list of used servers and switch to its configuration mode.

esr(config)# ldap -server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

esr(config- tacacs -server)#

<IP-ADDR> – LDAP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

12

Specify the number of failed authentication attempts to block the user login and time of the lock (optionally)

aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

13

Set the port number to communicate with remote LDAP server (optionally).

esr(config-ldap-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 389 for LDAP server.

14

Prioritize the use of a remote LDAP server (optionally).

esr(config-ldap-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

15

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted LDAP packets.

esr(config-ldap-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

16

Set LDAP as authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

17

Set LDAP as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME><METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

• default – default list name.

<METHOD> – authentication methods:

• enable – authentication by enable passwords;
• tacacs – authentication by TACACS;
• radius – authentication by RADIUS;
• ldap – authentication by LDAP.

18

Set the method for iterating over authentication methods.

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

19

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

• console – local console;
• ssh – secure remote console.

20

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 14.

21

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 15.

Step

Description

Command

Keys

1

Enable IPv4/IPv6 DHCP server.

esr(config)# ip dhcp-server [vrf <VRF>]

<VRF> – VRF instance name, set by the string of up to 31 characters, within which the NTP server will operate. Set by the string of up to 31 characters.

esr(config)# ipv6 dhcp-server [vrf <VRF>]

2

Set the DSCP code value for the use in IP headers of DHCP server egress packets (optionally).

esr(config)# ip dhcp-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 61.

3

Create pool of DHCP server IPv4/IPv6 addresses and switch to its configuration mode.

esr(config)# ip dhcp-server pool <NAME> [vrf <VRF>]

<NAME> – IPv4/IPv6 server profile name, set by the string of up to 31 characters.

<VRF> – VRF instance name, within which the NTP server will operate. Set by the string of up to 31 characters.

esr(config)# ipv6 dhcp-server pool <NAME> [vrf <VRF>]

4

Specify IPv4/IPv6 address and mask for the subnet from which IPv4/IPv6 addresses pool will be allocated.

esr(config-dhcp-server)# network <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

esr(config-ipv6-dhcp-server)# network <IPV6-ADDR/LEN>

<IPV6-ADDR/LEN> – IP address and prefix of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

5

Add IPv4/IPv6 addresses range to the address pool of configurable DHCP server.

esr(config-dhcp-server)# address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address;

The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

You can specify up to 32 IP addresses separated by commas.

esr(config-ipv6-dhcp-server)# address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address;

The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

6

Add IPv4/IPv6 address for a specific physical address to the address pool of configurable DHCP server (optionally).

esr(config-dhcp-server)# address <ADDR> {mac-address <MAC> | client-identifier <CI>}

<ADDR> – client IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<MAC> – MAC address of the client, which will be given the IP address, is defined as XX: XX: XX: XX: XX: XX where each part takes the values of [00..FF].

<CI> – client identifier according to DHCPOption61. Can be specified as follows:

• HH:HH:HH:HH:HH:HH:HH: – client identifier in hexadecimal format and client MAC address;
• STRING – text string from 1 to 64 characters.

esr(config-ipv6-dhcp-server)# address <ADDR> mac-address <MAC>

<IPV6-ADDR> – client IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<MAC> – MAC address of the client, which will be given the IP address, defined as XX: XX: XX: XX: XX: XX where each part takes the values of [00..FF].

7

Specify the list of default gateway IPv4 addresses which will be transmitted by DHCP server to clients through DHCP option 3.

esr(config-dhcp-server)# default-router <ADDR>

<ADDR> – default gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; You can specify up to 8 IP addresses separated by commas.

8

Specify network domain DNS name. Domain name is transmitted to clients as part of DHCP option 15 (optionally).

esr(config-dhcp-server)# domain-name <NAME>

<NAME> – router domain name, set by the string from 1 to 255 characters.

esr(config-ipv6-dhcp-server)# domain-name <NAME>

9

Specify DNS server IPv4/IPv6 addresses list. The list is transmitted to clients as part of DHCP option 6 (optionally).

esr(config-dhcp-server)# dns-server <ADDR>

<ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. You can specify up to 8 IP addresses separated by commas.

esr(config-ipv6-dhcp-server)# dns-server <IPV6-ADDR>

<IPV6-ADDR> – DNS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. You can specify up to 8 IP addresses separated by commas.

10

Specify maximum IP addresses lease time (optionally).

If the DHCP client requests a lease time that exceeds the maximum value, the time specified by this command will be set.

esr(config-dhcp-server)# max-lease-time <TIME>

<TIME> – maximal IP address lease time, sets in format DD:HH:MM, where:

• DD – amount of days, takes values of [0..364];
• HH – amount of hours, takes values of [0..23];
• MM – amount of minutes, takes the value of [0 ..59]

Default value: 1 day

esr(config-ipv6-dhcp-server)# max-lease-time <TIME>

11

Specify the lease time for which a client will be given IP address (optionally).

This time will be used if a client did not request the certain lease time.

esr(config-dhcp-server)# default-lease-time <TIME>

<TIME> – maximal IP address lease time, sets in format DD:HH:MM, where:

• DD – amount of days, takes values of [0..364];
• HH – amount of hours, takes values of [0..23];
• MM – amount of minutes, takes the value of [0 ..59]

Default value: 12 hours.

esr(config-ipv6-dhcp-server)# default-lease-time <TIME>

12

Create supplier class identifier (DHCP Option 60) (optionally).

esr(config)# ip dhcp-server vendor-class-id <NAME>

<NAME> – carrier class identifier, set by the string of up to 31 characters.

esr(config)# ipv6 dhcp-server vendor-class-id <NAME>

13

Specify specific supplier information (DHCP Option 43).

esr(config-dhcp-vendor-id)# vendor-specific-options <HEX>

<HEX> – vendor-specific information, specified in hexadecimal format up to 128 symbols.

esr(config-ipv6-dhcp-vendor-id)# vendor-specific-options <HEX>

14

Specify NetBIOS server IP address (DHCP option 44) (optionally).

esr(config-dhcp-server)# netbios-name-server <ADDR>

<ADDR> – NetBIOS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. You can set up to 4 IP addresses.

15

Specify tftp server IP address (DHCP option 150) (optionally).

esr(config-dhcp-server)# tftp-server <ADDR>

<ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

1

Switch to the configuration mode of destination address translation service.

esr(config)# nat destination

2

Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optionally).

esr(config-dnat)# pool <NAME>

<NAME> – NAT addresses pool name, set by the string of up to 31 characters.

3

Set the internal IP address which will replace a destination IP address.

esr(config-dnat-pool)# ip address <ADDR>

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

4

Set the internal TCP/UDP port which will replace a destination TCP/UDP port.

esr(config-dnat-pool)# ip port <PORT>

<PORT> – TCP/UDP port, takes values of [1..65535].

5

Create a rule group with a specific name.

esr(config-dnat)# ruleset <NAME>

<NAME> – rule group name, set by the string of up to 31 characters.

6

Specify VRF instance, in which the given rule group will operate (optionally).

esr(config-dnat-ruleset)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

7

Set the rule group scope. The rules will be applied only to traffic coming from a certain zone or interface.

esr(config-dnat-ruleset)# from { zone <NAME> | interface <IF> | tunnel <TUN> | default }

<NAME> – isolation zone name;

<IF> – device interface name;

<TUN> – device tunnel name;

default – denotes a group of rules for all traffic, the source of which did not fall under the criteria of other groups of rules.

8

Specify a rule with a certain number. The rules are proceeded in ascending order.

esr(config-dnat-ruleset)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..10000].

9

Specify the profile of IP addresses {sender | recipient} for which the rule should work.

esr(config-dnat-rule)# match [not] ¹  {source | destination}-address <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

“Any” value points at any source IP address.

10

Specify the profile of services (tcp/udp ports) {sender | recipient} for which the rule should work (optionally).

esr(config-dnat-rule)# match [not] ¹  {source | destination}-port <PORT-SET-NAME>

<PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. “Any” value points at any source TCP/UDP port.

11

Set name or number of IP for which the rule should work (optionally).

esr(config-dnat-rule)# match [not] ¹  {protocol <TYPE> | protocol-id <ID> }

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. “Any” value points at any protocol type.

<ID> – IP identification number, takes values of [0x00-0xFF].

12

Specify the type and code of ICMP messages for which the rule should work (if ICMP is selected as protocol) (optionally).

esr(config-dnat-rule)# match [not] ¹ icmp {<ICMP_TYPE><ICMP_CODE> | <TYPE-NAME>}

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. “Any” value points at any message code.

<TYPE-NAME> – ICMP message type name.

13

Specify the action “translation of source address and port” for the traffic meeting the requirements of “match” commands.

esr(config-dnat-rule)# action destination-nat { off | pool <NAME> | netmap <ADDR/LEN> }

off – translation is disabled;

pool<NAME> – name of the pool that contains IP addresses and/or TCP/UDP ports set;

netmap <ADDR/LEN> – subnet IP address and mask used during translation. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

14

Activate a configured rule.

esr(config-dnat-rule)# enable

1

Switch to the configuration mode of source address translation service.

esr(config)# nat source

2

Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optionally).

esr(config-snat)# pool <NAME>

<NAME> – NAT addresses pool name, set by the string of up to 31 characters.

3

Set the range of IP addresses which will replace a source IP address.

esr(config-snat-pool)# ip address-range <IP>[-<ENDIP>]

<IP> – IP address of the beginning of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ENDIP> – IP address of the end of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. If IP address of the end of the range is not specified, only IP address of the beginning of the range is used as IP address for translation.

4

Specify the range of external TCP/UDP ports which will replace a source TCP/UDP port.

esr(config-snat-pool)# ip port-range <PORT>[-<ENDPORT>]

<PORT> – TCP/UDP port of the beginning of range, takes values of [1..65535].

<ENDPORT> – TCP/UDP port of the end of range, takes values of [1..65535]. If TCP/UDP port of the end of the range is not specified, only TCP/UDP port of the beginning of the range is used as TCP/UDP port for translation.

5

Set the internal TCP/UDP port which will replace a source TCP/UDP port.

esr(config-snat-pool)# ip port <PORT>

<PORT> – TCP/UDP port, takes values of [1..65535].

6

Enable NAT persistent functions.

esr(config-snat-pool)# persistent

7

Create a rule group with a specific name.

esr(config-snat)# ruleset <NAME>

<NAME> – rule group name, set by the string of up to 31 characters.

8

Specify VRF instance, in which the given rule group will operate (optionally).

esr(config-snat-ruleset)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

9

Set the rule group scope. The rules will be applied only to traffic coming to a certain zone or interface.

esr(config-snat-ruleset)# to { zone <NAME> | interface <IF> tunnel <TUN> | | default }

<NAME> – isolation zone name;

<IF> – device interface name;

<TUN> – device tunnel name
default – denotes a group of rules for all traffic, the source of which did not fall under the criteria of other groups of rules.

10

Specify a rule with a certain number. The rules are proceeded in ascending order.

esr(config-snat-ruleset)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..10000].

11

Specify the profile of IP addresses {sender | recipient} for which the rule should work.

esr(config-snat-rule)# match [not] ¹  {source | destination}-address <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

“Any” value points at any source IP address.

12

Specify the profile of IP addresses {sender| recipient} for which the rule should work (optionally).

esr(config-snat-rule)# match [not] ¹  {source | destination}-port <PORT-SET-NAME>

<PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. “Any” value points at any source TCP/UDP port.

13

Set name or number of IP for which the rule should work (optionally).

esr(config-snat-rule)# match [not] ¹  {protocol | protocol-id} <TYPE>

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. “Any” value points at any protocol type.

<ID> – IP identification number, takes values of [0x00-0xFF].

14

Specify the type and code of ICMP messages for which the rule should work (optionally).

esr(config-snat-rule)# match [not] icmp {<ICMP_TYPE><ICMP_CODE> | <TYPE-NAME>}

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. “Any” value points at any message code.

<TYPE-NAME> – ICMP message type name

15

Specify the action “translation of source address and port” for the traffic meeting the requirements of “match” command.

esr(config-snat-rule)# action source-nat { off | pool <NAME> | netmap <ADDR/LEN> [static] | interface [FIRST_PORT – LAST_PORT] }

off – translation is disabled;

pool<NAME> – name of the pool that contains IP addresses and/or TCP/UDP ports set;

netmap <ADDR/LEN> – subnet IP address and mask used during translation; static – option for static NAT organization.

The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

interface [FIRST_PORT – LAST_PORT] – specify the translation to the interface IP address. If the range of TCP/UDP ports is additionally specified, the translation will occur only for the sender TCP/UDP ports included in the specified range.

16

Activate a configured rule.

esr(config-snat-rule)# enable

1

Create an object with a URL

esr(config)# object-group url <NAME>

2

Specify the set

esr(config-object-group-url)# url <URL>

<URL> – web page, site address.

3

Create proxy profile

esr(config)# ip http profile <NAME>

<NAME> – profile name.

4

Choose default action

esr(config-profile)# default action {deny|permit|redirect} [redirect-url <URL>]

<URL> – address of the host to which requests will be sent.

5

Specify description (optionally).

esr(config-profile)# description <description>

<description> – up to 255 characters.

6

Specify a remote or local URL list and type of operation (block/traffic pass/redirect) (optional)

esr(config-profile)# urls {local|remote} <URL_OBJ_GROUP_NAME> action {deny|permit|redirect} [redirect-url <URL>]

<URL_OBJ_GROUP_NAME> – specify the name of the object containing the URL set.

7

Specify the remote server where the necessary URL lists are (optional)

esr(config)# ip http proxy server-url <URL> 

<URL> – server address where remote url lists will be taken from.

8

Specify a listening port for proxying (optional)

esr(config)# ip http proxy listen-ports <OBJ_GROUP_NAME>

<OBJ_GROUP_NAME> – port profile name, set by string of up to 31 characters.

9

Specify a listening port for proxying (optional)

esr(config)# ip https proxy listen-ports <OBJ_GROUP_NAME>

<OBJ_GROUP_NAME> – port profile name, set by string of up to 31 characters.

10

Enable proxying on the interface based on the selected HTTP profile

esr(config-if)# ip http proxy <PROFILE_NAME>

<PROFILE_NAME> – profile name

11

Enable proxying on the interface based on the selected HTTPS profile

esr(config-if)# ip https proxy <PROFILE_NAME>     

<PROFILE_NAME> – profile name

12

Create services lists which will be used during filtration.

esr(config)# object-group service <obj-group-name>

<obj-group-name> – service profile name, set by the string of up to 31 characters.

13

Specify services list description (optionally).

esr(config-object-group-service)# description <description>

<description> – profile description, set by the string of up to 255 characters.

14

Add necessary services (tcp/udp ports) to the list.

esr(config-object-group-service)# port-range 3129-3134

The ESR proxy server uses ports 3129, 3130, 3133 and 3134 for its operation. 

15

Create an interzone interaction rule set.

esr(config)# security zone-pair <src-zone-name1> self

<src-zone-name> – security zone in which the interfaces with the ip http proxy or ip https proxy function are located.

self – a predefined security zone for traffic entering the ESR itself.

16

Create an interzone interaction rule set.

esr(config-zone-pair)# rule <rule-number>

<rule-number> – 1..10000.

17

Specify rule description (optionally).

esr(config-zone-rule)# description <description>

<description> – up to 255 characters..

18

Specify the given rule force.

esr(config-zone-rule)# action <action> [ log ]

<action> – permit

log – activation key for logging of sessions established according to this rule.

19

Set name of IP protocol for which the rule should work.

esr(config-zone-rule)# match   protocol <protocol-type>

<protocol-type> – tcp

ESR proxy server uses ESR protocol.

20

Set the destination TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] ¹ destination-port <obj-group-name>

<obj-group-name> – name of the service profile created in step 12.

21

Create an interzone interaction rule.

esr(config-zone-rule)# enable

1

Enable protection against ICMP flood attacks.

esr(config)# ip firewall screen dos-defense icmp-threshold { <NUM> }

<NUM> – amount of ICMP packets per second, set in the range of [1..10000]

2

Enable protection against land attacks.

esr(config)# firewall screen dos-defense land

3

Enable the limitation on amount of simultaneous sessions based on the destination address

esr(config)# ip firewall screen dos-defense limit-session-destination { <NUM> }

<NUM> – limitation on amount of
IP sessions, set in the range of [1..10000].

4

Enable the limitation on the amount of simultaneous sessions, based on the source address, that mitigates DoS attacks.

esr(config)# ip firewall screen dos-defense limit-session-source { <NUM> }

<NUM> – limitation on amount of
IP sessions, set in the range of [1..10000].

5

Enable protection against SYN flood attacks.

esr(config)# ip firewall screen dos-defense syn-flood { <NUM> } [src-dsr]

<NUM> – maximum amount of TCP packets with the set SYN flag per second, set in the range of [1..10000].

src-dst – limitation on the amount of TCP packets with the SYN flag set, based on the source and destination addresses.

6

Enable protection against UDP flood attacks.

esr(config)# ip firewall screen dos-defense udp-threshold { <NUM> }

<NUM> – maximum amount of UDP packets per second, set in the range of [1..10000].

7

.Enable protection against winnuke attacks.

esr(config)# ip firewall screen dos-defense winnuke

8

Enable the blocking of TCP packets with the FIN flag set and the ACK flag not set.

esr(config)# ip firewall screen spy-blocking fin-no-ack

9

Enable the blocking of various type ICMP packets.

esr(config)# ip firewall screen spy-blocking icmp-type

<TYPE> – ICMP type, may take the following values:

• destination-unreachable
• echo-request
• reserved
• source-quench
• time-exceeded

10

Enable the protection against IP-sweep attacks.

esr(config)# ip firewall screen spy-blocking ip-sweep { <NUM> }

<NUM> – ip sweep attack detection time, set in milliseconds [1..1000000].

11

Enable protection against port scan attacks.

esr(config)# ip firewall screen spy-blocking port-scan { <threshold> } [ <TIME> ]

<threshold> – interval in milliseconds during which the port scan attack will be recorded [1..1000000].

<TIME> – blocking time in milliseconds [1..1000000].

12

Enable the protection against IP spoofing attacks.

esr(config)# ip firewall screen spy-blocking spoofing

13

Enable the blocking of TCP packets, with the SYN and FIN flags set.

esr(config)# ip firewall screen spy-blocking syn-fin

14

Enable the blocking of TCP packets, with all flags or with the set of flags: FIN, PSH, URG. The given command provides the protection against XMAS attack

esr(config)# ip firewall screen spy-blocking tcp-all-flag

15

Enable the blocking of TCP packets, with the zero “flags” field.

esr(config)# ip firewall screen spy-blocking tcp-no-flag

16

Enable the blocking of fragmented
ICMP packets.

esr(config)# ip firewall screen suspicious-packets icmp-fragment

17

Enable the blocking of fragmented IP packets.

esr(config)# ip firewall screen suspicious-packets ip-fragment

18

Enable the blocking of ICMP packets more than 1024 bytes.

esr(config)# ip firewall screen suspicious-packets icmp-fragment

19

Enable the blocking of fragmented TCP packets, with the SYN flag.

esr(config)# ip firewall screen suspicious-packets syn-fragment

20

Enable the blocking of fragmented UDP packets.

esr(config)# ip firewall screen suspicious-packets udp-fragment

21

Enable the blocking of packets, with the protocol ID contained in IP header equal to 137 and more.

esr(config)# ip firewall screen suspicious-packets unknown-protocols

22

Set the frequency of notification (via SNMP, syslog and in CLI) of detected and blocked network attacks.

esr(config)# ip firewall logging interval <NUM>

<NUM> – time interval in seconds [30 .. 2147483647]

23

Enable more detailed message output about detected and blocked network attacks in the CLI.

esr(config)# logging firewall screen detailed

24

Enable mechanism of DoS attacks detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen dos-defense <ATACK_TYPE>

<ATACK_TYPE> – DoS attack type, takes the following values: icmp-threshold, land, limit-session-destination, limit-session-source, syn-flood, udp-threshold, winnuke.

25

Enable mechanism of espionage activity detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen spy-blocking { <ATACK_TYPE> | icmp-type <ICMP_TYPE> }

<ATACK_TYPE> – espionage activity type, takes the following values: fin-no-ack, ip-sweep, port-scan, spoofing, syn-fin, tcp-all-flag, tcp-no-flag.

<ICMP_TYPE> – icmp type, takes values: destination-unreachable, echo-request, reserved, source-quench, time-exceeded.

26

Enable mechanism of specialized packets detection and logging via CLI, syslog and SNMP.

esr(config)#  logging firewall screen suspicious-packets <PACKET_TYPE>

<PACKET_TYPE> – specialized packets type, takes the following values: icmp-fragment, ip-fragment, large-icmp, syn-fragment, udp-fragment, unknown-protocols.

Step

Description

Command

Keys

1

Create security zones.

esr(config)# security zone <zone-name1>

esr(config)# security zone <zone-name2>

<zone-name> – up to 12 characters.

2

Specify a security zone description.

esr(config-zone)# description <description>

<description> – up to 255 characters..

3

Specify VRF instance, in which the given security zone will operate (optionally).

esr(config- zone )# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

4

Enable session counters for NAT and Firewall (optionally, may reduce the performance).

esr(config)# ip firewall sessions counters

5

Disable filtration of packets for which it was not possible to determine belonging to any known connection and which are not the beginning of a new connection (optionally, may reduce the performance).

esr(config)# ip firewall sessions allow-unknown

6

Select firewall operation mode (optionally)

esr(config)# ip firewall mode <MODE>

<MODE> – firewall operation mode, may take the following values:  stateful, stateless.

Default value: stateful

7

Determine the session lifetime for unsupported protocols (optionally).

esr(config)# ip firewall sessions generic-timeout <TIME>

<TIME> – session lifetime for unsupported protocols, takes values in seconds [1..8553600].

By default: 60 seconds.

8

Determine ICMP session lifetime after which it is considered to be outdated (optionally).

esr(config)# ip firewall sessions icmp-timeout <TIME>

<TIME> – ICMP session lifetime, takes values in seconds [1..8553600].

By default: 30 seconds.

9

Determine ICMPv6 session lifetime after which it is considered to be outdated (optionally).

esr(config)# ip firewall sessions icmpv6-timeout <TIME>

<TIME> – ICMP session lifetime, takes values in seconds [1..8553600].

By default: 30 seconds.

10

Determine the size of outstanding sessions table (optionally).

esr(config)# ip firewall sessions max-expect <COUNT>

<COUNT> – table size, takes values of [1..8553600].

By default: 256.

11

Determine the size of trackable sessions table (optionally).

esr(config)# ip firewall sessions max-tracking <COUNT>

<COUNT> – table size, takes values of [1..8553600].
By default: 512000.

12

Determine the lifetime of TCP session in “connection is being established” state after which it is considered to be outdated (optionally).

esr(config)# ip firewall sessions tcp-connect-timeout <TIME>

<TIME> – lifetime of TCP session in 'connection is being established' state, takes values in seconds [1..8553600].

By default: 60 seconds.

13

Determine the lifetime of TCP session in 'connection is being closed' state after which it is considered to be outdated (optionally).

esr(config)# ip firewall sessions tcp-disconnect-timeout <TIME>

<TIME> – lifetime of TCP session in 'connection is being closed' state, takes values in seconds [1..8553600].
By default: 30 seconds.

14

Determine the lifetime of TCP session in “connection is being established” state after which it is considered to be outdated (optionally).

esr(config)# ip firewall sessions tcp-established-timeout <TIME>

<TIME> – lifetime of TCP session in 'connection is being established' state, takes values in seconds [1..8553600].

By default: 120 seconds.

15

Determine the timeout after which the closed TCP session is actually deleted from the table of trackable sessions (optionally).

esr(config)# ip firewall sessions tcp-latecome-timeout <TIME>

<TIME> – timeout, takes value in seconds [1..8553600].

By default: 120 seconds.

16

Enable application-level session tracking for certain protocols (optionally).

esr(config)# ip firewall sessions tracking e;

<PROTOCOL> - application-level protocol [ftp, h323, pptp, netbios-ns, tftp] sessions of which should be tracked.

<OBJECT-GROUP-SERVICE> – sip session TCP/UDP ports’ profile name, set by the string of up to 31 characters. If a group is not specified, sip sessions monitoring will be performed for 5060 port.

Instead of a certain protocol you can use the 'all' key that enables application-level session tracking for all available protocols.

By default - disabled for all protocols.

17

Determine the lifetime of UDP session in “connection is confirmed” state after which it is considered to be outdated (optionally).

esr(config)# ip firewall sessions udp-assured-timeout <TIME>

<TIME> – lifetime of UDP session in “connection is confirmed” state, takes values in seconds [1..8553600].

By default: 180 seconds.

18

Determine the lifetime of UDP session in 'connection is not confirmed' state after which it is considered to be outdated.

esr(config)# ip firewall sessions udp-wait-timeout <TIME>

<TIME> – lifetime of UDP session in 'connection is not confirmed' state, takes values in seconds [1..8553600].

By default: 30 seconds.

19

Create IP addresses lists which will be used during filtration.

esr(config)# object-group network <obj-group-name>

<obj-group-name> – up to 31 characters.

20

Specify IP addresses list description (optionally).

esr(config-object-group-network)# description <description>

<description> – profile description, set by the string of up to 255 characters.

21

Add necessary IPv4/IPv6 addresses to the list.

esr(config-object-group-network)# ip prefix <ADDR/LEN>

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

esr(config-object-group-network)# ip address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address, optional parameter; If the parameter is not specified, a single IP address is set by the command.

The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-object-group-network)# ipv6 prefix <IPV6-ADDR/LEN>

<IPV6-ADDR/LEN> – IP address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

esr(config-object-group-network)# ipv6 address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IPv6 address;

<TO-ADDR> – range ending IPv6 address, optional parameter. If the parameter is not specified, a single IPv6 address is set by the command.

The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

22

Create services lists which will be used during filtration.

esr(config)# object-group service <obj-group-name>

<obj-group-name> – service profile name, set by the string of up to 31 characters.

23

Specify services list description (optionally).

esr(config-object-group-service)# description <description>

<description> – profile description, set by the string of up to 255 characters.

24

Add necessary services (tcp/udp ports) to the list.

esr(config-object-group-service)# port-range <port>

<port> – takes values in the range of [1..65535].

You can specify several ports separated by commas ',' or you can specify the range of ports with '-'.

25

Create applications lists which will be used in DPI mechanism.

esr(config)# object-group application <NAME>

<NAME> – application profile name, set by the string of up to 31 characters.

26

Specify applications list description (optionally).

esr(config-object-group-application)# description <description>

<description> – profile description, set by the string of up to 255 characters.

27

Add necessary applications to the lists.

esr(config-object-group-application)# application < APPLICATION >

<APPLICATION> – specifies the application covered by the given profile

28

Add interfaces (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) into security zones (optionally).

esr(config-if-gi)# security-zone <zone-name>

<zone-name> – up to 12 characters.

Disable Firewall functions on the network interface (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) (optionally).

esr(config-if-gi)# ip firewall disable

29

Create an interzone interaction rule set.

esr(config)# security zone-pair <src-zone-name1> <dst-zone-name2>

<src-zone-name> – up to 12 characters.

<dst-zone-name> – up to 12 characters.

30

Create an interzone interaction rule set.

esr(config-zone-pair)# rule <rule-number>

<rule-number> – 1..10000.

31

Specify rule description (optionally).

esr(config-zone-rule)# description <description>

<description> – up to 255 characters..

32

Specify the given rule force.

esr(config-zone-rule)# action <action> [ log ]

<action> – permit/deny/reject/netflow-sample/sflow-sample

log – activation key for logging of sessions established according to this rule.

33

Set name or number of IP for which the rule should work (optionally).

esr(config-zone-rule)# match [not] ¹ protocol <protocol-type>

<protocol-type> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre.

When specifying the “any” value, the rule will work for any protocols.

esr(config-zone-rule)# match [not] ¹  protocol-id <protocol-id>

<protocol-id> – IP identification number, takes values of [0x00-0xFF].

34

Specify the profile of transmitter IP addresses for which the rule should work (optional).

esr(config-zone-rule)# match [not] ¹  source-address <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the “any” value, the rule will work for any sender/recipient IP address.

35

Set the profile of destination IP addresses for which the rule should work (optionally).

esr(config-zone-rule)# match [not] ¹  destination-address <OBJ-GROUP-NETWORK-NAME>

36

Set source MAC address for which the rule should work (optionally).

esr(config-zone-rule)# match [not] ¹  source-mac <mac-addr>

<mac-addr> – defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

37

Set sender MAC address for which the rule should work (optionally).

esr(config-zone-rule)# match [not] ¹  

destination-mac <mac-addr>

38

Set TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] ¹  source-port <PORT-SET-NAME>

<PORT-SET-NAME> – set by the string of up to 31 characters. When specifying the “any” value, the rule will work for any sender/recipient TCP/UDP port.

39

Set the destination TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] ¹  destination-port <PORT-SET-NAME>

40

Specify the type and code of ICMP messages for which the rule should work (if ICMP is selected as protocol) (optionally).

esr(config-zone-rule)# match [not] ¹  icmp <ICMP_TYPE> <ICMP_CODE>

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. When specifying the 'any' value, the rule will work for any ICMP message code.

41

Set the limitation under which the rule will only work for traffic modified by the IP address and destination ports translation service.

esr(config-zone-rule)# match [not] ¹  destination-nat

42

Set the maximum packet rate (optionally, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# rate-limit pps <rate-pps>

<rate-pps> – maximum amount of packets that can be transmitted. Takes values in the range of [1..10000].

43

Set the filtration only for fragmented IP packets (optionally, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# match [not] ¹  fragment

44

Set the filtration only for IP packets including ip-option (optionally, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# match [not] ¹  ip-option

45

Create an interzone interaction rule.

esr(config-zone-rule)# enable

46

Enable the filtration and session tracking mode while packets are transmitted between one Bridge group participants (optionally, available only for ESR-1000/1200/1500/1510/1700)

esr(config-bridge)# ports firewall enable

Step

Description

Command

Keys

1

Create access control list and switch to its configuration mode.

esr(config)# ip access-list extended <NAME>

<NAME> – access control list name, set by the string of up to 31 characters.

2

Specify the description of a configurable access control list (optionally).

esr(config-acl)# description <DESCRIPTION>

<DESCRIPTION> – access control list description, set by the string of up to 255 characters.

3

Create a rule and switch to its configuration mode.

The rules are proceeded by the router in number ascending order.

esr(config-acl)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..4094].

4

Specify the action that should be applied for the traffic meeting the given requirements.

esr(config-acl-rule)# action <ACT>

<ACT> – allocated action:

• permit – traffic transfer is permitted;
• deny – traffic transfer is denied.

5

Set name of protocol for which the rule should work (optionally).

esr(config-acl-rule)# match protocol <TYPE>

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. When specifying the 'any' value, the rule will work for any protocols.

esr(config-acl-rule)# match protocol-id <ID>

<ID> – IP identification number, takes values of [0x00-0xFF].

6

Set sender IP addresses for which the rule should work (optionally).

esr(config-acl-rule)# match source-address { <ADDR> <MASK> | any }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits, set to zero, specify IP address bits excluded from the comparison when searching.

When specifying the “any” value, the rule will work for any sender/recipient IP address.

7

Set destination IP addresses for which the rule should work (optionally).

esr(config-acl-rule)# match destination-address { <ADDR> <MASK> | any }

8

Set sender MAC addresses for which the rule should work (optionally).

esr(config-acl-rule)# match source-mac <ADDR><WILDCARD>

<ADDR> – source MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

<WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Mask bits, set to zero, specify MAC address bits excluded from the comparison when searching.

9

Set destination MAC addresses for which the rule should work (optionally).

esr(config-acl-rule)# match destination-mac <ADDR><WILDCARD>

10

Set the number of sender TCP/UDP ports for which the rule should work (if the protocol is specified).

esr(config-acl-rule)# match source-port { <PORT> | any }

<PORT> – number of source TCP/UDP port, takes values of [1..65535]. When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

11

Set the destination TCP/UDP ports number for which the rule should work (if the protocol is specified).

esr(config-acl-rule)# match destination-port { <PORT> | any }

12

Set priority 802.1p value for which the rule should work (optionally).

esr(config-acl-rule)# match c os <COS>

<COS>  – priority 802.1p value, takes values of [0..7].

13

Set DSCP code value for which the rule should work (optionally). Can not be used with IP Precedence.

esr(config-acl-rule)# match dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

14

Set IP Precedence code for which the rule should work (optionally). Can not be used with DSCP.

esr(config-acl-rule)# match ip-precedence <IPP>

<IPP> – IP Precedence code value, takes values in the range of [0..7].

15

Set VLAN ID for which the rule should work (optionally).

esr(config-acl-rule)# match vlan <VID>

<VID>  – VLAN ID, takes values of [1..4094].

16

Activate a rule.

esr(config-acl-rule)# enable

17

Specify access control list for the configured interface to filtrate incoming traffic.

esr(config-if-gi)# service-acl input <NAME>

<NAME> – access control list name, set by the string of up to 31 characters.

1

Put physical interface in switch mode

esr(config-if-gi)# mode switchport

2

Set the operation mode of the e1 interface

esr(config-if-gi)# switchport mode e1

3

Set the synchronization source

esr(config-if-gi)# switchport e1 clock source <SOURCE>

<SOURCE> – synchronization source:

• Internal (default) – synchronize with an internal source;
• line – synchronize with a linear signal.

4

Specify MTU (Maximum Transmition Unit) size for physical interfaces

esr(config-if-gi)# mtu <MTU>

<MTU> – MTU value, for E1 and Multilink interfaces may take values in the range of [128..1500].

5

Specify frame check hash algorithm (optionally)

esr(config-if-gi)# switchport e1 crc <FCS>

<FCS> – frame check sequence:

• 16 (default) – FCS16;
• 32 – FCS32.

6

Set check for transmission errors (optionally)

esr(config-if-gi)# switchport e1 framing <CRC>

<CRC> – cyclic redundancy check:

• crc-4 – use CRC-4 algorithm;
• no-crc4 (default) – do not use check.

7

Set transmitting bits inversion (optionally)

esr(config-if-gi)# switchport e1 invert data

8

Set linear encoding type (optionally)

esr(config-if-gi)# switchport e1 linecode <CODE>

<CODE> – linear encoding type;

• ami – alternate mark inversion;
• hdb3 (default) – high density bipolar of order 3.

9

Set amount of timeslots

esr(config-if-gi)# switchport e1 timeslots <RANGE>

<RANGE> – amount of timeslots

10

Use E1 as a single entity, without time slots (optional)

esr(config-if-gi)# switchport e1 unframed

11

Configure E1

esr(config)# interface e1 1/<SLOT>/1

<SLOT> – slot number.

12

Enable CHAP authentication for PPP (optionally)

esr(config-e1)# ppp authentication chap

13

Specify the router name that is sent to a remote party for CHAP authentication (optionally)

esr(config-e1)# ppp chap hostname <NAME>

<NAME> – router name

14

Set authentication password (optionally)

esr(config-e1)# ppp chap password ascii-text <CLEAR-TEXT>

<CLEAR-TEXT> – unencrypted password, set by the string of [1..64] characters, may include [0-9a-fA-F] characters

15

Enable authentication override (optionally)

esr(config-e1)# ppp chap refuse

16

Set authentication username (optionally)

esr(config-e1)# ppp chap username <NAME>

<NAME> – user name

17

Allow any non-null IP address to be accepted as a local IP address from the neighbour (optionally)

esr(config-e1)# ppp ipcp accept-address

18

Set IP address that is sent to a remote party for the further allocation (optionally)

esr(config-e1)# ppp ipcp remote-address <ADDR>

<ADDR> – IP address of a remote gateway

19

Set the amount of attempts to send Configure-Request packets before the remote peer is found to be unable to respond (optionally) 

esr(config-e1)# ppp max-configure <VALUE>

<VALUE> – number of retries

20

Set the amount of attempts to send Configure-NAK packets before all options are confirmed (optionally)

esr(config-e1)# ppp max-failure <VALUE>

<VALUE> – number of retries

21

Set the amount of attempts to send Terminate-Request packets before the session is aborted (optionally)

esr(config-e1)# ppp max-terminate <VALUE>

<VALUE> – number of retries

22

Set MRU (Maximum Receive Unit) size for the interface (optionally)

esr(config-e1)# ppp mru <MRU>

<MRU> – MRU value

23

Enable MLPPP mode (optionally)

esr(config-e1)# ppp multilink

24

Add the group to MLPPP (optionally)

esr(config-e1)# ppp multilink-group <GROUP-ID>

<GROUP-ID> – group number

25

Specify the time interval in seconds after which the router sends a keepalive message (optionally)

esr(config-e1)# ppp timeout keepalive <TIME>

<TIME> – time in seconds

26

Specify the interval after which the router sends a keepalive message (optionally)

esr(config-e1)# ppp timeout retry <TIME>

<TIME> – time in seconds

1

Configure aggregation group.

esr(config)# interface multilink <IF>

<IF> – interface name.

2

Specify the description of configured aggregation group (optionally).

esr(config- multilink )# description <DESCRIPTION>

<DESCRIPTION> – aggregation group description, set by the string of up to 255 characters.

3

Specify the time interval during which the statistics on the aggregation group load is averaged (optionally).

esr(config- multilink )# load-average <TIME>

<TIME> – interval in seconds, takes values of [5..150].

Default value: 5.

4

Specify MTU (Maximum Transmission Unit) size for the aggregation group (optionally). MTU above 1500 will be active only when using the "system jumbo-frames” command.

esr(config- multilink )# mtu <MTU>

<MTU> – MTU value, takes values in the range of [1280..1500].

Default value: 1500.

5

Enable CHAP authentication.

esr(config-multilink)# ppp authentication chap

6

Enable authentication override (optionally).

esr(config-multilink)# ppp chap refuse

7

Specify the router name that is sent to a remote party for CHAP authentication.

esr(config-multilink)# ppp chap hostname <NAME>

<NAME> – router name, set by the string of up to 31 characters.

8

Specify the password that is sent with the router name to a remote party for CHAP authentication.

esr(config-multilink)# ppp chap password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters.

<ENCRYPTED-TEXT> – unencrypted password, set by the string of [16..128] characters.

9

Allow any non-null IP address to be accepted as a local IP address from the neighbour (optionally).

esr(config-multilink)# ppp ipcp accept-address

10

Set IP address that is sent to a remote party for the further allocation.

esr(config-multilink)# ppp iccp remote-address <ADDR>

<ADDR> – IP address of a remote gateway.

11

Specify a user for remote party authentication and switch to the specified user configuration mode

esr(config-multilink)# chap username <NAME>

<NAME> – user name, set by the string of up to 31 characters.

12

Set encrypted or unencrypted password for a specific user to authenticate the remote party.

esr(config-ppp-user)# password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters.

<ENCRYPTED-TEXT> – unencrypted password, set by the string of [16..128] characters.

13

Set the amount of attempts to send Configure-Request packets before the remote peer is found to be unable to respond
(optionally)

esr(config-multilink)# ppp max-configure <VALUE>

<VALUE> – time in seconds, takes values of [1..255].

Default value: 10.

14

Set the amount of attempts to send Configure-NAK packets before all options are confirmed (optionally).

esr(config-multilink)# ppp max-failure <VALUE>

<VALUE> – time in seconds, takes values of [1..255].

15

Set the amount of attempts to send Terminate-Request packets before the session is aborted (optionally).

esr(config-multilink)# ppp max-terminate <VALUE>

<VALUE> – time in seconds, takes values of [1..255].

Default value: 2.

16

Set MRU (Maximum Receive Unit) size for the interface.

esr(config-multilink)# ppp mru <MRU>

<MRU> – MRU value, takes values in the range of [128..1485].

Default value: 1500.

17

Specify the time interval in seconds after which the router sends a keepalive message (optionally).

esr(config-multilink)# ppp timeout keepalive <TIME>

<TIME> – time in seconds, takes values of [1..32767].

Default value: 10.

18

Specify the time interval in seconds after which the router sends a keepalive message (optionally).

esr(config-multilink)# ppp timeout retry <TIME>

<TIME> – time in seconds, takes values of [1..255].

Default value: 3.

19

Specify the maximum packet size for MLPP interface.

esr(config-multilink)# mrru <MRRU>

<MRRU> – maximum size of a received packet for MLPP interface, takes value in the range of [1500..10000].

20

Bind e1 port to the physical interface.

esr(config-if-gi)# switchport e1 <SLOT>

<SLOT> – slot identifier, takes values in the range of [0..3].

21

Put the physical port into SFPe1 module operation mode.

esr(config-if-gi)# switchport mode e1

22

Enable MLPPP mode on E1 interface.

esr(config-e1)# ppp multilink

23

Include E1 interface in the aggregation group.

esr(config-e1)# ppp multilink-group <GROUP-ID>

<GROUP-ID> – group identifier, takes values in the range of [1..4].

Step

Description

Command

Keys

1

Configure RIP precedence for the main routing table (optionally).

esr(config)# ip protocols rip preference <VALUE>

<VALUE> – protocol precedence, takes values in the range of [1..255].

Default value: RIP (100).

2

Configure RIP routing tables capacity (optionally).

esr(config)# ip protocols rip max-routes <VALUE>

<VALUE> – amount of RIP routes in the routing table, takes values in the range of[ 1..10000];
Default value:

10000.

3

Create IP subnets lists that will be used for further filtration of advertised and received IP routes.

esr(config)# ip prefix-list <NAME>

<NAME> – name of a subnet list being configured, set by the string of up to 31 characters.

4

Permit or deny the prefixes lists.

esr(config-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route}

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters;

<LEN> – prefix length, takes values of [1..32] in prefix IP lists;

• eq – when specifying the command, the prefix length mast match the specified one;
• le – when specifying the command, the prefix length mast be less than or match the specified one;
• ge – when specifying the command, the prefix length mast be more than or match the specified one;
• default-route – default route filtration.

esr(config-pl)# deny {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route}

5

Switch to the RIP process configuration mode.

esr(config)# router rip

esr(config-rip)#

6

Enable RIP.

esr(config-rip)# enable

7

Specify RIP authentication algorithm (optionally).

esr(config-rip)# authentication algorithm { cleartext | md5 }

• cleartext – password, transmitted in clear text;
• md5 – password is hashed by md5 algorithm.

8

Set the password for neighbour authentication (optionally).

esr(config-rip)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – password, sets by string from 8 to 16 characters;

<ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...).

9

Specify the list of passwords for authentication via md5 hashing algorithm (optionally).

esr(config-rip)# authentication key-chain <KEYCHAIN>

<KEYCHAIN> – key list identifier, set by the string of up to 16 characters.

10

Disable routes advertising on the interfaces/tunnels/bridge where it is not necessary (optionally).

esr(config-rip)# passive-interface {<IF> | <TUN> }

<IF> – interface and identifier;

<TUN> – tunnel name and number.

11

Set time interval after which the advertising is carried out (optionally).

esr(config-rip)# timers update <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 180 seconds.

12

Set time interval of route entry correctness without updating (optionally).

esr(config-rip)# timers invalid <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 180 seconds.

13

Set time interval after which the route removing is carried out (optionally).

esr(config-rip)# timers flush <TIME>

<TIME> – time in seconds, takes values of [1..65535].

When setting the value, consider the following rule: «timersinvalid + 60»

Default value: 240 seconds.

14

Enable subnets advertising.

esr(config-rip)# network <ADDR/LEN>

<ADDR/LEN> – subnet address, set in the following format:

AAA.BBB.CCC.DDD/NN – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].

15

Add subnets filtration in incoming or outgoing updates (optionally).

esr(config-rip)# prefix-list <PREFIX-LIST-NAME> { in | out }

<PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters.

• in – incoming routes filtration;
• out – advertised routes filtration.

16

Enable advertising of routes received in an alternative way (optionally).

esr(config-rip)# redistribute static [ route-map <NAME> ]

<NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by the string of up to 31 characters.

esr(config-rip)# redistribute connected [ route-map <NAME> ]

<NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters.

esr(config-rip)# redistribute ospf <ID><ROUTE-TYPE> [ route-map <NAME> ]

<ID>  – process number, takes values of [1..65535].

<ROUTE-TYPE> – route type:

• intra-area – OSPF process routes advertising within a zone;
• inter-area – OSPF process routes advertising between zones;
• external1 – OSPF format 1 external routes advertising;
• external2 – OSPF format 2 external routes advertising;

<NAME> – name of the route map that will be used for advertised OSFP routes filtration and modification, set by the string of up to 31 characters.

esr(config-rip)# redistribute bgp <AS> [ route-map <NAME> ]

<AS>  – autonomous system number, takes values of [1..4294967295].

<NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the string of up to 31 characters.

17

Switch to the interface/tunnel/network bridge configuration mode.

esr(config)# interface <IF-TYPE><IF-NUM>

<IF-TYPE> – interface type;

<IF-NUM> – F/S/P – F frame (1), S – slot (0), P – port.

esr(config)# tunnel <TUN-TYPE><TUN-NUM>

<TUN-TYPE> – tunnel type;

<TUN-NUM> – tunnel number.

esr(config)# bridge <BR-NUM>

<BR-NUM> – bridge number.

18

Set RIP routes metric value on the interface (optionally).

esr(config-if-gi)# ip rip metric <VALUE>

<VALUE> – metric size, takes values of [0..32767].

Default value: 5.

19

Set the routes advertising mode via RIP (optionally).

esr(config-if-gi)# ip rip mode <MODE>

<MODE> – route advertising mode:

multicast – routes are advertised in multicast mode;

broadcast – routes are advertised in broadcast mode;

unicast – routes are advertised to the neighbours in unicast mode;

Default value: multicast.

20

Specify a neighbour’s IP address for establishment of a relation in routes advertising unicast mode (optionally).

esr(config-if-gi)# ip rip neighbor <ADDR>

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

21

Enable subnet summarization (optionally).

esr(config-if-gi)# ip rip summary-address <ADDR/LEN>

<ADDR/LEN> – IP address and mask of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

Step

Description

Command

Keys

1

Configure OSFP precedence for the main routing table (optionally).

esr(config)# ip protocols ospf preference <VALUE>

<VALUE> – protocol precedence, takes values in the range of [1..255].

Default value: 150.

esr(config-vrf)# ip protocols ospf preference <VALUE>

2

Configure OSFP routing tables capacity (optionally).

esr(config)# ip protocols ospf max-routes <VALUE>

<VALUE> – amount of OSPF routes in the routing table, takes values in the range of:

• for ESR-1000/1200/1500/1510/1700 [1..500000];
• for ESR-20/21/100/200 [1..300000];
• for ESR-10/12V(F)/14VF – [1..30000]

Default value for the global mode:

• for ESR-1000/1200/1500/1510/1700 – (500000);
• for ESR-20/21/100/200 – (300000);
• for ESR-10/12V(F)/14VF – (30000).

Default value for VRF: 0

esr(config)# ipv6 protocols ospf max-routes <VALUE>

3

Enable the output of OSPF neighbor state information (optionally).

esr(config)# router ospf log-adjacency-changes

esr(config)# ipv6 router ospf log-adjacency-changes

4

Create IP subnets lists that will be used for further filtration of advertised and received IP routes.

esr(config)# ip prefix-list <NAME>

<NAME> – name of a subnet list being configured, set by the string of up to 31 characters.

esr(config)# ipv6 prefix-list <NAME>

5

Permit or deny the prefixes lists.

esr(config-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route}

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters;

<LEN> – prefix length, takes values of [1..32] in prefix IP lists;

• eq – when specifying the command, the prefix length mast match the specified one;
• le – when specifying the command, the prefix length mast be less than or match the specified one;
• ge – when specifying the command, the prefix length mast be more than or match the specified one;
• default-route – default route filtration.

esr(config-pl)# deny {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route}

esr(config-ipv6-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route}

esr(config-ipv6-pl)# deny object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route}

6

Add OSFP process to the system and switch to the OSFP process parameters configuration mode.

esr(config)# router ospf <ID> [vrf <VRF>]

<ID>  – stand alone system number, takes values of [1..65535].

<VRF> – VRF instance name, set by the string of up to 31 characters, within which the routing protocol will operate.

esr(config)# ipv6 router ospf <ID> [vrf <VRF>]

7

Set the router identifier for the given OSFP process.

esr(config-ospf)# router-id <ID>

<ID> – router identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-ipv6-ospf)# router-id <ID>

8

Define OSFP process routes precedence.

esr(config-ospf)# preference <VALUE>

<VALUE> – OSPF process routes precedence, takes values in the range of [1..255].

Default value: 10.

esr(config-ipv6-ospf)# preference <VALUE>

9

Enable compatibility with RFC 1583 (optionally).

esr(config-ospf)# compatible rfc1583

esr(config-ipv6-ospf)# compatible rfc1583

11

Add subnets filtration in incoming or outgoing updates (optionally).

esr(config-ospf)# prefix-list <PREFIX-LIST-NAME> { in | out }

<PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters.

• in – incoming routes filtration;
• out – advertised routes filtration.

esr(config-ipv6-ospf)# prefix-list <PREFIX-LIST-NAME> { in | out }

12

Enable advertising of routes received in an alternative way (optionally).

esr(config-ospf)# redistribute static [ route-map <NAME> ]

<NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by the string of up to 31 characters.

esr(config-ipv6-ospf)# redistribute static [ route-map <NAME> ]

esr(config-ospf)# redistribute connected [ route-map <NAME> ]

<NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters.

esr(config-ipv6-ospf)# redistribute connected [ route-map <NAME> ]

esr(config-ospf)# redistribute rip [ route-map <NAME> ]

<NAME> – name of the route map that will be used for advertised RIP routes filtration and modification, set by the string of up to 31 characters.

esr(config-ospf)# redistribute bgp <AS> [ route-map <NAME> ]

<AS>  – autonomous system number, takes values of [1..4294967295].

<NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the string of up to 31 characters.

esr(config-ipv6-ospf)# redistribute bgp <AS> [ route-map <NAME> ]

13

Enable OSFP process.

esr(config-ospf)# enable

esr(config-ipv6-ospf)# enable

14

Create OSFP area and switch to the scope configuration mode.

esr(config-ospf)# area <AREA_ID>

<AREA_ID> – area identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-ipv6-ospf)# area <AREA_ID>

15

Enable subnets advertising.

esr(config-ospf-area)# network <ADDR/LEN>

<ADDR/LEN> – subnet address, set in the following format:

AAA.BBB.CCC.DDD/NN – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].

esr(config-ipv6-ospf-area)# network <IPV6-ADDR/LEN>

<IPV6-ADDR/LEN> – IPv6 address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

16

Specify the area type

esr(config-ospf-area)# area-type <TYPE> [ no-summary ]

<TYPE> – area type:

• stub – sets stub value (stub area);
  no-summary – command in conjunction with the 'stub' parameter forms the 'totallystubby' area (only the default route is used to transfer information outside the area).
• nssa – sets nssa value (NSSA area);
  no-summary – command in conjunction with the 'nssa' parameter forms the 'totallynssa' area (by default the route is generated as an inter-place one).

esr(config-ipv6-ospf-area)# area-type <TYPE> [ no-summary ]

17

Enable the default route generation for NSSA area and its advertising as NSSA-LSA.

esr(config-ospf-area)# default-information-originate

esr(config-ipv6-ospf-area)# default-information-originate

18

Enable the subnet summarization or hiding.

esr(config-ospf-area)# summary-address <ADDR/LEN> { advertise | not-advertise }

<ADDR/LEN> – IP address and mask of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

• advertise – if a command is specified, instead of the specified subnets, the total subnet will be advertised;
• not-advertise – when specifying the command, the subnets included in a subnet specified will not be advertised.

esr(config-ipv6-ospf-area)# summary-address <IPV6-ADDR/LEN> { advertise | not-advertise }

<IPV6-ADDR/LEN> – IPv6 address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128];

• advertise – when specifying the command instead of the subnets included in a subnet specified, a total subnet will be advertised;
• not-advertise – the subnets included in a subnet specified will not be advertised.

19

Enable OSFP area.

esr(config-ospf-area)# enable

esr(config-ipv6-ospf-area)# enable

20

Establish a virtual connection between the main and remote areas having several areas between them.

esr(config-ospf-area)# virtual-link <ID>

<ID> – router identifier with which virtual connection is establishing, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-ipv6-ospf-area)# virtual-link <ID>

21

Set the time interval in seconds after which the router re-sends a packet that has not received a delivery confirmation (for example, a DatabaseDescription packet or LinkStateRequest packets).

esr(config-ospf- vlink)# restransmit-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 5 seconds.

esr(config-ipv6-ospf- vlink)# restransmit-interval <TIME>

22

Set the time interval in seconds after which the router sends the next hello packet.

esr(config-ospf- vlink)# hello-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 10 seconds.

esr(config-ipv6-ospf- vlink)# hello-interval <TIME>

23

Set the time interval in seconds after which the neighbor is considered to be idle. This interval should be a multiple of the ‘hello interval’ value.

esr(config-ospf- vlink)# dead-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 40 seconds.

esr(config-ipv6-ospf- vlink)# dead-interval <TIME>

24

Set the time interval in seconds after which the router selects DR in the network.

esr(config-ospf- vlink)# wait-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].
Default value: 40 seconds

esr(config-ipv6-ospf- vlink)# wait-interval <TIME>

25

Define authentication algorithm.

esr(config-ospf- vlink)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm:

• cleartext – password, transmitted in unencrypted form (available only for RIP and OSPF-VLINK);
• md5 – password is hashed by md5 algorithm.

26

Set the password for neighbour authentication.

esr(config-ospf- vlink)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – password, set by the string of 8 to 16 characters.

<ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...).

27

Specify the list of passwords for authentication via md5 hashing algorithm.

esr(config-ospf- vlink)# authentication key chain <KEYCHAIN>

<KEYCHAIN> – key list identifier, set by the string of up to 16 characters.

28

Enable virtual connection.

esr(config-ospf- vlink)# enable

29

Switch to the interface/tunnel/network bridge configuration mode.

esr(config)# interface <IF-TYPE><IF-NUM>

<IF-TYPE> – interface type;

<IF-NUM> – F/S/P – F frame (1), S – slot (0), P – port.

esr(config)# tunnel <TUN-TYPE><TUN-NUM>

<TUN-TYPE> – tunnel type;

<TUN-NUM> – tunnel number.

esr(config)# bridge <BR-NUM>

<BR-NUM> – bridge number.

30

Define the interface / tunnel / network bridge inherence to a specific OSPF process.

esr(config-if-gi)# ip ospf instance <ID>

<ID> – process number, takes values of [1..65535].

esr(config-if-gi)# ipv6 ospf instance <ID>

31

Define the interface inherence to a specific OSPF process area.

esr(config-if-gi)# ip ospf area <AREA_ID>

<AREA_ID> – area identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-if-gi)# ipv6 ospf area <AREA_ID>

32

Enable the routing via OSFP on the interface.

esr(config-if-gi)# ip ospf

esr(config-if-gi)# ipv6 ospf

33

Enable the mode in which the OSPF process will ignore MTU interface value in incoming Database Description packets.

esr(config-if-gi)# ip ospf mtu-ignore

esr(config-if-gi)# ipv6 ospf mtu-ignore

34

Specify OSFP authentication algorithm.

esr(config-if-gi)# ip ospf authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm:

• cleartext – password, transmitted in clear text;
• md5 – password is hashed by md5 algorithm.

35

Set the password for OSPF neighbor authentication when transmitting an unencrypted password.

esr(config-if-gi)# ip ospf authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – password, sets by string from 8 to 16 characters;

<ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...).

36

Specify the list of passwords for neighbor authentication via md5 hashing algorithm.

esr(config-if-gi)# ip ospf authentication key-chain <KEYCHAIN>

<KEYCHAIN> – key list identifier, set by the string of up to 16 characters.

37

Set the time interval in seconds after which the router selects DR in the network.

esr(config-if-gi)# ip ospf wait-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 40 seconds.

esr(config-if-gi)# ipv6 ospf wait-interval <TIME>

38

Set the time interval in seconds after which the router re-sends a packet that has not received a delivery confirmation (for example, a DatabaseDescription packet or LinkStateRequest packets).

esr(config-if-gi)# ip ospf restransmit-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 5 seconds.

esr(config-if-gi)# ipv6 ospf restransmit-interval <TIME>

39

Set the time interval in seconds after which the router sends the next hello packet.

esr(config-if-gi)# ip ospf hello-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 10 seconds.

esr(config-if-gi)# ipv6 ospf hello-interval <TIME>

40

Set the time interval in seconds after which the neighbor is considered to be idle. This interval should be a multiple of the ‘hello interval’ value.

esr(config-if-gi)# ip dead-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 40 seconds.

esr(config-if-gi)# ipv6 dead-interval <TIME>

41

Set the time interval during which NBMA interface waits before sending a HELLO packet to a neighbor, even if the neighbor is idle.

esr(config-if-gi)# ip poll-interval <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 120 seconds.

esr(config-if-gi)# ipv6 poll-interval <TIME>

42

Set static IP address of a neighbor to establish a relation in NMBA and P2MP (Point-to-MultiPoint) networks.

esr(config-if-gi)# ip ospf neighbor <IP> [ eligible ]

<IP> – neighbor IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

eligible – optional parameter, allows the device to take part in DR selection process in NMBA networks. The interface priority should be greater than zero.

esr(config-if-gi)# ip ospf neighbor <IP> [ eligible ]

<IPV6-ADDR> – neighbor’s IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

eligible – optional parameter, allows the device to take part in DR selection process in NMBA networks. The interface priority should be greater than zero.

43

Define the network type for OSPF neighborhood establishment.

esr(config-if-gi)# ip ospf network <TYPE>

<TYPE> – network type:

• broadcast – broadcast connection type;
• non-broadcast – NBMA connection type;
• point-to-multipoint – point-to-multipoint connection type;
• point-to-multipoint non-broadcast – point-to-multipoint NBMA connection type;
• point-to-point – point-to-point connection type.

Default value: broadcast.

esr(config-if-gi)# ipv6 ospf network <TYPE>

44

Set the router priority that is used for DR and BDR selection.

esr(config-if-gi)# ip ospf priority <VALUE>

<VALUE> – interface priority, takes values of [1..65535].

Default value: 120.

esr(config-if-gi)# ipv6 ospf priority <VALUE>

45

Set the metric size on the interface or tunnel.

esr(config-if-gi)# ip ospf cost <VALUE>

<VALUE> – metric size, takes values of [0..32767].

Default value: 150.

esr(config-if-gi)# ipv6 ospf cost <VALUE>

47

Enable BFD protocol for OSPF protocol.

esr(config-if-gi)# ip ospf bfd-enable

esr(config-if-gi)# ipv6 ospf bfd-enable

1

Configure BGP precedence for the main routing table (optionally).

esr(config)# ip protocols bgp preference <VALUE>

<VALUE> – protocol precedence, takes values in the range of [1..255].

Default value: BGP (170).

2

Configure BGP routing tables capacity (optionally).

esr(config)# ip protocols bgp max-routes <VALUE>

<VALUE> – amount of BGP routes in the routing table, takes values in the range of:

• for ESR-1700 [1..5000000];
• for ESR-1000/1200/1500/1510 [1..3000000];
• for ESR-20/21/100/200 [1..1500000];
• for ESR-10/12V(F)/14VF [1..800000]

Default value:

• for ESR-1700 (5000000);
• for ESR-1000/1200/1500/1510/1700 (3000000);
• for ESR-20/21/100/200 (1500000);
• for ESR-10/12V/12VF/14VF (800000).

esr(config)# ipv6 protocols bgp max-routes <VALUE>

esr(config-vrf)# ip protocols bgp max-routes <VALUE>

esr(config-vrf)# ipv6 protocols bgp max-routes <VALUE>

3

Enable the output of BGP neighbor state information (optionally).

esr(config)# router bgp log-neighbor-changes

esr(config)# ipv6 router bgp log-neighbor-changes

4

Enable ECMP and define the maximum amount of equal routes to a destination point.

esr(config)# router bgp maximum-paths <VALUE>

<VALUE> – amount of valid equal routes to the target, takes the values of [1..16].

5

Create IP subnets lists that will be used for further filtration of advertised and received IP routes.

esr(config)# ip prefix-list <NAME>

<NAME> – name of a subnet list being configured, set by the string of up to 31 characters.

esr(config)# ipv6 prefix-list <NAME>

6

Permit or deny the prefixes lists.

esr(config-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route}

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters;

<LEN> – prefix length, takes values of [1..32] in prefix IP lists;

• eq – when specifying the command, the prefix length mast match the specified one;
• le – when specifying the command, the prefix length mast be less than or match the specified one;
• ge – when specifying the command, the prefix length mast be more than or match the specified one;
• default-route – default route filtration.

esr(config-pl)# deny {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route}

7

Add BGP process to the system and switch to the BGP process parameters configuration mode.

esr(config)# router bgp <AS>

<AS> – autonomous system number, takes values of [1..4294967295].

8

Define the type of configured routing information and switch to this configuration mode.

esr(config-bgp)# address-family { ipv4 | ipv6 } [ vrf <VRF> ]

• ipv 4 – IPv4 family;
• ipv 6 – IPv6 family;

<VRF> – VRF instance name, set by the string of up to 31 characters, within which the routing protocol will operate.

9

Set the router identifier.

esr(config-bgp-af)# router-id <ID>

<ID> – router identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-ipv6-bgp-af)# router-id <ID>

10

Set the time interval after which the connection with the opposing party is checked.

esr(config-bgp-af)# timers keepalive <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 60 seconds.

esr(config-ipv6-bgp-af)# timers keepalive <TIME>

11

Set time interval after which the opposing party is considered to be unavailable.

esr(config-bgp-af)# timers holdtime <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 180 seconds.

esr(config-ipv6-bgp-af)# timers holdtime <TIME>

12

Set the time of minimum and maximum delay during which it is prohibited to establish a connection in order to prevent frequent disconnections.

esr(config-bgp-af)# timers error-wait <TIME1> <TIME2>

<TIME1> – minimum delay time in seconds, takes values of [1..65535].

<TIME2> – maximum delay time in seconds, takes values of [1..65535].

esr(config-ipv6-bgp-af)# timers error-wait <TIME1> <TIME2>

13

Set the Route-Reflector identifier of the cluster to which the router BGP process belongs.

esr(config-bgp-af)# cluster-id <ID>

<ID> – Route-Reflector cluster identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-ipv6-bgp-af)# cluster-id <ID>

14

Define the global algorithm of neighbor authentication.

esr(config-bgp-af)# authentication algorithm <ALGORITHM>

<ALGORITHM> – encryption algorithm:

md5 – password is encrypted by md5 algorithm.

esr(config-ipv6-bgp-af)# authentication algorithm <ALGORITHM>

15

Set the global password for neighbour authentication.

esr(config-bgp-af)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – password, sets by string from 8 to 16 characters;

<ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...).

esr(config-ipv6-bgp-af)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

16

Enable BGP process.

esr(config-bgp-af)# enable

esr(config-ipv6-bgp-af)# enable

17

Enable the advertising of static routes received in an alternative way.

esr(config-bgp-af)# redistribute static [ route-map <NAME> ]

<NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by the string of up to 31 characters.

esr(config-ipv6-bgp-af)# redistribute static [ route-map <NAME> ]

esr(config-bgp-af)# redistribute connected [ route-map <NAME> ]

<NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters.

esr(config-ipv6-bgp-af)# redistribute connected [ route-map <NAME> ]

esr(config-bgp-af)# redistribute rip [ route-map <NAME> ]

<NAME> – name of the route map that will be used for advertised RIP routes filtration and modification, set by the string of up to 31 characters.

esr(config-ipv6-bgp-af)# redistribute rip [ route-map <NAME> ]

esr(config-bgp-af)# redistribute ospf <ID> <ROUTE-TYPE> [ route-map <NAME> ]

<ID>  – process number, takes values of [1..65535].

<ROUTE-TYPE> – route type:

• intra-area – OSPF process routes advertising within a zone;
• inter-area – OSPF process routes advertising between zones;
• external1 – OSPF format 1 external routes advertising;
• external2 – OSPF format 2 external routes advertising;

<NAME> – name of the route map that will be used for advertised OSFP routes filtration and modification, set by the string of up to 31 characters.

esr(config-ipv6-bgp-af)# redistribute ospf <ID> <ROUTE-TYPE> [ route-map <NAME> ]

esr(config-bgp-af)# redistribute bgp <AS> [ route-map <NAME> ]

<AS>  – autonomous system number, takes values of [1..4294967295].

<NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the string of up to 31 characters.

esr(config-ipv6-bgp-af)# redistribute bgp <AS> [ route-map <NAME> ]

18

Enable subnets advertising.

esr(config-bgp-af)# network <ADDR/LEN>

<ADDR/LEN> – subnet address, set in the following format:

AAA.BBB.CCC.DDD/NN – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].

esr(config-ipv6-bgp-af)# network <ADDR/LEN>

X:X:X:X::X/EE – IPv6 address and mask of a subnet, where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

19

Add subnets filtration in incoming or outgoing updates (optionally).

esr(config-bgp-af)# prefix-list <PREFIX-LIST-NAME> { in | out }

<PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters.

• in – incoming routes filtration;
• out – advertised routes filtration.

20

Add BGP neighbor and switch to the BGP process parameters configuration mode.

esr(config-bgp-af)# neighbor <ADDR>

<ADDR> – neighbor’s IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-ipv6-bgp-af)# neighbor <IPV6-ADDR>

<IPV6-ADDR> – client IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

21

Specify neighbor description (optionally).

esr(config-bgp-neighbor)# description <DESCRIPTION>

<DESCRIPTION> – neighbor description, set by the string of up to 255 characters.

22

Set the time interval after which the connection with the opposing party is checked.
(optionally).

esr(config-bgp-neighbor)# timers keepalive <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 60 seconds.

esr(config-ipv6-bgp-neighbor)# timers keepalive <TIME>

23

Set time interval after which the opposing party is considered to be unavailable (optionally).

esr(config-bgp- neighbor)# timers holdtime <TIME>

<TIME> – time in seconds, takes values of [1..65535].

Default value: 180 seconds.

esr(config-ipv6-bgp- neighbor)# timers holdtime <TIME>

24

Set the time of minimum and maximum delay during which it is prohibited to establish a connection in order to prevent frequent disconnections (optionally).

esr(config-bgp-af)# timers error-wait <TIME1> <TIME2>

<TIME1> – minimum delay time in seconds, takes values of [1..65535].

<TIME2> – maximum delay time in seconds, takes values of [1..65535].

Default value: 60 and 300 seconds

esr(config-ipv6-bgp-af)# timers error-wait <TIME1> <TIME2>

25

Set the number of BGP neighbor stand alone system.

esr(config-bgp- neighbor)# remote-as <AS>

<AS> – autonomous system number, takes values of [1..4294967295].

esr(config-ipv6-bgp- neighbor)# remote-as <AS>

26

Allow connections to neighbors that are located not in directly connected subnets. (optionally)

esr(config-bgp- neighbor)# ebgp-multihop <NUM>

<NUM> – maximum amount of hops when installing EBGP (used for TTL).

esr(config-ipv6-bgp- neighbor)# ebgp-multihop <NUM>

27

Set the mode in which all updates are sent to BGP neighbor with the IP address of a local router outgoing interface as the next-hop.
(optionally)

esr(config-bgp- neighbor)# next-hop-self

esr(config-ipv6-bgp- neighbor)# next-hop-self

28

Set the mode in which private numbers of autonomous systems are removed from the AS Path routes BGP attribute before sending an update (in accordance with RFC 6996). (optionally)

esr(config-bgp- neighbor)# remove-private-as

esr(config-ipv6-bgp- neighbor)# remove-private-as

29

Set the mode in which the default route is always sent to the BGP neighbor in the update along with other routes. (optionally)

esr(config-bgp- neighbor)# default-originate

esr(config-ipv6-bgp- neighbor)# default-originate

30

Enable generation and sending of a default route, if the default route is in the FIB routing table. (optionally)

esr(config-bgp-af)# default-information-originate

31

Specify BGP neighbor as a Route-Reflector client. (optionally)

esr(config-bgp- neighbor)# route-reflector-client

esr(config-ipv6-bgp- neighbor)# route-reflector-client

32

Define the precedence of the routes received from a neighbor. (optionally)

esr(config-bgp- neighbor)# preference <VALUE>

<VALUE> – neighbor routes precedence, takes values in the range of [1..255].

Default value: 170.

esr(config-ipv6-bgp- neighbor)# preference <VALUE>

33

Set IP/IPv6 router address that will be used as source IP/IPv6 address in transmitted BGP route information updates. (optionally)

esr(config-bgp- neighbor)# update-source { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

esr(config-ipv6-bgp- neighbor)# update-source <ADDR>

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

34

Enable the mode in which the reception of routes in the BGP attribute, AS Path of which includes the numbers of process stand alone system, is allowed. (optionally)

esr(config-bgp- neighbor)# allow-local-as <NUMBER>

<NUMBER> – threshold amount of instances of autonomous system number in the AS Path attribute at which the route will be accepted, the range of acceptable values [1..10].

esr(config-bgp- neighbor)# allow-local-as <NUMBER>

35

Enable BFD protocol on the BGP neighbor being configured. (optionally)

esr(config-bgp- neighbor)# bfd-enable

esr(config-ipv6-bgp- neighbor)# bfd-enable

36

Specify neighbor authentication algorithm (optionally).

esr(config-bgp- neighbor)# authentication algorithm <ALGORITHM>

<ALGORITHM> – encryption algorithm:

md5 – password is encrypted by md5 algorithm.

esr(config-ipv6-bgp- neighbor)# authentication algorithm <ALGORITHM>

37

Set the password for neighbour authentication (optionally).

esr(config-bgp- neighbor)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

<CLEAR-TEXT> – password, sets by string from 8 to 16 characters;

<ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...).

esr(config-ipv6-bgp- neighbor)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }

1

Enable BFD for OSFP on the interface

esr(config-if-gi)# ip ospf bfd-enable

2

Enable BFD for BGP neighbor on the interface

esr(config-bgp-neighbor)# bfd-enable

3

Set the interval after which the BFD message is sent to the neighbor. Globally
(optionally)

esr(config)# ip bfd idle-tx-interval <TIMEOUT>

<TIMEOUT> – interval after which the BFD packet should be sent, takes values in milliseconds in the range of [200..65535] for ESR-1000/1200/1500/1510/1700 and [300..65535] for ESR-10/12V(F)/14VF/20/21/100/200

By default, 1 second

4

Enable the logging of BFD protocol state changes (optionally)

esr(config)# ip bfd log-adjacency-changes

5

Set the minimum interval after which the neighbor should generate BFD message.
Globally
(optionally)

esr(config)# ip bfd min-rx-interval <TIMEOUT>

<TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes values in milliseconds in the range of
[200..65535] for ESR-1000/1200/1500/1510/1700 and [300..65535] for ESR-10/12V(F)/20/21/100/200

By default:

• 300 ms on ESR-10/12V(F)/14VF/20/21/100/200
• 200 ms on ESR-1000/1200/1500/1510/1700