Router configuration examples
VLAN Configuration
VLAN (Virtual Local Area Network) is a logical (virtual) local area network: a group of devices that communicate at the data link layer regardless of their physical location. VLAN operation relies on additional Ethernet header fields defined by the 802.1q standard. In effect, a VLAN isolates a broadcast domain by switching only those Ethernet frames that carry the same VLAN-ID in the Ethernet header.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create VLAN | esr(config)# vlan <VID> | <VID> – VLAN identifier, set in the range of [2..4094]. Multiple VLANs (comma-separated) or a VLAN range (with a hyphen) may also be created. |
2 | Specify vlan name (optionally) | esr(config-vlan)# name <vlan-name> | <vlan-name> – up to 255 characters. |
3 | Disable monitoring of the status of interfaces on which processing of Ethernet frames of this VLAN is allowed (optionally) | esr(config-vlan)# force-up | |
4 | Disable the processing of incoming untagged Ethernet frames based on the switching table of the default VLAN (VLAN-ID 1) (optionally) | esr(config-if-gi)# switchport forbidden default-vlan | |
5 | Set L2 interface operation mode | esr(config-if-gi)# mode switchport | |
6 | Set the switchport mode of the L2 interface | esr(config-if-gi)# switchport mode access | Only for ESR-10/12V(F)/14VF/20/21/100/200. This mode is the default mode and is not displayed in the configuration. |
| | esr(config-if-gi)# switchport mode trunk | Only for ESR-10/12V(F)/14VF/20/21/100/200. |
| | esr(config-if-gi)# switchport mode general | Only for ESR-1000/1200/1500/1510/1700. This mode is the default mode and is not displayed in the configuration. |
7 | Configure the VLAN list on the interface in tagged mode | esr(config-if-gi)# switchport trunk allowed vlan add <VID> | For ESR-10/12V(F)/14VF/20/21/100/200. <VID> – VLAN identifier, set in the range of [2..4094]. Multiple VLANs (comma-separated) or a VLAN range (with a hyphen) may also be specified. |
| | esr(config-if-gi)# switchport general allowed vlan add <VID> tagged | For ESR-1000/1200/1500/1510/1700. <VID> – VLAN identifier, set in the range of [2..4094]. Multiple VLANs (comma-separated) or a VLAN range (with a hyphen) may also be specified. |
8 | Configure the VLAN on the interface in untagged mode (optionally) | esr(config-if-gi)# switchport trunk native-vlan <VID> | For ESR-10/12V(F)/14VF/20/21/100/200. <VID> – VLAN identifier, set in the range of [2..4094]. |
| | esr(config-if-gi)# switchport general allowed vlan add <VID> untagged | For ESR-1000/1200/1500/1510/1700. <VID> – VLAN identifier, set in the range of [2..4094]. |
9 | Enable the processing of Ethernet frames of all created VLANs on the interface (optionally) | esr(config-if-gi)# switchport trunk allowed vlan auto-all | Only for ESR-10/12V(F)/14VF/20/21/100/200. |
| | esr(config-if-gi)# switchport general allowed vlan auto-all | Only for ESR-1000/1200/1500/1510/1700. |
Configuration example 1. VLAN removal from the interface
Objective :
On the basis of the factory configuration, remove gi1/0/1 port from VLAN 2.
Figure 1 – Network structure
Solution:
Remove VLAN2 from gi1/0/1 port:
esr(config)# interface gi 1/0/1
esr(config-if-gi)# switchport general allowed vlan remove 2 untagged
esr(config-if-gi)# no switchport general pvid
Configuration example 2. Enabling VLAN processing in tagged mode
Objective :
Configure gi1/0/1 and gi1/0/2 ports for packet transmission and reception in VLAN 2, VLAN 64, VLAN 2000.
Figure 2 – Network structure
Solution:
Create VLAN 2, VLAN 64, VLAN 2000 on ESR-1000:
esr-1000(config)# vlan 2,64,2000
Specify VLAN 2, VLAN 64, VLAN 2000 for gi1/0/1-2 ports:
esr-1000(config)# interface gi1/0/1
esr-1000(config-if-gi)# mode switchport
esr-1000(config-if-gi)# switchport forbidden default-vlan
esr-1000(config-if-gi)# switchport general allowed vlan add 2,64,2000 tagged
Configuration example 3. Enabling VLAN processing in tagged and untagged modes
Objective :
Configure gi1/0/1 port for packet transmission and reception in VLAN 2, VLAN 64, VLAN 2000 in trunk mode, and configure gi1/0/2 port in access mode for VLAN 2 on ESR-100/ESR-200.
Figure 3 – Network structure
Solution:
Create VLAN 2, VLAN 64, VLAN 2000 on ESR-100/ ESR-200:
esr(config)# vlan 2,64,2000
Specify VLAN 2, VLAN 64, VLAN 2000 for gi1/0/1 port:
esr(config)# interface gi1/0/1
esr(config-if-gi)# mode switchport
esr(config-if-gi)# switchport forbidden default-vlan
esr(config-if-gi)# switchport mode trunk
esr(config-if-gi)# switchport trunk allowed vlan add 2,64,2000
Specify VLAN 2 on port gi1/0/2:
esr(config)# interface gi1/0/2
esr(config-if-gi)# mode switchport
esr(config-if-gi)# switchport access vlan 2
LLDP configuration
Link Layer Discovery Protocol (LLDP) is a data link layer protocol that allows network equipment to announce its presence to the devices in a local network, to transmit its parameters to them and to receive the same information from them.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Enable LLDP on the router | esr(config)# lldp enable | |
2 | Set the period during which the router keeps the information received via LLDP (optionally) | esr(config)# lldp hold-multiplier <SEC> | <SEC> – time interval in seconds, takes values of [1..10]. |
3 | Set the IP address which will be transmitted in the LLDP TLV as the management-address (optionally). | esr(config)# lldp management-address <ADDR> | <ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. By default, one of the existing addresses is used. |
4 | Set the system-description field which will be transmitted to LLDP TLV as the system-description (optionally). | esr(config)# lldp system-description <DESCRIPTION> | <DESCRIPTION> – system description, set by the string of up to 255 characters. By default contains the information of the router model and firmware version. |
5 | Set the system-name field which will be transmitted in the LLDP TLV as the system-name (optionally). | esr(config)# lldp system-name <NAME> | <NAME> – system name, set by the string of up to 255 characters. By default coincides with the configured hostname. |
6 | Set the LLDPDU sending period (optionally). | esr(config)# lldp timer <SEC> | <SEC> – time interval in seconds, takes values of [1..32768]. |
7 | Enable LLDPDU receiving and processing on the physical interface. | esr(config-if-gi)# lldp receive | |
8 | Enable LLDPDU transmission on the physical interface. | esr(config-if-gi)# lldp transmit | |
Configuration example
Objective :
Organize the LLDPDU exchange and processing between ESR-1 and ESR-2 routers.
Figure 4 – Network structure
Solution:
R1 configuration
Enable LLDP globally on the router:
esr(config)# lldp enable
Enable the receiving and transmission of LLDPDU on the gi 1/0/1 interface.
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# lldp receive
esr(config-if-gi)# lldp transmit
R2 configuration
Enable LLDP globally on the router:
esr(config)# lldp enable
Enable the receiving and transmission of LLDPDU on the gi 1/0/1 interface.
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# lldp receive
esr(config-if-gi)# lldp transmit
To view LLDP neighbors information, use the following command:
esr# show lldp neighbors
To view more detailed information on the certain interface neighbor, use the following command:
esr# show lldp neighbors gigabitethernet 1/0/1
To view LLDP statistics, use the following command:
esr# show lldp statistics
LLDP MED configuration
LLDP MED is an enhancement of the LLDP standard that allows network policies to be transmitted: VLAN ID, DSCP, priority.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Enable LLDP on the router | esr(config)# lldp enable | |
2 | Enable MED LLDP enhancement on the router | esr(config)# lldp med fast-start enable | |
3 | Create network policy | esr(config)# network-policy <NAME> | <NAME> – network-policy name, set by the string of up to 31 characters. |
4 | Specify the application type | esr(config-net-policy)# application <APP_TYPE> | <APP_TYPE> – type of the application for which the network-policy will be enabled. |
5 | Set DSCP value | esr(config-net-policy)# dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. |
6 | Set COS value | esr(config-net-policy)# priority <PRIORITY> | <PRIORITY> – priority (COS) value, takes the following values: |
7 | Set the VLAN ID of the network policy (optionally tagged) | esr(config-net-policy)# vlan <VID> [tagged] | <VID> – VLAN ID, takes values of [1..4094]. |
8 | Set a network policy on the interface | esr(config-if-gi)# lldp network-policy <NAME> | <NAME> – network-policy name, set by the string of up to 31 characters. |
9 | Enable LLDPDU transmission on the physical interface. | esr(config-if-gi)# lldp transmit | |
Voice VLAN configuration example
Voice VLAN is the VLAN ID on receipt of which an IP phone switches to trunk mode with the specified VLAN ID for receiving and transmitting VoIP traffic. The VLAN ID is delivered by the LLDP MED enhancement.
Objective:
VoIP traffic and data traffic should be placed in different VLANs (vid 10 for data and vid 20 for VoIP), and sending of the Voice VLAN from the gi 1/0/1 ESR port should be configured. Voice VLAN must be supported and enabled on the IP phone.
Figure 5 – Network structure
Solution:
First, create VLANs 10 and 20 and configure the gi 1/0/1 interface in trunk mode:
esr(config)# vlan 10,20
esr(config-vlan)# exit
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# mode switchport
esr(config-if-gi)# switchport mode trunk
esr(config-if-gi)# switchport trunk allowed vlan add 10,20
esr(config-if-gi)# exit
Enable LLDP and MED capability in LLDP globally on the router:
esr(config)# lldp enable
esr(config)# lldp med fast-start enable
Create and configure the network policy so that VLAN ID 20 is specified for the voice application:
esr(config)# network-policy VOICE_VLAN
esr(config-net-policy)# application voice
esr(config-net-policy)# vlan 20 tagged
esr(config-net-policy)# exit
Configure LLDP on the interface and set a network policy:
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# lldp transmit
esr(config-if-gi)# lldp receive
esr(config-if-gi)# lldp network-policy VOICE_VLAN
esr(config-if-gi)# exit
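The wire format behind the network policy configured above, as an added Python example (not Eltex code): it builds a minimal LLDPDU carrying the LLDP-MED Network Policy TLV for the voice application with VLAN 20 tagged, and decodes it back the way the IP phone would. The chassis MAC, port name, TTL and system name are constructed values.

```python
"""Encode and decode the LLDP-MED Network Policy TLV (ANSI/TIA-1057) that the
'network-policy VOICE_VLAN / application voice / vlan 20 tagged' configuration
causes the router to advertise. Constructed example, not Eltex code."""
import struct
from typing import Iterator, List, Tuple

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME, TLV_ORG = 0, 1, 2, 3, 5, 127
TIA_OUI = b"\x00\x12\xbb"        # OUI of the TIA organisationally specific TLVs (LLDP-MED)
MED_NETWORK_POLICY = 2           # TIA subtype 2 = Network Policy
APP_TYPES = {1: "voice", 2: "voice-signaling", 3: "guest-voice",
             4: "guest-voice-signaling", 5: "softphone-voice",
             6: "video-conferencing", 7: "streaming-video", 8: "video-signaling"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV header: 7-bit type and 9-bit length, followed by the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def med_network_policy(app_type: int, vlan: int, tagged: bool,
                       priority: int = 0, dscp: int = 0) -> bytes:
    """Network Policy value: app type (8) | U (1) | T (1) | X (1) | VID (12) | L2 prio (3) | DSCP (6)."""
    if not (1 <= vlan <= 4094 and 0 <= priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("vlan, priority or dscp out of range")
    word = (app_type << 24) | (int(tagged) << 22) | (vlan << 9) | (priority << 6) | dscp
    return tlv(TLV_ORG, TIA_OUI + bytes([MED_NETWORK_POLICY]) + struct.pack("!I", word))


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int, system_name: str,
                 policies: List[bytes]) -> bytes:
    """Minimal LLDPDU: the three mandatory TLVs, System Name, the policies, End."""
    pdu = tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)          # subtype 4 = MAC address
    pdu += tlv(TLV_PORT_ID, b"\x05" + port_name.encode())     # subtype 5 = interface name
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))               # seconds the neighbour keeps the entry
    pdu += tlv(TLV_SYSTEM_NAME, system_name.encode())
    return pdu + b"".join(policies) + tlv(TLV_END, b"")


def iter_tlvs(pdu: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLV chain, refusing a TLV whose length runs past the buffer."""
    off = 0
    while off + 2 <= len(pdu):
        (hdr,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("truncated TLV")
        yield tlv_type, pdu[off:off + length]
        off += length
        if tlv_type == TLV_END:
            return


def decode_network_policies(pdu: bytes) -> List[dict]:
    """Return every well-formed LLDP-MED Network Policy carried in the LLDPDU."""
    policies = []
    for tlv_type, value in iter_tlvs(pdu):
        if (tlv_type != TLV_ORG or len(value) != 8 or value[:3] != TIA_OUI
                or value[3] != MED_NETWORK_POLICY):
            continue                      # not a Network Policy TLV, or malformed
        (word,) = struct.unpack("!I", value[4:])
        policies.append({
            "application": APP_TYPES.get(word >> 24, "unknown(%d)" % (word >> 24)),
            "unknown_policy": bool((word >> 23) & 1),
            "tagged": bool((word >> 22) & 1),
            "vlan": (word >> 9) & 0x0FFF,
            "priority": (word >> 6) & 0x7,
            "dscp": word & 0x3F,
        })
    return policies


def voice_vlan_example() -> List[dict]:
    """What an IP phone on gi 1/0/1 decodes from the VOICE_VLAN policy above (constructed MAC/TTL)."""
    pdu = build_lldpdu(bytes.fromhex("020000000001"), "gigabitethernet 1/0/1", 120,
                       "esr", [med_network_policy(1, 20, tagged=True)])
    return decode_network_policies(pdu)
```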
Sub-interface termination configuration
To terminate Ethernet frames of a certain VLAN on a specific physical interface, create a sub-interface numbered with the VLAN whose frames are to be terminated. If two sub-interfaces with the same VLAN are created on different physical or aggregated interfaces, Ethernet frames cannot be switched between them, because the external segments are separate broadcast domains. Data exchange between subscribers of different sub-interfaces (even with the same VLAN-ID) goes through routing, i.e. at layer 3 of the OSI model.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a sub-interface of a physical interface (possible if the physical interface is in routeport mode). | esr(config)# interface gigabitethernet <PORT>.<S-VLAN> or interface tengigabitethernet <PORT>.<S-VLAN> or interface port-channel <CH>.<S-VLAN> | <PORT> – physical interface number. <CH> – aggregated interface number. <S-VLAN> – identifier of created S-VLAN. If a physical interface is included in bridge-group, it will be impossible to create sub-interface. |
2 | Specify sub-interface description (optionally). | esr(config-subif)# description <DESCRIPTION> | <DESCRIPTION> – interface description, set by the string of up to 255 characters. |
3 | Specify VRF instance, in which the given sub-interface will operate (optionally). | esr(config-subif)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
4 | Set the time interval during which statistics on the sub-interface load is collected. (optionally). | esr(config-subif)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. |
5 | Enable bridge-group sub-interface (optionally). | esr(config-subif)# bridge-group <BRIDGE-ID> | <BRIDGE-ID> – bridge identifying number. |
6 | Set the lifetime of IPv4/IPv6 entries in the ARP table learned on the given interface (optionally). | esr(config-subif)# ip arp reachable-time <TIME> or ipv6 nd reachable-time <TIME> | <TIME> – lifetime of dynamic entries, in milliseconds. Allowed values are from 5000 to 100000000 milliseconds. The actual update time of an entry varies within [0.5; 1.5] × <TIME>. |
Sub-interface configuration example
Objective:
Configure 192.168.3.1/24 network termination in VLAN 828 on the gigabitethernet 1/0/1 physical interface.
Solution:
Create sub-interface for VLAN 828:
esr(config)# interface gigabitethernet 1/0/1.828
Configure an IP address from the required subnet:
esr(config)# interface gigabitethernet 1/0/1.828
esr(config-subif)# ip address 192.168.3.1/24
esr(config-subif)# exit
In addition to assigning an IP address, you must either disable the firewall or configure the corresponding security zone on the sub-interface.
Q-in-Q termination configuration
Q-in-Q is a technology for transmitting packets with two 802.1q tags; it is used to extend the number of available VLANs in data networks. The 802.1q header closer to the payload is the Inner Tag, also known as C-VLAN (Customer VLAN). The 802.1q header preceding the C-VLAN is the Outer Tag, also known as S-VLAN (Service VLAN). The use of double tags in Ethernet frames is described by the 802.1ad standard.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a sub-interface of a physical interface (possible if the physical interface is in routeport mode). | esr(config)# interface gigabitethernet <PORT>.<S-VLAN> or interface tengigabitethernet <PORT>.<S-VLAN> or interface port-channel <CH>.<S-VLAN> | <PORT> – physical interface number. <CH> – aggregated interface number. <S-VLAN> – identifier of created S-VLAN. |
2 | Create Q-in-Q interface. | esr(config)# interface gigabitethernet <PORT>.<S-VLAN>.<C-VLAN> or esr(config)# interface tengigabitethernet <PORT>.<S-VLAN>.<C-VLAN> or esr(config)# interface port-channel <CH>.<S-VLAN>.<C-VLAN> | <PORT> – physical interface number. <CH> – aggregated interface number. <S-VLAN> – identifier of the created S-VLAN. <C-VLAN> – identifier of the created C-VLAN. If the physical interface or the sub-interface is included in a bridge-group, the Q-in-Q interface cannot be created. |
3 | Specify Q-in-Q interface description (optionally). | esr(config-qinq-if)# description <DESCRIPTION> | <DESCRIPTION> – interface description, set by the string of up to 255 characters. |
4 | Specify VRF instance, in which the given Q-in-Q interface will operate (optionally). | esr(config-qinq-if)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
5 | Set the time interval during which statistics on the Q-in-Q interface load is collected. (optionally). | esr(config-qinq-if)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. |
6 | Enable bridge-group Q-in-Q interface (optionally). | esr(config-qinq-if)# bridge-group <BRIDGE-ID> | <BRIDGE-ID> – bridge identifying number. |
7 | Set the lifetime of IPv4/IPv6 entries in the ARP table learned on the given Q-in-Q interface (optionally). | esr(config-qinq-if)# ip arp reachable-time <TIME> or ipv6 nd reachable-time <TIME> | |
Q-in-Q configuration example
Objective:
Configure 192.168.1.1/24 subnet termination for the combination C-VLAN 741, S-VLAN 828 on the gigabitethernet 1/0/1 physical interface.
Solution:
Create sub-interface for S-VLAN 828:
esr(config)# interface gigabitethernet 1/0/1.828
esr(config-subif)# exit
Create Q-in-Q sub-interface for C-VLAN 741 and configure an IP address from the required subnet:
esr(config)# interface gigabitethernet 1/0/1.828.741
esr(config-qinq-if)# ip address 192.168.1.1/24
esr(config-qinq-if)# exit
Besides assigning an IP address, it is necessary to disable the firewall or to configure the corresponding security zone on the Q-in-Q interface.
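An added Python example (not Eltex code) that decodes the 802.1Q/802.1ad tag stack described in this section and in the VLAN section above, and maps it to the sub-interface that would terminate it; it also handles the legacy case where both tags use TPID 0x8100 and the reserved VID values. The frame bytes, MAC addresses and payload are constructed.

```python
"""Decode the 802.1Q / 802.1ad tag stack of an Ethernet frame and map it to the
ESR sub-interface name (port.S-VLAN.C-VLAN) that would terminate it.
Constructed example, not Eltex code."""
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100    # C-TAG (many devices also use it for the outer tag)
TPID_8021AD = 0x88A8   # S-TAG as defined by IEEE 802.1ad


def build_frame(dst: bytes, src: bytes, tags: List[Tuple[int, int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame; tags are (tpid, pcp, vid), outermost first (DEI left at 0)."""
    hdr = dst + src
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[dict], int, bytes]:
    """Return (tag list outermost first, final EtherType, payload).
    Raises ValueError on a frame truncated inside the tag stack."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated after tag stack")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return tags, tpid, frame[off + 2:]          # first non-tag word is the EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                     "vid": tci & 0x0FFF})
        off += 4


def terminating_interface(port: str, tags: List[dict]) -> Optional[str]:
    """Name of the ESR interface that terminates this tag stack.
    VID 4095 is reserved and such a frame is dropped (None); VID 0 is a
    priority tag carrying no VLAN, so it is ignored; more than two real
    tags has no matching interface type on the page (None)."""
    if any(t["vid"] == 4095 for t in tags):
        return None
    vids = [t["vid"] for t in tags if t["vid"] != 0]
    if len(vids) > 2:
        return None
    return port if not vids else port + "." + ".".join(str(v) for v in vids)


def qinq_example() -> Optional[str]:
    """Frame for the Q-in-Q example above: S-VLAN 828 outside, C-VLAN 741 inside."""
    frame = build_frame(bytes.fromhex("02005e000001"), bytes.fromhex("02005e000002"),
                        [(TPID_8021AD, 0, 828), (TPID_8021Q, 5, 741)],
                        0x0800, b"\x45" + b"\x00" * 19)          # constructed IPv4 stub
    tags, ethertype, _ = parse_tags(frame)
    if ethertype != 0x0800:
        raise ValueError("unexpected EtherType after the tag stack")
    return terminating_interface("gigabitethernet 1/0/1", tags)
```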
USB modems configuration
USB modems provide an additional communication channel for router operation. USB hubs may be used when connecting USB modems. Up to 10 USB modems can be configured in the system at the same time.
USB modems configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | After USB modem connection, wait until the system detects the connected device | | |
2 | Determine which device number has been allocated to the connected USB modem | esr# show cellular status modem | The connected device identifier is shown in the 'USB port' field |
3 | Create parameter profile for USB modem and switch to the profile configuration mode | esr(config)# cellular profile <ID> | <ID> – identifier of USB modem parameter profile, set in the range of [1..10]. |
4 | Specify parameter profile description (optionally). | esr(config-cellular-profile)# description <DESCRIPTION> | <DESCRIPTION> – interface description, set by the string of up to 255 characters. |
5 | Set mobile network access point | esr(config-cellular-profile)# apn <NAME> | <NAME> – mobile network access point, set by the string of up to 31 characters. |
6 | Set the name of mobile network user (if required by cellular carrier) | esr(config-cellular-profile)# user <NAME> | <NAME> – user name, set by the string of up to 31 characters. |
7 | Set the password of mobile network user (if required by cellular carrier) | esr(config-cellular-profile)# password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – unencrypted password, set by the string of [1..64] characters, may include [0-9a-fA-F] characters. <ENCRYPTED-TEXT> – encrypted password, set by the string of [2..128] characters. |
8 | Set the dial-up number for connection to the mobile network | esr(config-cellular-profile)# number <WORD> | <WORD> – dial-up number for connection to a mobile network, set by the string of up to 15 characters. |
9 | Set the method of user authentication in the mobile network (optionally) | esr(config-cellular-profile)# allowed-auth <TYPE> | <TYPE> – method of user authentication in a mobile network [none, PAP, CHAP, MSCHAP, MSCHAPv2, EAP]. |
10 | Restrict which IP versions may be used in the mobile network. | esr(config-cellular-profile)# ip-version | |
11 | Create USB modem in the router configuration and switch to the modem configuration mode | esr(config)# cellular modem <ID> | <ID> – USB modem identifier, set in the range of [1..10]. |
12 | Specify VRF instance, in which the given modem will operate (optionally). | esr(config-cellular-modem)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
13 | Set USB modem identifier allocated by the system (specified in item 2) | esr(config-cellular-modem)# device <WORD> | <WORD> – identifier of connected modem’s USB port, set in the range of [1..12]. |
14 | Set the previously established parameter profile to the USB modem | esr(config-cellular-modem)# profile <ID> | <ID> – identifier of USB modem parameter profile, set in the range of [1..10]. |
15 | Set SIM card unlock code (if necessary) | esr(config-cellular-modem)# pin <WORD> | <WORD> – SIM card unblock code [4..8]. Only digits are allowed. |
16 | Allow the use of any USB modem operation mode (optionally) | esr(config-cellular-modem)# allowed-mode <MODE> | <MODE> – acceptable USB modem operation mode [2g, 3g, 4g]. By default: all modes supported by the modem are allowed. |
17 | Set the size of the largest received packet (optionally) | esr(config-cellular-modem)# mru { <MRU> } | <MRU> – MRU value, takes values in the range of [128..16383]. |
18 | Set the preferable USB modem operation mode in the mobile network (optionally) | esr(config-cellular-modem)# preferred-mode { <MODE> } | <MODE> – preferable USB modem operation mode [2g, 3g, 4g]. |
19 | Activate USB modem | esr(config-cellular-modem)# enable | |
Configuration example
Objective:
Configure connection to the Internet by using USB modem.
Solution:
As an example, consider a connection to the cellular operator MTS.
After connecting the modem, wait until the system detects the device, then determine the port assigned to the connected USB modem:
esr# show cellular status modem
Number  device USB port  Manufacturer  Model  Current state  Interface  Link state
1       1-2              huawei        E3372  Disabled       --         Down
Create the parameter profile for USB modem:
esr(config)# cellular profile 1
Specify the required APN or any other necessary address. Below is an example of connection to the MTS APN:
esr(config-cellular-profile)# apn internet.mts.ru
If necessary, set the user name, password, dial-up number and authentication method:
esr(config-cellular-profile)# user mts
esr(config-cellular-profile)# password ascii-text mts
esr(config-cellular-profile)# number *99#
esr(config-cellular-profile)# allowed-auth PAP
Proceed to configuring the USB modem and set the identifier corresponding to the device port determined above:
esr(config)# cellular modem 1
esr(config-cellular-modem)# device 1-2
Set the corresponding parameter profile and activate the modem:
esr(config-cellular-modem)# profile 1
esr(config-cellular-modem)# enable
AAA configuration
AAA (Authentication, Authorization, Accounting) describes how access is provided and controlled.
- Authentication is matching a person (request) against an existing account in the security system. It is performed by login and password.
- Authorization (privilege verification, access level verification) is matching an existing account in the system (one that has passed authentication) to specific privileges.
- Accounting is monitoring of user connections or of the changes made by the user.
Local authentication configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Set local as authentication method. | esr(config)# aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ] | <NAME> – list name, set by the string of up to 31 characters. Authentication methods: |
2 | Set enable as authentication method of user privileges elevation. | esr(config)# aaa authentication enable <NAME> <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ] | <NAME> – list name, set by the string of up to 31 characters. Authentication methods: |
3 | Set the method for iterating over authentication methods (optionally). | esr(config)# aaa authentication mode <MODE> | <MODE> – options of iterating over methods: Default value: chain. |
4 | Specify the number of failed authentication attempts to block the user login and time of the lock (optionally) | esr(config)# aaa authentication attempts max-fail <COUNT> <TIME> | <COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535]; <TIME> – user blocking time in minutes, takes the values of [1..65535]. Default value: |
5 | Enable request for change the default password for the ‘admin’ user (optionally) | esr(config)# security passwords default-expired | |
6 | Enable the inhibit mode on the use of previously set local user passwords (optionally) | esr(config)# security passwords history <COUNT> | <COUNT> – number of passwords saved in the router memory. Takes values in the range of [1..15]. Default value: 0 |
7 | Set the lifetime of local user password (optionally) | esr(config)# security passwords lifetime <TIME> | <TIME> – password lifetime in days. Takes values in the range of [1..365]. By default: The lifetime of local user password is unlimited. |
8 | Set a limit on the minimum length of local user password and ENABLE password (optionally) | esr(config)# security passwords min-length <NUM> | <NUM> – minimum number of characters in the password. Takes values in the range of [8..128]. Default value: 0 |
9 | Set a limit on the maximum length of local user password and ENABLE password (optionally) | esr(config)# security passwords max-length <NUM> | <NUM> – maximum number of characters in the password. Takes values in the range of [8..128]. Default value: not limited. |
10 | Set the minimum number of character types that must be present in the local user password and ENABLE password (optionally) | esr(config)# security passwords symbol-types <COUNT> | <COUNT> – minimum number of character types in the password. Takes values in the range of [1..4]. Default value: 1 |
11 | Set the minimum number of lower case letters in the local user password and ENABLE password (optionally) | esr(config)# security passwords lower-case <COUNT> | <COUNT> – minimum number of lower case letters in the local user password and ENABLE password. Takes values in the range of [0..128]. Default value: 0 |
12 | Set the minimum number of upper case letters in the local user password and ENABLE password (optionally) | esr(config)# security passwords upper-case <COUNT> | <COUNT> – minimum number of upper case letters in the password. Takes values in the range of [0..128]. Default value: 0 |
13 | Set the minimum number of digits in the local user password and ENABLE password (optionally) | esr(config)# security passwords numeric-count <COUNT> | <COUNT> – minimum number of digits in the password. Takes values in the range of [0..128]. Default value: 0 |
14 | Set the minimum number of special characters in the local user password and ENABLE password (optionally) | esr(config)# security passwords special-case <COUNT> | <COUNT> – minimum number of special characters in the password. Takes values in the range of [0..128]. Default value: 0 |
15 | Add user to the local database and switch to the user parameters configuration mode | esr(config)# username <NAME> | <NAME> – user name, set by the string of up to 31 characters. |
16 | Set user password | esr(config-user)# password { <CLEAR-TEXT> | encrypted <HASH_SHA512> } | <CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F]; <HASH_SHA512> – hash password via sha512 algorithm, set by the string of 110 characters. |
17 | Set user privileges level | esr(config-user)# privilege <PRIV> | <PRIV> – required privilege level. Takes values in the range of [1..15]. |
18 | Switch to the corresponding terminal configuration mode | esr(config)# line console or esr(config)# line telnet or esr(config)# line ssh | |
19 | Activate user login authentication list | esr(config-line-ssh)# login authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. |
20 | Activate authentication list of user privileges elevation | esr(config-line-ssh)# enable authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. |
21 | Set the interval after which the idle session will be terminated | esr(config-line-ssh)# exec-timeout <SEC> | <SEC> – time interval in minutes, takes values of [1..65535]. |
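An added Python helper, not Eltex code, that applies the 'security passwords' limits from the table above (using the table's default values) to a candidate password before it is pushed to the router; the policy values and test passwords are constructed, and the router still enforces its own limits when the password is set.

```python
"""Check a candidate local-user / ENABLE password against the 'security passwords'
limits of the table above. Constructed helper, not Eltex code."""
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PasswordPolicy:
    min_length: int = 0               # security passwords min-length (default 0)
    max_length: Optional[int] = None  # security passwords max-length (default: not limited)
    symbol_types: int = 1             # security passwords symbol-types (default 1)
    lower_case: int = 0               # security passwords lower-case (default 0)
    upper_case: int = 0               # security passwords upper-case (default 0)
    numeric_count: int = 0            # security passwords numeric-count (default 0)
    special_case: int = 0             # security passwords special-case (default 0)
    history: int = 0                  # security passwords history (default 0 = disabled)


def check_password(candidate: str, policy: PasswordPolicy,
                   previous: Sequence[str] = ()) -> List[str]:
    """Return the names of the violated limits; an empty list means the password is accepted."""
    counts = {
        "lower-case": sum(c in string.ascii_lowercase for c in candidate),
        "upper-case": sum(c in string.ascii_uppercase for c in candidate),
        "numeric-count": sum(c in string.digits for c in candidate),
        "special-case": sum(c in string.punctuation for c in candidate),
    }
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min-length")
    if policy.max_length is not None and len(candidate) > policy.max_length:
        violations.append("max-length")
    # symbol-types counts how many of the four character classes are present at all
    if sum(1 for n in counts.values() if n > 0) < policy.symbol_types:
        violations.append("symbol-types")
    for name, required in (("lower-case", policy.lower_case),
                           ("upper-case", policy.upper_case),
                           ("numeric-count", policy.numeric_count),
                           ("special-case", policy.special_case)):
        if counts[name] < required:
            violations.append(name)
    # history: the last <COUNT> passwords of this user may not be reused
    if policy.history and candidate in list(previous)[-policy.history:]:
        violations.append("history")
    return violations
```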
AAA configuration algorithm via RADIUS
Step | Description | Command | Keys |
---|---|---|---|
1 | Set the DSCP code global value for the use in IP headers of RADIUS server egress packets (optionally). | esr(config)# radius-server dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. Default value: 63. |
2 | Set the global number of iterative queries to the last active RADIUS server (optionally). | esr(config)# radius-server retransmit <COUNT> | <COUNT> – amount of iterative requests to RADIUS server, takes values of [1..10]. Default value: 1. |
3 | Set the global value of the interval after which the router assumes that the RADIUS server is not available (optional). | esr(config)# radius-server timeout <SEC> | <SEC> – time interval in seconds, takes values of [1..30]. Default value: 3 seconds. |
4 | Add RADIUS server to the list of used servers and switch to its configuration mode. | esr(config)# radius-server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ] | <IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF] <VRF> – VRF instance name, set by the string of up to 31 characters. |
5 | Specify the number of failed authentication attempts after which the user login is blocked, and the lock time (optionally). | esr(config)# aaa authentication attempts max-fail <COUNT> <TIME> | <COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535]; <TIME> – user blocking time in seconds, takes the values of [1..65535]. Default value: <COUNT> – 5; <TIME> – 300 |
6 | Set the password for authentication on remote RADIUS server. | esr(config-radius-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | <TEXT> – string [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters. |
7 | Prioritize the use of a remote RADIUS server (optionally). | esr(config-radius-server)# priority <PRIORITY> | <PRIORITY> – remote server priority, takes values in the range of [1..65535]. The lower value, the higher the priority of server is. Default value: 1. |
8 | Set the interval after which the router assumes that the RADIUS server is not available (optional). | esr(config-radius-server)# timeout <SEC> | <SEC> – time interval in seconds, takes values of [1..30]. Default value: global timer value is used. |
9 | Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted RADIUS packets. | esr(config-radius-server)# source-address { <ADDR> | <IPV6-ADDR> } | <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. |
10 | Set radius as authentication method. | esr(config)# aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ] | <NAME> – list name, set by the string of up to 31 characters. Authentication methods: |
11 | Set radius as authentication method of user privileges elevation. | esr(config)# aaa authentication enable <NAME> <METHOD 1> | <NAME> – list name, set by the string of up to 31 characters; <METHOD> – authentication methods: |
12 | Set the method for iterating over authentication methods (optionally). | esr(config)# aaa authentication mode <MODE> | <MODE> – options of iterating over methods: Default value: chain. |
13 | Configure radius in the list of user session accounting methods (optionally). | esr(config)# aaa accounting login start-stop <METHOD 1> | <METHOD> – accounting methods: |
14 | Switch to the corresponding terminal configuration mode. | esr(config)# line <TYPE> | <TYPE> – console type: |
15 | Activate user login authentication list. | esr(config-line-console)# login authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. Created in step 10. |
16 | Activate authentication list of user privileges elevation. | esr(config-line-console)# enable authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. Created in step 11. |
AAA configuration algorithm via TACACS
Step | Description | Command | Keys |
---|---|---|---|
1 | Set the DSCP code global value for the use in IP headers of TACACS server egress packets (optionally). | esr(config)# tacacs-server dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. Default value: 63. |
2 | Set the global value of the interval after which the router assumes that the TACACS server is not available (optional). | esr(config)# tacacs-server timeout <SEC> | <SEC> – time interval in seconds, takes values of [1..30]. Default value: 3 seconds. |
3 | Add TACACS server to the list of used servers and switch to its configuration mode. | esr(config)# tacacs-server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ] esr(config-tacacs-server)# | <IP-ADDR> – TACACS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]; <VRF> – VRF instance name, set by the string of up to 31 characters. |
4 | Specify the number of failed authentication attempts to block the user login and time of the lock (optionally) | aaa authentication attempts max-fail <COUNT> <TIME> | <COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535]; <TIME> – user blocking time in minutes, takes the values of [1..65535]. Default value: <COUNT> – 5; <TIME> – 300 |
5 | Set the password for authentication on remote TACACS server. | esr(config-tacacs-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | <TEXT> – string [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters. |
6 | Set the port number to communicate with remote TACACS server (optionally). | esr(config-tacacs-server)# port <PORT> | <PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535]. Default value: 49 for TACACS server. |
7 | Prioritize the use of a remote TACACS server (optionally). | esr(config-tacacs-server)# priority <PRIORITY> | <PRIORITY> – remote server priority, takes values in the range of [1..65535]. The lower value, the higher the priority of server is. Default value: 1. |
8 | Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted TACACS packets. | esr(config-tacacs-server)# source-address { <ADDR> | <IPV6-ADDR> } | <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. |
9 | Set TACACS as authentication method of user privileges elevation. | esr(config)# aaa authentication enable <NAME> <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ] | <NAME> – list name, set by the string of up to 31 characters; <METHOD> – authentication methods: |
10 | Set the method for iterating over authentication methods (optionally). | esr(config)# aaa authentication mode <MODE> | <MODE> – options of iterating over methods. Default value: chain. |
11 | Configure the list of CLI commands accounting methods (optionally). | esr(config)# aaa accounting commands stop-only tacacs | |
12 | Configure tacacs in the list of user session accounting methods (optionally). | esr(config)# aaa accounting login start-stop <METHOD 1> [ <METHOD 2> ] | <METHOD> – accounting methods: |
13 | Switch to the corresponding terminal configuration mode. | esr(config)# line <TYPE> | <TYPE> – console type: |
14 | Activate user login authentication list. | esr(config-line-console)# login authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. Created in step 7. |
15 | Activate authentication list of user privileges elevation. | esr(config-line-console)# enable authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. Created in step 8. |
AAA configuration algorithm via LDAP
Step | Description | Command | Keys |
---|---|---|---|
1 | Specify basic DN (Distinguished name) which will be used when searching for users. | esr(config)# ldap-server base-dn <NAME> | <NAME> – basic DN, set by the string of up to 255 characters. |
2 | Set the interval after which the router assumes that the LDAP server is not available (optionally). | esr(config)# ldap-server bind timeout <SEC> | <SEC> – time interval in seconds, takes values of [1..30]. Default value: 3 seconds. |
3 | Specify the DN (Distinguished name) of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users. | esr(config)# ldap-server bind authenticate root-dn <NAME> | <NAME> – DN of a user with administration rights, set by the string of up to 255 characters. |
4 | Specify the password of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users. | esr(config)# ldap-server bind authenticate root-password ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | <TEXT> – string [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters. |
5 | Specify a class name of the objects among which it is necessary to search for users on LDAP server (optionally). | esr(config)# ldap-server search filter user-object-class <NAME> | <NAME> – object class name, set by the string of up to 127 characters. Default value: posixAccount. |
6 | Specify the user search scope in LDAP server tree (optionally). | esr(config)# ldap-server search scope <SCOPE> | <SCOPE> – user search scope on LDAP server, takes the following values: onelevel – search through the objects on the level following a basic DN tree in LDAP server tree; subtree – search through all objects of basic DN subtree in LDAP server tree. Default value: subtree. |
7 | Specify the interval after which the device assumes that LDAP server has not found users entries satisfying the search condition (optionally). | esr(config)# ldap-server search timeout <SEC> | <SEC> – time interval in seconds, takes values of [0..30] Default value: 0 – device is waiting for search completion and response from LDAP server. |
8 | Specify an attribute name of the object which is compared with the name of the desired user on LDAP server (optional). | esr(config)# ldap-server naming-attribute <NAME> | <NAME> – object attribute name, set by the string of up to 127 characters. Default value: uid. |
9 | Specify the name of the object attribute that holds the user privilege level on the LDAP server (optionally). | esr(config)# ldap-server privilege-level-attribute <NAME> | <NAME> – object attribute name, set by the string of up to 127 characters. Default value: priv-lvl. |
10 | Set the DSCP code global value for the use in IP headers of LDAP server egress packets (optionally). | esr(config)# ldap-server dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. Default value: 63 |
11 | Add LDAP server to the list of used servers and switch to its configuration mode. | esr(config)# ldap-server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ] esr(config-ldap-server)# | <IP-ADDR> – LDAP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – LDAP server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]; <VRF> – VRF instance name, set by the string of up to 31 characters. |
12 | Specify the number of failed authentication attempts after which the user login is blocked, and the duration of the lock (optionally). | esr(config)# aaa authentication attempts max-fail <COUNT> <TIME> | <COUNT> – number of failed authentication attempts after which a user is blocked, takes the values of [1..65535]; <TIME> – user blocking time in minutes, takes the values of [1..65535]. Default values: <COUNT> – 5; <TIME> – 300. |
13 | Set the port number to communicate with remote LDAP server (optionally). | esr(config-ldap-server)# port <PORT> | <PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535]. Default value: 389 for LDAP server. |
14 | Prioritize the use of a remote LDAP server (optionally). | esr(config-ldap-server)# priority <PRIORITY> | <PRIORITY> – remote server priority, takes values in the range of [1..65535]. The lower value, the higher the priority of server is. Default value: 1. |
15 | Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted LDAP packets. | esr(config-ldap-server)# source-address { <ADDR> | <IPV6-ADDR> } | <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. |
16 | Set LDAP as authentication method. | esr(config)# aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ] | <NAME> – list name, set by the string of up to 31 characters. Authentication methods: |
17 | Set LDAP as authentication method of user privileges elevation. | esr(config)# aaa authentication enable <NAME> <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ] | <NAME> – list name, set by the string of up to 31 characters; <METHOD> – authentication methods: |
18 | Set the method for iterating over authentication methods. | esr(config)# aaa authentication mode <MODE> | <MODE> – options of iterating over methods. Default value: chain. |
19 | Switch to the corresponding terminal configuration mode. | esr(config)# line <TYPE> | <TYPE> – console type: |
20 | Activate user login authentication list. | esr(config-line-console)# login authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. Created in step 14. |
21 | Activate authentication list of user privileges elevation. | esr(config-line-console)# enable authentication <NAME> | <NAME> – list name, set by the string of up to 31 characters. Created in step 15. |
Example of authentication configuration using telnet via RADIUS server
Objective:
Configure authentication for users being connected via Telnet and RADIUS (192.168.16.1/24).
Solution:
Configure connection to RADIUS server and specify the key (password):
esr# configure
esr(config)# radius-server host 192.168.16.1
esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-radius-server)# exit
Create authentication profile:
esr(config)# aaa authentication login log radius
Specify authentication mode used for Telnet protocol connection:
esr(config)# line telnet
esr(config-line-telnet)# login authentication log
esr(config-line-telnet)# exit
esr(config)# exit
To view the information on RADIUS server connection settings, use the following command:
esr# show aaa radius-servers
To view the authentication profiles, use the following command:
esr# show aaa authentication
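As an added example (not Eltex's code), a small Python linter that reads ESR-style AAA commands like those in the tables and the Telnet/RADIUS example above and reports the gaps a configuration reviewer would look for: a terminal line without an authentication list, a list that names a remote method with no matching server, a shared secret entered in clear text, and a missing failed-attempt lockout. The sample configuration, the regular expressions and the set of checks are this example's own assumptions.

```python
import re
from typing import List

# Constructed sample, modelled on the Telnet/RADIUS example above. The second
# "line" block deliberately has no "login authentication" list.
SAMPLE_CONFIG = """\
radius-server host 192.168.16.1
  key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa authentication login log radius
line telnet
  login authentication log
exit
line ssh
exit
"""

REMOTE_METHODS = ("radius", "tacacs", "ldap")


def parse_aaa(config: str) -> dict:
    """Collect the AAA-relevant facts from an ESR-style configuration text."""
    facts = {
        "hosts": {m: [] for m in REMOTE_METHODS},  # <method>-server host <addr>
        "cleartext_secrets": 0,                      # 'ascii-text <TEXT>' without 'encrypted'
        "login_lists": {},                           # aaa authentication login <NAME> <METHODS>
        "enable_lists": {},                          # aaa authentication enable <NAME> <METHODS>
        "line_auth": {},                             # line <TYPE> -> login authentication list
        "lockout": None,                             # (count, minutes) from attempts max-fail
    }
    current_line = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"(radius|tacacs|ldap)-server host (\S+)", line)):
            facts["hosts"][m.group(1)].append(m.group(2))
        elif re.search(r"ascii-text (\S+)$", line):
            # Exactly one token after 'ascii-text' means the secret is in clear text;
            # the encrypted form is 'ascii-text encrypted <ENCRYPTED-TEXT>' (two tokens).
            facts["cleartext_secrets"] += 1
        elif (m := re.match(r"aaa authentication login (\S+) (.+)", line)):
            facts["login_lists"][m.group(1)] = m.group(2).split()
        elif (m := re.match(r"aaa authentication enable (\S+) (.+)", line)):
            facts["enable_lists"][m.group(1)] = m.group(2).split()
        elif (m := re.match(r"aaa authentication attempts max-fail (\d+) (\d+)", line)):
            facts["lockout"] = (int(m.group(1)), int(m.group(2)))
        elif (m := re.match(r"line (\S+)$", line)):
            current_line = m.group(1)
            facts["line_auth"].setdefault(current_line, None)
        elif (m := re.match(r"login authentication (\S+)", line)) and current_line:
            facts["line_auth"][current_line] = m.group(1)
        elif line == "exit":
            current_line = None
    return facts


def lint_aaa(config: str) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means none were seen."""
    f = parse_aaa(config)
    findings = []
    for kind in ("login_lists", "enable_lists"):
        for name, methods in f[kind].items():
            for method in methods:
                if method in REMOTE_METHODS and not f["hosts"][method]:
                    findings.append(f"{kind[:-6]} list '{name}' uses {method} "
                                    f"but no {method}-server host is configured")
    for ltype, list_name in f["line_auth"].items():
        if list_name is None:
            findings.append(f"line {ltype} has no explicit 'login authentication' list")
        elif list_name not in f["login_lists"]:
            findings.append(f"line {ltype} references undefined list '{list_name}'")
    if f["cleartext_secrets"]:
        findings.append(f"{f['cleartext_secrets']} shared secret(s) stored in clear text; "
                        "use the 'encrypted' form")
    if f["lockout"] is None:
        findings.append("no 'aaa authentication attempts max-fail' lockout configured")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("finding:", finding)
```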
Command privilege configuration
Command privilege configuration is a flexible tool that allows you to assign a baseline user privilege level (1–15) to a command set. When a user is later created, the privilege level assigned to that user defines the command set available to them.
- Levels 1-9 enable all monitoring commands (show …);
- Levels 10-14 enable all commands except for device reboot, user management and other specific commands;
- Level 15 enables all commands.
Configuration algorithm
To change minimum privilege level required for CLI command execution, use the following command:
esr(config)# privilege <COMMAND-MODE> level <PRIV> <COMMAND>
<COMMAND-MODE> – command mode;
<PRIV> – required command subtree privilege level, takes value in the range of [1..15];
<COMMAND> – command subtree, set by the string of up to 255 characters.
Example of command privilege configuration
Objective:
Transfer all interface information display commands to the privilege level 10 except for 'show interfaces bridges' command. Transfer 'show interfaces bridges' command to the privilege level 3.
Solution:
In configuration mode, identify commands enabled for operation under privilege level 10 and privilege level 3:
esr(config)# privilege root level 3 "show interfaces bridge"
esr(config)# privilege root level 10 "show interfaces"
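The example above relies on the more specific subtree ("show interfaces bridge") taking precedence over the broader one ("show interfaces"). The following added Python model (not Eltex's code) resolves the required level for a command by longest matching subtree; the rule list is the worked example's, while the default level of 1 for commands no rule covers is this example's assumption.

```python
from typing import List, Optional, Tuple

# Constructed rule set taken from the worked example: (command mode, level, subtree).
PRIVILEGE_RULES: List[Tuple[str, int, str]] = [
    ("root", 3, "show interfaces bridge"),
    ("root", 10, "show interfaces"),
]


def required_level(command: str, rules=PRIVILEGE_RULES, mode: str = "root",
                   default: int = 1) -> int:
    """Minimum privilege level needed to run `command` in `mode`.

    Every rule whose subtree is a word-prefix of the command applies; the longest
    (most specific) subtree wins, so "show interfaces bridge ..." resolves to 3
    even though "show interfaces" is set to 10.
    """
    words = command.split()
    best: Optional[Tuple[int, int]] = None  # (matched subtree length, level)
    for rule_mode, level, subtree in rules:
        sub = subtree.split()
        if rule_mode == mode and words[: len(sub)] == sub:
            if best is None or len(sub) > best[0]:
                best = (len(sub), level)
    return default if best is None else best[1]


def may_execute(user_level: int, command: str, **kwargs) -> bool:
    """True when a user of `user_level` clears the level the command requires."""
    return user_level >= required_level(command, **kwargs)
```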
DHCP server configuration
Integrated DHCP server of the router allows you to configure LAN device network settings. Router DHCP server is able to send additional options to network devices, for example:
- default-router – IP address of the router used as default gateway;
- domain-name – domain name which will be used by the client when resolving host names via the domain name system (DNS);
- dns-server – list of domain name server addresses for the current network that should be known by the client. Server addresses are listed in descending order of their preference.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Enable IPv4/IPv6 DHCP server. | esr(config)# ip dhcp-server [vrf <VRF>] | <VRF> – VRF instance name within which the DHCP server will operate, set by the string of up to 31 characters. |
esr(config)# ipv6 dhcp-server [vrf <VRF>] | |||
2 | Set the DSCP code value for the use in IP headers of DHCP server egress packets (optionally). | esr(config)# ip dhcp-server dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. Default value: 61. |
3 | Create pool of DHCP server IPv4/IPv6 addresses and switch to its configuration mode. | esr(config)# ip dhcp-server pool <NAME> [vrf <VRF>] | <NAME> – IPv4/IPv6 server profile name, set by the string of up to 31 characters. <VRF> – VRF instance name within which the DHCP server will operate, set by the string of up to 31 characters. |
esr(config)# ipv6 dhcp-server pool <NAME> [vrf <VRF>] | |||
4 | Specify IPv4/IPv6 address and mask for the subnet from which IPv4/IPv6 addresses pool will be allocated. | esr(config-dhcp-server)# network <ADDR/LEN> | <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. |
esr(config-ipv6-dhcp-server)# network <IPV6-ADDR/LEN> | <IPV6-ADDR/LEN> – IP address and prefix of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128]. | ||
5 | Add IPv4/IPv6 addresses range to the address pool of configurable DHCP server. | esr(config-dhcp-server)# address-range <FROM-ADDR>-<TO-ADDR> | <FROM-ADDR> – range starting IP address; <TO-ADDR> – range ending IP address; The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. You can specify up to 32 IP addresses separated by commas. |
esr(config-ipv6-dhcp-server)# address-range <FROM-ADDR>-<TO-ADDR> | <FROM-ADDR> – range starting IP address; <TO-ADDR> – range ending IP address; The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
6 | Add IPv4/IPv6 address for a specific physical address to the address pool of configurable DHCP server (optionally). | esr(config-dhcp-server)# address <ADDR> {mac-address <MAC> | client-identifier <CI>} | <ADDR> – client IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <MAC> – MAC address of the client which will be given the IP address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]; <CI> – client identifier according to DHCP Option 61. Can be specified as follows: |
esr(config-ipv6-dhcp-server)# address <ADDR> mac-address <MAC> | <IPV6-ADDR> – client IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]; <MAC> – MAC address of the client, which will be given the IP address, defined as XX: XX: XX: XX: XX: XX where each part takes the values of [00..FF]. | ||
7 | Specify the list of default gateway IPv4 addresses which will be transmitted by DHCP server to clients through DHCP option 3. | esr(config-dhcp-server)# default-router <ADDR> | <ADDR> – default gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; You can specify up to 8 IP addresses separated by commas. |
8 | Specify network domain DNS name. Domain name is transmitted to clients as part of DHCP option 15 (optionally). | esr(config-dhcp-server)# domain-name <NAME> | <NAME> – router domain name, set by the string from 1 to 255 characters. |
esr(config-ipv6-dhcp-server)# domain-name <NAME> | |||
9 | Specify DNS server IPv4/IPv6 addresses list. The list is transmitted to clients as part of DHCP option 6 (optionally). | esr(config-dhcp-server)# dns-server <ADDR> | <ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. You can specify up to 8 IP addresses separated by commas. |
esr(config-ipv6-dhcp-server)# dns-server <IPV6-ADDR> | <IPV6-ADDR> – DNS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. You can specify up to 8 IP addresses separated by commas. | ||
10 | Specify maximum IP addresses lease time (optionally). If the DHCP client requests a lease time that exceeds the maximum value, the time specified by this command will be set. | esr(config-dhcp-server)# max-lease-time <TIME> | <TIME> – maximal IP address lease time, set in the format DD:HH:MM (days, hours, minutes). Default value: 1 day. |
esr(config-ipv6-dhcp-server)# max-lease-time <TIME> | |||
11 | Specify the lease time for which a client will be given an IP address (optionally). This time will be used if a client did not request a specific lease time. | esr(config-dhcp-server)# default-lease-time <TIME> | <TIME> – IP address lease time, set in the format DD:HH:MM (days, hours, minutes). Default value: 12 hours. |
esr(config-ipv6-dhcp-server)# default-lease-time <TIME> | |||
12 | Create supplier class identifier (DHCP Option 60) (optionally). | esr(config)# ip dhcp-server vendor-class-id <NAME> | <NAME> – carrier class identifier, set by the string of up to 31 characters. |
esr(config)# ipv6 dhcp-server vendor-class-id <NAME> | |||
13 | Specify specific supplier information (DHCP Option 43). | esr(config-dhcp-vendor-id)# vendor-specific-options <HEX> | <HEX> – vendor-specific information, specified in hexadecimal format up to 128 symbols. |
esr(config-ipv6-dhcp-vendor-id)# vendor-specific-options <HEX> | |||
14 | Specify NetBIOS server IP address (DHCP option 44) (optionally). | esr(config-dhcp-server)# netbios-name-server <ADDR> | <ADDR> – NetBIOS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. You can set up to 4 IP addresses. |
15 | Specify TFTP server IP address (DHCP option 150) (optionally). | esr(config-dhcp-server)# tftp-server <ADDR> | <ADDR> – TFTP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
DHCP server configuration example
Objective:
Configure DHCP server operation in a local network that belongs to the 'trusted' security zone. Specify IP address pool from 192.168.1.0/24 subnet for distribution to clients. Specify address lease time equal to 1 day. Configure transmission of the default route, domain name and DNS server addresses to clients using DHCP options.
Solution:
Create 'trusted' security zone and determine the inherence of the network interfaces being used to zones:
esr# configure
esr(config)# security zone trusted
esr(config-zone)# exit
Create address pool named 'Simple' and add IP address range intended for server clients lease into this pool. Specify parameters of the subnet that the pool belongs to, and the lease time for addresses:
esr# configure
esr(config)# ip dhcp-server pool Simple
esr(config-dhcp-server)# network 192.168.1.0/24
esr(config-dhcp-server)# address-range 192.168.1.100-192.168.1.125
esr(config-dhcp-server)# default-lease-time 1:00:00
Configure transfer of additional network parameters to clients:
- default route: 192.168.1.1;
- domain name: eltex.loc;
- DNS server list: DNS1: 172.16.0.1, DNS2: 8.8.8.8.
esr(config-dhcp-server)# domain-name "eltex.loc"
esr(config-dhcp-server)# default-router 192.168.1.1
esr(config-dhcp-server)# dns-server 172.16.0.1 8.8.8.8
esr(config-dhcp-server)# exit
To enable IP address distribution from the configurable pool by DHCP server, IP interface should be created on the router that belongs to the same subnet as the pool addresses.
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# security-zone trusted
esr(config-if-gi)# ip address 192.168.1.1/24
esr(config-if-gi)# exit
To enable DHCP message transmission to the server, you should create the respective port profiles including source port 68 and destination port 67 used by DHCP and create the allowing rule in the security policy for UDP packet transmission:
esr(config)# object-group service dhcp_server
esr(config-object-group-service)# port-range 67
esr(config-object-group-service)# exit
esr(config)# object-group service dhcp_client
esr(config-object-group-service)# port-range 68
esr(config-object-group-service)# exit
esr(config)# security zone-pair trusted self
esr(config-zone-pair)# rule 30
esr(config-zone-rule)# match protocol udp
esr(config-zone-rule)# match source-port dhcp_client
esr(config-zone-rule)# match destination-port dhcp_server
esr(config-zone-rule)# action permit
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
Enable server operation:
esr(config)# ip dhcp-server
esr(config)# exit
To view the list of leased addresses, use the following command:
esr# show ip dhcp binding
To view the configured address pools, use the following commands:
esr# show ip dhcp server pool
esr# show ip dhcp server pool Simple
Configuration of settings for IPv6 is performed by analogy to IPv4.
Destination NAT configuration
Destination NAT (DNAT) function includes destination IP address translation for packets transferred through the network gateway.
DNAT is used for redirection of traffic, coming to a specific 'virtual' address in a public network, to a 'real' server in LAN located behind the network gateway. This function may be used for establishing a public access to servers located within the private network without any public network address.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Switch to the configuration mode of destination address translation service. | esr(config)# nat destination | |
2 | Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optionally). | esr(config-dnat)# pool <NAME> | <NAME> – NAT addresses pool name, set by the string of up to 31 characters. |
3 | Set the internal IP address which will replace a destination IP address. | esr(config-dnat-pool)# ip address <ADDR> | <ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
4 | Set the internal TCP/UDP port which will replace a destination TCP/UDP port. | esr(config-dnat-pool)# ip port <PORT> | <PORT> – TCP/UDP port, takes values of [1..65535]. |
5 | Create a rule group with a specific name. | esr(config-dnat)# ruleset <NAME> | <NAME> – rule group name, set by the string of up to 31 characters. |
6 | Specify VRF instance, in which the given rule group will operate (optionally). | esr(config-dnat-ruleset)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
7 | Set the rule group scope. The rules will be applied only to traffic coming from a certain zone or interface. | esr(config-dnat-ruleset)# from { zone <NAME> | interface <IF> | tunnel <TUN> | default } | <NAME> – isolation zone name; <IF> – device interface name; <TUN> – device tunnel name; default – denotes a group of rules for all traffic, the source of which did not fall under the criteria of other groups of rules. |
8 | Specify a rule with a certain number. The rules are proceeded in ascending order. | esr(config-dnat-ruleset)# rule <ORDER> | <ORDER> – rule number, takes values of [1..10000]. |
9 | Specify the profile of IP addresses {sender | recipient} for which the rule should work. | esr(config-dnat-rule)# match [not]¹ {source | destination}-address <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. “Any” value points at any source IP address. |
10 | Specify the profile of services (tcp/udp ports) {sender | recipient} for which the rule should work (optionally). | esr(config-dnat-rule)# match [not]¹ {source | destination}-port <PORT-SET-NAME> | <PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. “Any” value points at any source TCP/UDP port. |
11 | Set the name or number of the IP protocol for which the rule should work (optionally). | esr(config-dnat-rule)# match [not]¹ {protocol <TYPE> | protocol-id <ID> } | <TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. “Any” value points at any protocol type. <ID> – IP protocol number, takes values of [0x00-0xFF]. |
12 | Specify the type and code of ICMP messages for which the rule should work (if ICMP is selected as protocol) (optionally). | esr(config-dnat-rule)# match [not]¹ icmp {<ICMP_TYPE> <ICMP_CODE> | <TYPE-NAME>} | <ICMP_TYPE> – ICMP message type, takes values of [0..255]. <ICMP_CODE> – ICMP message code, takes values of [0..255]. “Any” value points at any message code. <TYPE-NAME> – ICMP message type name. |
13 | Specify the action “translation of destination address and port” for the traffic meeting the requirements of the “match” commands. | esr(config-dnat-rule)# action destination-nat { off | pool <NAME> | netmap <ADDR/LEN> } | off – translation is disabled; pool <NAME> – name of the pool that contains the IP addresses and/or TCP/UDP ports set; netmap <ADDR/LEN> – subnet IP address and mask used during translation. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. |
14 | Activate a configured rule. | esr(config-dnat-rule)# enable | |
¹ When using the 'not' key, the rule will work for values which are not included in the specified profile.
Each 'match' command may contain the 'not' key. When the key is used, packets that do not meet the given requirement will fall under the rule. You can obtain more detailed information about router configuration in the 'CLI command reference guide'.
Destination NAT configuration example
Objective:
Establish access from the public network, which belongs to the 'UNTRUST' zone, to a LAN server in the 'TRUST' zone. The server address in the LAN is 10.1.1.100. The server should be reachable from outside at the public address 1.2.3.4, port 80.
Figure 6 – Network structure
Solution:
Create 'UNTRUST' and 'TRUST' security zones. Specify the inherence of the network interfaces being used to zones. Assign IP addresses to interfaces at the same time.
esr# configure
esr(config)# security zone UNTRUST
esr(config-zone)# exit
esr(config)# security zone TRUST
esr(config-zone)# exit
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# security-zone TRUST
esr(config-if-gi)# ip address 10.1.1.1/25
esr(config-if-gi)# exit
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip address 1.2.3.4/29
esr(config-if-te)# security-zone UNTRUST
esr(config-if-te)# exit
Create IP address and port profiles required for configuration of the Firewall and DNAT rules.
- NET_UPLINK – public network address profile;
- SERVER_IP – local area network address profile;
- SRV_HTTP – port profile.
esr(config)# object-group network NET_UPLINK
esr(config-object-group-network)# ip address 1.2.3.4
esr(config-object-group-network)# exit
esr(config)# object-group service SRV_HTTP
esr(config-object-group-service)# port 80
esr(config-object-group-service)# exit
esr(config)# object-group network SERVER_IP
esr(config-object-group-network)# ip address 10.1.1.100
esr(config-object-group-network)# exit
Proceed to DNAT configuration mode and create destination address and port pool that will be used for translation of packet addresses coming to address 1.2.3.4 from the external network.
esr(config)# nat destination
esr(config-dnat)# pool SERVER_POOL
esr(config-dnat-pool)# ip address 10.1.1.100
esr(config-dnat-pool)# ip port 80
esr(config-dnat-pool)# exit
Create 'DNAT' rule set which will be used for address translation. In the set attributes, specify that the rules are applying only to packets coming from the 'UNTRUST' zone. Rule set includes data matching requirements for destination address and port (match destination-address, match destination-port) and for the protocol. Also, the set includes an action that applies to the data that satisfy all of the rules (action destination-nat). The rule set is applied with 'enable' command.
esr(config-dnat)# ruleset DNAT
esr(config-dnat-ruleset)# from zone UNTRUST
esr(config-dnat-ruleset)# rule 1
esr(config-dnat-rule)# match destination-address NET_UPLINK
esr(config-dnat-rule)# match protocol tcp
esr(config-dnat-rule)# match destination-port SRV_HTTP
esr(config-dnat-rule)# action destination-nat pool SERVER_POOL
esr(config-dnat-rule)# enable
esr(config-dnat-rule)# exit
esr(config-dnat-ruleset)# exit
esr(config-dnat)# exit
To transfer the traffic coming from 'UNTRUST' zone into 'TRUST' zone, create the respective pair of zones. Only DNAT-translated traffic with the destination address matching the 'SERVER_IP' specified in the profile should be transferred.
esr(config)# security zone-pair UNTRUST TRUST
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# match destination-address SERVER_IP
esr(config-zone-pair-rule)# match destination-nat
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# exit
Configuration changes take effect once the configuration is applied. To view the DNAT pools, rule sets, proxy ARP entries and active translations, use the following commands:
esr# show ip nat destination pools
esr# show ip nat destination rulesets
esr# show ip nat proxy-arp
esr# show ip nat translations
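To see why the zone-pair rule above admits only translated traffic, here is an added Python model (not Eltex's code) of the DNAT rule set and the UNTRUST to TRUST zone-pair rule from this example: a packet to 1.2.3.4:80 is rewritten to 10.1.1.100:80 and permitted, while a packet addressed straight to 10.1.1.100 is not. The object groups, pool and rules mirror the configuration; default deny for a zone pair with no matching rule, and the egress zone being derived from the interface addressing, are this example's assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str
    proto: str
    dst_ip: str
    dst_port: int
    dnat_applied: bool = False  # set once a DNAT rule has translated the packet


# Constructed objects mirroring the configuration example above.
NETWORK_GROUPS: Dict[str, set] = {"NET_UPLINK": {"1.2.3.4"}, "SERVER_IP": {"10.1.1.100"}}
SERVICE_GROUPS: Dict[str, set] = {"SRV_HTTP": {80}}
DNAT_POOLS = {"SERVER_POOL": ("10.1.1.100", 80)}
# ruleset DNAT / from zone UNTRUST / rule 1
DNAT_RULES = [{"from_zone": "UNTRUST", "dst_addr": "NET_UPLINK", "proto": "tcp",
               "dst_port": "SRV_HTTP", "pool": "SERVER_POOL"}]
# security zone-pair UNTRUST TRUST / rule 1 (match destination-nat is "require_dnat")
ZONE_PAIR_RULES = {("UNTRUST", "TRUST"): [
    {"dst_addr": "SERVER_IP", "require_dnat": True, "action": "permit"}]}
# Interface addressing from the example decides the zone of the translated destination.
ZONE_OF_NETWORK = {ip_network("10.1.1.0/25"): "TRUST", ip_network("1.2.3.0/29"): "UNTRUST"}


def apply_dnat(pkt: Packet) -> Packet:
    """Run the DNAT rule set: the first enabled rule that matches translates and stops."""
    for rule in DNAT_RULES:
        if (pkt.src_zone == rule["from_zone"]
                and pkt.dst_ip in NETWORK_GROUPS[rule["dst_addr"]]
                and pkt.proto == rule["proto"]
                and pkt.dst_port in SERVICE_GROUPS[rule["dst_port"]]):
            ip, port = DNAT_POOLS[rule["pool"]]
            return replace(pkt, dst_ip=ip, dst_port=port, dnat_applied=True)
    return pkt


def egress_zone(dst_ip: str) -> Optional[str]:
    """Zone of the interface whose subnet contains the destination (assumption)."""
    addr = ip_address(dst_ip)
    for net, zone in ZONE_OF_NETWORK.items():
        if addr in net:
            return zone
    return None


def zone_pair_verdict(pkt: Packet) -> str:
    """Apply the zone-pair rules to the packet as the firewall sees it after DNAT."""
    pair = (pkt.src_zone, egress_zone(pkt.dst_ip))
    for rule in ZONE_PAIR_RULES.get(pair, []):
        if (pkt.dst_ip in NETWORK_GROUPS[rule["dst_addr"]]
                and (not rule["require_dnat"] or pkt.dnat_applied)):
            return rule["action"]
    return "deny"  # assumption: a zone pair without a matching rule blocks the packet


def forward(pkt: Packet) -> dict:
    """Full path of one packet: DNAT first, then the zone-pair decision."""
    translated = apply_dnat(pkt)
    return {"dst": f"{translated.dst_ip}:{translated.dst_port}",
            "dnat": translated.dnat_applied,
            "verdict": zone_pair_verdict(translated)}
```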
Source NAT configuration
Source NAT (SNAT) substitutes the source address of packets transferred through the network gateway. When packets are transferred from the LAN to the public network, the source address is replaced with one of the gateway's public addresses; the source port may be substituted as well. When the reply packets return from the public network to the LAN, the address and port are reverted to their original values.
SNAT enables Internet access for computers located in the LAN without assigning public IP addresses to them.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Switch to the configuration mode of source address translation service. | esr(config)# nat source | |
2 | Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optionally). | esr(config-snat)# pool <NAME> | <NAME> – NAT addresses pool name, set by the string of up to 31 characters. |
3 | Set the range of IP addresses which will replace a source IP address. | esr(config-snat-pool)# ip address-range <IP>[-<ENDIP>] | <IP> – IP address of the beginning of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <ENDIP> – IP address of the end of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. If IP address of the end of the range is not specified, only IP address of the beginning of the range is used as IP address for translation. |
4 | Specify the range of external TCP/UDP ports which will replace a source TCP/UDP port. | esr(config-snat-pool)# ip port-range <PORT>[-<ENDPORT>] | <PORT> – TCP/UDP port of the beginning of range, takes values of [1..65535]. <ENDPORT> – TCP/UDP port of the end of range, takes values of [1..65535]. If TCP/UDP port of the end of the range is not specified, only TCP/UDP port of the beginning of the range is used as TCP/UDP port for translation. |
5 | Set the internal TCP/UDP port which will replace a source TCP/UDP port. | esr(config-snat-pool)# ip port <PORT> | <PORT> – TCP/UDP port, takes values of [1..65535]. |
6 | Enable NAT persistent functions. | esr(config-snat-pool)# persistent | |
7 | Create a rule group with a specific name. | esr(config-snat)# ruleset <NAME> | <NAME> – rule group name, set by the string of up to 31 characters. |
8 | Specify VRF instance, in which the given rule group will operate (optionally). | esr(config-snat-ruleset)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
9 | Set the rule group scope. The rules will be applied only to traffic going to a certain zone or interface. | esr(config-snat-ruleset)# to { zone <NAME> | interface <IF> | tunnel <TUN> | default } | <NAME> – isolation zone name; <IF> – device interface name; <TUN> – device tunnel name. |
10 | Specify a rule with a certain number. The rules are proceeded in ascending order. | esr(config-snat-ruleset)# rule <ORDER> | <ORDER> – rule number, takes values of [1..10000]. |
11 | Specify the profile of IP addresses {sender | recipient} for which the rule should work. | esr(config-snat-rule)# match [not] 1 {source | destination}-address <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. “Any” value points at any source IP address. |
12 | Specify the profile of TCP/UDP ports {sender | recipient} for which the rule should work (optionally). | esr(config-snat-rule)# match [not]¹ {source | destination}-port <PORT-SET-NAME> | <PORT-SET-NAME> – port profile name, set by a string of up to 31 characters. The “any” value matches any TCP/UDP port. |
13 | Set the name or number of the IP protocol for which the rule should work (optionally). | esr(config-snat-rule)# match [not]¹ {protocol <TYPE> | protocol-id <ID>} | <TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. The “any” value matches any protocol type. <ID> – IP protocol number, takes values of [0x00..0xFF]. |
14 | Specify the type and code of ICMP messages for which the rule should work (optionally). | esr(config-snat-rule)# match [not] icmp {<ICMP_TYPE> <ICMP_CODE> | <TYPE-NAME>} | <ICMP_TYPE> – ICMP message type, takes values of [0..255]. <ICMP_CODE> – ICMP message code, takes values of [0..255]. The “any” value matches any message code. <TYPE-NAME> – ICMP message type name. |
15 | Specify the action “translation of source address and port” for traffic meeting the requirements of the “match” commands. | esr(config-snat-rule)# action source-nat { off | pool <NAME> | netmap <ADDR/LEN> [static] | interface [FIRST_PORT – LAST_PORT] } | off – translation is disabled; pool <NAME> – name of the pool that contains the set of IP addresses and/or TCP/UDP ports; netmap <ADDR/LEN> – subnet IP address and mask used during translation, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]; static – option for static NAT organization; interface [FIRST_PORT – LAST_PORT] – translation to the interface IP address. If a range of TCP/UDP ports is additionally specified, translation occurs only for sender TCP/UDP ports within the specified range. |
16 | Activate the configured rule. | esr(config-snat-rule)# enable | |
¹ When using the not key, the rule will work for values which are not included in the specified profile.
Each 'match' command may contain the 'not' key. When the key is used, packets that do not meet the given requirement fall under the rule.
You can obtain more detailed information about router configuration in the 'CLI command reference guide'.
Configuration example 1
Objective:
Configure access for users in LAN 10.1.2.0/24 to the public network using the Source NAT function. Use the public network address range 100.0.0.100-100.0.0.249 for SNAT.
Figure 7 – Network structure
Solution:
Begin configuration by creating security zones, configuring network interfaces and assigning them to security zones. Create the 'TRUST' zone for the LAN and the 'UNTRUST' zone for the public network.
```
esr# configure
esr(config)# security zone UNTRUST
esr(config-zone)# exit
esr(config)# security zone TRUST
esr(config-zone)# exit

esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip address 10.1.2.1/24
esr(config-if-gi)# security-zone TRUST
esr(config-if-gi)# exit

esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip address 100.0.0.99/24
esr(config-if-te)# security-zone UNTRUST
esr(config-if-te)# exit
```
For SNAT configuration and definition of rules for security zones, create the 'LOCAL_NET' LAN address profile, which includes the addresses allowed to access the public network, and the 'PUBLIC_POOL' public network address profile.
```
esr(config)# object-group network LOCAL_NET
esr(config-object-group-network)# ip address-range 10.1.2.2-10.1.2.254
esr(config-object-group-network)# exit

esr(config)# object-group network PUBLIC_POOL
esr(config-object-group-network)# ip address-range 100.0.0.100-100.0.0.249
esr(config-object-group-network)# exit
```
To transfer traffic from the 'TRUST' zone into the 'UNTRUST' zone, create a zone pair and add a rule allowing traffic in this direction. Additionally, the source address is checked for membership of the 'LOCAL_NET' address range in order to limit access to the public network. Rules are applied with the enable command.
```
esr(config)# security zone-pair TRUST UNTRUST
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# match source-address LOCAL_NET
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
```
Configure the SNAT service. The first step is to create the public network address pool for use with SNAT.
```
esr(config)# nat source
esr(config-snat)# pool TRANSLATE_ADDRESS
esr(config-snat-pool)# ip address-range 100.0.0.100-100.0.0.249
esr(config-snat-pool)# exit
```
The second step is to create the SNAT rule set. In the set attributes, specify that the rules apply only to packets transferred to the public network, i.e. into the 'UNTRUST' zone. The rules include a check that the source address belongs to the 'LOCAL_NET' profile.
```
esr(config-snat)# ruleset SNAT
esr(config-snat-ruleset)# to zone UNTRUST
esr(config-snat-ruleset)# rule 1
esr(config-snat-rule)# match source-address LOCAL_NET
esr(config-snat-rule)# action source-nat pool TRANSLATE_ADDRESS
esr(config-snat-rule)# enable
esr(config-snat-rule)# exit
esr(config-snat-ruleset)# exit
```
For the router to respond to ARP requests for addresses from the public pool, the ARP Proxy service must be started. ARP Proxy is configured on the interface whose IP address belongs to the subnet of the 'PUBLIC_POOL' public network address profile.
```
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip nat proxy-arp PUBLIC_POOL
```
To enable public network access for LAN devices, they should be configured for routing: 10.1.2.1 should be defined as the gateway address.
On the router, create the route to the public network. Specify it as the default route using the following command.
```
esr(config)# ip route 0.0.0.0/0 100.0.0.1
esr(config)# exit
```
Configuration example 2
Objective:
Configure access for users in LAN 21.12.2.0/24 to the public network using the Source NAT function without the firewall. The public network address range for SNAT is 200.10.0.100-200.10.0.249.
Figure 8 – Network structure
Solution:
Begin by configuring the network interfaces and disabling the firewall on them:
```
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip address 21.12.2.1/24
esr(config-if-gi)# ip firewall disable
esr(config-if-gi)# exit

esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip address 200.10.0.1/24
esr(config-if-te)# ip firewall disable
esr(config-if-te)# exit
```
For SNAT configuration, create the 'LOCAL_NET' LAN address profile, which includes the addresses allowed to access the public network, and the 'PUBLIC_POOL' public network address profile.
```
esr(config)# object-group network LOCAL_NET
esr(config-object-group-network)# ip address-range 21.12.2.2-21.12.2.254
esr(config-object-group-network)# exit

esr(config)# object-group network PUBLIC_POOL
esr(config-object-group-network)# ip address-range 200.10.0.100-200.10.0.249
esr(config-object-group-network)# exit
```
Configure SNAT service.
The first step is to create the public network address pool for use with SNAT:
```
esr(config)# nat source
esr(config-snat)# pool TRANSLATE_ADDRESS
esr(config-snat-pool)# ip address-range 200.10.0.100-200.10.0.249
esr(config-snat-pool)# exit
```
The second step is to create the SNAT rule set. In the set attributes, specify that the rules apply only to packets transferred to the public network through port te1/0/1. The rules include a check that the source address belongs to the 'LOCAL_NET' profile:
```
esr(config-snat)# ruleset SNAT
esr(config-snat-ruleset)# to interface te1/0/1
esr(config-snat-ruleset)# rule 1
esr(config-snat-rule)# match source-address LOCAL_NET
esr(config-snat-rule)# action source-nat pool TRANSLATE_ADDRESS
esr(config-snat-rule)# enable
esr(config-snat-rule)# exit
esr(config-snat-ruleset)# exit
```
For the router to respond to ARP requests for addresses from the public pool, the ARP Proxy service must be started. ARP Proxy is configured on the interface whose IP address belongs to the subnet of the 'PUBLIC_POOL' public network address profile:
```
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip nat proxy-arp PUBLIC_POOL
```
To enable public network access for LAN devices, they should be configured for routing: 21.12.2.1 should be defined as the gateway address.
On the router, create the route to the public network. Specify it as the default route using the following command:
```
esr(config)# ip route 0.0.0.0/0 200.10.0.254
esr(config)# exit
```
Static NAT configuration
Static NAT sets a unique one-to-one match between two addresses: when a packet passes through the router, its address is changed to another, strictly specified one. The translation entry is kept indefinitely, until NAT is reconfigured on the router.
Configuration algorithm
Static NAT is configured by Source NAT means; the configuration algorithm is described in the section 'Source NAT configuration, configuration algorithm' of this manual.
Static NAT configuration example
Objective:
Configure two-way, permanent translation of the LAN address range 21.12.2.100-21.12.2.150 to the public network 200.10.0.0/24. The public network address range to use for translation is 200.10.0.100-200.10.0.150.
Figure 9 – Network structure
Solution:
Begin by configuring the network interfaces and disabling the firewall on them:
```
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip address 21.12.2.1/24
esr(config-if-gi)# ip firewall disable
esr(config-if-gi)# exit

esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip address 200.10.0.1/24
esr(config-if-te)# ip firewall disable
esr(config-if-te)# exit
```
For Static NAT configuration, create the 'LOCAL_NET' LAN address profile, which includes the local subnet, and the 'PUBLIC_POOL' public network address profile.
```
esr(config)# object-group network LOCAL_NET
esr(config-object-group-network)# ip prefix 21.12.2.0/24
esr(config-object-group-network)# exit

esr(config)# object-group network PUBLIC_POOL
esr(config-object-group-network)# ip prefix 200.10.0.0/24
esr(config-object-group-network)# exit
```
The range of public network addresses used for Static NAT is specified in the “PROXY” profile:
```
esr(config)# object-group network PROXY
esr(config-object-group-network)# ip address-range 200.10.0.100-200.10.0.150
esr(config-object-group-network)# exit
```
Configure the Static NAT service in SNAT configuration mode. In the set attributes, specify that the rules apply only to packets transferred to the public network through port te1/0/1. The rules check that the source address belongs to the “LOCAL_NET” profile and that the destination address belongs to the “PUBLIC_POOL” profile.
```
esr(config)# nat source
esr(config-snat)# ruleset SNAT
esr(config-snat-ruleset)# to interface te1/0/1
esr(config-snat-ruleset)# rule 1
esr(config-snat-rule)# match source-address LOCAL_NET
esr(config-snat-rule)# match destination-address PUBLIC_POOL
esr(config-snat-rule)# action source-nat netmap 200.10.0.0/24 static
esr(config-snat-rule)# enable
esr(config-snat-rule)# exit
esr(config-snat-ruleset)# exit
```
For the router to respond to ARP requests for addresses from the “PROXY” translation pool, the ARP Proxy service must be started. ARP Proxy is configured on the interface whose IP address belongs to the subnet of the 'PROXY' address profile:
```
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip nat proxy-arp PROXY
```
To enable access to the 200.10.0.0/24 network for LAN devices, they should be configured for routing: 21.12.2.1 should be defined as the gateway address.
The configuration changes come into effect after applying the following commands:
```
esr# commit
Configuration has been successfully committed
esr# confirm
Configuration has been successfully confirmed
```
You can display active translations by using the following command:
```
esr# show ip nat translations
```
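The pool and netmap-static translations from the three examples above, modelled in Python as an added example (not ESR code): object-groups, a ruleset with its 'to' scope, ordered rules with 'match [not]', and the 'pool', 'netmap ... static' and 'off' actions. Assumed, because the page does not state it: the first matching rule wins, a non-persistent pool binds an address per (source, destination) flow while 'persistent' binds per source host, and netmap keeps the host bits of the original address.

```python
"""Model of ESR Source NAT rule evaluation (added example, not ESR code).

A ruleset applies only to traffic leaving via its 'to' scope; rules are tried in ascending
order; all 'match [not]' tests of a rule must hold; the first matching rule's action
('off', 'pool <NAME>' or 'netmap <ADDR/LEN> static') is applied. Flows are (src, dst) only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

class ObjectGroupNetwork:
    def __init__(self) -> None:
        self.ranges: List[Tuple[int, int]] = []   # inclusive integer intervals

    def ip_address_range(self, start: str, end: Optional[str] = None) -> None:
        self.ranges.append((int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end or start))))

    def ip_prefix(self, prefix: str) -> None:
        net = ipaddress.IPv4Network(prefix)
        self.ranges.append((int(net.network_address), int(net.broadcast_address)))

    def contains(self, ip: str) -> bool:
        n = int(ipaddress.IPv4Address(ip))
        return any(a <= n <= b for a, b in self.ranges)

@dataclass
class Match:
    field: str            # "source-address" | "destination-address"
    group: str            # object-group name, or "any"
    negate: bool = False  # the 'not' key: the rule fires when the group does NOT match

@dataclass
class Rule:
    order: int
    matches: List[Match]
    action: Tuple         # ("off",) | ("pool", name) | ("netmap", prefix, static)
    enabled: bool = True  # the 'enable' command

class SnatRuleset:
    def __init__(self, groups: Dict[str, ObjectGroupNetwork], to: Tuple[str, ...]) -> None:
        self.groups, self.to = groups, to    # to = ("zone", NAME) | ("interface", IF) | ("default",)
        self.pools: Dict[str, List[str]] = {}
        self.persistent: Dict[str, bool] = {}
        self.rules: List[Rule] = []
        self._bindings: Dict[Tuple, str] = {}  # flow (or host, if persistent) -> public address

    def pool(self, name: str, start: str, end: Optional[str] = None, persistent: bool = False) -> None:
        a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end or start))
        self.pools[name] = [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]
        self.persistent[name] = persistent

    def _match(self, m: Match, src: str, dst: str) -> bool:
        hit = m.group == "any" or self.groups[m.group].contains(src if m.field == "source-address" else dst)
        return hit != m.negate               # the 'not' key inverts the test

    def translate(self, src: str, dst: str, egress: Tuple[str, ...]) -> str:
        """Return the source address the packet leaves with."""
        if self.to not in (("default",), egress):
            return src                       # ruleset is out of scope for this egress
        for rule in sorted(self.rules, key=lambda r: r.order):
            if rule.enabled and all(self._match(m, src, dst) for m in rule.matches):
                return self._apply(rule.action, src, dst)
        return src                           # no rule matched: packet leaves untranslated

    def _apply(self, action: Tuple, src: str, dst: str) -> str:
        if action[0] == "off":
            return src
        if action[0] == "pool":
            name = action[1]
            key = (name, src) if self.persistent[name] else (name, src, dst)
            if key not in self._bindings:    # hand out the next pool address, wrapping around
                used = sum(1 for k in self._bindings if k[0] == name)
                self._bindings[key] = self.pools[name][used % len(self.pools[name])]
            return self._bindings[key]
        if action[0] == "netmap":            # static one-to-one: replace network bits, keep host bits
            net = ipaddress.IPv4Network(action[1])
            host = int(ipaddress.IPv4Address(src)) & int(net.hostmask)
            return str(ipaddress.IPv4Address(int(net.network_address) | host))
        raise ValueError(f"unknown action {action[0]}")

def source_nat_example1(persistent: bool = False) -> SnatRuleset:
    """Configuration example 1: LOCAL_NET -> pool TRANSLATE_ADDRESS when leaving zone UNTRUST."""
    local = ObjectGroupNetwork()
    local.ip_address_range("10.1.2.2", "10.1.2.254")
    rs = SnatRuleset({"LOCAL_NET": local}, to=("zone", "UNTRUST"))
    rs.pool("TRANSLATE_ADDRESS", "100.0.0.100", "100.0.0.249", persistent=persistent)
    rs.rules.append(Rule(1, [Match("source-address", "LOCAL_NET")], ("pool", "TRANSLATE_ADDRESS")))
    return rs

def static_nat_example() -> SnatRuleset:
    """Static NAT example: netmap 200.10.0.0/24 static for LOCAL_NET -> PUBLIC_POOL via te1/0/1."""
    local, public = ObjectGroupNetwork(), ObjectGroupNetwork()
    local.ip_prefix("21.12.2.0/24")
    public.ip_prefix("200.10.0.0/24")
    rs = SnatRuleset({"LOCAL_NET": local, "PUBLIC_POOL": public}, to=("interface", "te1/0/1"))
    rs.rules.append(Rule(1, [Match("source-address", "LOCAL_NET"), Match("destination-address", "PUBLIC_POOL")],
                         ("netmap", "200.10.0.0/24", True)))
    return rs
```

Note that the static example leaves LAN traffic to any destination outside PUBLIC_POOL untranslated, which is exactly why the ruleset's destination match matters when a second, pool-based rule is absent.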
Configuration example of application filtering (DPI)
The application filtering mechanism reduces router performance several-fold, because every packet has to be inspected. Performance decreases further as the number of applications selected for filtering grows.
Objective:
Block access to such resources as YouTube, BitTorrent and Facebook.
Figure 10 – Network structure
Solution:
Create a security zone for each ESR network:
```
esr# configure
esr(config)# security zone LAN
esr(config-zone)# exit
esr(config)# security zone WAN
esr(config-zone)# exit
```
Configure network interfaces and assign them to security zones:
```
esr(config)# interface gi1/0/1
esr(config-if-gi)# ip address 10.0.0.1/24
esr(config-if-gi)# security-zone WAN
esr(config-if-gi)# exit
esr(config)# interface gi1/0/2
esr(config-if-gi)# ip address 192.168.0.1/24
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# exit
```
To configure security zone rules, create a profile of the applications to be blocked.
```
esr(config)# object-group application APP
esr(config-object-group-application)# application youtube
esr(config-object-group-application)# application bittorrent
esr(config-object-group-application)# application facebook
esr(config-object-group-application)# exit
```
To set the rules for traffic passing from the “WAN” zone to the “LAN” zone, create a zone pair and add a rule denying the application traffic and a rule permitting the rest of the traffic. Rules are applied with the enable command:
```
esr(config)# security zone-pair WAN LAN
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action deny
esr(config-zone-pair-rule)# match application APP
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# rule 2
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
```
To set the rules for traffic passing from the “LAN” zone to the “WAN” zone, create a zone pair and add a rule permitting all traffic. Rules are applied with the enable command:
```
esr(config)# security zone-pair LAN WAN
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
```
To view port membership in zones, use the following command:
```
esr# show security zone
```
To view zone pairs and their configuration, use the following commands:
```
esr# show security zone-pair
esr# show security zone-pair configuration
```
To view active sessions, use the following command:
```
esr# show ip firewall sessions
```
HTTP/HTTPS traffic proxying
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create an object holding a URL set | esr(config)# object-group url <NAME> | <NAME> – object name. |
2 | Add a URL to the set | esr(config-object-group-url)# url <URL> | <URL> – web page or site address. |
3 | Create proxy profile | esr(config)# ip http profile <NAME> | <NAME> – profile name. |
4 | Choose the default action | esr(config-profile)# default action {deny|permit|redirect} [redirect-url <URL>] | <URL> – address of the host to which requests will be redirected. |
5 | Specify description (optionally). | esr(config-profile)# description <description> | <description> – up to 255 characters. |
6 | Specify a local or remote URL list and the action for it (deny/permit/redirect) (optionally) | esr(config-profile)# urls {local|remote} <URL_OBJ_GROUP_NAME> action {deny|permit|redirect} [redirect-url <URL>] | <URL_OBJ_GROUP_NAME> – name of the object containing the URL set. |
7 | Specify the remote server hosting the required URL lists (optionally) | esr(config)# ip http proxy server-url <URL> | <URL> – server address from which remote URL lists are taken. |
8 | Specify the listening ports for HTTP proxying (optionally) | esr(config)# ip http proxy listen-ports <OBJ_GROUP_NAME> | <OBJ_GROUP_NAME> – port profile name, set by a string of up to 31 characters. |
9 | Specify the listening ports for HTTPS proxying (optionally) | esr(config)# ip https proxy listen-ports <OBJ_GROUP_NAME> | <OBJ_GROUP_NAME> – port profile name, set by a string of up to 31 characters. |
10 | Enable proxying on the interface based on the selected HTTP profile | esr(config-if)# ip http proxy <PROFILE_NAME> | <PROFILE_NAME> – profile name |
11 | Enable proxying on the interface based on the selected HTTPS profile | esr(config-if)# ip https proxy <PROFILE_NAME> | <PROFILE_NAME> – profile name |
12 | Create services lists which will be used during filtration. | esr(config)# object-group service <obj-group-name> | <obj-group-name> – service profile name, set by the string of up to 31 characters. |
13 | Specify services list description (optionally). | esr(config-object-group-service)# description <description> | <description> – profile description, set by the string of up to 255 characters. |
14 | Add necessary services (tcp/udp ports) to the list. | esr(config-object-group-service)# port-range 3129-3134 | The ESR proxy server uses ports 3129, 3130, 3133 and 3134 for its operation. |
15 | Create an interzone interaction rule set. | esr(config)# security zone-pair <src-zone-name> self | <src-zone-name> – security zone in which the interfaces with the ip http proxy or ip https proxy function are located. self – a predefined security zone for traffic addressed to the ESR itself. |
16 | Create an interzone interaction rule. | esr(config-zone-pair)# rule <rule-number> | <rule-number> – 1..10000. |
17 | Specify rule description (optionally). | esr(config-zone-rule)# description <description> | <description> – up to 255 characters. |
18 | Specify the rule action. | esr(config-zone-rule)# action <action> [ log ] | <action> – permit; log – key to enable logging of sessions established according to this rule. |
19 | Set the name of the IP protocol for which the rule should work. | esr(config-zone-rule)# match protocol <protocol-type> | <protocol-type> – tcp; the ESR proxy server uses TCP. |
20 | Set the destination TCP/UDP ports profile for which the rule should work (if the protocol is specified). | esr(config-zone-rule)# match [not] destination-port <obj-group-name> | <obj-group-name> – name of the service profile created in step 12. |
21 | Activate the rule. | esr(config-zone-rule)# enable | |
If the Firewall function on the ESR is not forcibly disabled, you must create an allow rule for the Self zone.
HTTP proxy configuration example
Objective:
Organize URL filtering for a number of addresses using a proxy.
Figure 11 – Network structure
Solution:
Create the set of URLs to filter by, then configure a proxy profile that specifies the action for the created URL set.
```
esr# configure
esr(config)# object-group url test1
esr(config-object-group-url)# url http://speedtest.net/
esr(config-object-group-url)# url http://www.speedtest.net/
esr(config-object-group-url)# exit
```
Create a profile:
```
esr(config)# ip http profile list1
esr(config-profile)# default action permit
esr(config-profile)# urls local test1 action redirect redirect-url http://test.loc
esr(config-profile)# exit
```
Enable proxying on the interface with profile 'list1':
```
esr(config)# interface gi 1/0/1
esr(config-if)# ip http proxy list1
```
If you use Firewall, create permissive rules for it:
Create a proxy port profile:
```
esr(config)# object-group service proxy
esr(config-object-group-service)# port-range 3129-3134
esr(config-object-group-service)# exit
```
Create a permissive interzone interaction rule:
```
esr(config)# security zone-pair LAN self
esr(config-zone-pair)# rule 50
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol tcp
esr(config-zone-pair-rule)# match destination-port proxy
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
```
Configuration of logging and protection against network attacks
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Enable protection against ICMP flood attacks. | esr(config)# ip firewall screen dos-defense icmp-threshold { <NUM> } | <NUM> – amount of ICMP packets per second, set in the range of [1..10000] |
2 | Enable protection against land attacks. | esr(config)# firewall screen dos-defense land | |
3 | Enable the limitation on the amount of simultaneous sessions based on the destination address. | esr(config)# ip firewall screen dos-defense limit-session-destination { <NUM> } | <NUM> – limit on the amount of simultaneous sessions. |
4 | Enable the limitation on the amount of simultaneous sessions based on the source address, which mitigates DoS attacks. | esr(config)# ip firewall screen dos-defense limit-session-source { <NUM> } | <NUM> – limit on the amount of simultaneous sessions. |
5 | Enable protection against SYN flood attacks. | esr(config)# ip firewall screen dos-defense syn-flood { <NUM> } [src-dst] | <NUM> – maximum amount of TCP packets with the SYN flag set per second, set in the range of [1..10000]. src-dst – the limit on TCP packets with the SYN flag set is applied per source and destination address pair. |
6 | Enable protection against UDP flood attacks. | esr(config)# ip firewall screen dos-defense udp-threshold { <NUM> } | <NUM> – maximum amount of UDP packets per second, set in the range of [1..10000]. |
7 | Enable protection against winnuke attacks. | esr(config)# ip firewall screen dos-defense winnuke | |
8 | Enable the blocking of TCP packets with the FIN flag set and the ACK flag not set. | esr(config)# ip firewall screen spy-blocking fin-no-ack | |
9 | Enable the blocking of ICMP packets of a given type. | esr(config)# ip firewall screen spy-blocking icmp-type <TYPE> | <TYPE> – ICMP type, takes the following values: destination-unreachable, echo-request, reserved, source-quench, time-exceeded. |
10 | Enable the protection against IP-sweep attacks. | esr(config)# ip firewall screen spy-blocking ip-sweep { <NUM> } | <NUM> – ip sweep attack detection time, set in milliseconds [1..1000000]. |
11 | Enable protection against port scan attacks. | esr(config)# ip firewall screen spy-blocking port-scan { <threshold> } [ <TIME> ] | <threshold> – interval in milliseconds during which the port scan attack will be recorded [1..1000000]. <TIME> – blocking time in milliseconds [1..1000000]. |
12 | Enable the protection against IP spoofing attacks. | esr(config)# ip firewall screen spy-blocking spoofing | |
13 | Enable the blocking of TCP packets, with the SYN and FIN flags set. | esr(config)# ip firewall screen spy-blocking syn-fin | |
14 | Enable the blocking of TCP packets, with all flags or with the set of flags: FIN, PSH, URG. The given command provides the protection against XMAS attack | esr(config)# ip firewall screen spy-blocking tcp-all-flag | |
15 | Enable the blocking of TCP packets, with the zero “flags” field. | esr(config)# ip firewall screen spy-blocking tcp-no-flag | |
16 | Enable the blocking of fragmented ICMP packets. | esr(config)# ip firewall screen suspicious-packets icmp-fragment | |
17 | Enable the blocking of fragmented IP packets. | esr(config)# ip firewall screen suspicious-packets ip-fragment | |
18 | Enable the blocking of ICMP packets larger than 1024 bytes. | esr(config)# ip firewall screen suspicious-packets large-icmp | |
19 | Enable the blocking of fragmented TCP packets, with the SYN flag. | esr(config)# ip firewall screen suspicious-packets syn-fragment | |
20 | Enable the blocking of fragmented UDP packets. | esr(config)# ip firewall screen suspicious-packets udp-fragment | |
21 | Enable the blocking of packets, with the protocol ID contained in IP header equal to 137 and more. | esr(config)# ip firewall screen suspicious-packets unknown-protocols | |
22 | Set the frequency of notification (via SNMP, syslog and in the CLI) about detected and blocked network attacks. | esr(config)# ip firewall logging interval <NUM> | <NUM> – time interval in seconds [30..2147483647]. |
23 | Enable more detailed message output about detected and blocked network attacks in the CLI. | esr(config)# logging firewall screen detailed | |
24 | Enable the mechanism of DoS attack detection and logging via CLI, syslog and SNMP. | esr(config)# logging firewall screen dos-defense <ATTACK_TYPE> | <ATTACK_TYPE> – DoS attack type, takes the following values: icmp-threshold, land, limit-session-destination, limit-session-source, syn-flood, udp-threshold, winnuke. |
25 | Enable the mechanism of reconnaissance activity detection and logging via CLI, syslog and SNMP. | esr(config)# logging firewall screen spy-blocking { <ATTACK_TYPE> | icmp-type <ICMP_TYPE> } | <ATTACK_TYPE> – reconnaissance activity type, takes the following values: fin-no-ack, ip-sweep, port-scan, spoofing, syn-fin, tcp-all-flag, tcp-no-flag. <ICMP_TYPE> – ICMP type, takes the values: destination-unreachable, echo-request, reserved, source-quench, time-exceeded. |
26 | Enable the mechanism of suspicious packet detection and logging via CLI, syslog and SNMP. | esr(config)# logging firewall screen suspicious-packets <PACKET_TYPE> | <PACKET_TYPE> – suspicious packet type, takes the following values: icmp-fragment, ip-fragment, large-icmp, syn-fragment, udp-fragment, unknown-protocols. |
Description of attack protection mechanisms
Command | Description |
---|---|
ip firewall screen dos-defense icmp-threshold | This command enables protection against ICMP flood attacks. When the protection is enabled, the amount of ICMP packets of all types per second for one destination address is limited. The attack leads to the host rebooting or failing because it has to process and answer every query. |
firewall screen dos-defense land | This command enables protection against land attacks. When the protection is enabled, packets with the same source and destination IP addresses and with the SYN flag set in the TCP header are blocked. The attack leads to the host rebooting or failing because it has to process each TCP SYN packet and attempts to establish a TCP session with itself. |
ip firewall screen dos-defense limit-session-destination | When the host IP session table is full, the host is unable to establish new sessions and drops queries (this may happen during various attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables the limitation on the amount of simultaneous sessions based on the destination address, which mitigates DoS attacks. |
ip firewall screen dos-defense limit-session-source | When the host IP session table is full, the host is unable to establish new sessions and drops queries (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables the limitation on the amount of simultaneous sessions based on the source address, which mitigates DoS attacks. |
ip firewall screen dos-defense syn-flood | This command enables protection against SYN flood attacks. When the protection is enabled, the amount of TCP packets with the SYN flag set per second for one destination address is limited. The attack leads to the host rebooting or failing because it has to process each TCP SYN packet and the attempts to establish a TCP session. |
ip firewall screen dos-defense udp-threshold | This command enables protection against UDP flood attacks. When the protection is enabled, the amount of UDP packets per second for one destination address is limited. The attack leads to the host rebooting or failing due to the massive UDP traffic. |
ip firewall screen dos-defense winnuke | The given command enables the protection against winnuke attacks. When the protection is enabled, |
ip firewall screen spy-blocking fin-no-ack | This command enables the blocking of TCP packets with the FIN flag set and the ACK flag not set. Such packets are crafted deliberately, and the victim's operating system can be identified by its response. |
ip firewall screen spy-blocking icmp-type destination-unreachable | This command enables the blocking of all ICMP type 3 packets (destination-unreachable), including packets generated by the router itself. The protection prevents an attacker from learning the network topology and host availability. |
ip firewall screen spy-blocking icmp-type echo-request | This command enables the blocking of all ICMP type 8 packets (echo-request), including packets generated by the router itself. The protection prevents an attacker from learning the network topology and host availability. |
ip firewall screen spy-blocking icmp-type reserved | This command enables the blocking of all ICMP type 2 and type 7 packets (reserved), including packets generated by the router itself. The protection prevents an attacker from learning the network topology and host availability. |
ip firewall screen spy-blocking icmp-type source-quench | This command enables the blocking of all ICMP type 4 packets (source quench), including packets generated by the router itself. The protection prevents an attacker from learning the network topology and host availability. |
ip firewall screen spy-blocking icmp-type time-exceeded | This command enables the blocking of all ICMP type 11 packets (time exceeded), including packets generated by the router itself. The protection prevents an attacker from learning the network topology and host availability. |
ip firewall screen spy-blocking ip-sweep | This command enables protection against IP-sweep attacks. When the protection is enabled, if more than 10 ICMP requests from one source arrive within the specified interval, the first 10 requests are dropped by the router and the 11th and subsequent ones are discarded for the remainder of the interval. The protection prevents an attacker from learning the network topology and host availability. |
ip firewall screen spy-blocking port-scan | This command enables protection against port scan attacks. If more than 10 TCP packets with the SYN flag arrive from one source within the first specified interval (<threshold>), this behaviour is recorded as a port scan attack and all further packets of that type are blocked for the second specified interval (<TIME>). An attacker will not be able to scan the device's open ports quickly. |
ip firewall screen spy-blocking spoofing | This command enables protection against IP spoofing attacks. When the protection is enabled, the router checks the source address of each packet against the routing table and drops the packet on a mismatch. For example, if a packet with source address 10.0.0.1/24 arrives on the Gi1/0/1 interface while the routing table places that subnet behind the Gi1/0/2 interface, the source address is considered to have been replaced. This protects against network intrusions with spoofed source IP addresses. |
ip firewall screen spy-blocking syn-fin | This command enables the blocking of TCP packets with both the SYN and FIN flags set. Such packets are crafted deliberately, and the victim's operating system can be identified by its response. |
ip firewall screen spy-blocking tcp-all-flag | This command enables the blocking of TCP packets with all flags set or with the flag set FIN, PSH, URG. This provides protection against the XMAS attack. |
ip firewall screen spy-blocking tcp-no-flag | This command enables the blocking of TCP packets with a zero 'flags' field. Such packets are crafted deliberately, and the victim's operating system can be identified by its response. |
ip firewall screen suspicious-packets icmp-fragment | This command enables the blocking of fragmented ICMP packets. ICMP packets are usually small and there is no need to fragment them. |
ip firewall screen suspicious-packets ip-fragment | The given command enables the blocking of fragmented packets. |
ip firewall screen suspicious-packets large-icmp | This command enables the blocking of ICMP packets more than 1024 bytes. |
ip firewall screen suspicious-packets syn-fragment | This command enables the blocking of fragmented TCP packets with the SYN flag. TCP packets with the SYN flag are usually small and there is no need to fragment them. The protection prevents concentration of fragmented packets in a buffer. |
ip firewall screen suspicious-packets udp-fragment | This command enables the blocking of fragmented UDP packets. |
ip firewall screen suspicious-packets unknown-protocols | This command enables the blocking of packets, with the protocol ID contained in IP header equal to 137 and more. |
Configuration example of logging and protection against network attacks
Objective:
Protect the LAN and the ESR router from land, SYN flood and ICMP flood attacks, and configure notification of detected attacks via SNMP traps to the SNMP server 192.168.0.10.
Figure 12 – Network structure
Solution:
First configure the interfaces and the firewall (the firewall configuration, or its absence, does not affect the operation of the network attack protection). The permit-any rules in both directions are used here only so that the example traffic passes between the zones; they are not a recommended production policy:
```
esr(config)# security zone LAN
esr(config-zone)# exit
esr(config)# security zone WAN
esr(config-zone)# exit
esr(config)# security zone-pair LAN WAN
esr(config-zone-pair)# rule 100
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair WAN LAN
esr(config-zone-pair)# rule 100
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# ip address 192.168.0.1/24
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# security-zone WAN
esr(config-if-gi)# ip address 10.0.0.1/24
esr(config-if-gi)# exit
```
Enable protection against land, SYN flood (threshold 100, src-dst mode) and ICMP flood (threshold 100) attacks:
```
esr(config)# ip firewall screen dos-defense land
esr(config)# ip firewall screen dos-defense syn-flood 100 src-dst
esr(config)# ip firewall screen dos-defense icmp-threshold 100
```
Configure logging of detected attacks:
```
esr(config)# ip firewall logging screen dos-defense land
esr(config)# ip firewall logging screen dos-defense syn-flood
esr(config)# ip firewall logging screen dos-defense icmp-threshold
```
Configure the SNMP server to which the traps will be sent:
```
esr(config)# snmp-server
esr(config)# snmp-server host 192.168.0.10
```
To view statistics on detected network attacks, use the following command:
```
esr# show ip firewall screen counters
```
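The following Python model, added here as an example and not part of the ESR documentation or firmware, shows what the screen options above actually test: the TCP flag combinations blocked by syn-fin, tcp-all-flag and tcp-no-flag, and a threshold/block-interval detector of the kind behind spy-blocking port-scan and dos-defense syn-flood. The packet records are constructed; the sliding-window counting, the ordering of the flag checks and the 'detected' verdict are this example's assumptions, not the ESR algorithm.

```python
"""Added example (not ESR firmware): what the TCP-flag screens and the
threshold-based screens check. All packet records here are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Hashable, List, Optional

# TCP header flag bits (RFC 793 ordering within the flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
XMAS = FIN | PSH | URG


def classify_tcp_flags(flags: int) -> Optional[str]:
    """Return the name of the screen option that would block a segment with
    this flags byte, or None when the combination is legitimate. The order of
    the checks (XMAS before SYN+FIN) is this example's assumption."""
    if flags == 0:
        return "tcp-no-flag"                      # NULL scan probe
    if flags == ALL_FLAGS or (flags & XMAS) == XMAS:
        return "tcp-all-flag"                     # XMAS scan probe
    if (flags & SYN) and (flags & FIN):
        return "syn-fin"                          # never valid in a real handshake
    return None


@dataclass
class ThresholdBlocker:
    """Sliding-window counter: when more than `threshold` events for one key
    fall inside `window` seconds, the key is blocked for `block_seconds`.
    The key is whatever the screen counts per, e.g. the source address for
    port-scan or a (source, destination) pair for 'syn-flood ... src-dst'."""
    threshold: int
    window: float
    block_seconds: float
    _events: Dict[Hashable, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque), init=False, repr=False)
    _blocked_until: Dict[Hashable, float] = field(
        default_factory=dict, init=False, repr=False)

    def check(self, key: Hashable, now: float) -> str:
        """'blocked' while a block is active, 'detected' on the event that
        crosses the threshold, otherwise 'pass'."""
        if self._blocked_until.get(key, float("-inf")) > now:
            return "blocked"
        recent = self._events[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                      # expire timestamps outside the window
        if len(recent) > self.threshold:
            self._blocked_until[key] = now + self.block_seconds
            recent.clear()
            return "detected"
        return "pass"


def run_port_scan_demo() -> Dict[str, object]:
    """Constructed scenario: host 10.0.0.99 sends 15 SYNs to distinct ports
    within 0.7 s (threshold 10, window 1 s, block 60 s), then tries again
    after the block has expired; host 10.0.0.7 sends a single SYN."""
    screen = ThresholdBlocker(threshold=10, window=1.0, block_seconds=60.0)
    verdicts: List[str] = [screen.check("10.0.0.99", now=0.05 * i) for i in range(15)]
    return {
        "verdicts": verdicts,                                 # 10 pass, detected, 4 blocked
        "after_block": screen.check("10.0.0.99", now=61.0),   # block expired: pass
        "other_host": screen.check("10.0.0.7", now=0.5),      # unaffected: pass
    }


if __name__ == "__main__":
    for probe in (SYN, SYN | ACK, 0, SYN | FIN, XMAS, ALL_FLAGS):
        print(f"flags=0x{probe:02x}: {classify_tcp_flags(probe) or 'allowed'}")
    print(run_port_scan_demo())
```

The verdict sequence shows the property the table describes: the first ten SYNs pass, the eleventh trips the detector, and everything from that source is dropped until the block interval ends, while an unrelated host is never affected.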
Firewall configuration
A firewall is a set of hardware or software tools that controls and filters transmitted network packets according to defined rules.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create security zones. | esr(config)# security zone <zone-name1> esr(config)# security zone <zone-name2> | <zone-name> – up to 12 characters. |
2 | Specify a security zone description (optionally). | esr(config-zone)# description <description> | <description> – up to 255 characters. |
3 | Specify the VRF instance in which the given security zone will operate (optionally). | esr(config-zone)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
4 | Enable session counters for NAT and Firewall (optionally, may reduce the performance). | esr(config)# ip firewall sessions counters | |
5 | Allow packets that cannot be attributed to any known connection and that do not start a new connection, instead of filtering them (optionally; may reduce performance, and such packets then bypass session tracking). | esr(config)# ip firewall sessions allow-unknown | |
6 | Select firewall operation mode (optionally) | esr(config)# ip firewall mode <MODE> | <MODE> – firewall operation mode, may take the following values: stateful, stateless. Default value: stateful |
7 | Determine the session lifetime for unsupported protocols (optionally). | esr(config)# ip firewall sessions generic-timeout <TIME> | <TIME> – session lifetime for unsupported protocols, takes values in seconds [1..8553600]. By default: 60 seconds. |
8 | Determine ICMP session lifetime after which it is considered to be outdated (optionally). | esr(config)# ip firewall sessions icmp-timeout <TIME> | <TIME> – ICMP session lifetime, takes values in seconds [1..8553600]. By default: 30 seconds. |
9 | Determine ICMPv6 session lifetime after which it is considered to be outdated (optionally). | esr(config)# ip firewall sessions icmpv6-timeout <TIME> | <TIME> – ICMPv6 session lifetime, takes values in seconds [1..8553600]. By default: 30 seconds. |
10 | Determine the size of outstanding sessions table (optionally). | esr(config)# ip firewall sessions max-expect <COUNT> | <COUNT> – table size, takes values of [1..8553600]. By default: 256. |
11 | Determine the size of trackable sessions table (optionally). | esr(config)# ip firewall sessions max-tracking <COUNT> | <COUNT> – table size, takes values of [1..8553600]. |
12 | Determine the lifetime of TCP session in “connection is being established” state after which it is considered to be outdated (optionally). | esr(config)# ip firewall sessions tcp-connect-timeout <TIME> | <TIME> – lifetime of TCP session in 'connection is being established' state, takes values in seconds [1..8553600]. By default: 60 seconds. |
13 | Determine the lifetime of TCP session in 'connection is being closed' state after which it is considered to be outdated (optionally). | esr(config)# ip firewall sessions tcp-disconnect-timeout <TIME> | <TIME> – lifetime of TCP session in 'connection is being closed' state, takes values in seconds [1..8553600]. |
14 | Determine the lifetime of a TCP session in the 'connection established' state after which it is considered to be outdated (optionally). | esr(config)# ip firewall sessions tcp-established-timeout <TIME> | <TIME> – lifetime of a TCP session in 'connection established' state, takes values in seconds [1..8553600]. By default: 120 seconds. |
15 | Determine the timeout after which the closed TCP session is actually deleted from the table of trackable sessions (optionally). | esr(config)# ip firewall sessions tcp-latecome-timeout <TIME> | <TIME> – timeout, takes value in seconds [1..8553600]. By default: 120 seconds. |
16 | Enable application-level session tracking for certain protocols (optionally). | esr(config)# ip firewall sessions tracking <PROTOCOL> [ <OBJECT-GROUP-SERVICE> ] | <PROTOCOL> – application-level protocol [ftp, h323, pptp, netbios-ns, sip, tftp] whose sessions should be tracked. <OBJECT-GROUP-SERVICE> – applies to sip only: name of the TCP/UDP ports profile for SIP sessions, set by the string of up to 31 characters; if no group is specified, SIP sessions are tracked on port 5060. Instead of a particular protocol, the 'all' key enables application-level session tracking for all available protocols. By default, disabled for all protocols. |
17 | Determine the lifetime of UDP session in “connection is confirmed” state after which it is considered to be outdated (optionally). | esr(config)# ip firewall sessions udp-assured-timeout <TIME> | <TIME> – lifetime of UDP session in “connection is confirmed” state, takes values in seconds [1..8553600]. By default: 180 seconds. |
18 | Determine the lifetime of UDP session in 'connection is not confirmed' state after which it is considered to be outdated. | esr(config)# ip firewall sessions udp-wait-timeout <TIME> | <TIME> – lifetime of UDP session in 'connection is not confirmed' state, takes values in seconds [1..8553600]. By default: 30 seconds. |
19 | Create IP addresses lists which will be used during filtration. | esr(config)# object-group network <obj-group-name> | <obj-group-name> – up to 31 characters. |
20 | Specify IP addresses list description (optionally). | esr(config-object-group-network)# description <description> | <description> – profile description, set by the string of up to 255 characters. |
21 | Add necessary IPv4/IPv6 addresses to the list. | esr(config-object-group-network)# ip prefix <ADDR/LEN> | <ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. |
esr(config-object-group-network)# ip address-range <FROM-ADDR>-<TO-ADDR> | <FROM-ADDR> – range starting IP address; <TO-ADDR> – range ending IP address, optional parameter; If the parameter is not specified, a single IP address is set by the command. The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. | ||
esr(config-object-group-network)# ipv6 prefix <IPV6-ADDR/LEN> | <IPV6-ADDR/LEN> – IP address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128]. | ||
esr(config-object-group-network)# ipv6 address-range <FROM-ADDR>-<TO-ADDR> | <FROM-ADDR> – range starting IPv6 address; <TO-ADDR> – range ending IPv6 address, optional parameter. If the parameter is not specified, a single IPv6 address is set by the command. The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
22 | Create services lists which will be used during filtration. | esr(config)# object-group service <obj-group-name> | <obj-group-name> – service profile name, set by the string of up to 31 characters. |
23 | Specify services list description (optionally). | esr(config-object-group-service)# description <description> | <description> – profile description, set by the string of up to 255 characters. |
24 | Add necessary services (tcp/udp ports) to the list. | esr(config-object-group-service)# port-range <port> | <port> – takes values in the range of [1..65535]. You can specify several ports separated by commas ',' or you can specify the range of ports with '-'. |
25 | Create applications lists which will be used in DPI mechanism. | esr(config)# object-group application <NAME> | <NAME> – application profile name, set by the string of up to 31 characters. |
26 | Specify applications list description (optionally). | esr(config-object-group-application)# description <description> | <description> – profile description, set by the string of up to 255 characters. |
27 | Add necessary applications to the list. | esr(config-object-group-application)# application <APPLICATION> | <APPLICATION> – the application covered by the given profile. |
28 | Add interfaces (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) into security zones (optionally). | esr(config-if-gi)# security-zone <zone-name> | <zone-name> – up to 12 characters. |
Disable Firewall functions on the network interface (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) (optionally). | esr(config-if-gi)# ip firewall disable | ||
29 | Create an interzone rule set. | esr(config)# security zone-pair <src-zone-name> <dst-zone-name> | <src-zone-name> – up to 12 characters. <dst-zone-name> – up to 12 characters. |
30 | Create an interzone rule and switch to its configuration mode. | esr(config-zone-pair)# rule <rule-number> | <rule-number> – 1..10000. |
31 | Specify the rule description (optionally). | esr(config-zone-pair-rule)# description <description> | <description> – up to 255 characters. |
32 | Specify the action of the rule. | esr(config-zone-pair-rule)# action <action> [ log ] | <action> – permit/deny/reject/netflow-sample/sflow-sample. log – enables logging of the sessions established according to this rule. |
33 | Set the IP protocol name or number for which the rule should apply (optionally). | esr(config-zone-pair-rule)# match [not] protocol <protocol-type> | <protocol-type> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. When specifying the 'any' value, the rule will apply to any protocol. |
esr(config-zone-pair-rule)# match [not] protocol-id <protocol-id> | <protocol-id> – IP protocol number, takes values of [0x00-0xFF]. | |
34 | Specify the profile of source IP addresses for which the rule should apply (optionally). | esr(config-zone-pair-rule)# match [not] source-address <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will apply to any source/destination IP address. |
35 | Specify the profile of destination IP addresses for which the rule should apply (optionally). | esr(config-zone-pair-rule)# match [not] destination-address <OBJ-GROUP-NETWORK-NAME> | |
36 | Set the source MAC address for which the rule should apply (optionally). | esr(config-zone-pair-rule)# match [not] source-mac <mac-addr> | <mac-addr> – defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF]. |
37 | Set the destination MAC address for which the rule should apply (optionally). | esr(config-zone-pair-rule)# match [not] destination-mac <mac-addr> | |
38 | Set the source TCP/UDP ports profile for which the rule should apply (if the protocol is specified). | esr(config-zone-pair-rule)# match [not] source-port <PORT-SET-NAME> | <PORT-SET-NAME> – set by the string of up to 31 characters. When specifying the 'any' value, the rule will apply to any source/destination TCP/UDP port. |
39 | Set the destination TCP/UDP ports profile for which the rule should apply (if the protocol is specified). | esr(config-zone-pair-rule)# match [not] destination-port <PORT-SET-NAME> | |
40 | Specify the type and code of ICMP messages for which the rule should apply (if ICMP is selected as the protocol) (optionally). | esr(config-zone-pair-rule)# match [not] icmp <ICMP_TYPE> <ICMP_CODE> | <ICMP_TYPE> – ICMP message type, takes values of [0..255]. <ICMP_CODE> – ICMP message code, takes values of [0..255]. When specifying the 'any' value, the rule will apply to any ICMP message code. |
41 | Restrict the rule to traffic whose destination IP address and port have been translated by destination NAT (optionally). | esr(config-zone-pair-rule)# match [not] destination-nat | |
42 | Set the maximum packet rate (optionally, available only for zone-pair any self and zone-pair <zone-name> any). | esr(config-zone-pair-rule)# rate-limit pps <rate-pps> | <rate-pps> – maximum packet rate, in packets per second. Takes values in the range of [1..10000]. |
43 | Apply the rule only to fragmented IP packets (optionally, available only for zone-pair any self and zone-pair <zone-name> any). | esr(config-zone-pair-rule)# match [not] fragment | |
44 | Apply the rule only to IP packets carrying IP options (optionally, available only for zone-pair any self and zone-pair <zone-name> any). | esr(config-zone-pair-rule)# match [not] ip-option | |
45 | Activate the interzone rule. | esr(config-zone-pair-rule)# enable | |
46 | Enable filtering and session tracking for packets transmitted between members of one bridge group (optionally, available only for ESR-1000/1200/1500/1510/1700). | esr(config-bridge)# ports firewall enable | |
Each 'match' command may include the 'not' key. With the key, the rule applies to packets that do not meet the given criterion, for example to addresses that are not included in the specified profile.
You can obtain more detail information about firewall configuration in 'CLI command reference guide'.
Firewall configuration example
Objective:
Permit ICMP message exchange between R1, R2 and the ESR router.
Figure 13 – Network structure
Solution:
Create a security zone for each ESR network:
```
esr# configure
esr(config)# security zone LAN
esr(config-zone)# exit
esr(config)# security zone WAN
esr(config-zone)# exit
```
Configure the network interfaces and assign them to security zones:
```
esr(config)# interface gi1/0/2
esr(config-if-gi)# ip address 192.168.12.2/24
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# exit
esr(config)# interface gi1/0/3
esr(config-if-gi)# ip address 192.168.23.2/24
esr(config-if-gi)# security-zone WAN
esr(config-if-gi)# exit
```
To define the rules between the zones, create address profiles: 'LAN' and 'WAN' contain the ESR's own address in each zone, while 'LAN_GATEWAY' and 'WAN_GATEWAY' contain the addresses of R1 and R2 respectively:
```
esr(config)# object-group network WAN
esr(config-object-group-network)# ip address-range 192.168.23.2
esr(config-object-group-network)# exit
esr(config)# object-group network LAN
esr(config-object-group-network)# ip address-range 192.168.12.2
esr(config-object-group-network)# exit
esr(config)# object-group network LAN_GATEWAY
esr(config-object-group-network)# ip address-range 192.168.12.1
esr(config-object-group-network)# exit
esr(config)# object-group network WAN_GATEWAY
esr(config-object-group-network)# ip address-range 192.168.23.3
esr(config-object-group-network)# exit
```
To pass traffic from the 'LAN' zone to the 'WAN' zone, create a zone pair and add a rule permitting ICMP traffic from R1 to R2. Rules take effect with the enable command:
```
esr(config)# security zone-pair LAN WAN
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address WAN_GATEWAY
esr(config-zone-pair-rule)# match source-address LAN_GATEWAY
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
```
To pass traffic from the 'WAN' zone to the 'LAN' zone, create a zone pair and add a rule permitting ICMP traffic from R2 to R1. Rules take effect with the enable command:
```
esr(config)# security zone-pair WAN LAN
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address LAN_GATEWAY
esr(config-zone-pair-rule)# match source-address WAN_GATEWAY
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
```
The router always has a security zone named 'self'. When the router itself is the recipient of the traffic, i.e. the traffic is not transit, use 'self' as the destination zone. Create a zone pair for traffic from the 'WAN' zone to the 'self' zone and, so that the router can respond to ICMP requests from the 'WAN' zone, add a rule permitting ICMP traffic from R2 to the ESR router:
```
esr(config)# security zone-pair WAN self
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address WAN
esr(config-zone-pair-rule)# match source-address WAN_GATEWAY
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
```
Create a zone pair for traffic from the 'LAN' zone to the 'self' zone and, so that the router can respond to ICMP requests from the 'LAN' zone, add a rule permitting ICMP traffic from R1 to the ESR router:
```
esr(config)# security zone-pair LAN self
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address LAN
esr(config-zone-pair-rule)# match source-address LAN_GATEWAY
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# exit
```
To view interface membership in zones, use the following command:
```
esr# show security zone
```
To view zone pairs and their configuration, use the following commands:
```
esr# show security zone-pair
esr# show security zone-pair configuration
```
To view active sessions, use the following command:
```
esr# show ip firewall sessions
```
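To see how the zone pairs and object groups above combine, here is a small evaluator written in Python as an added example; it is not ESR code. It assumes that rules are tried in ascending number order, that the first match decides, that traffic with no matching rule or no zone pair is dropped (implicit deny), and that traffic addressed to one of the router's own interface addresses is evaluated against the zone pair whose destination is 'self'. The interfaces, object groups and rules are the ones from the example above; the packets are constructed.

```python
"""Added example (not ESR firmware): evaluating the zone-pair rules of the
firewall example against constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# ESR interfaces from the example: interface -> (own address/prefix, zone).
INTERFACES = {
    "gi1/0/2": (ipaddress.ip_interface("192.168.12.2/24"), "LAN"),
    "gi1/0/3": (ipaddress.ip_interface("192.168.23.2/24"), "WAN"),
}

# object-group network profiles from the example.
OBJECT_GROUPS: Dict[str, List[str]] = {
    "WAN": ["192.168.23.2"],
    "LAN": ["192.168.12.2"],
    "LAN_GATEWAY": ["192.168.12.1"],
    "WAN_GATEWAY": ["192.168.23.3"],
}


def in_group(addr: str, group: Optional[str]) -> bool:
    """None stands for 'any'. Entries may be single addresses or prefixes."""
    if group is None:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(entry, strict=False)
               for entry in OBJECT_GROUPS[group])


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                              # permit / deny / reject
    protocol: Optional[str] = None           # None = any
    source: Optional[str] = None             # object-group name, None = any
    destination: Optional[str] = None
    negated: FrozenSet[str] = frozenset()    # criteria given with the 'not' key

    def matches(self, proto: str, src: str, dst: str) -> bool:
        results = {
            "protocol": self.protocol is None or proto == self.protocol,
            "source-address": in_group(src, self.source),
            "destination-address": in_group(dst, self.destination),
        }
        # 'not' inverts a single criterion; every criterion must hold.
        return all(ok != (name in self.negated) for name, ok in results.items())


# security zone-pair <src> <dst> with their rules, as configured above.
ZONE_PAIRS: Dict[Tuple[str, str], List[Rule]] = {
    ("LAN", "WAN"):  [Rule(1, "permit", "icmp", "LAN_GATEWAY", "WAN_GATEWAY")],
    ("WAN", "LAN"):  [Rule(1, "permit", "icmp", "WAN_GATEWAY", "LAN_GATEWAY")],
    ("WAN", "self"): [Rule(1, "permit", "icmp", "WAN_GATEWAY", "WAN")],
    ("LAN", "self"): [Rule(1, "permit", "icmp", "LAN_GATEWAY", "LAN")],
}


def destination_zone(dst: str) -> Optional[str]:
    """'self' for the router's own addresses, else the zone of the interface
    whose connected network holds the destination (no other routes modelled)."""
    a = ipaddress.ip_address(dst)
    if any(a == iface.ip for iface, _ in INTERFACES.values()):
        return "self"
    for iface, zone in INTERFACES.values():
        if a in iface.network:
            return zone
    return None


def evaluate(ingress: str, proto: str, src: str, dst: str) -> str:
    """Action applied to a packet: the first matching rule of the zone pair,
    or the implicit 'deny' when no zone pair or no rule matches. Traffic
    between two interfaces of the same zone is outside this model."""
    src_zone = INTERFACES[ingress][1]
    dst_zone = destination_zone(dst)
    if dst_zone is None or dst_zone == src_zone:
        raise ValueError("destination not modelled by this example")
    for rule in sorted(ZONE_PAIRS.get((src_zone, dst_zone), []), key=lambda r: r.number):
        if rule.matches(proto, src, dst):
            return rule.action
    return "deny"


def run_demo() -> Dict[str, str]:
    """Constructed packets arriving at the ESR."""
    return {
        "icmp R1->R2": evaluate("gi1/0/2", "icmp", "192.168.12.1", "192.168.23.3"),
        "tcp R1->R2": evaluate("gi1/0/2", "tcp", "192.168.12.1", "192.168.23.3"),
        "icmp R2->ESR wan addr": evaluate("gi1/0/3", "icmp", "192.168.23.3", "192.168.23.2"),
        "icmp R2->ESR lan addr": evaluate("gi1/0/3", "icmp", "192.168.23.3", "192.168.12.2"),
        "icmp unknown LAN host->R2": evaluate("gi1/0/2", "icmp", "192.168.12.50", "192.168.23.3"),
    }


def not_key_demo() -> bool:
    """'match not source-address LAN_GATEWAY' matches every source except R1."""
    rule = Rule(2, "deny", None, "LAN_GATEWAY", None, negated=frozenset({"source-address"}))
    return (rule.matches("tcp", "192.168.12.50", "192.168.23.3")
            and not rule.matches("tcp", "192.168.12.1", "192.168.23.3"))
```

Note the fourth case: because the 'WAN' profile holds only the router's WAN-facing address, an ICMP request from R2 to the router's LAN address 192.168.12.2 matches no rule of the WAN to self pair and is dropped. If that traffic is wanted, the destination profile of that rule has to include the LAN address as well.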
Access list (ACL) configuration
An Access Control List (ACL) is a list of rules that define which traffic may pass through an interface.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create access control list and switch to its configuration mode. | esr(config)# ip access-list extended <NAME> | <NAME> – access control list name, set by the string of up to 31 characters. |
2 | Specify the description of a configurable access control list (optionally). | esr(config-acl)# description <DESCRIPTION> | <DESCRIPTION> – access control list description, set by the string of up to 255 characters. |
3 | Create a rule and switch to its configuration mode. The router processes the rules in ascending order of their numbers. | esr(config-acl)# rule <ORDER> | <ORDER> – rule number, takes values of [1..4094]. |
4 | Specify the action to apply to traffic that meets the rule's criteria. | esr(config-acl-rule)# action <ACT> | <ACT> – action applied to matching traffic. |
5 | Set name of protocol for which the rule should work (optionally). | esr(config-acl-rule)# match protocol <TYPE> | <TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. When specifying the 'any' value, the rule will work for any protocols. |
esr(config-acl-rule)# match protocol-id <ID> | <ID> – IP protocol number, takes values of [0x00-0xFF]. | |
6 | Set sender IP addresses for which the rule should work (optionally). | esr(config-acl-rule)# match source-address { <ADDR> <MASK> | any } | <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits, set to zero, specify IP address bits excluded from the comparison when searching. When specifying the “any” value, the rule will work for any sender/recipient IP address. |
7 | Set destination IP addresses for which the rule should work (optionally). | esr(config-acl-rule)# match destination-address { <ADDR> <MASK> | any } | |
8 | Set the source MAC addresses for which the rule should apply (optionally). | esr(config-acl-rule)# match source-mac <ADDR> <WILDCARD> | <ADDR> – source MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF]. <WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF]. Mask bits set to zero mark the MAC address bits excluded from the comparison. |
9 | Set the destination MAC addresses for which the rule should apply (optionally). | esr(config-acl-rule)# match destination-mac <ADDR> <WILDCARD> | |
10 | Set the number of sender TCP/UDP ports for which the rule should work (if the protocol is specified). | esr(config-acl-rule)# match source-port { <PORT> | any } | <PORT> – number of source TCP/UDP port, takes values of [1..65535]. When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port. |
11 | Set the destination TCP/UDP ports number for which the rule should work (if the protocol is specified). | esr(config-acl-rule)# match destination-port { <PORT> | any } | |
12 | Set the 802.1p priority value for which the rule should apply (optionally). | esr(config-acl-rule)# match cos <COS> | <COS> – 802.1p priority value, takes values of [0..7]. |
13 | Set DSCP code value for which the rule should work (optionally). Can not be used with IP Precedence. | esr(config-acl-rule)# match dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. |
14 | Set IP Precedence code for which the rule should work (optionally). Can not be used with DSCP. | esr(config-acl-rule)# match ip-precedence <IPP> | <IPP> – IP Precedence code value, takes values in the range of [0..7]. |
15 | Set VLAN ID for which the rule should work (optionally). | esr(config-acl-rule)# match vlan <VID> | <VID> – VLAN ID, takes values of [1..4094]. |
16 | Activate a rule. | esr(config-acl-rule)# enable | |
17 | Assign the access control list to the configured interface to filter incoming traffic. | esr(config-if-gi)# service-acl input <NAME> | <NAME> – access control list name, set by the string of up to 31 characters. |
Access lists can also be used to build QoS policies.
Access list configuration example
Objective:
Permit traffic only from the 192.168.20.0/24 subnet.
Solution:
Configure an access control list that filters by subnet:
```
esr# configure
esr(config)# ip access-list extended white
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match source-address 192.168.20.0 255.255.255.0
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
```
Apply the access list to interface Gi1/0/19 for inbound traffic:
```
esr(config)# interface gigabitethernet 1/0/19
esr(config-if-gi)# service-acl input white
```
To view detailed information on the access control list, use the following command:
```
esr# show ip access-list white
```
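The mask in match source-address/destination-address and the wildcard in match source-mac/destination-mac follow the convention stated in the table: bits set to one are compared, bits set to zero are ignored. That is the opposite of the Cisco IOS wildcard convention, so a mask copied from an IOS ACL silently matches the wrong hosts. The following Python functions, written as an added example rather than taken from the ESR documentation, implement the comparison and show that pitfall; they also apply the single-rule 'white' list with an implicit deny at the end, which the objective above ('from 192.168.20.0/24 only') relies on and which this example assumes.

```python
"""Added example (not ESR code): the address/mask and MAC/wildcard comparison
used by the ACL 'match' commands, and the white-list ACL from the example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

AclRule = Tuple[int, str, Optional[str], Optional[str]]   # (number, action, address, mask)


def ip_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """True when addr equals rule_addr on every bit that is set in mask;
    zero mask bits are excluded from the comparison (ESR convention)."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def mac_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Same convention for MAC addresses written as XX:XX:XX:XX:XX:XX."""
    def to_int(mac: str) -> int:
        return int(mac.replace(":", ""), 16)
    m = to_int(wildcard)
    return (to_int(addr) & m) == (to_int(rule_addr) & m)


# ip access-list extended white / rule 1 / action permit /
# match source-address 192.168.20.0 255.255.255.0
ACL_WHITE: List[AclRule] = [(1, "permit", "192.168.20.0", "255.255.255.0")]


def acl_verdict(acl: List[AclRule], src: str) -> str:
    """Rules are tried in ascending number order; a rule without an address
    criterion matches any source. No match ends in the implicit deny that
    this example assumes at the end of the list."""
    for _, action, rule_addr, mask in sorted(acl, key=lambda r: r[0]):
        if rule_addr is None or ip_matches(src, rule_addr, mask):
            return action
    return "deny"


def run_demo() -> Dict[str, object]:
    """Constructed source addresses checked against the example ACL."""
    return {
        "lan host": acl_verdict(ACL_WHITE, "192.168.20.77"),           # permit
        "neighbour subnet": acl_verdict(ACL_WHITE, "192.168.21.77"),    # implicit deny
        # IOS-style wildcard 0.0.0.255 used by mistake: only the last octet is
        # compared, so an unrelated network matches and a real LAN host does not.
        "ios wildcard matches 10.1.1.0": ip_matches("10.1.1.0", "192.168.20.0", "0.0.0.255"),
        "ios wildcard matches lan host": ip_matches("192.168.20.77", "192.168.20.0", "0.0.0.255"),
        # OUI match: compare the first three octets only.
        "mac oui match": mac_matches("a8:f9:4b:12:34:56", "a8:f9:4b:00:00:00", "ff:ff:ff:00:00:00"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

When porting rules from an IOS device, invert each wildcard (255.255.255.255 minus the IOS wildcard) before entering it here, and confirm the result with show ip access-list and a test packet from a host outside the intended range.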
Static routes configuration
Static routing is routing in which routes are defined explicitly in the router configuration, without dynamic routing protocols.
Configuration process
You can add a static route with the following command in global configuration mode:
```
esr(config)# ip route [ vrf <VRF> ] <SUBNET> { <NEXTHOP> | interface <IF> | tunnel <TUN> | wan load-balance rule <RULE> [<METRIC>] | blackhole | unreachable | prohibit } [ <METRIC> ] [ track <TRACK-ID> ] [ bfd ]
```
- <VRF> – VRF name, set by the string of up to 31 characters.
- <SUBNET> – destination address, specified in one of the following formats:
- AAA.BBB.CCC.DDD – host IP address, where each part takes values of [0..255].
- AAA.BBB.CCC.DDD/NN – network IP address with prefix length, where AAA-DDD take values of [0..255] and NN takes values of [1..32].
- <NEXTHOP> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
- <IF> – an IP interface name specified in the form described in Section Types and naming order of router interfaces;
- <TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;
- <RULE> – wan rule number, set in the range of [1..50];
- blackhole – when specifying the command, the packets to this subnet will be removed by the device without sending notifications to a sender;
- unreachable – when specifying the command, the packets to this subnet will be removed by the device, a sender will receive in response ICMP Destination unreachable (Host unreachable, code 1);
- prohibit – when specifying the command, the packets to this subnet will be removed by the device, a sender will receive in response ICMP Destination unreachable (Communication administratively prohibited, code 13);
- bfd – when specifying the given key, the removal of static route in case of next-hop unavailability is activated.
To add a static IPv6 route to the given subnet, use the following command:
```
esr(config)# ipv6 route [ vrf <VRF> ] <SUBNET> { <NEXTHOP> [ resolve ] | interface <IF> | wan load-balance rule <RULE> | blackhole | unreachable | prohibit } [ <METRIC> ] [ bfd ]
```
- <VRF> – VRF name, set by the string of up to 31 characters.
- <SUBNET> – destination address, specified in one of the following formats:
- X:X:X:X::X – host IPv6 address, where each part takes values in hexadecimal format [0..FFFF].
- X:X:X:X::X/EE – IPv6 subnet address with prefix length, where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].
- <NEXTHOP> – gateway IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];
- resolve – when specifying this parameter, gateway IPv6 address will be recursively calculated through the routing table. If the recursive calculation fails to find a gateway from a directly connected subnet, then this route will not be installed into the system;
- <IF> – an IP interface name specified in the form described in Section Types and naming order of router interfaces;
- blackhole – when specifying the command, the packets to this subnet will be removed by the device without sending notifications to a sender;
- unreachable – when specifying the command, the packets to this subnet will be removed by the device, a sender will receive in response ICMP Destination unreachable (Host unreachable, code 1);
- prohibit – when specifying the command, the packets to this subnet will be removed by the device, a sender will receive in response ICMP Destination unreachable (Communication administratively prohibited, code 13);
- <METRIC> – route metric, takes values of [0..255].
- bfd – when specifying the given key, the removal of static route in case of next-hop unavailability is activated.
Static routes configuration example
Objective:
Configure Internet access for users in the 192.168.1.0/24 and 10.0.0.0/8 LANs using static routing. R1 acts as the gateway to the Internet. Traffic within the LAN is routed within the LAN zone; traffic from the Internet belongs to the WAN zone.
Figure 14 – Network structure
Solution:
Specify the device name of the R1 router:
```
esr# hostname R1
```
Assign the address 192.168.1.1/24 and the 'LAN' zone to interface gi1/0/1; R1 connects to the 192.168.1.0/24 network via this interface:
```
esr(config)# interface gi1/0/1
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# ip address 192.168.1.1/24
esr(config-if-gi)# exit
```
Assign the address 192.168.100.1/30 and the 'LAN' zone to interface gi1/0/2; R1 connects to R2 via this interface for further traffic routing:
```
esr(config)# interface gi1/0/2
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# ip address 192.168.100.1/30
esr(config-if-gi)# exit
```
Assign the address 128.107.1.2/30 and the 'WAN' zone to interface gi1/0/3; R1 connects to the Internet via this interface:
```
esr(config)# interface gi1/0/3
esr(config-if-gi)# security-zone WAN
esr(config-if-gi)# ip address 128.107.1.2/30
esr(config-if-gi)# exit
```
Create a route to the 10.0.0.0/8 network using R2 (192.168.100.2) as the gateway:
```
esr(config)# ip route 10.0.0.0/8 192.168.100.2
```
Create a route to the Internet using the provider gateway (128.107.1.1) as the next hop:
```
esr(config)# ip route 0.0.0.0/0 128.107.1.1
```
Specify the device name of the R2 router:
```
esr# hostname R2
```
Assign the address 10.0.0.1/8 and the 'LAN' zone to interface gi1/0/1; R2 connects to the 10.0.0.0/8 network via this interface:
```
esr(config)# interface gi1/0/1
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# ip address 10.0.0.1/8
esr(config-if-gi)# exit
```
Assign the address 192.168.100.2/30 and the 'LAN' zone to interface gi1/0/2; R2 connects to R1 via this interface for further traffic routing:
```
esr(config)# interface gi1/0/2
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# ip address 192.168.100.2/30
esr(config-if-gi)# exit
```
Create a default route with the address of R1's gi1/0/2 interface (192.168.100.1) as the next hop:
```
esr(config)# ip route 0.0.0.0/0 192.168.100.1
```
To check the routing table, use the following command:
```
esr# show ip route
```
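The routing table built by the R1 commands above, re-created in Python as an added example (not ESR code), shows two things the configuration alone does not: that the lookup is by longest prefix regardless of the order the routes were entered, and how the spy-blocking spoofing screen from the attack-protection section decides that a source address is spoofed by checking that the route back to the source points at the ingress interface. The connected routes derived from the interface addresses, the egress interface resolved for each next hop, and the added blackhole route for unused private space are this example's assumptions.

```python
"""Added example (not ESR code): longest-prefix routing lookup over the R1
routes from the example, and the reverse-path check behind
'ip firewall screen spy-blocking spoofing'."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]          # None for connected and special routes
    interface: Optional[str]         # egress interface, None for special routes
    kind: str = "normal"             # normal | blackhole | unreachable | prohibit


def net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text)


R1_ROUTES: List[Route] = [
    # connected routes from the interface addresses (assumed by this example)
    Route(net("192.168.1.0/24"), None, "gi1/0/1"),
    Route(net("192.168.100.0/30"), None, "gi1/0/2"),
    Route(net("128.107.1.0/30"), None, "gi1/0/3"),
    # ip route 10.0.0.0/8 192.168.100.2   (next hop R2 is reached via gi1/0/2)
    Route(net("10.0.0.0/8"), "192.168.100.2", "gi1/0/2"),
    # ip route 0.0.0.0/0 128.107.1.1      (provider gateway is reached via gi1/0/3)
    Route(net("0.0.0.0/0"), "128.107.1.1", "gi1/0/3"),
]


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest prefix match; the order the routes were configured in is irrelevant."""
    a = ipaddress.ip_address(addr)
    return max((r for r in table if a in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)


def forward(table: List[Route], dst: str) -> str:
    """Forwarding decision for a transit packet, including the three special routes."""
    route = lookup(table, dst)
    if route is None:
        return "drop, no route"
    if route.kind == "blackhole":
        return "drop silently"
    if route.kind == "unreachable":
        return "drop, ICMP type 3 code 1"
    if route.kind == "prohibit":
        return "drop, ICMP type 3 code 13"
    return f"{route.interface} via {route.next_hop or 'connected'}"


def reverse_path_ok(table: List[Route], src: str, ingress: str) -> bool:
    """Spoofing screen: the best route back to the source must leave through
    the interface the packet arrived on; otherwise the source is spoofed."""
    route = lookup(table, src)
    return route is not None and route.kind == "normal" and route.interface == ingress


def run_demo() -> Dict[str, object]:
    # Added blackhole for the rest of 192.168.0.0/16: traffic to unused private
    # space is dropped instead of leaking to the provider through the default route.
    hardened = R1_ROUTES + [Route(net("192.168.0.0/16"), None, None, "blackhole")]
    return {
        "to 10.20.30.40": forward(R1_ROUTES, "10.20.30.40"),
        "to 203.0.113.9": forward(R1_ROUTES, "203.0.113.9"),
        "to 192.168.1.9": forward(R1_ROUTES, "192.168.1.9"),
        "to 192.168.55.1 (plain)": forward(R1_ROUTES, "192.168.55.1"),
        "to 192.168.55.1 (blackhole)": forward(hardened, "192.168.55.1"),
        "to 192.168.1.9 (blackhole table)": forward(hardened, "192.168.1.9"),
        "src 192.168.1.5 from gi1/0/3": reverse_path_ok(R1_ROUTES, "192.168.1.5", "gi1/0/3"),
        "src 10.0.0.1 from gi1/0/1": reverse_path_ok(R1_ROUTES, "10.0.0.1", "gi1/0/1"),
        "src 10.0.0.1 from gi1/0/2": reverse_path_ok(R1_ROUTES, "10.0.0.1", "gi1/0/2"),
        "src 203.0.113.7 from gi1/0/3": reverse_path_ok(R1_ROUTES, "203.0.113.7", "gi1/0/3"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The reverse-path check is strict: with the default route on gi1/0/3, any source arriving from the provider passes, while a packet from the Internet carrying the internal address 192.168.1.5 does not. The same strictness means that a subnet which is reached via one interface but whose traffic enters through another is dropped too, so compare show ip route with the real traffic paths before enabling the spoofing screen. The blackhole variant shows that a more specific connected route still wins over the null route, so only the unused part of the private range is discarded.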
PPP through E1 configuration
PPP (Point-to-Point Protocol) is a link layer protocol used to establish a direct connection between two network nodes. It can provide connection authentication, encryption and data compression.
To establish a PPP connection over an E1 stream, a ToPGATE-SFP media converter must be installed in the ESR router.
Configuration process
Step | Description | Command | Keys |
---|---|---|---|
1 | Put physical interface in switch mode | esr(config-if-gi)# mode switchport | |
2 | Set the operation mode of the e1 interface | esr(config-if-gi)# switchport mode e1 | |
3 | Set the synchronization source | esr(config-if-gi)# switchport e1 clock source <SOURCE> | <SOURCE> – synchronization source. |
4 | Specify the MTU (Maximum Transmission Unit) size for physical interfaces | esr(config-if-gi)# mtu <MTU> | <MTU> – MTU value; for E1 and Multilink interfaces it may take values in the range of [128..1500]. |
5 | Specify the frame check sequence algorithm (optionally) | esr(config-if-gi)# switchport e1 crc <FCS> | <FCS> – frame check sequence algorithm. |
6 | Set the framing mode (optionally) | esr(config-if-gi)# switchport e1 framing <CRC> | <CRC> – cyclic redundancy check (CRC4) framing mode. |
7 | Invert the transmitted bits (optionally) | esr(config-if-gi)# switchport e1 invert data | |
8 | Set the line encoding type (optionally) | esr(config-if-gi)# switchport e1 linecode <CODE> | <CODE> – line encoding type. |
9 | Set amount of timeslots | esr(config-if-gi)# switchport e1 timeslots <RANGE> | <RANGE> – amount of timeslots |
10 | Use E1 as a single entity, without time slots (optional) | esr(config-if-gi)# switchport e1 unframed | |
11 | Configure E1 | esr(config)# interface e1 1/<SLOT>/1 | <SLOT> – slot number. |
12 | Enable CHAP authentication for PPP (optionally) | esr(config-e1)# ppp authentication chap | |
13 | Specify the router name that is sent to a remote party for CHAP authentication (optionally) | esr(config-e1)# ppp chap hostname <NAME> | <NAME> – router name |
14 | Set authentication password (optionally) | esr(config-e1)# ppp chap password ascii-text <CLEAR-TEXT> | <CLEAR-TEXT> – unencrypted password, set by the string of [1..64] characters, may include [0-9a-fA-F] characters |
15 | Enable authentication override (optionally) | esr(config-e1)# ppp chap refuse | |
16 | Set authentication username (optionally) | esr(config-e1)# ppp chap username <NAME> | <NAME> – user name |
17 | Allow any non-null IP address to be accepted as a local IP address from the neighbour (optionally) | esr(config-e1)# ppp ipcp accept-address | |
18 | Set IP address that is sent to a remote party for the further allocation (optionally) | esr(config-e1)# ppp ipcp remote-address <ADDR> | <ADDR> – IP address of a remote gateway |
19 | Set the amount of attempts to send Configure-Request packets before the remote peer is found to be unable to respond (optionally) | esr(config-e1)# ppp max-configure <VALUE> | <VALUE> – number of retries |
20 | Set the amount of attempts to send Configure-NAK packets before all options are confirmed (optionally) | esr(config-e1)# ppp max-failure <VALUE> | <VALUE> – number of retries |
21 | Set the amount of attempts to send Terminate-Request packets before the session is aborted (optionally) | esr(config-e1)# ppp max-terminate <VALUE> | <VALUE> – number of retries |
22 | Set MRU (Maximum Receive Unit) size for the interface (optionally) | esr(config-e1)# ppp mru <MRU> | <MRU> – MRU value |
23 | Enable MLPPP mode (optionally) | esr(config-e1)# ppp multilink | |
24 | Add the group to MLPPP (optionally) | esr(config-e1)# ppp multilink-group <GROUP-ID> | <GROUP-ID> – group number |
25 | Specify the time interval in seconds after which the router sends a keepalive message (optionally) | esr(config-e1)# ppp timeout keepalive <TIME> | <TIME> – time in seconds |
26 | Specify the interval after which the router sends a keepalive message (optionally) | esr(config-e1)# ppp timeout retry <TIME> | <TIME> – time in seconds |
Configuration example
Objective:
Configure a PPP connection to the opposite side with IP address 10.77.0.1/24 via ToPGATE-SFP, using timeslots 1-8 for data transmission; the clock source is the opposite side.
Figure 15 – Network structure
Solution:
Switch the gigabitethernet 1/0/3 interface, in which the ToPGATE-SFP is installed, into E1 operation mode:
esr# configure
esr(config)# interface gigabitethernet 1/0/3
esr(config-if-gi)# description "*** ToPGATE ***"
esr(config-if-gi)# switchport mode e1
esr(config-if-gi)# switchport e1 timeslots 1-8
esr(config-if-gi)# switchport e1 clock source line
esr(config-if-gi)# switchport e1 slot 3
esr(config-if-gi)# exit
Enable interface e1 1/3/1:
esr(config)# interface e1 1/3/1
esr(config-e1)# security-zone trusted
esr(config-e1)# ip address 10.77.0.1/24
esr(config-e1)# exit
The configuration changes come into effect after applying the following commands:
esr# commit
Configuration has been successfully committed
esr# confirm
Configuration has been successfully confirmed
MLPPP Configuration
Multilink PPP (MLPPP) is an aggregated channel: traffic is carried over several physical channels that together form a single logical connection. This increases the available bandwidth and provides load balancing.
Figure 16 – Network structure
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure aggregation group. | esr(config)# interface multilink <IF> | <IF> – interface name. |
2 | Specify the description of configured aggregation group (optionally). | esr(config-multilink)# description <DESCRIPTION> | <DESCRIPTION> – aggregation group description, set by the string of up to 255 characters. |
3 | Specify the time interval during which the statistics on the aggregation group load is averaged (optionally). | esr(config-multilink)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. Default value: 5. |
4 | Specify MTU (Maximum Transmission Unit) size for the aggregation group (optionally). MTU above 1500 will be active only when using the "system jumbo-frames" command. | esr(config-multilink)# mtu <MTU> | <MTU> – MTU value, takes values in the range of [1280..1500]. Default value: 1500. |
5 | Enable CHAP authentication. | esr(config-multilink)# ppp authentication chap | |
6 | Enable authentication override (optionally). | esr(config-multilink)# ppp chap refuse | |
7 | Specify the router name that is sent to a remote party for CHAP authentication. | esr(config-multilink)# ppp chap hostname <NAME> | <NAME> – router name, set by the string of up to 31 characters. |
8 | Specify the password that is sent with the router name to a remote party for CHAP authentication. | esr(config-multilink)# ppp chap password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters. <ENCRYPTED-TEXT> – encrypted password, set by the string of [16..128] characters. |
9 | Allow any non-null IP address to be accepted as a local IP address from the neighbour (optionally). | esr(config-multilink)# ppp ipcp accept-address | |
10 | Set IP address that is sent to a remote party for the further allocation. | esr(config-multilink)# ppp ipcp remote-address <ADDR> | <ADDR> – IP address of a remote gateway. |
11 | Specify a user for remote party authentication and switch to the specified user configuration mode | esr(config-multilink)# chap username <NAME> | <NAME> – user name, set by the string of up to 31 characters. |
12 | Set encrypted or unencrypted password for a specific user to authenticate the remote party. | esr(config-ppp-user)# password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters. <ENCRYPTED-TEXT> – encrypted password, set by the string of [16..128] characters. |
13 | Set the amount of attempts to send Configure-Request packets before the remote peer is found to be unable to respond (optionally). | esr(config-multilink)# ppp max-configure <VALUE> | <VALUE> – number of retries, takes values of [1..255]. Default value: 10. |
14 | Set the amount of attempts to send Configure-NAK packets before all options are confirmed (optionally). | esr(config-multilink)# ppp max-failure <VALUE> | <VALUE> – number of retries, takes values of [1..255]. |
15 | Set the amount of attempts to send Terminate-Request packets before the session is aborted (optionally). | esr(config-multilink)# ppp max-terminate <VALUE> | <VALUE> – number of retries, takes values of [1..255]. Default value: 2. |
16 | Set MRU (Maximum Receive Unit) size for the interface. | esr(config-multilink)# ppp mru <MRU> | <MRU> – MRU value, takes values in the range of [128..1485]. Default value: 1500. |
17 | Specify the time interval in seconds after which the router sends a keepalive message (optionally). | esr(config-multilink)# ppp timeout keepalive <TIME> | <TIME> – time in seconds, takes values of [1..32767]. Default value: 10. |
18 | Specify the time interval in seconds after which the router sends a keepalive message (optionally). | esr(config-multilink)# ppp timeout retry <TIME> | <TIME> – time in seconds, takes values of [1..255]. Default value: 3. |
19 | Specify the maximum packet size for the MLPPP interface. | esr(config-multilink)# mrru <MRRU> | <MRRU> – maximum size of a received packet for the MLPPP interface, takes values in the range of [1500..10000]. |
20 | Bind e1 port to the physical interface. | esr(config-if-gi)# switchport e1 <SLOT> | <SLOT> – slot identifier, takes values in the range of [0..3]. |
21 | Put the physical port into SFPe1 module operation mode. | esr(config-if-gi)# switchport mode e1 | |
22 | Enable MLPPP mode on E1 interface. | esr(config-e1)# ppp multilink | |
23 | Include E1 interface in the aggregation group. | esr(config-e1)# ppp multilink-group <GROUP-ID> | <GROUP-ID> – group identifier, takes values in the range of [1..4]. |
Configuration example
Objective :
Configure MLPPP connection to the opposite side with IP address 10.77.0.1/24 via MXE device.
Figure 17 – Network structure
Solution:
Switch the gigabitethernet 1/0/1 and 1/0/2 interfaces into E1 operation mode:
esr# configure
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# switchport mode e1
esr(config-if-gi)# switchport e1 slot 0
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# switchport mode e1
esr(config-if-gi)# switchport e1 slot 1
esr(config-if-gi)# exit
Configure MLPPP 3:
esr(config)# interface multilink 3
esr(config-multilink)# ip address 10.77.0.2/24
esr(config-multilink)# security-zone trusted
esr(config-multilink)# exit
esr(config)# exit
Include interfaces e1 1/0/1 and e1 1/0/2 in the MLPPP 3 aggregation group:
esr(config)# interface e1 1/0/1
esr(config-e1)# ppp multilink
esr(config-e1)# ppp multilink-group 3
esr(config-e1)# exit
esr(config)# interface e1 1/0/2
esr(config-e1)# ppp multilink
esr(config-e1)# ppp multilink-group 3
esr(config-e1)# exit
Bridge configuration
A bridge connects two Ethernet segments at the data-link level without involving any higher level protocol such as IP. Frames are forwarded based on Ethernet (MAC) addresses, not IP addresses. Since forwarding takes place at the data-link level (Layer 2 of the OSI model), higher level protocol traffic passes through the bridge transparently.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Add a network bridge to the system and switch to its configuration mode. | esr(config)# bridge <BRIDGE-ID> | <BRIDGE-ID> – bridge identification number, takes values in the range of: |
2 | Enable network bridge. | esr(config-bridge)# enable | |
3 | Specify the VRF instance in which the given bridge will operate (optionally). | esr(config-bridge)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
4 | Specify the configured network bridge description (optionally). | esr(config-bridge)# description <DESCRIPTION> | <DESCRIPTION> – network bridge description, set by the string of up to 255 characters. |
5 | Specify the size of MTU packets that can be passed by the bridge (optionally; possible only if a VLAN is included in the bridge). MTU above 1500 will be active only when using the "system jumbo-frames" command. | esr(config-bridge)# mtu <MTU> | <MTU> – MTU value, takes values in the range of: Default value: 1500 |
6 | Specify the time interval during which the statistics on the bridge load is averaged (optionally). | esr(config-bridge)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. Default value: 5 |
7 | Connect the current network bridge with VLAN. All interfaces and L2 tunnels that are members of the assigned VLAN are automatically included in the network bridge and become members of the shared L2 domain (optionally). | esr(config-bridge)# vlan <VID> | <VID> – VLAN identifier, set in the range of [1..4094]. |
8 | Specify the network bridge MAC address different from a system one (optionally). | esr(config-bridge)# mac-address <ADDR> | <ADDR> – network bridge MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. |
9 | Connect sub interface, qinq interface, L2GRE tunnel or L2TPv3 tunnel with the network bridge. Connected interfaces/tunnels and network bridges automatically become participants of the shared L2 domain (optionally). | esr(config-if-gi)# bridge-group <BRIDGE-ID> esr(config-if-l2tpv3)# bridge-group <BRIDGE-ID> | <BRIDGE-ID> – bridge identification number, takes values in the range of: |
10 | Enable interface isolation mode on the bridge. In this mode, the traffic exchange between members of the network bridge is prohibited. (Optionally; relevant only for ESR-1000/1200/1500/1510/1700) | esr(config-bridge)# protected-ports [ exclude vlan ] | exclude vlan – when specifying the given key, VLAN (connected with bridge) is excluded from the isolated interfaces list. |
11 | Prohibit unknown-unicast traffic switching (when a destination MAC address is not included in the switching table) in the given bridge. (Optionally; relevant only for ESR-1000/1200/1500/1510/1700) | esr(config-bridge)# unknown-unicast-forwarding disable | |
12 | Set the lifetime of IPv4/IPv6 entries in the ARP table learned on the given bridge (optionally). | esr(config-bridge)# ip arp reachable-time <TIME> or ipv6 nd reachable-time <TIME> | <TIME> – lifetime of dynamic MAC addresses, in milliseconds. Allowed values are from 5000 to 100000000 milliseconds. The actual entry update time varies within [0.5; 1.5]*<TIME>. |
Example of bridge configuration for VLAN and L2TPv3 tunnel
Objective:
Combine router interfaces related to LAN and L2TPv3 tunnel passing through the public network into a single L2 domain. For combining, use VLAN 333.
Figure 18 – Network structure
Solution:
Create VLAN 333:
esr(config)# vlan 333
esr(config-vlan)# exit
Create 'trusted' security zone:
esr(config)# security-zone trusted
esr(config-zone)# exit
Add gi1/0/11, gi1/0/12 interfaces to VLAN 333:
esr(config)# interface gigabitethernet 1/0/11-12
esr(config-if)# mode switchport
esr(config-if)# switchport general allowed vlan add 333 tagged
Create bridge 333, map VLAN 333 to it and specify membership in 'trusted' zone:
esr(config)# bridge 333
esr(config-bridge)# vlan 333
esr(config-bridge)# security-zone trusted
esr(config-bridge)# enable
Specify the affiliation of the L2TPv3 tunnel to the bridge mapped to the LAN (for L2TPv3 tunnel configuration, see Section L2TPv3 tunnel configuration). In general, the bridge and tunnel identifiers do not have to match the VID, as they do in this example.
esr(config)# tunnel l2tpv3 333
esr(config-l2tpv3)# bridge-group 333
Example of bridge configuration for VLAN
Objective:
Configure routing between VLAN 50 (10.0.50.0/24) and VLAN 60 (10.0.60.0/24). VLAN 50 should belong to the 'LAN1' zone and VLAN 60 to the 'LAN2' zone; enable free traffic transmission between the zones.
Figure 19 – Network structure
Solution:
Create VLAN 50, 60:
esr(config)# vlan 50,60
esr(config-vlan)# exit
Create 'LAN1' and 'LAN2' security zones:
esr(config)# security-zone LAN1
esr(config-zone)# exit
esr(config)# security-zone LAN2
esr(config-zone)# exit
Map VLAN 50 to gi1/0/11, gi1/0/12 interfaces:
esr(config)# interface gigabitethernet 1/0/11-12
esr(config-if-gi)# switchport general allowed vlan add 50 tagged
Map VLAN 60 to gi1/0/14 interface:
esr(config)# interface gigabitethernet 1/0/14
esr(config-if-gi)# switchport general allowed vlan add 60 tagged
Create bridge 50, map VLAN 50, define IP address 10.0.50.1/24 and membership in 'LAN1' zone:
esr(config)# bridge 50
esr(config-bridge)# vlan 50
esr(config-bridge)# ip address 10.0.50.1/24
esr(config-bridge)# security-zone LAN1
esr(config-bridge)# enable
Create bridge 60, map VLAN 60, define IP address 10.0.60.1/24 and membership in 'LAN2' zone:
esr(config)# bridge 60
esr(config-bridge)# vlan 60
esr(config-bridge)# ip address 10.0.60.1/24
esr(config-bridge)# security-zone LAN2
esr(config-bridge)# enable
Create firewall rules that enable free traffic transmission between zones:
esr(config)# security zone-pair LAN1 LAN2
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair LAN2 LAN1
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# exit
To view an interface membership in a bridge, use the following command:
esr# show interfaces bridge
Configuration example of the second VLAN tag adding/removing
Objective:
The gigabitethernet 1/0/1 interface receives Ethernet frames with various VLAN tags. They must be redirected to the gigabitethernet 1/0/2 interface with a second VLAN-ID, 828, added. When Ethernet frames with VLAN-ID 828 arrive on gigabitethernet 1/0/2, this tag must be removed and the frames sent out of the gigabitethernet 1/0/1 interface.
Solution:
Create the bridge without a VLAN or IP address on the router.
esr(config)# bridge 1
esr(config-bridge)# enable
esr(config-bridge)# exit
Include the gigabitethernet 1/0/1 interface in bridge 1.
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# bridge-group 1
esr(config-if-gi)# exit
Include the gigabitethernet 1/0/2.828 sub interface in bridge 1.
esr(config)# interface gigabitethernet 1/0/2.828
esr(config-subif)# bridge-group 1
esr(config-subif)# exit
When the second VLAN tag is added to an Ethernet frame, the frame grows by 4 bytes. The MTU must therefore be increased by at least 4 bytes on the router's gigabitethernet 1/0/2 interface and on all equipment that carries the Q-in-Q frames.
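The tag push and pop that bridge 1 performs between the two interfaces, as an added Python example that is not part of the ESR manual: the frame bytes are constructed sample data, TPID 0x8100 is assumed for both tags (an assumption, taken from the gi1/0/2.828 sub interface notation), and the 4-byte growth behind the MTU note above is visible in the returned lengths.

```python
"""Added example, not from the ESR manual: the tag push/pop done by bridge 1.

Frames entering gigabitethernet 1/0/1 get an outer 802.1Q tag with VID 828
pushed before they leave on gigabitethernet 1/0/2; frames arriving on
gigabitethernet 1/0/2 with outer VID 828 have that tag popped before they
leave on gigabitethernet 1/0/1. Frame bytes are constructed sample data and
TPID 0x8100 is assumed for both tags.
"""
import struct

TPID_8021Q = 0x8100
OUTER_VID = 828      # the second VLAN-ID from the objective above
MAC_HDR = 12         # destination + source MAC; tags are inserted right after


def _tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def vlan_stack(frame):
    """VIDs of all stacked tags, outermost first ([] for untagged frames)."""
    vids, off = [], MAC_HDR
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


def push_outer_tag(frame, vid=OUTER_VID):
    """gi1/0/1 -> gi1/0/2: add the outer tag; the frame grows by 4 bytes."""
    if len(frame) < MAC_HDR + 2:
        raise ValueError("truncated Ethernet frame")
    return frame[:MAC_HDR] + _tag(vid) + frame[MAC_HDR:]


def pop_outer_tag(frame, vid=OUTER_VID):
    """gi1/0/2 -> gi1/0/1: strip the outer tag if it carries `vid`.
    Frames whose outer tag is missing or differs do not belong to this
    sub interface and yield None."""
    stack = vlan_stack(frame)
    if not stack or stack[0] != vid:
        return None
    return frame[:MAC_HDR] + frame[MAC_HDR + 4:]


def build_frame(inner_vid, payload):
    """Constructed sample: one 802.1Q tag, IPv4 EtherType, then the payload."""
    dst = bytes.fromhex("020000000001")   # locally administered, constructed
    src = bytes.fromhex("020000000002")
    return dst + src + _tag(inner_vid) + struct.pack("!H", 0x0800) + payload
```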
RIP Configuration
RIP is a distance-vector dynamic routing protocol that uses hop count as its routing metric. The maximum number of hops allowed by RIP is 15. By default, each RIP router transmits its full routing table to the network every 30 seconds. RIP operates at the third layer of the TCP/IP stack, over UDP port 520.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure RIP precedence for the main routing table (optionally). | esr(config)# ip protocols rip preference <VALUE> | <VALUE> – protocol precedence, takes values in the range of [1..255]. Default value: RIP (100). |
2 | Configure RIP routing tables capacity (optionally). | esr(config)# ip protocols rip max-routes <VALUE> | <VALUE> – amount of RIP routes in the routing table, takes values in the range of [1..10000]. Default value: 10000. |
3 | Create IP subnets lists that will be used for further filtration of advertised and received IP routes. | esr(config)# ip prefix-list <NAME> | <NAME> – name of a subnet list being configured, set by the string of up to 31 characters. |
4 | Permit or deny the prefixes lists. | esr(config-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route} | <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters; <LEN> – prefix length, takes values of [1..32] in prefix IP lists; |
esr(config-pl)# deny {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route} | |||
5 | Switch to the RIP process configuration mode. | esr(config)# router rip esr(config-rip)# | |
6 | Enable RIP. | esr(config-rip)# enable | |
7 | Specify RIP authentication algorithm (optionally). | esr(config-rip)# authentication algorithm { cleartext | md5 } | |
8 | Set the password for neighbour authentication (optionally). | esr(config-rip)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by the string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
9 | Specify the list of passwords for authentication via md5 hashing algorithm (optionally). | esr(config-rip)# authentication key-chain <KEYCHAIN> | <KEYCHAIN> – key list identifier, set by the string of up to 16 characters. |
10 | Disable routes advertising on the interfaces/tunnels/bridges where it is not necessary (optionally). | esr(config-rip)# passive-interface {<IF> | <TUN> } | <IF> – interface type and identifier; <TUN> – tunnel name and number. |
11 | Set time interval after which the advertising is carried out (optionally). | esr(config-rip)# timers update <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 180 seconds. |
12 | Set time interval of route entry correctness without updating (optionally). | esr(config-rip)# timers invalid <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 180 seconds. |
13 | Set time interval after which the route removing is carried out (optionally). | esr(config-rip)# timers flush <TIME> | <TIME> – time in seconds, takes values of [1..65535]. When setting the value, follow the rule «timers invalid + 60». Default value: 240 seconds. |
14 | Enable subnets advertising. | esr(config-rip)# network <ADDR/LEN> | <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32]. |
15 | Add subnets filtration in incoming or outgoing updates (optionally). | esr(config-rip)# prefix-list <PREFIX-LIST-NAME> { in | out } | <PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters. |
16 | Enable advertising of routes received in an alternative way (optionally). | esr(config-rip)# redistribute static [ route-map <NAME> ] | <NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by the string of up to 31 characters. |
esr(config-rip)# redistribute connected [ route-map <NAME> ] | <NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters. | ||
esr(config-rip)# redistribute ospf <ID><ROUTE-TYPE> [ route-map <NAME> ] | <ID> – process number, takes values of [1..65535]. <ROUTE-TYPE> – route type: <NAME> – name of the route map that will be used for advertised OSPF routes filtration and modification, set by the string of up to 31 characters. | ||
esr(config-rip)# redistribute bgp <AS> [ route-map <NAME> ] | <AS> – autonomous system number, takes values of [1..4294967295]. <NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the string of up to 31 characters. | ||
17 | Switch to the interface/tunnel/network bridge configuration mode. | esr(config)# interface <IF-TYPE><IF-NUM> | <IF-TYPE> – interface type; <IF-NUM> – F/S/P – F frame (1), S – slot (0), P – port. |
esr(config)# tunnel <TUN-TYPE><TUN-NUM> | <TUN-TYPE> – tunnel type; <TUN-NUM> – tunnel number. | ||
esr(config)# bridge <BR-NUM> | <BR-NUM> – bridge number. | ||
18 | Set RIP routes metric value on the interface (optionally). | esr(config-if-gi)# ip rip metric <VALUE> | <VALUE> – metric size, takes values of [0..32767]. Default value: 5. |
19 | Set the routes advertising mode via RIP (optionally). | esr(config-if-gi)# ip rip mode <MODE> | <MODE> – route advertising mode: multicast – routes are advertised in multicast mode; broadcast – routes are advertised in broadcast mode; unicast – routes are advertised to the neighbours in unicast mode; Default value: multicast. |
20 | Specify a neighbour’s IP address for establishment of a relation in routes advertising unicast mode (optionally). | esr(config-if-gi)# ip rip neighbor <ADDR> | <ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
21 | Enable subnet summarization (optionally). | esr(config-if-gi)# ip rip summary-address <ADDR/LEN> | <ADDR/LEN> – IP address and mask of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. |
RIP configuration example
Objective:
Configure RIP on the router in order to exchange routing information with the neighbouring routers. The router should advertise static routes and the subnets 115.0.0.0/24, 14.0.0.0/24 and 10.0.0.0/24. Routes should be advertised every 25 seconds.
Figure 20 – Network structure
Solution:
Pre-configure IP addresses on interfaces according to the network structure shown in Figure 20.
Switch to the RIP configuration mode:
esr(config)# router rip
Specify subnets that will be advertised by the protocol: 115.0.0.0/24, 14.0.0.0/24 and 10.0.0.0/24:
esr(config-rip)# network 115.0.0.0/24
esr(config-rip)# network 14.0.0.0/24
esr(config-rip)# network 10.0.0.0/24
To advertise static routes by the protocol, execute the following command:
esr(config-rip)# redistribute static
Configure the timer responsible for routing information transmission:
esr(config-rip)# timers update 25
When all required settings are done, enable the protocol:
esr(config-rip)# enable
To view the RIP routing table, use the following command:
esr# show ip rip
In addition to RIP protocol configuration, open UDP port 520 in the firewall.
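The authentication choice in the table above (cleartext or md5 key) decides what a RIP update on the UDP port 520 admitted by the firewall looks like on the wire. The following Python is an added example, not part of the ESR manual: it builds constructed RIPv2 Response packets per RFC 2453 and RFC 2082, parses them back, verifies the keyed MD5 trailer and flags unauthenticated or cleartext updates, which is what a defender would check in a capture of 520/udp traffic. The prefixes are those of the example above; keys and sequence numbers are constructed.

```python
"""Added example, not from the ESR manual: build and audit RIPv2 updates.

Wire formats follow RFC 2453 (RIPv2) and RFC 2082 (keyed MD5). All keys,
prefixes and packets here are constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_PORT = 520            # UDP port to open in the firewall, per the note above
ENTRY_LEN = 20            # every RIPv2 entry, authentication included, is 20 bytes
AFI_AUTH = 0xFFFF         # address family that marks an authentication entry
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3
RIP_INFINITY = 16         # metric 16 = unreachable (maximum of 15 hops)


def _route_entry(prefix, metric):
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, b"\x00" * 4, metric)


def build_response(prefixes, metric=1, auth=None, key=b"", key_id=1, seq=0):
    """Build a RIPv2 Response; auth is None, "cleartext" or "md5"."""
    header = struct.pack("!BBH", 2, 2, 0)       # command=Response, version=2
    body = b"".join(_route_entry(p, metric) for p in prefixes)
    if auth is None:
        return header + body
    if auth == "cleartext":
        return header + struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, key[:16]) + body
    # Keyed MD5: an authentication header entry, the routes, then a trailer
    # whose digest is MD5 over the packet up to the trailer head followed by
    # the 16-byte zero-padded key. "Packet length" = offset of the trailer.
    trailer_off = 4 + ENTRY_LEN * (1 + len(prefixes))
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, trailer_off,
                             key_id, 16, seq, b"\x00" * 8)
    head = header + auth_entry + body + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return head + hashlib.md5(head + key[:16].ljust(16, b"\x00")).digest()


def parse_rip(packet):
    """Parse a RIPv2 packet into its command, authentication and route list."""
    if len(packet) < 4 or (len(packet) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP packet: bad length")
    command, version, _ = struct.unpack("!BBH", packet[:4])
    info = {"command": command, "version": version, "auth": None, "routes": []}
    for off in range(4, len(packet), ENTRY_LEN):
        entry = packet[off:off + ENTRY_LEN]
        afi, atype = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH:
            if atype == AUTH_SIMPLE:
                info["auth"] = "cleartext"
                info["password"] = entry[4:].rstrip(b"\x00")
            elif atype == AUTH_MD5:
                info["auth"] = "md5"
                info["trailer_off"], info["key_id"] = struct.unpack("!HB", entry[4:7])
            elif atype == AUTH_TRAILER:
                info["digest"] = entry[4:]
            continue
        addr, mask, _nexthop, metric = struct.unpack("!4s4s4sI", entry[4:])
        net = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}", strict=False)
        info["routes"].append({"prefix": str(net), "metric": metric})
    return info


def verify_md5(packet, key):
    """Recompute the RFC 2082 digest with a candidate key; True if it matches."""
    info = parse_rip(packet)
    if info["auth"] != "md5" or "digest" not in info:
        return False
    off = info["trailer_off"]
    if packet[off:off + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False
    expected = hashlib.md5(packet[:off + 4] + key[:16].ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, packet[off + 4:off + 20])


def audit(packet):
    """Findings a defender would want from a RIP update seen on UDP/520."""
    info = parse_rip(packet)
    findings = []
    if info["auth"] is None:
        findings.append("update is not authenticated")
    elif info["auth"] == "cleartext":
        findings.append("cleartext password visible on the wire")
    for r in info["routes"]:
        if r["metric"] > RIP_INFINITY:
            findings.append(f"invalid metric {r['metric']} for {r['prefix']}")
    return findings
```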
OSPF configuration
OSPF is a dynamic routing protocol based on link-state technology that uses Dijkstra's shortest path first (SPF) algorithm.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure OSPF precedence for the main routing table (optionally). | esr(config)# ip protocols ospf preference <VALUE> | <VALUE> – protocol precedence, takes values in the range of [1..255]. Default value: 150. |
esr(config-vrf)# ip protocols ospf preference <VALUE> | |||
2 | Configure OSPF routing tables capacity (optionally). | esr(config)# ip protocols ospf max-routes <VALUE> | <VALUE> – amount of OSPF routes in the routing table, takes values in the range of: Default value for the global mode: Default value for VRF: 0 |
esr(config)# ipv6 protocols ospf max-routes <VALUE> | |||
3 | Enable the output of OSPF neighbor state information (optionally). | esr(config)# router ospf log-adjacency-changes | |
esr(config)# ipv6 router ospf log-adjacency-changes | |||
4 | Create IP subnets lists that will be used for further filtration of advertised and received IP routes. | esr(config)# ip prefix-list <NAME> | <NAME> – name of a subnet list being configured, set by the string of up to 31 characters. |
esr(config)# ipv6 prefix-list <NAME> | |||
5 | Permit or deny the prefixes lists. | esr(config-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route} | <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters; <LEN> – prefix length, takes values of [1..32] in prefix IP lists; |
esr(config-pl)# deny {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route} | |||
esr(config-ipv6-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route} | |||
esr(config-ipv6-pl)# deny {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route} | |||
6 | Add OSPF process to the system and switch to the OSPF process parameters configuration mode. | esr(config)# router ospf <ID> [vrf <VRF>] | <ID> – process identifier, takes values of [1..65535]. <VRF> – VRF instance name, set by the string of up to 31 characters, within which the routing protocol will operate. |
esr(config)# ipv6 router ospf <ID> [vrf <VRF>] | |||
7 | Set the router identifier for the given OSPF process. | esr(config-ospf)# router-id <ID> | <ID> – router identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-ipv6-ospf)# router-id <ID> | |||
8 | Define OSPF process routes precedence. | esr(config-ospf)# preference <VALUE> | <VALUE> – OSPF process routes precedence, takes values in the range of [1..255]. Default value: 10. |
esr(config-ipv6-ospf)# preference <VALUE> | |||
9 | Enable compatibility with RFC 1583 (optionally). | esr(config-ospf)# compatible rfc1583 | |
esr(config-ipv6-ospf)# compatible rfc1583 | |||
11 | Add subnets filtration in incoming or outgoing updates (optionally). | esr(config-ospf)# prefix-list <PREFIX-LIST-NAME> { in | out } | <PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters. |
esr(config-ipv6-ospf)# prefix-list <PREFIX-LIST-NAME> { in | out } | |||
12 | Enable advertising of routes received in an alternative way (optionally). | esr(config-ospf)# redistribute static [ route-map <NAME> ] | <NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by the string of up to 31 characters. |
esr(config-ipv6-ospf)# redistribute static [ route-map <NAME> ] | |||
esr(config-ospf)# redistribute connected [ route-map <NAME> ] | <NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters. | ||
esr(config-ipv6-ospf)# redistribute connected [ route-map <NAME> ] | |||
esr(config-ospf)# redistribute rip [ route-map <NAME> ] | <NAME> – name of the route map that will be used for advertised RIP routes filtration and modification, set by the string of up to 31 characters. | ||
esr(config-ospf)# redistribute bgp <AS> [ route-map <NAME> ] | <AS> – autonomous system number, takes values of [1..4294967295]. <NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the string of up to 31 characters. | ||
esr(config-ipv6-ospf)# redistribute bgp <AS> [ route-map <NAME> ] | |||
13 | Enable OSPF process. | esr(config-ospf)# enable | |
esr(config-ipv6-ospf)# enable | |||
14 | Create OSPF area and switch to the area configuration mode. | esr(config-ospf)# area <AREA_ID> | <AREA_ID> – area identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-ipv6-ospf)# area <AREA_ID> | |||
15 | Enable subnets advertising. | esr(config-ospf-area)# network <ADDR/LEN> | <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32]. |
esr(config-ipv6-ospf-area)# network <IPV6-ADDR/LEN> | <IPV6-ADDR/LEN> – IPv6 address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128]. | ||
16 | Specify the area type | esr(config-ospf-area)# area-type <TYPE> [ no-summary ] | <TYPE> – area type: |
esr(config-ipv6-ospf-area)# area-type <TYPE> [ no-summary ] | |||
17 | Enable the default route generation for NSSA area and its advertising as NSSA-LSA. | esr(config-ospf-area)# default-information-originate | |
esr(config-ipv6-ospf-area)# default-information-originate | |||
18 | Enable the subnet summarization or hiding. | esr(config-ospf-area)# summary-address <ADDR/LEN> { advertise | not-advertise } | <ADDR/LEN> – IP address and mask of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]; |
esr(config-ipv6-ospf-area)# summary-address <IPV6-ADDR/LEN> { advertise | not-advertise } | <IPV6-ADDR/LEN> – IPv6 address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128]; | ||
19 | Enable OSPF area. | esr(config-ospf-area)# enable | |
esr(config-ipv6-ospf-area)# enable | |||
20 | Establish a virtual link between the backbone (main) area and a remote area that is separated from it by several other areas. | esr(config-ospf-area)# virtual-link <ID> | <ID> – identifier of the router with which the virtual link is established, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-ipv6-ospf-area)# virtual-link <ID> | |||
21 | Set the time interval in seconds after which the router re-sends a packet that has not received a delivery confirmation (for example, a DatabaseDescription packet or LinkStateRequest packets). | esr(config-ospf-vlink)# retransmit-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 5 seconds. |
esr(config-ipv6-ospf-vlink)# retransmit-interval <TIME> | |||
22 | Set the time interval in seconds after which the router sends the next hello packet. | esr(config-ospf-vlink)# hello-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 10 seconds. |
esr(config-ipv6-ospf-vlink)# hello-interval <TIME> | |||
23 | Set the time interval in seconds after which the neighbor is considered down. This interval should be a multiple of the 'hello-interval' value. | esr(config-ospf-vlink)# dead-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 40 seconds. |
esr(config-ipv6-ospf-vlink)# dead-interval <TIME> | |||
24 | Set the time interval in seconds after which the router selects the DR in the network. | esr(config-ospf-vlink)# wait-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. |
esr(config-ipv6-ospf-vlink)# wait-interval <TIME> | |||
25 | Define authentication algorithm. | esr(config-ospf-vlink)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm: |
26 | Set the password for neighbour authentication. | esr(config-ospf-vlink)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by the string of 8 to 16 characters. <ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
27 | Specify the list of passwords for authentication via md5 hashing algorithm. | esr(config-ospf-vlink)# authentication key chain <KEYCHAIN> | <KEYCHAIN> – key list identifier, set by the string of up to 16 characters. |
28 | Enable virtual link. | esr(config-ospf-vlink)# enable | |
29 | Switch to the interface/tunnel/network bridge configuration mode. | esr(config)# interface <IF-TYPE><IF-NUM> | <IF-TYPE> – interface type; <IF-NUM> – F/S/P – F frame (1), S – slot (0), P – port. |
esr(config)# tunnel <TUN-TYPE><TUN-NUM> | <TUN-TYPE> – tunnel type; <TUN-NUM> – tunnel number. | ||
esr(config)# bridge <BR-NUM> | <BR-NUM> – bridge number. | ||
30 | Define the membership of the interface / tunnel / network bridge in a specific OSPF process. | esr(config-if-gi)# ip ospf instance <ID> | <ID> – process number, takes values of [1..65535]. |
esr(config-if-gi)# ipv6 ospf instance <ID> | |||
31 | Define the membership of the interface in a specific area of the OSPF process. | esr(config-if-gi)# ip ospf area <AREA_ID> | <AREA_ID> – area identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-if-gi)# ipv6 ospf area <AREA_ID> | |||
32 | Enable routing via OSPF on the interface. | esr(config-if-gi)# ip ospf | |
esr(config-if-gi)# ipv6 ospf | |||
33 | Enable the mode in which the OSPF process will ignore MTU interface value in incoming Database Description packets. | esr(config-if-gi)# ip ospf mtu-ignore | |
esr(config-if-gi)# ipv6 ospf mtu-ignore | |||
34 | Specify the OSPF authentication algorithm. | esr(config-if-gi)# ip ospf authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm: |
35 | Set the password for OSPF neighbor authentication when transmitting an unencrypted password. | esr(config-if-gi)# ip ospf authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by the string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
36 | Specify the list of passwords for neighbor authentication via md5 hashing algorithm. | esr(config-if-gi)# ip ospf authentication key-chain <KEYCHAIN> | <KEYCHAIN> – key list identifier, set by the string of up to 16 characters. |
37 | Set the time interval in seconds after which the router selects DR in the network. | esr(config-if-gi)# ip ospf wait-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 40 seconds. |
esr(config-if-gi)# ipv6 ospf wait-interval <TIME> | |||
38 | Set the time interval in seconds after which the router re-sends a packet that has not received a delivery confirmation (for example, a DatabaseDescription packet or LinkStateRequest packets). | esr(config-if-gi)# ip ospf restransmit-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 5 seconds. |
esr(config-if-gi)# ipv6 ospf restransmit-interval <TIME> | |||
39 | Set the time interval in seconds after which the router sends the next hello packet. | esr(config-if-gi)# ip ospf hello-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 10 seconds. |
esr(config-if-gi)# ipv6 ospf hello-interval <TIME> | |||
40 | Set the time interval in seconds after which the neighbor is considered to be idle. This interval should be a multiple of the ‘hello interval’ value. | esr(config-if-gi)# ip dead-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 40 seconds. |
esr(config-if-gi)# ipv6 dead-interval <TIME> | |||
41 | Set the time interval during which NBMA interface waits before sending a HELLO packet to a neighbor, even if the neighbor is idle. | esr(config-if-gi)# ip poll-interval <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 120 seconds. |
esr(config-if-gi)# ipv6 poll-interval <TIME> | |||
42 | Set the static IP address of a neighbor to establish an adjacency in NBMA and P2MP (Point-to-MultiPoint) networks. | esr(config-if-gi)# ip ospf neighbor <IP> [ eligible ] | <IP> – neighbor IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. eligible – optional parameter, allows the neighbor to take part in the DR election in NBMA networks. The interface priority should be greater than zero. |
esr(config-if-gi)# ipv6 ospf neighbor <IPV6-ADDR> [ eligible ] | <IPV6-ADDR> – neighbor’s IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]; eligible – optional parameter, allows the neighbor to take part in the DR election in NBMA networks. The interface priority should be greater than zero. | ||
43 | Define the network type for OSPF adjacency establishment. | esr(config-if-gi)# ip ospf network <TYPE> | <TYPE> – network type. Default value: broadcast. |
esr(config-if-gi)# ipv6 ospf network <TYPE> | |||
44 | Set the router priority that is used for DR and BDR selection. | esr(config-if-gi)# ip ospf priority <VALUE> | <VALUE> – interface priority, takes values of [1..65535]. Default value: 120. |
esr(config-if-gi)# ipv6 ospf priority <VALUE> | |||
45 | Set the metric size on the interface or tunnel. | esr(config-if-gi)# ip ospf cost <VALUE> | <VALUE> – metric size, takes values of [0..32767]. Default value: 150. |
esr(config-if-gi)# ipv6 ospf cost <VALUE> | |||
47 | Enable BFD protocol for OSPF protocol. | esr(config-if-gi)# ip ospf bfd-enable | |
esr(config-if-gi)# ipv6 ospf bfd-enable |
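To check interface or virtual-link settings against the limits in rows 21 to 40 before they are pushed to a router, here is an added Python check; it is not ESR code and not part of the original page. The interface dictionaries and their keys are a constructed model of those rows, and flagging an OSPF-enabled interface that has no authentication algorithm is an added defender's check rather than a requirement the table states.

```python
import re

# Limits as the OSPF configuration table above states them (constructed check,
# not ESR code): timers in seconds, keys for "authentication key ascii-text".
TIMER_RANGE = (1, 65535)
CLEAR_KEY_CHARS = (8, 16)        # <CLEAR-TEXT>: 8 to 16 characters
ENCRYPTED_HEX_CHARS = (16, 32)   # <ENCRYPTED-TEXT>: 8 to 16 bytes = 16 to 32 hex characters
HEX_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)$")   # (0xYYYY...) or (YYYY...)


def check_ospf_timers(hello=10, dead=40, retransmit=5, wait=None):
    """Return findings for one interface or virtual link; defaults are the table's."""
    findings = []
    timers = {"hello-interval": hello, "dead-interval": dead,
              "retransmit-interval": retransmit}
    if wait is not None:
        timers["wait-interval"] = wait
    lo, hi = TIMER_RANGE
    for name, value in timers.items():
        if not lo <= value <= hi:
            findings.append(f"{name} {value} is outside [{lo}..{hi}]")
    # Rows 23 and 40: the dead interval should be a multiple of the hello interval.
    if hello > 0 and dead % hello != 0:
        findings.append(f"dead-interval {dead} is not a multiple of hello-interval {hello}")
    return findings


def check_ospf_key(key, encrypted=False):
    """Check an ascii-text key against the length and format rules of rows 26 and 35."""
    if not encrypted:
        lo, hi = CLEAR_KEY_CHARS
        if lo <= len(key) <= hi:
            return []
        return [f"clear-text key has {len(key)} characters, expected [{lo}..{hi}]"]
    m = HEX_RE.match(key)
    if m is None:
        return ["encrypted key is not hexadecimal (0xYYYY... or YYYY...)"]
    n = len(m.group(1))
    lo, hi = ENCRYPTED_HEX_CHARS
    if n % 2 == 0 and lo <= n <= hi:
        return []
    return [f"encrypted key has {n} hex characters, expected an even count in [{lo}..{hi}]"]


def audit_ospf_interface(name, iface):
    """iface: constructed dict of per-interface settings; keys mirror the table rows."""
    findings = check_ospf_timers(iface.get("hello-interval", 10),
                                 iface.get("dead-interval", 40),
                                 iface.get("retransmit-interval", 5))
    if iface.get("ospf"):                      # row 32: "ip ospf" enabled
        if "authentication algorithm" not in iface:
            findings.append("OSPF enabled without an authentication algorithm (row 34)")
        elif "authentication key" in iface:
            findings += check_ospf_key(iface["authentication key"],
                                       iface.get("encrypted", False))
    return [f"{name}: {f}" for f in findings]


# Constructed sample: the two interfaces of the configuration example below,
# one with an (invented) encrypted MD5 key, one with a mis-set dead interval.
SAMPLE = {
    "gi1/0/5": {"ospf": True, "authentication algorithm": "md5",
                "authentication key": "0x" + "ab" * 8, "encrypted": True},
    "gi1/0/15": {"ospf": True, "hello-interval": 10, "dead-interval": 45},
}

if __name__ == "__main__":
    for iface_name, settings in SAMPLE.items():
        for finding in audit_ospf_interface(iface_name, settings):
            print(finding)
```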
OSPF configuration example
Objective:
Configure OSPF on the router in order to exchange routing information with the neighbouring routers. The router should belong to the area with identifier 1.1.1.1 and announce routes received via RIP.
Figure 21 – Network structure
Solution:
Pre-configure IP addresses on interfaces according to the network structure shown in Figure 21.
Create OSPF process with identifier 10 and proceed to the OSPF protocol configuration mode:
esr(config)# router ospf 10
Create and enable the required area:
esr(config-ospf)# area 1.1.1.1
esr(config-ospf-area)# enable
esr(config-ospf-area)# exit
Enable advertising of the routing information from RIP:
esr(config-ospf)# redistribute rip
Enable OSPF process:
esr(config-ospf)# enable
esr(config-ospf)# exit
The neighbouring routers are connected to the gi1/0/5 and gi1/0/15 interfaces. To form adjacencies with them, assign these interfaces to the OSPF process and the area, then enable OSPF routing on each interface.
esr(config)# interface gigabitethernet 1/0/5
esr(config-if-gi)# ip ospf instance 10
esr(config-if-gi)# ip ospf area 1.1.1.1
esr(config-if-gi)# ip ospf
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/15
esr(config-if-gi)# ip ospf instance 10
esr(config-if-gi)# ip ospf area 1.1.1.1
esr(config-if-gi)# ip ospf
esr(config-if-gi)# exit
esr(config)# exit
OSPF stub area configuration example
Objective:
Change the type of area 1.1.1.1 to stub. The stub router should advertise routes received via RIP.
Figure 22 – Network structure
Solution:
Pre-configure OSPF protocol and IP addresses on interfaces according to the network structure shown in Figure 22.
Change the area type to stub. On each router in area 1.1.1.1, execute the following command in the area configuration mode:
esr(config-ospf-area)# area-type stub
For R3 stub router, enable advertising of the routing information from RIP:
esr(config-ospf)# redistribute rip
Virtual link configuration example
Objective:
Merge two backbone areas using virtual link.
Figure 23 – Network structure
Solution:
A virtual link is a special connection that allows you to merge a split area, or to connect an area to the backbone area through a third area. The virtual link is configured between two Area Border Routers (ABR).
Pre-configure OSPF protocol and IP addresses on interfaces according to the network structure shown in Figure 23.
For R1 router, proceed to 1.1.1.1 area configuration mode:
esr(config-ospf)# area 1.1.1.1
Create and enable virtual link with the identifier 0.0.0.3:
esr(config-ospf-area)# virtual-link 0.0.0.3
esr(config-ospf-vlink)# enable
For R3 router, proceed to 1.1.1.1 area configuration mode:
esr(config-ospf)# area 1.1.1.1
Create and enable virtual link with the identifier 0.0.0.1:
esr(config-ospf-area)# virtual-link 0.0.0.1
esr(config-ospf-vlink)# enable
Review the routing table on R1 router:
esr# show ip route
C * 10.0.0.0/24 [0/0] dev gi1/0/12, [direct 00:49:34]
O * 10.0.1.0/24 [150/20] via 10.0.0.1 on gi1/0/12, [ospf1 00:49:53] (0.0.0.3)
O * 192.168.20.0/24 [150/30] via 10.0.0.1 on gi1/0/12, [ospf1 00:50:15] (0.0.0.3)
C * 192.168.10.0/24 [0/0] dev lo1, [direct 21:32:01]
Review the routing table on R3 router:
esr# show ip route
O * 10.0.0.0/24 [150/20] via 10.0.1.1 on gi1/0/12, [ospf1 14:38:35] (0.0.0.2)
C * 10.0.1.0/24 [0/0] dev gi1/0/12, [direct 14:35:34]
C * 192.168.20.0/24 [0/0] dev lo1, [direct 14:32:58]
O * 192.168.10.0/24 [150/30] via 10.0.1.1 on gi1/0/12, [ospf1 14:39:54] (0.0.0.1)
Since OSPF treats the virtual link as part of the area, the routes R1 receives from R3 are marked as intra-area, and vice versa.
To view the neighbors, use the following command:
esr# show ip ospf neighbors 10
To view OSPF routing table, use the following command:
esr# show ip ospf 10
In the firewall, you should allow the OSPF protocol (IP protocol number 89).
BGP configuration
BGP is designed to exchange subnet reachability information among autonomous systems (AS), i.e. groups of routers under a single technical administration that use an interdomain routing protocol to define packet delivery routes to other ASes. The transmitted information includes the list of ASes reachable through the advertising system. Selection of the optimal routes is based on the rules in effect for the network.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure BGP precedence for the main routing table (optionally). | esr(config)# ip protocols bgp preference <VALUE> | <VALUE> – protocol precedence, takes values in the range of [1..255]. Default value: BGP (170). |
2 | Configure BGP routing tables capacity (optionally). | esr(config)# ip protocols bgp max-routes <VALUE> | <VALUE> – amount of BGP routes in the routing table, takes values in the range of: Default value: |
esr(config)# ipv6 protocols bgp max-routes <VALUE> | |||
esr(config-vrf)# ip protocols bgp max-routes <VALUE> | |||
esr(config-vrf)# ipv6 protocols bgp max-routes <VALUE> | |||
3 | Enable the output of BGP neighbor state information (optionally). | esr(config)# router bgp log-neighbor-changes | |
esr(config)# ipv6 router bgp log-neighbor-changes | |||
4 | Enable ECMP and define the maximum amount of equal routes to a destination point. | esr(config)# router bgp maximum-paths <VALUE> | <VALUE> – amount of valid equal routes to the target, takes the values of [1..16]. |
5 | Create IP subnets lists that will be used for further filtration of advertised and received IP routes. | esr(config)# ip prefix-list <NAME> | <NAME> – name of a subnet list being configured, set by the string of up to 31 characters. |
esr(config)# ipv6 prefix-list <NAME> | |||
6 | Permit or deny the prefix lists. | esr(config-pl)# permit {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ]|default-route} | <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters; <LEN> – prefix length, takes values of [1..32] in prefix IP lists; |
esr(config-pl)# deny {object-group <OBJ-GROUP-NETWORK-NAME> [ { eq <LEN> | le <LEN> | ge <LEN> [ le <LEN> ] } ] | default-route} | |||
7 | Add BGP process to the system and switch to the BGP process parameters configuration mode. | esr(config)# router bgp <AS> | <AS> – autonomous system number, takes values of [1..4294967295]. |
8 | Define the type of configured routing information and switch to this configuration mode. | esr(config-bgp)# address-family { ipv4 | ipv6 } [ vrf <VRF> ] | <VRF> – VRF instance name, set by the string of up to 31 characters, within which the routing protocol will operate. |
9 | Set the router identifier. | esr(config-bgp-af)# router-id <ID> | <ID> – router identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-ipv6-bgp-af)# router-id <ID> | |||
10 | Set the time interval after which the connection with the opposing party is checked. | esr(config-bgp-af)# timers keepalive <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 60 seconds. |
esr(config-ipv6-bgp-af)# timers keepalive <TIME> | |||
11 | Set time interval after which the opposing party is considered to be unavailable. | esr(config-bgp-af)# timers holdtime <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 180 seconds. |
esr(config-ipv6-bgp-af)# timers holdtime <TIME> | |||
12 | Set the time of minimum and maximum delay during which it is prohibited to establish a connection in order to prevent frequent disconnections. | esr(config-bgp-af)# timers error-wait <TIME1> <TIME2> | <TIME1> – minimum delay time in seconds, takes values of [1..65535]. <TIME2> – maximum delay time in seconds, takes values of [1..65535]. |
esr(config-ipv6-bgp-af)# timers error-wait <TIME1> <TIME2> | |||
13 | Set the Route-Reflector identifier of the cluster to which the router BGP process belongs. | esr(config-bgp-af)# cluster-id <ID> | <ID> – Route-Reflector cluster identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-ipv6-bgp-af)# cluster-id <ID> | |||
14 | Define the global algorithm of neighbor authentication. | esr(config-bgp-af)# authentication algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm: md5 – password is encrypted by md5 algorithm. |
esr(config-ipv6-bgp-af)# authentication algorithm <ALGORITHM> | |||
15 | Set the global password for neighbour authentication. | esr(config-bgp-af)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by the string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
esr(config-ipv6-bgp-af)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | |||
16 | Enable BGP process. | esr(config-bgp-af)# enable | |
esr(config-ipv6-bgp-af)# enable | |||
17 | Enable the advertising of static routes received in an alternative way. | esr(config-bgp-af)# redistribute static [ route-map <NAME> ] | <NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by the string of up to 31 characters. |
esr(config-ipv6-bgp-af)# redistribute static [ route-map <NAME> ] | |||
esr(config-bgp-af)# redistribute connected [ route-map <NAME> ] | <NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters. | ||
esr(config-ipv6-bgp-af)# redistribute connected [ route-map <NAME> ] | |||
esr(config-bgp-af)# redistribute rip [ route-map <NAME> ] | <NAME> – name of the route map that will be used for advertised RIP routes filtration and modification, set by the string of up to 31 characters. | ||
esr(config-ipv6-bgp-af)# redistribute rip [ route-map <NAME> ] | |||
esr(config-bgp-af)# redistribute ospf <ID> <ROUTE-TYPE> [ route-map <NAME> ] | <ID> – process number, takes values of [1..65535]. <ROUTE-TYPE> – route type: <NAME> – name of the route map that will be used for advertised OSPF routes filtration and modification, set by the string of up to 31 characters. | ||
esr(config-ipv6-bgp-af)# redistribute ospf <ID> <ROUTE-TYPE> [ route-map <NAME> ] | |||
esr(config-bgp-af)# redistribute bgp <AS> [ route-map <NAME> ] | <AS> – autonomous system number, takes values of [1..4294967295]. <NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the string of up to 31 characters. | ||
esr(config-ipv6-bgp-af)# redistribute bgp <AS> [ route-map <NAME> ] | |||
18 | Enable subnets advertising. | esr(config-bgp-af)# network <ADDR/LEN> | <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32]. |
esr(config-ipv6-bgp-af)# network <ADDR/LEN> | X:X:X:X::X/EE – IPv6 address and mask of a subnet, where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128]. | ||
19 | Add subnets filtration in incoming or outgoing updates (optionally). | esr(config-bgp-af)# prefix-list <PREFIX-LIST-NAME> { in | out } | <PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters. |
20 | Add BGP neighbor and switch to the BGP process parameters configuration mode. | esr(config-bgp-af)# neighbor <ADDR> | <ADDR> – neighbor’s IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-ipv6-bgp-af)# neighbor <IPV6-ADDR> | <IPV6-ADDR> – client IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
21 | Specify neighbor description (optionally). | esr(config-bgp-neighbor)# description <DESCRIPTION> | <DESCRIPTION> – neighbor description, set by the string of up to 255 characters. |
22 | Set the time interval after which the connection with the opposing party is checked. | esr(config-bgp-neighbor)# timers keepalive <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 60 seconds. |
esr(config-ipv6-bgp-neighbor)# timers keepalive <TIME> | |||
23 | Set time interval after which the opposing party is considered to be unavailable (optionally). | esr(config-bgp-neighbor)# timers holdtime <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 180 seconds. |
esr(config-ipv6-bgp-neighbor)# timers holdtime <TIME> | |||
24 | Set the time of minimum and maximum delay during which it is prohibited to establish a connection in order to prevent frequent disconnections (optionally). | esr(config-bgp-af)# timers error-wait <TIME1> <TIME2> | <TIME1> – minimum delay time in seconds, takes values of [1..65535]. <TIME2> – maximum delay time in seconds, takes values of [1..65535]. Default value: 60 and 300 seconds. |
esr(config-ipv6-bgp-af)# timers error-wait <TIME1> <TIME2> | |||
25 | Set the autonomous system number of the BGP neighbor. | esr(config-bgp-neighbor)# remote-as <AS> | <AS> – autonomous system number, takes values of [1..4294967295]. |
esr(config-ipv6-bgp-neighbor)# remote-as <AS> | |||
26 | Allow sessions with neighbors that are not located in directly connected subnets (optionally). | esr(config-bgp-neighbor)# ebgp-multihop <NUM> | <NUM> – maximum number of hops to the EBGP neighbor (used as the TTL). |
esr(config-ipv6-bgp-neighbor)# ebgp-multihop <NUM> | |||
27 | Set the mode in which all updates are sent to the BGP neighbor with the IP address of the local router's outgoing interface as the next-hop. | esr(config-bgp-neighbor)# next-hop-self | |
esr(config-ipv6-bgp-neighbor)# next-hop-self | |||
28 | Set the mode in which private autonomous system numbers are removed from the AS Path attribute of BGP routes before sending an update (in accordance with RFC 6996) (optionally). | esr(config-bgp-neighbor)# remove-private-as | |
esr(config-ipv6-bgp-neighbor)# remove-private-as | |||
29 | Set the mode in which the default route is always sent to the BGP neighbor in the update along with other routes (optionally). | esr(config-bgp-neighbor)# default-originate | |
esr(config-ipv6-bgp-neighbor)# default-originate | |||
30 | Enable generation and sending of a default route if the default route is present in the FIB routing table (optionally). | esr(config-bgp-af)# default-information-originate | |
31 | Specify the BGP neighbor as a Route-Reflector client (optionally). | esr(config-bgp-neighbor)# route-reflector-client | |
esr(config-ipv6-bgp-neighbor)# route-reflector-client | |||
32 | Define the precedence of the routes received from a neighbor (optionally). | esr(config-bgp-neighbor)# preference <VALUE> | <VALUE> – neighbor routes precedence, takes values in the range of [1..255]. Default value: 170. |
esr(config-ipv6-bgp-neighbor)# preference <VALUE> | |||
33 | Set the IP/IPv6 router address that will be used as the source IP/IPv6 address in transmitted BGP route information updates (optionally). | esr(config-bgp-neighbor)# update-source { <ADDR> | <IPV6-ADDR> } | <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; |
esr(config-ipv6-bgp-neighbor)# update-source <ADDR> | <IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
34 | Enable the mode in which routes whose AS Path attribute includes the process's own autonomous system number are accepted (optionally). | esr(config-bgp-neighbor)# allow-local-as <NUMBER> | <NUMBER> – threshold number of occurrences of the autonomous system number in the AS Path attribute at which the route will be accepted, takes values of [1..10]. |
esr(config-ipv6-bgp-neighbor)# allow-local-as <NUMBER> | |||
35 | Enable BFD protocol for the BGP neighbor being configured (optionally). | esr(config-bgp-neighbor)# bfd-enable | |
esr(config-ipv6-bgp-neighbor)# bfd-enable | |||
36 | Specify neighbor authentication algorithm (optionally). | esr(config-bgp-neighbor)# authentication algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm: md5 – password is encrypted by md5 algorithm. |
esr(config-ipv6-bgp-neighbor)# authentication algorithm <ALGORITHM> | |||
37 | Set the password for neighbour authentication (optionally). | esr(config-bgp-neighbor)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by the string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password from 8 bytes to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
esr(config-ipv6-bgp-neighbor)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | |||
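The matching semantics of row 6 (permit or deny on an object-group with eq, le, ge, or default-route) applied to an inbound update as a "prefix-list ... in" policy (row 19), as an added Python model that is not ESR code and not part of the original page. The object-group, the rules, the received prefixes, first-match evaluation and the implicit final deny are all assumptions of this model; the customer /24s are the ones from the configuration example below.

```python
import ipaddress

# Constructed IP addresses profile (object-group) and prefix-list rules, written
# as dicts that mirror "permit/deny {object-group ... [eq|le|ge] | default-route}".
# This is an added model of the matching semantics, not ESR code.
OBJECT_GROUPS = {
    "CUSTOMER": [ipaddress.ip_network("80.66.0.0/16")],
}

# Inbound policy: accept only /24 customer prefixes, refuse a default route.
INBOUND_RULES = [
    {"action": "permit", "group": "CUSTOMER", "ge": 24, "le": 24},
    {"action": "deny", "default_route": True},
]


def _length_ok(plen, net_len, max_len, eq=None, ge=None, le=None):
    """Apply the eq / ge / le modifiers to a candidate prefix length."""
    if eq is not None:
        return plen == eq
    if ge is None and le is None:
        return plen == net_len          # no modifier: exact-length match (assumption)
    lo = ge if ge is not None else net_len
    hi = le if le is not None else max_len
    return lo <= plen <= hi


def rule_matches(rule, prefix):
    """True when the prefix falls inside the rule's object-group with an allowed length."""
    if rule.get("default_route"):
        return prefix.prefixlen == 0
    for net in OBJECT_GROUPS[rule["group"]]:
        if prefix.version != net.version or not prefix.subnet_of(net):
            continue
        if _length_ok(prefix.prefixlen, net.prefixlen, prefix.max_prefixlen,
                      rule.get("eq"), rule.get("ge"), rule.get("le")):
            return True
    return False


def evaluate(rules, prefix_str):
    """First matching rule wins; an unmatched prefix is denied (assumed implicit deny)."""
    prefix = ipaddress.ip_network(prefix_str)
    for rule in rules:
        if rule_matches(rule, prefix):
            return rule["action"]
    return "deny"


def filter_updates(rules, prefixes):
    """Return the prefixes a 'prefix-list ... in' policy would accept from a neighbor."""
    return [p for p in prefixes if evaluate(rules, p) == "permit"]


# Constructed update from a neighbor: the example's customer /24s plus prefixes
# that are too short, too long, a default route, and an unrelated block.
RECEIVED = ["80.66.0.0/24", "80.66.16.0/24", "80.66.0.0/16",
            "80.66.0.0/25", "0.0.0.0/0", "10.0.0.0/8"]

if __name__ == "__main__":
    print(filter_updates(INBOUND_RULES, RECEIVED))   # ['80.66.0.0/24', '80.66.16.0/24']
```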
It often happens, especially when configuring iBGP, that several BGP neighbors in one address-family need the same parameters. To avoid configuration redundancy, it is recommended to use a BGP peer-group: the common parameters are described once in the peer-group, and each neighbor's configuration only needs to state its peer-group membership.
Configuration example
Objective:
Configure BGP on the router with the following parameters:
Figure 24 – Network structure
- proprietary subnets: 80.66.0.0/24, 80.66.16.0/24;
- advertising of directly connected subnets;
- proprietary AS 2500;
- first neighbouring – subnet 219.0.0.0/30, proprietary IP address 219.0.0.1, neighbour IP address 219.0.0.2, AS 2500;
- second neighbouring – subnet 185.0.0.0/30, proprietary IP address 185.0.0.1, neighbour IP address 185.0.0.2, AS 20.
Solution:
Configure required network parameters:
esr# configure
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip address 185.0.0.1/30
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# ip address 219.0.0.1/30
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/3
esr(config-if-gi)# ip address 80.66.0.1/24
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/4
esr(config-if-gi)# ip address 80.66.16.1/24
esr(config-if-gi)# exit
Create BGP process for AS 2500 and enter process parameters' configuration mode:
esr(config)# router bgp 2500
Enter routing information configuration mode for IPv4:
esr(config-bgp)# address-family ipv4
Advertise directly connected subnets:
esr(config-bgp-af)# redistribute connected
Create neighbor sessions with 185.0.0.2 and 219.0.0.2, specifying their AS numbers, and enable them:
esr(config-bgp-af)# neighbor 185.0.0.2
esr(config-bgp-neighbor)# remote-as 20
esr(config-bgp-neighbor)# enable
esr(config-bgp-neighbor)# exit
esr(config-bgp-af)# neighbor 219.0.0.2
esr(config-bgp-neighbor)# remote-as 2500
esr(config-bgp-neighbor)# enable
esr(config-bgp-neighbor)# exit
Enable protocol operation:
esr(config-bgp-af)# enable
esr(config-bgp-af)# exit
esr(config)# exit
To view BGP peers information, use the following command:
esr# show ip bgp 2500 neighbors
To view BGP routing table, use the following command:
esr# show ip bgp
You should open TCP port 179 in the firewall.
BFD configuration
BFD (Bidirectional Forwarding Detection) is a protocol that operates on top of other protocols and reduces the failure detection time to as little as 50 ms. BFD is a two-party protocol and requires configuration on both routers (each router generates BFD packets and responds to the other's).
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Enable BFD for OSPF on the interface. | esr(config-if-gi)# ip ospf bfd-enable | |
2 | Enable BFD for the BGP neighbor on the interface. | esr(config-bgp-neighbor)# bfd-enable | |
3 | Set the interval after which the BFD message is sent to the neighbor (globally). | esr(config)# ip bfd idle-tx-interval <TIMEOUT> | <TIMEOUT> – interval after which the BFD packet should be sent, takes values in milliseconds in the range of [200..65535] for ESR-1000/1200/1500/1510/1700 and [300..65535] for ESR-10/12V(F)/14VF/20/21/100/200. By default: 1 second. |
4 | Enable the logging of BFD protocol state changes (optionally). | esr(config)# ip bfd log-adjacency-changes | |
5 | Set the minimum interval after which the neighbor should generate a BFD message. | esr(config)# ip bfd min-rx-interval <TIMEOUT> | <TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes values in milliseconds in the range of By default: |
6 | Set the minimum interval after which the BFD message is sent to the neighbor. | esr(config)# ip bfd min-tx-interval <TIMEOUT> | <TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes values in milliseconds in the range of [200..65535] for ESR-1000/1200/1500/1510/1700 and [300..65535] for ESR-10/12V(F)/20/21/100/200. By default: |
7 | Set the number of dropped packets at which the BFD neighbor is considered to be unavailable (globally). | esr(config)# ip bfd multiplier <COUNT> | <COUNT> – number of dropped packets at which the neighbor is considered to be unavailable, takes values in the range of [1..100]. By default: 5. |
8 | Put the BFD mechanism with the specified IP address into operation. | esr(config)# ip bfd neighbor <ADDR> [ { interface <IF> | tunnel <TUN> } ] [local-address <ADDR> [multihop]] [vrf <VRF>] | <ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IF> – interface or interface group; <TUN> – tunnel type and number; <VRF> – VRF name, set by the string of up to 31 characters; multihop – key for setting TTL=255, for BFD mechanism operation through the routed network. |
9 | Switch the BFD session to the passive mode, so that BFD messages are not sent until messages from the BFD neighbor are received (globally, optionally). | esr(config)# ip bfd passive | |
10 | Set the interval after which the BFD message is sent to the neighbor. | esr(config-if-gi)# ip bfd idle-tx-interval <TIMEOUT> | <TIMEOUT> – interval after which the BFD packet should be sent, takes values in milliseconds in the range of [200..65535] for ESR-1000/1200/1500/1510/1700 and [300..65535] for ESR-10/12V(F)/14VF/20/21/100/200. By default: 1 second. |
11 | Set the minimum interval after which the neighbor should generate a BFD message. | esr(config-if-gi)# ip bfd min-rx-interval <TIMEOUT> | <TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes values in milliseconds in the range of [200..65535] for ESR-1000/1200/1500/1510/1700 and [300..65535] for ESR-10/12V(F)/20/21/100/200. By default: |
12 | Set the minimum interval after which the BFD message is sent to the neighbor. | esr(config-if-gi)# ip bfd min-tx-interval <TIMEOUT> | <TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes values in milliseconds in the range of [200..65535] for ESR-1000/1200/1500/1510/1700 and [300..65535] for ESR-10/12V(F)/20/21/100/200. By default: |
13 | Set the number of dropped packets at which the BFD neighbor is considered to be unavailable (optionally). | esr(config-if-gi)# ip bfd multiplier <COUNT> | <COUNT> – number of dropped packets at which the neighbor is considered to be unavailable, takes values in the range of [1..100]. By default: 5. |
14 | Switch the BFD session to the passive mode, so that BFD messages are not sent until messages from the BFD neighbor are received (on the interface). | esr(config-if-gi)# ip bfd passive | |
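What the min-tx-interval, min-rx-interval and multiplier values in the table mean for the time it takes to declare a neighbor down, as an added Python example that is not ESR code and not part of the original page. It assumes RFC 5880 asynchronous-mode negotiation (a side transmits no faster than the larger of its own min-tx and the peer's min-rx, and the peer waits that many multiplier intervals), and uses the per-model ranges and defaults as rows 3 and 7 state them.

```python
# Limits as the BFD table above states them (milliseconds); constructed check,
# not ESR code. The lower bound per model family is the one given in row 3.
MIN_INTERVAL_MS = {
    "ESR-1000/1200/1500/1510/1700": 200,
    "ESR-10/12V(F)/14VF/20/21/100/200": 300,
}
MAX_INTERVAL_MS = 65535
MULTIPLIER_RANGE = (1, 100)
DEFAULT_INTERVAL_MS = 1000   # "By default: 1 second"
DEFAULT_MULTIPLIER = 5       # "By default: 5"


def bfd_session(min_tx=DEFAULT_INTERVAL_MS, min_rx=DEFAULT_INTERVAL_MS,
                multiplier=DEFAULT_MULTIPLIER):
    """One side's settings: ip bfd min-tx-interval / min-rx-interval / multiplier."""
    return {"min_tx": min_tx, "min_rx": min_rx, "multiplier": multiplier}


def validate_bfd(model, side):
    """Return findings for one side's settings against the table's ranges."""
    findings = []
    lo = MIN_INTERVAL_MS[model]
    for name in ("min_tx", "min_rx"):
        value = side[name]
        if not lo <= value <= MAX_INTERVAL_MS:
            findings.append(f"{name} {value} ms outside [{lo}..{MAX_INTERVAL_MS}] for {model}")
    m_lo, m_hi = MULTIPLIER_RANGE
    if not m_lo <= side["multiplier"] <= m_hi:
        findings.append(f"multiplier {side['multiplier']} outside [{m_lo}..{m_hi}]")
    return findings


def tx_interval_ms(sender, receiver):
    """Interval at which the sender actually transmits: the slower of its own
    min-tx and what the receiver is willing to accept (RFC 5880 negotiation)."""
    return max(sender["min_tx"], receiver["min_rx"])


def detection_time_ms(local, remote):
    """Time after which local declares remote down (RFC 5880 asynchronous mode):
    the remote's multiplier times the interval at which the remote sends to us."""
    return remote["multiplier"] * tx_interval_ms(remote, local)


if __name__ == "__main__":
    r1 = bfd_session()                       # both routers on the table's defaults
    r2 = bfd_session()
    print(detection_time_ms(r1, r2))         # 5000 ms: 5 x 1000 ms
    fast_r1 = bfd_session(200, 200, 3)       # ESR-1000 family minimum interval
    fast_r2 = bfd_session(300, 300, 3)       # ESR-10 family minimum interval
    # The slower side's floor wins in both directions: 3 x 300 ms = 900 ms.
    print(detection_time_ms(fast_r1, fast_r2), detection_time_ms(fast_r2, fast_r1))
    # 200 ms is below the ESR-10 family floor, so both intervals are flagged.
    print(validate_bfd("ESR-10/12V(F)/14VF/20/21/100/200", fast_r1))
```

Because the detection time is set by the slower of the two sides, lowering the intervals on one router only does not shorten it; both sides' settings and the model's floor have to be considered together.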
Configuration example of BFD with BGP
Objective:
Configure eBGP between ESR R1 and R2 and enable BFD.
Figure 25 – Network structure
Solution:
R1 configuration
Preconfigure the Gi1/0/1 interface:
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip firewall disable
esr(config-if-gi)# ip address 10.0.0.1/24
Configure eBGP with BFD:
esr(config)# router bgp 100
esr(config-bgp)# address-family ipv4
esr(config-bgp-af)# neighbor 10.0.0.2
esr(config-bgp-neighbor)# remote-as 200
esr(config-bgp-neighbor)# update-source 10.0.0.1
esr(config-bgp-neighbor)# bfd-enable
esr(config-bgp-neighbor)# enable
esr(config-bgp-neighbor)# ex
esr(config-bgp-af)# enable
esr(config-bgp-af)# exit
R2 configuration
Preconfigure the Gi1/0/1 interface:
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip firewall disable
esr(config-if-gi)# ip address 10.0.0.2/24
Configure eBGP with BFD:
esr(config)# router bgp 200
esr(config-bgp)# address-family ipv4
esr(config-bgp-af)# neighbor 10.0.0.1
esr(config-bgp-neighbor)# remote-as 100
esr(config-bgp-neighbor)# update-source 10.0.0.2
esr(config-bgp-neighbor)# bfd-enable
esr(config-bgp-neighbor)# enable
esr(config-bgp-neighbor)# ex
esr(config-bgp-af)# enable
esr(config-bgp-af)# exit
PBR routing policy configuration
Configuring Route-map for BGP
Route-maps may serve as filters processing routing information when it is received from or sent to the neighbouring device. Processing may include filtering based on various route criteria and setting attributes (MED, AS-PATH, community, LocalPreference, etc.) for the respective routes.
Also, Route-map may assign routes based on access control lists (ACL).
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a route map for IP routes filtration and modification. | esr(config)# route-map <NAME> | <NAME> – route map name, set by the string of up to 31 characters. |
2 | Create a route map rule. | esr(config-route-map)# rule <ORDER> | <ORDER> – rule number, takes values of [1..10000]. |
3 | Specify the action that should be applied to routing information. | esr(config-route-map-rule)# action <ACT> | <ACT> – action to apply: |
4 | Set the BGP AS-Path attribute value in the route for which the rule should work. | esr(config-route-map-rule)# match as-path [begin | end | contain] <AS-PATH> | <AS-PATH> – list of autonomous system numbers, defined as AS,AS,AS, takes values of [1..4294967295]. Optional parameters: |
5 | Set the BGP Community attribute value for which the rule should work (optionally). | esr(config-route-map-rule)# match community <COMMUNITY-LIST> | <COMMUNITY-LIST> – community list, defined as AS:N,AS:N, takes values of [1..4294967295]. You can specify up to 64 communities. |
6 | Set the BGP Extended Community attribute value for which the rule should work (optionally). | esr(config-route-map-rule)# match extcommunity <EXTCOMMUNITY-LIST> | <EXTCOMMUNITY-LIST> – extcommunity list, defined as KIND:AS:N, KIND:AS:N, where KIND – extcommunity type; N – extcommunity number, takes values of [1..65535]. |
7 | Set the IP addresses profile including destination subnet values in the route (optionally). | esr(config-route-map-rule)# match ip address object-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes destination subnet prefixes, set by the string of up to 31 characters. |
esr(config-route-map-rule)# match ipv6 address object-group <OBJ-GROUP-NETWORK-NAME> | |||
8 | Set the IP addresses profile that includes the BGP Next-Hop attribute value in the route for which the rule should work (optionally). | esr(config-route-map-rule)# match ip next-hop object-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes destination subnet prefixes, set by the string of up to 31 characters. |
esr(config-route-map-rule)# match ipv6 next-hop object-group <OBJ-GROUP-NETWORK-NAME> | |||
9 | Set the profile that includes IP addresses of the router having advertised the route for which the rule should work (optionally). | esr(config-route-map-rule)# match ip route-source object-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes destination subnet prefixes, set by the string of up to 31 characters. |
esr(config-route-map-rule)# match ipv6 route-source object-group <OBJ-GROUP-NETWORK-NAME> | |||
10 | Specify the ACL group for which the rule should work. | esr(config-route-map-rule)# match access-group <NAME> | <NAME> – access control list name, set by the string of up to 31 characters. |
11 | Set the BGP MED attribute value in the route for which the rule should work (optionally). | esr(config-route-map-rule)# match metric bgp <METRIC> | <METRIC> – BGP MED attribute value, takes values in the range of [0..4294967295]. |
12 | Set the OSPF Metric attribute value in the route for which the rule should work. | esr(config-route-map-rule)# match metric ospf <TYPE> <METRIC> | <TYPE> – OSPF Metric attribute type, takes values type-1 and type-2; <METRIC> – OSPF Metric attribute value, takes values in the range of [0..65535]. |
13 | Set the RIP Metric attribute value in the route for which the rule should work. | esr(config-route-map-rule)# match metric rip <METRIC> | <METRIC> – RIP Metric attribute value, takes values in the range of [0..16]. |
14 | Set the OSPF Tag attribute value in the route for which the rule should work. | esr(config-route-map-rule)# match tag ospf <TAG> | <TAG> – OSPF Tag attribute value, takes values in the range of [0..4294967295]. |
15 | Set the RIP Tag attribute value in the route for which the rule should work. | esr(config-route-map-rule)# match tag rip <TAG> | <TAG> – RIP Tag attribute value, takes values in the range of [0..65535]. |
16 | Set the BGP AS-Path attribute value that will be added to the beginning of the AS-Path list (optionally). | esr(config-route-map-rule)# action set as-path prepend <AS-PATH> {track <TRACK-ID>} | <AS-PATH> – autonomous system number list that will be prepended to the current value in the route. Set as AS,AS,AS, takes values of [1..4294967295]. <TRACK-ID> – VRRP tracking identifier that triggers execution of the specified action, takes values in the range of [1..60]. |
17 | Set the BGP Community attribute value that will be specified in the route (optionally). | esr(config-route-map-rule)# action set community {<COMMUNITY-LIST> | no-advertise | no-export} | <COMMUNITY-LIST> – community list, defined as AS:N,AS:N, where each part takes values of [1..65535]. |
18 | Set the BGP ExtCommunity attribute value that will be specified in the route (optionally). | esr(config-route-map-rule)# action set extcommunity <EXTCOMMUNITY-LIST> | <EXTCOMMUNITY-LIST> – extcommunity list, defined as KIND:AS:N, KIND:AS:N, where KIND – extcommunity type; N – extcommunity number, takes values of [1..65535]. |
19 | Specify the BGP Next-Hop attribute that will be set in the route when advertising (optionally). | esr(config-route-map-rule)# action set ip bgp-next-hop <ADDR> | <ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-route-map-rule)# action set ipv6 bgp-next-hop <IPV6-ADDR> | <IPV6-ADDR> – gateway IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
20 | Specify the Next-Hop value that will be set in the route received by BGP (optionally). | esr(config-route-map-rule)# action set ip next-hop {<NEXTHOP> | blackhole | unreachable | prohibit} | <NEXTHOP> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; |
esr(config-route-map-rule)# action set ipv6 next-hop <IPV6-NEXTHOP> | <IPV6-NEXTHOP> – gateway IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
21 | Specify the BGP Local Preference attribute value that will be set in the route (optionally). | esr(config-route-map-rule)# action set local-preference <PREFERENCE> | <PREFERENCE> – BGP Local Preference attribute value, takes values in the range of [0..255]. |
22 | Specify the BGP Origin attribute value that will be set in the route (optionally). | esr(config-route-map-rule)# action set origin <ORIGIN> | <ORIGIN> – BGP Origin attribute value: |
23 | Specify the BGP MED value that will be set in the route. | esr(config-route-map-rule)# action set metric bgp <METRIC> | <METRIC> – BGP MED attribute value, takes values in the range of [0..4294967295]. |
24 | Apply filtering and modification of routes in the incoming or outgoing direction. | esr(config-bgp-neighbor)# route-map <NAME> <DIRECTION> | <NAME> – name of the route map having been configured; <DIRECTION> – direction: |
esr(config-ipv6-bgp-neighbor)# route-map <NAME> <DIRECTION> | |||
Configuration example 1
Figure 26 – Network structure
Objective:
Assign community for routing information coming from AS 20:
First, do the following:
- Configure BGP with AS 2500 on ESR router;
- Establish neighbouring with AS20.
Solution:
Create a policy:
esr# configure
esr(config)# route-map from-as20
Create rule 1:
esr(config-route-map)# rule 1
If AS PATH contains AS 20, assign community 20:2020 to it and exit:
esr(config-route-map-rule)# match as-path contain 20
esr(config-route-map-rule)# action set community 20:2020
esr(config-route-map-rule)# exit
esr(config-route-map)# exit
In AS 2500 BGP process, enter neighbour parameter configuration:
esr(config)# router bgp 2500
esr(config-bgp)# address-family ipv4
esr(config-bgp-af)# neighbor 185.0.0.2
Map the policy to routing information:
esr(config-bgp-neighbor)# route-map from-as20 in
Configuration example 2
Objective:
For all advertised routes carrying community 2500:25, set MED to 240 and mark the routing information source (Origin) as EGP:
First:
Configure BGP with AS 2500 on ESR
Solution:
Create a policy:
esr(config)# route-map to-as20
Create rule:
esr(config-route-map)# rule 1
If community contains 2500:25, assign MED 240 and Origin EGP to it:
esr(config-route-map-rule)# match community 2500:25
esr(config-route-map-rule)# action set metric bgp 240
esr(config-route-map-rule)# action set origin egp
esr(config-route-map-rule)# exit
esr(config-route-map)# exit
In AS 2500 BGP process, enter neighbour parameter configuration:
esr(config)# router bgp 2500
esr(config-bgp)# address-family ipv4
esr(config-bgp-af)# neighbor 185.0.0.2
Map the policy to routing information being advertised:
esr(config-bgp-neighbor)# route-map to-as20 out
esr(config-bgp-neighbor)# exit
esr(config-bgp)# exit
esr(config)# exit
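To make the match/set semantics of the two examples concrete, here is an added Python model of route-map evaluation. It is an illustration written for this page, not Eltex's code or the ESR implementation. It implements `match as-path` with the `begin`/`end`/`contain` keywords, `match community`, and the `set community`, `set metric bgp` and `set origin` actions, then runs the `from-as20` and `to-as20` maps from the examples over constructed routes. Two things are assumptions to check against the ESR's own behaviour: the exact meaning of the three AS-path keywords, and the implicit deny for routes that no rule matches (the `unmatched` parameter makes that choice explicit).

```python
from dataclasses import dataclass, field, replace


@dataclass
class Route:
    """A BGP route with the attributes the route-map rules inspect or set."""
    prefix: str
    as_path: list                                   # e.g. [20, 30], nearest AS first
    communities: set = field(default_factory=set)   # e.g. {"20:2020"}
    med: int = 0
    origin: str = "igp"                             # igp / egp / incomplete


@dataclass
class Rule:
    """One 'rule <ORDER>': every match must hold, then the set actions are applied."""
    order: int
    action: str = "permit"                          # permit / deny
    matches: list = field(default_factory=list)     # callables Route -> bool
    sets: list = field(default_factory=list)        # callables Route -> Route


def _is_sublist(needle, hay):
    n = len(needle)
    return n > 0 and any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def match_as_path(as_list, mode=None):
    """'match as-path [begin | end | contain] <AS-PATH>'. Assumed semantics: begin/end
    anchor the list at the path's start/end, contain finds it anywhere, no keyword
    means an exact match."""
    def check(route):
        if mode == "begin":
            return route.as_path[:len(as_list)] == as_list
        if mode == "end":
            return route.as_path[max(0, len(route.as_path) - len(as_list)):] == as_list
        if mode == "contain":
            return _is_sublist(as_list, route.as_path)
        return route.as_path == as_list
    return check


def match_community(community_list):
    """'match community <COMMUNITY-LIST>': every listed community must be present."""
    wanted = set(community_list)
    return lambda route: wanted <= route.communities


def set_community(*communities):
    return lambda route: replace(route, communities=route.communities | set(communities))


def set_metric_bgp(med):
    return lambda route: replace(route, med=med)


def set_origin(origin):
    return lambda route: replace(route, origin=origin)


def apply_route_map(rules, route, unmatched="deny"):
    """Evaluate rules in <ORDER> order; return the (possibly modified) route, or None
    when it is filtered. Dropping a route that no rule matches is the usual implicit
    deny; it is assumed here, not taken from the page."""
    for rule in sorted(rules, key=lambda r: r.order):
        if all(check(route) for check in rule.matches):
            if rule.action == "deny":
                return None
            for action in rule.sets:
                route = action(route)
            return route
    return route if unmatched == "permit" else None


# route-map from-as20, rule 1 (configuration example 1)
FROM_AS20 = [Rule(1, matches=[match_as_path([20], "contain")],
                  sets=[set_community("20:2020")])]

# route-map to-as20, rule 1 (configuration example 2)
TO_AS20 = [Rule(1, matches=[match_community(["2500:25"])],
                sets=[set_metric_bgp(240), set_origin("egp")])]


def demo():
    """Constructed routes run through both maps; returns the outcomes by name."""
    via_as20 = Route("192.0.2.0/24", [20, 30])          # learnt via AS 20
    via_as30 = Route("198.51.100.0/24", [30, 40])       # no AS 20 in the path
    own = Route("10.1.0.0/16", [], {"2500:25"})         # locally originated, tagged
    return {
        "in/from AS 20": apply_route_map(FROM_AS20, via_as20),   # gets 20:2020
        "in/other": apply_route_map(FROM_AS20, via_as30),        # None: implicit deny
        "out/2500:25": apply_route_map(TO_AS20, own),            # med 240, origin egp
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The `in/other` result is the practical point of the model: an inbound map with a single permit rule discards every route the rule does not match, so a map meant only to tag AS 20 routes needs a trailing permit-all rule, or the neighbour's other prefixes disappear from the table.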
Route-map based on access control lists (Policy-based routing)
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a route map for IP routes filtration and modification. | esr(config)# route-map <NAME> | <NAME> – route map name, set by the string of up to 31 characters. |
2 | Create a route map rule. | esr(config-route-map)# rule <ORDER> | <ORDER> – rule number, takes values of [1..10000]. |
3 | Specify the action that should be applied to routing information. | esr(config-route-map-rule)# action <ACT> | <ACT> – action to apply: |
4 | Set the ACL for which the rule should work (optionally). | esr(config-route-map-rule)# match ip access-group <NAME> | <NAME> – access control list name, set by the string of up to 31 characters. |
5 | Set the Next-Hop for packets that meet the requirements of the specified ACL (optionally). | esr(config-route-map-rule)# action set ip next-hop verify-availability <NEXTHOP> <METRIC> | <NEXTHOP> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <METRIC> – route metric, takes values of [0..255]. |
6 | Apply the ACL-based routing policy to an interface. | esr(config-if-gi)# ip policy route-map <NAME> | <NAME> – configured routing policy name, set by the string of up to 31 characters. |
Configuration example
Figure 27 – Network structure
Objective:
Distribute traffic between Internet service providers based on user subnets.
First, assign IP address to interfaces.
Route traffic from addresses 10.0.20.0/24 through ISP1 (184.45.0.150), and traffic from addresses 10.0.30.0/24 through ISP2 (80.16.0.23). The availability of the ISP addresses (i.e. whether the ISP connection is operational) should be monitored, and if one of the connections goes down, all traffic from the failed connection should be redirected to the operational one.
Solution:
Create ACL:
esr# configure
esr(config)# ip access-list extended sub20
esr(config-acl)# rule 1
esr(config-acl-rule)# match source-address 10.0.20.0 255.255.255.0
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# action permit
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
esr(config)# ip access-list extended sub30
esr(config-acl)# rule 1
esr(config-acl-rule)# match source-address 10.0.30.0 255.255.255.0
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# action permit
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
Create a policy:
esr(config)# route-map PBR
Create rule 1:
esr(config-route-map)# rule 1
Specify ACL as a filter:
esr(config-route-map-rule)# match ip access-group sub20
Specify nexthop for sub20:
esr(config-route-map-rule)# action set ip next-hop verify-availability 184.45.0.150 10
esr(config-route-map-rule)# action set ip next-hop verify-availability 80.16.0.23 30
esr(config-route-map-rule)# exit
esr(config-route-map)# exit
Rule 1 routes traffic from the network 10.0.20.0/24 to address 184.45.0.150 and, if that gateway fails, to address 80.16.0.23. Gateway precedence is defined by the metric values 10 and 30: the lower metric is preferred.
Create rule 2:
esr(config-route-map)# rule 2
Specify ACL as a filter:
esr(config-route-map-rule)# match ip access-group sub30
Specify nexthop for sub30 and exit:
esr(config-route-map-rule)# action set ip next-hop verify-availability 80.16.0.23 10
esr(config-route-map-rule)# action set ip next-hop verify-availability 184.45.0.150 30
esr(config-route-map-rule)# exit
esr(config-route-map)# exit
Rule 2 routes traffic from the network 10.0.30.0/24 to address 80.16.0.23 and, if that gateway fails, to address 184.45.0.150. Precedence is again defined by the metric values.
Proceed to TE 1/0/1 interface:
esr(config)# interface tengigabitethernet 1/0/1
Map the policy to the respective interface:
esr(config-if-te)# ip policy route-map PBR
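The selection logic behind the PBR policy above, as an added Python model (written for this page; it is not Eltex's code and does not reproduce the ESR's internals). It encodes the two ACLs and the two route-map rules exactly as configured, orders the `verify-availability` candidates by metric, and skips gateways whose availability check has failed. The availability results are passed in as a constructed dictionary; the fallback to the ordinary routing table when every verified gateway of a matching rule is down is an assumption, not something the page states.

```python
import ipaddress

# ACLs from the example: name -> permitted source networks ('destination any', 'protocol any')
ACLS = {
    "sub20": [ipaddress.ip_network("10.0.20.0/24")],
    "sub30": [ipaddress.ip_network("10.0.30.0/24")],
}

# route-map PBR: (rule order, ACL, [(next-hop, metric), ...]) as configured above
PBR = [
    (1, "sub20", [("184.45.0.150", 10), ("80.16.0.23", 30)]),
    (2, "sub30", [("80.16.0.23", 10), ("184.45.0.150", 30)]),
]


def acl_permits(acl_name, src_ip):
    """True if the source address falls inside one of the ACL's permitted networks."""
    return any(ipaddress.ip_address(src_ip) in net for net in ACLS[acl_name])


def select_next_hop(policy, src_ip, gateway_up):
    """Return the gateway a packet from src_ip is policy-routed to, or None when the
    packet is left to the ordinary routing table (no rule matched, or every verified
    gateway of the matching rule is down; that fallback is assumed, not from the page).
    gateway_up maps gateway address -> result of its availability check."""
    for _order, acl_name, candidates in sorted(policy, key=lambda rule: rule[0]):
        if not acl_permits(acl_name, src_ip):
            continue                      # first matching rule wins, as with 'rule 1' / 'rule 2'
        # 'verify-availability <NEXTHOP> <METRIC>': lowest metric first, dead gateways skipped
        for gateway, _metric in sorted(candidates, key=lambda c: c[1]):
            if gateway_up.get(gateway, False):
                return gateway
        return None
    return None


def demo():
    """Constructed availability states run against the policy; returns gateways by case."""
    both_up = {"184.45.0.150": True, "80.16.0.23": True}
    isp1_down = {"184.45.0.150": False, "80.16.0.23": True}
    both_down = {"184.45.0.150": False, "80.16.0.23": False}
    return {
        "sub20, all up": select_next_hop(PBR, "10.0.20.7", both_up),        # 184.45.0.150
        "sub30, all up": select_next_hop(PBR, "10.0.30.9", both_up),        # 80.16.0.23
        "sub20, ISP1 down": select_next_hop(PBR, "10.0.20.7", isp1_down),   # 80.16.0.23
        "sub20, both down": select_next_hop(PBR, "10.0.20.7", both_down),   # None
        "10.0.40.1, unmatched": select_next_hop(PBR, "10.0.40.1", both_up),  # None
    }


if __name__ == "__main__":
    for case, gateway in demo().items():
        print(case, "->", gateway)
```

One design point worth noticing in the model: both ACLs match `destination-address any`, so a matching packet is handed to the ISP gateway whatever its destination. If other internal networks are reachable through this router, deny them in the ACL ahead of the permit rule, otherwise traffic between those networks is policy-routed out to the ISP as well.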
GRE tunnel configuration
GRE (Generic Routing Encapsulation) is a network packet tunneling protocol. Its main purpose is to encapsulate packets of the OSI network layer into IP packets, so GRE may be used to build a VPN at layer 3 of the OSI model. ESR routers implement static, unmanaged GRE tunnels, i.e. tunnels are created manually via configuration on the local and remote hosts. The tunnel parameters on both sides must agree, otherwise the transferred data will not be decapsulated by the partner.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure the L3 interface from which the GRE tunnel will be built. | | |
2 | Create a GRE tunnel and switch to its configuration mode. | esr(config)# tunnel gre <INDEX> | <INDEX> – tunnel identifier, set in the range of: |
3 | Specify the VRF instance in which the given GRE tunnel will operate (optionally). | esr(config-gre)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
4 | Specify the description of the configured tunnel (optionally). | esr(config-gre)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
5 | Set local IP address for tunnel installation. | esr(config-gre)# local address <ADDR> | <ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-gre)# interface <IF> | <IF> – interface IP address of which is used for the tunnel installation. | ||
6 | Set remote IP address for tunnel installation. | esr(config-gre)# remote address <ADDR> | <ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
7 | Specify the GRE tunnel encapsulation mode. | esr(config-gre)# mode <MODE> | <MODE> – GRE tunnel encapsulation mode: Default value: ip |
8 | Set the IP address of a tunnel local side (only in ip mode). | esr(config-gre)# ip address <ADDR/LEN> | <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. You can specify up to 8 IP addresses separated by commas. |
9 | Assign the broadcast domain for encapsulation in the tunnel’s GRE packets (only in ethernet mode). | esr(config-gre)# bridge-group <BRIDGE-ID> | <BRIDGE-ID> – bridge identification number, takes values in the range of: |
10 | Specify the MTU size (Maximum Transmission Unit) for the tunnel (optionally). | esr(config-gre)# mtu <MTU> | <MTU> – MTU value, takes values in the range of: Default value: 1500. |
11 | Specify the TTL lifetime for tunnel packets (optionally). | esr(config-gre)# ttl <TTL> | <TTL> – TTL value, takes values in the range of [1..255]. Default value: Inherited from encapsulated packet. |
12 | Specify DSCP for the use in IP header of encapsulated packet (optionally). | esr(config-gre)# dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. Default value: inherited from encapsulated packet. |
13 | Enable key transmission in the GRE tunnel header (according to RFC 2890) and set the key value. Configured on both tunnel sides. | esr(config-gre)# key <KEY> | <KEY> – key value, takes values in the range of [1..2000000]. Default value: key is not transmitted. |
14 | Enable calculation of the checksum and its insertion into the GRE header of packets to be sent. Checksum verification must also be enabled on the remote side. | esr(config-gre)# local checksum | |
15 | Enable verification of the presence and validity of the checksum in the headers of received GRE packets. Checksum calculation must also be enabled on the remote side. | esr(config-gre)# remote checksum | |
16 | Enable the check for tunnel remote gateway availability (optionally) | esr(config-gre)# keepalive enable | |
17 | Specify the keepalive packets timeout from the opposing party (optionally) | esr(config-gre)# keepalive timeout <TIME> | <TIME> – time in seconds, takes values of [1..32767]. Default value: 10 |
18 | Set the number of attempts to check the availability of a tunnel remote gateway (optionally) | esr(config-gre)# keepalive retries <VALUE> | <VALUE> – number of attempts, takes values in the range of [1..255]. Default value: 5 |
19 | Specify the time interval during which the statistics on the tunnel load is averaged (optionally) | esr(config-gre)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. Default value: 5 |
20 | Enable sending an SNMP trap when the tunnel goes up or down. | esr(config-gre)# snmp init-trap | |
21 | Enable the mechanism of IP addresses iterative query using DHCP on the specified interfaces when the GRE tunnel is disconnected via keepalive (optionally) | esr(config-gre)# keepalive dhcp dependent-interface <IF> | <IF> – physical/logical interface on which IP address obtaining via DHCP is enabled. |
22 | Specify the time interval between GRE tunnel disabling and IP address iterative query on the interface/interfaces specified by the keepalive dhcp dependent-interface command (optionally) | esr(config-gre)# keepalive dhcp link-timeout <SEC> | <SEC> – time interval between GRE tunnel disabling and IP address requery via DHCP on the interfaces |
23 | Enable the tunnel. | esr(config-gre)# enable | |
IP-GRE tunnel configuration example
Objective:
Establish L3-VPN for company offices using IP network with GRE protocol for traffic tunneling.
- IP address 115.0.0.1 is used as a local gateway for the tunnel;
- IP address 114.0.0.10 is used as a remote gateway for the tunnel;
- IP address of the tunnel at the local side is 25.0.0.1/24.
Figure 28 – Network structure
Solution:
Pre-configure the WAN-facing interfaces on the routers and allow GRE packets to be received from the security zone in which the WAN-connected interfaces operate.
Create GRE 10 tunnel:
esr(config)# tunnel gre 10
Specify local and remote gateways (IP addresses of WAN border interfaces):
esr(config-gre)# local address 115.0.0.1
esr(config-gre)# remote address 114.0.0.10
Specify tunnel IP address 25.0.0.1/24:
esr(config-gre)# ip address 25.0.0.1/24
The tunnel must also belong to a security zone so that firewall rules allowing its traffic can be created. To assign the tunnel to a zone, use the following command:
esr(config-gre)# security-zone untrusted
Enable tunnel:
esr(config-gre)# enable
esr(config-gre)# exit
Create route to the partner's local area network on the router. Specify previously created GRE tunnel as a destination interface.
esr(config)# ip route 172.16.0.0/16 tunnel gre 10
Once the settings are applied, traffic is encapsulated into the tunnel and sent to the partner regardless of whether the partner's GRE tunnel exists or its settings match: GRE itself is stateless, so a mismatch on the far side only shows up as dropped packets unless the keepalive mechanism below is enabled.
Optionally, you may also specify the following parameters for the GRE tunnel:
Enable GRE header checksum calculation and inclusion into a packet with encapsulated packet for outbound traffic:
esr(config-gre)# local checksum
Enable check for GRE checksum presence and validity for inbound traffic:
esr(config-gre)# remote checksum
Specify a unique identifier:
esr(config-gre)# key 15808
Specify DSCP, MTU, TTL values:
esr(config-gre)# dscp 44
esr(config-gre)# mtu 1426
esr(config-gre)# ttl 18
Enable and configure keepalive mechanism:
esr(config-gre)# keepalive enable
esr(config-gre)# keepalive timeout <TIME>
esr(config-gre)# keepalive retries <VALUE>
To view the tunnel status, use the following command:
esr# show tunnels status gre 10
To view sent and received packet counters, use the following command:
esr# show tunnels counters gre 10
To view the tunnel configuration, use the following command:
esr# show tunnels configuration gre 10
IPv4-over-IPv4 tunnel configuration is performed in the same manner.
When creating the tunnel, allow GRE (IP protocol 47) in the firewall.
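What the `key`, `local checksum` and `remote checksum` settings put on the wire, as an added Python example of building and validating the GRE header per RFC 2784/2890 (written for this page; not Eltex's code, and the ESR's internal packet handling is not reproduced). The receive side mirrors the page's options: `expected_key` corresponds to a `key` configured on this side and `verify_checksum` to `remote checksum`; a packet failing either check is dropped. The payload and the tampered packet are constructed; the key 15808 is the value used in the example above.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # Checksum / Key / Sequence Number present
PROTO_IPV4 = 0x0800


def ones_complement_checksum(data):
    """Internet checksum (RFC 1071), which RFC 2784 specifies for the GRE Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload, key=None, checksum=False, proto=PROTO_IPV4):
    """Sender side: 'key <KEY>' sets K and the Key field; 'local checksum' sets C and
    fills the Checksum field, computed over the GRE header and payload."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)           # Checksum + Reserved1, zero while computing
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        csum = ones_complement_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet, expected_key=None, verify_checksum=False):
    """Receiver side: return (protocol, payload) or raise ValueError for a packet that
    must be dropped."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")   # RFC 2784/2890 GRE is version 0
    header_len = 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    if len(packet) < header_len:
        raise ValueError("truncated GRE header")
    pos, csum, key = 4, None, None
    if flags & GRE_C:
        csum = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 4
    if flags & GRE_K:
        key = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: %r" % key)
    if verify_checksum:
        if csum is None:
            raise ValueError("checksum required but not present")
        if ones_complement_checksum(packet) != 0:       # a valid packet sums to zero
            raise ValueError("bad GRE checksum")
    return proto, packet[header_len:]


def accepts(packet, **receive_policy):
    """True if parse_gre would deliver the packet under the given receive policy."""
    try:
        parse_gre(packet, **receive_policy)
        return True
    except ValueError:
        return False


def demo():
    """Constructed packets checked against a receiver configured with key 15808 and remote checksum."""
    packet = build_gre(b"inner IPv4 packet (constructed)", key=15808, checksum=True)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0xFF])
    return {
        "good, key 15808": accepts(packet, expected_key=15808, verify_checksum=True),    # True
        "wrong key": accepts(packet, expected_key=1, verify_checksum=True),              # False
        "payload altered": accepts(tampered, expected_key=15808, verify_checksum=True),  # False
        "no checksum sent": accepts(build_gre(b"x", key=15808),
                                    expected_key=15808, verify_checksum=True),           # False
    }
```

The checks are about consistency, not security: the key travels in clear text and only distinguishes flows, and the checksum catches corruption rather than deliberate modification. That is why the DMVPN section below carries GRE inside IPsec, and why the firewall rule for protocol 47 should permit only the partner's remote address rather than any source.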
DMVPN configuration
DMVPN (Dynamic Multipoint Virtual Private Network) is a technology for creating virtual private networks with the ability to create tunnels between hosts dynamically. Its advantages are high scalability and ease of setup when connecting branches to the head office. DMVPN is used in the Hub-and-Spoke topology and allows direct Spoke-to-Spoke VPN tunnels to be built in addition to the usual Spoke-to-Hub tunnels, so branches can communicate with each other directly, without their traffic passing through the Hub.
To establish such a connection, clients (NHC) over an encrypted IPsec tunnel send their internal (tunnel) address and external (NBMA) address to the NHRP server (NHS). When a client wants to connect to another NHC, it sends a request to the server to find out its external address. Having received a response from the server, the client can now independently establish a connection to the remote branch.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Check the availability of 'external' IP addresses located on physical interfaces. | | |
2 | Prepare IPsec tunnels for use with dynamic GRE tunnels. | | See section Policy-based IPsec VPN configuration. |
3 | Switch to GRE tunnel configuration mode and put the GRE tunnel into multipoint mode. | esr(config-gre)# multipoint | |
4 | Set an open password for NHRP packets (optional). | esr(config-gre)# ip nhrp authentication <WORD> | <WORD> – unencrypted password, set by the string of [1..8] characters, may include [0-9a-fA-F] characters. |
5 | Specify the time during which a record about this client will exist on the NHS (optional). | esr(config-gre)# ip nhrp holding-time <TIME> | <TIME> – the time in seconds during which a record about this client will exist on the server takes the values [1..65535]. Default value: 7200 |
6 | Set the 'logical (tunnel)' address of the NHRP server. | esr(config-gre)# ip nhrp nhs <ADDR/LEN> [no-registration] | <ADDR/LEN> – address, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]; |
7 | Match the 'internal' tunnel address with the 'external' NBMA address. | esr(config-gre)# ip nhrp map <ADDR> <ADDR> | <ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
8 | Define the destination of multicast traffic. | esr(config-gre)# ip nhrp multicast { dynamic | nhs | <ADDR> } | <ADDR> – send to a specifically configured server, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
9 | Enable the ability to send NHRP Traffic Indication packets. Running on the NHS (optionally). | esr(config-gre)# ip nhrp redirect | |
10 | Enable the ability to create shortest routes. Running on the NHC (optionally). | esr(config-gre)# ip nhrp shortcut | |
11 | Map IPsec-VPN to the mGRE tunnel (optionally). | esr(config-gre)# ip nhrp ipsec <WORD> { static | dynamic } | <WORD> – VPN name, set by the string of up to 31 characters. |
12 | Enable NHRP. | esr(config-gre)# ip nhrp enable | |
13 | Organize IP connectivity using a dynamic routing protocol. | | |
Configuration example
Objective:
Organize DMVPN between company offices using mGRE tunnels, NHRP (Next Hop Resolution Protocol), a dynamic routing protocol (BGP) and IPsec. In this example there is a Hub router and two branches: the Hub is the DMVPN server (NHS) and the branches are DMVPN clients (NHC).
Figure 29 – Network structure
External IP address of Hub — 150.115.0.5;
External IP address of Spoke-1 — 180.100.0.10;
External IP address of Spoke-2 — 140.114.0.4.
IPsec VPN parameters:
IKE:
- Diffie-Hellman group: 2;
- encryption algorithm: AES128;
- authentication algorithm: SHA1.
IPsec:
- encryption algorithm: AES128;
- authentication algorithm: SHA1.
Solution:
Hub configuration
Create GRE tunnel:
esr# configure
esr(config)# tunnel gre 5
Specify the IP address of the interface bordering the ISP:
esr(config-gre)# local address 150.115.0.5
Specify MTU value:
esr(config-gre)# mtu 1416
Specify ttl value:
esr(config-gre)# ttl 16
Specify IP address of GRE tunnel:
esr(config-gre)# ip address 10.10.0.5/24
Switch the GRE tunnel into multipoint mode to be able to connect to multiple points:
esr(config-gre)# multipoint
Proceed to NHRP configuration. Configure multicast to dynamically learnt addresses:
esr(config-gre)# ip nhrp multicast dynamic
Configure the dynamic routing protocol for the Hub. In our example, this will be BGP:
esr(config)# router bgp 65005
esr(config-bgp)# address-family ipv4
esr(config-bgp-af)# neighbor 10.10.0.8
esr(config-bgp-neighbor)# remote-as 65008
esr(config-bgp-neighbor)# enable
esr(config-bgp-neighbor)# exit
esr(config-bgp-af)# neighbor 10.10.0.4
esr(config-bgp-neighbor)# remote-as 65004
esr(config-bgp-neighbor)# enable
esr(config-bgp-neighbor)# exit
esr(config-bgp-af)# enable
Configure IPsec for the Hub:
esr(config)# security ike proposal IKEPROP
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# exit
esr(config)# security ike policy IKEPOLICY
esr(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
esr(config-ike-policy)# proposal IKEPROP
esr(config-ike-policy)# exit
esr(config)# security ike gateway IKEGW
esr(config-ike-gw)# ike-policy IKEPOLICY
esr(config-ike-gw)# local address 150.115.0.5
esr(config-ike-gw)# local network 150.115.0.5/32 protocol gre
esr(config-ike-gw)# remote address any
esr(config-ike-gw)# remote network any
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# exit
esr(config)# security ipsec proposal IPSECPROP
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
esr(config)# security ipsec policy IPSECPOLICY
esr(config-ipsec-policy)# proposal IPSECPROP
esr(config-ipsec-policy)# exit
esr(config)# security ipsec vpn IPSECVPN
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel route
esr(config-ipsec-vpn)# ike gateway IKEGW
esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY
esr(config-ipsec-vpn)# enable
Map IPsec to the GRE tunnel so that clients can establish an encrypted connection:
esr(config-gre)# ip nhrp ipsec IPSECVPN dynamic
Enable NHRP and the tunnel:
esr(config-gre)# ip nhrp enable esr(config-gre)# enable
Spoke configuration
Perform the standard DMVPN configuration on the tunnel:
esr# configure
esr(config)# tunnel gre 8
esr(config-gre)# mtu 1416
esr(config-gre)# ttl 16
esr(config-gre)# multipoint
esr(config-gre)# local address 180.100.0.10
esr(config-gre)# ip address 10.10.0.8/24
Specify how long the client's record is kept on the server:
esr(config-gre)# ip nhrp holding-time 300
Specify the tunnel address of NHS:
esr(config-gre)# ip nhrp nhs 10.10.0.5/24
Map the NHS tunnel address to its real (NBMA) address:
esr(config-gre)# ip nhrp map 10.10.0.5 150.115.0.5
Configure the multicast to the NHRP server:
esr(config-gre)# ip nhrp multicast nhs
Configure the BGP for spoke:
esr(config)# router bgp 65008
esr(config-bgp)# address-family ipv4
esr(config-bgp-af)# neighbor 10.10.0.5
esr(config-bgp-neighbor)# remote-as 65005
esr(config-bgp-neighbor)# enable
esr(config-bgp-neighbor)# exit
esr(config-bgp-af)# enable
Configure IPsec. The IKE gateway towards the NHS names the Hub's addresses explicitly; the IKE gateway used for other NHCs has any as its remote address and network:
esr(config)# security ike proposal IKEPROP
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# exit
esr(config)# security ike policy IKEPOLICY
esr(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
esr(config-ike-policy)# proposal IKEPROP
esr(config-ike-policy)# exit
esr(config)# security ike gateway IKEGW_HUB
esr(config-ike-gw)# ike-policy IKEPOLICY
esr(config-ike-gw)# local address 180.100.0.10
esr(config-ike-gw)# local network 180.100.0.10/32 protocol gre
esr(config-ike-gw)# remote address 150.115.0.5
esr(config-ike-gw)# remote network 150.115.0.5/32 protocol gre
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# exit
esr(config)# security ike gateway IKEGW_SPOKE
esr(config-ike-gw)# ike-policy IKEPOLICY
esr(config-ike-gw)# local address 180.100.0.10
esr(config-ike-gw)# local network 180.100.0.10/32 protocol gre
esr(config-ike-gw)# remote address any
esr(config-ike-gw)# remote network any
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# exit
esr(config)# security ipsec proposal IPSECPROP
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
esr(config)# security ipsec policy IPSECPOLICY
esr(config-ipsec-policy)# proposal IPSECPROP
esr(config-ipsec-policy)# exit
esr(config)# security ipsec vpn IPSECVPN_HUB
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel route
esr(config-ipsec-vpn)# ike gateway IKEGW_HUB
esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY
esr(config-ipsec-vpn)# enable
esr(config)# security ipsec vpn IPSECVPN_SPOKE
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel route
esr(config-ipsec-vpn)# ike gateway IKEGW_SPOKE
esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY
esr(config-ipsec-vpn)# enable
Map IPsec to the GRE tunnel, in order to be able to establish an encrypted connection with the server and with other network clients:
esr(config-gre)# ip nhrp ipsec IPSECVPN_HUB static
esr(config-gre)# ip nhrp ipsec IPSECVPN_SPOKE dynamic
Enable NHRP and the tunnel:
esr(config-gre)# ip nhrp enable
esr(config-gre)# enable
To view the NHRP records status, use the following command:
esr# show ip nhrp
You can clear NHRP records with the command:
esr# clear ip nhrp
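The NHRP exchange that the Hub and Spoke configuration above sets up, as an added Python model of both sides (an illustration for this page, not Eltex's code; it models the registration table, not NHRP's packet format). The NHS keeps tunnel-to-NBMA bindings learnt from client registrations and expires them after the client's `holding-time`; a client reaches the NHS through its static `ip nhrp map` entry and resolves other spokes through the server. The addresses are those of the example (Hub 150.115.0.5 / 10.10.0.5, Spoke-1 180.100.0.10 / 10.10.0.8, Spoke-2 140.114.0.4 / 10.10.0.4); the authentication word, the holding-time of 300 s for Spoke-2, and the unauthenticated client's address are constructed.

```python
from dataclasses import dataclass


@dataclass
class Registration:
    nbma: str             # 'external' (NBMA) address of the client
    expires_at: float     # registration time + the client's holding-time


class NextHopServer:
    """The Hub (NHS): maps tunnel addresses to NBMA addresses learnt from registrations."""

    def __init__(self, auth=None):
        self.auth = auth          # 'ip nhrp authentication <WORD>'; None = no authentication
        self.table = {}

    def _authorised(self, auth):
        return self.auth is None or auth == self.auth

    def register(self, tunnel_addr, nbma_addr, holding_time, now, auth=None):
        """NHRP Registration Request from a client; True if the binding was accepted."""
        if not self._authorised(auth):
            return False
        self.table[tunnel_addr] = Registration(nbma_addr, now + holding_time)
        return True

    def resolve(self, tunnel_addr, now, auth=None):
        """NHRP Resolution Request: the NBMA address, or None if unknown or expired."""
        if not self._authorised(auth):
            return None
        self.table = {k: v for k, v in self.table.items() if v.expires_at > now}
        entry = self.table.get(tunnel_addr)
        return entry.nbma if entry else None


class NextHopClient:
    """A Spoke (NHC): registers itself with the NHS and resolves other spokes via it."""

    def __init__(self, tunnel_addr, nbma_addr, nhs_tunnel, nhs_nbma, holding_time, auth=None):
        self.tunnel_addr, self.nbma_addr = tunnel_addr, nbma_addr
        self.holding_time, self.auth = holding_time, auth
        self.static_map = {nhs_tunnel: nhs_nbma}    # 'ip nhrp map <tunnel> <NBMA>' for the NHS

    def register(self, nhs, now):
        return nhs.register(self.tunnel_addr, self.nbma_addr, self.holding_time, now, self.auth)

    def next_hop_nbma(self, nhs, tunnel_addr, now):
        """NBMA address to send the GRE/IPsec packet to: static map first, then ask the NHS."""
        if tunnel_addr in self.static_map:
            return self.static_map[tunnel_addr]
        return nhs.resolve(tunnel_addr, now, self.auth)


def demo():
    """Constructed timeline: both spokes register at t=0 with holding-time 300."""
    hub = NextHopServer(auth="dmvpn1")                  # constructed authentication word
    spoke1 = NextHopClient("10.10.0.8", "180.100.0.10", "10.10.0.5", "150.115.0.5", 300, "dmvpn1")
    spoke2 = NextHopClient("10.10.0.4", "140.114.0.4", "10.10.0.5", "150.115.0.5", 300, "dmvpn1")
    stranger = NextHopClient("10.10.0.9", "203.0.113.7", "10.10.0.5", "150.115.0.5", 300, "guess")
    spoke1.register(hub, now=0)
    spoke2.register(hub, now=0)
    return {
        "unauthenticated registration accepted": stranger.register(hub, now=0),        # False
        "spoke1 -> hub": spoke1.next_hop_nbma(hub, "10.10.0.5", now=10),               # 150.115.0.5
        "spoke1 -> spoke2 at t=100": spoke1.next_hop_nbma(hub, "10.10.0.4", now=100),  # 140.114.0.4
        "spoke1 -> spoke2 at t=400": spoke1.next_hop_nbma(hub, "10.10.0.4", now=400),  # None: expired
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The expiry case shows why a client must re-register well inside its `holding-time`: once the binding lapses, other spokes can no longer resolve it and their traffic falls back through the Hub. The authentication word only filters who may register and query; the confidentiality of the exchange comes from the IPsec mapping configured with `ip nhrp ipsec`.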
L2TPv3 tunnels configuration
L2TPv3 (Layer 2 Tunnelling Protocol Version 3) is a protocol for tunneling OSI layer 2 frames between two IP nodes, using IP or UDP as the encapsulation protocol. L2TPv3 may be used as an alternative to MPLS P2P L2VPN (VLL) for building an L2 VPN. ESR routers implement static, unmanaged L2TPv3 tunnels, i.e. tunnels are created manually via configuration on the local and remote hosts. The tunnel parameters on both sides must agree, otherwise the transferred data will not be decapsulated by the partner.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure the L3 interface from which the L2TPv3 tunnel will be built. | | |
2 | Create an L2TPv3 tunnel and switch to its configuration mode. | esr(config)# tunnel l2tpv3 <INDEX> | <INDEX> – tunnel identifier, set in the range of: |
3 | Specify the description of the configured tunnel (optionally). | esr(config-l2tpv3)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
4 | Specify the VRF instance in which the given L2TPv3 tunnel will operate (optionally). | esr(config-l2tpv3)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
5 | Set local IP address for tunnel installation. | esr(config-l2tpv3)# local address <ADDR> | <ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
6 | Set remote IP address for tunnel installation. | esr(config-l2tpv3)# remote address <ADDR> | <ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
7 | Select the encapsulation method for the L2TPv3 tunnel. | esr(config-l2tpv3)# protocol <TYPE> | <TYPE> – encapsulation type, possible values: |
8 | Set local session identifier. | esr(config-l2tpv3)# local session-id <SESSION-ID> | <SESSION-ID> – session identifier, takes values in the range of [1..200000]. |
9 | Set remote session identifier. | esr(config-l2tpv3)# remote session-id <SESSION-ID> | <SESSION-ID> – session identifier, takes values in the range of [1..200000]. |
10 | Define local UDP port (if UDP was selected as encapsulation method). | esr(config-l2tpv3)# local port <UDP> | <UDP> – UDP port number in the range of [1..65535]. |
11 | Define remote UDP port (if UDP was selected as encapsulation method). | esr(config-l2tpv3)# remote port <UDP> | <UDP> – UDP port number in the range of [1..65535]. |
12 | Assign the broadcast domain for encapsulation in the tunnel's L2TPv3 packets. | esr(config-l2tpv3)# bridge-group <BRIDGE-ID> | <BRIDGE-ID> – bridge identification number, takes values in the range of: |
13 | Enable the tunnel. | esr(config-l2tpv3)# enable | |
14 | Specify the MTU size (Maximum Transmission Unit) for the tunnel (optionally). | esr(config-l2tpv3)# mtu <MTU> | <MTU> – MTU value, takes values in the range of: Default value: 1500. |
15 | Define the local cookie value to check the conformance of data being transmitted and session (optionally). | esr(config-l2tpv3)# local cookie <COOKIE> | <COOKIE> – COOKIE value, the parameter takes values of 8 or 16 characters in hexadecimal form. |
16 | Define the remote cookie value to check the conformance of data being transmitted and session (optionally). | esr(config-l2tpv3)# remote cookie <COOKIE> | <COOKIE> – COOKIE value, the parameter takes values of 8 or 16 characters in hexadecimal form. |
17 | Specify the time interval during which the statistics on the tunnel load is averaged (optionally). | esr(config-l2tpv3)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. Default value: 5. |
L2TPv3 tunnel configuration example
Objective:
Establish an L2 VPN between company offices over an IP network, using the L2TPv3 protocol for traffic tunnelling.
- UDP is used as the encapsulation protocol; the port number is 519 at both the local side and the partner's side;
- IP address 21.0.0.1 is used as the local gateway for the tunnel;
- IP address 183.0.0.10 is used as the remote gateway for the tunnel;
- Tunnel identifier at the local side equals 2, at the partner's side – 3;
- Session identifier inside the tunnel equals 100, at the partner's side – 200;
- Forward traffic into the tunnel from the bridge with identifier 333.
Figure 30 – Network structure
Solution:
Create L2TPv3 tunnel 333:
esr# configure
esr(config)# tunnel l2tpv3 333
Specify the local and remote gateways (IP addresses of the WAN border interfaces):
esr(config-l2tpv3)# local address 21.0.0.1
esr(config-l2tpv3)# remote address 183.0.0.10
Specify the encapsulating protocol type and the UDP port numbers:
esr(config-l2tpv3)# protocol udp
esr(config-l2tpv3)# local port 519
esr(config-l2tpv3)# remote port 519
Specify the session identifiers inside the tunnel for the local and remote sides:
esr(config-l2tpv3)# local session-id 100
esr(config-l2tpv3)# remote session-id 200
Assign the L2TPv3 tunnel to the bridge that is mapped to the remote office network (for bridge configuration, see Section Configuration example of bridge for VLAN and L2TPv3 tunnel):
esr(config-l2tpv3)# bridge-group 333
Enable the previously created tunnel and exit:
esr(config-l2tpv3)# enable
esr(config-l2tpv3)# exit
Create a sub-interface for switching traffic coming from the tunnel into the LAN with VLAN ID 333:
esr(config)# interface gi 1/0/2.333
Assign the sub-interface to the bridge that is mapped to the LAN (for bridge configuration, see Section Configuration of PPP via E1):
esr(config-subif)# bridge-group 333
esr(config-subif)# exit
Once the settings are applied, traffic is encapsulated into the tunnel and sent to the partner regardless of whether the partner's L2TPv3 tunnel exists or whether its settings are valid.
Tunnel settings for the remote office should mirror the local ones: IP address 183.0.0.10 is used as the local gateway and IP address 21.0.0.1 as the remote gateway for the tunnel; the encapsulation protocol port number at the local side should be 520, at the partner's side – 519; the session identifier inside the tunnel should be 200, at the partner's side – 100. The tunnel should also belong to a bridge that is connected to the partner's network.
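An added example (not from the ESR manual) that models the L2TPv3-over-UDP data path of the tunnel above, to show what it means for the two sides' parameters to agree: the receiver demultiplexes on its own local session-id and checks the cookie, so a peer whose local session-id or cookie does not mirror ours drops every frame without any signal back to the sender. Session-ids 100/200 and bridge 333 come from the example; the cookie values and the L2 frame are constructed, and only the UDP encapsulation without an L2-specific sublayer is modelled.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

L2TPV3_VER = 3  # Ver field of the L2TPv3 data message header (RFC 3931)


@dataclass(frozen=True)
class Tunnel:
    """One static L2TPv3 tunnel, with the parameters set by the CLI steps above."""
    local_session_id: int       # local session-id
    remote_session_id: int      # remote session-id
    local_cookie: bytes         # local cookie (4 or 8 bytes)
    remote_cookie: bytes        # remote cookie (4 or 8 bytes)
    bridge_group: int           # bridge-group that receives decapsulated frames


def cookie_from_cli(hex_text: str) -> bytes:
    """Cookie as typed on the CLI: 8 or 16 hexadecimal characters."""
    if len(hex_text) not in (8, 16):
        raise ValueError("cookie must be 8 or 16 hexadecimal characters")
    return bytes.fromhex(hex_text)


def encapsulate(t: Tunnel, l2_frame: bytes) -> bytes:
    """Data message this side sends over UDP (no L2-specific sublayer).
    It carries the peer's session id and the peer's cookie, i.e. the values the
    peer configured as *local* and will check on receipt."""
    # 16 bits: T=0 (data), Ver=3; 16 bits reserved; 32-bit session id
    header = struct.pack("!HHI", L2TPV3_VER, 0, t.remote_session_id)
    return header + t.remote_cookie + l2_frame


class Receiver:
    """Receive side of one router: demultiplexes by local session id, checks the cookie."""

    def __init__(self, tunnels: Iterable[Tunnel]):
        self.by_session: Dict[int, Tunnel] = {t.local_session_id: t for t in tunnels}

    def decapsulate(self, msg: bytes) -> Tuple[Optional[int], Optional[bytes], str]:
        """Return (bridge_group, l2_frame, "ok"), or (None, None, reason) when dropped."""
        if len(msg) < 8:
            return None, None, "drop: truncated header"
        flags_ver, _reserved, session_id = struct.unpack("!HHI", msg[:8])
        if flags_ver & 0x000F != L2TPV3_VER:
            return None, None, "drop: not an L2TPv3 message"
        if flags_ver & 0x8000:
            return None, None, "drop: control message on a static tunnel"
        t = self.by_session.get(session_id)
        if t is None:
            return None, None, f"drop: unknown session-id {session_id}"
        n = len(t.local_cookie)
        # constant-time compare; a short message simply fails the comparison
        if not hmac.compare_digest(msg[8:8 + n], t.local_cookie):
            return None, None, f"drop: cookie mismatch for session-id {session_id}"
        return t.bridge_group, msg[8 + n:], "ok"


# Constructed values for the example above: local session-id 100, remote
# session-id 200, bridge 333. Cookies and the frame are sample values.
LOCAL_COOKIE = cookie_from_cli("0102030405060708")
REMOTE_COOKIE = cookie_from_cli("a1b2c3d4")
FRAME = bytes.fromhex("ffffffffffff001122334455" "0806") + b"constructed ARP payload"

HEAD_OFFICE = Tunnel(100, 200, LOCAL_COOKIE, REMOTE_COOKIE, 333)
# Remote office mirrored correctly: its local values are our remote ones.
BRANCH_OK = Tunnel(200, 100, REMOTE_COOKIE, LOCAL_COOKIE, 333)
# Remote office with one hex digit wrong in its local cookie.
BRANCH_BAD_COOKIE = Tunnel(200, 100, cookie_from_cli("a1b2c3d5"), LOCAL_COOKIE, 333)
# Remote office whose local session-id does not mirror our remote session-id.
BRANCH_BAD_SESSION = Tunnel(201, 100, REMOTE_COOKIE, LOCAL_COOKIE, 333)


def run_demo() -> Dict[str, Tuple[Optional[int], Optional[bytes], str]]:
    """Send one frame from the head office to each variant of the branch router."""
    msg = encapsulate(HEAD_OFFICE, FRAME)
    return {name: Receiver([branch]).decapsulate(msg)
            for name, branch in (("mirrored", BRANCH_OK),
                                 ("bad_cookie", BRANCH_BAD_COOKIE),
                                 ("bad_session", BRANCH_BAD_SESSION))}


if __name__ == "__main__":
    for name, (bridge, _frame, status) in run_demo().items():
        print(f"{name:12s} -> {status}" + (f" (bridge-group {bridge})" if bridge else ""))
```

The sender cannot tell the three cases apart, which is why the `show tunnels counters` command on both ends is the practical way to confirm that mirrored settings actually agree.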
To view the tunnel status, use the following command:
esr# show tunnels status l2tpv3 333
To view sent and received packet counters, use the following command:
esr# show tunnels counters l2tpv3 333
To view the tunnel configuration, use the following command:
esr# show tunnels configuration l2tpv3 333
In addition to creating the tunnel, the firewall must permit inbound UDP traffic with source port 519 and destination port 519.
IPsec VPN configuration
IPsec is a set of protocols that provides security for data transferred over IP. The set allows identity validation (authentication), IP packet integrity checking and encryption, and also includes protocols for secure key exchange over the Internet.
Route-based IPsec VPN configuration
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a VTI tunnel and switch to its configuration mode. | esr(config)# tunnel vti <TUN> | <TUN> – device tunnel name. |
2 | Specify the local IP address of the VTI tunnel. | esr(config-vti)# local address <ADDR> | <ADDR> – IP address of a local gateway. |
3 | Specify the remote IP address of the VTI tunnel. | esr(config-vti)# remote address <ADDR> | <ADDR> – IP address of a remote gateway. |
4 | Specify the IP address of the VTI tunnel local side. | esr(config-vti)# ip address <ADDR/LEN> | <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. |
5 | Include the VTI tunnel in a security zone and configure interaction rules between zones, or disable the firewall for the VTI tunnel. | esr(config-vti)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 12 characters. |
esr(config-vti)# ip firewall disable | |||
6 | Enable the tunnel. | esr(config-vti)# enable | |
7 | Create an IKE profile and switch to its configuration mode. | esr(config)# security ike proposal <NAME> | <NAME> – IKE protocol name, set by the string of up to 31 characters. |
8 | Specify the description of the configured IKE profile (optionally). | esr(config-ike-proposal)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
9 | Specify IKE authentication algorithm (optionally). | esr(config-ike-proposal)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm, may take values: md5, sha1, sha2-256, sha2-384, sha2-512. Default value: sha1 |
10 | Specify IKE encryption algorithm (optionally). | esr(config-ike-proposal)# encryption algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. Default value: 3des |
11 | Define Diffie-Hellman group number (optionally). | esr(config-ike-proposal)# dh-group <DH-GROUP> | <DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18]. Default value: 1 |
12 | Specify IKE authentication mode (optionally). | esr(config-ike-proposal)# authentication method <METHOD> | <METHOD> – key authentication method. May take the following values: Default value: pre-shared-key |
13 | Create an IKE policy and switch to its configuration mode. | esr(config)# security ike policy <NAME> | <NAME> – IKE policy name, set by the string of up to 31 characters. |
14 | Specify the lifetime of IKE protocol connection (optionally). | esr(config-ike-proposal)# lifetime seconds <SEC> | <SEC> – time interval, takes values of [4..86400] seconds. Default value: 3600 |
15 | Bind IKE profile to IKE policy. | esr(config-ike-policy)# proposal <NAME> | <NAME> – IKE protocol name, set by the string of up to 31 characters. |
16 | Specify authentication key (mandatory if pre-shared-key is selected as authentication mode). | esr(config-ike-policy)# pre-shared-key ascii-text <TEXT> | <TEXT> – string of [1..64] ASCII characters. |
17 | Create an IKE gateway and switch to its configuration mode. | esr(config)# security ike gateway <NAME> | <NAME> – IKE protocol gateway name, set by the string of up to 31 characters. |
18 | Bind IKE policy to IKE gateway. | esr(config-ike-gw)# ike-policy <NAME> | <NAME> – IKE protocol policy name, set by the string of up to 31 characters. |
19 | Specify IKE version (optionally). | esr(config-ike-gw)# version <VERSION> | <VERSION> – IKE protocol version: v1-only or v2-only. Default value: v1-only |
20 | Set the route-based mode. | esr(config-ike-gw)# mode route-based | |
21 | Specify the action for DPD (optionally). | esr(config-ike-gw)# dead-peer-detection action <MODE> | <MODE> – DPD operation mode: Default value: none |
22 | Specify the interval between sending messages via DPD mechanism (optionally). | esr(config-ike-gw)# dead-peer-detection interval <SEC> | <SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds. Default value: 2 |
23 | Specify the time period of response to DPD mechanism messages (optionally). | esr(config-ike-gw)# dead-peer-detection timeout <SEC> | <SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds. Default value: 30 seconds |
24 | Bind VTI tunnel to IKE gateway. | esr(config-ike-gw)# bind-interface vti <VTI> | <VTI> – VTI ID. |
25 | Create IPsec profile. | esr(config)# security ipsec proposal <NAME> | <NAME> – IPsec protocol profile name, set by the string of up to 31 characters. |
26 | Specify IPsec authentication algorithm (optionally). | esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm, may take values: md5, sha1, sha2-256, sha2-384, sha2-512. Default value: sha1 |
27 | Specify IPsec encryption algorithm (optionally). | esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. Default value: 3des |
28 | Specify encapsulation protocol for IPsec (optionally). | esr(config-ipsec-proposal)# protocol <PROTOCOL> | <PROTOCOL> – encapsulation protocol, takes the following values: Default value: esp |
29 | Create an IPsec policy and switch to its configuration mode. | esr(config)# security ipsec policy <NAME> | <NAME> – IPsec policy name, set by the string of up to 31 characters. |
30 | Bind IPsec profile to IPsec policy. | esr(config-ipsec-policy)# proposal <NAME> | <NAME> – IPsec protocol profile name, set by the string of up to 31 characters. |
31 | Specify the lifetime of IPsec tunnel (optionally). | esr(config-ipsec-policy)# lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB> } | <SEC> – IPsec tunnel lifetime after which re-keying is carried out. Takes values in the range of [1140..86400] seconds. <PACKETS> – number of packets after transmitting of which IPsec tunnel re-keying is carried out. Takes values in the range of [4..86400]. <KB> – traffic amount after transmitting of which IPsec tunnel re-keying is carried out. Takes values in the range of [4..86400] seconds. Default value: 28800 seconds |
32 | Create IPsec VPN policy and switch to its configuration mode. | esr(config)# security ipsec vpn <NAME> | <NAME> – VPN name, set by the string of up to 31 characters. |
33 | Define the matching mode of data required for VPN enabling. | esr(config-ipsec-vpn)# mode <MODE> | <MODE> – VPN operation mode. |
34 | Bind IPsec policy to IPsec VPN. | esr(config-ipsec-vpn)# ike ipsec-policy <NAME> | <NAME> – IPsec policy name, set by the string of up to 31 characters. |
35 | Set the DSCP value for use in IP headers of outgoing IKE packets (optionally). | esr(config-ipsec-vpn)# ike dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. Default value: 63 |
36 | Set VPN activation mode. | esr(config-ipsec-vpn)# ike establish-tunnel <MODE> | <MODE> – VPN activation mode: |
37 | Bind IKE gateway to IPsec VPN. | esr(config-ipsec-vpn)# ike gateway <NAME> | <NAME> – IKE gateway name, set by the string of up to 31 characters. |
38 | Set the time interval in seconds after which the connection is closed if no packet has been received or sent via the SA (optionally). | esr(config-ipsec-vpn)# ike idle-time <TIME> | <TIME> – interval in seconds, takes values of [4..86400]. |
39 | Disable re-keying before the IKE connection is lost due to the timeout, the number of transmitted packets or bytes (optionally). | esr(config-ipsec-vpn)# ike rekey disable | |
40 | Configure the start of IKE connection re-keying before the expiration of the lifetime (optionally). | esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB> } | <SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds command, see 22.2.13). Takes values in the range of [4..86400]. <PACKETS> – number of packets remaining before the connection release (set by the lifetime packets command). Takes values in the range of [4..86400]. <KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetime kilobytes command). Takes values in the range of [4..86400]. Default value: |
41 | Set the level of random spread of the margin seconds, margin packets and margin kilobytes values (optionally). | esr(config-ipsec-vpn)# ike rekey randomization <VALUE> | <VALUE> – maximum ratio of values spread, takes values of [1..100]. Default value: 100% |
42 | Specify the description for IPsec VPN (optionally). | esr(config-ipsec-vpn)# description <DESCRIPTION> | <DESCRIPTION> – profile description, set by the string of up to 255 characters. |
43 | Enable IPsec VPN. | esr(config-ipsec-vpn)# enable | |
Configuration example
Figure 31 – Network structure
Objective:
Configure IPsec tunnel between R1 and R2.
- R1 IP address: 120.11.5.1;
- R2 IP address: 180.100.0.1.
IKE:
- Diffie-Hellman group: 2;
- encryption algorithm: AES 128 bit;
- authentication algorithm: MD5.
IPsec:
- encryption algorithm: AES 128 bit;
- authentication algorithm: MD5.
Solution:
R1 configuration
Configure the external network interface and assign it to a security zone:
esr# configure
esr(config)# interface gi 1/0/1
esr(config-if-gi)# ip address 180.100.0.1/24
esr(config-if-gi)# security-zone untrusted
esr(config-if-gi)# exit
Create a VTI tunnel. Traffic will be routed via the VTI into the IPsec tunnel. Specify the IP addresses of the WAN border interfaces as the local and remote gateways:
esr(config)# tunnel vti 1
esr(config-vti)# local address 180.100.0.1
esr(config-vti)# remote address 120.11.5.1
esr(config-vti)# enable
esr(config-vti)# exit
To configure security zone rules, create an ISAKMP port profile:
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500
esr(config-object-group-service)# exit
Create a static route to the remote LAN. For each subnet located beyond the IPsec tunnel, specify a route via the VTI tunnel:
esr(config)# ip route 192.0.2.0/24 tunnel vti 1
Create an IKE protocol profile. In the profile, select Diffie-Hellman group 2, the AES 128 bit encryption algorithm and the MD5 authentication algorithm. These security parameters are used to protect the IKE connection:
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm md5
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# exit
Create an IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
esr(config)# security ike policy ike_pol1
esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
esr(config-ike-policy)# proposal ike_prop1
esr(config-ike-policy)# exit
Create an IKE protocol gateway. For this profile, specify the VTI tunnel, policy, protocol version and mode of traffic redirection into the tunnel:
esr(config)# security ike gateway ike_gw1
esr(config-ike-gw)# ike-policy ike_pol1
esr(config-ike-gw)# mode route-based
esr(config-ike-gw)# bind-interface vti 1
esr(config-ike-gw)# version v2-only
esr(config-ike-gw)# exit
Create a security parameters profile for the IPsec tunnel. For the profile, select Diffie-Hellman group 2, the AES 128 bit encryption algorithm and the MD5 authentication algorithm. These parameters are used to secure the IPsec tunnel:
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)# authentication algorithm md5
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
Create a policy for the IPsec tunnel. For the policy, specify the list of IPsec tunnel profiles that may be used for node negotiation:
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)# proposal ipsec_prop1
esr(config-ipsec-policy)# exit
Create the IPsec VPN. For the VPN, specify the IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable the tunnel using the enable command:
esr(config)# security ipsec vpn ipsec1
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel route
esr(config-ipsec-vpn)# ike gateway ike_gw1
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
esr(config-ipsec-vpn)# enable
esr(config-ipsec-vpn)# exit
esr(config)# exit
R2 configuration
Configure the external network interface and assign it to a security zone:
esr# configure
esr(config)# interface gi 1/0/1
esr(config-if)# ip address 120.11.5.1/24
esr(config-if)# security-zone untrusted
esr(config-if)# exit
Create a VTI tunnel. Traffic will be routed via the VTI into the IPsec tunnel. Specify the IP addresses of the WAN border interfaces as the local and remote gateways:
esr(config)# tunnel vti 1
esr(config-vti)# remote address 180.100.0.1
esr(config-vti)# local address 120.11.5.1
esr(config-vti)# enable
esr(config-vti)# exit
To configure security zone rules, create an ISAKMP port profile:
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500
esr(config-object-group-service)# exit
Create a static route to the remote LAN. For each subnet located beyond the IPsec tunnel, specify a route via the VTI tunnel:
esr(config)# ip route 10.0.0.0/16 tunnel vti 1
Create an IKE protocol profile. In the profile, select Diffie-Hellman group 2, the AES 128 bit encryption algorithm and the MD5 authentication algorithm. These security parameters are used to protect the IKE connection:
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm md5
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# exit
Create an IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
esr(config)# security ike policy ike_pol1
esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
esr(config-ike-policy)# proposal ike_prop1
esr(config-ike-policy)# exit
Create an IKE protocol gateway. For this profile, specify the VTI tunnel, policy, protocol version and mode of traffic redirection into the tunnel:
esr(config)# security ike gateway ike_gw1
esr(config-ike-gw)# ike-policy ike_pol1
esr(config-ike-gw)# mode route-based
esr(config-ike-gw)# bind-interface vti 1
esr(config-ike-gw)# version v2-only
esr(config-ike-gw)# exit
Create a security parameters profile for the IPsec tunnel. For the profile, select Diffie-Hellman group 2, the AES 128 bit encryption algorithm and the MD5 authentication algorithm. These parameters are used to secure the IPsec tunnel:
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)# authentication algorithm md5
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
Create a policy for the IPsec tunnel. For the policy, specify the list of IPsec tunnel profiles that may be used for node negotiation:
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)# proposal ipsec_prop1
esr(config-ipsec-policy)# exit
Create the IPsec VPN. For the VPN, specify the IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable the tunnel using the enable command:
esr(config)# security ipsec vpn ipsec1
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel route
esr(config-ipsec-vpn)# ike gateway ike_gw1
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
esr(config-ipsec-vpn)# enable
esr(config-ipsec-vpn)# exit
esr(config)# exit
To view the tunnel status, use the following command:
esr# show security ipsec vpn status ipsec1
To view the tunnel configuration, use the following command:
esr# show security ipsec vpn configuration ipsec1
In the firewall, ESP and the ISAKMP protocol (UDP port 500) must be permitted.
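An added example, not code from the ESR manual: a small auditor for the IKE/IPsec proposals and IKE policies found in ESR CLI transcripts such as the R1/R2 configurations above (the policy-based examples further down use the same proposal and policy commands, so it applies to them too). It parses the run-together `esr(...)#` prompt lines, applies the defaults from the route-based configuration table to anything left unset, and flags what it considers weak. The WEAK_* sets and MIN_PSK_BYTES encode this example's own assessment, not a rating given by the manual.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Defaults from the route-based configuration table above, applied when a
# proposal does not set the value explicitly.
IKE_DEFAULTS = {"authentication algorithm": "sha1", "encryption algorithm": "3des", "dh-group": "1"}
IPSEC_DEFAULTS = {"authentication algorithm": "sha1", "encryption algorithm": "3des"}

# This auditor's own assessment (an assumption of the example, not the manual's):
WEAK_AUTH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des", "blowfish128", "blowfish192", "blowfish256"}
WEAK_DH = {"1", "2", "5"}      # MODP groups below 2048 bits
MIN_PSK_BYTES = 16             # pre-shared keys shorter than this are flagged

# One prompt plus its command, e.g. "esr(config-ike-proposal)# dh-group 2".
# Several commands may run together on one line, as in the transcripts above.
PROMPT = re.compile(r"esr\(([\w-]+)\)#\s*(.*?)(?=\s+esr\(|\s*$)", re.S)
SETTING = re.compile(r"(authentication algorithm|encryption algorithm|dh-group|protocol) (\S+)")


@dataclass
class CliObject:
    kind: str                    # "ike" or "ipsec" (proposals), or "ike-policy"
    name: str
    settings: Dict[str, str] = field(default_factory=dict)


def parse(transcript: str) -> List[CliObject]:
    """Collect proposals and IKE policies, with their explicit settings, from a transcript."""
    objects: List[CliObject] = []
    current = None
    for mode, cmd in PROMPT.findall(transcript):
        cmd = cmd.strip()
        m = re.fullmatch(r"security (ike|ipsec) proposal (\S+)", cmd)
        if m:
            current = CliObject(m.group(1), m.group(2))
            objects.append(current)
            continue
        m = re.fullmatch(r"security ike policy (\S+)", cmd)
        if m:
            current = CliObject("ike-policy", m.group(1))
            objects.append(current)
            continue
        if current is None:
            continue
        if cmd == "exit":
            current = None
        elif mode.endswith("-proposal") and (m := SETTING.fullmatch(cmd)):
            current.settings[m.group(1)] = m.group(2)
        elif mode == "config-ike-policy" and cmd.startswith("pre-shared-key "):
            _, fmt, value = cmd.split(maxsplit=2)   # e.g. "hexadecimal 123FFF"
            current.settings["pre-shared-key"] = f"{fmt}:{value}"
    return objects


def audit(transcript: str) -> List[str]:
    """One finding per weak setting, whether set explicitly or inherited as a default."""
    findings: List[str] = []
    for obj in parse(transcript):
        if obj.kind == "ike-policy":
            psk = obj.settings.get("pre-shared-key")
            if psk:
                fmt, _, value = psk.partition(":")
                nbytes = len(value) // 2 if fmt == "hexadecimal" else len(value)
                if nbytes < MIN_PSK_BYTES:
                    findings.append(f"ike policy {obj.name}: pre-shared-key is only {nbytes} bytes")
            continue
        defaults = IKE_DEFAULTS if obj.kind == "ike" else IPSEC_DEFAULTS
        for key, default in defaults.items():
            value = obj.settings.get(key, default)
            origin = "explicit" if key in obj.settings else "default"
            weak = ((key == "authentication algorithm" and value in WEAK_AUTH)
                    or (key == "encryption algorithm" and value in WEAK_ENC)
                    or (key == "dh-group" and value in WEAK_DH))
            if weak:
                findings.append(f"{obj.kind} proposal {obj.name}: {key} {value} ({origin}) is weak")
    return findings


# Constructed transcript: the R1 IKE/IPsec objects from the example above, plus
# an IPsec proposal that relies entirely on the table defaults.
SAMPLE_TRANSCRIPT = """
esr(config)# security ike proposal ike_prop1 esr(config-ike-proposal)# dh-group 2 esr(config-ike-proposal)# authentication algorithm md5 esr(config-ike-proposal)# encryption algorithm aes128 esr(config-ike-proposal)# exit
esr(config)# security ike policy ike_pol1 esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF esr(config-ike-policy)# proposal ike_prop1 esr(config-ike-policy)# exit
esr(config)# security ipsec proposal ipsec_prop1 esr(config-ipsec-proposal)# authentication algorithm md5 esr(config-ipsec-proposal)# encryption algorithm aes128 esr(config-ipsec-proposal)# exit
esr(config)# security ipsec proposal ipsec_defaults esr(config-ipsec-proposal)# exit esr(config)#
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TRANSCRIPT):
        print(finding)
```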
Policy-based IPsec VPN configuration
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create an IKE instance and switch to its configuration mode. | esr(config)# security ike proposal <NAME> | <NAME> – IKE protocol name, set by the string of up to 31 characters. |
2 | Specify the description of the configured tunnel (optionally). | esr(config-ike-proposal)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
3 | Specify IKE authentication algorithm. | esr(config-ike-proposal)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm, may take values: md5, sha1, sha2-256, sha2-384, sha2-512. |
4 | Specify IKE encryption algorithm. | esr(config-ike-proposal)# encryption algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. |
5 | Define Diffie-Hellman group number. | esr(config-ike-proposal)# dh-group <DH-GROUP> | <DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18]. |
6 | Specify the authentication mode. | esr(config-ike-proposal)# authentication method <METHOD> | <METHOD> – key authentication method. May take the following values: |
7 | Create an IKE policy and switch to its configuration mode. | esr(config)# security ike policy <NAME> | <NAME> – IKE policy name, set by the string of up to 31 characters. |
8 | Specify the lifetime of IKE protocol connection (optionally). | esr(config-ike-proposal)# lifetime seconds <SEC> | <SEC> – time interval, takes values of [4..86400] seconds. |
9 | Bind the profile to the policy. | esr(config-ike-policy)# proposal <NAME> | <NAME> – IKE protocol name, set by the string of up to 31 characters. |
10 | Specify authentication key. | esr(config-ike-policy)# pre-shared-key ascii-text <TEXT> | <TEXT> – string of [1..64] ASCII characters. |
11 | Create an IKE gateway and switch to its configuration mode. | esr(config)# security ike gateway <NAME> | <NAME> – IKE protocol gateway name, set by the string of up to 31 characters. |
12 | Bind IKE policy. | esr(config-ike-gw)# ike-policy <NAME> | <NAME> – IKE protocol policy name, set by the string of up to 31 characters. |
13 | Specify IKE version (optionally). | esr(config-ike-gw)# version <VERSION> | <VERSION> – IKE protocol version: v1-only or v2-only. |
14 | Set the mode of traffic redirection into the tunnel. | esr(config-ike-gw)# mode <MODE> | <MODE> – mode of traffic redirection into the tunnel, takes the following values: |
15 | Specify the action for DPD (optionally). | esr(config-ike-gw)# dead-peer-detection action <MODE> | <MODE> – DPD operation mode: |
16 | Specify the interval between sending messages via DPD mechanism (optionally). | esr(config-ike-gw)# dead-peer-detection interval <SEC> | <SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds. |
17 | Specify the time period of response to DPD mechanism messages (optionally). | esr(config-ike-gw)# dead-peer-detection timeout <SEC> | <SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds. |
18 | Specify IKE version (optionally). | esr(config-ike-gw)# version <VERSION> | <VERSION> – IKE protocol version: v1-only or v2-only. |
19 | Set sender's IP subnets. | esr(config-ike-gw)# local network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ] | <ADDR/LEN> – source IP address and subnet mask. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]; <TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre; <ID> – IP identification number, takes values of [0x00-0xFF]; <PORT> – TCP/UDP port, takes values of [1..65535]. |
20 | Specify the IP address of IPsec tunnel local gateway. | esr(config-ike-gw)# local address <ADDR> | <ADDR> – IP address of a local gateway. |
21 | Specify the IP address of IPsec tunnel remote gateway. | esr(config-ike-gw)# remote address <ADDR> | <ADDR> – IP address of a remote gateway. |
22 | Set recipient's subnet IP address as well as protocol and port. | esr(config-ike-gw)# remote network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ] | <ADDR/LEN> – source IP address and subnet mask. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]; <TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre; <ID> – IP identification number, takes values of [0x00-0xFF]; <PORT> – TCP/UDP port, takes values of [1..65535]. |
23 | Create IPsec profile. | esr(config)# security ipsec proposal <NAME> | <NAME> – IPsec protocol profile name, set by the string of up to 31 characters. |
24 | Specify IPsec authentication algorithm. | esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm, may take values: md5, sha1, sha2-256, sha2-384, sha2-512. |
25 | Specify IPsec encryption algorithm. | esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. |
26 | Specify protocol (optionally). | esr(config-ipsec-proposal)# protocol <PROTOCOL> | <PROTOCOL> – encapsulation protocol, takes the following values: |
27 | Create an IPsec policy and switch to its configuration mode. | esr(config)# security ipsec policy <NAME> | <NAME> – IPsec policy name, set by the string of up to 31 characters. |
28 | Bind the profile to the policy. | esr(config-ipsec-policy)# proposal <NAME> | <NAME> – IPsec protocol profile name, set by the string of up to 31 characters. |
29 | Specify the lifetime of IPsec tunnel (optionally). | esr(config-ipsec-policy)# lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB> } | <SEC> – IPsec tunnel lifetime after which re-keying is carried out. Takes values in the range of [1140..86400] seconds. <PACKETS> – number of packets after transmitting of which IPsec tunnel re-keying is carried out. Takes values in the range of [4..86400]. <KB> – traffic amount after transmitting of which IPsec tunnel re-keying is carried out. Takes values in the range of [4..86400] seconds. |
30 | Create IPsec VPN policy and switch to its configuration mode. | esr(config)# security ipsec vpn <NAME> | <NAME> – VPN name, set by the string of up to 31 characters. |
31 | Define the matching mode of data required for VPN enabling. | esr(config-ipsec-vpn)# mode <MODE> | <MODE> – VPN operation mode. |
32 | Bind IPsec policy to VPN. | esr(config-ipsec-vpn)# ike ipsec-policy <NAME> | <NAME> – IPsec policy name, set by the string of up to 31 characters. |
33 | Set the DSCP value for use in IP headers of outgoing IKE packets (optionally). | esr(config-ipsec-vpn)# ike dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. |
34 | Set VPN activation mode. | esr(config-ipsec-vpn)# ike establish-tunnel <MODE> | <MODE> – VPN activation mode: |
35 | Bind IKE gateway to VPN. | esr(config-ipsec-vpn)# ike gateway <NAME> | <NAME> – IKE gateway name, set by the string of up to 31 characters. |
36 | Set the time interval in seconds after which the connection is closed if no packet has been received or sent via the SA (optionally). | esr(config-ipsec-vpn)# ike idle-time <TIME> | <TIME> – interval in seconds, takes values of [4..86400]. |
37 | Disable re-keying before the IKE connection is lost due to the timeout, the number of transmitted packets or bytes (optionally). | esr(config-ipsec-vpn)# ike rekey disable | |
38 | Configure the start of IKE connection re-keying before the expiration of the lifetime (optionally). | esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB> } | <SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds command). Takes values in the range of [4..86400]. <PACKETS> – number of packets remaining before the connection release (set by the lifetime packets command). Takes values in the range of [4..86400]. <KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetime kilobytes command). Takes values in the range of [4..86400]. |
39 | Set the level of random spread of the margin seconds, margin packets and margin kilobytes values (optionally). | esr(config-ipsec-vpn)# ike rekey randomization <VALUE> | <VALUE> – maximum ratio of values spread, takes values of [1..100]. |
40 | Describe VPN (optionally). | esr(config-ipsec-vpn)# description <DESCRIPTION> | <DESCRIPTION> – profile description, set by the string of up to 255 characters. |
41 | Enable IPsec VPN. | esr(config-ipsec-vpn)# enable | |
Configuration example
Figure 32 – Network structure
Objective:
Configure IPsec tunnel between R1 and R2.
- R1 IP address: 120.11.5.1;
- R2 IP address: 180.100.0.1;
IKE:
- Diffie-Hellman group: 2;
- encryption algorithm: AES 128 bit;
- authentication algorithm: MD5.
IPsec:
- encryption algorithm: AES 128 bit;
- authentication algorithm: MD5.
Solution:
- R1 configuration
Configure external network interface and identify its inherence to a security zone:
esr# configure esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# ip address 120.11.5.1/24 esr(config-if-gi)# security-zone untrusted esr(config-if-gi)# exit
To configure security zones rules, you should create ISAKMP port profile:
esr(config)# object-group service ISAKMP esr(config-object-group-service)# port-range 500 esr(config-object-group-service)# exit
Create IKE protocol profile. Select Diffie-Hellman group 2, AES 128 bit encryption algorithm and MD5 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
esr(config)# security ike proposal ike_prop1 esr(config-ike-proposal)# dh-group 2 esr(config-ike-proposal)# authentication algorithm md5 esr(config-ike-proposal)# encryption algorithm aes128 esr(config-ike-proposal)# exit
Create IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
esr(config)# security ike policy ike_pol1 esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF esr(config-ike-policy)# proposal ike_prop1 esr(config-ike-policy)# exit
Create IKE protocol gateway. For this profile, specify VTI tunnel, policy, protocol version and mode of traffic redirection into the tunnel.
esr(config)# security ike gateway ike_gw1 esr(config-ike-gw)# ike-policy ike_pol1 esr(config-ike-gw)# local address 180.100.0.1 esr(config-ike-gw)# local network 10.0.0.0/16 esr(config-ike-gw)# remote address 120.11.5.1 esr(config-ike-gw)# remote network 192.0.2.0/24 esr(config-ike-gw)# mode policy-based esr(config-ike-gw)# exit
Create a security parameters profile for the IPsec tunnel. For the profile, select the AES 128 bit encryption algorithm and the MD5 authentication algorithm; these parameters protect the IPsec tunnel itself:
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)# authentication algorithm md5
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
Create a policy for IPsec tunnel. For the policy, specify the list of IPsec tunnel profiles that may be used for node negotiation:
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)# proposal ipsec_prop1
esr(config-ipsec-policy)# exit
Create IPsec VPN. For VPN, specify IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable tunnel using the enable command.
esr(config)# security ipsec vpn ipsec1
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel immediate
esr(config-ipsec-vpn)# ike gateway ike_gw1
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
esr(config-ipsec-vpn)# enable
esr(config-ipsec-vpn)# exit
esr(config)# exit
- R2 configuration
Configure the external network interface and assign it to a security zone:
esr# configure
esr(config)# interface gi 1/0/1
esr(config-if)# ip address 120.11.5.1/24
esr(config-if)# security-zone untrusted
esr(config-if)# exit
To configure security zone rules, create an ISAKMP port profile:
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500
esr(config-object-group-service)# exit
Create IKE protocol profile. Select Diffie-Hellman group 2, AES 128 bit encryption algorithm and MD5 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm md5
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# exit
Create IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
esr(config)# security ike policy ike_pol1
esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
esr(config-ike-policy)# proposal ike_prop1
esr(config-ike-policy)# exit
Create an IKE protocol gateway. For this gateway, specify the IKE policy, the local and remote addresses and networks (mirroring R1), and the mode of traffic redirection into the tunnel:
esr(config)# security ike gateway ike_gw1
esr(config-ike-gw)# ike-policy ike_pol1
esr(config-ike-gw)# remote address 180.100.0.1
esr(config-ike-gw)# remote network 10.0.0.0/16
esr(config-ike-gw)# local address 120.11.5.1
esr(config-ike-gw)# local network 192.0.2.0/24
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# exit
Create a security parameters profile for the IPsec tunnel. For the profile, select the AES 128 bit encryption algorithm and the MD5 authentication algorithm; these parameters protect the IPsec tunnel itself:
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)# authentication algorithm md5
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
Create a policy for IPsec tunnel. For the policy, specify the list of IPsec tunnel profiles that may be used for node negotiation:
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)# proposal ipsec_prop1
esr(config-ipsec-policy)# exit
Create IPsec VPN. For VPN, specify IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable tunnel using the enable command.
esr(config)# security ipsec vpn ipsec1
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel immediate
esr(config-ipsec-vpn)# ike gateway ike_gw1
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
esr(config-ipsec-vpn)# enable
esr(config-ipsec-vpn)# exit
esr(config)# exit
To view the tunnel status, use the following command:
esr# show security ipsec vpn status ipsec1
To view the tunnel configuration, use the following command:
esr# show security ipsec vpn configuration ipsec1
In the firewall, you should enable ESP and ISAKMP protocol (UDP port 500).
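As an added example (not part of the manual and not Eltex's own tooling), the following Python checker parses R1 and R2 transcripts in the form printed above and flags the usual reasons such a tunnel never comes up: addresses or networks that are not mirror images of each other, IKE or IPsec proposals and pre-shared keys that differ, and objects referenced before they are defined. It assumes the prompt format and object names exactly as shown in this section; the sample transcripts are constructed from the R1 configuration above.

```python
"""Consistency check for ESR IKE/IPsec CLI transcripts (added example, not
Eltex's own tooling).  It parses 'esr(config...)# <command>' transcripts,
resolves vpn -> gateway -> policy -> proposal, reports references to objects
that are never defined and compares both ends of a site-to-site tunnel:
mismatched proposals or keys and unswapped networks are the usual reasons a
tunnel stays down."""
import re

# Prompt such as esr(config-ike-gw)# or esr-1000(config)#: group 1 is the mode
# (None at top level), group 2 the command typed at it.
PROMPT = re.compile(r"^esr(?:-\d+)?\(config(?:-([\w-]+))?\)#\s*(.*)$")
SPLIT = re.compile(r"(?=esr(?:-\d+)?\(config[^)]*\)#)")   # one chunk per prompt
# Commands that create a named object and enter its configuration mode.
OPENERS = {("security", "ike", "proposal"), ("security", "ike", "policy"),
           ("security", "ike", "gateway"), ("security", "ipsec", "proposal"),
           ("security", "ipsec", "policy"), ("security", "ipsec", "vpn"),
           ("access", "profile"), ("address-assignment", "pool")}
IKE_ATTRS = ("dh-group", "authentication algorithm", "encryption algorithm")
IPSEC_ATTRS = ("authentication algorithm", "encryption algorithm")


def parse(transcript):
    """Return {kind: {name: {attribute: value}}}.  A setting is keyed by all
    its words but the last ('local address 180.100.0.1' -> {'local address':
    '180.100.0.1'}); commands may be run together on one line or one per line."""
    objs, current = {}, None
    for chunk in SPLIT.split(transcript):
        m = PROMPT.match(" ".join(chunk.split()))
        if not m or not m.group(2):
            continue
        mode, words = m.group(1), m.group(2).split()
        if mode is None:                      # back at esr(config)#
            current = None
        if words[0] in ("exit", "end"):
            continue
        for n in (3, 2):
            if tuple(words[:n]) in OPENERS and len(words) > n:
                current = objs.setdefault(" ".join(words[:n]), {}).setdefault(words[n], {})
                break
        else:
            if current is not None:
                current[" ".join(words[:-1]) or words[0]] = words[-1] if len(words) > 1 else True
    return objs


def chain(objs, vpn_name):
    """Follow vpn -> gateway -> ike policy -> ike proposal and vpn -> ipsec
    policy -> ipsec proposal; a dangling reference raises KeyError."""
    vpn = objs["security ipsec vpn"][vpn_name]
    gw = objs["security ike gateway"][vpn["ike gateway"]]
    pol = objs["security ike policy"][gw["ike-policy"]]
    ike = objs["security ike proposal"][pol["proposal"]]
    ipsec = objs["security ipsec proposal"][
        objs["security ipsec policy"][vpn["ike ipsec-policy"]]["proposal"]]
    return gw, pol, ike, ipsec


def audit(r1_text, r2_text, vpn_name="ipsec1"):
    """Return a list of findings for the two transcripts; [] means consistent."""
    try:
        gw_a, pol_a, ike_a, ipsec_a = chain(parse(r1_text), vpn_name)
        gw_b, pol_b, ike_b, ipsec_b = chain(parse(r2_text), vpn_name)
    except KeyError as e:
        return [f"reference to undefined object {e.args[0]}"]
    findings = []
    # Each side's local address/network must be the other side's remote one.
    for what in ("address", "network"):
        for x, y in ((gw_a, gw_b), (gw_b, gw_a)):
            if x.get("local " + what) != y.get("remote " + what):
                findings.append(f"gateway: local {what} {x.get('local ' + what)} is not "
                                f"the peer's remote {what} {y.get('remote ' + what)}")
    for label, a, b, attrs in (("ike proposal", ike_a, ike_b, IKE_ATTRS),
                               ("ipsec proposal", ipsec_a, ipsec_b, IPSEC_ATTRS)):
        for attr in attrs:
            if a.get(attr) != b.get(attr):
                findings.append(f"{label}: {attr} {a.get(attr)} vs {b.get(attr)}")
    if pol_a.get("pre-shared-key hexadecimal") != pol_b.get("pre-shared-key hexadecimal"):
        findings.append("ike policy: pre-shared keys differ")
    return findings


# Constructed sample: the R1 side of the site-to-site example above, in the
# manual's run-together form; R2 is its mirror image (addresses/networks swapped).
R1 = """
esr(config)# security ike proposal ike_prop1 esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm md5 esr(config-ike-proposal)# encryption algorithm aes128 esr(config-ike-proposal)# exit
esr(config)# security ike policy ike_pol1 esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF esr(config-ike-policy)# proposal ike_prop1 esr(config-ike-policy)# exit
esr(config)# security ike gateway ike_gw1 esr(config-ike-gw)# ike-policy ike_pol1 esr(config-ike-gw)# local address 180.100.0.1
esr(config-ike-gw)# local network 10.0.0.0/16 esr(config-ike-gw)# remote address 120.11.5.1 esr(config-ike-gw)# remote network 192.0.2.0/24
esr(config-ike-gw)# mode policy-based esr(config-ike-gw)# exit
esr(config)# security ipsec proposal ipsec_prop1 esr(config-ipsec-proposal)# authentication algorithm md5 esr(config-ipsec-proposal)# encryption algorithm aes128 esr(config-ipsec-proposal)# exit
esr(config)# security ipsec policy ipsec_pol1 esr(config-ipsec-policy)# proposal ipsec_prop1 esr(config-ipsec-policy)# exit
esr(config)# security ipsec vpn ipsec1 esr(config-ipsec-vpn)# mode ike esr(config-ipsec-vpn)# ike establish-tunnel immediate
esr(config-ipsec-vpn)# ike gateway ike_gw1 esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1 esr(config-ipsec-vpn)# enable esr(config-ipsec-vpn)# exit
"""
R2 = (R1.replace("local address 180.100.0.1", "local address 120.11.5.1")
        .replace("remote address 120.11.5.1", "remote address 180.100.0.1")
        .replace("local network 10.0.0.0/16", "local network 192.0.2.0/24")
        .replace("remote network 192.0.2.0/24", "remote network 10.0.0.0/16"))
```

Calling `audit(R1, R2)` on the mirrored pair returns an empty list; feeding R1 on both sides reports the unswapped addresses and networks.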
Remote Access IPsec VPN configuration
Remote Access IPsec VPN is a scenario for organizing temporary VPN connections in which the IPsec VPN server waits for incoming connections, and clients make temporary connections to the server to gain access to network resources.
An additional feature of RA IPsec VPN is the ability to use a second IPsec authentication factor, Extended Authentication (XAUTH), where the second factor is a login and password pair for the IPsec VPN client.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create an IKE instance and switch to its configuration mode. | esr(config)# security ike proposal <NAME> | <NAME> – IKE protocol name, set by the string of up to 31 characters. |
2 | Specify the description of the configured tunnel (optionally). | esr(config-ike-proposal)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
3 | Specify IKE authentication algorithm (optionally). | esr(config-ike-proposal)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm, may take values: md5, sha1, sha2-256, sha2-384, sha2-512. |
4 | Specify the IP address of the VTI tunnel local side (optional). | esr(config-vti)# ip address <ADDR/LEN> | <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..31]. |
5 | Define Diffie-Hellman group number (optionally). | esr(config-ike-proposal)# dh-group <DH-GROUP> | <DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18]. Default value: 1 |
6 | Create an IKE profile policy and switch to its configuration mode. | esr(config)# security ike policy <NAME> | <NAME> – IKE policy name, set by the string of up to 31 characters. |
7 | Specify the authentication mode. | esr(config-ike-policy)# authentication method <METHOD> | <METHOD> – key authentication method. May take the following values: |
8 | Set the client mode (only for client). | esr(config-ike-policy)# authentication mode client | |
9 | Specify the lifetime of IKE protocol connection (optionally). | esr(config-ike-policy)# lifetime seconds <SEC> | <SEC> – time interval, takes values of [4..86400] seconds. Default value: 3600 |
10 | Bind the policy to profile. | esr(config-ike-policy)# proposal <NAME> | <NAME> – IKE protocol name, set by the string of up to 31 characters. |
11 | Specify authentication key. | esr(config-ike-policy)# pre-shared-key ascii-text <TEXT> | <TEXT> – string [1..64] ASCII characters. |
12 | Create an access profile. | esr(config)# access profile <NAME> | <NAME> – access profile name, set by the string of up to 31 characters. |
13 | Create user name. | esr(config-access-profile)# user <LOGIN> | <LOGIN> – login for client, set by the string of up to 31 characters. |
14 | Specify a password for a user | esr(config-profile)# password ascii-text <TEXT> | <TEXT> – string [8..32] ASCII characters. |
15 | Create a destination address pool (only for server). | esr(config)# address-assignment pool <NAME> | <NAME> – destination addresses pool name, set by the string of up to 31 characters. |
16 | Set the subnet from which IP clients will be issued (only for server). | esr(config-pool)# ip prefix <ADDR/LEN> | <ADDR/LEN> – address and prefix of the subnet. |
17 | Create an IKE gateway and switch to its configuration mode. | esr(config)# security ike gateway <NAME> | <NAME> – IKE protocol gateway name, set by the string of up to 31 characters. |
18 | Bind IKE policy. | esr(config-ike-gw)# ike-policy <NAME> | <NAME> – IKE protocol policy name, set by the string of up to 31 characters. |
19 | Set the mode of traffic redirection into the tunnel. | esr(config-ike-gw)# mode <MODE> | <MODE> – mode of traffic redirection into the tunnel, takes the following values: |
20 | Specify the action for DPD (optionally). | esr(config-ike-gw)# dead-peer-detection action <MODE> | <MODE> – DPD operation mode. Default value: none |
21 | Specify the interval between sending messages via DPD mechanism (optionally). | esr(config-ike-gw)# dead-peer-detection interval <SEC> | <SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds. |
22 | Specify the time period of response to DPD mechanism messages (optionally). | esr(config-ike-gw)# dead-peer-detection timeout <SEC> | <SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds. |
23 | Specify IKE version (optionally). | esr(config-ike-gw)# version <VERSION> | <VERSION> – IKE protocol version: v1-only or v2-only. Default value: v1-only |
24 | Set the IP subnet of the source (only for server). | esr(config-ike-gw)# local network <ADDR/LEN> [ protocol { <TYPE> \| <ID> } [ port <PORT> ] ] | <ADDR/LEN> – source IP address and subnet mask. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]; <TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre; <ID> – IP protocol identification number, takes values of [0x00-0xFF]; <PORT> – TCP/UDP port, takes values of [1..65535]. |
25 | Specify the IP address of IPsec tunnel local gateway. | esr(config-ike-gw)# local address <ADDR> | <ADDR> – IP address of a local gateway. |
26 | Specify the IP address of IPsec tunnel remote gateway. | esr(config-ike-gw)# remote address { any \| <ADDR/LEN> [ protocol { <TYPE> \| <ID> } [ port <PORT> ] ] } | any – any client address is accepted as the remote address (server configuration); <ADDR/LEN> – IP address and subnet mask of the server (client configuration). |
27 | Set the pool for dynamic allocation of IP addresses to clients (only for server). | esr(config-ike-gw)# remote network dynamic pool <NAME> | <NAME> – destination addresses pool name, set by the string of up to 31 characters. |
28 | Set the dynamic establishment mode of the remote subnet (only for client). | esr(config-ike-gw)# remote network dynamic client | |
29 | Set access profile for XAUTH parameters (only for server). | esr(config-ike-gw)# xauth access-profile <NAME> | <NAME> – access profile name, set by the string of up to 31 characters. |
30 | Set access profile and login for XAUTH parameters (only for client). | esr(config-ike-gw)# xauth access-profile <NAME> client <LOGIN> | <NAME> – access profile name, set by the string of up to 31 characters; <LOGIN> – login for client, set by the string of up to 31 characters. |
31 | Define a dedicated IP termination interface for building IPsec VPN (only for client). | esr(config-ike-gw)# assign-interface loopback <INDEX> | <INDEX> – interface index, takes values of [1..65535]. |
32 | Create IPsec profile. | esr(config)# security ipsec proposal <NAME> | <NAME> – IPsec protocol profile name, set by the string of up to 31 characters. |
33 | Specify IPsec authentication algorithm (optionally). | esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm, may take values: md5, sha1, sha2-256, sha2-384, sha2-512. Default value: sha1 |
34 | Specify IPsec encryption algorithm (optionally). | esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. Default value: 3des |
35 | Specify protocol (optionally). | esr(config-ipsec-proposal)# protocol <PROTOCOL> | <PROTOCOL> – encapsulation protocol, takes the following values: |
36 | Create an IPsec profile policy and switch to its configuration mode. | esr(config)# security ipsec policy <NAME> | <NAME> – IPsec policy name, set by the string of up to 31 characters. |
37 | Bind the policy to profile. | esr(config-ipsec-policy)# proposal <NAME> | <NAME> – IPsec protocol profile name, set by the string of up to 31 characters. |
38 | Specify the lifetime of IPsec tunnel (optionally). | esr(config-ipsec-policy)# lifetime { seconds <SEC> \| packets <PACKETS> \| kilobytes <KB> } | <SEC> – IPsec tunnel lifetime after which the re-approval is carried out. Takes values in the range of [1140..86400] seconds. Default value: 540; <PACKETS> – number of packets after transmitting of which the IPsec tunnel re-approval is carried out. Takes values in the range of [4..86400]. Default value: disabled; <KB> – traffic volume in kilobytes. Default value: disabled. |
39 | Create IPsec VPN policy and switch to its configuration mode. | esr(config)# security ipsec vpn <NAME> | <NAME> – VPN name, set by the string of up to 31 characters. |
40 | Define the matching mode of data required for VPN enabling. | esr(config-ipsec-vpn)# mode <MODE> | <MODE> – VPN operation mode, takes the following values: ike, manual. |
41 | Bind IPsec policy to VPN. | esr(config-ipsec-vpn)#ike ipsec-policy <NAME> | <NAME> – IPsec policy name, set by the string of up to 31 characters. |
42 | Set the DSCP value for the use in IP headers of IKE outgoing packets (optionally). | esr(config-ipsec-vpn)#ike dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. |
43 | Set VPN activation mode. | esr(config-ipsec-vpn)# ike establish-tunnel <MODE> | <MODE> – VPN activation mode: |
44 | Bind IKE gateway to VPN. | esr(config-ipsec-vpn)# ike gateway <NAME> | <NAME> – IKE gateway name, set by the string of up to 31 characters. |
45 | Set the time interval value in seconds after which the connection is closed, if no packet has been received or sent via SA (optionally). | esr(config-ipsec-vpn)# ike idle-time <TIME> | <TIME> – interval in seconds, takes values of [4..86400]. Default value: 0 |
46 | Disable key re-approval before the IKE connection is lost due to the timeout, the number of transmitted packets or bytes (optionally). | esr(config-ipsec-vpn)# ike rekey disable | Default value: enabled. |
47 | Configure the start of IKE connection keys re-approval before the expiration of the lifetime (optionally). | esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> \| packets <PACKETS> \| kilobytes <KB> } | <SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds command). Takes values in the range of [4..86400]; <PACKETS> – number of packets remaining before the connection release (set by the lifetime packets command). Takes values in the range of [4..86400]; <KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetime kilobytes command). Takes values in the range of [4..86400]. |
48 | Set the level of margin seconds, margin packets, margin kilobytes values random spread (optionally). | esr(config-ipsec-vpn)# ike rekey randomization <VALUE> | <VALUE> – maximum ratio of values spread, takes values of [1..100]. Default value: 100 |
49 | Describe VPN (optionally). | esr(config-ipsec-vpn)# description <DESCRIPTION> | <DESCRIPTION> – profile description, set by the string of up to 255 characters. |
50 | Enable IPsec VPN. | esr(config-ipsec-vpn)# enable | |
Configuration example
Objective:
Figure 33 – Network structure
Configure Remote Access IPsec VPN between R1 and R2 using the second IPsec authentication factor, XAUTH. Configure router R1 as the IPsec VPN server, and router R2 as the IPsec VPN client.
R2 IP address: 120.11.5.1;
R1 IP address: 180.100.0.1.
For IPsec VPN clients:
- issue addresses from the subnet pool 192.0.2.0/24
- provide access to the LAN subnet 10.0.0.0/16
IKE:
- Diffie-Hellman group: 2;
- encryption algorithm: 3DES;
- authentication algorithm: SHA1.
IPsec:
- encryption algorithm: 3DES;
- authentication algorithm: SHA1.
XAUTH:
- login: client1;
- password: password123.
Solution:
R1 configuration
Configure the external network interface and assign it to a security zone:
esr# configure
esr(config)# security zone untrusted
esr(config-zone)# exit
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# security-zone untrusted
esr(config-if-gi)# ip address 180.100.0.1/24
esr(config-if-gi)# exit
To configure security zone rules, create an ISAKMP port profile (UDP 4500 is included for NAT traversal):
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500,4500
esr(config-object-group-service)# exit
Create IKE protocol profile. Select Diffie-Hellman group 2, 3DES encryption algorithm and SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
esr(config)# security ike proposal IKEPROP
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm sha1
esr(config-ike-proposal)# encryption algorithm 3des
esr(config-ike-proposal)# exit
Create an IKE protocol policy. For the policy, specify the pre-shared key, the XAUTH-with-pre-shared-key authentication method, and the IKE protocol profile that may be used for negotiation:
esr(config)# security ike policy IKEPOLICY
esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
esr(config-ike-policy)# authentication method xauth-psk-key
esr(config-ike-policy)# proposal IKEPROP
esr(config-ike-policy)# exit
Create an access profile and set in it the username and password pair for the IPsec VPN client:
esr(config)# access profile XAUTH
esr(config-access-profile)# user client1
esr(config-profile)# password ascii-text password123
esr(config-profile)# exit
esr(config-access-profile)# exit
Create a pool of destination addresses from which IP addresses will be issued to IPsec VPN clients:
esr(config)# address-assignment pool CLIENT_POOL
esr(config-pool)# ip prefix 192.0.2.0/24
esr(config-pool)# exit
Create IKE protocol gateway. In this profile, you need to specify the IKE protocol policy, the local subnet, the destination address pool as the remote subnet, set the mode of traffic redirection to the tunnel according to the policy and use the second authentication factor XAUTH:
esr(config)# security ike gateway IKEGW
esr(config-ike-gw)# ike-policy IKEPOLICY
esr(config-ike-gw)# local address 180.100.0.1
esr(config-ike-gw)# local network 10.0.0.0/16
esr(config-ike-gw)# remote address any
esr(config-ike-gw)# remote network dynamic pool CLIENT_POOL
esr(config-ike-gw)# dead-peer-detection action clear
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# xauth access-profile XAUTH
esr(config-ike-gw)# exit
Create security parameters profile for IPsec tunnel. Specify 3DES encryption algorithm and SHA1 authentication algorithm in the profile. Use the following parameters to secure IPsec tunnel:
esr(config)# security ipsec proposal IPSECPROP
esr(config-ipsec-proposal)# authentication algorithm sha1
esr(config-ipsec-proposal)# encryption algorithm 3des
esr(config-ipsec-proposal)# exit
Create a policy for IPsec tunnel. For the policy, specify the list of IPsec tunnel profiles that may be used for node negotiation:
esr(config)# security ipsec policy IPSECPOLICY
esr(config-ipsec-policy)# proposal IPSECPROP
esr(config-ipsec-policy)# exit
Create the IPsec VPN. For the VPN, specify the IKE protocol gateway, the IPsec tunnel policy, the key exchange mode and the activation mode by-request, so that the server waits for incoming IPsec connections. When all parameters are entered, enable the tunnel using the enable command.
esr(config)# security ipsec vpn IPSECVPN
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel by-request
esr(config-ipsec-vpn)# ike gateway IKEGW
esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY
esr(config-ipsec-vpn)# enable
esr(config-ipsec-vpn)# exit
Allow esp protocol and udp ports 500,4500 in the firewall configuration for establishing IPsec VPN:
esr(config)# security zone-pair untrusted self
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol udp
esr(config-zone-pair-rule)# match destination-port ISAKMP
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# rule 2
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol esp
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# end
R2 configuration
Configure the external network interface and assign it to a security zone:
esr# configure
esr(config)# interface gi 1/0/1
esr(config-if)# ip address 120.11.5.1/24
esr(config-if)# security-zone untrusted
esr(config-if)# exit
To configure security zone rules, create an ISAKMP port profile:
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500,4500
esr(config-object-group-service)# exit
Create IKE protocol profile. Select Diffie-Hellman group 2, 3DES encryption algorithm and SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
esr(config)# security ike proposal IKEPROP
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm sha1
esr(config-ike-proposal)# encryption algorithm 3des
esr(config-ike-proposal)# exit
Create an IKE protocol policy. For the policy, specify the pre-shared key, the XAUTH-with-pre-shared-key authentication method, the client authentication mode, and the IKE protocol profile that may be used for negotiation:
esr(config)# security ike policy IKEPOLICY
esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
esr(config-ike-policy)# authentication method xauth-psk-key
esr(config-ike-policy)# authentication mode client
esr(config-ike-policy)# proposal IKEPROP
esr(config-ike-policy)# exit
Create an access profile and set in it the username and password pair:
esr(config)# access profile XAUTH
esr(config-access-profile)# user client1
esr(config-profile)# password ascii-text password123
esr(config-profile)# exit
esr(config-access-profile)# exit
Create a loopback interface for terminating the IP address received from the IPsec VPN server:
esr(config)# interface loopback 8
esr(config-loopback)# exit
Create IKE protocol gateway. Specify the policy, the termination interface, the dynamic setting mode of the remote subnet, the access profile selection for XAUTH, and the mode of redirecting traffic to the tunnel by policy in this profile:
esr(config)# security ike gateway IKEGW
esr(config-ike-gw)# ike-policy IKEPOLICY
esr(config-ike-gw)# assign-interface loopback 8
esr(config-ike-gw)# local address 120.11.5.1
esr(config-ike-gw)# remote address 180.100.0.1
esr(config-ike-gw)# remote network dynamic client
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# xauth access-profile XAUTH client client1
esr(config-ike-gw)# exit
Create a security parameters profile for the IPsec tunnel. Specify the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile, matching the server side:
esr(config)# security ipsec proposal IPSECPROP
esr(config-ipsec-proposal)# authentication algorithm sha1
esr(config-ipsec-proposal)# encryption algorithm 3des
esr(config-ipsec-proposal)# exit
Create a policy for IPsec tunnel. For the policy, specify the list of IPsec tunnel profiles that may be used for node negotiation:
esr(config)# security ipsec policy IPSECPOLICY
esr(config-ipsec-policy)# proposal IPSECPROP
esr(config-ipsec-policy)# exit
Create IPsec VPN. For VPN, specify IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable tunnel using enable command.
esr(config)# security ipsec vpn IPSECVPN
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel immediate
esr(config-ipsec-vpn)# ike gateway IKEGW
esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY
esr(config-ipsec-vpn)# enable
esr(config-ipsec-vpn)# exit
Allow esp protocol and udp ports 500,4500 in the firewall configuration for establishing IPsec VPN:
esr(config)# security zone-pair untrusted self
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol udp
esr(config-zone-pair-rule)# match destination-port ISAKMP
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# rule 2
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol esp
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# end
To view the tunnel status, use the following command:
esr# show security ipsec vpn status IPSECVPN
To view the tunnel configuration, use the following command:
esr# show security ipsec vpn configuration IPSECVPN
In the firewall, you should enable ESP and ISAKMP protocol (UDP port 500, 4500).
LT configuration
LT (Logical Tunnel) is a type of tunnel dedicated to transmitting routing information and traffic between different virtual routers (VRF Lite) configured on a router. An LT tunnel may be used to organize interaction between two or more VRFs subject to firewall restrictions.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create LT for each of existing VRF. | esr(config)# tunnel lt <ID> | <ID> – tunnel identifier, set in the range of [1..128]. |
2 | Specify the description of the configured tunnels (optionally). | esr(config-lt)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
3 | Include each LT in the corresponding VRF. | esr(config-lt)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
4 | Include each LT in a security zone and configure interaction rules between zones, or disable the firewall for the LT. | esr(config-lt)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 12 characters. |
| | esr(config-lt)# ip firewall disable | |
5 | For each LT, set the opposite LT number (in another VRF). | esr(config-lt)# peer lt <ID> | <ID> – tunnel identifier, set in the range of [1..128]. |
6 | For each LT, specify IP address for packets routing. For interacting LT, IP addresses should locate in one IP subnet. | esr(config-lt)# ip address <ADDR/LEN> | <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. |
7 | Enable the tunnels. | esr(config-lt)# enable | |
8 | For each VRF, configure the required routing protocols via LT. | | |
9 | Specify the time interval during which the statistics on the tunnel load is averaged (optionally) | esr(config-lt)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. Default value: 5 |
10 | Specify the size of MTU packets that can be passed by the bridge (optionally; possible if only VLAN is included in the bridge). | esr(config-lt)# mtu <MTU> | <MTU> – MTU value, takes values in the range of: Default value: 1500. |
Configuration example
Objective:
Organize interaction between hosts terminated in two VRF vrf_1 and vrf_2.
Initial configuration:
hostname esr
ip vrf vrf_1
 exit
ip vrf vrf_2
 exit
interface gigabitethernet 1/0/1
 ip vrf forwarding vrf_1
 ip firewall disable
 ip address 10.0.0.1/24
 exit
interface gigabitethernet 1/0/2
 ip vrf forwarding vrf_2
 ip firewall disable
 ip address 10.0.1.1/24
 exit
Solution:
Create an LT tunnel for each VRF, assigning the two tunnels IP addresses from one subnet:
esr(config)# tunnel lt 1
esr(config-lt)# ip vrf forwarding vrf_1
esr(config-lt)# ip firewall disable
esr(config-lt)# ip address 192.168.0.1/30
esr(config-lt)# exit
esr(config)# tunnel lt 2
esr(config-lt)# ip vrf forwarding vrf_2
esr(config-lt)# ip firewall disable
esr(config-lt)# ip address 192.168.0.2/30
esr(config-lt)# exit
For each LT tunnel, designate the peer LT tunnel in the other VRF that it must link to, and enable both tunnels:
esr(config)# tunnel lt 1
esr(config-lt)# peer lt 2
esr(config-lt)# enable
esr(config-lt)# exit
esr(config)# tunnel lt 2
esr(config-lt)# peer lt 1
esr(config-lt)# enable
esr(config-lt)# exit
If no dynamic routing protocol runs in the VRFs, specify static routes for each VRF:
esr(config)# ip route vrf vrf_1 0.0.0.0/0 192.168.0.2
esr(config)# ip route vrf vrf_2 0.0.0.0/0 192.168.0.1
Configuring remote access to corporate network via PPTP protocol
PPTP (Point-to-Point Tunneling Protocol) is a point-to-point tunneling protocol that allows a computer to establish a secure connection with a server by creating a special tunnel in a common unsecured network. PPTP encapsulates PPP frames into IP packets for transmission via a global IP network, e.g. the Internet. PPTP may be used for tunnel establishment between two local area networks. PPTP uses an additional TCP connection for tunnel handling.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create PPTP server profile. | esr(config)# remote-access pptp <NAME> | <NAME> – PPTP server profile name, set by the string of up to 31 characters. |
2 | Select PPTP clients authentication mode. | esr(config-pptp-server)# authentication mode { local \| radius } | |
3 | Specify the description of the configured server (optionally). | esr(config-pptp-server)# description <DESCRIPTION> | <DESCRIPTION> – PPTP server description, set by the string of up to 255 characters. |
4 | Define the list of DNS servers that will be used by remote users (optionally). | esr(config-pptp-server)# dns-servers object-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes required DNS servers addresses, set by the string of up to 31 characters. |
5 | Specify outgoing packets DSCP priority (optionally). | esr(config-pptp-server)# dscp <DSCP> | <DSCP> – outgoing packets dscp priority [0..63]. |
6 | Enable MPPE encryption for PPTP connections (optionally). | esr(config-pptp-server)# encryption mppe | |
7 | Specify the IP address of the local gateway. | esr(config-pptp-server)# local-address { object-group <OBJ-GROUP-NETWORK-NAME> \| ip-address <ADDR> } | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes local gateway IP address, set by the string of up to 31 characters; <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
8 | Specify MTU size (Maximum Transmission Unit) for the server (optionally). | esr(config-pptp-server)# mtu <MTU> | <MTU> – MTU value, takes values in the range of [1280..1500]. Default value: 1500. |
9 | Specify the IP address that the PPTP server should listen on. | esr(config-pptp-server)# outside-address { object-group <OBJ-GROUP-NETWORK-NAME> \| ip-address <ADDR> } | <OBJ-GROUP-NETWORK-NAME> – name of the profile containing the IP address that the PPTP server should listen on, set by the string of up to 31 characters; <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
10 | Specify the list of IP addresses from which dynamic IP addresses are leased to remote users by PPTP. | esr(config-pptp-server)# remote-address { object-group <OBJ-GROUP-NETWORK-NAME> \| address-range <FROM-ADDR>-<TO-ADDR> } | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes remote users IP addresses list, set by the string of up to 31 characters; <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
11 | Include the PPTP server in a security zone and configure interaction rules between zones or disable firewall. | esr(config-pptp-server)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 31 characters. |
12 | Specify user name (when using local user authentication). | esr(config-pptp-server)# username <NAME> | <NAME> – user name, set by the string of up to 12 characters. |
13 | Set user password. | esr(config-pptp-user)# password ascii-text { <PASSWORD> \| encrypted <PASSWORD> } | <PASSWORD> – user password, set by the string of up to 32 characters. |
14 | Enable user. | esr(config-pptp-user)# enable | |
15 | Define the list of WINS servers that will be used by remote users (optionally). | esr(config-pptp-server)# wins-servers object-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes required WINS servers addresses, set by the string of up to 31 characters. |
PPTP server configuration example
Objective:
Configure PPTP server on a router.
- PPTP server address: 120.11.5.1;
- Gateway inside the tunnel for connecting clients: 10.10.10.1;
- IP address pool for lease: 10.10.10.5-10.10.10.25;
- DNS servers: 8.8.8.8, 8.8.8.4;
- Accounts for connection: fedor, ivan.
Figure 34 – Network structure
Solution:
Create an address profile that contains the address to be listened by the server:
esr# configure
esr(config)# object-group network pptp_outside
esr(config-object-group-network)# ip address-range 120.11.5.1
esr(config-object-group-network)# exit
Create an address profile that contains the local gateway address:
esr(config)# object-group network pptp_local
esr(config-object-group-network)# ip address-range 10.10.10.1
esr(config-object-group-network)# exit
Create an address profile that contains the client addresses:
esr(config)# object-group network pptp_remote
esr(config-object-group-network)# ip address-range 10.10.10.5-10.10.10.25
esr(config-object-group-network)# exit
Create the PPTP server and map the profiles listed above:
esr(config)# remote-access pptp remote-workers
esr(config-pptp)# local-address object-group pptp_local
esr(config-pptp)# remote-address object-group pptp_remote
esr(config-pptp)# outside-address object-group pptp_outside
esr(config-pptp)# dns-servers object-group pptp_dns
Select authentication method for PPTP server users:
esr(config-pptp)# authentication mode local
Specify security zone that user sessions will be related to:
esr(config-pptp)# security-zone VPN
Create PPTP users Ivan and Fedor for PPTP server:
esr(config-pptp)# username ivan
esr(config-pptp-user)# password ascii-text password1
esr(config-pptp-user)# enable
esr(config-pptp-user)# exit
esr(config-pptp)# username fedor
esr(config-pptp-user)# password ascii-text password2
esr(config-pptp-user)# enable
esr(config-pptp-user)# exit
Enable PPTP server:
esr(config-pptp)# enable
When the new configuration is applied, the router will listen on 120.11.5.1:1723. To view PPTP server session status, use the following command:
esr# show remote-access status pptp server remote-workers
To view PPTP server session counters, use the following command:
esr# show remote-access counters pptp server remote-workers
To clear PPTP server session counters, use the following command:
esr# clear remote-access counters pptp server remote-workers
To end PPTP server session for user 'fedor', use one of the following commands:
esr# clear remote-access session pptp username fedor
esr# clear remote-access session pptp server remote-workers username fedor
To view PPTP server configuration, use the following command:
esr# show remote-access configuration pptp remote-workers
In addition to PPTP server creation, you should open TCP port 1723, used for connection handling, and allow the GRE protocol (47) for tunnel traffic in the firewall.
Configuring remote access to corporate network via L2TP/IPsec protocol
L2TP (Layer 2 Tunneling Protocol) is a sophisticated tunneling protocol used to support virtual private networks. L2TP encapsulates PPP frames into IP packets for transmission via a global IP network, e.g. the Internet. L2TP may be used for tunnel establishment between two local area networks. L2TP uses an additional UDP connection for tunnel handling. The L2TP protocol does not provide data encryption, therefore it is usually combined with the IPsec protocol group, which provides security at the packet level.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create L2TP server profile. | esr(config)# remote-access l2tp <NAME> | <NAME> – L2TP server profile name, set by the string of up to 31 characters. |
2 | Select L2TP clients authentication mode. | esr(config-l2tp-server)# authentication mode { local | radius } | local – user authentication by local base. radius – user authentication by RADIUS server base. |
3 | Specify the description of the configured server (optionally). | esr(config-l2tp-server)# description <DESCRIPTION> | <DESCRIPTION> – L2TP server description, set by the string of up to 255 characters. |
4 | Define the list of DNS servers that will be used by remote users (optionally). | esr(config-l2tp-server)# dns-servers object-group <OBJ-GROUP-NETWORK -NAME > | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes required DNS servers addresses, set by the string of up to 31 characters. |
5 | Specify outgoing packets DSCP priority. | esr(config-l2tp-server)# dscp <DSCP> | <DSCP> – outgoing packets dscp priority [0..63]. |
6 | Enable server. | esr(config-l2tp-server)# enable | |
7 | Select a key authentication method for IKE connection. | esr(config-l2tp-server)# ipsec authentication method pre-shared-key | |
8 | Specify a shared secret authentication key that should be the same for both parties of the tunnel. | esr(config-l2tp-server)# ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } } | <TEXT> – string of [1..64] ASCII characters; <HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...); <ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters; <ENCRYPTED-HEX> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters. |
9 | Specify IP address of a local gateway. | esr(config-l2tp-server)# local-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR> } | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes local gateway IP address, set by the string of up to 31 characters; <ADDR> – local gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
10 | Specify MTU size (Maximum Transmission Unit) for the server (optionally). | esr(config-l2tp-server)# mtu <MTU> | <MTU> – MTU value, takes values in the range of [1280..1500]. Default value: 1500. |
11 | Specify IP address that should be listened by L2TP server. | esr(config-l2tp-server)# outside-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR> } | <OBJ-GROUP-NETWORK-NAME> – name of the profile having IP address that should be listened by L2TP server, set by the string of up to 31 characters; <ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
12 | Specify IP addresses list from which dynamic IP addresses are leased to remote users by L2TP. | esr(config-l2tp-server)# remote-address { object-group <OBJ-GROUP-NETWORK-NAME> address-range <FROM-ADDR>-<TO-ADDR> } | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes remote users IP addresses list, set by the string of up to 31 characters; <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
13 | Include the L2TP server in a security zone and configure interaction rules between zones. | esr(config-l2tp-server)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 31 characters. |
14 | Specify user name (when using local authentication base). | esr(config-l2tp-server)# username <NAME> | <NAME> – user name, set by the string of up to 12 characters. |
15 | Specify user password (when using local authentication base). | esr(config-l2tp-user)# password ascii-text { <PASSWORD> | encrypted <PASSWORD> } | <PASSWORD> – user password, set by the string of up to 32 characters. |
16 | Enable user. | esr(config-l2tp-user)# enable | |
17 | Define the list of WINS servers that will be used by remote users (optionally). | esr(config-l2tp-server)# wins-servers object-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes required WINS servers addresses, set by the string of up to 31 characters. |
Configuration example
Objective:
Configure L2TP server on a router for remote user connection to LAN. Authentication is performed on RADIUS server.
- L2TP server address: 120.11.5.1;
- Gateway inside the tunnel: 10.10.10.1;
- Radius server address: 192.168.1.4;
For IPsec, pre-shared key authentication is used; key: 'password'.
Figure 35 – Network structure
Solution:
First, do the following:
- Configure RADIUS server connection;
- Configure zones for te1/0/1 and gi1/0/1 interfaces;
- Specify IP addresses for te1/0/1 and gi1/0/1 interfaces.
Create an address profile that contains the local gateway address:
esr(config)# object-group network l2tp_local
esr(config-object-group-network)# ip address-range 10.10.10.1
esr(config-object-group-network)# exit
Create an address profile that contains the DNS servers:
esr(config)# object-group network l2tp_dns
esr(config-object-group-network)# ip address-range 8.8.8.8
esr(config-object-group-network)# ip address-range 8.8.4.4
esr(config-object-group-network)# exit
Create the L2TP server and map the profiles listed above:
esr(config)# remote-access l2tp remote-workers
esr(config-l2tp)# local-address object-group l2tp_local
esr(config-l2tp)# remote-address address-range 10.10.10.5-10.10.10.15
esr(config-l2tp)# outside-address ip-address 120.11.5.1
esr(config-l2tp)# dns-servers object-group l2tp_dns
Select authentication method for L2TP server users:
esr(config-l2tp)# authentication mode radius
Specify security zone that user sessions will be related to:
esr(config-l2tp)# security-zone VPN
Specify the authentication method for IKE phase 1 and define the authentication key:
esr(config-l2tp)# ipsec authentication method pre-shared-key
esr(config-l2tp)# ipsec authentication pre-shared-key ascii-text password
Enable L2TP server:
esr(config-l2tp)# enable
When the new configuration is applied, the router will listen on IP address 120.11.5.1, port 1701. To view L2TP server session status, use the following command:
esr# show remote-access status l2tp server remote-workers
To view L2TP server session counters, use the following command:
esr# show remote-access counters l2tp server remote-workers
To clear L2TP server session counters, use the following command:
esr# clear remote-access counters l2tp server remote-workers
To end L2TP server session for user 'fedor', use one of the following commands:
esr# clear remote-access session l2tp username fedor
esr# clear remote-access session l2tp server remote-workers username fedor
To view L2TP server configuration, use the following command:
esr# show remote-access configuration l2tp remote-workers
In addition to L2TP server creation, you should open UDP ports 500, 1701 and 4500, used for connection handling, and allow the ESP (50) and GRE (47) protocols for tunnel traffic in the firewall.
Configuring remote access to corporate network via OpenVPN protocol
OpenVPN is a sophisticated tool based on SSL that implements Virtual Private Networks (VPN), enables remote access and solves many different tasks related to data transmission security.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create OpenVPN server profile. | esr(config)# remote-access openvpn <NAME> | <NAME> – OpenVPN server profile name, set by the string of up to 31 characters. |
2 | Specify IP addresses list from which dynamic IP addresses are leased to remote users in L2 mode by OpenVPN server. (only for tunnel ethernet) | esr(config-openvpn-server)# address-range <FROM-ADDR>-<TO-ADDR> | <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
3 | Include client connections via OpenVPN in L2 domain (only for tunnel ethernet). | esr(config-openvpn-server)# bridge-group <BRIDGE-ID> | <BRIDGE-ID> – bridge identifying number. |
4 | Specify certificates and keys. | esr(config-openvpn-server)# certificate <CERTIFICATE-TYPE> <NAME> | <CERTIFICATE-TYPE> – certificate or key type, may take the following values: <NAME> – certificate or key name, set by the string of up to 31 characters. |
5 | Enable data transmission blocking between clients (optionally). | esr(config-openvpn-server)# client-isolation | |
6 | Set the maximum amount of simultaneous user sessions (optionally). | esr(config-openvpn-server)# client-max <VALUE> | <VALUE> – maximum amount of users, takes values of [1..65535]. |
7 | Enable compression of the data transmitted between clients and the OpenVPN server (optionally). | esr(config-openvpn-server)# compression | |
8 | Specify the description of the configured server (optionally). | esr(config-openvpn-server)# description <DESCRIPTION> | <DESCRIPTION> – OpenVPN server description, set by the string of up to 255 characters. |
9 | Define the list of DNS servers that will be used by remote users (optionally). | esr(config-openvpn-server)# dns-server <ADDR> | <ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
10 | Select the encryption algorithm used for data transmission. | esr(config-openvpn-server)# encryption algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm identifier, takes the following values: 3des, blowfish128, aes128. |
11 | Define the subnet from which IP addresses are leased to users. (only for tunnel ip) | esr(config-openvpn-server)# network <ADDR/LEN> | <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32]. |
12 | Specify TCP/UDP port that will be listened by OpenVPN server (optionally). | esr(config-openvpn-server)# port <PORT> | <PORT> – TCP/UDP port, takes values of [1..65535]. |
13 | Specify an encapsulating protocol. | esr(config-openvpn-server)# protocol <PROTOCOL> | <PROTOCOL> – encapsulation type, possible values: |
14 | Enable the default route advertising for OpenVPN connections, which leads to the replacement of the default route on the client side (optionally). | esr(config-openvpn-server)# redirect-gateway | |
15 | Enable the advertising of specified subnets, the gateway is OpenVPN server IP address (optionally). | esr(config-openvpn-server)# route <ADDR/LEN> | <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32]. |
16 | Include the OpenVPN server in a security zone and configure interaction rules between zones. | esr(config-openvpn-server)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 31 characters. |
17 | Set time interval after which the opposing party is considered to be unavailable (optionally). | esr(config-openvpn-server)# timers holdtime <TIME> | <TIME> – time in seconds, takes values of [1..65535]. |
18 | Set the time interval after which the connection with the opposing party is checked (optionally). | esr(config-openvpn-server)# timers keepalive <TIME> | <TIME> – time in seconds, takes values of [1..65535]. |
19 | Define type of connection with a private network via OpenVPN server. | esr(config-openvpn-server)# tunnel <TYPE> | <TYPE> – encapsulation protocol, takes the following values: |
20 | Define the additional parameters for a specified OpenVPN server user (when using a local base for user authentication). | esr(config-openvpn-server)# username < NAME > | <NAME> – user name, set by the string of up to 31 characters. |
21 | Define a subnet for the specified user of the OpenVPN server. | esr(config-openvpn-user)# subnet <ADDR/LEN> | <ADDR/LEN> – subnet address, set in the following format: |
22 | Define a static ip address for the specified OpenVPN server user | esr(config-openvpn-user)# ip address <ADDR> | <ADDR> – address set in the following format: |
23 | Allow multiple users with the same certificate to connect to the OpenVPN server. | esr(config-openvpn-server)# duplicate-cn | |
24 | Define the list of WINS servers that will be used by remote users (optionally). | esr(config-openvpn-server)# wins-server <ADDR> | <ADDR> – WINS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
25 | Enable OpenVPN server profile. | esr(config-openvpn-server)# enable | |
Configuration example
Objective:
Configure OpenVPN server in L3 mode on a router for remote user connection to LAN.
- OpenVPN server subnet: 10.10.100.0/24;
- Mode: L3;
- Authentication based on certificates.
Figure 36 – Network structure
Solution:
First, do the following:
- Prepare certificates and keys:
- CA certificate
- OpenVPN server key and certificate
- Diffie-Hellman and HMAC key for TLS
- Configure zone for te1/0/1 interface
- Specify IP address for te1/0/1 interface
Import certificates and keys via TFTP:
esr# copy tftp://192.168.16.10:/ca.crt certificate:ca/ca.crt
esr# copy tftp://192.168.16.10:/dh.pem certificate:dh/dh.pem
esr# copy tftp://192.168.16.10:/server.key certificate:server-key/server.key
esr# copy tftp://192.168.16.10:/server.crt certificate:server-crt/server.crt
esr# copy tftp://192.168.16.10:/ta.key certificate:ta/ta.key
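The preparatory step (CA certificate, server key and certificate, Diffie-Hellman parameters and the TLS HMAC key) is left to the reader above. The shell script below is an added example, not part of the ESR manual, that produces the five files the import commands expect using a workstation's openssl. The CA name, the server hostname vpn.example.com, the user name fedor and the output directory are placeholders. It goes one step beyond the page by also issuing per-user client certificates, since the objective relies on certificate-based authentication.

```shell
#!/bin/sh
# Added example, not from the ESR manual: generate the OpenVPN certificate
# material that the import step copies from a TFTP server. Output file names
# match the import commands: ca.crt, dh.pem, server.key, server.crt, ta.key.
# "vpn.example.com" and the user "fedor" are placeholders.
set -eu

# Minimal openssl req configuration so the result does not depend on the
# workstation's /etc/ssl/openssl.cnf (-subj supplies the actual name).
req_conf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# Self-signed CA: RSA 2048, CA:TRUE, keyCertSign/cRLSign only, valid 10 years.
# ca.key never leaves the workstation; only ca.crt is imported into the router.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    req_conf "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=OpenVPN-Lab-CA" -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    rm -f "$dir/ca.csr" "$dir/ca.ext"
}

# Leaf certificate signed by the CA. role is "server" or "client"; the extended
# key usage is pinned to the role so a user's certificate cannot be presented
# as the server towards other clients. name is the file stem
# (server -> server.key/server.crt), cn the subject common name.
make_cert() {
    dir=$1; role=$2; name=$3; cn=$4
    case $role in
        server) eku=serverAuth; san="subjectAltName=DNS:$cn" ;;
        client) eku=clientAuth; san="" ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    req_conf "$dir/req.cnf"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n%s\n' \
        "$eku" "$san" > "$dir/$name.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# Diffie-Hellman parameters for the TLS control channel. Generating a 2048-bit
# safe prime can take minutes; that is expected, do not go below 2048 bits.
make_dh() {
    dir=$1; bits=${2:-2048}
    openssl dhparam -out "$dir/dh.pem" "$bits" 2>/dev/null
}

# tls-auth key: 2048 random bits as 16 lines of 32 hex characters between the
# "OpenVPN Static key V1" markers, the layout `openvpn --genkey` writes. The
# server HMACs every control-channel packet with it, so packets from peers that
# do not hold the key are dropped before any TLS processing happens.
make_ta_key() {
    dir=$1
    {
        printf '#\n# 2048 bit OpenVPN static key\n#\n'
        echo "-----BEGIN OpenVPN Static key V1-----"
        openssl rand -hex 256 | fold -w 32
        echo "-----END OpenVPN Static key V1-----"
    } > "$dir/ta.key"
    chmod 600 "$dir/ta.key"
}

# Returns 0 when name.crt chains to ca.crt and its EKU text contains eku_text
# (e.g. "TLS Web Server Authentication").
check_cert() {
    dir=$1; name=$2; eku_text=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "$eku_text"
}

# Number of 32-hex-character lines in ta.key; a well-formed key has 16.
ta_key_lines() {
    grep -c '^[0-9a-f]\{32\}$' "$1/ta.key"
}

# Usage: sh openvpn-pki.sh generate ./pki
if [ "${1:-}" = "generate" ]; then
    out=${2:-./pki}
    make_ca "$out"
    make_cert "$out" server server vpn.example.com   # placeholder hostname
    make_cert "$out" client fedor fedor              # one certificate per user
    make_dh "$out"
    make_ta_key "$out"
    echo "Import into the router: $out/ca.crt $out/dh.pem $out/server.key $out/server.crt $out/ta.key"
fi
```

Run it as `sh openvpn-pki.sh generate ./pki` and place the five router files on the TFTP server used in the import step. ca.key stays offline; each user receives their own .key/.crt pair together with a copy of ca.crt and ta.key. Because every client certificate carries a distinct CN, the server does not need `duplicate-cn`.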
Create the OpenVPN server and a subnet for its operation:
esr(config)# remote-access openvpn AP
esr(config-openvpn)# network 10.10.100.0/24
Specify the L3 connection type and the encapsulation protocol:
esr(config-openvpn)# tunnel ip
esr(config-openvpn)# protocol tcp
Announce the LAN subnets that will be available via the OpenVPN connection and define the DNS server:
esr(config-openvpn)# route 10.10.0.0/20
esr(config-openvpn)# dns-server 10.10.1.1
Specify the previously imported certificates and keys that will be used by the OpenVPN server:
esr(config-openvpn)# certificate ca ca.crt
esr(config-openvpn)# certificate dh dh.pem
esr(config-openvpn)# certificate server-key server.key
esr(config-openvpn)# certificate server-crt server.crt
esr(config-openvpn)# certificate ta ta.key
Specify security zone that user sessions will be related to:
esr(config-openvpn)# security-zone VPN
Select aes128 encryption algorithm:
esr(config-openvpn)# encryption algorithm aes128
Enable OpenVPN server:
esr(config-openvpn)# enable
When the new configuration is applied, the router will listen on port 1194 (the default).
To view OpenVPN server session status, use the following command:
esr# show remote-access status openvpn server AP
To view OpenVPN server session counters, use the following command:
esr# show remote-access counters openvpn server AP
To clear OpenVPN server session counters, use the following command:
esr# clear remote-access counters openvpn server AP
To end OpenVPN server session for user 'fedor', use one of the following commands:
esr# clear remote-access session openvpn username fedor
esr# clear remote-access session openvpn server AP username fedor
To view OpenVPN server configuration, use the following command:
esr# show remote-access configuration openvpn AP
In addition to OpenVPN server creation, you should open TCP port 1194 in the firewall.
Configuring remote access client via PPPoE
PPPoE is a tunneling protocol that encapsulates PPP frames over Ethernet connections and retains the capabilities of PPP connection software. It can therefore be used to establish virtual connections to a neighbouring Ethernet device, or a point-to-point connection that carries IP packets and supports PPP features. This allows conventional PPP-oriented software to configure a connection that runs not over a serial link but over a packet-oriented network (for example, Ethernet), organising a classical login-and-password connection for Internet access. In addition, the IP address on the opposite side of the connection is assigned only while the PPPoE connection is open, allowing dynamic reuse of IP addresses.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a PPPoE tunnel and switch to its configuration mode. | esr(config)# tunnel pppoe <PPPoE> | <PPPoE> – tunnel sequence number from 1 to 10. |
2 | Specify the description of the configured client (optionally). | esr(config-pppoe)# description <DESCRIPTION> | <DESCRIPTION> – PPPoE server description, set by the string of up to 255 characters. |
3 | Specify authentication method (optionally). | esr(config-pppoe)# authentication method <METHOD> | <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap. Default value: chap. |
4 | Enable the opt-out of receiving the default route from PPPoE server (optionally). | esr(config-pppoe)# ignore-default-route | |
5 | Specify the interface through which the PPPoE connection will be established. | esr(config-pppoe)# interface <IF> | <IF> – interface or interface group. |
6 | Specify the time interval during which the statistics on the load is averaged (optionally). | esr(config-pppoe)# load-average <TIME> | <TIME> – time interval in seconds from 5 to 150 (5 seconds by default) |
7 | Specify MTU size (Maximum Transmission Unit) for PPPoE tunnel. | esr(config-pppoe)# mtu <MTU> | <MTU> – MTU value, takes values in the range of: Default value: 1500. |
8 | Specify user name and password for connection to PPPoE server. | esr(config-pppoe)# username <NAME> password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <NAME> – user name, set by the string of up to 31 characters; <CLEAR-TEXT> – password, set by the string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password, set by the string of [16..128] characters. |
9 | Specify the name of VRF instance in which the specified network interface, bridge, security zone, dynamic authorization server (DAS) or NAT rules group will be used. (optionally) | esr(config-pppoe)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
10 | Disable Firewall function on a network interface (optionally) | esr(config-pppoe)# ip firewall disable | |
| Configure a security zone. | esr(config-pppoe)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 31 characters. |
11 | Enable a configured profile. | esr(config-pppoe)# enable |
PPPoE client configuration example
Objective:
Configure PPPoE client on the router.
- Accounts for connection – tester;
- Account passwords – password;
- The connection should be established from the gigabitethernet 1/0/7 interface.
Figure 37 – Network structure
Solution:
Pre-configure the PPPoE server with the accounts.
Enter the PPPoE client configuration mode and disable the firewall:
esr# configure
esr(config)# tunnel pppoe 1
esr(config-pppoe)# ip firewall disable
Specify the user name and password for connection to the PPPoE server:
esr(config-pppoe)# username tester password ascii-text password
Specify the interface through which the PPPoE connection will be established and enable the tunnel:
esr(config-pppoe)# interface gigabitethernet 1/0/7
esr(config-pppoe)# enable
To view the tunnel status, use the following command:
esr# show tunnels configuration pppoe 1
To view PPPoE client session counters, use the following command:
esr# show tunnels counters pppoe 1
Configuring remote access client via PPTP
PPTP (Point-to-Point Tunneling Protocol) is a point-to-point tunneling protocol that allows establishing a secure connection with a server by creating a special tunnel in a common unsecured network. PPTP encapsulates PPP frames into IP packets for transmission via a global IP network, e.g. the Internet. PPTP may be used for tunnel establishment between two local area networks. PPTP uses an additional TCP connection for tunnel handling.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a PPTP tunnel and switch to its configuration mode. | esr(config)# tunnel pptp <INDEX> | <INDEX> – tunnel identifier, set in the range of: [1..10]. |
2 | Specify authentication method (optionally). | esr(config-pptp)# authentication method <METHOD> | <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap Default value: chap |
3 | Specify VRF instance, in which the given PPTP tunnel will operate (optionally). | esr(config-pptp)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
4 | Specify the description of the configured tunnel (optionally). | esr(config-pptp)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
5 | Set the remote IP address for tunnel establishment. | esr(config-pptp)# remote address <ADDR> | <ADDR> – remote gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
6 | Specify MTU size (Maximum Transmission Unit) for the tunnel (optionally). | esr(config-pptp)# mtu <MTU> | <MTU> – MTU value, takes values in the range of: Default value: 1500. |
7 | Ignore the default route via the given PPTP tunnel (optionally) | esr(config-pptp)# ignore-default-route | |
8 | Specify the time interval during which the statistics on the tunnel load is averaged (optionally). | esr(config-pptp)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. Default value: 5 |
9 | Specify the user and set an encrypted or unencrypted password to authenticate the remote party. | esr(config-pptp)# username <NAME> password ascii-text { <WORD> | encrypted <HEX> } | <NAME> – user name, set by the string of up to 31 characters. <WORD> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters. <HEX> – encrypted password, set by the string of [16..128] characters. |
10 | Include the PPTP tunnel in a security zone and configure interaction rules between zones or disable firewall (optionally). | esr(config-pptp)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 31 characters. |
11 | Disable the incoming traffic processing in Firewall (optionally). | esr(config-pptp)# ip firewall disable | |
12 | Enable the tunnel. | esr(config-pptp)# enable | |
Example of remote connection configuration via PPTP
Objective:
Configure PPTP tunnel on a router:
- PPTP server address: 20.20.0.1;
- Account for connection – login: ivan, password: simplepass.
Figure 38 – Network structure
Solution:
Create PPTP tunnel:
esr(config)# tunnel pptp 1
Specify the account (Ivan user) to connect to the server:
esr(config-pptp)# username ivan password ascii-text simplepass
Specify the remote gateway:
esr(config-pptp)# remote address 20.20.0.1
Specify a security zone:
esr(config-pptp)# security-zone VPN
Enable PPTP tunnel:
esr(config-pptp)# enable
To view the tunnel status, use the following command:
esr# show tunnels status pptp
To view sent and received packet counters, use the following command:
esr# show tunnels counters pptp
To view the tunnel configuration, use the following command:
esr# show tunnels configuration pptp
Configuring remote access client via L2TP
L2TP (Layer 2 Tunneling Protocol) is a sophisticated tunneling protocol used to support virtual private networks. L2TP encapsulates PPP frames into IP packets for transmission via a global IP network, e.g. the Internet. L2TP may be used for tunnel establishment between two local area networks. L2TP uses an additional UDP connection for tunnel handling. The L2TP protocol does not provide data encryption, therefore it is usually combined with the IPsec protocol group, which provides security at the packet level.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a L2TP tunnel and switch to its configuration mode. | esr(config)# tunnel l2tp <INDEX> | <INDEX> – tunnel identifier, set in the range of: [1..10]. |
2 | Specify authentication method (optionally). | esr(config-l2tp)# authentication method <METHOD> | <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap. Default value: chap. |
3 | Specify VRF instance, in which the given L2TP tunnel will operate (optionally). | esr(config-l2tp)# ip vrf forwarding <VRF> | <VRF> – VRF name, set by the string of up to 31 characters. |
4 | Specify the description of the configured tunnel (optionally). | esr(config-l2tp)# description <DESCRIPTION> | <DESCRIPTION> – tunnel description, set by the string of up to 255 characters. |
5 | Set the remote IP address for tunnel establishment. | esr(config-l2tp)# remote address <ADDR> | <ADDR> – remote gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
6 | Specify MTU size (Maximum Transmission Unit) for the tunnel (optionally). | esr(config-l2tp)# mtu <MTU> | <MTU> – MTU value, takes values in the range of: Default value: 1500. |
7 | Ignore the default route via the given L2TP tunnel (optionally) | esr(config-l2tp)# ignore-default-route | |
8 | Specify the time interval during which the statistics on the tunnel load is averaged (optionally). | esr(config-l2tp)# load-average <TIME> | <TIME> – interval in seconds, takes values of [5..150]. Default value: 5 |
9 | Specify the user and set an encrypted or unencrypted password to authenticate the remote party. | esr(config-l2tp)# username <NAME> password ascii-text { <WORD> | encrypted <HEX> } | <NAME> – user name, set by the string of up to 31 characters. <WORD> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters. <HEX> – encrypted password, set by the string of [16..128] characters. |
10 | Select a key authentication method for IKE connection. | esr(config-l2tp)# ipsec authentication method pre-shared-key | |
11 | Specify a shared secret authentication key that should be the same for both parties of the tunnel. | esr(config-l2tp)# ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } } | <TEXT> – string of [1..64] ASCII characters; <HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...); <ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters; <ENCRYPTED-HEX> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters. |
12 | Include the L2TP tunnel in a security zone and configure interaction rules between zones or disable firewall (optionally). | esr(config-l2tp)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 31 characters. |
13 | Disable the incoming traffic processing in Firewall (optionally). | esr(config-l2tp)# ip firewall disable | |
14 | Enable the tunnel. | esr(config-l2tp)# enable | |
Example of remote connection configuration via L2TP
Objective:
Configure L2TP tunnel on a router:
- L2TP server address: 20.20.0.1;
- Account for connection – login: ivan, password: simplepass.
Figure 39 – Network structure
Solution:
Create L2TP tunnel:
esr(config)# tunnel l2tp 1
Specify the account (Ivan user) to connect to the server:
esr(config-l2tp)# username ivan password ascii-text simplepass
Specify the remote gateway:
esr(config-l2tp)# remote address 20.20.0.1
Specify a security zone:
esr(config-l2tp)# security-zone VPN
Specify ipsec authentication method:
esr(config-l2tp)# ipsec authentication method pre-shared-key
Specify ipsec security key:
esr(config-l2tp)# ipsec authentication pre-shared-key ascii-text password
Enable L2TP tunnel:
esr(config-l2tp)# enable
To view the tunnel status, use the following command:
esr# show tunnels status l2tp
To view sent and received packet counters, use the following command:
esr# show tunnels counters l2tp
To view the tunnel configuration, use the following command:
esr# show tunnels configuration l2tp
Dual-Homing configuration
In the current firmware version, this functionality is supported only by ESR-1000 router.
Dual-Homing is a redundancy technology based on backup links that keeps key network resources reachable when a primary link fails.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Specify a redundant interface to which the switching will occur when the connection is lost on the primary one. | esr(config-if-gi)# backup interface <IF> vlan <VID> | <IF> – interface to which the switching will occur; <VID> – VLAN ID, set in the range of [2..4094]. You can also specify it as a range with '-' or as a comma-separated list. |
2 | Specify the number of copies of packets with the same MAC address that will be sent to the active interface when switching (optionally). | esr(config)# backup-interface mac-duplicate <COUNT> | <COUNT> – packet copies amount, takes values of [1..4]. |
3 | Specify the number of packets per second that will be sent to the active interface when switching (optionally). | esr(config)# backup-interface mac-per-second <COUNT> | <COUNT> – number of MAC addresses per second, takes values of [50..400]. |
4 | Specify that switching back to the primary interface must occur when communication is restored (optionally). | esr(config)# backup-interface preemption | |
Configuration example
Objective :
Establish redundancy of the ESR router L2 connections for VLAN 50-55 using SW1 and SW2 devices.
Figure 40 – Network structure
Solution:
First, do the following:
Create VLAN 50-55:
esr(config)# vlan 50-55
Disable STP on the gigabitethernet 1/0/9 and gigabitethernet 1/0/10 interfaces, since these protocols cannot operate simultaneously:
esr(config)# interface gigabitethernet 1/0/9-10
esr(config-if-gi)# spanning-tree disable
Add gigabitethernet 1/0/9 and gigabitethernet 1/0/10 interfaces into VLAN 50-55 in 'general' mode:
esr(config-if-gi)# switchport general allowed vlan add 50-55
esr(config-if-gi)# exit
Main configuration step:
Make gigabitethernet 1/0/10 redundant for gigabitethernet 1/0/9:
esr(config)# interface gigabitethernet 1/0/9
esr(config-if-gi)# backup interface gigabitethernet 1/0/10 vlan 50-55
To view information on redundant interfaces, use the following command:
esr# show interfaces backup
QoS configuration
QoS (Quality of Service) is a technology that provides various traffic classes with various service priorities. QoS service allows network applications to co-exist in a single network without altering the bandwidth of other applications.
Basic QoS
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Enable QoS on the interface/tunnel/network bridge. If QoS policy is not assigned on the interface, the interface operates in BasicQoS mode. | esr(config-if-gi)# qos enable | |
2 | Set the trust mode for 802.1p and DSCP code values in incoming packets. (optionally) | esr(config)# qos trust <MODE> | <MODE> – trust mode for 802.1p and DSCP code values, takes one of the following values: |
3 | Set the match between DSCP code values of incoming packets and outgoing queues. The given match works for incoming interfaces/tunnels/bridges on which QoS is enabled. (optionally) | esr(config)# qos map dscp-queue <DSCP> to <QUEUE> | <DSCP> – service classifier in the packet IP header, takes values in the range of [0..63]; <QUEUE> – queue identifier, takes values in the range of [1..8]. Default values: |
4 | Set the match between 802.1p code values of incoming packets and outgoing queues. The given match works for incoming interfaces/tunnels/bridges on which QoS is enabled. (optionally) | esr(config)# qos map cos-queue <COS> to <QUEUE> | <COS> – service classifier in the 802.1q packet tag, takes values in the range of [0..7]; <QUEUE> – queue identifier, takes values in the range of [1..8]. Default values: |
5 | Set the match between DSCP codes values of incoming packets and outgoing DSCP codes. (if remarking is required) The given match works for incoming interfaces/tunnels/bridge on which QoS is enabled. | esr(config)# qos map dscp-queue <DSCP> to <DSCP> | <DSCP> – service classifier in a packet IP header, takes values in the range of [0..63]. |
6 | Enable DSCP codes changes according to the DSCP-Mutation table. (if remarking is required) | esr(config)# qos dscp mutation | |
7 | Set the number of the default queue into which all non-IP traffic falls when the trust mode for DSCP priorities is used. | esr(config)# qos queue default <QUEUE> | <QUEUE> – queue identifier, takes values in the range of [1..8]. |
8 | Set the amount of priority queues. The remaining queues are weighted. (optionally) | esr(config)# priority-queue out num-of-queues <VALUE> | <VALUE> – amount of queues, takes values of [0..8]. The priority queues are allocated starting from the 8th one, decreasing the queue number. Default value: 8 |
9 | Define the weights for corresponding weighted queues. | esr(config)# qos wrr-queue <QUEUE> bandwidth <WEIGHT> | <QUEUE> – queue identifier, takes values in the range of [1..8]; <WEIGHT> – weight value, takes values in the range of [1..255]. Default value: weight 1 for all queues. |
10 | Set the outgoing traffic rate limiting for a certain queue or for the interface in total. The command is relevant only for the BasicQoS mode of the interface. If the incoming traffic was classified by advanced QoS, the limiting will not work. (if the outgoing rate limiting is required) | esr(config-if-gi)# traffic-shape { <BANDWIDTH> [BURST] | queue <QUEUE> <BANDWIDTH> [BURST] } | <QUEUE> – queue identifier, takes values in the range of [1..8]; <BANDWIDTH> – average traffic rate in Kbps, takes the value of [3000..10000000] for TengigabitEthernet interfaces and [64..1000000] for other interfaces and tunnels; <BURST> – size of the restrictive threshold in KB, takes the value [4..16000]. By default 128 KB. Default value: Disabled. |
11 | Set the incoming traffic rate limiting. (if the incoming rate limiting is required) | esr(config-if-gi)# rate-limit <BANDWIDTH> [BURST] | <BANDWIDTH> – average traffic rate in Kbps, takes the value of [3000..10000000] for TengigabitEthernet interfaces and [64..1000000] for other interfaces and tunnels; <BURST> – size of the restrictive threshold in KB, takes the value [4..16000]. By default 128 KB. Default value: Disabled. |
Configuration example
Objective :
Configure the following restrictions on gigabitethernet 1/0/8 interface: transfer DSCP 22 traffic into 8th priority queue, DSCP 14 traffic into 7th weighted queue, limit transfer rate to 60Mbps for 7th queue.
Figure 41 – Network structure
Solution:
In order to make the 8th queue a priority queue and the 1st to 7th queues weighted ones, limit the number of priority queues to 1:
esr(config)# priority-queue out num-of-queues 1
Redirect DSCP 22 traffic into the 8th (priority) queue:
esr(config)# qos map dscp-queue 22 to 8
Redirect DSCP 14 traffic into the 7th (weighted) queue:
esr(config)# qos map dscp-queue 14 to 7
Enable QoS on the incoming interface for the correct classification of traffic and the direction to the corresponding queue from the LAN side:
esr(config)# interface gigabitethernet 1/0/5
esr(config-if-gi)# qos enable
esr(config-if-gi)# exit
Enable QoS on the interface from the WAN side to correctly process queues and limit bandwidth:
esr(config)# interface gigabitethernet 1/0/8
esr(config-if-gi)# qos enable
Limit transfer rate to 60Mbps for 7th queue:
esr(config-if-gi)# traffic-shape queue 7 60000
esr(config-if-gi)# exit
To view QoS statistics, use the following command:
esr# show qos statistics gigabitethernet 1/0/8
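The queue layout used by the example above (one strict-priority queue, the rest weighted, DSCP values mapped to queues), as an added model that is not Eltex code: it encodes the rules the configuration table states and runs one scheduling round over a constructed backlog. The fallback queue for DSCP values without a mapping is an assumption, since the manual's default table is not reproduced on this page.

```python
"""Model of the BasicQoS egress queue layout described in the table above.

Added example, not Eltex code. Rules taken from the table: eight egress
queues; 'priority-queue out num-of-queues N' makes queues 8, 7, ... strict
priority queues and leaves the rest weighted (WRR); weights come from
'qos wrr-queue <Q> bandwidth <W>' (default weight 1); DSCP values are mapped
to queues with 'qos map dscp-queue'. The default queue for unmapped DSCP
values (queue 1 here) is an assumption of this model.
"""
from typing import Dict, List, Optional, Tuple

NUM_QUEUES = 8


def priority_queues(num_of_queues: int) -> List[int]:
    """Queues made strict-priority by 'priority-queue out num-of-queues N'.

    Allocation starts at queue 8 and walks downwards, as the table says.
    """
    if not 0 <= num_of_queues <= NUM_QUEUES:
        raise ValueError("num-of-queues must be in [0..8]")
    return [NUM_QUEUES - i for i in range(num_of_queues)]


def classify(dscp: int, dscp_to_queue: Dict[int, int], default_queue: int) -> int:
    """Return the egress queue for a DSCP value ('qos map dscp-queue')."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in [0..63]")
    queue = dscp_to_queue.get(dscp, default_queue)
    if not 1 <= queue <= NUM_QUEUES:
        raise ValueError("queue must be in [1..8]")
    return queue


def schedule_round(backlog: Dict[int, int], num_of_queues: int,
                   weights: Optional[Dict[int, int]] = None) -> List[Tuple[int, int]]:
    """Serve one scheduling round and return [(queue, packets_served), ...].

    Strict-priority queues are drained first, highest queue number first.
    Each weighted queue then sends at most 'weight' packets per round
    (default weight 1, as in the table); empty queues are skipped. Visiting
    the WRR queues in descending order is a simplification of this model,
    not something the manual specifies.
    """
    weights = weights or {}
    strict = priority_queues(num_of_queues)
    served: List[Tuple[int, int]] = []
    for q in strict:
        if backlog.get(q, 0) > 0:
            served.append((q, backlog[q]))
    for q in range(NUM_QUEUES, 0, -1):
        if q in strict or backlog.get(q, 0) <= 0:
            continue
        weight = weights.get(q, 1)
        if not 1 <= weight <= 255:
            raise ValueError("WRR weight must be in [1..255]")
        served.append((q, min(weight, backlog[q])))
    return served


# The example configuration on this page: one priority queue (queue 8),
# DSCP 22 -> queue 8, DSCP 14 -> queue 7. Default queue 1 is an assumption.
EXAMPLE_NUM_OF_QUEUES = 1
EXAMPLE_DSCP_MAP = {22: 8, 14: 7}
EXAMPLE_DEFAULT_QUEUE = 1


def example_round(weight_q7: int = 1) -> List[Tuple[int, int]]:
    """Constructed backlog: 3 DSCP 22, 10 DSCP 14 and 10 unmarked packets."""
    arrivals = [22] * 3 + [14] * 10 + [0] * 10
    backlog: Dict[int, int] = {}
    for dscp in arrivals:
        q = classify(dscp, EXAMPLE_DSCP_MAP, EXAMPLE_DEFAULT_QUEUE)
        backlog[q] = backlog.get(q, 0) + 1
    return schedule_round(backlog, EXAMPLE_NUM_OF_QUEUES, {7: weight_q7})


if __name__ == "__main__":
    print("priority queues:", priority_queues(EXAMPLE_NUM_OF_QUEUES))
    print("one round, queue 7 weight 1:", example_round())
    print("one round, queue 7 weight 4:", example_round(4))
```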
Advanced QoS
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create access lists to define the traffic to which the advanced QoS should be applied. | See Section Access list (ACL) configuration. | |
2 | Create QoS class and switch to the class parameters configuration mode. | esr(config)# class-map <NAME> | <NAME> – name of the class being created, set by the string of up to 31 characters. |
3 | Specify QoS class description (optionally). | esr(config-class-map)# description <description> | <description> – up to 255 characters. |
4 | Specify the traffic related to the configured class by access control list (ACL). | esr(config-class-map)# match access-group <NAME> | <NAME> – access control list name, set by the string of up to 31 characters. |
5 | Specify DSCP code value which will be set in IP packets corresponding to the class being configured. (cannot be assigned simultaneously with IP Precedence and CoS fields). (if remarking is required) | esr(config-class-map)# set dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. |
6 | Specify IP Precedence code value which will be set in IP packets corresponding to the class being configured (cannot be assigned simultaneously with DSCP and CoS fields). (if remarking is required) | esr(config-class-map)# set ip-precedence <IPP> | <IPP> – IP Precedence code value, takes values in the range of [0..7]. |
7 | Specify the 802.1p priority value which will be set in packets corresponding to the class being configured (cannot be assigned simultaneously with DSCP and IP Precedence fields). (if remarking is required) | esr(config-class-map)# set cos <COS> | <COS> – 802.1p priority value, takes values of [0..7]. |
8 | Create QoS policy and switch to the policy parameters configuration mode. | esr(config)# policy-map <NAME> esr(config-policy-map)# | <NAME> – name of the policy being created, set by the string of up to 31 characters. |
9 | Specify QoS policy description (optionally). | esr(config-policy-map)# description <description> | <description> – up to 255 characters. |
10 | Set the committed outgoing bandwidth for the policy in total. | esr(config-policy-map)# shape average <BANDWIDTH> [BURST] | <BANDWIDTH> – guaranteed bandwidth in Kbps, takes the value [64..10000000]; <BURST> – size of the restrictive threshold in KB, takes the value [4..16000]. By default 128 KB. |
11 | Enable automatic bandwidth allocation between classes without bandwidth configuration, including the default class. (if required) | esr(config-policy-map)# shape auto-distribution | |
12 | Include the specified QoS class in the policy and switch to the class parameters configuration mode within the policy. | esr(config-policy-map)# class <NAME> esr(config-class-policy-map)# | <NAME> – name of the class being bound, set by the string of up to 31 characters. When specifying the 'class-default' value, the incoming unclassified traffic falls into this class. |
13 | Include QoS policy in QoS class to create hierarchical QoS. | esr(config-class-policy-map)# service-policy <NAME> | <NAME> – policy name, set by the string of up to 31 characters. Inserted policy must already be created. |
14 | Set the committed outgoing bandwidth for the class within the policy. (if required) | esr(config-class-policy-map)# shape average <BANDWIDTH> [BURST] | <BANDWIDTH> – guaranteed bandwidth in Kbps, takes the value [64..10000000]; <BURST> – size of the restrictive threshold in KB, takes the value [4..16000]. By default 128 KB. |
15 | Set the shared outgoing bandwidth for a specific class. The class may occupy the bandwidth if a lower priority class has not occupied its committed bandwidth. (if required) | esr(config-class-policy-map)# shape peak <BANDWIDTH> [BURST] | |
16 | Specify class operation mode. (optionally) | esr(config-class-policy-map)# mode <MODE> | <MODE> – class mode: Default value: FIFO. |
17 | Specify the class priority in WRR process. (if required) | esr(config-class-policy-map)# priority class <PRIORITY> | <PRIORITY> – priority of class in WRR process, takes values of [1..8]. Classes with the highest priority are proceeded first. |
18 | Switch the class to the StrictPriority mode and specify the class priority. (if required) | esr(config-class-policy-map)# priority level <PRIORITY> | <PRIORITY> – priority level in StrictPriority process, takes values of [1..8]. Classes with the highest priority are proceeded first. Default value: the class operates in WRR mode, the priority is not specified. |
19 | Specify the limited number of virtual queues. (optionally) | esr(config-class-policy-map)# fair-queue <QUEUE-LIMIT> | <QUEUE-LIMIT> – limited number of virtual queues, takes values in the range of [16..4096]. Default value: 16. |
20 | Specify the limited number of packets for a virtual queue. (optionally) | esr(config-class-policy-map)# queue-limit <QUEUE-LIMIT> | <QUEUE-LIMIT> – limited number of packets in a virtual queue, takes values in the range of [2..4096]. Default value: 127. |
21 | Specify RED (Random Early Detection) parameters. (if required) | esr(config-class-policy-map)# random-detect <LIMIT> <MAX> <MIN> <PROBABILITY> | <LIMIT> – limited size of a queue in bytes, takes values in the range of [1..1000000]; <MAX> – maximum size of a queue in bytes, takes values in the range of [1..1000000]; <MIN> – minimum size of a queue in bytes, takes values in the range of [1..1000000]; <PROBABILITY> – probability of packet drop, takes values of [0..100]. When specifying values, the following rules should be followed: |
22 | Specify GRED (Generalized Random Early Detection) parameters. (if required) | esr(config-class-policy-map)# random-detect precedence <PRECEDENCE> <LIMIT> <MAX> <MIN> <PROBABILITY> | <PRECEDENCE> – IP Precedence value [0..7]; <LIMIT> – limited size of a queue in bytes, takes values in the range of [1..1000000]; <MAX> – maximum size of a queue in bytes, takes values in the range of [1..1000000]; <MIN> – minimum size of a queue in bytes, takes values in the range of [1..1000000]; <PROBABILITY> – probability of packet drop, takes values of [0..100]. When specifying values, the following rules should be followed: |
23 | Enable tcp headers compression protocol for the certain class traffic. (if required) | esr(config-class-policy-map)# compression header ip tcp | |
24 | Enable QoS on the interface/tunnel/network bridge. | esr(config-if-gi)# qos enable | |
25 | Define the QoS policy on a configured interface/tunnel/network bridge to classify input and prioritize output traffic. | esr(config-if-gi)# service-policy { input | output } <NAME> | <NAME> – QoS policy name, set by the string of up to 31 characters. |
Configuration example
Objective:
Classify incoming traffic by subnet (10.0.11.0/24, 10.0.12.0/24), mark it with DSCP (38 and 42), limit each subnet separately (40 Mbps and 60 Mbps), limit the total bandwidth to 250 Mbps, and process the rest of the traffic using the SFQ mechanism.
Figure 42 – Network structure
Solution:
In global configuration mode, configure access control lists for filtering by subnet:
esr(config)# ip access-list extended fl1
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address 10.0.11.0 255.255.255.0
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
esr(config)# ip access-list extended fl2
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address 10.0.12.0 255.255.255.0
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
Create classes fl1 and fl2, specify the respective access control lists, configure labelling:
esr(config)# class-map fl1
esr(config-class-map)# set dscp 38
esr(config-class-map)# match access-group fl1
esr(config-class-map)# exit
esr(config)# class-map fl2
esr(config-class-map)# set dscp 42
esr(config-class-map)# match access-group fl2
esr(config-class-map)# exit
Create policy and define general bandwidth limits:
esr(config)# policy-map fl
esr(config-policy-map)# shape average 250000
Map class to policy, configure bandwidth limit and exit:
esr(config-policy-map)# class fl1
esr(config-class-policy-map)# shape average 40000
esr(config-class-policy-map)# exit
esr(config-policy-map)# class fl2
esr(config-class-policy-map)# shape average 60000
esr(config-class-policy-map)# exit
For the rest of traffic, configure a class with SFQ mode:
esr(config-policy-map)# class class-default
esr(config-class-policy-map)# mode sfq
esr(config-class-policy-map)# fair-queue 800
esr(config-class-policy-map)# exit
esr(config-policy-map)# exit
Enable QoS on the interfaces and apply the policy: on gi 1/0/19 ingress for classification, and on gi 1/0/20 egress to apply the restrictions and the SFQ mode for the default class:
esr(config)# interface gigabitethernet 1/0/19
esr(config-if-gi)# qos enable
esr(config-if-gi)# service-policy input fl
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/20
esr(config-if-gi)# qos enable
esr(config-if-gi)# service-policy output fl
esr(config-if-gi)# exit
To view the statistics, use the following command:
esr# show qos policy statistics gigabitethernet 1/0/20
Mirroring configuration
In the current firmware version, this functionality is supported only by ESR-1000 router.
Traffic mirroring is a feature of the router that allows for redirection of traffic from a specific port of the router to another port of the same router (local mirroring) or to a remote device (remote mirroring).
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Define VLAN over which the mirrored traffic will be transmitted (in case of using remote mirroring). | esr(config)# port monitor remote vlan <VID> <DIRECTION> | <VID> – VLAN ID, set in the range of [2..4094]; <DIRECTION> – traffic direction: |
2 | Enable the remote mirroring mode (in case of using remote mirroring). | esr(config)# port monitor remote | |
3 | Define the mode of the port transmitting mirrored traffic. | esr(config)# port monitor mode <MODE> | <MODE> – mode: |
4 | Enable mirroring in the interface configuration mode. | esr(config-if-gi)# port monitor interface <IF> <DIRECTION> | <IF> – interface from which the traffic will be mirrored; <DIRECTION> – traffic direction: |
Configuration example
Objective :
Establish remote mirroring of traffic through VLAN 50 from gi1/0/11 interface to be sent to server for processing purposes.
Figure 43 – Network structure
Solution:
First, do the following:
- Create VLAN 50.
- On gi 1/0/5 interface, add VLAN 50 in 'general' mode.
Main configuration step:
Specify VLAN that will be used for transmission of mirrored traffic:
esr1000(config)# port monitor remote vlan 50
For gi 1/0/5 interface, specify a port for mirroring:
esr1000(config)# interface gigabitethernet 1/0/5
esr1000(config-if-gi)# port monitor interface gigabitethernet 1/0/11
For gi 1/0/5 interface, specify the remote mirroring mode:
esr1000(config-if-gi)# port monitor remote
Netflow configuration
Netflow is a network protocol designed for traffic accounting and analysis. Netflow allows transmitting traffic information (source and destination address, port, quantity of information) from the network equipment (sensor) to the collector. Common server may serve as a collector.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Specify Netflow protocol version. | esr(config)# netflow version <VERSION> | <VERSION> – Netflow protocol version: 5, 9 and 10. |
2 | Set the maximum amount of observed sessions. | esr(config)# netflow max-flows <COUNT> | <COUNT> – number of watched sessions, takes the value [10000..2000000]. Default value: 512000. |
3 | Set the interval after which the information on outdated sessions is exported to the collector. | esr(config)# netflow inactive-timeout <TIMEOUT> | <TIMEOUT> – delay before sending information about outdated sessions, set in seconds, takes the value [0..240]. Default value: 15 seconds. |
4 | Set the rate of the statistics sending to a Netflow collector. | esr(config)# netflow refresh-rate <RATE> | <RATE> – frequency of sending statistics, is set in packets per stream, takes the value [1..10000]. Default value: 10. |
5 | Enable Netflow on the router. | esr(config)# netflow enable | |
6 | Create the Netflow collector and switch to its configuration mode. | esr(config)# netflow collector <ADDR> | <ADDR> – collector IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
7 | Set the Netflow service port on the statistics collection server. | esr(config-netflow-host)# port <PORT> | <PORT> – UDP port number, set in the range of [1..65535]. Default value: 2055. |
8 | Enable statistics sending to the Netflow server in the interface/tunnel/network bridge configuration mode. | esr(config-if-gi)# ip netflow export | |
Configuration example
Objective :
Establish accounting for traffic from gi1/0/1 interface to be sent to the server via gi1/0/8 interface for processing purposes.
Figure 44 – Network structure
Solution:
First, do the following:
- For gi1/0/1, gi1/0/8 interfaces disable firewall with 'ip firewall disable' command.
- Assign IP address to ports.
Main configuration step:
Specify collector IP address:
esr(config)# netflow collector 10.10.0.2
Enable netflow statistics export collection for gi1/0/1 network interface:
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip netflow export
Enable netflow on the router:
esr(config)# netflow enable
To view the Netflow statistics, use the following command:
esr# show netflow statistics
Netflow configuration for traffic accounting between zones is performed by analogy to sFlow configuration; for description, see Section sFlow configuration.
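What the collector at the other end of 'netflow collector <ADDR>' receives, as an added example that is not part of the ESR manual or Eltex software: a decoder for the standard NetFlow v5 datagram layout that extracts the fields the text names (addresses, ports, packet and byte counts) and rejects malformed or non-v5 datagrams. The sample datagram is constructed here; the addresses come from documentation ranges.

```python
"""Collector-side decoder for NetFlow v5 export datagrams.

Added example, not part of the ESR manual or Eltex software. It decodes the
standard NetFlow v5 layout (24-byte header followed by 48-byte flow records)
that an exporter sends to the collector's UDP port (2055 by default on the
ESR, see step 7) and extracts the fields the text names: source and
destination addresses, ports and the packet/byte counts. The datagram used
below is constructed for the example.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval.
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 24 bytes
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2.
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)      # 48 bytes


@dataclass
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    octets: int
    tcp_flags: int


def parse_v5(datagram: bytes) -> List[Flow]:
    """Decode one NetFlow v5 datagram; raise ValueError if it is malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count exceeds datagram length")
    flows: List[Flow] = []
    for i in range(count):
        rec = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        (srcaddr, dstaddr, _nexthop, _in_if, _out_if, d_pkts, d_octets,
         _first, _last, srcport, dstport, _pad, tcp_flags, prot, _tos, *_) = rec
        flows.append(Flow(socket.inet_ntoa(srcaddr), socket.inet_ntoa(dstaddr),
                          srcport, dstport, prot, d_pkts, d_octets, tcp_flags))
    return flows


def is_valid_v5(datagram: bytes) -> bool:
    """True if the datagram decodes cleanly as NetFlow v5."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def octets_by_source(flows: List[Flow]) -> Dict[str, int]:
    """Per-source byte accounting, the basic use of the exported data."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.octets
    return totals


# --- constructed sample datagram (what an exporter would send) ---------------
def build_header(count: int, version: int = 5, seq: int = 0) -> bytes:
    return struct.pack(HEADER_FMT, version, count, 0, 1700000000, 0, seq, 0, 0, 0)


def build_record(src: str, dst: str, sport: int, dport: int, proto: int,
                 pkts: int, octets: int, flags: int = 0) -> bytes:
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 8, pkts, octets, 0, 1000,
                       sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


SAMPLE_DATAGRAM = (
    build_header(2)
    + build_record("192.0.2.10", "198.51.100.20", 51514, 443, 6, 12, 5400, 0x18)
    + build_record("192.0.2.11", "198.51.100.53", 53000, 53, 17, 2, 180)
)

if __name__ == "__main__":
    for flow in parse_v5(SAMPLE_DATAGRAM):
        print(flow)
    print(octets_by_source(parse_v5(SAMPLE_DATAGRAM)))
```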
sFlow configuration
sFlow is a standard for monitoring computer networks, wireless networks and network devices, designed for traffic accounting and analysis.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Set the rate of sending the unchanged user traffic packets to sFlow collector. | esr(config)# sflow sampling-rate <RATE> | <RATE> – rate of sending the user traffic packets to the collector, takes the value of [1..10000000]. If the frequency value is 10, one packet out of ten will be sent to the collector. Default value: 1000. |
2 | Set the interval after which the information on the network interface counters is obtained | esr(config)# sflow poll-interval <TIMEOUT> | <TIMEOUT> – interval after which the information on the network interface counters is obtained, takes values of [1..10000]. Default value: 10 seconds. |
3 | Enable sFlow on the router. | esr(config)# sflow enable | |
4 | Create the sFlow collector and switch to its configuration mode. | esr(config)# sflow collector <ADDR> | <ADDR> – collector IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
5 | Enable statistics sending to the sFlow server in the interface/tunnel/network bridge configuration mode. | esr(config-if-gi)# ip sflow export | |
Configuration example
Objective :
Establish accounting for traffic between 'trusted' and 'untrusted' zones.
Figure 45 – Network structure
Solution:
Create two security zones for ESR networks:
esr# configure
esr(config)# security zone TRUSTED
esr(config-zone)# exit
esr(config)# security zone UNTRUSTED
esr(config-zone)# exit
Configure network interfaces and assign them to security zones:
esr(config)# interface gi1/0/1
esr(config-if-gi)# security-zone UNTRUSTED
esr(config-if-gi)# ip address 10.10.0.1/24
esr(config-if-gi)# exit
esr(config)# interface gi1/0/2-3
esr(config-if-gi)# security-zone TRUSTED
esr(config-if-gi)# exit
esr(config)# interface gi1/0/2
esr(config-if-gi)# ip address 192.168.1.5/24
esr(config-if-gi)# exit
esr(config)# interface gi1/0/3
esr(config-if-gi)# ip address 192.168.3.5/24
esr(config-if-gi)# exit
Specify collector IP address:
esr(config)# sflow collector 192.168.1.8
Enable sFlow protocol statistics export for all traffic within 'rule1' for TRUSTED-UNTRUSTED direction:
esr(config)# security zone-pair TRUSTED UNTRUSTED
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action sflow-sample
esr(config-zone-pair-rule)# match protocol any
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
Enable sFlow on the router:
esr(config)# sflow enable
sFlow configuration for traffic accounting from an interface is performed by analogy to the Netflow configuration.
LACP configuration
LACP is a link aggregation protocol that allows multiple physical links to be combined into a single logical link. This increases both the bandwidth and the robustness of the communication link.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Set the system priority for LACP. | esr(config)# lacp system-priority <PRIORITY> | <PRIORITY> – priority, set in the range of [1..65535]. Default value: 1. |
2 | Set the load balancing mechanism for channel aggregation groups. | esr(config)# port-channel load-balance {src-dst-mac-ip|src-dst-mac|src-dst-ip|src-dst-mac-ip-port} | |
3 | Set LACP administration timeout. | esr(config)# lacp timeout { short | long } | Default value: long. |
4 | Create and switch to the aggregated interface configuration mode. | esr(config)# interface port-channel <ID> | <ID> – sequence number of a channel aggregation group, takes values of [1..12]. |
5 | Configure the required parameters of the aggregated channel. | | |
6 | Switch to the physical interface configuration mode. | esr(config)# interface <IF-TYPE><IF-NUM> | <IF-TYPE> interface type (gigabitethernet or tengigabitethernet). <IF-NUM> – F/S/P – F frame (1), S – slot (0), P – port. |
7 | Include a physical interface in the channel aggregation group, specifying the mode of the channel aggregation group formation. | esr(config-if-gi)# channel-group <ID> mode <MODE> | <ID> – sequence number of a channel aggregation group, takes values of [1..12]. <MODE> – mode of the channel aggregation group formation: |
8 | Set the Ethernet interface LACP priority. | esr(config-if-gi)# lacp port-priority <PRIORITY> | <PRIORITY> – priority, set in the range of [1..65535]. Default value: 1. |
Configuration example
Objective :
Configure aggregated link between ESR router and the switch.
Figure 46 – Network structure
Solution:
First, do the following settings:
For gi1/0/1, gi1/0/2 interfaces disable security zone with 'no security-zone' command.
Main configuration step:
Create port-channel 2 interface:
esr(config)# interface port-channel 2
Add gi1/0/1, gi1/0/2 physical interfaces into the created link aggregation group:
esr(config)# interface gigabitethernet 1/0/1-2
esr(config-if-gi)# channel-group 2 mode auto
Further port-channel configuration is performed by analogy to the common physical interface.
VRRP configuration
VRRP (Virtual Router Redundancy Protocol) is a network protocol designed to increase the availability of routers acting as a default gateway. This is achieved by combining a group of routers into a single virtual router and assigning it a shared IP address that computers in the network use as their default gateway.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Switch to the interface/tunnel/ network bridge configuration mode for which it is necessary to configure VRRP | esr(config)# interface <IF-TYPE><IF-NUM> | <IF-TYPE> – interface type; <IF-NUM> – F/S/P – F frame (1), S – slot (0), P – port. |
esr(config)# tunnel <TUN-TYPE><TUN-NUM> | <TUN-TYPE> – tunnel type; <TUN-NUM> – tunnel number. | ||
esr(config)# bridge <BR-NUM> | <BR-NUM> – bridge number. | ||
2 | Configure the required parameters on the interface/tunnel/ network bridge including IP address | ||
3 | Enable VRRP process on IP interface. | esr(config-if-gi)# vrrp | |
esr(config-if-gi)# ipv6 vrrp | |||
4 | Set virtual IP address of VRRP router. | esr(config-if-gi)# vrrp ip <ADDR/LEN> | <ADDR/LEN> – virtual IP address, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32]. You can specify several IP addresses separated by commas. Up to 4 IP addresses can be assigned to the interface. |
esr(config-if-gi)# ipv6 vrrp ip <IPV6-ADDR> | <IPV6-ADDR> – virtual IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. You can specify up to 8 IPv6 addresses separated by commas. | ||
5 | Set the VRRP router identifier. | esr(config-if-gi)# vrrp id <VRID> | <VRID> – VRRP router identifier, takes values in the range of [1..255]. |
esr(config-if-gi)# ipv6 vrrp id <VRID> | |||
6 | Set the VRRP router priority. | esr(config-if-gi)# vrrp priority <PR> | <PR> – VRRP router priority, takes values in the range of [1..254]. Default value: 100. |
esr(config-if-gi)# ipv6 vrrp priority <PR> | |||
7 | Identify the VRRP router's membership in a group. The group provides the ability to synchronize several VRRP processes: if a master change occurs in one of the processes, the roles in the other processes of the group are changed as well. | esr(config-if-gi)# vrrp group <GRID> | <GRID> – VRRP router group identifier, takes values in the range of [1..32]. |
esr(config-if-gi)# ipv6 vrrp group <GRID> | |||
8 | Set the IP address that will be used as a source IP address for VRRP messages. | esr(config-if-gi)# vrrp source-ip <IP> | <IP> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-if-gi)# ipv6 vrrp source-ip <IPV6> | <IPV6> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
9 | Set the interval between sending VRRP messages | esr(config-if-gi)# vrrp timers advertise <TIME> | <TIME> – time in seconds, takes values of [1..40]. Default value: 1 second. |
esr(config-if-gi)# ipv6 vrrp timers advertise <TIME> | |||
10 | Set the interval after which Gratuitous ARP messages are sent when switching the router to the Master status. | esr(config-if-gi)# vrrp timers garp delay <TIME> | <TIME> – time in seconds, takes values of [1..60]. Default value: 5 seconds. |
11 | Set the amount of Gratuitous ARP messages that will be sent when switching the router to the Master status. | esr(config-if-gi)# vrrp timers garp repeat <COUNT> | <COUNT> – amount of messages, takes values of [1..60]. Default value: 5. |
12 | Set the interval after which Gratuitous ARP messages will be sent periodically while the router is in the Master status. | esr(config-if-gi)# vrrp timers garp refresh <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: Periodic sending is disabled. |
13 | Set the amount of Gratuitous ARP messages that will be sent with the garp refresh period while the router is in the Master status. | esr(config-if-gi)# vrrp timers garp refresh-repeat <COUNT> | <COUNT> – amount of messages, takes values of [1..60]. Default value: 1. |
14 | Specify whether the higher priority Backup router would try to take the Master role from the current lower priority Master router. | esr(config-if-gi)# vrrp preemption disable | |
esr(config-if-gi)# ipv6 vrrp preemption disable | |||
15 | Set the time interval after which the higher priority Backup router will try to take the Master role from the current lower priority Master router. | esr(config-if-gi)# vrrp preemption delay <TIME> | <TIME> – timeout, takes values in seconds [1..1000]. Default value: 0 |
esr(config-if-gi)# ipv6 vrrp preemption delay <TIME> | |||
16 | Set the password for neighbour authentication. | esr(config-if-gi)# vrrp authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by a string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password of 8 to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
17 | Define authentication algorithm. | esr(config-if-gi)# vrrp authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm: |
18 | Specify VRRP version. | esr(config-if-gi)# vrrp version <VERSION> | <VERSION> – VRRP version: 2, 3. |
19 | Set the mode in which the VRRP IP address remains in the UP status regardless of the status of the interface itself. (optionally) | esr(config-if-gi)# vrrp force-up | |
20 | Specify the delay between the assignment of MASTER status to ipv6 vrrp and the start of ND messages distribution. | esr(config-if-gi)# ipv6 vrrp timers nd delay <TIME> | <TIME> – time in seconds, takes values of [1..60]. Default value: 5 |
21 | Specify the period of ND protocol information update for ipv6 vrrp in MASTER status. | esr(config-if-gi)# ipv6 vrrp timers nd refresh <TIME> | <TIME> – time in seconds, takes values of [1..65535]. Default value: 5 |
22 | Specify the number of ND messages sent during the update period for ipv6 vrrp in the MASTER state. | esr(config-if-gi)# ipv6 vrrp timers nd refresh-repeat <NUM> | <NUM> – number, takes values of [1..60]. Default value: 0 |
23 | Specify the number of ND packet transmissions after ipv6 vrrp enters the MASTER state. | esr(config-if-gi)# ipv6 vrrp timers nd repeat <NUM> | <NUM> – number, takes values of [1..60]. Default value: 1 |
Configuration example 1
Objective:
Establish LAN virtual gateway in VLAN 50 using VRRP. IP address 192.168.1.1 is used as a local virtual gateway.
Figure 47 – Network structure
Solution:
First, do the following:
- create the corresponding sub-interface;
- configure a zone for the sub-interface;
- specify IP address for the sub-interface.
Main configuration step:
Configure R1 router.
Configure VRRP in the created sub-interface. Specify unique VRRP identifier:
R1(config)# interface gi 1/0/5.50
R1(config-subif)# vrrp id 10
Specify virtual gateway IP address 192.168.1.1/24:
R1(config-subif)# vrrp ip 192.168.1.1
Enable VRRP:
R1(config-subif)# vrrp
R1(config-subif)# exit
Configure R2 same.
Configuration example 2
Objective:
Establish virtual gateways for 192.168.20.0/24 subnet in VLAN 50 and 192.168.1.0/24 in VLAN 60 using VRRP with Master sync feature. To do this, you have to group VRRP processes. IP addresses 192.168.1.1 and 192.168.20.1 are used as virtual gateways.
Figure 48 – Network structure
Solution:
First, do the following:
- create the corresponding sub-interfaces;
- configure a zone for the sub-interfaces;
- specify IP addresses for the sub-interfaces.
Main configuration step:
Configure R1 router.
Configure VRRP for 192.168.1.0/24 subnet in the created sub-interface.
Specify unique VRRP identifier:
R1(config)# interface gi 1/0/5.50
R1(config-subif)# vrrp id 10
Specify virtual gateway IP address 192.168.1.1:
R1(config-subif)# vrrp ip 192.168.1.1
Specify VRRP group identifier:
R1(config-subif)# vrrp group 5
Enable VRRP:
R1(config-subif)# vrrp
R1(config-subif)# exit
Configure VRRP for 192.168.20.0/24 subnet in the created sub-interface.
Specify unique VRRP identifier:
R1(config)# interface gi 1/0/6.60
R1(config-subif)# vrrp id 20
Specify virtual gateway IP address 192.168.20.1:
R1(config-subif)# vrrp ip 192.168.20.1
Specify VRRP group identifier:
R1(config-subif)# vrrp group 5
Enable VRRP:
R1(config-subif)# vrrp
R1(config-subif)# exit
Configure R2 the same.
In addition to the configuration above, the VRRP protocol (IP protocol number 112) must be permitted in the firewall; otherwise the routers cannot exchange VRRP advertisements.
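The advertisements that protocol 112 carries are small and easy to inspect, which is useful both when verifying that the firewall lets them through and when watching a VLAN for VRRP speakers that should not be there. The following decoder is an added example and is not part of the ESR manual or the router's software; it builds a VRRPv2 advertisement for VRID 10 with virtual address 192.168.1.1 (the values from configuration example 1), verifies the VRRP checksum, and compares what it sees against the VRIDs and priorities an operator expects. The `expected` table and the alert strings are assumptions made for the example.

```python
"""Decode and sanity-check VRRP advertisements (IP protocol 112).

Added example, not ESR code. Packets are constructed inline; on a real
router the firewall must permit protocol 112 before any of this traffic
reaches the peer.
"""
import struct
from ipaddress import IPv4Address

VRRP_PROTO = 112          # IP protocol number used by VRRP
VRRP_TYPE_ADVERT = 1      # the only VRRP message type


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length input is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp2_advert(vrid: int, priority: int, addrs, adver_int: int = 1) -> bytes:
    """Constructed VRRPv2 advertisement (RFC 3768) with a valid checksum.

    This is what a router configured with `vrrp id <vrid>` / `vrrp ip <addr>`
    sends to 224.0.0.18 every `adver_int` seconds (auth type 0, no auth data).
    """
    header = struct.pack("!BBBBBBH",
                         (2 << 4) | VRRP_TYPE_ADVERT, vrid, priority,
                         len(addrs), 0, adver_int, 0)           # checksum placeholder
    body = b"".join(IPv4Address(a).packed for a in addrs) + bytes(8)  # 8 bytes auth data
    pkt = bytearray(header + body)
    struct.pack_into("!H", pkt, 6, inet_checksum(bytes(pkt)))
    return bytes(pkt)


def parse_vrrp_advert(pkt: bytes) -> dict:
    """Decode a VRRPv2 or VRRPv3 (IPv4) advertisement into a dict."""
    if len(pkt) < 8:
        raise ValueError("VRRP header truncated")
    version, msg_type = pkt[0] >> 4, pkt[0] & 0x0F
    if msg_type != VRRP_TYPE_ADVERT:
        raise ValueError("not an advertisement (type %d)" % msg_type)
    vrid, priority, count = pkt[1], pkt[2], pkt[3]
    info = {"version": version, "vrid": vrid, "priority": priority}
    if version == 2:
        info["auth_type"] = pkt[4]
        info["adver_int_s"] = float(pkt[5])
        # The v2 checksum covers only the VRRP message, so it can be verified
        # without the IP header: summing a correct packet yields zero.
        info["checksum_ok"] = inet_checksum(pkt) == 0
    elif version == 3:
        max_adver = struct.unpack("!H", pkt[4:6])[0] & 0x0FFF   # centiseconds
        info["adver_int_s"] = max_adver / 100.0
        info["checksum_ok"] = None   # v3 checksum includes an IP pseudo-header
    else:
        raise ValueError("unsupported VRRP version %d" % version)
    if len(pkt) < 8 + 4 * count:
        raise ValueError("address list truncated")
    info["addresses"] = [str(IPv4Address(pkt[8 + 4 * i: 12 + 4 * i]))
                         for i in range(count)]
    return info


def check_against_expected(info: dict, expected: dict) -> list:
    """Flag advertisements that do not match the configured VRRP instances.

    `expected` (an assumption of this example) maps VRID -> the highest
    priority a legitimate router on that VLAN is configured with. Anything
    else is worth an alert: a rogue speaker, a stale device or a typo.
    """
    alerts = []
    if info.get("checksum_ok") is False:
        alerts.append("bad checksum")
    if info["vrid"] not in expected:
        alerts.append("unknown VRID %d" % info["vrid"])
    elif info["priority"] > expected[info["vrid"]]:
        alerts.append("priority %d exceeds configured maximum %d"
                      % (info["priority"], expected[info["vrid"]]))
    return alerts
```

To use it on live traffic, feed the VRRP payload of each protocol-112 packet captured on the sub-interface (for example from a pcap) to `parse_vrrp_advert` and run `check_against_expected` with the VRIDs and priorities from your own configuration.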
VRRP tracking configuration
VRRP tracking is a mechanism that activates static routes depending on the VRRP state.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure VRRP according to the VRRP configuration algorithm above. | | |
2 | Add Tracking object to the system and switch to the Tracking object parameters configuration mode. | esr(config)#tracking <ID> | <ID> – Tracking object number, takes values of [1..60]. |
3 | Specify a rule for keeping track of VRRP process status. | esr(config-tracking)# vrrp <VRID> [not] state { master | backup | fault } | <VRID> – trackable VRRP router identifier, takes values in the range of [1..255]. |
4 | Enable Tracking object. | esr(config-tracking)#enable | |
5 | Create a static IP route to the specified subnet indicating the Tracking object. | esr(config)# ip route [ vrf <VRF> ] <SUBNET> { <NEXTHOP> [ resolve ] | interface <IF> | tunnel <TUN> | wan load-balance rule <RULE> | blackhole | unreachable | prohibit } [ <METRIC> ] [ track <TRACK-ID> ] | <VRF> – VRF name, set by the string of up to 31 characters. <SUBNET> – destination address, can be specified in the following formats: AAA.BBB.CCC.DDD – host IP address, where each part takes values of [0..255]; AAA.BBB.CCC.DDD/NN – network IP address with prefix mask, where AAA-DDD take values of [0..255] and NN takes values of [1..32]. <NEXTHOP> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IF> – an IP interface name specified in the form described in Section Types and naming order of router interfaces; <TUN> – the name of the tunnel, specified as described in Section Types and naming order of router tunnels; <RULE> – wan rule number, set in the range of [1..50]; <METRIC> – route metric, takes values of [0..255]; <TRACK-ID> – Tracking object identifier. If the route is bound to the Tracking object, it appears in the system only after all requirements specified in the object are met. |
Configuration example
Objective:
A virtual gateway 192.168.0.1/24 is organized for subnet 192.168.0.0/24 using VRRP on routers R1 and R2. There is a link with a separate subnet 192.168.1.0/30 between R1 and R2. Subnet 10.0.1.0/24 is terminated only on router R2. The PC has IP address 192.168.0.4/24 and default gateway 192.168.1.1.
When router R1 is in the VRRP backup state, traffic from the PC is forwarded without any additional settings. When router R1 is in the VRRP master state, an additional route to subnet 10.0.1.0/24 via 192.168.1.2 is required.
Figure 49 – Network structure
Initial configurations of the routers:
R1 router
hostname R1
interface gigabitethernet 1/0/1
  switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/1.741
  ip firewall disable
  ip address 192.168.0.2/24
  vrrp id 10
  vrrp ip 192.168.0.1/24
  vrrp
exit
interface gigabitethernet 1/0/2
  switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/2.742
  ip firewall disable
  ip address 192.168.1.1/30
exit
R2 router
hostname R2
interface gigabitethernet 1/0/1
  switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/1.741
  ip firewall disable
  ip address 192.168.0.3/24
  vrrp id 10
  vrrp ip 192.168.0.1/24
  vrrp
exit
interface gigabitethernet 1/0/2
  switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/2.742
  ip firewall disable
  ip address 192.168.1.2/30
exit
interface gigabitethernet 1/0/4
  ip firewall disable
  ip address 10.0.1.1/24
exit
Solution:
No changes are needed on router R2: subnet 10.0.1.0/24 is terminated on it, so as soon as R2 is VRRP master, packets are forwarded to the corresponding interface. As soon as R1 becomes VRRP master, a route must exist for packets destined to network 10.0.1.0/24.
Create tracking-object with corresponding condition:
R1(config)# tracking 1
R1(config-tracking)# vrrp 10 state master
R1(config-tracking)# enable
R1(config-tracking)# exit
Create a static route to subnet 10.0.1.0/24 via 192.168.1.2 that is active only while the condition of tracking 1 is satisfied:
R1(config)# ip route 10.0.1.0/24 192.168.1.2 track 1
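The interplay of VRRP election, the tracking object and the conditional route is easy to get wrong (for instance by forgetting `enable` in the tracking context, or by negating a condition). The model below is an added example, not ESR code: it reproduces the scenario above, with R1 (192.168.0.2) and R2 (192.168.0.3) sharing VRID 10 at the default priority 100, and shows which of R1's routes are installed while R2 is advertising and after it falls silent. The election rule is the RFC 3768 one (highest priority wins; on a tie the router with the higher primary IP address ends up master); the `[not]` handling and the all-conditions-must-hold rule follow the table above. Class and function names are the example's own.

```python
"""Model of VRRP state and ESR-style tracking objects driving static routes.

Added example, not ESR code. It reproduces the tracking example above.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Advert = Tuple[int, str]   # (priority, sender IP) as seen on the VLAN


def vrrp_state(own_priority: int, own_ip: str, interface_up: bool,
               peer_adverts: List[Advert]) -> str:
    """Return 'master', 'backup' or 'fault' for one VRRP instance.

    Election (RFC 3768): the highest priority wins; on equal priority the
    router with the higher primary IP address ends up master. No peer
    advertisements at all means this router becomes master.
    """
    if not interface_up:
        return "fault"
    me = (own_priority, int(IPv4Address(own_ip)))
    for prio, ip in peer_adverts:
        if (prio, int(IPv4Address(ip))) > me:
            return "backup"
    return "master"


@dataclass
class TrackCondition:
    """One `vrrp <VRID> [not] state {master|backup|fault}` line."""
    vrid: int
    state: str
    negate: bool = False

    def holds(self, vrrp_states: Dict[int, str]) -> bool:
        current = vrrp_states.get(self.vrid, "fault")   # unknown VRID counts as fault
        return (current == self.state) != self.negate


@dataclass
class TrackingObject:
    track_id: int
    conditions: List[TrackCondition] = field(default_factory=list)
    enabled: bool = False          # the `enable` command inside the tracking context

    def satisfied(self, vrrp_states: Dict[int, str]) -> bool:
        # A bound route appears only when the object is enabled and every
        # condition holds, as the table for `ip route ... track` describes.
        return self.enabled and all(c.holds(vrrp_states) for c in self.conditions)


@dataclass
class StaticRoute:
    prefix: str
    nexthop: str
    track: Optional[int] = None


def active_routes(routes: List[StaticRoute], tracking: Dict[int, TrackingObject],
                  vrrp_states: Dict[int, str]) -> List[StaticRoute]:
    """Routes that are installed given the current VRRP states."""
    result = []
    for r in routes:
        if r.track is None:
            result.append(r)
        elif r.track in tracking and tracking[r.track].satisfied(vrrp_states):
            result.append(r)
    return result


def r1_fib(r2_alive: bool) -> List[str]:
    """R1's tracked routes with R2 advertising (r2_alive) or silent."""
    peers = [(100, "192.168.0.3")] if r2_alive else []
    states = {10: vrrp_state(100, "192.168.0.2", True, peers)}
    # tracking 1 / vrrp 10 state master / enable
    track1 = TrackingObject(1, [TrackCondition(10, "master")], enabled=True)
    # ip route 10.0.1.0/24 192.168.1.2 track 1
    routes = [StaticRoute("10.0.1.0/24", "192.168.1.2", track=1)]
    return ["%s via %s" % (r.prefix, r.nexthop)
            for r in active_routes(routes, {1: track1}, states)]
```

`r1_fib(True)` returns an empty list (R1 is backup, the PC's traffic reaches R2 directly), while `r1_fib(False)` returns the route via 192.168.1.2. Setting `enabled=False` on the tracking object reproduces the common mistake of omitting `enable`: the route never appears.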
VRF Lite configuration
VRF (Virtual Routing and Forwarding) is a technology designed for isolation of routing information that belongs to different classes (e.g., routes of a specific client).
Figure 50 – Network structure
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create VRF instance and switch to the VRF instance parameters configuration mode. | esr(config)# ip vrf <VRF> | <VRF> – VRF instance name, set by the string of up to 31 characters. |
2 | Assign the description of the configured VRF instance. | esr(config-vrf)# description <DESCRIPTION> | <DESCRIPTION> – VRF instance description, set by the string of up to 255 characters. |
3 | Set the capacity of routing tables in configured VRF for IPv4/IPv6 (optionally). | esr(config-vrf)# ip protocols <PROTOCOL> max-routes <VALUE> | <PROTOCOL> – protocol type, may take values: ospf, bgp; <VALUE> – amount of routes in the routing table, takes values in the range of: OSPF ESR-1000/1200/1500/1510/1700 [1..500000], ESR-20/21/100/200 [1..300000], ESR-10/12V(F)/14VF [1..30000] BGP ESR-1000/1200/1500/1510/1700 [1..2800000], ESR-20/21/100/200 [1..1500000], ESR-10/12V(F)/14VF [1..800000]. Default value: 0 |
esr(config-vrf)#ipv6 protocols <PROTOCOL> max-routes <VALUE> | |||
4 | Enable and configure dynamic traffic routing protocols (Static/OSPF/BGP) in VRF instance (optionally). See the related sections: Static routes configuration, OSPF configuration, and BGP configuration. | | |
5 | In the configuration mode of physical/logical interface, tunnel, DNAT/SNAT rule, DAS server or SNMPv3 user, specify the name of VRF instance for which the mode will be used (optionally). | esr(config-snat-ruleset)# ip vrf forwarding <VRF> | <VRF> – VRF instance name, set by the string of up to 31 characters. |
6 | Configure LT tunnel to transmit traffic to global mode or to other VRFs (if required). | | |
Configuration example
Objective:
ESR series router features 2 connected networks that should be isolated from other networks.
Solution:
Create VRF:
esr(config)# ip vrf bit
esr(config-vrf)# exit
Create a security zone:
esr(config)# security zone vrf-sec
esr(config-zone)# ip vrf forwarding bit
esr(config-zone)# exit
Create rules for the zone pair and allow all TCP/UDP traffic:
esr(config)# security zone-pair vrf-sec vrf-sec
esr(config-zone-pair)# rule 1
esr(config-zone-rule)# match source-address any
esr(config-zone-rule)# match destination-address any
esr(config-zone-rule)# match protocol udp
esr(config-zone-rule)# match source-port any
esr(config-zone-rule)# match destination-port any
esr(config-zone-rule)# action permit
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# rule 2
esr(config-zone-rule)# match source-address any
esr(config-zone-rule)# match destination-address any
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-port any
esr(config-zone-rule)# match destination-port any
esr(config-zone-rule)# action permit
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
Map the interfaces to the VRF, assign IP addresses and assign the interfaces to the security zone:
esr(config)# interface gigabitethernet 1/0/7
esr(config-if-gi)# ip vrf forwarding bit
esr(config-if-gi)# ip address 10.20.0.1/24
esr(config-if-gi)# security-zone vrf-sec
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/14.10
esr(config-subif)# ip vrf forwarding bit
esr(config-subif)# ip address 10.30.0.1/16
esr(config-subif)# security-zone vrf-sec
esr(config-subif)# exit
esr(config)# exit
To view information on interfaces mapped to VRF, use the following command:
esr# show ip vrf
To view VRF routing table, use the following command:
esr# show ip route vrf bit
MultiWAN configuration
MultiWAN technology establishes a fail-safe connection with redundancy of links from multiple providers and solves the problem involving traffic balancing between redundant links.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure interfaces through which MultiWAN will operate: set ip addresses and specify security zone. | ||
2 | Write static routes through WAN (if required). | esr(config)# ip route <SUBNET> wan load-balance rule <ID> [<METRIC>] | <ID> – identifier of the rule being created (see item 2). <METRIC> – route metric, takes values of [0..255]. |
3 | Create WAN rule and switch to the rule parameters configuration mode. | esr(config)# wan load-balance rule <ID> | <ID> – identifier of the rule being created, takes values in the range of [1..50]. |
4 | Specify interfaces or tunnels which are gateways in the route created by MultiWAN service. | esr(config-wan-rule)# outbound { interface <IF> | tunnel <TUN> } [WEIGHT] | <IF> – device interface name; <TUN> – tunnel name; [WEIGHT] – tunnel or interface weight, defined in the range of [1..255]. If the value is 2, twice as much traffic is transmitted via this interface as via an interface with the default weight. In redundancy mode, the route with the highest weight is active. Default value: 1 |
5 | Describe the rules (optionally). | esr(config-wan-rule)# description <DESCRIPTION> | <DESCRIPTION> – wan rule description, set by the string of up to 255 characters. |
6 | Switch from balancing mode to redundancy mode (optionally). | esr(config-wan-rule)# failover | |
7 | Enable wan rule. | esr(config-wan-rule)# enable | |
8 | Create a list of IP addresses to check the connection integrity and perform the switching to the list parameters configuration mode. | esr(config)# wan load-balance target-list <NAME> | <NAME> – list name, set by the string of up to 31 characters. |
9 | Specify the check target and switch to the target parameters configuration mode. | esr(config-target-list)# target <ID> | <ID> – target identifier, defined in the range of [1..50]. If the 'all' value is used when removing, all targets of the configured target list are removed. |
10 | Describe target (optionally). | esr(config-wan-target)# description <DESCRIPTION> | <DESCRIPTION> – target description, set by the string of up to 255 characters. |
11 | Specify the ICMP response timeout (optionally). | esr(config-wan-target)# resp-time <TIME> | <TIME> – timeout, takes value in seconds [1..30]. |
12 | Specify IP address of the check. | esr(config-wan-target)# ip address <ADDR> | <ADDR> – destination IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-wan-target)# ipv6 address <IPV6-ADDR> | <IPV6-ADDR> – destination IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
13 | Enable the target check. | esr(config-wan-target)# enable | |
Commands for items 13-17 should be applied on the interfaces/tunnels participating in MultiWAN. | |||
14 | Enable WAN mode on the interface for IPv4/IPv6 stack. | esr(config-if-gi)# wan load-balance enable | |
esr(config-if-gi)# ipv6 wan load-balance enable | |||
15 | Set the number of unsuccessful connection checks after which, with no response from the opposite side, the connection is considered inactive (optionally). | esr(config-if-gi)# wan load-balance failure-count <VALUE> | <VALUE> – number of attempts, takes values in the range of [1..10]. Default value: 1 |
esr(config-if-gi)# ipv6 wan load-balance failure-count <VALUE> | |||
16 | Set the amount of successful attempts to check the connection, after which, if successful, the connection is considered to be active again. (optionally). | esr(config-if-gi)# wan load-balance success-count <VALUE> | <VALUE> – number of attempts, takes values in the range of [1..10]. Default value: 1 |
esr(config-if-gi)# ipv6 wan load-balance success-count <VALUE> | |||
17 | Set a neighbour's IP address that will be indicated as one of the gateways in a static route created by MultiWAN service. | esr(config-if-gi)# wan load-balance nexthop { <IP> | dhcp enable | tunnel enable } | <IP> – destination IP address (gateway), defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. dhcp enable – if IP address on the interface is obtained via DHCP client, a gateway from DHCP server is used. |
esr(config-if-gi)# ipv6 wan load-balance nexthop { <IPV6> } | <IPV6> – destination IPv6 address (gateway), defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
18 | Check the IP addresses from the integrity check list on this interface. If one of the checked nodes is unavailable, the gateway is considered unavailable. | esr(config-if-gi)# wan load-balance target-list { check-all | <NAME> } | <NAME> – run the check on the basis of a certain target list (specified in item 7); check-all – run the check on the basis of all targets in the list. |
esr(config-if-gi)# ipv6 wan load-balance target-list { check-all | <NAME> } | |||
19 | Write static routes through WAN (if required). | esr(config)# ip route <SUBNET> wan load-balance rule <ID> [<METRIC>] | <ID> – identifier of the rule being created (see item 2). <METRIC> – route metric, takes values of [0..255]. |
esr(config)# ipv6 route <SUBNET> wan load-balance rule <ID> [<METRIC>] |
Configuration example
Objective:
Configure route to the server (108.16.0.1/28) with the load balancing option.
Figure 51 – Network structure
Solution:
First, do the following:
- Configure zones for te1/0/1 and te1/0/2 interfaces.
- Specify IP addresses for te1/0/1 and te1/0/2 interfaces.
Main configuration step:
Configure routing:
esr(config)# ip route 108.16.0.0/28 wan load-balance rule 1
Create WAN rule:
esr(config)# wan load-balance rule 1
Specify affected interfaces:
esr(config-wan-rule)# outbound interface tengigabitethernet 1/0/2
esr(config-wan-rule)# outbound interface tengigabitethernet 1/0/1
Enable the created balancing rule and exit the rule configuration mode:
esr(config-wan-rule)# enable
esr(config-wan-rule)# exit
Create a list for the connection integrity check:
esr(config)# wan load-balance target-list google
Create integrity check target:
esr(config-target-list)# target 1
Specify address to be checked, enable check for the specified address and exit:
esr(config-wan-target)# ip address 8.8.8.8
esr(config-wan-target)# enable
esr(config-wan-target)# exit
Configure interfaces. In te1/0/1 interface configuration mode, specify nexthop:
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if)# wan load-balance nexthop 203.0.0.1
In te1/0/1 interface configuration mode, specify a list of targets for connection check:
esr(config-if)# wan load-balance target-list google
In te1/0/1 interface configuration mode, enable WAN mode and exit:
esr(config-if)# wan load-balance enable
esr(config-if)# exit
In te1/0/2 interface configuration mode, specify nexthop:
esr(config)# interface tengigabitethernet 1/0/2
esr(config-if)# wan load-balance nexthop 65.6.0.1
In te1/0/2 interface configuration mode, specify a list of targets for connection check:
esr(config-if)# wan load-balance target-list google
In te1/0/2 interface configuration mode, enable WAN mode and exit:
esr(config-if)# wan load-balance enable
esr(config-if)# exit
To switch into redundancy mode, enter WAN rule configuration mode:
esr(config)# wan load-balance rule 1
MultiWAN function may also work in redundancy mode when traffic is directed to the active interface with the highest weight. To enable this mode, use the following command:
esr(config-wan-rule)# failover
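How quickly a gateway is declared dead, and how quickly it is trusted again, is decided by the `failure-count`/`success-count` hysteresis together with the target list, and the choice between weighted balancing and `failover` decides where flows go while a link is down. The simulation below is an added example, not ESR code; it models those rules as the table describes them (a probe round fails if any target in the list does not answer, a link with no targets is never declared down) using the interface names and next hops of the example above. The weights, the probe outcomes and the hashing of flows onto links are constructed for the example; the router's real balancing algorithm is not documented on this page.

```python
"""Simulation of MultiWAN gateway health checks and route selection.

Added example, not ESR code. Models failure-count/success-count hysteresis,
target-list evaluation, weighted balancing and failover (redundancy) mode.
"""
import zlib
from typing import Dict, List, Optional


class WanLink:
    """One `outbound interface ...` entry with its per-interface check settings."""

    def __init__(self, name: str, nexthop: str, weight: int = 1,
                 failure_count: int = 1, success_count: int = 1):
        self.name, self.nexthop, self.weight = name, nexthop, weight
        self.failure_count, self.success_count = failure_count, success_count
        self.active = True
        self._fail_streak = 0
        self._ok_streak = 0

    def record_check(self, probe_results: Dict[str, bool]) -> bool:
        """Feed one round of target probes; return the link's active flag.

        `probe_results` maps target IP -> answered within resp-time. The
        gateway counts as reachable only if every target answered; with an
        empty target list there is nothing to fail, so the link stays up.
        """
        round_ok = all(probe_results.values())
        if round_ok:
            self._ok_streak += 1
            self._fail_streak = 0
            if not self.active and self._ok_streak >= self.success_count:
                self.active = True
        else:
            self._fail_streak += 1
            self._ok_streak = 0
            if self.active and self._fail_streak >= self.failure_count:
                self.active = False
        return self.active


class WanRule:
    """`wan load-balance rule <ID>` with its outbound links and mode."""

    def __init__(self, rule_id: int, links: List[WanLink], failover: bool = False):
        self.rule_id, self.links, self.failover = rule_id, links, failover

    def active_links(self) -> List[WanLink]:
        return [l for l in self.links if l.active]

    def select(self, flow_key: str) -> Optional[WanLink]:
        """Gateway for a flow: highest weight in failover mode, otherwise a
        weight-proportional hash of the flow key over the active links
        (constructed balancing scheme; the real one is not documented here)."""
        alive = self.active_links()
        if not alive:
            return None                      # every gateway failed its checks
        if self.failover:
            return max(alive, key=lambda l: l.weight)
        total = sum(l.weight for l in alive)
        slot = zlib.crc32(flow_key.encode()) % total
        for link in alive:
            if slot < link.weight:
                return link
            slot -= link.weight
        return alive[-1]

    def distribution(self, flows: List[str]) -> Dict[str, int]:
        """How many of `flows` each link would carry right now."""
        counts = {l.name: 0 for l in self.links}
        for f in flows:
            chosen = self.select(f)
            if chosen:
                counts[chosen.name] += 1
        return counts


def failover_scenario() -> List[str]:
    """te1/0/1 (failure-count 3, success-count 2) loses 8.8.8.8 for three
    rounds and then recovers; returns which link carries a flow each round."""
    primary = WanLink("te1/0/1", "203.0.0.1", weight=2, failure_count=3, success_count=2)
    backup = WanLink("te1/0/2", "65.6.0.1", weight=1)
    rule = WanRule(1, [primary, backup], failover=True)
    probe_outcomes = [True, False, False, False, True, True]   # constructed
    trace = []
    for ok in probe_outcomes:
        primary.record_check({"8.8.8.8": ok})
        backup.record_check({"8.8.8.8": True})
        trace.append(rule.select("10.0.0.5->108.16.0.1").name)
    return trace
```

`failover_scenario()` shows the latency the counters introduce: the primary keeps carrying traffic through two failed rounds, switches on the third, and is only trusted again after two consecutive good rounds. With `failure-count 1` (the default) a single lost probe to a far-away target would flap the route, which is why a target list with several addresses and a non-trivial count are worth configuring together.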
SNMP configuration
SNMP (Simple Network Management Protocol) is a protocol designed for device management in IP networks based on the TCP/UDP architecture. SNMP presents management data as variables that describe the configuration of the managed system.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Enable SNMP server | esr(config)# snmp-server | |
2 | Specify community for the access via SNMPv2c. | esr(config)# snmp-server community <COMMUNITY> [ <TYPE> ] [{ <IP-ADDR> | <IPV6-ADDR> }] [client-list <OBJ-GROUP-NETWORK-NAME> ] [ <VERSION> ] [ view <VIEW-NAME> ] [ vrf <VRF> ] | <COMMUNITY> – community for access via SNMP; <TYPE> – access level; <IP-ADDR> – IP address of the client that has access, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <OBJ-GROUP-NETWORK-NAME> – name of the profile of IP addresses from which SNMP requests are processed, set by a string of up to 31 characters; <VERSION> – SNMP version supported by this community, takes the values v1 or v2c; <VIEW-NAME> – SNMP view profile name, set by a string of up to 31 characters. |
3 | Set the value of the SNMP variable that contains contact information. | esr(config)# snmp-server contact <CONTACT> | <CONTACT> – contact information, set by a string of up to 255 characters. |
4 | Set the DSCP code value for the use in IP headers of SNMP server egress packets (optionally). | esr(config)# snmp-server dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. Default value: 63. |
5 | Enable router reboot by using snmp messages (optionally) | esr(config)# snmp-server system-shutdown | |
6 | Create SNMPv3 user. | esr(config)# snmp-server user <NAME> | <NAME> – user name, set by the string of up to 31 characters. |
7 | Set the value of SNMP value that contains the information on the device location | esr(config)# snmp-server location <LOCATION> | <LOCATION> – information about equipment location, set by the string up to 255 characters. |
8 | Specify user access level via SNMPv3. | esr(config-snmp-user)# access <TYPE> | <TYPE> – access level. |
9 | Specify user security mode via SNMPv3. | esr(config-snmp-user)# authentication access <TYPE> | <TYPE> – security mode. |
10 | Specify SNMPv3 queries authentication algorithm. | esr(config-snmp-user)# authentication algorithm <ALGORITHM> | <ALGORITHM> – authentication algorithm. |
11 | Set the password for SNMPv3 queries authentication. | esr(config-snmp-user)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by a string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password of 8 to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
12 | Enable filtration and set the profile of IP addresses from which SNMPv3 packets with the given SNMPv3 user name can be received. | esr(config-snmp-user)# client-list <NAME> | <NAME> – name of a previously configured object-group, specified as a string of up to 31 characters. |
13 | Enable filtration and set IPv4/IPv6 address which is provided with the access to the router as the given SNMPv3 user. | esr(config-snmp-user)# ip address <ADDR> | <ADDR> – IP address of client that have access, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
esr(config-snmp-user)# ipv6 address <ADDR> | <IPV6-ADDR> – client IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. | ||
14 | Enable SNMPv3 user. | esr(config-snmp-user)# enable | Default value: process disabled. |
15 | Specify the transmitted data encryption algorithm. | esr(config-snmp-user)# privacy algorithm <ALGORITHM> | <ALGORITHM> – encryption algorithm. |
16 | Set password for the transmitted data encryption. | esr(config-snmp-user)# privacy key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> } | <CLEAR-TEXT> – password, set by a string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password of 8 to 16 bytes (16 to 32 characters) in hexadecimal format (0xYYYY...) or (YYYY...). |
| Set the SNMP view profile permitting or denying the user's access to particular OIDs. | esr(config-snmp-user)# view <VIEW-NAME> | <VIEW-NAME> – name of the SNMP view profile on which access to OIDs is based, set by a string of up to 31 characters. |
17 | Enable SNMP notifications transmission to the specified IP address and switch to SNMP notifications configuration mode. | esr(config)# snmp-server host { <IP-ADDR> | <IPV6-ADDR> } [vrf <VRF>] | <IP-ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. <IPV6-ADDR> – IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]; <VRF> – VRF instance name, set by the string of up to 31 characters, which contains SNMP notification collector. |
18 | Define the port of SNMP notifications collector on the remote server (optionally). | esr(config-snmp-host)# port <PORT> | <PORT> – UDP port number, set in the range of [1..65535]. Default value: 162. |
19 | Set the filtration of SNMP notifications being sent. | esr(config)# snmp-server enable traps <TYPE> | <TYPE> – type of filtered messages. May take the following values: config, entry, entry-sensor, environment, envmon, files-operations, flash, flash-operations, interfaces, links, ports, screens, snmp, syslog. Additional parameters depend on the filter type. See Section FW 1.8.2 CLI command reference guide. |
20 | Create the snmp view profile permitting or denying the access to one or another OID for community (SNMPv2) and user (SNMPv3). | esr(config)# snmp-server enable traps <TYPE> | <VIEW-NAME> – SNMP view profile name, set by the string of up to 31 characters. |
Configuration example
Objective:
Configure SNMPv3 server with authentication and data encryption for 'admin' user. ESR router IP address: 192.168.52.41, server IP address: 192.168.52.8.
Figure 52 – Network structure
Solution:
First, do the following:
- Specify zone for gi1/0/1 interface;
- Configure IP address for gi1/0/1 interface.
Main configuration step:
Enable SNMP server:
esr(config)# snmp-server
Create SNMPv3 user:
esr(config)# snmp-server user admin
Specify security mode:
esr(snmp-user)# authentication access priv
Specify authentication algorithm for SNMPv3 requests:
esr(snmp-user)# authentication algorithm md5
Set the password for SNMPv3 request authentication:
esr(snmp-user)# authentication key ascii-text 123456789
Specify the transmitted data encryption algorithm:
esr(snmp-user)# privacy algorithm aes128
Set password for the transmitted data encryption:
esr(snmp-user)# privacy key ascii-text 123456789
Enable SNMPv3 user:
esr(snmp-user)# enable
Define the receiving server for Trap-PDU messages:
esr(config)# snmp-server host 192.168.52.41
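The commands above leave several choices to the operator that decide how exposed the management plane is: whether SNMPv2c communities exist at all (the community string travels in cleartext), whether a community or SNMPv3 user is restricted to a client address or `client-list`, whether `authentication access` is `priv`, and which hash and cipher are chosen. The auditor below is an added example, not ESR code; it reads an ESR-style configuration dump in the command forms shown in the table (a `snmp-server user <NAME>` block is closed by `exit`, as in the running configurations earlier on this page) and reports weak settings. The sample configuration is constructed and deliberately includes weak entries next to the `admin` user from the example above; the finding texts, severities and the assumption that a user without an `authentication access` line is not authenticated are the example's own.

```python
"""Audit SNMP settings in an ESR-style configuration dump.

Added example, not ESR code. Understands `snmp-server community ...` lines
and `snmp-server user <NAME>` ... `exit` blocks as shown in the table above.
"""
import re
from typing import Dict, List, Tuple

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
Finding = Tuple[str, str]   # (severity, message)

# Constructed sample configuration; the admin block mirrors the example above.
SAMPLE_CONFIG = """\
snmp-server
snmp-server community public ro
snmp-server community mgmt ro 192.168.52.8 v2c
snmp-server user admin
  authentication access priv
  authentication algorithm md5
  authentication key ascii-text 123456789
  privacy algorithm aes128
  privacy key ascii-text 123456789
  enable
exit
snmp-server user readonly
  authentication access noauth
  enable
exit
snmp-server host 192.168.52.8
"""


def parse_snmp(config: str) -> Tuple[List[List[str]], Dict[str, List[List[str]]]]:
    """Return (token lists after 'snmp-server community', {user: [lines]})."""
    communities: List[List[str]] = []
    users: Dict[str, List[List[str]]] = {}
    current = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if current is not None:                 # inside a user block
            if tokens == ["exit"]:
                current = None
            else:
                users[current].append(tokens)
            continue
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) > 2:
            communities.append(tokens[2:])
        elif tokens[:2] == ["snmp-server", "user"] and len(tokens) > 2:
            current = tokens[2]
            users[current] = []
    return communities, users


def audit_snmp(config: str) -> List[Finding]:
    findings: List[Finding] = []
    communities, users = parse_snmp(config)
    for tokens in communities:
        name, rest = tokens[0], tokens[1:]
        restricted = "client-list" in rest or any(IPV4.match(t) for t in rest)
        findings.append(("medium", "community '%s': SNMPv1/v2c carries the community "
                                   "string in cleartext" % name))
        if not restricted:
            findings.append(("high", "community '%s' accepted from any source address" % name))
        if name in ("public", "private"):
            findings.append(("high", "community '%s' is a well-known default name" % name))
    for user, lines in users.items():
        opts = {" ".join(l[:2]): l[2:] for l in lines}   # e.g. "privacy algorithm" -> ["aes128"]
        first_words = {l[0] for l in lines}
        # Assumption of this example: no `authentication access` line means noauth.
        access = opts.get("authentication access", ["noauth"])
        if access != ["priv"]:
            findings.append(("high", "user '%s': access '%s' leaves requests unencrypted"
                                     % (user, access[0])))
        if opts.get("authentication algorithm") == ["md5"]:
            findings.append(("low", "user '%s': HMAC-MD5 authentication; prefer a "
                                    "SHA-based algorithm" % user))
        if opts.get("privacy algorithm") == ["des"]:
            findings.append(("medium", "user '%s': DES privacy is weak; use AES" % user))
        for key in ("authentication key", "privacy key"):
            value = opts.get(key, [])
            if (len(value) >= 2 and value[0] == "ascii-text"
                    and value[1] != "encrypted" and value[1].isdigit()):
                findings.append(("medium", "user '%s': %s is numeric only" % (user, key)))
        if not ({"ip address", "ipv6 address"} & opts.keys() or "client-list" in first_words):
            findings.append(("medium", "user '%s' accepted from any source address" % user))
    return findings
```

Run it over the output of the router's running configuration; anything reported at `high` (an unrestricted community, a default community name, a user below `priv`) is the first thing to fix, since the router's management plane is reachable by whatever can send UDP 161 to it.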
Zabbix-agent configuration
Zabbix-agent is an agent designed to monitor the device and to execute remote commands from the Zabbix server. The agent can operate in two modes: passive and active. By default, passive mode needs an allow rule in the firewall for TCP port 10050; active mode needs one for TCP port 10051.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Switch to the agent configuration context. | esr(config)# zabbix-agent | |
2 | Specify the host name (optionally). For active mode, the name must match the host name on the zabbix server. | esr(config-zabbix)# hostname <WORD> | <WORD> – host name, set by the string of up to 255 characters. |
3 | Specify the address of the zabbix server. | esr(config-zabbix)# server <ADDR> | <ADDR> – server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
4 | Specify the server address for active checks (when using active mode). | esr(config-zabbix)# active-server <ADDR> <PORT> | <ADDR> – server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. <PORT> – server port, set in the range of [1..65535]. |
5 | Specify the port that will be listened on by the agent (optionally). | esr(config-zabbix)# port <PORT> | <PORT> – port on which the zabbix agent listens, may take values in the range of [1..65535]. |
6 | Allow remote commands execution by zabbix agent (when using active mode). | esr(config-zabbix)# remote-commands | |
7 | Specify the address from which the server will interact (optionally). | esr(config-zabbix)# source-address <ADDR> | <ADDR> – server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
8 | Specify the processing time for remote commands (optionally). | esr(config-zabbix)# timeout <TIME> | <TIME> – timeout, takes value in seconds [1..30]. |
9 | Enable agent functionality | esr(config-zabbix)# enable |
Zabbix-agent configuration example
Figure 53 – Network structure
Objective:
Configure the interaction between the agent and the server to execute remote commands from the server.
Solution:
In the context of the agent settings, specify the address of the zabbix server, and the address from which the server will interact:
esr(config-zabbix)# server 192.168.32.101
esr(config-zabbix)# source-address 192.168.39.170
To enable active mode, specify the hostname and the active server, and allow the execution of remote commands:
esr(config-zabbix)# hostname ESR-agent
esr(config-zabbix)# active-server 192.168.32.101
esr(config-zabbix)# source-address 192.168.39.170
esr(config-zabbix)# remote-commands
Set the execution time limit for remote commands and activate the agent:
esr(config-zabbix)# timeout 30
esr(config-zabbix)# enable
Zabbix-agent configuration example
Create the host:
Create the script (Administration -> Scripts-> Create Script)
ESR routers support execution of the following remote commands:
Ping:
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo ping -c 3 192.168.32.101]"
The client (ESR) that receives this command from the server executes ping to the specified host (192.168.32.101 in this example) and returns the result to the server.
Ping in VRF:
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo netns-exec -n backup sudo ping 192.168.32.101 -c 5 -W 2 ]"
The command above will be executed in the specified VRF.
Fping
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo fping 192.168.32.101]"
The client (ESR) that receives this command from the server executes fping to the specified host (192.168.32.101 in this example) and returns the result to the server.
Fping in VRF
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo netns-exec -n backup sudo fping 192.168.32.101 ]"
Traceroute
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo traceroute 192.168.32.101]"
The client (ESR) that receives this command from the server executes traceroute to the specified host (192.168.32.101 in this example) and returns the result to the server.
Traceroute in VRF
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo netns-exec -n backup sudo traceroute 192.168.32.179]"
Iperf
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo iperf -c 192.168.32.101 -u -b 100K -i 1 -t 600]"
The client (ESR) that receives this command from the server executes iperf against the specified server (192.168.32.101 in this example) and returns the result to the server.
Iperf in VRF
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo netns-exec -n backup sudo iperf -c 192.168.32.101 -u -b 100K -i 1 -t 600]"
Nslookup
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo nslookup ya.ru ]"
The client (ESR) that received this command from the server will execute nslookup command and return the result to the server.
Nslookup in VRF
zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo netns-exec -n backup sudo nslookup ya.ru ]"
Iperf command execution example:
Syslog configuration
Syslog (system log) is a standard for sending and registering messages about events occurring in the system; it is used in networks operating over IP.
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Set the level of syslog messages that will be transmitted as SNMP trap messages (optionally) | esr(config)# syslog alarms <SEVERITY> | <SEVERITY> – message importance level, takes values (in order of decreasing importance). |
2 | Set the level of syslog messages that will be displayed during remote connections (Telnet, SSH) (optionally) | esr(config)# syslog monitor <SEVERITY> | |
3 | Enable the process of logging user commands entered to the local syslog server (optionally) | esr(config)# syslog cli-commands | |
4 | Enable the saving of syslog messages of a specified level of importance to the specified log file | esr(config)# syslog file <NAME> <SEVERITY> | <NAME> – name of the file to which messages of a given level will be recorded, specified by the string up to 31 characters; <SEVERITY> is described in syslog alarms command. |
5 | Specify the maximum size of the log file (optionally) | esr(config)# syslog file-size <SIZE> | <SIZE> – file size, takes the value [10..10000000] KB |
6 | Set the maximum number of files saved during rotation (optionally) | esr(config)# syslog max-files <NUM> | <NUM> – maximum number of files, takes values [1..1000] |
7 | Enable the sending of syslog messages of a specified level of importance to a remote syslog server | esr(config)#syslog host <HOSTNAME> <ADDR> <SEVERITY> <TRANSPORT> <PORT> | <HOSTNAME> – syslog server name, set by the string of up to 31 characters. Used only to identify the server during configuration. The value 'all' is used in the no syslog host command to delete all syslog servers; <ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <SEVERITY> – importance level of the message, optional parameter, possible values are given in section Syslog configuration example; <TRANSPORT> – data transfer protocol, optional parameter; <PORT> – TCP/UDP port number, optional parameter, takes values of [1..65535], default value is 514 |
8 | Enable debugging output during device boot (optionally) | esr(config)#syslog reload debugging | |
9 | Enable message enumeration (optionally) | esr(config)#syslog sequence-numbers | |
10 | Enable message date accuracy of up to milliseconds (optionally). | esr(config)#syslog timestamp msec | |
11 | Enable registration of failed authentications (optionally). | esr(config)#logging login on-failure | |
12 | Enable registration of changes to the audit system settings(optionally). | esr(config)#logging syslog configuration | |
13 | Enable registration of changes to the user settings (optionally). | esr(config)#logging userinfo |
Syslog configuration example
Objective:
Configure message sending for the following system events:
- failed user authentication;
- changes to the configuration of logging system events;
- start/stop of the system process;
- changes are made to the user profile.
ESR router IP address: 192.168.52.8, Syslog server IP address: 192.168.52.41. Use default settings for sending messages – UDP protocol, port 514.
Figure 54 – Network structure
Solution:
First, do the following:
- specify a security zone for the gi1/0/1 interface;
- configure an IP address for the gi1/0/1 interface.
Main configuration steps:
Create a file on the router for syslog with the logging level info:
esr(config)# syslog file ESR info
Specify the IP address and parameters of the remote Syslog server:
esr(config)# syslog host SERVER 192.168.17.30 info udp 514
Set the logging of failed authentication attempts:
esr(config)# logging login on-failure
Set the logging of syslog configuration changes:
esr(config)# logging syslog configuration
Set the logging of start/stop of the system process:
esr(config)# logging service start-stop
Set the logging of changes to the user profile:
esr(config)# logging userinfo
The configuration changes come into effect after applying the following commands:
esr# commit
Configuration has been successfully committed
esr# confirm
Configuration has been successfully confirmed
View the current syslog configuration:
esr# show syslog configuration
View the syslog entries:
esr# show syslog ESR
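As an added illustration (not part of the Eltex documentation), the Python script below plays the receiving side of the example above: it decodes the PRI field of BSD-format syslog lines such as those sent to the Syslog server over UDP/514, applies the same severity threshold that `syslog host SERVER <ADDR> info udp 514` applies on the router (messages at the info level and more important are forwarded, debug is not), and counts failed logins per source address, which is the event that `logging login on-failure` makes visible. The sample lines, host name, message wording and addresses are constructed for the example; the exact text the ESR writes for a failed login is not shown on this page and is an assumption.

```python
import re
from collections import Counter

# Standard syslog severity codes: 0 is the most important, 7 the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Standard facility codes 0..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# BSD-style line: <PRI>Mmm dd hh:mm:ss HOST MESSAGE
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)

# Constructed sample of what the Syslog server could receive from the router.
# The message wording is an assumption, not actual ESR output.
SAMPLE_LINES = [
    "<86>Jan 10 12:00:01 esr login: authentication failed for user admin from 192.168.52.20",
    "<86>Jan 10 12:00:05 esr login: authentication failed for user admin from 192.168.52.20",
    "<86>Jan 10 12:00:09 esr login: authentication failed for user root from 192.168.52.77",
    "<85>Jan 10 12:01:00 esr config: syslog configuration changed by user admin",
    "<31>Jan 10 12:01:30 esr daemon: debug: timer tick",
    "<27>Jan 10 12:02:00 esr service: process dhcp-relay stopped unexpectedly",
]


def parse_syslog_line(line):
    """Decode PRI into facility/severity and split timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def filter_by_severity(lines, threshold="info"):
    """Keep the records an ESR configured with 'syslog host ... <threshold>' would
    forward: those at the threshold level or more important (lower code)."""
    limit = SEVERITIES.index(threshold)
    return [r for r in map(parse_syslog_line, lines) if r["severity"] <= limit]


# The shape of the failed-login message is constructed for this example.
FAILED_LOGIN_RE = re.compile(r"authentication failed for user (\S+) from (\S+)")


def failed_logins_by_source(records):
    """Count failed authentication attempts per source address."""
    counts = Counter()
    for rec in records:
        m = FAILED_LOGIN_RE.search(rec["message"])
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


if __name__ == "__main__":
    received = filter_by_severity(SAMPLE_LINES, "info")
    for rec in received:
        print(f"{rec['facility']}.{rec['severity_name']:<7} {rec['host']} {rec['message']}")
    print("failed logins per source:", failed_logins_by_source(received))
```

Run directly, the script prints the five records that pass the info threshold and the per-source failure counts; the same functions can be fed lines read from a UDP socket bound to port 514 or from a saved log file.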
BRAS (Broadband Remote Access Server) configuration
Configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Add RADIUS server to the list of used servers and switch to its configuration mode. | esr(config)# radius-server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ] esr(config-radius-server)# | <IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]; <VRF> – VRF instance name, set by the string of up to 31 characters. |
2 | Set the password for authentication on remote RADIUS server. | esr(config-radius-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | <TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters. |
3 | Create AAA profile. | esr(config)# aaa radius-profile <NAME> | <NAME> – server profile name, set by the string of up to 31 characters. |
4 | Specify RADIUS server in AAA profile. | esr(config-aaa-radius-profile)# radius-server host { <IP-ADDR> | <IPV6-ADDR> } | <IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. |
5 | Create DAS server. | esr(config)# das-server <NAME> | <NAME> – DAS server name, set by the string of up to 31 characters. |
6 | Set the password for authentication on remote DAS server. | esr(config-das-server)# key ascii-text {<TEXT>|encrypted <ENCRYPTED-TEXT> } | <TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters. |
7 | Create AAA DAS profile. | esr(config)# aaa das-profile <NAME> | <NAME> – DAS profile name, set by the string of up to 31 characters. |
8 | Specify DAS server in DAS profile. | esr(config-aaa-das-profile)# das-server <NAME> | <NAME> – DAS server name, set by the string of up to 31 characters. |
9 | Configure BRAS. | esr(config)# subscriber-control [ vrf <VRF> ] | <VRF> – VRF instance name, set by the string of up to 31 characters, within which the user control will operate. |
10 | Select the profile of dynamic authorization servers to which CoA queries from PCRF will be sent. | esr(config-subscriber-control)# aaa das-profile <NAME> | <NAME> – DAS profile name, set by the string of up to 31 characters. |
11 | Select RADIUS server profile to obtain the user service parameters. | esr(config-subscriber-control)# aaa services-radius-profile <NAME> | <NAME> – RADIUS server profile name, set by the string of up to 31 characters. |
12 | Select RADIUS server profile to obtain the user session parameters. | esr(config-subscriber-control)# aaa sessions-radius-profile <NAME> | <NAME> – RADIUS server profile name, set by the string of up to 31 characters. |
13 | Set router IP address that will be used as source IP address in transmitted RADIUS packets. | esr(config-subscriber-control)# nas-ip-address <ADDR> | <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
14 | Enable session authentication by MAC address (optionally). | esr(config-subscriber-control)# session mac-authentication | |
15 | Organize transparent filter-based transmission of administrative traffic (DHCP, DNS, etc.). | esr(config-subscriber-control)# bypass-traffic-acl <NAME> | <NAME> – name of the ACL being bound, set by the string of up to 31 characters. |
16 | Switch to the default service configuration mode. | esr(config-subscriber-control)# default-service | |
17 | Bind the specified QoS class to the default service. | esr(config-subscriber-default-service)# class-map <NAME> | <NAME> – name of the class being bound, set by the string of up to 31 characters. |
18 | Specify the name of the URL list used to filter HTTP/HTTPS traffic of non-authenticated users. | esr(config-subscriber-default-service)# filter-name { local <LOCAL-NAME> | remote <REMOTE-NAME> } | <LOCAL-NAME> – URL profile name, set by the string of up to 31 characters; <REMOTE-NAME> – remote server URL list name, set by the string of up to 31 characters. |
19 | Specify the action applied to HTTP/HTTPS packets whose URL is included in the URL list assigned by the filter-name command. | esr(config-subscriber-default-service)# filter-action <ACT> | <ACT> – action: redirect <URL> – redirect to the specified URL, set by the string of up to 255 characters. |
20 | Specify the action applied to HTTP/HTTPS packets whose URL is not included in the URL list assigned by the filter-name command. | esr(config-subscriber-default-service)# default-action <ACT> | <ACT> – action: redirect <URL> – redirect to the specified URL, set by the string of up to 255 characters. |
21 | Enable user control profile. | esr(config-subscriber-control)# enable | |
22 | Change the identifier of a network interface (physical, sub interface or network bridge) | esr(config-if)# location <ID> | <ID> – network interface identifier, set by the string of up to 220 characters. |
23 | Enable user control on the interface. | esr(config-if-gi)# service-subscriber-control { any | object-group <NAME> } | <NAME> – IP addresses profile name, set by the string of up to 31 characters. |
24 | Enable iterative query of quota value when it expires for user services with a configured restriction on the amount of traffic or time (optionally). | esr(config-subscriber-control)# quota-expired-reauth | |
25 | Enable session authentication by IP address (optionally). | esr(config-subscriber-control)# session ip-authentication | |
26 | Enable transparent transmission of backup traffic for BRAS (optionally). | esr(config-subscriber-control)# backup traffic-processing transparent | |
27 | Specify the interval after which currently unused URL lists are removed (optionally). | esr(config)# subscriber-control unused-filters-remove-delay <DELAY> | <DELAY> – time interval in seconds, takes values of [10800..86400]. |
28 | Specify the interval after which a session from which no packets have been received is considered stale and removed from the device (optionally). | esr(config-subscriber-default-service)# session-timeout <SEC> | <SEC> – time interval in seconds, takes values of [120..3600]. |
29 | Specify the VRRP group on the basis of which user control service status is determined (primary/redundant) (optionally). | esr(config-subscriber-control)# vrrp-group <GRID> | <GRID> – VRRP router group identifier, takes values in the range of [1..32]. |
30 | Define destination TCP ports from which the traffic will be redirected to the router HTTP Proxy server (optionally). | esr(config-subscriber-control)# ip proxy http listen-ports <NAME> | <NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters. |
31 | Define HTTP Proxy server port on the router (optionally). | esr(config-subscriber-control)# ip proxy http redirect-port <PORT> | <PORT> – port number, set in the range of [1..65535]. |
32 | Define destination TCP ports from which the traffic will be redirected to the router HTTPS Proxy server (optionally). | esr(config-subscriber-control)# ip proxy https listen-ports <NAME> | <NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters. |
33 | Define HTTPS Proxy server port on the router (optionally). | esr(config-subscriber-control)# ip proxy https redirect-port <PORT> | <PORT> – port number, set in the range of [1..65535]. |
34 | Set router IP address that will be used as source IP address in HTTP/HTTPS packets transmitted by Proxy server (optionally). | esr(config-subscriber-control)# ip proxy source-address <ADDR> | <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
35 | Specify URL address of the server providing lists of traffic filtration applications (optionally) | esr(config)# subscriber-control apps-server-url <URL> | <URL> – reference address, set by the string from 8 to 255 characters. |
36 | Enable the application control on the interface (optionally) | esr(config-if-gi)# subscriber-control application-filter <NAME> | <NAME> – application profile name, set by the string of up to 31 characters. |
37 | Set/clear the upper bound of the BRAS session count (optionally) | esr(config-subscriber-control)# thresholds sessions-number high <Threshold> | <Threshold> – number of BRAS sessions, [0..50000] for ESR-1700 |
38 | Set/clear the lower bound of the BRAS session count (optionally) | esr(config-subscriber-control)# thresholds sessions-number low <Threshold> | <Threshold> – number of BRAS sessions, [0..50000] for ESR-1700 |
Example of configuration with SoftWLC
Objective:
Provide access to the Internet only to authorized users.
Figure 55 – Network structure
Solution:
The SoftWLC server keeps account data and tariff plan parameters. More detailed information on installing and configuring the SoftWLC server is available at the following links:
http://kcs.eltex.nsk.ru/articles/960 – general article about SoftWLC;
http://kcs.eltex.nsk.ru/articles/474 – SoftWLC installation from repositories.
The BRAS license is mandatory for the router; after activating it you can start configuring the device.
Create 3 security zones according to the network structure depicted in Fig. 7.3.
esr# configure
esr(config)# security zone trusted
esr(config-zone)# exit
esr(config)# security zone untrusted
esr(config-zone)# exit
esr(config)# security zone dmz
esr(config-zone)# exit
Configure public port parameters and assign its default gateway:
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# security-zone untrusted
esr(config-if-gi)# ip address 203.0.113.2/30
esr(config-if-gi)# service-policy dynamic upstream
esr(config-if-gi)# exit
esr(config)# ip route 0.0.0.0/0 203.0.113.1
Configure port in direction to the SoftWLC server:
esr(config)# interface gigabitethernet 1/0/24
esr(config-if-gi)# security-zone dmz
esr(config-if-gi)# ip address 192.0.2.1/24
esr(config-if-gi)# exit
Configure port for Wi-Fi access point connection:
esr(config)# bridge 2
esr(config-bridge)# security-zone trusted
esr(config-bridge)# ip address 192.168.0.254/24
esr(config-bridge)# ip helper-address 192.0.2.20
esr(config-bridge)# service-subscriber-control object-group users
esr(config-bridge)# location ssid1
esr(config-bridge)# enable
esr(config-bridge)# exit
esr(config)# interface gigabitethernet 1/0/2.2000
esr(config-subif)# bridge-group 1
esr(config-subif)# exit
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# service-policy dynamic downstream
esr(config-if-gi)# exit
Customer connections must be implemented through sub-interfaces attached to bridges. The tariff plan is selected based on the Location parameter (see the bridge 2 configuration).
The module responsible for AAA operations is based on eltex-radius and is reachable at the SoftWLC IP address. The authentication and accounting port numbers in the example below are the SoftWLC defaults.
Define the parameters for interaction with the module:
esr(config)# radius-server host 192.0.2.20
esr(config-radius-server)# key ascii-text password
esr(config-radius-server)# auth-port 31812
esr(config-radius-server)# acct-port 31813
esr(config-radius-server)# exit
Create AAA profile:
esr(config)# aaa radius-profile RADIUS
esr(config-aaa-radius-profile)# radius-server host 192.0.2.20
esr(config-aaa-radius-profile)# exit
Specify parameters for access to the DAS (Dynamic Authorization Server), which receives the CoA requests:
esr(config)# object-group network server
esr(config-object-group-network)# ip address-range 192.0.2.20
esr(config-object-group-network)# exit
esr(config)# das-server CoA
esr(config-das-server)# key ascii-text password
esr(config-das-server)# port 3799
esr(config-das-server)# clients object-group server
esr(config-das-server)# exit
esr(config)# aaa das-profile CoA
esr(config-aaa-das-profile)# das-server CoA
esr(config-aaa-das-profile)# exit
Before authentication, traffic from the trusted zone is blocked, including DHCP and DNS requests. Configure permit rules so that DHCP and DNS requests are passed:
esr(config)# ip access-list extended DHCP
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port 68
esr(config-acl-rule)# match destination-port 67
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 11
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 53
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
Then, create rules for redirecting to portal and passing traffic to the Internet:
esr(config)# ip access-list extended WELCOME
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
esr(config)# ip access-list extended INTERNET
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
Specify web resources which are available without authorization:
esr(config)# object-group url defaultservice
esr(config-object-group-url)# url http://eltex.nsk.ru
esr(config-object-group-url)# exit
The URL filtering lists are kept on the SoftWLC server. If your addressing differs from the example, change only the IP address of the SoftWLC server and leave the rest of the URL unchanged:
esr(config)# subscriber-control filters-server-url http://192.0.2.20:7070/Filters/file/
Configure and enable BRAS, defining the NAS IP as the address of the interface facing SoftWLC (gigabitethernet 1/0/24 in the example):
esr(config)# subscriber-control
esr(config-subscriber-control)# aaa das-profile CoA
esr(config-subscriber-control)# aaa sessions-radius-profile RADIUS
esr(config-subscriber-control)# nas-ip-address 192.0.2.1
esr(config-subscriber-control)# session mac-authentication
esr(config-subscriber-control)# bypass-traffic-acl DHCP
esr(config-subscriber-control)# default-service
esr(config-subscriber-default-service)# class-map INTERNET
esr(config-subscriber-default-service)# filter-name local defaultservice
esr(config-subscriber-default-service)# filter-action permit
esr(config-subscriber-default-service)# default-action redirect http://192.0.2.20:8080/eltex_portal/
esr(config-subscriber-default-service)# session-timeout 3600
esr(config-subscriber-default-service)# exit
esr(config-subscriber-control)# enable
esr(config-subscriber-control)# exit
Configure rules for transition between security zones. First, define the service object groups used by those rules:
esr(config)# object-group service telnet
esr(config-object-group-service)# port-range 23
esr(config-object-group-service)# exit
esr(config)# object-group service ssh
esr(config-object-group-service)# port-range 22
esr(config-object-group-service)# exit
esr(config)# object-group service dhcp_server
esr(config-object-group-service)# port-range 67
esr(config-object-group-service)# exit
esr(config)# object-group service dhcp_client
esr(config-object-group-service)# port-range 68
esr(config-object-group-service)# exit
esr(config)# object-group service ntp
esr(config-object-group-service)# port-range 123
esr(config-object-group-service)# exit
Enable access to the Internet from trusted and dmz zones:
esr(config)# security zone-pair trusted untrusted
esr(config-zone-pair)# rule 10
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol any
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair dmz untrusted
esr(config-zone-pair)# rule 10
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol any
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair dmz trusted
esr(config-zone-pair)# rule 10
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol any
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
Enable DHCP transmitting from trusted to dmz:
esr(config)# security zone-pair trusted dmz
esr(config-zone-pair)# rule 10
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol udp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# match source-port dhcp_client
esr(config-zone-pair-rule)# match destination-port dhcp_server
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
Enable ICMP transmission to the device. For BRAS operation, the web proxy ports TCP 3129/3128 (NetPortDiscovery port / Active API Server port) must also be opened:
esr(config)# object-group service bras
esr(config-object-group-service)# port-range 3129
esr(config-object-group-service)# port-range 3128
esr(config-object-group-service)# exit
esr(config)# security zone-pair trusted self
esr(config-zone-pair)# rule 10
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol tcp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# match source-port any
esr(config-zone-pair-rule)# match destination-port bras
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# rule 20
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair dmz self
esr(config-zone-pair)# rule 20
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair untrusted self
esr(config-zone-pair)# rule 20
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
Activate DHCP-Relay:
esr(config)# ip dhcp-relay
Configure SNAT for gigabitethernet 1/0/1 port:
esr(config)# nat source
esr(config-snat)# ruleset inet
esr(config-snat-ruleset)# to interface gigabitethernet 1/0/1
esr(config-snat-ruleset)# rule 10
esr(config-snat-rule)# match source-address any
esr(config-snat-rule)# action source-nat interface
esr(config-snat-rule)# enable
esr(config-snat-rule)# end
Example of configuration without SoftWLC
Objective: Configure BRAS without SoftWLC support.
Given: client subnet 10.10.0.0/16; subnet for communication with the FreeRADIUS server 192.168.1.1/24.
Solution:
Step 1: RADIUS server configuration.
On the FreeRADIUS server, specify the subnet that is allowed to send requests and add a list of users. To do this, add entries of the following form to the users file in the FreeRADIUS configuration directory:
User profile:
<MACADDR> Cleartext-Password := <MACADDR>
    # User name
    User-Name = <USER_NAME>,
    # Maximum session lifetime
    Session-Timeout = <SECONDS>,
    # Maximum session lifetime when the system is idle
    Idle-Timeout = <SECONDS>,
    # Session statistics update interval
    Acct-Interim-Interval = <SECONDS>,
    # Service name for the session (A – the service is enabled, N – the service is disabled)
    Cisco-Account-Info = "{A|N}<SERVICE_NAME>"
Service profile:
<SERVICE_NAME> Cleartext-Password := <SERVICE_NAME>
    # Matches the class-map name in the ESR settings
    Cisco-AVPair = "subscriber:traffic-class=<CLASS_MAP>",
    # Action that the ESR applies to the traffic (permit, deny, redirect)
    Cisco-AVPair = "subscriber:filter-default-action=<ACTION>",
    # Whether IP flows may pass (enabled-uplink, enabled-downlink, enabled, disabled)
    Cisco-AVPair = "subscriber:flow-status=<STATUS>"
Add the subnet in which the ESR is located to the clients.conf file:
client ESR {
    ipaddr = <SUBNET>
    secret = <RADIUS_KEY>
}
In this case the RADIUS server configuration will be as follows:
Add the following strings to the clients.conf file:
client BRAS {
    ipaddr = 192.168.1.1
    secret = password
}
Add the following strings to the users file (use the actual client MAC address in place of the one shown):
"54-E1-AD-8F-37-35" Cleartext-Password := "54-E1-AD-8F-37-35"
    User-Name = <Bras_user>,
    Session-Timeout = 259200,
    Idle-Timeout = 259200,
    Cisco-AVPair += "subscriber:policer-rate-in=1000",
    Cisco-AVPair += "subscriber:policer-rate-out=1000",
    Cisco-AVPair += "subscriber:policer-burst-in=188",
    Cisco-AVPair += "subscriber:policer-burst-out=188",
    Cisco-Account-Info = "AINTERNET"
INTERNET Cleartext-Password := "INTERNET"
    User-Name = "INTERNET",
    Cisco-AVPair = "subscriber:traffic-class=INTERNET",
    Cisco-AVPair += "subscriber:filter-default-action=permit"
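The following Python script is an added example, not part of the Eltex or FreeRADIUS documentation. It parses a users file of the form shown above, follows each `Cisco-Account-Info = "{A|N}<SERVICE_NAME>"` reply item to the matching service entry and reports the traffic class and default filter action the ESR would receive, and checks that every MAC entry's Cleartext-Password equals its name, as the MAC-authentication template requires. The embedded file reproduces the page's example and adds a constructed second user whose service (VOIP) is deliberately left undefined so that the check reports it; the parser supports only the subset of the users syntax used here.

```python
import re

# Constructed FreeRADIUS 'users' file in the shape used above. The first and
# third entries follow the page's example; the second is an added user that
# refers to a service (VOIP) that is intentionally not defined.
USERS_FILE = '''\
"54-E1-AD-8F-37-35" Cleartext-Password := "54-E1-AD-8F-37-35"
    User-Name = "Bras_user",
    Session-Timeout = 259200,
    Idle-Timeout = 259200,
    Cisco-AVPair += "subscriber:policer-rate-in=1000",
    Cisco-AVPair += "subscriber:policer-rate-out=1000",
    Cisco-AVPair += "subscriber:policer-burst-in=188",
    Cisco-AVPair += "subscriber:policer-burst-out=188",
    Cisco-Account-Info = "AINTERNET"

"00-11-22-33-44-55" Cleartext-Password := "00-11-22-33-44-55"
    User-Name = "guest",
    Cisco-Account-Info = "NVOIP"

INTERNET Cleartext-Password := "INTERNET"
    User-Name = "INTERNET",
    Cisco-AVPair = "subscriber:traffic-class=INTERNET",
    Cisco-AVPair += "subscriber:filter-default-action=permit"
'''

# Entry header: an optionally quoted name followed by check items.
NAME_RE = re.compile(r'^(?:"([^"]*)"|(\S+))\s+(.*)$')
# One "Attribute op value" item; the value is quoted or a bare token.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|\+=|==|!=|=)\s*(?:"([^"]*)"|([^,\s]+))')
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def _items(text):
    return [(attr, op, quoted or bare) for attr, op, quoted, bare in ITEM_RE.findall(text)]


def parse_users_file(text):
    """Parse entries: a non-indented header line with check items, followed by
    indented reply items. Comment lines (#) and blank lines are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # '#' inside values is not supported here
        if not line.strip():
            continue
        if not raw[0].isspace():                # header line starts a new entry
            m = NAME_RE.match(line)
            if not m:
                raise ValueError(f"bad entry header: {raw!r}")
            name = m.group(1) if m.group(1) is not None else m.group(2)
            current = {"name": name, "check": _items(m.group(3)), "reply": []}
            entries.append(current)
        else:                                   # indented: reply items of the current entry
            if current is None:
                raise ValueError(f"reply item before any entry: {raw!r}")
            current["reply"].extend(_items(line))
    return entries


def reply_values(entry, attr):
    return [v for a, _, v in entry["reply"] if a == attr]


def subscriber_avpairs(entry):
    """Turn Cisco-AVPair 'subscriber:key=value' strings into a dict."""
    pairs = {}
    for v in reply_values(entry, "Cisco-AVPair"):
        if v.startswith("subscriber:") and "=" in v:
            key, val = v[len("subscriber:"):].split("=", 1)
            pairs[key] = val
    return pairs


def resolve_services(entries):
    """Follow Cisco-Account-Info = "{A|N}<SERVICE_NAME>" from each user to the
    service entry and report what the ESR would apply; list inconsistencies."""
    by_name = {e["name"]: e for e in entries}
    resolved, problems = {}, []
    for e in entries:
        for info in reply_values(e, "Cisco-Account-Info"):
            flag, service = info[:1], info[1:]
            if flag not in ("A", "N"):
                problems.append(f"{e['name']}: bad service flag in {info!r}")
                continue
            svc = by_name.get(service)
            if svc is None:
                problems.append(f"{e['name']}: service {service!r} is not defined")
                continue
            pairs = subscriber_avpairs(svc)
            if "traffic-class" not in pairs:
                problems.append(f"{service}: no subscriber:traffic-class AVPair")
            resolved[e["name"]] = {
                "service": service,
                "enabled": flag == "A",
                "traffic_class": pairs.get("traffic-class"),
                "filter_default_action": pairs.get("filter-default-action"),
            }
    return resolved, problems


def mac_auth_problems(entries):
    """Per the template above, a MAC entry is checked with the MAC as both user
    name and Cleartext-Password; report entries where the password differs."""
    out = []
    for e in entries:
        if not MAC_RE.match(e["name"]):
            continue
        pw = [v for a, _, v in e["check"] if a == "Cleartext-Password"]
        if pw != [e["name"]]:
            out.append(f"{e['name']}: Cleartext-Password must equal the MAC")
    return out


if __name__ == "__main__":
    entries = parse_users_file(USERS_FILE)
    resolved, problems = resolve_services(entries)
    for user, info in resolved.items():
        print(user, "->", info)
    for p in problems + mac_auth_problems(entries):
        print("problem:", p)
```

Running it resolves the page's MAC user to the INTERNET service (enabled, traffic class INTERNET, default action permit) and reports the constructed second user's undefined service; the same checks can be run against a real users file read from disk before the RADIUS server is restarted.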
Step 2: ESR configuration.
Configuring the BRAS functionality requires the BRAS licence; check it with:
esr(config)# do sh licence
Licence information
-------------------
Name: Eltex
Version: 1.0
Type: ESR-X
S/N: NP00000000
MAC: XX:XX:XX:XX:XX:XX
Features:
BRAS – Broadband Remote Access Server
Configuration of parameters for the interaction with RADIUS server:
esr(config)# radius-server host 192.168.1.2
esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-radius-server)# source-address 192.168.1.1
esr(config-radius-server)# exit
Create AAA profile:
esr(config)# aaa radius-profile bras_radius
esr(config-aaa-radius-profile)# radius-server host 192.168.1.2
esr(config-aaa-radius-profile)# exit
esr(config)# aaa radius-profile bras_radius_servers
esr(config-aaa-radius-profile)# radius-server host 192.168.1.2
esr(config-aaa-radius-profile)# exit
Specify parameters for the DAS server:
esr(config)# das-server das
esr(config-das-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-das-server)# exit
esr(config)# aaa das-profile bras_das
esr(config-aaa-das-profile)# das-server das
esr(config-aaa-das-profile)# exit
esr(config)# vlan 10
esr(config-vlan)# exit
Then create the ACLs for bypass traffic (DHCP and DNS), for passing traffic to the Internet and for redirecting to the portal:
esr(config)# ip access-list extended BYPASS
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port 68
esr(config-acl-rule)# match destination-port 67
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 2
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 53
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
esr(config)# ip access-list extended INTERNET
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
esr(config)# ip access-list extended WELCOME
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 443
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 20
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 8443
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 30
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 80
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 40
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 8080
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
URL filtering configuration is mandatory: HTTP proxy filtering for non-authorized users must be configured on the BRAS:
esr(config)# object-group url defaultserv
esr(config-object-group-url)# url http://eltex.nsk.ru
esr(config-object-group-url)# url http://ya.ru
esr(config-object-group-url)# url https://ya.ru
esr(config-object-group-url)# exit
Configure and enable BRAS, defining the NAS IP as the address of the interface facing the RADIUS server (gigabitethernet 1/0/2 in the example):
esr(config)# subscriber-control
esr(config-subscriber-control)# aaa das-profile bras_das
esr(config-subscriber-control)# aaa sessions-radius-profile bras_radius
esr(config-subscriber-control)# aaa services-radius-profile bras_radius_servers
esr(config-subscriber-control)# nas-ip-address 192.168.1.1
esr(config-subscriber-control)# session mac-authentication
esr(config-subscriber-control)# bypass-traffic-acl BYPASS
esr(config-subscriber-control)# default-service
esr(config-subscriber-default-service)# class-map BYPASS
esr(config-subscriber-default-service)# filter-name local defaultserv
esr(config-subscriber-default-service)# filter-action permit
esr(config-subscriber-default-service)# default-action redirect http://192.168.1.2:8080/eltex_portal
esr(config-subscriber-default-service)# session-timeout 121
esr(config-subscriber-default-service)# exit
esr(config-subscriber-control)# enable
esr(config-subscriber-control)# exit
Apply the following settings on the interfaces that require BRAS operation (at least one interface is required for BRAS to start):
esr(config)# bridge 10
esr(config-bridge)# vlan 10
esr(config-bridge)# ip firewall disable
esr(config-bridge)# ip address 10.10.0.1/16
esr(config-bridge)# ip helper-address 192.168.1.2
esr(config-bridge)# service-subscriber-control any
esr(config-bridge)# location USER
esr(config-bridge)# protected-ports
esr(config-bridge)# protected-ports exclude vlan
esr(config-bridge)# enable
esr(config-bridge)# exit
Configure port towards the RADIUS server:
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# ip firewall disable
esr(config-if-gi)# ip address 192.168.1.1/24
esr(config-if-gi)# exit
Configure the port towards the client:
esr(config)# interface gigabitethernet 1/0/3.10
esr(config-subif)# bridge-group 10
esr(config-subif)# ip firewall disable
esr(config-subif)# exit
Configure SNAT for gigabitethernet 1/0/2 port:
esr(config)# nat source
esr(config-snat)# ruleset factory
esr(config-snat-ruleset)# to interface gigabitethernet 1/0/2
esr(config-snat-ruleset)# rule 10
esr(config-snat-rule)# description "replace 'source ip' by outgoing interface ip address"
esr(config-snat-rule)# match protocol any
esr(config-snat-rule)# match source-address any
esr(config-snat-rule)# match destination-address any
esr(config-snat-rule)# action source-nat interface
esr(config-snat-rule)# enable
esr(config-snat-rule)# exit
esr(config-snat-ruleset)# exit
esr(config-snat)# exit
esr(config)# ip route 0.0.0.0/0 192.168.1.2
The configuration changes come into effect after applying the following commands:
esr(config)# do commit
esr(config)# do confirm
To view the information and statistics on the user control sessions, use the following command:
esr# sh subscriber-control sessions status
Session id           User name       IP address      MAC address       Interface  Domain
-------------------- --------------- --------------- -----------------
1729382256910270473  Bras_user       10.10.0.3       54:e1:ad:8f:37:35 gi1/0/3.10 --
IPS/IDS configuration
IPS/IDS (Intrusion Prevention System/Intrusion Detection System) is a network and computer security software system that detects intrusions or security breaches and automatically protects against them.
The system is based on signature traffic analysis. Signatures for IPS/IDS systems are commonly called rules. ESR devices allow you to download current rules from open sources on the Internet or from a corporate server. Using the CLI, you can also create your own specific rules.
By default, ESR devices have a basic set of rules from EmergingThreats designed for testing and verifying system health.
Base configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Create IPS/IDS security policy. | esr(config)# security ips policy <NAME> | <NAME> – security policy name, set by the string of up to 32 characters |
2 | Specify policy description (optionally). | esr(config-ips-policy)# description <DESCRIPTION> | <DESCRIPTION> – description, set by the string of up to 255 characters. |
3 | Specify the IP address profile that IPS/IDS will protect. | esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters. |
4 | Specify the profile of IP addresses that are external for IPS/IDS (optionally). | esr(config-ips-policy)# external network-group <OBJ-GROUP-NETWORK-NAME> | <OBJ-GROUP-NETWORK-NAME> – external IP addresses profile name, set by the string of up to 32 characters. |
5 | Switch to the IPS/IDS configuration mode. | esr(config)# security ips | |
6 | Assign IPS/IDS security policy. | esr(config-ips)# policy <NAME> | <NAME> – security policy name, set by the string of up to 32 characters. |
7 | Use all ESR resources for IPS/IDS (optionally). | esr(config-ips)# perfomance max | By default, half of the available processor cores are allocated for IPS/IDS. |
8 | Set a USB drive for recording logs in EVE format (optionally). | esr(config-ips)# logging storage-device <DEVICE_NAME> | <DEVICE_NAME> – USB storage device name. |
9 | Enable IPS/IDS. | esr(config-ips)# enable | |
10 | Enable IPS/IDS on the interface. | esr(config-if-gi)# service-ips enable | |
Configuration algorithm for automatic IPS/IDS rule updates from external sources
Step | Description | Command | Keys |
---|---|---|---|
1 | Switch to the autoupdate configuration mode | esr(config-ips)# auto-upgrade | |
2 | Specify a name and enter the configuration mode of the user update server. | esr(config-ips-auto-upgrade)# user-server <WORD> | <WORD> – server name, set by the string of up to 32 characters. |
3 | Specify the description of the user update server. (optionally). | esr(config-ips-upgrade-user-server)# description <DESCRIPTION> | <DESCRIPTION> – description, set by the string of up to 255 characters. |
4 | Specify URL. | esr(config-ips-upgrade-user-server)# url <URL> | <URL> – text field containing a URL link of 8 to 255 characters. The following can be specified as a URL link: |
5 | Set the frequency for update checking. (optionally). | esr(config-ips-upgrade-user-server)# upgrade interval <HOURS> | <HOURS> – update interval in hours, from 1 to 240. Default value: 24 hours |
Recommended open rule update sources
Source | Description |
---|---|
 | SSL Blacklist contains lists of 'bad' SSL certificates, i.e. certificates in respect of which the fact of their use by malware and botnets has been established. The lists contain SHA1 fingerprints of public keys from SSL certificates. |
 | Feodo Tracker – list of management servers for the Feodo Trojan. Feodo (also known as Cridex or Bugat) is used by cybercriminals to steal sensitive information in the field of electronic banking (credit card information, logins/passwords) from users' computers. Currently, there are four versions of the Trojan (versions A, B, C and D), mainly distinguished by the infrastructure of control servers. |
https://rules.emergingthreats.net/open/suricata/rules/botcc.rules | These rules describe well-known botnets and control servers. Sources: Shadowserver.org, Zeus Tracker, Palevo Tracker, Feodo Tracker, Ransomware Tracker. |
https://rules.emergingthreats.net/open/suricata/rules/ciarmy.rules | These rules describe malicious hosts by the classification of the www.cinsarmy.com project. |
https://rules.emergingthreats.net/open/suricata/rules/compromised.rules | These rules describe well-known compromised and malicious hosts. Sources: Daniel Gerzo’s BruteForceBlocker, The OpenBL, Emerging Threats Sandnet, SidReporter Projects. |
https://rules.emergingthreats.net/open/suricata/rules/drop.rules | These rules describe spammer hosts/networks by the classification of the www.spamhaus.org project. |
https://rules.emergingthreats.net/open/suricata/rules/dshield.rules | These rules describe malicious hosts by the classification of the www.dshield.org project. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-activex.rules | These rules contain signatures for using ActiveX content. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-attack_response.rules | Rules that detect host behavior after successful attacks. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-chat.rules | These rules describe signs of accessing popular chat rooms. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-current_events.rules | Temporary rules awaiting possible inclusion in permanent rule lists. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules | These rules contain signatures of vulnerabilities in the DNS protocol, signs of the use of DNS by malware, and incorrect use of the DNS protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-dos.rules | These rules contain DOS attack signatures. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-exploit.rules | These rules contain exploit signatures. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-ftp.rules | These rules contain signatures of vulnerabilities in the FTP protocol, signs of incorrect use of the FTP protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-games.rules | These rules describe signs of accessing popular gaming sites: World of Warcraft, Starcraft, etc. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-icmp.rules | These rules contain signatures of incorrect use of the ICMP protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-icmp_info.rules | These rules contain signatures of ICMP information messages. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-imap.rules | These rules contain signatures of vulnerabilities in the IMAP protocol, signs of incorrect use of the IMAP protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-inappropriate.rules | These rules describe signs of accessing unwanted resources. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-info.rules | These rules contain different vulnerabilities signatures. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-malware.rules | These rules contain signatures of malware that uses the HTTP protocol in their work. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-misc.rules | These rules contain different vulnerabilities signatures. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-mobile_malware.rules | These rules contain malware signatures for mobile platforms. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-netbios.rules | These rules contain signatures of vulnerabilities in the NetBIOS protocol, signs of incorrect use of the NetBIOS protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-p2p.rules | These rules describe signs of access to P2P networks (Bittorrent, Gnutella, Limewire). |
https://rules.emergingthreats.net/open/suricata/rules/emerging-policy.rules | These rules describe unwanted network activity (access to MySpace, Ebay). |
https://rules.emergingthreats.net/open/suricata/rules/emerging-pop3.rules | These rules contain signatures of vulnerabilities in the POP3 protocol, signs of incorrect use of the POP3 protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-rpc.rules | These rules contain signatures of vulnerabilities in the RPC protocol, signs of incorrect use of the RPC protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-scada.rules | These rules contain vulnerability signatures for SCADA systems. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-scan.rules | These rules describe signs of activity associated with network scanning (Nessus, Nikto, portscanning). |
https://rules.emergingthreats.net/open/suricata/rules/emerging-shellcode.rules | These rules describe signs of activity associated with attempts to gain shell access as a result of exploits. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-smtp.rules | These rules contain signatures of vulnerabilities in the SMTP protocol, signs of incorrect use of the SMTP protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-sql.rules | These rules contain vulnerability signatures for SQL DBMS. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-telnet.rules | These rules contain signatures of vulnerabilities in the telnet protocol, signs of incorrect use of the telnet protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-tftp.rules | These rules contain signatures of vulnerabilities in the TFTP protocol, signs of incorrect use of the TFTP protocol. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-trojan.rules | These rules contain signs of network activity of Trojans. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-user_agents.rules | These rules contain signs of suspicious and potentially dangerous HTTP clients (identified by the values in the User-Agent HTTP header). |
https://rules.emergingthreats.net/open/suricata/rules/emerging-voip.rules | These rules contain vulnerability signatures for VoIP protocols. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-web_client.rules | These rules contain vulnerability signatures for WEB clients. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-web_server.rules | These rules contain vulnerability signatures for WEB servers. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-web_specific_apps.rules | These rules contain vulnerability exploitation signatures for WEB applications. |
https://rules.emergingthreats.net/open/suricata/rules/emerging-worm.rules | These rules describe signs of network worm activity. |
IPS/IDS configuration example with auto-update rules
Objective:
Organize LAN protection with auto-update rules from open sources.
192.168.1.0/24 – LAN
Solution:
Create a profile of addresses of LAN which we will protect:
esr(config)# object-group network LAN
esr(config-object-group-network)# ip prefix 192.168.1.0/24
esr(config-object-group-network)# exit
Configure the DNS client on the ESR so that it can resolve the names of the IPS/IDS rule update sources:
esr(config)# domain lookup enable
esr(config)# domain name-server 8.8.8.8
Create IPS/IDS security policy:
esr(config)# security ips policy OFFICE
esr(config-ips-policy)# description "My Policy"
esr(config-ips-policy)# protect network-group LAN
Allow IPS/IDS operation on the bridge 1 LAN interface:
esr(config)# bridge 1
esr(config-bridge)# service-ips enable
Configure IPS/IDS parameters:
esr(config)# security ips
esr(config-ips)# logging storage-device usb://DATA
esr(config-ips)# policy OFFICE
esr(config-ips)# enable
The device will be used only as a security gateway, so allocate all available resources to the IPS/IDS service:
esr(config-ips)# perfomance max
Configure automatic rule updates from the EmergingThreats.net, etnetera.cz and Abuse.ch sites:
esr(config-ips)# auto-upgrade
esr(config-auto-upgrade)# user-server ET-Open
esr(config-ips-upgrade-user-server)# description "emerging threats open rules"
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules/
esr(config-ips-upgrade-user-server)# exit
esr(config-auto-upgrade)# user-server Aggressive
esr(config-ips-upgrade-user-server)# description "Etnetera aggressive IP blacklist"
esr(config-ips-upgrade-user-server)# url https://security.etnetera.cz/feeds/etn_aggressive.rules
esr(config-ips-upgrade-user-server)# upgrade interval 4
esr(config-ips-upgrade-user-server)# exit
esr(config-auto-upgrade)# user-server SSL-BlackList
esr(config-ips-upgrade-user-server)# description "Abuse.ch SSL Blacklist"
esr(config-ips-upgrade-user-server)# url https://sslbl.abuse.ch/blacklist/sslblacklist.rules
esr(config-ips-upgrade-user-server)# upgrade interval 4
esr(config-ips-upgrade-user-server)# exit
esr(config-auto-upgrade)# user-server C2-Botnet
esr(config-ips-upgrade-user-server)# description "Abuse.ch Botnet C2 IP Blacklist"
esr(config-ips-upgrade-user-server)# url https://sslbl.abuse.ch/blacklist/sslipblacklist.rules
esr(config-ips-upgrade-user-server)# upgrade interval 4
esr(config-ips-upgrade-user-server)# exit
Basic user rules configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Specify a name and enter the configuration mode of the set of user rules | esr(config)# security ips-category user-defined <WORD> | <WORD> – user rule set name, set by the string of up to 32 characters. |
2 | Define a description of a set of user rules (optionally). | esr(config-ips-category)# description <DESCRIPTION> | <DESCRIPTION> – description, set by the string of up to 255 characters. |
3 | Create a rule and switch to its configuration mode. | esr(config-ips-category)# rule <ORDER> | <ORDER> – rule number, takes values of [1..512]. |
4 | Specify the rule description (optionally) | esr(config-ips-category-rule)# description <DESCRIPTION> | <DESCRIPTION> – description, set by the string of up to 255 characters. |
5 | Specify the rule action. | esr(config-ips-category-rule)# action { alert | reject | pass | drop } | |
6 | Set the name of the IP protocol for which the rule should work. | esr(config-ips-category-rule)# protocol <PROTOCOL> | <PROTOCOL> – takes one of the values any/ip/icmp/http/tcp/udp. When 'any' is specified, the rule works for any protocol. |
7 | Set the sender IP addresses for which the rule should work. | esr(config-ips-category-rule)# source-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any } | <ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <ADDR/LEN> – sender IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32]; <OBJ_GR_NAME> – name of the IP addresses profile that contains the sender IP address, set by the string of up to 31 characters. When 'any' is specified, the rule is triggered for any source IP address. |
8 | Set the profile of source TCP/UDP ports for which the rule should work. For protocol icmp, source-port can only be any. | esr(config-ips-category-rule)# source-port {any | <PORT> | object-group <OBJ_GR_NAME> } | <PORT> – source TCP/UDP port number, takes values of [1..65535]; <OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters. When 'any' is specified, the rule is triggered for any source TCP/UDP port. |
9 | Set the destination IP addresses for which the rule should work. | esr(config-ips-category-rule)# destination-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any } | <ADDR> – recipient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <ADDR/LEN> – recipient IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32]; <OBJ_GR_NAME> – name of the IP addresses profile that contains the recipient IP address, set by the string of up to 31 characters. When 'any' is specified, the rule is triggered for any destination IP address. |
10 | Set the profile of destination TCP/UDP ports for which the rule should work. For protocol icmp, destination-port can only be any. | esr(config-ips-category-rule)# destination-port {any | <PORT> | object-group <OBJ_GR_NAME> } | <PORT> – destination TCP/UDP port number, takes values of [1..65535]; <OBJ_GR_NAME> – recipient TCP/UDP ports profile name, set by the string of up to 31 characters. When 'any' is specified, the rule is triggered for any destination TCP/UDP port. |
11 | Set the traffic direction for which the rule should work. | esr(config-ips-category-rule)# direction { one-way | round-trip } | |
12 | Define the message that IPS/IDS will record to the log when this rule will work | esr(config-ips-category-rule)# meta log-message <MESSAGE> | <MESSAGE> – text message specified by a string of up to 129 characters. |
13 | Define the traffic classification that will be recorded to the log when this rule works (optionally). | esr(config-ips-category-rule)# meta classification-type { not-suspicious | unknown | bad-unknown | attempted-recon | successful-recon-limited | successful-recon-largescale | attempted-dos | successful-dos | attempted-user | unsuccessful-user | successful-user | attempted-admin | successful-admin | rpc-portmap-decode | shellcode-detect | string-detect | suspicious-filename-detect | suspicious-login | system-call-detect | tcp-connection | trojan-activity | unusual-client-port-connection | network-scan | denial-of-service | non-standard-protocol | protocol-command-decode | web-application-activity | web-application-attack | misc-activity | misc-attack | icmp-event | inappropriate-content | policy-violation | default-login-attempt } | |
14 | Set DSCP code value for which the rule should work (optionally). | esr(config-ips-category-rule)# ip dscp <DSCP> | <DSCP> – DSCP code value, takes values in the range of [0..63]. |
15 | Set the packet lifetime (TTL) value for which the rule will work (optionally). | esr(config-ips-category-rule)# ip ttl <TTL> | <TTL> – TTL value, takes values in the range of [1..255]. |
16 | Set the IP protocol number for which the rule should work. Applicable only for protocol any (optionally). | esr(config-ips-category-rule)# ip protocol-id <ID> | <ID> – IP protocol number, takes values of [1..255]. |
17 | Set ICMP CODE value for which the rule should work Applicable only for protocol icmp value (optionally). | esr(config-ips-category-rule)# ip icmp code <CODE> | <CODE> – ICMP CODE value, takes a value in the range [0..255]. |
esr(config-ips-category-rule)# ip icmp code comparison-operator { greater-than | less-than } | Comparison operator for the ip icmp code value. | ||
18 | Set ICMP ID value for which the rule should work Applicable only for protocol icmp value (optionally). | esr(config-ips-category-rule)# ip icmp id <ID> | <ID> – ICMP ID value, takes a value in the range [0..65535]. |
19 | Set ICMP Sequence-ID value for which the rule should work Applicable only for protocol icmp value (optionally). | esr(config-ips-category-rule)# ip icmp sequence-id <SEQ-ID> | <SEQ-ID> – ICMP Sequence-ID value, takes a value in the range [0..4294967295]. |
20 | Set ICMP TYPE value for which the rule should work Applicable only for protocol icmp value (optionally). | esr(config-ips-category-rule)# ip icmp type <TYPE> | <TYPE> – ICMP TYPE value, takes a value in the range [0..255]. |
esr(config-ips-category-rule)# ip icmp type comparison-operator { greater-than | less-than } | Comparison operator for the ip icmp type value. | ||
21 | Set TCP Acknowledgement-Number value for which the rule should work Applicable only for protocol tcp value (optionally). | esr(config-ips-category-rule)# ip tcp acknowledgment-number <ACK-NUM> | <ACK-NUM> – TCP Acknowledgement-Number value, takes a value in the range [0..4294967295]. |
22 | Set TCP Sequence-ID value for which the rule should work Applicable only for protocol tcp value (optionally). | esr(config-ips-category-rule)# ip tcp sequence-id <SEQ-ID> | <SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295]. |
23 | Set TCP Window-Size value for which the rule should work Applicable only for protocol tcp value (optionally). | esr(config-ips-category-rule)# ip tcp window-size <SIZE> | <SIZE> – TCP Window-Size value, takes a value in the range [0..65535]. |
24 | Set HTTP protocol keywords for which the rule will work Applicable only for protocol http value (optionally). | esr(config-ips-category-rule)# ip http { accept | accept-enc | accept-lang | client-body | connection | content-type | cookie | file-data | header | header-names | host | method | protocol | referer | request-line | response-line | server-body | start | start-code | start-msg | uri | user-agent } | See the Suricata 4.X documentation for the meaning of the keywords. https://suricata.readthedocs.io/en/suricata-4.1.4/rules/http-keywords.html |
25 | Set HTTP protocol URI LEN keyword value for which the rule will work Applicable only for protocol http value (optionally). | esr(config-ips-category-rule)# ip http urilen <LEN> | <LEN> – takes values in the range of [0.. 65535]. |
esr(config-ips-category-rule)# ip http urilen comparison-operator { greater-than | less-than } | Comparison operator for the ip http urilen value. | ||
26 | Set the packet payload content for which the rule will work (optionally). | esr(config-ips-category-rule)# payload content <CONTENT> | <CONTENT> – text specified by a string of up to 1024 characters. |
27 | Do not distinguish between uppercase and lowercase letters in the packet content. Only applicable in conjunction with the payload content command (optionally). | esr(config-ips-category-rule)# payload no-case | |
28 | Set how many bytes from the beginning of the packet contents will be checked. Only applicable in conjunction with the payload content command (optionally). | esr(config-ips-category-rule)# payload depth <DEPTH> | <DEPTH> – the number of bytes from the beginning of the packet contents, takes a value in the range [1..65535]. By default, the entire packet contents are checked. |
29 | Set the offset in bytes from the beginning of the packet contents at which checking starts. Only applicable in conjunction with the payload content command (optionally). | esr(config-ips-category-rule)# payload offset <OFFSET> | <OFFSET> – the number of offset bytes from the beginning of the packet contents, takes a value in the range [1..65535]. By default, checking starts from the beginning of the content. |
30 | Set the size of the packet contents for which the rule will work (optionally). | esr(config-ips-category-rule)# payload data-size <SIZE> | <SIZE> – packet content size, takes values in the range of [0..65535]. |
esr(config-ips-category-rule)# payload data-size comparison-operator { greater-than | less-than } | Comparison operator for the payload data-size value. | ||
31 | Specify the threshold number of packets at which the rule will work (optionally) | esr(config-ips-category-rule)# threshold count <COUNT> | <COUNT> – number of packets, takes values in the range of [1.. 65535]. |
32 | Specify the time interval for which the threshold number of packets is considered. (Required if threshold count is enabled) | esr(config-ips-category-rule)# threshold second <SECOND> | <SECOND> – time interval in seconds, takes values in the range of [1.. 65535]. |
33 | Specify whether the threshold is counted per sender or per recipient address. (Required if threshold count is enabled) | esr(config-ips-category-rule)# threshold track { by-src | by-dst } | |
34 | Specify the threshold handling method. | esr(config-ips-category-rule)# threshold type {threshold | limit | both } | A message will be generated if during the <SECOND> time interval there were <COUNT> or more packets matching the rule conditions, and the message will be sent only once during the <SECOND> time interval. |
Basic user rules configuration example
Objective:
Write a rule to protect a server with IP 192.168.1.10 from a DoS attack by large ICMP packets.
Solution:
Create a set of user rules:
esr(config)# security ips-category user-defined USER
Create a rule to protect against attack:
esr(config-ips-category)# rule 10
esr(config-ips-category-rule)# description "Big ICMP DoS"
We will drop packets:
esr(config-ips-category-rule)# action drop
Configure attack message:
esr(config-ips-category-rule)# meta log-message "Big ICMP DoS"
esr(config-ips-category-rule)# meta classification-type successful-dos
Specify protocol type for the rule:
esr(config-ips-category-rule)# protocol icmp
Since we specified the icmp protocol, we need to specify any as the port of the sender and recipient:
esr(config-ips-category-rule)# source-port any
esr(config-ips-category-rule)# destination-port any
We will indicate our server as the recipient address:
esr(config-ips-category-rule)# destination-address ip 192.168.1.10
Attacker can send packets from any address:
esr(config-ips-category-rule)# source-address any
Set traffic direction:
esr(config-ips-category-rule)# direction one-way
The rule will work on packets larger than 1024 bytes:
esr(config-ips-category-rule)# payload data-size 1024
esr(config-ips-category-rule)# payload data-size comparison-operator greater-than
The rule will work if the load on the server exceeds 3 Mbps, while an attack message will be generated not more than once a minute:
3 Mbps = 3145728 bps
Packet with size of 1 kB = 8192 bits
3145728 / 8192 = 384 packets per second
384 * 60 = 23040 packets per minute
esr(config-ips-category-rule)# threshold count 23040
esr(config-ips-category-rule)# threshold second 60
esr(config-ips-category-rule)# threshold track by-dst
esr(config-ips-category-rule)# threshold type both
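The threshold arithmetic of this example and the `threshold type` choices from steps 31 to 34 of the table above, worked through as an added Python example; it is not Eltex firmware or documentation code. It assumes packets represented as constructed (timestamp in seconds, destination IP, payload bytes) tuples, keeps `track by-dst` state per destination, follows the table's description for `both`, and uses the usual Suricata meaning of `threshold` and `limit`; `packets_per_interval`, `alerts`, `sample_stream`, `flood` and `page_rule_alerts` are names chosen here.

```python
"""Threshold handling of an ESR IPS user rule, simulated on constructed traffic.

Added example, not Eltex firmware or documentation code. Assumptions: packets
are (timestamp_seconds, dst_ip, payload_bytes) tuples built below; 'threshold'
and 'limit' follow their usual Suricata meaning, 'both' follows the page's
description (one message per interval, once COUNT matches have been seen).
"""

MBIT = 1024 * 1024          # the page's convention: 3 Mbps = 3145728 bps
SERVER = "192.168.1.10"     # the protected server from the page's objective


def packets_per_interval(mbps, packet_bytes, seconds):
    """Packets per interval that a flow of `mbps` needs with `packet_bytes` packets.

    Mirrors the page's derivation: 3 Mbps / 8192 bits = 384 pps, 384 * 60 = 23040.
    """
    bits_per_packet = packet_bytes * 8
    pps = mbps * MBIT // bits_per_packet
    return pps * seconds


def alerts(packets, count, seconds, threshold_type, data_size=1024):
    """Timestamps at which the rule would raise its log message.

    Matching packets are those with payload > data_size ('payload data-size'
    with 'comparison-operator greater-than'). State is kept per destination
    ('threshold track by-dst') as [window_start, matches_in_window, fired].
      threshold - alert each time COUNT matches accumulate within SECONDS,
                  then start counting afresh;
      limit     - alert for the first COUNT matches of each SECONDS window,
                  suppress the rest;
      both      - alert once per SECONDS window, and only after COUNT matches.
    """
    if threshold_type not in ("threshold", "limit", "both"):
        raise ValueError("unknown threshold type %r" % threshold_type)
    state = {}
    fired_at = []
    for t, dst, size in packets:
        if not size > data_size:
            continue
        st = state.get(dst)
        if st is None or t - st[0] >= seconds:
            st = state[dst] = [t, 0, False]   # open a new window
        st[1] += 1
        if threshold_type == "threshold":
            if st[1] >= count:
                fired_at.append(t)
                del state[dst]                # next match opens a fresh window
        elif threshold_type == "limit":
            if st[1] <= count:
                fired_at.append(t)
        elif st[1] >= count and not st[2]:    # both
            fired_at.append(t)
            st[2] = True
    return fired_at


def sample_stream():
    """Constructed traffic: a burst of six 1400-byte payloads at t=0..5,
    one 64-byte packet that must not count, then a second burst at t=20..22."""
    pkts = [(t, SERVER, 1400) for t in range(6)]
    pkts.append((6, SERVER, 64))
    pkts += [(t, SERVER, 1400) for t in (20, 21, 22)]
    return pkts


def flood(n, seconds=60):
    """n large packets spread evenly over `seconds` toward SERVER (constructed)."""
    return [(i * seconds / n, SERVER, 1400) for i in range(n)]


def page_rule_alerts(packets):
    """The page's rule: threshold count 23040 / second 60 / track by-dst / type both."""
    return alerts(packets, count=packets_per_interval(3, 1024, 60),
                  seconds=60, threshold_type="both")


if __name__ == "__main__":
    for kind in ("threshold", "limit", "both"):
        print(kind, alerts(sample_stream(), 3, 10, kind))
    print("3 Mbps flood:", page_rule_alerts(flood(23040)))
```

Running it with a small `count` of 3 over a 10-second window shows the difference that matters operationally: `limit` logs the first three packets of each window and then goes quiet, `threshold` logs every third match, and `both` produces exactly one message per window, which is why the page's rule uses it to cap log volume at one message a minute.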
Extended user rules configuration algorithm
Step | Description | Command | Keys |
---|---|---|---|
1 | Specify a name and enter the configuration mode of the set of user rules. | esr(config)# security ips-category user-defined <WORD> | <WORD> – user rule set name, set by the string of up to 32 characters. |
2 | Define a description of a set of user rules (optionally). | esr(config-ips-category)# description <DESCRIPTION> | <DESCRIPTION> – description, set by the string of up to 255 characters. |
3 | Create extended rule and switch to its configuration mode. | esr(config-ips-category)# rule-advanced <SID> | <SID> – rule number, takes values of [1..4294967295] |
4 | Specify the rule description (optionally) | esr(config-ips-category-rule-advanced)# description <DESCRIPTION> | <DESCRIPTION> – description, set by the string of up to 255 characters. |
5 | Specify the rule text. | esr(config-ips-category-rule-advanced)# rule-text <LINE> | <LINE> – rule text in SNORT 2.X/Suricata 4.X format, specified by a string of up to 1024 characters. When writing rules, the double-quote symbol (") must be replaced with the single-quote symbol ('). |
Extended user rules configuration example
Objective:
Write a rule detecting a Slowloris-type attack.
Solution:
Create a set of user rules:
esr(config)# security ips-category user-defined ADV
Create an extended rule:
esr(config-ips-category)# rule-advanced 1
esr(config-ips-category-rule-advanced)# description "Slow Loris rule 1"
esr(config-ips-category-rule-advanced)# rule-text "alert tcp any any -> any 80 (msg:'Possible Slowloris Attack Detected'; flow:to_server,established; content:'X-a|3a|'; distance:0; pcre:'/\d\d\d\d/'; distance:0; content:'|0d 0a|'; sid:10000001;)"
Create another extended rule that works on a similar algorithm to determine which rule will be more effective:
esr(config-ips-category)# rule-advanced 2
esr(config-ips-category-rule-advanced)# description "Slow Loris rule 2"
esr(config-ips-category-rule-advanced)# rule-text "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:'SlowLoris.py DoS attempt'; flow:established,to_server,no_stream; content:'X-a:'; dsize:<15; detection_filter:track by_dst, count 3, seconds 30; classtype:denial-of-service; sid: 10000002; rev:1; )"
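Two pieces of rule handling that the extended-rule table and the auto-update section above leave to the operator, as an added Python example (not Eltex or Suricata code): converting a standard double-quoted Suricata rule into the single-quoted form the `rule-text` command expects, while checking the 1024-character limit, and checking downloaded feeds for duplicate sids before several `user-server` entries are pointed at overlapping sources. It assumes the quoting rule stated in the table (every `"` inside the rule becomes `'`, the whole rule is wrapped in `"`), and the feeds `FEED_A` and `FEED_B` are constructed samples, not real EmergingThreats or Abuse.ch downloads; `parse_rule`, `rule_sid`, `to_esr_rule_text`, `feed_sids` and `duplicate_sids` are names chosen here.

```python
"""Suricata/SNORT rule text handling for ESR 'rule-advanced' rules and rule feeds.

Added example, not Eltex or Suricata code. Assumptions: the ESR CLI takes
'rule-text' wrapped in double quotes, so the page's instruction is implemented
as replacing each '"' inside the rule with "'"; the 1024-character limit is the
one stated in the table; the sample feeds are constructed, not real downloads.
"""
from collections import Counter

ESR_RULE_TEXT_MAX = 1024
HEADER_FIELDS = ("action", "protocol", "src", "sport", "direction", "dst", "dport")


def parse_rule(rule):
    """Split one rule into a header dict and an ordered list of (keyword, value).

    Repeated keywords such as 'content' keep their order, since order matters
    in Suricata rules; a ';' inside a quoted value does not end an option.
    """
    rule = rule.strip()
    open_idx = rule.index("(")
    close_idx = rule.rindex(")")
    head = rule[:open_idx].split()
    if len(head) != len(HEADER_FIELDS) or head[4] not in ("->", "<>"):
        raise ValueError("unexpected rule header: %r" % rule[:open_idx])
    options, token, quote = [], [], None
    for ch in rule[open_idx + 1:close_idx]:
        if quote:                       # inside a quoted value
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":                 # option terminator outside quotes
            options.append("".join(token).strip())
            token = []
            continue
        token.append(ch)
    if "".join(token).strip():
        raise ValueError("last option is not terminated by ';'")
    parsed = []
    for opt in options:
        if opt:
            key, _, value = opt.partition(":")
            parsed.append((key.strip(), value.strip()))
    return dict(zip(HEADER_FIELDS, head)), parsed


def rule_sid(rule):
    """The rule's sid as an int, or None when the rule has no sid."""
    for key, value in parse_rule(rule)[1]:
        if key == "sid":
            return int(value)
    return None


def to_esr_rule_text(rule):
    """Rewrite a standard (double-quoted) rule into the ESR 'rule-text' form.

    Inner double quotes become single quotes and the whole rule is wrapped in
    double quotes. Rules that already contain single quotes are refused, because
    after the swap the two kinds could no longer be told apart (a choice of this
    converter, not a documented ESR behaviour).
    """
    if "'" in rule:
        raise ValueError("rule already uses single quotes; convert it by hand")
    text = rule.strip().replace('"', "'")
    if len(text) > ESR_RULE_TEXT_MAX:
        raise ValueError("rule text is %d characters, limit is %d"
                         % (len(text), ESR_RULE_TEXT_MAX))
    parse_rule(text)                    # must still be well-formed after the swap
    return '"%s"' % text


def feed_sids(feed_text):
    """sids of the active rules in a .rules file; blank and '#' lines are skipped."""
    sids = []
    for line in feed_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            sids.append(rule_sid(line))
    return sids


def duplicate_sids(*feeds):
    """sids defined more than once across feeds. Suricata reports duplicate sids
    when loading rules and keeps only one copy, so this is worth checking before
    several 'user-server' entries point at overlapping sources."""
    counts = Counter(sid for feed in feeds for sid in feed_sids(feed))
    return sorted(sid for sid, n in counts.items() if n > 1)


# The page's first Slowloris rule, already in single-quoted ESR form.
PAGE_RULE_1 = (r"alert tcp any any -> any 80 (msg:'Possible Slowloris Attack Detected'; "
               r"flow:to_server,established; content:'X-a|3a|'; distance:0; "
               r"pcre:'/\d\d\d\d/'; distance:0; content:'|0d 0a|'; sid:10000001;)")

# The page's second Slowloris rule as it would appear in a standard feed.
STANDARD_RULE_2 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
                   '(msg:"SlowLoris.py DoS attempt"; flow:established,to_server,no_stream; '
                   'content:"X-a:"; dsize:<15; detection_filter:track by_dst, count 3, '
                   'seconds 30; classtype:denial-of-service; sid: 10000002; rev:1; )')

# Constructed feeds (not real downloads): feed B re-defines sid 10000002.
FEED_A = "\n".join([
    "# constructed feed A",
    STANDARD_RULE_2,
    'alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED large ICMP"; dsize:>1024; sid:10000003; rev:1;)',
])
FEED_B = "\n".join([
    '#alert tcp any any -> any any (msg:"disabled"; sid:10000003; rev:1;)',
    'alert tcp any any -> any 80 (msg:"CONSTRUCTED overlap"; content:"X-a"; sid:10000002; rev:2;)',
])

if __name__ == "__main__":
    print(to_esr_rule_text(STANDARD_RULE_2))
    print("duplicate sids:", duplicate_sids(FEED_A, FEED_B))
```

The converter re-parses the rewritten rule before returning it, so a rule whose quoting is broken by the swap is rejected rather than pushed to the device; the feed check deliberately ignores commented-out rules, which is how the disabled copy of sid 10000003 in `FEED_B` avoids being reported as a duplicate.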
VoIP configuration
VoIP (Voice over IP) – a set of protocols that allow voice data to be transmitted over IP networks. On this device, VoIP is used to connect analogue telephones to an IP network so that phone calls can be made.
SIP profile configuration process
Step | Description | Command | Keys |
---|---|---|---|
1 | Configure a SIP profile | esr(config)# sip profile <NUM> | <NUM> – SIP profile number, set in the form of a digit from 1 to 5. |
2 | Configure a primary SIP proxy server and registration server | esr(config-sip-profile)# proxy primary | |
3 | Configure a SIP proxy server | esr(config-voip-sip-proxy)# ip address proxy-server <IP> | <IP> – proxy server IP address |
4 | Configure a SIP proxy server port | esr(config-voip-sip-proxy)# ip port proxy-server <PORT> | <PORT> – number of proxy server UDP port, takes values of [1..65535]. If standard 5060 port is used, you do not need to specify it. |
5 | Configure a registration server address | esr(config-voip-sip-proxy)# ip address registration-server <IP> | <IP> – registration server IP address. |
6 | Configure a registration server port | esr(config-voip-sip-proxy)# ip port registration-server <PORT> | <PORT> – number of registration server UDP port, takes values of [1..65535]. If standard 5060 port is used, you do not need to specify it. |
7 | Enable registration | esr(config-voip-sip-proxy)# registration | |
8 | Enable proxy server and registration server | esr(config-voip-sip-proxy)# enable | |
9 | Configure a registration server address | esr(config-voip-sip-proxy)# ip address registration-server <IP> | <IP> – registration server IP address. |
10 | Configure a registration server port | esr(config-voip-sip-proxy)# ip port registration-server <PORT> | <PORT> – number of registration server UDP port, takes values of [1..65535]. If standard 5060 port is used, you do not need to specify it. |
11 | Specify SIP domain in which the device is located | esr(config-sip-profile)# sip-domain address <ADDRESS> | <ADDRESS> – SIP domain in which the device is located, set by an IPv4 address or domain name. |
12 | Enable the use of SIP domain when registering | esr(config-sip-profile)# sip-domain registration enable | |
13 | Configure a SIP profile | esr(config)# sip profile <NUM> | <NUM> – SIP profile number, set in the form of a digit from 1 to 5. |
14 | Assign a dial plan to the current SIP profile | esr(config-sip-profile)# dialplan pattern <DNAME> | <DNAME> – name of the dial plan, set by the string of up to 31 characters. |
15 | Enable SIP profile | esr(config-sip-profile)# enable | |
FXS/FXO ports configuration process
Step | Description | Command | Keys |
---|---|---|---|
1 | Switch to the FXO/FXS ports configuration mode | esr(config)# interface voice-port <NUM> | <NUM> – port number, takes values of [1..4]. |
2 | Assign a subscriber number reserved for a telephone port | esr(config-voice-port-fxs)# sip user phone <PHONE> | <PHONE> – subscriber number reserved for a telephone port, set by the string of up to 50 characters. |
3 | Assign the user name matched with the port | esr-12v(config-voice-port-fxs)# sip user display-name <LOGIN> | <LOGIN> – user name displayed in the Display-Name field, set by the string of up to 31 characters. |
4 | Select SIP profile for a certain port. | esr(config-voice-port-fxs)# profile sip <PROFILE> | <PROFILE> – SIP profile number, set in the form of a digit from 1 to 5. |
5 | Configure a login for authentication | esr(config-voice-port-fxs)# authentication name <LOGIN> | <LOGIN> – login for authentication, set by the string of up to 31 characters |
6 | Configure a password for authentication | esr(config-voice-port-fxs)# authentication password <PASS> | <PASS> – authentication password, set by the string of up to 16 characters. |
7 | Switch to the FXO port configuration mode | esr(config)# interface voice-port <NUM> | <NUM> – FXO port number, takes values of [1..4]. |
8 | Assign a subscriber number reserved for a telephone port | esr(config-voice-port-fxo)# sip user phone <PHONE> | <PHONE> – subscriber number reserved for a telephone port. |
9 | Specify UDP port from which and to which the FXO set will send and receive SIP messages | esr(config-voice-port-fxo)# sip port <PORT> | <PORT> – UDP port number. |
10 | Assign the user name matched with the port | esr(config-voice-port-fxo)# sip user display-name <LOGIN> | <LOGIN> – user name displayed in the Display-Name field, set by the string of up to 31 characters. |
11 | Configure a login for authentication | esr(config-voice-port-fxo)# authentication name <LOGIN> | <LOGIN> – login for authentication, set by the string of up to 31 characters. |
12 | Configure a password for authentication | esr(config-voice-port-fxo)# authentication password <PASS> | <PASS> – authentication password, set by the string of up to 16 characters. |
13 | Enable the number transmission to PSTN | esr(config-voice-port-fxo)# pstn transmit-number | |
14 | Disable prefix transmission | esr(config-voice-port-fxo)# no pstn transmit-prefix | |
15 | Enable the “Hotline PSTN to IP” service | esr(config-voice-port-fxo)# hotline ipt | |
16 | Number of the subscriber that will receive calls from PSTN | esr(config-voice-port-fxo)# hotline number ipt <PHONE> | <PHONE> – phone number that calls are made to when using the service, takes the value from 1 to 50. “Hot/Warm line” in the direction from analogue telephone line to VoIP. |
Dial plan configuration process
Step | Description | Command | Keys |
---|---|---|---|
1 | Create a dial plan | esr(config)# dialplan pattern <DNAME> | <DNAME> – name of the dial plan, set by the string of up to 31 characters. |
2 | Add dial rules | esr(config-dial-ruleset)# pattern <REGEXP> | <REGEXP> - regular expression specifying the dial plan. Set by the string of up to 1024 characters. The rules for creating regular expressions are described in section Dial plan configuration example. |
3 | Enable the dial plan | esr(config-dial-ruleset)# enable |
PBX server configuration procedure
Step | Description | Command | Keys |
---|---|---|---|
1 | PBX server configuration | esr(config)# pbx | |
2 | Enable PBX server | esr(config-pbx)# enable | |
3 | Create a routing plan | esr(config-pbx)# ruleset <rule_name> | <rule_name> – name of the routing plan, set by the string of up to 31 characters. |
4 | Create a routing rule | esr(config-pbx-ruleset)# rule <rule_index> | <rule_index> – number of the rule in the routing plan, takes values from 1 to 1000. |
5 | Creating a pattern in a routing rule | esr(config-pbx-rule)# pattern <REGEXP> | <REGEXP> – regular expression specifying the routing rule. Set by the string of up to 256 characters. The rules for creating regular expressions are described in section Dial plan configuration example. |
6 | Applying a routing rule | esr(config-pbx-rule)# enable | |
7 | Creating a SIP profile on a PBX server | esr(config-pbx)# profile <PROFILE> | <PROFILE> – name of the SIP profile used by the PBX server, set by the string of up to 31 characters. |
8 | Selecting a codec supported by a SIP profile | esr(config-pbx-profile)# codec allow { G711A(alaw) | G711U(ulaw) | G722 | G726 } | |
9 | Selecting SIP profile type | esr(config-pbx-profile)# client { peer | user | friend } | |
10 | Choosing a NAT interaction policy (optional) | esr(config-pbx-profile)# nat { comedia | force-port | both } | |
11 | Selecting a SIP profile routing plan | esr(config-pbx-profile)# ruleset <NAME> | <NAME> – name of the routing plan, set by the string of up to 31 characters. |
12 | Create a subscriber | esr(config-pbx)# user <user> | <user> – phone number or username, set by the string of up to 31 characters. |
13 | Create a password for the subscriber (optional) | esr(config-pbx-user)# password <password> | <password> – password that will be used by the user for authentication, set by the string of up to 16 characters. |
14 | The use of SIP profile for the subscriber | esr(config-pbx-user)# profile <SIPPROFILE> | <SIPPROFILE> – SIP profile used for this subscriber, set by the string of up to 31 characters. |
Registration trunk creation procedure
Step | Description | Command | Keys |
---|---|---|---|
1 | PBX server configuration | esr(config)# pbx | |
2 | Trunk creation | esr(config-pbx)# register-server <name> | <name> – trunk name, set by the string of up to 31 characters. |
3 | Registration server address configuration | esr(config-pbx-reg-server)# ip address <IP> | <IP> – address of the server on which registration proceeds, takes values of an IP address or can be specified by the string of up to 31 characters. |
4 | Registration server port configuration | esr(config-pbx-reg-server)# ip port <PORT> | <PORT> – number of registration server UDP port, takes values of [1..65535]. If standard 5060 port is used, you do not need to specify it. |
5 | Specify the authentication name | esr(config-pbx-reg-server)# username <user> | <user> – username for this trunk on the upstream domain, set by the string of up to 31 characters. |
6 | Specify the authentication password | esr(config-pbx-reg-server)# authentication password <password> | <password> – password for this trunk on the upstream domain, set by the string of up to 16 characters. |
7 | The use of SIP profile for the trunk | esr(config-pbx-reg-server)# profile <PROFILE> | <PROFILE> – name of the SIP profile used for this trunk, set by the string of up to 31 characters. |
8 | Select the transport protocol (optionally) | esr(config-pbx-reg-server)# protocol {tcp | udp } | The default is udp. |
9 | Trunk activation | esr(config-pbx-reg-server)# enable |
VoIP configuration example
Objective:
Connect analogue telephones and fax modems to the IP network via an ESR router. The SIP server located on the ESR functions as the proxy server and registration server.
Solution:
Figure 56 – Network structure
Configure a SIP profile:
esr(config)# sip profile 1
Configure a primary SIP proxy server and registration server:
esr(config-sip-profile)# proxy primary
Configure SIP proxy server address (use an embedded SIP server as SIP proxy server):
esr(config-voip-sip-proxy)# ip address proxy-server 192.0.2.5
Configure a SIP proxy server port:
esr(config-voip-sip-proxy)# ip port proxy-server 5080
If standard 5060 port is used, you do not need to specify it.
If it is necessary to use the registration, you should perform the following steps:
Configure registration server address (use an embedded SIP server as registration server):
esr(config-voip-sip-proxy)# ip address registration-server 192.0.2.5
Configure a registration server port:
esr(config-voip-sip-proxy)# ip port registration-server 5080
If standard 5060 port is used, you do not need to specify it.
Enable registration:
esr(config-voip-sip-proxy)# registration
Enable proxy server and registration server:
esr(config-voip-sip-proxy)# enable
This completes the configuration of SIP proxy server and registration server:
esr(config-voip-sip-proxy)# exit
The next step is to continue SIP profile configuration.
If the embedded SIP server is used as SIP proxy and registration server, you should perform its configuration according to the manual 'SIP server configuration on ESR series routers: ESR-12V, ESR-12VF, ESR-14VF'.
Configure a SIP domain:
esr(config-sip-profile)# sip-domain address sipdomain.com
If it is necessary to use SIP Domain for the registration, use the following command:
esr(config-sip-profile)# sip-domain registration enable
In this configuration all calls will be directed to SIP proxy server. If it is necessary to specify another direction for outgoing calls, you should perform the following:
Create a numbering plan, see section Dial plan configuration example.
Next, assign the created dial plan to the SIP profile:
esr(config)# sip profile 1
esr(config-sip-profile)# dialplan pattern firstDialplan
This completes the configuration of a dial plan for SIP profile.
Enable SIP profile:
esr-12v(config-sip-profile)# enable
This completes the baseline configuration of SIP profile:
esr(config-sip-profile)# exit
The next step is to configure subscriber ports:
esr(config)# interface voice-port 1
Specify a subscriber number:
esr(config-voice-port-fxs)# sip user phone 4101
Specify a displayed name:
esr(config-voice-port-fxs)# sip user display-name user-one
Used SIP profile:
esr(config-voice-port-fxs)# profile sip 1
Configure login and password for authentication:
esr(config-voice-port-fxs)# authentication name login-4101
esr(config-voice-port-fxs)# authentication password superpassword
This completes the baseline configuration of a subscriber port:
esr(config-voice-port-fxs)# exit
Dial plan configuration example
Objective:
Configure a dial plan in such a manner that calls to local numbers (connected to the given ESR-12V) are switched locally and calls to all other directions – through SIP proxy.
Solution:
Create a dial plan:
esr(config)# dialplan pattern firstDialplan
Dial plan is specified by regular expressions:
esr(config-dial-ruleset)# pattern "<regular expressions>"
For the objective mentioned above, the '<regular expressions>' is given by:
"S5, L5 (410[1-3]@{local} | [xABCD*#].S)"
where:
410[1-3]@{local} – calls to 4101, 4102, 4103 numbers will be switched locally;
[xABCD*#].S – calls to all other numbers will be directed to SIP proxy.
Enable the dial plan:
esr(config-dial-ruleset)# enable
Dial plan configuration is finished.
esr(config-dial-ruleset)# exit
Regular expression structure:
Sxx, Lxx ( ),
where:
xx – random values of S and L timers;
() – dialplan limits.
A dial plan is written as a sequence of designators for the dialled digits. A dialled digit sequence is recorded using several designations: the digits dialled on the telephone keypad: 0, 1, 2, 3, …, 9, # and *.
The use of # character in dial plan can block the completion of dialling with this key!
A bracketed sequence of digits corresponds to any one of the bracketed characters.
- Example: ([1239]) – corresponds to any of the digits 1, 2, 3 or 9.
You may specify a hyphenated range of characters. Usually it is used inside the square brackets.
- Example 1: (1-5) – any digit from 1 to 5.
- Example 2: ([1-39]) – the example from the previous item in another notation.
The 'X' character corresponds to any digit from 0 to 9.
- Example: (1XX) – any three-digit number starting with 1.
'.' – repeating the previous character from 0 to infinity times.
'+' – repeating the previous character from 1 to infinity times.
{a,b} – repeating the previous character from a to b times;
{a,} – repeating the previous character a or more times;
{,b} – repeating the previous character b or fewer times.
- Example: (810X.) – international number with any number of digits.
Settings influencing the dial plan processing:
- Interdigit Long Timer (letter 'L' in the dial plan entry) – timeout to enter the next digit if there are no templates matching the dialled combination;
- Interdigit Short Timer (letter 'S' in the dial plan entry) – timeout to enter the next digit if at least one pattern completely matches the dialled combination and there is at least one more pattern that would match only after further digits are dialled.
Additional features:
- Replacement of a dialled sequence
Syntax: <arg1:arg2>
This feature replaces a dialled sequence with any other sequence of characters; either argument may be empty.
- Example: (<83812:> XXXXXX) – this entry corresponds to the dialled digits 83812, but that sequence will be omitted and will not be transmitted to the SIP server.
- Insert a tone in the set
For long-distance access (for city access in case of an office PBX), it is common to hear a ringback; this may be implemented by inserting a comma in the sequence of digits.
- Example: (8, 770) – when dialling the number 8770, the digit 8 will be followed by a continuous tone.
- Number dialling deny
If the '!' symbol is added at the end of a pattern, dialling of numbers corresponding to the template will be blocked.
- Example: (8 10X xxxxxxx ! | 8 xxx xxxxxxx ) – the expression allows dialling only intercity numbers and excludes international calls.
- Replacement of number dialling timers values
Timer values can be assigned both to a whole dial plan and to a certain template. 'S' sets the «Interdigit Short Timer» and 'L' sets the «Interdigit Long Timer». Timer values apply to all templates in a dial plan if they are listed before the opening parenthesis.
- Example: S4 (8XXX.) or S4,L8 (XXX)
If these values are listed in one sequence only, they are effective only for that sequence. In this case it is not necessary to put a colon between the key and the timeout value, and the value can be located anywhere in the template.
- Example: (S4 8XXX. | XXX) or ([1-5] XX S0) – the latter entry triggers instant call transmission when a three-digit number starting with 1, 2, ..., 5 is dialled.
- Dialling via direct address (IP Dialing)
The “@” character put after the number means that the address of the server to which the call with the dialled number will be sent is specified next. We recommend using IP Dialling together with receiving and sending calls without registration ('Call Without Reg', 'Answer Without Reg'); this can help in case of a server failure.
In addition, the format of address with IP Dialing can be used in numbers intended to forward calls.
- Example 1: ( 8 xxx xxxxxxx ) – 11-digit number, starting with 8.
- Example 2: ( 8 xxx xxxxxxx | <:8495> xxxxxxx ) – 11-digit number, starting with 8; if 7-digit number was entered, add 8495 to the number being transmitted.
- Example 3: (0[123] | 8 [2-9]xx [2-9]xxxxxx) – emergency service numbers dialling as well as unusual dialling of long-distance call numbers.
- Example 4: (S0 <:82125551234>) – shortcut dialing of a specified number, analogy of the «Hotline» mode on other gateways.
- Example 5: (S5 <:1000> | xxxx) – the given dial plan allows to dial any number consisting of digits; if nothing is entered during 5 seconds, call number 1000 (let it be a secretary).
- Example 6: (8, 10x.|1xx@10.110.60.51:5060) – the given dial plan allows dialling numbers starting with 810 and containing at least one digit after “810”. After entering 8, the “station response” signal will be returned. Three-digit numbers starting with “1” can also be dialled; the INVITE for them will be sent to IP address 10.110.60.51, port 5060.
- Example 7: (S3 *xx#|#xx#|#xx#|*xx*x+#) – management and the use of VAS.
Local calls inside the device may be required in some cases. If the device's IP address is not known or changes periodically, it is convenient to use the reserved word {local} as the server address, which means sending the corresponding sequence of digits to the device's own address.
- Example: (123@{local}) – a call to 123 will be processed locally inside the device.
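The following is an added example and not Eltex code: a small Python model of the dial-plan syntax described above, written to show how a dialled digit string is matched against a plan, which alternative wins, what number is actually transmitted after a <arg1:arg2> replacement, where it goes (SIP proxy, {local}, or an explicit host:port), and whether the S or L timer would be consulted. The reading of the syntax it implements is taken from the text of this section: x/X is any digit, '.', '+' and {a,b} quantify the previous atom, a trailing '!' denies the number, S/L tokens carry timer values and match no digits, and ',' only inserts a tone. How the device itself implements matching is not described on this page, so the device-internal behaviour (in particular the exact timer handling, which is only reported here, not simulated) is an assumption of the model.

```python
# Added example (not Eltex code): a small model of the dial-plan syntax described above, to
# show how a dialled digit string is classified against a plan. Assumptions: x/X is any digit;
# '.', '+' and {a,b} quantify the previous atom; '<a:b>' at the start of an alternative
# replaces prefix a by b; '@host[:port]' names the destination ('{local}' = this device);
# a trailing '!' denies the number; S/L tokens carry timer values and match no digits;
# ',' only inserts a tone. Interdigit timers are reported, not simulated.
import re
from functools import lru_cache

DIGITS, INF = frozenset("0123456789"), float("inf")

def _charset(spec):
    # Expand the inside of [...] such as '1-39' or 'xABCD*#' into a set of dialable characters.
    out, i = set(), 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":           # range a-b
            out.update(chr(k) for k in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            out |= DIGITS if spec[i] in "xX" else {spec[i]}
            i += 1
    return frozenset(out)

def _tokenize(body):
    """Turn the matching part of one alternative into (charset, min, max) atoms."""
    tokens, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "[":
            j = body.index("]", i)
            cs, i = _charset(body[i + 1:j]), j + 1
        elif c.isdigit() and body[i + 1:i + 2] == "-" and body[i + 2:i + 3].isdigit():
            cs, i = _charset(body[i:i + 3]), i + 3                # bare range such as 1-5
        elif c in "xX0123456789*#ABCD":
            cs, i = _charset(c), i + 1
        else:
            raise ValueError(f"unsupported character {c!r} in {body!r}")
        mn, mx, q = 1, 1, body[i:i + 1]
        if q and q in ".+":                                        # '.' = 0..inf, '+' = 1..inf
            mn, mx, i = (0 if q == "." else 1), INF, i + 1
        elif q == "{":                                             # {a,b}, {a,}, {,b}
            j = body.index("}", i)
            a, b = body[i + 1:j].split(",")
            mn, mx, i = int(a or 0), (int(b) if b else INF), j + 1
        tokens.append((cs, mn, mx))
    return tokens

def _parse_alt(text):
    deny = (text := text.strip()).endswith("!")
    body, _, dest = text.rstrip("! ").partition("@")
    timers = {k: int(v) for k, v in re.findall(r"([SL])(\d+)", body)}  # read before spaces go
    body = re.sub(r"[SL]\d*", "", body).replace(" ", "")
    body = re.sub(r",(?![^{]*})", "", body)                      # tone marker unless inside {a,b}
    m = re.match(r"<([^:>]*):([^>]*)>", body)
    repl = (m.group(1), m.group(2)) if m else ("", "")
    return {"tokens": _tokenize(repl[0] + body[m.end() if m else 0:]), "deny": deny,
            "dest": dest.strip() or "proxy", "timers": timers, "repl": repl}

def parse_dialplan(plan):
    # Split 'S5, L5 ( a | b )' into global timers and a list of parsed alternatives.
    plan = plan.strip().strip('"“”')
    head, sep, rest = plan.partition("(")
    inner = rest.rsplit(")", 1)[0] if sep else head
    timers = {k: int(v) for k, v in re.findall(r"([SL])\s*(\d+)", head)} if sep else {}
    return timers, [_parse_alt(a) for a in inner.split("|")]

def _match(tokens, s):
    """Return (full, partial): s is a complete match / a proper prefix of a longer match."""
    n = len(s)
    @lru_cache(None)
    def go(ti, si):
        if ti == len(tokens):
            return si == n, False
        cs, mn, mx = tokens[ti]
        full, partial, k = False, False, 0
        while True:
            if k >= mn:
                f, p = go(ti + 1, si + k)
                full, partial = full or f, partial or p
            if si + k >= n:                     # input exhausted: atom could still take more
                return full, partial or k < mx
            if k == mx or s[si + k] not in cs:
                return full, partial
            k += 1
    return go(0, 0)

def route(plan, dialed):
    """Classify a dialled string: complete / incomplete / denied / no match, number sent, where."""
    gtimers, alts = parse_dialplan(plan)
    chosen, partial_any = None, False
    for alt in alts:
        full, partial = _match(alt["tokens"], dialed)
        partial_any = partial_any or partial
        chosen = chosen or (alt if full else None)       # first complete match wins
    if chosen is None:
        return {"state": "incomplete" if partial_any else "no match", "wait": gtimers.get("L") if partial_any else None}
    if chosen["deny"]:
        return {"state": "denied", "number": dialed}
    frm, to = chosen["repl"]
    return {"state": "complete", "number": to + dialed[len(frm):], "dest": chosen["dest"],
            "wait": chosen["timers"].get("S", gtimers.get("S")) if partial_any else None}
```

Calling route('S5, L5 (410[1-3]@{local} | [xABCD*#].S)', "4102") returns a complete match routed to {local} with the S timer (5 s) still applicable, because the catch-all alternative could still accept more digits; "4105" goes to the proxy instead. With the deny example from this section, route("(8 10X xxxxxxx ! | 8 xxx xxxxxxx )", "81012345678") reports "denied" while an 11-digit intercity number is accepted. The "wait" value is the timer the text says applies: S when a complete match coexists with a still-open pattern, L when nothing matches completely yet.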
FXO port configuration
Objective:
Add the ability to make a call to PSTN subscriber through the ESR-12V FXO port.
Solution:
Enable FXO port:
esr(config)# interface voice-port 4
Specify FXO port number same as PSTN access prefix:
esr(config-voice-port-fxo)# sip user phone 9
Specify UDP port from which and to which the FXO set will send and receive SIP messages:
esr(config-voice-port-fxo)# sip port 5064
Specify a displayed name:
esr(config-voice-port-fxo)# sip user display-name user-one
Configure login and password for authentication:
esr(config-voice-port-fxo)# authentication name login-9
esr(config-voice-port-fxo)# authentication password superpassword
Assign SIP profile to FXO port:
esr(config-voice-port-fxo)# profile sip 1
Enable the number transmission to PSTN:
esr(config-voice-port-fxo)# pstn transmit-number
Disable prefix transmission:
esr(config-voice-port-fxo)# no pstn transmit-prefix
For outgoing calls to work, you need to specify the following rule in the dial plan settings, which means that outgoing calls to numbers with prefix 9 are routed locally to the FXO set:
9x.@{local}:5064
This completes the baseline configuration of outgoing calls to PSTN. To make a call to PSTN, you should dial the callee number with the specified prefix (FXO set phone number).
To receive calls from PSTN, you should select the subscriber that will receive all calls from PSTN, let it be a subscriber with number 305.
Enable the “Hotline PSTN to IP” service:
esr(config-voice-port-fxo)# hotline ipt
Number of the subscriber that will receive calls from PSTN:
esr(config-voice-port-fxo)# hotline number ipt 305
Integrity check
Integrity check involves checking the integrity of stored executable files.
Configuration process
Step | Description | Command | Keys |
---|---|---|---|
1 | Launch system integrity check | esr# verify filesystem | detailed – detailed information output to the console. |
Configuration example
Objective:
Check file system integrity:
Solution:
Main configuration step:
Launch integrity check
esr# verify filesystem
Filesystem Successfully Verified
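The page does not describe how 'verify filesystem' is implemented, so the following is an added illustration, not Eltex code: a manifest-based integrity check over a constructed in-memory set of executables. It shows the two things any such check has to do: compare a digest of every stored executable against a trusted manifest, and establish trust in the manifest itself, here with an HMAC under a verifier key that someone able to rewrite files on flash is assumed not to hold (that key handling, the file names and the file contents are all constructed for this example).

```python
# Added example (not Eltex code; the document does not describe how 'verify filesystem' is
# implemented): a manifest-based integrity check over a constructed in-memory file set. It
# shows what such a check needs: a digest per stored executable compared against a trusted
# manifest, and a way to trust the manifest itself, here an HMAC under a key that an attacker
# who can rewrite files on flash is assumed not to hold (an assumption of this model).
import hashlib
import hmac
import json

def build_manifest(files):
    """Map each file name to the SHA-256 of its content; files is {name: bytes}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}

def sign_manifest(manifest, key):
    """Canonical JSON of the manifest plus an HMAC-SHA256 tag over it."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_filesystem(files, signed_manifest, key):
    """Return a list of findings; an empty list corresponds to 'Filesystem Successfully Verified'."""
    blob, tag = signed_manifest
    if not hmac.compare_digest(hmac.new(key, blob, hashlib.sha256).hexdigest(), tag):
        return ["manifest: signature mismatch, file digests not trusted"]
    manifest = json.loads(blob)
    findings = []
    for name, digest in manifest.items():
        if name not in files:
            findings.append(f"{name}: missing")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            findings.append(f"{name}: digest mismatch")
    findings.extend(f"{name}: not in manifest" for name in sorted(files) if name not in manifest)
    return findings

# Constructed sample: a tiny "file system" of executables and the key held by the verifier.
KEY = b"constructed-verifier-key"
GOOD_FILES = {"bin/esrd": b"\x7fELF...router daemon...", "bin/sshd": b"\x7fELF...ssh server..."}
SIGNED = sign_manifest(build_manifest(GOOD_FILES), KEY)

def demo():
    """Run the check against the clean set, a modified binary, and a re-signed manifest under the wrong key."""
    modified = dict(GOOD_FILES, **{"bin/sshd": b"\x7fELF...ssh server (modified)..."})
    forged = sign_manifest(build_manifest(modified), b"wrong-key")
    return {"clean": verify_filesystem(GOOD_FILES, SIGNED, KEY),
            "modified": verify_filesystem(modified, SIGNED, KEY),
            "forged_manifest": verify_filesystem(modified, forged, KEY)}

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "Filesystem Successfully Verified")
```

The third case is the reason the manifest is authenticated: without a key the verifier does not hold in common with the file store, a modified binary and a recomputed manifest would pass together.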
Router configuration file archiving
ESR routers have the option of local and/or remote configuration file copying by timer or when applying the configuration.
Configuration process
Step | Description | Command | Keys |
---|---|---|---|
1 | Switch to the configuration file backup mode. | esr(config)# archive | |
2 | Set router configuration backup type | esr(config-archive)# type <TYPE> | <TYPE> – type of the router configuration backup. Takes the following values: Default value: remote |
3 | Enable timer configuration backup mode | esr(config-archive)# auto | |
4 | Enable configuration backup after each successful configuration application | esr(config-archive)# by-commit | |
5 | Specify a path for remote copying of the router configuration | esr(config-archive)# path <PATH> | <PATH> – defines the protocol, server address, location and prefix of the file name on the server |
6 | Set a period of time for automatic configuration backup (optional, relevant only for auto mode) | esr(config-archive)# time-period <TIME> | <TIME> – periodicity of automatic backup of the configuration, takes the value in minutes [1..35791394]. |
7 | Set the maximum number of locally saved configuration backups | esr(config-archive)# count-backup <NUM> | <NUM> – the maximum number of locally saved configuration backups. Takes values in the range of [1..100]. |
Configuration example
Objective:
Configure local and remote backup of the router configuration once a day and upon successful configuration change. Remote copies should be sent to the tftp server 172.16.252.77 in the esr-example subfolder. The maximum number of local copies is 30.
Solution:
For remote configuration archiving to work, there must be IP connectivity between the router and the server, tftp traffic must be permitted on the network, and the server must allow files to be written.
Main configuration step:
Switch to the configuration backup mode:
esr# configure
esr(config)# archive
Set local and remote configuration backup mode:
esr(config-archive)# type both
Configure the path for remote configuration backups and the maximum number of local backups:
esr(config-archive)# path tftp://172.16.252.77:/esr-example/esr-example.cfg
esr(config-archive)# count-backup 30
Set the interval for the configuration backup if there are no changes:
esr(config-archive)# time-period 1440
Enable archiving of router configuration by timer and upon successful configuration change:
esr(config-archive)# auto
esr(config-archive)# by-commit
After this configuration is applied, once a day and after each successful change of the router configuration a configuration file named 'esr-exampleYYYYMMDD_HHMMSS.cfg' will be sent to the tftp server. A file named 'config_YYYYMMDD_HHMMSS' will also be created on the router itself in the flash:backup/ section. When 30 files have accumulated in flash:backup/, the oldest one is deleted when a new one is created.
Frequently asked questions
- Receiving of routes configured in a VRF via BGP and/or OSPF fails. The neighbourship is established, but installing the routes in the RIB is denied:
%ROUTING-W-KERNEL: Can not install route. Reached the maximum number of BGP routes in the RIB
Allocate RIB resources for the VRF (0 by default). Do it in VRF configuration mode:
esr(config)# ip vrf <NAME>
esr(config-vrf)# ip protocols ospf max-routes 12000
esr(config-vrf)# ip protocols bgp max-routes 1200000
esr(config-vrf)# end
- SSH/Telnet sessions that go through the ESR router are being closed.
Configure transmission of keepalive packets in order to keep the session active. The keepalive option is configured on the SSH client, for instance in the "Connection" section of the PuTTY client.
It is also possible to set the time after which inactive TCP sessions are closed (1 hour in the example):
esr(config)# ip firewall sessions tcp-estabilished-timeout 3600
- Firewall was disabled on an interface (ip firewall disable). After the interface was added to a security zone, 'ip firewall disable' was removed from the configuration and the changes were applied, but access for the active sessions from that port was not closed according to the security zone-pair rules.
Changes in the Firewall configuration apply only to new sessions; active Firewall sessions are not reset. You can clear the active firewall sessions with the following command:
esr# clear ip firewall session
- LACP does not launch on XG ports of ESR-1000/1200/1500/1510/1700
Port-channel is in speed 1000M mode by default. Enable speed 10G mode:
esr(config)# interface port-channel 1
esr(config-port-channel)# speed 10G
- How to clear ESR configuration completely and reset it to factory default?
Copy the blank configuration to candidate-config and apply it to running-config.
esr# copy system:default-config system:candidate-config
Reset to factory defaults is done in the same way.
esr# copy system:factory-config system:candidate-config
- How to attach sub-interface to created VLAN?
When a sub-interface is created, the VLAN is created and attached automatically (the sub-interface index maps directly to the VLAN ID).
esr(config)# interface gigabitethernet 1/0/1.100
Information messages are shown after applying:
2016-07-14T012:46:24+00:00 %VLAN: creating VLAN 100
- Do the ESR-series routers have features for traffic analysis?
Traffic analysis from the CLI is supported on ESR-series routers. A packet sniffer is launched by the monitor command.
esr# monitor gigabitethernet 1/0/1
- How to configure an ip prefix-list for 0.0.0.0/0?
An example of prefix-list configuration is shown below. The configuration allows reception of the default route.
esr(config)# ip prefix-list eltex
esr(config-pl)# permit default-route
- A problem with asymmetric traffic transmission occurs.
In the case of asymmetric routing, the Firewall drops "incorrect" ingress traffic (packets that neither open a new connection nor belong to an established one) for security reasons.
An allow rule in the Firewall does not solve the problem.
The Firewall must be disabled on the ingress interface. Note that this removes stateful filtering for all traffic entering through that interface, not only for the asymmetric flows.
esr(config-if-gi)# ip firewall disable
- How to save the local copy of the router configuration?
If you need to copy the current running or candidate configuration on the router itself, you can use the copy command specifying "system:running-config" or 'system:candidate-config' as the copy source, and the file in the 'flash:data/' section as the copy destination.
esr# copy system:candidate-config flash:data/temp.txt
Also, it is possible to copy previously saved configuration files (automatically from the flash:backup/ section or manually from the flash:data/ section) to the candidate configuration:
esr# copy flash:data/temp.txt system:candidate-config
esr# copy flash:backup/config_20190918_164455 system:candidate-config
TECHNICAL SUPPORT
For technical assistance in issues related to operation of Eltex Ltd. equipment, please contact the Service Centre:
29v Okruzhnaya st., Novosibirsk, Russian Federation, 630020
Feedback form on the site: http://eltex-co.com/support/
E-mail: techsupp@eltex.nsk.ru
Visit Eltex official website to get the relevant technical documentation and software, benefit from our knowledge base, send us online request or consult a Service Centre Specialist in our technical forum.
Official website: http://eltex-co.com/
Technical forum: http://eltex-co.ru/forum
Knowledge base: https://docs.eltex-co.ru/display/EKB/Eltex+Knowledge+Base
Downloads: http://eltex-co.com/support/downloads