Introduction
Abstract
Today, large-scale communication network development projects are becoming increasingly common. One of the main tasks in implementing large multiservice networks is the creation of a reliable, high-performance transport network that serves as the backbone in the multilayer architecture of next-generation networks.
ESR series firewalls can be used in large enterprise networks, SMB networks and operator networks. The devices provide high performance and bandwidth, and feature protection of transmitted data.
This operation manual describes intended use, specifications, features, design, installation, first-time setup, and firmware update guidelines for the ESR series service router (hereinafter, the router or the device).
Target Audience
This user manual is intended for technical personnel who perform device installation, configuration and monitoring via the command line interface (CLI), as well as system maintenance and firmware update procedures. Qualified technical personnel should be familiar with the basics of TCP/IP protocol stack operation and Ethernet network design concepts.
Notes and warnings
Notes contain important information, tips or recommendations on device operation and setup.
Warnings inform users about hazardous conditions which may cause injuries or device damage and may lead to the device malfunctioning or data loss.
Product Description
Purpose
ESR series devices are high-performance multi-purpose network routers. The device combines traditional network features with a complex multi-tier approach to routing security, and ensures robust protection of the corporate environment.
The device has a built-in firewall that protects your network environment and that of your organization, and supports the latest data security, encryption, authentication and anti-intrusion features.
The device contains software and hardware means of data processing. Top performance is achieved through optimal distribution of data processing tasks between different subsets of the device.
Functions
Interfaces functions
Table 1 lists interface functions of the device.
Table 1 – Device interface functions
Cable connection polarity detection (Auto MDI/MDIX) | Automatic cable type detection: crossed or straight. |
Back pressure routing support (Back pressure) | The backpressure routing method is used in half-duplex connections to manage data streams coming from the opposite devices by means of collisions. This method helps avoid buffer overruns and loss of data. |
Flow control (IEEE 802.3X) | Flow control makes it possible to interconnect low-speed and high-speed devices. To avoid buffer overrun, the low-speed device is able to send PAUSE packets that force the high-speed device to pause packet transmission. |
Link aggregation (LAG) | Link aggregation increases the bandwidth and robustness of the communication link. The router supports static and dynamic link aggregation. For dynamic aggregation, link group management is performed via the LACP protocol. |
Functions for MAC address processing
Table 2 lists MAC address processing functions of the device.
Table 2 – MAC address processing functions
Table of MAC addresses | MAC address table sets the correspondence between MAC addresses and device interfaces and is used for data packet routing. Routers support table capacity up to 128K of MAC addresses and reserve specific MAC addresses for the system use. |
Learning mode | The MAC address table may contain either static addresses or addresses learnt as data packets transit the device. Learning involves registering packet source MAC addresses together with their binding to ports and VLANs. Afterwards, this data is used for incoming packet routing. The lifetime of a registered MAC address is limited. The administrator may adjust this setting. If the destination MAC address specified in a packet received by the device is not listed in the table, the packet is sent further as a broadcast packet within the L2 segment of the network. |
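The learning behaviour described in Table 2, modelled as an added example (it is not part of the manual and is not the device's own code): source addresses are bound to a port and VLAN, learnt entries age out, static entries persist, and a frame to an unknown destination is flooded within its VLAN. The 300-second lifetime, the port names and the MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    seen_at: float          # time the source address was last seen
    static: bool = False    # static entries are never aged out or relearnt


class MacTable:
    def __init__(self, vlan_ports, age_limit=300.0):
        # vlan_ports: {vlan_id: set of member ports} (constructed topology)
        self.vlan_ports = vlan_ports
        # Entry lifetime in seconds; 300 is an assumed value, the manual only
        # says the lifetime is limited and adjustable by the administrator.
        self.age_limit = age_limit
        self.entries = {}   # (vlan, mac) -> Entry

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac.lower())] = Entry(port, 0.0, static=True)

    def _expire(self, now):
        # Drop learnt entries whose lifetime has run out.
        for key in [k for k, e in self.entries.items()
                    if not e.static and now - e.seen_at > self.age_limit]:
            del self.entries[key]

    def receive(self, vlan, in_port, src, dst, now):
        """Process one frame and return the sorted list of egress ports."""
        self._expire(now)
        # Learning: bind the source MAC to the ingress port and VLAN.
        src_key = (vlan, src.lower())
        known = self.entries.get(src_key)
        if known is None or not known.static:
            self.entries[src_key] = Entry(in_port, now)
        # Forwarding: known destination goes to one port, unknown is flooded
        # to every other member port of the same VLAN (the L2 segment).
        hit = self.entries.get((vlan, dst.lower()))
        if hit is None:
            return sorted(self.vlan_ports[vlan] - {in_port})
        return [] if hit.port == in_port else [hit.port]


def demo():
    table = MacTable({10: {"gi1", "gi2", "gi3"}, 20: {"gi3", "gi4"}})
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed hosts
    c, s = "00:11:22:33:44:03", "00:11:22:33:44:0f"
    table.add_static(10, s, "gi3")
    return {
        "unknown_dst_flooded": table.receive(10, "gi1", a, b, now=0),
        "reply_uses_learnt_port": table.receive(10, "gi2", b, a, now=1),
        "now_unicast": table.receive(10, "gi1", a, b, now=2),
        "other_vlan_is_separate": table.receive(20, "gi4", c, a, now=3),
        "flooded_again_after_ageing": table.receive(10, "gi1", a, b, now=400),
        "static_entry_survives": table.receive(10, "gi1", a, s, now=400),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: {ports}")
```

The flooded cases are the ones worth watching in a capture: every port in the VLAN sees those frames, so an aged-out or never-learnt destination widens who can observe the traffic.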
Second-layer functions of OSI model
Table 3 lists second-layer functions and special aspects (OSI Layer 2).
Table 3 – Second-layer functions description (OSI Layer 2)
VLAN functions | VLAN (Virtual Local Area Network) is a solution used for splitting a network into separate segments on L2 level. Using VLANs increases the operational stability of large networks by splitting them into smaller networks, isolates diversified data traffic by type and solves many other tasks. Routers support various VLAN management methods:
|
Spanning Tree Protocol 1 | The main task of Spanning Tree Protocol is to exclude redundant network links and convert network topology into the tree-like structure. Common areas of protocol application involve the prevention of network traffic loops and establishing of redundant communication links. |
1 In the current firmware version, this functionality is supported only by ESR-1000 router
Third-layer functions of OSI model
Table 4 lists third-layer functions (OSI Layer 3).
Table 4 – Third-layer functions description (OSI Layer 3)
Static IP routes | Administrator of the router can add or remove static entries into/from the routing table. |
Dynamic routing | With dynamic routing protocols, the device will be able to exchange the routing information with neighbouring routers and automatically create a routing table. Router supports the following protocols: RIP, OSPFv2, OSPFv3, BGP. |
ARP table | ARP (Address Resolution Protocol) is a protocol used for resolution of the network and data-link layer addresses. ARP table contains information on the established correspondence. Correspondence is established on the basis of the network device response analysis; device addresses are requested with broadcast packets. |
DHCP client | DHCP (Dynamic Host Configuration Protocol) enables automation of the network device management process. The DHCP client allows the router to obtain its network address and additional settings from an external DHCP server. As a rule, this method is used for obtaining network settings of a public network operator (WAN). |
DHCP server | DHCP server enables automation and centralization of the network device configuration process. DHCP server allocated on a router allows for a complete solution for the local area network support. DHCP server integrated into the router assigns IP addresses to network devices and transfers additional network settings, e.g. server addresses, network gateway addresses and other necessary settings. |
Network Address Translation (NAT) | Network address translation is a mechanism that translates IP addresses and port numbers for transit packets. The NAT function minimizes the quantity of IP addresses used by translating multiple internal network IP addresses into a single external public IP address. NAT conceals the internal structure of the local area network and enhances its security. Routers support the following NAT options:
|
Traffic tunnelling functions
Table 5 – Traffic tunnelling functions
Tunneling protocols | Tunneling is a method of packet conversion during their network transfer that involves the replacement, modification and addition of a new packet network header. This method may be used for negotiation of transport protocols when the data is transferred through the transit network as well as for creation of secured connections where tunnelled data is being encrypted. Routers support the following types of tunnels:
|
Management and configuration functions
Table 6 – Basic management and configuration functions
Configuration file download and upload | Device parameters are saved into the configuration file that contains configuration data for the specific device ports as well as for the whole system. The following protocols may be used for file transfers: TFTP, FTP, and SCP. |
Command Line Interface (CLI) | CLI management is performed locally via the RS-232 serial port, or remotely via Telnet or SSH. The console command line interface (CLI) is the industry standard. The CLI interpreter contains a list of commands and keywords that help the user and reduce the amount of input data. |
Syslog | Syslog protocol is designed for transmission of system event messages and event logging. |
Network utilities: ping, traceroute | Ping and traceroute utilities allow you to check the availability of network devices and identify data transfer routes in IP networks. |
Access control – privilege levels | Routers support system access level management for users. Access levels enable responsibility areas management for device administrators. Access levels are numbered from 1 to 15; Level 15 stands for full access to device management features. |
Authentication | Authentication is a user identity check procedure. Routers support the following authentication methods:
|
SSH server, Telnet server | SSH and Telnet server features allow you to establish a connection to the device and perform device management. |
Automatic configuration restore | The device features an automatic configuration restore system designed to prevent loss of remote access after re-configuration. If the configuration change is not confirmed in the specified time, the configuration is rolled back to the last known state. |
Network security functions
Table 7 lists network security functions of the device.
Table 7 – Network security functions
Security zones | All router interfaces are assigned to security zones. For each zone pair, you can set rules that determine whether data may be transmitted between the zones, as well as data traffic filtering rules. |
Data filtering | For each zone pair, you can specify the rule set that manages the filtering process for data transmitted through the router. The device command interface provides the means for detailed configuration of traffic classification rules and for applying the resulting decision to traffic transmission. |
Main specifications
Table 8 lists main specifications of the router.
Table 8 — Main Specifications
Parameter | Model | Value |
---|---|---|
General parameters | | |
Packet processor | ESR-1700 | Broadcom XLP780 |
Packet processor | ESR-1510 | Broadcom XLP532 |
Packet processor | ESR-1500 | Broadcom XLP516 |
Packet processor | ESR-1200 ESR-1000 | Broadcom XLP316L |
Packet processor | ESR-200 | Broadcom XLP204 |
Packet processor | ESR-100 | Broadcom XLP104 |
Packet processor | ESR-21 ESR-20 | Broadcom NorthStar2 |
Packet processor | ESR-14VF ESR-12V(F) ESR-10 | Broadcom NS+ (BCM58625) |
Interfaces | ESR-1700 | 4 x Ethernet 10/100/1000BASE-T/1000BASE-X Combo, 8 x 10GBASE-R/1000BASE-X (SFP+/SFP) |
Interfaces | ESR-1510 | 4 x Ethernet 10/100/1000BASE-T, 4 x Ethernet 10/100/1000BASE-T/1000BASE-X Combo, 4 x 10GBASE-R/1000BASE-X (SFP+/SFP) |
Interfaces | ESR-1500 | 4 x Ethernet 10/100/1000BASE-T, 4 x Ethernet 10/100/1000BASE-T/1000BASE-X Combo, 4 x 10GBASE-R/1000BASE-X (SFP+/SFP) |
Interfaces | ESR-1200 | 12 x Ethernet 10/100/1000BASE-T, 4 x Ethernet 10/100/1000BASE-T/1000BASE-X Combo, 8 x 10GBASE-R/1000BASE-X (SFP+/SFP) |
Interfaces | ESR-1000 | 24 x Ethernet 10/100/1000BASE-T, 2 x 10GBASE-R/1000BASE-X (SFP+/SFP) |
Interfaces | ESR-200 | 4 x Ethernet 10/100/1000BASE-T/1000BASE-X Combo, 4 x Ethernet 10/100/1000BASE-T |
Interfaces | ESR-100 | 4 x Ethernet 10/100/1000BASE-T/1000BASE-X Combo |
Interfaces | ESR-21 | 8 x Ethernet 10/100/1000BASE-T, 4 x 1000BASE-X (SFP), 3 x RS-232 |
Interfaces | ESR-20 | 2 x Ethernet 10/100/1000BASE-T, 2 x Ethernet 10/100/1000BASE-T/1000BASE-X Combo |
Interfaces | ESR-14VF | 8 x Ethernet 10/100/1000BASE-T, 1 x 1000BASE-X (SFP), 4xFXS |
Interfaces | ESR-12VF | 8 x Ethernet 10/100/1000BASE-T, 1 x 1000BASE-X (SFP), 3xFXS, 1xFXO |
Interfaces | ESR-12V | 8 x Ethernet 10/100/1000BASE-T, 3xFXS, 1xFXO |
Interfaces | ESR-10 | 4 x Ethernet 10/100/1000BASE-T, 2 x 1000BASE-X |
Types of optical transceivers | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 | 1000BASE-X SFP, 10GBASE-R SFP+ |
Types of optical transceivers | ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10 | 1000BASE-X SFP |
Duplex or half-duplex interface modes | | |
Maximum bandwidth in L2 mode (hardware switching) | ESR-1700 ESR-1510 ESR-1500 ESR-1200 | 160 Gbps |
Maximum bandwidth in L2 mode (hardware switching) | ESR-1000 | 88 Gbps |
Data transfer rate | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 | |
Data transfer rate | ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10 | |
MAC table | ESR-1700 ESR-1510 ESR-1500 ESR-1200 | 128k entries |
MAC table | ESR-1000 | 16k entries |
MAC table | ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10 | 2k entries per bridge |
VLAN support | | up to 4k active VLANs according to 802.1Q |
Quantity of L3 interfaces | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-21 ESR-20 | 4000 |
Quantity of L3 interfaces | ESR-14VF ESR-12V(F) ESR-10 | 200 |
Quantity of BGP routes | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 | 2,8M |
Quantity of BGP routes | ESR-200 ESR-100 ESR-21 ESR-20 | 1,5M |
Quantity of BGP routes | ESR-14VF ESR-12V(F) ESR-10 | 800k |
Quantity of OSPF routes | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 | 500k |
Quantity of OSPF routes | ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10 | 300k |
Quantity of RIP routes | | 10k |
Quantity of static routes | | 11k |
FIB size | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 | 1,7M |
FIB size | ESR-200 ESR-100 ESR-21 ESR-20 | 1,5M |
FIB size | ESR-14VF ESR-12V(F) ESR-10 | 800k |
Compliance | | IEEE 802.3 10BASE-T Ethernet; IEEE 802.3u 100BASE-T Fast Ethernet; IEEE 802.3ab 1000BASE-T Gigabit Ethernet; IEEE 802.3z Fiber Gigabit Ethernet; ANSI/IEEE 802.3 speed auto-detection; IEEE 802.3x flow control; IEEE 802.3ad link aggregation (LACP); IEEE 802.1Q virtual local area networks (VLAN); IEEE 802.1v; IEEE 802.3ac; IEEE 802.3ae; IEEE 802.1D; IEEE 802.1w; IEEE 802.1s |
Control | | |
Local control | | CLI |
Remote control | | TELNET, SSH |
Physical parameters and parameters of environment | | |
Power supply | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 | AC: 220V ±20%, 50Hz; DC: -36..-72V; Power options: |
Power supply | ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) | AC: 220V ±20%, 50Hz |
Power supply | ESR-10 | AC: 220V |
Maximum power consumption | ESR-1700 | 250 W |
Maximum power consumption | ESR-1510 ESR-1500 | 160 W |
Maximum power consumption | ESR-1200 | 85 W |
Maximum power consumption | ESR-1000 | 75 W |
Maximum power consumption | ESR-200 | 25 W |
Maximum power consumption | ESR-100 | 20 W |
Maximum power consumption | ESR-21 ESR-20 | 25 W |
Maximum power consumption | ESR-14VF ESR-12V(F) | 27 W |
Maximum power consumption | ESR-10 | 9 W |
Weight | ESR-1700 | 12 kg max |
Weight | ESR-1500 | 7 kg max |
Weight | ESR-1200 | 5.5 kg max |
Weight | ESR-1000 | 3.6 kg max |
Weight | ESR-200 ESR-100 | 2.5 kg max |
Weight | ESR-21 | 3.15 kg max |
Weight | ESR-20 | 2 kg max |
Weight | ESR-14VF ESR-12V(F) ESR-10 | 1 kg max |
Dimensions | ESR-1700 | 440x490x88 mm |
Dimensions | ESR-1510 ESR-1500 | 430x425x44 mm |
Dimensions | ESR-1200 ESR-1000 | 430x352x44 mm |
Dimensions | ESR-200 ESR-100 | 310x240x44 mm |
Dimensions | ESR-21 | 430x225x44 mm |
Dimensions | ESR-20 | 267x212x44 mm |
Dimensions | ESR-14VF ESR-12V(F) | 267x160,5x43,6 mm |
Dimensions | ESR-10 | 185x118x32 mm |
Operating temperature range | ESR-1700 ESR-1510 ESR-1500 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-21 ESR-20 | from -10 to +45 °C |
Operating temperature range | ESR-14VF ESR-12V(F) ESR-10 | from 0 to +40 °C |
Storage temperature range | | from -40 to +70 °C |
Operation relative humidity (non-condensing) | | 80% max. |
Storage relative humidity (non-condensing) | | from 10% to 95% |
Average lifetime | | 10 years |
Design
This section describes the design of the device. It depicts the front, rear, and side panels of the device, its connectors, LED indicators and controls.
The device has a metal housing available for 19” form-factor rack mount; housing size is 1U.
ESR-1700 design
ESR-1700 front panel
The front panel layout is depicted in Figure 1.
Figure 1 – ESR-1700 front panel
Table 9 lists connectors, LEDs and controls located on the front panel of ESR-1700.
Table 9 – Description of ESR-1700 connectors, LEDs and front panel controls
№ | Front panel element | Description |
---|---|---|
1 | HDD1 | Connector for HDD installation. |
2 | HDD2 | Connector for HDD installation. |
3 | USB1 | Port for USB device connection. |
4 | USB2 | Port for USB device connection. |
5 | Combo Ports [1 .. 4] | 4 ports of Gigabit Ethernet 10/100/1000BASE-X (SFP). |
6 | XG1 – XG8 | Slots for 10G SFP+/1G SFP transceivers. |
7 | Status | Current device status LED. |
7 | Alarm | Alarm LED. |
7 | VPN | VPN gateway operation mode LED (is not supported in the current version). |
7 | Flash | Activity of exchange with data storage – SD card or USB Flash. |
7 | Power | Device power LED. |
7 | Master | Failover mode operation LED (is not supported in the current version). |
7 | Fan | Fan operation LED. |
7 | RPS | Redundant power supply LED. |
8 | F | Functional key that reboots the device and resets it to factory default configuration:
|
9 | Console | Console port RS-232 for local management of the device. |
10 | OOB | Ethernet port for router management. |
ESR-1700 rear panel
The rear panel of ESR-1700 is shown in the picture below.
Figure 2 – ESR-1700 rear panel
Table 10 lists rear panel connectors of the router.
Table 10 – Rear panel connectors description
№ | Description |
---|---|
1 | Earth bonding point of the device. |
2 | Hot-swappable removable ventilation modules. |
3 | Main power supply. |
4 | Place for installation of a redundant power supply. |
ESR-1700 side panels
Figure 3 – ESR-1700 right side panel
Figure 4 – ESR-1700 left side panel
Side panels of the device have air vents for heat removal. Do not block air vents. This may cause the components to overheat, which may result in device malfunction. For recommendations on device installation, see section Installation and connection.
ESR-1510, ESR-1500 design
ESR-1510, ESR-1500 front panel
The front panel layout is depicted in Figure 5.
Figure 5 – ESR-1510, ESR-1500 front panel
Table 11 lists connectors, LEDs and controls located on the front panel of ESR-1510 and ESR-1500 routers.
Table 11 – Description of connectors, LEDs and controls located on ESR-1510, ESR-1500 front panel
№ | Front panel element | Description |
---|---|---|
1 | Status | Current device status LED. |
1 | Alarm | Alarm LED. |
1 | VPN | VPN gateway operation mode LED (is not supported in the current version). |
1 | Flash | Activity of exchange with data storage – SD card or USB Flash. |
1 | Power | Device power LED. |
1 | Master | Failover mode operation LED (is not supported in the current version). |
1 | Fan | Fan operation LED. |
1 | RPS | Redundant power supply LED. |
2 | Console | Console port RS-232 for local management of the device. |
3 | OOB | Ethernet port for router management. |
4 | SD | SD-card connector. |
5 | USB1 | Port for USB device connection. |
6 | F | Functional key that reboots the device and resets it to factory default configuration:
|
7 | USB2 | Port for USB device connection. |
8 | Ethernet | 4 ports of Ethernet 10/100/1000BASE-T. |
9 | Combo Ports [1 .. 4] | 4 ports of Gigabit Ethernet 10/100/1000BASE-X (SFP). |
10 | XG1 – XG4 | Slots for 10G SFP+/1G SFP transceivers. |
ESR-1510, ESR-1500 rear panel
The rear panel layout of ESR-1510 and ESR-1500 routers is depicted in figure 6.
Figure 6 – ESR-1510, ESR-1500 rear panel
Table 12 lists rear panel connectors of the router.
Table 12 – Rear panel connectors description
№ | Description |
---|---|
1 | Main power supply. |
2 | Earth bonding point of the device. |
3 | Hot-swappable removable ventilation modules. |
4 | Place for installation of a redundant power supply. |
ESR-1510, ESR-1500 side panels
Figure 7 – ESR-1500, ESR-1510 right side panel
Figure 8 – ESR-1500, ESR-1510 left side panel
Side panels of the device have air vents for heat removal. Do not block air vents. This may cause the components to overheat, which may result in device malfunction. For recommendations on device installation, see section Installation and connection.
ESR-1200, ESR-1000 design
ESR-1200 front panel
The front panel layout of ESR-12V is depicted in figure 9.
Figure 9 – ESR-1200 front panel
Table 13 lists connectors, LEDs and controls located on the front panel of ESR-1200.
Table 13 – Description of connectors, LEDs and controls located on the front panel of ESR-1200
№ | Front panel element | Description |
---|---|---|
1 | SD | SD-card connector. |
2 | USB1 | Port for USB device connection. |
3 | USB2 | Port for USB device connection. |
4 | [1 .. 12] | 12 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). |
5 | Combo Ports | 4 ports of Gigabit Ethernet 10/100/1000BASE-X (SFP). |
6 | XG1 – XG8 | Slots for installation of 10G SFP+/1G SFP transceivers. |
7 | Status | Current device status LED. |
7 | Alarm | Alarm LED. |
7 | HA | HA operation mode indicator. |
7 | Flash | Activity indicator of exchange with data storages (SD-card or USB Flash). |
7 | Power | Device power LED. |
7 | Master | Indicator of failover modes operation. |
7 | Fan | Fan operation LED. |
7 | RPS | Redundant power supply LED. |
8 | F | Functional key that reboots the device and resets it to factory default configuration:
|
9 | Console | Console port RS-232 for local management of the device. |
ESR-1000 front panel
The front panel layout is depicted in figure 10.
Figure 10 – ESR-1000 front panel
Table 14 lists connectors, LEDs and controls located on ESR-1000 front panel.
Table 14 – Description of connectors, LEDs and controls located on ESR-1000 front panel
№ | Front panel element | Description |
---|---|---|
1 | SD | SD-card connector. |
2 | USB1 | Port for USB device connection. |
3 | USB2 | Port for USB device connection. |
4 | XG1, XG2 | Slots for 10G SFP+/1G SFP transceivers. |
5 | [1 .. 24] | 24 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). |
6 | Status | Current device status LED. |
6 | Alarm | Alarm LED. |
6 | VPN | Active VPN sessions indicator. |
6 | Flash | Activity indicator of exchange with data storages (SD-card or USB Flash). |
6 | Power | Device power LED. |
6 | Master | Indicator of failover modes operation. |
6 | Fan | Fan operation LED. |
6 | RPS | Redundant power supply LED. |
7 | F | Functional key that reboots the device and resets it to factory default configuration:
|
8 | Console | Console port RS-232 for local management of the device. |
ESR-1200,1000 rear panel
The rear panel of ESR-1000 is depicted in the figure below.
The figure shows the router delivery package with a single AC power supply.
Figure 11 – ESR-1000 rear panel
Table 15 lists rear panel connectors of the router.
Table 15 – Rear panel connectors description
№ | Description |
---|---|
1 | Main power supply. |
2 | Place for installation of a redundant power supply. |
3 | Hot-swappable removable ventilation modules. |
4 | Earth bonding point of the device. |
ESR-1200, ESR-1000 side panels
Figure 12 – ESR-1200, 1000 right side panel
Figure 13 – ESR-1200, 1000 left side panel
Side panels of the device have air vents for heat removal. Do not block air vents. This may cause the components to overheat, which may result in device malfunction. For recommendations on device installation, see section Installation and connection.
ESR-200, ESR-100 design
ESR-100, ESR-200 front panel
The front panel layout of ESR-200 is depicted in figure 14.
Figure 14 – ESR-200 front panel
The front panel layout of ESR-100 is depicted in figure 15.
Figure 15 – ESR-100 front panel
Table 16 lists connectors, LEDs and controls located on the front panel of ESR-100 and ESR-200 routers.
Table 16 – Description of connectors, LEDs and controls located on ESR-200, ESR-100 front panel
№ | Front panel element | Description |
---|---|---|
1 | SD | SD-card connector. |
2 | USB1, USB2 | 2 x USB-enabled devices connection port. |
3 | [1 .. 4] | 4 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). |
4 | Combo Ports | 4 ports of Gigabit Ethernet 10/100/1000BASE-X (SFP). |
5 | Power | Device power LED. |
5 | Status | Current device status LED. |
5 | Alarm | Alarm LED. |
5 | Fan | Fan operation LED. |
6 | F | Functional key that reboots the device and resets it to factory default configuration:
|
7 | Console | Console port RS-232 for local management of the device. |
8 | 110-250 VAC 60/50 Hz max 1A | Power supply. |
ESR-200, ESR-100 rear panel
The rear panel layout of ESR-100 and ESR-200 routers is depicted in figure 16.
Figure 16 – ESR-200, 100, rear panel
Table 17 lists rear panel connectors of the router.
Table 17 – Rear panel connectors description
№ | Description |
---|---|
1 | Earth bonding point of the device. |
2 | Ventilation module. |
ESR-100, ESR-200 side panels
Figure 17 – ESR-100 and ESR-200 right side panel
Figure 18 – ESR-100 and ESR-200 left side panel
ESR-21 design
The device has a metal housing available for 19” form-factor rack mount; housing size is 1U.
ESR-21 front panel
The front panel layout is depicted in figure 19.
Figure 19 – ESR-21 front panel
Table 18 lists connectors, LEDs and controls located on ESR-21 front panel.
Table 18 – Description of connectors, LEDs and controls located on ESR-21 front panel
№ | Front panel element | Description |
---|---|---|
1 | 220V AC | Power supply |
2 | Power | Device power LED |
2 | Status | Device status LED |
2 | Alarm | Device alarm presence and level LED |
2 | HA | HA operation mode LED (is not supported in the current version) |
3 | F | Functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. |
4 | SD | SD-card connector |
5 | USB1 | USB2.0 connector for connecting external USB devices |
6 | USB2 | USB3.0 connector for connecting external USB devices |
7 | Console | Console port for local management of the device |
8 | RS-232 | 3 serial ports |
9 | [1 .. 8] | 8 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45) |
10 | Optical Port | 4 ports of Gigabit Ethernet 10/100/1000BASE-X (SFP) |
ESR-21 rear panel
The rear panel layout of ESR-21 is depicted in figure 20.
Figure 20 – ESR-21 rear panel
Table 19 lists rear panel connectors of the router.
Table 19 – Rear panel connectors description
№ | Description |
---|---|
1 | Earth bonding point of the device. |
ESR-21 side panels
The side panel layout of ESR-21 is depicted in figures 21 and 22.
Figure 21 – ESR-21 left side panel
Figure 22 – ESR-21 right side panel
ESR-20 design
The device has a metal housing available for 19” form-factor rack mount; housing size is 1U.
ESR-20 front panel
The front panel layout is depicted in figure 23.
Figure 23 – ESR-20 front panel
Table 20 lists connectors, LEDs and controls located on the front panel of ESR-20.
Table 20 – Description of connectors, LEDs and controls located on ESR-20 rear panel
№ | Front panel element | Description |
---|---|---|
1 | 110-250 VAC | Power supply. |
2 | Power | Device power LED. |
2 | Status | Current device status LED. |
2 | Alarm | Alarm LED. |
2 | HA | HA operation mode LED (is not supported in the current version). |
3 | F | Functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. |
4 | Console | Console port for local management of the device. |
5 | SD | SD-card connector. |
6 | USB1 | USB2.0 connector for connecting external USB devices. |
7 | USB2 | USB3.0 connector for connecting external USB devices. |
8 | 1, 2 | 2 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). |
9 | [1 .. 4] | 2 Combo ports of Ethernet 10/100/1000BASE-X/10/100/1000BASE-T. |
ESR-20 rear panel
The rear panel layout of ESR-20 is depicted in figure 24.
Figure 24 – ESR-20 rear panel
Table 21 lists rear panel connectors of the router.
Table 21 – Rear panel connectors description
№ | Description |
---|---|
1 | Earth bonding point of the device. |
ESR-20 side panels
The side panel layout of ESR-20 is depicted in figures 25 and 26.
Figure 25 – ESR-20 left side panel
Figure 26 – ESR-20 right side panel
ESR-12VF, ESR-14VF design
The device has a metal housing available for 19” form-factor rack mount; housing size is 1U.
ESR-12VF, ESR-14VF front panel
The front panel layout is depicted in figure 27.
Figure 27 – ESR-12VF, ESR-14VF front panel
Table 22 lists connectors, LEDs and controls located on the front panel of ESR-12VF and ESR-14VF routers.
Table 22 – Description of connectors, LEDs and controls located on ESR-12VF, ESR-14VF front panel
№ | Front panel element | Description |
---|---|---|
1 | 220V AC | Power supply. |
2 | Power | Device power LED. |
3 | Console | Console port RS-232 for local management of the device. |
4 | F | Functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. |
5 | USB1, USB2 | 2 USB connectors for connecting external USB devices. |
6 | FXO | PSTN external subscriber line LED. |
6 | 1,2,3 | Internal subscriber terminals LED. |
7 | FXO | 1 FXO connector for connection PSTN external subscriber line (only for ESR-12VF). |
8 | FXS 1, FXS 2, FXS 3 | 3 connectors for internal subscriber terminals (for ESR-12VF). |
8 | FXS 1, FXS 2, FXS 3 | 4 connectors for internal subscriber terminals (for ESR-14VF). |
9 | [1 .. 8] | 8 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). |
10 | Optical Port | 1 port of Gigabit Ethernet-100/1000BASE-X (SFP) |
11 | 1.2 | Optical interfaces LED |
ESR-14VF, ESR-12VF rear panel
The rear panel layout of ESR-12VF, ESR-14-VF is depicted in figure 28.
Figure 28 – ESR-12VF, ESR-14VF rear panel
Table 23 lists rear panel connectors of the router.
Table 23 – Rear panel connectors description
№ | Description |
---|---|
1 | Earth bonding point of the device. |
ESR-12VF, ESR-14VF side panels
The side panel layout of ESR-12VF, ESR-14VF is depicted in Figures 29 and 30.
Figure 29 – ESR-12VF, ESR-14VF left side panel
Figure 30 – ESR-12VF, ESR-14VF right side panel
ESR-12V design
The device has a metal housing available for 19” form-factor rack mount; housing size is 1U.
ESR-12V front panel
The front panel layout of ESR-12V is depicted in figure 31.
Figure 31 – ESR-12V front panel
Table 24 lists connectors, LEDs and controls located on the front panel of ESR-12VF router.
Table 24 – Description of connectors, LEDs and controls located on ESR-12V front panel
№ | Front panel element | Description |
---|---|---|
1 | 220V AC | Power supply. |
2 | Power | Device power LED. |
3 | Console | Console port RS-232 for local management of the device. |
4 | F | Functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. |
5 | USB1, USB2 | 2 USB connectors for connecting external USB devices. |
6 | FXO | PSTN external subscriber line LED. |
6 | 1,2,3 | Internal subscriber terminals LED. |
7 | FXO | 1 FXO connector for connection PSTN external subscriber line. |
8 | FXS 1, FXS 2, FXS 3 | 3 connectors for internal subscriber terminals. |
9 | [1 .. 8] | 8 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). |
ESR-12V rear panel
The rear panel layout of ESR-12V is depicted in figure 32.
Figure 32 – ESR-12V rear panel
Table 25 lists rear panel connectors of the router.
Table 25 – Rear panel connectors description
№ | Description |
---|---|
1 | Earth bonding point of the device. |
ESR-12V side panels
The side panel layout of ESR-12V is depicted in figures 33 and 34.
Figure 33 – ESR-12V left side panel
Figure 34 – ESR-12V right side panel
ESR-10 design
ESR-10 rear panel
The rear panel layout of the device is depicted in figure 35.
Figure 35 – ESR-10 rear panel
Table 26 lists connectors, LEDs and controls located on the rear panel of ESR-10.
Table 26 – Description of connectors, LEDs and controls located on ESR-10 rear panel
№ | Front panel element | Description |
---|---|---|
1 | ON/OFF | Power on/off button |
2 | 12V DC | Connector for power adapter connection |
3 | Console | RS-232 console port for local management of the device |
4 | USB1, USB2 | 2 USB connectors for connecting external USB devices |
5 | [1 .. 4] | 4 ports of Gigabit Ethernet – 10/100/1000BASE-T (RJ-45) |
6 | Optical Ports | 2 ports of Gigabit Ethernet-100/1000BASE-X (SFP) |
ESR-10 side panels
The side panel layout of ESR-10 is depicted in figure 36.
Figure 36 – ESR-10 side panel
Table 27 lists right panel controls of the router.
Table 27 – Right panel connectors description
№ | Side panel element | Description |
---|---|---|
1 | F | Functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. |
ESR-10 top panel
The top panel layout of ESR-10 is depicted in figure 37.
Figure 37 – ESR-10 top panel
Table 28 lists LEDs located on ESR-10 top panel.
Table 28 – Description of top panel LEDs
№ | Top panel element | Description |
---|---|---|
1 | Power | Device power and operation status LED |
2 | - | The LED is not used |
3 | USB1, USB2 | External USB devices LED |
4 | [1 .. 4] | Ethernet ports LED |
5 | [5 .. 6] | Optical interfaces LED |
Light Indication
ESR-1700, ESR-1510, ESR-1500, ESR-1200, ESR-1000 light indication
Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Location of the copper interface LEDs is depicted in figure 38. SFP interface status is represented by two LEDs – RX/ACT and TX/ACT – depicted in figure 39. For light indication meaning, see Tables 29 and 30 respectively.
Figure 38 – Location of RJ-45 connector indicators
Figure 39 – Location of optical interface indicators
Table 29 – Light indication of copper interface status
SPEED indicator light | LINK/ACT indicator light | Ethernet interface state |
---|---|---|
Off | Off | The port is disabled or connection is not established. |
Off | Solid on | 10Mbps or 100Mbps connection is established. |
Solid on | Solid on | 1000Mbps connection is established. |
X | Flashes | Data transfer is in progress. |
Table 30 – Light indication of SFP/SFP+ interface status
RX/ACT indicator light | TX/ACT indicator light | Ethernet interface state |
---|---|---|
Off | Off | The port is disabled or connection is not established. |
Solid on | Solid on | Connection established. |
Flashes | X | Data reception in progress. |
X | Flashes | Data transfer is in progress. |
The following table lists description of system indicator statuses and meanings.
Table 31 – Status of system indicators
Indicator name | Indicator function | LED State | Device State |
---|---|---|---|
Status | Current device status LED. | Green | Device is in normal operation state. |
Status | Current device status LED. | Orange | Device is booting up the software. |
Alarm | Alarm LED. | - | - |
VPN | Active VPN sessions indicator. | - | - |
Flash | Data storage activity indicator: SD card or USB Flash. | Orange | Read/write operation execution with 'copy' command. |
Power | Device power LED. | Green | Device power is OK. Main power supply, if installed, is operational. |
Power | Device power LED. | Orange | Main power supply failure, fault, or the primary network is missing. |
Power | Device power LED. | Off | Device internal power supply failure. |
Master | Indicator of failover modes operation. | - | - |
Fan | Cooling fan status. | Off | All fans are operational. |
Fan | Cooling fan status. | Red | One or more fans have failed. Possible cause of failure: at least one of the fans has stopped or is working at lower rpm. |
RPS | Backup power supply operation mode. | Green | Backup power supply is installed and operational. |
RPS | Backup power supply operation mode. | Off | Backup power supply is not installed. |
RPS | Backup power supply operation mode. | Red | Backup power supply is missing or failed. |
ESR-200/ESR-100 light indication
Gigabit Ethernet copper interface and SFP interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Location of the copper interface LEDs is depicted in figure 38. SFP interface status is depicted in figure 40. For light indication meaning, see Table 32.
Figure 40 – Location of optical interface indicators
Table 32 – Light indication of copper and SFP interface status
SPEED indicator light | LINK/ACT indicator light | Ethernet interface state |
---|---|---|
Off | Off | The port is disabled or connection is not established. |
Off | Solid on | 10Mbps or 100Mbps connection is established. |
Solid on | Solid on | 1000Mbps connection is established. |
X | Flashes | Data transfer is in progress. |
The following table lists description of system indicator statuses and meanings.
Table 33 – Status of system indicators
Indicator name | Indicator function | LED State | Device State |
---|---|---|---|
Status | Current device status LED. | Green | Device is in normal operation state. |
Status | Current device status LED. | Orange | Device is booting up the software. |
Alarm | Device alarm presence and level indicator¹. | - | - |
Power | Device power LED. | Green | Device power is OK. Main power supply, if installed, is operational. |
Power | Device power LED. | Orange | Main power supply failure, fault, or the primary network is missing. |
Power | Device power LED. | Off | Device internal power supply failure. |
Fan | Cooling fan status. | Off | All fans are operational. |
Fan | Cooling fan status. | Red | One or more fans have failed. Possible cause of failure: at least one of the fans has stopped or is working at lower rpm. |
¹ Not supported in the current firmware version.
ESR-21/ESR-20 light indication
Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED.
Table 34 – Light indication of copper and SFP interface status
SPEED indicator light | LINK/ACT indicator light | Ethernet interface state |
---|---|---|
Off | Off | The port is disabled or connection is not established. |
Off | Solid on | 10Mbps or 100Mbps connection is established. |
Solid on | Solid on | 1000 Mbps connection is established. |
X | Flashes | Data transfer is in progress. |
Figure 41 – Location of SFP connector indicators
Figure 42 – Location of RJ-45 connector indicators
The following table lists description of system indicator statuses and meanings.
Table 35 – Status of system indicators
Indicator name | Indicator function | LED State | Device State |
---|---|---|---|
Power | Device power LED. | Green | Device power is OK. Main power supply, if installed, is operational. The main software is uploaded. |
Power | Device power LED. | Red | The main software is not loaded. |
Power | Device power LED. | Off | Device internal power supply failure. |
Status | Current device status LED. | Green | Device is in normal operation state. |
Status | Current device status LED. | Orange | Device is booting up the software. |
Alarm | Alarm LED. | - | - |
HA | HA operation mode LED (is not supported in the current version) | - | - |
ESR-12V(F) light indication
Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED.
Table 36 – Light indication of copper and SFP interface status
SPEED indicator light | LINK/ACT indicator light | Ethernet interface state |
---|---|---|
Off | Off | Port is disabled or connection is not established |
Off | Solid on | 10Mbps or 100Mbps connection is established |
Solid on | Solid on | 1000Mbps connection is established |
X | Flashes | Data transfer is in progress |
Figure 43 – Location of SFP connector indicators (only for ESR-12VF, ESR-14VF)
Figure 44 – Location of RJ-45 connector indicators
The following table lists description of system indicator statuses and meanings.
Table 37 – Status of system indicators
Indicator name | Indicator function | LED State | Device State |
---|---|---|---|
Power | Device power LED. | Green | Device power is OK. Main power supply, if installed, is operational. The main software is uploaded. |
Power | Device power LED. | Red | The main software is not uploaded. |
Power | Device power LED. | Off | Device internal power supply failure. |
ESR-10 light indication
Gigabit Ethernet copper interface statuses are represented by the amber SPEED LED.
Table 38 – Light indication of copper interface status
SPEED indicator light | Ethernet interface state |
---|---|
Off | Port is disabled or connection is not established |
Solid on | 1000Mbps connection is established |
Flashes | Data transfer is in progress |
Delivery Package
ESR-10 standard delivery package includes:
- ESR-10 router;
- External 12V power block;
- Documentation.
ESR-12V standard delivery package includes:
- ESR-12V router;
- Power cable;
- 19” rack mounting kit;
- Documentation.
ESR-12VF standard delivery package includes:
- ESR-12VF router;
- Power cable;
- 19” rack mounting kit;
- Documentation.
ESR-14VF standard delivery package includes:
- ESR-14VF router;
- Power cable;
- 19” rack mounting kit;
- Documentation.
ESR-20 standard delivery package includes:
- ESR-20 router;
- Power cable;
- 19” rack mounting kit;
- Documentation.
ESR-21 standard delivery package includes:
- ESR-21 router;
- Power cable;
- 19” rack mounting kit;
- Documentation.
ESR-100 standard delivery package includes:
- ESR-100 router;
- Power cable;
- 19” rack mounting kit;
- Documentation.
ESR-200 standard delivery package includes:
- ESR-200 router;
- Power cable;
- 19” rack mounting kit;
- Documentation.
ESR-1000 standard delivery package includes:
- ESR-1000 router;
- 19” rack mounting kit;
- Documentation.
ESR-1200 standard delivery package includes:
- ESR-1200 router;
- 19” rack mounting kit;
- Documentation.
ESR-1500 standard delivery package includes:
- ESR-1500 router;
- 19” rack mounting kit;
- Documentation.
ESR-1510 standard delivery package includes:
- ESR-1510 router;
- 19” rack mounting kit;
- Documentation.
ESR-1700 standard delivery package includes:
- ESR-1700 router;
- 19” rack mounting kit;
- Documentation.
Power module (PM-160-220/12 or PM-100-48/12) may be included in the ESR-1000, ESR-1200 delivery package on the customer's request.
Power module (PM-160-220/12) may be included in the ESR-1500, ESR-1510 delivery package on the customer's request.
Power module (PM-350-220/12 or PM-350-48/12) may be included in the ESR-1700 delivery package on the customer's request.
SFP/SFP+ transceivers may be included in the delivery package on the customer's request.
Installation and configuration
This section describes installation of the device into a rack and connection to a power supply.
Support brackets mounting
The delivery package includes support brackets for rack installation and mounting screws to fix the device case on the brackets. To install the support brackets:
Figure 45 – Support brackets mounting
1. Align four mounting holes in the support bracket with the corresponding holes in the side panel of the device.
2. Use a screwdriver to screw the support bracket to the case.
3. Repeat steps 1 and 2 for the second support bracket.
Device rack installation
To install the device to the rack:
- Attach the device to the vertical guides of the rack.
- Align mounting holes in the support bracket with the corresponding holes in the rack guides. Use the holes of the same level on both sides of the guides to ensure the device horizontal installation.
- Use a screwdriver to screw the router to the rack.
Figure 46 – Device rack installation
Device ventilation system is implemented using 'front-rear' layout. Vents are located on the front and side panels of the device; ventilation modules are located at the rear. Do not block air inlet and outlet vents to avoid components overheating and subsequent device malfunction.
ESR-1000, ESR-1200, ESR-1500, ESR-1510, ESR-1700 power module installation
ESR-1000/1200/1500/1510/1700 router can operate with one or two power modules. The second power module installation is necessary when the device operates under strict reliability requirements.
From the electric point of view, both places for power module installation are identical. In the context of device operation, the power module located closer to the edge is considered as the main module, and the one closer to the centre – as the backup module. Power modules can be inserted and removed without powering the device off. When additional power module is inserted or removed, the router continues operation without reboot.
Figure 47 – Power module installation
Figure 48 – Plug installation
Power module fault indication may be caused not only by the module failure, but also by the absence of the primary power supply.
You can check the state of power modules by the indication on the front panel of the router (see Section Light indication) or by diagnostics, available through the router management interfaces.
Connection to Power Supply
- Ground the case of the device prior to connecting it to the power supply. An insulated multiconductor wire should be used for earthing. The device grounding and the earthing wire cross-section should comply with Electric Installation Code.
- If a PC or another device is supposed to be connected to the router console port, the device should be also securely grounded.
- Connect the power supply cable to the device. Depending on the delivery package, the device can be powered by AC or DC electrical network. To connect the device to AC power supply, use the cable from the delivery package. To connect the device to DC power supply, use wires with a minimum cross-section of 1 mm².
- Turn the device on and check the front panel LEDs to make sure the terminal is in normal operating conditions.
SFP transceiver installation and removal
Optical modules can be installed when the terminal is turned on or off.
Transceiver installation
1. Insert the top SFP module into a slot with its open side down, and the bottom SFP module with its open side up.
Figure 49 – SFP transceivers installation
2. Push the module into the device housing until it is secured with a clicking sound.
Figure 50 – Installed SFP transceivers
Transceiver removal
1. Flip the module handle to unlock the latch.
Figure 51 – Opening SFP transceiver latch
2. Remove the module from the slot.
Figure 52 – SFP transceivers removal
Management interfaces
You may use various management interfaces in order to control and monitor the device.
To access the device, you may use network connection via Telnet or SSH as well as direct connection via RS-232 compliant console port. For Telnet, SSH or console port connections, the command line interface is used for device management.
Factory settings contain trusted zone description and IP address for device management access: 192.168.1.1/24.
Trusted zone includes the following interfaces:
For ESR-10: GigabitEthernet 1/0/2-6;
for ESR-12V(F), ESR-14VF: GigabitEthernet 1/0/2-8;
for ESR-20: GigabitEthernet 1/0/2-4;
for ESR-21: GigabitEthernet 1/0/2-12;
for ESR-100: GigabitEthernet 1/0/2-4;
for ESR-200: GigabitEthernet 1/0/2-8;
for ESR-1000: GigabitEthernet 1/0/2-24;
for ESR-1200: GigabitEthernet 1/0/2-16, TengigabitEthernet 1/0/3-8;
for ESR-1500, ESR-1510: GigabitEthernet 1/0/2-8, TengigabitEthernet 1/0/2-4;
for ESR-1700: GigabitEthernet 1/0/2-4, TengigabitEthernet 1/0/3-12.
By default, the user 'admin' with the password 'password' is defined in factory settings.
For each management interface provided, there are unified configuration operating principles. When modifying and applying the configuration, you should follow the specific sequence described herein that is intended to protect the device from misconfiguration.
Command Line Interface (CLI)
Command Line Interface (CLI) allows you to manage the device and monitor its operation and status. You will need a PC application that supports Telnet or SSH, or a direct connection via the console port (e.g. HyperTerminal).
Command line interface enables user authorization and restricts access to commands depending on the access level assigned to the user by the administrator.
You can create as many users as you like; access rights are assigned individually to each user.
To ensure command line interface security, all commands are divided into 2 categories: privileged and unprivileged. Privileged commands basically include configuration commands. Unprivileged commands include monitoring commands.
The system allows multiple users to connect to the device simultaneously.
Types and naming procedure of router interfaces
Network interfaces of various types and purposes are used for the router operation. The naming system allows you to uniquely address the interfaces by their functional purpose and location in the system. The following table contains the list of interfaces types.
Table 39 – Types and naming procedure of router interfaces
Interface type | Designation |
---|---|
Physical interfaces | Designation of physical interface includes its type and identifier. The identifier of physical interfaces is as follows: <UNIT>/<SLOT>/<PORT>, where:
|
1Gbps ports | gigabitethernet <UNIT>/<SLOT>/<PORT> Designation example: gigabitethernet 1/0/12 It is permitted to use short name, for example, gi1/0/12. |
10Gbps ports | tengigabitethernet <UNIT>/<SLOT>/<PORT> Designation example: tengigabitethernet 1/0/2 It is permitted to use short name, for example, te1/0/2. |
Channel aggregation groups | Designation of channel aggregation group includes its type and identifier: port-channel <CHANNEL_ID> Designation example: port-channel 6 It is permitted to use short name, for example, po1. |
Sub-interfaces | Designation of sub-interface is generated from the designation of basic interface and sub-interface identifier (VLAN) separated by a dot. Designation examples:
Sub-interface identifier may take values of [1..4094]. |
Q-in-Q interfaces | Designation of Q-in-Q interface is generated from the designation of basic interface, service VLAN identifier and user VLAN identifier separated by a dot. Designation examples:
Service and user VLAN identifier may take values of [1..4094]. |
E1 interfaces | Designation of E1 interface includes its type and identifier. E1 interfaces identifier is as follows: <UNIT>/<SLOT>/<STREAM>, where
Designation example: e1 1/0/1 |
E1 channels aggregation groups | Designation of E1 channels aggregation group includes its type and interface sequence number: multilink <CHANNEL_ID> Designation example: multilink <CHANNEL_ID> |
Logical interfaces | Designation of logical interface is the interface sequence number: Designation examples:
|
1. Number of interfaces of each type depends on the router model.
2. The current firmware does not support device stacking. A device number in unit device group can only take the value of 1.
3. Some commands support simultaneous operation on a group of interfaces. To specify the interface group, you may use a comma-separated list or specify a range of identifiers using a hyphen '-'.
Examples of interface groups specifying:
interface gigabitethernet 1/0/1, gigabitethernet 1/0/5
interface tengigabitethernet 1/0/1-2
interface gi1/0/1-3,gi1/0/7,te1/0/1
Types and naming procedure of router tunnels
Network tunnels of various types and purposes are used for the router operation. The naming system allows you to uniquely address the tunnels by their functional purpose. The following table contains the list of tunnels types.
Table 40 – Types and naming procedure of router tunnels
Tunnel type | Designation |
---|---|
L2TPv3 tunnel | Designation of L2TPv3 tunnel includes the type and sequence number of a tunnel: |
GRE tunnel | Designation of GRE tunnel includes the type and sequence number of a tunnel: |
SoftGRE tunnel | Designation of SoftGRE tunnel includes the type and sequence number of a tunnel and, optionally, a virtual interface VLAN ID: |
IPv4-over-IPv4 tunnel | Designation of IPv4-over-IPv4 tunnel includes the type and sequence number of a tunnel: |
IPsec tunnel | Designation of IPsec tunnel includes the type and sequence number of a tunnel: |
Logical tunnel (tunnel between VRF) | Designation of logical tunnel includes the type and sequence number of a tunnel: |
Number of tunnels of each type depends on the router model and firmware version.
Initial router configuration
ESR router factory settings
The device is shipped to the consumer with the factory configuration installed that includes essential basic settings. Factory configuration allows you to use the router as a gateway with SNAT without applying any additional settings. Also, factory configuration contains settings that allow you to obtain network access to the device for advanced configuration.
Description of factory settings
To establish network connection, the configuration features 2 security zones named 'Trusted' for local area network and 'Untrusted' for public network. All interfaces are divided between two security zones:
- 'Untrusted' zone is meant for a public network (WAN) connection. In this zone, DHCP ports are open in order to obtain dynamic IP address from the provider. All incoming connections from this zone to the router are blocked.
This security zone includes the following interfaces:
For ESR-10/12V: GigabitEthernet 1/0/1;
for ESR-12VF/ESR-14VF: GigabitEthernet 1/0/1; GigabitEthernet 1/0/9;
for ESR-20: GigabitEthernet 1/0/1;
for ESR-21: GigabitEthernet 1/0/1;
For ESR-100/200: GigabitEthernet 1/0/1;
for ESR-1000/1500/1510: GigabitEthernet 1/0/1, TengigabitEthernet 1/0/1-2;
for ESR-1200/1700: GigabitEthernet 1/0/1, TengigabitEthernet 1/0/1, TengigabitEthernet 1/0/2.
Zone interfaces are grouped into a single L2 segment via Bridge 2 network bridge.
- 'Trusted' zone is meant for a local area network (LAN) connection. In this zone, the following ports are open: Telnet and SSH ports for remote access, ICMP ports for router availability test, DHCP ports for clients obtaining IP addresses from the router. Outgoing connections from this zone into the Untrusted zone are allowed.
This security zone includes the following interfaces:
For ESR-10: GigabitEthernet 1/0/2-6;
for ESR-12V(F)/ESR-14VF: GigabitEthernet 1/0/2-8;
for ESR-20: GigabitEthernet 1/0/2-4;
for ESR-21: GigabitEthernet 1/0/2-12;
for ESR-100: GigabitEthernet 1/0/2-4;
for ESR-200: GigabitEthernet 1/0/2-8;
for ESR-1000: GigabitEthernet 1/0/2-24;
for ESR-1200: GigabitEthernet 1/0/2-16, TengigabitEthernet 1/0/3-8;
for ESR-1500/1510: GigabitEthernet 1/0/2-8, TengigabitEthernet 1/0/3-4;
for ESR-1700: GigabitEthernet 1/0/2-4, TengigabitEthernet 1/0/3-12.
Zone interfaces are grouped into a single L2 segment via Bridge 1 network bridge.
On the Bridge 2 interface, DHCP client is enabled to obtain dynamic IP address from the provider. On Bridge 1 interface, static IP address 192.168.1.1/24 is configured. Created IP address acts as a gateway for LAN clients. For LAN clients, DHCP address pool 192.168.1.2-192.168.1.254 is configured with the mask 255.255.255.0. For clients in order to access the Internet, the router should have Source NAT service enabled.
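The factory 'Trusted' ports carry the management services and the DHCP server, so it is worth checking which zone a port falls into before cabling a provider uplink. The sketch below is an added example, not vendor code: it expands the interface-group notation described earlier (long and short names, comma lists, hyphen ranges) and looks a port up in the factory zone lists above. The function names are hypothetical, and only a subset of models is embedded.

```python
import re

# Long and short physical interface type names, as given in the naming table.
TYPES = {"gi": "gigabitethernet", "gigabitethernet": "gigabitethernet",
         "te": "tengigabitethernet", "tengigabitethernet": "tengigabitethernet"}
ITEM = re.compile(r"^([a-z]+)\s*(\d+)/(\d+)/(\d+)(?:-(\d+))?$")

# Factory zone membership copied from the lists above (subset of models).
FACTORY_ZONES = {
    "ESR-10":   {"untrusted": "GigabitEthernet 1/0/1",
                 "trusted":   "GigabitEthernet 1/0/2-6"},
    "ESR-200":  {"untrusted": "GigabitEthernet 1/0/1",
                 "trusted":   "GigabitEthernet 1/0/2-8"},
    "ESR-1000": {"untrusted": "GigabitEthernet 1/0/1, TengigabitEthernet 1/0/1-2",
                 "trusted":   "GigabitEthernet 1/0/2-24"},
    "ESR-1200": {"untrusted": "GigabitEthernet 1/0/1, TengigabitEthernet 1/0/1, "
                              "TengigabitEthernet 1/0/2",
                 "trusted":   "GigabitEthernet 1/0/2-16, TengigabitEthernet 1/0/3-8"},
}


def expand_group(spec):
    """Expand 'gi1/0/1-3,te1/0/1' into sorted (type, unit, slot, port) tuples."""
    ports = set()
    for item in spec.split(","):
        m = ITEM.match(item.strip().lower())
        if not m or m.group(1) not in TYPES:
            raise ValueError(f"not a physical interface designation: {item!r}")
        kind = TYPES[m.group(1)]
        unit, slot, first = (int(m.group(i)) for i in (2, 3, 4))
        last = int(m.group(5)) if m.group(5) else first
        if unit != 1:
            # The manual states stacking is unsupported, so the unit is always 1.
            raise ValueError(f"unit must be 1 in {item!r}")
        if last < first:
            raise ValueError(f"descending range in {item!r}")
        ports.update((kind, unit, slot, p) for p in range(first, last + 1))
    return sorted(ports)


def name(port):
    """Render a tuple back into the long designation, e.g. 'gigabitethernet 1/0/5'."""
    kind, unit, slot, num = port
    return f"{kind} {unit}/{slot}/{num}"


def factory_zone(model, interface):
    """Return 'trusted', 'untrusted' or None for one interface on a given model."""
    (port,) = expand_group(interface)  # exactly one interface expected
    for zone, spec in FACTORY_ZONES[model].items():
        if port in expand_group(spec):
            return zone
    return None


def misplaced_uplinks(model, uplinks):
    """Public-network uplinks that would land on factory 'trusted' ports."""
    return [name(p) for p in expand_group(uplinks)
            if factory_zone(model, name(p)) == "trusted"]


if __name__ == "__main__":
    # Constructed cabling plan: two provider links on an ESR-200.
    print(misplaced_uplinks("ESR-200", "gi1/0/1, gi1/0/5"))
```
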
Security zone policies have the following configuration:
Table 41 – Security zone policy description
Traffic origin zone | Traffic destination zone | Traffic type | Action |
---|---|---|---|
Trusted | Untrusted | TCP, UDP, ICMP | enabled |
Trusted | Trusted | TCP, UDP, ICMP | enabled |
Trusted | self | TCP/22(SSH), ICMP, UDP/67(DHCP Server), UDP/123(NTP) | enabled |
Untrusted | self | UDP/68(DHCP Client) | enabled |
To enable device configuration on the first startup, 'admin' account has been created in the router configuration. The user will be prompted to change administrator password during the initial configuration of the router.
To enable network access to the router on the first startup, static IP address 192.168.1.1/24 has been configured on Bridge 1 interface.
Router connection and configuration
ESR series routers are intended to perform border gateway functions and to secure the user network when it is connected to public data networks.
Basic router configuration should include:
- Assigning IP addresses (static or dynamic) to the interfaces that participate in data routing;
- Creation of security zones and distribution of interfaces between these zones;
- Creation of policies governing data transfer through these zones;
- Configuration of services that accompany the data routing (NAT, Firewall, etc.).
Advanced settings depend on the requirements of the specific device application pattern and may be easily added or modified with the existing management interfaces.
Connection to the router
There are several device connection options:
Ethernet LAN connection
Upon the initial startup, the router starts with the factory configuration. The factory configuration is described in the ESR Router Factory Configuration section of this manual.
Connect the network data cable (patch cord) to any port within the 'Trusted' zone and to the PC intended for management tasks.
In the router factory configuration, DHCP server is enabled with IP address pool in 192.168.1.0/24 subnet.
When network interface is connected to the management computer, the latter should obtain the network address from the server.
If IP address is not obtained for some reason, assign the interface address manually using any address except for 192.168.1.1 in 192.168.1.0/24 subnet.
RS-232 console port connection
Using RJ-45/DBF9 cable included into device delivery package, connect the router 'Console' port to the computer RS-232 port.
Launch terminal application (e.g. HyperTerminal or Minicom) and create a new connection. VT100 terminal emulation mode should be used.
Specify the following settings for RS-232 interface:
Bit rate: 115200 bps
Data bits: 8 bits
Parity: no
Stop bits: 1
Flow control: none
Applying the configuration change
Any changes made in the configuration will take effect only after applying the command:
esr# commit
Configuration has been successfully committed
After applying the command above, the configuration rollback timer is started. To stop the timer and rollback mechanism, use the following command:
esr# confirm
Configuration has been successfully confirmed
The default 'rollback' timer value is 600 seconds. To change this timer, use the command:
esr(config)# system config-confirm timeout <TIME>
<TIME> – time period of configuration confirmation pending, takes value in seconds [120..86400].
Basic router configuration
Upon the first startup, the router configuration procedure includes the following steps:
- Changing password for "admin" user.
- Creation of new users.
- Assigning device name (Hostname).
- Setting parameters for public network connection in accordance with the provider requirements.
- Configuring remote connection to router.
- Applying basic settings.
Changing password for "admin" user
To ensure the secure system access, you should change the password for the privileged 'admin' user.
'techsupport' account is required for service centre specialist remote access.
'remote' account – RADIUS, TACACS+, LDAP authentication.
'admin', 'techsupport', 'remote' users cannot be deleted. You may only change passwords and a privilege level.
Username and password are required for login during the device administration sessions.
To change 'admin' password, use the following commands:
esr# configure
esr(config)# username admin
esr(config-user)# password <new-password>
esr(config-user)# exit
Creation of new users
Use the following commands to create a new system user or configure the username, password, or privilege level:
esr(config)# username <name>
esr(config-user)# password <password>
esr(config-user)# privilege <privilege>
esr(config-user)# exit
Privilege levels 1–9 allow you to access the device and view its operation status, but the device configuration is disabled. Privilege levels 10–14 allow both the access to the device and configuration of majority of its functions. Privilege level 15 allows both the access to the device and configuration of all its functions.
Example of commands that create user 'fedor' with password '12345678' and privilege level 15, and user 'ivan' with password 'password' and privilege level 1:
esr# configure
esr(config)# username fedor
esr(config-user)# password 12345678
esr(config-user)# privilege 15
esr(config-user)# exit
esr(config)# username ivan
esr(config-user)# password password
esr(config-user)# privilege 1
esr(config-user)# exit
Assigning device name
To assign the device name, use the following commands:
esr# configure
esr(config)# hostname <new-name>
When a new configuration is applied, command prompt will change to the value specified by <new-name> parameter.
Configuration of public network parameters
To configure router network interface in the public network, you should assign parameters defined by the network provider – default IP address, subnet mask and gateway address – to the device.
Example of static IP address configuration commands for GigabitEthernet 1/0/2.150 sub-interface used for obtaining access to the router via VLAN 150.
Interface parameters:
- IP address: 192.168.16.144;
- Subnet mask: 255.255.255.0;
- Default gateway IP address: 192.168.16.1.
esr# configure
esr(config)# interface gigabitethernet 1/0/2.150
esr(config-subif)# ip address 192.168.16.144/24
esr(config-subif)# exit
esr(config)# ip route 0.0.0.0/0 192.168.16.1
To verify that the IP address was assigned to the interface correctly, enter the following command after the configuration is applied:
esr# show ip interfaces
IP address            Interface                           Type
-------------------   ---------------------------------   -------
192.168.16.144/24     gigabitethernet 1/0/2.150           static
Provider may use dynamically assigned addresses in their network. If there is a DHCP server in the network, you can obtain the IP address via DHCP.
Configuration example for obtaining dynamic IP address from DHCP server on GigabitEthernet 1/0/10 interface:
esr# configure
esr(config)# interface gigabitethernet 1/0/10
esr(config-if)# ip address dhcp
esr(config-if)# exit
To verify that the IP address was assigned to the interface correctly, enter the following command after the configuration is applied:
esr# show ip interfaces
IP address            Interface                           Type
-------------------   ---------------------------------   -------
192.168.11.5/25       gigabitethernet 1/0/10              DHCP
Configuring remote connection to router
In the factory configuration, remote access to the router may be established via Telnet or SSH from the 'trusted' zone. To enable remote access to the router from other zones, e.g. from the public network, you should create the respective rules in the firewall.
When configuring access to the router, rules should be created for the following pair of zones:
- source-zone – zone that the remote access will originate from;
- self – zone which includes router management interface.
Use the following commands to create the allowing rule:
esr# configure
esr(config)# security zone-pair <source-zone> self
esr(config-zone-pair)# rule <number>
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address <network object-group>
esr(config-zone-rule)# match destination-address <network object-group>
esr(config-zone-rule)# match destination-port <service object-group>
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
Example of commands that allow users from 'untrusted' zone with IP addresses in range 132.16.0.5-132.16.0.10 to connect to the router with IP address 40.13.1.22 via SSH:
esr# configure
esr(config)# object-group network clients
esr(config-addr-set)# ip address-range 132.16.0.5-132.16.0.10
esr(config-addr-set)# exit
esr(config)# object-group network gateway
esr(config-addr-set)# ip address-range 40.13.1.22
esr(config-addr-set)# exit
esr(config)# object-group service ssh
esr(config-port-set)# port-range 22
esr(config-port-set)# exit
esr(config)# security zone-pair untrusted self
esr(config-zone-pair)# rule 10
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address clients
esr(config-zone-rule)# match destination-address gateway
esr(config-zone-rule)# match destination-port ssh
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
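A provisioning transcript can be reviewed before it is pasted into the console. The sketch below is an added example, not vendor code: it reads command lines in the syntax shown in the user-creation and remote-access sections above and reports accounts with weak passwords and permit rules toward the 'self' zone that lack a source-address or destination-port match. The function names, the `initial_setup` flag and the 12-character minimum are assumptions; the sample transcript reuses the manual's own commands, and rule 20 is constructed.

```python
import re

FACTORY_PASSWORD = "password"  # factory default for 'admin', as stated in the manual
MIN_LENGTH = 12                # assumed local policy value, not a device limit
PROMPT = re.compile(r"^\s*[\w.-]+(?:\([\w-]+\))?#\s*")

# Sample input: the manual's user example and SSH rule 10; rule 20 is constructed.
SAMPLE = """\
esr# configure
esr(config)# username fedor
esr(config-user)# password 12345678
esr(config-user)# privilege 15
esr(config-user)# exit
esr(config)# username ivan
esr(config-user)# password password
esr(config-user)# privilege 1
esr(config-user)# exit
esr(config)# security zone-pair untrusted self
esr(config-zone-pair)# rule 10
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address clients
esr(config-zone-rule)# match destination-address gateway
esr(config-zone-rule)# match destination-port ssh
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# rule 20
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match destination-port ssh
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
"""


def commands(transcript):
    """Yield each command as a word list, with any 'esr(...)# ' prompt removed."""
    for line in transcript.splitlines():
        cmd = PROMPT.sub("", line).strip()
        if cmd:
            yield cmd.split()


def weak_password(pw):
    """Return the reason a password is weak, or None if it passes."""
    if pw == FACTORY_PASSWORD:
        return "equals the factory default"
    if pw.isdigit():
        return "is digits only"
    if len(pw) < MIN_LENGTH:
        return f"is shorter than {MIN_LENGTH} characters"
    return None


def audit(transcript, initial_setup=True):
    """Return findings for a provisioning transcript, in a stable order."""
    users, rules = {}, []
    user = pair = rule = None
    for w in commands(transcript):
        if w[0] == "username" and len(w) == 2:
            user = users.setdefault(w[1], {})
        elif w[0] == "password" and user is not None and len(w) == 2:
            user["password"] = w[1]
        elif w[0] == "privilege" and user is not None and len(w) == 2 and w[1].isdigit():
            user["privilege"] = int(w[1])
        elif w[:2] == ["security", "zone-pair"] and len(w) == 4:
            pair = (w[2].lower(), w[3].lower())
        elif w[0] == "rule" and pair is not None and len(w) == 2:
            rule = {"id": w[1], "pair": pair, "match": set(),
                    "permit": False, "enabled": False}
            rules.append(rule)
        elif rule is not None and w[0] == "match" and len(w) >= 2:
            rule["match"].add(w[1])
        elif rule is not None and w == ["action", "permit"]:
            rule["permit"] = True
        elif rule is not None and w == ["enable"]:
            rule["enabled"] = True
        elif w == ["exit"]:  # leave the innermost open context
            if rule is not None:
                rule = None
            elif pair is not None:
                pair = None
            else:
                user = None

    findings = []
    if initial_setup and "password" not in users.get("admin", {}):
        findings.append("admin: password not changed from factory default")
    for uname, u in users.items():
        reason = weak_password(u["password"]) if "password" in u else None
        if reason:
            # Levels 10-15 can change configuration, per the privilege description.
            scope = " (can change configuration)" if u.get("privilege", 0) >= 10 else ""
            findings.append(f"{uname}: password {reason}{scope}")
    for r in rules:
        src, dst = r["pair"]
        if dst == "self" and src != "trusted" and r["permit"] and r["enabled"]:
            for field in ("source-address", "destination-port"):
                if field not in r["match"]:
                    findings.append(f"{src}->self rule {r['id']}: permit without {field} match")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
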
Firmware update
Updating firmware via system resources
To update the firmware, use any of the following servers: TFTP, FTP, SCP. Router firmware files obtained from the manufacturer should be placed on the server.
The router stores two copies of the firmware. To ensure the reliability of the firmware update procedure, only the copy that was not used for the last device startup is available for the update.
When the firmware is updated, the router configuration is converted to match the new version.
When the router is started with firmware that is older than the version of the previously loaded configuration, the configuration is not converted and is subsequently deleted.
You can update firmware from earlier versions using the instructions in the section Updating firmware via bootloader.
To update the firmware on a device that is running the operating system, follow the procedure described below.
- Prepare the selected server for operation. You should know the server address, and the firmware distribution file should be loaded onto the server.
- The router should be prepared for operation according to the documentation requirements. The router configuration should allow data exchange with the server via TFTP/FTP/SCP and ICMP protocols. Take into account which of the router security zones the server belongs to.
- Connect to the router locally via Console port or remotely via Telnet or SSH.
- Check the server availability for the router using the ping command on the router. If the server is not available, check the router settings and the status of the server network interfaces.
- To update the router firmware, enter the following command. Specify the IP address of the server being used as the <server> parameter. For updates that use an FTP or SCP server, enter a username (<user> parameter) and a password (<password> parameter). Specify the name of the firmware file loaded onto the server as the <file_name> parameter (when using SCP, specify the full path as the <folder> parameter). When the command is executed, the router copies the file into its internal memory, performs a data integrity check and saves it into non-volatile memory.
TFTP:
esr# copy tftp://<server>:/<file_name> system:firmware
FTP:
esr# copy ftp://[<user>[:<password>]@]<server>:/<file_name> system:firmware
SCP:
esr# copy scp://[<user>[:<password>]@]<server>://<folder>/<file_name> system:firmware
For example, let's update basic firmware via SCP:
esr# copy scp://adm:password123@192.168.16.168://home/tftp/firmware system:firmware
To start the device with the new firmware version, you have to switch the active image. Use the show bootvar command to find the number of the image that contains the updated firmware.
esr# show bootvar
Image   Version                     Date                             Status       After reboot
-----   -------------------------   ------------------------------   ----------   ------------
1       1.0.7 build 141[f812808]    date 18/02/2015 time 16:12:54    Active       *
2       1.0.7 build 141[f812808]    date 18/02/2015 time 16:12:54    Not Active
Use the following command to select the image:
esr# boot system image-[1|2]
To update the secondary bootloader (U-Boot), enter the following command. Specify the IP address of the server being used as the <server> parameter. For updates that use an FTP or SCP server, enter a username (<user> parameter) and a password (<password> parameter). Specify the name of the secondary bootloader file on the server as the <file_name> parameter (when using SCP, specify the full path as the <folder> parameter). When the command is executed, the router copies the file into its internal memory, performs a data integrity check and saves it into non-volatile memory.
TFTP:
esr# copy tftp://<server>:/<file_name> system:boot
FTP:
esr# copy ftp://<server>:/<file_name> system:boot
SCP:
esr# copy scp://[<user>[:<password>]@]<server>://<folder>/<file_name> system:boot
Updating firmware via bootloader
Router firmware may be updated via the bootloader as follows:
When U-Boot finishes the router initialization, interrupt the device startup with the <Esc> key.
Configuring PoE...
distribution 1 dest_threshold 0xa drop_timer 0x0
Configuring POE in bypass mode
NAE configuration done!
initializing port 0, type 2.
initializing port 1, type 2.
SMC Endian Test:b81fb81f
nae-0, nae-1
=======Skip: Load SYS UCORE for old 8xxB1/3xxB0 revision on default.
Hit any key to stop autoboot: 2
Specify TFTP server address:
BRCM.XLP316Lite Rev B0.u-boot# setenv serverip 10.100.100.1
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# serverip 10.100.100.1
Specify router IP address:
BRCM.XLP316Lite Rev B0.u-boot# setenv ipaddr 10.100.100.2
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# ipaddr 10.100.100.2
Specify the name of the firmware file on the TFTP server:
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# firmware_file firmware
- You may save the environment using 'saveenv' command for future updates.
- Launch firmware update procedure
BRCM.XLP316Lite Rev B0.u-boot# run tftp_update_image1
Using nae-0-3 device
TFTP from server 10.100.100.1; our IP address is 10.100.100.2
Filename 'esr1000/firmware'.
Load address: 0xa800000060000000
Loading: TftpStart:TftpTimeoutMsecs = 10000, TftpTimeoutCountMax = 6
#################################################################
#################################################################
#################################################################
#########################
####################################
done
Bytes transferred = 64453909 (3d77d15 hex)
Device 0: MT29F8G08ABBCAH4 ... is now current device
NAND erase: device 0 offset 0x1440000, size 0x6400000
Bad block table found at page 262080, version 0x01
Bad block table found at page 262016, version 0x01
Erasing at 0x7800000 -- 1895825408% complete..
OK
NAND write: device 0 offset 0x1440000, size 0x6400000
104857600 bytes written: OK
- Install the downloaded firmware as an image to start the system and reboot the router:
BRCM.XLP316Lite Rev B0.u-boot# run set_bootpart_1
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# boot_system image1
BRCM.XLP316Lite Rev B0.u-boot# reset
Secondary bootloader update (U-Boot)
Secondary bootloader initializes NAND and the router. During the update, a new file of the secondary bootloader is saved to the flash
To view the current version of the bootloader file running on the device, execute the 'version' command in the U-Boot CLI. The version is also displayed during the router startup:
BRCM.XLP316Lite Rev B0.u-boot# version
BRCM.XLP.U-Boot:1.1.0.47 (29/11/2016 – 19:00:24)
Firmware update procedure:
When U-Boot finishes the router initialization, interrupt the device startup with the <Esc> key.
Configuring PoE...
distribution 1 dest_threshold 0xa drop_timer 0x0
Configuring POE in bypass mode
NAE configuration done!
initializing port 0, type 2.
initializing port 1, type 2.
SMC Endian Test:b81fb81f
nae-0, nae-1
=======Skip: Load SYS UCORE for old 8xxB1/3xxB0 revision on default.
Hit any key to stop autoboot: 2
- Specify TFTP server address:
BRCM.XLP316Lite Rev B0.u-boot# setenv serverip 10.100.100.1
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# serverip 10.100.100.1
Specify router IP address:
BRCM.XLP316Lite Rev B0.u-boot# setenv ipaddr 10.100.100.2
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# ipaddr 10.100.100.2
- Specify the name of the bootloader file on the TFTP server:
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# uboot_file u-boot.bin
- You may save the environment using 'saveenv' command for future updates.
- Launch firmware update procedure:
BRCM.XLP316Lite Rev B0.u-boot# run upd_uboot
For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot# run tftp_update_uboot
Using nae-1 device
TFTP from server 10.100.100.1; our IP address is 10.100.100.2
Filename 'esr1000/u-boot.bin'.
Load address: 0xa800000078020000
Loading: ###########################################################
done
Bytes transferred = 852648 (d02a8 hex)
SF: Detected MX25L12805D with page size 256, total 16777216 bytes
16384 KiB MX25L12805D at 0:0 is now current device
- Reboot the router:
BRCM.XLP316Lite Rev B0.u-boot# reset