
...

  • default-router – IP address of the router used as default gateway;
  • domain-name – domain name which the client will use when resolving host names via the domain name system (DNS);
  • dns-server – list of domain name server addresses for the current network that should be known by the client. Server addresses are listed in descending order of their preference.

Configuration algorithm

Step

Description

Command

Keys

1

Enable IPv4/IPv6 DHCP server.

esr(config)# ip dhcp-server [vrf <VRF>]

<VRF> – VRF instance name, within which the DHCP server will operate. Set by the string of up to 31 characters.

esr(config)# ipv6 dhcp-server [vrf <VRF>]

2

Set the DSCP code value for use in the IP headers of DHCP server egress packets (optional).

esr(config)# ip dhcp-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 61.

3

Create pool of DHCP server IPv4/IPv6 addresses and switch to its configuration mode.

esr(config)# ip dhcp-server pool <NAME> [vrf <VRF>]

<NAME> – IPv4/IPv6 server profile name, set by the string of up to 31 characters.

<VRF> – VRF instance name, within which the DHCP server will operate. Set by the string of up to 31 characters.

esr(config)# ipv6 dhcp-server pool <NAME> [vrf <VRF>]

4

Specify IPv4/IPv6 address and mask for the subnet from which IPv4/IPv6 addresses pool will be allocated.

esr(config-dhcp-server)# network <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

esr(config-ipv6-dhcp-server)# network <IPV6-ADDR/LEN>

<IPV6-ADDR/LEN> – IP address and prefix of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

5

Add IPv4/IPv6 addresses range to the address pool of configurable DHCP server.

esr(config-dhcp-server)# address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address;

The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

You can specify up to 32 IP addresses separated by commas.

esr(config-ipv6-dhcp-server)# address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address;

The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

6

Add IPv4/IPv6 address for a specific physical address to the address pool of configurable DHCP server (optional).

esr(config-dhcp-server)# address <ADDR> {mac-address <MAC> | client-identifier <CI>}

<ADDR> – client IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<MAC> – MAC address of the client to which the IP address will be given, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF].

<CI> – client identifier according to DHCP Option 61. Can be specified as follows:

  • HH:HH:HH:HH:HH:HH:HH – client identifier in hexadecimal format and client MAC address;
  • STRING – text string from 1 to 64 characters.

esr(config-ipv6-dhcp-server)# address <IPV6-ADDR> mac-address <MAC>

<IPV6-ADDR> – client IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<MAC> – MAC address of the client to which the IP address will be given, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF].

7

Specify the list of default gateway IPv4 addresses which will be transmitted by DHCP server to clients through DHCP option 3.

esr(config-dhcp-server)# default-router <ADDR>

<ADDR> – default gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Up to 8 IP addresses can be specified separated by commas.

8

Specify network domain DNS name. Domain name is transmitted to clients as part of DHCP option 15 (optional).

esr(config-dhcp-server)# domain-name <NAME>

<NAME> – router domain name, set by the string from 1 to 255 characters.

esr(config-ipv6-dhcp-server)# domain-name <NAME>

9

Specify DNS server IPv4/IPv6 addresses list. The list is transmitted to clients as part of DHCP option 6 (optional).

esr(config-dhcp-server)# dns-server <ADDR>

<ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Up to 8 IP addresses can be specified separated by commas.

esr(config-ipv6-dhcp-server)# dns-server <IPV6-ADDR>

<IPV6-ADDR> – DNS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. Up to 8 IP addresses can be specified separated by commas.

10

Specify maximum IP addresses lease time (optional).

If a DHCP client requests a lease time that exceeds the maximum value, the time specified by this command is used.

esr(config-dhcp-server)# max-lease-time <TIME>

<TIME> – maximum IP address lease time, set in the format DD:HH:MM, where:

  • DD – number of days, takes values of [0..364];
  • HH – number of hours, takes values of [0..23];
  • MM – number of minutes, takes values of [0..59].

Default value: 1 day.

esr(config-ipv6-dhcp-server)# max-lease-time <TIME>

11

Specify the lease time for which a client will be given IP address (optional).

This time is used if the client did not request a specific lease time.

esr(config-dhcp-server)# default-lease-time <TIME>

<TIME> – IP address lease time, set in the format DD:HH:MM, where:

  • DD – number of days, takes values of [0..364];
  • HH – number of hours, takes values of [0..23];
  • MM – number of minutes, takes values of [0..59].

Default value: 12 hours.

esr(config-ipv6-dhcp-server)# default-lease-time <TIME>

12

Create a vendor class identifier (DHCP Option 60) (optional).

esr(config)# ip dhcp-server vendor-class-id <NAME>

<NAME> – vendor class identifier, set by the string of up to 31 characters.

esr(config)# ipv6 dhcp-server vendor-class-id <NAME>

13

Specify vendor-specific information (DHCP Option 43).

esr(config-dhcp-vendor-id)# vendor-specific-options <HEX>

<HEX> – vendor-specific information, specified in hexadecimal format up to 128 symbols.

esr(config-ipv6-dhcp-vendor-id)# vendor-specific-options <HEX>

14

Specify NetBIOS server IP address (DHCP option 44) (optional).

esr(config-dhcp-server)# netbios-name-server <ADDR>

<ADDR> – NetBIOS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Up to 4 IP addresses can be specified.

15

Specify TFTP server IP address (DHCP option 150) (optional).

esr(config-dhcp-server)# tftp-server <ADDR>

<ADDR> – TFTP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Configuration example

Objective:

...

Note

Configuration of settings for IPv6 is performed by analogy to IPv4.



Destination NAT configuration

...

DNAT is used to redirect traffic arriving at a specific 'virtual' address in a public network to a 'real' server in the LAN located behind the network gateway. This function may be used to provide public access to servers located within the private network that have no public network address.

Configuration algorithm

Step

Description

Command

Keys

1

Switch to the configuration mode of destination address translation service.

esr(config)# nat destination


2

Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optional).

esr(config-dnat)# pool <NAME>

<NAME> – NAT addresses pool name, set by the string of up to 31 characters.

3

Set the internal IP address which will replace a destination IP address.

esr(config-dnat-pool)# ip address <ADDR>

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

4

Set the internal TCP/UDP port which will replace a destination TCP/UDP port.

esr(config-dnat-pool)# ip port <PORT>

<PORT> – TCP/UDP port, takes values of [1..65535].

5

Create a rule group with a specific name.

esr(config-dnat)# ruleset <NAME>

<NAME> – rule group name, set by the string of up to 31 characters.

6

Specify VRF instance, in which the given rule group will operate (optional).

esr(config-dnat-ruleset)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

7

Set the rule group scope. The rules will be applied only to traffic coming from a certain zone or interface.

esr(config-dnat-ruleset)# from { zone <NAME> | interface <IF> | tunnel <TUN> | default }

<NAME> – isolation zone name;

<IF> – device interface name;

<TUN> – device tunnel name;

default – denotes a group of rules for all traffic, the source of which did not fall under the criteria of other groups of rules.

8

Specify a rule with a certain number. The rules are processed in ascending order.

esr(config-dnat-ruleset)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..10000].

9

Specify the profile of IP addresses {sender | recipient} for which the rule should work.

esr(config-dnat-rule)# match [not] {source|destination}-address <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

'Any' value points at any source IP address.

10

Specify the profile of services (TCP/UDP ports) {sender | recipient} for which the rule should work (optional).

esr(config-dnat-rule)# match [not] {source|destination}-port <PORT-SET-NAME>

<PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. 'Any' value points at any source TCP/UDP port.

11

Set the name or number of the IP protocol for which the rule should work (optional).

esr(config-dnat-rule)# match [not] {protocol <TYPE> | protocol-id <ID> }

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. 'Any' value points at any protocol type.

<ID> – IP protocol identification number, takes values of [0x00-0xFF].

12

Specify the type and code of ICMP messages for which the rule should work (if ICMP is selected as protocol) (optional).

esr(config-dnat-rule)# match [not] icmp {<ICMP_TYPE> <ICMP_CODE> | <TYPE-NAME>}

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. 'Any' value points at any message code.

<TYPE-NAME> – ICMP message type name.

13

Specify the action 'translation of destination address and port' for the traffic meeting the requirements of 'match' commands.

esr(config-dnat-rule)# action destination-nat { off | pool <NAME> | netmap <ADDR/LEN> }

off – translation is disabled;

pool <NAME> – name of the pool that contains IP addresses and/or TCP/UDP ports set;

netmap <ADDR/LEN> – subnet IP address and mask used during translation. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

14

Activate a configured rule.

esr(config-dnat-rule)# enable


15

Enable application layer session tracking for FTP, SIP, H323, netbios-ns, PPTP protocols (optional).

esr(config)# ip firewall sessions tracking {<PROTOCOL> | sip [ port <OBJECT-GROUP-SERVICE> ] | all}

all – enables application layer session tracking for all available protocols;

<PROTOCOL> – application layer protocol whose sessions need to be monitored, takes values of [ftp, h323, pptp, netbios-ns];

<OBJECT-GROUP-SERVICE> – profile name of the TCP/UDP ports of the sip session, specified as a string of up to 31 characters. If the group is not specified, then sip sessions will be monitored for port 5060.

16

Enable IP address translation in application level headers (optional).

esr(config)# nat alg {<PROTOCOL> | all}

all – enables IP address translation in headers of all available protocols;

<PROTOCOL> – application layer protocol in whose headers address translation should work, takes values of [ftp, h323, pptp, netbios-ns].


Note

When using the not key, the rule will work for values which are not included in a specified profile. 

Each 'match' command may contain 'not' key. When using the key, packets that do not meet the given requirement will fall under the rule.

For more information about router configuration, see 'CLI command reference guide'.

Destination NAT configuration example

...

Establish access from the public network, which belongs to the 'UNTRUST' zone, to a LAN server in the 'TRUST' zone. Server address in the LAN – 10.1.1.100. The server should be accessible from outside the network at address 1.2.3.4, access port 80.


Solution:

Create the 'UNTRUST' and 'TRUST' security zones. Assign the network interfaces in use to the zones and assign IP addresses to the interfaces at the same time.

...


Configuration algorithm

Step

Description

Command

Keys

1

Switch to the configuration mode of source address translation service.

esr(config)# nat source


2

Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optional).

esr(config-snat)# pool <NAME>

<NAME> – NAT addresses pool name, set by the string of up to 31 characters.

3

Set the range of IP addresses which will replace a source IP address.

esr(config-snat-pool)# ip address-range <IP>[-<ENDIP>]

<IP> – IP address of the beginning of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ENDIP> – IP address of the end of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. If IP address of the end of the range is not specified, only IP address of the beginning of the range is used as IP address for translation.

4

Specify the range of external TCP/UDP ports which will replace a source TCP/UDP port.

esr(config-snat-pool)# ip port-range <PORT>[-<ENDPORT>]

<PORT> – TCP/UDP port of the beginning of range, takes values of [1..65535];

<ENDPORT> – TCP/UDP port of the end of range, takes values of [1..65535]. If TCP/UDP port of the end of the range is not specified, only TCP/UDP port of the beginning of the range is used as TCP/UDP port for translation.

5

Set external TCP/UDP port which will replace a source TCP/UDP port.

esr(config-snat-pool)# ip port <PORT>

<PORT> – TCP/UDP port, takes values of [1..65535].

6

Enable NAT persistent functions.

esr(config-snat-pool)# persistent


7

Create a rule group with a specific name.

esr(config-snat)# ruleset <NAME>

<NAME> – rule group name, set by the string of up to 31 characters.

8

Specify VRF instance, in which the given rule group will operate (optional).

esr(config-snat-ruleset)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

9

Set the rule group scope. The rules will be applied only to traffic coming to a certain zone or interface.

esr(config-snat-ruleset)# to { zone <NAME> | interface <IF> | tunnel <TUN> | default }

<NAME> – isolation zone name;

<IF> – device interface name;

<TUN> – device tunnel name;

default – denotes a group of rules for all traffic, the source of which did not fall under the criteria of other groups of rules.

10

Specify a rule with a certain number. The rules are processed in ascending order.

esr(config-snat-ruleset)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..10000].

11

Specify the profile of IP addresses {sender | recipient} for which the rule should work.

esr(config-snat-rule)# match [not] {source|destination}-address <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

'Any' value points at any source IP address.

12

Specify the profile of services (TCP/UDP ports) {sender | recipient} for which the rule should work (optional).

esr(config-snat-rule)# match [not] {source|destination}-port <PORT-SET-NAME>

<PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. 'Any' value points at any source TCP/UDP port.

13

Set the name or number of the IP protocol for which the rule should work (optional).

esr(config-snat-rule)# match [not] {protocol <TYPE> | protocol-id <ID>}

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. 'Any' value points at any protocol type.

<ID> – IP protocol identification number, takes values of [0x00-0xFF].

14

Specify the type and code of ICMP messages for which the rule should work (optional).

esr(config-snat-rule)# match [not] icmp {<ICMP_TYPE> <ICMP_CODE> | <TYPE-NAME>}

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. 'Any' value points at any message code.

<TYPE-NAME> – ICMP message type name.

15

Specify the action 'translation of source address and port' for the traffic meeting the requirements of 'match' command.

esr(config-snat-rule)# action source-nat { off | pool <NAME> | netmap <ADDR/LEN> [static] | interface [FIRST_PORT – LAST_PORT] }

off – translation is disabled;

pool <NAME> – name of the pool that contains IP addresses and/or TCP/UDP ports set;

netmap <ADDR/LEN> – subnet IP address and mask used during translation; static – option for static NAT organization.

The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

interface [FIRST_PORT – LAST_PORT] – specify the translation to the interface IP address. If the range of TCP/UDP ports is additionally specified, the translation will occur only for the sender TCP/UDP ports included in the specified range.

16

Activate a configured rule.

esr(config-snat-rule)# enable


17

Enable application layer session tracking for FTP, SIP, H323, netbios-ns, PPTP protocols (optional).

esr(config)# ip firewall sessions tracking {<PROTOCOL> | sip [ port <OBJECT-GROUP-SERVICE> ] | all}

all – enables application layer session tracking for all available protocols;

<PROTOCOL> – application layer protocol whose sessions need to be monitored, takes values of [ftp, h323, pptp, netbios-ns];

<OBJECT-GROUP-SERVICE> – profile name of the TCP/UDP ports of the sip session, specified as a string of up to 31 characters. If the group is not specified, then sip sessions will be monitored for port 5060.

18

Enable IP address translation in application level headers (optional).

esr(config)# nat alg {<PROTOCOL> | all}

all – enables IP address translation in headers of all available protocols;

<PROTOCOL> – application layer protocol whose sessions need to be monitored, takes values of [ftp, h323, pptp, netbios-ns].


...

HTTP/HTTPS traffic proxying

Configuration algorithm

Step

Description

Command

Keys

1

Create an object with a URL.

esr(config)# object-group url <NAME>


2

Specify the URL set.

esr(config-object-group-url)# url <URL>

<URL> – web page or site address.

3

Create proxy profile.

esr(config)# ip http profile <NAME>

<NAME> – profile name.

4

Choose default action.

esr(config-profile)# default action {deny|permit|redirect} [redirect-url <URL>]

<URL> – address of the host to which requests will be sent.

5

Specify description (optional).

esr(config-profile)# description <description>

<description> – up to 255 characters.

6

Specify a remote or local URL list and type of operation (block/traffic pass/redirect) (optional).

esr(config-profile)# urls {local|remote} <URL_OBJ_GROUP_NAME> action {deny|permit|redirect} [redirect-url <URL>]

<URL_OBJ_GROUP_NAME> – name of the object containing the URL set.

7

Specify the remote server where the necessary URL lists are (optional).

esr(config)# ip http proxy server-url <URL>

<URL> – address of the server from which remote URL lists will be taken.

8

Specify a listening port for proxying (optional).

esr(config)# ip http proxy listen-ports <OBJ_GROUP_NAME>

<OBJ_GROUP_NAME> – port profile name, set by string of up to 31 characters.

9

Specify a listening port for proxying (optional).

esr(config)# ip https proxy listen-ports <OBJ_GROUP_NAME>

<OBJ_GROUP_NAME> – port profile name, set by string of up to 31 characters.

10

Specify a base port for proxying (optional).

esr(config)# ip https proxy redirect-port <PORT>

<PORT> – port number, set in the range of [1..65535].

Default value: 3128.

11

Enable proxying on the interface based on the selected HTTP profile.

esr(config-if)# ip http proxy <PROFILE_NAME>

<PROFILE_NAME> – profile name.

12

Enable proxying on the interface based on the selected HTTPS profile.

esr(config-if)# ip https proxy <PROFILE_NAME>

<PROFILE_NAME> – profile name.

13

Create services lists which will be used during filtration.

esr(config)# object-group service <obj-group-name>

<obj-group-name> – service profile name, set by the string of up to 31 characters.

14

Specify services list description (optional).

esr(config-object-group-service)# description <description>

<description> – profile description, set by the string of up to 255 characters.

15

Add necessary services (TCP/UDP ports) to the list.

esr(config-object-group-service)# port-range 3128-3135

The ESR proxy server operates on ports starting from the base port defined in step 10.

The HTTP proxy uses ports from the base port to (base port + number of CPUs of the given ESR model - 1).

For the HTTPS proxy, the ports used are from (base port + number of CPUs of the given ESR model) to (base port + number of CPUs of the given ESR model * 2 - 1).

16

Create an interzone interaction rule set.

esr(config)# security zone-pair <src-zone-name1> self

<src-zone-name> – security zone in which the interfaces with the ip http proxy or ip https proxy function are located.

self – a predefined security zone for traffic entering the ESR itself.

17

Create an interzone interaction rule set.

esr(config-zone-pair)# rule <rule-number>

<rule-number> – 1..10000.

18

Specify rule description (optional).

esr(config-zone-rule)# description <description>

<description> – up to 255 characters.

19

Specify the action of the rule.

esr(config-zone-rule)# action <action> [ log ]

<action> – permit.

log – activation key for logging of sessions established according to this rule.

20

Set name of IP protocol for which the rule should work.

esr(config-zone-rule)# match protocol <protocol-type>

<protocol-type> – TCP.

The ESR proxy server uses the TCP protocol.

21

Set the destination TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] destination-port <obj-group-name>

<obj-group-name> – name of the service profile created in step 12.

22

Create an interzone interaction rule.

esr(config-zone-rule)# enable



Note

If the Firewall function on the ESR is not forcibly disabled, create an allow rule for the Self zone.

...

esr(config)# object-group service proxy
esr(config-object-group-service)# port-range 3128-3135
esr(config-object-group-service)# exit

Create a permissive interzonal interaction rule:

esr(config)# security zone-pair LAN self
esr(config-zone-pair)# rule 50
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol tcp
esr(config-zone-pair-rule)# match destination-port proxy
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
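
The port arithmetic from step 15, applied to the 'proxy' service group above, as an added example that is not part of the vendor documentation: it reports proxy ports the group fails to permit and ports it permits to the self zone without need. The function names, the "esr" prompt pattern and the CPU counts are assumptions of this example; the page does not state the CPU count of any ESR model.

```python
import re

# Constructed sample: the service group from the configuration example above.
SAMPLE_CONFIG = """\
esr(config)# object-group service proxy
esr(config-object-group-service)# port-range 3128-3135
esr(config-object-group-service)# exit
"""

# Assumption: the device keeps the "esr" hostname shown in the prompts.
PROMPT = re.compile(r"^\s*esr[^#]*#\s*")


def proxy_port_ranges(base_port, cpu_count):
    """Return ((http_first, http_last), (https_first, https_last))."""
    if base_port < 1 or cpu_count < 1:
        raise ValueError("base_port and cpu_count must be positive")
    http = (base_port, base_port + cpu_count - 1)
    https = (base_port + cpu_count, base_port + cpu_count * 2 - 1)
    if https[1] > 65535:
        raise ValueError("proxy ports would exceed 65535")
    return http, https


def service_group_ranges(config_text, group_name):
    """Collect the port-range entries of one 'object-group service' block."""
    ranges = []
    in_group = False
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if line.startswith("object-group service "):
            in_group = line.split()[2] == group_name
        elif line == "exit":
            in_group = False
        elif in_group:
            match = re.fullmatch(r"port-range (\d+)-(\d+)", line)
            if match:
                ranges.append((int(match.group(1)), int(match.group(2))))
    return ranges


def audit_proxy_rule(config_text, group_name, base_port, cpu_count):
    """Compare the ports a service group permits with the ports the proxy uses.

    'missing' lists proxy ports the group does not cover (proxying breaks);
    'surplus' lists ports opened towards the router that the proxy never uses.
    """
    allowed = set()
    for low, high in service_group_ranges(config_text, group_name):
        allowed.update(range(low, high + 1))
    http, https = proxy_port_ranges(base_port, cpu_count)
    needed = set(range(http[0], https[1] + 1))
    return {
        "missing": sorted(needed - allowed),
        "surplus": sorted(allowed - needed),
    }


if __name__ == "__main__":
    # Hypothetical CPU counts; 3128 is the default base port from step 10.
    for cpus in (2, 4, 8):
        print(cpus, audit_proxy_rule(SAMPLE_CONFIG, "proxy", 3128, cpus))
```

With the default base port, the range 3128-3135 matches exactly a device with four CPUs; on any other CPU count it either leaves HTTPS proxy ports blocked or opens unused ports to the self zone.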

NTP

...

configuration

NTP (Network Time Protocol) is a network protocol for synchronizing the internal clocks of equipment over IP networks. It runs over UDP, takes transmission times into account, and uses algorithms to achieve high-precision time synchronization.

Configuration algorithm

Step

Description

Command

Keys

1

Enable NTP.

esr(config)# ntp enable


2

Set the IP address of the NTP server or NTP synchronization participant.

esr(config)# ntp { server | peer } { <IP> }

<IP> – destination IP address (gateway), defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

3

Set authentication key (optional).

esr(config-ntp)# key <ID>

<ID> – key identifier, set in the range of [1..255].

4

Set the maximum time interval between sending messages to the NTP server (optional).

esr(config-ntp)# maxpoll <INTERVAL>

<INTERVAL> – maximum value of the poll interval. The parameter is the exponent of two: the interval in seconds is calculated by raising two to the power specified by the parameter. Takes values of [10..17].

Default value: 10 (2^10 = 1024 seconds, or 17 minutes 4 seconds).

5

Set the minimum time interval between sending messages to the NTP server (optional).

esr(config-ntp)# minpoll <INTERVAL>

<INTERVAL> – minimum value of the poll interval in seconds; it is calculated by raising two to the power specified by the command parameter. Takes values of [4..6].

Default value: 6 (2^6 = 64 seconds, or 1 minute 4 seconds).

6

Mark this NTP server as preferred (optional).

esr(config-ntp)# prefer


7

Define a list of trusted IP addresses with which ntp packets can be exchanged (optional).

esr(config)# ntp access-addresses <NAME>

<NAME> – IP addresses profile name, set by the string of up to 31 characters.

8

Specify the key ID from the key binding profile (optional).

esr(config)# ntp authentication trusted-key <ID>

<ID> – key ID from the key binding profile.

9

Specify the key binding profile name (optional).

esr(config)# ntp authentication key-chain <WORD>

<WORD> – key binding profile name.

10

Activate key-based authentication for NTP (optional).

esr(config)# ntp authentication enable


11

Enable the mode of receiving broadcast messages from NTP servers for the global configuration and all existing VRFs (optional).

esr(config)# ntp broadcast-client enable


12

Set the DSCP code value for use in the IP headers of NTP server egress packets (optional).

esr(config)# ntp dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 46.

13

Enable query-only mode that limits interaction via NTP for a certain profile of IP addresses (optional).

esr(config)# ntp object-group query-only <NAME>

<NAME> – IP addresses profile name, set by the string of up to 31 characters.

14

Enable serve-only mode that limits interaction via NTP for a certain profile of IP addresses (optional).

esr(config)# ntp object-group serve-only <NAME>

<NAME> – IP addresses profile name, set by the string of up to 31 characters.

15

Specify source-IP addresses for NTP packets for all peers (optional).

esr(config)# ntp source address <ADDR>

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

16

Set the current time and date manually (optional).

esr# set date <TIME> [<DAY> <MONTH> [ <YEAR> ] ]

<TIME> – system timer, defined as HH:MM:SS, where:

  • HH – hours, takes the value of [0..23];
  • MM – minutes, takes the value of [0..59];
  • SS – seconds, takes the value of [0..59];

<DAY> – day of the month, takes values of [1..31];

<MONTH> – month, takes the following values [January/February/March/April/May/June/July/August/September/October/November/December];

<YEAR> – year, takes values of [2001..2037].

Configuration example

Objective:

...