Просмотреть исходный

ESR router factory configuration

The device is shipped to the consumer with the factory configuration installed that includes essential basic settings. Factory configuration allows using the router as a gateway with SNAT without applying any additional settings. Also, factory configuration contains settings that allow you to obtain network access to the device for advanced configuration.

Description of factory settings

To establish network connection, the configuration features 2 security zones named 'Trusted' for local area network and 'Untrusted' for public network. All interfaces are divided between two security zones:

'Untrusted' zone is meant for a public network (WAN) connection. In this zone, DHCP ports are open in order to obtain dynamic IP address from the provider. All incoming connections from this zone to the router are blocked.
This security zone includes the following interfaces:
- for WLC-15: GigabitEthernet 1/0/1, GigabitEthernet 1/0/6;
- for WLC-30: GigabitEthernet 1/0/1, Tengigabitethernt 1/0/1-2;
- for WLC-3200: TwentyfivegigabitEthernet 1/0/1-2;
- for ESR-10/12V: GigabitEthernet 1/0/1;
- for ESR-12VF/ESR-14VF: GigabitEthernet 1/0/1; GigabitEthernet 1/0/9;
- for ESR-15: GigabitEthernet 1/0/1; GigabitEthernet 1/0/6;
- for ESR-20: GigabitEthernet 1/0/1;
- for ESR-21: GigabitEthernet 1/0/1;
- for ESR-30: GigabitEthernet 1/0/1; GigabitEthernet 1/0/1-2;
- for ESR-100/200: GigabitEthernet 1/0/1;
- for ESR-1000/1500/3100: GigabitEthernet 1/0/1, TengigabitEthernet 1/0/1-2;
- for ESR-1200/1700: GigabitEthernet 1/0/1, TengigabitEthernet 1/0/1, TengigabitEthernet 1/0/2;
- for ESR-1511: GigabitEthernet 1/0/1, FortygigabitEthernet 1/0/1-2;
- for ESR-3200: GigabitEthernet 1/0/1-2.
  
  Zone interfaces are grouped into a single L2 segment via Bridge 2 network bridge.
'Trusted' zone is meant for a local area network (LAN) connection. Telnet and SSH ports for remote access, ICMP ports for router availability test, DHCP ports for clients obtaining IP addresses from the router. Outgoing connections from this zone into the Untrusted zone are allowed.
This security zone includes the following interfaces:
- for WLC-15: GigabitEthernet 1/0/2-5;
- for WLC-30: GigabitEthernet 1/0/2-4;
- for WLC-3200: TwentyfivegigabitEthernet 1/0/3-12;
- for ESR-10: GigabitEthernet 1/0/2-6;
- for ESR-12V(F)/ESR-14VF: GigabitEthernet 1/0/2-8;
- for ESR-15: GigabitEthernet 1/0/2-5;
- for ESR-20: GigabitEthernet 1/0/2-4;
- for ESR-21: GigabitEthernet 1/0/2-12;
- for ESR-30: GigabitEthernet 1/0/3-4;
- for ESR-100: GigabitEthernet 1/0/2-4;
- for ESR-200: GigabitEthernet 1/0/2-8;
- for ESR-1000: GigabitEthernet 1/0/2-24;
- for ESR-1200: GigabitEthernet 1/0/2-16, TengigabitEthernet 1/0/3-8;
- for ESR-1500: GigabitEthernet 1/0/2-8, TengigabitEthernet 1/0/3-4;
- for ESR-1511: GigabitEthernet 1/0/2-8, TengigabitEthernet 1/0/1-4;
- for ESR-1700: GigabitEthernet 1/0/2-4, TengigabitEthernet 1/0/3-12;
- for ESR-3100: GigabitEthernet 1/0/2-8, TengigabitEthernet 1/0/3-8;
- for ESR-3200: Twentyfivegigabitethernet 1/0/3-12.
  
  Zone interfaces are grouped into a single L2 segment via Bridge 2 network bridge.

On the Bridge 2 interface, DHCP client is enabled to obtain dynamic IP address from the provider. On Bridge 1 interface, static IP address 192.168.1.1/24 is configured. Created IP address acts as a gateway for LAN clients. For LAN clients, DHCP address pool 192.168.1.2-192.168.1.254 is configured with the mask 255.255.255.0. For clients in order to access the Internet, the router should have Source NAT service enabled.

Security zone policies have the following configuration:

Table 65 – Security zone policy description

Traffic origin zone	Traffic destination zone	Traffic type	Action
Trusted	Untrusted	TCP, UDP, ICMP	enabled
Trusted	Trusted	TCP, UDP, ICMP	enabled
Trusted	self	TCP/22 (SSH), ICMP, UDP/67 (DHCP Server), UDP/123 (NTP)	enabled
Untrusted	self	UDP/68 (DHCP Client)	enabled

To enable device configuration on the first startup, 'admin' user with 'password' password has been created in the router configuration. The user will be prompted to change administrator password during the initial configuration of the router.

To enable network access to the router on the first startup, static IP address 192.168.1.1/24 has been configured on Bridge 1 interface.

Device connection and configuration

ESR series routers and WLC controllers are intended to perform border gateway functions and securing the user network when it is connected to public data networks.

Basic router configuration should include:

Assigning IP addresses (static or dynamic) to the interfaces that participate in data routing;
Creation of security zones and distribution of interfaces between these zones;
Creation of policies governing data transfer through these zones;
Configuration of services that accompany the data routing (NAT, Firewall, etc.).

Advanced settings depend on the requirements of the specific device application pattern and may be easily added or modified with the existing management interfaces.

Connection to the device

There are several device connection options:

Ethernet LAN connection

Upon the initial startup, the device starts with the factory configuration.

Connect the network data cable (patch cord) to any port within the 'Trusted' zone and to the PC intended for management tasks.

In the router factory configuration, DHCP server is enabled with IP address pool in 192.168.1.0/24 subnet.

When network interface is connected to the management computer, the latter should obtain the network address from the server.

If IP address is not obtained for some reason, assign the interface address manually using any address except for 192.168.1.1 in 192.168.1.0/24 subnet.

RS-232 console port connection

Using RJ-45/DBF9 cable included into device delivery package, connect the router 'Console' port to the computer RS-232 port.

Launch terminal application (e.g. HyperTerminal or Minicom) and create a new connection. VT100 terminal emulation mode should be used.

Specify the following settings for RS-232 interface:

Data rate: 115200 bps
Data bits: 8 bits
Parity: none
Stop bits: 1
Flow control: none

Applying the configuration change

Any changes made in the configuration will take effect only after applying the command:

esr# commit
Configuration has been successfully committed

After applying the command above, the configuration rollback timer is started. To stop the timer and rollback mechanism, use the following command:

esr# confirm
Configuration has been successfully confirmed

The default 'rollback' timer value is 600 seconds. To change this timer, use the command:

esr(config)# system config-confirm timeout <TIME>

<TIME> – time period of configuration confirmation pending, takes value in seconds [120..86400].

Basic device configuration

Upon the first startup, the device configuration procedure includes the following steps:

Changing password for "admin" user.
Creation of new users.
Assigning device name (Hostname).
Setting parameters for public network connection in accordance with the provider requirements.
Configuring remote connection to router.
Applying basic settings.

Changing password for 'admin' user

To ensure the secure system access, you should change the password for the privileged 'admin' user.

'techsupport' account ('eltex' up to version 1.0.7) is required for service centre specialist remote access.

'remote' account – RADIUS, TACACS+, LDAP authentication.

'admin', 'techsupport', 'remote' users cannot be deleted. Only passwords and a privilege level can be changed.

If information about 'admin' user is not displayed in the configuration, then the parameters of this user are configured by default ('password' password, privilege level 15).

Username and password are required for login during the device administration sessions.

To change 'admin' password, use the following commands:

esr# configure
esr(config)# username admin
esr(config-user)# password <new-password>
esr(config-user)# exit

Creation of new users

Use the following commands to create a new system user or configure the username, password, or privilege level:

esr(config)# username <name>
esr(config-user)# password <password>
esr(config-user)# privilege <privilege>
esr(config-user)# exit

Privilege levels 1–9 allow accessing the device and viewing its operation status, but the device configuration is disabled. Privilege levels 10-14 allow both the access to the device and configuration of majority of its functions. Privilege level 15 allows both the access to the device and configuration of all its functions.

Example of commands, that allow you to create user 'fedor' with password '12345678' and privilege level 15 and create user 'ivan' with password 'password' and privilege level '1':

esr# configure
esr(config)# username fedor
esr(config-user)# password 12345678
esr(config-user)# privilege 15
esr(config-user)# exit
esr(config)# username ivan
esr(config-user)# password password
esr(config-user)# privilege 1
esr(config-user)# exit

Assigning device name

To assign the device name, use the following commands:

esr# configure
esr(config)# hostname <new-name>

When a new configuration is applied, command prompt will change to the value specified by <new-name> parameter.

Configuration of public network parameters

To configure router network interface in the public network, you should assign parameters defined by the network provider – default IP address, subnet mask and gateway address – to the device.

Example of static IP address configuration commands for Gigabit Ethernet 1/0/2.150 sub-interface used for obtaining access to the device via VLAN 150.

Interface parameters:

IP address: 192.168.16.144;
Subnet mask: 255.255.255.0;
Default gateway IP address: 192.168.16.1.

esr# configure
esr(config)# interface gigabitethernet 1/0/2.150 
esr(config-subif)# ip address 192.168.16.144/24
esr(config-subif)# exit
esr(config)# ip route 0.0.0.0/0 192.168.16.1

To ensure the correct IP address assigning for the interface, enter the following command when the configuration is applied:

esr# show ip interfaces
IP address            Interface                           Type
-------------------   ---------------------------------   -------
192.168.16.144/24     gigabitethernet 1/0/2.150           static

Provider may use dynamically assigned addresses in their network. If the there is DHCP server in the network, you can obtain the IP address via DHCP.

Configuration example for obtaining dynamic IP address from DHCP server on Gigabit Ethernet 1/0/10 interface:

esr# configure
esr(config)# interface gigabitethernet 1/0/10
esr(config-if)# ip address dhcp
esr(config-if)# exit

To ensure the correct IP address assigning for the interface, enter the following command when the configuration is applied:

esr# show ip interfaces
IP address            Interface                           Type
-------------------   ---------------------------------   -------
192.168.11.5/25       gigabitethernet 1/0/10              DHCP

Configuring remote connection to device

In the factory configuration, remote access to the router or controller may be established via Telnet or SSH from the 'trusted' zone. To enable remote access to the router or controller from other zones, e.g. from the public network, you should create the respective rules in the firewall.

When configuring access to the router or controller, rules should be created for the following pair of zones:

source-zone – zone that the remote access will originate from;
self – zone which includes device management interface.

Use the following commands to create the allowing rule:

esr# configure
esr(config)# security zone-pair <source-zone> self
esr(config-zone-pair)# rule <number>
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address <network object-group>
esr(config-zone-rule)# match destination-address <network object-group>
esr(config-zone-rule)# match destination-port <service object-group>
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit

Example of commands that allow users from 'untrusted' zone with IP addresses in range 132.16.0.5-132.16.0.10 to connect to the device with IP address 40.13.1.22 via SSH:

esr# configure
esr(config)# object-group network clients
esr(config-addr-set)# ip address-range 132.16.0.5-132.16.0.10
esr(config-addr-set)# exit
esr(config)# object-group network gateway
esr(config-addr-set)# ip address-range 40.13.1.22
esr(config-addr-set)# exit
esr(config)# object-group service ssh
esr(config-port-set)# port-range 22
esr(config-port-set)# exit
esr(config)# security zone-pair untrusted self
esr(config-zone-pair)# rule 10
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address clients
esr(config-zone-rule)# match destination-address gateway
esr(config-zone-rule)# match destination-port ssh
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit