1. ABSTRACT
This manual provides instructions for connecting to the power supply network, factory configuration of the device and recommendations for initial configuration of ESR-1000/1200/1700 routers. It describes the typical router power-up scheme, wireless-controller configuration, NAT, redundancy. This manual is intended for technicians who install, configure and commission the device.
2. DESIGN
ESR-1000/1200/1700 routers are made in a metal housing that can be installed in a 19" frame. The height of the ESR-1000/1200 enclosure is 1U. The height of the ESR-1700 enclosure is 2U.
2.1 ESR-1000, ESR-1200 design
Fig. 2.1.1 ESR-1000 front panel.
№ | Front panel element | Description |
1 | SD | SD card connector. |
2 | USB1 | Port for USB device connection. |
3 | USB2 | Port for USB device connection. |
4 | XG1, XG2 | Slots for 10G SFP+/ 1G SFP transceivers. |
5 | [1 .. 24] | 24 ports of Gigabit Ethernet 10/100/1000 Base-T (RJ-45). |
6 | Status | Current device status LED. |
 | Alarm | Alarm LED. |
 | VPN | Active VPN sessions indicator. |
 | Flash | Activity indicator of exchange with data storages (SD card or USB Flash). |
 | Power | Device power LED. |
 | Master | Indicator of failover modes operation. |
 | Fan | Fan operation LED. |
 | RPS | Redundant power supply LED. |
7 | F | Functional key that reboots the device and resets it to factory default configuration:
|
8 | Console | Console port RS-232 for local management of the device. |
Fig. 2.1.2 ESR-1200 front panel.
№ | Front panel element | Description |
1 | SD | SD card connector. |
2 | USB1 | Port for USB device connection. |
3 | USB2 | Port for USB device connection. |
4 | [1 .. 12] | 12 ports of Gigabit Ethernet 10/100/1000 Base-T (RJ-45). |
5 | Combo Ports | 4 ports of Gigabit Ethernet 10/100/1000 Base-X (SFP). |
6 | XG1 - XG8 | Slots for 10G SFP+/ 1G SFP transceivers. |
7 | Status | Current device status LED. |
 | Alarm | Alarm LED. |
 | HA | HA operation mode LED. |
 | Flash | Activity indicator of exchange with data storages (SD card or USB Flash). |
 | Power | Device power LED. |
 | Master | Indicator of failover modes operation. |
 | Fan | Fan operation LED. |
 | RPS | Redundant power supply LED. |
8 | F | Functional key that reboots the device and resets it to factory default configuration:
|
9 | Console | Console port RS-232 for local management of the device. |
Fig. 2.1.3 ESR-1000, ESR-1200 rear panel.
№ | Description |
1 | Main power supply. |
2 | Place for installation of a redundant power supply. |
3 | Hot-swappable removable ventilation modules. |
4 | Earth bonding point of the device. |
Fig. 2.1.4 ESR-1000, ESR-1200 left side panel.
Fig. 2.1.5 ESR-1000, ESR-1200 right side panel.
Side panels of the device have air vents for heat removal. Do not block air vents. This may cause the components to overheat, which may result in device malfunction.
2.2 ESR-1700 design
Fig. 2.2.1 ESR-1700 front panel.
№ | Front panel element | Description |
1 | HDD1 | Connector for HDD installation. |
2 | HDD2 | Connector for HDD installation. |
3 | USB1 | Port for USB device connection. |
4 | USB2 | Port for USB device connection. |
5 | Combo Ports [1 .. 4] | 4 ports of Gigabit Ethernet 10/100/1000 Base-X (SFP). |
6 | XG1 - XG8 | Slots for 10G SFP+/ 1G SFP transceivers. |
7 | Status | Current device status LED. |
 | Alarm | Alarm LED. |
 | HA | HA operation mode LED. |
 | Flash | Activity of exchange with data storage – SD card or USB Flash. |
 | Power | Device power LED. |
 | Master | Indicator of failover modes operation. |
 | Fan | Fan operation LED. |
 | RPS | Redundant power supply LED. |
8 | F | Functional key that reboots the device and resets it to factory default configuration:
|
9 | Console | Console port RS-232 for local management of the device. |
10 | OOB | Ethernet port for router management. |
Fig. 2.2.2 ESR-1700 rear panel.
№ | Description |
1 | Earth bonding point of the device. |
2 | Hot-swappable removable ventilation modules. |
3 | Main power supply. |
4 | Place for installation of a redundant power supply. |
Fig. 2.2.3 Right side panel.
Fig. 2.2.4 Left side panel.
Side panels of the device have air vents for heat removal. Do not block air vents. This may cause the components to overheat, which may result in device malfunction.
2.3 Light indication.
Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Location of the copper interface LEDs is depicted in figure 2.3.13. For light indication meaning, see table 2.3.1.
LINK/ACT SPEED
Fig. 2.3.1 Location of GigabitEthernet.
SFP interface status is represented by two LEDs – RX/ACT and TX/ACT – depicted in figure 2.3.13. For light indication meaning, see table 2.3.2.
RX/ACT TX/ACT
Fig. 2.3.2 Location of optical interface indicators.
Table 2.3.1 Light indication of copper interface status.
SPEED indicator is lit | LINK/ACT indicator is lit | Ethernet interface state |
---|---|---|
Off | Off | The port is disabled or connection is not established. |
Off | Solid on | 10Mbps or 100Mbps connection is established. |
Solid on | Solid on | 1000Mbps connection is established. |
X | Flashes | Data transfer is in progress. |
Table 2.3.2 Light indication of SFP/SFP+ interfaces status.
RX/ACT indicator is lit | TX/ACT indicator is lit | Ethernet interface state |
---|---|---|
Off | Off | The port is disabled or connection is not established. |
Solid on | Solid on | Connection established. |
Flashes | X | Data reception in progress. |
X | Flashes | Data transfer is in progress. |
The following table describes the statuses of the system indicators of the device.
Table 2.3.3 Status of system indicators.
Indicator name | Indicator function | LED state | Device State |
---|---|---|---|
Status | Current device status LED. | Green | Device is in normal operation state. |
 | | Orange | The device is in the firmware download state. |
Alarm | Alarm LED. | - | - |
VPN | Active VPN sessions indicator. | - | - |
Flash | Activity indicator of exchange with data storages: SD-card or USB Flash. | Orange | Read/write operation execution with 'copy' command. |
Power | Device power LED. | Green | Device power is normal. Main power supply, if installed, is operational. |
 | | Orange | Main power supply failure, fault, or the primary network is missing. |
 | | Off | Device internal power supply failure. |
Master | Indicator of failover modes operation. | - | - |
Fan | Cooling fan status. | Off | All fans are operational. |
 | | Red | One or more fans have failed. Possible cause of failure: at least one of the fans has stopped or is working at lower rpm. |
RPS | Backup power supply operation mode. | Green | Backup power supply is installed and operational. |
 | | Off | Backup power supply is not installed. |
 | | Red | Backup power supply is missing or failed. |
3. CONNECTION TO POWER SUPPLY
1. Ground the case of the device prior to connecting it to the power supply. An insulated multiconductor wire should be used for earthing. The device grounding and the earthing wire cross-section should comply with Electric Installation Code.
2. If a PC or another device is supposed to be connected to the router console port, the device should be also securely grounded.
3. For ESR-1000/1200/1700. Connect the power supply cable to the device. Depending on the delivery package, the device can be powered from an AC or DC electrical network. To connect the device to AC power supply, use the cable from the delivery package. To connect the device to DC power supply, use wires with a minimum cross-section of 1 mm².
4. Turn the device on and check the front panel LEDs to make sure the terminal is in normal operating conditions.
4. ESR ROUTER FACTORY CONFIGURATION
The device is shipped to the consumer with the factory configuration installed that includes essential basic settings. Factory configuration allows using the router as a gateway with SNAT without applying any additional settings. Also, factory configuration contains settings that allow you to obtain network access to the device for advanced configuration.
4.1 Description of factory settings
To establish network connection, the configuration features 2 security zones named 'Trusted' for local area network and 'Untrusted' for public network. All interfaces are divided between two security zones:
- 'Untrusted' zone is meant for a public network (WAN) connection. In this zone, DHCP ports are open in order to obtain dynamic IP address from the provider. All incoming connections from this zone to the router are blocked. This security zone includes the following interfaces:
ESR-1000/1200/1700: GigabitEthernet1/0/1, TengigabitEthernet1/0/1, TengigabitEthernet1/0/2. Zone interfaces are grouped into a single L2 segment via Bridge 2 network bridge.
- 'Trusted' zone is meant for a local area network (LAN) connection. In this zone, the following ports are open: Telnet and SSH for remote access, ICMP for router availability tests, and DHCP for clients obtaining IP addresses from the router. Outgoing connections from this zone into the Untrusted zone are allowed.
This security zone includes the following interfaces:
ESR-1000: GigabitEthernet1/0/2-24. Zone interfaces are grouped into a single L2 segment via Bridge 1.
ESR-1200: GigabitEthernet1/0/2-16, TengigabitEthernet1/0/3-8. Zone interfaces are grouped into a single L2 segment via Bridge 1 network bridge.
ESR-1700: GigabitEthernet1/0/2-4, TengigabitEthernet1/0/3-8. Zone interfaces are grouped into a single L2 segment via Bridge 1 network bridge.
On the Bridge 2 interface, DHCP client is enabled to obtain a dynamic IP address from the provider. On the Bridge 1 interface, static IP address 192.168.1.1/24 is configured. This address acts as the gateway for LAN clients. For LAN clients, DHCP address pool 192.168.1.2-192.168.1.254 is configured with the mask 255.255.255.0. For clients to access the Internet, the router should have the Source NAT service enabled.
Security zone policies have the following configuration:
Traffic origin zone | Traffic destination zone | Traffic type | Action |
---|---|---|---|
trusted | untrusted | TCP, UDP, ICMP | enabled |
trusted | trusted | TCP, UDP, ICMP | enabled |
trusted | self | TCP/23(Telnet), TCP/22(SSH), ICMP, UDP/67(DHCP Server), UDP/123(NTP) | enabled |
untrusted | self | UDP/68(DHCP Client) | enabled |
To enable device configuration on the first startup, 'admin' user with 'password' password has been created in the router configuration. The user will be prompted to change administrator password during the initial configuration of the router.
To enable network access to the router on the first startup, static IP address 192.168.1.1/24 has been configured on Bridge 1 interface.
5. CONNECTING TO THE CLI OF ROUTER
At initial startup, the router boots with the factory configuration. The factory configuration is described in paragraph 4 of this document.
5.1. Ethernet LAN connection
1. Connect the network data cable (patch cord) to any port within the 'Trusted' zone and to the PC intended for management tasks.
2. In the router factory configuration, DHCP server is enabled with IP address pool in 192.168.1.0/24 subnet. When network interface is connected to the management computer, the latter should obtain the network address from the server. If IP address is not obtained for some reason, assign the interface address manually using any address except for 192.168.1.1 in 192.168.1.0/24 subnet.
5.2. RS-232 console port connection
1. Using RJ-45/DBF9 cable included into device delivery package, connect the router 'Console' port to the computer RS-232 port.
2. Launch terminal application (e.g. HyperTerminal or Minicom) and create a new connection. VT100 terminal emulation mode should be used. Specify the following settings for RS-232 interface:
Parameter | Value |
---|---|
Data rate | 115200 bps |
Data bits | 8 bits |
Parity | none |
Stop bits | 1 |
Flow control | none |
6. BASIC ROUTER CONFIGURATION
Upon the first startup, the router configuration procedure includes the following steps:
1. Setting the factory configuration.
2. Changing password for "admin" user.
3. Creation of new users.
4. Assigning device name (Hostname).
5. Setting parameters for public network connection in accordance with the provider requirements.
6. Configuring remote connection to router.
7. Applying basic settings.
By default, the user "admin" with the password "password" is created.
6.1. Installing the default configuration
At initial startup, the router boots with the factory default configuration. The factory configuration is described in paragraph 4 of this document.
Before further configuration, it is recommended to reset the configuration to default so that only the required network parameters are set. Perform the reset while connected to the router through the RS-232 console, because once it is applied all settings are reset and network access to the router becomes impossible.
esr-1700# copy system:default-config system:candidate-config
Entire candidate configuration will be reset to default, all settings will be lost upon commit.
Do you really want to continue? (y/N): y
|******************************************| 100% (21B) Default configuration loaded successfully.
esr-1700#commit
esr-1700#confirm
6.2. Changing the administrator password
The password of the privileged user "admin" must be changed for secure login. The user name and password are entered when logging in during device administration sessions. The following commands are used to change the password of the "admin" user:
esr-1700# configure
esr-1700(config)# username admin
esr-1700(config-user)# password <new-password>
esr-1700(config-user)# exit
esr-1700(config)#exit
esr-1700#commit
esr-1700#confirm
6.3. Creating the new users
The following commands are used to create a new system user or to configure any of the parameters - user name, password, privilege level:
esr-1700# configure
esr-1700(config)# username <user>
esr-1700(config-user)# password <user-password>
esr-1700(config-user)# privilege <1-15>
esr-1700(config-user)# exit
esr-1700(config)#exit
esr-1700#commit
esr-1700#confirm
Privilege levels 1-9 allow access to the device and viewing of its operational status, but prohibit configuration. Privilege levels 10-14 allow both access to and configuration of most device functions. Privilege level 15 allows both access to and configuration of all device functions.
Example commands to create user <fedor> with password <12345678> and privilege level <15> and to create user <ivan> with password <87654321> and privilege level <1>:
esr-1700# configure
esr-1700(config)# username fedor
esr-1700(config-user)# password 12345678
esr-1700(config-user)# privilege 15
esr-1700(config-user)# exit
esr-1700(config)# username ivan
esr-1700(config-user)# password 87654321
esr-1700(config-user)# privilege 1
esr-1700(config-user)# exit
esr-1700(config)#exit
esr-1700#commit
esr-1700#confirm
6.4. Assigning a device name
The following commands are used to assign a device name:
esr-1700# configure
esr-1700(config)# hostname <new-name>
esr-1700(config)#
esr-1700(config)#exit
esr-1700#commit
esr-1700#confirm
After the configuration is applied, the command line prompt will change to the value specified by the <new-name> parameter.
6.5. Configuring public network settings
To configure the network interface of the router on a public network, you must assign the device the parameters defined by the network provider: IP address, subnet mask and default gateway address. The following example commands configure a static IP address on subinterface GigabitEthernet 1/0/2.150 for accessing the router through VLAN 150.
Interface parameters:
- Security zone – untrusted
- IP address – 192.168.16.144;
- Subnet mask – 255.255.255.0;
- default gateway IP address – 192.168.16.1.
esr-1700# configure
esr-1700(config)# security zone untrusted
esr-1700(config-zone)# exit
esr-1700(config)# interface gigabitethernet 1/0/2.150
esr-1700(config-subif)# security-zone untrusted
esr-1700(config-subif)# ip address 192.168.16.144/24
esr-1700(config-subif)# exit
esr-1700(config)# ip route 0.0.0.0/0 192.168.16.1
esr-1700(config)#exit
esr-1700#commit
esr-1700#confirm
To verify that an address has been assigned to an interface, enter the following command after applying the configuration:
esr-1700# show ip interfaces
IP address Interface Admin Link Type
--------------------------------------------------- ------------------ ----- ----- -------
192.168.16.144/24 gi1/0/2.150 Up UP static
The provider may use dynamically assigned addresses on its network. DHCP can be used to obtain an IP address if a DHCP server is present on the network. The following example configuration obtains a dynamic IP address from a DHCP server on interface GigabitEthernet 1/0/2 in VLAN 150:
esr-1700# configure
esr-1700(config)# security zone untrusted
esr-1700(config-zone)# exit
esr-1700(config)# interface gigabitethernet 1/0/2.150
esr-1700(config-subif)# security-zone untrusted
esr-1700(config-subif)# ip address dhcp
esr-1700(config-subif)# exit
esr-1700(config)#exit
esr-1700#commit
esr-1700#confirm
To verify that the address has been assigned to the interface, enter the following command after applying the configuration:
esr-1700# show ip interfaces
IP address Interface Admin Link Type
--------------------------------------------------- ------------------ ----- ----- -------
192.168.16.12/24 gi1/0/2.150 Up UP DHCP
6.6. Configuring remote access to the router
The default configuration does not allow remote access to the router, so if the default configuration has been applied, the router can be configured only through a console cable. To allow remote access to the router from certain hosts, perform the following actions:
Enable Telnet and SSH servers on the router:
esr-1700# configure
esr-1700(config)# ip telnet server
esr-1700(config)# ip ssh server
Create objects in which we specify the telnet and ssh ports:
esr-1700(config)# object-group service telnet
esr-1700(config-object-group-service)# port-range 23
esr-1700(config-object-group-service)# exit
esr-1700(config)# object-group service ssh
esr-1700(config-object-group-service)# port-range 22
esr-1700(config-object-group-service)# exit
Create security zone:
esr-1700(config)# security zone trusted
esr-1700(config-zone)# exit
Create an object in which we specify hosts IP addresses from which the access to router is allowed:
esr-1700(config)# object-group network mgmt
esr-1700(config-object-group-network)# ip address-range 192.168.110.1-192.168.110.254
esr-1700(config-object-group-network)# exit
Create an interface, assign the security zone and IP address:
esr-1700(config)# int gi1/0/1.2
esr-1700(config-subif)# security-zone trusted
esr-1700(config-subif)# ip address 192.168.110.37/24
esr-1700(config-subif)# exit
Create rules for Telnet and SSH traffic to the router from the addresses of the mgmt object:
- trusted – zone from which remote access will be performed;
- self – zone where the router management interface is located;
esr-1700(config)# security zone-pair trusted self
esr-1700(config-zone-pair)# rule 1
esr-1700(config-zone-pair-rule)# action permit
esr-1700(config-zone-pair-rule)# match protocol tcp
esr-1700(config-zone-pair-rule)# match source-address mgmt
esr-1700(config-zone-pair-rule)# match destination-address any
esr-1700(config-zone-pair-rule)# match source-port any
esr-1700(config-zone-pair-rule)# match destination-port telnet
esr-1700(config-zone-pair-rule)# enable
esr-1700(config-zone-pair-rule)# ex
esr-1700(config-zone-pair)# rule 2
esr-1700(config-zone-pair-rule)# action permit
esr-1700(config-zone-pair-rule)# match protocol tcp
esr-1700(config-zone-pair-rule)# match source-address mgmt
esr-1700(config-zone-pair-rule)# match destination-address any
esr-1700(config-zone-pair-rule)# match source-port any
esr-1700(config-zone-pair-rule)# match destination-port ssh
esr-1700(config-zone-pair-rule)# enable
esr-1700(config-zone-pair-rule)# exit
esr-1700(config-zone-pair)# exit
esr-1700(config)# exit
esr-1700#commit
esr-1700#confirm
Verify that the router is accessible via Telnet and SSH from authorized hosts.
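The rules above only make sense together with the object groups they reference, so it helps to evaluate them as a set before committing. The following added example (not Eltex code) parses the commands of this section as typed, decides whether a given connection to the router would be permitted, and lists which rules open a given port such as Telnet (TCP/23, unencrypted). Rule order as entered, an implicit deny when nothing matches, and the `A-B` form of `port-range` are assumptions of the example.

```python
import ipaddress
import re

# Constructed input: the section 6.6 commands without prompts (rule body templated).
RULE = ("rule {n}\naction permit\nmatch protocol tcp\nmatch source-address mgmt\n"
        "match destination-address any\nmatch source-port any\n"
        "match destination-port {svc}\nenable\nexit\n")
SAMPLE = (
    "object-group service telnet\nport-range 23\nexit\n"
    "object-group service ssh\nport-range 22\nexit\n"
    "object-group network mgmt\n"
    "ip address-range 192.168.110.1-192.168.110.254\nexit\n"
    "security zone-pair trusted self\n"
    + RULE.format(n=1, svc="telnet") + RULE.format(n=2, svc="ssh") + "exit\n"
)


def parse(text):
    """Collect object groups and zone-pair rules from typed ESR commands."""
    services, networks, rules = {}, {}, []
    group = pair = rule = None
    for raw in text.splitlines():
        # Drop a leading CLI prompt such as "esr-1700(config)# " if present.
        words = re.sub(r"^\S+#\s*", "", raw.strip()).split()
        if not words:
            continue
        if words[0] == "object-group" and len(words) == 3:
            table = services if words[1] == "service" else networks
            group = table.setdefault(words[2], [])
        elif words[0] == "port-range":
            lo, _, hi = words[1].partition("-")  # "A-B" form is an assumption
            group.append((int(lo), int(hi or lo)))
        elif words[:2] == ["ip", "address-range"]:
            lo, _, hi = words[2].partition("-")
            group.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
        elif words[:2] == ["security", "zone-pair"]:
            pair = (words[2], words[3])
        elif words[0] == "rule":
            rule = {"pair": pair, "id": words[1], "enabled": False}
            rules.append(rule)
        elif words[0] == "action":
            rule["action"] = words[1]
        elif words[0] == "match":
            rule[words[1]] = words[2]  # e.g. rule["destination-port"] = "ssh"
        elif words[0] == "enable":
            rule["enabled"] = True
    return services, networks, rules


def _in(ranges, value):
    return any(lo <= value <= hi for lo, hi in ranges)


def decide(cfg, src_zone, dst_zone, proto, src_ip, dst_port):
    """Action of the first enabled matching rule, else 'deny' (assumed default).
    destination-address and source-port are 'any' on the page and not evaluated."""
    services, networks, rules = cfg
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        src = r.get("source-address", "any")
        port = r.get("destination-port", "any")
        if (r["enabled"] and r["pair"] == (src_zone, dst_zone)
                and r.get("protocol", "any") in ("any", proto)
                and (src == "any" or _in(networks.get(src, []), ip))
                and (port == "any" or _in(services.get(port, []), dst_port))):
            return r.get("action", "deny")
    return "deny"


def rules_exposing(cfg, dst_zone, dst_port):
    """IDs of enabled permit rules that open dst_port towards dst_zone."""
    services, _, rules = cfg
    return [r["id"] for r in rules
            if r["enabled"] and r.get("action") == "permit"
            and r["pair"][1] == dst_zone
            and (r.get("destination-port", "any") == "any"
                 or _in(services.get(r["destination-port"], []), dst_port))]
```

If `rules_exposing(parse(SAMPLE), "self", 23)` returns a rule that is not needed, leaving that rule and `ip telnet server` out of the configuration keeps management on SSH only.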
6.7 Downloading the wireless-controller support license file
To access wireless-controller functionality you need a license file. In order to obtain it, please contact Eltex.
To view the installed licenses, run the following command from the router CLI:
esr-1700# show licence
Active licence not found!
To download the obtained license file to the router, you need to execute:
esr-1700# copy tftp://192.168.110.50:/NP07000041.lic system:licence
|******************************************| 100% (679B) Licence loaded successfully. Please reboot system to apply changes.
After that reload the router:
esr-1700# reload system
Do you really want to reload system ? (y/N): y
After reloading, verify that the license is installed:
esr-1700# show licence
Licence information
-------------------
Name: eltex
Version: 1.0
Type: ESR-1700
S/N: NP07000041
MAC: A8:F9:4B:AB:B4:80
Features:
WIFI - Wi-Fi controller
7. ROUTER CONFIGURATION
7.1 Resetting to factory configuration
The factory configuration allows remote access to the router via Telnet or SSH from a "trusted" zone (Chapter 4). The following commands are used to restore the configuration settings to this state:
esr-1700# copy system:factory-config system:candidate-config
esr-1700#commit
esr-1700#confirm
7.2 Resetting to default configuration
The factory configuration does not always meet the requirements of the task at hand. To prepare the device for configuration, install the default configuration (which contains no settings); you can then configure all device parameters to meet the requirements of the network. The following commands are used to reset the configuration to default:
esr-1700# copy system:default-config system:candidate-config
esr-1700#commit
esr-1700#confirm
After applying the default configuration, remote access (via SSH, Telnet) to the device will not be possible.
7.3 Applying the settings
To apply the configuration changes made to the router, the following commands must be entered from the root section of the command interface.
esr-1700# commit
esr-1700# confirm
If remote access to the device was used during configuration and the network parameters of the management interface are changed, the connection to the device may be lost after entering the commit command. Use the new network parameters set in the configuration to connect to the device and enter the confirm command. If the confirm command cannot be entered, after the confirmation timer (10 minutes) expires, the device configuration will revert to the previous state that existed before the commit command was entered.
7.4 Software Upgrade
It is recommended that the router be upgraded to the latest version of software (SW) before beginning to configure the router. If the current software version is lower than version 1.2.0, check the versions of the xload and U-Boot bootloaders before updating the router software and, if necessary, update them to the same version.
The bootloader version is checked from the console while the device boots; the version information can be found in the following line:
BRCM XLP Stage 1 Loader (X-Loader:1.0.6.48) [Big-Endian] (Sep 30 2015 - 17:50:18)
To check the firmware version use the show version command:
ESR1000# show version
Boot version:
1.0.7.162 (date 25/02/2016 time 16:47:23)
SW version:
1.0.7 build 162[71e5eab] (date 25/02/2016 time 16:58:33)
HW version:
1v7
Updating the bootloader (XLOAD)
To update the preloader you will need a TFTP server or an SD card. In its root, create a folder named esr1000 and put the file xload.bin in that folder.
Interrupt the boot by pressing any key when the following output appears:
Temp: LM75/0 temperature (PHYs 1G) 30 C
Temp: LM75/1 temperature (SFP+ 10G) 29 C
Temp: LM75/2 temperature (Switch) 42 C
CPLD: FW Revision 1
Hit any key to stop autoboot: 0
BRCM.XLP316Lite Rev B2.u-boot#
When you press Enter, the following prompt should be displayed:
BRCM.XLP316Lite Rev B2.u-boot#
To update from the sd card, enter the commands:
mmc init
fatload mmc 0:1 ${xload_ram_base} ${xload_file}
sf probe && sf erase ${xload_sf_base} ${xload_sf_size}
sf write ${xload_ram_base} ${xload_sf_base} ${filesize}
To update from tftp, enter the commands:
Set the TFTP server IP address
setenv serverip 192.168.11.11
Set up the router IP address
setenv ipaddr 192.168.11.10
Update the xload
run tftp_update_xload
Reset the router
reset
Updating the U-Boot
To update the router's secondary boot loader (U-Boot), you must enter the following commands from the root section of the command interface:
esr-1000# copy tftp://IP:/filename system:boot
For example, with server address 101.0.0.4 and software file name esr1000-1.2.0-build162.uboot:
esr-1000# copy tftp://101.0.0.4:/esr1000-1.2.0-build162.uboot system:boot
esr-1000# reload system
Do you really want to reload system ? (y/N): y
Updating the firmware
To update the software, enter the following commands from the root section of the command interface:
esr-1000# copy tftp://IP:/filename system:firmware
For example, with server address 101.0.0.24 and software file name esr1000-1.4.0-build108.firmware:
esr-1000# copy tftp://101.0.0.24:/esr1000-1.4.0-build108.firmware system:firmware
Download firmware from tftp://101.0.0.24:/esr1000-1.4.0-build108.firmware...
esr1000-1.4.0-build108.firmware 100% |*******************************| 47298k 0:00:00 ETA
Verify image ... OK!Writing data to NAND...
###################################################################################################################################################################################
Firmware updated successfully.
Select the image to boot by checking which image is currently active:
esr-1000# show bootvar
Image Version Date Status After reboot
----- ------------------------- -------------------- ------------ ------------
1 1.4.0 build date 02/04/2018 time Not Active
108[ad6366f86f] 11:39:31
2 1.2.1 build date 25/12/2017 time Active *
30[c6cfc39187] 10:20:12
The firmware is always written to the inactive image, so select that image for boot:
esr-1000# boot system image-1
Do you really want to set boot system image? (y/N): y
Check that it is selected for boot:
esr-1000# sh bootvar
Image Version Date Status After reboot
----- ------------------------- -------------------- ------------ ------------
1 1.4.0 build date 02/04/2018 time Not Active *
108[ad6366f86f] 11:39:31
2 1.2.1 build date 25/12/2017 time Active
30[c6cfc39187] 10:20:12
Reload the router:
esr-1000# reload system
Do you really want to reload system ? (y/N): y