Secure Routers
1001, 1002, 1004, and 3120
1004 Router Front Panel
[Figure: Typical 100X Chassis - Front. Callouts: WAN Port LEDs 1-4; Power LED; Ethernet 0 LEDs and Ethernet 1 LEDs (LINK/ACT, HS, DUP)]
LED | DESCRIPTION | COLOR
WAN Status 1-4 | Indicates traffic activity on this interface | Green = normal activity; Red = alarm state; Yellow = test mode
Ethernet 0/1 Link/Act | Indicates traffic activity on this interface | Green = link is operational; Blinking Yellow = either receiving or sending traffic; Red = packet collisions
Ethernet 0/1 HS | Indicates traffic speed on the interface | Off = 10 Mbps; Green = 100 Mbps
Ethernet 0/1 DUP | Indicates the type of duplex mode | Off = Half duplex; Green = Full duplex
SR Logo | Back lighted when power is applied | Blue
Power | Indicates router power status | Off = power off; Green = power on
[Figure: Typical 100X Chassis - Back. Callouts: WAN Ports 1-4; Power Tie-Down; Console Port; Fast Ethernet Port 0; Aux Port; Fast Ethernet Port 1; 12 VDC Input Jack]
PORT | DESCRIPTION
WAN 1 - WAN 4 | WAN connection port. These ports accept cables with RJ-48C connectors. If drop and insert is configured, then ports 1 and 2 are reserved for that feature.
FE 0 - FE 1 | Ethernet LAN connection ports. These ports accept cables with RJ-45 cable connectors.
AUX | Currently no functionality is supported on this interface.
Console | Console management port. This port accepts a cable with an RJ-45 cable connector.
DC power | 12 VDC power connection. This port accepts the 2 mm power connector on the power supply cable that ships with the 1004 router.
1004 Router Rear Panel
Connect to the Console Port
> Connect to the Console port
• Using a PC with a VT100 terminal emulation
• Configure the terminal for:
  • 9600
  • 8 data bits
  • 1 stop bit
  • No parity
  • XON/XOFF flow control (note this is NOT the default setting for HyperTerminal)
• Use the two DB9 to RJ45 connectors and cable provided
Logon using the CLI
> Once the console cable is connected to the PC and SR device
> Press the Enter key
• This should present the system prompt
> Now log in to the device
• login: admin
• password: setup
• You now see the initial CLI prompt
  • SR-1004
Exercise the CLI
> Use the following command tips and shortcuts with command line interface commands.
• The CLI is case sensitive
• To display all commands, type tree.
• To access help associated with a command, type help <command name>. You may also use the ? key after any command.
• To exit back one level in the command hierarchy, type exit and press Return.
• To exit the command mode and/or return to the base CLI prompt, press the key combination Ctrl-Z.
• Type the first two letters of a command, and then press the Tab key to automatically spell out the command.
• Scroll through the available commands using the Tab key.
> Refer to the Command Reference Guide for additional navigation key shortcuts
Changing Admin Password
> The System Administrator login consists of two components: the user name and the password. The initial login name is always admin, but you can change this to suit your needs after logging in for the first time. The default password for user admin, setup, should be changed as soon as possible to ensure only authorized access to the router.
> To change the password
• This procedure enables the system administrator to change any or all user passwords, or any user to change their password on the 1004. The password must be 3-10 characters.
• Access the password configuration mode.
  • example: SR-1004# password
• The system prompts for the current user name.
  • Type admin, and then press Return.
• The system prompts for the old password.
  • Type setup, and then press Return.
• The system prompts for the new password.
  • Type your new password, and then press Return.
• The system prompts you to verify the new password.
  • Type the new password again and then press Return.
• A message appears confirming that the password has been changed.
Changing Admin Login
> This procedure changes the administrator login name (Level 1 access) to a user-specified name. The default is admin.
> To change the account name:
• Access the configure mode.
  • example:
  • admin-1004# configure term
• Change the account name.
  • example:
  • SR-1004/configure# admin_name Greg
  • The example above changes the Level 1 user name to Greg.
  • The system displays a confirming message: “Administrator account name changed to Greg.”
Modifying the System Host Name
> The default host name is SR-model_number.
> Use the configure hostname command to assign a host name to the Secure Router. Once assigned, the host name becomes the command line interface (CLI) prompt name.
> To configure the host name:
• Access the terminal configuration mode: SR-1004# configure term
• Type hostname, and then type a new host name.
• Press Return.
  • example:
  • SR-1004/configure# hostname Fremont
  • In the above example, the new host name for the system is Fremont. The CLI prompt changes to Fremont, accordingly.
  • example:
  • Fremont/configure#
Modifying the Date and Time
> To set the date:
• 1 Enter the terminal configuration mode: SR-1004# configure term
• 2 Press Return.
• 3 Use the date command to enter month, day, and year.
> To enter the date: March 19, 2003, see the following example:
• example:
• SR-1004/configure# date 03 19 2003
> To set the time:
• 1 Enter the terminal configuration mode: SR-1004# configure term
• 2 Press Return.
• 3 Use the time command to enter hour, minute, and second.
> To enter the time: 2:40:35 pm, see the following example:
• example:
• SR-1004/configure# time 14 40 35
> The router confirms the setting by automatically displaying the date and time. To confirm the date and time parameters, use the display date command.
> Or, use the SNTP client to have a time server automatically set the time.
Configuring SNMP Monitoring
> configure# snmp community private [rw|ro]
> configure# snmp contact “sysop”
> configure# snmp chassis-id sanjose_ca
> configure# snmp location R1MDF
> configure# snmp snmp-source 192.168.1.1
> configure# snmp trap-host 10.1.1.1 private
> configure# snmp trap-source 192.168.1.1
> configure# snmp enable traps [list below]
• bgp [established, backward trans]
• bundle [up, down]
• config [change,save]
• environment [temp,fan]
• frame_relay [vcstate]
• failover [success, failure]
• snmp [auth_failure]
• sntp [enable]
• system [shutdown,logon,logoff,loginfail]
• vrrp [enable]
• ospf [too many to list here]
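The following Python check is an added example, not part of the original guide or of the router's own tooling. It reads SNMP command lines in the forms shown above and flags a well-known community string, a read-write community reused for traps, and missing login-failure traps. The function name, the severity labels, the sample lines and the assumed one-event-per-line form `snmp enable traps <group> <event>` are assumptions.

```python
import re

# Community strings used as vendor defaults and documentation examples.
WELL_KNOWN = {"public", "private"}

# Trap events from the page's list that report failed SNMP and CLI logins.
WANTED_TRAPS = {("snmp", "auth_failure"), ("system", "loginfail")}

# Severity labels are this example's own, not the product's.
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample input: the page's commands as they would be typed.
SAMPLE_CONFIG = """\
configure# snmp community private rw
configure# snmp contact "sysop"
configure# snmp chassis-id sanjose_ca
configure# snmp location R1MDF
configure# snmp trap-host 10.1.1.1 private
configure# snmp trap-source 192.168.1.1
configure# snmp enable traps config change
configure# snmp enable traps system logon
"""

# Constructed sample input: the same settings with the weak values replaced.
HARDENED_CONFIG = """\
snmp community n0c-R3ad-0nly ro
snmp trap-host 10.1.1.1 tr4p-0nly
snmp enable traps snmp auth_failure
snmp enable traps system loginfail
"""


def audit_snmp(config_text):
    """Return findings as (severity, message) tuples, most severe first."""
    communities = {}   # community string -> "rw", "ro" or "unspecified"
    trap_hosts = []    # (host, community string)
    traps = set()      # (group, event)

    for raw in config_text.splitlines():
        # Drop a leading CLI prompt such as "configure# " if one is present.
        line = re.sub(r"^\S*#\s*", "", raw.strip())
        words = line.split()
        if words[:2] == ["snmp", "community"] and len(words) >= 3:
            access = words[3].lower() if len(words) > 3 else "unspecified"
            communities[words[2]] = access
        elif words[:2] == ["snmp", "trap-host"] and len(words) >= 4:
            trap_hosts.append((words[2], words[3]))
        elif words[:3] == ["snmp", "enable", "traps"] and len(words) >= 5:
            for event in words[4:]:
                traps.add((words[3], event.strip(",[]")))

    findings = []
    for name, access in communities.items():
        if name.lower() in WELL_KNOWN:
            severity = "HIGH" if access == "rw" else "MEDIUM"
            findings.append(
                (severity, f"community '{name}' ({access}) is a well-known string"))
        elif access == "rw":
            findings.append(
                ("MEDIUM", f"community '{name}' grants read-write access"))
    for host, name in trap_hosts:
        # Community-based traps carry the string in clear text, so the
        # write community should never double as the trap community.
        if communities.get(name) == "rw":
            findings.append(
                ("MEDIUM", f"trap-host {host} reuses read-write community '{name}'"))
    for group, event in sorted(WANTED_TRAPS - traps):
        findings.append(("LOW", f"trap '{group} {event}' is not enabled"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```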
User Levels
> User privilege levels
• 1 - Full privileges.
• 2 - Can configure the system, view system data, conduct tests, and change the user’s current access password. Cannot add users to or remove users from the system.
• 3 - Can view system data, conduct tests, and change user’s current access password. Cannot perform any other operations.
• 4 - Can view system data and change user’s current access password. Cannot perform any other operations. This level is automatically assigned to a user if you do not specify a level.
> Stored locally on NVRAM
> Network stored and used via RADIUS
> Admin password recovery requires physical access
> Recovery does not impact configuration file
Adding Users
> The configure user command allows the system administrator to add up to 15 users (login ID) and assign each user an access privilege (levels 2-4). Only the system administrator (level 1) can add, modify, or remove this information.
> To add a new user:
• Enter the terminal configuration mode: SR-1004# configure term
• Type user name, enter the name that you want to add, and then enter the access level to be assigned to that name (optional). The user name may be up to 30 characters. The password must be 3-10 characters.
  • example:
  • SR-1004/configure# user John level 2
• The system prompts you to enter a new password.
  • Enter the new password.
• The system prompts you to re-enter the new password.
  • Re-enter the new password.
• The system confirms that the password is set and confirms the name of the added user.
  • You can use the show user_accounts command to view user information.
Removing Users
> The no user name command allows the system administrator to remove configured user names from the Secure Router system.
> To remove a user name:
• Type no user name, followed by the user’s name.
  • example:
  • SR-1004/configure# no user John
• Press Return.
• The user name is removed from the system.
Default Configuration
> There are three ways to restore factory default configuration settings. Remember to reboot the router after performing any of the following procedures.
• Clear/Erase the contents of the system.cfg file
  • clear cfg_file system.cfg
  • erase startup
• Delete the system.cfg file
  • rm system.cfg
  • erase flash system.cfg
• Rename and remove the system.cfg file
  • copy system.cfg system.bk
  • rm system.cfg
> After performing any of the above options, the system.cfg file no longer exists. Subsequently, a “file not found” error message is displayed upon rebooting the system. This message will not impact operation, and it should be ignored.
> NOTE: If you change any of the factory default settings, issue the wr mem command to retain the changed configuration before rebooting.
Basic WAN T1 Interface Configuration
> Connect the T1 crossover cable between the two devices being tested in the lab. You should now see a green link status on the T1
• This confirms that there are no layer one errors
> The following are examples of T1 interface configurations. To scroll through the options available at any command prompt, press the Tab key. For descriptions of the options available at any command prompt, type help and press Enter.
> T1 Interface
• SR-1004# configure term
• SR-1004/configure# module t1 1
• SR-1004/configure/module/t1 1# framing esf (default esf)
• SR-1004/configure/module/t1 1# clock_source line (default:internal)
• SR-1004/configure/module/t1 1# linecode b8zs (default:b8zs)
• SR-1004/configure/module/t1 1# exit 3
Software Selectable T1/E1 Option
> TiOS 8.3 adds E1 support on 1001 product line. All 1001 products that ship with TiOS 8.3 (and higher) will have the software selectable T1/E1 port option. The 1001 hardware supports both T1 and E1 signaling. This is unlike 1002 and 1004 products where T1 and E1 routers are manufactured and ordered separately. Hence, the software selectable option will only work on the 1001 product. The standard 1001 products with TiOS 8.3 will ship with T1 as the default ‘carrier-type’. The customer can use one CLI command to convert the T1 port into an E1 port. The procedure to convert T1 to E1 is as follows:
• Step 1: configure the ‘carrier-type’ of the port to convert from T1 (default) to E1
  • Host> configure term
  • Host/configure> module t1 1
  • Host/configure/module/t1 1> carrier-type e1
> TiOS 9.0 added this same support for the 3120 T1/E1 modules. The procedure to convert T1 to E1 is as follows:
• Step 1: configure the ‘carrier-type’ of the port to convert from T1 (default) to E1
  • SR/configure# system carrier-type 2 e1
  • E1 carrier set for slot 2
  • You need to REBOOT for the change to take effect
E1 Unchannelized Option (G.703)
To provide an unframed E1 and to get 2048M, you need to disable framing on the E1.
• 1001/configure/module/e1 1 > framing disable
• 1001/configure/interface/bundle wan >show int bundle wan
bundle wan
----------
status              down, ipcp not in open state
number of links     1
total bandwidth     2048 kbps
link                speed  bw    inverted  status  diffdelay(msec)
----                -----  --    --------  ------  ----------------
e1 1:unchannelised  64     2048  no        up      -
Saving the Configuration
> wr mem - Saves the current system configuration to flash memory. This allows the system to boot from the latest configuration upon a subsequent power-up or reboot.
SR-1004#write memory
> You also can assign a filename to the saved configuration. If a filename is not specified, the default file SYSTEM.CFG is used.
SR-1004#write mem test.cfg
> save network - Use the save network command to save the configuration to a network tftp server. You must specify a filename and the pathname to the destination file.
SR-1004#write network 10.1.100.16 /maindir/temp.cfg
Alarms and Statistics
Configuring T1 alarm thresholds
> When thresholds are exceeded, the system generates alarms that indicate the possible deterioration of a T1 link. Refer to the following parameters to determine the specific T1 data type that needs to be configured. You can define one alarm threshold for each parameter.
Parameter | Definition
number | Statistic alarm threshold number. The range is 1 - 10.
variable | Variable on which a threshold is to be configured:
  ses | Threshold for Severely Errored Seconds
  es | Threshold for Errored Seconds
  bes | Threshold for Bursty Errored Seconds
  uas | Threshold for Unavailable Seconds
  eev | Threshold for Excessive Error Violation Seconds
  lofc | Threshold for Loss-of-Frame Counts
  css | Threshold for Controlled Slip Seconds
  oof | Threshold for Out-of-Frame Seconds
  crc | Threshold for CRC-6 errors
  bpv | Threshold for Bipolar Violations
interval | Sampling interval, in seconds. The range is 1 - 65535.
rising_threshold | Number of errored seconds or events which, if exceeded during any sampling interval, results in a rising alarm. The range is 0 - 2147483647.
falling_threshold | Minimum number of errored seconds or events below which a falling alarm is reported. This alarm is reported if a rising alarm was previously reported and the number of errored seconds or events subsequently dropped below this minimum threshold. The falling threshold value must be less than the rising threshold value above. The range is 0 - 2147483647.
sampe_type | Method of sampling, as follows:
  absolute | The errored second or event count is compared directly to the specified threshold values, and the appropriate alarm type (rising or falling) is reported.
  delta | The errored second or event count is compared to the difference between the rising and falling thresholds above, and a rising alarm is reported if the actual error count exceeds that difference. This is the default setting if you do not specify a sampling type.
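The rising and falling alarm behaviour described above, for the absolute sampling method, is worked through below in Python as an added example; it is not code from the original guide or from the router. The class and function names and the per-interval error counts are constructed, and it assumes a rising alarm is reported once and is re-armed only after a falling alarm.

```python
from dataclasses import dataclass


@dataclass
class ThresholdAlarm:
    """One T1 statistic alarm threshold, evaluated with the 'absolute' method."""
    variable: str                  # e.g. "es" or "ses"
    interval: int                  # sampling interval, in seconds
    rising_threshold: int
    falling_threshold: int
    rising_reported: bool = False  # True while a rising alarm is outstanding

    def __post_init__(self):
        # Ranges and ordering as stated in the parameter table.
        if not 1 <= self.interval <= 65535:
            raise ValueError("interval must be 1 - 65535 seconds")
        for value in (self.rising_threshold, self.falling_threshold):
            if not 0 <= value <= 2147483647:
                raise ValueError("thresholds must be 0 - 2147483647")
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling_threshold must be less than rising_threshold")

    def sample(self, count):
        """Compare one interval's count to the thresholds.

        Returns "rising", "falling" or None.
        """
        if count > self.rising_threshold and not self.rising_reported:
            self.rising_reported = True
            return "rising"
        # A falling alarm is only reported after a rising alarm.
        if count < self.falling_threshold and self.rising_reported:
            self.rising_reported = False
            return "falling"
        return None


def evaluate(alarm, counts):
    """Feed per-interval counts to the alarm.

    Returns (seconds_elapsed, event, count) for each alarm reported.
    """
    events = []
    for index, count in enumerate(counts):
        event = alarm.sample(count)
        if event is not None:
            events.append(((index + 1) * alarm.interval, event, count))
    return events


# Constructed sample: errored seconds counted in eight 60-second intervals.
SAMPLE_COUNTS = [0, 4, 12, 15, 6, 2, 1, 11]

if __name__ == "__main__":
    es_alarm = ThresholdAlarm("es", interval=60,
                              rising_threshold=10, falling_threshold=3)
    for seconds, event, count in evaluate(es_alarm, SAMPLE_COUNTS):
        print(f"t={seconds:4d}s  {es_alarm.variable} {event} alarm (count={count})")
```

The counts 15 and 6 produce no event: the first is above the rising threshold while the alarm is already outstanding, and the second sits between the two thresholds.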
T1 Module-Related Commands
SR-1004# show module config t1 1
> T1 1 is ENABLED
> Alarm Hierarchy: TRUE,
> Yellow Alarm: DISABLE
> Framing:ESF, LineCode:B8ZS, ClockSource:LINE, LineMode:CSU, LBO:0 db
> FDL: ANSI Unit Protocol enabled ,ATT Unit Protocol enabled ,
> CsuDsuType: CSU & DSU
> CIRCUIT-ID : Not Configured ,CONTACT-INFO : Not Configured ,
> DESCRIPTION : Not Configured ,
Line Status:
> RLOS:OFF RAIS:OFF RLOF:OFF RRAI:OFF TAIS:OFF
> TRAI:OFF TLnCod:OFF TPlCod:OFF TRstCod:OFF TPtrn:OFF
> Loop:OFF LORC:OFF
Other related commands
> SR-1004# show module userstats t1 1
• Show all layer 1 errors
> SR-1004# show module test t1 1
• Provides BERT test status and results
> SR-1004# show module alarms t1 1
• Shows all current alarms
Sample Test Configuration
Layer 3 Solutions
Ethernet Interface Configuration
> Each router has two Ethernet ports (0 and 1).
> To view the current configuration of an Ethernet port, use the display interface Ethernet command. To view a summary of information for both ports, use the display interface Ethernets command.
> Configure Ethernet parameters, including description, IP address and shutdown/no shutdown.
> Example:
• SR-1004# configure term
• SR-1004/configure# interface ethernet 0
• SR-1004/configure/interface/ethernet 0# ip addr 192.168.1.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/ethernet 0# description “backbone”
• SR-1004/configure/interface/ethernet 0# no shutdown
• SR-1004/configure/interface/ethernet 0# exit
• SR-1004/configure#
WAN Interface Bundle Configuration-HDLC
> T1/Cisco-compatible HDLC Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1
• SR-1004/configure/interface/bundle wan1# encapsulation hdlc
• SR-1004/configure/interface/bundle wan1# hdlc keepalive 10 (default:10)
• SR-1004/configure/interface/bundle wan1# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3
WAN Interface Bundle Configuration-PPP
> T1/PPP Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1
• SR-1004/configure/interface/bundle wan1# encapsulation ppp
• SR-1004/configure/interface/bundle wan1# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3
WAN Interface Bundle Configuration-FR
> T1/Frame Relay Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1
• SR-1004/configure/interface/bundle wan1# encapsulation frelay
• SR-1004/configure/interface/bundle wan1# fr
• SR-1004/configure/interface/bundle wan1# pvc 100
• SR-1004/configure/interface/bundle wan1/fr/pvc:100# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3
WAN Interface Bundle Configuration-MLPPP
• T1/MLPPP Bundle
– SR-1004# configure term
– SR-1004/configure# interface bundle wan1
– SR-1004/configure/interface/bundle wan1# link t1 1-4
– SR-1004/configure/interface/bundle wan1# encapsulation ppp
– SR-1004/configure/interface/bundle wan1# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
– SR-1004/configure/interface/bundle wan1# exit 3
WAN Interface Bundle Configuration-MLFR
> T1/Frame Relay Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1-4
• SR-1004/configure/interface/bundle wan1# encapsulation frelay
• SR-1004/configure/interface/bundle wan1# fr
• SR-1004/configure/interface/bundle wan1# pvc 100
• SR-1004/configure/interface/bundle wan1/fr/pvc:100# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3
Verify the WAN is up
SR-1004# show interface bundle wan1
bundle wan 1
----------
status up
number of links 1
total bandwidth 1536 kbps
link speed bw inverted status diffdelay(ms)
T1 1 0 1536 no up 0
encapsulation hdlc
keepalive 10
keepalive packet type unicast
mtu 1536
ip info
ipaddr 10.1.1.1
netmask 255.255.255.0
counters for the last five minutes
Bytes Rx 0 Bytes Tx 0
Packets Rx 0 Packets Tx 0
Err Packets Rx 0
Up/Down States 0
RED Configuration
-----------------
Status: Enabled
Minimum Threshold: 207
Maximum Threshold: 621
Wq Bias Factor : 9
Current Loaned Count = 0, Max Loaned Count = 0
Current Average Queue Size = 0, Max Ave Queue Size = 0
RED Statistics
Threshold  Below Min  Betn Mn-Mx  Max  Q Overflows
Allowed    0          0           0    -
Dropped    0          0           0    0
Configuring a Default Route
There are two methods to provide a default route for the device. The first points to the next-hop router's IP interface address as the gateway. The second uses the interface name as the gateway.
> SR-1004/configure# ip route 0.0.0.0 0.0.0.0 10.1.1.1
> In the above example, 10.1.1.1 (the “x.x.x.x” field) represents the gateway.
> SR-1004/configure# ip route 0.0.0.0 0.0.0.0 wan1
> In the above example, “wan1” represents the gateway interface.
Cisco to SR T1 using HDLC
Single T1 on the WAN L3 using default routes
[Diagram: host 192.168.2.100/24 - Cisco 7513 (fe 0/0 192.168.2.1/24) - HDLC link 200.1.1.0/30 (.1, .2) - SR 1004 (E0 192.168.0.1/24) - host 192.168.0.7/24]
SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.1 24
 exit
module t1 1
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation hdlc
 ip address 200.1.1.2 30
 exit
ip route 0.0.0.0 0 200.1.1.1
 exit
wr mem
CISCO CONFIGURATION
conf t
hostname Hub
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 200.1.1.1 255.255.255.252
 encapsulation hdlc
 no cdp enable
 no fair-queue
 exit
ip route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
copy run start
Cisco to SR NxT1 using HDLC
with ECMP per-packet load balance
[Diagram: host 192.168.2.100/24 - Cisco 7513 (192.168.2.1/24) - two HDLC links (.1/.2 and .5/.6) - SR 1004 - host 192.168.0.7/24]
SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.100 24
 exit
module t1 1-2
 framing esf
 linecode b8zs
 clock_source internal
 exit
interface bundle LB1
 link t1 1
 encapsulation hdlc
 ip address 192.168.1.2 30
 exit
interface bundle LB2
 link t1 2
 encapsulation hdlc
 ip address 192.168.1.6 30
 exit
ip
 load_balance per_packet
 route 0.0.0.0 0.0.0.0 192.168.1.1
 route 0.0.0.0 0.0.0.0 192.168.1.5
 exit
wr mem
CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source line
 exit
controller T1 0/1
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 192.168.1.1 255.255.255.252
 encapsulation hdlc
 no ip mroute-cache
 no cdp enable
 ip load-sharing per-packet
 exit
interface Serial 0/1
 ip address 192.168.1.5 255.255.255.252
 encapsulation hdlc
 no ip mroute-cache
 no cdp enable
 ip load-sharing per-packet
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.6
 exit
copy run start
Cisco to SR T1 using PPP
Single T1 on the WAN L3 using default routes
[Diagram: host 192.168.2.100/24 - Cisco 7513 (192.168.2.1/24) - PPP link 192.168.1.0/24 (.1, .2) - SR 1004 - host 192.168.0.7/24]
SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip route 0.0.0.0 0 192.168.1.2
 exit
wr mem
CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation ppp
 no cdp enable
 no fair-queue
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
 exit
copy run start
Cisco to SR NxT1 using MLPPP
NxT1 3Mbs on the WAN L3 using default routes
[Diagram: host 192.168.2.100/24 - Cisco 7513 (192.168.2.1/24) - MLPPP link 192.168.1.0/24 (.1, .2) - SR 1004 - host 192.168.0.7/24]
SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip route 0.0.0.0 0 192.168.1.2
 exit
wr mem
CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
controller T1 0/1
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Multilink1
 ip address 192.168.1.2 255.255.255.0
 no cdp enable
 ppp multilink
 multilink-group 1
 exit
interface Serial 0/0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
interface Serial 0/1
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
 exit
copy run start
Cisco CT3 NxT1 CPE SR MLPPP
NxT1 3Mbs on the WAN L3 using default routes
[Diagram: host 192.168.2.100/24 - Cisco 7505 with channelized DS3 (192.168.2.1/24) - Carrier CO - two T1 lines using MLPPP, 192.168.1.0/24 (.1, .2) - SR 1004 - host 192.168.0.7/24]
CISCO CONFIGURATION
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T3 0/0/0
 t1 10 channel-group 0 timeslots 1-24
 framing esf
 linecode b8zs
 clock source internal
 exit
 t1 11 channel-group 0 timeslots 1-24
 framing esf
 linecode b8zs
 clock source internal
 exit
no ip cef
interface Multilink1 -Admin to Elm
 ip address 172.16.64.1/24
 no cdp enable
 ppp multilink
 multilink-group 1
 exit
interface Serial0/0/0/10:0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
interface Serial0/0/0/11:0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
ip route 0.0.0.0 0.0.0.0 207.98.248.130
 exit
copy run start
SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
 exit
wr mem
SR T1 NxT1 CPE MLPPP
NxT1 3Mbs on the WAN L3 using default routes
[Diagram: SR 1004 - two T1 lines, MLPPP, over a T1 crossover (simulated T1 WAN) - SR 1004]
SR CONFIGURATION
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
int eth 0
 ip add 192.168.1.1 30
 exit
int bundle wan
 link t1 1 1-2
 encap ppp
 ip address 172.16.64.1 24
 exit
 ip route 0.0.0.0 0.0.0.0 172.16.64.2
 exit
wr mem
SR CONFIGURATION
conf t
hostname CPE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 172.16.72.1 24
 exit
 interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 exit
ip route 0.0.0.0 0.0.0.0 172.16.64.1
 exit
 wr mem
SR T1 NxT1 MLPPP RIP
NxT1 3Mbs on the WAN L3 using RIP on the WAN interface
[Diagram: SR 1004 - two T1 lines, MLPPP, over a T1 crossover (simulated T1 WAN) - SR 1004]
SR CONFIGURATION
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
int eth 0
 ip add 192.168.1.1 24
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 172.16.64.1 30
 exit
 router rip
 interface ethernet0
 exit
 interface wan
 exit 2
wr mem
SR CONFIGURATION
conf t
hostname REMOTE
 module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.2.1 24
 exit
 interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 30
 exit
router rip
 interface ethernet0
 exit
 interface wan
 exit 2
wr mem
SR T1 NxT1 MLPPP OSPF
NxT1 3Mbs on the WAN L3 using OSPF on the WAN interface
[Diagram: SR 1004 - two T1 lines, MLPPP, over a T1 crossover (simulated T1 WAN) - SR 1004]
SR CONFIGURATION
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
int eth 0
 ip add 192.168.1.1 24
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 172.16.64.1 30
 exit
 router routerid 192.168.1.1
 exit
router ospf
 area 0
 exit
 interface ethernet0
 area 0
 exit
 interface wan
 area 0
 exit 2
wr mem
SR CONFIGURATION
conf t
hostname REMOTE
 module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.2.1 24
 exit
 interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 exit
router routerid 192.168.2.1
 exit
router ospf
 area 0
 exit
 interface ethernet0
 area 0
 exit
 interface wan
 area 0
 exit 2
wr mem
Cisco to SR Frame Relay OSPF
Cisco to SR with FR on single T1 on the WAN L3 OSPF routing
[Diagram: host 192.168.2.100/24 - Cisco 7513 (192.168.2.1/24) - Frame Relay link 192.168.1.0/30 (.1, .2) - SR 1004 - host 192.168.0.7/24]
SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.1 24
 exit
module t1 1
 clock_source internal
 exit
interface bundle wan
 link t1 1
 encapsulation frelay
 fr
 intf_type dce
 frame_size 1500
 lmi ansi
 exit
 pvc 100
 ip address 192.168.1.1 30
 exit 3
router routerid 192.168.0.1
router ospf
 area 0
 exit
interface ethernet0
 area 0
 network broadcast
 exit
interface wan dlci 100
 area 0
 network point_to_point
 exit
wr mem
CISCO CONFIGURATION
conf t
hostname Hub
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 192.168.1.2 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
 frame-relay interface-dlci 100
 frame-relay intf-type dte
 ip ospf network point-to-point
 mtu 1500
 exit
router ospf 1
 router-id 192.168.2.1
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.3 area 0
 exit
copy run start
SR T1 PPP BGP with Loopback
WAN L3 using BGP on the WAN interfaces and Loopback ID
[Diagram: Router A and Router B. AS 100 side: Loopback 100.1.1.1/24, WAN 10.1.1.1/24. AS 200 side: Loopback 200.1.1.1/24, WAN 10.1.1.2/24]
HUB SIDE
inter ether 0
 ip address 192.168.1.1 24
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 10.1.1.1 24
 exit bundle
interface loopback 0
 ip address 100.1.1.1 32
 exit
 ip route 0.0.0.0 0 10.1.1.2
 exit
 router routerid 100.1.1.1
router bgp 100
 redistribute connected
 neighbor 200.1.1.1 200
 ebgp_multihop
 update source 100.1.1.1
 exit 2
REMOTE SIDE
inter ether 0
 ip address 192.168.2.1 24
 exit
interface bundle t1
 link t1 1
 encapsulation ppp
 ip address 10.1.1.2 24
 exit
 interface loopback 0
 ip address 200.1.1.1 32
 exit
 ip route 0.0.0.0 0 10.1.1.1
 exit
router routerid 200.1.1.1
router bgp 200
 redistribute connected
 neighbor 100.1.1.1 100
 ebgp_multihop
 update source 200.1.1.1
 exit 2
Two SR Dualhomed to 1 ISP BGP
SR Load Sharing when Dualhomed to One ISP through Multiple Local Routers using BGP
[Diagram: ISP (AS 99) connects over 100.1.1.0/30 (.1 ISP, .2 R1) and 200.1.1.0/30 (.1 ISP, .2 R2) to R1 and R2 in AS 100, which share LANs 10.1.1.0 & 20.1.1.0]
SR CONFIGURATION - R1
hostname R1
 module t1 1
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 100.1.1.2 30
exit bundle
ip
 exit ip
router routerid 100.1.1.2
router bgp 100
 distance 170
 redistribute connected
 group R1 external
 route_map Peer out
 exit group
 neighbor 100.1.1.1 99
 neighbor_group R1
 exit neighbor
 neighbor 10.1.1.2 100
 exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 10.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 20.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
 exit match
exit
policy route_map Peer 200 permit
 match ip ip_address 2
 exit match
 set as_path prepend 100 100 100
 exit set
 exit route_map
exit
SR CONFIGURATION - R2
hostname R2
module t1 1
 exit t1
interface ethernet 0
 ip address 10.1.1.2 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.2 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 200.1.1.2 30
exit bundle
ip
 exit ip
router routerid 200.1.1.2
router bgp 100
 distance 170
 redistribute connected
 group R2 external
 route_map Peer out
 exit group
 neighbor 200.1.1.1 99
 neighbor_group R2
 exit neighbor
 neighbor 10.1.1.1 100
 exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 20.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 10.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
 exit match
exit
policy route_map Peer 200 permit
 match ip ip_address 2
 exit match
 set as_path prepend 100 100 100
 exit set
 exit route_map
exit
SR CONFIGURATION - Hub
hostname Hub
 interface bundle wan1
 link t1 1
 encapsulation ppp
 ip address 100.1.1.1 30
 exit bundle
interface bundle wan2
 link t1 2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit bundle
interface loopback LB0
 ip address 99.1.1.1 32
 exit loopback
router routerid 99.1.1.1
router bgp 99
 distance 170
 redistribute connected
 neighbor 100.1.1.2 100
 exit neighbor
 neighbor 200.1.1.2 100
 exit neighbor
 exit bgp
Two SR Dualhomed to 2 ISP BGP
SR Load Sharing when Dualhomed to two ISP Using Multiple Local Routers using BGP
[Diagram: R1 and R2 in AS 100 (LANs 10.1.1.0 and 20.1.1.0). R1 (.2) on 100.1.1.0/30 peers with AS 99; R2 (.2) on 200.1.1.0/30 peers with AS 98. The two providers are labelled ISP A and ISP B]
SR CONFIGURATION - R1
hostname R1
 module t1 1-2
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.1 24
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 100.1.1.2 30
exit bundle
ip
 exit ip
router routerid 100.1.1.2
router bgp 100
 redistribute connected
 group R1 external
 route_map Peer out
 exit group
 neighbor 100.1.1.1 99
 neighbor_group R1
 exit neighbor
 neighbor 10.1.1.2 100
 exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 10.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 20.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
 exit match
exit
policy route_map Peer 200 permit
 match ip ip_address 2
 exit match
 set as_path prepend 100 100 100
 exit set
 exit route_map
exit
SR CONFIGURATION - R2
hostname R2
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.2 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.2 24
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
exit bundle
ip
 exit ip
router routerid 200.1.1.2
router bgp 100
 redistribute connected
 group R2 external
 route_map Peer out
 exit group
 neighbor 200.1.1.1 98
 neighbor_group R2
 exit neighbor
 neighbor 10.1.1.1 100
 exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 20.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 10.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
 exit match
exit
policy route_map Peer 200 permit
 match ip ip_address 2
 exit match
 set as_path prepend 100 100 100
 exit set
 exit route_map
exit
One SR Dualhomed to 2 ISP BGP
SR Load Sharing when Multihomed to two ISP Using Single Local Routers with BGP
[Diagram: R1 (AS 20356, E0-65.165.135.254/29) connects over 157.130.235.112/30 (.114 R1, .113 ISP) to MCI (AS 701) and over 160.81.70.104/30 (.106 R1, .105 ISP) to Sprint (AS 1239). Other labels: Cisco 3640; E3/0-65.165.135.252/29; E0/0-65.165.135.1/26 -65.167.126.1/24; ATM 1/0-65.165.135.65/26; ATM 1/3-65.167.135.129/26; Cisco 2600; S0/1-65.165.134.0/24; S3/0; E0-65.171.120.0/24]
SR CONFIGURATION
hostname R1
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 65.165.135.254 29
 exit ethernet
interface bundle mercury
 link t1 1
 encapsulation frelay
 fr
 intf_type dte
 lmi
 ansi
 exit lmi
 pvc 500
 ip address 157.130.235.114 30
 map 157.130.235.113
 exit pvc
 exit fr
exit bundle
interface bundle sprint
 link t1 2
 encapsulation hdlc
 ip address 160.81.70.106 30
 exit bundle
hostname DesMoines_SR
ip
 pname_server 64.7.161.13
 name_server 64.7.161.12
 name_server 64.7.172.13
 route 0.0.0.0 0.0.0.0 157.130.235.113
 route 0.0.0.0 0.0.0.0 160.81.70.105
 route 65.165.135.0 255.255.255.192 65.165.135.252 1
 route 65.165.135.64 255.255.255.192 65.165.135.252 1
 route 65.165.135.128 255.255.255.192 65.165.135.252 1
 route 65.167.126.0 255.255.255.0 65.165.135.252 1
 route 65.171.120.0 255.255.255.0 65.165.135.252 1
 exit ip
SR CONFIGURATION (continued)
router bgp 20356
 redistribute connected
 redistribute static
 neighbor 157.130.235.113 701
 route_map UPDATES-1 in
 exit neighbor
 neighbor 160.81.70.105 1239
 route_map UPDATES-2 in
 exit 2
policy ip_access_list 1 1 action permit network 0.0.0.0 netmask 127.255.255.255
policy ip_access_list 2 1 action deny network 0.0.0.0 netmask 127.255.255.255
policy ip_access_list 2 2 action permit network 0.0.0.0 netmask 255.255.255.255
policy route_map UPDATES-1 10 permit
 match ip ip_address 1
 exit match
 set distance 100
 exit 2
policy route_map UPDATES-1 20 permit
 match ip ip_address 2
 exit 2
policy route_map UPDATES-2 10 permit
 match ip ip_address 1
 exit 2
policy route_map UPDATES-2 20 permit
 match ip ip_address 2
 exit match
 set distance 100
 exit 2
SR Multicast support with PIM SM
SR Using 3M NxT1 MLPPP WAN on OSPF with PIM SM

[Diagram: Laptop and Server; HUB side SR1002 and REMOTE side SR1002 joined by a T1 crossover (simulated T1 WAN) on 192.168.1.0 (.1 and .2). HUB LAN 10.1.1.1 with host 10.1.1.2/24, DG 10.1.1.1, local MC int 10.1.1.2, MC 224.1.1.1. REMOTE LAN 192.168.0.100 with host 192.168.0.3/24, DG 192.168.0.100, local MC int 192.168.0.3, MC 224.1.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.2 24
 exit
ip
 multicast
 exit
 pim
 interface wan
 exit
 interface ethernet0
 exit
 cbsr
 interface wan
 exit
 crp
 group-add 224.1.1.0 mask 255.0.0.0 interface wan
 exit 2
 igmp
 interface ethernet0
 query-interval 60
 exit 3
ip
router routerid 10.1.1.1
router ospf
 area 0
 exit
 interface wan
 area_id 0
 exit interface
 interface ethernet0
 area_id 0
 exit interface
 exit

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip
 multicast
 exit
 pim
 interface wan
 exit
 interface ethernet0
 exit
 cbsr
 interface wan
 exit
 crp
 group-add 224.1.1.0 mask 255.0.0.0 interface wan
 exit 2
 igmp
 interface ethernet0
 query-interval 60
 exit 3
ip
router routerid 192.168.0.100
router ospf
 area 0
 exit
 interface wan
 area_id 0
 exit interface
 interface ethernet0
 area_id 0
 exit interface
 exit
Remote/show/ip# igmp groups all
Interface  Group Address  Uptime  Expires  Last Reporter
---------  -------------  ------  -------  -------------
ethernet0  224.1.1.1      5:29    3:40     192.168.0.3

Remote/show/ip# mfc
(10.1.1.2, 224.1.1.1) RPF: wan Exp: 0
Outgoing Interface List:
 vif: 2 ethernet0 (ttl: 1)

Remote/show/ip# mroute
flags: R - RP-bit set   W - Wildcard   T - SPT-bit set   N - Neg cache
       I - wrong IIF    E - external   r - rejected      i - null IIF
       J - Joining SPT  L - local source
PIM SM routes:
(0.0.0.0/0, 224.1.1.1/32) age/exp: 00:12:18/00:02:42, flags: W (2)
 IIF: register (127.0.0.1, vif 0)
 RPF nbr: 127.0.0.1, pref: 0, metric: 1
 Outgoing interface list:
  ethernet0 (192.168.0.100, vif 2) protos: none, exp: never
(10.1.1.2/32, 224.1.1.1/32) age/exp: 00:11:49/00:02:42, flags: T (4)
 IIF: wan (192.168.1.2, vif 1)
 RPF nbr: 192.168.1.2, pref: 1, metric: 0
 Outgoing interface list:
  ethernet0 (192.168.0.100, vif 2) protos: none, exp: never

HUB/show/ip# mfc
(10.1.1.2, 224.1.1.1) RPF: ethernet0 Exp: 0
Outgoing Interface List:
 vif: 1 wan (ttl: 1)

HUB/show/ip# mroute
flags: R - RP-bit set   W - Wildcard   T - SPT-bit set   N - Neg cache
       I - wrong IIF    E - external   r - rejected      i - null IIF
       J - Joining SPT  L - local source
PIM SM routes:
(10.1.1.2/32, 224.1.1.1/32) age/exp: 00:28:58/00:02:21, flags: TL (40004)
 IIF: ethernet0 (10.1.1.1, vif 2)
 RPF nbr: 10.1.1.2, pref: 0, metric: 1
 register suppression timeout: 27
 Outgoing interface list:
  wan (192.168.1.1, vif 1) protos: none, exp: 2:53

Remote# sh ip igmp interface all
IGMP Interface ethernet0 information
interface: ethernet0 192.168.0.100/24, owner: PIM-SM
 Querier: 192.168.0.100 (this system)
 Version: 3
 Query Interval: 125 secs
 Query Response Interval: 10 secs
 Last member Query Interval: 1 secs
 Last member Query Count: 2
 Startup Query Interval: 31 secs
 Startup Query Count: 2
 Send Router Alert: Enabled
 Require Router Alert: Disabled
 Ignore V1 Messages: Disabled
 Ignore V2 Messages: Disabled
 Robustness: 2
 No of Joins on this interface: 2
 Group Addr/mask: 224.1.1.1/32
  Group age: 7:10
  Group Expiry Time: 3:22
  Address of last reporter: 192.168.0.3
Cisco to SR Multicast support
SR to Cisco using T1 PPP WAN, with PIM SM

[Diagram: Laptop and Server; HUB side Cisco and REMOTE side SR1002 joined by a T1 crossover (simulated T1 WAN) on 192.168.1.0 (.1 and .2). HUB LAN 10.1.1.1 with host 10.1.1.2/24, DG 10.1.1.1, local MC int 10.1.1.2, MC 224.1.1.1. REMOTE LAN 192.168.0.100 with host 192.168.0.3/24, DG 192.168.0.100, local MC int 192.168.0.3, MC 224.1.1.1]

HUB Side
conf t
hostname HUB
ip subnet-zero
ip multicast-routing
mta receive maximum-recipients 0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp explicit-tracking
 ip igmp version 3
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 ip pim sparse-mode
 encapsulation ppp
 ip igmp explicit-tracking
 ip igmp version 3
 no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip pim bidir-enable
ip pim bsr-candidate Serial0/0 0
ip pim rp-candidate Serial0/0 group-list 10
!
access-list 10 permit 224.0.0.0 0.255.255.255
snmp-server community public RO
call rsvp-sync
end

REMOTE Side
conf t
hostname REMOTE
module t1 1
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip
 multicast
 exit
 pim
 interface wan
 exit
 interface ethernet0
 exit
 cbsr
 interface wan
 exit
 crp
 group-add 224.1.1.0 mask 255.0.0.0 interface wan
 exit 2
 igmp
 interface ethernet0
 exit 3
ip
 route 0.0.0.0 0 192.168.1.1
 exit
Layer 3 Applications
Cisco to SR ML & IP based QoS
QoS configured on both WAN interfaces based on source IP

[Diagram: Cisco 7513 (LAN 192.168.2.1/24, host 192.168.2.100/24) connected by MLPPP over 192.168.1.0/24 (.1 and .2) to the SR 1004 (host 192.168.0.7/24)]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 qos
  add_class qostest root-out cr 10 br 10 priority 1
  class qostest
   add_src_ip 192.168.0.7
   exit class
  enable cbq outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem

CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
interface Multilink1
 ip address 192.168.1.2 255.255.255.0
 no cdp enable
 ppp multilink
 multilink-group 1
 service-policy output qostest
 exit
interface Serial 0/0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
interface Serial 0/0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
policy-map qostest
 class c1
  shape peak 10000
class-map match-all c1
 match access-group 101
access-list 102 permit ip any host 192.168.0.7
access-list 102 deny ip any any
SR Hierarchical QoS using DSCP
Root QoS allows all traffic, with 2 branch classes for VoIP or Default

[Diagram: SR 1004 (host 192.168.0.7/24) on a T1 line using PPP through the carrier CO to a channelized DS3 on the SR 3120 (host 192.168.2.10/24); WAN 192.168.1.0/30 (.1 and .2). A Mitel 5215 VoIP phone at each end marks packets with TOS = B0 (all 8 bits: 1011 0000 = B0); DSCP uses only the first 6 bits: 101100 = 44]

SR 1001 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.2 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_dscp 43-44
   exit class
  class NonVoIP
   add_dscp default
   exit class
  enable cbq outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR 6300 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module ct3 1
 t1 1-2 clock internal
 exit
interface bundle wan
 link ct3 1 1
 encapsulation ppp
 ip address 192.168.1.1 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_dscp 43-44
   exit class
  class NonVoIP
   add_dscp default
   exit class
  enable cbq outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem
SR Hierarchical QoS using 802.1p
Root QoS allows all traffic, with 2 branch classes for VoIP or Default

[Diagram: SR 1004 (host 192.168.0.7/24) on a T1 line using PPP through the carrier CO to a channelized DS3 on the SR 3120 (host 192.168.2.10/24); WAN 192.168.1.0/30 (.1 and .2). A Mitel 5215 VoIP phone at each end marks packets with 802.1p = 1]

SR 1001 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.2 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_dst_ip default
   exit class
  class VoIP
   add_dot1p 1
   exit class
  class NonVoIP
   add_dot1p default
   exit class
  enable cbq outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR 6300 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module ct3 1
 t1 1-2 clock internal
 exit
interface bundle wan
 link ct3 1 1
 encapsulation ppp
 ip address 192.168.1.1 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_dst_ip default
   exit class
  class VoIP
   add_dot1p 1
   exit class
  class NonVoIP
   add_dot1p default
   exit class
  enable cbq outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem
SR Hierarchical QoS using ports
Root QoS allows all traffic, with 2 branch classes for VoIP or Default

[Diagram: SR 1004 (host 192.168.0.7/24) on a T1 line using PPP through the carrier CO to a channelized DS3 on the SR 3120 (host 192.168.2.10/24); WAN 192.168.1.0/30 (.1 and .2). A Mitel 5215 VoIP phone at each end uses packets with port 2205-3301]

SR 1001 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.2 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_port 2205-3301
   exit class
  class NonVoIP
   add_port default
   exit class
  enable cbq outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR 6300 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module ct3 1
 t1 1-2 clock internal
 exit
interface bundle wan
 link ct3 1 1
 encapsulation ppp
 ip address 192.168.1.1 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_port 2205-3301
   exit class
  class NonVoIP
   add_port default
   exit class
  enable cbq outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem
SR QoS used to monitor the WAN
QoS can be enabled to only monitor the classes and not enforce the rates

[Diagram: SR 3120 and SR 1004 connected by MLPPP]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.2 24
 qos
  add_class bwmon root-out cr 3072 br 3072 priority 1
  class bwmon
   add_src_ip default
   exit class
  enable mon outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 qos
  add_class bwmon root-out cr 3072 br 3072 priority 1
  class bwmon
   add_src_ip default
   exit class
  enable mon outbound
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem
SR QoS used for monitoring
SR QoS for 3 T1 WAN (4608M) using CBQ, start with monitoring

[Diagram: LAN behind the SR; 3 T1 MLPPP pipe to Verizon]

Class tree:
Class    Match     CR    BR    Priority
WAN      SIP=ANY   4608  4608
SNTP     Port=123  500   1K    3
SMTP     Port=25   1K    1.5K  2
WEB      Port=80   1K    2K    4
IPSEC    Port=500  608   1K    6
DNS      Port=53   500   1K    1
Default  Port=ANY  1K    4608  7

module t1 1-3
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 1
 exit ethernet
interface bundle wan
 link t1 1-3
 encapsulation ppp
 ip address 200.1.1.1 30
 qos
  add_class WAN root-out cr 4608 br 4608
  add_class SNTP WAN cr 500 br 1000 priority 3
  add_class SMTP WAN cr 1000 br 1500 priority 2
  add_class WEB WAN cr 1000 br 2000 priority 4
  add_class IPSEC WAN cr 608 br 1000 priority 6
  add_class DNS WAN cr 500 br 1000 priority 1
  add_class Default WAN cr 1000 br 4608 priority 7
  class WAN
   add_src_ip default
   exit class
  class SNTP
   add_port 123
   exit class
  class SMTP
   add_port 25
   exit class
  class WEB
   add_port 80
   exit class
  class IPSEC
   add_port 500
   exit class
  class DNS
   add_port 53
   exit class
  class Default
   add_port default
   exit class
  enable mon outbound
  exit qos
 nat enable dynamic
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2 30
 exit ip
wr mem
SR QoS using CBQ
SR QoS for 3 T1 WAN (4608M) using CBQ, then enable CBQ

[Diagram: class tree for bundle wan with the classes, ports, rates and priorities configured below]

module t1 1-3
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 1
 exit ethernet
interface bundle wan
 link t1 1-3
 encapsulation ppp
 ip address 200.1.1.1 30
 qos
  add_class WAN root-out cr 4608 br 4608
  add_class SNTP WAN cr 500 br 1000 priority 3
  add_class SMTP WAN cr 1000 br 1500 priority 2
  add_class WEB WAN cr 1000 br 2000 priority 4
  add_class IPSEC WAN cr 608 br 1000 priority 6
  add_class DNS WAN cr 500 br 1000 priority 1
  add_class Default WAN cr 1000 br 4608 priority 7
  class WAN
   add_src_ip default
   exit class
  class SNTP
   add_port 123
   exit class
  class SMTP
   add_port 25
   exit class
  class WEB
   add_port 80
   exit class
  class IPSEC
   add_port 500
   exit class
  class DNS
   add_port 53
   exit class
  class Default
   add_port default
   exit class
  enable cbq outbound
  exit qos
 nat enable dynamic
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2 30
 exit ip
wr mem

SR1004# sh qos bundle wan
Interface: Bundle wan (Bandwidth = 4608Kbps)

Interface Outbound Configuration & Statistics
---------------------------------------------
CBQ: on  Policing: off  MON: off

Traffic Class  CBQ-CR  CBQ-BR  Police  Avg Out  Avg In  Packets  Packets
               (kbps)  (kbps)  (kbps)  (kbps)   (kbps)  Fwded    Dropped
-------------  ------  ------  ------  -------  ------  -------  -------
WAN            4608    4608    -       0        0       0        0
 Default       1000    4608    -       0        0       0        0
 DNS           500     1000    -       0        0       0        0
 IPSEC         608     1000    -       0        0       0        0
 WEB           1000    2000    -       0        0       0        0
 SMTP          1000    1500    -       0        0       0        0
 SNTP          500     1000    -       0        0       0        0
SR VRRP
SR VRRP allows tracking of the WAN interfaces and switches over if one is down

[Diagram: four SR1002 routers. HUB LAN 192.168.1.0 with routers at .1 and .2, VRRP address .254, Server 192.168.1.15/24 with DG 192.168.1.254. REMOTE LAN 192.168.2.0 with routers at .1 and .2, VRRP address .254, Laptop 192.168.2.13/24 with DG 192.168.2.254. Each HUB router connects to a REMOTE router over a T1 crossover (simulated T1 WAN)]

HUB Side
conf t
hostname HUB1
module t1 1
 clock_source internal
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.1 30
 exit
int ethernet 0
 ip address 192.168.1.1 24
 vrrp_mode 0
 vrrp 10
  authentication SR
  ipaddr 192.168.1.254
  preempt
  priority 95
  track wan 10
  enable
  exit 2
router routerid 192.168.1.1
 exit
router ospf
 area 0
 exit
 inter ethernet0 area 0
 exit
 inter wan area 0
 exit 2
wr mem

HUB Side
conf t
hostname HUB2
module t1 1
 clock_source internal
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.5 30
 exit
int ethernet 0
 ip address 192.168.1.2 24
 vrrp_mode 0
 vrrp 10
  authentication SR
  ipaddr 192.168.1.254
  preempt
  priority 100
  track wan 10
  enable
  exit 2
router routerid 192.168.1.2
 exit
router ospf
 area 0
 exit
 inter ethernet0 area 0
 exit
 inter wan area 0
 exit 2
wr mem

REMOTE Side
conf t
hostname REMOTE1
module t1 1
 clock_source line
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.2 30
 exit
int ethernet 0
 ip address 192.168.2.1 24
 vrrp_mode 0
 vrrp 20
  authentication SR
  ipaddr 192.168.2.254
  preempt
  priority 100
  track wan 10
  enable
  exit 2
router routerid 192.168.2.1
 exit
router ospf
 area 0
 exit
 inter ethernet0 area 0
 exit
 inter wan area 0
 exit 2
wr mem

REMOTE Side
conf t
hostname REMOTE2
module t1 1
 clock_source line
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.6 30
 exit
int ethernet 0
 ip address 192.168.2.2 24
 vrrp_mode 0
 vrrp 20
  authentication SR
  ipaddr 192.168.2.254
  preempt
  priority 95
  track wan 10
  enable
  exit 2
router routerid 192.168.2.2
 exit
router ospf
 area 0
 exit
 inter ethernet0 area 0
 exit
 inter wan area 0
 exit 2
wr mem
SR using PAT on WAN interface
Public IPs pass through and private IPs are dynamic PAT to the WAN IP

[Diagram: SR 1002 Remote1 with E0 192.168.1.1/24, E1 206.127.31.225/28 and WAN 206.127.11.102 30. One laptop with static IP 206.127.31.226, mask 255.255.255.240, DG 206.127.31.225; one laptop with dynamic IP 192.168.1.2, mask 255.255.255.0, DG 192.168.1.1]

SR CONFIGURATION
conf t
hostname Remote1
module t1 1
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit
interface ethernet 1
 ip address 206.127.31.225 28
 exit
interface bundle wan
 link t1 1
 encapsulation hdlc
 ip address 206.127.11.102 30
 nat
  enable dynamic
  exit 2
ip route 0.0.0.0 0.0.0.0 206.127.11.101
 dhcps
  pool 192
   domain test.com
   dnsserver 200.20.20.2
   network 192.168.1.1 255.255.255.0
   default_router 192.168.1.1
   commit
   exit pool
  interface ethernet0
   enable
   exit dhcps
 exit
wr mem
SR using PAT on WAN interface
Private IPs are dynamic PAT to the WAN IP

[Diagram: Customer CPE (IP address by DHCP, 192.168.1.2 24) behind the SR 1004 on the remote side; WAN over a channelized DS3 to the SR 3120 on the hub side; Core Router with int fast 0/0, ip address 10.2.2.1/24, ip route 10.1.1.0 30 10.2.2.2]

SR 1004
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 nat
  enable dynamic
  exit 2
ip route 0.0.0.0 0.0.0.0 200.1.1.1
 dhcps
  pool LAN
   domain test.com
   dnsserver 206.13.31.12
   network 192.168.1.0 24
   default_router 192.168.1.1
   commit
   exit pool
  interface ethernet0
   enable
   exit 3
wr mem

SR 6302
conf t
hostname HUB
module ct3 1
 t1 1-2 clock internal
 exit
interface ethernet 0
 ip add 10.2.2.2 24
 exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
wr mem
SR using NAT on WAN interface
Private IP using 1 to 1 static NAT

[Diagram: two 1004 routers joined by two T1 lines (MLPPP) over a T1 crossover (simulated T1 WAN); host IP 192.168.1.2/24 with D.G. 192.168.1.1; host IP 10.1.1.2/24 with D.G. 10.1.1.1]

SR CONFIGURATION
conf t
hostname BOT
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 nat
  enable static
  address 10.1.1.2 172.16.64.3
  exit 2
ip route 0.0.0.0 0.0.0.0 172.16.64.1
exit
wr mem

SR CONFIGURATION
conf t
hostname TOP
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 192.168.0.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.1 24
 exit
ip route 0.0.0.0 0.0.0.0 172.16.64.2
exit
wr mem
SR using NAT on Ether interface
Static NAT on the Ethernet requires proxy arp and a static route

[Diagram: Laptop and Server; HUB side SR1002 and REMOTE side SR1002 joined across 200.1.1.0 (.1 and .2), labelled WAN. HUB LAN 10.1.1.1 with host 10.1.1.2/24, DG 10.1.1.1. REMOTE LAN 192.168.1.1 with host 192.168.1.2/24, DG 192.168.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface ethernet 1
 ip address 200.1.1.1 24
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface ethernet1
 ip address 200.1.1.2 24
 ip proxy_arp
 nat
  address 192.168.1.2 200.1.1.3
  trans_addr 200.1.1.2
  enable static
  enable dynamic
  exit nat
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.1
 route 200.1.1.3 32 ethernet0
 exit ip
wr mem
SR using Global NAT under IP
1 IP is configured for Static NAT & Dynamic PAT is enabled for other IPs

[Diagram: Laptop and Server; HUB side SR1002 and REMOTE side SR1002 joined by the WAN on 200.1.1.0 (.1 and .2). HUB LAN 10.1.1.1 with host 10.1.1.2/24, DG 10.1.1.1. REMOTE LAN 192.168.1.1 with host 192.168.1.2/24, DG 192.168.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 24
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 200.1.1.2 24
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.1
 nat
  address 192.168.1.2 200.1.1.3 interface wan
  trans_addr 200.1.1.2
  enable static
  enable dynamic
  exit nat
 exit ip
wr mem
SR DHCP Server
One DHCP scope is configured for Ethernet 0

[Diagram: Customer CPE (IP address by DHCP, 192.168.1.2 24) behind the SR 1004 on the remote side; WAN over a channelized DS3 to the SR 3120 on the hub side]

SR 1004
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 nat
  enable dynamic
  exit 2
ip route 0.0.0.0 0.0.0.0 200.1.1.1
 dhcps
  pool LAN
   domain test.com
   dnsserver 206.13.31.12
   network 192.168.1.0 24
   default_router 192.168.1.1
   commit
   exit pool
  interface ethernet0
   enable
   exit dhcps
 exit 2
wr mem

SR 6302
conf t
hostname HUB
module ct3 1
 t1 1-2 clock internal
 exit
interface ethernet 0
 ip add 10.2.2.2 24
 exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
wr mem
SR Sub-interfaces using 802.1Q
Ethernet 0 is configured using 802.1Q with Sub-interfaces and QoS

[Diagram: VLAN switch (Foundry Networks ServerIronXL) carrying VLAN 10, VLAN 20 and VLAN 30 over an 802.1Q trunk to the SR; WAN]

SR CONFIGURATION
conf t
hostname Remote1
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 description "test10"
 encapsulation dot1q 10
 ip address 216.138.115.193 29
 speed 100
 full_duplex
 exit ethernet
interface ethernet 0.1
 description "test20"
 encapsulation dot1q 20
 ip address 216.138.115.201 29
 exit ethernet
interface ethernet 0.2
 description "test30"
 encapsulation dot1q 30
 ip address 216.138.115.209 29
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 qos
  add_class test10 root-out cr 500 br 3000 priority 1
  class test10
   add_src_ip 216.138.115.192 29
   exit class
  add_class test20 root-out cr 500 br 3000 priority 2
  class test20
   add_src_ip 216.138.115.200 29
   exit class
  add_class test30 root-out cr 500 br 3000 priority 3
  class test30
   add_src_ip 216.138.115.208 29
   exit class
  enable cbq outbound
  exit 2
ip route 0.0.0.0 0.0.0.0 172.16.64.1
exit
wr mem
SR using IP unnumbered on WAN
Public IP on LAN and IP Unnumbered on the WAN interface

[Diagram: Customer CPE (IP address 201.1.2 24) behind the SR 1004 on the remote side; WAN over a channelized DS3 to the SR 3120 on the hub side]

SR 1004
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 201.1.1.2 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address unnumbered ethernet0
 exit
ip route 0.0.0.0 0.0.0.0 wan
wr mem

SR 6302
conf t
hostname HUB
module ct3 1
 t1 1-2 clock internal
 exit
interface ethernet 0
 ip add 10.2.2.2 24
 exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 ip address 200.1.1.1 24
 exit
wr mem
SR TDM Voice using ADM
Single T1 PPP using ADM for PRI Voice and Data

[Diagram: Laptop on an Ethernet switch and a PBX/KSU on a digital PRI trunk connect to the SR 1002; voice and data use a single T1 (1.5M pipe) to the WAN]

SR CONFIGURATION
conf t
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.1 24
 exit ethernet
interface drop_insert voice    (create the ADM interface)
 link t1 1 2 timeslots 1-7,24 signaling 2    (set PBX to port 1, network port to 2, DS0 1-7 + 24, and use ISDN signaling)
 mode 2 1    (set the network port to 2, set mode type to 1: voice & data)
 clock_source 2 btclk    (sets the clock on T1 #1 to take its clock from the backplane of T1 #2)
 exit drop_insert
interface bundle wan
 link t1 2:8-23
 encapsulation ppp
 ip address 200.1.1.2 30
 exit bundle
hostname remote1
ip
 route 0.0.0.0 0.0.0.0 200.1.1.1
 exit ip
wr mem
SR TDM Voice using ADM
Single F/T1 using ADM for T1 CAS Voice and 2T1 + 16DS0 MLPPP Data

[Diagram: Laptop on an Ethernet switch and a PBX/KSU on a digital T1/PRI trunk connect to the SR 1004; voice and data use 3 T1 (4.5M pipe) to the WAN]

SR CONFIGURATION
conf t
module t1 1-4
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.1 24
 exit ethernet
interface drop_insert voice    (create the ADM interface)
 link t1 1 2 timeslots 1-7 signaling 1    (set PBX to port 1, network port to 2, DS0 1-7, and use RBS signaling)
 mode 2 1    (set the network port to 2, set mode type to 1: voice & data)
 clock_source 2 line    (sets the clock on T1 #1 to take its clock from T1 #2)
 exit drop_insert
interface bundle wan
 link t1 2:8-23
 link t1 3-4
 encapsulation ppp
 ip address 200.1.1.2 30
 exit bundle
hostname remote1
ip
 route 0.0.0.0 0.0.0.0 200.1.1.1
 exit ip
wr mem
SR SSH support
Using SSH for secure Telnet connection to SR

[Diagram: SR E0 IP address 192.168.0.100/24; PC IP address 192.168.0.2/24; SSH software: F-Secure SSH Client Ver 5.2]

Step 1: Generate the KEY (DSA or RSA)
SR/configure# ssh_keygen
SR/configure/ssh_keygen# generate dsa
Generating public/private dsa (1024) key pair.
passphrase comment wind@R4
Your identification has been saved in /flash1/shdsakey.
Your public key has been saved in /flash1/shdsakey.pub.
The key fingerprint is:
c0:2c:3c:7f:a2:55:d1:f8:fc:ae:92:f0:6e:11:c1:0c wind@R4

Step 2: Enable the server
SR/configure# ssh_server
SR/configure/ssh_server# enable
SR/configure/ssh_server# logevents on    (to log ssh events)
SR/configure# events online    (view ssh events from console)
SR/debug/ip# ssh trace    (view connection process)

Step 3: Now check configuration
SR/show/ip/ssh config

Using SSH Client
Host: 192.168.0.100
Port 22
SSH V2
Now connect to the host. You should get a prompt to accept the KEY. Once accepted you should get a login prompt. Login with your normal login and password: SR, SRnet

SR/configure/ssh_keygen# digest shdsakey.pub
1024 99:09:b6:0c:a8:61:c6:d1:e9:75:dd:89:34:c9:cb:ec /flash1/shdsakey.pub

SR# show ip ssh config
Secure Shell Server - ENABLED
Protocol Version 2.0
Listening on port 22
Public Host key file : shdsakey
Supported Algorithms
Kex : diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Encryption : 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc
MAC : hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
Compression : none,zlib

SR# show ip ssh sessions
Session  Client IP Address  Client Port  User  State
1        192.168.0.2        1401         SR    Established

SR# show ip ssh session 1
Server Version String : SSH-2.0-SR-1.0
Client Version String : SSH-1.99-3.1.0 F-SECURE SSH for Windows
Host Key Algorithm : ssh-dss
Key Exchange : diffie-hellman-group1-sha1
Authentication : password
Encryption (client -> server) : 3des-cbc
MAC Algorithm (client -> server) : hmac-sha1
Compression (client -> server) : none
Encryption (server -> client) : 3des-cbc
MAC Algorithm (server -> client) : hmac-sha1
Compression (server -> client) : none
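The `show ip ssh config` and `show ip ssh session 1` output above lists every algorithm the server offers and the ones one session negotiated. The following added example (not part of the original slides or the router software) parses that output and grades it; the function names and the weak/legacy policy table are assumptions made for this illustration.

```python
import re

# Constructed samples: the page's `show ip ssh config` and `show ip ssh session 1`
# output with the line breaks restored.
SAMPLE_CONFIG = """\
Secure Shell Server - ENABLED
Protocol Version 2.0
Listening on port 22
Public Host key file : shdsakey
Supported Algorithms
Kex : diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Encryption : 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc
MAC : hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
Compression : none,zlib
"""
SAMPLE_SESSION = """\
Host Key Algorithm : ssh-dss
Key Exchange : diffie-hellman-group1-sha1
Authentication : password
Encryption (client -> server) : 3des-cbc
MAC Algorithm (client -> server) : hmac-sha1
Encryption (server -> client) : 3des-cbc
MAC Algorithm (server -> client) : hmac-sha1
"""

# Review policy for this example (an assumption, not vendor guidance):
# "weak" = should not be negotiated, "legacy" = acceptable only as a fallback.
FLAGGED = {
    "kex": {
        "diffie-hellman-group1-sha1": ("weak", "fixed 1024-bit group with SHA-1"),
        "diffie-hellman-group-exchange-sha1": ("legacy", "SHA-1 exchange hash"),
    },
    "hostkey": {"ssh-dss": ("weak", "1024-bit DSA signature with SHA-1")},
    "cipher": {
        "3des-cbc": ("weak", "64-bit block cipher in CBC mode"),
        "blowfish-cbc": ("weak", "64-bit block cipher in CBC mode"),
        "aes128-cbc": ("legacy", "CBC mode"),
        "aes192-cbc": ("legacy", "CBC mode"),
        "aes256-cbc": ("legacy", "CBC mode"),
    },
    "mac": {
        "hmac-md5": ("weak", "MD5-based MAC"),
        "hmac-md5-96": ("weak", "MD5-based MAC truncated to 96 bits"),
        "hmac-sha1": ("legacy", "SHA-1-based MAC"),
        "hmac-sha1-96": ("legacy", "SHA-1-based MAC truncated to 96 bits"),
    },
}
RANK = {"weak": 2, "legacy": 1}

# Field labels used in the router output, mapped onto the categories above.
FIELD_TO_CATEGORY = [
    (re.compile(r"^(kex|key exchange)$", re.I), "kex"),
    (re.compile(r"^host key algorithm$", re.I), "hostkey"),
    (re.compile(r"^encryption\b", re.I), "cipher"),
    (re.compile(r"^mac\b", re.I), "mac"),
]


def parse_fields(text):
    """Yield (category, [algorithms]) for every recognised 'label : value' line."""
    for line in text.splitlines():
        label, sep, value = line.partition(" : ")
        if not sep:
            continue
        for pattern, category in FIELD_TO_CATEGORY:
            if pattern.search(label.strip()):
                yield category, [a.strip() for a in value.split(",") if a.strip()]
                break


def offered(text):
    """Algorithms per category, de-duplicated, in the order the device lists them."""
    result = {}
    for category, algorithms in parse_fields(text):
        for name in algorithms:
            if name not in result.setdefault(category, []):
                result[category].append(name)
    return result


def audit(text):
    """Return (category, algorithm, severity, reason) for every flagged algorithm."""
    return [
        (category, name) + FLAGGED[category][name]
        for category, names in offered(text).items()
        for name in names
        if name in FLAGGED[category]
    ]


def least_bad(text):
    """Per category, the offered algorithms with the lowest severity.

    Useful when a client has to be pinned to the best option a legacy device has.
    """
    picks = {}
    for category, names in offered(text).items():
        scores = {n: RANK.get(FLAGGED[category].get(n, ("", ""))[0], 0) for n in names}
        best = min(scores.values())
        picks[category] = [n for n in names if scores[n] == best]
    return picks


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print("negotiated:", *finding)
    print("pin clients to:", least_bad(SAMPLE_CONFIG))
```

Run against the session output, the audit shows that the F-Secure client negotiated the weakest option in three of four categories even though the server also offered AES.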
Cisco to SR PPP PAP send name
Cisco using PAP auth to SR using PAP send name and password

[Diagram: Cisco 7513 (host 192.168.2.2/24) connected over a single T1 PPP link to the SR 1004 (host 192.168.1.2/24)]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 100.1.1.2 30
 pppconfig pap
  sent-username test SR
  exit pap
 exit bundle
hostname SR-1001
ip
 route 0.0.0.0 0.0.0.0 100.1.1.1
 exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
end
Cisco to SR PPP PAP authentication
Cisco to SR over PPP WAN using PAP to authenticate both ends

[Diagram: Cisco 7513 (host 192.168.2.2/24) connected over a single T1 PPP link to the SR 1004 (host 192.168.1.2/24)]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 100.1.1.2 30
 pppconfig pap
  sent-username test SR
  peer-name root SR
  exit pap
 pppconfig authentication pap
 exit bundle
hostname SR-1001
ip
 route 0.0.0.0 0.0.0.0 100.1.1.1
 exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication pap
 ppp pap sent-username root password SR
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
Cisco to SR PPP CHAP send name
SR PPP WAN using CHAP to send name and password to the Cisco

[Diagram: Cisco 7513 (host 192.168.2.2/24) connected over a single T1 PPP link to the SR 1004 (host 192.168.1.2/24)]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 100.1.1.2 30
 pppconfig chap
  sent-username test SR
  peer-name cisco SR
  exit chap
 exit bundle
hostname SR-1001
ip
 route 0.0.0.0 0.0.0.0 100.1.1.1
 exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication chap
 ppp chap hostname cisco
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
SR to Cisco PPP CHAP send name
PPP WAN using CHAP on Cisco to send name & password to the SR

[Diagram: Cisco 7513 (host 192.168.2.2/24) connected over a single T1 PPP link to the SR 1004 (host 192.168.1.2/24)]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 100.1.1.2 30
 pppconfig chap
  sent-username test SR
  peer-name cisco SR
  exit chap
 pppconfig authentication chap
 exit bundle
hostname SR-1001
ip
 route 0.0.0.0 0.0.0.0 100.1.1.1
 exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp chap hostname cisco
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
Cisco to SR PPP CHAP auth
Cisco to SR over PPP WAN using CHAP to authenticate both sides

[Diagram: Cisco 7513 (host 192.168.2.2/24) connected over a single T1 PPP link to the SR 1004 (host 192.168.1.2/24)]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 100.1.1.2 30
 pppconfig chap
  sent-username test SR
  peer-name cisco SR
  exit chap
 pppconfig authentication chap
 exit bundle
hostname SR-1001
ip
 route 0.0.0.0 0.0.0.0 100.1.1.1
 exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication chap
 ppp chap hostname cisco
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
SR ACL
ACL test using both interfaces and direction to apply the rule

Step 1. Build the ACL
R1/configure > ip access-list test
R1/configure/ip/access-list test > add deny icmp any 192.168.0.2/32 log on
R1/configure/ip/access-list test > add permit ip any any
R1/configure/ip/access-list test > exit

Step 2. Review the ACL
R1# show ip access-list test
Filter Rule List : test
1. deny icmp any 192.168.0.2/32 log on
2. permit ip any any

[Diagram: laptop client 10.1.1.10/24 and server 192.168.0.2 connected through two SR 1004 routers (R3, R4) over a T1 crossover simulating a carrier CO T1 WAN. One router: E0 10.1.1.1/24, WAN 11.1.1.2/24, IP route 0/0 11.1.1.1. Other router: E0 192.168.0.100/24, WAN 11.1.1.1/24, IP route 0/0 11.1.1.2.]

Step 3. Apply the filter to interface and direction
R1/configure/ip# access-group ?
SYNTAX
 access-group interface listname pktdir <cr>
DESCRIPTION
 interface -- interface name - ethernet0, ethernet1 or bundle_name ( enter a word )
 listname -- filter rule list name ( enter a word )
 pktdir -- for inbound/outbound packets
  The parameter may have any of the following values:
  in -- On Inbound packets
  out -- On Outbound packets

R1/configure/ip# access-group wan test in (ping to 192.168.0.2 stopped)
R1/configure/ip# no access-group wan test in (started again)
R1/configure/ip# access-group ethernet0 test out (ping to 192.168.0.2 stopped)
R1/configure/ip# no access-group ethernet0 test out (started again)
SR ACL for SSH
ACL test example to restrict SSH to only one subnet

R2-SR configuration
conf t
hostname R2
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 10.1.1.2 255.255.255.252
 exit bundle
ssh_server
 enable
 exit ssh_server
ip
 route 0.0.0.0 0.0.0.0 10.1.1.1 1
 access-list SSH
  add permit tcp 192.168.0.0/24 10.1.1.2/32 dport =22
  add deny tcp any 10.1.1.2/32 dport =22
  add permit ip any any
  exit access-list
 access-group wan SSH in
 exit ip

[Diagram: laptop SSH client (PuTTY, SSH version 2) at 192.168.0.102/24 behind R1-SR 1004 (E0 192.168.0.10/24, WAN 10.1.1.1/30, IP route 0/0 10.1.1.2), connected over a T1 crossover simulating a carrier CO T1 WAN to R2-SR 1004 (WAN 10.1.1.2/30, IP route 0/0 10.1.1.1, SSH server enabled).]

The R2 SR had the SSH key generated. The SSH server has been enabled on R2. Access to TCP port 22 is restricted to the one subnet that the SSH clients are on by applying an ACL inbound on the WAN interface.
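
Both rule lists above depend on rule order: the numbered listing and the ping test show the deny rule being hit before the closing permit. The following Python sketch is an added example, not SR code and not part of the original slides; it parses `add ...` lines in the form shown, evaluates constructed test packets, and reports rules that an earlier rule makes unreachable. The deny returned when no rule matches is an assumption, as are all function names.

```python
"""First-match evaluation of SR-style filter rule lists (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]      # None stands for "any"


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: Net
    dst: Net
    dport: Optional[int]    # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(token: str) -> Net:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'add <permit|deny> <proto> <src> <dst> [dport =N] [log on]'."""
    toks = line.split()
    if len(toks) < 5 or toks[0] != "add" or toks[1] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule line: {line!r}")
    dport, opts = None, toks[5:]
    while opts:
        key, value, opts = opts[0], opts[1:2], opts[2:]
        if key == "dport" and value:
            dport = int(value[0].lstrip("="))
        elif key == "log" and value:
            pass                      # logging does not change the verdict
        else:
            raise ValueError(f"unsupported option {key!r} in {line!r}")
    return Rule(toks[1], toks[2], _net(toks[3]), _net(toks[4]), dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based rule number); the default verdict is assumed."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None


def _covers(outer: Net, inner: Net) -> bool:
    return outer is None or (inner is not None and inner.subnet_of(outer))


def shadowed(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never match because an earlier rule covers them."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                hidden.append(j + 1)
                break
    return hidden


# Rule lines copied from the two ACLs on this page.
TEST_ACL = [parse_rule(l) for l in (
    "add deny icmp any 192.168.0.2/32 log on",
    "add permit ip any any")]
SSH_ACL = [parse_rule(l) for l in (
    "add permit tcp 192.168.0.0/24 10.1.1.2/32 dport =22",
    "add deny tcp any 10.1.1.2/32 dport =22",
    "add permit ip any any")]
# Constructed variant: same rules with the catch-all permit moved to the top.
MISORDERED = [SSH_ACL[2], SSH_ACL[0], SSH_ACL[1]]

if __name__ == "__main__":
    outside = Packet("tcp", "172.16.5.5", "10.1.1.2", 22)   # constructed address
    print("page order :", evaluate(SSH_ACL, outside), "shadowed:", shadowed(SSH_ACL))
    print("misordered :", evaluate(MISORDERED, outside), "shadowed:", shadowed(MISORDERED))
```

The SSH list only constrains TCP port 22 toward 10.1.1.2; any other traffic arriving on the WAN interface still falls through to the final `permit ip any any`.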
SR Radius support
Test Radius authentication using FreeRadius Server to user levels

[Diagram: Radius Server 192.168.0.104; Radius Client (SR 1004) 192.168.0.10]

SR 1004 configuration
conf t
aaa
 authentication login default radius/local
 authentication protocols default ascii
 enable
 radius
  primary_server 192.168.0.104
  src_address 192.168.0.10
  shared_key SRnet
  exit radius
 exit aaa
interface ethernet 0
 ip address 192.168.0.10 255.255.255.0
 exit ethernet

FreeRadius Server configuration
Need to modify four files on the Radius Server

• Hosts file (/etc/hosts)
  Need to add in client
  192.168.0.10 T1004

• Client.conf file (/usr/local/etc/raddb/clients.conf)
  Need to add client and shared key
  client 192.168.0.10 {
      secret = SRnet
      shortname = T1004
  }

• Users file (/usr/local/etc/raddb/user)
  Need to add the user
  kirk Auth-Type := Local, User-Password = "jamest"
      Service-Type = Admin-User
  spock Auth-Type := Local, User-Password = "vulcan"
      Service-Type = Level2-User
  mccoy Auth-Type := Local, User-Password = "bones"
      Service-Type = Level3-User
  sulu Auth-Type := Local, User-Password = "helm"
      Service-Type = Level4-User

• Dictionary file (/usr/local/share/freeradius/dictionary)
  Need to add in the different user levels
  #SR Dictionary:
  VALUE Service-Type Admin-User 1
  VALUE Service-Type Level2-User 2
  VALUE Service-Type Level3-User 3
  VALUE Service-Type Level4-User 4
SR TACACS+ Support
Test TACACS authentication using TACACS Server

[Diagram: Tacacs+ Server 192.168.0.104; Tacacs+ Client (SR 1004) 192.168.0.10]

SR 1004 configuration
conf t
aaa
 authentication login default tacacs/local
 authentication protocols default ascii
 enable
 tacacs
  primary_server 192.168.0.104
  src_address 192.168.0.10
  shared_key SRnet
  exit tacacs
 exit aaa
interface ethernet 0
 ip address 192.168.0.10 255.255.255.0
 exit ethernet

TACACS+ Sample Config
# Please read the user_guide and the tacacs+ FAQ for more information on writing more complex tacacs+ configuration files.
key = &*&^%&(0
#key = praveen
# Use /etc/passwd file to do authentication
default authentication = file /etc/passwd
# Now tacacs+ also uses default PAM authentication
#default authentication = pam pap
#If you like to use DB authentication
#default authentication = db "db_type://db_user:db_pass@db_hostname/db_name/db_table?name_field&pass_field"
# db_type: mysql or null
# db_user: Database connect username
# db_pass: Database connection password
# db_hostname : Database hostname
# db_name : Database name
# db_table : authentication table name
# name_field and pass_field: Username and password field name at the db_table
# Accounting records log file
accounting file = /var/log/tac_acc.log
# Would you like to store accounting records in database..
# db_accounting = "db_type://db_user:db_pass@db_hostname/db_name/db_table"
# Same as above..
#All services are allowed..
user = $enab1$ { login = cleartext "praveen" member = poweruser}
user = praveen { # default service = permit
chap = cleartext chap
pap = cleartext pap
login = cleartext india
member = admin}
user = root {default service = permit global = cleartext rootpass member = poweruser}
user = fred {login = cleartext praveen member = config}
user = bob {login = cleartext tiaranet member = staff}
group = poweruser {cmd = debug_eng {permit .*} member = admin}
group = admin {cmd = reboot { permit .*} cmd = configure {permit .*}
cmd = show {permit .*} cmd = display {permit .*} cmd = clear {permit .*} member = config}
group = config {cmd = telnet {permit .* } cmd = configure {deny aaa permit .*}
cmd = clear {deny cfg_file deny crypto deny ip permit .*} member = staff}
group = staff {cmd = show {deny configuration permit .*} cmd = ping {permit .*}
cmd = trace {permit .* } cmd = debug {permit .*} cmd = display {deny configuration permit .*} cmd = enable {permit .*}}
user = $enab4$ {login = cleartext "praveen"}
user = raihan {default service = permit
chap = cleartext chap
pap = cleartext pap
login = cleartext ascii
member = admin}
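
How the nested `member` chain and the per-command `deny`/`permit` patterns in the sample above combine for a given user and command, as an added Python example that is not part of the original slides or of the TACACS+ server. The user and group blocks are re-typed from the sample with credentials replaced by a placeholder; the evaluation order (nearest `cmd` block up the member chain, first matching pattern wins, no match denies, no `cmd` block falls back to `default service`) is assumed to follow the stock tac_plus daemon, and all function names are hypothetical.

```python
"""Resolve tac_plus-style command authorization through nested groups (added example)."""
import re

# Constructed from the users and groups in the sample config above;
# credentials are replaced by the placeholder REDACTED.
SAMPLE = r"""
user = praveen { # default service = permit
    login = cleartext REDACTED member = admin }
user = root { default service = permit global = cleartext REDACTED member = poweruser }
user = fred { login = cleartext REDACTED member = config }
user = bob { login = cleartext REDACTED member = staff }
group = poweruser { cmd = debug_eng { permit .* } member = admin }
group = admin { cmd = reboot { permit .* } cmd = configure { permit .* }
    cmd = show { permit .* } cmd = display { permit .* } cmd = clear { permit .* } member = config }
group = config { cmd = telnet { permit .* } cmd = configure { deny aaa permit .* }
    cmd = clear { deny cfg_file deny crypto deny ip permit .* } member = staff }
group = staff { cmd = show { deny configuration permit .* } cmd = ping { permit .* }
    cmd = trace { permit .* } cmd = debug { permit .* }
    cmd = display { deny configuration permit .* } cmd = enable { permit .* } }
"""

TOKEN = re.compile(r"[{}=]|[^\s{}=]+")


def parse(text):
    """Parse 'user = X { ... }' and 'group = X { ... }' blocks into dictionaries."""
    toks = TOKEN.findall(re.sub(r"#.*", "", text))      # drop comments first
    cfg = {"user": {}, "group": {}}
    i = 0
    while i < len(toks):
        kind, name = toks[i], toks[i + 2]               # kind = name {
        if kind not in cfg or toks[i + 3] != "{":
            raise ValueError(f"unexpected token {kind!r}")
        i += 4
        entry = {"member": None, "default_permit": False, "cmds": {}}
        while toks[i] != "}":
            if toks[i] == "cmd":                        # cmd = name { action regex ... }
                cmd, rules = toks[i + 2], []
                i += 4
                while toks[i] != "}":
                    rules.append((toks[i], toks[i + 1]))
                    i += 2
                i += 1
                entry["cmds"][cmd] = rules
            elif toks[i] == "member":
                entry["member"] = toks[i + 2]
                i += 3
            elif toks[i:i + 4] == ["default", "service", "=", "permit"]:
                entry["default_permit"] = True
                i += 4
            else:
                i += 1                                  # credentials are not needed here
        i += 1
        cfg[kind][name] = entry
    return cfg


def chain(cfg, user):
    """Group names reached from the user via member links, nearest first."""
    names, nxt = [], cfg["user"][user]["member"]
    while nxt and nxt not in names and nxt in cfg["group"]:
        names.append(nxt)
        nxt = cfg["group"][nxt]["member"]
    return names


def authorize(cfg, user, cmd, args=""):
    """Return (verdict, name of the block that decided)."""
    scopes = [(user, cfg["user"][user])]
    scopes += [(g, cfg["group"][g]) for g in chain(cfg, user)]
    for name, entry in scopes:
        if cmd in entry["cmds"]:                        # nearest cmd block wins
            for action, pattern in entry["cmds"][cmd]:
                if re.search(pattern, args):            # first matching pattern wins
                    return action, name
            return "deny", name                         # cmd block found, nothing matched
    permit = any(entry["default_permit"] for _, entry in scopes)
    return ("permit" if permit else "deny"), "default service"


if __name__ == "__main__":
    cfg = parse(SAMPLE)
    for who, cmd, args in [("fred", "configure", "aaa"), ("praveen", "configure", "aaa"),
                           ("fred", "show", "configuration"), ("bob", "configure", "ip")]:
        print(who, cmd, args, "->", authorize(cfg, who, cmd, args))
```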
SR Traffic Policing in on WAN
Traffic Policing allows for rate limiting traffic inbound on the WAN

[Diagram: Hub side SR1002 (E0 10.1.1.1/24; host 10.1.1.2/24, DG 10.1.1.1) and Remote side SR1002 (E0 192.168.0.1/24; host 192.168.0.2/24, DG 192.168.0.1) joined by the WAN link, labelled 200.1.1.2/30 with .1 at the hub and .2 at the remote; hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 qos
  add_class ratelimit root-in
  class ratelimit
   police rate 512 burst 768
   add_dst_ip 192.168.0.0 24
   exit class
  enable policing inbound
  exit qos
 exit bundle
ip
 route 0.0.0.0 0 200.1.1.1
 exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit 2
SR Traffic Policing in on Ethernet
Traffic Policing allows for rate limiting traffic inbound on Ethernet interface

[Diagram: Hub side SR1002 (E0 10.1.1.1/24; host 10.1.1.2/24, DG 10.1.1.1) and Remote side SR1002 (E0 192.168.0.1/24; host 192.168.0.2/24, DG 192.168.0.1) joined by the WAN link, labelled 200.1.1.2/30 with .1 at the hub and .2 at the remote; hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.1 24
 qos
  add_class ratelimit root-in
  class ratelimit
   police rate 512 burst 768
   add_src_ip 192.168.0.0 24
   exit class
  enable policing inbound
  exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 exit bundle
ip
 route 0.0.0.0 0 200.1.1.1
 exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit 2
SR Sub-interfaces & Traffic policing
Sub-interfaces, Traffic Policing for QoS in & out on the WAN interface

[Diagram: SR connected by an 802.1Q trunk to a VLAN switch (Foundry Networks ServerIronXL) carrying VLAN 10, VLAN 20 and VLAN 30, with the WAN on the other side.]

SR CONFIGURATION
conf t
hostname Remote1
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 description "test10"
 encapsulation dot1q 10
 ip address 216.138.115.193 29
 speed 100 full_duplex
 exit ethernet
interface ethernet 0.1
 description "test20"
 encapsulation dot1q 20
 ip address 216.138.115.201 29
 exit ethernet
interface ethernet 0.2
 description "test30"
 encapsulation dot1q 30
 ip address 216.138.115.209 29
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 qos
  add_class test10in root-in
  class test10in
   police rate 500 burst 1000
   add_dst_ip 216.138.115.192 29
   exit class
  add_class test20in root-in
  class test20in
   police rate 500 burst 1000
   add_dst_ip 216.138.115.200 29
   exit class
  add_class test30in root-in
  class test30in
   police rate 500 burst 1000
   add_dst_ip 216.138.115.208 29
   exit class
  add_class test10 root-out cr 500 br 1000
  class test10
   police rate 500 burst 1000
   add_src_ip 216.138.115.192 29
   exit class
  add_class test20 root-out cr 500 br 1000
  class test20
   police rate 500 burst 1000
   add_src_ip 216.138.115.200 29
   exit class
  add_class test30 root-out cr 500 br 1000
  class test30
   police rate 500 burst 1000
   add_src_ip 216.138.115.208 29
   exit class
  enable policing outbound
  enable policing inbound
  exit 2
ip
 route 0.0.0.0 0.0.0.0 172.16.64.1
 exit
wr mem
SR ISDN BRI support
128K BRI support used as a backup for a primary WAN interface (R8.3.5)

[Diagram: Top-SR 1001 BRI-U (laptop 192.168.0.2/24, DG 192.168.0.1) and Bot-SR 1001 BRI-U (laptop 192.168.1.2/24, DG 192.168.1.1) joined by the WAN, with an ISDN backup path: Port 1 555-0101, Port 2 555-0201.]

conf t
hostname 1001BRI_BOT
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 200.0.0.2 30
 exit
interface bundle isdn
 link bri 128
 encapsulation ppp
 ip address 172.16.1.2 30
 isdn
  spid1 55501010101
  spid2 55501020101
  idle_timeout 1
  connect_delay 1
  callednum 5550201
  exit 2
ip
 route 0.0.0.0 0.0.0.0 wan
 route 0.0.0.0 0.0.0.0 isdn 50
 exit 2
wr mem

conf t
hostname 1001BRI_TOP
interface ethernet 0
 ip address 192.168.0.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 200.0.0.1 30
 exit
interface bundle isdn
 link bri 128
 encapsulation ppp
 ip address 172.16.1.1 30
 isdn
  spid1 55502010101
  spid2 55502020101
  idle_timeout 1
  connect_delay 1
  callednum 5550101
  exit 2
ip
 route 0.0.0.0 0.0.0.0 wan
 route 0.0.0.0 0.0.0.0 isdn 50
 exit 2
wr mem
Firewall and VPN
SR Firewall using PAT out to WAN
Stateful Firewall using object for PAT out to the WAN

[Diagram: HUB side SR1002 (LAN 10.1.1.1; host 10.1.1.2/24, DG 10.1.1.1) and REMOTE side SR1002 (LAN 192.168.1.1; host 192.168.1.2/24, DG 192.168.1.1) joined by a T1 crossover simulating the T1 WAN, network 200.1.1.0 with .1 at the hub and .2 at the remote; hosts are a laptop and a server.]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.1 1
 exit ip
firewall internet
 interface wan
 exit 2
firewall corp
 interface ethernet0
 object
  nat-pool NATWAN pat 200.1.1.2
  exit object
 policy 100 out address 192.168.1.0 24 any any
  apply-object nat-pool NATWAN
  exit 2
wr mem
SR Firewall using NAT out Ethernet
Stateful Firewall using object for static NAT out the Ethernet

[Diagram: HUB side SR1002 (LAN 10.1.1.1; host 10.1.1.2/24, DG 10.1.1.1) and REMOTE side SR1002 (LAN 192.168.1.1; host 192.168.1.2/24, DG 192.168.1.1) joined across the WAN, network 200.1.1.0 with .1 at the hub and .2 at the remote; hosts are a laptop and a server.]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 24
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface bundle ethernet1
 ip address 200.1.1.2 24
 ip proxy_arp
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.1
 route 200.1.1.3 32 ethernet0
 exit ip
firewall internet
 interface ethernet1
 exit 2
firewall corp
 interface ethernet0
 object
  nat-pool NATWAN static 192.168.1.2
  exit object
 policy 100 in address any any 200.1.1.3 32
  apply-object nat-pool NATWAN
  exit 2
wr mem
SR Firewall using PAT and DMZ
Stateful Firewall using object for PAT out to the WAN, & DMZ for FTP

[Diagram: HUB side SR1002 (LAN 10.1.1.1; host 10.1.1.2/24, DG 10.1.1.1) and REMOTE side SR1002 (LAN 192.168.1.1; host 192.168.1.2/24, DG 192.168.1.1; DMZ interface 201.1.1.1 with FTP server 201.1.1.2) joined by a T1 crossover simulating the T1 WAN, network 200.1.1.0 with .1 at the hub and .2 at the remote; hosts are a laptop and a server.]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface ethernet 1
 ip address 201.1.1.1 24
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.1 1
 exit ip
firewall internet
 interface wan
 exit 2
firewall corp
 interface ethernet0
 object
  nat-pool NATWAN pat 200.1.1.2
  exit object
 policy 100 out address 192.168.1.0 24 any any
  apply-object nat-pool NATWAN
  exit 2
firewall dmz
 interface ethernet1
 policy 101 in address any any 201.1.1.0 24 service ftp
  exit 2
wr mem
SR Firewall to block Telnet & SNMP
Stateful Firewall used to block Telnet and SNMP to SR

[Diagram: Hub side SR3120 (E0 10.1.1.1/24; host 10.1.1.2/24, DG 10.1.1.1) and Remote side SR1002 (E0 192.168.0.1/24; host 192.168.0.2/24, DG 192.168.0.1) joined by the WAN link, labelled 200.1.1.2/30 with .1 at the hub and .2 at the remote; hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 exit bundle
ip
 route 0.0.0.0 0 200.1.1.1
 exit 2

Hub Side
conf t
hostname Hub
module ct3 1 t1 1-2 clock internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
firewall internet
 interface wan
 exit firewall
firewall corp
 object
  address SR 10.1.1.1
  address allowmgtIP 10.1.1.2 32
 interface ethernet0
 policy 10 in address allowmgtIP SR service telnet self
  exit policy
 policy 11 in address allowmgtIP SR service snmp self
  exit policy
 policy 12 in deny service telnet self enable-log
  exit policy
 policy 13 in deny service snmp self enable-log
  exit policy
 policy 100 in enable-log
  exit 2
SR Firewall & IPSec VPN
Stateful firewall and IPSec VPN site to site

[Diagram: two SR1002 routers labelled "H1 Side" (LAN 10.1.1.1; host 10.1.1.2/24, DG 10.1.1.1) and "R2 Side" (LAN 192.168.0.100; host 192.168.0.3/24, DG 192.168.0.100) joined by a T1 crossover simulating the T1 WAN, network 192.168.1.0 with .1 at H1 and .2 at the other end; hosts are a laptop and a server.]

R1 Side
conf t
hostname R1
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 crypto trusted
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.2 30
 crypto untrusted
 exit
ip
 route 0.0.0.0 0.0.0.0 192.168.1.1 1
 exit
crypto
 ike policy toH1 192.168.1.1
  local-address 192.168.1.2
  key test
  proposal 1
   encryption-algorithm 3des-cbc
   exit 2
 ipsec policy toH1 192.168.1.1
  match address 192.168.0.0 24 10.1.1.0 24
  proposal 1 esp
   exit 4
firewall internet
 policy 100 in service ike self
  exit
firewall corp
 policy 100 in
  exit 2

H1 Side
conf t
hostname H1
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 crypto trusted
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 30
 crypto untrusted
 exit
ip
 route 0.0.0.0 0.0.0.0 192.168.1.2 1
 exit
crypto
 ike policy toR1 192.168.1.2
  local-address 192.168.1.1
  key test
  proposal 1
   encryption-algorithm 3des-cbc
   exit 2
 ipsec policy toR1 192.168.1.2
  match address 10.1.1.0 24 192.168.0.0 24
  proposal 1 esp
   exit 4
firewall internet
 policy 100 in service ike self
  exit
firewall corp
 policy 100 in
  exit 2
SR GRE tunnel with OSPF
SR using GRE tunnels to allow OSPF routes to pass

[Diagram: Hub side SR1002 (t0 172.16.1.1/30, LB 100.1.1.1/32, E0 10.1.1.1/24; host 10.1.1.2/24, DG 10.1.1.1) and Remote side SR1002 (E0 192.168.0.100/24, LB1 100.1.1.2/32, t0 172.16.1.2/30; host 192.168.0.51/24, DG 192.168.0.100) joined across the Internet, link labelled 200.1.1.2/30 with .1 at the hub and .2 at the remote; GRE tunnel t0 runs between the two routers; hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 exit
interface loopback LB1
 ip address 100.1.1.2 32
 exit
interface tunnel t0
 ip address 172.16.1.2 24
 tunnel source 100.1.1.2
 tunnel destination 100.1.1.1
ip
 route 0.0.0.0 0 wan
 route 100.1.1 32 wan
router routerid 100.1.1.2
router ospf
 area 0
  exit
 interface t0
  area 0
  exit
 interface ethernet0
  area 0
  exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
interface loopback LB1
 ip address 100.1.1.1 32
 exit
interface tunnel t0
 ip address 172.16.1.1 30
 tunnel source 100.1.1.1
 tunnel destination 100.1.1.2
 exit
ip
 route 0.0.0.0 0 wan
 route 100.1.2 32 wan
router routerid 100.1.1.1
router ospf
 area 0
  exit
 interface t0
  area 0
  exit
 interface ethernet0
  area 0
  exit 2
SR Firewall & IPSec with GRE
Firewall using IPSec site to site and GRE tunnel with OSPF

[Diagram: Hub side SR1002 (t0 172.16.1.1/30, LB 100.1.1.1/32, E0 10.1.1.1/24; host 10.1.1.2/24, DG 10.1.1.1) and Remote side SR1002 (E0 192.168.0.100/24, LB1 100.1.1.2/32, t0 172.16.1.2/30; host 192.168.0.51/24, DG 192.168.0.100) joined across the Internet, link labelled 200.1.1.2/30 with .1 at the hub and .2 at the remote; GRE tunnel t0 runs between the two routers; hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 crypto trusted
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 crypto untrusted
 exit
interface loopback LB1
 ip address 100.1.1.2 32
 crypto trusted
 exit
interface tunnel t0
 ip address 172.16.1.2 24
 tunnel source 100.1.1.2
 tunnel destination 100.1.1.1
 tunnel protection toHUB test
 crypto untrusted
ip
 route 0.0.0.0 0 wan
 route 100.1.1 32 wan
router routerid 100.1.1.2
router ospf
 area 0
  exit
 interface t0
  area 0
  exit
 interface ethernet0
  area 0
  exit 2
firewall internet
 policy 100 in proto gre self
 policy 110 in service ike self
  exit
firewall corp
 policy 100 in
  exit

Hub Side
conf t
hostname Hub
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 crypto trusted
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 crypto untrusted
 exit
interface loopback LB1
 ip address 100.1.1.1 32
 crypto trusted
 exit
interface tunnel t0
 ip address 172.16.1.1 30
 tunnel source 100.1.1.1
 tunnel destination 100.1.1.2
 tunnel protection toRemote test
 crypto untrusted
 exit
ip
 route 0.0.0.0 0 wan
 route 100.1.2 32 wan
router routerid 100.1.1.1
router ospf
 area 0
  exit
 interface t0
  area 0
  exit
 interface ethernet0
  area 0
  exit 2
firewall internet
 policy 100 in proto gre self
 policy 110 in service ike self
  exit
firewall corp
 policy 100 in
  exit
SR Firewall & IPSec Clients
Firewall and IPSec VPN to allow IPSec Clients to connect

[Diagram: Hub side SR1002 (E0 10.1.1.1/24; host 10.1.1.2/24, DG 10.1.1.1) and Remote side SR1002 (E0 192.168.0.100/24; host 192.168.0.51/24, DG 192.168.0.100) joined across the Internet (T1 crossover simulating the T1 WAN), link labelled 200.1.1.2/30 with .1 at the hub and .2 at the remote; hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 exit
ip
 route 0.0.0.0 0 wan
 exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 crypto trusted
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 crypto untrusted
 exit
ip
 route 0.0.0.0 0.0.0.0 wan 1
 exit
crypto
 dynamic
  ike policy VPNuser modecfg-group
   local-address 200.1.1.1
   remote-id email-id [email protected]
   key testVPNkey
   proposal 1
    encryption-algorithm 3des-cbc
    exit proposal
   client configuration
    address-pool 1 20.1.1.100 20.1.1.110
    exit 3
 ipsec policy VPNuser modecfg-group
  match address 10.1.1.0 255.255.255.0
  proposal 1 esp
   exit 2
firewall internet
 interface wan
 policy 100 in service ike self
 policy 101 in protocol icmp self
  exit 2
firewall corp
 interface ethernet0
 policy 100 in address 20.1.1.100 20.1.1.110 any any
  exit 2
Cisco to SR IPSec IPIP transport
Cisco to SR interop using IPSec with IPIP transport mode

[Diagram: Remote side SR1002 (E0 10.1.1.1/24, WAN 10.1.2.1/24; host 10.1.1.2/24, DG 10.1.1.1), a second SR1002 (WAN 10.1.2.2/24, .1 on network 192.168.1.0) and the Hub side Cisco (FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24; host 192.168.2.2/24, DG 192.168.2.1). The IPSec IPIP tunnel uses network 100.1.1.0 (.1 and .2 at the tunnel ends); hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
 ip address 10.1.1.1 24
 crypto trusted
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 10.1.2.1 24
 crypto untrusted
 exit bundle
interface tunnel to-cisco
 ip address 100.1.1.1 24
 keepalive interval 0 retries 1
 tunnel source 10.1.2.1
 tunnel destination 192.168.1.2
 tunnel mode ipip
 crypto untrusted
 exit tunnel
ip
 route 0.0.0.0 0.0.0.0 10.1.2.2 1
 route 100.1.1.2 32 to-cisco 1
 route 192.168.2.0 24 to-cisco 1
 exit ip
crypto
 ike policy to-ns 192.168.1.2
  local-address 10.1.2.1
  key myvpn
  proposal 1
   encryption-algorithm 3des-cbc
   exit 2
 ipsec policy to-ns 192.168.1.2
  match address 10.1.2.1 32 192.168.1.2 32
  proposal 1 esp
   mode transport
   lifetime seconds 600
   exit 3
firewall internet
 interface wan to-cisco
 policy 10 in self
  exit 2
firewall corp
 interface ethernet0
 policy 10 in
  exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode transport
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
call rsvp-sync
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode ipip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 100.1.1.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1
Cisco to SR IPSec IPIP tunnel
Cisco to SR interop using IPSec with IPIP tunnel mode

[Diagram: Remote side SR1002 (E0 10.1.1.1/24, WAN 10.1.2.1/24; host 10.1.1.2/24, DG 10.1.1.1), a second SR1002 (WAN 10.1.2.2/24, .1 on network 192.168.1.0) and the Hub side Cisco (FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24; host 192.168.2.2/24, DG 192.168.2.1). The IPSec IPIP tunnel uses network 100.1.1.0 (.1 and .2 at the tunnel ends); hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
 ip address 10.1.1.1 24
 crypto trusted
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 10.1.2.1 24
 crypto untrusted
 exit bundle
interface tunnel to-cisco
 ip address 100.1.1.1 24
 keepalive interval 0 retries 1
 tunnel source 10.1.2.1
 tunnel destination 192.168.1.2
 tunnel mode ipip
 crypto untrusted
 exit tunnel
ip
 route 0.0.0.0 0.0.0.0 10.1.2.2 1
 route 100.1.1.2 32 to-cisco 1
 route 192.168.2.0 24 to-cisco 1
 exit ip
crypto
 ike policy to-ns 192.168.1.2
  local-address 10.1.2.1
  key myvpn
  proposal 1
   encryption-algorithm 3des-cbc
   exit 2
 ipsec policy to-ns 192.168.1.2
  match address 10.1.2.1 32 192.168.1.2 32
  proposal 1 esp
   mode tunnel
   lifetime seconds 600
   exit 3
firewall internet
 interface wan to-cisco
 policy 10 in self
  exit 2
firewall corp
 interface ethernet0
 policy 10 in
  exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
call rsvp-sync
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode ipip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 100.1.1.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1
Cisco to SR IPSec GRE transport
Cisco to SR interop using IPSec with GRE transport mode

[Diagram: Remote side SR1002 (E0 10.1.1.1/24, WAN 10.1.2.1/24; host 10.1.1.2/24, DG 10.1.1.1), a second SR1002 (WAN 10.1.2.2/24, .1 on network 192.168.1.0) and the Hub side Cisco (FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24; host 192.168.2.2/24, DG 192.168.2.1). The IPSec GRE tunnel uses network 100.1.1.0 (.1 and .2 at the tunnel ends); hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
 ip address 10.1.1.1 24
 crypto trusted
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 10.1.2.1 24
 crypto untrusted
 exit bundle
interface tunnel to-cisco
 ip address 100.1.1.1 24
 keepalive interval 0 retries 1
 tunnel source 10.1.2.1
 tunnel destination 192.168.1.2
 tunnel mode gre
 crypto untrusted
 exit tunnel
ip
 route 0.0.0.0 0.0.0.0 10.1.2.2 1
 route 100.1.1.2 32 to-cisco 1
 route 192.168.2.0 24 to-cisco 1
 exit ip
crypto
 ike policy to-ns 192.168.1.2
  local-address 10.1.2.1
  key myvpn
  proposal 1
   encryption-algorithm 3des-cbc
   exit 2
 ipsec policy to-ns 192.168.1.2
  match address 10.1.2.1 32 192.168.1.2 32
  proposal 1 esp
   mode transport
   lifetime seconds 600
   exit 3
firewall internet
 interface wan to-cisco
 policy 10 in self
  exit 2
firewall corp
 interface ethernet0
 policy 10 in
  exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode transport
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
call rsvp-sync
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode gre ip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 100.1.1.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1
Cisco to SR IPSec IPIP tunnel OSPF
Cisco to SR interop using IPSec with IPIP tunnel mode to pass OSPF

[Diagram: Remote side SR1002 (E0 10.1.1.1/24, WAN 10.1.2.1/24; host 10.1.1.2/24, DG 10.1.1.1), a second SR1002 (WAN 10.1.2.2/24, .1 on network 192.168.1.0) and the Hub side Cisco (FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24; host 192.168.2.2/24, DG 192.168.2.1). The IPSec IPIP tunnel uses network 100.1.1.0 (.1 and .2 at the tunnel ends); hosts are a laptop and a server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
 ip address 10.1.1.1 24
 crypto trusted
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 10.1.2.1 24
 crypto untrusted
 exit bundle
interface tunnel to-cisco
 ip address 100.1.1.1 24
 keepalive interval 0 retries 1
 tunnel source 10.1.2.1
 tunnel destination 192.168.1.2
 tunnel mode ipip
 crypto untrusted
 exit tunnel
interface loopback LB0
 ip address 3.3.3.1 255.255.255.0
 exit loopback
ip
 route 0.0.0.0 0.0.0.0 10.1.2.2 1
 exit ip
router routerid 3.3.3.1
router ospf
 area 0
  exit area
 interface ethernet0
  area_id 0
  exit interface
 interface to-cisco
  area_id 0
  exit 2
crypto
 ike policy to-ns 192.168.1.2
  local-address 10.1.2.1
  key myvpn
  proposal 1
   encryption-algorithm 3des-cbc
   exit 2
 ipsec policy to-ns 192.168.1.2
  match address 10.1.2.1 32 192.168.1.2 32
  proposal 1 esp
   mode tunnel
   lifetime seconds 600
   exit 3
firewall internet
 interface wan to-cisco
 policy 10 in self
  exit 2
firewall corp
 interface ethernet0
 policy 10 in
  exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode ipip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 100.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1
Layer 2
SR bridging 802.3 over the PPP WAN
BCP used to forward the bridge group over WAN, manage from E0 IP

[Diagram: SR 1002 (encoder side) and SR 1002 (decoder side) linked by a T1 crossover simulating the carrier CO T1 WAN; hosts are a video client 10.1.1.10/24 (laptop) and a video server 10.1.1.11/24.]

ENCODER
conf t
hostname encoder
module t1 1
 clock_source line
exit
Interface ethernet 0
 ip address 10.1.1.5 24
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1
 encap ppp
 bcp
  bridge vlan
  exit 2
vlanfwd
 add vlanid 10 wan
 management
  vlanid 10
  exit 3
wr mem

DECODER
conf t
hostname decoder
module t1 1
 clock_source internal
exit
interface ethernet 0
 ip address 10.1.1.6 24
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1
 encap ppp
 bcp
  bridge vlan
  exit 2
vlanfwd
 add vlanid 10 wan
 management
  vlanid 10
  exit 3
wr mem
SR bridging 802.3 over WAN, MAC learn
BCP used to forward bridge group on WAN, and enable MAC learning

[Diagram: SR 1002 (HUB side) and SR 1002 (REMOTE side) linked by a T1 crossover simulating the carrier CO T1 WAN; hosts are a client 10.1.1.10/24 (laptop) and a server 10.1.1.11/24.]

HUB
conf t
hostname Remote
module t1 1
 clock_source line
exit
interface ethernet 0
 ip address 10.1.1.1 24
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1
 encap ppp
 bcp
  bridge vlan
  exit 2
vlanfwd
 add vlanid 10 wan
 management
  vlanid 10
  exit management
 macbridge
  exit macbridge
 exit vlanfwd
wr mem

REMOTE
conf t
hostname HUB
module t1 1
 clock_source internal
exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1
 encap ppp
 no red
 bcp
  bridge vlan
  exit 2
vlanfwd
 add vlanid 10 wan
 management
  vlanid 10
  exit management
 macbridge
  exit macbridge
 exit vlanfwd
wr mem
SR bridging 802.3 MLPPP WAN
BCP used to forward bridge group over WAN, manage from E0 IP

[Diagram: SR 1002 (HUB side) and SR 1002 (REMOTE side) linked by a T1 crossover simulating the carrier CO T1 WAN; hosts are a client 10.1.1.10/24 (laptop) and a server 10.1.1.11/24.]

HUB
conf t
hostname HUB
module t1 1-2
 clock_source internal
exit
interface ethernet 0
 ip address 10.1.1.1 24
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1-2
 encap ppp
 bcp
  bridge lan
  exit
 vlan
  vlanid 10
  exit 2
vlanfwd
 management
  vlanid 10
  exit 3
wr mem

REMOTE
conf t
hostname REMOTE
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1-2
 encap ppp
 bcp
  bridge lan
  exit
 vlan
  vlanid 10
  exit 2
vlanfwd
 management
  vlanid 10
  exit 3
wr mem
SR bridge 802.3 & VMI interface
Using BCP to forward over WAN and use VMI to manage the device

[Diagram: SR 1002 (HUB side) and SR 1002 (REMOTE side) linked by a T1 crossover simulating the carrier CO T1 WAN; hosts are a client 10.1.1.10/24 (laptop) and a server 10.1.1.11/24.]

HUB
conf t
hostname HUB
module t1 1-2
 clock_source internal
exit
interface ethernet 0
 ip address 192.168.0.1 30
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1-2
 encap ppp
 bcp
  bridge vlan
  exit 2
vlanfwd
 add vlanid 10 wan
 management
  vlanid 10
  ip_interface address 10.1.1.3 24
  default_route 10.1.1.1 VlanMgmt
  exit 3
wr mem

REMOTE
conf t
hostname REMOTE
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.0.1 30
 vlan
  vlanid 10
  exit
 exit
int bundle wan
 link t1 1-2
 encap ppp
 bcp
  bridge vlan
  exit 2
vlanfwd
 add vlanid 10 wan
 management
  vlanid 10
  ip_interface address 10.1.1.4 24
  default_route 10.1.1.1 VlanMgmt
  exit 3
wr mem

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management
SR bridge VLAN over WAN
Using VLANFWD to define which VLAN will be forwarded, and VMI

[Diagram labels: Foundry Networks FastIron II; HUB North; WAN; channelized DS3; SR 3120; 10/100 Ethernet; 2 T1 MLPPP; SR 1004; customer switch, VLAN 331; Customer X Site 1; tagged packets forwarded; SNMP Mgr, VLAN 1000, 172.16.16.1.1/24; 802.1Q trunk carrying VLAN 331 and VLAN 1000; 802.1Q packets]

SR 1004 Site1
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.1.1 30
exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 10.1.1.202 24
  default_route 10.1.1.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
 ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4
 clock line
exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 bcp bridge vlan
exit
vlanfwd
 add vlanid 1000 ethernet0
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 10.1.1.201 24
  default_route 10.1.1.1 VlanMgmt

Note: The IP address on Ethernet is only there to bring up the interface. It is not used to manage the device. The device is managed through the IP address under VLAN management, on a VLAN used only for management.
SR VLAN tagging & forwarding
CPE tags the ingress packets and forwards them to the HUB

[Diagram labels: two Foundry Networks FastIron II switches; HUB North and HUB South; Internet; at each hub: WAN, channelized DS3, SR 3120, 10/100 Ethernet, 802.1Q trunk carrying VLAN 331 and VLAN 1000; at each of Customer X Site 1 and Site 2: customer hub/switch sending 802.3 packets, SR 1004 tagging packets with id 331, 2 T1 MLPPP, tagged packets forwarded; SNMP Mgr, VLAN 1000, 172.25.0.100/16]

SR 1004 Site1
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.1.1 30
 vlan vlanid 331
exit 2
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.25.24.155 16
  default_route 172.25.0.1 VlanMgmt

SR 1004 Site2
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.1.1 30
 vlan vlanid 331
exit 2
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.25.24.157 16
  default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
 ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4
 clock line
exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 bcp bridge vlan
exit
vlanfwd
 add vlanid 1000 ethernet0
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.25.24.156 16
  default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub2
interface ethernet 0
 ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4
 clock line
exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 bcp bridge vlan
exit
vlanfwd
 add vlanid 1000 ethernet0
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.125.24.158 16
  default_route 172.25.0.1 VlanMgmt

Note: The IP address on Ethernet is only there to bring up the interface. It is not used to manage the device. The device is managed through the IP address under VLAN management, on a VLAN used only for management.
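The note's requirement, a VLAN used only for management, can be checked mechanically against an SR configuration. The script below is an added example, not part of the original slides or the vendor's tooling: it reads the `vlan vlanid`, `add vlanid` and `management vlanid` commands as they appear on this page and reports where the management VLAN overlaps with user traffic. The three sample configurations are constructed (modelled on stanzas shown on this page), and which ports count as customer-facing is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed samples, modelled on configurations shown on this page.
CPE_DEDICATED = """
interface ethernet 0
 ip address 192.168.1.1 30
 vlan vlanid 331
exit 2
vlanfwd
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
"""
CPE_SHARED = """
interface ethernet 0
 ip address 10.1.1.1 24
 vlan vlanid 10
exit 2
vlanfwd
 add vlanid 10 wan
 management vlanid 10
"""
CPE_TRUNK = """
interface ethernet 0
 ip address 192.168.0.1 30
exit
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management vlanid 200
"""

# Only the commands that decide where a VLAN can travel are matched.
_PATTERN = re.compile(
    r"\bint(?:erface)?\s+e(?:thernet)?\s*(?P<eth>\d+)\b"
    r"|\bint(?:erface)?\s+(?P<other>bundle|avc)\b"
    r"|\badd\s+vlanid\s+(?P<add_id>\d+)\s+(?P<add_port>\S+)"
    r"|\bmanagement\s+vlanid\s+(?P<mgmt>\d+)"
    r"|\bvlan\s+vlanid\s+(?P<pvid>\d+)"
)


@dataclass
class VlanView:
    port_vlan: Dict[str, int] = field(default_factory=dict)       # VLAN applied to ingress on an Ethernet port
    forwarded: Dict[int, Set[str]] = field(default_factory=dict)  # VLAN id -> ports named in "add vlanid"
    mgmt_vlan: Optional[int] = None


def parse(text: str) -> VlanView:
    """Collect port VLANs, forwarded VLANs and the management VLAN from an SR config."""
    view = VlanView()
    current_eth = None
    for m in _PATTERN.finditer(text):
        if m.group("eth") is not None:
            current_eth = "ethernet" + m.group("eth")
        elif m.group("other") is not None:
            current_eth = None  # a "vlan vlanid" that follows belongs to a bundle, not a LAN port
        elif m.group("add_id") is not None:
            view.forwarded.setdefault(int(m.group("add_id")), set()).add(m.group("add_port"))
        elif m.group("mgmt") is not None:
            view.mgmt_vlan = int(m.group("mgmt"))
        elif m.group("pvid") is not None and current_eth:
            view.port_vlan[current_eth] = int(m.group("pvid"))
    return view


def audit(text: str, customer_ports: Set[str]) -> List[str]:
    """Return findings where the management VLAN is not kept apart from user traffic."""
    view = parse(text)
    if view.mgmt_vlan is None:
        return ["no management VLAN configured under vlanfwd"]
    findings = []
    for port, vid in sorted(view.port_vlan.items()):
        if vid == view.mgmt_vlan:
            findings.append(
                f"management VLAN {vid} is also the VLAN applied to ingress traffic on {port}")
    exposed = view.forwarded.get(view.mgmt_vlan, set()) & set(customer_ports)
    for port in sorted(exposed):
        findings.append(
            f"management VLAN {view.mgmt_vlan} is forwarded to customer-facing port {port}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("dedicated", CPE_DEDICATED), ("shared", CPE_SHARED), ("trunk", CPE_TRUNK)):
        print(name, audit(cfg, {"ethernet0"}) or "ok")
```

On a hub, where the SNMP manager sits behind the Ethernet trunk, pass an empty set of customer-facing ports so that forwarding the management VLAN to `ethernet0` is not reported.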
SR VLAN forwarding
Device forwards the traffic based on VLAN id and managed inband

[Diagram labels: two Foundry Networks FastIron II switches; HUB North and HUB South; Internet; at each hub: WAN, channelized DS3, SR 3120, 10/100 Ethernet, 802.1Q trunk carrying VLAN 331 and VLAN 1000; at each of Customer X Site 1 and Site 2: customer switch sending 802.1Q packets, SR 1004, 2 T1 MLPPP, tagged packets forwarded; SNMP Mgr, VLAN 1000, 172.25.0.100/16]

SR 1004 Site1
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.1.1 30
exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.25.24.155 16
  default_route 172.25.0.1 VlanMgmt

SR 1004 Site2
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.1.1 30
exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.25.24.157 16
  default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
 ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4
 clock line
exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 bcp bridge vlan
exit
vlanfwd
 add vlanid 1000 ethernet0
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.25.24.156 16
  default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub2
interface ethernet 0
 ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4
 clock line
exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 bcp bridge vlan
exit
vlanfwd
 add vlanid 1000 ethernet0
 add vlanid 331 ethernet0
 add vlanid 1000 wan
 add vlanid 331 wan
 management vlanid 1000
  ip_interface address 172.125.24.158 16
  default_route 172.25.0.1 VlanMgmt

Note: The IP address on Ethernet is only there to bring up the interface. It is not used to manage the device. The device is managed through the IP address under VLAN management, on a VLAN used only for management.
SR double tagging (QinQ)
CPE tags the ingress packets and forwards them to the HUB with QinQ

[Diagram labels: two BlackDiamond switches; HUB North and HUB South; Internet; at each hub: WAN, channelized DS3, SR 3120, 10/100 Ethernet, QinQ trunk carrying VLD 102 and VLD 1000; at each of Customer X Site 1 and Site 2: customer switch, VLAN 10, sending 802.1Q packets, SR 1004 tagging packets with VLD 102, 2 T1 MLPPP, tagged packets forwarded; SNMP Mgr, VLD 1000, 172.25.0.100/16]

SR 1004 Site1
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.1.1 30
 vlan vldid 102
exit 2
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 vld_ether_type 37120
 add vldid 1000 wan
 add vldid 102 wan
 management vldid 1000
  ip_interface address 172.25.24.155 16
  default_route 172.25.0.1 VlanMgmt

SR 1004 Site2
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 192.168.1.1 30
 vlan vldid 102
exit 2
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 vld_ether_type 37120
 add vldid 1000 wan
 add vldid 102 wan
 management vldid 1000
  ip_interface address 172.25.24.157 16
  default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
 ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4
 clock line
exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 bcp bridge vlan
exit
vlanfwd
 vld_ether_type 37120
 add vldid 1000 ethernet0
 add vldid 102 ethernet0
 add vldid 1000 wan
 add vldid 102 wan
 management vldid 1000
  ip_interface address 172.25.24.156 16
  default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub2
interface ethernet 0
 ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4
 clock line
exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 bcp bridge vlan
exit
vlanfwd
 vld_ether_type 37120
 add vldid 1000 ethernet0
 add vldid 102 ethernet0
 add vldid 1000 wan
 add vldid 102 wan
 management vldid 1000
  ip_interface address 172.125.24.158 16
  default_route 172.25.0.1 VlanMgmt

Note: The IP address on Ethernet is only there to bring up the interface. It is not used to manage the device. The device is managed through the IP address under VLAN management, on a VLAN used only for management.

Note: Extreme's VMAN uses Ethertype 9100. To interoperate, we need to change our default Ethertype of 8100 to 9100:
Router/configure/vlanfwd> vld_ether_type 37120
Global Vld Ethernet Type set to 37120 (0x9100)
This can be changed per interface, under each interface of VLD tagging.
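Why the Ethertype has to match on both ends is easiest to see on the wire. The following is an added example, not code from the slides or from either vendor: it builds a constructed double-tagged frame (outer VLD 102 with TPID 0x9100, inner customer VLAN 10 with TPID 0x8100, as in the diagram above) and parses it once as a device expecting 0x9100 and once as a device left at the 0x8100 default. The MAC addresses, the inner 802.1p value and the payload Ethertype are assumed sample values.

```python
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100   # default tag Ethertype named in the note
TPID_VMAN = 37120     # 0x9100, the value given to vld_ether_type on this page

Tag = Tuple[int, int, int]  # (tpid, 802.1p priority, vlan id)


def build_frame(tags: List[Tag], ethertype: int, payload: bytes = b"") -> bytes:
    """Build an Ethernet frame carrying the given tag stack, outermost tag first."""
    dst = bytes.fromhex("020000000002")  # constructed, locally administered MACs
    src = bytes.fromhex("020000000001")
    frame = dst + src
    for tpid, pcp, vid in tags:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # DEI bit left at 0
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes, outer_tpid: int) -> Tuple[List[Tag], int]:
    """Parse the tag stack the way a device configured with outer_tpid would.

    The outermost tag is recognised only if its TPID equals outer_tpid; any
    further tags must use 0x8100. Returns (tags, first Ethertype that is not
    a recognised tag).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12            # skip destination and source MAC
    expected = outer_tpid
    tags: List[Tag] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != expected:
            return tags, etype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        offset += 4
        expected = TPID_8021Q


# Constructed QinQ frame: outer VLD 102, inner customer VLAN 10 (priority 6), IPv4 payload type.
SAMPLE_FRAME = build_frame([(TPID_VMAN, 0, 102), (TPID_8021Q, 6, 10)], 0x0800)

if __name__ == "__main__":
    print("peer set to 0x9100:", parse_tags(SAMPLE_FRAME, TPID_VMAN))
    print("peer left at 0x8100:", parse_tags(SAMPLE_FRAME, TPID_8021Q))
```

A peer left at 0x8100 finds no tag at all and sees 0x9100 as an unknown payload type, so neither VLD 102 nor the inner VLAN 10 can be matched by its forwarding rules.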
SR bridging 802.3 NxDS3 WAN
NxDS3 MLPPP WAN bridging 802.3 packet & inband Management

[Diagram labels: SR 3120 HUB; SR 3120 REMOTE; WAN; 2 DS-3 TX-RX, simulated one; DS3 circuits; two HUB side switches; two REMOTE side switches; untagged packets]

3120#configure t
hostname HUB
module t3 1
 clock_source internal
exit
module t3 2
 clock_source internal
exit
int ethernet 0
 ip address 192.168.1.1 30
 vlan vlanid 10
exit 2
int ethernet 1
 ip address 192.168.1.5 30
 vlan vlanid 11
exit 2
interface bundle wan
 link t3 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 10 wan
 add vlanid 11 wan
 management vlanid 10
  ip_interface address 10.1.1.10 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

3120#configure t
hostname REMOTE
module t3 1
 clock_source line
exit
module t3 2
 clock_source line
exit
int ethernet 0
 ip address 192.168.1.1 30
 vlan vlanid 10
exit 2
int ethernet 1
 ip address 192.168.1.5 30
 vlan vlanid 11
exit 2
interface bundle wan
 link t3 1-2
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 10 wan
 add vlanid 11 wan
 management vlanid 10
  ip_interface address 10.1.1.11 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

Note: The IP address on Ethernet is only there to bring up the interface.
SR bridging 802.1Q NxDS3 WAN
NxDS3 MLPPP WAN bridging 802.1Q packet & inband Management

[Diagram labels: SR 3120 HUB; SR 3120 REMOTE; WAN; 2 DS-3 TX-RX, simulated one; DS3 circuits; HUB VLAN 10 switch; HUB VLAN 11 switch; REMOTE VLAN 10 switch; REMOTE VLAN 11 switch; tagged packets]

3120#configure t
hostname HUB
module t3 1
 clock_source internal
exit
module t3 2
 clock_source internal
exit
int ethernet 0
 ip address 192.168.1.1 30
exit
int ethernet 1
 ip address 192.168.1.5 30
exit
interface bundle wan
 link t3 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 add vlanid 11 ethernet1
 add vlanid 11 wan
 management vlanid 10
  ip_interface address 10.1.1.10 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

3120#configure t
hostname REMOTE
module t3 1
 clock_source line
exit
module t3 2
 clock_source line
exit
int ethernet 0
 ip address 192.168.1.1 30
exit
int ethernet 1
 ip address 192.168.1.5 30
exit
interface bundle wan
 link t3 1-2
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 add vlanid 11 ethernet1
 add vlanid 11 wan
 management vlanid 10
  ip_interface address 10.1.1.11 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

Note: The IP address on Ethernet is only there to bring up the interface.
SR VLAN forwarding over WAN
Using MLPPP Forward VLAN from Foundry over the WAN

[Diagram labels: Remote1 SR 1004; Remote2 SR 1004; Hub SR 3120; two MLPPP links, each 2 T1, 3 Meg; Foundry switches (two Foundry Networks ServerIronXL, one Foundry Networks FastIron II); VLAN 10; VLAN 20]

SR CONFIGURATION
conf t
hostname Remote1
interface ethernet 0
 ip address 192.168.0.1 30
exit
module t1 1-2
 clock_source line
exit
interface bundle wan1
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan1
 management vlanid 10
  ip_interface address 10.1.1.3 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

SR CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 30
exit
interface ethernet 1
 ip address 192.168.0.5 30
exit
module t1 1-8
 clock_source internal
exit
interface bundle wan1
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
interface bundle wan2
 link t1 4-5
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan1
 add vlanid 20 ethernet1
 add vlanid 20 wan2
 management vlanid 10
  ip_interface address 10.1.1.2 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

SR CONFIGURATION
conf t
hostname Remote2
interface ethernet 0
 ip address 192.168.0.1 30
exit
module t1 1-2
 clock_source line
exit
interface bundle wan2
 link t1 1-2
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 20 ethernet0
 add vlanid 20 wan2
 management vlanid 20
  ip_interface address 10.1.1.3 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem
SR VLAN forwarding over WAN
Using PPP Forward 802.1Q VLAN across the WAN

[Diagram labels: tas1 SR 1004; tas2 SR 1004; T1 crossover, simulated T1 WAN; WAN; on each side a VLAN switch with VLAN 75, VLAN 130, VLAN 176 and an 802.1Q trunk carrying tagged packets; Foundry Networks FastIron II; backbone LAN router: VLAN 76 X.X.X.200, VLAN 130 X.X.X.200, VLAN 176 X.X.X.200, VLAN 200 138.202.200.200/24]

SR CONFIGURATION
conf t
hostname tas1
interface ethernet 0
 ip address 192.168.0.1 30
exit
module t1 1
 clock_source internal
exit
interface bundle wan
 link t1 1
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management vlanid 200
  ip_interface address 138.202.200.83 24
  default_route 138.202.200.200 VlanMgmt
exit 3
wr mem

SR CONFIGURATION
conf t
hostname tas2
interface ethernet 0
 ip address 192.168.0.1 30
exit
module t1 1
 clock_source line
exit
interface bundle wan
 link t1 1
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management vlanid 200
  ip_interface address 138.202.200.84 24
  default_route 138.202.200.200 VlanMgmt
exit 3
wr mem

Typical Cisco 3550 config
#config t
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 channel-group 1 mode desirable
interface FastEthernet0/2
 switchport access vlan 75
 switchport mode access
 no ip address
interface FastEthernet0/3
 switchport access vlan 130
 switchport mode access
 no ip address
interface FastEthernet0/4
 switchport access vlan 176
 switchport mode access
 no ip address
interface Vlan75
 ip address X.X.X.X 255.255.255.0
SR VLAN forwarding over WAN
Using MLPPP Forward 802.1Q VLAN across

[Diagram labels: tas1 SR 1004; tas2 SR 1004; T1 crossover, simulated T1 WAN; WAN; on each side a VLAN switch with VLAN 75, VLAN 130, VLAN 176 and an 802.1Q trunk carrying tagged packets; Foundry Networks FastIron II; backbone LAN router: VLAN 76 X.X.X.200, VLAN 130 X.X.X.200, VLAN 176 X.X.X.200, VLAN 200 138.202.200.200/24]

SR CONFIGURATION
conf t
hostname tas1
interface ethernet 0
 ip address 192.168.0.1 30
exit
module t1 1-4
 clock_source internal
exit
interface bundle wan
 link t1 1-4
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management vlanid 200
  ip_interface address 138.202.200.83 24
  default_route 138.202.200.200 VlanMgmt
exit 3
wr mem

SR CONFIGURATION
conf t
hostname tas2
interface ethernet 0
 ip address 192.168.0.1 30
exit
module t1 1-4
 clock_source line
exit
interface bundle wan
 link t1 1-4
 encapsulation ppp
 bcp bridge vlan
exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management vlanid 200
  ip_interface address 138.202.200.84 24
  default_route 138.202.200.200 VlanMgmt
exit 3
wr mem

Note: The IP address on Ethernet is only there to bring up the interface. It is not used to manage the device. The device is managed through the IP address under VLAN management, on a VLAN used only for management.
SR bridge 802.3 over FR (FRF.16)
Using MLFR create bridge groups and bridge 802.3 over FR (FRF.16)

[Diagram labels: SR 1004; SR 3120; two T1 lines using MLFR; carrier CO; 192.168.3.2/24; 192.168.3.1/24]

SR CONFIGURATION
conf t
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 10.1.1.2 24 (just used to bring up interface)
 vlan vlanid 10
exit 2
interface bundle wan
 link t1 1-2
 encapsulation frelay
 fr
  intf_type dte
  pvc 100
   shaping cir 3072000 bcmax 3072000 bcmin 65536
   policing cir 3072000 bc 3072000
   bridge vlan
exit 3
vlanfwd
 add vlanid 10 wan:100
 management vlanid 10
  ip_interface address 192.168.3.2 24
  default_route 192.168.3.1 VlanMgmt
exit 3
hostname REMOTE
wr mem

SR CONFIGURATION
conf t
module t1 1-2
 clock_source internal
exit
interface ethernet 0
 ip address 10.1.1.1 24
 vlan vlanid 10
exit 2
interface bundle wan
 link t1 1-2
 encapsulation frelay
 fr
  intf_type dce
  pvc 100
   shaping cir 3072000 bcmax 3072000 bcmin 65536
   policing cir 3072000 bc 3072000
   bridge vlan
exit 3
vlanfwd
 add vlanid 10 wan:100
 management vlanid 10
  ip_interface address 192.168.3.3 24
  default_route 192.168.3.1 VlanMgmt
exit 3
hostname HUB
wr mem
SR bridge 802.3 over FR (FRF.15)
Using MLFR create bridge groups and bridge 802.3 over FR (FRF.15)

[Diagram labels: SR 1004; SR 3120; two T1 lines using MLFR; carrier CO; 192.168.3.2/24; 192.168.3.1/24]

SR CONFIGURATION
conf t
module t1 1-2
 clock_source internal
exit 1
interface ethernet 0
 ip add 10.1.1.1 24
 vlan vlanid 10
exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
  intf_type dce
  pvc 101
exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
  intf_type dce
  pvc 102
exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
wr mem

SR CONFIGURATION
conf t
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan vlanid 10
exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
  intf_type dte
  pvc 101
exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
  intf_type dte
  pvc 102
exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
wr mem
SR bridge 802.3 over FR (FRF.15)
Using MLFR create bridge groups and bridge 802.3 over FR (FRF.15)

[Diagram labels: SR 1004; SR 3120; WAN; 192.168.3.2/24]
Customer CPE: IP address 192.168.1.2/30, DG 192.168.1.1
Core Router: Int fast 0/0.1, Encap dot1Q 10, ip address 192.168.1.1/30
Ethernet packets are tagged into WAN and untagged out to LAN.
T1 are bundled using MLFR and data passed with VLAN tag.
Ethernet packets forwarded to LAN with VLAN tags.

SR 1004
conf t
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan vlanid 10
exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
  intf_type dte
  pvc 101
exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
  intf_type dte
  pvc 102
exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
wr mem

SR 3120
conf t
module ct3 1 t1 1-2
 clock internal
exit
interface ethernet 0
 ip add 10.1.1.1 24
exit
interface bundle cvc1
 link ct31 1
 encapsulation frelay
 fr
  intf_type dce
  pvc 101
exit 3
interface bundle cvc2
 link ct31 2
 encapsulation frelay
 fr
  intf_type dce
  pvc 102
exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
wr mem
SR bridge 802.3 over FR (FRF.15)
Using MLFR (FRF.15) packets are forwarded and inband Management

[Diagram labels: SR 1004; SR 3120; WAN; 192.168.3.2/24]
Customer CPE: IP address 192.168.1.2/24, DG 192.168.1.1
Core Router: Int fast 0/0.1, Encap dot1Q 10, ip address 192.168.1.1/24
Ethernet packets are tagged into WAN and untagged out to LAN.
T1 are bundled using MLFR and data passed with VLAN tag.
Ethernet packets forwarded to LAN with VLAN tags.

SR 1004
conf t
module t1 1-2
 clock_source line
exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan vlanid 10
exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
  intf_type dte
  pvc 101
exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
  intf_type dte
  pvc 102
exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
 management vlanid 10
  ip_interface address 192.168.3.4 24
  default_route 192.168.3.1 VlanMgmt
wr mem

SR 3120
conf t
module ct3 1 t1 1-2
 clock internal
exit
interface ethernet 0
 ip add 10.1.1.1 24
exit
interface bundle cvc1
 link ct31 1
 encapsulation frelay
 fr
  intf_type dce
  pvc 101
exit 3
interface bundle cvc2
 link ct31 2
 encapsulation frelay
 fr
  intf_type dce
  pvc 102
exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
 management vlanid 10
  ip_interface address 192.168.3.3 24
  default_route 192.168.3.1 VlanMgmt
wr mem
SR VLAN forward over FR (FRF.15)
Using MLFR (FRF.15) VLAN packets are forwarded & inband Management

[Diagram labels: SR 1002; two T1 lines using MLFR; carrier CO; channelized DS3; SR 3120; Juniper M10; full duplex 100M Ethernet; VLAN trunk; VLAN 10 on both sides]
Ethernet packets forwarded to LAN with VLAN tags.

SR 3120 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 30
exit
module ct3 1 t1 27-28
 clock internal
exit
interface bundle cvc1
 link ct3 1 27
 encapsulation frelay
 fr
  intf_type dce
  pvc 210
exit 3
interface bundle cvc2
 link ct3 1 28
 encapsulation frelay
 fr
  intf_type dce
  pvc 211
exit 3
interface avc frf15 100
 cvc 210 cvc1
 cvc 211 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
exit
wr mem

SR 1002 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 30
exit
module t1 1-2
 clock_source line
exit
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
  intf_type dte
  pvc 210
exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
  intf_type dte
  pvc 211
exit 3
interface avc frf15 100
 cvc 210 cvc1
 cvc 211 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
 management vlanid 10
  ip_interface address 66.90.230.61 26
  default_route 66.90.230.0 VlanMgmt
wr mem
SR to Cisco bridging over PPP
Cisco to SR interop with Bridging over PPP WAN

[Diagram labels: Cisco 7513; SR 1004; single T1 PPP; 11.1.1.10/24; 11.1.1.11/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.1.130
 vlan vlanid 100
exit 2
interface bundle cisco
 link t1 1
 encapsulation ppp
 bcp bridge lan
 exit bcp
 vlan vlanid 100
 exit vlan
exit bundle
Vlanfwd
 management vlanid 100
  ip_interface address 11.1.1.2 24
  default_route 11.1.1.1 VlanMgmt
exit 3
wr mem

CISCO CONFIGURATION
conf t
bridge irb
interface Loopback1
 ip address 11.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 bridge-group 1
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip mroute-cache
 bridge-group 1
!
!
no ip classless
ip route 11.1.1.1 255.255.255.255 FastEthernet0/0
!
bridge 1 protocol ieee
SR to Cisco bridging over FR
Cisco to SR interop with Bridging over FR WAN

[Diagram labels: Cisco 7513; SR 1004; single T1 FR; 11.1.1.10/24; 11.1.1.11/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.1.130
 vlan vlanid 100
exit 2
interface bundle cisco
 link t1 1
 encapsulation frelay
 fr
  frame_size 1600
  intf_type dce
  lmi ansi
  exit lmi
  pvc 100
   bridge lan
   vlan vlanid 10
   exit vlan
  exit pvc
 exit fr
exit bundle
Vlanfwd
 management vlanid 100
  ip_interface address 11.1.1.2 24
  default_route 11.1.1.1 VlanMgmt
exit 3
wr mem

CISCO CONFIGURATION
conf t
bridge irb
interface Loopback1
 ip address 11.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 bridge-group 1
!
interface Serial0/0
 mtu 1600
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 clock source internal
 frame-relay map bridge 100 broadcast
 frame-relay interface-dlci 100
 frame-relay lmi-type ansi
 frame-relay intf-type dte
 bridge-group 1
!
!
no ip classless
ip route 11.1.1.1 255.255.255.255 FastEthernet0/0
!
bridge 1 protocol ieee
SR to Cisco VLAN forward over PPP
Cisco to SR interop with VLAN forwarding over PPP WAN using BCP

[Diagram labels: Cisco 7206 with 12.4; SR 1004; single T1 PPP; VLAN trunk and VLAN 100 on both sides; 10.1.1.10/24; 10.1.1.11/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.1.130
exit
interface bundle cisco
 link t1 1
 encapsulation ppp
 bcp bridge vlan
 exit bcp
exit bundle
Vlanfwd
 add vlanid 100 ethernet0
 add vlanid 100 cisco
 management vlanid 100
  ip_interface address 10.1.1.2 24
  default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

CISCO CONFIGURATION
conf t
bridge crb
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 vlan-range dot1q 2 200
 bridge-group 1
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip mroute-cache
 bridge-group 1
!
!
no ip classless
ip route 10.1.1.1 255.255.255.255 FastEthernet0/0
!
bridge 1 protocol ieee

Note: The IP address on Ethernet 0 is only there to bring up the interface.
SR to Cisco VLAN forward over FR
Cisco to SR interop with VLAN forwarding over FR WAN

[Diagram labels: 1004; Cisco 7206; WAN, Frame Relay; 10/100 Ethernet; two backbone switches; 802.3, untagged packets forwarded; 802.1Q trunk, VLAN 125, tagged packets forwarded]

SR CONFIGURATION
conf t
hostname Remote
module e1 1
 clock_source line
 framing disable
exit
interface ethernet 1
 ip address 192.168.2.1 30
 vlan vlanid 125
 exit vlan
exit ethernet
interface bundle wan
 link e1 1
 encapsulation frelay
 fr
  intf_type dte
  frame_size 1500
  lmi ansi
  exit lmi
  pvc 125
   shaping cir 1000000 bcmax 1000000 bcmin 65536
   bridge lan
   vlan vlanid 125
  exit pvc
 exit fr
exit bundle

CISCO CONFIGURATION (Cisco 7206)
conf t
boot system slot0:c7200-p-mz.122-25.S4.bin
ip subnet-zero
ip cef
no ip domain-lookup
frame-relay switching
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.125
 encapsulation dot1Q 125
!
interface Serial4/1:0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
!
connect test2 Serial4/1:0 125 FastEthernet0/0.125 interworking ethernet
Layer 2 Applications
SR bridge 802.3 & Monitor WAN b/w
Using QoS to classify based on bridge VLAN will allow WAN b/w monitoring

[Diagram labels: SR 1002 encoder side; SR 1002 decoder side; T1 crossover, simulated T1 WAN; carrier CO; laptop video client 192.168.11.2; video server 192.168.11.5]

ENCODER Side
conf t
hostname encoder
module t1 1
 clock_source line
exit
int e 0
 ip address 192.168.11.11 24
 vlan vlanid 10
exit 2
int bundle wan
 link t1 1
 encap ppp
 bcp bridge vlan
 exit
 qos
  add_class qosbw root-out cr 1536 br 1536
  class qosbw
   priority 1
   add_vlan_id 10
  exit
  enable mon outbound
exit 2
vlanfwd
 add vlanid 10 wan
 management vlanid 10
exit 3
wr mem

DECODER Side
conf t
hostname decoder
module t1 1
 clock_source internal
exit
int e 0
 ip address 192.168.11.12 24
 vlan vlanid 10
exit 2
int bundle wan
 link t1 1
 encap ppp
 bcp bridge vlan
 exit
 no red
 qos
  add_class qosbw root-out cr 1536 br 1536
  class qosbw
   priority 1
   add_vlan_id 10
  exit
  enable mon outbound
exit 2
vlanfwd
 add vlanid 10 wan
 management vlanid 10
exit 3
wr mem

Note: to monitor bandwidth over WAN use: show qos bundle wan
SR bridging video
When bridging video over MLPPP fragmentation needs to be disabled

[Diagram labels: two SR 1004; T1 crossover, simulated T1 WAN; carrier CO; laptop video client 192.168.11.2; video server 192.168.11.5]

ENCODER
conf t
hostname encoder
module t1 1-4
 clock_source line
exit
interface ethernet 0
 ip address 192.168.11.11 24
 vlan vlanid 10
 exit
exit
int bundle wan
 link t1 1-4
 encap ppp
 mlppp seg_threshold 1024
 bcp bridge vlan
 exit
exit
vlanfwd
 add vlanid 10 wan
 management vlanid 10
 exit
exit
wr mem

DECODER
conf t
hostname decoder
module t1 1-4
 clock_source internal
exit
int e 0
 ip address 192.168.11.12 24
 vlan vlanid 10
 exit
exit
int bundle wan
 link t1 1-4
 encap ppp
 mlppp seg_threshold 1024
 bcp bridge vlan
 exit
exit
vlanfwd
 add vlanid 10 wan
 management vlanid 10
 exit
exit
wr mem
SR VLAN forwarding and QoS
SR front-end Cisco CT3 WAN to T1 using QoS based on VLAN id

[Diagram labels: SR 1004; two T1 lines using MLPPP; carrier CO; channelized DS3; SR 3120; Cisco 7505; full duplex 100M Ethernet; VLAN trunk; VLAN 10; VLAN 20]
Ethernet packets forwarded to LAN with VLAN tags.

SR 1004 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.1 24
exit
module t1 1-4
 clock_source line
exit
interface bundle wan
 link t1 1-4
 encapsulation ppp
 bcp bridge vlan
 exit
 qos
  add_class qosGOLD root-out cr 1000 br 6144 priority 1
  add_class qosSILVER root-out cr 500 br 3072 priority 2
  class qosGOLD
   add_vlan_id 10
  exit class
  class qosSILVER
   add_vlan_id 20
  exit class
  enable cbq outbound
exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 20 ethernet0
 add vlanid 10 wan
 add vlanid 20 wan
 add vlanid 99 wan
 management vlanid 99
  ip_interface address 10.1.1.2 24
  default_route 10.1.1.1 VlanMgmt
wr mem

SR 6302 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 24
exit
module ct3 1 t1 1-4
 clock internal
exit
interface bundle wan
 link ct3 1 1-4
 encapsulation ppp
 bcp bridge vlan
 exit
 qos
  add_class qosGOLD root-out cr 1000 br 6144 priority 1
  add_class qosSILVER root-out cr 500 br 3072 priority 2
  class qosGOLD
   add_vlan_id 10
  exit class
  class qosSILVER
   add_vlan_id 20
  exit class
  enable cbq outbound
exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 20 ethernet0
 add vlanid 99 ethernet0
 add vlanid 10 wan
 add vlanid 20 wan
 add vlanid 99 wan
 management vlanid 99
  ip_interface address 10.1.1.3 24
  default_route 10.1.1.1 VlanMgmt
wr mem

Core Router
Int fast 0/0.1
 Encap dot1Q 10
 ip address 10.10.10.1/24
Int fast 0/0.2
 Encap dot1Q 20
 ip address 10.20.20.1/24
Int fast 0/0.3
 Encap dot1Q 99
 ip address 10.1.1.1/24

Note: The IP address on Ethernet is only there to bring up the interface.
ServerIronXLFOUNDRYN E TW O R K S
1
2
3
4
5
6
7
8
13
14
15
16
9
10
11
12
Console
Power
F D X1 0 0
L in k / A c tF D X
1 0 0L in k / A c t
F D X1 0 0
L in k / A c tF D X
1 0 0L in k / A c t
SR VLAN forwarding & QoS Using MLPPP WAN Forward VLAN with QoS based on IP
Remote 1SR 1004
Remote 2SR 1004
T1 CrossoverSimulatedT1 WAN
WAN
ServerIronXLFOUNDRYN E TW O R K S
1
2
3
4
5
6
7
8
13
14
15
16
9
10
11
12
Console
Power
F D X1 0 0
L in k / A c tF D X
1 0 0L in k / A c t
F D X1 0 0
L in k / A c tF D X
1 0 0L in k / A c t
VLAN 10Trunk Tagged
Packets
SR CONFIGURATIONconf thostname Remote 2interface ethernet 0ip address 192.168.0.1 30exitmodule t1 1-2 clock_source line exitinterface bundle wan link t1 1-2 encapsulation ppp bcp bridge vlan exitqos add_class VoIP root-out cr 1000 br 6144 priority 1 add_class Default root-out cr 5000 br 6144 priority 7 class VoIP add_src_ip 10.1.1.31 32 exit class class Default add_src_ip default exit class enable cbq outbound exit 2vlanfwd add vlanid 10 ethernet0 add vlanid 10 wan management vlanid 10 ip_interface address 10.1.1.4 24 default_route 10.1.1.1 VlanMgmt exit 3wr mem
SR CONFIGURATIONconf thostname Remote1interface ethernet 0ip address 192.168.0.1 30exitmodule t1 1-2 clock_source internal exitinterface bundle wan link t1 1-2 encapsulation ppp bcp bridge vlan exitqos add_class VoIP root-out cr 1000 br 6144 priority 1 add_class Default root-out cr 5000 br 6144 priority 7 class VoIP add_src_ip 10.1.1.30 32 exit class class Default add_src_ip default exit class enable cbq outbound exit 2vlanfwd add vlanid 10 ethernet0 add vlanid 10 wan management vlanid 10 ip_interface address 10.1.1.3 24 default_route 10.1.1.1 VlanMgmt exit 3wr mem
[Diagram labels: VLAN 10 trunk, tagged packets; IP-10.1.1.20/24; IP-10.1.1.21/24; IP-10.1.1.31/24; IP-10.1.1.30/24 VoIP Gateway]
SR VLAN forwarding & QoS
Using 2 T1 with MLPPP WAN
Forward VLAN with QoS using 802.1p
[Diagram labels: Remote 2 SR 1004; Remote 2 SR 1004; T1 crossover (simulated T1 WAN); ServerIronXL (Foundry Networks) switches; VLAN 10 trunk, tagged packets]
SR CONFIGURATION
conf t
hostname Remote 2
interface ethernet 0
  ip address 192.168.0.1 30
exit
module t1 1-2
  clock_source line
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
  exit
  qos
    add_class VoIP root-out cr 1000 br 6144 priority 1
    add_class Default root-out cr 5000 br 6144 priority 7
    class VoIP
      add_dot1p 6
    exit class
    class Default
      add_dot1p 0-5
      add_dot1p 7
    exit class
    enable cbq outbound
exit 2
vlanfwd
  add vlanid 10 ethernet0
  add vlanid 10 wan
  management vlanid 10
    ip_interface address 10.1.1.4 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem
SR CONFIGURATION
conf t
hostname Remote1
interface ethernet 0
  ip address 192.168.0.1 30
exit
module t1 1-2
  clock_source internal
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
  exit
  qos
    add_class VoIP root-out cr 1000 br 6144 priority 1
    add_class Default root-out cr 5000 br 6144 priority 7
    class VoIP
      add_dot1p 6
    exit class
    class Default
      add_dot1p 0-5
      add_dot1p 7
    exit class
    enable cbq outbound
exit 2
vlanfwd
  add vlanid 10 ethernet0
  add vlanid 10 wan
  management vlanid 10
    ip_interface address 10.1.1.3 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem
[Diagram labels: VLAN 10 trunk, tagged packets; IP-10.1.1.20/24; IP-10.1.1.21/24; IP-10.1.1.31/24; IP-10.1.1.30/24 VoIP Gateway; VoIP packets marked 802.1p=6 (at both sites)]
SR VLAN forwarding & QoS
MLPPP WAN forward VLAN, QoS/802.1p, retagging VoIP to new VLAN
[Diagram labels: Remote 1 SR 1004; Remote 2 SR 1004; T1 crossover (simulated T1 WAN); ServerIronXL (Foundry Networks) switches; VLAN 10 trunk, tagged packets]
SR CONFIGURATION
conf t
hostname Remote 2
interface ethernet 0
  ip address 192.168.0.1 30
  qos
    add_class DOTP root-in
    class DOTP
      add_dot1p 6
      mark_vlan 20
    exit
    enable mon inbound
  exit
module t1 1-2
  clock_source line
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
  exit
  qos
    add_class VoIP root-out cr 1000 br 6144 priority 1
    add_class Default root-out cr 5000 br 6144 priority 7
    class VoIP
      add_dot1p 6
    exit class
    class Default
      add_dot1p 0-5
      add_dot1p 7
    exit class
    enable cbq outbound
exit 2
vlanfwd
  add vlanid 10 ethernet0
  add vlanid 10 wan
  add vlanid 20 wan
  management vlanid 10
    ip_interface address 10.1.1.4 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem
SR CONFIGURATION
conf t
hostname Remote1
interface ethernet 0
  ip address 192.168.0.1 30
exit
module t1 1-2
  clock_source internal
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
  exit
  qos
    add_class VoIP root-out cr 1000 br 6144 priority 1
    add_class Default root-out cr 5000 br 6144 priority 7
    class VoIP
      add_dot1p 6
    exit class
    class Default
      add_dot1p 0-5
      add_dot1p 7
    exit class
    enable cbq outbound
exit 2
vlanfwd
  add vlanid 10 ethernet0
  add vlanid 10 wan
  add vlanid 20 ethernet0
  add vlanid 20 wan
  management vlanid 10
    ip_interface address 10.1.1.3 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem
[Diagram labels: VLAN 10 - Data, VLAN 20 - VoIP; trunk, tagged packets; IP-10.1.1.20/24; IP-10.1.1.30/24 VoIP Gateway; IP-10.1.1.21/24; IP-10.1.1.31/24; VoIP packets VLAN 20 marked 802.1p=6; VoIP packets marked 802.1p=6]
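The 802.1p value that the last two slides classify on, and the VLAN ID that the inbound rule rewrites, both live in the 16-bit Tag Control field of the 802.1Q header. The following Python sketch is an added example, not SR router code: it parses that field, applies the same split as the VoIP and Default classes, and models the retag to VLAN 20. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
VOIP_PCP = 6          # from the slides: class VoIP / add_dot1p 6
VOIP_VLAN = 20        # from the slides: mark_vlan 20

def build_frame(vlan_id, pcp, payload=b"\x00" * 46):
    """Constructed sample: tagged IPv4 frame between two made-up MACs."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload

def parse_tag(frame):
    """Return (pcp, dei, vlan_id), or None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def classify(frame):
    """Mirror the two outbound classes: dot1p 6 -> VoIP, 0-5 and 7 -> Default."""
    tag = parse_tag(frame)
    if tag is None:
        return "untagged"
    return "VoIP" if tag[0] == VOIP_PCP else "Default"

def retag_voip(frame):
    """Model of the inbound rule: priority-6 frames get VLAN ID 20, priority kept."""
    tag = parse_tag(frame)
    if tag is None or tag[0] != VOIP_PCP:
        return frame
    pcp, dei, _ = tag
    tci = (pcp << 13) | (dei << 12) | VOIP_VLAN
    return frame[:14] + struct.pack("!H", tci) + frame[16:]

if __name__ == "__main__":
    for pcp in (0, 6, 7):
        f = build_frame(10, pcp)
        print(pcp, classify(f), parse_tag(retag_voip(f)))
```

The match is on the 802.1p value alone, so any frame that arrives with priority 6 lands in the VoIP class; the switch ports feeding the trunk are where that marking has to be limited to the VoIP gateway.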
SR VLAN forward over FR (FRF.16)
Using MLFR (FRF.16) to forward VLAN packets & inband VLAN Mgt
[Diagram labels: 1004; two T1 lines using MLFR; Carrier CO; Juniper M10; Full Duplex 100M Ethernet; VLAN 10; VLAN trunk; Ethernet packets forwarded to LAN with VLAN tags]
OA604 Config
conf t
hostname Hub
interface ethernet 0
  ip address 192.168.0.1 30
exit
module t1 1-2
  clock_source line
exit
interface bundle wan
  link t1 1-2
  encapsulation frelay
  fr
    intf_type dte
    lmi
      ansi
    exit lmi
    pvc 100
      shaping cir 1000000 bcmax 1000000 bcmin 65536
      policing cir 3072000 bc 3072000
      bridge vlan
    exit
    pvc 200
      shaping cir 1000000 bcmax 1000000 bcmin 65536
      policing cir 3072000 bc 3072000
      bridge vlan
    exit
    pvc 300
      shaping cir 1000000 bcmax 1000000 bcmin 65536
      policing cir 3072000 bc 3072000
      bridge vlan
exit 3
vlanfwd
  add vlanid 10 wan:100
  add vlanid 10 ethernet0
  add vlanid 20 wan:200
  add vlanid 20 ethernet0
  add vlanid 30 wan:300
  add vlanid 30 ethernet0
  management vlanid 10
    ip_interface address 66.90.230.60 26
    default_route 66.90.230.0 VlanMgmt
exit 3
wr mem
OA604 Config
conf t
hostname Remote
interface ethernet 0
  ip address 192.168.0.1 30
exit
module t1 1-2
  clock_source line
exit
interface bundle wan
  link t1 1-2
  encapsulation frelay
  fr
    intf_type dte
    lmi
      ansi
    exit lmi
    pvc 100
      shaping cir 1000000 bcmax 1000000 bcmin 65536
      policing cir 3072000 bc 3072000
      bridge vlan
    exit
    pvc 200
      shaping cir 1000000 bcmax 1000000 bcmin 65536
      policing cir 3072000 bc 3072000
      bridge vlan
    exit
    pvc 300
      shaping cir 1000000 bcmax 1000000 bcmin 65536
      policing cir 3072000 bc 3072000
      bridge vlan
exit 3
vlanfwd
  add vlanid 10 wan:100
  add vlanid 10 ethernet0
  add vlanid 20 wan:200
  add vlanid 20 ethernet0
  add vlanid 30 wan:300
  add vlanid 30 ethernet0
  management vlanid 10
    ip_interface address 66.90.230.61 26
    default_route 66.90.230.0 VlanMgmt
exit 3
wr mem
[Diagram labels: VLAN 10; VLAN 20; VLAN 30; 1004; VLAN 20; VLAN 30]
Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management.
Troubleshooting
Common Commands
> To clear to factory defaults
#clear cfg_file
> You then need to reboot the unit
#reboot
> Type Y for Yes
> To show wan bundle
#show interface bundle wan
> To remove any command
#no “command to be removed”
> To show the running configuration
#show conf run
> To show IP routes
#show ip route
> To show IP OSPF database
#show ip ospf database all
> To save the configuration
#wr mem
• To show T1 module alarms
#show module alarms t1 1
• To show T1 module configuration
#show module configuration t1 1
• To loopback the T1 on remote side
#test t1 1
#loopback remote line t1
• To begin bert on the T1 port 1 for 5 min.
#test t1 1
#bert interval 5
• To view the bert test on the T1 port 1
#show module test t1 1
• To show system configuration
#show system configuration
• To show version of code
#show version
T1 BERT Tests
> To isolate problems with a faulty T1 WAN link, perform line or payload loopbacks at either end of the link and perform a BERT test. These functions isolate a problem to either the SR system, far-end equipment, interconnect cabling at either end, or the T1 line between the two systems.
> Loopback Test
• To perform line and payload loopbacks at either end, use the appropriate command.
• The following loopback commands are available:
  • test t1 1 loopback
> BERT Test
• This command is used to initiate a bit error rate test. The following BERT test commands are available to test specific T1 links or a Clear Channel T3.
  • test t1 1 bert interval 2
> View BERT Test
• Once the test is started the results can be viewed using the command:
  • SR-1004/show/module/test# t1 1
T1 BERT Testing example
(First raise the loopback on the T1 to test)
SR-1004/test/t1 4 (This will use port 4 for example)
SR-1004/test/t1 4#loopback remote line (raises the far-end line loopback)
SR-1004/test/t1 4#bert interval 5 (runs bert test for 5 minutes)
(Now look at the bert test on T1 port 4)
SR-1004/test/t1 4#show module test t1 4
(You should see something like shown below)
Test Type: BERT Status: LOCKED Pattern: QRW
Locked Seconds: 3 Pattern Loss Count: 0 Bit Error Count: 0
Configured Time: 2 minutes
Elapsed Time: 0 min. 3 sec.
After the test is completed you now need to bring down the loopback
SR-1004/test/t1 4#no loopback remote line (drops the far-end line loopback)
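When the BERT result is collected by a script rather than read off the console, the status lines have to be split into fields first, because several fields share a line. The following Python sketch is an added example, not part of the SR software: it parses the sample output shown above and returns a verdict. The verdict names are made up here, and treating any Status other than LOCKED as loss of pattern sync is an assumption, since the page shows only the LOCKED case.

```python
import re

# Sample "show module test t1 4" output, copied from the example above.
SAMPLE = """Test Type: BERT Status: LOCKED Pattern: QRW
Locked Seconds: 3 Pattern Loss Count: 0 Bit Error Count: 0
Configured Time: 2 minutes
Elapsed Time: 0 min. 3 sec."""

# Field names as they appear in that output; the longer "Pattern ..." name goes first.
FIELDS = ["Test Type", "Status", "Pattern Loss Count", "Pattern",
          "Locked Seconds", "Bit Error Count", "Configured Time", "Elapsed Time"]
_KEY = "|".join(re.escape(f) for f in FIELDS)
_PAIR = re.compile(rf"({_KEY}):\s*(.*?)(?=\s+(?:{_KEY}):|\s*$)", re.M)

def parse_bert(text):
    """Split the multi-field status lines into a {field: value} dict."""
    return {key: value.strip() for key, value in _PAIR.findall(text)}

def _seconds(value):
    """Convert '2 minutes' to 120 and '0 min. 3 sec.' to 3."""
    m = re.search(r"(\d+)\s*min", value)
    s = re.search(r"(\d+)\s*sec", value)
    return (int(m.group(1)) * 60 if m else 0) + (int(s.group(1)) if s else 0)

def assess(text):
    """Return a verdict plus the counters it was based on."""
    f = parse_bert(text)
    missing = [k for k in FIELDS if k not in f]
    if missing:
        return {"verdict": "unparsed", "missing": missing}
    elapsed = _seconds(f["Elapsed Time"])
    configured = _seconds(f["Configured Time"])
    errors, losses = int(f["Bit Error Count"]), int(f["Pattern Loss Count"])
    if f["Status"] != "LOCKED":      # assumption: anything else means no pattern sync
        verdict = "no-sync"
    elif errors or losses:
        verdict = "errored"
    elif elapsed < configured:       # test still running, counters not final
        verdict = "clean-so-far"
    else:
        verdict = "clean"
    return {"verdict": verdict, "bit_errors": errors, "pattern_losses": losses,
            "elapsed_s": elapsed, "configured_s": configured}

if __name__ == "__main__":
    print(assess(SAMPLE))
```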
SR Device Manager
Device Manager
> Used primarily for VPN and Firewall configs
> Not complete for routing or WAN configs
Device Manager - status
Device Manager – guided config
Device Manager - guided config
Device Manager – guided config VPN
Device Manager – guided config FW
Device Manager – FW Rules
Device Manager – Config Expand All