Secure Routers 1001, 1002, 1004, and 3120


1004 Router Front Panel

[Figure: Typical 100X Chassis - Front. Callouts: WAN Port LEDs 1-4, Power LED, and the LINK/ACT, HS and DUP LEDs for Ethernet 0 and Ethernet 1]

| LED | DESCRIPTION | COLOR |
|---|---|---|
| WAN Status 1-4 | Indicates traffic activity on this interface | Green = normal activity; Red = alarm state; Yellow = test mode |
| Ethernet 0/1 Link/Act | Indicates traffic activity on this interface | Green = link is operational; Blinking Yellow = either receiving or sending traffic; Red = packet collisions |
| HS | Indicates traffic speed on the interface | Off = 10 Mbps; Green = 100 Mbps |
| DUP | Indicates the type of duplex mode | Off = Half duplex; Green = Full duplex |
| SR Logo | Back lighted when power is applied | Blue |
| Power | Indicates router power status | Off = power off; Green = power on |

1004 Router Rear Panel

[Figure: Typical 100X Chassis - Back. Callouts: WAN Port 1-4, Power Tie-Down, Console Port, Fast Ethernet Port 0, Aux Port, Fast Ethernet Port 1, 12 VDC Input Jack]

| PORT | DESCRIPTION |
|---|---|
| WAN 1 - WAN 4 | WAN connection port. These ports accept cables with RJ-48C connectors. If drop and insert is configured, then ports 1 and 2 are reserved for that feature. |
| FE 0 - FE 1 | Ethernet LAN connection ports. These ports accept cables with RJ-45 cable connectors. |
| AUX | Currently no functionality is supported on this interface. |
| Console | Console management port. This port accepts a cable with an RJ-45 cable connector. |
| DC power | 12 VDC power connection. This port accepts the 2 mm power connector on the power supply cable that ships with the 1004 router. |

Connect to the Console Port

> Connect to the Console port
• Using a PC with VT100 terminal emulation
• Configure the terminal for:
  • 9600
  • 8 data bits
  • 1 stop bit
  • No parity
  • XON/XOFF flow control (note this is NOT the default setting for HyperTerminal)
• Use the two DB9 to RJ45 connectors and cable provided

Logon using the CLI

> Once the console cable is connected to the PC and SR device

> Press the Enter key
• This should present the system prompt

> Now login to the device
• login: admin
• password: setup
• You now see the initial CLI prompt
  • SR-1004

Exercise the CLI

> Use the following command tips and shortcuts with command line interface commands.
• The CLI is case sensitive.
• To display all commands, type tree.
• To access help associated with a command, type help <command name>. You may also use the ? key after any command.
• To exit back one level in the command hierarchy, type exit and press Return.
• To exit the command mode and/or return to the base CLI prompt, press the key combination Ctrl-Z.
• Type the first two letters of a command, and then press the Tab key to automatically spell out the command.
• Scroll through the available commands using the Tab key.

> Refer to the Command Reference Guide for additional navigation key shortcuts

Changing Admin Password

> The System Administrator login consists of two components: the user name and the password. The initial login name is always admin, but you can change this to suit your needs after logging in for the first time. The default password for user admin, setup, should be changed as soon as possible to ensure only authorized access to the router.

> To change the password
• This procedure enables the system administrator to change any or all user passwords, or any user to change their password on the 1004. The password must be 3-10 characters.
• Access the password configuration mode.
  • example: SR-1004# password
• The system prompts for the current user name.
  • Type admin, and then press Return.
• The system prompts for the old password.
  • Type setup, and then press Return.
• The system prompts for the new password.
  • Type your new password, and then press Return.
• The system prompts you to verify the new password.
  • Type the new password again and then press Return.
• A message appears confirming that the password has been changed.

Changing Admin Login

> This procedure changes the administrator login name (Level 1 access) to a user-specified name. The default is admin.

> To change the account name:
• Access the configure mode.
  • example:
  • admin-1004# configure term
• Change the account name.
  • example:
  • SR-1004/configure# admin_name Greg
  • This example above changes the Level 1 user name to Greg.
  • The system displays a confirming message: “Administrator account name changed to Greg.”

Modifying the System Host Name

> The default host name is SR-model_number.

> Use the configure hostname command to assign a host name to the Secure Router. Once assigned, the host name becomes the command line interface (CLI) prompt name.

> To configure the host name:
• Access the terminal configuration mode: SR-1004# configure term
• Type hostname, and then type a new host name.
• Press Return.
  • example:
  • SR-1004/configure# hostname Fremont
  • In the above example, the new host name for the system is Fremont. The CLI prompt changes to Fremont, accordingly.
  • example:
  • Fremont/configure#

Modifying the Date and Time

> To set the date:
• 1 Enter the terminal configuration mode: SR-1004# configure term
• 2 Press Return.
• 3 Use the date command to enter month, day, and year.

> To enter the date: March 19, 2003, see the following example:
• example:
• SR-1004/configure# date 03 19 2003

> To set the time:
• 1 Enter the terminal configuration mode: SR-1004# configure term
• 2 Press Return.
• 3 Use the time command to enter hour, minute, and second.

> To enter the time: 2:40:35 pm, see the following example:
• example:
• SR-1004/configure# time 14 40 35

> The router confirms the setting by automatically displaying the date and time. To confirm the date and time parameters, use the display date command.

> Or, use the SNTP client to have a time server automatically set the time.

Configuring SNMP Monitoring

> configure# snmp community private [rw|ro]

> configure# snmp contact “sysop”

> configure# snmp chassis-id sanjose_ca

> configure# snmp location R1MDF

> configure# snmp snmp-source 192.168.1.1

> configure# snmp trap-host 10.1.1.1 private

> configure# snmp trap-source 192.168.1.1

> configure# snmp enable traps [list below]
• bgp [established, backward trans]
• bundle [up, down]
• config [change,save]
• environment [temp,fan]
• frame_relay [vcstate]
• failover [success, failure]
• snmp [auth_failure]
• sntp [enable]
• system [shutdown,logon,logoff,loginfail]
• vrrp [enable]
• ospf [too many to list here]
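An added example, not part of the original slides or the vendor's tooling: a small Python audit of the SNMP lines above, flagging a well-known community string, read-write access, a trap host that reuses the read-write community, and security-relevant traps that are not enabled. It assumes a saved configuration contains the same `snmp ...` command lines shown on the slide and that traps are enabled one per line as `snmp enable traps <group> <event>`; the rule names and both sample configurations are constructed.

```python
import re

# Community strings that appear in documentation examples and vendor defaults.
WELL_KNOWN_COMMUNITIES = {"public", "private"}

# Trap groups/events from the slide's list that report authentication and
# configuration events. The line form "snmp enable traps <group> <event>"
# is an assumption, not confirmed syntax.
SECURITY_TRAPS = [("config", "change"), ("snmp", "auth_failure"), ("system", "loginfail")]

# Leading CLI prompt such as "configure# " or "SR-1004/configure# ".
PROMPT = re.compile(r"^\S*#\s*")

# Constructed sample: the slide's commands with "rw" chosen and one trap enabled.
AS_SHOWN = """\
configure# snmp community private rw
configure# snmp contact sysop
configure# snmp location R1MDF
configure# snmp trap-host 10.1.1.1 private
configure# snmp enable traps snmp auth_failure
"""

# Constructed sample: unique read-only community, separate trap community,
# and the three security-relevant traps enabled.
HARDENED = """\
snmp community Xq7-monitor-ro ro
snmp trap-host 10.1.1.1 Zk4-traps-only
snmp enable traps config change
snmp enable traps snmp auth_failure
snmp enable traps system loginfail
"""


def audit_snmp(config_text):
    """Return a list of (rule_id, detail) findings for the SNMP lines in config_text."""
    communities = {}       # community string -> "rw", "ro" or "unspecified"
    trap_hosts = []        # (host, community) pairs
    enabled_traps = set()  # (group, event) pairs

    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if len(words) < 3 or words[0] != "snmp":
            continue
        if words[1] == "community":
            communities[words[2]] = words[3].lower() if len(words) > 3 else "unspecified"
        elif words[1] == "trap-host" and len(words) > 3:
            trap_hosts.append((words[2], words[3]))
        elif words[1:3] == ["enable", "traps"] and len(words) > 4:
            enabled_traps.add((words[3], words[4]))

    findings = []
    for name, mode in sorted(communities.items()):
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("DEFAULT_COMMUNITY", name))
        if mode == "rw":
            findings.append(("RW_COMMUNITY", name))
    for host, name in trap_hosts:
        # Traps carry their community string to the trap host, so it should
        # not be the one that grants write access.
        if communities.get(name) == "rw":
            findings.append(("TRAP_REUSES_RW_COMMUNITY", host))
    for group, event in SECURITY_TRAPS:
        if (group, event) not in enabled_traps:
            findings.append(("TRAP_NOT_ENABLED", f"{group} {event}"))
    return findings


if __name__ == "__main__":
    for label, text in (("as shown", AS_SHOWN), ("hardened", HARDENED)):
        print(label, audit_snmp(text))
```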

User Levels

> User privilege levels
• 1 - Full privileges.
• 2 - Can configure the system, view system data, conduct tests, and change the user’s current access password. Cannot add users to or remove users from the system.
• 3 - Can view system data, conduct tests, and change user’s current access password. Cannot perform any other operations.
• 4 - Can view system data and change user’s current access password. Cannot perform any other operations. This level is automatically assigned to a user if you do not specify a level.

> Stored locally on NVRAM

> Network stored and used via RADIUS

> Admin password recovery requires physical access

> Recovery does not impact configuration file


Adding Users

> The configure user command allows the system administrator to add up to 15 users (login ID) and assign each user an access privilege (levels 2-4). Only the system administrator (level 1) can add, modify, or remove this information.

> To add a new user:
• Enter the terminal configuration mode: SR-1004# configure term
• Type user name, enter the name that you want to add, and then enter the access level to be assigned to that name (optional). The user name may be up to 30 characters. The password must be 3-10 characters.
  • example:
  • SR-1004/configure# user John level 2
• The system prompts you to enter a new password.
  • Enter the new password.
• The system prompts you to re-enter the new password.
  • Re-enter the new password.
• The system confirms that the password is set and confirms the name of the added user.
• You can use the show user_accounts command to view user information.

Removing Users

> The no user name command allows the system administrator to remove configured user names from the Secure Router system.

> To remove a user name:
• Type no user name, followed by the user’s name.
  • example:
  • SR-1004/configure# no user John
• Press Return.
• The user name is removed from the system.

Default Configuration

> There are three ways to restore factory default configuration settings. Remember to reboot the router after performing any of the following procedures.
• Clear/Erase the contents of the system.cfg file
  • clear cfg_file system.cfg
  • erase startup
• Delete the system.cfg file
  • rm system.cfg
  • erase flash system.cfg
• Rename and remove the system.cfg file
  • copy system.cfg system.bk
  • rm system.cfg

> After performing any of the above options, the system.cfg file no longer exists. Subsequently, a “file not found” error message is displayed upon rebooting the system. This message will not impact operation, and it should be ignored.

> NOTE: If you change any of the factory default settings, issue the wr mem command to retain the changed configuration before rebooting.


Basic WAN T1 Interface Configuration

> Connect the T1 crossover cable between the two devices being tested in the lab. You should now see a green link status on the T1

• This confirms that there are no layer one errors

> The following are examples of T1 interface configurations. To scroll through the options available at any command prompt, press the Tab key. For descriptions of the options available at any command prompt, type help and press Enter.

> T1 Interface
• SR-1004# configure term
• SR-1004/configure# module t1 1
• SR-1004/configure/module/t1 1# framing esf (default esf)
• SR-1004/configure/module/t1 1# clock_source line (default:internal)
• SR-1004/configure/module/t1 1# linecode b8zs (default:b8zs)
• SR-1004/configure/module/t1 1# exit 3

Software Selectable T1/E1 Option

> TiOS 8.3 adds E1 support on 1001 product line. All 1001 products that ship with TiOS 8.3 (and higher) will have the software selectable T1/E1 port option. The 1001 hardware supports both T1 and E1 signaling. This is unlike 1002 and 1004 products where T1 and E1 routers are manufactured and ordered separately. Hence, the software selectable option will only work on the 1001 product. The standard 1001 products with TiOS 8.3 will ship with T1 as the default ‘carrier-type’. The customer can use one CLI command to convert the T1 port into an E1 port. The procedure to convert T1 to E1 is as follows:

• Step 1: configure the ‘carrier-type’ of the port to convert from T1 (default) to E1
  • Host> configure term
  • Host/configure> module t1 1
  • Host/configure/module/t1 1> carrier-type e1

> TiOS 9.0 added this same support for the 3120 T1/E1 modules. The procedure to convert T1 to E1 is as follows:

• Step 1: configure the ‘carrier-type’ of the port to convert from T1 (default) to E1
  • SR/configure# system carrier-type 2 e1
  • E1 carrier set for slot 2
  • You need to REBOOT for the change to take effect

E1 Unchannelized Option (G.703)

To provide an unframed E1 and get 2048M, you need to disable framing on the E1.
• 1001/configure/module/e1 1 > framing disable
• 1001/configure/interface/bundle wan > show int bundle wan

bundle wan
----------
status             down, ipcp not in open state
number of links    1
total bandwidth    2048 kbps

link                speed  bw    inverted  status  diffdelay(msec)
----                -----  --    --------  ------  ----------------
e1 1:unchannelised  64     2048  no        up      -

Saving the Configuration

> wr mem - Saves the current system configuration to flash memory. This allows the system to boot from the latest configuration upon a subsequent power-up or reboot.

SR-1004#write memory

> You also can assign a filename to the saved configuration. If a filename is not specified, the default file SYSTEM.CFG is used.

SR-1004#write mem test.cfg

> save network - Use the save network command to save the configuration to a network TFTP server. You must specify a filename and the pathname to the destination file.

SR-1004#write network 10.1.100.16 /maindir/temp.cfg


Alarms and Statistics

Configuring T1 alarm thresholds

> When thresholds are exceeded, the system generates alarms that indicate the possible deterioration of a T1 link. Refer to the following parameters to determine the specific T1 data type that needs to be configured. You can define one alarm threshold for each parameter.

Parameter / Definition

> number: Statistic alarm threshold number. The range is 1 - 10.

> variable: Variable on which a threshold is to be configured.
• ses: Threshold for Severely Errored Seconds
• es: Threshold for Errored Seconds
• bes: Threshold for Bursty Errored Seconds
• uas: Threshold for Unavailable Seconds
• eev: Threshold for Excessive Error Violation Seconds
• lofc: Threshold for Loss-of-Frame Counts
• css: Threshold for Controlled Slip Seconds
• oof: Threshold for Out-of-Frame Seconds
• crc: Threshold for CRC-6 errors
• bpv: Threshold for Bipolar Violations

> interval: Sampling interval, in seconds. The range is 1 - 65535.

> rising_threshold: Number of errored seconds or events which, if exceeded during any sampling interval, results in a rising alarm. The range is 0 - 2147483647.

> falling_threshold: Minimum number of errored seconds or events below which a falling alarm is reported. This alarm is reported if a rising alarm was previously reported and the number of errored seconds or events subsequently dropped below this minimum threshold. The falling threshold value must be less than the rising threshold value above. The range is 0 - 2147483647.

> sampe_type: Method of sampling, as follows:
• absolute: The errored second or event count is compared directly to the specified threshold values, and the appropriate alarm type (rising or falling) is reported.
• delta: The errored second or event count is compared to the difference between the rising and falling thresholds above, and a rising alarm is reported if the actual error count exceeds that difference. This is the default setting if you do not specify a sampling type.
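An added example, not from the original slides or the router's firmware: a Python model of one alarm threshold entry that enforces the parameter ranges listed above and walks per-interval counts through the rising/falling logic for absolute sampling only. The class and method names are hypothetical, and it assumes a rising alarm is not repeated until a falling alarm has been reported; the slide states only that a falling alarm follows an earlier rising one.

```python
from dataclasses import dataclass

# Variables and ranges taken from the parameter definitions above.
T1_VARIABLES = {"ses", "es", "bes", "uas", "eev", "lofc", "css", "oof", "crc", "bpv"}
MAX_THRESHOLD = 2147483647


@dataclass
class T1AlarmThreshold:
    """One alarm threshold entry (hypothetical model, absolute sampling)."""
    number: int
    variable: str
    interval: int
    rising_threshold: int
    falling_threshold: int

    def __post_init__(self):
        if not 1 <= self.number <= 10:
            raise ValueError("number must be in 1 - 10")
        if self.variable not in T1_VARIABLES:
            raise ValueError(f"unknown variable: {self.variable}")
        if not 1 <= self.interval <= 65535:
            raise ValueError("interval must be in 1 - 65535 seconds")
        for name in ("rising_threshold", "falling_threshold"):
            if not 0 <= getattr(self, name) <= MAX_THRESHOLD:
                raise ValueError(f"{name} must be in 0 - {MAX_THRESHOLD}")
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling_threshold must be less than rising_threshold")

    def evaluate(self, counts):
        """Return [(interval_index, 'rising'|'falling', count)] for the given
        sequence of counts, one count per sampling interval."""
        alarms = []
        rising_reported = False  # assumption: re-armed only by a falling alarm
        for index, count in enumerate(counts, start=1):
            if count > self.rising_threshold and not rising_reported:
                alarms.append((index, "rising", count))
                rising_reported = True
            elif count < self.falling_threshold and rising_reported:
                alarms.append((index, "falling", count))
                rising_reported = False
        return alarms


# Constructed sample: errored seconds observed in eight 60-second intervals.
SAMPLE_COUNTS = [0, 4, 12, 15, 8, 2, 1, 11]

if __name__ == "__main__":
    entry = T1AlarmThreshold(number=1, variable="es", interval=60,
                             rising_threshold=10, falling_threshold=3)
    for alarm in entry.evaluate(SAMPLE_COUNTS):
        print(alarm)
```

The count of 8 in interval 5 produces no alarm: it is below the rising threshold but not below the falling threshold, which is the gap that keeps a link hovering near one threshold from generating an alarm every interval.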


T1 Module-Related Commands

SR-1004# show module config t1 1

> T1 1 is ENABLED

> Alarm Hierarchy: TRUE,

> Yellow Alarm: DISABLE

> Framing:ESF, LineCode:B8ZS, ClockSource:LINE, LineMode:CSU, LBO:0 db

> FDL: ANSI Unit Protocol enabled ,ATT Unit Protocol enabled ,

> CsuDsuType: CSU & DSU

> CIRCUIT-ID : Not Configured ,CONTACT-INFO : Not Configured ,

> DESCRIPTION : Not Configured ,

Line Status:

> RLOS:OFF RAIS:OFF RLOF:OFF RRAI:OFF TAIS:OFF

> TRAI:OFF TLnCod:OFF TPlCod:OFF TRstCod:OFF TPtrn:OFF

> Loop:OFF LORC:OFF

Other related commands

> SR-1004# show module userstats t1 1
• Show all layer 1 errors

> SR-1004# show module test t1 1
• Provides BERT test status and results

> SR-1004# show module alarms t1 1
• Shows all current alarms

Sample Test Configuration

Layer 3 Solutions

Ethernet Interface Configuration

> Each router has two Ethernet ports (0 and 1).

> To view the current configuration of an Ethernet port, use the display interface Ethernet command. To view a summary of information for both ports, use the display interface Ethernets command.

> Configure Ethernet parameters, including description, IP address and shutdown/no shutdown.

> Example:
• SR-1004# configure term
• SR-1004/configure# interface ethernet 0
• SR-1004/configure/interface/ethernet 0# ip addr 192.168.1.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/ethernet 0# description “backbone”
• SR-1004/configure/interface/ethernet 0# no shutdown
• SR-1004/configure/interface/ethernet 0# exit
• SR-1004/configure#

WAN Interface Bundle Configuration-HDLC

> T1/Cisco-compatible HDLC Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1
• SR-1004/configure/interface/bundle wan1# encapsulation hdlc
• SR-1004/configure/interface/bundle wan1# hdlc keepalive 10 (default:10)
• SR-1004/configure/interface/bundle wan1# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3

WAN Interface Bundle Configuration-PPP

> T1/PPP Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1
• SR-1004/configure/interface/bundle wan1# encapsulation ppp
• SR-1004/configure/interface/bundle wan1# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3

WAN Interface Bundle Configuration-FR

> T1/Frame Relay Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1
• SR-1004/configure/interface/bundle wan1# encapsulation frelay
• SR-1004/configure/interface/bundle wan1# fr
• SR-1004/configure/interface/bundle wan1# pvc 100
• SR-1004/configure/interface/bundle wan1/fr/pvc:100# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3

WAN Interface Bundle Configuration-MLPPP

• T1/MLPPP Bundle
– SR-1004# configure term
– SR-1004/configure# interface bundle wan1
– SR-1004/configure/interface/bundle wan1# link t1 1-4
– SR-1004/configure/interface/bundle wan1# encapsulation ppp
– SR-1004/configure/interface/bundle wan1# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
– SR-1004/configure/interface/bundle wan1# exit 3

WAN Interface Bundle Configuration-MLFR

> T1/Frame Relay Bundle
• SR-1004# configure term
• SR-1004/configure# interface bundle wan1
• SR-1004/configure/interface/bundle wan1# link t1 1-4
• SR-1004/configure/interface/bundle wan1# encapsulation frelay
• SR-1004/configure/interface/bundle wan1# fr
• SR-1004/configure/interface/bundle wan1# pvc 100
• SR-1004/configure/interface/bundle wan1/fr/pvc:100# ip address 192.168.2.1 24 (or 255.255.255.0 for the subnet mask)
• SR-1004/configure/interface/bundle wan1# exit 3

Verify the WAN is up

SR-1004# show interface bundle wan1

bundle wan 1
----------
status             up
number of links    1
total bandwidth    1536 kbps

link  speed  bw    inverted  status  diffdelay(ms)
T1 1  0      1536  no        up      0

encapsulation hdlc
keepalive 10
keepalive packet type unicast
mtu 1536
ip info
ipaddr 10.1.1.1
netmask 255.255.255.0

counters for the last five minutes
Bytes Rx 0 Bytes Tx 0
Packets Rx 0 Packets Tx 0
Err Packets Rx 0
Up/Down States 0

RED Configuration
-----------------
Status: Enabled
Minimum Threshold: 207
Maximum Threshold: 621
Wq Bias Factor : 9

Current Loaned Count = 0, Max Loaned Count = 0
Current Average Queue Size = 0, Max Ave Queue Size = 0

RED Statistics
Threshold Below Min Betn Mn-Mx Max Q Overflows
Allowed 0 0 0 -
Dropped 0 0 0 0

Configuring a Default Route

There are two methods to provide a default route for the device. The first points to the next-hop router's IP interface as the gateway address. The second uses the interface name as the gateway.

> SR-1004/configure# ip route 0.0.0.0 0.0.0.0 10.1.1.1

> In the above example, “10.1.1.1” represents the gateway.

> SR-1004/configure# ip route 0.0.0.0 0.0.0.0 wan1

> In the above example, “wan1” represents the gateway interface.

Cisco to SR T1 using HDLC
Single T1 on the WAN L3 using default routes

[Figure: network diagram. Labels: Cisco 7513, fe 0/0 192.168.2.1/24, 192.168.2.100/24, HDLC link 200.1.1.0/30 (.1, .2), SR 1004, E0 192.168.0.1/24, 192.168.0.7/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.1 24
 exit
module t1 1
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation hdlc
 ip address 200.1.1.2 30
 exit
ip route 0.0.0.0 0 200.1.1.1
 exit
wr mem

CISCO CONFIGURATION
conf t
hostname Hub
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 200.1.1.1 255.255.255.252
 encapsulation hdlc
 no cdp enable
 no fair-queue
 exit
ip route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
copy run start

Cisco to SR NxT1 using HDLC
with ECMP per-packet load balancing

[Figure: network diagram. Labels: Cisco 7513, 192.168.2.1/24, 192.168.2.100/24, two HDLC links (.1, .2 and .5, .6), SR 1004, 192.168.0.7/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.100 24
 exit
module t1 1-2
 framing esf
 linecode b8zs
 clock_source internal
 exit
interface bundle LB1
 link t1 1
 encapsulation hdlc
 ip address 192.168.1.2 30
 exit
interface bundle LB2
 link t1 2
 encapsulation hdlc
 ip address 192.168.1.6 30
 exit
ip
 load_balance per_packet
 route 0.0.0.0 0.0.0.0 192.168.1.1
 route 0.0.0.0 0.0.0.0 192.168.1.5
 exit
wr mem

CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source line
 exit
controller T1 0/1
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 192.168.1.1 255.255.255.252
 encapsulation hdlc
 no ip mroute-cache
 no cdp enable
 ip load-sharing per-packet
 exit
interface Serial 0/1
 ip address 192.168.1.5 255.255.255.252
 encapsulation hdlc
 no ip mroute-cache
 no cdp enable
 ip load-sharing per-packet
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.6
 exit
copy run start

Cisco to SR T1 using PPP
Single T1 on the WAN L3 using default routes

[Figure: network diagram. Labels: Cisco 7513, 192.168.2.1/24, 192.168.2.100/24, PPP link 192.168.1.0/24 (.1, .2), SR 1004, 192.168.0.7/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip route 0.0.0.0 0 192.168.1.2
 exit
wr mem

CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation ppp
 no cdp enable
 no fair-queue
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
 exit
copy run start

Cisco to SR NxT1 using MLPPP
NxT1 3Mbs on the WAN L3 using default routes

[Figure: network diagram. Labels: Cisco 7513, 192.168.2.1/24, 192.168.2.100/24, MLPPP link 192.168.1.0/24 (.1, .2), SR 1004, 192.168.0.7/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip route 0.0.0.0 0 192.168.1.2
 exit
wr mem

CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
controller T1 0/1
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Multilink1
 ip address 192.168.1.2 255.255.255.0
 no cdp enable
 ppp multilink
 multilink-group 1
 exit
interface Serial 0/0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
interface Serial 0/1
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
 exit
copy run start

Cisco CT3 NxT1 CPE SR MLPPP
NxT1 3Mbs on the WAN L3 using default routes

[Figure: network diagram. Labels: Cisco 7505 with Channelized DS3, Carrier CO, Two T1 Lines Using MLPPP, SR 1004, 192.168.2.1/24, 192.168.2.100/24, MLPPP link 192.168.1.0/24 (.1, .2), 192.168.0.7/24]

CISCO CONFIGURATION
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T3 0/0/0
 t1 10 channel-group 0 timeslots 1-24
 framing esf
 linecode b8zs
 clock source internal
 exit
 t1 11 channel-group 0 timeslots 1-24
 framing esf
 linecode b8zs
 clock source internal
 exit
no ip cef
interface Multilink1 -Admin to Elm
 ip address 172.16.64.1/24
 no cdp enable
 ppp multilink
 multilink-group 1
 exit
interface Serial0/0/0/10:0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
interface Serial0/0/0/11:0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
ip route 0.0.0.0 0.0.0.0 207.98.248.130
 exit
copy run start

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 framing esf
 linecode b8zs
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
 exit
wr mem

SR T1 NxT1 CPE MLPPP
NxT1 3Mbs on the WAN L3 using default routes

[Figure: network diagram. Labels: two SR 1004 routers joined by Two T1 Line-MLPPP over a T1 Crossover (Simulated T1 WAN)]

SR CONFIGURATION
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
int eth 0
 ip add 192.168.1.1 30
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 172.16.64.1 24
 exit
 ip route 0.0.0.0 0.0.0.0 172.16.64.2
 exit
wr mem

SR CONFIGURATION
conf t
hostname CPE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 172.16.72.1 24
 exit
 interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 exit
ip route 0.0.0.0 0.0.0.0 172.16.64.1
 exit
 wr mem

SR T1 NxT1 MLPPP RIP
NxT1 3Mbs on the WAN L3 using RIP on the WAN interface

[Figure: network diagram. Labels: two SR 1004 routers joined by Two T1 Line-MLPPP over a T1 Crossover (Simulated T1 WAN)]

SR CONFIGURATION
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
int eth 0
 ip add 192.168.1.1 24
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 172.16.64.1 30
 exit
 router rip
 interface ethernet0
 exit
 interface wan
 exit 2
wr mem

SR CONFIGURATION
conf t
hostname REMOTE
 module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.2.1 24
 exit
 interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 30
 exit
router rip
 interface ethernet0
 exit
 interface wan
 exit 2
wr mem

SR T1 NxT1 MLPPP OSPF
NxT1 3Mbs on the WAN L3 using OSPF on the WAN interface

[Diagram: SR 1004; SR 1004; Two T1 Line - MLPPP; T1 Crossover; Simulated T1 WAN]

SR CONFIGURATION
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
int eth 0
 ip add 192.168.1.1 24
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 172.16.64.1 30
 exit
router routerid 192.168.1.1
 exit
router ospf
 area 0
  exit
 interface ethernet0 area 0
  exit
 interface wan area 0
  exit 2
wr mem

SR CONFIGURATION
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.2.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 exit
router routerid 192.168.2.1
 exit
router ospf
 area 0
  exit
 interface ethernet0 area 0
  exit
 interface wan area 0
  exit 2
wr mem


Cisco to SR Frame Relay OSPF
Cisco to SR with FR on single T1 on the WAN L3 OSPF routing

[Diagram: Cisco 7513; SR 1004; Frame Relay; 192.168.2.100/24; 192.168.2.1/24; 192.168.1.0/30; .1; .2; 192.168.0.7/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.1 24
 exit
module t1 1
 clock_source internal
 exit
interface bundle wan
 link t1 1
 encapsulation frelay
 fr
  intf_type dce
  frame_size 1500
  lmi ansi
   exit
  pvc 100
   ip address 192.168.1.1 30
   exit 3
router routerid 192.168.0.1
router ospf
 area 0
  exit
 interface ethernet0 area 0
  network broadcast
  exit
 interface wan dlci 100 area 0
  network point_to_point
  exit
wr mem

CISCO CONFIGURATION
conf t
hostname Hub
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
controller T1 0/0
 framing esf
 linecode b8zs
 clock source internal
 exit
interface Serial 0/0
 ip address 192.168.1.2 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
 frame-relay interface-dlci 100
 frame-relay intf-type dte
 ip ospf network point-to-point
 mtu 1500
 exit
router ospf 1
 router-id 192.168.2.1
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.3 area 0
 exit
copy run start


SR T1 PPP BGP with Loopback
WAN L3 using BGP on the WAN interfaces and Loopback ID

[Diagram: Router A; Router B; AS 200; AS 100; Loopback 100.1.1.1/24; 10.1.1.1/24; 10.1.1.2/24; Loopback 200.1.1.1/24]

HUB SIDE
inter ether 0
 ip address 192.168.1.1 24
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 10.1.1.1 24
 exit bundle
interface loopback 0
 ip address 100.1.1.1 32
 exit
ip route 0.0.0.0 0 10.1.1.2
exit
router routerid 100.1.1.1
router bgp 100
 redistribute connected
 neighbor 200.1.1.1 200
  ebgp_multihop
  update source 100.1.1.1
  exit 2

REMOTE SIDE
inter ether 0
 ip address 192.168.2.1 24
 exit
interface bundle t1
 link t1 1
 encapsulation ppp
 ip address 10.1.1.2 24
 exit
interface loopback 0
 ip address 200.1.1.1 32
 exit
ip route 0.0.0.0 0 10.1.1.1
exit
router routerid 200.1.1.1
router bgp 200
 redistribute connected
 neighbor 100.1.1.1 100
  ebgp_multihop
  update source 200.1.1.1
  exit 2


Two SR Dualhomed to 1 ISP BGP
SR Load Sharing when Dualhomed to One ISP through Multiple Local Routers using BGP

[Diagram: AS 100; ISP AS 99; R1; R2; 100.1.1.0/30; 200.1.1.0/30; .1; .1; .2; .2; 10.1.1.0 & 20.1.1.0]

hostname R1
module t1 1
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.1 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 100.1.1.2 30
 exit bundle
ip
 exit ip
router routerid 100.1.1.2
router bgp 100
 distance 170
 redistribute connected
 group R1 external
  route_map Peer out
  exit group
 neighbor 100.1.1.1 99
  neighbor_group R1
  exit neighbor
 neighbor 10.1.1.2 100
  exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 10.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 20.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
  exit match
 exit
policy route_map Peer 200 permit
 match ip ip_address 2
  exit match
 set as_path prepend 100 100 100
  exit set
 exit route_map
exit

hostname R2
module t1 1
 exit t1
interface ethernet 0
 ip address 10.1.1.2 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.2 24
 exit ethernet
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 200.1.1.2 30
 exit bundle
ip
 exit ip
router routerid 200.1.1.2
router bgp 100
 distance 170
 redistribute connected
 group R2 external
  route_map Peer out
  exit group
 neighbor 200.1.1.1 99
  neighbor_group R2
  exit neighbor
 neighbor 10.1.1.1 100
  exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 20.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 10.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
  exit match
 exit
policy route_map Peer 200 permit
 match ip ip_address 2
  exit match
 set as_path prepend 100 100 100
  exit set
 exit route_map
exit

hostname Hub
interface bundle wan1
 link t1 1
 encapsulation ppp
 ip address 100.1.1.1 30
 exit bundle
interface bundle wan2
 link t1 2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit bundle
interface loopback LB0
 ip address 99.1.1.1 32
 exit loopback
router routerid 99.1.1.1
router bgp 99
 distance 170
 redistribute connected
 neighbor 100.1.1.2 100
  exit neighbor
 neighbor 200.1.1.2 100
  exit neighbor
 exit bgp


Two SR Dualhomed to 2 ISP BGP
SR Load Sharing when Dualhomed to two ISP Using Multiple Local Routers using BGP

[Diagram: AS 100; R1; R2; ISP A; ISP B; AS 99; AS 98; 100.1.1.0/30; 200.1.1.0/30; .2; .2; 10.1.1.0; 20.1.1.0]

hostname R1
module t1 1-2
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.1 24
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 100.1.1.2 30
 exit bundle
ip
 exit ip
router routerid 100.1.1.2
router bgp 100
 redistribute connected
 group R1 external
  route_map Peer out
  exit group
 neighbor 100.1.1.1 99
  neighbor_group R1
  exit neighbor
 neighbor 10.1.1.2 100
  exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 10.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 20.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
  exit match
 exit
policy route_map Peer 200 permit
 match ip ip_address 2
  exit match
 set as_path prepend 100 100 100
  exit set
 exit route_map
exit

hostname R2
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.2 24
 exit ethernet
interface ethernet 0.1
 ip address 20.1.1.2 24
 exit ethernet
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 exit bundle
ip
 exit ip
router routerid 200.1.1.2
router bgp 100
 redistribute connected
 group R2 external
  route_map Peer out
  exit group
 neighbor 200.1.1.1 98
  neighbor_group R2
  exit neighbor
 neighbor 10.1.1.1 100
  exit neighbor
 exit bgp
policy ip_access_list 1 10 action permit network 20.1.1.0 netmask 0.0.0.255
policy ip_access_list 2 20 action permit network 10.1.1.0 netmask 0.0.0.255
policy route_map Peer 100 permit
 match ip ip_address 1
  exit match
 exit
policy route_map Peer 200 permit
 match ip ip_address 2
  exit match
 set as_path prepend 100 100 100
  exit set
 exit route_map
exit


One SR Dualhomed to 2 ISP BGP
SR Load Sharing when Multihomed to two ISP Using Single Local Routers with BGP

[Diagram: R1, AS 20356; MCI, AS 701; Sprint, AS 1239; 157.130.235.112/30 (.113, .114); 160.81.70.104/30 (.105, .106); E0-65.165.135.254/29; E3/0-65.165.135.252/29; Cisco 3640: E0/0-65.165.135.1/26, -65.167.126.1/24, ATM 1/0-65.165.135.65/26, ATM 1/3-65.167.135.129/26; Cisco 2600: S0/1-65.165.134.0/24, S3/0, E0-65.171.120.0/24]

hostname R1
module t1 1
 clock_source line
 exit t1
interface ethernet 0
 ip address 65.165.135.254 29
 exit ethernet
interface bundle mercury
 link t1 1
 encapsulation frelay
 fr
  intf_type dte
  lmi ansi
   exit lmi
  pvc 500
   ip address 157.130.235.114 30 map 157.130.235.113
   exit pvc
  exit fr
 exit bundle
interface bundle sprint
 link t1 2
 encapsulation hdlc
 ip address 160.81.70.106 30
 exit bundle
hostname DesMoines_SR
ip
 pname_server 64.7.161.13
 name_server 64.7.161.12
 name_server 64.7.172.13
 route 0.0.0.0 0.0.0.0 157.130.135.113
 route 0.0.0.0 0.0.0.0 160.81.70.105
 route 65.165.135.0 255.255.255.192 65.165.135.252 1
 route 65.165.135.64 255.255.255.192 65.165.135.252 1
 route 65.165.135.128 255.255.255.192 65.165.135.252 1
 route 65.167.126.0 255.255.255.0 65.165.135.252 1
 route 65.171.120.0 255.255.255.0 65.165.135.252 1
 exit ip
router bgp 20356
 redistribute connected
 redistribute static
 neighbor 157.130.235.113 701
  route_map UPDATES-1 in
  exit neighbor
 neighbor 160.81.70.105 1239
  route_map UPDATES-2 in
  exit 2
policy ip_access_list 1 1 action permit network 0.0.0.0 netmask 127.255.255.255
policy ip_access_list 2 1 action deny network 0.0.0.0 netmask 127.255.255.255
policy ip_access_list 2 2 action permit network 0.0.0.0 netmask 255.255.255.255
policy route_map UPDATES-1 10 permit
 match ip ip_address 1
  exit match
 set distance 100
  exit 2
policy route_map UPDATES-1 20 permit
 match ip ip_address 2
  exit 2
policy route_map UPDATES-2 10 permit
 match ip ip_address 1
  exit 2
policy route_map UPDATES-2 20 permit
 match ip ip_address 2
  exit match
 set distance 100
  exit 2
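The two access lists on this slide split the IPv4 address space in half, and each inbound route_map sets distance 100 on one half from one ISP. The Python sketch below is an added example, not part of the original slides, that evaluates those lists against constructed sample prefixes. It assumes that `netmask` is a wildcard mask (as the 0.0.0.255 entries on the earlier BGP slides suggest), that lists are evaluated first-match with an implicit deny, that the lower distance wins, and that routes with no `set distance` keep a placeholder default of 170.

```python
import ipaddress

# Values copied from the slide's configuration.
# access list id -> [(action, network, wildcard mask)] in sequence order
ACCESS_LISTS = {
    1: [("permit", "0.0.0.0", "127.255.255.255")],
    2: [("deny", "0.0.0.0", "127.255.255.255"),
        ("permit", "0.0.0.0", "255.255.255.255")],
}
# route_map name -> [(sequence, access list id, distance set by the clause or None)]
ROUTE_MAPS = {
    "UPDATES-1": [(10, 1, 100), (20, 2, None)],
    "UPDATES-2": [(10, 1, None), (20, 2, 100)],
}
# neighbor address -> (remote AS, inbound route_map)
NEIGHBORS = {
    "157.130.235.113": (701, "UPDATES-1"),
    "160.81.70.105": (1239, "UPDATES-2"),
}
# Assumption: placeholder distance for routes whose clause sets none.
DEFAULT_DISTANCE = 170


def _u32(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def acl_action(list_id, prefix):
    """First-match evaluation of a wildcard-mask list against a route's network address."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in ACCESS_LISTS[list_id]:
        care = ~_u32(wildcard) & 0xFFFFFFFF  # bits that must match
        if (addr & care) == (_u32(base) & care):
            return action
    return "deny"  # assumption: implicit deny when no entry matches


def inbound_distance(route_map, prefix):
    """Distance a prefix would get from the first route_map clause that matches it."""
    for _seq, list_id, distance in sorted(ROUTE_MAPS[route_map], key=lambda c: c[0]):
        if acl_action(list_id, prefix) == "permit":
            return DEFAULT_DISTANCE if distance is None else distance
    return None  # no clause matched: the route is not accepted


def preferred_upstream(prefix):
    """Return (distance, remote AS, neighbor) of the upstream with the lowest distance."""
    best = None
    for peer, (asn, route_map) in NEIGHBORS.items():
        distance = inbound_distance(route_map, prefix)
        if distance is not None and (best is None or distance < best[0]):
            best = (distance, asn, peer)
    return best


if __name__ == "__main__":
    # Constructed sample prefixes, not taken from the slides.
    for sample in ("8.0.0.0/8", "127.255.255.0/24", "128.0.0.0/24", "198.51.100.0/24"):
        distance, asn, peer = preferred_upstream(sample)
        print(f"{sample:18} -> AS {asn} via {peer} (distance {distance})")
```

Prefixes whose first bit is 0 (0.0.0.0 to 127.255.255.255) come out preferring AS 701, and the rest AS 1239; either list can be edited in place to check a different split before it is applied to a router.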


SR Multicast support with PIM SM
SR Using 3M NxT1 MLPPP WAN on OSPF with PIM SM

[Diagram: Server 10.1.1.2/24, DG 10.1.1.1, Local MC int-10.1.1.2, MC 224.1.1.1; HUB Side SR1002 (10.1.1.1); WAN 192.168.1.0 (.1, .2), T1 Crossover, Simulated T1 WAN; REMOTE Side SR1002 (192.168.0.100); Laptop 192.168.0.3/24, DG 192.168.0.100, Local MC int-192.168.0.3, MC 224.1.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.2 24
 exit
ip
 multicast
  exit
 pim
  interface wan
   exit
  interface ethernet0
   exit
  cbsr
   interface wan
   exit
  crp
   group-add 224.1.1.0 mask 255.0.0.0
   interface wan
   exit 2
 igmp
  interface ethernet0
   query-interval 60
   exit 3
ip
router routerid 10.1.1.1
router ospf
 area 0
  exit
 interface wan area_id 0
  exit interface
 interface ethernet0 area_id 0
  exit interface
 exit

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip
 multicast
  exit
 pim
  interface wan
   exit
  interface ethernet0
   exit
  cbsr
   interface wan
   exit
  crp
   group-add 224.1.1.0 mask 255.0.0.0
   interface wan
   exit 2
 igmp
  interface ethernet0
   query-interval 60
   exit 3
ip
router routerid 192.168.0.100
router ospf
 area 0
  exit
 interface wan area_id 0
  exit interface
 interface ethernet0 area_id 0
  exit interface
 exit


SR Multicast support with PIM SM
SR Using 3M NxT1 MLPPP WAN on OSPF with PIM SM

[Diagram: Server 10.1.1.2/24, DG 10.1.1.1, Local MC int-10.1.1.2, MC 224.1.1.1; HUB Side SR1002 (10.1.1.1); WAN 192.168.1.0 (.1, .2), T1 Crossover, Simulated T1 WAN; REMOTE Side SR1002 (192.168.0.100); Laptop 192.168.0.3/24, DG 192.168.0.100, Local MC int-192.168.0.3, MC 224.1.1.1]

Remote/show/ip# igmp groups all
Interface  Group Address  Uptime  Expires  Last Reporter
---------  -------------  ------  -------  -------------
ethernet0  224.1.1.1      5:29    3:40     192.168.0.3

Remote/show/ip# mfc
(10.1.1.2, 224.1.1.1) RPF: wan Exp: 0
Outgoing Interface List:
 vif: 2 ethernet0 (ttl: 1)

Remote/show/ip# mroute
flags: R - RP-bit set  W - Wildcard  T - SPT-bit set  N - Neg cache
       I - wrong IIF  E - external  r - rejected  i - null IIF
       J - Joining SPT  L - local source
PIM SM routes:
(0.0.0.0/0, 224.1.1.1/32) age/exp: 00:12:18/00:02:42, flags: W (2)
 IIF: register (127.0.0.1, vif 0)
 RPF nbr: 127.0.0.1, pref: 0, metric: 1
 Outgoing interface list:
  ethernet0 (192.168.0.100, vif 2) protos: none, exp: never
(10.1.1.2/32, 224.1.1.1/32) age/exp: 00:11:49/00:02:42, flags: T (4)
 IIF: wan (192.168.1.2, vif 1)
 RPF nbr: 192.168.1.2, pref: 1, metric: 0
 Outgoing interface list:
  ethernet0 (192.168.0.100, vif 2) protos: none, exp: never

HUB/show/ip# mfc
(10.1.1.2, 224.1.1.1) RPF: ethernet0 Exp: 0
Outgoing Interface List:
 vif: 1 wan (ttl: 1)

HUB/show/ip# mroute
flags: R - RP-bit set  W - Wildcard  T - SPT-bit set  N - Neg cache
       I - wrong IIF  E - external  r - rejected  i - null IIF
       J - Joining SPT  L - local source
PIM SM routes:
(10.1.1.2/32, 224.1.1.1/32) age/exp: 00:28:58/00:02:21, flags: TL (40004)
 IIF: ethernet0 (10.1.1.1, vif 2)
 RPF nbr: 10.1.1.2, pref: 0, metric: 1
 register suppression timeout: 27
 Outgoing interface list:
  wan (192.168.1.1, vif 1) protos: none, exp: 2:53

Remote# sh ip igmp interface all
IGMP Interface ethernet0 information
interface: ethernet0 192.168.0.100/24, owner: PIM-SM
 Querier: 192.168.0.100 (this system)
 Version: 3
 Query Interval: 125 secs
 Query Response Interval: 10 secs
 Last member Query Interval: 1 secs
 Last member Query Count: 2
 Startup Query Interval: 31 secs
 Startup Query Count: 2
 Send Router Alert: Enabled
 Require Router Alert: Disabled
 Ignore V1 Messages: Disabled
 Ignore V2 Messages: Disabled
 Robustness: 2
 No of Joins on this interface: 2
 Group Addr/mask: 224.1.1.1/32
  Group age: 7:10
  Group Expiry Time: 3:22
  Address of last reporter: 192.168.0.3


Cisco to SR Multicast support
SR to Cisco using T1 PPP WAN, with PIM SM

[Diagram: Server 10.1.1.2/24, DG 10.1.1.1, Local MC int-10.1.1.2, MC 224.1.1.1; HUB Side Cisco (10.1.1.1); WAN 192.168.1.0 (.1, .2), T1 Crossover, Simulated T1 WAN; REMOTE Side SR1002 (192.168.0.100); Laptop 192.168.0.3/24, DG 192.168.0.100, Local MC int-192.168.0.3, MC 224.1.1.1]

HUB Side
conf t
hostname HUB
ip subnet-zero
ip multicast-routing
mta receive maximum-recipients 0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp explicit-tracking
 ip igmp version 3
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 ip pim sparse-mode
 encapsulation ppp
 ip igmp explicit-tracking
 ip igmp version 3
 no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip pim bidir-enable
ip pim bsr-candidate Serial0/0 0
ip pim rp-candidate Serial0/0 group-list 10
!
access-list 10 permit 224.0.0.0 0.255.255.255
snmp-server community public RO
call rsvp-sync
end

REMOTE Side
conf t
hostname REMOTE
module t1 1
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.0.100 24
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.1 24
 exit
ip
 multicast
  exit
 pim
  interface wan
   exit
  interface ethernet0
   exit
  cbsr
   interface wan
   exit
  crp
   group-add 224.1.1.0 mask 255.0.0.0
   interface wan
   exit 2
 igmp
  interface ethernet0
   exit 3
ip route 0.0.0.0 0 192.168.1.1
exit


Layer 3 Applications


Cisco to SR ML & IP based QoS
QoS configured on both WAN interfaces based on source IP

[Diagram: Cisco 7513; SR 1004; MLPPP; 192.168.2.100/24; 192.168.2.1/24; 192.168.1.0/24; .1; .2; 192.168.0.7/24]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 qos
  add_class qostest root-out cr 10 br 10 priority 1
  class qostest
   add_src_ip 192.168.0.7
   exit class
  enable cbq outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem

CISCO CONFIGURATION
conf t
int fast 0/0
 ip address 192.168.2.1 255.255.255.0
 exit
interface Multilink1
 ip address 192.168.1.2 255.255.255.0
 no cdp enable
 ppp multilink
 multilink-group 1
 service-policy output qostest
 exit
interface Serial 0/0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
 exit
interface Serial 0/0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
policy-map qostest
 class c1
  shape peak 10000
class-map match-all c1
 match access-group 101
access-list 102 permit ip any host 192.168.0.7
access-list 102 deny ip any any


SR Hierarchical QoS using DSCP
Root QoS allows all traffic, with 2 branch classes for VoIP or Default

[Diagram: SR 1004; T1 Line Using PPP; Carrier CO; Channelized DS3; SR 3120; 192.168.1.0/30; .1; .2; 192.168.0.7/24; 192.168.2.10/24; VoIP Phone Mitel 5215 at each end]

VoIP Phone Mitel 5215: marks packets with TOS = B0 (all 8 bits: 1011 0000 = B0). DSCP = 44 (use only first 6 bits: 101100 = 44).

SR 1001 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.2 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_dscp 43-44
   exit class
  class NonVoIP
   add_dscp default
   exit class
  enable cbq outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR 6300 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module ct3 1 t1 1-2
 clock internal
 exit
interface bundle wan
 link ct3 1 1
 encapsulation ppp
 ip address 192.168.1.1 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_dscp 43-44
   exit class
  class NonVoIP
   add_dscp default
   exit class
  enable cbq outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem


SR Hierarchical QoS using 802.1p
Root QoS allows all traffic, with 2 branch classes for VoIP or Default

[Diagram: SR 1004; T1 Line Using PPP; Carrier CO; Channelized DS3; SR 3120; 192.168.1.0/30; .1; .2; 192.168.0.7/24; 192.168.2.10/24; VoIP Phone Mitel 5215 at each end]

VoIP Phone Mitel 5215: marks packets with 802.1p = 1.

SR 1001 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.2 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_dst_ip default
   exit class
  class VoIP
   add_dot1p 1
   exit class
  class NonVoIP
   add_dot1p default
   exit class
  enable cbq outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR 6300 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module ct3 1 t1 1-2
 clock internal
 exit
interface bundle wan
 link ct3 1 1
 encapsulation ppp
 ip address 192.168.1.1 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_dst_ip default
   exit class
  class VoIP
   add_dot1p 1
   exit class
  class NonVoIP
   add_dot1p default
   exit class
  enable cbq outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem


SR Hierarchical QoS using ports
Root QoS allows all traffic, with 2 branch classes for VoIP or Default

[Diagram: SR 1004; T1 Line Using PPP; Carrier CO; Channelized DS3; SR 3120; 192.168.1.0/30; .1; .2; 192.168.0.7/24; 192.168.2.10/24; VoIP Phone Mitel 5215 at each end]

VoIP Phone Mitel 5215: uses packets with Port 2205-3301.

SR 1001 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 ip address 192.168.1.2 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_port 2205-3301
   exit class
  class NonVoIP
   add_port default
   exit class
  enable cbq outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR 6300 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module ct3 1 t1 1-2
 clock internal
 exit
interface bundle wan
 link ct3 1 1
 encapsulation ppp
 ip address 192.168.1.1 30
 qos
  add_class WAN root-out cr 1536 br 1536 priority 1
  add_class VoIP WAN cr 768 br 1536 priority 1
  add_class NonVoIP WAN cr 768 br 1536 priority 7
  class WAN
   add_src_ip default
   exit class
  class VoIP
   add_port 2205-3301
   exit class
  class NonVoIP
   add_port default
   exit class
  enable cbq outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem


SR QoS used to monitor the WAN
QoS can be enabled to only monitor the classes and not enforce the rates

[Diagram: SR 3120; MLPPP; SR 1004]

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.10 24
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.2 24
 qos
  add_class bwmon root-out cr 3072 br 3072 priority 1
  class bwmon
   add_src_ip default
   exit class
  enable mon outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit
wr mem

SR CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.2.1 24
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 192.168.1.1 24
 qos
  add_class bwmon root-out cr 3072 br 3072 priority 1
  class bwmon
   add_src_ip default
   exit class
  enable mon outbound
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
exit
wr mem


SR QoS used for monitoring
SR QoS for 3 T1 WAN (4608M) using CBQ, start with monitoring

[Diagram: LAN; 3 T1 MLPPP Pipe to Verizon; Verizon]

Class tree from the diagram:
WAN: SIP=ANY, CR 4608, BR 4608
 SNTP: Port=123, CR 500, BR 1K, Priority=3
 SMTP: Port=25, CR 1K, BR 1.5K, Priority=2
 WEB: Port=80, CR 1K, BR 2K, Priority=4
 IPSEC: Port=500, CR 608, BR 1K, Priority=6
 DNS: Port=53, CR 500, BR 1K, Priority=1
 Default: Port=ANY, CR 1K, BR 4608, Priority=7

module t1 1-3
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 1
 exit ethernet
interface bundle wan
 link t1 1-3
 encapsulation ppp
 ip address 200.1.1.1 30
 qos
  add_class WAN root-out cr 4608 br 4608
  add_class SNTP WAN cr 500 br 1000 priority 3
  add_class SMTP WAN cr 1000 br 1500 priority 2
  add_class WEB WAN cr 1000 br 2000 priority 4
  add_class IPSEC WAN cr 608 br 1000 priority 6
  add_class DNS WAN cr 500 br 1000 priority 1
  add_class Default WAN cr 1000 br 4608 priority 7
  class WAN
   add_src_ip default
   exit class
  class SNTP
   add_port 123
   exit class
  class SMTP
   add_port 25
   exit class
  class WEB
   add_port 80
   exit class
  class IPSEC
   add_port 500
   exit class
  class DNS
   add_port 53
   exit class
  class Default
   add_port default
   exit class
  enable mon outbound
  exit qos
 nat
  enable dynamic
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2 30
 exit ip
wr mem


SR QoS using CBQ
SR QoS for 3 T1 WAN (4608M) using CBQ, then enable CBQ

Class tree from the diagram:
WAN: SIP=ANY, CR 4608, BR 4608
 SNTP: Port=123, CR 500, BR 1K, Priority=3
 SMTP: Port=25, CR 1K, BR 1.5K, Priority=2
 WEB: Port=80, CR 1K, BR 2K, Priority=4
 IPSEC: Port=500, CR 608, BR 1K, Priority=6
 DNS: Port=53, CR 500, BR 1K, Priority=1
 Default: Port=ANY, CR 1K, BR 4608, Priority=7

module t1 1-3
 clock_source line
 exit t1
interface ethernet 0
 ip address 10.1.1.1 24
 exit ethernet
interface ethernet 1
 exit ethernet
interface bundle wan
 link t1 1-3
 encapsulation ppp
 ip address 200.1.1.1 30
 qos
  add_class WAN root-out cr 4608 br 4608
  add_class SNTP WAN cr 500 br 1000 priority 3
  add_class SMTP WAN cr 1000 br 1500 priority 2
  add_class WEB WAN cr 1000 br 2000 priority 4
  add_class IPSEC WAN cr 608 br 1000 priority 6
  add_class DNS WAN cr 500 br 1000 priority 1
  add_class Default WAN cr 1000 br 4608 priority 7
  class WAN
   add_src_ip default
   exit class
  class SNTP
   add_port 123
   exit class
  class SMTP
   add_port 25
   exit class
  class WEB
   add_port 80
   exit class
  class IPSEC
   add_port 500
   exit class
  class DNS
   add_port 53
   exit class
  class Default
   add_port default
   exit class
  enable cbq outbound
  exit qos
 nat
  enable dynamic
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2 30
 exit ip
wr mem

SR1004# sh qos bundle wan

Interface: Bundle wan (Bandwidth = 4608Kbps)

Interface Outbound Configuration & Statistics
---------------------------------------------
CBQ: on  Policing: off  MON: off
+------------------+------+------+------+-------+-------+----------+----------
Traffic Class       CBQ-CR CBQ-BR Police Avg Out Avg In  Packets    Packets
                    (kbps) (kbps) (kbps) (kbps)  (kbps)  Fwded      Dropped
+------------------+------+------+------+-------+-------+----------+----------
WAN                 4608   4608   -      0       0       0          0
 Default            1000   4608   -      0       0       0          0
 DNS                500    1000   -      0       0       0          0
 IPSEC              608    1000   -      0       0       0          0
 WEB                1000   2000   -      0       0       0          0
 SMTP               1000   1500   -      0       0       0          0
 SNTP               500    1000   -      0       0       0          0


SR VRRP
SR VRRP allows tracking of the WAN interfaces and switch if down

[Diagram: Server 192.168.1.15/24, DG 192.168.1.254; 192.168.1.0, VRRP - .254, two SR1002 (.1, .2); two WAN links, each T1 Crossover, Simulated T1 WAN; 192.168.2.0, VRRP - .254, two SR1002 (.1, .2); Laptop 192.168.2.13/24, DG 192.168.2.254]

HUB Side
conf t
hostname HUB1
module t1 1
 clock_source internal
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.1 30
 exit
int ethernet 0
 ip address 192.168.1.1 24
 vrrp_mode 0
 vrrp 10
  authentication SR
  ipaddr 192.168.1.254
  preempt
  priority 95
  track wan 10
  enable
  exit 2
router routerid 192.168.1.1
 exit
router ospf
 area 0
  exit
 inter ethernet0 area 0
  exit
 inter wan area 0
  exit 2
wr mem

HUB Side
conf t
hostname HUB2
module t1 1
 clock_source internal
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.5 30
 exit
int ethernet 0
 ip address 192.168.1.2 24
 vrrp_mode 0
 vrrp 10
  authentication SR
  ipaddr 192.168.1.254
  preempt
  priority 100
  track wan 10
  enable
  exit 2
router routerid 192.168.1.2
 exit
router ospf
 area 0
  exit
 inter ethernet0 area 0
  exit
 inter wan area 0
  exit 2
wr mem

REMOTE Side
conf t
hostname REMOTE1
module t1 1
 clock_source line
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.2 30
 exit
int ethernet 0
 ip address 192.168.2.1 24
 vrrp_mode 0
 vrrp 20
  authentication SR
  ipaddr 192.168.2.254
  preempt
  priority 100
  track wan 10
  enable
  exit 2
router routerid 192.168.2.1
 exit
router ospf
 area 0
  exit
 inter ethernet0 area 0
  exit
 inter wan area 0
  exit 2
wr mem

REMOTE Side
conf t
hostname REMOTE2
module t1 1
 clock_source line
 exit
int bundle wan
 link t1 1-2
 encap ppp
 ip address 192.168.0.6 30
 exit
int ethernet 0
 ip address 192.168.2.2 24
 vrrp_mode 0
 vrrp 20
  authentication SR
  ipaddr 192.168.2.254
  preempt
  priority 95
  track wan 10
  enable
  exit 2
router routerid 192.168.2.2
 exit
router ospf
 area 0
  exit
 inter ethernet0 area 0
  exit
 inter wan area 0
  exit 2
wr mem


SR using PAT on WAN interface
Public IPs pass through and private IPs are dynamic PAT to the WAN IP

[Diagram: Laptop, IP Static 206.127.31.226, 255.255.255.240, DG-206.127.31.225; Laptop, IP Dynamic 192.168.1.2, 255.255.255.0, DG-192.168.1.1; SR 1002 Remote1: E0-192.168.1.1/24, E1-206.127.31.225/28, WAN-206.127.11.102 30]

SR CONFIGURATION
conf t
hostname Remote1
module t1 1
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit
interface ethernet 1
 ip address 206.127.31.225 28
 exit
interface bundle wan
 link t1 1
 encapsulation hdlc
 ip address 206.127.11.102 30
 nat
  enable dynamic
  exit 2
ip route 0.0.0.0 0.0.0.0 206.127.11.101
 dhcps
  pool 192
   domain test.com
   dnsserver 200.20.20.2
   network 192.168.1.1 255.255.255.0
   default_router 192.168.1.1
   commit
   exit pool
  interface ethernet0
   enable
   exit dhcps
 exit
wr mem


SR using PAT on WAN interface
Private IPs are dynamic PAT to the WAN IP

[Diagram: Customer CPE, IP address DHCP, DHCP-192.168.1.2 24; Remote side SR 1004; WAN, Channelized DS3; Hub side SR 3120; Core Router: Int fast 0/0, ip address 10.2.2.1/24, ip route 10.1.1.0 30 10.2.2.2]

SR 1004
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 200.1.1.2 30
 nat
  enable dynamic
  exit 2
ip route 0.0.0.0 0.0.0.0 200.1.1.1
 dhcps
  pool LAN
   domain test.com
   dnsserver 206.13.31.12
   network 192.168.1.0 24
   default_router 192.168.1.1
   commit
   exit pool
  interface ethernet0
   enable
   exit 3
wr mem

SR 6302
conf t
hostname HUB
module ct3 1 t1 1-2
 clock internal
 exit
interface ethernet 0
 ip add 10.2.2.2 24
 exit
interface bundle wan
 link ct3 1 1-2
 encapsulation ppp
 ip address 200.1.1.1 30
 exit
wr mem


SR using NAT on WAN interface
Private IP using 1 to 1 static NAT

[Diagram: 1004; 1004; Two T1 Line - MLPPP; T1 Crossover; Simulated T1 WAN; IP 192.168.1.2/24, D.G. 192.168.1.1; IP 10.1.1.2/24, D.G. 10.1.1.1]

SR CONFIGURATION
conf t
hostname BOT
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.2 24
 nat
  enable static
  address 10.1.1.2 172.16.64.3
  exit 2
ip route 0.0.0.0 0.0.0.0 172.16.64.1
exit
wr mem

SR CONFIGURATION
conf t
hostname TOP
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 192.168.0.1 24
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 ip address 172.16.64.1 24
 exit
ip route 0.0.0.0 0.0.0.0 172.16.64.2
exit
wr mem


SR using NAT on Ether interface
Static NAT on the Ethernet requires proxy arp and a static route

[Diagram: Server 10.1.1.2/24, DG 10.1.1.1; HUB Side SR1002 (10.1.1.1); WAN 200.1.1.0 (.1, .2); REMOTE Side SR1002 (192.168.1.1); Laptop 192.168.1.2/24, DG 192.168.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 exit
interface ethernet 1
 ip address 200.1.1.1 24
 exit
ip
 route 0.0.0.0 0.0.0.0 200.1.1.2
 exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.1.1 24
 exit ethernet
interface ethernet1
 ip address 200.1.1.2 24
 ip proxy_arp
 nat
  address 192.168.1.2 200.1.1.3
  trans_addr 200.1.1.2
  enable static
  enable dynamic
  exit nat
 exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1
 route 200.1.1.3 32 ethernet0
 exit ip
wr mem


SR using Global NAT under IP
1 IP is configured for Static NAT & Dynamic PAT is enabled for other IPs

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; 10.1.1.1 (.1); SR1002, HUB Side; WAN 200.1.1.0, .1 and .2; SR1002, REMOTE Side; 192.168.1.1 (.1); Server 192.168.1.2/24, DG 192.168.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
  clock_source internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 24
  exit
ip
  route 0.0.0.0 0.0.0.0 200.1.1.2
  exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 200.1.1.2 24
  exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1
  nat
    address 192.168.1.2 200.1.1.3 interface wan
    trans_addr 200.1.1.2
    enable static
    enable dynamic
    exit nat
  exit ip
wr mem


SR DHCP Server
One DHCP scope is configured for Ethernet 0

[Diagram labels: Customer CPE, IP address DHCP, DHCP-192.168.1.2 24; SR 1004 (Remote side); WAN, Channelized DS3; SR 3120 (Hub side)]

SR 1004
conf t
hostname REMOTE
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.1.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
  nat
    enable dynamic
    exit 2
ip route 0.0.0.0 0.0.0.0 200.1.1.1
  dhcps
    pool LAN
      domain test.com
      dnsserver 206.13.31.12
      network 192.168.1.0 24
      default_router 192.168.1.1
      commit
      exit pool
    interface ethernet0 enable
    exit dhcps
  exit 2
wr mem

SR 6302
conf t
hostname HUB
module ct3 1 t1 1-2
  clock internal
  exit
interface ethernet 0
  ip add 10.2.2.2 24
  exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  exit
wr mem


SR Sub-interfaces using 802.1Q
Ethernet 0 is configured using 802.1Q with Sub-interfaces and QoS

[Diagram labels: Foundry Networks ServerIronXL VLAN Switch; VLAN 10, VLAN 20, VLAN 30; 802.1Q TRUNK; WAN]

SR CONFIGURATION
conf t
hostname Remote1
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  description "test10"
  encapsulation dot1q 10
  ip address 216.138.115.193 29
  speed 100 full_duplex
  exit ethernet
interface ethernet 0.1
  description "test20"
  encapsulation dot1q 20
  ip address 216.138.115.201 29
  exit ethernet
interface ethernet 0.2
  description "test30"
  encapsulation dot1q 30
  ip address 216.138.115.209 29
  exit ethernet
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 172.16.64.2 24
  qos
    add_class test10 root-out cr 500 br 3000 priority 1
    class test10
      add_src_ip 216.138.115.192 29
      exit class
    add_class test20 root-out cr 500 br 3000 priority 2
    class test20
      add_src_ip 216.138.115.200 29
      exit class
    add_class test30 root-out cr 500 br 3000 priority 3
    class test30
      add_src_ip 216.138.115.208 29
      exit class
    enable cbq outbound
    exit 2
ip route 0.0.0.0 0.0.0.0 172.16.64.1
  exit
wr mem


SR using IP unnumbered on WAN
Public IP on LAN and IP Unnumbered on the WAN interface

[Diagram labels: Customer CPE, IP address 201.1.2 24; SR 1004 (Remote side); WAN, Channelized DS3; SR 3120 (Hub side)]

SR 1004
conf t
hostname REMOTE
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 201.1.1.2 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address unnumbered ethernet0
  exit
ip route 0.0.0.0 0.0.0.0 wan
wr mem

SR 6302
conf t
hostname HUB
module ct3 1 t1 1-2
  clock internal
  exit
interface ethernet 0
  ip add 10.2.2.2 24
  exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  ip address 200.1.1.1 24
  exit
wr mem


SR TDM Voice using ADM
Single T1 PPP using ADM for PRI Voice and Data

[Diagram labels: Laptop; Ethernet; Ethernet Switch; PBX/KSU; Digital Trunk PRI; SR 1002; Voice & Data using single T1, 1.5M Pipe; WAN]

SR CONFIGURATION
conf t
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.0.1 24
  exit ethernet
interface drop_insert voice                   (create the ADM interface)
  link t1 1 2 timeslots 1-7,24 signaling 2    (set PBX to port 1, Network port to 2, DS0 1-7 + 24, and use ISDN signaling)
  mode 2 1                                    (set the Network port to 2, set mode type to 1: voice & data)
  clock_source 2 btclk                        (sets T1 #1 to take its clock from the backplane of T1 #2)
  exit drop_insert
interface bundle wan
  link t1 2:8-23
  encapsulation ppp
  ip address 200.1.1.2 30
  exit bundle
hostname remote1
ip route 0.0.0.0 0.0.0.0 200.1.1.1
  exit ip
wr mem


SR TDM Voice using ADM
Single F/T1 using ADM for T1 CAS Voice and 2T1 + 16DS0 MLPPP Data

[Diagram labels: Laptop; Ethernet; Ethernet Switch; PBX/KSU; Digital Trunk T1/PRI; SR 1004; Voice & Data using 3 T1, 4.5M Pipe; WAN]

SR CONFIGURATION
conf t
module t1 1-4
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.0.1 24
  exit ethernet
interface drop_insert voice                   (create the ADM interface)
  link t1 1 2 timeslots 1-7 signaling 1       (set PBX to port 1, Network port to 2, DS0 1-7, and use RBS signaling)
  mode 2 1                                    (set the Network port to 2, set mode type to 1: voice & data)
  clock_source 2 line                         (sets T1 #1 to take its clock from T1 #2)
  exit drop_insert
interface bundle wan
  link t1 2:8-23
  link t1 3-4
  encapsulation ppp
  ip address 200.1.1.2 30
  exit bundle
hostname remote1
ip route 0.0.0.0 0.0.0.0 200.1.1.1
  exit ip
wr mem


SR SSH support
Using SSH for secure Telnet connection to SR

E0 IP Address 192.168.0.100/24
PC IP Address 192.168.0.2/24
SSH Software: F-Secure SSH Client Ver 5.2

Step 1: Generate the KEY (DSA or RSA)

SR/configure# ssh_keygen
SR/configure/ssh_keygen# generate dsa
Generating public/private dsa (1024) key pair.
passphrase comment wind@R4
Your identification has been saved in /flash1/shdsakey.
Your public key has been saved in /flash1/shdsakey.pub.
The key fingerprint is:
c0:2c:3c:7f:a2:55:d1:f8:fc:ae:92:f0:6e:11:c1:0c wind@R4

Step 2: Enable the server

SR/configure# ssh_server
SR/configure/ssh_server# enable
SR/configure/ssh_server# logevents on    (to log ssh events)
SR/configure# events online              (view ssh events from console)
SR/debug/ip# ssh trace                   (view connection process)

Step 3: Now check configuration

SR/show/ip/ssh config

Using SSH Client
Host: 192.168.0.100
Port 22
SSH V2
Now connect to the host. You should get a prompt to accept the KEY. Once accepted, you should get a login prompt. Log in with your normal login and password (SR, SRnet).


SR SSH support
Using SSH for secure Telnet connection to SR

E0 IP Address 192.168.0.100/24
PC IP Address 192.168.0.2/24
SSH Software: F-Secure SSH Client Ver 5.2

SR/configure/ssh_keygen# digest shdsakey.pub
1024 99:09:b6:0c:a8:61:c6:d1:e9:75:dd:89:34:c9:cb:ec /flash1/shdsakey.pub

SR# show ip ssh config
Secure Shell Server - ENABLED
Protocol Version 2.0
Listening on port 22
Public Host key file : shdsakey
Supported Algorithms
Kex : diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Encryption : 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc
MAC : hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
Compression : none,zlib

SR# show ip ssh sessions
Session  Client IP Address  Client Port  User  State
1        192.168.0.2        1401         SR    Established

SR# show ip ssh session 1
Server Version String : SSH-2.0-SR-1.0
Client Version String : SSH-1.99-3.1.0 F-SECURE SSH for Windows
Host Key Algorithm : ssh-dss
Key Exchange : diffie-hellman-group1-sha1
Authentication : password
Encryption (client -> server) : 3des-cbc
MAC Algorithm (client -> server) : hmac-sha1
Compression (client -> server) : none
Encryption (server -> client) : 3des-cbc
MAC Algorithm (server -> client) : hmac-sha1
Compression (server -> client) : none
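The "show ip ssh config" and "show ip ssh session 1" output above lists every algorithm the SR offers and the ones this session negotiated. The following is an added example, not part of the original deck: it parses that output and reports which offered and negotiated algorithms a review would flag. The review policy table is an assumption of this example, and the sample text is re-typed from the slide.

```python
import re

# Constructed sample: the output shown on the slide, one field per line.
SHOW_SSH_CONFIG = """\
Secure Shell Server - ENABLED
Protocol Version 2.0
Listening on port 22
Public Host key file : shdsakey
Supported Algorithms
Kex : diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Encryption : 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc
MAC : hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
Compression : none,zlib
"""

SHOW_SSH_SESSION = """\
Host Key Algorithm : ssh-dss
Key Exchange : diffie-hellman-group1-sha1
Authentication : password
Encryption (client -> server) : 3des-cbc
MAC Algorithm (client -> server) : hmac-sha1
Compression (client -> server) : none
"""

# Assumed review policy (not from the slides): first matching pattern wins.
POLICY = [
    (r"^diffie-hellman-group1-sha1$", "fixed 1024-bit DH group"),
    (r"^diffie-hellman-.*-sha1$", "SHA-1 based key exchange"),
    (r"^ssh-dss$", "1024-bit DSA host key"),
    (r"^(3des|blowfish)-cbc$", "64-bit block cipher in CBC mode"),
    (r"-cbc$", "CBC mode cipher"),
    (r"^hmac-md5", "MD5 based MAC"),
    (r"-96$", "MAC truncated to 96 bits"),
]

ALGO_FIELDS = ("Kex", "Encryption", "MAC")


def parse_fields(text):
    """Turn 'Name : a,b,c' lines into {name: [a, b, c]}; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return fields


def classify(name):
    """Return the reason an algorithm is flagged, or None if the policy passes it."""
    for pattern, reason in POLICY:
        if re.search(pattern, name):
            return reason
    return None


def audit_offer(config_text):
    """Split each offered algorithm list into flagged and unflagged entries."""
    fields = parse_fields(config_text)
    report = {}
    for field in ALGO_FIELDS:
        offered = fields.get(field, [])
        report[field] = {
            "flagged": [(a, classify(a)) for a in offered if classify(a)],
            "unflagged": [a for a in offered if not classify(a)],
        }
    return report


def audit_session(session_text):
    """Return the negotiated parameters of one session that the policy flags."""
    findings = {}
    for key, values in parse_fields(session_text).items():
        if values and classify(values[0]):
            findings[key] = (values[0], classify(values[0]))
    return findings


if __name__ == "__main__":
    for field, result in audit_offer(SHOW_SSH_CONFIG).items():
        print(field, "unflagged:", result["unflagged"] or "none")
        for name, reason in result["flagged"]:
            print("   ", name, "->", reason)
    for key, (name, reason) in audit_session(SHOW_SSH_SESSION).items():
        print("negotiated", key, "=", name, "->", reason)
```

Under this policy the server offers no key exchange or cipher that passes, so a client cannot negotiate its way to a stronger session; restricting who can reach TCP port 22 is the control left to the operator.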


Cisco to SR PPP PAP send name
Cisco using PAP auth to SR using PAP send name and password

[Diagram labels: 192.168.2.2/24; Cisco 7513; Single T1 PPP; SR 1004; 192.168.1.2/24]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
  clock_source line
  exit t1
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 100.1.1.2 30
  pppconfig pap
    sent-username test SR
    exit pap
  exit bundle
hostname SR-1001
ip route 0.0.0.0 0.0.0.0 100.1.1.1
  exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
end


Cisco to SR PPP PAP authentication
Cisco to SR over PPP WAN using PAP to authorize both ends

[Diagram labels: 192.168.2.2/24; Cisco 7513; Single T1 PPP; SR 1004; 192.168.1.2/24]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
  clock_source line
  exit t1
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 100.1.1.2 30
  pppconfig pap
    sent-username test SR
    peer-name root SR
    exit pap
  pppconfig authentication pap
  exit bundle
hostname SR-1001
ip route 0.0.0.0 0.0.0.0 100.1.1.1
  exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication pap
 ppp pap sent-username root password SR
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2


Cisco to SR PPP CHAP send name
SR PPP WAN using CHAP to send name and password to the Cisco

[Diagram labels: 192.168.2.2/24; Cisco 7513; Single T1 PPP; SR 1004; 192.168.1.2/24]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
  clock_source line
  exit t1
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 100.1.1.2 30
  pppconfig chap
    sent-username test SR
    peer-name cisco SR
    exit chap
  exit bundle
hostname SR-1001
ip route 0.0.0.0 0.0.0.0 100.1.1.1
  exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication chap
 ppp chap hostname cisco
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2


SR to Cisco PPP CHAP send name
PPP WAN using CHAP on Cisco to send name & password to the SR

[Diagram labels: 192.168.2.2/24; Cisco 7513; Single T1 PPP; SR 1004; 192.168.1.2/24]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
  clock_source line
  exit t1
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 100.1.1.2 30
  pppconfig chap
    sent-username test SR
    peer-name cisco SR
    exit chap
  pppconfig authentication chap
  exit bundle
hostname SR-1001
ip route 0.0.0.0 0.0.0.0 100.1.1.1
  exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp chap hostname cisco
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2


Cisco to SR PPP CHAP auth
Cisco to SR over PPP WAN using CHAP to authorize both sides

[Diagram labels: 192.168.2.2/24; Cisco 7513; Single T1 PPP; SR 1004; 192.168.1.2/24]

SR CONFIGURATION
conf t
hostname Remote
module t1 1
  clock_source line
  exit t1
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 100.1.1.2 30
  pppconfig chap
    sent-username test SR
    peer-name cisco SR
    exit chap
  pppconfig authentication chap
  exit bundle
hostname SR-1001
ip route 0.0.0.0 0.0.0.0 100.1.1.1
  exit ip

CISCO CONFIGURATION
conf t
version 12.2
hostname HUB
username test password 0 SR
ip subnet-zero
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 100.1.1.1 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 service-module t1 clock source internal
 ppp authentication chap
 ppp chap hostname cisco
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
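The PAP and CHAP slides above configure the same name and password (test / SR) under both methods. The following is an added example, not part of the original deck: it builds the RFC 1334 PAP Authenticate-Request and the RFC 1994 CHAP Response for those credentials to show what each method puts on the link. The identifier and challenge bytes are constructed for the example.

```python
import hashlib
import hmac
import struct

PAP_AUTHENTICATE_REQUEST = 1   # RFC 1334 packet code
CHAP_RESPONSE = 2              # RFC 1994 packet code


def pap_authenticate_request(ident, peer_id, password):
    """PAP: Peer-ID and Password travel as length-prefixed cleartext fields."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(data)) + data


def parse_pap_authenticate_request(packet):
    """What any reader of the PPP link recovers from a PAP request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    id_len = packet[4]
    peer_id = packet[5:5 + id_len]
    pw_len = packet[5 + id_len]
    password = packet[6 + id_len:6 + id_len + pw_len]
    return peer_id, password


def chap_value(ident, secret, challenge):
    """CHAP with MD5: hash of Identifier, then the secret, then the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident, name, secret, challenge):
    """CHAP Response packet: Value-Size, Value (16 bytes for MD5), then Name."""
    value = chap_value(ident, secret, challenge)
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(data)) + data


def chap_verify(packet, secret, challenge):
    """Authenticator side: recompute the hash for the challenge it issued."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CHAP_RESPONSE or length != len(packet):
        return False
    size = packet[4]
    value = packet[5:5 + size]
    return hmac.compare_digest(value, chap_value(ident, secret, challenge))


# Name and secret as configured on the slides; challenges are constructed.
NAME, SECRET = b"test", b"SR"
CHALLENGE_1 = bytes(range(16))
CHALLENGE_2 = bytes(range(16, 32))

if __name__ == "__main__":
    pap = pap_authenticate_request(1, NAME, SECRET)
    print("PAP frame           :", pap)
    print("recovered from frame:", parse_pap_authenticate_request(pap))
    chap = chap_response(1, NAME, SECRET, CHALLENGE_1)
    print("CHAP frame          :", chap.hex())
    print("valid for its own challenge :", chap_verify(chap, SECRET, CHALLENGE_1))
    print("replayed for a new challenge:", chap_verify(chap, SECRET, CHALLENGE_2))
```

CHAP keeps the secret off the wire, but both ends must hold it in recoverable form, which is why the Cisco side stores it as "password 0". A secret as short as the one on these slides remains guessable offline from a captured challenge and response.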


SR ACL
ACL test using both interfaces and direction to apply the rule

[Diagram labels: Laptop Client 10.1.1.10/24; R3-SR 1004, E0-10.1.1.1/24, WAN-11.1.1.2/24, IP route 0/0 11.1.1.1; Carrier CO, T1 Crossover, Simulated T1 WAN; R4-SR 1004, E0-192.168.0.100/24, WAN-11.1.1.1/24, IP route 0/0 11.1.1.2; Server 192.168.0.2]

Step 1. Build the ACL
R1/configure > ip access-list test
R1/configure/ip/access-list test > add deny icmp any 192.168.0.2/32 log on
R1/configure/ip/access-list test > add permit ip any any
R1/configure/ip/access-list test > exit

Step 2. Review the ACL
R1# show ip access-list test
Filter Rule List : test
1. deny icmp any 192.168.0.2/32 log on
2. permit ip any any

Step 3. Apply the filter to interface and direction
R1/configure/ip# access-group ?
SYNTAX
  access-group interface listname pktdir <cr>
DESCRIPTION
  interface -- interface name - ethernet0, ethernet1 or bundle_name ( enter a word )
  listname -- filter rule list name ( enter a word )
  pktdir -- for inbound/outbound packets
    The parameter may have any of the following values:
    in -- On Inbound packets
    out -- On Outbound packets

R1/configure/ip# access-group wan test in              (ping to 192.168.0.2 stopped)
R1/configure/ip# no access-group wan test in           (started again)
R1/configure/ip# access-group ethernet0 test out       (ping to 192.168.0.2 stopped)
R1/configure/ip# no access-group ethernet0 test out    (started again)


SR ACL for SSH
ACL test example to restrict SSH to only one subnet

[Diagram labels: Laptop 192.168.0.102/24, SSH Client Putty, SSH Version 2; R1-SR 1004, E0-192.168.0.10/24, WAN-10.1.1.1/30, IP route 0/0 10.1.1.2; Carrier CO, T1 Crossover, Simulated T1 WAN; R2-SR 1004, WAN-10.1.1.2/30, IP route 0/0 10.1.1.1, SSH Server enabled]

R2-SR configuration
conf t
hostname R2
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 10.1.1.2 255.255.255.252
  exit bundle
ssh_server
  enable
  exit ssh_server
ip
  route 0.0.0.0 0.0.0.0 10.1.1.1 1
  access-list SSH
    add permit tcp 192.168.0.0/24 10.1.1.2/32 dport =22
    add deny tcp any 10.1.1.2/32 dport =22
    add permit ip any any
    exit access-list
  access-group wan SSH in
  exit ip

The R2 SR had the SSH key generated. The SSH server has been enabled on R2. Access to TCP port 22 is restricted to the one subnet that the SSH clients are on by applying an ACL inbound on the WAN interface.
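The two ACL slides above depend on rule order: the specific permit and deny for port 22 have to come before the catch-all permit. The following is an added example, not part of the original deck: it parses the "add ..." rule lines shown on the slides, evaluates packets against them, and reports rules that can never match. It assumes rules are checked in the numbered order that "show ip access-list" prints and the first match decides; the device's behaviour when nothing matches is not stated on the slides, so that case is returned as "no-match".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]    # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]                    # None means any port


def _net(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse one rule line in the slide's syntax; trailing 'log on' is ignored."""
    tokens = line.split()
    if tokens and tokens[0] == "add":
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {line!r}")
    action, proto, src, dst = tokens[:4]
    dport = None
    if "dport" in tokens[4:]:
        dport = int(tokens[tokens.index("dport") + 1].lstrip("="))
    return Rule(action, proto, _net(src), _net(dst), dport)


def _contains(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule number) of the first rule that matches the packet."""
    for number, r in enumerate(rules, start=1):
        if (r.proto in ("ip", proto) and _contains(r.src, src)
                and _contains(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, number
    return "no-match", None


def _covers(outer, inner):
    return outer is None or (inner is not None and inner.subnet_of(outer))


def shadowed(rules):
    """(later, earlier) rule numbers where the earlier rule already matches
    every packet the later rule could match, so the later one never fires."""
    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                hits.append((j + 1, i + 1))
                break
    return hits


# Rule lines copied from the two ACL slides.
ACL_TEST = [parse_rule(l) for l in (
    "add deny icmp any 192.168.0.2/32 log on",
    "add permit ip any any",
)]
ACL_SSH = [parse_rule(l) for l in (
    "add permit tcp 192.168.0.0/24 10.1.1.2/32 dport =22",
    "add deny tcp any 10.1.1.2/32 dport =22",
    "add permit ip any any",
)]
# Constructed counter-example: the same rules with the catch-all entered first.
ACL_SSH_MISORDERED = [ACL_SSH[2], ACL_SSH[0], ACL_SSH[1]]

if __name__ == "__main__":
    print(evaluate(ACL_SSH, "tcp", "192.168.0.102", "10.1.1.2", 22))
    print(evaluate(ACL_SSH, "tcp", "10.1.1.1", "10.1.1.2", 22))
    print(evaluate(ACL_SSH, "tcp", "10.1.1.1", "10.1.1.2", 23))
    print(shadowed(ACL_SSH), shadowed(ACL_SSH_MISORDERED))
```

The third call shows the limit of this ACL: it filters only TCP port 22, and any other service enabled on R2 stays reachable through the final permit.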


SR Radius support
Test Radius authentication using Freeradius Server to user levels

[Diagram labels: Radius Server 192.168.0.104; Radius Client 192.168.0.10]

SR 1004 configuration
conf t
aaa
  authentication login default radius/local
  authentication protocols default ascii
  enable
  radius
    primary_server 192.168.0.104
    src_address 192.168.0.10
    shared_key SRnet
    exit radius
  exit aaa
interface ethernet 0
  ip address 192.168.0.10 255.255.255.0
  exit ethernet

FreeRadius Server configuration
Need to modify four files on the Radius Server

• Hosts file (/etc/hosts)
  Need to add in client
    192.168.0.10 T1004

• Client.conf file (/usr/local/etc/raddb/clients.conf)
  Need to add client and shared key
    client 192.168.0.10 {
        secret = SRnet
        shortname = T1004
    }

• Users file (/usr/local/etc/raddb/user)
  Need to add the user
    kirk Auth-Type := Local, User-Password = "jamest"
        Service-Type = Admin-User
    spock Auth-Type := Local, User-Password = "vulcan"
        Service-Type = Level2-User
    mccoy Auth-Type := Local, User-Password = "bones"
        Service-Type = Level3-User
    sulu Auth-Type := Local, User-Password = "helm"
        Service-Type = Level4-User

• Dictionary file (/usr/local/share/freeradius/dictionary)
  Need to add in the different user levels
    #SR Dictionary:
    VALUE Service-Type Admin-User 1
    VALUE Service-Type Level2-User 2
    VALUE Service-Type Level3-User 3
    VALUE Service-Type Level4-User 4


SR TACACS+ Support
Test TACACS authentication using TACACS Server

[Diagram labels: Tacacs+ Server 192.168.0.104; Tacacs+ Client 192.168.0.10]

SR 1004 configuration
conf t
aaa
  authentication login default tacacs/local
  authentication protocols default ascii
  enable
  tacacs
    primary_server 192.168.0.104
    src_address 192.168.0.10
    shared_key SRnet
    exit tacacs
  exit aaa
interface ethernet 0
  ip address 192.168.0.10 255.255.255.0
  exit ethernet


TACACS+ Sample Config

# Please read the user_guide and tacacs+ FAQ for more information on more complex tacacs+ configuration files.
key = &*&^%&(0
#key = praveen

# Use /etc/passwd file to do authentication
default authentication = file /etc/passwd

# Now tacacs+ can also use default PAM authentication
#default authentication = pam pap

# If you would like to use DB authentication
#default authentication = db "db_type://db_user:db_pass@db_hostname/db_name/db_table?name_field&pass_field
# db_type: mysql or null
# db_user: Database connect username
# db_pass: Database connection password
# db_hostname : Database hostname
# db_name : Database name
# db_table : authentication table name
# name_field and pass_field: Username and password field name at the db_table

# Accounting records log file
accounting file = /var/log/tac_acc.log

# Would you like to store accounting records in database..
# db_accounting = "db_type://db_user:db_pass@db_hostname/db_name/db_table"
# Same as above..

# All services are allowed..
user = $enab1$ {
    login = cleartext "praveen"
    member = poweruser
}

user = praveen {
    # default service = permit
    chap = cleartext chap
    pap = cleartext pap
    login = cleartext india
    member = admin
}

user = root {
    default service = permit
    global = cleartext rootpass
    member = poweruser
}

user = fred {
    login = cleartext praveen
    member = config
}

user = bob {
    login = cleartext tiaranet
    member = staff
}

group = poweruser {
    cmd = debug_eng { permit .* }
    member = admin
}

group = admin {
    cmd = reboot { permit .* }
    cmd = configure { permit .* }
    cmd = show { permit .* }
    cmd = display { permit .* }
    cmd = clear { permit .* }
    member = config
}

group = config {
    cmd = telnet { permit .* }
    cmd = configure { deny aaa permit .* }
    cmd = clear { deny cfg_file deny crypto deny ip permit .* }
    member = staff
}

group = staff {
    cmd = show { deny configuration permit .* }
    cmd = ping { permit .* }
    cmd = trace { permit .* }
    cmd = debug { permit .* }
    cmd = display { deny configuration permit .* }
    cmd = enable { permit .* }
}

user = $enab4$ {
    login = cleartext "praveen"
}

user = raihan {
    default service = permit
    chap = cleartext chap
    pap = cleartext pap
    login = cleartext ascii
    member = admin
}


SR Traffic Policing in on WAN
Traffic Policing allows for rate limiting traffic inbound on the WAN

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; E0-10.1.1.1/24 (.1); SR1002, Hub Side; WAN 200.1.1.2/30, .1 and .2; SR1002, Remote Side; E0-192.168.0.1/24 (.1); Server 192.168.0.2/24, DG 192.168.0.1]

Remote Side
conf t
hostname Remote
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.0.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
  qos
    add_class ratelimit root-in
    class ratelimit
      police rate 512 burst 768
      add_dst_ip 192.168.0.0 24
      exit class
    enable policing inbound
    exit qos
  exit bundle
ip route 0.0.0.0 0 200.1.1.1
  exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
  clock_source internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  exit
ip route 0.0.0.0 0.0.0.0 200.1.1.2
  exit 2


SR Traffic Policing in on Ethernet
Traffic Policing allows for rate limiting traffic inbound on Ethernet interface

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; E0-10.1.1.1/24 (.1); SR1002, Hub Side; WAN 200.1.1.2/30, .1 and .2; SR1002, Remote Side; E0-192.168.0.1/24 (.1); Server 192.168.0.2/24, DG 192.168.0.1]

Remote Side
conf t
hostname Remote
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.0.1 24
  qos
    add_class ratelimit root-in
    class ratelimit
      police rate 512 burst 768
      add_src_ip 192.168.0.0 24
      exit class
    enable policing inbound
    exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
  exit bundle
ip route 0.0.0.0 0 200.1.1.1
  exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
  clock_source internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  exit
ip route 0.0.0.0 0.0.0.0 200.1.1.2
  exit 2


SR Sub-interfaces & Traffic policing
Sub-interfaces, Traffic Policing for QoS in & out on the WAN interface

[Diagram labels: Foundry Networks ServerIronXL VLAN Switch; VLAN 10, VLAN 20, VLAN 30; 802.1Q TRUNK; WAN]

SR CONFIGURATION
conf t
hostname Remote1
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  description "test10"
  encapsulation dot1q 10
  ip address 216.138.115.193 29
  speed 100 full_duplex
  exit ethernet
interface ethernet 0.1
  description "test20"
  encapsulation dot1q 20
  ip address 216.138.115.201 29
  exit ethernet
interface ethernet 0.2
  description "test30"
  encapsulation dot1q 30
  ip address 216.138.115.209 29
  exit ethernet
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 172.16.64.2 24
  qos
    add_class test10in root-in
    class test10in
      police rate 500 burst 1000
      add_dst_ip 216.138.115.192 29
      exit class
    add_class test20in root-in
    class test20in
      police rate 500 burst 1000
      add_dst_ip 216.138.115.200 29
      exit class
    add_class test30in root-in
    class test30in
      police rate 500 burst 1000
      add_dst_ip 216.138.115.208 29
      exit class
    add_class test10 root-out cr 500 br 1000
    class test10
      police rate 500 burst 1000
      add_src_ip 216.138.115.192 29
      exit class
    add_class test20 root-out cr 500 br 1000
    class test20
      police rate 500 burst 1000
      add_src_ip 216.138.115.200 29
      exit class
    add_class test30 root-out cr 500 br 1000
    class test30
      police rate 500 burst 1000
      add_src_ip 216.138.115.208 29
      exit class
    enable policing outbound
    enable policing inbound
    exit 2
ip route 0.0.0.0 0.0.0.0 172.16.64.1
  exit
wr mem


SR ISDN BRI support
128K BRI support used as a backup for a primary WAN interface (R8.3.5)

[Diagram labels: Laptop 192.168.0.2/24, DG 192.168.0.1; Top-SR 1001 BRI-U; WAN; Bot-SR 1001 BRI-U; Laptop 192.168.1.2/24, DG 192.168.1.1; ISDN, Port 1 555-0101, Port 2 555-0201]

conf t
hostname 1001BRI_BOT
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 200.0.0.2 30
  exit
interface bundle isdn
  link bri 128
  encapsulation ppp
  ip address 172.16.1.2 30
  isdn
    spid1 55501010101
    spid2 55501020101
    idle_timeout 1
    connect_delay 1
    callednum 5550201
    exit 2
ip route 0.0.0.0 0.0.0.0 wan
  route 0.0.0.0 0.0.0.0 isdn 50
  exit 2
wr mem

conf t
hostname 1001BRI_TOP
interface ethernet 0
  ip address 192.168.0.1 24
  exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 200.0.0.1 30
  exit
interface bundle isdn
  link bri 128
  encapsulation ppp
  ip address 172.16.1.1 30
  isdn
    spid1 55502010101
    spid2 55502020101
    idle_timeout 1
    connect_delay 1
    callednum 5550101
    exit 2
ip route 0.0.0.0 0.0.0.0 wan
  route 0.0.0.0 0.0.0.0 isdn 50
  exit 2
wr mem


Firewall and VPN


SR Firewall using PAT out to WAN
Stateful Firewall using object for PAT out to the WAN

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; 10.1.1.1 (.1); SR1002, HUB Side; T1 Crossover, Simulated T1 WAN, 200.1.1.0, .1 and .2; SR1002, REMOTE Side; 192.168.1.1 (.1); Server 192.168.1.2/24, DG 192.168.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
  clock_source internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  exit
ip
  route 0.0.0.0 0.0.0.0 200.1.1.2
  exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
  exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1 1
  exit ip
firewall internet
  interface wan
  exit 2
firewall corp
  interface ethernet0
  object
    nat-pool NATWAN pat 200.1.1.2
    exit object
  policy 100 out address 192.168.1.0 24 any any
    apply-object nat-pool NATWAN
    exit 2
wr mem


SR Firewall using NAT out Ethernet
Stateful Firewall using object for static NAT out the Ethernet

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; 10.1.1.1 (.1); SR1002, HUB Side; WAN 200.1.1.0, .1 and .2; SR1002, REMOTE Side; 192.168.1.1 (.1); Server 192.168.1.2/24, DG 192.168.1.1]

HUB Side
conf t
hostname HUB
module t1 1-2
  clock_source internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 24
  exit
ip
  route 0.0.0.0 0.0.0.0 200.1.1.2
  exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface bundle ethernet1
  ip address 200.1.1.2 24
  ip proxy_arp
  exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1
  route 200.1.1.3 32 ethernet0
  exit ip
firewall internet
  interface ethernet1
  exit 2
firewall corp
  interface ethernet0
  object
    nat-pool NATWAN static 192.168.1.2
    exit object
  policy 100 in address any any 200.1.1.3 32
    apply-object nat-pool NATWAN
    exit 2
wr mem


SR Firewall using PAT and DMZ
Stateful Firewall using object for PAT out to the WAN, & DMZ for FTP

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; 10.1.1.1 (.1); SR1002, HUB Side; T1 Crossover, Simulated T1 WAN, 200.1.1.0, .1 and .2; SR1002, REMOTE Side; 192.168.1.1; Server 192.168.1.2/24, DG 192.168.1.1; 201.1.1.1; FTP Server 201.1.1.2]

HUB Side
conf t
hostname HUB
module t1 1-2
  clock_source internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  exit
ip
  route 0.0.0.0 0.0.0.0 200.1.1.2
  exit
wr mem

REMOTE Side
conf t
hostname REMOTE
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.1.1 24
  exit ethernet
interface ethernet 1
  ip address 201.1.1.1 24
  exit ethernet
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
  exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1 1
  exit ip
firewall internet
  interface wan
  exit 2
firewall corp
  interface ethernet0
  object
    nat-pool NATWAN pat 200.1.1.2
    exit object
  policy 100 out address 192.168.1.0 24 any any
    apply-object nat-pool NATWAN
    exit 2
firewall dmz
  interface ethernet1
  policy 101 in address any any 201.1.1.0 24 service ftp
  exit 2
wr mem


SR Firewall to block Telnet & SNMP
Stateful Firewall used to block Telnet and SNMP to SR

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; E0-10.1.1.1/24 (.1); SR3120, Hub Side; WAN 200.1.1.2/30, .1 and .2; SR1002, Remote Side; E0-192.168.0.1/24 (.1); Server 192.168.0.2/24, DG 192.168.0.1]

Remote Side
conf t
hostname Remote
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.0.1 24
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
  exit bundle
ip route 0.0.0.0 0 200.1.1.1
  exit 2

Hub Side
conf t
hostname Hub
module ct3 1 t1 1-2
  clock internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  exit
ip route 0.0.0.0 0.0.0.0 200.1.1.2
  exit
firewall internet
  interface wan
  exit firewall
firewall corp
  object
    address SR 10.1.1.1
    address allowmgtIP 10.1.1.2 32
  interface ethernet0
  policy 10 in address allowmgtIP SR service telnet self
    exit policy
  policy 11 in address allowmgtIP SR service snmp self
    exit policy
  policy 12 in deny service telnet self
    enable-log
    exit policy
  policy 13 in deny service snmp self
    enable-log
    exit policy
  policy 100 in
    enable-log
    exit 2


SR Firewall & IPSec VPN
Stateful firewall and IPSec VPN site to site

[Diagram labels: Laptop 10.1.1.2/24, DG 10.1.1.1; 10.1.1.1 (.1); SR1002, H1 Side; T1 Crossover, Simulated T1 WAN, 192.168.1.0, .1 and .2; SR1002, R2 Side; 192.168.0.100 (.1); Server 192.168.0.3/24, DG 192.168.0.100]

R1 Side
conf t
hostname R1
module t1 1-2
  clock_source line
  exit
interface ethernet 0
  ip address 192.168.0.100 24
  crypto trusted
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 192.168.1.2 30
  crypto untrusted
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1 1
  exit
crypto
  ike policy toH1 192.168.1.1
    local-address 192.168.1.2
    key test
    proposal 1
      encryption-algorithm 3des-cbc
      exit 2
  ipsec policy toH1 192.168.1.1
    match address 192.168.0.0 24 10.1.1.0 24
    proposal 1 esp
    exit 4
firewall internet
  policy 100 in service ike self
  exit
firewall corp
  policy 100 in
  exit 2

H1 Side
conf t
hostname H1
module t1 1-2
  clock_source internal
  exit
interface ethernet 0
  ip address 10.1.1.1 24
  crypto trusted
  exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 192.168.1.1 30
  crypto untrusted
  exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2 1
  exit
crypto
  ike policy toR1 192.168.1.2
    local-address 192.168.1.1
    key test
    proposal 1
      encryption-algorithm 3des-cbc
      exit 2
  ipsec policy toR1 192.168.1.2
    match address 10.1.1.0 24 192.168.0.0 24
    proposal 1 esp
    exit 4
firewall internet
  policy 100 in service ike self
  exit
firewall corp
  policy 100 in
  exit 2


SR GRE tunnel with OSPF
SR using GRE tunnels to allow OSPF routes to pass

[Diagram: GRE tunnel t0 between two SR1002 routers across the Internet. Hub Side: t0 172.16.1.1/30, LB 100.1.1.1/32, E0 10.1.1.1/24, host 10.1.1.2/24 (DG 10.1.1.1). Remote Side: E0 192.168.0.100/24, LB1 100.1.1.2/32, t0 172.16.1.2/30, host 192.168.0.51/24 (DG 192.168.0.100). WAN link 200.1.1.2/30, .2 and .1. Hosts: Laptop, Server.]

Remote Side
conf t
hostname Remote
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.0.100 24
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
exit
interface loopback LB1
  ip address 100.1.1.2 32
exit
interface tunnel t0
  ip address 172.16.1.2 24
  tunnel source 100.1.1.2
  tunnel destination 100.1.1.1
ip
  route 0.0.0.0 0 wan
  route 100.1.1 32 wan
router routerid 100.1.1.2
router ospf
  area 0
  exit
  interface t0
    area 0
  exit
  interface ethernet0
    area 0
exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
  clock_source internal
exit
interface ethernet 0
  ip address 10.1.1.1 24
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
exit
interface loopback LB1
  ip address 100.1.1.1 32
exit
interface tunnel t0
  ip address 172.16.1.1 30
  tunnel source 100.1.1.1
  tunnel destination 100.1.1.2
exit
ip
  route 0.0.0.0 0 wan
  route 100.1.2 32 wan
router routerid 100.1.1.1
router ospf
  area 0
  exit
  interface t0
    area 0
  exit
  interface ethernet0
    area 0
exit 2


SR Firewall & IPSec with GRE
Firewall using IPSec site to site and GRE tunnel with OSPF

[Diagram: GRE tunnel t0 between two SR1002 routers across the Internet. Hub Side: t0 172.16.1.1/30, LB 100.1.1.1/32, E0 10.1.1.1/24, host 10.1.1.2/24 (DG 10.1.1.1). Remote Side: E0 192.168.0.100/24, LB1 100.1.1.2/32, t0 172.16.1.2/30, host 192.168.0.51/24 (DG 192.168.0.100). WAN link 200.1.1.2/30, .2 and .1. Hosts: Laptop, Server.]

Remote Side
conf t
hostname Remote
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.0.100 24
  crypto trusted
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
  crypto untrusted
exit
interface loopback LB1
  ip address 100.1.1.2 32
  crypto trusted
exit
interface tunnel t0
  ip address 172.16.1.2 24
  tunnel source 100.1.1.2
  tunnel destination 100.1.1.1
  tunnel protection toHUB test
  crypto untrusted
ip
  route 0.0.0.0 0 wan
  route 100.1.1 32 wan
router routerid 100.1.1.2
router ospf
  area 0
  exit
  interface t0
    area 0
  exit
  interface ethernet0
    area 0
exit 2
firewall internet
  policy 100 in proto gre self
  policy 110 in service ike self
exit
firewall corp
  policy 100 in
exit

Hub Side
conf t
hostname Hub
module t1 1-2
  clock_source internal
exit
interface ethernet 0
  ip address 10.1.1.1 24
  crypto trusted
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  crypto untrusted
exit
interface loopback LB1
  ip address 100.1.1.1 32
  crypto trusted
exit
interface tunnel t0
  ip address 172.16.1.1 30
  tunnel source 100.1.1.1
  tunnel destination 100.1.1.2
  tunnel protection toRemote test
  crypto untrusted
exit
ip
  route 0.0.0.0 0 wan
  route 100.1.2 32 wan
router routerid 100.1.1.1
router ospf
  area 0
  exit
  interface t0
    area 0
  exit
  interface ethernet0
    area 0
exit 2
firewall internet
  policy 100 in proto gre self
  policy 110 in service ike self
exit
firewall corp
  policy 100 in
exit


SR Firewall & IPSec Clients
Firewall and IPSec VPN to allow IPSec Clients to connect

[Diagram: two SR1002 routers joined by a T1 crossover (simulated T1 WAN) across the Internet. Hub Side: E0 10.1.1.1/24, host 10.1.1.2/24 (DG 10.1.1.1). Remote Side: E0 192.168.0.100/24, host 192.168.0.51/24 (DG 192.168.0.100). WAN link 200.1.1.2/30, .2 and .1. Hosts: Laptop, Server.]

Remote Side
conf t
hostname Remote
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.0.100 24
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.2 30
exit
ip
  route 0.0.0.0 0 wan
exit 2

Hub Side
conf t
hostname Hub
module t1 1-2
  clock_source internal
exit
interface ethernet 0
  ip address 10.1.1.1 24
  crypto trusted
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  ip address 200.1.1.1 30
  crypto untrusted
exit
ip
  route 0.0.0.0 0.0.0.0 wan 1
exit
crypto
  dynamic
    ike policy VPNuser modecfg-group
      local-address 200.1.1.1
      remote-id email-id [email protected]
      key testVPNkey
      proposal 1
        encryption-algorithm 3des-cbc
      exit proposal
      client configuration
        address-pool 1 20.1.1.100 20.1.1.110
    exit 3
    ipsec policy VPNuser modecfg-group
      match address 10.1.1.0 255.255.255.0
      proposal 1 esp
exit 2
firewall internet
  interface wan
  policy 100 in service ike self
  policy 101 in protocol icmp self
exit 2
firewall corp
  interface ethernet0
  policy 100 in address 20.1.1.100 20.1.1.110 any any
exit 2


Cisco to SR IPSec IPIP transport
Cisco to SR interop using IPSec with IPIP transport mode

[Diagram: IPSec tunnel (IPIP), 100.1.1.0, .2 and .1. Remote Side: SR1002, E0 10.1.1.1/24, WAN 10.1.2.1/24, host 10.1.1.2/24 (DG 10.1.1.1). Second SR1002: WAN 10.1.2.2/24, 192.168.1.0, .1 and .2. Hub Side: CISCO, FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24, host 192.168.2.2/24 (DG 192.168.2.1). Hosts: Laptop, Server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
  ip address 10.1.1.1 24
  crypto trusted
exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 10.1.2.1 24
  crypto untrusted
exit bundle
interface tunnel to-cisco
  ip address 100.1.1.1 24
  keepalive interval 0 retries 1
  tunnel source 10.1.2.1
  tunnel destination 192.168.1.2
  tunnel mode ipip
  crypto untrusted
exit tunnel
ip
  route 0.0.0.0 0.0.0.0 10.1.2.2 1
  route 100.1.1.2 32 to-cisco 1
  route 192.168.2.0 24 to-cisco 1
exit ip
crypto
  ike policy to-ns 192.168.1.2
    local-address 10.1.2.1
    key myvpn
    proposal 1
      encryption-algorithm 3des-cbc
  exit 2
  ipsec policy to-ns 192.168.1.2
    match address 10.1.2.1 32 192.168.1.2 32
    proposal 1 esp
      mode transport
      lifetime seconds 600
exit 3
firewall internet
  interface wan to-cisco
  policy 10 in self
exit 2
firewall corp
  interface ethernet0
  policy 10 in
exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode transport
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
call rsvp-sync
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode ipip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 100.1.1.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1


Cisco to SR IPSec IPIP tunnel
Cisco to SR interop using IPSec with IPIP tunnel mode

[Diagram: IPSec tunnel (IPIP), 100.1.1.0, .2 and .1. Remote Side: SR1002, E0 10.1.1.1/24, WAN 10.1.2.1/24, host 10.1.1.2/24 (DG 10.1.1.1). Second SR1002: WAN 10.1.2.2/24, 192.168.1.0, .1 and .2. Hub Side: CISCO, FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24, host 192.168.2.2/24 (DG 192.168.2.1). Hosts: Laptop, Server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
  ip address 10.1.1.1 24
  crypto trusted
exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 10.1.2.1 24
  crypto untrusted
exit bundle
interface tunnel to-cisco
  ip address 100.1.1.1 24
  keepalive interval 0 retries 1
  tunnel source 10.1.2.1
  tunnel destination 192.168.1.2
  tunnel mode ipip
  crypto untrusted
exit tunnel
ip
  route 0.0.0.0 0.0.0.0 10.1.2.2 1
  route 100.1.1.2 32 to-cisco 1
  route 192.168.2.0 24 to-cisco 1
exit ip
crypto
  ike policy to-ns 192.168.1.2
    local-address 10.1.2.1
    key myvpn
    proposal 1
      encryption-algorithm 3des-cbc
  exit 2
  ipsec policy to-ns 192.168.1.2
    match address 10.1.2.1 32 192.168.1.2 32
    proposal 1 esp
      mode tunnel
      lifetime seconds 600
exit 3
firewall internet
  interface wan to-cisco
  policy 10 in self
exit 2
firewall corp
  interface ethernet0
  policy 10 in
exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
call rsvp-sync
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode ipip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 100.1.1.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1


Cisco to SR IPSec GRE transport
Cisco to SR interop using IPSec with GRE transport mode

[Diagram: IPSec tunnel (GRE), 100.1.1.0, .2 and .1. Remote Side: SR1002, E0 10.1.1.1/24, WAN 10.1.2.1/24, host 10.1.1.2/24 (DG 10.1.1.1). Second SR1002: WAN 10.1.2.2/24, 192.168.1.0, .1 and .2. Hub Side: CISCO, FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24, host 192.168.2.2/24 (DG 192.168.2.1). Hosts: Laptop, Server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
  ip address 10.1.1.1 24
  crypto trusted
exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 10.1.2.1 24
  crypto untrusted
exit bundle
interface tunnel to-cisco
  ip address 100.1.1.1 24
  keepalive interval 0 retries 1
  tunnel source 10.1.2.1
  tunnel destination 192.168.1.2
  tunnel mode gre
  crypto untrusted
exit tunnel
ip
  route 0.0.0.0 0.0.0.0 10.1.2.2 1
  route 100.1.1.2 32 to-cisco 1
  route 192.168.2.0 24 to-cisco 1
exit ip
crypto
  ike policy to-ns 192.168.1.2
    local-address 10.1.2.1
    key myvpn
    proposal 1
      encryption-algorithm 3des-cbc
  exit 2
  ipsec policy to-ns 192.168.1.2
    match address 10.1.2.1 32 192.168.1.2 32
    proposal 1 esp
      mode transport
      lifetime seconds 600
exit 3
firewall internet
  interface wan to-cisco
  policy 10 in self
exit 2
firewall corp
  interface ethernet0
  policy 10 in
exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode transport
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
call rsvp-sync
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode gre ip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 100.1.1.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1


Cisco to SR IPSec IPIP tunnel OSPF
Cisco to SR interop using IPSec with IPIP tunnel mode to pass OSPF

[Diagram: IPSec tunnel (IPIP), 100.1.1.0, .2 and .1. Remote Side: SR1002, E0 10.1.1.1/24, WAN 10.1.2.1/24, host 10.1.1.2/24 (DG 10.1.1.1). Second SR1002: WAN 10.1.2.2/24, 192.168.1.0, .1 and .2. Hub Side: CISCO, FA 0/0 192.168.1.2/24, FA 0/1 192.168.2.1/24, host 192.168.2.2/24 (DG 192.168.2.1). Hosts: Laptop, Server.]

Remote Side
conf t
hostname Remote
interface ethernet 0
  ip address 10.1.1.1 24
  crypto trusted
exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 10.1.2.1 24
  crypto untrusted
exit bundle
interface tunnel to-cisco
  ip address 100.1.1.1 24
  keepalive interval 0 retries 1
  tunnel source 10.1.2.1
  tunnel destination 192.168.1.2
  tunnel mode ipip
  crypto untrusted
exit tunnel
interface loopback LB0
  ip address 3.3.3.1 255.255.255.0
exit loopback
ip
  route 0.0.0.0 0.0.0.0 10.1.2.2 1
exit ip
router routerid 3.3.3.1
router ospf
  area 0
  exit area
  interface ethernet0
    area_id 0
  exit interface
  interface to-cisco
    area_id 0
exit 2
crypto
  ike policy to-ns 192.168.1.2
    local-address 10.1.2.1
    key myvpn
    proposal 1
      encryption-algorithm 3des-cbc
  exit 2
  ipsec policy to-ns 192.168.1.2
    match address 10.1.2.1 32 192.168.1.2 32
    proposal 1 esp
      mode tunnel
      lifetime seconds 600
exit 3
firewall internet
  interface wan to-cisco
  policy 10 in self
exit 2
firewall corp
  interface ethernet0
  policy 10 in
exit 2

Hub Side
conf t
Version 12.2
hostname HUbr
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key myvpn address 10.1.2.1
!
crypto ipsec transform-set ESP1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map VTI 1 ipsec-isakmp
 set peer 10.1.2.1
 set security-association lifetime seconds 600
 set transform-set ESP1
 match address 100
!
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
!
interface Tunnel0
 ip address 100.1.1.2 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.1.2.1
 tunnel mode ipip
 crypto map VTI
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VTI
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 100.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 100 permit ip host 192.168.1.2 host 10.1.2.1
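
Added example (not part of the original deck): a small Python audit of SR-style config text for settings that appear in the firewall and IPSec slides above: 3des-cbc IKE proposals, short pre-shared keys such as "test" and "myvpn", and firewall policies that admit Telnet/SNMP or all traffic to the router itself. The rule names, the 20-character key threshold and the reading that a policy without "deny" is a permit are assumptions; the sample config is assembled from lines on these slides.

```python
"""Audit SR-style config text for weak VPN and management-plane settings."""

MIN_PSK_LEN = 20                    # assumed local policy, not a vendor limit
DEPRECATED_CIPHERS = {"3des-cbc"}   # 64-bit block cipher; extend as needed
CLEARTEXT_MGMT = {"telnet", "snmp"}  # services named in the firewall slide

# Constructed sample: lines copied from the R1, Hub and Cisco-interop slides.
SAMPLE_CONFIG = """\
crypto
  ike policy toH1 192.168.1.1
    local-address 192.168.1.2
    key test
    proposal 1
      encryption-algorithm 3des-cbc
  exit 2
  ipsec policy toH1 192.168.1.1
    match address 192.168.0.0 24 10.1.1.0 24
    proposal 1 esp
exit 4
firewall internet
  interface wan to-cisco
  policy 10 in self
exit 2
firewall corp
  interface ethernet0
  policy 10 in address allowmgtIP SR service telnet self
  exit policy
  policy 12 in deny service telnet self enable-log
  exit policy
  policy 100 in enable-log
exit 2
"""


def _value_after(tokens, keyword):
    """Return the token that follows keyword, or None if it is absent."""
    if keyword in tokens and tokens.index(keyword) + 1 < len(tokens):
        return tokens[tokens.index(keyword) + 1]
    return None


def audit(config_text):
    """Return a list of (rule, context, detail) findings in config order."""
    findings = []
    section, name = None, None   # current block: ike / ipsec / firewall
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("ike", "ipsec") and tok[1:2] == ["policy"] and len(tok) >= 3:
            section, name = tok[0], tok[2]
        elif tok[0] == "firewall" and len(tok) >= 2:
            section, name = "firewall", tok[1]
        elif section == "ike" and tok[0] == "key" and len(tok) == 2:
            if len(tok[1]) < MIN_PSK_LEN:
                findings.append(("short-psk", name, f"{len(tok[1])} chars"))
        elif section == "ike" and tok[0] == "encryption-algorithm" and len(tok) == 2:
            if tok[1] in DEPRECATED_CIPHERS:
                findings.append(("deprecated-cipher", name, tok[1]))
        elif (section == "firewall" and tok[0] == "policy" and len(tok) >= 2
              and "self" in tok and "deny" not in tok):
            # Assumption: a to-self policy without "deny" permits the traffic.
            service = _value_after(tok, "service")
            src = _value_after(tok, "address") or "any"
            where = f"{name}/{tok[1]}"
            if service in CLEARTEXT_MGMT:
                findings.append(("cleartext-mgmt", where, f"{service} from {src}"))
            elif (service is None and src == "any"
                  and not {"proto", "protocol"} & set(tok)):
                findings.append(("any-to-self", where,
                                 "all inbound traffic to the router"))
    return findings


if __name__ == "__main__":
    for rule, context, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:18} {context:12} {detail}")
```

A source-restricted Telnet permit (corp/10) is still reported, because the session itself stays in cleartext even when the source address is limited.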


Layer 2


SR bridging 802.3 over the PPP WAN
BCP used to forward the bridge group over WAN, manage from E0 IP

[Diagram: SR 1002 (Encoder side) and SR 1002 (Decoder side) joined by a T1 crossover (simulated T1 WAN) through the Carrier CO. Video Client 10.1.1.10/24 (Laptop), Video Server 10.1.1.11/24 (Server).]

ENCODER
conf t
hostname encoder
module t1 1
  clock_source line
exit
Interface ethernet 0
  ip address 10.1.1.5 24
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1
  encap ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  management
    vlanid 10
exit 3
wr mem

DECODER
conf t
hostname decoder
module t1 1
  clock_source internal
exit
interface ethernet 0
  ip address 10.1.1.6 24
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1
  encap ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  management
    vlanid 10
exit 3
wr mem


SR bridging 802.3 over WAN, MAC learn
BCP used to forward bridge group on WAN, and enable MAC learning

[Diagram: SR 1002 (HUB side) and SR 1002 (REMOTE side) joined by a T1 crossover (simulated T1 WAN) through the Carrier CO. Client 10.1.1.10/24 (Laptop), Server 10.1.1.11/24.]

HUB
conf t
hostname Remote
module t1 1
  clock_source line
exit
interface ethernet 0
  ip address 10.1.1.1 24
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1
  encap ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  management
    vlanid 10
  exit management
  macbridge
  exit macbridge
exit vlanfwd
wr mem

REMOTE
conf t
hostname HUB
module t1 1
  clock_source internal
exit
interface ethernet 0
  ip address 10.1.1.2 24
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1
  encap ppp
  no red
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  management
    vlanid 10
  exit management
  macbridge
  exit macbridge
exit vlanfwd
wr mem


SR bridging 802.3 MLPPP WAN
BCP used to forward bridge group over WAN, manage from E0 IP

[Diagram: SR 1002 (HUB side) and SR 1002 (REMOTE side) joined by a T1 crossover (simulated T1 WAN) through the Carrier CO. Client 10.1.1.10/24 (Laptop), Server 10.1.1.11/24.]

HUB
conf t
hostname HUB
module t1 1-2
  clock_source internal
exit
interface ethernet 0
  ip address 10.1.1.1 24
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1-2
  encap ppp
  bcp
    bridge lan
  exit
  vlan
    vlanid 10
exit 2
vlanfwd
  management
    vlanid 10
exit 3
wr mem

REMOTE
conf t
hostname REMOTE
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 10.1.1.2 24
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1-2
  encap ppp
  bcp
    bridge lan
  exit
  vlan
    vlanid 10
exit 2
vlanfwd
  management
    vlanid 10
exit 3
wr mem


SR bridge 802.3 & VMI interface
Using BCP to forward over WAN and use VMI to manage the device

[Diagram: SR 1002 (HUB side) and SR 1002 (REMOTE side) joined by a T1 crossover (simulated T1 WAN) through the Carrier CO. Client 10.1.1.10/24 (Laptop), Server 10.1.1.11/24.]

HUB
conf t
hostname HUB
module t1 1-2
  clock_source internal
exit
interface ethernet 0
  ip address 192.168.0.1 30
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1-2
  encap ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  management
    vlanid 10
    ip_interface address 10.1.1.3 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

REMOTE
conf t
hostname REMOTE
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.0.1 30
  vlan
    vlanid 10
  exit
exit
int bundle wan
  link t1 1-2
  encap ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  management
    vlanid 10
    ip_interface address 10.1.1.4 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management.


SR bridge VLAN over WAN
Using VLANFWD to define which VLAN will be forwarded, and VMI

[Diagram: HUB North (Foundry FastIron II), 802.1Q trunk, 10/100 Ethernet, SR 3120, channelized DS3, WAN, 2 T1 MLPPP, SR 1004, Customer Switch (VLAN 331) at Customer X Site 1. Tagged 802.1Q packets forwarded for VLAN 331 and VLAN 1000. SNMP Mgr on VLAN 1000, 172.16.16.1.1/24.]

SR 1004 Site1
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.1.1 30
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 10.1.1.202 24
    default_route 10.1.1.1.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
  ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4 clock line
exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit
vlanfwd
  add vlanid 1000 ethernet0
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 10.1.1.201 24
    default_route 10.1.1.1 VlanMgmt

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management.


SR VLAN tagging & forwarding
CPE tags the ingress packets and forwards them to the HUB

[Diagram: HUB North and HUB South (Foundry FastIron II), joined through the Internet. Each hub: 802.1Q trunk, 10/100 Ethernet, SR 3120, channelized DS3, WAN, 2 T1 MLPPP, SR 1004, Customer Hub/Switch (Customer X Site 1 and Site 2). 802.3 packets arrive from the customer, packets are tagged Id 331, tagged packets are forwarded for VLAN 331 and VLAN 1000. SNMP Mgr on VLAN 1000, 172.25.0.100/16.]

SR 1004 Site1
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.1.1 30
  vlan
    vlanid 331
exit 2
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.25.24.155 16
    default_route 172.25.0.1 VlanMgmt

SR 1004 Site2
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.1.1 30
  vlan
    vlanid 331
exit 2
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.25.24.157 16
    default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
  ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4 clock line
exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit
vlanfwd
  add vlanid 1000 ethernet0
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.25.24.156 16
    default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub2
interface ethernet 0
  ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4 clock line
exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit
vlanfwd
  add vlanid 1000 ethernet0
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.125.24.158 16
    default_route 172.25.0.1 VlanMgmt

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management.


SR VLAN forwarding
Device forwards the traffic based on VLAN id and managed inband

[Diagram: HUB North and HUB South (Foundry FastIron II), joined through the Internet. Each hub: 802.1Q trunk, 10/100 Ethernet, SR 3120, channelized DS3, WAN, 2 T1 MLPPP, SR 1004, Customer Switch (Customer X Site 1 and Site 2). 802.1Q packets arrive from the customer and tagged packets are forwarded for VLAN 331 and VLAN 1000. SNMP Mgr on VLAN 1000, 172.25.0.100/16.]

SR 1004 Site1
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.1.1 30
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.25.24.155 16
    default_route 172.25.0.1 VlanMgmt

SR 1004 Site2
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.1.1 30
exit
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.25.24.157 16
    default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
  ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4 clock line
exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit
vlanfwd
  add vlanid 1000 ethernet0
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.25.24.156 16
    default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub2
interface ethernet 0
  ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4 clock line
exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit
vlanfwd
  add vlanid 1000 ethernet0
  add vlanid 331 ethernet0
  add vlanid 1000 wan
  add vlanid 331 wan
  management
    vlanid 1000
    ip_interface address 172.125.24.158 16
    default_route 172.25.0.1 VlanMgmt

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management.


SR double tagging (QinQ)
CPE tags the ingress packets and forwards them to the HUB with QinQ

[Diagram: HUB North and HUB South (Extreme BlackDiamond), joined through the Internet. Each hub: QinQ trunk, 10/100 Ethernet, SR 3120, channelized DS3, WAN, 2 T1 MLPPP, SR 1004, Customer Switch VLAN10 (Customer X Site 1 and Site 2). 802.1Q packets arrive from the customer, packets are tagged VLD 102, tagged packets are forwarded for VLD 102 and VLD 1000. SNMP Mgr on VLD 1000, 172.25.0.100/16.]

SR 1004 Site1
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.1.1 30
  vlan
    vldid 102
exit 2
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  vld_ether_type 37120
  add vldid 1000 wan
  add vldid 102 wan
  management
    vldid 1000
    ip_interface address 172.25.24.155 16
    default_route 172.25.0.1 VlanMgmt

SR 1004 Site2
module t1 1-2
  clock_source line
exit
interface ethernet 0
  ip address 192.168.1.1 30
  vlan
    vldid 102
exit 2
interface bundle wan
  link t1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  vld_ether_type 37120
  add vldid 1000 wan
  add vldid 102 wan
  management
    vldid 1000
    ip_interface address 172.25.24.157 16
    default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub1
interface ethernet 0
  ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4 clock line
exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit
vlanfwd
  vld_ether_type 37120
  add vldid 1000 ethernet0
  add vldid 102 ethernet0
  add vldid 1000 wan
  add vldid 102 wan
  management
    vldid 1000
    ip_interface address 172.25.24.156 16
    default_route 172.25.0.1 VlanMgmt

SR 3120
hostname Hub2
interface ethernet 0
  ip address 192.168.1.1 30
exit
module ct3 1 t1 1-4 clock line
exit
interface bundle wan
  link ct3 1 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit
vlanfwd
  vld_ether_type 37120
  add vldid 1000 ethernet0
  add vldid 102 ethernet0
  add vldid 1000 wan
  add vldid 102 wan
  management
    vldid 1000
    ip_interface address 172.125.24.158 16
    default_route 172.25.0.1 VlanMgmt

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management.

Note: Extreme's VMAN uses Ethertype 9100. To interoperate, we need to change our default Ethertype of 8100 to 9100:
Router/configure/vlanfwd> vld_ether_type 37120
Global Vld Ethernet Type set to 37120 (0x9100)
This can be changed per interface, under each interface of VLD tagging.


SR bridging 802.3 NxDS3 WAN
NxDS3 MLPPP WAN bridging 802.3 packet & inband Management

[Diagram: two SR 3120 routers (HUB and REMOTE) joined across the WAN by 2 DS-3 TX-RX (simulated DS3 circuits). Two HUB side switches and two REMOTE side switches exchange untagged packets with the routers.]

3120#configure t
hostname HUB
module t3 1
  clock_source internal
exit
module t3 2
  clock_source internal
exit
int ethernet 0
  ip address 192.168.1.1 30
  vlan
    vlanid 10
exit 2
int ethernet 1
  ip address 192.168.1.5 30
  vlan
    vlanid 11
exit 2
interface bundle wan
  link t3 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  add vlanid 11 wan
  management
    vlanid 10
    ip_interface address 10.1.1.10 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

3120#configure t
hostname REMOTE
module t3 1
  clock_source line
exit
module t3 2
  clock_source line
exit
int ethernet 0
  ip address 192.168.1.1 30
  vlan
    vlanid 10
exit 2
int ethernet 1
  ip address 192.168.1.5 30
  vlan
    vlanid 11
exit 2
interface bundle wan
  link t3 1-2
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 wan
  add vlanid 11 wan
  management
    vlanid 10
    ip_interface address 10.1.1.11 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

Note: IP address on Ethernet is only to bring up the interface.


SR bridging 802.1Q NxDS3 WAN
NxDS3 MLPPP WAN bridging 802.1Q packet & inband Management

[Diagram: two SR 3120 routers (HUB and REMOTE) joined across the WAN by 2 DS-3 TX-RX (simulated DS3 circuits). HUB VLAN 10 switch, HUB VLAN 11 switch, REMOTE VLAN 10 switch and REMOTE VLAN 11 switch exchange tagged packets with the routers.]

3120#configure t
hostname HUB
module t3 1
  clock_source internal
exit
module t3 2
  clock_source internal
exit
int ethernet 0
  ip address 192.168.1.1 30
exit
int ethernet 1
  ip address 192.168.1.5 30
exit
interface bundle wan
  link t3 1-2
  encapsulation ppp
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 ethernet0
  add vlanid 10 wan
  add vlanid 11 ethernet1
  add vlanid 11 wan
  management
    vlanid 10
    ip_interface address 10.1.1.10 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

3120#configure t
hostname REMOTE
module t3 1
  clock_source line
exit
module t3 2
  clock_source line
exit
int ethernet 0
  ip address 192.168.1.1 30
exit
int ethernet 1
  ip address 192.168.1.5 30
exit
interface bundle wan
  link t3 1-2
  bcp
    bridge vlan
exit 2
vlanfwd
  add vlanid 10 ethernet0
  add vlanid 10 wan
  add vlanid 11 ethernet1
  add vlanid 11 wan
  management
    vlanid 10
    ip_interface address 10.1.1.11 24
    default_route 10.1.1.1 VlanMgmt
exit 3
wr mem

Note: IP address on Ethernet is only to bring up the interface.


SR VLAN forwarding over WAN Using MLPPP Forward VLAN from Foundry over the WAN

SR CONFIGURATIONconf thostname Remote1interface ethernet 0ip address 192.168.0.1 30exitmodule t1 1-2 clock_source line exitinterface bundle wan1 link t1 1-2 encapsulation ppp bcp bridge vlan exit 2vlanfwd add vlanid 10 ethernet0 add vlanid 10 wan1 management vlanid 10 ip_interface address 10.1.1.3 24 default_route 10.1.1.1 VlanMgmt exit 3wr mem

[Diagram labels: Remote1 (SR 1004); Remote2 (SR 1004)]

SR CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 30
 exit
interface ethernet 1
 ip address 192.168.0.5 30
 exit
module t1 1-8
 clock_source internal
 exit
interface bundle wan1
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit 2
interface bundle wan2
 link t1 4-5
 encapsulation ppp
 bcp
 bridge vlan
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan1
 add vlanid 20 ethernet1
 add vlanid 20 wan2
 management
 vlanid 10
 ip_interface
 address 10.1.1.2 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

[Diagram labels: Hub (SR 3120); MLPPP, 2 T1, 3 Meg (x2)]

SR CONFIGURATION
conf t
hostname Remote2
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan2
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit 2
vlanfwd
 add vlanid 20 ethernet0
 add vlanid 20 wan2
 management
 vlanid 20
 ip_interface
 address 10.1.1.3 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

[Diagram labels: Foundry (x3); Foundry Networks FastIron II; VLAN 10 (x2); VLAN 20 (x2)]


SR CONFIGURATION
conf t
hostname tas1
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1
 clock_source internal
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 bcp
 bridge vlan
 exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management
 vlanid 200
 ip_interface
 address 138.202.200.83 24
 default_route 138.202.200.200 VlanMgmt
 exit 3
wr mem

SR VLAN forwarding over WAN
Using PPP, forward 802.1Q VLAN across the WAN

[Diagram labels: tas1 (SR 1004); tas2 (SR 1004); T1 Crossover, Simulated T1 WAN; WAN]

SR CONFIGURATION
conf t
hostname tas2
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1
 clock_source line
 exit
interface bundle wan
 link t1 1
 encapsulation ppp
 bcp
 bridge vlan
 exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management
 vlanid 200
 ip_interface
 address 138.202.200.84 24
 default_route 138.202.200.200 VlanMgmt
 exit 3
wr mem

[Diagram labels: Tagged Packets (x2); VLAN 75, VLAN 130, VLAN 176 (x2); 802.1Q TRUNK (x2); VLAN Switch (x2); Foundry Networks FastIron II; Backbone LAN Router: VLAN 76 X.X.X.200, VLAN 130 X.X.X.200, VLAN 176 X.X.X.200, VLAN 200 138.202.200.200/24]

Typical Cisco 3550 config
#config t
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 channel-group 1 mode desirable
interface FastEthernet0/2
 switchport access vlan 75
 switchport mode access
 no ip address
interface FastEthernet0/3
 switchport access vlan 130
 switchport mode access
 no ip address
interface FastEthernet0/4
 switchport access vlan 176
 switchport mode access
 no ip address
interface Vlan75
 ip address X.X.X.X 255.255.255.0


SR VLAN forwarding over WAN
Using MLPPP, forward 802.1Q VLAN across

SR CONFIGURATION
conf t
hostname tas1
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-4
 clock_source internal
 exit
interface bundle wan
 link t1 1-4
 encapsulation ppp
 bcp
 bridge vlan
 exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management
 vlanid 200
 ip_interface
 address 138.202.200.83 24
 default_route 138.202.200.200 VlanMgmt
 exit 3
wr mem

[Diagram labels: tas1 (SR 1004); tas2 (SR 1004); T1 Crossover, Simulated T1 WAN]

SR CONFIGURATION
conf t
hostname tas2
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-4
 clock_source line
 exit
interface bundle wan
 link t1 1-4
 encapsulation ppp
 bcp
 bridge vlan
 exit 2
vlanfwd
 add vlanid 75 ethernet0
 add vlanid 75 wan
 add vlanid 130 ethernet0
 add vlanid 130 wan
 add vlanid 176 ethernet0
 add vlanid 176 wan
 add vlanid 200 ethernet0
 add vlanid 200 wan
 management
 vlanid 200
 ip_interface
 address 138.202.200.84 24
 default_route 138.202.200.200 VlanMgmt
 exit 3
wr mem

[Diagram labels: Tagged Packets (x2); VLAN 75, VLAN 130, VLAN 176 (x2); 802.1Q TRUNK (x2); VLAN Switch (x2); Foundry Networks FastIron II; Backbone LAN Router: VLAN 76 X.X.X.200, VLAN 130 X.X.X.200, VLAN 176 X.X.X.200, VLAN 200 138.202.200.200/24; WAN]

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management


SR bridge 802.3 over FR (FRF.16)
Using MLFR, create bridge groups and bridge 802.3 over FR (FRF.16)

[Diagram labels: Two T1 Lines Using MLFR; Carrier CO; SR 1004]

SR CONFIGURATION
conf t
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 10.1.1.2 24 (just used to bring up interface)
 vlan
 vlanid 10
 exit 2
interface bundle wan
 link t1 1-2
 encapsulation frelay
 fr
 intf_type dte
 pvc 100
 shaping cir 3072000 bcmax 3072000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit 3
vlanfwd
 add vlanid 10 wan:100
 management
 vlanid 10
 ip_interface
 address 192.168.3.2 24
 default_route 192.168.3.1 VlanMgmt
 exit 3
hostname REMOTE
wr mem

[Diagram label: 192.168.3.2/24]

SR CONFIGURATION
conf t
module t1 1-2
 clock_source internal
 exit
interface ethernet 0
 ip address 10.1.1.1 24
 vlan
 vlanid 10
 exit 2
interface bundle wan
 link t1 1-2
 encapsulation frelay
 fr
 intf_type dce
 pvc 100
 shaping cir 3072000 bcmax 3072000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit 3
vlanfwd
 add vlanid 10 wan:100
 management
 vlanid 10
 ip_interface
 address 192.168.3.3 24
 default_route 192.168.3.1 VlanMgmt
 exit 3
hostname HUB
wr mem

192.168.3.1/24

SR 3120


SR bridge 802.3 over FR (FRF.15)
Using MLFR, create bridge groups and bridge 802.3 over FR (FRF.15)

[Diagram labels: Two T1 Lines Using MLFR; Carrier CO; SR 1004]

SR CONFIGURATION
conf t
module t1 1-2
 clock_source internal
 exit 1
interface ethernet 0
 ip add 10.1.1.1 24
 vlan
 vlanid 10
 exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
 intf_type dce
 pvc 101
 exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
 intf_type dce
 pvc 102
 exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
wr mem

SR CONFIGURATION
conf t
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan
 vlanid 10
 exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
 intf_type dte
 pvc 101
 exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
 intf_type dte
 pvc 102
 exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
wr mem

192.168.3.2/24

192.168.3.1/24

SR 3120


SR bridge 802.3 over FR (FRF.15)
Using MLFR, create bridge groups and bridge 802.3 over FR (FRF.15)

[Diagram labels: Customer CPE, IP address 192.168.1.2/30, DG 192.168.1.1; Ethernet packets are tagged into WAN and untagged out to LAN; WAN; T1 are bundled using MLFR and data passed with VLAN tag; Core Router: Int fast 0/0.1, Encap dot1Q 10, ip address 192.168.1.1/30; Ethernet packets forwarded to LAN with VLAN tags; SR 1004; SR 3120]

[Diagram label: 192.168.3.2/24]

SR 1004
conf t
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan
 vlanid 10
 exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
 intf_type dte
 pvc 101
 exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
 intf_type dte
 pvc 102
 exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
wr mem

SR 3120
conf t
module ct3 1 t1 1-2
 clock internal
 exit
interface ethernet 0
 ip add 10.1.1.1 24
 exit
interface bundle cvc1
 link ct3 1 1
 encapsulation frelay
 fr
 intf_type dce
 pvc 101
 exit 3
interface bundle cvc2
 link ct3 1 2
 encapsulation frelay
 fr
 intf_type dce
 pvc 102
 exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
wr mem


SR bridge 802.3 over FR (FRF.15)
Using MLFR (FRF.15), packets are forwarded and inband Management

[Diagram labels: Customer CPE, IP address 192.168.1.2/24, DG 192.168.1.1; Ethernet packets are tagged into WAN and untagged out to LAN; WAN; T1 are bundled using MLFR and data passed with VLAN tag; Core Router: Int fast 0/0.1, Encap dot1Q 10, ip address 192.168.1.1/24; Ethernet packets forwarded to LAN with VLAN tags; SR 1004; SR 3120]

[Diagram label: 192.168.3.2/24]

SR 1004
conf t
module t1 1-2
 clock_source line
 exit
interface ethernet 0
 ip address 10.1.1.2 24
 vlan
 vlanid 10
 exit 2
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
 intf_type dte
 pvc 101
 exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
 intf_type dte
 pvc 102
 exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
 management
 vlanid 10
 ip_interface
 address 192.168.3.4 24
 default_route 192.168.3.1 VlanMgmt
wr mem

SR 3120
conf t
module ct3 1 t1 1-2
 clock internal
 exit
interface ethernet 0
 ip add 10.1.1.1 24
 exit
interface bundle cvc1
 link ct3 1 1
 encapsulation frelay
 fr
 intf_type dce
 pvc 101
 exit 3
interface bundle cvc2
 link ct3 1 2
 encapsulation frelay
 fr
 intf_type dce
 pvc 102
 exit 3
interface avc frf15 100
 cvc 101 cvc1
 cvc 102 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
 management
 vlanid 10
 ip_interface
 address 192.168.3.3 24
 default_route 192.168.3.1 VlanMgmt
wr mem


SR VLAN forward over FR (FRF.15)
Using MLFR (FRF.15), VLAN packets are forwarded & inband Management

SR 3120 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module ct3 1 t1 27-28
 clock internal
 exit
interface bundle cvc1
 link ct3 1 27
 encapsulation frelay
 fr
 intf_type dce
 pvc 210
 exit 3
interface bundle cvc2
 link ct3 1 28
 encapsulation frelay
 fr
 intf_type dce
 pvc 211
 exit 3
interface avc frf15 100
 cvc 210 cvc1
 cvc 211 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
 exit
wr mem

[Diagram labels: SR 1002; Two T1 Lines Using MLFR; Channelized DS3; SR 3120; Carrier CO; Juniper M10; Full Duplex 100M Ethernet; VLAN 10; VLAN Trunk; Ethernet packets forwarded to LAN with VLAN tags]

SR 1002 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source line
 exit
interface bundle cvc1
 link t1 1
 encapsulation frelay
 fr
 intf_type dte
 pvc 210
 exit 3
interface bundle cvc2
 link t1 2
 encapsulation frelay
 fr
 intf_type dte
 pvc 211
 exit 3
interface avc frf15 100
 cvc 210 cvc1
 cvc 211 cvc2
 bridge vlan
 enable mfr_e2e_enhanced
 exit 2
vlanfwd
 add vlanid 10 frf15:100
 add vlanid 10 ethernet0
 management
 vlanid 10
 ip_interface
 address 66.90.230.61 26
 default_route 66.90.230.0 VlanMgmt
wr mem

VLAN 10


SR to Cisco bridging over PPP
Cisco to SR interop with Bridging over PPP WAN

Cisco 7513

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.1.1 30
 vlan
 vlanid 100
 exit 2
interface bundle cisco
 link t1 1
 encapsulation ppp
 bcp
 bridge lan
 exit bcp
 vlan
 vlanid 100
 exit vlan
 exit bundle
vlanfwd
 management
 vlanid 100
 ip_interface
 address 11.1.1.2 24
 default_route 11.1.1.1 VlanMgmt
 exit 3
wr mem

CISCO CONFIGURATION
conf t
bridge irb
interface Loopback1
 ip address 11.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 bridge-group 1
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip mroute-cache
 bridge-group 1
!
!
no ip classless
ip route 11.1.1.1 255.255.255.255 FastEthernet0/0
!
bridge 1 protocol ieee

[Diagram labels: 11.1.1.10/24; 11.1.1.11/24; SR 1004; Single T1 PPP]


SR to Cisco bridging over FR
Cisco to SR interop with Bridging over FR WAN

Cisco 7513

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.1.1 30
 vlan
 vlanid 100
 exit 2
interface bundle cisco
 link t1 1
 encapsulation frelay
 fr
 frame_size 1600
 intf_type dce
 lmi ansi
 exit lmi
 pvc 100
 bridge lan
 vlan
 vlanid 10
 exit vlan
 exit pvc
 exit fr
 exit bundle
vlanfwd
 management
 vlanid 100
 ip_interface
 address 11.1.1.2 24
 default_route 11.1.1.1 VlanMgmt
 exit 3
wr mem

CISCO CONFIGURATION
conf t
bridge irb
interface Loopback1
 ip address 11.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 bridge-group 1
!
interface Serial0/0
 mtu 1600
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 clock source internal
 frame-relay map bridge 100 broadcast
 frame-relay interface-dlci 100
 frame-relay lmi-type ansi
 frame-relay intf-type dte
 bridge-group 1
!
!
no ip classless
ip route 11.1.1.1 255.255.255.255 FastEthernet0/0
!
bridge 1 protocol ieee

[Diagram labels: 11.1.1.10/24; 11.1.1.11/24; SR 1004; Single T1 FR]


SR to Cisco VLAN forward over PPP
Cisco to SR interop with VLAN forwarding over PPP WAN using BCP

Cisco 7206 with 12.4

SR CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.1.1 30
 exit
interface bundle cisco
 link t1 1
 encapsulation ppp
 bcp
 bridge vlan
 exit bcp
 exit bundle
vlanfwd
 add vlanid 100 ethernet0
 add vlanid 100 cisco
 management
 vlanid 100
 ip_interface
 address 10.1.1.2 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

CISCO CONFIGURATION
conf t
bridge crb
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 vlan-range dot1q 2 200
  bridge-group 1
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip mroute-cache
 bridge-group 1
!
!
no ip classless
ip route 10.1.1.1 255.255.255.255 FastEthernet0/0
!
bridge 1 protocol ieee

[Diagram labels: 10.1.1.10/24; 10.1.1.11/24; SR 1004; Single T1 PPP; VLAN 100 (x2); VLAN Trunk (x2)]

Note: IP address on Ethernet0 is only to bring up the interface.


SR to Cisco VLAN forward over FR
Cisco to SR interop with VLAN forwarding over FR WAN

SR CONFIGURATION
conf t
hostname Remote
module e1 1
 clock_source line
 framing disable
 exit
interface ethernet 1
 ip address 192.168.2.1 30
 vlan
 vlanid 125
 exit vlan
 exit ethernet
interface bundle wan
 link e1 1
 encapsulation frelay
 fr
 intf_type dte
 frame_size 1500
 lmi ansi
 exit lmi
 pvc 125
 shaping cir 1000000 bcmax 1000000 bcmin 65536
 bridge lan
 vlan
 vlanid 125
 exit pvc
 exit fr
 exit bundle

CISCO CONFIGURATION (Cisco 7206)
conf t
boot system slot0:c7200-p-mz.122-25.S4.bin

ip subnet-zero
ip cef
no ip domain-lookup
frame-relay switching

interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.125
 encapsulation dot1Q 125
!
interface Serial4/1:0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
!
connect test2 Serial4/1:0 125 FastEthernet0/0.125 interworking ethernet

[Diagram labels: 10/100 Ethernet; Frame Relay; Untagged packets forwarded; Tagged packets forwarded; 802.1Q Trunk; WAN; Backbone Switch (x2); Cisco 7206; 1004; 802.3; VLAN 125]


Layer 2 Applications


SR bridge 802.3 & Monitor WAN b/w
Using QoS to classify based on bridge VLAN will allow WAN b/w monitoring

ENCODER Side
conf t
hostname encoder
module t1 1
 clock_source line
 exit
int e 0
 ip address 192.168.11.11 24
 vlan
 vlanid 10
 exit 2
int bundle wan
 link t1 1
 encap ppp
 bcp
 bridge vlan
 exit
 qos
 add_class qosbw root-out cr 1536 br 1536
 class qosbw
 priority 1
 add_vlan_id 10
 exit
 enable mon outbound
 exit 2
vlanfwd
 add vlanid 10 wan
 management
 vlanid 10
 exit 3
wr mem

DECODER Side
conf t
hostname decoder
module t1 1
 clock_source internal
 exit
int e 0
 ip address 192.168.11.12 24
 vlan
 vlanid 10
 exit 2
int bundle wan
 link t1 1
 encap ppp
 bcp
 bridge vlan
 exit
 no red
 qos
 add_class qosbw root-out cr 1536 br 1536
 class qosbw
 priority 1
 add_vlan_id 10
 exit
 enable mon outbound
 exit 2
vlanfwd
 add vlanid 10 wan
 management
 vlanid 10
 exit 3
wr mem

[Diagram labels: SR 1002 Encoder side; SR 1002 Decoder side; T1 Crossover, Simulated T1 WAN; Laptop, Video Client 192.168.11.2; Server, Video Server 192.168.11.5; Carrier CO]

Note: to monitor bandwidth over WAN use: show qos bundle wan


SR bridging video
When bridging video over MLPPP, fragmentation needs to be disabled

ENCODER
conf t
hostname encoder
module t1 1-4
 clock_source line
 exit
interface ethernet 0
 ip address 192.168.11.11 24
 vlan
 vlanid 10
 exit
 exit
int bundle wan
 link t1 1-4
 encap ppp
 mlppp seg_threshold 1024
 bcp
 bridge vlan
 exit
 exit
vlanfwd
 add vlanid 10 wan
 management
 vlanid 10
 exit
 exit
wr mem

DECODER
conf t
hostname decoder
module t1 1-4
 clock_source internal
 exit
int e 0
 ip address 192.168.11.12 24
 vlan
 vlanid 10
 exit
 exit
int bundle wan
 link t1 1-4
 encap ppp
 mlppp seg_threshold 1024
 bcp
 bridge vlan
 exit
 exit
vlanfwd
 add vlanid 10 wan
 management
 vlanid 10
 exit
 exit
wr mem

[Diagram labels: SR 1004 (x2); T1 Crossover, Simulated T1 WAN; Laptop, Video Client 192.168.11.2; Server, Video Server 192.168.11.5; Carrier CO]


SR VLAN forwarding and QoS
SR front-end Cisco CT3 WAN to T1 using QoS based on VLAN id

SR 1004 CONFIGURATION
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.1 24
 exit
module t1 1-4
 clock_source line
 exit
interface bundle wan
 link t1 1-4
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class qosGOLD root-out cr 1000 br 6144 priority 1
 add_class qosSILVER root-out cr 500 br 3072 priority 2
 class qosGOLD
 add_vlan_id 10
 exit class
 class qosSILVER
 add_vlan_id 20
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 20 ethernet0
 add vlanid 10 wan
 add vlanid 20 wan
 add vlanid 99 wan
 management
 vlanid 99
 ip_interface
 address 10.1.1.2 24
 default_route 10.1.1.1 VlanMgmt
wr mem

SR 6302 CONFIGURATION
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 24
 exit
module ct3 1 t1 1-4
 clock internal
 exit
interface bundle wan
 link ct3 1 1-4
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class qosGOLD root-out cr 1000 br 6144 priority 1
 add_class qosSILVER root-out cr 500 br 3072 priority 2
 class qosGOLD
 add_vlan_id 10
 exit class
 class qosSILVER
 add_vlan_id 20
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 20 ethernet0
 add vlanid 99 ethernet0
 add vlanid 10 wan
 add vlanid 20 wan
 add vlanid 99 wan
 management
 vlanid 99
 ip_interface
 address 10.1.1.3 24
 default_route 10.1.1.1 VlanMgmt
wr mem

[Diagram labels: SR 1004; Two T1 Lines Using MLPPP; Channelized DS3; SR 3120; Carrier CO; Cisco 7505; Full Duplex 100M Ethernet; VLAN 10; VLAN 20; VLAN Trunk; Ethernet packets forwarded to LAN with VLAN tags]

Core Router
Int fast 0/0.1
 Encap dot1Q 10
 ip address 10.10.10.1/24
Int fast 0/0.2
 Encap dot1Q 20
 ip address 10.20.20.1/24
Int fast 0/0.3
 Encap dot1Q 99
 ip address 10.1.1.1/24

Note: IP address on Ethernet is only to bring up the interface.


SR VLAN forwarding & QoS
Using MLPPP WAN, forward VLAN with QoS based on IP

[Diagram labels: Remote 1 (SR 1004); Remote 2 (SR 1004); T1 Crossover, Simulated T1 WAN; WAN; Foundry Networks ServerIron XL; VLAN 10 Trunk, Tagged Packets]

SR CONFIGURATION
conf t
hostname Remote 2
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class VoIP root-out cr 1000 br 6144 priority 1
 add_class Default root-out cr 5000 br 6144 priority 7
 class VoIP
 add_src_ip 10.1.1.31 32
 exit class
 class Default
 add_src_ip default
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 management
 vlanid 10
 ip_interface
 address 10.1.1.4 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

SR CONFIGURATION
conf t
hostname Remote1
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source internal
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class VoIP root-out cr 1000 br 6144 priority 1
 add_class Default root-out cr 5000 br 6144 priority 7
 class VoIP
 add_src_ip 10.1.1.30 32
 exit class
 class Default
 add_src_ip default
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 management
 vlanid 10
 ip_interface
 address 10.1.1.3 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

[Diagram labels: VLAN 10 Trunk, Tagged Packets; IP 10.1.1.20/24; IP 10.1.1.21/24; IP 10.1.1.31/24; IP 10.1.1.30/24 VoIP Gateway]


SR VLAN forwarding & QoS
Using 2 T1 with MLPPP WAN, forward VLAN with QoS using 802.1p

[Diagram labels: Foundry Networks ServerIron XL (x2); Remote 2 (SR 1004) (x2); T1 Crossover, Simulated T1 WAN; WAN; VLAN 10 Trunk, Tagged Packets]

SR CONFIGURATION
conf t
hostname Remote 2
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class VoIP root-out cr 1000 br 6144 priority 1
 add_class Default root-out cr 5000 br 6144 priority 7
 class VoIP
 add_dot1p 6
 exit class
 class Default
 add_dot1p 0-5
 add_dot1p 7
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 management
 vlanid 10
 ip_interface
 address 10.1.1.4 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

SR CONFIGURATION
conf t
hostname Remote1
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source internal
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class VoIP root-out cr 1000 br 6144 priority 1
 add_class Default root-out cr 5000 br 6144 priority 7
 class VoIP
 add_dot1p 6
 exit class
 class Default
 add_dot1p 0-5
 add_dot1p 7
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 management
 vlanid 10
 ip_interface
 address 10.1.1.3 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

[Diagram labels: VLAN 10 Trunk, Tagged Packets; IP 10.1.1.20/24; IP 10.1.1.21/24; IP 10.1.1.31/24; VoIP packets marked 802.1p=6 (x2); IP 10.1.1.30/24 VoIP Gateway]


SR VLAN forwarding & QoS
MLPPP WAN forward VLAN, QoS/802.1p, retagging VoIP to new VLAN

[Diagram labels: Foundry Networks ServerIron XL (x2); Remote 1 (SR 1004); Remote 2 (SR 1004); T1 Crossover, Simulated T1 WAN; WAN; VLAN 10 Trunk, Tagged Packets]

SR CONFIGURATION
conf t
hostname Remote 2
interface ethernet 0
 ip address 192.168.0.1 30
 qos
 add_class DOTP root-in
 class DOTP
 add_dot1p 6
 mark_vlan 20
 exit
 enable mon inbound
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class VoIP root-out cr 1000 br 6144 priority 1
 add_class Default root-out cr 5000 br 6144 priority 7
 class VoIP
 add_dot1p 6
 exit class
 class Default
 add_dot1p 0-5
 add_dot1p 7
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 add vlanid 20 wan
 management
 vlanid 10
 ip_interface
 address 10.1.1.4 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

SR CONFIGURATION
conf t
hostname Remote1
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source internal
 exit
interface bundle wan
 link t1 1-2
 encapsulation ppp
 bcp
 bridge vlan
 exit
 qos
 add_class VoIP root-out cr 1000 br 6144 priority 1
 add_class Default root-out cr 5000 br 6144 priority 7
 class VoIP
 add_dot1p 6
 exit class
 class Default
 add_dot1p 0-5
 add_dot1p 7
 exit class
 enable cbq outbound
 exit 2
vlanfwd
 add vlanid 10 ethernet0
 add vlanid 10 wan
 add vlanid 20 ethernet0
 add vlanid 20 wan
 management
 vlanid 10
 ip_interface
 address 10.1.1.3 24
 default_route 10.1.1.1 VlanMgmt
 exit 3
wr mem

[Diagram labels: VLAN 10 - Data, VLAN 20 - VoIP; Trunk, Tagged Packets; IP 10.1.1.20/24; IP 10.1.1.30/24 VoIP Gateway; IP 10.1.1.21/24; IP 10.1.1.31/24; VoIP packets VLAN 20 marked 802.1p=6; VoIP packets marked 802.1p=6]


OA604 Config
conf t
hostname Hub
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation frelay
 fr
 intf_type dte
 lmi ansi
 exit lmi
 pvc 100
 shaping cir 1000000 bcmax 1000000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit
 pvc 200
 shaping cir 1000000 bcmax 1000000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit
 pvc 300
 shaping cir 1000000 bcmax 1000000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit 3
vlanfwd
 add vlanid 10 wan:100
 add vlanid 10 ethernet0
 add vlanid 20 wan:200
 add vlanid 20 ethernet0
 add vlanid 30 wan:300
 add vlanid 30 ethernet0
 management
 vlanid 10
 ip_interface
 address 66.90.230.60 26
 default_route 66.90.230.0 VlanMgmt
 exit 3
wr mem

SR VLAN forward over FR (FRF.16)
Using MLFR (FRF.16) to forward VLAN packets & inband VLAN Mgt

[Diagram labels: 1004; Two T1 Lines Using MLFR; Carrier CO; Juniper M10; Full Duplex 100M Ethernet; VLAN 10; VLAN Trunk; Ethernet packets forwarded to LAN with VLAN tags]

OA604 Config
conf t
hostname Remote
interface ethernet 0
 ip address 192.168.0.1 30
 exit
module t1 1-2
 clock_source line
 exit
interface bundle wan
 link t1 1-2
 encapsulation frelay
 fr
 intf_type dte
 lmi ansi
 exit lmi
 pvc 100
 shaping cir 1000000 bcmax 1000000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit
 pvc 200
 shaping cir 1000000 bcmax 1000000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit
 pvc 300
 shaping cir 1000000 bcmax 1000000 bcmin 65536
 policing cir 3072000 bc 3072000
 bridge vlan
 exit 3
vlanfwd
 add vlanid 10 wan:100
 add vlanid 10 ethernet0
 add vlanid 20 wan:200
 add vlanid 20 ethernet0
 add vlanid 30 wan:300
 add vlanid 30 ethernet0
 management
 vlanid 10
 ip_interface
 address 66.90.230.61 26
 default_route 66.90.230.0 VlanMgmt
 exit 3
wr mem

[Diagram labels: VLAN 10; VLAN 20 (x2); VLAN 30 (x2); 1004]

Note: IP address on Ethernet is only to bring up the interface. This will not be used to manage the device. To manage the device the IP address under VLAN Management is used and there is a VLAN used only for management


Troubleshooting


Common Commands

> To clear to factory defaults

#clear cfg_file

> You then need to reboot the unit

#reboot

> Type Y for Yes

> To show wan bundle

#show interface bundle wan

> To remove any command

#no “command to be removed”

> To show the running configuration

#show conf run

> To show IP routes

#show ip route

> To show IP OSPF database

#show ip ospf database all

> To save the configuration

#wr mem

• To show T1 module alarms

#show module alarms t1 1

• To show T1 module configuration

#show module configuration t1 1

• To loopback the T1 on remote side

#test t1 1
#loopback remote line t1

• To begin bert on the T1 port 1 for 5 min.

#test t1 1
#bert interval 5

• To view the bert test on the T1 port 1

#show module test t1 1

• To show system configuration

#show system configuration

• To show version of code

#show version


T1 BERT Tests

> To isolate problems with a faulty T1 WAN link, perform line or payload loopbacks at either end of the link and perform a BERT test. These functions isolate a problem to either the SR system, far-end equipment, interconnect cabling at either end, or the T1 line between the two systems.

> Loopback Test
• To perform line and payload loopbacks at either end, use the appropriate command.
• The following loopback commands are available:
  • test t1 1 loopback

> BERT Test
• This command is used to initiate a bit error rate test. The following BERT test commands are available to test specific T1 links or a Clear Channel T3.
  • test t1 1 bert interval 2

> View BERT Test
• Once the test is started the results can be viewed using the command:
  • SR-1004/show/module/test# t1 1


T1 BERT Testing example

(First raise the loopback on the T1 to test)

SR-1004/test/t1 4 (This will use port 4 for example)

SR-1004/test/t1 4#loopback remote line (raises the far-end line loopback)

SR-1004/test/t1 4#bert interval 5 (runs bert test for 5 minutes)

(Now look at the bert test on T1 port 4)

SR-1004/test/t1 4#show module test t1 4

(You should see something like the output shown below)

Test Type: BERT Status: LOCKED Pattern: QRW

Locked Seconds: 3 Pattern Loss Count: 0 Bit Error Count: 0

Configured Time: 2 minutes

Elapsed Time: 0 min. 3 sec.

After the test is completed, you need to bring down the loopback

SR-1004/test/t1 4#no loopback remote line (drops the far-end line loopback)
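
Added example, not part of the original slides: a Python check that parses the `show module test t1` output shown above and turns the counters into a bit error rate and a verdict. The 1.544 Mbps rate, the function names and the second sample are assumptions made for this example.

```python
import re

# Assumption: the BERT pattern occupies the full nominal T1 line rate.
T1_LINE_RATE_BPS = 1_544_000

FIELDS = {
    "status": r"Status:\s*(\S+)",
    "locked_seconds": r"Locked Seconds:\s*(\d+)",
    "pattern_loss": r"Pattern Loss Count:\s*(\d+)",
    "bit_errors": r"Bit Error Count:\s*(\d+)",
}

# Output as printed on the slide above.
PAGE_SAMPLE = """Test Type: BERT Status: LOCKED Pattern: QRW
Locked Seconds: 3 Pattern Loss Count: 0 Bit Error Count: 0
Configured Time: 2 minutes
Elapsed Time: 0 min. 3 sec."""

# Constructed sample (not real router output): a full 5-minute run with errors.
CONSTRUCTED_FAULTY = """Test Type: BERT Status: LOCKED Pattern: QRW
Locked Seconds: 300 Pattern Loss Count: 2 Bit Error Count: 4632
Configured Time: 5 minutes
Elapsed Time: 5 min. 0 sec."""

def parse_bert(text):
    """Pull the BERT counters out of 'show module test t1 <n>' output."""
    found = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found in output: {name}")
        found[name] = match.group(1)
    for key in ("locked_seconds", "pattern_loss", "bit_errors"):
        found[key] = int(found[key])
    return found

def assess(text):
    """Return the counters plus bits tested, bit error rate and a verdict."""
    r = parse_bert(text)
    r["bits_tested"] = r["locked_seconds"] * T1_LINE_RATE_BPS
    if r["status"] != "LOCKED" or r["bits_tested"] == 0:
        r["ber"], r["verdict"] = None, "no-sync"   # nothing was measured
    elif r["bit_errors"] or r["pattern_loss"]:
        r["ber"], r["verdict"] = r["bit_errors"] / r["bits_tested"], "errors"
    else:
        r["ber"], r["verdict"] = 0.0, "clean"
    return r

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_FAULTY):
        print(assess(sample))
```

A clean result after only 3 locked seconds covers about 4.6 million bits, so it cannot show an error rate better than roughly 2 in 10 million; let the configured interval finish before judging the link.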

SR Device Manager

Device Manager

> Used primarily for VPN and Firewall configs

> Not complete for routing or WAN configs

Device Manager - status

Device Manager – guided config

Device Manager - guided config

Device Manager – guided config VPN

Device Manager – guided config FW

Device Manager – FW Rules

Device Manager – Config Expand All