H3C MSR Router Deployment on 5G Network

Table of Contents
5G access reliability technology
5G access security technologies
5G area positioning protection
5G link data encryption protection
5G dial-up Internet access scenario
5G + dual SIM cards primary/backup scenario
5G dual-link primary/backup scenario
5G + wired link primary/backup scenario
5G interface module compatibility with MSR routers
5G antenna compatibility with 5G interface modules
5G interface modules and SIM card installation
Installing antennas and extension antenna cables
Installation method for antenna configuration scheme 1
Installation method for antenna configuration scheme 2
Installation method for antenna configuration scheme 3
Installation method for antenna configuration scheme 4
Example: Configuring 5G modem dialup Internet access
Example: Configuring 5G modem dialup with Layer 3 backup
Example: Configuring 5G modem dialup Internet access with IPsec
Example: Configuring 5G modem dialup Internet access with ADVPN tunnels
5G modem dialup+VPDN tunnel configuration example
5G modem dialup+VPDN tunnel (IMSI/SN binding+local authentication) configuration example
5G modem dialup+VPDN tunnel (IMSI/SN binding+remote authentication) configuration example
Configuring 5G modem dial-up + VXLAN over IPsec tunnels
Configuring IPv6 dial-up for a 5G modem
Identifying whether the 3G/4G/5G interface module or USB 3G/4G modem is in good condition
Identifying whether the 3G/4G/5G modem is in good condition
Identifying whether the SIM card is in good condition
Identifying whether the 3G/4G/5G network signal is in good condition
Identifying whether the 3G/4G/5G interface is configured correctly
Related alarm and log messages
Overview
Conventions
This document describes application scenarios, device selection, key technologies, and configuration examples for deployment of H3C MSR routers for 5G. It does not cover deployment of H3C MSR routers in non-5G scenarios.
Procedures and information in the examples might be slightly different depending on the software or hardware version of the H3C devices.
Examples in this document might use devices that differ from your device in hardware model, configuration, or software version. It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device.
Technical background
5G, the fifth-generation mobile communication technology, offers significant improvements over previous generations in key performance metrics such as user experience rate, peak data rate, and air interface latency. As 5G technology continues to proliferate, applications based on 5G, such as smart driving and smart healthcare, are becoming increasingly common. Consequently, the capability of network products to support 5G is becoming more critical.
MSR 5G is a key wide-area network (WAN) access technology of MSR routers, often referred to as wireless WAN (WWAN). The 5G capabilities of an MSR router provide wireless broadband access for enterprise branches and small and medium-sized enterprises (SMEs) and interconnect headquarters and branches, better supporting the service requirements of enterprise users.
Basic concepts
· Evolved Packet Core (EPC)—4G LTE core network. EPC comes in two types. One is the traditional LTE core network that only supports 4G base stations. The other is the upgraded LTE core network, which supports both 4G and 5G base stations.
· 5G Core (5GC)—5G core network, which supports access to 5G base stations.
· eNodeB (eNB)—4G base station, including traditional 4G base stations that support connection to the LTE core network only and enhanced 4G base stations that support connections to both the LTE and 5G core networks.
· gNodeB (gNB)—5G base station, which supports connection to the 5G core network.
· 5G modem—5G module, including integrated 5G modules and removable 5G modules. MSR routers provide 5G service through 5G modules and are also compatible with 3G and 4G.
· User Equipment (UE)—Endpoint that accesses the wireless network. In a wireless WAN (WWAN), the router itself is the UE.
Benefits
5G networks feature high bandwidth, low latency, and extensive connectivity, and support the following application scenarios:
· Enhanced Mobile Broadband (eMBB)—Addresses the rapid growth of mobile Internet traffic, providing mobile Internet users with a superior application experience. eMBB features high-volume, high-speed concurrent data transmissions. It requires a peak user rate of 10 Gbps and a stable user experience rate of 1 Gbps.
· Massive Machine Type Communication (mMTC)—Addresses requirements of applications such as smart cities, smart homes, and environmental monitoring that focus on sensing and data collection. It enables seamless, large-scale IoT communication anytime and anywhere, requiring a connection density of one million per square kilometer.
· Ultra-Reliable Low-Latency Communication (uRLLC)—Addresses requirements of vertical industry applications such as industrial control, telemedicine, and autonomous driving that require extremely high reliability and low latency. It provides real-time, reliable, and stable connections, with air interface latency requirements of less than 1 ms.
MSR 5G supports 5G New Radio (NR) in both standalone (SA) and non-standalone (NSA) mode and remains compatible with 4G networks (LTE-FDD and LTE-TDD) and 3G WCDMA networks, so it can adapt to various geographical environments. MSR 5G provides enterprise users with higher-bandwidth WWAN access and offers features such as Layer 2 and Layer 3 VPNs, multi-link primary/backup, and multi-link load balancing. These features let enterprises use WWAN as a replacement for, or backup to, a traditional WAN, offering a more reliable and richer operating environment for business activities.
In addition, MSR 5G supports GNSS, allowing devices to send location information to the carrier’s central authentication server, facilitating device management and maintenance. It supports clock synchronization across routers and endpoints. This is applicable to public facilities such as street lamps and surveillance cameras. Additionally, the router can be managed by the Cloudnet platform, enabling real-time monitoring and management of 5G configuration.
H3C MSR routers that support 5G include those that use an H3C 5G SIC interface module to gain 5G capability, such as the MSR3610-IE-DP, and those with built-in 5G modules, such as the MSR1004S-5G.
NOTE: Application of MSR 5G is similar across IPv4 and IPv6. This document does not make a strict distinction between them.
Implementation
5G network modes
MSR 5G supports both NSA and SA networking modes.
· NSA networking—NSA is a one-to-many networking mode where one core network supports both 4G and 5G base stations. The NSA mode facilitates transition from 4G to 5G. NSA features quick network setup but has complex network architecture and higher network latency.
· SA networking—SA is a one-to-one networking mode, with one core network having one type of base station. The core network is a 5G core network and the network architecture adheres to 5G standards. SA features lower network latency and larger bandwidth, but has higher construction costs and lower coverage.
Additionally, the 5G features of MSR routers are backward compatible with the 4G LTE and 3G WCDMA network modes. You can configure a 5G modem on an MSR router to operate in NSA, SA, LTE, or WCDMA network mode at the CLI, or configure the router to automatically search for and select an appropriate network mode. By default, an MSR router prioritizes the SA network mode.
Figure 1 NSA network diagram
Figure 2 SA network diagram
5G frequency bands
· Sub-6 GHz—Main frequency range for 5G, spanning 450 MHz to 6000 MHz. It contains 26 operating bands and features low frequency, strong diffraction, and good coverage. The commonly used bands are n1, n3, n28, n41, n77, n78, and n79. China Telecom and China Unicom use n78, and China Mobile uses n41 and n79.
· Millimeter wave—Extension frequency range for 5G, spanning 24250 MHz to 52600 MHz. It contains bands n257, n258, and n260, and features ultra-wide bandwidth, clean spectrum, and minimal interference.
Table 1 Commonly used frequency bands

Frequency band | Uplink (MHz) | Downlink (MHz) | Duplex mode
---|---|---|---
n1 | 1920 to 1980 | 2110 to 2170 | FDD
n3 | 1710 to 1785 | 1805 to 1880 | FDD
n28 | 703 to 748 | 758 to 803 | FDD
n41 | 2496 to 2690 | 2496 to 2690 | TDD
n77 | 3300 to 4200 | 3300 to 4200 | TDD
n78 | 3300 to 3800 | 3300 to 3800 | TDD
n79 | 4400 to 5000 | 4400 to 5000 | TDD
Dual APN reliability
In a 5G network, you can configure an Access Point Name (APN) on an MSR router to connect to a specific data network, for example, a carrier's private network for important service traffic to be transmitted over the carrier dedicated line.
An MSR router supports configuring two APNs, one primary and one backup, for network access. By default, the MSR router dials up by using the primary parameter profile. If dial-up with the primary profile fails, it switches to the backup profile. Regardless of whether dial-up with the backup profile succeeds, the primary profile is tried first again at the next dial-up. This ensures that 5G dial-up still succeeds when the primary APN is unavailable.
Figure 3 Dual APN reliability
5G VPN technology
An MSR router can rapidly connect to the Internet and access public cloud resources through dial-up but cannot directly access remote private networks. Using VPN technologies such as GRE, L2TP, VXLAN, IPsec VPN, ADVPN, and SD-WAN, enterprises can establish a 5G wireless dedicated line for branch users, facilitating communication between branches and the headquarters.
Table 2 Comparison of common VPN technologies

Tunnel | Packet type | L2VPN capability | NAT traversal | Security | Recommended scenario
---|---|---|---|---|---
GRE | IP/MPLS/Ethernet | Supported (EoGRE) | Not supported | Enhanced security with IPsec. | Enterprise branches are connected to the headquarters, supporting Layer 2 and Layer 3 services.
L2TP | PPP | Supported | Supported | Enhanced security with IPsec. | Enterprise branches are connected to the headquarters, and access authentication of branch users is required.
VXLAN | IP | Supported | Supported | Enhanced security with IPsec. | Enterprise branches are connected to the headquarters, supporting Layer 2 and Layer 3 services.
IPsec | IP | Not supported | Supported | Strong | Finance or government branches with higher security requirements are connected to the headquarters.
ADVPN | IP | Not supported | Supported | Enhanced security with IPsec. | Enterprise branches are connected to the headquarters, supporting dynamic tunnel creation and allowing branches to use dynamic IP addresses.
SD-WAN | IP | Not supported | Supported | Enhanced security with IPsec. | Enterprise branches are connected to the headquarters, allowing branches to use dynamic IP addresses, supporting configuration deployment control, and supporting intelligent path selection.
5G access reliability technology
Dual SIM card reliability
A router sends and receives 5G traffic through the SIM card used for dial-up. If the SIM card runs out of balance or has poor signal, the 5G service provided by the router is affected. An MSR router is equipped with two SIM card slots. For applications that require reliable data transmission over a single 5G link, you can insert two SIM cards in the device for dual-SIM single-standby operation. With a SIM card switching policy configured, when 5G dial-up fails because one SIM card is out of balance, the 5G signal is poor, or the corresponding carrier's network fails, traffic is automatically switched to the other SIM card, ensuring rapid service recovery. As a best practice, to prevent dial-up failures caused by a single carrier's network issues, use SIM cards from different carriers.
Figure 4 Dual SIM card reliability
Dual 5G link reliability
For MSR routers that use an H3C 5G SIC interface module, the device has multiple SIC interface module slots. With an H3C 5G SIC interface module installed, an MSR router can support 5G wireless networks. In scenarios where high data transmission reliability is required or large amount of traffic is transmitted, you can install two H3C 5G SIC interface modules on an MSR router to establish two 5G links. With a traffic forwarding policy configured for the dual 5G links, service reliability and user experience can be enhanced. The following are the techniques commonly used in conjunction with dual 5G links:
· BFD or NQA—Monitors link connectivity, enabling quick switchover between primary and backup links to ensure service continuity.
· Policy routing—Used for load sharing between the two 5G links, so that different classes of service traffic are forwarded over different links.
· Intelligent path selection—Enables applications to dynamically select paths based on link quality, bandwidth, and priority for load sharing or primary and backup path selection.
· WAAS packet duplication—Optimizes traffic by sending the same packet over two links, effectively reducing or solving issues such as packet loss, jitter, and errors on a single link.
Figure 5 Dual 5G link reliability
5G + wired link reliability
Most deployments use a wired link, such as an MPLS line, as the primary link. To enhance transmission reliability between branches or between the headquarters and branches, MSR routers support establishing wired and 5G links simultaneously, with the 5G link as a backup. When the primary wired link fails, traffic is quickly switched to the backup 5G link. The following technologies are used for primary/backup switchover and load sharing between 5G and wired links:
· BFD or NQA—Monitors link connectivity, enabling quick switchover between primary and backup links to ensure service continuity.
· Policy routing—Used for load sharing between wired and 5G links. Service traffic that requires low latency and high stability is transmitted via wired links, and service traffic with less real-time demands is forwarded through wireless links.
· Intelligent path selection—Enables applications to dynamically select paths based on link quality, bandwidth, and priority.
· WAAS packet duplication—Optimizes traffic by sending the same packet over two links, effectively reducing or solving issues such as packet loss, jitter, and errors on a single link.
Figure 6 5G + wired link reliability
5G access security technologies
5G PIN verification
Every SIM/USIM card is protected by a Personal Identification Number (PIN). After PIN verification is enabled on an MSR router, the SIM/USIM card is activated only when the correct PIN is provided, preventing unauthorized use of the card. If PIN verification fails the maximum number of times allowed, the SIM/USIM card is locked, and the PIN Unlocking Key (PUK) is required to unlock it.
NOTE: When PIN verification is enabled, PIN verification is performed after specific conditions are met, for example, the SIM/USIM card is inserted or the router is restarted. The PIN verification process shown in the figure below assumes that the conditions to trigger PIN verification have been met.
Figure 7 PIN verification flowchart
5G IMSI code protection
In 5G, the Subscription Permanent Identifier (SUPI) serves the same function as the 4G International Mobile Subscriber Identity (IMSI) and is usually IMSI-based. This document uses IMSI throughout.
Configuring a trusted IMSI on the router prevents unauthorized SIM/USIM cards from accessing the network through a 5G router. Before dial-up, the router obtains the IMSI information of the dialing SIM/USIM card.
· If the obtained IMSI information matches the locally configured trusted IMSI, the SIM/USIM card is legitimate and dial-up is allowed.
· If the IMSI information does not match the locally configured trusted IMSI, the SIM/USIM card is unauthorized and dial-up is not allowed.
Figure 8 Local IMSI binding flowchart
5G area positioning protection
The area positioning feature helps prevent a stolen router from being used to access the headquarters network by making the router's physical location visible to the headquarters. This feature operates as follows:
1. After connecting to the carrier network, the router obtains information about the base station it is attached to, such as the base station's cell ID.
2. The headquarters network management platform polls the router's base station information through SNMP, or the router proactively reports the base station information to the platform through NETCONF.
3. The network management platform plots the base station information on a map, so that you can see the location of the router promptly and intuitively.
Figure 9 Area positioning
5G user access authentication
5G user access authentication prevents unauthorized users from connecting to the carrier’s private wireless network. It is typically used for user access to the carrier's VPDN. This feature requires a SIM/USIM card from the carrier, VPDN access point name, authentication method, username, and password. 5G user access authentication involves carrier access point authentication and 4-tuple authentication at the headquarters. The workflow is as follows:
Carrier access point authentication
On the carrier side, the following mechanism prevents unauthorized dial-up users from accessing the VPDN network:
1. When a router requests dial-up access to the carrier's network, the carrier's AAA server authenticates the 5G router's APN, account, and SIM/USIM card.
2. Only when all of the above is authenticated does the AAA server issue L2TP tunnel attributes to the LAC device. The LAC device then initiates an L2TP tunnel to the LNS device at the headquarters.
Figure 10 Carrier access point authentication
4-tuple authentication
At the headquarters, the following mechanism prevents routers from accessing the headquarters network with unauthorized SIM/USIM cards when a VPDN account is stolen:
1. After receiving the dial-up user's authentication information, the LNS device at the headquarters initiates a secondary authentication for the dial-up user with the headquarters AAA server.
2. The AAA server authenticates the dial-up user against a 4-tuple that binds the username, password, IMSI, and device SN to one account. Only users that pass this authentication can access the VPDN network.
Figure 11 4-tuple authentication at the headquarters
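The following Python model is an added example, not H3C code, of the two SIM-binding checks described in the IMSI protection and 4-tuple authentication sections. check_local_imsi() is the router-side trusted-IMSI check made before dial-up; aaa_authenticate() is the headquarters AAA server's check that binds username, password, IMSI, and device SN to one account, so a stolen VPDN username and password alone are rejected. All account names, passwords, IMSIs, and SNs are constructed sample data, and the PBKDF2 password storage is this example's choice, not something the document specifies.

```python
"""Added example, not H3C code: router-side trusted-IMSI check and the
headquarters AAA 4-tuple binding check (username, password, IMSI, SN).
All accounts, IMSIs and SNs are constructed sample data."""
import hashlib
import hmac
import re
import secrets

# IMSI: 15 decimal digits (MCC 3 + MNC 2-3 + MSIN). Shorter legacy IMSIs exist;
# this example assumes the 15-digit form.
IMSI_RE = re.compile(r"\d{15}")

# Constructed: IMSIs of the two SIM cards issued for this branch router.
TRUSTED_IMSIS = {"460011234567890", "460001234567891"}


def check_local_imsi(imsi: str, trusted: set = TRUSTED_IMSIS) -> bool:
    """Router-side check: dial up only if the card's IMSI is in the trusted set."""
    return IMSI_RE.fullmatch(imsi) is not None and imsi in trusted


def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash, never the password itself (example's choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(username: str, password: str, imsi: str, sn: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt, "hash": _derive(password, salt),
            "imsi": imsi, "sn": sn}


# Constructed AAA database: one VPDN account per branch router.
ACCOUNTS = {a["username"]: a for a in [
    make_account("branch01", "Br@nch01-pass", "460011234567890", "210235A1B2C3D4E5"),
    make_account("branch02", "Br@nch02-pass", "460001234567891", "210235A1B2C3D4E6"),
]}


def aaa_authenticate(username: str, password: str, imsi: str, sn: str,
                     accounts: dict = ACCOUNTS) -> tuple:
    """Headquarters 4-tuple check. Returns (accepted, reason). The reason is for
    the server's own log; the peer should only be told accept or reject."""
    acct = accounts.get(username)
    if acct is None:
        return False, "unknown username"
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(_derive(password, acct["salt"]), acct["hash"]):
        return False, "wrong password"
    if not IMSI_RE.fullmatch(imsi) or imsi != acct["imsi"]:
        return False, "IMSI not bound to this account"
    if sn != acct["sn"]:
        return False, "device SN not bound to this account"
    return True, "accepted"


if __name__ == "__main__":
    print(check_local_imsi("460011234567890"))                        # True
    print(aaa_authenticate("branch01", "Br@nch01-pass",
                           "460011234567890", "210235A1B2C3D4E5"))    # (True, 'accepted')
    # Correct username and password presented from a card that is not bound:
    print(aaa_authenticate("branch01", "Br@nch01-pass",
                           "460019999999999", "210235A1B2C3D4E5"))    # (False, 'IMSI not bound to this account')
```

The last call is the case the 4-tuple check exists for: valid credentials from the wrong card fail, and the failure reason stays in the server log rather than being returned to the dialing peer.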
5G link data encryption protection
5G link data encryption protection authenticates and encrypts/decrypts traffic transmitted over 5G links by using IPsec. By establishing an IPsec VPN tunnel between enterprise branches and headquarters, the router can encrypt data transmitted over the link to ensure secrecy, integrity, and authenticity of service data.
The router uses the following procedure to encrypt and decrypt user data by using IPsec:
1. The 5G router dials up and establishes an IPsec VPN tunnel between the branch and the headquarters.
2. The 5G router encrypts private network service data with IPsec and forwards it to the headquarters gateway through the IPsec VPN tunnel.
3. The headquarters gateway decrypts the received packet and forwards it to the destination IP address.
Figure 12 5G link data encryption
5G framed routing
A 5G framed route refers to a route configured on the core network that is destined to an endpoint attached to an MSR router. The route contains a subnet address, a subnet mask, and an International Mobile Subscriber Identity (IMSI).
When multiple network devices are attached to the MSR router acting as a customer premises equipment (CPE), the router can assign IP addresses to these devices through DHCP. When no 5G framed routes are configured, the attached devices can access applications within the public data network (PDN) unidirectionally after they obtain an IP address. In this case, the core network cannot detect the existence of any attached devices and has no entries for the devices. As a result, upon receiving packets sent from the PDN, the core network forwards only the packets destined to the MSR router, and discards other packets. After you configure 5G framed routes, the application server within the PDN can access the network devices attached to the MSR router.
Figure 13 5G framed routing diagram
NOTE:
· The main function of a PDN is to provide data communication services to the public. The 5G link established between the router and the core network is also known as a PDN connection.
· The PDN gateway (PGW) is a key network element in mobile networks, providing session management and bearer control, data forwarding, IP address allocation, and non-3GPP user access functions.
· GPRS Tunneling Protocol (GTP) comprises GTP-C and GTP-U. GTP-C (control plane) sets up and maintains the network bearers, and GTP-U (user plane) encapsulates UE payloads in the GTP tunnel.
Application scenarios
5G dial-up Internet access scenario
Introduction
5G dial-up Internet access is a basic application scenario for the MSR router. Branch sites and small enterprise users can access the Internet and public cloud resources directly through the 5G interface of the MSR router.
Technical implementation
As shown in Figure 14, 5G dial-up Internet access refers to the process in which the router establishes a connection to the core network and successfully obtains an IP address. The dial-up process is as follows:
1. The MSR router accesses the 5G core network through dial-up over the wireless air interface. After the ISP's AAA server authenticates the APN, account, and SIM/USIM card, the PGW assigns an IP address to the 5G modem.
2. After obtaining the assigned IP address, the 5G modem negotiates with the MSR router to generate an interface IP address. The MSR router then establishes a 5G link with the PDN network by using the generated interface IP address.
Figure 14 5G dial-up Internet access scenario
Typical networking
As shown in Figure 15, install a 5G SIC interface module on the MSR router to connect to the 5G network through automatic scheduled dial-up access with DDR and establish a permanent online connection. Endpoint users can access public cloud resources through the MSR router.
Figure 15 5G dial-up Internet access network diagram
5G + Layer 3 VPN scenario
Introduction
An enterprise branch can access public cloud resources through 5G dial-up. It can also establish overlay VPN connections with the headquarters, such as GRE, L2TP, IPsec VPN, and ADVPN connections, to enable intercommunication and data encryption between the headquarters and branch.
Technical implementation
5G + Layer 3 VPN uses 5G links to establish VPN tunnels between enterprise branches and headquarters, enabling intercommunication between them. Typical tunneling technologies include GRE, L2TP, IPsec, and ADVPN. As shown in Figure 16, the basic process for communication between the branch and headquarters in the 5G + IPsec tunnel network is as follows. The communication processes for other tunnels are similar (details not shown).
1. Upon receiving a packet from a user endpoint, the MSR router uses the ACL rules (such as the packet's IP address) configured in the IPsec policy to determine that the packet needs to be forwarded through an IPsec tunnel. The MSR router establishes an IPsec SA (that is, an IPsec tunnel) with the headquarters gateway through IKE negotiation.
2. After establishing the IPsec tunnel, the MSR router sends the packet to the output interface of the tunnel. Upon receiving this packet, the output interface of the tunnel first encapsulates it with a security protocol header, and then encapsulates an IPv4 header. In the IPv4 header, the source address is the source address of the tunnel, and the destination address is the destination address of the tunnel.
3. The MSR router looks up the routing table based on the destination address in the encapsulated IPv4 header, and then forwards the encapsulated IPv4 packet through the output interface of the IPsec tunnel.
4. When the packet reaches the headquarters gateway (destination address of the packet), the gateway delivers the packet to the IPsec protocol for decapsulation. It removes the IPv4 header and security protocol header from the packet, and then forwards the packet through routing table lookup.
Figure 16 5G + IPsec application scenario
Typical networking
As shown in Figure 17, install a 5G SIC interface module on the MSR router for accessing the Internet through 5G dial-up. Establish an IPsec tunnel between the headquarters gateway and the MSR router to securely protect data flows between branch network 192.168.1.0/24 and headquarters network 192.168.2.0/24.
Figure 17 5G + IPsec tunnel network diagram
5G + Layer 2 VPN scenario
Introduction
In a scenario requiring Layer 2 service interactions, MSR routers support establishing Ethernet over GRE (EoGRE) tunnels or VXLAN tunnels between enterprise branches and headquarters. This enables the forwarding of interaction data through the 5G links.
Technical implementation
As shown in Figure 18, the basic process for communication between the branch and headquarters in a 5G + EoGRE tunnel network is as follows:
1. Upon receiving an Ethernet packet from the user endpoint, the MSR router determines that the packet needs to be forwarded through the EoGRE tunnel, and forwards it to the tunnel interface for processing.
2. Upon receiving this Ethernet packet, the tunnel interface first encapsulates it with a GRE header, and then encapsulates an IPv4 header. In the IPv4 header, the source address is the source address of the tunnel, and the destination address is the destination address of the tunnel.
3. The MSR router looks up the routing table based on the destination address in the encapsulated IPv4 header, and then forwards the encapsulated IPv4 packet through the actual physical interface of the EoGRE tunnel.
4. Upon receiving the packet, the headquarters gateway delivers it to the EoGRE protocol for decapsulation, because the destination address of the packet is the gateway itself, the protocol number in the IPv4 header is 47 (GRE), and the protocol type in the GRE header is 0x6558 (transparent Ethernet bridging), which indicates that the encapsulated payload is a Layer 2 frame. The gateway removes the IPv4 header and GRE header from the packet, and then performs MAC forwarding for the inner frame.
Figure 18 5G + Layer 2 VPN scenario
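To make the decapsulation decision in step 4 concrete, the following standard-library Python is an added example, not H3C code: it builds an EoGRE over IPv4 packet the way the branch router does in steps 2 and 3, and decapsulates it the way the headquarters gateway does, checking the destination address, the IPv4 protocol number 47 and the GRE protocol type 0x6558 before handing the inner frame to MAC forwarding. Tunnel addresses, MAC addresses and the inner payload are constructed sample values.

```python
"""Added example, not H3C code: EoGRE over IPv4 encapsulation (branch side)
and decapsulation with the checks a gateway makes (headquarters side).
Addresses, MACs and payload are constructed sample values."""
import socket
import struct
from typing import Optional, Tuple

IPPROTO_GRE = 47            # protocol number carried in the outer IPv4 header
GRE_PROTO_TEB = 0x6558      # GRE protocol type: transparent Ethernet bridging


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the IPv4 header; evaluates to 0 over a header
    whose stored checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal outer IPv4 header (no options, DF set, TTL 64) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def eogre_encap(tunnel_src: str, tunnel_dst: str, eth_frame: bytes) -> bytes:
    """Branch side (steps 2 and 3): GRE header without key/sequence, then the
    outer IPv4 header with the tunnel source and destination addresses."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)    # flags/version 0, protocol type
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre + eth_frame)


def eogre_decap(pkt: bytes, local_addr: str) -> Tuple[Optional[bytes], str]:
    """Headquarters side (step 4). Returns (inner Ethernet frame, reason); the
    frame is None when the packet must not be handed to the EoGRE process."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, "not an IPv4 packet"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or ipv4_checksum(pkt[:ihl]) != 0:
        return None, "malformed IPv4 header"
    if socket.inet_ntoa(pkt[16:20]) != local_addr:
        return None, "not addressed to this gateway"
    if pkt[9] != IPPROTO_GRE:
        return None, f"IP protocol {pkt[9]} is not GRE (47)"
    gre = pkt[ihl:total_len]
    if len(gre) < 4:
        return None, "truncated GRE header"
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        return None, "unsupported GRE version"
    if ptype != GRE_PROTO_TEB:
        return None, f"GRE protocol type {ptype:#06x} is not 0x6558"
    # Optional GRE fields, in order: checksum+reserved (C), key (K), sequence (S).
    offset = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    inner = gre[offset:]
    if len(inner) < 14:
        return None, "inner frame shorter than an Ethernet header"
    return inner, "ok"


# Constructed inner frame: dst MAC, src MAC, EtherType 0x0800, dummy payload.
SAMPLE_ETH = bytes.fromhex("0200000000020200000000010800") + b"inner-ip-payload"

if __name__ == "__main__":
    pkt = eogre_encap("100.64.1.2", "203.0.113.1", SAMPLE_ETH)
    print(pkt[9], pkt[22:24].hex())                      # 47 6558
    print(eogre_decap(pkt, "203.0.113.1")[1])            # ok
    print(eogre_decap(pkt, "203.0.113.2")[1])            # not addressed to this gateway
```

The checks are deliberately ordered the way the gateway's forwarding path sees the packet: the outer header must be intact and addressed to the gateway before the protocol number is consulted, and the GRE protocol type decides whether the payload goes to MAC forwarding (0x6558) or to some other GRE consumer.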
Typical networking
As shown in Figure 19, install a 5G SIC interface module on the MSR router for accessing the Internet through 5G dial-up. Establish an EoGRE over IPv4 tunnel between the headquarters gateway and the MSR router to enable Layer 2 intercommunication across the backbone network between two Layer 2 LANs.
Figure 19 5G + EoGRE network diagram
5G + VPDN scenario
Introduction
The 5G Virtual Private Dialup Network (VPDN) service is a type of VPN service implemented through dial-up over the Internet. It uses technologies like L2TP to build VPNs isolated from the public network for customers, meeting the internal network communication requirements between branches and headquarters.
In typical VPDN applications, the ISP deploys a VPN line between the LAC and the LNS device at the enterprise headquarters. In such applications, service data encapsulated in L2TP tunnels is not encrypted. Industries such as finance and government can use IPsec to encrypt service data to ensure the security of communication between branches and headquarters. IPsec on MSR routers supports encryption algorithms such as DES, 3DES, AES128, AES192, AES256, SM1, SM2, and SM4, and authentication algorithms such as MD5, SHA, and SM3. DES, 3DES, and MD5 are considered weak by current standards; prefer AES (or SM4) with SHA-2 (or SM3) wherever the peer supports them. IPsec also supports hardware encryption, effectively ensuring the confidentiality, integrity, and authenticity of service data.
Technical implementation
As shown in Figure 20, the basic process of communication between the branch and headquarters in a 5G VPDN network is as follows:
1. The MSR router acting as a CPE connects to the ISP network through wireless air interface dial-up. The ISP authenticates the APN, account, and SIM/USIM card information of the router.
2. After the router passes the authentication, the ISP treats it as a VPDN user, and the ISP's AAA server issues L2TP tunnel attributes to the LAC device. The LAC device then initiates a tunnel establishment request to the LNS device at the VPDN user's headquarters based on the received L2TP tunnel attributes. After the L2TP tunnel is established, the LAC device transparently passes the user's authentication information to the LNS device through this tunnel.
3. The LNS device initiates a secondary authentication for the VPDN user with the enterprise's internal AAA server, and assigns an enterprise internal IP address to the VPDN user upon successful authentication.
4. The headquarters and branch establish an IPsec VPN tunnel through IKE negotiation, allowing endpoint users in the branch to communicate with the headquarters. The MSR router encrypts the communication data with IPsec and transmits it to the ISP's LAC device. The LAC device performs L2TP encapsulation of the IPsec-encrypted user data by using a public IP address, and then transmits the data through the L2TP tunnel to the LNS. The LNS decapsulates the L2TP packet, performs IPsec decryption to restore the private network IP packet, and then forwards the packet based on its destination IP address.
Typical networking
As shown in Figure 21, install a 5G SIC interface module on the MSR router to access the ISP's VPDN network through 5G dial-up. Set up an IPsec tunnel between the MSR router and the headquarters gateway, and establish an L2TP tunnel between the ISP device and the headquarters gateway.
Figure 21 5G + VPDN networking diagram
5G + SDWAN scenario
Introduction
You can apply SDWAN technology to 5G links to establish SDWAN tunnels between the enterprise headquarters and branches, enabling intercommunication between them. Combined with traditional wired VPN lines, SDWAN can implement Resilient Intelligent Routing (RIR), which selects the link that carries service traffic based on link quality.
Technical implementation
As shown in Figure 22, in a 5G + SDWAN network, the basic process for communication between the branch and headquarters is as follows:
1. The 5G router acting as a CPE connects to the ISP network through wireless air interface dial-up, enabling the MSR router to access public cloud resources.
2. After an SDWAN tunnel is configured between the MSR router and the enterprise headquarters gateway, the router determines that the Ethernet packet received from the user endpoint needs to be forwarded through the SDWAN tunnel, and sends the packet to the SDWAN tunnel interface.
3. The router obtains the TTE ID of the next hop address based on the next hop address in the forwarding table. Then it obtains the information for the TTE connection based on the local and next hop TTE IDs.
4. The router performs SDWAN encapsulation for the packet based on the TTE connection information. The SDWAN header contains the VN ID of the VPN instance to which the packet belongs. After encapsulation, the router forwards the packet through the physical interface specified by the SDWAN tunnel.
5. After receiving and decapsulating the SDWAN packet, the remote CPE searches the routing table in the corresponding VPN instance based on the VN ID to forward the packet.
Typical networking
As shown in Figure 23, install a 5G SIC interface module on the MSR router to access the ISP network through 5G dial-up. The MSR router also communicates with the headquarters gateway over a wired VPN link. An SDWAN tunnel is established between the MSR router and the headquarters gateway over both links, forming dual links consisting of a wired VPN link and a 5G link.
Figure 23 5G + SDWAN network diagram
5G + dual SIM cards primary/backup scenario
Introduction
For applications that require reliable data transmission over a single 5G link, you can install two 5G SIM cards so that one card is active and the other stands by, allowing the link to be re-established quickly after a disconnection. In a 5G + dual SIM cards primary/backup scenario, you associate the SIM card with Track and NQA to determine the availability of the current 5G link and switch the dial-up SIM card quickly to restore service. You can also use an EAA script to monitor the 5G signal strength of the link: if the signal strength falls below the configured threshold, the script tears down the current dial-up connection and dials up with the backup SIM card to keep service bandwidth stable.
Technical implementation
As shown in Figure 24, the basic process for communication between the branch and headquarters in a 5G dual SIM cards primary/backup network is as follows:
1. The MSR router uses primary SIM card SIM0 to dial into the ISP's 5G network, and establishes a tunnel between the headquarters and branch, enabling intercommunication between them.
2. While SIM0 is functioning correctly, traffic between the branch and the headquarters is carried over SIM0. If the SIM0 account runs out of credit or the ISP 5G network fails, the state of the track entry associated with SIM0 changes from Positive to Negative, and SIM0 is disabled.
3. When SIM0 is in credit and the ISP 5G network is up, but the EAA script detects that the 5G signal strength of the link is below the threshold of –100 dBm, the router proactively disables SIM0.
4. After disabling SIM0, the MSR router immediately uses SIM card SIM1 to dial into the ISP's 5G network, reestablishes the tunnel with the headquarters gateway, and switches service traffic between the headquarters and branch to SIM1.
Figure 24 5G dual SIM cards primary/backup scenario
Typical networking
As shown in Figure 25, install a 5G SIC interface module with two SIM cards on an MSR router. The MSR router uses SIM card 0 to dial into the 5G network. Associate the SIM card with a track entry. When the track entry state changes from Positive to Negative, the current 5G link is disabled and service traffic switches over to the backup SIM card. Configure the EAA script to monitor the 5G signal strength of the current link. If the signal strength drops below –100 dBm, the current 5G link is disabled and service traffic switches over to the backup SIM card.
Figure 25 5G dual SIM cards primary/backup network diagram
5G dual-link primary/backup scenario
Introduction
For an application scenario that uses a single 5G link and requires data transmission reliability, the MSR router supports 5G dual-link backup to ensure service traffic continuity. The MSR router supports installing two 5G SIC interface modules to dial up and establish two 5G links for backup. The dual 5G links can also implement traffic load sharing. This section illustrates only the scenario where dual 5G links are used for primary and backup purposes.
Dual 5G link backup detects link connectivity and redirects traffic in time through collaboration between static routing, NQA, and Track. It can also compare the 5G signal strengths of the two links through an EAA script. If the signal strength of one link is below –100 dBm, the other link becomes the primary link.
Technical implementation
As shown in Figure 26, the basic process for communication between the branch and headquarters in a dual 5G links primary/backup network is as follows:
1. The MSR router connects to the ISP's 5G network through dial-up access by using the 5G-SIC1 and 5G-SIC2 interface modules, and establishes a tunnel between the headquarters and branch. The route of the 5G link established through the 5G-SIC1 interface module has a higher priority.
2. When 5G link 1 is operating correctly, the service traffic between the branch and headquarters is transmitted through 5G link 1. If NQA detects an anomaly in 5G link 1 (for example, 5G dial-up disconnection because the SIM card runs out of balance or an ISP 5G network failure occurs), the track entry state of 5G link 1 changes from Positive to Negative, and 5G link 1 is disabled.
3. When NQA detects that both 5G links are operating correctly, but the signal strength of 5G link 1 is below the threshold of –100 dBm, the router disables 5G link 1.
4. After disabling 5G link 1, the MSR router immediately switches the service traffic between the headquarters and the branch to 5G link 2 for forwarding.
Figure 26 Dual 5G links primary/backup scenario
Typical networking
As shown in Figure 27, install two 5G SIC interface modules on the MSR router to connect to the 5G network through dial-up access with DDR and establish two 5G links for backup. Configure collaboration between static routing, NQA, and Track for the 5G links. When the primary 5G link is operating correctly, the enterprise branch accesses the headquarters through the primary link. If the primary link fails, the enterprise branch accesses the headquarters through the backup link.
Figure 27 Dual 5G links primary/backup network diagram
5G + wired link primary/backup scenario
Introduction
Typically, a wired connection, such as an MPLS VPN line, is used between the headquarters and a branch, as well as between two branches. Wired connections are expensive and difficult to deploy. Typically a single link is deployed, which results in service interruption upon a link failure. You can use a 5G link as a backup link to effectively enhance service continuity and stability. To implement 5G + wired link backup, you can configure collaboration between static routing, NQA, and Track to detect link connectivity and adjust traffic forwarding paths in time.
Technical implementation
As shown in Figure 28, the basic process for communication between the branch and headquarters in a 5G + wired link primary/backup network is as follows:
1. The MSR router connects to the ISP core network through wired and 5G links, and establishes tunnels between the headquarters and branch. The wired link serves as the primary link with higher preference than the 5G link.
2. When the wired link is operating correctly, the traffic between the branch and headquarters is transmitted through the wired link. If NQA detects an anomaly in the wired link, the track entry status of the wired link changes from Positive to Negative. The wired link is disabled and service traffic switches to the 5G link. When NQA detects the recovery of the wired link, the traffic switches back to the wired link.
Figure 28 5G + wired link primary/backup scenario
Typical networking
As shown in Figure 29, install a 5G SIC interface module on the MSR router to connect to the 5G network through dial-up with DDR, and establish a 5G link as a backup link for the wired link. Configure collaboration between static routing, NQA, and Track. When the wired link is operating correctly, enterprise branch users access the headquarters through the wired link. If the wired link fails, enterprise branch users can access the headquarters through the 5G link.
Figure 29 5G + wired link primary/backup network diagram
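The three primary/backup scenarios above (dual SIM cards, dual 5G links, and 5G + wired link) share one selection rule: a link carries traffic only while its track entry is Positive, a 5G link is additionally taken out of service when its signal strength drops below –100 dBm, and traffic returns to the preferred link once NQA sees it recover. The following Python example, added here and not part of the H3C documentation or the router software, models that rule over a constructed sequence of polls. The link names, preference values, poll data and the hold-down period before switching back to the preferred link are assumptions; the hold-down in particular is an added safeguard against flapping (a link hovering around the threshold would otherwise switch on every poll) that the page does not describe.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

RSRP_SWITCH_THRESHOLD_DBM = -100   # switch threshold given in the scenario text


@dataclass
class Link:
    name: str
    preference: int                  # lower value = preferred, like a route preference
    track_positive: bool = True      # Track/NQA result: Positive (True) or Negative (False)
    rsrp_dbm: Optional[int] = None   # None for a wired link (no radio measurement)

    def usable(self) -> bool:
        """Usable while the track entry is Positive and, for a 5G link,
        the signal strength is not below the switch threshold."""
        if not self.track_positive:
            return False
        if self.rsrp_dbm is not None and self.rsrp_dbm < RSRP_SWITCH_THRESHOLD_DBM:
            return False
        return True


def signal_class(rsrp_dbm: int) -> str:
    """Map an RSRP value to the High/Medium/Low bands the module's 5G LED reports."""
    if rsrp_dbm >= -85:
        return "high"
    if rsrp_dbm >= -100:
        return "medium"
    if rsrp_dbm >= -115:
        return "low"
    return "none"


def select_active(links: Iterable[Link]) -> Optional[Link]:
    """Pick the most preferred usable link, or None if every link is down."""
    usable = [link for link in links if link.usable()]
    return min(usable, key=lambda link: link.preference) if usable else None


class FailoverController:
    """Decide, poll by poll, which link carries branch-to-headquarters traffic."""

    def __init__(self, links: List[Link], holddown_polls: int = 3) -> None:
        self.links: Dict[str, Link] = {link.name: link for link in links}
        self.holddown_polls = holddown_polls          # assumed anti-flap hold-down
        self._stable: Dict[str, int] = {link.name: 0 for link in links}
        best = select_active(links)
        self.active: Optional[str] = best.name if best else None

    def poll(self, measurements: Dict[str, Tuple[bool, Optional[int]]]) -> Optional[str]:
        """Apply one round of Track/NQA results and signal readings; return the active link.
        measurements maps link name -> (track_positive, rsrp_dbm or None)."""
        for name, (track_positive, rsrp) in measurements.items():
            self.links[name].track_positive = track_positive
            self.links[name].rsrp_dbm = rsrp
        for name, link in self.links.items():
            self._stable[name] = self._stable[name] + 1 if link.usable() else 0

        current = self.links.get(self.active) if self.active else None
        # Rule 1: the active link failed -> switch immediately to the best usable link.
        if current is None or not current.usable():
            best = select_active(self.links.values())
            self.active = best.name if best else None
            return self.active
        # Rule 2: a more preferred link recovered and stayed usable for the whole
        # hold-down period -> preempt back to it (e.g. wired link recovery).
        for link in sorted(self.links.values(), key=lambda l: l.preference):
            if link.preference >= current.preference:
                break
            if link.usable() and self._stable[link.name] >= self.holddown_polls:
                self.active = link.name
                break
        return self.active


def run_dual_sim_scenario() -> List[Optional[str]]:
    """Constructed poll sequence for the dual-SIM case (SIM0 primary, SIM1 backup)."""
    controller = FailoverController([
        Link("SIM0", preference=10, rsrp_dbm=-80),
        Link("SIM1", preference=20, rsrp_dbm=-90),
    ])
    polls = [
        {"SIM0": (True, -80), "SIM1": (True, -90)},    # both healthy, SIM0 carries traffic
        {"SIM0": (True, -104), "SIM1": (True, -90)},   # SIM0 below -100 dBm -> switch to SIM1
        {"SIM0": (True, -82), "SIM1": (True, -90)},    # SIM0 recovered, hold-down poll 1
        {"SIM0": (True, -82), "SIM1": (True, -90)},    # hold-down poll 2
        {"SIM0": (True, -82), "SIM1": (True, -90)},    # hold-down poll 3 -> back to SIM0
        {"SIM0": (False, -82), "SIM1": (True, -90)},   # SIM0 track Negative (e.g. no credit)
    ]
    return [controller.poll(p) for p in polls]


if __name__ == "__main__":
    print(run_dual_sim_scenario())   # ['SIM0', 'SIM1', 'SIM1', 'SIM1', 'SIM0', 'SIM1']
```

Run the file directly to see the active link after each poll. Note that –100 dBm itself is still "medium" in the LED bands and still usable here; only readings strictly below the threshold trigger a switch, matching the "below the threshold" wording of the scenarios. On the router itself, use whatever state-transition delay your Track or EAA configuration offers for the same anti-flap purpose; without one, a 5G link whose signal oscillates around –100 dBm causes repeated dial-up and tunnel re-establishment.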
5G framed routing scenario
Introduction
In a traditional 5G deployment, the 5G device must run NAT, be configured with PDN routes, and build tunnels. The configuration is complex and adds delay to packet processing on the device, which makes it hard to meet the low-latency, high-bandwidth demands of vertical industries such as rail transit, electric power, and industrial control. With a UE framed route, the 5G core network pushes the routing information to the PGW and associates it with the specified PDU session; the PGW then forwards packets to the attached devices based on that routing information and PDU session. This reduces the forwarding delay for user data on network devices and simplifies device configuration.
Technical implementation
As shown in Figure 30, the basic process for communication between the branch and headquarters in the 5G framed routing network is as follows:
1. The MSR router connects to the 5G core network through a 5G link. After a 5G framed route is configured on the PGW, the framed route entry that is generated contains the IMSI of the SIM card and the subnet address of the attached endpoint device.
2. When an application service in the headquarters network accesses the endpoint device attached to the MSR router, the PGW device searches for the corresponding framed route entry, selects the appropriate GTP tunnel to encapsulate the original packet, and forwards it to the 5G base station.
3. Upon receiving the encapsulated packet, the 5G base station removes the tunnel encapsulation (the outer IP header) to recover the original IP packet and delivers it over the air interface to the 5G interface of the MSR router.
4. Upon receiving the original packet, the MSR router forwards it to the attached endpoint device based on the destination IP address.
Figure 30 Packet forwarding diagram in the 5G framed routing scenario
Typical networking
As shown in Figure 31, Branch 1 and Branch 2 of the enterprise connect to the 5G network through DDR dial-up on their MSR routers and establish 5G links. In the EPC core network, configure 5G framed routes to Branch 1 and Branch 2 to generate 5G framed route entries, each associating a branch subnet with the IMSI of that branch's SIM card. When an application server at the headquarters sends a packet to a branch device, the core network forwards the packet to the corresponding MSR router based on the framed route entry. Upon receiving the packet, the router forwards it to the destination subnet through a routing table lookup.
Figure 31 5G framed routing network diagram
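The following Python example, added here and not taken from the H3C documentation or any core-network product, models the framed route entries described above as a table of (branch subnet, IMSI) bindings. A downlink lookup selects, by longest-prefix match, the session whose GTP tunnel carries a packet to a given branch address; an added uplink check rejects a packet arriving over one session whose source address is framed to a different IMSI, so one branch cannot source traffic with another branch's addresses. The subnets, the IMSI placeholder strings and the uplink check itself are assumptions for illustration; the page describes only the downlink direction.

```python
import ipaddress
from typing import List, Optional, Tuple

IPNetwork = ipaddress.IPv4Network


class FramedRouteTable:
    """Framed route entries: each binds an attached-device subnet to the IMSI
    (and so the PDU session / GTP tunnel) of the SIM card behind which it sits."""

    def __init__(self) -> None:
        self._entries: List[Tuple[IPNetwork, str]] = []

    def add(self, subnet: str, imsi: str) -> None:
        # strict=True rejects a subnet with host bits set (e.g. 10.1.1.5/24), which
        # would otherwise silently bind a different prefix than the one intended.
        self._entries.append((ipaddress.IPv4Network(subnet, strict=True), imsi))

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match: the IMSI whose framed subnet contains `address`,
        i.e. the session whose GTP tunnel a downlink packet to `address` uses."""
        addr = ipaddress.IPv4Address(address)
        best: Optional[Tuple[IPNetwork, str]] = None
        for net, imsi in self._entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, imsi)
        return best[1] if best else None

    def uplink_source_allowed(self, imsi: str, source: str) -> bool:
        """Added ingress check (an assumption, not described on the page): an uplink
        packet arriving over the session of `imsi` must carry a source address whose
        framed route resolves to that same IMSI."""
        return self.lookup(source) == imsi


def build_example_table() -> FramedRouteTable:
    """Constructed example: Branch 1 owns 10.1.0.0/16 except 10.1.2.0/24, which is
    framed to Branch 2. The IMSI strings are placeholders, not real subscriber IDs."""
    table = FramedRouteTable()
    table.add("10.1.0.0/16", "imsi-branch1")
    table.add("10.1.2.0/24", "imsi-branch2")
    return table


def route_downlink(table: FramedRouteTable, dst: str) -> str:
    """Describe what the core does with a headquarters-to-branch packet."""
    imsi = table.lookup(dst)
    return f"encapsulate in GTP tunnel of {imsi}" if imsi else "no framed route for destination"


if __name__ == "__main__":
    t = build_example_table()
    print(route_downlink(t, "10.1.1.20"))   # encapsulate in GTP tunnel of imsi-branch1
    print(route_downlink(t, "10.1.2.7"))    # encapsulate in GTP tunnel of imsi-branch2
    print(route_downlink(t, "192.0.2.9"))   # no framed route for destination
    print(t.uplink_source_allowed("imsi-branch1", "10.1.2.5"))   # False
```

The longest-prefix rule matters when framed subnets overlap: 10.1.2.7 falls inside both entries, and the /24 bound to Branch 2 wins. The same lookup drives the uplink check, so a packet from 10.1.2.5 is accepted only over the Branch 2 session.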
Device selection
This section introduces the MSR router models supported in 5G scenarios, and information about how to install SIM cards and antennas.
5G interface module compatibility with MSR routers
This chapter describes the 5G SIC interface module compatibility with MSR routers.
NOTE: · The actual interface module compatibility with a router varies by software version. For more information, see the release notes. · For more information about interface module compatibility with MSR routers, see H3C MSR Router Series Interface Module Guide. |
Table 13 RT-SIC-5G/RT-SIC-5G-CN interface module compatibility with MSR routers (1)

| Interface module model | MSR2600-6-X1/MSR2600-6-X1-GL/MSR2630-XS | MSR2600-10-X1 | MSR2600-15-X1/MSR2600-15-X1-T | MSR 26-30 | MSR2630E-X1/MSR2680-XS |
|---|---|---|---|---|---|
| RT-SIC-5G | Supported (only in slot 1) | Not supported | Supported | Not supported | Supported |
| RT-SIC-5G-CN | Supported (only in slot 1) | Not supported | Supported | Not supported | Not supported |

Table 14 RT-SIC-5G/RT-SIC-5G-CN interface module compatibility with MSR routers (2)

| Interface module model | MSR 36-10 | MSR3610E-X1/MSR3610E-X1-DP | MSR3610-I-DP/MSR3610-IE-DP | MSR3610-I-XS/MSR3610-IE-XS/MSR3610-IE-ES | MSR3610-IE-EAD/MSR-EAD-AK770/MSR-iMC | MSR3610-X1/MSR3610-X1-DC/MSR3610-X1-DP/MSR3610-X1-DP-DC/MSR3610-XS | MSR3610-I-IG/MSR3610-IE-IG |
|---|---|---|---|---|---|---|---|
| RT-SIC-5G | Not supported | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Supported (only in slot 3) | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) |
| RT-SIC-5G-CN | Not supported | Not supported | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Supported (only in slot 3) | Supported (only in slot 3) | Supported (only in slots 1 and 3) |

Table 15 RT-SIC-5G/RT-SIC-5G-CN interface module compatibility with MSR routers (3)

| Interface module model | MSR3610-G | MSR3620-G | MSR 36-20 | MSR3620-DP/MSR3620-XS | MSR 36-40 | MSR 36-60 |
|---|---|---|---|---|---|---|
| RT-SIC-5G | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Not supported | Not supported | Not supported | Not supported |
| RT-SIC-5G-CN | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Not supported | Not supported | Not supported | Not supported |

Table 16 RT-SIC-5G/RT-SIC-5G-CN interface module compatibility with MSR routers (4)

| Interface module model | MSR3600-28 | MSR3600-28-SI/MSR3600-28-SI-GL | MSR3600-28-X1/MSR3600-28-XS | MSR3600-28-X1-DP | MSR3600-51 | MSR3600-51-SI | MSR3600-51-X1 | MSR3600-51-X1-DP | MSR 56-20 |
|---|---|---|---|---|---|---|---|---|---|
| RT-SIC-5G | Not supported | Supported (only in slot 3) | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Not supported | Supported (only in slot 3) | Supported (only in slot 3) | Supported (only in slot 3) | Not supported |
| RT-SIC-5G-CN | Not supported | Supported (only in slot 3) | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Not supported | Supported (only in slot 3) | Supported (only in slot 3) | Supported (only in slot 3) | Not supported |

Table 17 RT-SIC-5G/RT-SIC-5G-CN interface module compatibility with MSR routers (5)

| Interface module model | MSR3600-28-G-DP/MSR3600-51-G-DP | MSR3620-X1/MSR3620-X1-XS | MSR3640-G (code: 0235A4G9) | MSR3640-G (code: 0235A4W8) | MSR3640-X1/MSR3640-XS | MSR3640-X1-HI/MSR3660-XS | MSR5680-X3 (MSU-200) |
|---|---|---|---|---|---|---|---|
| RT-SIC-5G | Supported (only in slots 1, 2, and 3) | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Not supported | Supported | Supported |
| RT-SIC-5G-CN | Supported (only in slots 1, 2, and 3) | Supported (only in slots 1 and 3) | Supported (only in slots 1 and 3) | Not supported | Not supported | Supported (only in slots 1, 2, and 3) | Not supported |

5G antenna compatibility with 5G interface modules
Table 18 Appearance and applicable 5G interface module models of stick antennas and extension cables

| Product | Applicable interface module models |
|---|---|
| Stick antenna A | RT-SIC-5G, RT-SIC-5G-CN |
| Stick antenna B | RT-SIC-5G, RT-SIC-5G-CN |
| 3 m (9.84 ft) antenna extension cable (with a magnetic antenna mount base) | RT-SIC-5G, RT-SIC-5G-CN |
| 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) | RT-SIC-5G, RT-SIC-5G-CN |
| 10 cm (3.94 in) cable | RT-SIC-5G, RT-SIC-5G-CN |
| 5 m (16.40 ft)/10 m (32.81 ft) antenna extension cable | RT-SIC-5G, RT-SIC-5G-CN |
| Antenna bracket | RT-SIC-5G, RT-SIC-5G-CN |

Table 19 Technical specifications for stick antenna A

| Item | Specification |
|---|---|
| Frequency range | 698 to 960 MHz, 1710 to 2170 MHz, 2300 to 2700 MHz, 3300 to 3800 MHz, 4400 to 5000 MHz, 5150 to 5850 MHz |
| Voltage standing wave ratio (VSWR) | ≤ 4 |
| Input impedance | 50 ohms |
| Gain | 617 to 960 MHz: 0.59 dBi; 1710 to 2170 MHz: 3.74 dBi; 2300 to 2700 MHz: 3.51 dBi; 3300 to 3800 MHz: 3.7 dBi; 4400 to 5000 MHz: 4.0 dBi; 5150 to 5850 MHz: 4.87 dBi |
| Polarization | Vertical |
| Max input power | 1 W |
| Interface | SMA male |
| Height | 20.3 cm (7.99 in) |
| Weight | 19.63 g (0.69 oz) |
| Color | Black |
| Operating temperature | –20°C to +65°C (–4°F to +149°F) |

Table 20 Technical specifications for stick antenna B

| Item | Specification |
|---|---|
| Frequency range | 0.6 to 6 GHz |
| VSWR | ≤ 6 |
| Input impedance | 50 ohms |
| Max gain | 2.74 dBi @ 0.617 to 0.96 GHz; 1.01 dBi @ 1.4 to 1.612 GHz; 4.48 dBi @ 1.71 to 2.17 GHz; 3.98 dBi @ 2.3 to 2.7 GHz; 4.74 dBi @ 3.3 to 4.0 GHz; 5.50 dBi @ 4.0 to 5.0 GHz; 5.82 dBi @ 5.15 to 5.85 GHz |
| Polarization | Vertical |
| Max input power | 1 W |
| Interface | SMA male |
| Height | 17.6 cm (6.93 in) |
| Weight | 20 g (0.71 oz) |
| Color | Black |
| Operating temperature | –20°C to +70°C (–4°F to +158°F) |

Table 21 Technical specifications for the 3 m (9.84 ft) antenna extension cable (with a magnetic antenna mount base)

| Item | Specification |
|---|---|
| Frequency range | DC to 6 GHz |
| VSWR | ≤ 5 |
| Input impedance | 50 ohms |
| Cable type | RG-174 |
| Max input power | 1 W |
| Interface | SMA |
| Cable length | 3000 mm (118.11 in) |
| Weight | 65.3 g (2.30 oz) |
| Color | Black |
| Operating temperature | –40°C to +85°C (–40°F to +185°F) |

Table 22 Technical specifications for the 1m (3.28 ft) antenna extension cable (with a magnetic antenna mount base)

| Item | Specification |
|---|---|
| Frequency range | DC to 6 GHz |
| VSWR | ≤ 1.7 |
| Input impedance | 50 ohms |
| Cable type | RG-174 |
| Interface | SMA |
| Cable length | 1 m (3.28 ft) |
| Weight | 202 g (7.13 oz) |
| Color | Black |
| Operating temperature | –20°C to +70°C (–4°F to +158°F) |

Table 23 Technical specifications for the 10 cm (3.94 in) cable

| Item | Specification |
|---|---|
| Frequency range | DC to 6 GHz |
| VSWR | ≤ 1.2 @ 3 GHz; ≤ 1.4 @ 3 to 6 GHz |
| Input impedance | 50 ohms |
| Cable type | RG-174 |
| Max input power | N/A |
| Interface | SMA |
| Cable length | 10 cm (3.94 in) |
| Weight | N/A |
| Color | Black |
| Operating temperature | –40°C to +85°C (–40°F to +185°F) |

Table 24 Technical specifications for the 5 m (16.40 ft) antenna extension cable

| Item | Specification |
|---|---|
| Frequency range | DC to 6 GHz |
| VSWR | < 1.2 @ 0.3 to 2.4 GHz; < 1.4 @ 5 to 6 GHz |
| Input impedance | 50 ohms |
| Cable type | RG8 |
| Max input power | N/A |
| Interface | SMA |
| Cable length | 5 m (16.40 ft) |
| Weight | N/A |
| Color | White |
| Operating temperature | –40°C to +85°C (–40°F to +185°F) |

Table 25 Technical specifications for the 10 m (32.81 ft) antenna extension cable

| Item | Specification |
|---|---|
| Frequency range | DC to 6 GHz |
| VSWR | ≤ 1.2 @ 2.4 GHz; ≤ 1.5 @ 5 to 6 GHz |
| Input impedance | 50 ohms |
| Cable type | RG8 |
| Max input power | N/A |
| Interface | SMA |
| Cable length | 10 m (32.81 ft) |
| Weight | N/A |
| Color | White |
| Operating temperature | –40°C to +85°C (–40°F to +185°F) |

5G interface modules and SIM card installation
5G interface modules provide 5G WWAN (cellular) access. Only the following 5G SIC interface modules are supported:
· RT-SIC-5G
· RT-SIC-5G-CN
RT-SIC-5G
CAUTION: Before you remove an RT-SIC-5G interface module, execute the remove command or press and hold the remove button for more than 3 seconds and wait for the remove LED to turn off. The device might reboot unexpectedly if you remove the interface module with its remove LED on. |
Introduction
The RT-SIC-5G module provides 5G WWAN (cellular) access and supports the following technologies:
· 5G NR
· LTE-A
· WCDMA
· FDD-LTE
· TDD-LTE
Interface specifications
Table 26 Interface specifications

| Item | Description |
|---|---|
| Connector type | SMA, used for connecting antennas for GNSS positioning or WWAN (cellular) access |
| Connector quantity | 4 |
| Standard and working mode | SMA. GNSS antenna: GPS/GLONASS/BeiDou/Galileo. Omnidirectional antenna: WCDMA/FDD-LTE/TDD-LTE/5G NR |
| Supported services | 5G/4G/3G networking; 5G and LTE-A full coverage; NSA and SA modes; integrated multi-constellation GNSS receiver for fast and precise positioning in different environments |

Interface LEDs
Figure 32 RT-SIC-5G panel
Table 27 LED description

| LED | Status | Description |
|---|---|---|
| WWAN | Steady green | A WWAN link is present. |
| WWAN | Fast flashing green | Data is being transmitted or received on the WWAN link. |
| WWAN | Slow flashing green | The module is searching for and connecting to a WWAN. |
| WWAN | Off | No WWAN link is present. |
| 5G | Steady green (SA mode) | High 5G signal strength (RSRP ≥ –85 dBm). |
| 5G | Fast flashing green (SA mode) | Medium 5G signal strength (–100 dBm ≤ RSRP < –85 dBm). |
| 5G | Slow flashing green (SA mode) | Low 5G signal strength (–115 dBm ≤ RSRP < –100 dBm). |
| 5G | Steady yellow (NSA mode) | High 5G signal strength (RSRP ≥ –85 dBm). |
| 5G | Fast flashing yellow (NSA mode) | Medium 5G signal strength (–100 dBm ≤ RSRP < –85 dBm). |
| 5G | Slow flashing yellow (NSA mode) | Low 5G signal strength (–115 dBm ≤ RSRP < –100 dBm). |
| 5G | Off | No 5G service. |
| LTE | Steady green | The module is operating in 4G mode with high signal strength (RSSI ≥ –70 dBm). |
| LTE | Fast flashing green | The module is operating in 4G mode with medium signal strength (–100 dBm ≤ RSSI < –70 dBm). |
| LTE | Slow flashing green | The module is operating in 4G mode with low signal strength (–125 dBm ≤ RSSI < –100 dBm). |
| LTE | Steady yellow | The module is operating in 3G mode with high signal strength (RSSI ≥ –70 dBm). |
| LTE | Fast flashing yellow | The module is operating in 3G mode with medium signal strength (–100 dBm ≤ RSSI < –70 dBm). |
| LTE | Slow flashing yellow | The module is operating in 3G mode with low signal strength (–125 dBm ≤ RSSI < –100 dBm). |
| LTE | Off | No 3G or 4G service. |
| SIM | Steady green | SIM card 1 is operating. |
| SIM | Steady yellow | SIM card 2 is operating. |
| SIM | Off | No SIM card is available. |
| GNSS | Steady green | Valid GNSS service. |
| GNSS | Off | No GNSS service. |
| REMOVE | Steady green | The module is operating correctly and can be hot swapped. |
| REMOVE | Fast flashing green | The module is initializing and cannot be hot swapped. |
| REMOVE | Off | You can remove the module if all the other LEDs on the module are also off. |

Antennas, interface cables, and connection methods
For more information about antennas, interface cables, and connection methods, see "Installing antennas and extension antenna cables."
Installing a SIM card
CAUTION: To avoid damage to the SIM card or the 5G interface module, insert the SIM card into the slot with the cut corner oriented as shown by the mark on the module. |
The RT-SIC-5G interface module provides two SIM card slots. You can install one or two SIM cards as required. SIM card 1 is operating by default when two SIM cards are installed on the RT-SIC-5G interface module. In Figure 33, two SIM cards are installed.
To install a 5G SIM card:
1. Use a screwdriver to remove the two screws on the SIM card retainer cover.
2. Lift the cover up and away from the retainer, as shown by callout 2 in Figure 33.
3. Orient the SIM card as shown by the mark.
4. Insert the SIM card into the SIM card slot along the slide rails.
5. Slightly push the SIM card edge to secure it into the slot.
6. Reattach the retainer cover and use the two screws to secure the cover.
7. Execute the display cellular [ interface-number ] command after the router starts. If SIM Status = OK is displayed in the command output, the SIM card is identified correctly.
Figure 33 Installing 5G SIM cards
RT-SIC-5G-CN
CAUTION: Before you remove an RT-SIC-5G-CN interface module, execute the remove command or press and hold the remove button for more than 3 seconds and wait for the remove LED to turn off. The device might reboot unexpectedly if you remove the interface module with its remove LED on. |
Introduction
The RT-SIC-5G-CN module provides 5G WWAN (cellular) access and supports the following technologies:
· 5G NR
· LTE-A
· WCDMA
· FDD-LTE
· TDD-LTE
Interface specifications
Table 28 Interface specifications

| Item | Description |
|---|---|
| Connector type | SMA, used for connecting antennas for WWAN (cellular) access |
| Connector quantity | 4 |
| Standard and working mode | SMA. Omnidirectional antenna: WCDMA/FDD-LTE/TDD-LTE/5G NR |
| Supported services | 5G/4G/3G networking; 5G and LTE-A full coverage; NSA and SA modes |

Interface LEDs
Figure 34 RT-SIC-5G-CN panel
Table 29 LED description

| LED | Status | Description |
|---|---|---|
| WWAN | Steady green | A WWAN link is present. |
| WWAN | Fast flashing green | Data is being transmitted or received on the WWAN link. |
| WWAN | Slow flashing green | The module is searching for and connecting to a WWAN. |
| WWAN | Off | No WWAN link is present. |
| 5G | Steady green (SA mode) | High 5G signal strength (RSRP ≥ –85 dBm). |
| 5G | Fast flashing green (SA mode) | Medium 5G signal strength (–100 dBm ≤ RSRP < –85 dBm). |
| 5G | Slow flashing green (SA mode) | Low 5G signal strength (–115 dBm ≤ RSRP < –100 dBm). |
| 5G | Steady yellow (NSA mode) | High 5G signal strength (RSRP ≥ –85 dBm). |
| 5G | Fast flashing yellow (NSA mode) | Medium 5G signal strength (–100 dBm ≤ RSRP < –85 dBm). |
| 5G | Slow flashing yellow (NSA mode) | Low 5G signal strength (–115 dBm ≤ RSRP < –100 dBm). |
| 5G | Off | No 5G service. |
| LTE | Steady green | The module is operating in 4G mode with high signal strength (RSSI ≥ –70 dBm). |
| LTE | Fast flashing green | The module is operating in 4G mode with medium signal strength (–100 dBm ≤ RSSI < –70 dBm). |
| LTE | Slow flashing green | The module is operating in 4G mode with low signal strength (–125 dBm ≤ RSSI < –100 dBm). |
| LTE | Steady yellow | The module is operating in 3G mode with high signal strength (RSSI ≥ –70 dBm). |
| LTE | Fast flashing yellow | The module is operating in 3G mode with medium signal strength (–100 dBm ≤ RSSI < –70 dBm). |
| LTE | Slow flashing yellow | The module is operating in 3G mode with low signal strength (–125 dBm ≤ RSSI < –100 dBm). |
| LTE | Off | No 3G or 4G service. |
| SIM | Steady green | SIM card 1 is operating. |
| SIM | Steady yellow | SIM card 2 is operating. |
| SIM | Off | No SIM card is available. |
| REMOVE | Steady green | The module is operating correctly and can be hot swapped. |
| REMOVE | Fast flashing green | The module is initializing and cannot be hot swapped. |
| REMOVE | Off | You can remove the module if all the other LEDs on the module are also off. |

Antennas, interface cables, and connection methods
For more information about antennas, interface cables, and connection methods, see "Installing antennas and extension antenna cables."
Installing a SIM card
CAUTION: To avoid damage to the SIM card or the 5G interface module, insert the SIM card into the slot with the cut corner oriented as shown by the mark on the module. |
The RT-SIC-5G-CN interface module provides two SIM card slots. You can install one or two SIM cards as required. SIM card 1 is operating by default when two SIM cards are installed on the RT-SIC-5G-CN interface module. In Figure 35, two SIM cards are installed.
To install a 5G SIM card:
1. Use a screwdriver to remove the two screws on the SIM card retainer cover.
2. Lift the cover up and away from the retainer, as shown by callout 2 in Figure 35.
3. Orient the SIM card as shown by the mark.
4. Insert the SIM card into the SIM card slot along the slide rails.
5. Slightly push the SIM card edge to secure it into the slot.
6. Reattach the retainer cover and use the two screws to secure the cover.
7. Execute the display cellular [ interface-number ] command after the router starts. If SIM Status = OK is displayed in the command output, the SIM card is identified correctly.
Figure 35 Installing 5G SIM cards
Installing antennas and extension antenna cables
The figures of the interface modules and antenna accessories in this document are for illustration only.
The antenna configuration scheme varies by antenna extension length and application scenario. The antenna installation method varies by antenna configuration scheme. Use the installation method corresponding to the selected antenna configuration scheme. Table 30 shows the antenna configuration schemes and corresponding antenna installation methods.
Table 30 Antenna configuration schemes and corresponding antenna installation methods

| Antenna extension length | Antenna configuration scheme | Description |
|---|---|---|
| 1 m (3.28 ft) | Stick antenna + 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) | Desktop or rack mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 1." |
| 3 m (9.84 ft) | Stick antenna + 3 m (9.84 ft) antenna extension cable (with a magnetic antenna mount base) | Rack mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 2." |
| 5 m (16.40 ft) | Stick antenna + 10 cm (3.94 in) cable + 5 m (16.40 ft) antenna extension cable + 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) | Desktop or rack mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 3." |
| 5 m (16.40 ft) | Stick antenna + 10 cm (3.94 in) cable + 5 m (16.40 ft) antenna extension cable + antenna bracket | Wall mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 4." |
| 10 m (32.81 ft) | Stick antenna + 10 cm (3.94 in) cable + 10 m (32.81 ft) antenna extension cable + 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) | Desktop or rack mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 3." |
| 10 m (32.81 ft) | Stick antenna + 10 cm (3.94 in) cable + 10 m (32.81 ft) antenna extension cable + antenna bracket | Wall mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 4." |
| 15 m (49.21 ft) | Stick antenna + 10 cm (3.94 in) cable + 5 m (16.40 ft) antenna extension cable + 10 m (32.81 ft) antenna extension cable + 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) | Desktop or rack mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 3." |
| 15 m (49.21 ft) | Stick antenna + 10 cm (3.94 in) cable + 5 m (16.40 ft) antenna extension cable + 10 m (32.81 ft) antenna extension cable + antenna bracket | Wall mounting. For the antenna installation method, see "Installation method for antenna configuration scheme 4." |

NOTE: · Stick antennas are provided with the interface module. Purchase antenna accessories yourself as required. · An increase in the extension cable length causes high antenna loss, which might cause weak signals. Select an antenna configuration scheme based on the actual situation. |
Installation method for antenna configuration scheme 1
1. Insert each SMA male connector of the 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) into an antenna port on the interface module, and then fasten the SMA male connectors.
2. Connect a stick antenna to each SMA female connector on the magnetic antenna mount base. Make sure the antennas stand upright.
Figure 36 Connecting a 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) to the interface module
Figure 37 Mounting a 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) in the rack
Installation method for antenna configuration scheme 2
1. Insert the SMA male connector of the 3 m (9.84 ft) antenna extension cable (with a magnetic antenna mount base) into an antenna port on the interface module, and then fasten the SMA male connector.
2. Connect a stick antenna to the SMA female connector on the magnetic antenna mount base. Make sure the antenna stands upright.
Figure 38 Connecting a 3 m (9.84 ft) antenna extension cable (with a magnetic antenna mount base) to the interface module
Figure 39 Mounting a 3 m (9.84 ft) antenna extension cable (with a magnetic antenna mount base) in the rack
Installation method for antenna configuration scheme 3
IMPORTANT: · When the required antenna extension length is longer than 10 m (32.81 ft), connect a 5 m (16.40 ft) antenna extension cable and a 10 m (32.81 ft) antenna extension cable. Then, connect the combined extension cable to a 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base). · After you connect 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to 10 cm (3.94 in) cables, secure the cables by binding them at an appropriate location near the connection. This avoids damage to the 10 cm (3.94 in) cables due to excessive force during vertical stretching. · Due to the small distance between antenna ports on the interface module, do not connect 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to adjacent antenna ports. |
To install antennas:
1. Insert the SMA male connectors of two 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables and two 10 cm (3.94 in) cables into antenna ports on the interface module, and then fasten the SMA male connectors.
Figure 40 Connecting 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables and 10 cm (3.94 in) cables to the interface module
2. Connect each SMA male connector of the other two 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to the other end of each 10 cm (3.94 in) cable. Bind the cables at an appropriate location to secure the 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables and avoid damage to the 10 cm (3.94 in) cables due to excessive force.
To avoid damaging the cable cores, never bend the 10 cm (3.94 in) cables or 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables.
Figure 41 Connecting 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to 10 cm (3.94 in) cables
3. Connect each SMA female connector of the four 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to each SMA male connector of the 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base).
Figure 42 Connecting 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to a 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base)
4. Connect a stick antenna to each SMA female connector on the magnetic antenna mount base. Make sure the antennas stand upright.
Figure 43 Mounting a 1 m (3.28 ft) antenna extension cable (with a magnetic antenna mount base) in the rack
Installation method for antenna configuration scheme 4
IMPORTANT:
· When the required antenna extension length is longer than 10 m (32.81 ft), connect a 5 m (16.40 ft) antenna extension cable and a 10 m (32.81 ft) antenna extension cable. Then, connect the combined extension cable to an antenna bracket.
· After you connect 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to 10 cm (3.94 in) cables, secure the cables by binding them at an appropriate location near the connection. This avoids damage to the 10 cm (3.94 in) cables due to excessive force during vertical stretching.
To install antennas:
1. The first two installation steps of this antenna configuration scheme are the same as those of the installation method for antenna configuration scheme 3. For more information, see "Installation method for antenna configuration scheme 3."
2. Drill two holes with a distance of 160 mm (6.30 in) and a depth of 60 mm (2.36 in) on a vertical wall. Make sure the two holes are on the same horizontal line.
3. Insert an anchor screw into each hole and make sure they are both flush with the wall surface.
Figure 44 Installing screw anchors
4. Align the two holes in the antenna bracket with the two wall-mounting holes in the wall. Fasten a screw into each screw anchor to secure the antenna bracket to the wall.
Figure 45 Securing the antenna bracket to the wall
5. Use screws and washers to secure the 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables to the antenna bracket.
Figure 46 Installing 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables
6. Connect antennas to the 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables through the antenna bracket.
Figure 47 Connecting antennas to the 5 m (16.40 ft) or 10 m (32.81 ft) antenna extension cables
Installing a GNSS antenna
Install the GNSS antenna on the M2 antenna port. Insert the SMA male connector of the GNSS antenna into the GNSS antenna port on the panel and fasten the SMA male connector. Keep the other end of the GNSS antenna as close to outdoors as possible.
Figure 48 Installing a GNSS antenna
IMPORTANT:
· No GNSS antenna is provided with the interface module. Purchase one yourself as required.
· Only the RT-SIC-5G interface module supports GNSS.
Configuration examples
Introduction
The following information provides configuration examples for MSR routers to offer 5G access services through 5G SIC interface modules.
Prerequisites
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of mobile communication modem management, DDR, L2TP, IPsec, ADVPN, VXLAN, and IPv6.
Applicable product matrix
Product | Software version |
---|---|
MSR centralized routers | R6728P13 and later |
MSR distributed routers | R6728P13 and later |
Example: Configuring 5G modem dialup Internet access
Network configuration
As shown in Figure 49, Router A has a 5G modem. Users automatically dial up to the 5G network through DDR and establish a permanent online connection. The following information details the configuration:
· On Router A, channelize interface Cellular 1/0 into Eth-channel interface 1/0:0, use this Eth-channel interface as the DDR dialer interface, and obtain the service provider-assigned IP address by using the modem manufacturer's proprietary protocol.
· On Router A, enable traditional DDR and specify the dial string to reach the remote site according to the service provider. Typically, the dial string is *99# for China Mobile or China Unicom, and #777 for China Telecom.
· On Router A, configure the 5G modem profile to use the dynamic access point. The service provider assigns the access point name during dialup negotiation.
· Router A is on subnet 192.168.1.0/24 and only performs DDR dialup for IPv4 protocol packets.
Restrictions and guidelines
If a standard 5G SIM card is used for Internet access, configure the dynamic access point in the 5G modem profile as the 5G network access point.
If a 5G IoT card or a VPDN dedicated SIM card is used for Internet access, specify a static access point in the 5G modem profile as the 5G network access point. Additionally, configure the authentication mode for accessing the 5G network by using the username and password provided by the service provider.
Procedures
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure 5G modem dialup.
# Configure a dialup rule for dialer group 1.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem profile, and configure it to use an APN automatically assigned by the service provider.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize interface Cellular 1/0 into an Ethernet channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel 1/0:0 to obtain an IP address by using the modem manufacturer's proprietary protocol. The IP address is automatically assigned by the service provider.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Specify a 5G modem profile for interface Eth-channel 1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel 1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, the wait-carrier timer to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Specify the dial string to reach the remote site. The dial string is specific to the service provider. Typically, use *99# for China Mobile or China Unicom and #777 for China Telecom.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel 1/0:0 to allow address translation for all internal packets.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure a default route through interface Eth-channel 1/0:0.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
Verify the configuration
# Display the routing table. Verify that the default route configuration is effective, and users can access the Internet through the device.
[RouterA] display ip routing-table
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 E-Ch1/0:0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
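The verification step above checks the routing table by eye. The following helper, an added example rather than H3C code, parses captured display ip routing-table output and confirms that the default route is installed on the expected interface with the expected preference. SAMPLE_OUTPUT is constructed from the output shown above; the column layout it assumes is the one printed in this example.

```python
"""Check the default route in captured 'display ip routing-table' output.

Added helper, not H3C code: parses the routing-table text and confirms that the
default route is installed on the expected interface with the expected preference.
SAMPLE_OUTPUT is constructed from the verification output shown in the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the output of 'display ip routing-table' in the example.
SAMPLE_OUTPUT = """\
Destinations : 20        Routes : 20

Destination/Mask    Proto   Pre  Cost   NextHop         Interface
0.0.0.0/0           Static  60   0      0.0.0.0         E-Ch1/0:0
0.0.0.0/32          Direct  0    0      127.0.0.1       InLoop0
1.0.0.2/32          Direct  0    0      127.0.0.1       InLoop0
127.0.0.0/8         Direct  0    0      127.0.0.1       InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1       InLoop0
127.255.255.255/32  Direct  0    0      127.0.0.1       InLoop0
"""


@dataclass
class Route:
    prefix: str
    proto: str
    pre: int
    cost: int
    nexthop: str
    iface: str


# One routing-table row: prefix/len, protocol, preference, cost, next hop, interface.
ROUTE_RE = re.compile(
    r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<nexthop>\S+)\s+(?P<iface>\S+)\s*$"
)


def parse_routing_table(text: str) -> List[Route]:
    """Return every route row found in the output; headers and '...' are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["prefix"], m["proto"], int(m["pre"]),
                                int(m["cost"]), m["nexthop"], m["iface"]))
    return routes


def active_default_route(routes: List[Route]) -> Optional[Route]:
    """The installed 0.0.0.0/0 entry with the lowest (best) preference, or None."""
    defaults = [r for r in routes if r.prefix == "0.0.0.0/0"]
    return min(defaults, key=lambda r: r.pre) if defaults else None


def check_default_route(text: str, expect_iface: str,
                        expect_pre: Optional[int] = None) -> Tuple[bool, str]:
    """Verify that the default route uses expect_iface (and expect_pre if given)."""
    route = active_default_route(parse_routing_table(text))
    if route is None:
        return False, "no default route installed"
    if route.iface != expect_iface:
        return False, f"default route is on {route.iface}, expected {expect_iface}"
    if expect_pre is not None and route.pre != expect_pre:
        return False, f"default route preference is {route.pre}, expected {expect_pre}"
    return True, f"default route via {route.iface} (preference {route.pre})"


if __name__ == "__main__":
    print(check_default_route(SAMPLE_OUTPUT, "E-Ch1/0:0", 60))
```

The same check applies to the Layer 3 backup example later in this document: run it once expecting GE1/0/2 with preference 50 while the wired link is up, and once expecting E-Ch1/0:0 with preference 60 after the wired link is shut down.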
Configuration files
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
#
Example: Configuring 5G modem dialup with Layer 3 backup
Network configuration
As shown in Figure 50, Router A can access the Internet through the wired link from Router A to Router B. Additionally, Router A has a 5G modem module and can also access the Internet via DDR dialup to the 5G network. The following information details the configuration:
· Configure traditional DDR auto-dial on Router A to access the 5G network and establish a permanent 5G online connection.
· Configure two routes on Router A to access the Internet, with one route using the wired link and the other using the 5G link. Use the wired link as the primary link for data forwarding and use the 5G link as the backup link for data forwarding.
· On Router A, monitor the state of the wired link and promptly perform a switchover when the link state changes.
Analysis
· To use the wired link as the primary link for data forwarding, configure its routing precedence to be higher than that of the 5G link.
· To monitor the link state, configure NQA on Router A to track the wired link's state changes in real time.
· To switch links promptly when the wired link state changes, associate the track entry with the static route. When NQA detects a wired link failure, it automatically sets the static route for the wired link to an inactive state. The static route for the 5G link then takes effect, forwarding data through the 5G network. When NQA detects that the wired link has become available again, it automatically activates the static route for the wired link, and data is once again forwarded through the wired link.
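The analysis above describes three cooperating pieces: an NQA reaction entry that trips after consecutive probe failures, a track entry bound to it, and two default routes whose precedence decides which one forwards. The following model, an added example and not H3C code, reproduces that decision logic with the values of this example (threshold-type consecutive 2, preference 50 with track 1 for the wired route, preference 60 for the 5G route). The assumption that a single successful probe clears the over-threshold condition is a simplification of this model; the constructed probe history in the usage call shows a wired-link outage followed by recovery.

```python
"""Model of the NQA/track/static-route collaboration used for Layer 3 backup.

Added example, not H3C code. It reproduces the decision logic of the example
configuration: a reaction entry that trips after 2 consecutive probe failures
(threshold-type consecutive 2), a track entry bound to it, and two default routes
whose preference decides which one forwards. The reset-on-success behaviour of the
consecutive counter is an assumption of this simplified model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    iface: str
    nexthop: str
    preference: int               # lower value wins
    track: Optional[int] = None   # track entry the route depends on, if any


class ConsecutiveFailReaction:
    """reaction N checked-element probe-fail threshold-type consecutive T action-type trigger-only"""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.consecutive_failures = 0
        self.over_threshold = False   # True -> the associated track entry is Negative

    def feed(self, probe_ok: bool) -> bool:
        """Record one ICMP echo probe result; return the new over-threshold state."""
        if probe_ok:
            self.consecutive_failures = 0    # assumption: one success clears the condition
            self.over_threshold = False
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.threshold:
                self.over_threshold = True
        return self.over_threshold


class RouterA:
    """Two default routes of the example: wired (pre 50, track 1) and 5G (pre 60)."""

    def __init__(self) -> None:
        self.reaction = ConsecutiveFailReaction(threshold=2)
        self.tracks: Dict[int, ConsecutiveFailReaction] = {1: self.reaction}
        self.routes = [
            StaticRoute("GE1/0/2", "192.168.2.2", 50, track=1),
            StaticRoute("E-Ch1/0:0", "0.0.0.0", 60),
        ]

    def track_positive(self, track_id: int) -> bool:
        return not self.tracks[track_id].over_threshold

    def active_default_route(self) -> StaticRoute:
        """A tracked route is usable only while its track entry is Positive."""
        usable = [r for r in self.routes
                  if r.track is None or self.track_positive(r.track)]
        return min(usable, key=lambda r: r.preference)


def simulate(probe_results: List[bool]) -> List[str]:
    """Feed probe results in order; return the forwarding interface after each probe."""
    router = RouterA()
    out = []
    for ok in probe_results:
        router.reaction.feed(ok)
        out.append(router.active_default_route().iface)
    return out


if __name__ == "__main__":
    # Constructed probe history: two good probes, three failures, then recovery.
    print(simulate([True, True, False, False, False, True]))
```

Note that the first failed probe alone does not move traffic: the route only switches once the second consecutive failure reaches the configured threshold, and it switches back as soon as the track entry turns Positive again, which is the behaviour the verification steps below exercise by shutting down GigabitEthernet 1/0/2.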
Restrictions and guidelines
If a standard 5G SIM card is used for Internet access, configure the dynamic access point in the 5G modem profile as the 5G network access point.
If a 5G IoT card or a VPDN dedicated SIM card is used for Internet access, specify a static access point in the 5G modem profile as the 5G network access point. Additionally, configure the authentication mode for accessing the 5G network by using the username and password provided by the service provider.
Procedures
Configuring Router A
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure 5G modem dialup.
# Configure a dialup rule for dialer group 1.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem profile, and configure it to use an APN automatically assigned by the service provider.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize interface Cellular 1/0 into an Ethernet channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel 1/0:0 to obtain an IP address by using the modem manufacturer's proprietary protocol. The IP address is automatically assigned by the service provider.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Specify a 5G modem profile for interface Eth-channel 1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel 1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, the wait-carrier timer to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Specify the dial string to reach the remote site. The dial string is specific to the service provider. Typically, use *99# for China Mobile or China Unicom and #777 for China Telecom.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel 1/0:0 to allow address translation for all internal packets.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure the default routes. Set the preference value to 50 for the wired link's route and associate that route with track entry 1. Set the preference value to 60 for the 5G link's route.
[RouterA] ip route-static 0.0.0.0 0 gigabitethernet 1/0/2 192.168.2.2 track 1 preference 50
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0 preference 60
3. Configure an NQA operation and a track entry:
# Create an NQA operation with administrator name admin and operation tag test. Specify the operation type as ICMP echo and specify the destination address for probe packets. This example uses 1.1.1.1, the address of interface GigabitEthernet 1/0/2 on Router B.
[RouterA] nqa entry admin test
[RouterA-nqa-admin-test] type icmp-echo
[RouterA-nqa-admin-test-icmp-echo] destination ip 1.1.1.1
# Set the next hop address for probe packets to 192.168.2.2.
[RouterA-nqa-admin-test-icmp-echo] next-hop ip 192.168.2.2
# Configure the NQA operation to send 5 probes per operation. Set the probe timeout to 500 milliseconds. Configure the NQA operation to repeat every 5000 milliseconds.
[RouterA-nqa-admin-test-icmp-echo] probe count 5
[RouterA-nqa-admin-test-icmp-echo] probe timeout 500
[RouterA-nqa-admin-test-icmp-echo] frequency 5000
# Create reaction entry 1. If the number of consecutive probe failures reaches 2, collaboration is triggered.
[RouterA-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
[RouterA-nqa-admin-test-icmp-echo] quit
# Configure track entry 1, and associate it with reaction entry 1 of the NQA operation with administrator name admin and operation tag test.
[RouterA] track 1 nqa entry admin test reaction 1
[RouterA-track-1] quit
# Start the NQA operation immediately and continue performing it constantly until it is stopped.
[RouterA] nqa schedule admin test start-time now lifetime forever
Configuring Router B
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure settings for routing:
# Configure interface GigabitEthernet 1/0/2 to allow address translation for all internal packets.
<RouterB> system-view
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] nat outbound
[RouterB-GigabitEthernet1/0/2] quit
# Configure a static route to subnet 192.168.1.0/24.
[RouterB] ip route-static 192.168.1.0 255.255.255.0 gigabitethernet 1/0/1 192.168.2.1
Verify the configuration
# Display the routing table of Router A. Verify that the default route for the wired link is active.
[RouterA] display ip routing-table
Destinations : 20 Routes : 20
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 50 0 192.168.2.2 GE1/0/2
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
# Shut down interface GigabitEthernet 1/0/2, and display the routing table of Router A. Verify that the default route for the 5G network is active.
[RouterA] display ip routing-table
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 E-Ch1/0:0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
Configuration files
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 gigabitethernet 1/0/2 192.168.2.2 track 1 preference 50
ip route-static 0.0.0.0 0 eth-channel 1/0:0 preference 60
nqa entry admin test
type icmp-echo
destination ip 1.1.1.1
next-hop ip 192.168.2.2
probe count 5
probe timeout 500
frequency 5000
reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
#
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 192.168.2.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 1.1.1.1 255.255.255.0
nat outbound
#
ip route-static 192.168.1.0 255.255.255.0 gigabitethernet 1/0/1 192.168.2.1
#
Example: Configuring 5G modem dialup Internet access with IPsec
Network configuration
As shown in Figure 51, Router A has a 5G modem module, allowing users to automatically access the 5G network via DDR auto-dial. Establish an IPsec tunnel between branch gateway Router A and headquarters gateway Router B to secure the data flow between the branch network 192.168.1.0/24 and the headquarters network 192.168.2.0/24. The following information details the configuration:
· Configure traditional DDR auto-dial on Router A to access the 5G network and establish a permanent 5G online connection.
· Configure the IPsec encapsulation mode as tunnel, use ESP as the security protocol, CBC-mode DES as the encryption algorithm, and SHA1 as the authentication algorithm, and establish IPsec SAs through IKE negotiation.
Analysis
On Router A, channelize interface Cellular 1/0 into interface Eth-channel 1/0:0, and configure this Eth-channel interface to obtain the service provider-assigned IP address by using the modem manufacturer's proprietary protocol. Configure DDR auto-dial on interface Eth-channel 1/0:0 to access the 5G network and set up a permanent online connection.
The address of the dialer interface Eth-channel 1/0:0 changes dynamically. Therefore, when configuring the IPsec tunnel, use the IPsec policy template on the headquarters gateway Router B, specify the peer address as 0.0.0.0/0, and let the branch gateway Router A initiate the tunnel setup request.
To ensure that headquarters gateway Router B has private network routes to any branch gateway, enable IPsec reverse route injection (RRI) on Router B. Static routes from the headquarters to branches will be dynamically generated with the establishment of IPsec SAs.
Restrictions and guidelines
If a standard 5G SIM card is used for Internet access, configure the dynamic access point in the 5G modem profile as the 5G network access point.
If a 5G IoT card or a VPDN dedicated SIM card is used for Internet access, specify a static access point in the 5G modem profile as the 5G network access point. Additionally, configure the authentication mode for accessing the 5G network by using the username and password provided by the service provider.
Procedures
Configuring Router A
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure 5G modem dialup.
# Configure a dialup rule for dialer group 1.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem profile, and configure it to use an access point dynamically assigned by the service provider.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize interface Cellular 1/0 into an Ethernet channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel 1/0:0 to obtain an IP address via the modem manufacturer’s proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Specify a 5G modem profile for interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel 1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, the wait-carrier timer to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Specify the dial string to reach the remote site. The dial string is specific to the service provider. Typically, use *99# for China Mobile or China Unicom and #777 for China Telecom.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure a default route through interface Eth-channel 1/0:0.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
3. Configure an IPsec policy:
# Configure IPv4 advanced ACL 3001 to permit IP packets from subnet 192.168.1.0/24 to subnet 192.168.2.0/24.
[RouterA] acl advanced 3001
[RouterA-acl-ipv4-adv-3001] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3001] quit
# Create an IPsec transform set named tran1. The encapsulation mode is tunnel, authentication algorithm is SHA1, and encryption algorithm is DES in CBC mode.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create IKE proposal 1, and configure it to use the preshared key authentication method, 3DES encryption algorithm, and HMAC-SHA1 authentication algorithm.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] quit
# Create an IKE keychain named key1, and specify the preshared key used for IKE negotiation with peer 1.1.1.1 as 123456 in plain text.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create an IKE profile named ike1, reference IKE keychain key1, specify peer address 1.1.1.1 as the peer ID for IKE profile matching, and set on-demand DPD triggering interval to 5 seconds.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 1.1.1.1 255.255.255.0
[RouterA-ike-profile-ike1] dpd interval 5 on-demand
[RouterA-ike-profile-ike1] quit
# Create an IPsec policy named policy1, reference IPsec proposal set tran1, IKE profile ike1, and advanced IPv4 ACL 3001, and set the peer IPv4 address of the IPsec tunnel to 1.1.1.1.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3001
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 1.1.1.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Apply IPsec policy policy1 to interface Eth-channel 1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] quit
Configuring Router B
1. Assign IP addresses to interfaces. (Details not shown.) As the headquarters gateway, Router B is assumed to already have a default route to the next hop toward the public network.
2. Configure an IPsec policy:
# Configure IPv4 advanced ACL 3003 to permit IP packets from subnet 192.168.2.0/24 to subnet 192.168.1.0/24.
<RouterB> system-view
[RouterB] acl advanced 3003
[RouterB-acl-ipv4-adv-3003] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterB-acl-ipv4-adv-3003] quit
# Create an IPsec transform set named tran1. The authentication algorithm is SHA1 and the encryption algorithm is DES in CBC mode.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create IKE proposal 1, and configure it to use the preshared key authentication method, 3DES encryption algorithm, and HMAC-SHA1 authentication algorithm.
[RouterB] ike proposal 1
[RouterB-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterB-ike-proposal-1] authentication-algorithm sha
[RouterB-ike-proposal-1] authentication-method pre-share
[RouterB-ike-proposal-1] quit
# Create an IKE keychain named key1, and specify the preshared key used for IKE negotiation with the peer as 123456 in plain text.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create an IKE profile named ike1, reference IKE keychain key1, and specify peer address 0.0.0.0 as the peer ID for IKE profile matching.
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] quit
# Create an IPsec policy template named temp1, and reference IPsec proposal set tran1, IKE profile ike1, and advanced IPv4 ACL 3003.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] security acl 3003
# Enable IPsec RRI to dynamically generate static routes based on successfully negotiated IPsec SAs.
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create an IKE-based IPsec policy entry by using IPsec policy template temp1. Specify the IPsec policy name as policy1 and set the sequence number to 10.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Apply IPsec policy policy1 to interface GigabitEthernet 1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ipsec apply policy policy1
[RouterB-GigabitEthernet1/0/1] quit
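Two matching rules decide what this configuration actually protects: Router A's ACL 3001 (wildcard masks) selects the flows that enter the IPsec tunnel, and each router's IKE profile (match remote identity address with a subnet mask) decides which peer address it will negotiate with. The following code, an added example and not H3C code, applies both rules to constructed sample packets and peer addresses so the effect of the 0.0.0.0 0.0.0.0 match on Router B, and of the /24 mask on Router A, can be checked offline. The names ROUTER_A_ACL, ROUTER_A_PROFILES and ROUTER_B_PROFILES are this example's own.

```python
"""Which flows the IPsec policy protects, and which peer the IKE profile accepts.

Added example, not H3C code. It applies the matching rules of the example
configuration: Router A's ACL 3001 (wildcard masks) selects the traffic to protect,
and each IKE profile's 'match remote identity address' (address plus subnet mask)
selects the profile for a peer. Sample packets and peer addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class AclRule:
    """rule N permit ip source <addr> <wildcard> destination <addr> <wildcard>"""
    action: str
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str

    @staticmethod
    def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
        # In a wildcard mask a 1 bit means "don't care", so compare only the 0 bits.
        care = ~_ip(wildcard) & 0xFFFFFFFF
        return (_ip(addr) & care) == (_ip(base) & care)

    def matches(self, src: str, dst: str) -> bool:
        return (self._wildcard_match(src, self.src, self.src_wildcard)
                and self._wildcard_match(dst, self.dst, self.dst_wildcard))


def ipsec_protects(acl: List[AclRule], src: str, dst: str) -> bool:
    """First matching rule decides; traffic matching no permit rule leaves unprotected."""
    for rule in acl:
        if rule.matches(src, dst):
            return rule.action == "permit"
    return False


@dataclass
class IkeProfile:
    """ike profile <name> with 'match remote identity address <addr> <mask>'."""
    name: str
    match_addr: str
    match_mask: str

    def accepts(self, peer: str) -> bool:
        mask = _ip(self.match_mask)
        return (_ip(peer) & mask) == (_ip(self.match_addr) & mask)


def select_ike_profile(profiles: List[IkeProfile], peer: str) -> Optional[str]:
    """Name of the first profile whose remote-identity match covers the peer address."""
    for p in profiles:
        if p.accepts(peer):
            return p.name
    return None


# Router A: ACL 3001 and IKE profile ike1 from the example (example's own names).
ROUTER_A_ACL = [AclRule("permit", "192.168.1.0", "0.0.0.255",
                        "192.168.2.0", "0.0.0.255")]
ROUTER_A_PROFILES = [IkeProfile("ike1", "1.1.1.1", "255.255.255.0")]
# Router B: the policy-template side accepts any peer address (0.0.0.0 0.0.0.0),
# because the branch's 5G-assigned address is not known in advance.
ROUTER_B_PROFILES = [IkeProfile("ike1", "0.0.0.0", "0.0.0.0")]


if __name__ == "__main__":
    print(ipsec_protects(ROUTER_A_ACL, "192.168.1.10", "192.168.2.20"))  # branch -> HQ: protected
    print(ipsec_protects(ROUTER_A_ACL, "192.168.1.10", "8.8.8.8"))       # other traffic: not protected
    print(select_ike_profile(ROUTER_B_PROFILES, "2.2.2.1"))              # dynamic 5G address accepted
```

Two points follow from running it. Only branch-to-headquarters traffic matches ACL 3001, so anything else from 192.168.1.0/24 leaves Eth-channel 1/0:0 in clear text; extend the ACL if more flows need protection. And because Router B's profile and keychain match 0.0.0.0 0.0.0.0, the peer address contributes nothing to authentication there: the pre-shared key alone identifies a branch, so in a deployment with several branches a per-branch key (or certificate-based IKE authentication) matters more than it would with fixed peer addresses. The matcher is independent of the transform set; des-cbc and 3des-cbc in this example are legacy algorithms, and a production transform set would use stronger ones where both ends support them.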
Verify the configuration
When a data packet is sent from the branch network (192.168.1.0/24) to the headquarters network (192.168.2.0/24), IKE negotiation between Router A and Router B will be triggered. Once IPsec SAs are successfully negotiated, data transmission between the headquarters and branch subnets will be protected by the IPsec SAs.
# Router A and Router B can ping each other's private networks.
<RouterA> ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=7.343 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.164 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=1.080 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=1.234 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=1.391 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/2.442/7.343/2.452 ms
# View the negotiated IPsec SA on Router A.
<RouterA> display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 2.2.2.1/500
remote address/port: 1.1.1.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 4500 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 4500 protocol: ip
...
Configuration files
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
#
ip route-static 0.0.0.0 0.0.0.0 eth-channel 1/0:0
#
acl advanced 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
dpd interval 5 on-demand
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3001
remote-address 1.1.1.1
#
interface eth-channel 1/0:0
ipsec apply policy policy1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
acl advanced 3003
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3003
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
Example: Configuring 5G modem dialup Internet access with ADVPN tunnels
Network configuration
As shown in Figure 52, Router A has a 5G modem module, allowing users to automatically access the 5G network via DDR auto-dial. ADVPN tunnels are established among branch gateways (Router A and Router B) and headquarters gateway (Router C) to achieve full-mesh connectivity between branch networks as well as between branch and headquarters networks. The following information details the configuration:
· Configure traditional DDR auto-dial on Router A to access the 5G network and establish a permanent online connection.
· Router A and Router B act as spokes, while Router C acts as a hub to establish permanent ADVPN tunnels between the spokes and the hub.
· When Router A and Router B need to exchange data, they dynamically establish an ADVPN tunnel directly between them.
Device | Interface | IP address | Device | Interface | IP address |
---|---|---|---|---|---|
Router A (Spoke 1) | GE1/0/1 | 192.168.1.1/24 | Router C (Hub) | GE1/0/1 | 192.168.3.1/24 |
 | Tunnel1 | 192.168.0.1/24 | | GE1/0/2 | 1.1.1.1/24 |
Router B (Spoke 2) | GE1/0/1 | 192.168.2.1/24 | | Tunnel1 | 192.168.0.3/24 |
 | Tunnel1 | 192.168.0.2/24 | Router D (VAM server) | GE1/0/1 | 1.1.1.2/24 |
Analysis
On Router A, channelize interface Cellular 1/0 into Eth-channel interface 1/0:0, and configure this Eth-channel interface to obtain the service provider-assigned IP address by using the modem manufacturer's proprietary protocol. Configure DDR auto-dial on interface Eth-channel 1/0:0 to access the 5G network and set up a permanent online connection.
To ensure privacy of data between branches and the headquarters, as well as among branches, encrypt the data by applying IPsec profiles to the ADVPN tunnels. The address of the dialer interface Eth-channel 1/0:0 changes dynamically. Therefore, when configuring IPsec profiles for ADVPN tunnels, specify the peer address as 0.0.0.0/0.
In this example, Router D (the VAM server) does not perform AAA authentication on the identities of Router A, Router B, and Router C (VAM clients). If identity authentication is required, you can configure Router D to perform AAA authentication for VAM clients.
Restrictions and guidelines
If a standard 5G SIM card is used for Internet access, configure the dynamic access point in the 5G modem profile as the 5G network access point.
If a 5G IoT card or a VPDN dedicated SIM card is used for Internet access, specify a static access point in the 5G modem profile as the 5G network access point. Additionally, configure the authentication mode for accessing the 5G network by using the username and password provided by the service provider.
Procedures
Configuring Router A
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure 5G modem dialup:
# Configure a dialup rule for dialer group 1.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem profile, and configure it to use an access point dynamically assigned by the service provider.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize interface Cellular 1/0 into an Ethernet channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel 1/0:0 to obtain an IP address by using the modem manufacturer's proprietary protocol. The IP address is automatically assigned by the service provider.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Specify a 5G modem profile for interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel 1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, the wait-carrier timer to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Specify the dial string to reach the remote site. The dial string is specific to the service provider. Typically, use *99# for China Mobile or China Unicom and #777 for China Telecom.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel 1/0:0 to allow address translation for all internal packets.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
3. Configure the VAM client spoke:
# Create VAM client spoke1 and specify ADVPN domain abc for the VAM client.
[RouterA] vam client name spoke1
[RouterA-vam-client-Spoke1] advpn-domain abc
# Configure the preshared key of the VAM client as 123456.
[RouterA-vam-client-Spoke1] pre-shared-key simple 123456
# Configure the IP address of the VAM server and enable the VAM client function.
[RouterA-vam-client-Spoke1] server primary ip-address 1.1.1.2
[RouterA-vam-client-Spoke1] client enable
[RouterA-vam-client-Spoke1] quit
# Create an IKE keychain named key, and specify the preshared key used for IKE negotiation with the peer as 123456 in plain text.
[RouterA] ike keychain key
[RouterA-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterA-ike-keychain-key] quit
# Create an IKE profile named ike and reference IKE keychain key.
[RouterA] ike profile ike
[RouterA-ike-profile-ike] keychain key
[RouterA-ike-profile-ike] quit
# Create an IPsec transform set named tran. The encapsulation mode is transport, authentication algorithm is SHA1, and encryption algorithm is DES in CBC mode.
[RouterA] ipsec transform-set tran
[RouterA-ipsec-transform-set-tran] encapsulation-mode transport
[RouterA-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran] quit
# Create an IPsec profile named profile1, establish SAs through IKE negotiation, and reference IPsec transform set tran and IKE profile ike.
[RouterA] ipsec profile profile1 isakmp
[RouterA-ipsec-profile-isakmp-profile1] transform-set tran
[RouterA-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterA-ipsec-profile-isakmp-profile1] quit
# Configure OSPF private network routes.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure a GRE-mode IPv4 ADVPN tunnel interface named Tunnel1. Set the DR priority of Router A to 0 to exclude Router A from DR/BDR election.
[RouterA] interface tunnel1 mode advpn gre
[RouterA-Tunnel1] ip address 192.168.0.1 255.255.255.0
[RouterA-Tunnel1] vam client spoke1
[RouterA-Tunnel1] ospf network-type broadcast
[RouterA-Tunnel1] ospf dr-priority 0
[RouterA-Tunnel1] source eth-channel 1/0:0
[RouterA-Tunnel1] tunnel protection ipsec profile profile1
[RouterA-Tunnel1] quit
Configuring Router B
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure 5G modem dialup:
# Configure a dialup rule for dialer group 1.
<RouterB> system-view
[RouterB] dialer-group 1 rule ip permit
# Create a 5G modem profile, and configure it to use an access point dynamically assigned by the service provider.
[RouterB] apn-profile dynamic1
[RouterB-apn-profile-dynamic1] apn dynamic
[RouterB-apn-profile-dynamic1] quit
# Channelize interface Cellular 1/0 into an Ethernet channel interface.
[RouterB] controller cellular 1/0
[RouterB-Cellular1/0] eth-channel 0
[RouterB-Cellular1/0] quit
# Configure interface Eth-channel 1/0:0 to obtain an IP address by using the modem manufacturer's proprietary protocol. The IP address is automatically assigned by the service provider.
[RouterB] interface eth-channel 1/0:0
[RouterB-Eth-channel1/0:0] ip address cellular-alloc
# Specify a 5G modem profile for interface Eth-channel1/0:0.
[RouterB-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel 1/0:0 and associate it with dialer group 1.
[RouterB-Eth-channel1/0:0] dialer circular enable
[RouterB-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, the wait-carrier timer to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterB-Eth-channel1/0:0] dialer timer idle 0
[RouterB-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterB-Eth-channel1/0:0] dialer timer autodial 5
# Specify the dial string to reach the remote site. The dial string is specific to the service provider. Typically, use *99# for China Mobile or China Unicom and #777 for China Telecom.
[RouterB-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel 1/0:0 to allow address translation for all internal packets.
[RouterB-Eth-channel1/0:0] nat outbound
[RouterB-Eth-channel1/0:0] quit
# Configure a default route.
[RouterB] ip route-static 0.0.0.0 0 eth-channel 1/0:0
3. Configure the VAM client spoke:
# Create VAM client spoke2 and specify ADVPN domain abc for the VAM client.
[RouterB] vam client name spoke2
[RouterB-vam-client-Spoke2] advpn-domain abc
# Configure the preshared key of the VAM client as 123456.
[RouterB-vam-client-Spoke2] pre-shared-key simple 123456
# Configure the IP address of the VAM server and enable the VAM client function.
[RouterB-vam-client-Spoke2] server primary ip-address 1.1.1.2
[RouterB-vam-client-Spoke2] client enable
[RouterB-vam-client-Spoke2] quit
# Create an IKE keychain named key, and specify the preshared key used for IKE negotiation with the peer as 123456 in plain text.
[RouterB] ike keychain key
[RouterB-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key] quit
# Create an IKE profile named ike and reference IKE keychain key.
[RouterB] ike profile ike
[RouterB-ike-profile-ike] keychain key
[RouterB-ike-profile-ike] quit
# Create an IPsec transform set named tran. The encapsulation mode is transport, authentication algorithm is SHA1, and encryption algorithm is DES in CBC mode.
[RouterB] ipsec transform-set tran
[RouterB-ipsec-transform-set-tran] encapsulation-mode transport
[RouterB-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran] quit
# Create an IPsec profile named profile1, establish SAs through IKE negotiation, and reference IPsec transform set tran and IKE profile ike.
[RouterB] ipsec profile profile1 isakmp
[RouterB-ipsec-profile-isakmp-profile1] transform-set tran
[RouterB-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterB-ipsec-profile-isakmp-profile1] quit
# Configure OSPF private network routes.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure a GRE-mode IPv4 ADVPN tunnel interface named Tunnel1. Set the DR priority of Router B to 0 to exclude Router B from DR/BDR election.
[RouterB] interface tunnel1 mode advpn gre
[RouterB-Tunnel1] ip address 192.168.0.2 255.255.255.0
[RouterB-Tunnel1] vam client spoke2
[RouterB-Tunnel1] ospf network-type broadcast
[RouterB-Tunnel1] ospf dr-priority 0
[RouterB-Tunnel1] source eth-channel 1/0:0
[RouterB-Tunnel1] tunnel protection ipsec profile profile1
[RouterB-Tunnel1] quit
Configuring Router C
1. Assign IP addresses to interfaces. (Details not shown.) Router C has a default route to the next hop in the public network.
2. Configure the VAM client hub:
# Configure interface GigabitEthernet 1/0/2 to allow address translation for all internal packets.
<RouterC> system-view
[RouterC] interface gigabitethernet 1/0/2
[RouterC-GigabitEthernet1/0/2] nat outbound
[RouterC-GigabitEthernet1/0/2] quit
# Create VAM client Hub and specify ADVPN domain abc for the VAM client.
[RouterC] vam client name Hub
[RouterC-vam-client-Hub] advpn-domain abc
# Configure the preshared key of the VAM client as 123456.
[RouterC-vam-client-Hub] pre-shared-key simple 123456
# Configure the IP address of the VAM server and enable the VAM client function.
[RouterC-vam-client-Hub] server primary ip-address 1.1.1.2
[RouterC-vam-client-Hub] client enable
[RouterC-vam-client-Hub] quit
# Create an IKE keychain named key, and specify the preshared key used for IKE negotiation with the peer as 123456 in plain text.
[RouterC] ike keychain key
[RouterC-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterC-ike-keychain-key] quit
# Create an IKE profile named ike and reference IKE keychain key.
[RouterC] ike profile ike
[RouterC-ike-profile-ike] keychain key
[RouterC-ike-profile-ike] quit
# Create an IPsec transform set named tran. The encapsulation mode is transport, authentication algorithm is SHA1, and encryption algorithm is DES in CBC mode.
[RouterC] ipsec transform-set tran
[RouterC-ipsec-transform-set-tran] encapsulation-mode transport
[RouterC-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterC-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterC-ipsec-transform-set-tran] quit
# Create an IPsec profile named profile1, establish SAs through IKE negotiation, and reference IPsec transform set tran and IKE profile ike.
[RouterC] ipsec profile profile1 isakmp
[RouterC-ipsec-profile-isakmp-profile1] transform-set tran
[RouterC-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterC-ipsec-profile-isakmp-profile1] quit
# Configure OSPF private network routes.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure a GRE-mode IPv4 ADVPN tunnel interface named Tunnel1.
[RouterC] interface tunnel1 mode advpn gre
[RouterC-Tunnel1] ip address 192.168.0.3 255.255.255.0
[RouterC-Tunnel1] vam client Hub
[RouterC-Tunnel1] ospf network-type broadcast
[RouterC-Tunnel1] source gigabitethernet 1/0/2
[RouterC-Tunnel1] tunnel protection ipsec profile profile1
[RouterC-Tunnel1] quit
Configuring Router D
1. Assign IP addresses to interfaces. (Details not shown.) Router D has a default route to the next hop in the public network.
2. Configure the VAM server:
# Create ADVPN domain abc.
<RouterD> system-view
[RouterD] vam server advpn-domain abc id 1
# Create hub group 0.
[RouterD-vam-server-domain-abc] hub-group 0
# Add a hub to the hub group. Specify the IPv4 private network address of the hub as 192.168.0.3 and the public address of the hub as 1.1.1.1.
[RouterD-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3 public-address 1.1.1.1
# Specify the IPv4 private network address range for spokes in the hub group.
[RouterD-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[RouterD-vam-server-domain-abc-hub-group-0] quit
# Configure the preshared key of the VAM server as 123456, and the authentication method for VAM clients as none (no authentication).
[RouterD-vam-server-domain-abc] pre-shared-key simple 123456
[RouterD-vam-server-domain-abc] authentication-method none
# Enable the VAM server for the ADVPN domain.
[RouterD-vam-server-domain-abc] server enable
[RouterD-vam-server-domain-abc] quit
Verify the configuration
After the previous configuration is completed, Router A, Router B, and Router C will establish ADVPN tunnels, enabling the interconnection of their private networks.
# Display IPv4 address mapping information for all VAM clients registered with the VAM server.
[RouterD] display vam server address-map
Total private address mappings: 3
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.2 Spoke Yes 0H 4M 35S
0 192.168.0.2 1.1.1.3 Spoke Yes 0H 4M 17S
0 192.168.0.3 1.1.1.1 Hub No 0H 2M 42S
The output shows that Hub, Spoke 1, and Spoke 2 have all registered their address mapping information with the VAM server. The public addresses listed for the spokes are the service provider-assigned addresses of their Eth-channel interfaces; the values in this sample output are illustrative and will differ in your deployment.
On Spoke 1, use the ping command to verify connectivity to the private network address 192.168.2.1 of Spoke 2.
<RouterA> ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=60.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=7.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/2.442/7.343/2.452 ms
# Display IPv4 ADVPN tunnel information on Spoke 1.
[RouterA] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.2 1.1.1.3 -- S-S Establishing 0H 0M 22S
192.168.0.3 1.1.1.1 -- S-H Success 0H 1M 25S
# Display IPv4 ADVPN tunnel information on the hub.
[RouterC] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.2 -- H-S Success 0H 2M 40S
192.168.0.2 1.1.1.3 -- H-S Success 0H 1M 53S
Configuration files
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
vam client name spoke1
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
vam client spoke1
ospf network-type broadcast
ospf dr-priority 0
source eth-channel 1/0:0
tunnel protection ipsec profile profile1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 192.168.2.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
vam client name spoke2
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.2.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
vam client spoke2
ospf network-type broadcast
ospf dr-priority 0
source eth-channel 1/0:0
tunnel protection ipsec profile profile1
#
· Router C:
#
interface gigabitethernet 1/0/1
ip address 192.168.3.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 1.1.1.1 255.255.255.0
nat outbound
#
vam client name Hub
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.0.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
vam client Hub
ospf network-type broadcast
source gigabitethernet 1/0/2
tunnel protection ipsec profile profile1
#
· Router D:
#
interface gigabitethernet 1/0/1
ip address 1.1.1.2 255.255.255.0
#
vam server advpn-domain abc id 1
hub-group 0
hub private-address 192.168.0.3 public-address 1.1.1.1
spoke private-address network 192.168.0.0 255.255.255.0
#
pre-shared-key cipher $c$3$qb30FA4sK0lRsl3UgtHXhVZwwJtz4YdPrg==
authentication-method none
server enable
#
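The configurations above share a pattern that a reviewer should check mechanically rather than by eye: every tunnel protection ipsec profile command must name an IPsec profile that is actually defined, the transform set should not rely on legacy algorithms such as DES, and a wildcard IKE peer address combined with a short preshared key and a VAM server running authentication-method none leaves that key as the only barrier to joining the ADVPN domain. The following Python script is an added example, not an H3C tool. It parses saved-configuration text in the indented layout that Comware prints (the listings in this document have lost their indentation in extraction) and reports those conditions over constructed excerpts modelled on the spoke and VAM server configurations in this example; the constant names, severities and the 16-character key threshold are choices made for the example.

```python
"""Audit H3C Comware (MSR) configuration text for the ADVPN/IPsec weaknesses a
reviewer looks for. Added example, not an H3C tool; it assumes the saved-config
layout Comware prints: top-level commands at column 0, sub-commands indented."""
import re

# (sub-command pattern, class of top-level object it must name)
REFS = [
    (re.compile(r"^tunnel protection ipsec profile (\S+)"), "ipsec profile"),
    (re.compile(r"^transform-set (.+)$"), "ipsec transform-set"),
    (re.compile(r"^ike-profile (\S+)"), "ike profile"),
    (re.compile(r"^keychain (\S+)"), "ike keychain"),
]
LEGACY_ALGS = {"des-cbc": "DES", "3des-cbc": "3DES", "md5": "MD5"}
PSK_MIN_LEN = 16  # policy threshold chosen for this example, not a Comware limit

def parse_blocks(config):
    """Return [(header, [sub-commands])]: a column-0 line opens a block,
    indented lines belong to it, '#' or a blank line closes it."""
    blocks, cur = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            cur = None
        elif raw[0].isspace() and cur is not None:
            cur[1].append(raw.strip())
        else:
            cur = (raw.strip(), [])
            blocks.append(cur)
    return blocks

def defined_objects(blocks):
    """Names of every ipsec profile, transform set, IKE profile and keychain."""
    names = {kind: set() for _, kind in REFS}
    for header, _ in blocks:
        for _, kind in REFS:
            if header.startswith(kind + " "):
                names[kind].add(header[len(kind) + 1:].split()[0])
    return names

def audit(config):
    """Return (severity, block header, message) findings in config order."""
    blocks = parse_blocks(config)
    names = defined_objects(blocks)
    out = []
    for ctx, lines in blocks:
        if ctx.startswith("interface tunnel") and "mode advpn" in ctx and \
                not any(l.startswith("tunnel protection") for l in lines):
            out.append(("HIGH", ctx, "ADVPN tunnel carries no IPsec protection"))
        if ctx.startswith("vam server") and "authentication-method none" in lines:
            out.append(("MEDIUM", ctx, "VAM clients are not authenticated (AAA disabled)"))
        for line in lines:
            for rx, kind in REFS:  # every referenced object must be defined
                m = rx.match(line)
                for name in (m.group(1).split() if m else []):
                    if name not in names[kind]:
                        out.append(("HIGH", ctx, f"references undefined {kind} '{name}'"))
            m = re.match(r"^(?:esp|ah) (?:encryption|authentication)-algorithm (.+)$", line)
            for alg in (m.group(1).split() if m else []):
                if alg in LEGACY_ALGS:
                    out.append(("MEDIUM", ctx, f"legacy algorithm {LEGACY_ALGS[alg]} ({alg})"))
            m = re.match(r"^pre-shared-key address (?:ipv6 )?\S+ (\S+)", line)
            if m and m.group(1) in ("0", "0.0.0.0"):
                out.append(("INFO", ctx, "preshared key matches any peer address"))
            m = re.search(r"\bsimple (\S+)$", line)  # key typed in plain text
            if m and line.startswith("pre-shared-key") and \
                    (len(m.group(1)) < PSK_MIN_LEN or m.group(1).isdigit()):
                out.append(("HIGH", ctx, f"weak preshared key ({len(m.group(1))} chars)"))
    return out

# Constructed excerpts modelled on the spoke and VAM server configurations in this
# document (not captured from a device). The tunnel names a profile never defined.
SPOKE_CONFIG = """\
ike keychain key
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
ike profile ike
 keychain key
#
ipsec transform-set tran
 esp encryption-algorithm des-cbc
#
ipsec profile profile1 isakmp
 transform-set tran
 ike-profile ike
#
interface tunnel1 mode advpn gre
 tunnel protection ipsec profile ipsec
"""
SERVER_CONFIG = """\
vam server advpn-domain abc id 1
 pre-shared-key simple 123456
 authentication-method none
 server enable
"""
# The same spoke with the fixes applied. Only the wildcard peer address remains,
# which a spoke with a service provider-assigned cellular address cannot avoid.
HARDENED_CONFIG = (SPOKE_CONFIG.replace("des-cbc", "aes-cbc-256")
                   .replace("ipsec profile ipsec", "ipsec profile profile1")
                   .replace("simple 123456", "cipher $c$3$placeholderCipherText=="))

if __name__ == "__main__":
    for name, cfg in ("spoke", SPOKE_CONFIG), ("server", SERVER_CONFIG), ("hardened", HARDENED_CONFIG):
        print(name, *audit(cfg), sep="\n  ")
```

Run it against a capture of display current-configuration from each router. The hardened variant still reports the wildcard peer address: for a cellular spoke whose address is assigned by the service provider this is inherent, so the mitigation is key strength and AAA on the VAM server, not a tighter address match.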
5G modem dialup+VPDN tunnel configuration example
Network configuration
As shown in Figure 53, Router A is installed with a 5G modem module, allowing users to automatically dial in to the service provider's VPDN through DDR. Establish an IPsec tunnel between the branch gateway Router A and the headquarters gateway Router B, and establish an L2TP tunnel between the service provider's LAC and Router B. The specific requirements are as follows:
· Configure traditional DDR on Router A to dial in to the 5G network with both IPv4 and IPv6 (dual stack), and keep the 5G connection permanently up.
· Use the NAS-initiated mode to establish an L2TP tunnel between the LAC and Router B, allowing traffic between the branch and the headquarters gateways to go through the service provider's dedicated line, isolating it from the public network.
· Configure an IKE-based IPsec tunnel between Router A and Router B to encrypt traffic between the branch and headquarters gateways.
Figure 53 5G modem dialup+VPDN tunnel
Analysis
Channelize Cellular 1/0 on Router A into Eth-channel 1/0:0, and configure Eth-channel 1/0:0 to use the modem-manufacturer's proprietary protocol to obtain IP addresses assigned by the service provider. Configure DDR auto-dial to the service provider's VPDN on Eth-channel 1/0:0, and set up a permanent connection.
Use the NAS-initiated mode to establish an L2TP tunnel between the LAC and Router B. Use local authentication for both the LAC and the LNS (headquarters gateway).
Restrictions and guidelines
To ensure that the branch gateway can dial in to the service provider's VPDN, use a dedicated VPDN SIM card for DDR dialup. Use the VPDN APN, authentication method, username, and password provided by the service provider to configure a 5G modem profile and dialup authentication.
Procedures
Configuring Router A
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure 5G modem dialup:
# Configure a dialup rule for dialer group 1.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
[RouterA] dialer-group 1 rule ipv6 permit
# Create a 5G modem profile named vpdn1. Specify APN vpdn, and specify the PDP data carrying protocol as IPv4 and IPv6. Specify the CHAP or PAP authentication mode, and specify the username as user1 and the password as password1. You must use the APN, authentication mode, username, and password provided by the service provider.
[RouterA] apn-profile vpdn1
[RouterA-apn-profile-vpdn1] pdp-type ipv4v6
[RouterA-apn-profile-vpdn1] apn static vpdn
[RouterA-apn-profile-vpdn1] authentication-mode pap-chap user1 password simple password1
[RouterA-apn-profile-vpdn1] quit
# Channelize Cellular 1/0 into an Eth-channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Enable Eth-channel 1/0:0 to obtain an IPv4 address and an IPv6 address by using the modem-manufacturer's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
[RouterA-Eth-channel1/0:0] ipv6 address cellular-alloc
# Specify primary 5G modem profile vpdn1 for Eth-channel 1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply vpdn1
# Enable traditional DDR on Eth-channel 1/0:0, and associate Eth-channel 1/0:0 with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, set the wait-carrier timer to 30 seconds, and set the interval for DDR to make the next call attempt to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string for placing calls as *99# (for China Mobile or China Unicom). For China Telecommunications, set the value to #777.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure default routes.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
[RouterA] ipv6 route-static 0::0 0 eth-channel 1/0:0
3. Configure an IPsec tunnel:
# Create IPv4 advanced ACL 3000, and configure a rule to allow the packets from the 192.168.1.0/24 network to the 192.168.2.0/24 network.
[RouterA] acl advanced 3000
[RouterA-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3000] quit
# Create IPv6 advanced ACL 3500, and configure a rule to allow the packets from the 2001::/64 network to the 2002::/64 network.
[RouterA] acl ipv6 advanced 3500
[RouterA-acl-ipv6-adv-3500] rule 0 permit ipv6 source 2001::0 64 destination 2002::0 64
[RouterA-acl-ipv6-adv-3500] quit
# Create an IPsec transform set named tran1. Specify ESP as the security protocol, tunnel as the encapsulation mode, and SHA1 and DES in CBC mode as the authentication and encryption algorithms, respectively.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1. Specify 123456 in plain text as the preshared key to be used with the remote peer at 192.168.0.1 and 2003::1.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 192.168.0.1 24 key simple 123456
[RouterA-ike-keychain-key1] pre-shared-key address ipv6 2003::1 64 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create an IKE profile named ike1. Specify IKE keychain key1, configure a peer ID with the identity type of IPv4 address and the value of 192.168.0.1, and configure a peer ID with the identity type of IPv6 address and the value of 2003::1.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 192.168.0.1 24
[RouterA-ike-profile-ike1] match remote identity address ipv6 2003::1 64
[RouterA-ike-profile-ike1] quit
# Create an IKE-based IPv4 IPsec policy entry named policy1. Specify IPsec transform set tran1, specify IKE profile ike1, specify IPv4 advanced ACL 3000, and specify the remote IPv4 address of the IPsec tunnel as 192.168.0.1.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 192.168.0.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Create an IKE-based IPv6 IPsec policy entry named policy2. Specify IPsec transform set tran1, specify IKE profile ike1, specify IPv6 advanced ACL 3500, and specify the remote IPv6 address of the IPsec tunnel as 2003::1.
[RouterA] ipsec ipv6-policy policy2 20 isakmp
[RouterA-ipsec-policy-isakmp-policy2-20] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy2-20] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy2-20] security acl ipv6 3500
[RouterA-ipsec-policy-isakmp-policy2-20] remote-address ipv6 2003::1
[RouterA-ipsec-policy-isakmp-policy2-20] quit
# Apply IPv4 IPsec policy policy1 and IPv6 IPsec policy policy2 to Eth-channel 1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] ipsec apply ipv6-policy policy2
[RouterA-Eth-channel1/0:0] quit
Configuring the LAC
NOTE: The LAC is managed and configured by the service provider.
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure the LAC for the L2TP tunnel:
# Create a local VPDN user named user1, set the password to password1 in plaintext form, and assign the PPP service to the local user.
<LAC> system-view
[LAC] local-user user1 class network
[LAC-luser-network-user1] password simple password1
[LAC-luser-network-user1] service-type ppp
[LAC-luser-network-user1] quit
# Configure ISP domain system to perform local AAA for VPDN users.
[LAC] domain system
[LAC-isp-system] authentication ppp local
[LAC-isp-system] quit
# Enable L2TP.
[LAC] l2tp enable
# Create L2TP group 1 in LAC mode, configure the local tunnel name as LAC, and specify PPP user user1 as the condition for the LAC to initiate tunneling requests. Specify the LNS IP address as 10.1.1.2.
[LAC] l2tp-group 1 mode lac
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] user fullusername user1
[LAC-l2tp1] lns-ip 10.1.1.2
# Enable tunnel authentication, and set the tunnel authentication key to aabbcc.
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password simple aabbcc
[LAC-l2tp1] quit
Configuring Router B
1. Assign IP addresses to interfaces. (Details not shown.) As the gateway in the headquarters, Router B has a default route to the next hop in the public network.
2. Configure the LNS for the L2TP tunnel:
# Create a local VPDN user named user1, set the password to password1 in plaintext form, and assign the PPP service to the local user.
<RouterB> system-view
[RouterB] local-user user1 class network
[RouterB-luser-network-user1] password simple password1
[RouterB-luser-network-user1] service-type ppp
[RouterB-luser-network-user1] quit
# Configure ISP domain system to perform local AAA for VPDN users.
[RouterB] domain system
[RouterB-isp-system] authentication ppp local
# In ISP domain system, authorize an IPv6 prefix for users.
[RouterB-isp-system] authorization-attribute ipv6-prefix 2003:: 64
[RouterB-isp-system] quit
# Enable L2TP, and create L2TP group 1 in LNS mode.
[RouterB] l2tp enable
[RouterB] l2tp-group 1 mode lns
# Configure the local tunnel name as LNS on the LNS, and specify VT interface 1 for receiving calls from the peer (LAC) named LAC.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1] allow l2tp virtual-template 1 remote LAC
# Enable tunnel authentication, and set the tunnel authentication key to aabbcc.
[RouterB-l2tp1] tunnel authentication
[RouterB-l2tp1] tunnel password simple aabbcc
[RouterB-l2tp1] quit
# Create PPP address pool aaa with IPv4 addresses 192.168.0.10 through 192.168.0.20 and gateway 192.168.0.1.
[RouterB] ip pool aaa 192.168.0.10 192.168.0.20
[RouterB] ip pool aaa gateway 192.168.0.1
# Create Virtual-Template 1, assign IPv4 address 192.168.0.1/24 and IPv6 address 2003::1/64 to it, and enable RA message advertisement (disable RA suppression).
# Configure Virtual-Template 1 to use CHAP or PAP for authentication in ISP domain system and to use PPP address pool aaa for IP address assignment.
[RouterB] interface virtual-template 1
[RouterB-virtual-template1] ip address 192.168.0.1 255.255.255.0
[RouterB-virtual-template1] ipv6 address 2003::1 64
[RouterB-virtual-template1] undo ipv6 nd ra halt
[RouterB-virtual-template1] ppp authentication-mode chap pap domain system
[RouterB-virtual-template1] remote address pool aaa
[RouterB-virtual-template1] quit
3. Configure an IPsec tunnel:
# Create an IPsec transform set tran1. Specify security protocol ESP, and specify SHA1 and DES in CBC mode as the authentication and encryption algorithms, respectively.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1. Specify 123456 in plain text as the preshared key to be used with any IPv4 or IPv6 peer. The branch address is assigned dynamically by the service provider, so the key cannot be bound to a specific address; because any peer that knows this key can negotiate with the LNS, use a long random key in production.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] pre-shared-key address ipv6 0::0 0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create an IKE profile named ike1. Specify IKE keychain key1, configure a peer ID with the identity type of IPv4 address and the value of 0.0.0.0, and configure a peer ID with the identity type of IPv6 address and the value of 0::0.
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] match remote identity address ipv6 0::0 0
[RouterB-ike-profile-ike1] quit
# Create an IPv4 IPsec policy template named temp1. Specify IPsec transform set tran1 and IKE profile ike1 for the IPsec policy template. Enable IPsec RRI.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create an IPv6 IPsec policy template named temp2. Specify IPsec transform set tran1 and IKE profile ike1 for the IPsec policy template. Enable IPsec RRI.
[RouterB] ipsec ipv6-policy-template temp2 2
[RouterB-ipsec-ipv6-policy-template-temp2-2] transform-set tran1
[RouterB-ipsec-ipv6-policy-template-temp2-2] ike-profile ike1
[RouterB-ipsec-ipv6-policy-template-temp2-2] reverse-route dynamic
[RouterB-ipsec-ipv6-policy-template-temp2-2] quit
# Create an IKE-based IPv4 IPsec policy entry by using IPsec policy template temp1, with the policy name as policy1 and the sequence number as 10.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Create an IKE-based IPv6 IPsec policy entry by using IPsec policy template temp2, with the policy name as policy2 and the sequence number as 20.
[RouterB] ipsec ipv6-policy policy2 20 isakmp template temp2
# Apply IPv4 IPsec policy policy1 and IPv6 IPsec policy policy2 to Virtual-Template 1.
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ipsec apply policy policy1
[RouterB-Virtual-Template1] ipsec apply ipv6-policy policy2
[RouterB-Virtual-Template1] quit
Verify the configuration
When Router A successfully dials in via DDR, it will trigger the establishment of an L2TP tunnel and L2TP session with the LAC. Then, Router A and Router B can communicate with each other. When there is traffic between Router A and Router B, an IPsec tunnel will be established to encrypt the private network traffic between Router A and Router B.
# On Router B, use the following command to view the established L2TP tunnel and L2TP session:
[RouterB] display l2tp tunnel
LocalTID RemoteTID State Sessions RemoteAddress RemotePort RemoteName
18986 558 Established 1 10.1.1.1 1701 LAC
[RouterB] display l2tp session
LocalSID RemoteSID LocalTID State
50693 61202 18986 Established
# On Router A, use the following command to view the IPsec SA negotiated.
[RouterA] display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 192.168.0.10/500
remote address/port: 192.168.0.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: policy2
Sequence number: 20
Alias: policy2-20
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1424
Tunnel:
local address/port: 2003::F85B:7EE1:1410:74C9/500
remote address/port: 2003::1/500
Flow:
sour addr: 2001::/64 port: 0 protocol: ipv6
dest addr: 2002::/64 port: 0 protocol: ipv6
[Inbound ESP SAs]
SPI: 3314600301 (0xc590c96d)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843196/3462
Max received sequence-number: 29
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3370073640 (0xc8df3e28)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843196/3462
Max sent sequence-number: 29
UDP encapsulation used for NAT traversal: N
Status: Active
Configuration files
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
ipv6 address 2001::1 64
#
dialer-group 1 rule ip permit
dialer-group 1 rule ipv6 permit
#
apn-profile vpdn1
pdp-type ipv4v6
apn static vpdn
authentication-mode pap-chap user1 password simple password1
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
ipv6 address cellular-alloc
apn-profile apply vpdn1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
ipsec apply policy policy1
ipsec apply ipv6-policy policy2
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
ipv6 route-static :: 0 eth-channel 1/0:0
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
acl ipv6 advanced 3500
rule 0 permit ipv6 source 2001::/64 destination 2002::/64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 192.168.0.1 255.255.255.0 key cipher $c$3$0kzuqazKcTGikVRekZ1E8R7jTOC2ZrJR2A==
pre-shared-key address ipv6 2003::1 64 key cipher $c$3$+93VGZhgfe4yG5D0d9VsLxWS6dlGVw2/Fw==
#
ike profile ike1
keychain key1
match remote identity address 192.168.0.1 255.255.255.0
match remote identity address ipv6 2003::1 64
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3000
remote-address 192.168.0.1
#
ipsec ipv6-policy policy2 20 isakmp
transform-set tran1
security acl ipv6 3500
remote-address ipv6 2003::1
ike-profile ike1
#
· LAC:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
local-user user1 class network
password simple password1
service-type ppp
#
domain system
authentication ppp local
#
l2tp enable
l2tp-group 1 mode lac
tunnel name LAC
user fullusername user1
lns-ip 10.1.1.2
tunnel authentication
tunnel password simple aabbcc
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.1.2 255.255.255.0
ipv6 address 2002::1 64
#
interface virtual-template 1
ip address 192.168.0.1 255.255.255.0
ipv6 address 2003::1 64
undo ipv6 nd ra halt
ppp authentication-mode chap pap domain system
remote address pool aaa
ipsec apply policy policy1
ipsec apply ipv6-policy policy2
#
local-user user1 class network
password simple password1
service-type ppp
#
domain system
authentication ppp local
authorization-attribute ipv6-prefix 2003:: 64
#
l2tp enable
l2tp-group 1 mode lns
tunnel name LNS
allow l2tp virtual-template 1 remote LAC
tunnel authentication
tunnel password simple aabbcc
#
ip pool aaa 192.168.0.10 192.168.0.20
ip pool aaa gateway 192.168.0.1
#
acl advanced 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl ipv6 advanced 3500
rule 0 permit ipv6 source 2002::/64 destination 2001::/64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$vZXXcxKbhB/YCMg4oFr5IVJyrxwQTcB4Mg==
pre-shared-key address ipv6 0::0 0 key cipher $c$3$ua9potCkbZArSufmcQhY+LgLA+38vxmiXw==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
match remote identity address ipv6 :: 0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3000
reverse-route dynamic
#
ipsec ipv6-policy-template temp2 2
transform-set tran1
security acl ipv6 3500
ike-profile ike1
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
ipsec ipv6-policy policy2 20 isakmp template temp2
#
5G modem dialup+VPDN tunnel (IMSI/SN binding+local authentication) configuration example
Network configuration
As shown in Figure 54, Router A is installed with a 5G modem module, allowing users to automatically dial in to the service provider's VPDN through DDR. Establish an IPsec tunnel between the branch gateway Router A and the headquarters gateway Router B, and establish an L2TP tunnel between the service provider's LAC and Router B. The specific requirements are as follows:
· Configure traditional DDR on Router A to dial in to the 5G network via the IPv4 protocol stack, and establish permanent 5G connections.
· Use the NAS-initiated mode to establish an L2TP tunnel between the LAC and Router B, allowing traffic between the branch gateway and the headquarters gateway to go through the service provider's dedicated line, isolating it from the public network.
· Configure an IPsec tunnel between Router A and Router B to encrypt traffic.
Figure 54 5G modem dialup+VPDN tunnel
Analysis
Channelize Cellular1/0 on Router A into Eth-channel 1/0:0, and configure Eth-channel 1/0:0 to use the modem-manufacturer's proprietary protocol to obtain IP addresses assigned by the service provider. Configure DDR auto-dial to the service provider's VPDN on Eth-channel 1/0:0, and set up a permanent connection.
Use the NAS-initiated mode to establish an L2TP tunnel between the LAC and Router B. The core network and LAC are managed by the service provider (consult the service provider for specific configuration parameters). Router B (the LNS) uses local authentication.
Restrictions and guidelines
To ensure that the branch gateway can dial in to the service provider's VPDN, use a dedicated VPDN SIM card for DDR dialing. Use the VPDN APN, authentication method, username, and password provided by the service provider to configure a 5G modem profile and dialup authentication.
Procedures
Configuring Router A
Table 61 Assign IP addresses to interfaces.
(Details not shown.)
Table 62 Configure 5G modem dialup:
# Configure a dialup rule for dialer group 1.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem profile named vpdn1. Specify APN vpdn, and specify the PDP data carrying protocol as IPv4. Specify the CHAP or PAP authentication mode, and specify the username as user1@dm1 (account user1 in ISP domain dm1) and the password as password1. You must use the APN, authentication mode, username, and password provided by the service provider.
[RouterA] apn-profile vpdn1
[RouterA-apn-profile-vpdn1] pdp-type ipv4
[RouterA-apn-profile-vpdn1] apn static vpdn
[RouterA-apn-profile-vpdn1] authentication-mode pap-chap user user1@dm1 password simple password1
# Configure the pound sign (#) as the delimiter for the IMSI/SN binding authentication information. The authentication information will be sent in the imsiinfo#sninfo#username format.
[RouterA-apn-profile-vpdn1] attach-format imsi-sn split #
[RouterA-apn-profile-vpdn1] quit
# Channelize the cellular interface into an Eth-channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Enable Eth-channel 1/0:0 to obtain an IPv4 address by using the modem-manufacturer's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Specify primary 5G modem profile vpdn1 for Eth-channel 1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply vpdn1
# Enable traditional DDR on Eth-channel 1/0:0, and associate Eth-channel 1/0:0 with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, set the wait-carrier timer to 5 seconds, and set the interval for DDR to make the next call attempt to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 5
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string for placing calls as *99# (for China Mobile or China Unicom). For China Telecommunications, set the value to #777.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure default routes.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
Table 63 Configure an IPsec tunnel:
# Create IPv4 advanced ACL 3000, and configure a rule to allow packets from the 192.168.1.0/24 network to the 192.168.2.0/24 network.
[RouterA] acl advanced 3000
[RouterA-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3000] quit
# Create an IPsec transform set named tran1. Specify SHA1 and DES in CBC mode as the authentication and encryption algorithms, respectively.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1. Specify 123456 in plain text as the preshared key to be used with the remote peer at 192.168.0.1.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 192.168.0.1 24 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create an IKE profile named ike1. Specify IKE keychain key1, and configure a peer ID with the identity type of IPv4 address and the value of 192.168.0.1.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 192.168.0.1 24
[RouterA-ike-profile-ike1] quit
# Create an IKE-based IPv4 IPsec policy entry named policy1. Specify IPsec transform set tran1, specify IKE profile ike1, specify IPv4 advanced ACL 3000, and specify the remote IPv4 address of the IPsec tunnel as 192.168.0.1.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 192.168.0.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Apply IPv4 IPsec policy policy1 to Eth-channel 1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] quit
Configuring Router B
Table 64 Assign IP addresses to interfaces. (Details not shown.) As the gateway in the headquarters, Router B has a default route to the next hop in the public network.
Table 65 Configure the LNS for the L2TP tunnel:
# Create a local VPDN user named user1, set the password to password1 in plaintext form, and assign the PPP service to the local user.
<RouterB> system-view
[RouterB] local-user 460070000000034#210231UNIS020400005#user1 class network
NOTE: The format of the username is IMSI#SN#account. For the SN part:
· Use the device SN if the router has a built-in 5G modem.
· Use the SN of the SIC card if the router is inserted with a SIC card.
[RouterB-luser-network-user1] password simple password1
[RouterB-luser-network-user1] service-type ppp
[RouterB-luser-network-user1] quit
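To make the IMSI#SN#account binding concrete, the following is an added Python model (not H3C code) of the check an LNS performs on a bound PPP username: split the string with the configured delimiter, look the IMSI/SN/account triple up in a local user table, then verify the PAP password or the CHAP response. The IMSI, SN, account and password are the sample values from this configuration example; the table layout, the domain handling and the helper names are assumptions.

```python
"""Model of the IMSI/SN-bound PPP username check on the LNS.

Added illustration, not H3C code: Router A sends the PPP username as
imsi<delim>sn<delim>account (attach-format imsi-sn split #), and the LNS
matches the whole string against a local user entry, so the account is
accepted only from one SIM (IMSI) on one device (SN). Sample IMSI, SN,
account and password come from the configuration example; the table
layout and CHAP helper are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class BoundIdentity:
    imsi: str
    sn: str
    account: str
    domain: Optional[str]  # text after '@', e.g. dm1; None if absent


def parse_bound_username(username: str, delimiter: str = "#") -> BoundIdentity:
    """Split 'IMSI<d>SN<d>account[@domain]'; reject anything else."""
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    parts = username.split(delimiter)
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields split by {delimiter!r}, got {len(parts)}")
    imsi, sn, account_full = parts
    if not (imsi.isdigit() and 1 <= len(imsi) <= 15):  # an IMSI is at most 15 digits
        raise ValueError("IMSI must be 1-15 decimal digits")
    if not sn:
        raise ValueError("empty SN field")
    account, sep, domain = account_full.partition("@")
    if not account:
        raise ValueError("empty account field")
    return BoundIdentity(imsi, sn, account, domain if sep else None)


# Constructed local user table, keyed the way Router B names the local user
# (local-user IMSI#SN#account class network). The LNS must hold the plaintext
# secret to verify CHAP, which is why the router stores it reversibly.
LOCAL_USERS = {
    "460070000000034#210231UNIS020400005#user1": "password1",
}


def lookup_secret(username: str, delimiter: str = "#") -> Tuple[Optional[str], str]:
    """Return (secret, reason); secret is None when the user is not accepted."""
    try:
        ident = parse_bound_username(username, delimiter)
    except ValueError as exc:
        return None, f"malformed username: {exc}"
    # The @domain suffix selects the ISP domain; it is not part of the local-user name.
    key = delimiter.join((ident.imsi, ident.sn, ident.account))
    secret = LOCAL_USERS.get(key)
    if secret is None:
        return None, "no local user bound to this IMSI/SN/account"
    return secret, f"bound user {ident.account} (domain {ident.domain or 'default'})"


def authenticate_pap(username: str, password: str, delimiter: str = "#") -> Tuple[bool, str]:
    """PAP: the peer sends the password in clear; compare it in constant time."""
    secret, reason = lookup_secret(username, delimiter)
    if secret is None:
        return False, reason
    if not hmac.compare_digest(secret.encode(), password.encode()):
        return False, "bad password"
    return True, reason


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def authenticate_chap(username: str, identifier: int, challenge: bytes,
                      response: bytes, delimiter: str = "#") -> Tuple[bool, str]:
    """CHAP: recompute the expected response from the stored secret and compare."""
    secret, reason = lookup_secret(username, delimiter)
    if secret is None:
        return False, reason
    if not hmac.compare_digest(chap_response(identifier, secret, challenge), response):
        return False, "bad CHAP response"
    return True, reason


if __name__ == "__main__":
    good = "460070000000034#210231UNIS020400005#user1@dm1"
    moved_sim = "460070000000034#OTHERDEVICE0000001#user1@dm1"  # same SIM, other device
    print(authenticate_pap(good, "password1"))         # accepted
    print(authenticate_pap(moved_sim, "password1"))    # rejected despite correct password
    print(authenticate_pap("user1@dm1", "password1"))  # rejected: binding fields missing
    challenge = b"\x01\x02\x03\x04"  # constructed CHAP challenge
    print(authenticate_chap(good, 7, challenge, chap_response(7, "password1", challenge)))
```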
# Configure ISP domain dm1 to perform local authentication for VPDN users.
[RouterB] domain name dm1
[RouterB-isp-dm1] authentication ppp local
[RouterB-isp-dm1] authorization ppp local
[RouterB-isp-dm1] accounting ppp local
[RouterB-isp-dm1] quit
# Enable L2TP, and create L2TP group 1 in LNS mode.
[RouterB] l2tp enable
[RouterB] l2tp-group 1 mode lns
# Configure the local tunnel name as LNS on the LNS, and specify VT interface 1 for receiving calls from the peer (LAC) named LAC.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1] allow l2tp virtual-template 1 remote LAC
# Enable tunnel authentication, and set the tunnel authentication key to aabbcc.
[RouterB-l2tp1] tunnel authentication
[RouterB-l2tp1] tunnel password simple aabbcc
[RouterB-l2tp1] quit
# Create an IPv4 PPP address pool.
[RouterB] ip pool aaa 192.168.0.10 192.168.0.20
[RouterB] ip pool aaa gateway 192.168.0.1
# Create Virtual-Template 1, and assign IPv4 address 192.168.0.1/24 to the interface.
# Configure Virtual-Template 1 to use CHAP and PAP for authentication and use PPP address pool aaa for IP address assignment. Enable PPP accounting.
[RouterB] interface virtual-template 1
[RouterB-virtual-template1] ip address 192.168.0.1 255.255.255.0
[RouterB-virtual-template1] ppp authentication-mode pap chap
[RouterB-virtual-template1] ppp account-statistics enable
[RouterB-virtual-template1] remote address pool aaa
[RouterB-virtual-template1] quit
# Configure a static default route.
[RouterB] ip route-static 0.0.0.0 0 10.1.1.1
Table 66 Configure an IPsec tunnel:
# Create an IPsec transform set tran1. Specify security protocol ESP, and specify SHA1 and DES in CBC mode as the authentication and encryption algorithms, respectively.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1. Specify 123456 in plain text as the preshared key to be used with the remote peer.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create an IKE profile named ike1. Specify IKE keychain key1, and configure a peer ID with the identity type of IPv4 address and the value of 0.0.0.0.
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] quit
# Create an IPsec policy template named temp1. Specify IPsec transform set tran1 and IKE profile ike1 for the IPsec policy template. Enable IPsec RRI.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create an IKE-based IPv4 IPsec policy entry by using IPsec policy template temp1, with the policy name as policy1 and the sequence number as 10.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Apply IPsec policy policy1 to interface Virtual-Template 1.
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ipsec apply policy policy1
[RouterB-Virtual-Template1] quit
Verify the configuration
When Router A successfully dials in via DDR, it will trigger the establishment of an L2TP tunnel and L2TP session with the LAC. Then, Router A and Router B can communicate with each other. When there is traffic between Router A and Router B, an IPsec tunnel will be established to encrypt the private network traffic between Router A and Router B.
# On Router B, use the following command to view the established L2TP tunnel and L2TP session:
[RouterB] display l2tp tunnel
LocalTID RemoteTID State Sessions RemoteAddress RemotePort RemoteName
18986 558 Established 1 10.1.1.1 1701 LAC
[RouterB] display l2tp session
LocalSID RemoteSID LocalTID State
50693 61202 18986 Established
# On Router B, use the following command to view PPP user information:
[RouterB] display ppp access-user domain dm1
Interface Username MAC address IP address IPv6 address IPv6 PDPrefix
VA21 460070000000034#210231UNIS020400005#user1@dm1 - 192.168.0.10 - -
# On Router A, use the following command to view the IPsec SA negotiated.
[RouterA] display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 192.168.0.10/500
remote address/port: 192.168.0.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
Configuration files
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile vpdn1
pdp-type ipv4
apn static vpdn
authentication-mode pap-chap user user1@dm1 password cipher $c$3$naN3XokzBMi+fk31u+dsFJn1d/Ht8OphPP3Mzg==
attach-format imsi-sn split #
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply vpdn1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 5
dialer timer autodial 5
dialer number *99# autodial
ipsec apply policy policy1
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 192.168.0.1 255.255.255.0 key cipher $c$3$0kzuqazKcTGikVRekZ1E8R7jTOC2ZrJR2A==
#
ike profile ike1
keychain key1
match remote identity address 192.168.0.1 255.255.255.0
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3000
remote-address 192.168.0.1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface virtual-template 1
ip address 192.168.0.1 255.255.255.0
ppp authentication-mode pap chap
ppp account-statistics enable
remote address pool aaa
ipsec apply policy policy1
#
local-user 460070000000034#210231UNIS020400005#user1 class network
password cipher $c$3$KomD5MUpUoQGTHdg0v+FqReKwCcKvg01Lz3/kw==
service-type ppp
#
domain dm1
authentication ppp local
authorization ppp local
accounting ppp local
#
l2tp enable
l2tp-group 1 mode lns
tunnel name LNS
allow l2tp virtual-template 1 remote LAC
tunnel authentication
tunnel password cipher $c$3$KaQ9NnaU6nE4n8L9L6YTy/je8hYc1vEBLA==
#
ip pool aaa 192.168.0.10 192.168.0.20
ip pool aaa gateway 192.168.0.1
#
ip route-static 0.0.0.0 0 10.1.1.1
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$vZXXcxKbhB/YCMg4oFr5IVJyrxwQTcB4Mg==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3000
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
5G modem dialup+VPDN tunnel (IMSI/SN binding+remote authentication) configuration example
Network configuration
As shown in Figure 55, Router A is installed with a 5G modem module, allowing users to automatically dial in to the service provider's VPDN through DDR. Establish an IPsec tunnel between the branch gateway Router A and the headquarters gateway Router B, and establish an L2TP tunnel between the service provider's LAC and Router B. The specific requirements are as follows:
· Configure traditional DDR on Router A to dial in to the 5G network via the IPv4 protocol stack, and establish permanent 5G connections.
· Use the NAS-initiated mode to establish an L2TP tunnel between the LAC and Router B, allowing traffic between the branch gateway and the headquarters gateway to go through the service provider's dedicated line, isolating it from the public network.
· Configure an IPsec tunnel between Router A and Router B to encrypt traffic.
· A server with H3C iMC installed acts as the RADIUS server.
Figure 55 5G modem dialup+VPDN tunnel
Analysis
Channelize Cellular1/0 on Router A into Eth-channel 1/0:0, and configure Eth-channel 1/0:0 to use the modem-manufacturer's proprietary protocol to obtain IP addresses assigned by the service provider. Configure DDR auto-dial to the service provider's VPDN on Eth-channel 1/0:0, and set up a permanent connection.
Use the NAS-initiated mode to establish an L2TP tunnel between the LAC and Router B. The core network and LAC are managed by the service provider (consult the service provider for specific configuration parameters). Router B (the LNS) uses remote authentication.
Restrictions and guidelines
To ensure that the branch gateway can dial in to the service provider's VPDN, use a dedicated VPDN SIM card for DDR dialing. Use the VPDN APN, authentication method, username, and password provided by the service provider to configure a 5G modem profile and dialup authentication.
Procedures
Configuring Router A
Table 67 Assign IP addresses to interfaces. (Details not shown.)
Table 68 Configure 5G modem dialup:
# Configure a dialup rule for dialer group 1.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem profile named vpdn1. Specify APN vpdn, and specify the PDP data carrying protocol as IPv4. Specify the CHAP or PAP authentication mode, and specify the username as user1@dm1 (account user1 in ISP domain dm1) and the password as password1. You must use the APN, authentication mode, username, and password provided by the service provider.
[RouterA] apn-profile vpdn1
[RouterA-apn-profile-vpdn1] pdp-type ipv4
[RouterA-apn-profile-vpdn1] apn static vpdn
[RouterA-apn-profile-vpdn1] authentication-mode pap-chap user user1@dm1 password simple password1
# Configure the pound sign (#) as the delimiter for the IMSI/SN binding authentication information. The authentication information will be sent in the imsiinfo#sninfo#username format.
[RouterA-apn-profile-vpdn1] attach-format imsi-sn split #
[RouterA-apn-profile-vpdn1] quit
# Channelize the cellular interface into an Eth-channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Enable Eth-channel 1/0:0 to obtain an IPv4 address by using the modem-manufacturer's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Specify primary 5G modem profile vpdn1 for Eth-channel 1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply vpdn1
# Enable traditional DDR on Eth-channel 1/0:0, and associate Eth-channel 1/0:0 with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0 seconds, set the wait-carrier timer to 5 seconds, and set the interval for DDR to make the next call attempt to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 5
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string for placing calls as *99# (for China Mobile or China Unicom). For China Telecommunications, set the value to #777.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure default routes.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
Table 69 Configure an IPsec tunnel:
# Create IPv4 advanced ACL 3000, and configure a rule to allow packets from the 192.168.1.0/24 network to the 192.168.2.0/24 network.
[RouterA] acl advanced 3000
[RouterA-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3000] quit
# Create an IPsec transform set named tran1. Specify security protocol ESP, and specify SHA1 and DES in CBC mode as the authentication and encryption algorithms, respectively.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1. Specify 123456 in plain text as the preshared key to be used with the remote peer at 192.168.0.1.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 192.168.0.1 24 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create an IKE profile named ike1. Specify IKE keychain key1, and configure a peer ID with the identity type of IPv4 address and the value of 192.168.0.1.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 192.168.0.1 24
[RouterA-ike-profile-ike1] quit
# Create an IKE-based IPv4 IPsec policy entry named policy1. Specify IPsec transform set tran1, specify IKE profile ike1, specify IPv4 advanced ACL 3000, and specify the remote IPv4 address of the IPsec tunnel as 192.168.0.1.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 192.168.0.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Apply IPv4 IPsec policy policy1 to Eth-channel 1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] quit
Configuring Router B
Table 70 Assign IP addresses to interfaces. (Details not shown.) As the gateway in the headquarters, Router B has a default route to the next hop in the public network.
Table 71 Configure the LNS for the L2TP tunnel:
# Create a RADIUS scheme named rs1. Specify 192.168.2.2 as the primary authentication server and primary accounting server, and set the authentication and accounting shared keys to radius in plain text.
<RouterB> system-view
[RouterB] radius scheme rs1
[RouterB-radius-rs1] primary authentication 192.168.2.2
[RouterB-radius-rs1] primary accounting 192.168.2.2
[RouterB-radius-rs1] key authentication simple radius
[RouterB-radius-rs1] key accounting simple radius
[RouterB-radius-rs1] quit
# Enable the RADIUS session-control feature. As a best practice, enable this feature when iMC acts as a RADIUS server.
[RouterB] radius session-control enable
# Configure ISP domain dm1 to use RADIUS scheme rs1 for authentication, authorization, and accounting of VPDN users.
[RouterB] domain name dm1
[RouterB-isp-dm1] authentication ppp radius-scheme rs1
[RouterB-isp-dm1] authorization ppp radius-scheme rs1
[RouterB-isp-dm1] accounting ppp radius-scheme rs1
[RouterB-isp-dm1] quit
# Enable L2TP, and create L2TP group 1 in LNS mode.
[RouterB] l2tp enable
[RouterB] l2tp-group 1 mode lns
# Configure the local tunnel name as LNS on the LNS, and specify VT interface 1 for receiving calls from the peer (LAC) named LAC.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1] allow l2tp virtual-template 1 remote LAC
# Enable tunnel authentication, and set the tunnel authentication key to aabbcc.
[RouterB-l2tp1] tunnel authentication
[RouterB-l2tp1] tunnel password simple aabbcc
[RouterB-l2tp1] quit
# Create an IPv4 PPP address pool.
[RouterB] ip pool aaa 192.168.0.10 192.168.0.20
[RouterB] ip pool aaa gateway 192.168.0.1
# Create Virtual-Template 1, and assign IPv4 address 192.168.0.1/24 to the interface.
# Configure Virtual-Template 1 to use CHAP and PAP for authentication and use PPP address pool aaa for IP address assignment. Enable PPP accounting.
[RouterB] interface virtual-template 1
[RouterB-virtual-template1] ip address 192.168.0.1 255.255.255.0
[RouterB-virtual-template1] ppp authentication-mode pap chap
[RouterB-virtual-template1] ppp account-statistics enable
[RouterB-virtual-template1] remote address pool aaa
# Configure the pound sign (#) as the delimiter for the IMSI/SN binding authentication information.
[RouterB-virtual-template1] ppp user accept-format imsi-sn split #
[RouterB-virtual-template1] quit
# Configure a static default route.
[RouterB] ip route-static 0.0.0.0 0 10.1.1.1
Table 72 Configure an IPsec tunnel:
# Create an IPsec transform set tran1. Specify security protocol ESP, and specify SHA1 and DES in CBC mode as the authentication and encryption algorithms, respectively.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1. Specify 123456 in plain text as the preshared key to be used with the remote peer.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create an IKE profile named ike1. Specify IKE keychain key1, and configure a peer ID with the identity type of IPv4 address and the value of 0.0.0.0.
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] quit
# Create an IPsec policy template named temp1. Specify IPsec transform set tran1 and IKE profile ike1 for the IPsec policy template. Enable IPsec RRI.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create an IKE-based IPv4 IPsec policy entry by using IPsec policy template temp1, with the policy name as policy1 and the sequence number as 10.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Apply IPsec policy policy1 to interface Virtual-Template 1.
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ipsec apply policy policy1
[RouterB-Virtual-Template1] quit
Configuring the RADIUS server
NOTE: This section covers only key points for configuring the RADIUS server. For detailed configuration methods, see the configuration guide for the corresponding product.
1. Install components:
Install the Intelligent Management Platform (iMC PLAT) component and the Endpoint Intelligent Access (iMC EIA) component on the RADIUS server. After deployment, you can view the deployment status through the Intelligent Deployment Monitoring Proxy.
2. Configure the LNS:
NOTE: You need to configure SNMP on the LNS only if you need to manage it in iMC. For specific configuration methods, see the configuration guide for the LNS.
a. Log in to H3C iMC, and add the LNS on the Resource > Add Device page. After adding the LNS, view the configuration on the Resource > Device View-All-Exclude PCs page.
b. On the User > User Access Policy > Access Device Management > Add Access Device page, edit the shared key and use the default values for other parameters.
c. On the Device List > Select > Select Device or Interface page, add the LNS. After adding the LNS, view the configuration on the User > User Access Policy > Access Device Management page.
3. Configure an access policy:
Click the User tab, and select User Access Policy > Access Policy from the navigation tree. Then, click Add to add an access policy as follows:
· In the Basic Information area, enter access policy name example.
· In the Authorization Information area, select Yes from the Allocate IP list.
· In the Authentication Binding Information area, do not select the Bind User IP option.
NOTE: If you select this option, the endpoint will fail authentication because it has not yet been assigned an address at authentication time.
· In the Authentication Binding Information area, select the Bind User IMSI option.
· In the Authentication Binding Information area, select the Bind Access Device SN option.
· Use the default values for other parameters.
4. Configure an access service:
Click the User tab, and select User Access Policy > Access Service from the navigation tree. Then, click Add to configure an access service as follows:
· In the Basic Information area, enter service name example.
· In the Basic Information area, enter service suffix dm1.
NOTE: The service suffix must be the same as the domain name configured on the LNS.
· In the Basic Information area, select example from the Default Access Policy list.
· Click OK.
5. Add an access user:
Click the User tab, and select Access User > All Access Users from the navigation tree. Then, click Add to add an access user as follows:
· In the Basic Information area, enter a username.
· In the Access Information area, enter an account name.
· In the Access Information area, enter a password.
· In the Access Information area, confirm the password.
NOTE: The account name and password must be the same as those configured on Router A.
· In the Access Service area, select service example.
· In the Access Service area, enter 192.168.0.10 in the Allocate IP field.
NOTE: This IP address is a fixed IP address assigned to the endpoint.
· In the Binding Information area, enter device SN 210231UNIS020400005.
NOTE: Use the device SN if the router has a built-in 5G modem. If the router uses a 5G SIC interface module, enter the SN of the SIC module instead.
· In the Binding Information area, enter IMSI 460070000000034.
After a successful dialup, you can view user information on the User > Access User > Online Users page.
6. View logs:
On the User > User Access Log page, view the logs. For user authentication failures, you can view the detailed logs on the User > User Access Log > Authentication Failure Log page. You can take corresponding measures according to the failure reason and recommended action.
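The username that the LNS accepts with ppp user accept-format imsi-sn split # has the form IMSI#SN#account@domain (the display ppp access-user output later in this section shows 460070000000034#210231UNIS020400005#user1@dm1), and the iMC access policy above checks the service suffix, the bound IMSI and the bound access device SN against it. The following Python script is an added example, not H3C or iMC code: it parses that format and applies the same three checks offline, using a constructed binding table modelled on the access user added above.

```python
"""Parse and check the IMSI/SN-bound PPP username used in this example.

Added example, not H3C or iMC code. The LAC side carries the binding with
`attach-format imsi-sn split #` and the LNS accepts it with
`ppp user accept-format imsi-sn split #`, so the RADIUS server sees the
PPP username as  <IMSI>#<SN>#<account>@<domain>.
"""
from __future__ import annotations

from dataclasses import dataclass

DELIMITER = "#"  # matches `split #` on the LNS


@dataclass(frozen=True)
class BoundUser:
    account: str
    domain: str    # iMC service suffix; must equal the ISP domain on the LNS
    imsi: str      # "Bind User IMSI"
    sn: str        # "Bind Access Device SN"
    fixed_ip: str  # "Allocate IP"


# Constructed binding table mirroring the iMC access user added above.
BINDINGS = {
    "user1": BoundUser("user1", "dm1", "460070000000034",
                       "210231UNIS020400005", "192.168.0.10"),
}


def parse_ppp_username(raw: str, delimiter: str = DELIMITER) -> dict[str, str]:
    """Split imsi#sn#account@domain into its fields.

    A ValueError here is what a delimiter or format mismatch between the
    LAC's attach-format and the LNS's accept-format looks like from the
    RADIUS server's side (the user is then rejected as malformed).
    """
    parts = raw.split(delimiter)
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields split by {delimiter!r}, got {len(parts)}")
    imsi, sn, user = parts
    # An IMSI is a decimal string of at most 15 digits.
    if not (imsi.isdigit() and 1 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 1 to 15 decimal digits")
    if not sn:
        raise ValueError("empty device SN")
    account, sep, domain = user.partition("@")
    if not sep or not account or not domain:
        raise ValueError("account must be of the form name@domain")
    return {"imsi": imsi, "sn": sn, "account": account, "domain": domain}


def authorize(raw: str, service_suffix: str = "dm1") -> tuple[bool, str]:
    """Emulate the iMC checks; return (accepted, reason).

    Order of checks is an assumption for this example: format, service
    suffix (domain), account, IMSI binding, SN binding.
    """
    try:
        f = parse_ppp_username(raw)
    except ValueError as exc:
        return False, f"format error: {exc}"
    if f["domain"] != service_suffix:
        return False, "domain does not match the access service suffix"
    bound = BINDINGS.get(f["account"])
    if bound is None:
        return False, "unknown account"
    if f["imsi"] != bound.imsi:
        return False, "IMSI binding mismatch"
    if f["sn"] != bound.sn:
        return False, "access device SN binding mismatch"
    return True, f"accept, allocate {bound.fixed_ip}"


if __name__ == "__main__":
    for name in (
        "460070000000034#210231UNIS020400005#user1@dm1",  # as seen on the LNS
        "460070000000034#210231UNIS020400099#user1@dm1",  # SIM moved to another router
        "460070000000034#210231UNIS020400005#user1@dm2",  # wrong ISP domain
        "user1@dm1",                                      # LAC not sending IMSI/SN
    ):
        print(name, "->", authorize(name))
```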
Verify the configuration
When Router A dials in successfully through DDR, the LAC establishes an L2TP tunnel and an L2TP session with the LNS (Router B). Router A and Router B can then communicate with each other. When traffic flows between Router A and Router B, an IPsec tunnel is established to encrypt the private network traffic between them.
# On Router B, use the following command to view the established L2TP tunnel and L2TP session:
[RouterB] display l2tp tunnel
LocalTID RemoteTID State Sessions RemoteAddress RemotePort RemoteName
18986 558 Established 1 10.1.1.1 1701 LAC
[RouterB] display l2tp session
LocalSID RemoteSID LocalTID State
50693 61202 18986 Established
# On Router B, use the following command to view PPP user information:
[RouterB] display ppp access-user domain dm1
Interface Username MAC address IP address IPv6 address IPv6 PDPrefix
VA21 46007000 - 192.168.0.10 - -
0000034#
210231UN
IS020400
005#user
1@dm1
# On Router A, use the following command to view the IPsec SA negotiated:
[RouterA] display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 192.168.0.10/500
remote address/port: 192.168.0.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
Configuration files
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile vpdn1
pdp-type ipv4
apn static vpdn
authentication-mode pap-chap user user1@dm1 password cipher $c$3$naN3XokzBMi+fk31u+dsFJn1d/Ht8OphPP3Mzg==
attach-format imsi-sn split #
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply vpdn1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 5
dialer timer autodial 5
dialer number *99# autodial
ipsec apply policy policy1
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 192.168.0.1 255.255.255.0 key cipher $c$3$0kzuqazKcTGikVRekZ1E8R7jTOC2ZrJR2A==
#
ike profile ike1
keychain key1
match remote identity address 192.168.0.1 255.255.255.0
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3000
remote-address 192.168.0.1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface virtual-template 1
ip address 192.168.0.1 255.255.255.0
ppp authentication-mode pap chap
ppp account-statistics enable
ppp user accept-format imsi-sn split #
remote address pool aaa
ipsec apply policy policy1
#
radius session-control enable
#
radius scheme rs1
primary authentication 192.168.2.2
primary accounting 192.168.2.2
key authentication cipher $c$3$wMts9KlGJpYJbI0tJgKsjMBqMCH7BgJiyA==
key accounting cipher $c$3$tAjhL6GWxUfZDjhu+4wsTqPFaFouDzUq3g==
#
domain dm1
authentication ppp radius-scheme rs1
authorization ppp radius-scheme rs1
accounting ppp radius-scheme rs1
#
l2tp enable
l2tp-group 1 mode lns
tunnel name LNS
allow l2tp virtual-template 1 remote LAC
tunnel authentication
tunnel password cipher $c$3$CAux/EN8ED19D8wg/tYrPiHvrztunTOPjf5b
#
ip pool aaa 192.168.0.10 192.168.0.20
ip pool aaa gateway 192.168.0.1
#
ip route-static 0.0.0.0 0 10.1.1.1
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$vZXXcxKbhB/YCMg4oFr5IVJyrxwQTcB4Mg==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3000
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
Configuring 5G modem dial-up + VXLAN over IPsec tunnels
Network configuration
As shown in Figure 56, the branch switch and the headquarters switch are connected by fibers, allowing Layer 2 communication between the branch and the headquarters. The branch gateway (Router A) is installed with a 5G modem module, supporting 5G network access through auto-dial DDR. A Layer 2 tunnel needs to be deployed between the branch gateway and the headquarters gateway over the 5G link, acting as a backup for the fiber link. In addition, when the branch network and the headquarters network exchange data through the 5G-based Layer 2 tunnel, data encryption is required to ensure data security. The specific network requirements are as follows:
· On Router A, configure traditional auto-dial DDR for 5G network access, and establish a 5G connection in permanent mode.
· On the 5G link, configure a VXLAN over IPsec tunnel to enable Layer 2 communication between the branch and the headquarters. IPsec can provide data encryption for traffic passing through the tunnel.
· Configure the fiber link as the primary link and the VXLAN over IPsec tunnel as the backup. When the primary link is operating correctly, STP places the port toward the tunnel in Discarding state, and traffic is forwarded through the primary link. If the primary link fails, that port transitions to Forwarding, and Layer 2 traffic is forwarded through the backup link. When the primary link recovers, STP returns the port to Discarding, and the primary link resumes forwarding Layer 2 traffic.
Analysis
· On Router A, channelize cellular interface Cellular 1/0 into Eth-channel interface Eth-channel 1/0:0, enable the Eth-channel interface to obtain an IP address by using the modem-manufacturer's proprietary protocol, and then enable auto-dial DDR to establish a permanent 5G connection with the public network.
· Establish an IPsec tunnel between Router A and Router B. The IPsec tunnel interconnects network segment 10.1.1.0/24 on Router A and network segment 20.1.1.0/24 on Router B. Meanwhile, IPsec can protect the data exchanged between the two networks by data encryption and decryption.
· Establish a VXLAN tunnel between Router A and Router B. The source and destination addresses of the tunnel must be in the source and destination network segments connected by the IPsec tunnel, respectively. The VXLAN tunnel enables the branch and the headquarters to exchange VPN traffic.
· Configure MSTP on Switch A and Switch B, and configure Switch B as the root bridge. The cost value for the Router A-facing interface on Switch A should be higher than that for the Router B-facing interface on Switch B. Configure the fiber link as the primary link and the 5G link as the backup.
· When the primary link is used to forward VPN traffic from the branch to the headquarters, the traffic is directly forwarded from Switch A to Switch B through the fiber. The traffic forwarding path is Branch > Switch A > Switch B > Headquarters. When the backup link is used to forward VPN traffic from the branch to the headquarters, the traffic forwarding path is Branch > Switch A > Router A > Router B > Switch B > Headquarters. After receiving the traffic from Switch A, Router A performs the following operations:
a. Encapsulates the received frames in VXLAN. The outer IP header carries source address 10.1.1.1 and destination address 20.1.1.1.
b. Matches the VXLAN packets against the IPsec ACL. Matching packets are encapsulated in IPsec tunnel mode, with the IP address of Eth-channel 1/0:0 as the new source address and the IP address of GigabitEthernet 1/0/1 on Router B as the new destination address.
c. Looks up the routing table for a route to Router B and forwards the packets. Router B then performs IPsec and VXLAN decapsulation and forwards the frames to the headquarters.
Restrictions and guidelines
When you use a standard 5G SIM card for dial-up Internet access, 5G network access is available as long as dynamic APN is specified in the 5G modem profile. If a 5G IoT or VPDN-dedicated SIM card is used, you must specify a static APN in the 5G modem profile, and configure 5G network access authentication based on the username and password provided by the service provider.
When you configure the VXLAN tunnel, make sure the source and destination addresses of each tunnel interface match those of the related IPsec-protected traffic, respectively. If you fail to do so, the VXLAN tunnel cannot come up.
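The guideline above (VXLAN tunnel endpoints must fall inside the IPsec-protected flows on both routers, and the two tunnel interfaces must mirror each other) can be checked before deployment. The following Python script is an added example, not H3C code: it models H3C advanced ACL rules with wildcard masks, the VXLAN-then-IPsec encapsulation chain from the analysis, and runs the check on this example's addresses; the Eth-channel address 100.64.0.2 is a constructed stand-in for the carrier-assigned address, and 1.1.1.1 is Router B's public address used in the procedure that follows.

```python
"""Check VXLAN tunnel endpoints against the IPsec ACLs of both routers.

Added example, not H3C code. Models `rule N permit ip source A WA
destination B WB` with wildcard masks (0 bit must match, 1 bit ignored),
the outer headers a branch frame receives on the backup path
(frame -> VXLAN -> ESP tunnel mode), and the mirror check between
Router A's Tunnel1/ACL 3001 and Router B's Tunnel1/ACL 3003.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str      # "permit" or "deny"
    src: str
    src_wild: str    # wildcard mask, e.g. 0.0.0.255
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard marks as 'care' (0)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_permits(rules: list[AclRule], src: str, dst: str) -> bool:
    """First matching rule decides; no match means the flow is not IPsec-protected."""
    for r in rules:
        if wildcard_match(src, r.src, r.src_wild) and wildcard_match(dst, r.dst, r.dst_wild):
            return r.action == "permit"
    return False


@dataclass(frozen=True)
class Router:
    name: str
    vxlan_source: str        # `source` on interface Tunnel1 (Loopback0 address)
    vxlan_destination: str   # `destination` on interface Tunnel1
    ipsec_acl: tuple[AclRule, ...]
    ipsec_local: str         # address of the interface the IPsec policy is applied to
    ipsec_remote: str        # IPsec peer address


def encapsulation_chain(r: Router) -> list[tuple[str, str, str]]:
    """Outer headers added to a branch frame leaving r over the backup link.

    Returns (layer, src, dst) innermost first: the VXLAN outer IP header
    (UDP 4789), then the ESP tunnel-mode header, which is added only if the
    VXLAN outer header matches the IPsec ACL.
    """
    chain = [("vxlan-udp4789", r.vxlan_source, r.vxlan_destination)]
    if acl_permits(list(r.ipsec_acl), r.vxlan_source, r.vxlan_destination):
        chain.append(("esp-tunnel", r.ipsec_local, r.ipsec_remote))
    return chain


def check_vxlan_over_ipsec(a: Router, b: Router) -> list[str]:
    """Return a list of guideline violations (empty list means the setup is consistent)."""
    problems: list[str] = []
    for r in (a, b):
        if encapsulation_chain(r)[-1][0] != "esp-tunnel":
            problems.append(
                f"{r.name}: VXLAN outer header {r.vxlan_source}->{r.vxlan_destination} "
                "is not covered by the IPsec ACL; the VXLAN tunnel cannot come up")
    if (a.vxlan_source, a.vxlan_destination) != (b.vxlan_destination, b.vxlan_source):
        problems.append(f"{a.name}/{b.name}: tunnel source/destination are not mirrored")
    return problems


# Addresses from this example; 100.64.0.2 is a constructed stand-in for the
# cellular-alloc address of Eth-channel 1/0:0.
ROUTER_A = Router(
    name="RouterA", vxlan_source="10.1.1.1", vxlan_destination="20.1.1.1",
    ipsec_acl=(AclRule("permit", "10.1.1.0", "0.0.0.255", "20.1.1.0", "0.0.0.255"),),
    ipsec_local="100.64.0.2", ipsec_remote="1.1.1.1",
)
ROUTER_B = Router(
    name="RouterB", vxlan_source="20.1.1.1", vxlan_destination="10.1.1.1",
    ipsec_acl=(AclRule("permit", "20.1.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),),
    ipsec_local="1.1.1.1", ipsec_remote="100.64.0.2",
)

if __name__ == "__main__":
    print(encapsulation_chain(ROUTER_A))
    print(check_vxlan_over_ipsec(ROUTER_A, ROUTER_B) or "OK: tunnel endpoints are IPsec-protected")
```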
Procedures
Configuring Router A
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure dial-up settings for the 5G modem.
# Configure dialer group 1 and configure a dial-up rule for the dialer group.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Configure a 5G modem profile named vpdn1, and use an APN automatically assigned by the service provider.
[RouterA] apn-profile vpdn1
[RouterA-apn-profile-vpdn1] apn dynamic
[RouterA-apn-profile-vpdn1] quit
# Channelize Cellular 1/0 into an Eth-channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Enable Eth-channel 1/0:0 to obtain an IP address by using the modem-manufacturer's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply 5G modem profile vpdn1 to Eth-channel 1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply vpdn1
# Enable traditional DDR on Eth-channel 1/0:0, and then associate the interface with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0, the wait-carrier timer to 30 seconds, and the auto-dial timer to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure a dial string for placing calls to the remote end. The dial string varies by service provider. In the Chinese mainland, configure *99# as the dial string if the service provider is China Mobile or Unicom, and configure #777 as the dial string if the service provider is China Telecom.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure a static route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
3. Configure IPsec policy settings.
# Configure IPv4 advanced ACL 3001 to permit IP packets sent from subnet 10.1.1.0/24 to subnet 20.1.1.0/24.
[RouterA] acl advanced 3001
[RouterA-acl-ipv4-adv-3001] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[RouterA-acl-ipv4-adv-3001] quit
# Create IPsec transform set tran1, and then set the encapsulation mode to tunnel, the security protocol to ESP, the ESP authentication algorithm to HMAC-SHA1-96, and the ESP encryption algorithm to DES in CBC mode.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create IKE proposal 1, and then set the authentication method to preshared key, the encryption algorithm to 3DES in CBC mode, and the authentication algorithm to HMAC-SHA1.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] quit
# Create IKE keychain key1, and then specify 123456 in plain text as the preshared key to be used for IKE negotiation with peer 1.1.1.1.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create IKE profile ike1, associate IKE keychain key1 with the IKE profile, configure a peer ID with the identity type of IP address and the value of 1.1.1.1, and then set the triggering interval for on-demand DPD to 5 seconds.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 1.1.1.1 255.255.255.0
[RouterA-ike-profile-ike1] dpd interval 5 on-demand
[RouterA-ike-profile-ike1] quit
# Create IPsec policy policy1, associate IPsec transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3001 with the IPsec policy, and then configure 1.1.1.1 as the remote IPv4 address for the IPsec tunnel.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3001
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 1.1.1.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Apply IPsec policy policy1 to Eth-channel 1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] quit
4. Configure VXLAN tunnel settings.
# Enable L2VPN, and then create VSI vpna and VXLAN 10.
[RouterA] l2vpn enable
[RouterA] vsi vpna
[RouterA-vsi-vpna] vxlan 10
[RouterA-vsi-vpna-vxlan-10] quit
[RouterA-vsi-vpna] quit
# Create a VXLAN tunnel to Router B. The tunnel interface name is Tunnel1. The source address is the IP address of Loopback0 on Router A, 10.1.1.1. The destination address is the IP address of Loopback0 on Router B, 20.1.1.1.
[RouterA] interface tunnel 1 mode vxlan
[RouterA-Tunnel1] source 10.1.1.1
[RouterA-Tunnel1] destination 20.1.1.1
[RouterA-Tunnel1] quit
# Assign tunnel interface Tunnel1 to VXLAN 10.
[RouterA] vsi vpna
[RouterA-vsi-vpna] vxlan 10
[RouterA-vsi-vpna-vxlan-10] tunnel 1
[RouterA-vsi-vpna-vxlan-10] quit
[RouterA-vsi-vpna] quit
# Associate GigabitEthernet 1/0/1 with VSI vpna.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] xconnect vsi vpna
[RouterA-GigabitEthernet1/0/1] quit
Configuring Router B
1. Assign IP addresses to interfaces. (Details not shown.) As the headquarters gateway, Router B has a default static route to the next hop that forwards traffic to the public network.
2. Configure IPsec policy settings.
# Configure IPv4 advanced ACL 3003 to permit IP packets sent from subnet 20.1.1.0/24 to subnet 10.1.1.0/24.
<RouterB> system-view
[RouterB] acl advanced 3003
[RouterB-acl-ipv4-adv-3003] rule 0 permit ip source 20.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-ipv4-adv-3003] quit
# Create IPsec transform set tran1, and then set the encapsulation mode to tunnel, the security protocol to ESP, the ESP authentication algorithm to HMAC-SHA1-96, and the ESP encryption algorithm to DES in CBC mode.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create IKE proposal 1, and then set the authentication method to preshared key, the encryption algorithm to 3DES in CBC mode, and the authentication algorithm to HMAC-SHA1.
[RouterB] ike proposal 1
[RouterB-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterB-ike-proposal-1] authentication-algorithm sha
[RouterB-ike-proposal-1] authentication-method pre-share
[RouterB-ike-proposal-1] quit
# Create IKE keychain key1, and then specify 123456 in plain text as the preshared key to be used for IKE negotiation with the peer.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create IKE profile ike1, associate IKE keychain key1 with the IKE profile, and then configure a peer ID with the identity type of IP address and the value of 0.0.0.0.
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] quit
# Create IPsec policy template temp1, and then associate IPsec transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3003 with the IPsec policy template.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] security acl 3003
# Enable IPsec reverse route injection (RRI). When IPsec SAs are negotiated, the router generates static routes to the protected remote networks accordingly.
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create IKE-based IPsec policy policy1 by using IPsec policy template temp1. The sequence number of the IPsec policy is 10.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Apply IPsec policy policy1 to GigabitEthernet 1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ipsec apply policy policy1
[RouterB-GigabitEthernet1/0/1] quit
3. Configure VXLAN tunnel settings.
# Enable L2VPN, and then create VSI vpna and VXLAN 10.
[RouterB] l2vpn enable
[RouterB] vsi vpna
[RouterB-vsi-vpna] vxlan 10
[RouterB-vsi-vpna-vxlan-10] quit
[RouterB-vsi-vpna] quit
# Create a VXLAN tunnel to Router A. The tunnel interface name is Tunnel1. The source address is the IP address of Loopback0 on Router B, 20.1.1.1. The destination address is the IP address of Loopback0 on Router A, 10.1.1.1.
[RouterB] interface tunnel 1 mode vxlan
[RouterB-Tunnel1] source 20.1.1.1
[RouterB-Tunnel1] destination 10.1.1.1
[RouterB-Tunnel1] quit
# Assign tunnel interface Tunnel1 to VXLAN 10.
[RouterB] vsi vpna
[RouterB-vsi-vpna] vxlan 10
[RouterB-vsi-vpna-vxlan-10] tunnel 1
[RouterB-vsi-vpna-vxlan-10] quit
[RouterB-vsi-vpna] quit
# Associate GigabitEthernet 1/0/2 with VSI vpna.
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] xconnect vsi vpna
[RouterB-GigabitEthernet1/0/2] quit
Configuring Switch A
1. Configure VLAN and port settings.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port access vlan 10
[SwitchA-GigabitEthernet1/0/1] description To_fenzhi
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan all
[SwitchA-GigabitEthernet1/0/2] description To_SwitchB
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all
[SwitchA-GigabitEthernet1/0/3] description To_RouterA
[SwitchA-GigabitEthernet1/0/3] quit
2. Configure STP settings.
# Configure the MST region name as example, map VLAN 10 to MSTI 0, and then set the MSTP revision level of the MST region to 0.
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name example
[SwitchA-mst-region] instance 0 vlan 10
[SwitchA-mst-region] revision-level 0
# Activate the MST region configuration.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure GigabitEthernet 1/0/1 as an edge port, and then enable the BPDU guard feature globally.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp edged-port
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] stp bpdu-protection
# Set the path cost of GigabitEthernet 1/0/2 to 100 and the path cost of GigabitEthernet 1/0/3 to 200, and then enable the loop guard feature on the two interfaces separately.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp instance 0 cost 100
[SwitchA-GigabitEthernet1/0/2] stp loop-protection
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] stp instance 0 cost 200
[SwitchA-GigabitEthernet1/0/3] stp loop-protection
[SwitchA-GigabitEthernet1/0/3] quit
# Enable the spanning tree protocol globally.
[SwitchA] stp global enable
Configuring Switch B
1. Configure VLAN and port settings.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port access vlan 10
[SwitchB-GigabitEthernet1/0/1] description To_zongbu
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk permit vlan all
[SwitchB-GigabitEthernet1/0/2] description To_SwitchA
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk permit vlan all
[SwitchB-GigabitEthernet1/0/3] description To_RouterB
[SwitchB-GigabitEthernet1/0/3] quit
2. Enable STP.
# Configure the MST region name as example, map VLAN 10 to MSTI 0, and then set the MSTP revision level of the MST region to 0.
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name example
[SwitchB-mst-region] instance 0 vlan 10
[SwitchB-mst-region] revision-level 0
# Activate the MST region configuration.
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure Switch B as the root bridge of MSTI 0.
[SwitchB] stp instance 0 root primary
# Configure GigabitEthernet 1/0/1 as an edge port, and then enable the BPDU guard feature globally.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] stp edged-port
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] stp bpdu-protection
# Set the path cost of GigabitEthernet 1/0/2 to 100 and the path cost of GigabitEthernet 1/0/3 to 200, and then enable the loop guard feature on the two interfaces separately.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp instance 0 cost 100
[SwitchB-GigabitEthernet1/0/2] stp loop-protection
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] stp instance 0 cost 200
[SwitchB-GigabitEthernet1/0/3] stp loop-protection
[SwitchB-GigabitEthernet1/0/3] quit
# Set the network diameter of the switched network to 3.
[SwitchB] stp bridge-diameter 3
# Enable the spanning tree protocol globally.
[SwitchB] stp global enable
Verifying the configuration
1. When the primary link is operating correctly, verify that the host and the server can communicate.
# Verify that the host and the server can ping each other over the private network.
<Host> ping -a 192.168.1.2 192.168.1.4
Ping 192.168.1.4 (192.168.1.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.4: icmp_seq=0 ttl=254 time=7.343 ms
56 bytes from 192.168.1.4: icmp_seq=1 ttl=254 time=1.164 ms
56 bytes from 192.168.1.4: icmp_seq=2 ttl=254 time=1.080 ms
56 bytes from 192.168.1.4: icmp_seq=3 ttl=254 time=1.234 ms
56 bytes from 192.168.1.4: icmp_seq=4 ttl=254 time=1.391 ms
--- Ping statistics for 192.168.1.4 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/2.442/7.343/2.452 ms
2. View spanning tree information on each device.
# Execute the display stp brief command on Switch A to view brief STP information. GigabitEthernet1/0/2 acts as the root port and forwards traffic when it is operating correctly. GigabitEthernet1/0/3 is an alternate port and acts as a temporary root port when the current root port fails.
[SwitchA] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 GigabitEthernet1/0/3 ALTE DISCARDING NONE
3. Bring down the primary link and verify that the backup link functions correctly.
# Shut down GigabitEthernet 1/0/2 on Switch A to bring down the primary link.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] shutdown
# Verify that the host and the server can ping each other's private network successfully.
<Host> ping -a 192.168.1.2 192.168.1.4
Ping 192.168.1.4 (192.168.1.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.4: icmp_seq=0 ttl=254 time=7.343 ms
56 bytes from 192.168.1.4: icmp_seq=1 ttl=254 time=1.164 ms
56 bytes from 192.168.1.4: icmp_seq=2 ttl=254 time=1.080 ms
56 bytes from 192.168.1.4: icmp_seq=3 ttl=254 time=1.234 ms
56 bytes from 192.168.1.4: icmp_seq=4 ttl=254 time=1.391 ms
--- Ping statistics for 192.168.1.4 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/2.442/7.343/2.452 ms
4. View spanning tree information on each device.
# Execute the display stp brief command on Switch A to view brief STP information. The role of GigabitEthernet1/0/3 has changed from alternate port to root port, the port is in Forwarding state, and the backup link has taken over traffic forwarding.
[SwitchA] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
5. View VXLAN tunnel information.
# View tunnel interface information on Router A. You can find that the tunnel interface in VXLAN mode is in up state.
[RouterA] display interface tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/1024/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 10.1.1.1, destination 20.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 131 bytes/sec, 1048 bits/sec, 1 packets/sec
Last 300 seconds output rate: 69 bytes/sec, 552 bits/sec, 0 packets/sec
Input: 699 packets, 76394 bytes, 0 drops
Output: 399 packets, 40694 bytes, 0 drops
# View VSI information on Router A. You can find information about the VXLAN created in the VSI, the VXLAN tunnels associated with the VXLAN, and the Layer 3 interfaces associated with the VSI.
[RouterA] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : 5120 kbps
Multicast Restrain : 5120 kbps
Unknown Unicast Restrain: 5120 kbps
MAC Learning : Enabled
MAC Table Limit : Unlimited
MAC Learning rate : Unlimited
Drop Unknown : Disabled
PW Redundancy Mode : Slave
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 10
Tunnel Statistics : Disabled
Tunnels:
Tunnel Name Link ID State Type Flood Proxy Split horizon
Tunnel1 0x5000001 UP Manual Disabled Enabled
ACs:
AC Link ID State
GE1/0/1 0x0 Up
Statistics: Disabled
# View MAC address entries in the VSI on Router A. You can find the MAC address entries that have been learned.
<RouterA> display l2vpn mac-address
MAC Address State VSI Name Link ID/Name Aging
5cb2-2286-0106 Dynamic vpna 0x0 Aging
5cb2-2db0-0206 Dynamic vpna Tunnel1 Aging
--- 2 mac address(es) found ---
6. View IPsec tunnel information.
# Execute the display ipsec sa command on Router A to view the IPsec SAs generated after negotiation.
[RouterA] display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 2.2.2.1/500
remote address/port: 1.1.1.1/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 20.1.1.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
Configuration files
Router A
#
interface LoopBack 0
ip address 10.1.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile vpdn1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply vpdn1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
ipsec apply policy policy1
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
#
acl advanced 3001
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$1IVqHzr6Wp1kgcR4XWXyxik9rCwvG3FOmw==
#
ike profile ike1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
dpd interval 5 on-demand
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3001
remote-address 1.1.1.1
#
l2vpn enable
#
vsi vpna
vxlan 10
tunnel 1
#
interface tunnel 1 mode vxlan
source 10.1.1.1
destination 20.1.1.1
#
interface gigabitethernet 1/0/1
xconnect vsi vpna
#
Router B
#
interface LoopBack 0
ip address 20.1.1.1 255.255.255.0
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.255.0
ipsec apply policy policy1
#
interface gigabitethernet 1/0/2
xconnect vsi vpna
#
acl advanced 3003
rule 0 permit ip source 20.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$J/tEjH4+0j2aWav//RIR5lEL0hInl7vsGw==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3003
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
l2vpn enable
#
vsi vpna
vxlan 10
tunnel 1
#
interface tunnel 1 mode vxlan
source 20.1.1.1
destination 10.1.1.1
#
Switch A
#
vlan 10
#
interface gigabitethernet 1/0/1
port access vlan 10
description To_fenzhi
stp edged-port
#
interface gigabitethernet 1/0/2
port link-type trunk
port trunk permit vlan all
description To_SwitchB
stp instance 0 cost 100
stp loop-protection
#
interface gigabitethernet 1/0/3
port link-type trunk
port trunk permit vlan all
description To_RouterA
stp instance 0 cost 200
stp loop-protection
#
stp region-configuration
region-name example
instance 0 vlan 10
revision-level 0
active region-configuration
#
stp bpdu-protection
stp global enable
#
Switch B
#
vlan 10
#
interface gigabitethernet 1/0/1
port access vlan 10
description To_zongbu
stp edged-port
#
interface gigabitethernet 1/0/2
port link-type trunk
port trunk permit vlan all
description To_SwitchA
stp instance 0 cost 100
stp loop-protection
#
interface gigabitethernet 1/0/3
port link-type trunk
port trunk permit vlan all
description To_RouterB
stp instance 0 cost 200
stp loop-protection
#
stp region-configuration
region-name example
instance 0 vlan 10
revision-level 0
active region-configuration
#
stp instance 0 root primary
stp bpdu-protection
stp bridge-diameter 3
stp global enable
#
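The Router A and Router B files above select DES-CBC and 3DES-CBC for ESP and IKE encryption and SHA-1 for integrity, and Router B uses a wildcard pre-shared key and identity match so that a spoke on a dynamic 5G address can negotiate. The following Python script is an added example, not part of this document or of the router software: it parses a constructed Comware-style excerpt built from those blocks (placeholder key) and lists the settings a reviewer would question; the `dh` and `pfs` keywords it looks for are assumed.

```python
# Constructed Comware-style excerpt modelled on the Router A and Router B files
# above; the key material is a placeholder, everything else mirrors the page.
SAMPLE_CONFIG = """\
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des-cbc
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha
 authentication-method pre-share
#
ike keychain key1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$PLACEHOLDER==
#
ike profile ike1
 keychain key1
 match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy policy1 10 isakmp
 transform-set tran1
 ike-profile ike1
 security acl 3001
 remote-address 1.1.1.1
#
"""

# Algorithm keywords from the page's example that current guidance treats as weak.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5", "sha", "sha1"}
WILDCARD = "0.0.0.0 0.0.0.0"


def parse_blocks(config):
    """Split Comware-style text into (view header, body lines) blocks delimited by '#'."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None              # a '#' line closes the current view
            continue
        if current is None:
            current = (line, [])        # first line after '#' names the view
            blocks.append(current)
        else:
            current[1].append(line)
    return blocks


def audit(config):
    """Return (view header, finding) pairs for the IKE and IPsec views of a config."""
    findings = []
    for header, body in parse_blocks(config):
        has_dh = has_pfs = False
        for line in body:
            w = line.split()
            if header.startswith("ipsec transform-set") and len(w) == 3:
                if w[1] == "encryption-algorithm" and w[2] in WEAK_ENCRYPTION:
                    findings.append((header, f"weak ESP encryption {w[2]}"))
                if w[1] == "authentication-algorithm" and w[2] in WEAK_AUTH:
                    findings.append((header, f"weak ESP authentication {w[2]}"))
            elif header.startswith("ike proposal") and len(w) == 2:
                if w[0] == "encryption-algorithm" and w[1] in WEAK_ENCRYPTION:
                    findings.append((header, f"weak IKE encryption {w[1]}"))
                if w[0] == "authentication-algorithm" and w[1] in WEAK_AUTH:
                    findings.append((header, f"weak IKE integrity {w[1]}"))
                has_dh = has_dh or w[0] == "dh"     # 'dh' keyword assumed
            elif header.startswith("ike keychain"):
                if line.startswith("pre-shared-key address " + WILDCARD):
                    findings.append((header, "one PSK shared with any peer address"))
            elif header.startswith("ike profile"):
                if line.startswith("match remote identity address " + WILDCARD):
                    findings.append((header, "profile matches any remote address"))
            elif header.startswith("ipsec policy"):
                has_pfs = has_pfs or w[0] == "pfs"  # 'pfs' keyword assumed
        if header.startswith("ike proposal") and not has_dh:
            findings.append((header, "no dh group set; the platform default applies"))
        if header.startswith("ipsec policy") and not has_pfs:
            findings.append((header, "no PFS; child SA keys derive from the IKE SA secret"))
    return findings


if __name__ == "__main__":
    for view, msg in audit(SAMPLE_CONFIG):
        print(f"{view}: {msg}")
```

A wildcard match is what a hub needs when the spoke's 5G address is carrier-assigned, so the two wildcard findings are a prompt to keep the pre-shared key per site rather than a defect in themselves.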
Configuring IPv6 dial-up for a 5G modem
Network configuration
As shown in Figure 57, Router A is installed with a 5G modem module. The host needs to access the IPv6 5G network through auto-dial DDR, and establish a 5G connection in permanent mode. The specific network requirements are as follows:
· On Router A, configure traditional auto-dial DDR for IPv6 5G network access, and establish a 5G connection in permanent mode.
· On Router A, enable traditional DDR and configure a dial string for placing calls to the remote end. The dial string varies by service provider. In the Chinese mainland, configure *99# as the dial string if the service provider is China Mobile or Unicom, and configure #777 as the dial string if the service provider is China Telecom.
· Place Router A on IPv6 subnet 2001::/64, and enable Router A to perform DDR only for IPv6 packets.
Analysis
On Router A, channelize cellular interface Cellular 1/0 into Eth-channel interface Eth-channel 1/0:0, and then enable the Eth-channel interface to obtain an IP address by using the modem-manufacturer's proprietary protocol. On Eth-channel 1/0:0, enable auto-dial DDR to establish a permanent 5G connection with the IPv6 5G network.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure dial-up settings for the 5G modem.
# Configure dialer group 1 and configure a dial-up rule for the dialer group.
<RouterA> system-view
[RouterA] dialer-group 1 rule ipv6 permit
# Configure a 5G modem profile named dynamic1, and use an APN automatically assigned by the service provider.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize Cellular 1/0 into an Eth-channel interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Enable Eth-channel 1/0:0 to obtain an IPv6 address by using the modem-manufacturer's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipv6 address cellular-alloc
# Apply 5G modem profile dynamic1 to Eth-channel 1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on Eth-channel 1/0:0, and then associate the interface with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle-timeout timer to 0, the wait-carrier timer to 30 seconds, and the auto-dial timer to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure a dial string for placing calls to the remote end. The dial string varies by service provider. In the Chinese mainland, configure *99# as the dial string if the service provider is China Mobile or Unicom, and configure #777 as the dial string if the service provider is China Telecom.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# On Eth-channel 1/0:0, configure an IPv6 prefix mapping between 2001::/64 and 2002:0DF8:0001::/48 for IPv6 source address translation. This example assumes that the IPv6 prefix obtained by the dialup interface on Router A is 2002:0DF8:0001::/48.
[RouterA-Eth-channel1/0:0] nat66 prefix source 2001:: 64 2002:0df8:0001:: 48
[RouterA-Eth-channel1/0:0] quit
# Configure a static route.
[RouterA] ipv6 route-static :: 0 eth-channel 1/0:0
Verifying the configuration
# Verify that the static route is active in the routing table, and the host can access the network via Router A.
[RouterA] display ipv6 routing-table
Destinations : 6 Routes : 6
Destination: ::/0 Protocol : Static
NextHop : ::1 Preference: 60
Interface : E-CH1/0:0 Cost : 0
Destination: 100::/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
Destination: 100::1/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
Destination: 100::7B/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
...
# Verify that the host can ping an external network successfully, such as Baidu.
C:\Users\host1>ping www.a.shifen.com
Pinging www.a.shifen.com [153.3.238.110] with 32 bytes of data:
Reply from 153.3.238.110: bytes=32 time=27ms TTL=44
Reply from 153.3.238.110: bytes=32 time=27ms TTL=44
Reply from 153.3.238.110: bytes=32 time=27ms TTL=44
Reply from 153.3.238.110: bytes=32 time=27ms TTL=44
Ping statistics for 153.3.238.110:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 27ms, Average = 27ms
Configuration files
#
interface gigabitethernet 1/0/1
ipv6 address 2001::1 64
#
dialer-group 1 rule ipv6 permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ipv6 address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat66 prefix source 2001:: 64 2002:0df8:0001:: 48
#
ipv6 route-static :: 0 eth-channel 1/0:0
#
Troubleshooting
Symptom
When an MSR router is using a 3G/4G/5G interface module to access the Internet, LAN users cannot access the Internet and the WWAN LED for the 3G/4G/5G interface is in abnormal state.
Common causes
· The model of the 3G/4G/5G interface module or USB 3G/4G modem is incompatible with the host model.
· The current software version on the host does not support the 3G/4G/5G interface module.
· The 3G/4G/5G interface module is installed in an incorrect slot.
· The 3G/4G/5G interface module is not properly installed.
· The 3G/4G/5G interface module is hot-swapped incorrectly.
· The 3G/4G/5G interface module or USB 3G/4G modem fails.
· The device cannot recognize the 3G/4G/5G modem.
· The SIM card is in abnormal state.
· The 3G/4G/5G network is unstable.
· The 3G/4G/5G interface is configured incorrectly.
Troubleshooting flow
Figure 58 shows the troubleshooting flowchart.
Figure 58 Flowchart for troubleshooting 3G/4G/5G link failures
Solution
Identifying whether the 3G/4G/5G interface module or USB 3G/4G modem is in good condition
1. Check the LEDs on the 3G/4G/5G interface module. If all of them are off, execute the display device and display device manuinfo commands to view hardware electronic label information and the slot where the interface module was installed.
<Sysname> display device
Slot No. Board Type Status Max Ports
--------------------------------------------------------------
0 RPU Normal 30
1 Unknown Abnormal Unknown
<Sysname> display device manuinfo
...
Slot 1:
DEVICE_NAME : NONE
DEVICE_SERIAL_NUMBER : NONE
MAC_ADDRESS : NONE
MANUFACTURING_DATE : NONE
VENDOR_NAME : NONE
2. If the slot status is Unknown and hardware electronic label information is NONE, identify whether the interface module model matches the host model and whether the interface module is in the correct slot. For more information, see H3C MSR Router Series Interface Module Guide. If the interface module is a USB 3G/4G modem, contact Technical Support to confirm whether the host supports the modem.
3. Identify whether the 3G/4G/5G interface module is installed properly. If not, reinstall the interface module. Before reinstallation, make sure the connector of the interface module is not distorted or dirty.
4. Move the 3G/4G/5G interface module to another slot, or move a normal interface module from another slot to the slot where the 3G/4G/5G interface module is installed. This operation helps you identify whether the 3G/4G/5G interface module is faulty.
5. Only some interface modules carrying a REMOVE button support hot-swapping. Before removing such an interface module, you must press the REMOVE button. An improper operation will cause the device or interface module to malfunction. If you have hot-swapped the interface module, power off and restart the host to make the interface module recover.
6. Identify whether the current software version on the host supports the interface module.
a. Execute the display version command to view the software version of the host.
b. Contact Technical Support to confirm whether the current software version of the host supports the interface module.
c. If the current software version does not support the interface module, upgrade it to a compatible version.
7. If the interface module is a USB 3G/4G modem, insert it into a PC, and then identify whether the PC recognizes the modem correctly.
Identifying whether the 3G/4G/5G modem is in good condition
If no problem is found during the previous check, but information about the 3G/4G/5G modem cannot be displayed, perform the following operations:
1. Execute the display cellular command. The command output does not display information for the specified cellular interface.
<Sysname> display cellular 1/0
^
% Wrong parameter found at '^' position.
2. Identify whether the MSR router model is correct and whether the interface module is in the correct slot. Make sure the MSR router model supports the interface module and the interface module is in the correct slot. For more information, see H3C MSR Router Series Interface Module Guide.
3. Check the interface module and pins for any damage.
4. Identify whether the interface module has been removed by using the remove command or the REMOVE button. In some scenarios, after you remove an interface module carrying a REMOVE button and the REMOVE LED is off, you must perform one of the following operations:
a. Reinstall the interface module.
b. Restart the interface module by executing the reboot command in user view.
5. Identify whether the interface module is restarting. The initialization of the interface module takes some time. In this situation, wait for one or two minutes.
6. Identify whether the device version supports the modem. If not, upgrade the version to a version compatible with the modem.
7. Some 3G CDMA modems cannot be recognized without a SIM card inserted. Please insert a SIM card and test again. Do not insert a 4G SIM card, because these 3G modems do not support 4G SIM cards.
8. Only some interface modules carrying a REMOVE button support hot-swapping. Before removing such an interface module, you must press the REMOVE button. An improper operation will cause the device or interface module to malfunction. If you have hot-swapped the interface module, power off and restart the host to make the interface module recover.
Identifying whether the SIM card is in good condition
1. If no problem is found during the previous checks but the host still fails to dial up and cannot obtain an IP address, view the WWAN LED for the interface module. If it is steadily off, the wireless WWAN link is not connected. Execute the display ip interface brief command and view the command output: the channelized Ethernet interface has no IP address.
<Sysname> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
E-Ch1/0:0 down down -- -- --
2. Identify whether the SIM card is supported by the modem. For example, a WCDMA modem inserted with a China Telecom (CDMA carrier) SIM card cannot register for network access.
3. Execute the display cellular command to identify whether the SIM card is operating correctly. Supported SIM card states include OK, Not Inserted, Locked, Unknown, Network Reject.
<Sysname> display cellular 1/0
...
SIM Status: OK
...
◦ OK: The SIM card is operating correctly, and no action is required.
◦ Not Inserted: The SIM card was installed incorrectly. Identify whether the SIM card is correctly inserted and whether its surface is damaged.
The notch of the SIM card must align with that of the slot, and the chip side of the SIM card must face downwards to ensure good contact with the slot. Alternatively, you can use another device or mobile SIM card for a cross test. If no problem is found, upgrade the device version to the latest.
◦ Locked: The SIM card is locked. Unlock it before use. If it is not completely locked, you can unlock it by executing the pin unlock command. If it is completely locked, go to a service center for unlocking.
<Sysname> system-view
[Sysname] controller Cellular 1/0
[Sysname-Cellular1/0] pin unlock 87654321 1234
PIN will be unlocked and changed to “1234”. Continue? [Y/N]:y
PIN has been unlocked and changed successfully.
◦ Unknown: The state of the SIM card is unknown. You must reinsert the SIM card or execute the modem reboot command to restart the modem.
<Sysname> system-view
[Sysname] controller cellular 1/0
[Sysname-Cellular1/0] modem reboot
◦ Network Reject: The SIM card is rejected from accessing the network. Resolve this issue as if the SIM card is in Locked or Unknown state.
4. Identify whether the SIM card charge is overdue. Execute the display cellular command to view modem information. If the Current Service Status field displays Emergency, call the service center to confirm whether the SIM card charge is overdue. If yes, recharge the SIM card. After the SIM card becomes available, restart the modem or insert the SIM card into a mobile phone to identify whether it can access the Internet.
<Sysname> display cellular 1/0
...
Network Information:
Current Service Status:Emergency
...
Identifying whether the 3G/4G/5G network signal is in good condition
1. If no problem is found during the previous checks, you can check the current status of the 3G/4G/5G network signal. The 3G/4G/5G interface module provides an LED that indicates the network signal strength. For example, a 5G interface module provides a 5G LED. If the 5G LED is steadily off, no 5G signal is available. If the 5G LED flashes slowly, the 5G signal strength is weak. Information conveyed by the network signal LED varies by interface module. For more information, see H3C MSR Router Series Interface Module Guide.
2. Alternatively, you can execute the display cellular command to view the current network signal strength.
◦ For 3G modems, RSSI can be used to represent signal strength. If the RSSI is below -90 dBm, the signal is very poor, which might interrupt the use of network services.
<Sysname> display cellular 1/0
...
Radio Information:
Current Band: ANY
Current RSSI: -51 dBm
◦ For 4G modems, you must check RSRP together with RSSI. If the RSRP is below -100 dBm, the signal is very poor.
<Sysname> display cellular 1/0
...
LTE related info:
Current RSSI: -79 dBm
Current RSRQ: -9 dB
Current RSRP: -106 dBm
Current SNR: 5 dB
◦ For 5G modems, check the signal strength of 5G NR. If the RSRP is below -89 dBm, the signal strength is weak. If the RSRP is around -100 dB, the modem might not be able to stay in 5G condition.
<Sysname> display cellular 1/0
...
Radio Information:
Technology Preference: No preference specified (AUTO)
Technology Selected: NR && LTE
Configured LTE Band = 1,2,3,4,5,7,8,12,13,14,17,18,19,20,25,26,28,29,30,32,34,38,39,40,41,42,43
5G availability under LTE system info:
Current PCI: 537
Endc Available: 1
Restrict Dcnr: 0
R15Availabe: 1
NR related info:
Current RSRQ: -12 dB
Current RSRP: -93 dBm
Current SNR: 14 dB
LTE related info:
Current RSSI: -65 dBm
Current RSRQ: -13 dB
Current RSRP: -103 dBm
Current SNR: -2 dB
Tx Power: 10 dBm
3. If no 3G/4G/5G signal is available, identify whether the antenna is connected properly.
a. If the device has built-in modules or SIC cards, external antennas are required. USB modems do not need external antennas. You can install only one antenna for a 3G modem, but it must be connected to the MAIN antenna interface, not the DIV antenna interface. For a 4G modem, you must install two antennas. As a best practice, install four antennas for a 5G modem.
b. If the antenna is connected correctly, identify whether the surrounding area is covered by a 3G/4G/5G network. You can use a mobile phone or another terminal inserted with a SIM card to dial up. If the dialup fails, contact the service provider to resolve the issue.
4. If the 3G/4G/5G signal is found weak, adjust the antenna position to boost the wireless signal. Generally, the antenna should be vertically upward, and rod-shaped antennas can be staggered in a cross or scissor shape. In indoor places where the network signal is relatively weak, you can boost the wireless signal by adding antenna extension cables.
Identifying whether the 3G/4G/5G interface is configured correctly
1. If the LEDs for the 3G/4G/5G interface module are all in normal state, but the 3G/4G/5G link still does not function normally, identify whether the 3G/4G/5G cellular interface is correctly configured. For more information, see mobile communication modem management configuration in Layer 2 WAN Access Configuration Guide. As a best practice, use the permanent mode. If on-demand dialup is enabled, the cellular interface dials up only when it receives traffic. In this situation, ping the Eth-channel several times to identify whether the Eth-channel interface can go up.
2. USB 4G modems do not support CLI-based management. If the modem is a USB 4G modem, see the Web configuration guide accompanying the host for specific configurations.
3. To access a VPDN network, you must obtain a valid APN, username, and password from the service provider.
◦ For 3G modems, you can use the profile create command to set the APN, username, and password settings.
<Sysname> system-view
[Sysname] controller cellular 1/0
[Sysname-Cellular1/0] profile create 1 static cmnet authentication-mode pap user abc password abc
◦ For 4G or 5G modems, you can use the apn-profile command to set the APN, username, and password settings.
[Sysname] apn-profile test
[Sysname-apn-profile-test] apn static 3gnet
[Sysname-apn-profile-test] authentication-mode chap user card password simple card
4. Identify whether the configured bands are supported by the current SIM card. The configured bands determine the frequency bands on which the modem operates. Band support varies by service provider. Generally, multiple bands are configured by default so that the modem can use these frequency bands simultaneously. Dialup will fail if one of the following conditions exists:
◦ The bands supported by the SIM card are not in the default band group.
◦ Specific bands are required, and none of them is supported by the SIM card.
As a best practice, do not change the band configuration unless necessary. If a dialup failure occurs due to the configuration of an incompatible band, you can remove the incompatible band configuration.
5. Execute the display cellular command to view the IMSI string of the SIM card. If the modem is configured with an IMSI binding, but the configured IMSI is different from the actual IMSI of the SIM card, dialup failure will occur.
<Sysname> display cellular 1/0
Cellular1/0:
Modem State:
Hardware Information:
Model: RM500QGL_VH
Manufacturer: QUALCOMM INCORPORATED
Modem Firmware Version: RM500QGLABR01A01M4G
International Mobile Equipment Identity (IMEI): 863305040121609
International Mobile Subscriber Identity (IMSI): 460028012255957
Hardware Version: 20000
Modem Status: Online
Modem Status: IPv4 Active.
...
6. If the issue persists, collect the following information and contact Technical Support:
◦ Results of each step.
◦ The configuration file, log messages, and alarm messages.
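The SIM card, network signal and IMSI binding checks in the procedures above all read fields of display cellular and compare them against fixed values. The following Python script is an added example, not part of this document or of the router software: it parses a constructed display cellular excerpt (the IMSI values are made up) and applies the thresholds stated above (RSSI below -90 dBm for 3G, RSRP below -100 dBm for 4G, NR RSRP below -89 dBm for 5G), the SIM state table, the Emergency service status and an assumed configured IMSI binding.

```python
import re

# Constructed 'display cellular 1/0' excerpt assembled from the fields the steps
# above inspect (SIM status, service status, IMSI, NR and LTE radio blocks).
SAMPLE_OUTPUT = """\
Cellular1/0:
 Modem State:
  Hardware Information:
   International Mobile Subscriber Identity (IMSI): 460020000000001
  SIM Status: OK
  Network Information:
   Current Service Status: Emergency
  Radio Information:
   Technology Selected: NR && LTE
   NR related info:
    Current RSRQ: -12 dB
    Current RSRP: -93 dBm
    Current SNR: 14 dB
   LTE related info:
    Current RSSI: -65 dBm
    Current RSRQ: -13 dB
    Current RSRP: -103 dBm
    Current SNR: -2 dB
"""

# Actions the SIM card steps above prescribe for each reported state.
SIM_ACTION = {
    "OK": None,
    "Not Inserted": "reseat the SIM card (notch aligned, chip side down) or cross-test it",
    "Locked": "unlock it with pin unlock, or at a service center if fully locked",
    "Unknown": "reinsert the SIM card or run modem reboot",
    "Network Reject": "handle as for Locked or Unknown",
}


def parse_cellular(text):
    """Pull SIM state, service state, IMSI and per-technology RSSI/RSRP (dBm)."""
    info = {"radio": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Radio Information:":
            section = "3G"                       # plain RSSI block with no NR/LTE header
            continue
        if line.endswith("related info:"):
            section = line.split()[0]            # "NR" or "LTE"
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "SIM Status":
            info["sim"] = value
        elif key == "Current Service Status":
            info["service"] = value
        elif key.endswith("(IMSI)"):
            info["imsi"] = value
        elif key in ("Current RSSI", "Current RSRP") and section:
            m = re.match(r"(-?\d+)\s*dBm", value)
            if m:
                info["radio"].setdefault(section, {})[key.split()[1]] = int(m.group(1))
    return info


def assess(info, bound_imsi=None):
    """Apply the thresholds from the steps above and list what to act on."""
    findings = []
    sim = info.get("sim")
    if SIM_ACTION.get(sim):
        findings.append(f"SIM {sim}: {SIM_ACTION[sim]}")
    if info.get("service") == "Emergency":
        findings.append("service status Emergency: ask the carrier whether the SIM charge is overdue")
    radio = info["radio"]
    if radio.get("NR", {}).get("RSRP", 0) < -89:
        findings.append(f"5G NR RSRP {radio['NR']['RSRP']} dBm: weak signal, adjust antennas")
    if radio.get("LTE", {}).get("RSRP", 0) < -100:
        findings.append(f"4G RSRP {radio['LTE']['RSRP']} dBm: very poor signal")
    if radio.get("3G", {}).get("RSSI", 0) < -90:
        findings.append(f"3G RSSI {radio['3G']['RSSI']} dBm: very poor signal")
    if bound_imsi and info.get("imsi") != bound_imsi:
        findings.append(f"IMSI binding {bound_imsi} differs from SIM IMSI {info.get('imsi')}: dialup will fail")
    return findings


if __name__ == "__main__":
    # bound_imsi is a made-up binding that deliberately does not match the sample.
    for finding in assess(parse_cellular(SAMPLE_OUTPUT), bound_imsi="460020000000002"):
        print(finding)
```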
Related alarm and log messages
Alarm messages
N/A
Log messages
N/A