Date: 2015-02-03
VABF DATA Notebook
Page 1 of 102
Purpose of the document:
This document is the VABF notebook for the Cisco Data CPEs. It describes the equipment making up the
CPE subsystem, the configurations validated on that equipment, and the tests carried out.
Edition
Document history
2014/FIXE/052
Direction Technique du Fixe
Ver.: 1.0
Date: 2015-02-03
VABF DATA Notebook
Page 2 of 102
Version  Date        Author(s)                                     Change
1.0      15/01/2014  Hajer YOUNES, Houssem BEN DHIA, Nidhal TALEB  Document created
1.1      08/09/2014  Houssem Ben Dhia                              Wording changed following the rebranding
CONTENTS
List of figures ... 4
List of tables ... 4
List of configurations ... 4
Acronyms ... 6
1. Introduction ... 7
1.1. Purpose ... 7
1.2. Scope of the document ... 7
1.3. Generic architecture ... 8
1.3.1. Architecture based on a connection to the Ooredoo backbone ... 8
1.3.2. Architecture based on a connection to a third-party backbone ... 9
2. CPE equipment ... 9
3. CPE configurations ... 10
3.1. WAN access configurations ... 10
3.1.1. CPE configuration, WAN mode FH ... 11
3.1.1.1. High Speed Internet service configuration: HSI VLAN ... 12
3.1.1.2. Management service configuration ... 13
3.1.1.3. LAN interface configuration ... 14
3.1.1.4. DHCP and DNS configuration ... 15
3.1.1.5. SNMP configuration ... 16
3.1.1.6. HTTPS web access configuration (optional) ... 17
3.1.1.7. SSH access configuration ... 17
3.1.1.8. Static NAT configuration (if needed) ... 19
3.1.1.9. Rate limiting on the router ... 19
3.1.1.10. SLA deployment ... 21
3.1.1.11. Complete configuration - FH connection ... 23
3.1.2. CPE configuration, WAN mode FO ... 30
3.1.3. CPE configuration, WAN mode FTTH ... 30
3.1.3.1. Complete configuration - FTTH connection ... 31
3.1.4. CPE configuration - connection to the PBA over RJ45 ... 39
3.1.5. CPE configuration, WAN mode xDSL (Bitstream) ... 39
3.1.6. CPE configuration, WAN mode xDSL (unbundled local loop) ... 42
3.1.6.1. ADSL connection ... 42
3.1.6.2. VDSL connection ... 43
3.1.6.3. SHDSL connection: EFM (1 pair) ... 44
3.1.6.4. SHDSL connection: ATM (1 pair) ... 46
3.1.7. CPE configuration - 3G ... 47
3.2. WAN configurations with backup links ... 48
3.2.1. FTTH connection with 3G backup ... 49
3.2.2. FH connection with SHDSL backup ... 51
3.2.3. FH connection with VDSL backup ... 53
3.2.4. ADSL connection with 3G backup ... 55
3.2.5. FH/FO connection with ADSL backup ... 56
ANNEX A ... 57
Acronyms
ADSL Asymmetric Digital Subscriber Line
ATM Asynchronous Transfer Mode
CPE Customer Premises Equipment
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
EFM Ethernet on the First Mile
FH Faisceaux Hertziens (microwave radio link)
FO Fibre Optique (optical fibre)
FTTH Fiber To The Home
GE Gigabit Ethernet
SHDSL Single-pair High-speed Digital Subscriber Line
HSI High Speed Internet
IOS Internetwork Operating System
LAN Local Area Network
NAT Network Address Translation
OM Operation and Management
PBA Packet Backhaul Aggregation
PPP Point-to-Point Protocol
SLA Service Level Agreement
SNMP Simple Network Management Protocol
SSH Secure Shell
VABF Vérification de l'Aptitude au Bon Fonctionnement (operational acceptance testing)
VDSL Very High Bitrate Digital Subscriber Line
VLAN Virtual LAN
VPN Virtual Private Network
VRF Virtual Routing and Forwarding
WAN Wide Area Network
1. Introduction
1.1. Purpose
As part of the Data VABF based on Cisco equipment, this document was written to present the various
architectures tested and validated, together with the configurations of the CPEs used to implement
them. The configurations presented in this document serve as a reference for implementing similar
architectures.
This document describes how the CPE is configured for each use case.
The customer's CPE, being connected to the OM network, is managed and monitored remotely. For a
customer wishing to reach another site over a VPN, this service is provided through a dedicated
VPN_Corp on the Ooredoo MPLS backbone.
2. CPE equipment
The equipment used for the VABF tests is:
- Cisco 867 VAE: suited to simple architectures. It is widely deployed at customers who only need
the HSI service, or who need to interconnect a small number of remote sites over a VPN.
- Cisco 1921: suited to interconnecting remote sites over a VPN. It is generally deployed at SMEs
with more or less complex architectures and a relatively large number of users.
- Cisco 2901: suited to more complex architectures where a large number of sites must be
interconnected, backup links must be provided, or other equipment delivering additional services
for the customer must be placed alongside it.
The table below gives an overview of the main characteristics of each piece of equipment used in
the VABF tests.
Equipment   WAN interfaces       LAN interfaces                      EHWIC slots
Cisco 1921  2 GE WAN interfaces  The GE interfaces can be configured  2 EHWIC slots (Enhanced High-Speed WAN
                                 to work as LAN interfaces            Interface Card); can host 2 single-wide
                                                                      or 1 double-wide EHWIC
Cisco 2901  2 GE WAN interfaces  The GE interfaces can be configured  4 EHWIC slots (the use of a double-wide
                                 to work as LAN interfaces            EHWIC slot will consume two EHWIC slots)
3. CPE configurations
3.1. WAN access configurations
This part presents the CPE configurations for the case where the customer's need is limited to the
HSI service.
Note: the VLANs used in this document follow the engineering rules of the IP/MPLS backbone and may
be subject to change. See the routing form for each particular case [customer routing form Neda
Tunisie - Annex A].
For Cisco 2901 CPEs, which support VRFs, and to guarantee an optimal level of security (management
traffic is isolated from customer traffic in its own routing table), the management service is
configured in a dedicated VRF.
The steps to configure the management service in a VRF are:
- Create a VRF (VRF_management)
- Configure the loopback interface
- Configure the WAN interface with the VRF (define the encapsulation, VLAN ID, IP address and
forwarding)
- Configure routing towards the PBA's management interface
Below is the OM service configuration for the Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)T.
### Specifying network number and mask for DHCP clients ###
network <Lan ip> <mask>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifying the duration of the lease. The default is a one-day lease
###
lease 0 2
### Specifying the IP addresses that the DHCP Server should not assign to
DHCP clients ###
ip dhcp excluded-address <Gateway IP>
dns-server 41.228.2.37
### Specifying how the HTTP server users are authenticated ###
ip http authentication local
!
- Options added to the SSH service: a 30-second inactivity timeout is added for SSH sessions.
- Telnet access to the CPE is disabled.
Below is the SSH access configuration for the Cisco 867 VAE, IOS C860VAE-ADVSECURITYK9-M,
Version 15.3(3)M.
### Domain name, required to generate the RSA key pair used by SSH ###
ip domain-name tunisiana.com
### Only SSH access to the IPs defined in the access list 20 is permitted,
any other is denied access ###
access-class 20 in
### Preventing non-SSH Telnets ###
transport input ssh
login local
privilege level 15
!
### Access list restricting SSH access to the authorised addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
### Only SSH access to the IPs defined in the access list 20 is permitted,
any other is denied access ###
access-class 20 in vrf-also
### Access list restricting SSH access to the authorised addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
Definitions (CAR is the committed rate in bit/s; NB and EB are the normal and extended bursts in bytes):
NB = CAR * (1/8) * 1.5
EB = 2 * NB
Shaping
During the VABF, rate-limiting tests at 5 Mbps, 7 Mbps and 10 Mbps were carried out on both equipment
types: Cisco 867 VAE, IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M, and Cisco 2901, IOS
C2900-UNIVERSALK9-M, Version 15.3(1)T.
5 Mbps limit
### Rate limiting is applied on the HSI VLAN sub-interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 5240000 982500 1965000 conform-action transmit exceed-action drop
rate-limit output 5240000 982500 1965000 conform-action transmit exceed-action drop
!
7 Mbps limit
### Rate limiting is applied on the HSI VLAN sub-interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 7340032 1376256 2752512 conform-action transmit exceed-action drop
rate-limit output 7340032 1376256 2752512 conform-action transmit exceed-action drop
!
10 Mbps limit
### Rate limiting is applied on the HSI VLAN sub-interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 10485760 1966080 3932160 conform-action transmit exceed-action drop
rate-limit output 10485760 1966080 3932160 conform-action transmit exceed-action drop
!
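Worked example (added here, not from the original notebook): a Python calculator that applies the definitions above, NB = CAR * (1/8) * 1.5 and EB = 2 * NB, to produce the rate-limit lines for the HSI VLAN sub-interface and to check that an existing rate-limit line follows the rule. It assumes the binary megabit (1 Mbps = 1048576 bit/s), which the 7 and 10 Mbps values above use; the 5 Mbps entry uses 5240000 bit/s, whose bursts the checker still accepts because they are derived consistently from that rate.

```python
"""Rate-limit (CAR) parameter calculator for the HSI VLAN sub-interface.

Added example, not part of the original VABF notebook. It applies the
notebook's definitions NB = CAR * (1/8) * 1.5 and EB = 2 * NB, with CAR in
bit/s and the bursts in bytes, and renders/validates IOS rate-limit lines.
Assumption: 1 Mbps = 1048576 bit/s (the 7 and 10 Mbps values are exact
multiples of 2^20; the notebook's 5 Mbps entry uses 5240000 bit/s instead).
"""
import re

MEGABIT = 1024 * 1024  # binary megabit, as used by the 7 and 10 Mbps entries

RATE_LIMIT_RE = re.compile(
    r"^\s*rate-limit\s+(input|output)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"conform-action\s+(\S+)\s+exceed-action\s+(\S+)"
)


def car_parameters(car_bps: int) -> tuple:
    """Return (CAR, normal burst, extended burst) for a committed rate in bit/s.

    CAR/8 is the number of bytes per second at the committed rate; the normal
    burst is 1.5 times that (CAR*3/16, integer arithmetic keeps it exact) and
    the extended burst is twice the normal burst, as the notebook defines them.
    """
    if car_bps <= 0:
        raise ValueError("CAR must be a positive bit rate")
    normal_burst = car_bps * 3 // 16
    return car_bps, normal_burst, 2 * normal_burst


def car_parameters_mbps(mbps: int) -> tuple:
    """Same as car_parameters, for a rate given in (binary) Mbps."""
    return car_parameters(mbps * MEGABIT)


def rate_limit_lines(car_bps: int, interface: str = "<Wan Interface>.850") -> list:
    """Render the sub-interface block applied on the HSI VLAN (input and output)."""
    car, nb, eb = car_parameters(car_bps)
    action = "conform-action transmit exceed-action drop"
    return [
        f"interface {interface}",
        f" rate-limit input {car} {nb} {eb} {action}",
        f" rate-limit output {car} {nb} {eb} {action}",
    ]


def check_rate_limit_line(line: str) -> bool:
    """True when the bursts on an existing rate-limit line follow the NB/EB rule
    and the actions are the transmit/drop pair the notebook prescribes."""
    m = RATE_LIMIT_RE.match(line)
    if not m:
        raise ValueError(f"not a rate-limit line: {line!r}")
    car, nb, eb = (int(x) for x in m.group(2, 3, 4))
    return (car, nb, eb) == car_parameters(car) and m.group(5, 6) == ("transmit", "drop")


if __name__ == "__main__":
    for mbps in (5, 7, 10):
        print("\n".join(rate_limit_lines(mbps * MEGABIT)))
```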
Cisco IOS IP SLA provides reliable, cost-effective instrumentation for measuring network service
levels.
Cisco IOS IP SLA collects a number of metrics that characterise the network in real time:
- response time,
- latency,
- jitter,
- packet loss.
Cisco IOS IP SLA uses active monitoring to continuously monitor the characteristics of the network.
Measurements are made end to end and can use the different data paths between two points.
The measurements make it possible to determine a baseline characteristic of the behaviour of the
network services. Notification thresholds can then be set so that an administrator is warned
proactively if the results of the active measurements change.
Cisco IOS IP SLA also helps diagnose a network problem by generating hop-by-hop measurements that
identify which network segment is responsible for a degradation.
In addition, Cisco IOS IP SLA takes quality of service into account: the traffic generated by Cisco
IOS IP SLA can be marked so that it is associated with the desired classes of service.
Cisco IOS IP SLA can also proactively monitor the VoIP quality level of a network: VoIP traffic can
be simulated precisely and the MOS (Mean Opinion Score) and ICPIF (Calculated Planning Impairment
Factor) voice quality scores computed between two devices in a network.
In our case, the SLA configuration is also common to both equipment types: Cisco 867 VAE, IOS
C860VAE-ADVSECURITYK9-M, Version 15.3(3)M, and Cisco 2901, IOS C2900-UNIVERSALK9-M,
Version 15.3(1)T.
ip sla monitor 10
### Setting IP address to monitor (to ping). It can be any address that
is stable and will be up reliably. In this case 8.8.8.8 ###
buckets-of-history-kept 25
exit
description IV CEI;DT_FIXE;UPLINK;INCLUDE_SC;
encapsulation dot1Q 850
ip address <IPHSI côté CPE> <masque réseau>
ip nat outside
!
### Creating a name for the DHCP Server address pool ###
ip dhcp pool <poolname>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifying the duration of the lease. The default is a one-day lease
###
lease 0 2
### Specifying the IP addresses that the DHCP Server should not assign to
DHCP clients ###
ip dhcp excluded-address <Gateway IP>
ip domain-name tunisiana.com
### Only SSH access to the IPs defined in the access list 20 is
permitted, any other is denied access ###
access-class 20 in
### Preventing non-SSH Telnets ###
transport input ssh
login local
privilege level 15
!
### Access list restricting SSH access to the authorised addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
### Checking the SSH service ###
show ip ssh
### Creating an IP SLA operation and enter IP SLA configuration mode ###
ip sla monitor 10
### Setting IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
buckets-of-history-kept 25
exit
### Creating a name for the DHCP Server address pool ###
ip dhcp pool <poolname>
### Specifying network number and mask for DHCP clients ###
network <Lan ip> <mask>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifies the duration of the lease. The default is a one-day lease
###
lease 0 2
### Specifying the IP addresses that the DHCP Server should not assign to
DHCP clients ###
ip dhcp excluded-address <Gateway IP>
### Only SSH access to the IPs defined in the access list 20 is
permitted, any other is denied access ###
access-class 20 in vrf-also
### Access list restricting SSH access to the authorised addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
### Checking the SSH service ###
show ip ssh
### Create an IP SLAs operation and enter IP SLAs configuration mode ###
ip sla monitor 10
### Setting IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
buckets-of-history-kept 25
exit
Configuration 16: Complete configuration - WAN mode FTTH - Cisco 867 VAE
### GE interface declaration ###
!
interface <Wan Interface>
no sh
ip tcp adjust-mss 1300
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!
ip nat inside
ip tcp adjust-mss 1300
ip virtual-reassembly in
!
### Creating a name for the DHCP Server address pool ###
ip dhcp pool <poolname>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifies the duration of the lease. The default is a one-day lease
###
lease 0 2
### Specifying the IP addresses that the DHCP Server should not assign to
DHCP clients ###
ip dhcp excluded-address <Gateway IP>
### Create an IP SLAs operation and enter IP SLAs configuration mode ###
ip sla monitor 10
### Setting IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
buckets-of-history-kept 25
exit
!
ip vrf VRF_management
description VRF_management
!
!
### Creating a name for the DHCP Server address pool ###
ip dhcp pool <poolname>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifying the duration of the lease. The default is a one-day lease
###
lease 0 2
### Specifying the IP addresses that the DHCP Server should not assign to
DHCP clients ###
ip dhcp excluded-address <Gateway IP>
### Specifying the DNS server address handed to the DHCP client ###
dns-server 41.228.2.37
### Create an IP SLAs operation and enter IP SLAs configuration mode ###
ip sla monitor 10
### Setting IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
This test was carried out by connecting the CPE directly to the PBA (without going through any WAN
infrastructure).
The equipment used is the Cisco 867 VAE and the Cisco 2901.
The CPE configuration is the same as the one used for the FH (or FO) case, for both Cisco models.
Note: to connect the Cisco CPE to the Alcatel router, a TP-Link converter with a crossover cable
must be used.
[Figure: xDSL (Bitstream) flow - local pre-authentication for the @tunet.tn or @tunet.com domain; if
pre-authentication succeeds, the PPP session's traffic is passed to the Tunet BRAS.]
In what follows, the part of the configuration covering the CPE's connection to the HSI service is
presented for each equipment type: Cisco 867 VAE - IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M,
and Cisco 2901 - IOS C2900-UNIVERSALK9-M, Version 15.3(1)T.
As for the FTTH architecture, a PPP session is used.
### Creating an ATM PVC for each end node (up to ten) with which the
router communicates & Entering ATM virtual circuit configuration mode ###
pvc 0/35
### Configuring the PPPoE client and specifying the dialer interface to
use for cloning on the PVC ###
pppoe-client dial-pool-number 2
!
### Specifies that the IP address for the dialer interface is obtained
through PPP/IPCP (IP Control Protocol) address negotiation ###
ip address negotiated
ip nat outside
ip virtual-reassembly in
### Setting the encapsulation type to PPP for the data packets being
transmitted and received ###
encapsulation ppp
### Entering interface configuration mode for the ATM interface ###
interface ATM 0/0/0
### Creating an ATM PVC for each end node (up to ten) with which the
router communicates & Entering ATM virtual circuit configuration mode ###
pvc 0/35
### Configuring the PPPoE client and specifying the dialer interface to
use for cloning on the PVC ###
pppoe-client dial-pool-number 2
### Specifies that the IP address for the dialer interface is obtained
through PPP/IPCP (IP Control Protocol) address negotiation ###
ip address negotiated
ip nat outside
ip virtual-reassembly in
### Setting the encapsulation type to PPP for the data packets being
transmitted and received ###
encapsulation ppp
Figure 8: Unbundled local loop (dégroupage)
!
interface ATM 0/0/0
no ip address
pvc 0/35
pppoe-client dial-pool-number 2
!
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!
!
!
### Entering controller configuration mode and the controller number ###
controller VDSL 0/2/0
### Entering the configuration mode for Ethernet Layer 2 transport on the
VDSL WAN interface on the router ###
interface Ethernet0/2/0
no ip address
### VLAN configuration ###
interface Ethernet0/2/0.1200
encapsulation dot1Q 1200
### Enabling pppoe ###
pppoe enable
pppoe-client dial-pool-number 1
### Configuring Dialer interface needed to connect with the PPPOE
connection ###
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!
The connections are built on GE DSLAMs over SDSL copper in 1, 2 or 4 pairs, using EFM transmission
technology.
- Equipment: Cisco 2901 - IOS C2900-UNIVERSALK9-M, Version 15.3(1)T
- Card: HWIC-4SHDSL-E
Configuration 22: SHDSL connection - EFM 1 pair
interface Cellular0/0/0
### Enabling DDR (Dial on Demand Routing) and configures the specified
serial interface to use in-band dialing ###
dialer in-band
### Specifying the number or string to dial. Use the name of the CHAT
script here ###
dialer string hspa-R7
### Specifying the number of the dialer access group to which the specific
interface belongs ###
dialer-group 1
### Returns a line that has been placed into dedicated asynchronous network mode to
interactive mode, thereby enabling the SLIP and PPP commands in privileged EXEC mode ###
async mode interactive
### To display the current active connection state and data statistics ###
show cellular 0/0/0 connection
Primary link  Backup link  CPE
FTTH          3G           Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)T
Failover to the secondary link must occur correctly when the Internet is unreachable over the
primary link. Failback to the primary link must occur automatically once it returns to its normal
state.
Setting up a secondary backup link relies on the tracking principle. The idea is to track the
primary route and to define a secondary route with a higher metric, which means it is only used if
the track defined for the primary route is lost following detection of the link failure by IP SLA.
### monitoring ip sla 1 and removing the track 10 route if unreachable ###
track 10 ip sla 1 reachability
### Creating the route map WAN-FTTH entry and entering route-map configuration mode.
Route-map entries are read in order; the order is given by the sequence_number
option (10 in this case) ###
route-map WAN-FTTH permit 10
### Matching any routes that have a destination network that matches the
ACL LAN. If more than one ACL is specified, then the route can match
any of the ACLS ###
match ip address LAN
### Matching any routes with the specified next hop interface, in this
case, it matches <Wan Interface>.100 interface. If more than one
interface is specified, then the route can match
either interface ###
match interface <Wan Interface>.100
### Creating the route map WAN-3G entry and entering route-map
configuration mode ###
route-map WAN-3G permit 10
### Matching any routes whose destination network matches the ACL LAN ###
match ip address LAN
### Matching any routes with the specified next hop interface,in this
case, it matches cellular interface ###
match interface cellular 0/0/0
!
ip sla auto discovery
ip sla 10
icmp-echo 4.2.2.2 source-interface <Wan Interface>.850
ip sla schedule 10 life forever start-time now
!
route-map FH permit 10
match ip address LAN
match interface <Wan Interface>.850
!
!
Note: a Data or Security licence must be activated to use IP SLA.
Note: the Data or Security licence must be activated to use IP SLAs.
ip sla 1
icmp-echo 4.2.2.2 source-interface dialer 1
threshold 2000
frequency 5
ip sla schedule 1 life forever start-time now
!
track 10 ip sla 1 reachability
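Added example (not part of the original notebook) simulating the failover logic described in this section: an IP SLA icmp-echo probe with threshold 2000 ms and frequency 5 s, a reachability track, a tracked primary default route and a floating backup route with a higher administrative distance. The two static routes themselves, the icmp-echo default timeout of 5000 ms and the absence of any track delay are assumptions; the interface names of the scenario (a dialer as primary, the cellular interface as backup) are constructed.

```python
"""Simulation of the notebook's backup-link logic.

Added example, not part of the original VABF notebook. It models
`ip sla 1` (icmp-echo, threshold 2000, frequency 5), `track 10 ip sla 1
reachability`, a primary default route tied to track 10 and a floating backup
route with a higher administrative distance. Assumed, since the notebook does
not show them: the two static routes, the icmp-echo default timeout of 5000 ms,
and no `delay up/down` on the track object.
"""
from dataclasses import dataclass
from typing import Optional

OK, OVER_THRESHOLD, TIMEOUT = "OK", "OverThreshold", "Timeout"


def sla_return_code(rtt_ms: Optional[float], threshold_ms: int = 2000,
                    timeout_ms: int = 5000) -> str:
    """Classify one icmp-echo probe as IP SLA reports it (None = no reply)."""
    if rtt_ms is None or rtt_ms > timeout_ms:
        return TIMEOUT
    if rtt_ms > threshold_ms:
        return OVER_THRESHOLD
    return OK


def track_reachability(return_code: str) -> bool:
    """`track N ip sla M reachability` is up for OK *and* OverThreshold; only a
    failed probe (Timeout) brings it down, so a slow link alone does not fail over."""
    return return_code in (OK, OVER_THRESHOLD)


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str
    distance: int = 1              # the "higher metric" of the backup route
    track: Optional[int] = None    # `ip route ... track <n>` (assumed form)


def active_default_route(routes, track_state) -> Optional[StaticRoute]:
    """Install the lowest-distance route whose track object (if any) is up."""
    usable = [r for r in routes if r.track is None or track_state.get(r.track, False)]
    return min(usable, key=lambda r: r.distance) if usable else None


def simulate(probe_rtts, routes, track_id: int = 10) -> list:
    """Feed one probe result per `frequency 5` interval; return the next hop
    selected after each probe (None means no default route at all)."""
    chosen = []
    for rtt in probe_rtts:
        state = {track_id: track_reachability(sla_return_code(rtt))}
        route = active_default_route(routes, state)
        chosen.append(route.next_hop if route else None)
    return chosen


# Constructed scenario: primary via Dialer1 (tracked), backup via Cellular0/0/0
# with administrative distance 10, so it is only installed while track 10 is down.
ROUTES = (StaticRoute("Dialer1", 1, track=10), StaticRoute("Cellular0/0/0", 10))

if __name__ == "__main__":
    probes = [20, 2500, None, None, 30]   # ms; None = probe timed out
    for rtt, hop in zip(probes, simulate(probes, ROUTES)):
        print(f"rtt={rtt!s:>5} ms -> default route via {hop}")
```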
### Creation of the Phase 2 Policy for actual data encryption ###
crypto ipsec transform-set <RAVPNSET> esp-3des esp-sha-hmac
### Creation of a dynamic map and application of the transform set that
was created earlier ###
### Creation of the actual crypto map and application of the AAA lists
that were created earlier ###
!
crypto map clientmap client authentication list <RAVPNusr>
crypto map clientmap isakmp authorization list <RAVPNgrp>
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic DRAVPN
!
### Create a pool of addresses to be assigned to the VPN clients ###
ip local pool <ourpool> <1st IP> <last IP>
Note: the VPN client used is the Cisco VPN Client. On the router, a Security licence must be
activated.
### Site 1
### Entering config-isakmp command mode and identifying the policy to
create. (Each policy is uniquely identified by the priority number you
assign) ###
crypto isakmp policy 1
### Specify the encryption algorithm ###
encr 3des
### Specify the hash algorithm ###
hash md5
### Specify the authentication method: pre-shared keys ###
authentication pre-share
### Specify the Diffie-Hellman group identifier: 768-bit Diffie-Hellman (1)
or 1024-bit Diffie-Hellman (2) ###
group 2
### At the local peer: Specify the shared key the headquarters router will
use with the remote office router. This example configures the shared key
firewallcx to be used with the remote peer 0.0.0.0 ###
crypto isakmp key <firewallcx> address 0.0.0.0
### Define a transform set and enter crypto-transform configuration mode
###
crypto ipsec transform-set TS esp-3des esp-md5-hmac
### Change the mode associated with the transform set. The mode setting is
only applicable to traffic whose source and destination addresses are the
IPSec peer addresses; it is ignored for all other traffic. (All other
traffic is in tunnel mode only.) This config configures tunnel mode for the
transport set TS, which creates an IPSec tunnel between the IPSec peer
addresses ###
mode tunnel
### Enter crypto map configuration mode, specify a sequence number for the
crypto map created in Step 1, and configure the crypto map to use IKE
to establish SAs ###
crypto map CMAP 10 ipsec-isakmp
### Specify a remote IPSec peer (by host name or IP address). This is the
peer to which IPSec protected traffic can be forwarded ###
set peer <197.14.1.17>
### Specify which transform sets are allowed for this crypto map entry ###
set transform-set TS
### Accesses list number or name of an extended access list. This access
list determines which traffic should be protected by IPSec and which
traffic should not be protected by IPSec security in the context of this
###Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <firewallcx> address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
! Mirror image of the Site 1 crypto ACL: Site 2 LAN to Site 1 LAN
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip nat inside source route-map WAN-FH interface <Wan Interface>.850 overload
!
! Exclude the site-to-site traffic from NAT so it still matches the crypto ACL
ip access-list extended LAN
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
!
route-map WAN-FH permit 10
match ip address LAN
match interface <Wan Interface>.850
!
interface <Wan Interface>.850
crypto map CMAP
!
Configuration 33: Site-to-site IPsec VPN (Site 1 ADSL - Site 2 FH)
### Site 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
###Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
!
! Mirror image of the Site 1 crypto ACL: Site 2 LAN to Site 1 LAN
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
Configuration 34: Site-to-site IPsec VPN (Site 1 FTTH - Site 2 FH)
### Site 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set transform-set TS
match address VPN-TRAFFIC
!
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
###Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
!
! Mirror image of the Site 1 crypto ACL: Site 2 LAN to Site 1 LAN
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
Figure 16: IPsec VPN connection between two sites connected via ADSL
Configuration 35: Site-to-site IPsec VPN (Site 1 ADSL - Site 2 ADSL)
### Site 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set transform-set TS
match address VPN-TRAFFIC
!
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
###Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
!
! Mirror image of the Site 1 crypto ACL: Site 2 LAN to Site 1 LAN
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
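Configurations 32 to 35 above all negotiate the tunnel with `encr 3des`, `hash md5`, `group 2` and a key bound to `address 0.0.0.0`, so one pre-shared key is accepted from any peer address, and 3DES (64-bit block), HMAC-MD5 and 1024-bit Diffie-Hellman are all below current guidance. As an added example, not part of this notebook or of the tested CPE configurations, the Site 1 side of the same crypto-map design is shown below on IKEv2: AES-256-GCM for both the IKE SA and ESP, SHA-384 PRF, ECDH group 19, and a key that is only valid for the peer at 197.14.1.17. The local address 197.14.1.19 is taken from Configuration 38; the key strings and master key in angle brackets are placeholders, and the IOS release is assumed to support IKEv2 with AES-GCM. Site 2 mirrors it with the peer address, local address and crypto ACL reversed.

```cisco
! Site 1 (local 197.14.1.19, Site 2 peer at 197.14.1.17)
! Added example: placeholders in <angle brackets> are assumptions
!
! Store pre-shared keys in the configuration as type 6 (AES) secrets
key config-key password-encrypt <master-key>
password encryption aes
!
! IKE SA: AES-256-GCM is AEAD, so a PRF is set instead of an integrity algorithm
crypto ikev2 proposal PROP-SITE
 encryption aes-gcm-256
 prf sha384
 group 19
!
crypto ikev2 policy POL-SITE
 proposal PROP-SITE
!
! One key per peer, bound to that peer's address: no 0.0.0.0 wildcard
crypto ikev2 keyring KR-SITE
 peer SITE2
  address 197.14.1.17
  pre-shared-key local <site1-to-site2-key>
  pre-shared-key remote <site2-to-site1-key>
!
! Only a peer whose IKE identity is exactly 197.14.1.17 can use this profile
crypto ikev2 profile PROF-SITE2
 match identity remote address 197.14.1.17 255.255.255.255
 identity local address 197.14.1.19
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SITE
 lifetime 28800
 dpd 10 3 on-demand
!
! Child SA: ESP with AES-256-GCM (authenticated encryption, no separate HMAC)
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 197.14.1.17
 set transform-set TS-GCM
 set pfs group19
 set ikev2-profile PROF-SITE2
 match address VPN-TRAFFIC
!
! Crypto ACL unchanged from Configuration 33; Site 2 uses the mirror image
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
interface GigabitEthernet0/1.850
 crypto map CMAP
```

After the first ping across the tunnel, `show crypto ikev2 sa detailed` should list the SA as PSK-authenticated with AES-GCM and group 19, and `show crypto ipsec sa` should show ESP SAs using esp-gcm; an IKE_AUTH from any other peer identity finds no matching profile and is rejected, which is the property the wildcard key in the original configurations does not give.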
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname jrahhppb@tunet.tn
ppp chap password 0 YeMp78V3
crypto map CMAP
!
!
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
ip access-list extended VPN-TRAFFIC1
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
### CPE 1921 FTTH
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
pppoe-client dial-pool-number 10
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname kamdgxuz@tunet.tn
ppp chap password 0 YwD338Gt
crypto map CMAP
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
ip access-list extended VPN-TRAFFIC1
permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
!
Note: all CPEs used have an active Security license.
Figure 18: IPsec VPN connection between two sites through the central site
Configuration 37: IPsec VPN connection between two sites through the central site
!
ip nat inside source list LAN interface GigabitEthernet1.850 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.16
ip route 10.220.0.0 255.255.255.0 10.243.243.1
!
ip access-list extended LAN
deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 any
interface Ethernet0/0/0.1200
encapsulation dot1Q 1200
pppoe enable group global
pppoe-client dial-pool-number 1
!
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
Note: all CPEs used have an active Security license.
###Site 1
!
interface GigabitEthernet0/1.850
encapsulation dot1Q 850
ip address 197.14.1.19 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
!
interface GigabitEthernet0/1.851
encapsulation dot1Q 851
ip address 10.243.243.6 255.255.255.248
!
interface GigabitEthernet0/1.852
encapsulation dot1Q 852
ip address 10.99.99.2 255.255.255.252
!
ip route 10.10.10.0 255.255.255.0 10.99.99.1
###Site 2
!
interface GigabitEthernet0/1.850
description IV CEI;DT_FIXE;UPLINK_HSI;INCLUDE_SC;
encapsulation dot1Q 850
ip address 197.14.1.17 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
interface GigabitEthernet0/1.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip address 10.243.243.2 255.255.255.252
!
interface GigabitEthernet0/1.852
Configuration 39: MPLS VPN with IPsec VPN backup (Site 1: FH/FO connection, Site 2: ADSL connection)
###CPE_2901
!
track 10 ip sla 10
!
track 20 ip sla 20
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set peer 10.155.0.4
set transform-set TS
match address VPN-TRAFFIC
!
!
interface GigabitEthernet0/1.850
encapsulation dot1Q 850
ip address 197.14.1.19 255.255.255.254
ip nat outside
ip virtual-reassembly in
!
!
ip access-list extended LAN
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip sla auto discovery
ip sla 10
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/1.850
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 197.14.1.17 source-interface GigabitEthernet0/1.850
ip sla schedule 20 life forever start-time now
!
route-map SDSL permit 10
match ip address LAN
match interface Dialer2
!
route-map FH permit 10
match ip address LAN
match interface GigabitEthernet0/1.850
!
!
### CPE 1921
!
track 10 ip sla 10
!
track 20 ip sla 20
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
ip forward-protocol nd
!
!
ip nat inside source route-map FH interface GigabitEthernet0/1.850 overload
ip nat inside source route-map VDSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.16 track 10
ip route 10.10.20.0 255.255.255.0 10.99.99.5 track 20
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
!
ip access-list extended LAN
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip sla auto discovery
ip sla 10
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/1.850
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 197.14.1.19 source-interface GigabitEthernet0/1.850
3.3.11. DMVPN
Figure 21: DMVPN
Configuration 40: DMVPN
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 10
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname jrahhppb@tunet.tn
ppp chap password 0 YeMp78V3
!
!
router eigrp 100
network 10.0.0.0
network 172.16.0.0
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
permit ip 10.10.20.0 0.0.0.255 any
!
### CPE Spoke_1921 FTTH
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewall.cx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
!
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 197.14.9.82
ip nhrp map multicast 197.14.9.82
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
tunnel source Dialer10
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
!
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname kamdgxuz@tunet.tn
ppp chap password 0 YwD338Gt
!
!
router eigrp 100
network 10.0.0.0
network 172.16.0.0
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
### CPE HUB 2901 FTTH
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
interface Tunnel0
description mGRE - DMVPN Tunnel
ip address 172.16.0.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Dialer10
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
!
Note: all CPEs used have an active Security license. The 867 VAE CPE does not support DMVPN.
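Configuration 40 above protects the mGRE tunnel with the same 3DES/MD5/group 2 ISAKMP policy and a wildcard key (`address 0.0.0.0`) on the hub and on every spoke, so one leaked spoke key lets any host authenticate to the hub; `ip nhrp authentication firewall` does not help, because the NHRP authentication string travels in cleartext inside the tunnel and only keeps mis-configured routers out of the NHRP domain. Since the spokes' Dialer10 addresses are negotiated, the hub cannot bind a key to a spoke address. The following added example, not from this notebook or from the tested CPEs, moves the hub and the Spoke_1921 side to IKEv2: each spoke presents an FQDN as its IKE identity and the hub selects a per-spoke key from its keyring by that identity, so a compromised spoke key is only usable as that spoke. The FQDNs, the key strings and the `vpn.example` domain are placeholders; the hub address 197.14.9.82 is the one the spoke maps in `ip nhrp map`; the IOS release is assumed to support IKEv2 with AES-GCM.

```cisco
! Hub (CPE HUB 2901, tunnel 172.16.0.1, public address 197.14.9.82)
! Added example: FQDNs, keys and the vpn.example domain are assumptions
crypto ikev2 proposal PROP-DMVPN
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy POL-DMVPN
 proposal PROP-DMVPN
!
! Per-spoke keys selected by the IKEv2 identity the spoke presents,
! not by its (negotiated, changing) source address
crypto ikev2 keyring KR-SPOKES
 peer SPOKE1
  identity fqdn spoke1.vpn.example
  pre-shared-key <spoke1-key>
 peer SPOKE2
  identity fqdn spoke2.vpn.example
  pre-shared-key <spoke2-key>
!
crypto ikev2 profile PROF-DMVPN
 match identity remote fqdn domain vpn.example
 identity local fqdn hub.vpn.example
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SPOKES
 dpd 30 5 on-demand
!
! Transport mode is enough: GRE already supplies the outer delivery header
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode transport
!
crypto ipsec profile protect-gre-v2
 set transform-set TS-GCM
 set ikev2-profile PROF-DMVPN
!
interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Dialer10
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre-v2
!
! Spoke_1921 (tunnel 172.16.0.2): PROP-DMVPN, POL-DMVPN, TS-GCM and
! protect-gre-v2 are configured exactly as on the hub; only the key lookup,
! the identity and the MTU/MSS lines on Tunnel0 differ from Configuration 40
crypto ikev2 keyring KR-HUB
 peer HUB
  address 197.14.9.82
  pre-shared-key <spoke1-key>
!
crypto ikev2 profile PROF-DMVPN
 match identity remote address 197.14.9.82 255.255.255.255
 identity local fqdn spoke1.vpn.example
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUB
 dpd 30 5 on-demand
!
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile protect-gre-v2
```

On the hub, `show crypto ikev2 sa detailed` then shows each spoke SA with its FQDN as the remote identity, and `show ip nhrp` the registrations that arrived through those SAs; a spoke presenting an FQDN that has no keyring entry fails IKE_AUTH even though it matches the domain rule in the profile.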
3.3.12. 3G VPN
Figure 22: 3G VPN
- Equipment: Cisco ACS, ASR 1006 VPN concentrator, Cisco 1921 and 2911 (IOS: C2900-UNIVERSALK9-M, version 15.3(1)T) + 3G card
Configuration 41: 3G VPN
dialer-group 1
async mode interactive
crypto ipsec client ezvpn ez2
!
interface Cellular0/0/1
no ip address
encapsulation slip
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
!
!
router eigrp 1
network 192.168.1.0
network 192.168.90.0
!
!
ip nat inside source list 101 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 10 permit any
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
dialer-list 1 protocol ip list 10
!
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer hspa-R7
no exec
Note: all CPEs used have an active Security license.
hostname C2911
interface GigabitEthernet0/2.853
encapsulation dot1Q 853
ip address 10.11.11.2 255.255.255.248
!
router ospf 1
passive-interface default
no passive-interface GigabitEthernet0/2.853
network 10.11.11.0 0.0.0.7 area 10
network 10.100.100.2 0.0.0.0 area 10
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 10.0.0.0 255.0.0.0 10.11.11.3
!
hostname C1921
!
!
controller SHDSL 0/0/0
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.19
set transform-set TS
match address VPN-TRAFFIC
!
!
interface GigabitEthernet0/1.850
encapsulation dot1Q 850
ip address 197.14.1.17 255.255.255.254
ip nat outside
ip virtual-reassembly in
rate-limit input 1000000 1500 3000 conform-action transmit exceed-action drop
rate-limit output 1000000 1500 3000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1.851
encapsulation dot1Q 851
ip address 10.243.243.6 255.255.255.248
!
interface GigabitEthernet0/1.853
encapsulation dot1Q 853
ip address 10.11.11.1 255.255.255.248
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
router ospf 1
passive-interface default
no passive-interface GigabitEthernet0/1.853
network 10.11.11.0 0.0.0.7 area 10
network 10.100.100.1 0.0.0.0 area 10
!
!
ip nat inside source route-map FH interface GigabitEthernet0/1.850 overload
ip nat inside source route-map VDSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.16
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
ip access-list standard SNMP_FILTER
permit 10.220.0.2
permit 10.220.0.1
deny any
!
ip access-list extended LAN
permit ip 10.10.40.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip host 10.100.100.1 host 10.100.100.3
permit ip host 10.100.100.1 host 10.100.100.2
permit ip host 10.100.100.2 host 10.100.100.1
permit ip host 10.100.100.3 host 10.100.100.1
!
route-map VDSL permit 10
match ip address LAN
match interface Dialer1
!
route-map FH permit 10
Note: all CPEs used have an active Security license. The Cisco 867 VAE does not support the OSPF protocol.
ANNEX A
- TR-069 configuration
This part of the configuration provides the CPE with the Management Server parameters that let it register with the ACS in accordance with the TR-069 standard, so that remote management operations can be performed.
### Configuration of the CPE WAN Management Protocol (CWMP) parameters ###
interface <Wan Interface>.850
cwmp wan default
exit
cwmp agent
enable download
session retry limit 12
request outstanding 3
parameter change notify interval 120
cwmp agent
enable
- Wi-Fi connection
This configuration was not tested in the VABF. It is provided for information only.