2014/FIXE/052
Direction Technique du Fixe (Fixed Network Technical Directorate)
Version: 1.0
Date: 2015-02-03
VABF DATA Test Book
Page: 1 of 102

VABF DATA Test Book

Department: Integration and Terminals
Direction Technique du Fixe

Purpose of the document:

This document is the VABF (Vérification de l'Aptitude au Bon Fonctionnement, operational acceptance testing) test book for the Cisco Data CPEs. It describes the equipment that makes up the CPE subsystem, the configurations validated on that equipment, and the tests carried out.

Associated upstream documents:

Reference / Title | Author | Version
Engineering rules for BNG equipment | Nidhal Taleb | 1.0

Edition

Version date: 15/01/2014
Distribution: Fixed Enterprise Solutions team; Integration and Terminals team
Version number: 1
Reference: 2014/FIXE/052

Role | Entity | Name | Position
Author | DT/FIXE | Hajer YOUNES | Enterprise Products Study Engineer
Validation | DT/FIXE | Ali REBAI | Head of the Integration and Terminals department
Owner | DT/FIXE | Sami LANDOULSI | Fixed Network Technical Director

Document history

Version | Date | Contributors | Nature
1.0 | 15/01/2014 | Hajer YOUNES, Houssem BEN DHIA, Nidhal TALEB | Document creation
1.1 | 08/09/2014 | Houssem Ben Dhia | Wording change following the rebranding

CONTENTS
List of figures ... 4
List of tables ... 4
List of configurations ... 4
Acronyms ... 6
1. Introduction ... 7
1.1. Purpose ... 7
1.2. Scope of the document ... 7
1.3. Generic architecture ... 8
1.3.1. Architecture based on a connection to the Ooredoo backbone ... 8
1.3.2. Architecture based on a connection to a third-party backbone ... 9
2. CPE equipment ... 9
3. CPE configurations ... 10
3.1. WAN access configurations ... 10
3.1.1. CPE configuration, WAN mode FH ... 11
3.1.1.1. High Speed Internet service configuration: HSI VLAN ... 12
3.1.1.2. Management service configuration ... 13
3.1.1.3. LAN interface configuration ... 14
3.1.1.4. DHCP and DNS configuration ... 15
3.1.1.5. SNMP configuration ... 16
3.1.1.6. HTTPS web access configuration (optional) ... 17
3.1.1.7. SSH access configuration ... 17
3.1.1.8. Static NAT configuration (when required) ... 19
3.1.1.9. Rate limiting on the router ... 19
3.1.1.10. SLA deployment ... 21
3.1.1.11. Complete configuration - FH connection ... 23
3.1.2. CPE configuration, WAN mode FO ... 30
3.1.3. CPE configuration, WAN mode FTTH ... 30
3.1.3.1. Complete configuration - FTTH connection ... 31
3.1.4. CPE configuration - connection to the PBA over RJ45 ... 39
3.1.5. CPE configuration, WAN mode xDSL (Bitstream) ... 39
3.1.6. CPE configuration, WAN mode xDSL (unbundled local loop) ... 42
3.1.6.1. ADSL connection ... 42
3.1.6.2. VDSL connection ... 43
3.1.6.3. SHDSL connection: EFM (1 pair) ... 44
3.1.6.4. SHDSL connection: ATM (1 pair) ... 46
3.1.7. CPE configuration - 3G ... 47
3.2. WAN configurations with backup links ... 48
3.2.1. FTTH connection with 3G backup ... 49
3.2.2. FH connection with SHDSL backup ... 51
3.2.3. FH connection with VDSL backup ... 53
3.2.4. ADSL connection with 3G backup ... 55
3.2.5. FH/FO connection with ADSL backup ... 56
ANNEX A ... 57

List of figures

Figure 1: WAN connections based on the Ooredoo backbone network ... 8
Figure 2: WAN connections based on a third-party backbone network ... 9
Figure 3: Architecture - WAN mode FH ... 11
Figure 4: Architecture - WAN mode FO ... 30
Figure 5: Architecture - WAN mode FTTH ... 31
Figure 6: CPE connected locally to the PBA (through a switch) ... 39
Figure 7: Bitstream network ... 39
Figure 8: Unbundled local loop ... 42
Figure 9: 3G data chain, overall view ... 47
Figure 10: FTTH connection with 3G backup ... 49
Figure 11: FH connection with SHDSL backup ... 51
Figure 12: FH connection with VDSL backup ... 53
Figure 13: ADSL connection with 3G backup ... 55
Figure 14: FH/FO connection with ADSL backup ... 56

List of tables

Table 1: Equipment used in the VABF ... 10
Table 2: Combinations tested ... 48

List of configurations

Configuration 1: HSI VLAN - WAN mode FH ... 12
Configuration 2: OM VLAN - WAN mode FH ... 13
Configuration 3: OM VRF - WAN mode FH ... 14
Configuration 4: LAN interface - WAN mode FH - Cisco 867VAE ... 15
Configuration 5: LAN interface - WAN mode FH - Cisco 2901 ... 15
Configuration 6: DHCP and DNS ... 16
Configuration 7: SNMP ... 16
Configuration 8: Web access via HTTPS ... 17
Configuration 9: SSH access - Cisco 867VAE ... 18
Configuration 10: SSH access - Cisco 2901 ... 18
Configuration 11: Static NAT ... 19
Configuration 12: Rate limiting ... 21
Configuration 13: SLA deployment ... 23
Configuration 14: Complete configuration - WAN mode FH - Cisco 867 VAE ... 23
Configuration 15: Complete configuration - WAN mode FH - Cisco 2901 ... 27
Configuration 16: Complete configuration - WAN mode FTTH - Cisco 867 VAE ... 31
Configuration 17: Complete configuration - WAN mode FTTH - Cisco 2901 ... 35
Configuration 18: WAN mode ADSL - Bitstream - Cisco 867 VAE ... 40
Configuration 19: WAN mode ADSL - Bitstream - Cisco 2901 ... 41
Configuration 20: WAN mode ADSL - unbundled - Cisco 2901 ... 43
Configuration 21: WAN mode VDSL - unbundled - Cisco 2901 ... 44
Configuration 22: SHDSL connection - EFM 1 pair ... 45
Configuration 23: SHDSL connection - ATM 1 pair ... 46
Configuration 24: 3G connection ... 47
Configuration 25: FTTH connection with 3G backup ... 50
Configuration 26: FH connection with SHDSL (ATM) backup ... 52
Configuration 27: FH connection with VDSL (EFM) backup ... 54
Configuration 28: ADSL connection with 3G backup ... 56
Configuration 29: FH/FO connection with ADSL backup ... 57
Configuration 30: TR069 ... 101
Configuration 31: Wi-Fi connection ... 102

Acronyms
ADSL Asymmetric Digital Subscriber Line
ATM Asynchronous Transfer Mode
CPE Customer Premises Equipment
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
EFM Ethernet in the First Mile
FH Faisceaux Hertziens (microwave radio links)
FO Fibre Optique (optical fibre)
FTTH Fiber To The Home
GE Gigabit Ethernet
HSI High Speed Internet
IOS Internetwork Operating System
LAN Local Area Network
NAT Network Address Translation
OM Operation and Management
PBA Packet Backhaul Aggregation
PPP Point-to-Point Protocol
SHDSL Single-pair High-speed Digital Subscriber Line
SLA Service Level Agreement
SNMP Simple Network Management Protocol
SSH Secure Shell
VABF Vérification de l'Aptitude au Bon Fonctionnement (operational acceptance testing)
VDSL Very High Bitrate Digital Subscriber Line
VLAN Virtual LAN
VPN Virtual Private Network
VRF Virtual Routing and Forwarding
WAN Wide Area Network

1. Introduction
1.1. Purpose
As part of the Data VABF based on Cisco equipment, this document was written to present the different architectures tested and validated, together with the configurations of the CPEs used to implement them. The configurations presented here constitute a reference for implementing similar architectures.

1.2. Scope of the document

This document presents a set of test scenarios run during the VABF.
These tests can be divided into three categories:
1- Basic tests: during these tests, standard architectures were implemented. These architectures are deployed when the customer's need is limited to the HSI service.
The cases covered are:
- Connection to the HSI service via an FH (microwave) WAN link
- Connection to the HSI service via an FO (optical fibre) WAN link
- Connection to the HSI service via an FTTH WAN link
- Connection to the HSI service via an xDSL WAN link (Bitstream)
- Connection to the HSI service via an xDSL WAN link (unbundled local loop); this case includes the following connection types:
  ADSL
  VDSL
  SHDSL ATM 1 pair
  SHDSL ATM 2 pairs
  SHDSL EFM 1 pair
- Connection to the HSI service via the 3G network
2- More advanced tests, in which a backup link (for the HSI service) is provided for the case where the primary link is unavailable:
  FTTH link - 3G backup
  FH link - SHDSL backup
  FH link - VDSL backup
  ADSL link - 3G backup
  FH/FO link - ADSL backup
3- Complex tests: these cover the implementation of different types of VPNs, either through dedicated VPN_Corp instances on the backbone or through IPsec tunnels over various WAN connections.

This document describes how the CPE is configured for each use case.

1.3. Generic architecture

1.3.1. Architecture based on a connection to the Ooredoo backbone
The figure below shows the different WAN connection types based on the Ooredoo backbone.
In this architecture, the customer receives the HSI (High Speed Internet) service over one of the following WAN links:
- FTTH
- FH
- FO
- unbundled ADSL/VDSL
- 3G

Figure 1: WAN connections based on the Ooredoo backbone network

Because the customer's CPE is connected to the OM (operation and management) network, it is managed and monitored remotely. For a customer wishing to reach another site over a VPN, this service is provided through a dedicated VPN_Corp on the Ooredoo MPLS backbone.

1.3.2. Architecture based on a connection to a third-party backbone

The figure below shows a standard architecture deployed for a large number of customers. It provides the HSI service over WAN connections that rely on a third-party backbone, namely xDSL connections in Bitstream mode.

Figure 2: WAN connections based on a third-party backbone network

2. CPE equipment
The equipment used for the VABF tests is:
- Cisco 867 VAE: suited to non-complex architectures. It is widely deployed at customers who only need the HSI service, or who need to interconnect a small number of remote sites over a VPN.
- Cisco 1921: suited to interconnecting remote sites over a VPN. It is generally deployed at SMEs with more or less complex architectures and a relatively large number of users.
- Cisco 2901: suited to more complex architectures where a large number of sites must be interconnected, backup links must be provided, or other equipment delivering additional services to the customer must be placed alongside it.
The table below gives an overview of the main characteristics of each piece of equipment used in the VABF tests.

Table 1: Equipment used in the VABF

CPE | WAN interfaces | LAN interfaces | Cards
Cisco 867VAE | GE WAN interface or xDSL port (only one WAN interface is usable, either GE or xDSL) | Ethernet LAN GE and FE interfaces (GE0 interface and FE0 through FE3 interfaces) | none listed
Cisco 1921 | 2 GE WAN interfaces | The GE interfaces can be configured to work as LAN interfaces | 2 EHWIC slots (Enhanced High-Speed WAN Interface Card); the slots can host 2 single-wide or 1 double-wide EHWIC
Cisco 2901 | 2 GE WAN interfaces | The GE interfaces can be configured to work as LAN interfaces | 4 EHWIC slots (the use of a double-wide EHWIC slot will consume two EHWIC slots)

3. CPE configurations
3.1. WAN access configurations
This part presents the CPE configurations for the case where the customer's need is limited to the HSI service.

Steps to follow for CPE configuration

1- HSI VLAN configuration
2- Management service configuration
- Management VRF configuration for a Cisco 2901 CPE
- Management VLAN configuration for a Cisco 867 VAE CPE
3- Configuration of the CPE interface connected to the customer's LAN
- LAN interface configuration for a Cisco 867 VAE CPE
- LAN interface configuration for a Cisco 2901 CPE
4- DHCP and DNS configuration
5- SNMP configuration
6- HTTPS web access configuration (optional)
7- SSH access configuration
- SSH access configuration for a Cisco 2901 CPE
- SSH access configuration for a Cisco 867 VAE CPE
8- Static NAT configuration (when required)
9- IP SLA configuration
10- Rate limiting
11- TR-069 configuration (see Annex A)

3.1.1. CPE configuration, WAN mode FH

Figure 3: Architecture - WAN mode FH

Note: the VLANs used in this document follow the engineering rules of the IP/MPLS backbone and may be subject to change. See the routing form for each particular case [customer routing form, Neda Tunisie - Annex A].

3.1.1.1. High Speed Internet service configuration: HSI VLAN

Configuring the CPE for access to the HSI service over an FH WAN link requires:
- Configuring the WAN interface
- Configuring the VLAN corresponding to the HSI service (here VLAN 850). This configuration defines the encapsulation type (dot1q), the IP address assigned to the CPE's WAN interface, the subnet mask and the NAT side (outside).
- Configuring the default route (the CPE's next hop being the first L3 device of the backbone).
- Configuring NAT so that traffic from the devices whose IP addresses are defined and controlled by the LAN access list can cross the WAN interface on the HSI VLAN.
- Defining the LAN access list.
Below is the HSI VLAN configuration for the two Cisco equipment types:
867 VAE: IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M
2901: IOS C2900-UNIVERSALK9-M, Version 15.3(1)T

Configuration 1: HSI VLAN - WAN mode FH

### GE interface declaration ###
!
interface <Wan Interface>
 no shutdown
 ip tcp adjust-mss 1300
!
### HSI VLAN configuration: VLAN 850 ###
!
interface <Wan Interface>.850
 description IV CEI;DT_FIXE;UPLINK;INCLUDE_SC;
 encapsulation dot1Q 850
 ip address <HSI IP, CPE side> <network mask>
 ip nat outside
!
### Default route and NAT configuration ###
!
ip nat inside source list LAN interface <Wan Interface>.850 overload
ip route 0.0.0.0 0.0.0.0 <HSI IP, PBA side> name Default_Route
!
### LAN access list definition ###
!
ip access-list extended LAN
 permit ip any any
!

3.1.1.2. Management service configuration

Since the CPE is installed at the customer's premises, it must be supervised and managed by Ooredoo. As indicated earlier, this service is only available for connections based on the Ooredoo backbone. Monitoring the CPEs installed at customers is essential in order to:
- Track that the CPE is working properly
- Detect service outages and intervene within the agreed time
- Monitor CPE performance in terms of CPU and memory utilisation
- Collect useful information on CPE usage and produce statistics and reports, so that the necessary measures can be taken when risks that could affect the customer are present (crash or memory exhaustion)
To guarantee this monitoring, the management service is configured on every CPE.
For Cisco 867VAE CPEs, which do not support VRFs, this service is configured through VLAN 851 by following the steps below:
- Configure the loopback interface
- Create the management VLAN (VLAN 851) on the WAN interface
- Configure the route to the management network (the CPE's next hop being the first L3 device of the backbone)
Below is the OM VLAN configuration for the Cisco 867 VAE (IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M).

Configuration 2: OM VLAN - WAN mode FH

### Loopback interface configuration ###
!
interface Loopback0
 description IV CEI;DT_FIXE;LOOPBACK_OM_CORP;INCLUDE_SC;
 ip address <OM loopback IP> <network mask>
!
### OM VLAN configuration ###
!
interface <Wan Interface>.851
 description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
 encapsulation dot1Q 851
 ip address <enterprise OM IP, CPE side> <network mask>
!
### Route to the PBA management interface ###
!
ip route 10.220.0.0 255.255.255.0 <enterprise OM IP, PBA side> name Management
!
Note: the Cisco 867 VAE supports neither VRFs nor the OSPF routing protocol.

For Cisco 2901 CPEs, which support VRFs, the management service is configured in a dedicated VRF in order to guarantee an optimal level of security (management traffic is kept in its own routing table, separate from the customer's HSI traffic).
The steps for configuring the management service in a VRF are:
- Create a VRF (VRF_management)
- Configure the loopback interface
- Configure the WAN interface with the VRF (encapsulation, VLAN ID, IP address and forwarding)
- Configure routing to the PBA management interface
Below is the OM service configuration for the Cisco 2901 (IOS C2900-UNIVERSALK9-M, Version 15.3(1)T).

Configuration 3: OM VRF - WAN mode FH

### Management VRF declaration ###
!
ip vrf VRF_management
 description VRF_management
!
### Loopback interface configuration ###
!
interface Loopback0
 description IV CEI;DT_FIXE;LOOPBACK_OM_CORP;INCLUDE_SC;
 ip vrf forwarding VRF_management
 ip address <OM loopback IP> <network mask>
!
### OM VRF configuration (the VRF binding is applied before the IP address, since binding an interface to a VRF clears its address) ###
!
interface <Wan Interface>.851
 description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
 encapsulation dot1Q 851
 ip vrf forwarding VRF_management
 ip address <enterprise OM IP, CPE side> <network mask>
!
### Route from the management VRF to the management network ###
!
ip route vrf VRF_management 10.220.0.0 255.255.255.0 <enterprise OM IP, PBA side> name Management
!

3.1.1.3. LAN interface configuration

Once the HSI and management services are configured on the CPE, the next step is to configure the LAN interface, which will act as the gateway for the customer's LAN devices.
On a Cisco 867 VAE (IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M), this is done through a VLAN configured in access mode on one of the FastEthernet interfaces.
The corresponding configuration is therefore:

Configuration 4: LAN interface - WAN mode FH - Cisco 867VAE

### LAN interface declaration ###
!
interface <FastEthernet LAN Interface>
 no shutdown
 switchport access vlan 10
 no ip address
!
### LAN interface configuration ###
!
interface vlan 10
 description IV CEI;DT_FIXE;LAN;INCLUDE_SC;
 ip address <LAN IP> <network mask>
 ip nat inside
 ip tcp adjust-mss 1300
 ip virtual-reassembly in
!

On a Cisco 2901 (IOS C2900-UNIVERSALK9-M, Version 15.3(1)T), the second GE interface is configured directly as the LAN interface by assigning it an IP address from the customer's LAN address range and setting NAT inside. The customer provides its internal addressing plan to Ooredoo.

Configuration 5: LAN interface - WAN mode FH - Cisco 2901

### LAN interface configuration ###
!
interface <GigabitEthernet LAN Interface>
 description IV CEI;DT_FIXE;LAN;INCLUDE_SC;
 ip address <LAN IP> <network mask>
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1300
!

3.1.1.4. DHCP and DNS configuration

The DHCP service is configured in 3 steps:
- Create a DHCP pool. A pool groups the addresses to be distributed together with its options.
- Specify the network to listen on
- Define the pool options. The following options are defined for our pool:
  o The default gateway
  o The domain name (configured in the SSH part, see section 3.1.1.7, Configuration 9)
  o The lease duration

  o The address of our DNS server
  o Excluded IP addresses: the addresses the server must not hand out are excluded, for example the gateway or DNS server address. This avoids possible IP address conflicts.
The DHCP and DNS configuration is the same for both equipment types: Cisco 867 VAE (IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M) and Cisco 2901 (IOS C2900-UNIVERSALK9-M, Version 15.3(1)T).

Configuration 6: DHCP and DNS

### Specifying the IP addresses that the DHCP server must not assign to DHCP clients (global command, entered before the pool) ###
ip dhcp excluded-address <Gateway IP>

### Creating a named DHCP server address pool ###
ip dhcp pool <poolname>
 ### Specifying the network number and mask for DHCP clients ###
 network <LAN IP> <mask>
 ### Specifying the IP address of the default router for DHCP clients ###
 default-router <IP address of the router LAN interface>
 ### Specifying the IP address of a DNS server available to DHCP clients ###
 dns-server 41.228.2.37
 ### Specifying the lease duration as <days> <hours>: here 0 days and 2 hours (the default is a one-day lease) ###
 lease 0 2

3.1.1.5. SNMP configuration

The SNMP configuration is also the same for both equipment types: Cisco 867 VAE (IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M) and Cisco 2901 (IOS C2900-UNIVERSALK9-M, Version 15.3(1)T).
Configuration 7: SNMP
### SNMP parameter configuration ###
### Creating a view record ###
snmp-server view <view name> iso included

### Defining the read-only community string, restricted to the view and to the SNMP_FILTER access list ###
snmp-server community MonitoringPro view <view name> RO SNMP_FILTER

### Setting the system location string ###
snmp-server location <City>;<Governorate>;<Country>;

### Setting the system contact string ###
snmp-server contact IV CER;DT_Fixe;<CPE_Name>;;

### SNMP access restriction - definition of the SNMP_FILTER ACL ###
!
ip access-list standard SNMP_FILTER
 permit 10.220.0.2
 permit 10.220.0.1
 deny any
!
### Verification command ###
show snmp view

3.1.1.6. HTTPS web access configuration (optional)

Cisco IOS includes a web user interface (UI) from which Cisco IOS commands can be executed. The user interface is reachable from the router's home page and can be customised for the enterprise environment.
Web access is configured in 2 main steps:
- Enable the Cisco web user interface
- Configure access to the Cisco web UI
This configuration is common to the Cisco 867 VAE (IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M) and the Cisco 2901 (IOS C2900-UNIVERSALK9-M, Version 15.3(1)T).
Configuration 8: Web access via HTTPS
### HTTPS access configuration ###
!
### Enabling the HTTPS server (web server) on the system ###
ip http secure-server

### Specifying how HTTP server users are authenticated (against the local user database) ###
ip http authentication local
!
### Checking the state of the HTTPS server ###
show ip http server status

3.1.1.7. SSH access configuration

In general, there is a choice between unsecured and secured command-line administration (Telnet or SSH). The latter is clearly more secure than the former, so it is preferable (whenever possible) to enable only SSH on the CPE.
First, check that the CPE's IOS supports SSH: the "k9" (crypto) marker must appear in the IOS image name.
The SSH configuration steps are:
- Configure the hostname and domain name
- Generate the key

- Ajout doptions au service ssh : Un timeout de 30 secondes est ajout pour les sessions ssh
en cas d'inactivit.
- Dsactivation de telnet pour l'accs au CPE
Ci-dessous la config daccs SSH pour lquipement Cisco 867 VAE IOS C860VAE-
ADVSECURITYK9-M, Version 15.3(3)M

Configuration 9: Accs SSH - Cisco 867VAE


### Configure the DNS domain of the CPE ###
ip domain-name tunisiana.com

### Generate an SSH key to be used with SSH ###


crypto key generate rsa general-keys modulus 1024
exec-timeout 30 0

### il faut supprimer le domaine configur juste aprs reload ###

No ip domain-name tunisiana.com

### By default the vtys' transport is Telnet. In this case,Telnet is


disabled and only SSH is supported ###
line vty 0 4

### Only SSH access to the IPs defined in the access list 20 is permitted,
any other is denied access ###
access-class 20 in
### Preventing non-SSH Telnets ###
transport input ssh

login local
privilege level 15
!
### Dfinition de laccess list pour limitation daccs SSH uniquement aux
adresses autorises ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!

### Vrification du service ssh ###


show ip ssh
Ci-dessous la config daccs SSH pour lquipement Cisco 2901 IOS : C2900-UNIVERSALK9-M,
Version 15.3(1)T.
Configuration 10: Accs SSH - Cisco 2901
### Configuring the DNS domain of the CPE ###
ip domain-name tunisiana.com

### Generate an SSH key to be used with SSH ###


crypto key generate rsa general-keys modulus 1024
exec-timeout 30 0
2014/FIXE/052
Direction Technique du Fixe
Ver. : 1.0

Date : 2015-02-03
Cahier VABF DATA
Page : 19 sur 102

### By default the vtys' transport is Telnet. In this case, Telnet is


disabled and only SSH is supported ###
line vty 0 4
### Preventing non-SSH Telnets ###
transport input ssh
login local
privilege level 15

### Only SSH access to the IPs defined in the access list 20 is permitted,
any other is denied access ###
access-class 20 in vrf-also

### Dfinition de laccess list pour limitation daccs SSH uniquement aux
adresses autorises ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!

#### Vrification du service ssh ###


show ip ssh
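As an added example (not part of the VABF document), the following Python script audits the vty access controls described above, in both the 867VAE form (access-class 20 in) and the 2901 form (access-class 20 in vrf-also), on an extract of a running-config. The sample configs are constructed; the management range 10.220.0.0/24 is taken from the access lists on this page.

```python
"""Audit the vty/SSH access controls of a Cisco IOS running-config."""
import ipaddress
import re

# Management range that the CPE access lists on this page permit (10.220.0.0/24).
MGMT_NET = ipaddress.ip_network("10.220.0.0/24")


def parse_ios(config_text):
    """Split a config into global commands and the child commands of each
    'line vty' block; children carry a leading space, as 'show running-config' prints them."""
    global_lines, vty_sections, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            current = None
            continue
        if raw[0] not in " \t":                    # global command
            global_lines.append(line)
            current = line if line.startswith("line vty") else None
            if current:
                vty_sections[current] = []
        elif current:                              # child of the current vty block
            vty_sections[current].append(line)
    return global_lines, vty_sections


def acl_entries(global_lines, acl_id):
    """Return (action, network) pairs of a numbered standard ACL."""
    pat = re.compile(rf"^access-list {re.escape(acl_id)} (permit|deny) (\S+)(?: (\S+))?$")
    entries = []
    for m in filter(None, map(pat.match, global_lines)):
        action, addr, wild = m.groups()
        if addr == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif addr == "host":                       # 'host 10.220.0.5'
            net = ipaddress.ip_network(wild)
        elif wild:                                 # 'addr wildcard', e.g. 0.0.0.255 (hostmask)
            net = ipaddress.ip_network(f"{addr}/{wild}", strict=False)
        else:                                      # a bare address is a host entry
            net = ipaddress.ip_network(addr)
        entries.append((action, net))
    return entries


def audit_vty(config_text):
    """Return the list of findings; an empty list means the vty access is compliant."""
    global_lines, vty_sections = parse_ios(config_text)
    if not vty_sections:
        return ["no 'line vty' block found"]
    findings = []
    for name, cmds in vty_sections.items():
        if [c for c in cmds if c.startswith("transport input")] != ["transport input ssh"]:
            findings.append(f"{name}: transport input is not restricted to ssh")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no local or AAA login configured")
        timeouts = [c.split()[1:] for c in cmds if c.startswith("exec-timeout")]
        if not timeouts or all(v == "0" for v in timeouts[0]):   # 'exec-timeout 0 0' disables it
            findings.append(f"{name}: no idle exec-timeout")
        inbound = [c.split() for c in cmds if c.startswith("access-class ") and c.split()[2:3] == ["in"]]
        if not inbound:
            findings.append(f"{name}: no inbound access-class")
            continue
        acl_id = inbound[0][1]
        entries = acl_entries(global_lines, acl_id)
        if not entries:
            findings.append(f"{name}: access-class {acl_id} refers to an empty or missing ACL")
        for action, net in entries:
            if action == "permit" and not net.subnet_of(MGMT_NET):
                findings.append(f"{name}: ACL {acl_id} permits {net}, outside {MGMT_NET}")
    return findings


# Constructed sample: the vty part of Configuration 9 as 'show running-config' prints it.
COMPLIANT = """\
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
!
line vty 0 4
 access-class 20 in
 exec-timeout 30 0
 privilege level 15
 login local
 transport input ssh
!
"""

# Constructed sample of a weak CPE: Telnet still accepted, timeout disabled, ACL too open.
WEAK = """\
access-list 20 permit 192.0.2.10
access-list 20 permit any
!
line vty 0 4
 access-class 20 in
 exec-timeout 0 0
 login local
 transport input telnet ssh
!
"""
```

Running audit_vty over a CPE's saved configuration before it is shipped catches the three mistakes seen most often here: Telnet left in transport input, a disabled exec-timeout, and an access-class that permits addresses outside the management range.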

3.1.1.8. Static NAT configuration (if needed)


This configuration is specific to the case where the customer wants to use an application that works
on a particular port. It applies to both equipment types: Cisco 867 VAE IOS
C860VAE-ADVSECURITYK9-M, Version 15.3(3)M and Cisco 2901 IOS C2900-UNIVERSALK9-M,
Version 15.3(1)T.

Configuration 11: Static NAT

ip nat inside source static tcp <IP_PRIVEE_SERVEUR_LAN> <port number> interface <Wan Interface>.850 <port number>

3.1.1.9. Rate limiting on the router


To be able to offer customers different service variants, it is important to be able to manage the
restrictions on the maximum bandwidth that can be offered. The Cisco CPEs provide this feature and
allow the rate to be limited in both directions.
The rate-limiting commands are:
rate-limit input CAR NB EB conform-action transmit exceed-action drop
rate-limit output CAR NB EB conform-action transmit exceed-action drop

Definitions:

CAR: Committed Access Rate (in bits), i.e. the guaranteed rate

NB: Normal Burst (in bytes), normal rate overshoot
EB: Extended Burst (in bytes), extended rate overshoot

CAR, NB and EB are determined by the following formulas:

NB = CAR * (1/8) * 1.5

EB = 2 * NB

Shaping

During the VABF, rate-limiting tests at 5 Mbps, 7 Mbps and 10 Mbps were carried out for both
equipment types: Cisco 867 VAE IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M and
Cisco 2901 IOS C2900-UNIVERSALK9-M, Version 15.3(1)T.

Configuration 12: Rate limiting

5 Mbps limit
### Rate limiting is applied on the HSI vlan interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 5240000 982500 1965000 conform-action transmit exceed-action drop
rate-limit output 5240000 982500 1965000 conform-action transmit exceed-action drop
!
7 Mbps limit
### Rate limiting is applied on the HSI vlan interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 7340032 1376256 2752512 conform-action transmit exceed-action drop
rate-limit output 7340032 1376256 2752512 conform-action transmit exceed-action drop
!
10 Mbps limit
### Rate limiting is applied on the HSI vlan interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 10485760 1966080 3932160 conform-action transmit exceed-action drop
rate-limit output 10485760 1966080 3932160 conform-action transmit exceed-action drop
!
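As an added example (not part of the VABF document), the following Python script computes NB and EB from CAR with the formulas above, renders the two rate-limit commands for a profile, and checks an existing configuration extract against them, which is how the values of Configuration 12 can be verified before a profile is pushed to a CPE. The sample extracts are constructed.

```python
"""Compute and check Cisco CAR rate-limit parameters for a CPE bandwidth profile."""
import re

# Formulas from the document: NB = CAR * (1/8) * 1.5 bytes and EB = 2 * NB bytes.
# CAR * 1.5 / 8 equals CAR * 3 / 16, computed in integers to avoid float rounding.


def car_parameters(car_bps):
    """Return (CAR, NB, EB) for a committed access rate given in bit/s."""
    nb = car_bps * 3 // 16
    return car_bps, nb, 2 * nb


def rate_limit_lines(car_bps):
    """Render the input and output rate-limit commands for one CAR value."""
    car, nb, eb = car_parameters(car_bps)
    return [f"rate-limit {d} {car} {nb} {eb} conform-action transmit exceed-action drop"
            for d in ("input", "output")]


RATE_LIMIT_RE = re.compile(
    r"^\s*rate-limit\s+(input|output)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+conform-action\s+(\S+)\s+exceed-action\s+(\S+)\s*$")


def check_rate_limits(config_text):
    """Validate the rate-limit lines of a config extract against the formulas.

    Returns a list of problem strings; an empty list means both directions are
    limited, the bursts follow NB/EB and excess traffic is dropped.
    """
    problems, seen = [], set()
    for line in config_text.splitlines():
        m = RATE_LIMIT_RE.match(line)
        if not m:
            continue
        direction, car, nb, eb, _conform, exceed = m.groups()
        car, nb, eb = int(car), int(nb), int(eb)
        seen.add(direction)
        _, exp_nb, exp_eb = car_parameters(car)
        if nb != exp_nb:
            problems.append(f"{direction} {car}: normal burst {nb}, expected {exp_nb}")
        if eb != exp_eb:
            problems.append(f"{direction} {car}: extended burst {eb}, expected {exp_eb}")
        if exceed != "drop":
            problems.append(f"{direction} {car}: exceed-action {exceed} does not enforce the limit")
    for direction in ("input", "output"):
        if direction not in seen:
            problems.append(f"no rate-limit {direction} line: that direction is unlimited")
    return problems


# Constructed sample: the 7 Mbps profile of Configuration 12.
PROFILE_7M = """\
interface <Wan Interface>.850
 rate-limit input 7340032 1376256 2752512 conform-action transmit exceed-action drop
 rate-limit output 7340032 1376256 2752512 conform-action transmit exceed-action drop
!
"""

# Constructed sample of a broken profile: wrong extended burst, excess transmitted, no output limit.
BROKEN = """\
interface <Wan Interface>.850
 rate-limit input 10485760 1966080 3000000 conform-action transmit exceed-action transmit
!
"""
```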

3.1.1.10. SLA deployment

Cisco IOS IP SLA provides reliable and cost-effective instrumentation for measuring network service
levels.
Cisco IOS IP SLA collects a number of metrics that characterise the network in real time:
response time,
latency,
jitter,
packet loss.

Cisco IOS IP SLA uses active monitoring to continuously track the characteristics of the network.
Measurements are made end to end and can use the different data paths between two points.
The measurements make it possible to establish a baseline of the behaviour of the network services.
Notification thresholds can then be set so that an administrator is warned proactively if the results
of the active measurements change.
Cisco IOS IP SLA also helps diagnose a network problem by generating hop-by-hop measurements,
making it possible to identify which network segment is responsible for a degradation.
In addition, Cisco IOS IP SLA takes quality of service into account: the traffic generated by Cisco IOS
IP SLA can be marked so that it is associated with the desired classes of service.
Cisco IOS IP SLA can also proactively monitor the VoIP quality level of a network: VoIP traffic can be
simulated accurately and the voice quality scores MOS (Mean Opinion Score) and ICPIF (Calculated
Planning Impairment Factor) computed between two devices of a network.

In our case, the SLA configuration is also common to both equipment types: Cisco 867 VAE IOS
C860VAE-ADVSECURITYK9-M, Version 15.3(3)M and Cisco 2901 IOS C2900-UNIVERSALK9-M,
Version 15.3(1)T.

Configuration 13: SLA deployment


### Analyzing IP service levels by using the ICMP Echo operation ###

### Creating an IP SLAs operation and entering IP SLAs configuration mode ###
ip sla monitor 10

### Setting the IP address to monitor (to ping). It can be any address that
is stable and will be up reliably. In this case 8.8.8.8 ###
type pathEcho protocol ipIcmpEcho 8.8.8.8

### Repeat rate (seconds) ###
frequency 30
buckets-of-history-kept 25
exit

### Configuring the scheduling parameters for an individual IP SLAs operation,
once the operation itself has been defined ###
### ip sla monitor schedule operation-number [life {forever | seconds}]
[start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}]
[ageout seconds] [recurring] ###
ip sla monitor schedule 10 life forever start-time now

Note: a DATA or Security licence must be activated.

The syntax of the commands used to configure IP SLA may vary depending on the IOS used.

3.1.1.11. Complete configuration - FH connection


After dealing with each part of the configuration separately, the following part brings all of the parts
together to present the complete configuration that must be present in each CPE, for a Cisco 867 VAE
(IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M) and for a Cisco 2901 (IOS
C2900-UNIVERSALK9-M, Version 15.3(1)T).

Configuration 14: Complete configuration - WAN mode FH Cisco 867 VAE


### Declaration of the GE interface ###
!
interface <Wan Interface>
no sh
ip tcp adjust-mss 1300
!

### Configuration of the HSI vlan: Vlan 850 ###
!
interface <Wan Interface>.850
description IV CEI;DT_FIXE;UPLINK;INCLUDE_SC;
encapsulation dot1Q 850
ip address <IPHSI côté CPE> <masque réseau>
ip nat outside
!

### Configuration of the default route and of NAT ###
!
ip nat inside source list LAN interface <Wan Interface>.850 overload
ip route 0.0.0.0 0.0.0.0 <IPHSI côté PBA> name Default_Route
!

### Definition of the LAN access list ###
!
ip access-list extended LAN
permit ip any any
!

### Configuration of the Loopback interface ###
!
interface Loopback0
description IV CEI;DT_FIXE;LOOPBACK_OM_CORP;INCLUDE_SC;
ip address <IP Loopback OM> <masque réseau>
!

### Configuration of the OM VLAN ###
!
interface <Wan Interface>.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip address <IPOMentreprise côté CPE> <masque réseau>
!

### Configuration of the route to the PBA management interface ###
!
ip route 10.220.0.0 255.255.255.0 <IPOMentreprise côté PBA> name Management
!

### Declaration of the LAN interface ###
!
interface <FastEthernet LAN Interface>
no sh
switchport access vlan 10
no ip address
!

### Configuration of the LAN interface ###
!
interface vlan 10
description IV CEI;DT_FIXE;LAN;INCLUDE_SC;
ip address <lan ip> <masque réseau>
ip nat inside
ip tcp adjust-mss 1300
ip virtual-reassembly in
!

### Specifying the IP addresses that the DHCP server must not assign to
DHCP clients (global command, entered before the pool) ###
ip dhcp excluded-address <Gateway IP>
### Creating a name for the DHCP server address pool ###
ip dhcp pool <poolname>
### Specifying the network number and mask for DHCP clients ###
network <Lan ip> <mask>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifying the duration of the lease (days hours); the default is a one-day lease ###
lease 0 2
### Specifying the IP address of a DNS server that is available to a DHCP client ###
dns-server 41.228.2.37
!

### NAT and PAT configuration ###
ip nat inside source static tcp <IP_PRIVEE_SERVEUR_LAN> <port number> interface <Wan Interface>.850 <port number>
!

### SNMP parameters ###
### Creating a view record ###
snmp-server view <view name> iso included
### Defining the community access string ###
snmp-server community MonitoringPro view <view name> RO SNMP_FILTER
### Setting the system location string ###
snmp-server location <Ville>;<Gouvernorat>;<Pays>;
### Setting the system contact string ###
snmp-server contact IV CER;DT_Fixe;CPE_MGHIRA;;

### SNMP access restriction - definition of the SNMP_FILTER ACL ###
!
ip access-list standard SNMP_FILTER
permit 10.220.0.2
permit 10.220.0.1
deny any
!

### HTTPS access configuration ###
!
ip http secure-server
ip http authentication local
!
### Checking the HTTPS server status ###
show ip http server status

### SSH configuration ###
### Configure the DNS domain of the CPE ###
ip domain-name tunisiana.com
### Generate an RSA key pair to be used by SSH ###
crypto key generate rsa general-keys modulus 1024

### By default the vtys' transport is Telnet. In this case, Telnet is
disabled and only SSH is supported ###
line vty 0 4
### Only SSH access from the IPs defined in access list 20 is permitted,
any other source is denied ###
access-class 20 in
### Preventing non-SSH Telnets ###
transport input ssh
### Idle timeout of the vty sessions: exec-timeout <minutes> <seconds> ###
exec-timeout 30 0
login local
privilege level 15
!
### Definition of the access list restricting SSH access to the authorised
addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
### Checking the ssh service ###
show ip ssh

### Rate limiting is applied on the HSI vlan interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 5240000 982500 1965000 conform-action transmit exceed-action drop
rate-limit output 5240000 982500 1965000 conform-action transmit exceed-action drop
!

### Analyzing IP service levels by using the ICMP Echo operation ###
### Creating an IP SLA operation and entering IP SLA configuration mode ###
ip sla monitor 10
### Setting the IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
type pathEcho protocol ipIcmpEcho 8.8.8.8
### Repeat rate (seconds) ###
frequency 30
buckets-of-history-kept 25
exit
### Configuring the scheduling parameters for an individual IP SLA operation,
once the operation itself has been defined ###
### ip sla monitor schedule operation-number [life {forever | seconds}]
[start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}]
[ageout seconds] [recurring] ###
ip sla monitor schedule 10 life forever start-time now

Configuration 15: Complete configuration - WAN mode FH Cisco 2901


### Declaration of the GE interface ###
!
interface <Wan Interface>
no sh
ip tcp adjust-mss 1300
!

### Configuration of the HSI vlan: Vlan 850 ###
!
interface <Wan Interface>.850
description IV CEI;DT_FIXE;UPLINK_HSI;INCLUDE_SC;
encapsulation dot1Q 850
ip address <IPHSI côté CPE> <masque réseau>
ip nat outside
!

### Configuration of the default route and of NAT ###
!
ip nat inside source list LAN interface <Wan Interface>.850 overload
ip route 0.0.0.0 0.0.0.0 <IPHSI côté PBA> name Default_Route
!

### Definition of the LAN access list ###
!
ip access-list extended LAN
permit ip any any
!

### Declaration of the management vrf ###
!
ip vrf VRF_management
description VRF_management
!

### Configuration of the Loopback interface ###
!
interface Loopback0
description IV CEI;DT_FIXE;LOOPBACK_OM_CORP;INCLUDE_SC;
ip vrf forwarding VRF_management
ip address <IP Loopback OM> <masque réseau>
!

### Configuration of the OM VRF ###
!
interface <Wan Interface>.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip vrf forwarding VRF_management
ip address <IPOMentreprise côté CPE> <masque réseau>
!

### Configuration of the management vrf route to the PBA management interface ###
!
ip route vrf VRF_management 10.220.0.0 255.255.255.0 <IPOMentreprise côté PBA> name Management
!

### Configuration of the LAN interface ###
!
interface <GigabitEthernet_LAN Interface>
description IV CEI;DT_FIXE;LAN;INCLUDE_SC;
ip address <lan ip> <masque réseau>
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
!

### Specifying the IP addresses that the DHCP server must not assign to
DHCP clients (global command, entered before the pool) ###
ip dhcp excluded-address <Gateway IP>
### Creating a name for the DHCP server address pool ###
ip dhcp pool <poolname>
### Specifying the network number and mask for DHCP clients ###
network <Lan ip> <mask>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifying the duration of the lease (days hours); the default is a one-day lease ###
lease 0 2
### Specifying the IP address of a DNS server that is available to a DHCP client ###
dns-server 41.228.2.37
!

### SNMP parameters ###
### Creating a view record ###
snmp-server view <view name> iso included
### Defining the community access string ###
snmp-server community MonitoringPro view <view name> RO SNMP_FILTER
### Setting the system location string ###
snmp-server location <Ville>;<Gouvernorat>;<Pays>;
### Setting the system contact string ###
snmp-server contact IV CER;DT_Fixe;<CPE_Name>;;

### SNMP access restriction - definition of the SNMP_FILTER ACL ###
!
ip access-list standard SNMP_FILTER
permit 10.220.0.2
permit 10.220.0.1
deny any
!
### Verification command ###
show snmp view

### HTTPS access configuration ###
!
ip http secure-server
ip http authentication local
!

### SSH configuration ###
### Configure the DNS domain of the CPE ###
ip domain-name tunisiana.com
### Generate an RSA key pair to be used by SSH ###
crypto key generate rsa general-keys modulus 1024

### By default the vtys' transport is Telnet. In this case, Telnet is
disabled and only SSH is supported ###
line vty 0 4
### Only SSH access from the IPs defined in access list 20 is permitted,
any other source is denied; vrf-also also covers connections arriving
through the management VRF ###
access-class 20 in vrf-also
### Preventing non-SSH Telnets ###
transport input ssh
### Idle timeout of the vty sessions: exec-timeout <minutes> <seconds> ###
exec-timeout 30 0
login local
privilege level 15
!
### Definition of the access list restricting SSH access to the authorised
addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
### Checking the ssh service ###
show ip ssh

### Rate limiting is applied on the HSI vlan interface: <Wan Interface>.850 ###
!
interface <Wan Interface>.850
rate-limit input 5240000 982500 1965000 conform-action transmit exceed-action drop
rate-limit output 5240000 982500 1965000 conform-action transmit exceed-action drop
!

### Analyzing IP service levels by using the ICMP Echo operation ###
### Creating an IP SLAs operation and entering IP SLAs configuration mode ###
ip sla monitor 10
### Setting the IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
type pathEcho protocol ipIcmpEcho 8.8.8.8
### Repeat rate (seconds) ###
frequency 30
buckets-of-history-kept 25
exit
### Configuring the scheduling parameters for an individual IP SLAs operation,
once the operation itself has been defined ###
### ip sla monitor schedule operation-number [life {forever | seconds}]
[start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}]
[ageout seconds] [recurring] ###
ip sla monitor schedule 10 life forever start-time now

3.1.2. CPE configuration - WAN mode FO

Figure 4: Architecture - WAN mode FO


The configuration of the CPEs with this architecture is identical to the one used for WAN mode FH
(refer to the previous section 3.1.1).

3.1.3. CPE configuration - WAN mode FTTH


The Ooredoo FTTH network makes it possible to offer very high-speed Internet (HSI on vlan 100) as
well as VoIP (on vlan 200) through the Ooredoo backbone.

Figure 5: Architecture - WAN mode FTTH

3.1.3.1. Complete configuration - FTTH connection


Unlike the two WAN modes mentioned above (FH and FO), which are connected in native IP, using
FTTH mode requires a PPP connection between the CPE and a BNG.
From a configuration point of view, only the configuration of the HSI vlan is affected. To configure
WAN access, a dialer interface is used, on which the following are specified:
- the encapsulation type (ppp in our case)
- the authentication parameters
- the number of the pool the dialer belongs to
Below is the complete configuration of the Cisco 867VAE and Cisco 2901 CPEs for FTTH mode.

Configuration 16: Complete configuration - WAN mode FTTH - Cisco 867 VAE
### Declaration of the GE interface ###
!
interface <Wan Interface>
no sh
ip tcp adjust-mss 1300
!

### Configuration of the HSI vlan: Vlan 100 ###
!
interface <Wan Interface>.100
description IV CEI;DT_FIXE;UPLINK;INCLUDE_SC;
encapsulation dot1Q 100
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
!

### Configuration of the Dialer1 interface ###
!
interface dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!

### Configuration of the default route and of NAT ###
!
ip route 0.0.0.0 0.0.0.0 dialer1
ip nat inside source list LAN interface dialer1 overload
!

### Definition of the LAN access list ###
!
ip access-list extended LAN
permit ip any any
!

### Configuration of the Loopback interface ###
!
interface Loopback0
description IV CEI;DT_FIXE;LOOPBACK_OM_CORP;INCLUDE_SC;
ip address <IP Loopback OM> <masque réseau>
!

### Configuration of the OM VLAN ###
!
interface <Wan Interface>.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip address <IPOMentreprise côté CPE> <masque réseau>
!

### Configuration of the route to the PBA management interface ###
!
ip route 10.220.0.0 255.255.255.0 <IPOMentreprise côté PBA> name Management
!

### Declaration of the LAN interface ###
!
interface <FastEthernet LAN Interface>
no sh
switchport access vlan 10
no ip address
!

### Configuration of the LAN interface ###
!
interface vlan 10
description IV CEI;DT_FIXE;LAN;INCLUDE_SC;
ip address <lan ip> <masque réseau>
ip nat inside
ip tcp adjust-mss 1300
ip virtual-reassembly in
!

### Specifying the IP addresses that the DHCP server must not assign to
DHCP clients (global command, entered before the pool) ###
ip dhcp excluded-address <Gateway IP>
### Creating a name for the DHCP server address pool ###
ip dhcp pool <poolname>
### Specifying the network number and mask for DHCP clients ###
network <Lan ip> <mask>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifying the duration of the lease (days hours); the default is a one-day lease ###
lease 0 2
### Specifying the IP address of a DNS server that is available to a DHCP client ###
dns-server 41.228.2.37
!

### NAT and PAT configuration ###
ip nat inside source static tcp <IP_PRIVEE_SERVEUR_LAN> <port number> interface dialer1 <port number>
!

### SNMP parameters ###
### Creating a view record ###
snmp-server view <view name> iso included
### Defining the community access string ###
snmp-server community MonitoringPro view <view name> RO SNMP_FILTER
### Setting the system location string ###
snmp-server location <Ville>;<Gouvernorat>;<Pays>;
### Setting the system contact string ###
snmp-server contact IV CER;DT_Fixe;CPE_MGHIRA;;

### SNMP access restriction - definition of the SNMP_FILTER ACL ###
!
ip access-list standard SNMP_FILTER
permit 10.220.0.2
permit 10.220.0.1
deny any
!

### HTTPS access configuration ###
!
ip http secure-server
ip http authentication local
!
### Checking the HTTPS server status ###
show ip http server status

### SSH configuration ###
### Configure the DNS domain of the CPE ###
ip domain-name tunisiana.com
### Generate an RSA key pair to be used by SSH ###
crypto key generate rsa general-keys modulus 1024

### By default the vtys' transport is Telnet. In this case, Telnet is
disabled and only SSH is supported ###
line vty 0 4
access-class 20 in
### Preventing non-SSH Telnets ###
transport input ssh
### Idle timeout of the vty sessions: exec-timeout <minutes> <seconds> ###
exec-timeout 30 0
login local
privilege level 15
!
### Definition of the access list restricting SSH access to the authorised
addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
### Checking the ssh service ###
show ip ssh

### Rate limiting is applied on the HSI vlan interface: <Wan Interface>.100 ###
!
interface <Wan Interface>.100
rate-limit input 5240000 982500 1965000 conform-action transmit exceed-action drop
rate-limit output 5240000 982500 1965000 conform-action transmit exceed-action drop
!

### Analyzing IP service levels by using the ICMP Echo operation ###
### Creating an IP SLAs operation and entering IP SLAs configuration mode ###
ip sla monitor 10
### Setting the IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
type pathEcho protocol ipIcmpEcho 8.8.8.8
### Repeat rate (seconds) ###
frequency 30
buckets-of-history-kept 25
exit
### Configuring the scheduling parameters for an individual IP SLAs operation,
once the operation itself has been defined ###
### ip sla monitor schedule operation-number [life {forever | seconds}]
[start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}]
[ageout seconds] [recurring] ###
ip sla monitor schedule 10 life forever start-time now

Configuration 17: Complete configuration - WAN mode FTTH - Cisco 2901


### Declaration of the GE interface ###
!
interface <Wan Interface>
no sh
ip tcp adjust-mss 1300
!

### Configuration of the HSI vlan: Vlan 100 ###
!
interface <Wan Interface>.100
description IV CEI;DT_FIXE;UPLINK;INCLUDE_SC;
encapsulation dot1Q 100
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
!

### Configuration of the Dialer1 interface ###
!
interface dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!

### Configuration of the default route and of NAT ###
!
ip route 0.0.0.0 0.0.0.0 dialer1
ip nat inside source list LAN interface dialer1 overload
!

### Definition of the LAN access list ###
!
ip access-list extended LAN
permit ip any any
!

### Declaration of the management vrf ###
!
ip vrf VRF_management
description VRF_management
!

### Configuration of the Loopback interface ###
!
interface Loopback0
description IV CEI;DT_FIXE;LOOPBACK_OM_CORP;INCLUDE_SC;
ip vrf forwarding VRF_management
ip address <IP Loopback OM> <masque réseau>
!

### Configuration of the OM VRF ###
!
interface <Wan Interface>.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip vrf forwarding VRF_management
ip address <IPOMentreprise côté CPE> <masque réseau>
!

### Configuration of the management vrf route to the PBA management interface ###
!
ip route vrf VRF_management 10.220.0.0 255.255.255.0 <IPOMentreprise côté PBA> name Management
!

### Configuration of the LAN interface ###
!
interface <GigabitEthernet LAN Interface>
description IV CEI;DT_FIXE;LAN;INCLUDE_SC;
ip address <lan ip> <masque réseau>
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
!

### Specifying the IP addresses that the DHCP server must not assign to
DHCP clients (global command, entered before the pool) ###
ip dhcp excluded-address <Gateway IP>
### Creating a name for the DHCP server address pool ###
ip dhcp pool <poolname>
### Specifying the network number and mask for DHCP clients ###
network <Lan ip> <mask>
### Specifying the IP address of the default router for a DHCP client ###
default-router <IP address of the router LAN interface>
### Specifying the duration of the lease (days hours); the default is a one-day lease ###
lease 0 2
### Specifying the IP address of a DNS server that is available to a DHCP client ###
dns-server 41.228.2.37
!

### NAT and PAT configuration ###
ip nat inside source static tcp <IP_PRIVEE_SERVEUR_LAN> <port number> interface dialer1 <port number>
!

### SNMP parameters ###
### Creating a view record ###
snmp-server view <view name> iso included
### Defining the community access string ###
snmp-server community MonitoringPro view <view name> RO SNMP_FILTER
### Setting the system location string ###
snmp-server location <Ville>;<Gouvernorat>;<Pays>;
### Setting the system contact string ###
snmp-server contact IV CER;DT_Fixe;CPE_MGHIRA;;

### SNMP access restriction - definition of the SNMP_FILTER ACL ###
!
ip access-list standard SNMP_FILTER
permit 10.220.0.2
permit 10.220.0.1
deny any
!

### HTTPS access configuration ###
!
ip http secure-server
ip http authentication local
!
### Checking the HTTPS server status ###
show ip http server status

### SSH configuration ###
### Configure the DNS domain of the CPE ###
ip domain-name tunisiana.com
### Generate an RSA key pair to be used by SSH ###
crypto key generate rsa general-keys modulus 1024

### By default the vtys' transport is Telnet. In this case, Telnet is
disabled and only SSH is supported ###
line vty 0 4
### vrf-also also covers connections arriving through the management VRF ###
access-class 20 in vrf-also
### Preventing non-SSH Telnets ###
transport input ssh
### Idle timeout of the vty sessions: exec-timeout <minutes> <seconds> ###
exec-timeout 30 0
login local
privilege level 15
!
### Definition of the access list restricting SSH access to the authorised
addresses only ###
!
access-list 20 permit 10.220.0.5
access-list 20 permit 10.220.0.2
access-list 20 permit 10.220.0.3
access-list 20 permit 10.220.0.1
!
### Checking the ssh service ###
show ip ssh

### Rate limiting is applied on the HSI vlan interface: <Wan Interface>.100 ###
!
interface <Wan Interface>.100
rate-limit input 5240000 982500 1965000 conform-action transmit exceed-action drop
rate-limit output 5240000 982500 1965000 conform-action transmit exceed-action drop
!

### Analyzing IP service levels by using the ICMP Echo operation ###
### Creating an IP SLAs operation and entering IP SLAs configuration mode ###
ip sla monitor 10
### Setting the IP address to monitor (to ping). It can be any address that is
stable and will be up reliably. In this case 8.8.8.8 ###
type pathEcho protocol ipIcmpEcho 8.8.8.8
### Repeat rate (seconds) ###
frequency 30
buckets-of-history-kept 25
exit
### Configuring the scheduling parameters for an individual IP SLAs operation,
once the operation itself has been defined ###
### ip sla monitor schedule operation-number [life {forever | seconds}]
[start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}]
[ageout seconds] [recurring] ###
ip sla monitor schedule 10 life forever start-time now


3.1.4. CPE configuration - connection to the PBA over RJ45

Figure 6: CPE connected locally to the PBA (through a switch)

This test was carried out by connecting the CPE directly to the PBA (without going through any WAN
infrastructure).
The equipment used is the Cisco 867 VAE and the Cisco 2901.
The CPE configuration is the same as the one used for the FH (or FO) case, for both Cisco models
used.
Note: to connect the Cisco CPE to the Alcatel router, a TP-Link converter with a crossover cable
must be used.

3.1.5. CPE configuration - WAN mode xDSL (Bitstream)


The Ooredoo ADSL Bitstream network results from the acquisition of the ISP Tunet. It follows a
classic hierarchy: collection, BRAS, Internet.

Figure 7: Bitstream network (diagram: CPE -> xDSL -> DSLAM TT -> TT aggregation network -> BRAS TT (LAC; local pre-authentication for the @tunet.tn or @tunet.com domain, if OK the PPP session traffic is passed on to the Tunet BRAS) -> pre-established L2TP tunnel -> BRAS Tunet (LNS; RADIUS authentication, if OK the PPP session is established) -> Tunet front end -> towards the ATI; the access uses ATM PVC 0/35)

In what follows, the part of the configuration concerning the connection of the CPE to the HSI
service is presented for each equipment type: Cisco 867 VAE - IOS: C860VAE-ADVSECURITYK9-M,
Version 15.3(3)M and Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T.

As with the FTTH architecture, a PPP session is used.

Configuration 18: WAN mode ADSL - Bitstream - Cisco 867 VAE

!
wan mode dsl
!
### Entering interface configuration mode for the ATM interface ###
interface ATM0
### Creating an ATM PVC for each end node (up to ten) with which the
router communicates, and entering ATM virtual circuit configuration mode ###
pvc 0/35
### Configuring the PPPoE client and specifying the dialer pool to use
for cloning on the PVC ###
pppoe-client dial-pool-number 2
!
### Creating a dialer interface (numbered 0-255) and entering interface
configuration mode ###
interface dialer 1
### Specifying that the IP address of the dialer interface is obtained
through PPP/IPCP (IP Control Protocol) address negotiation ###
ip address negotiated
ip nat outside
ip virtual-reassembly in
### Setting the encapsulation type to PPP for the data packets being
transmitted and received ###
encapsulation ppp
### Specifying the dialer pool used to reach the destination subnetwork;
it must match the pppoe-client dial-pool-number ###
dialer pool 2
### Setting the PPP authentication method ###
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password <password>
!
### Enabling dynamic translation of the addresses of the inside interface ###
ip nat inside source list LAN interface dialer 1 overload
!
### Defining the default route ###
ip route 0.0.0.0 0.0.0.0 dialer 1 name Default_Route
!
### Defining the LAN access list ###
ip access-list extended LAN
permit ip any any
For the Cisco 2901, a card is fitted in the EHWIC slot. The card reference is: VDSL2/ADSL/2/2+ EHWIC.

Configuration 19: WAN mode ADSL - Bitstream - Cisco 2901
### Entering interface configuration mode for the ATM interface ###
interface ATM 0/0/0
### Creating an ATM PVC for each end node (up to ten) with which the
router communicates, and entering ATM virtual circuit configuration mode ###
pvc 0/35
### Configuring the PPPoE client and specifying the dialer pool to use
for cloning on the PVC ###
pppoe-client dial-pool-number 2
!
### Creating a dialer interface (numbered 0-255) and entering interface
configuration mode ###
interface dialer 1
### Specifying that the IP address of the dialer interface is obtained
through PPP/IPCP (IP Control Protocol) address negotiation ###
ip address negotiated
ip nat outside
ip virtual-reassembly in
### Setting the encapsulation type to PPP for the data packets being
transmitted and received ###
encapsulation ppp
### Specifying the dialer pool used to reach the destination subnetwork;
it must match the pppoe-client dial-pool-number ###
dialer pool 2
### Setting the PPP authentication method ###
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password <password>
!
### Enabling dynamic translation of the addresses of the inside interface ###
ip nat inside source list LAN interface dialer 1 overload
!
### Defining the default route ###
ip route 0.0.0.0 0.0.0.0 dialer 1 name Default_Route
!
### Defining the LAN access list ###
ip access-list extended LAN
permit ip any any
!

3.1.6. CPE configuration, WAN mode xDSL (unbundled local loop)

Figure 8: Local loop unbundling

xDSL connections in unbundled mode will allow Ooredoo to do without the classic chain that forces it to use another operator's equipment.
In unbundled mode, Ooredoo achieves its independence by using its own equipment and its own backbone network.

3.1.6.1. ADSL connection

- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T
- Card: VDSL2/ADSL/2/2+ EHWIC

Configuration 20: WAN mode ADSL - unbundled local loop - Cisco 2901

!
interface ATM 0/0/0
no ip address
pvc 0/35
pppoe-client dial-pool-number 2
!
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!
!
!

3.1.6.2. VDSL connection

- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T
- Card: VDSL2/ADSL/2/2+ EHWIC

Configuration 21: WAN mode VDSL - unbundled local loop - Cisco 2901

### Entering controller configuration mode and the controller number ###
controller VDSL 0/2/0
### Entering the configuration mode for Ethernet Layer 2 transport on the
VDSL WAN interface on the router ###
interface Ethernet0/2/0
no ip address
### VLAN configuration ###
interface Ethernet0/2/0.1200
encapsulation dot1Q 1200
### Enabling pppoe ###
pppoe enable
pppoe-client dial-pool-number 1
### Configuring Dialer interface needed to connect with the PPPOE
connection ###
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!

3.1.6.3. SHDSL connection: EFM (1 pair)

To connect remote sites at high speed in areas not served by optical fibre, EFM is an attractive solution. Throughputs of 40 Mbit/s can be envisaged.
EFM (Ethernet in the First Mile) is a high-speed protocol for connecting remote sites; it is also known as 802.3ah. EFM replaces the SDSL standard by bonding up to 4 SDSL copper pairs. It is an alternative both to plain SDSL and to optical fibre.
For a site to be eligible for EFM, the DSLAM must be equipped with Gigabit Ethernet.
The flows coming from the EFM CPEs are carried in an access VLAN up to the GE DSLAM.
The Ethernet frame is then carried across the Ooredoo backbone network.

The connections are built on GE DSLAMs over an SDSL copper medium of 1, 2 or 4 pairs, with the EFM transmission technology.
- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T
- Card: HWIC-4SHDSL-E

Configuration 22: SHDSL connection - EFM 1 pair

### Selecting the controller and entering config-controller mode ###
controller SHDSL 0/0/0
### Creating a DSL group and entering config-controller-dsl-group mode ###
dsl-group pairs 0 efm-bond
!
### Entering the configuration mode for Ethernet Layer 2 transport on the
SHDSL WAN interface of the router ###
interface Ethernet0/0/0
no shutdown
no ip address
!
### VLAN configuration ###
interface Ethernet0/0/0.1200
encapsulation dot1Q 1200
### Enabling PPPoE ###
pppoe enable
pppoe-client dial-pool-number 1
!
### Configuring the dialer interface needed for the PPPoE connection ###
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!

3.1.6.4. SHDSL connection: ATM (1 pair)

- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T
- Card: HWIC-2SHDSL

Configuration 23: SHDSL connection - ATM 1 pair

controller SHDSL 0/1/0
dsl-group auto
!
interface ATM0/1/0
pvc 0/35
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
### the dialer must be administratively up for the PPPoE session to come up ###
no shutdown
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!

3.1.6.5. SHDSL connection: ATM (2 pairs)

- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T
- Card: HWIC-2SHDSL
In progress

3.1.7. CPE configuration - 3G

Figure 9: Overall view of the 3G data chain

- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T
- 3G card: Cisco EHWIC (EHWIC-3G-HSPA+7)

Configuration 24: 3G connection
### Defining the chat script used to connect to the operator ###
chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
### Configuring the cellular interface Cellular0/0/0 ###
interface Cellular0/0/0
### Specifying that the IP address of the interface is obtained through
address negotiation ###
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
### Enabling DDR (Dial on Demand Routing) and configuring the interface
to use in-band dialing ###
dialer in-band
### Specifying the string to dial; the name of the chat script is used
here ###
dialer string hspa-R7
### Specifying the number of the dialer access group to which the
interface belongs ###
dialer-group 1
### Returning a line that has been placed into dedicated asynchronous
network mode to interactive mode, thereby enabling the SLIP and PPP
commands in privileged EXEC mode ###
async mode interactive
!
### Specifying the flows to be NATed ###
access-list 2 permit <LAN IP>
ip nat inside source list 2 interface Cellular0/0/0 overload
!
### Defining the default route ###
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
dialer-list 1 protocol ip list 1
access-list 1 permit any
!
### Entering line configuration mode (line <slot>/<wic>/<port>) ###
line 0/0/0
### Specifying the default chat script ###
script dialer hspa-R7
!
### Verification commands (privileged EXEC mode, not configuration):
displaying the current active connection state and data statistics ###
show cellular 0/0/0 connection
### Displaying the cellular modem radio statistics ###
show cellular 0/0/0 radio

3.2. WAN configurations with backup links

This section covers the configurations of the CPEs for which a backup connection is planned.
The scenarios tested and validated are listed in the following table.

Table 2: Tested combinations

Main link   Backup link   CPE
FTTH        3G            Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)T
FH          SHDSL         Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)
FH          VDSL          Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)
ADSL        3G            Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)
FH/FO       ADSL          Cisco 867, IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M
                          Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)T

Failover to the secondary link must take place correctly when the Internet is unreachable over the primary link, and the return to the primary link must be automatic once it is back to its normal state.
Setting up a secondary backup link relies on the tracking principle: the primary route is tracked, and a secondary route with a higher metric (administrative distance) is defined, which means that it is only used if the track defined for the primary route is lost following detection of the link failure by the IP SLA.

3.2.1. FTTH connection with 3G backup

Figure 10: FTTH connection with 3G backup



Configuration 25: FTTH connection with 3G backup

### IP SLA identity number ###
ip sla 1
### IP address to monitor and interface to ping from. It can be any
address that is stable and reliably up; here a public address reached
through the WAN interface is used ###
icmp-echo 4.2.2.2 source-interface <Wan Interface>.100
threshold 2000
### Repeat rate (seconds) ###
frequency 5
### Starting the IP SLA and scheduling it to run forever ###
ip sla schedule 1 life forever start-time now
### Monitoring IP SLA 1: the route bound to track 10 is removed when the
target becomes unreachable ###
track 10 ip sla 1 reachability
!
ip nat inside source route-map WAN-FTTH interface <Wan Interface>.100 overload
ip nat inside source route-map WAN-3G interface Cellular0/0/0 overload
!
### Establishing a floating static route with the configured
administrative distance through the specified interface. A higher
administrative distance is configured for the route through the backup
interface, so that the backup interface is used only when the primary
interface is down ###
ip route 0.0.0.0 0.0.0.0 <Wan Interface>.100 track 10
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 100
!
### Creating the access list LAN ###
ip access-list extended LAN
permit ip <LAN IP> any
!
### Creating the route-map WAN-FTTH entry and entering route-map
configuration mode. Route-map entries are read in order; the order is
given by the sequence number (10 in this case) ###
route-map WAN-FTTH permit 10
### Matching the packets whose addresses match the ACL LAN. If more than
one ACL is specified, the packet can match any of the ACLs ###
match ip address LAN
### Matching the packets whose output interface is the specified
interface, in this case <Wan Interface>.100. If more than one interface
is specified, the packet can match either interface ###
match interface <Wan Interface>.100
!
### Creating the route-map WAN-3G entry and entering route-map
configuration mode ###
route-map WAN-3G permit 10
### Matching the packets whose addresses match the ACL LAN ###
match ip address LAN
### Matching the packets whose output interface is the cellular
interface ###
match interface Cellular0/0/0

3.2.2. FH connection with SHDSL backup

Figure 11: FH connection with SHDSL backup



Configuration 26: FH connection with SHDSL (ATM) backup

controller SHDSL 0/0/0
dsl-group auto
!
interface ATM 0/0/0
no ip address
pvc 0/35
pppoe-client dial-pool-number 1
!
interface Dialer 1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!
ip nat inside source route-map FH interface <Wan Interface>.850 overload
ip nat inside source route-map SDSL interface Dialer 1 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.18 track 10
ip route 0.0.0.0 0.0.0.0 Dialer 1 100
!
ip access-list extended LAN
permit ip <LAN IP> any
!
ip sla auto discovery
ip sla 10
icmp-echo 4.2.2.2 source-interface <Wan Interface>.850
ip sla schedule 10 life forever start-time now
### track object referenced by the primary default route ###
track 10 ip sla 10 reachability
!
route-map SDSL permit 10
match ip address LAN
match interface Dialer 1
!
route-map FH permit 10
match ip address LAN
match interface <Wan Interface>.850
!

Note: A Data or Security license must be active in order to use IP SLA.

3.2.3. FH connection with VDSL backup

Figure 12: FH connection with VDSL backup



Configuration 27: FH connection with VDSL (EFM) backup

controller VDSL 0/0/0
!
track 10 ip sla 10
!
interface <Wan Interface>
no ip address
!
interface <Wan Interface>.850
description IV CEI;DT_FIXE;UPLINK;INCLUDE_SC;
encapsulation dot1Q 850
ip address <IPHSI côté CPE> <masque réseau>
ip nat outside
ip virtual-reassembly in
!
interface <Wan Interface>.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip address <IPOMentreprise côté CPE> <masque réseau>
!
interface Ethernet0/0/0.1200
encapsulation dot1Q 1200
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
!
ip nat inside source route-map FH interface <Wan Interface>.850 overload
ip nat inside source route-map VDSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.16 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
ip access-list extended LAN
permit ip <LAN IP> any
!
ip sla auto discovery
ip sla 10
icmp-echo 4.2.2.2 source-interface <Wan Interface>.850
ip sla schedule 10 life forever start-time now
!
route-map VDSL permit 10
match ip address LAN
match interface Dialer1
!
route-map FH permit 10
match ip address LAN
match interface <Wan Interface>.850
!

Note: The Data or Security license must be active in order to use IP SLAs.

3.2.4. ADSL connection with 3G backup

Figure 13: ADSL connection with 3G backup



Configuration 28: ADSL connection with 3G backup

ip sla 1
icmp-echo 4.2.2.2 source-interface dialer 1
threshold 2000
frequency 5
ip sla schedule 1 life forever start-time now
!
track 10 ip sla 1 reachability
!
ip nat inside source route-map WAN-ADSL interface dialer 1 overload
ip nat inside source route-map WAN-3G interface Cellular0/0/0 overload
!
ip route 0.0.0.0 0.0.0.0 dialer 1 track 10
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 10
!
ip access-list extended LAN
permit ip <LAN IP> 0.0.0.255 any
!
route-map WAN-ADSL permit 10
match ip address LAN
match interface dialer 1
!
route-map WAN-3G permit 10
match ip address LAN
match interface Cellular0/0/0

3.2.5. FH/FO connection with ADSL backup

Figure 14: FH/FO connection with ADSL backup



Configuration 29: FH/FO connection with ADSL backup

ip sla 1
icmp-echo 4.2.2.2 source-interface <Wan Interface>.850
threshold 2000
frequency 5
ip sla schedule 1 life forever start-time now
!
track 10 ip sla 1 reachability
!
ip nat inside source route-map WAN-FH interface <Wan Interface>.850 overload
ip nat inside source route-map WAN-ADSL interface dialer 1 overload
!
ip route 0.0.0.0 0.0.0.0 <Wan Interface>.850 track 10
ip route 0.0.0.0 0.0.0.0 dialer 1 10
!
ip access-list extended LAN
permit ip <LAN IP> any
!
route-map WAN-ADSL permit 10
match ip address LAN
match interface dialer 1
!
route-map WAN-FH permit 10
match ip address LAN
match interface <Wan Interface>.850
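The tracking principle described at the start of section 3.2 is what Configurations 25 to 29 implement. The checker below is an added example, not part of the VABF document: it parses a configuration written in that style and flags the inconsistencies a reviewer looks for, including one caveat the configurations above do not address (a source-interface on the probe does not pin its path, so without a host route for the probe target the track can flap). The sample configuration, the function names and the IOS-style interface names are constructed assumptions.

```python
"""Checks for the IP SLA / track / floating static route failover pattern.

Added example, not part of the VABF document: it parses the failover-related
lines of a CPE configuration written like Configurations 25 to 29 and reports
what a reviewer would reject. Interface names are written as IOS stores them
in the running configuration (Dialer1, Cellular0/0/0), not "dialer 1".
"""
import re
from typing import Dict, List

# Constructed sample modelled on Configuration 28 (ADSL with 3G backup).
# Deliberate weakness: nothing pins the probe target to the primary path.
SAMPLE_CONFIG = """\
ip sla 1
 icmp-echo 4.2.2.2 source-interface Dialer1
 threshold 2000
 frequency 5
ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 Dialer1 track 10
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 10
"""
# Same sample plus a host route that keeps the probe on the primary link.
PINNED_CONFIG = SAMPLE_CONFIG + "ip route 4.2.2.2 255.255.255.255 Dialer1\n"


def _parse_route(rest: List[str]) -> Dict[str, object]:
    """rest = tokens after 'ip route': prefix mask [intf] [nexthop] [AD] [name X] [track N]."""
    route = {"prefix": (rest[0], rest[1]), "nexthop": [], "distance": 1, "track": None}
    i = 2
    while i < len(rest):
        tok = rest[i]
        if tok == "track":
            route["track"] = int(rest[i + 1]); i += 2
        elif tok in ("name", "tag"):
            i += 2  # keyword with one argument, irrelevant here
        elif tok.isdigit():
            route["distance"] = int(tok); i += 1
        else:
            route["nexthop"].append(tok); i += 1
    return route


def parse_config(config: str) -> Dict[str, object]:
    """Collect IP SLA probes and schedules, track objects and static routes."""
    slas, scheduled, tracks, defaults, hosts = {}, set(), {}, [], []
    sla = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["ip", "sla"] and len(t) > 2 and t[2].isdigit():
            sla = int(t[2])
            slas[sla] = {"target": None, "source": None}
        elif t[:3] == ["ip", "sla", "schedule"]:
            scheduled.add(int(t[3]))
        elif t[0] == "icmp-echo" and sla is not None:
            slas[sla]["target"] = t[1]
            if "source-interface" in t:
                slas[sla]["source"] = t[t.index("source-interface") + 1]
        elif t[0] == "track" and t[2:4] == ["ip", "sla"]:
            tracks[int(t[1])] = int(t[4])  # track object -> ip sla operation
        elif t[:2] == ["ip", "route"]:
            route = _parse_route(t[2:])
            (defaults if route["prefix"] == ("0.0.0.0", "0.0.0.0") else hosts).append(route)
    return {"slas": slas, "scheduled": scheduled, "tracks": tracks,
            "defaults": defaults, "hosts": hosts}


def check_failover(config: str) -> List[str]:
    """Return the findings; an empty list means the failover pattern is consistent."""
    c = parse_config(config)
    primary = [r for r in c["defaults"] if r["track"] is not None]
    backup = [r for r in c["defaults"] if r["track"] is None]
    if len(primary) != 1:
        return ["expected exactly one tracked default route, found %d" % len(primary)]
    p, findings = primary[0], []
    if not backup:
        findings.append("no floating (untracked) default route for the backup link")
    for b in backup:
        if b["distance"] <= p["distance"]:
            findings.append("backup via %s has distance %d <= primary %d: preferred even while "
                            "the primary is up" % (" ".join(b["nexthop"]), b["distance"], p["distance"]))
    sla_id = c["tracks"].get(p["track"])
    sla = c["slas"].get(sla_id)
    if sla is None or sla["target"] is None:
        return findings + ["track %d does not lead to an ip sla with an icmp-echo probe" % p["track"]]
    if sla_id not in c["scheduled"]:
        findings.append("ip sla %d is never scheduled, so track %d never comes up" % (sla_id, p["track"]))
    # A source-interface only sets the probe's source address; the packet still
    # follows the routing table, so the target must be pinned to the primary path.
    primary_if = next((h for h in p["nexthop"] if not re.fullmatch(r"[\d.]+", h)), None)
    if sla["source"] and primary_if and sla["source"].lower() != primary_if.lower():
        findings.append("probe sourced from %s but the primary route uses %s" % (sla["source"], primary_if))
    if not any(h["prefix"] == (sla["target"], "255.255.255.255") and h["nexthop"] == p["nexthop"]
               for h in c["hosts"]):
        findings.append("no host route pins probe target %s to the primary next hop: once the tracked "
                        "default route is withdrawn the probe can go out the backup, succeed, and "
                        "flap the track" % sla["target"])
    return findings
```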

3.3. VPN connections

3.3.1. VPN client to site

Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T

Configuration 30: VPN client to site

### Creating an Internet Security Association and Key Management
Protocol (ISAKMP) policy for the Phase 1 negotiations ###
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
### VPN client group configuration: creating the group used to push the
domain to the VPN client, along with the pre-shared key used for
authentication ###
!
crypto isakmp client configuration group <tunisiana>
key <tunisiana>
domain <wr>
pool <ourpool>
acl SPLIT-TUNEL
!
### Enabling authentication, authorization and accounting (AAA) for user
authentication and group authorization ###
aaa new-model
### Enabling the AAA authentication commands ###
aaa authentication login default local
aaa authentication login <RAVPNusr> local
### Enabling the AAA authorization commands for group authorization ###
aaa authorization network <RAVPNgrp> local
!
### Creating the Phase 2 policy for the actual data encryption ###
crypto ipsec transform-set <RAVPNSET> esp-3des esp-sha-hmac
!
### Creating a dynamic map and applying the transform set created
earlier ###
crypto dynamic-map DRAVPN 10
set transform-set <RAVPNSET>
reverse-route
!
### Creating the actual crypto map and applying the AAA lists created
earlier ###
crypto map clientmap client authentication list <RAVPNusr>
crypto map clientmap isakmp authorization list <RAVPNgrp>
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic DRAVPN
!
### Applying the crypto map on the WAN interface ###
interface <Wan Interface>.850
crypto map clientmap
!
### Enabling Network Address Translation (NAT) of the inside source
addresses that match access list 101; they are PATed with the
<Wan Interface>.850 IP address ###
ip nat inside source list 101 interface <Wan Interface>.850 overload
!
### Creating the pool of addresses assigned to the VPN clients ###
ip local pool <ourpool> <1st IP> <last IP>
!
### The access list specifies which traffic is translated towards the
outside Internet ###
access-list 101 deny ip 10.10.20.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any

Note: The VPN client used is the Cisco VPN Client. On the router, a Security license must be active.

3.3.2. FTTH: OM and VPN

Figure 15: FTTH architecture

Equipment: 2901 (IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T) + ONT + OLT



Configuration 31: FTTH: OM and VPN

### OM sub-interface ###
interface GigabitEthernet0/1.851
encapsulation dot1Q 851
ip address 10.243.243.10 255.255.255.252
!
### VPN sub-interface ###
interface GigabitEthernet0/1.853
encapsulation dot1Q 853
ip address 10.99.99.18 255.255.255.252
!
ip route 10.10.10.0 255.255.255.0 10.99.99.17
ip route 10.220.0.0 255.255.255.0 10.243.243.9

3.3.3. IPsec VPN - Sites 1 and 2: FH connection

- Equipment: Cisco 867 VAE - IOS: C860VAE-ADVSECURITYK9-M, Version 15.3(3)M
- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T

Configuration 32: IPsec site-to-site VPN (Site 1 FH - Site 2 FH)

### Site 1
### Entering config-isakmp command mode and identifying the policy to
create (each policy is uniquely identified by the priority number
assigned to it) ###
crypto isakmp policy 1
### Specifying the encryption algorithm ###
encr 3des
### Specifying the hash algorithm ###
hash md5
### Specifying the authentication method: pre-shared keys ###
authentication pre-share
### Specifying the Diffie-Hellman group identifier: 768-bit
Diffie-Hellman (1) or 1024-bit Diffie-Hellman (2) ###
group 2
### At the local peer: specifying the shared key the headquarters router
will use with the remote office router. This example configures the
shared key <firewallcx> to be used with the remote peer 0.0.0.0, i.e.
with any peer address ###
crypto isakmp key <firewallcx> address 0.0.0.0
### Defining a transform set and entering crypto-transform configuration
mode ###
crypto ipsec transform-set TS esp-3des esp-md5-hmac
### Changing the mode associated with the transform set. The mode setting
only applies to traffic whose source and destination addresses are the
IPsec peer addresses; it is ignored for all other traffic (all other
traffic is in tunnel mode only). Tunnel mode is configured for the
transform set TS, which creates an IPsec tunnel between the IPsec peer
addresses ###
mode tunnel
### Entering crypto map configuration mode, specifying a sequence number
for the crypto map and configuring it to use IKE to establish the SAs ###
crypto map CMAP 10 ipsec-isakmp
### Specifying the remote IPsec peer (by host name or IP address) to
which IPsec-protected traffic can be forwarded ###
set peer <197.14.1.17>
### Specifying which transform sets are allowed for this crypto map
entry ###
set transform-set TS
### Name of the extended access list that determines which traffic is
protected by IPsec, and which is not, in the context of this crypto map
entry ###
match address VPN-TRAFFIC
!
### The access list associated with the crypto map ###
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip nat inside source route-map WAN-FH interface <Wan Interface>.850 overload
!
### Traffic to the remote site is excluded from NAT so that it still
matches the crypto ACL with its original addresses ###
ip access-list extended LAN
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
route-map WAN-FH permit 10
### Matching the addresses of the access list LAN: the traffic to be
translated ###
match ip address LAN
### Matching the output interface used as a match criterion against
which the packets are checked ###
match interface <Wan Interface>.850
!
interface <Wan Interface>.850
crypto map CMAP

### Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <firewallcx> address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
### The crypto ACL is the mirror image of the site 1 ACL (source and
destination swapped) ###
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip nat inside source route-map WAN-FH interface <Wan Interface>.850 overload
!
ip access-list extended LAN
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
!
route-map WAN-FH permit 10
match ip address LAN
match interface <Wan Interface>.850
!
interface <Wan Interface>.850
crypto map CMAP
!

Note: A Security license must be active.

3.3.4. IPsec VPN - Site 1: ADSL connection - Site 2: FH connection

- Equipment: Cisco 867 VAE - IOS: C860VAE-ADVSECURITYK9-M, Version 15.3(3)M
- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T

Configuration 33: IPsec site-to-site VPN (Site 1 ADSL - Site 2 FH)

### Site 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
### Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
### mirror image of the site 1 crypto ACL ###
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!

Note: A Security license must be active.

3.3.5. IPsec VPN - Site 1: FTTH connection - Site 2: FH connection

- Equipment: Cisco 867 VAE - IOS: C860VAE-ADVSECURITYK9-M, Version 15.3(3)M
- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T

Configuration 34: IPsec site-to-site VPN (Site 1 FTTH - Site 2 FH)

### Site 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
### Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
### mirror image of the site 1 crypto ACL ###
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!

Note: A Security license must be active.

3.3.6. IPsec VPN - Site 1: ADSL connection - Site 2: ADSL connection

Figure 16: IPsec VPN connection between two sites connected over ADSL

- Equipment: Cisco 867 VAE - IOS: C860VAE-ADVSECURITYK9-M, Version 15.3(3)M
- Equipment: Cisco 2901 - IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T

Configuration 35: IPsec site-to-site VPN (Site 1 ADSL - Site 2 ADSL)

### Site 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
### Site 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC
!
### mirror image of the site 1 crypto ACL ###
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!

Note: A Security license must be active.

3.3.7. Any-to-Any full-mesh VPN

Figure 17: Any-to-Any full-mesh IPsec VPN

- Equipment: Cisco 1921 / 2901 (IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T)



Configuration 36: VPN IPSec Any-to-Any FullMesh

### CPE 867 ADSL


!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx1 address 197.14.9.84
crypto isakmp key firewallcx2 address 197.14.9.91
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.9.84
set transform-set TS
match address VPN-TRAFFIC
crypto map CMAP 20 ipsec-isakmp
set peer 197.14.9.91
set transform-set TS
match address VPN-TRAFFIC1
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 10
!
!
interface Dialer10
ip address negotiated
2014/FIXE/052
Direction Technique du Fixe
Ver. : 1.0

Date : 2015-02-03
Cahier VABF DATA
Page : 71 sur 102

ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname jrahhppb@tunet.tn
ppp chap password 0 YeMp78V3
crypto map CMAP
!
!
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
ip access-list extended VPN-TRAFFIC1
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
### CPE 1921 FTTH
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
2014/FIXE/052
Direction Technique du Fixe
Ver. : 1.0

Date : 2015-02-03
Cahier VABF DATA
Page : 72 sur 102

ppp authentication chap callin


ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 197.14.9.84
crypto isakmp key firewallcx2 address 41.228.224.48
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.9.84
set transform-set TS
match address VPN-TRAFFIC
crypto map CMAP 20 ipsec-isakmp
set peer 41.228.224.48
set transform-set TS
match address VPN-TRAFFIC1
!
!
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
ip access-list extended VPN-TRAFFIC1
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
### CPE 2901 FTTH
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 197.14.9.91
crypto isakmp key firewallcx1 address 41.228.224.48
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.9.91
set transform-set TS
match address VPN-TRAFFIC
crypto map CMAP 20 ipsec-isakmp
set peer 41.228.224.48
set transform-set TS
match address VPN-TRAFFIC1
!
!
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname kamdgxuz@tunet.tn
ppp chap password 0 YwD338Gt
crypto map CMAP
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
ip access-list extended VPN-TRAFFIC1
permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
!

Note: all CPEs used have an active Security license.

3.3.8. IPSec VPN connection between two sites via the central site
Figure 18: IPSec VPN connection between two sites via the central site

Equipment: Cisco 1921 / 2901 (IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T)


Configuration 37: IPSec VPN connection between two sites via the central site

### Intermediate site: CPE_3 Cisco 2901


!
interface GigabitEthernet0/1.850
encapsulation dot1Q 850
ip address 197.14.1.19 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set transform-set TS
match address VPN-TRAFFIC
crypto map CMAP 20 ipsec-isakmp
set peer 197.14.1.21
set transform-set TS
match address VPN-TRAFFIC1
!
!
ip access-list extended VPN-TRAFFIC1
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip nat inside source route-map FTTH interface GigabitEthernet0/1.850 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.18
###Site 2 Cisco 867 FTTH
!
!
interface GigabitEthernet1.850
description IV CEI;DT_FIXE;UPLINK_HSI;INCLUDE_SC;
encapsulation dot1Q 850
ip address 197.14.1.17 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.19
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip nat inside source list LAN interface GigabitEthernet1.850 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.16
ip route 10.220.0.0 255.255.255.0 10.243.243.1
!
ip access-list extended LAN
deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 any

###Site 2 Cisco 1921 VDSL

interface Ethernet0/0/0.1200
encapsulation dot1Q 1200
pppoe enable group global
pppoe-client dial-pool-number 1
!
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.19
set transform-set TS
match address VPN-TRAFFIC
!
!
!
ip nat inside source route-map VDSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard SNMP_FILTER
permit 10.220.0.2
permit 10.220.0.1
deny any
!
ip access-list extended LAN
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
!

Note: all CPEs used have an active Security license.
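As an added check (example code written for this page, not part of the VABF or of Cisco's tooling), a short Python auditor that reads an IOS running-config like those in 3.3.7 and 3.3.8 and flags the legacy settings every CPE here shares: 3DES/MD5/DH group 2 ISAKMP policies, the wildcard "address 0.0.0.0" pre-shared key, ESP-3DES/ESP-MD5 transforms and type-0 PPP secrets. The sample config is constructed from those sections, with the PPP secret replaced by a placeholder.

```python
from __future__ import annotations

import re

# Constructed sample input (not copied verbatim from the page): the ISAKMP, IPsec and
# PPP lines shared by the CPE configurations in 3.3.7 and 3.3.8, PPP secret replaced
# by a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
interface Dialer1
ip address negotiated
ppp authentication chap callin
ppp chap hostname user@example.invalid
ppp chap password 0 PLACEHOLDER_SECRET
crypto map CMAP
"""

WEAK_ENCR = {"des", "3des"}            # 64-bit block ciphers (Sweet32), deprecated for IKE
WEAK_HASH = {"md5"}                    # collision-broken, deprecated for IKE
WEAK_DH = {"1", "2", "5"}              # MODP groups below 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}


def audit_ios_crypto(config: str) -> list[str]:
    """Return one finding per legacy or risky crypto/credential setting in an IOS config.

    The parser is line-based because PDF-extracted configs (like this page's) lose
    their indentation; the ISAKMP policy context is tracked from the last policy header.
    """
    findings: list[str] = []
    policy = None  # number of the 'crypto isakmp policy' block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        # Any new top-level crypto or interface stanza ends the ISAKMP policy context.
        if tok[0] in ("crypto", "interface") and not line.startswith("crypto isakmp policy"):
            policy = None
        if line.startswith("crypto isakmp policy "):
            policy = tok[3]
        elif policy and tok[0] == "encr" and tok[1] in WEAK_ENCR:
            findings.append(f"isakmp policy {policy}: weak encryption '{tok[1]}'")
        elif policy and tok[0] == "hash" and tok[1] in WEAK_HASH:
            findings.append(f"isakmp policy {policy}: weak hash '{tok[1]}'")
        elif policy and tok[0] == "group" and tok[1] in WEAK_DH:
            findings.append(f"isakmp policy {policy}: weak DH group {tok[1]}")
        elif line.startswith("crypto isakmp key "):
            m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
            if m and m.group(1) == "0.0.0.0":
                findings.append("isakmp key: wildcard peer 0.0.0.0, any host that knows "
                                "the PSK can bring up a tunnel")
        elif line.startswith("crypto ipsec transform-set "):
            for alg in tok[4:]:
                if alg in WEAK_ESP:
                    findings.append(f"transform-set {tok[3]}: legacy transform '{alg}'")
        elif tok[:3] == ["ppp", "chap", "password"] and len(tok) > 3 and tok[3] == "0":
            findings.append("ppp chap password stored as type 0 (cleartext in running-config)")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_crypto(SAMPLE_CONFIG):
        print("FINDING:", finding)
```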
3.3.9. MPLS (FH/FO connection): VLAN VPN_Corp

Figure 19: VPN_Corp via the Ooredoo MPLS backbone

- Equipment: Cisco 867 VAE, IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M
- Equipment: Cisco 2901, IOS C2900-UNIVERSALK9-M, Version 15.3(1)T
Configuration 38: MPLS VPN - FH/FO connection

###Site 1
!
interface GigabitEthernet0/1.850
encapsulation dot1Q 850
ip address 197.14.1.19 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
!
interface GigabitEthernet0/1.851
encapsulation dot1Q 851
ip address 10.243.243.6 255.255.255.248
!
interface GigabitEthernet0/1.852
encapsulation dot1Q 852
ip address 10.99.99.2 255.255.255.252
!
ip route 10.10.10.0 255.255.255.0 10.99.99.1
###Site 2
!
interface GigabitEthernet0/1.850
description IV CEI;DT_FIXE;UPLINK_HSI;INCLUDE_SC;
encapsulation dot1Q 850
ip address 197.14.1.17 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
interface GigabitEthernet0/1.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip address 10.243.243.2 255.255.255.252
!
interface GigabitEthernet0/1.852
encapsulation dot1Q 852
ip address 10.99.99.6 255.255.255.252
!
ip route 10.10.20.0 255.255.255.0 10.99.99.5

3.3.10. MPLS VPN with IPSec VPN backup - Site 1: FH/FO connection, Site 2: ADSL connection

Figure 20: MPLS VPN + IPSec VPN backup


Configuration 39: MPLS VPN with IPSec VPN backup - Site 1: FH/FO connection, Site 2: ADSL connection

###CPE_2901
!
track 10 ip sla 10
!
track 20 ip sla 20
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.17
set peer 10.155.0.4
set transform-set TS
match address VPN-TRAFFIC
!
!
interface GigabitEthernet0/1.850
encapsulation dot1Q 850
ip address 197.14.1.19 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
!
interface GigabitEthernet0/1.851
encapsulation dot1Q 851
ip address 10.243.243.6 255.255.255.248
!
interface GigabitEthernet0/1.852
encapsulation dot1Q 852
ip address 10.99.99.2 255.255.255.252
!
!
interface Ethernet0/1/0.1200
encapsulation dot1Q 1200
pppoe enable group global
pppoe-client dial-pool-number 2
!
!
interface Dialer2
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 2
ppp authentication chap callin
ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
!
ip nat inside source route-map FH interface GigabitEthernet0/1.850 overload
ip nat inside source route-map SDSL interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.18 track 10
ip route 10.10.10.0 255.255.255.0 10.99.99.1 track 20
ip route 0.0.0.0 0.0.0.0 Dialer2
!
!
ip access-list extended LAN
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip sla auto discovery
ip sla 10
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/1.850
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 197.14.1.17 source-interface GigabitEthernet0/1.850
ip sla schedule 20 life forever start-time now
!
route-map SDSL permit 10
match ip address LAN
match interface Dialer2
!
route-map FH permit 10
match ip address LAN
match interface GigabitEthernet0/1.850
!
!
### CPE 1921
!
track 10 ip sla 10
!
track 20 ip sla 20
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.19
set peer 10.155.0.2
set transform-set TS
match address VPN-TRAFFIC
!
!
!
interface GigabitEthernet0/1.850
description IV CEI;DT_FIXE;UPLINK_HSI;INCLUDE_SC;
encapsulation dot1Q 850
ip address 197.14.1.17 255.255.255.254
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
interface GigabitEthernet0/1.851
description IV CEI;DT_FIXE;UPLINK_VRF_OM_CORP;INCLUDE_SC;
encapsulation dot1Q 851
ip address 10.243.243.2 255.255.255.252
!
interface GigabitEthernet0/1.852
encapsulation dot1Q 852
ip address 10.99.99.6 255.255.255.252
!
!
interface Ethernet0/0/0.1200
encapsulation dot1Q 1200
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
ip forward-protocol nd
!
!
ip nat inside source route-map FH interface GigabitEthernet0/1.850 overload
ip nat inside source route-map VDSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.16 track 10
ip route 10.10.20.0 255.255.255.0 10.99.99.5 track 20
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
!
ip access-list extended LAN
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip sla auto discovery
ip sla 10
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/1.850
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 197.14.1.19 source-interface GigabitEthernet0/1.850
ip sla schedule 20 life forever start-time now
access-list 23 permit 10.10.10.0 0.0.0.7
!
route-map VDSL permit 10
match ip address LAN
match interface Dialer1
!
route-map FH permit 10
match ip address LAN
match interface GigabitEthernet0/1.850
!
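To show what the tracked and floating static routes of Configuration 39 actually install, here is an added Python model (example code, not from the document) of IOS static-route selection: a route is a candidate only while its track object is up, and among the candidates for a prefix the lowest administrative distance wins, ties being load-shared. The route lists are transcribed from the page; the track states are constructed scenarios.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                   # destination, e.g. "10.10.20.0/24"
    next_hop: str                 # next-hop IP or egress interface name
    distance: int = 1             # administrative distance; IOS default for static is 1
    track: Optional[int] = None   # 'track N' object the route depends on, if any


# Transcribed from Configuration 39, CPE 1921 side: the default via the FH/FO uplink and
# the MPLS route to site 1 both depend on IP SLA tracks; the ADSL dialer carries a
# floating default with distance 20.
CPE_1921_ROUTES = [
    StaticRoute("0.0.0.0/0", "197.14.1.16", track=10),
    StaticRoute("10.10.20.0/24", "10.99.99.5", track=20),
    StaticRoute("0.0.0.0/0", "Dialer1", distance=20),
]

# Transcribed from the CPE_2901 side of the same configuration: the Dialer2 default is
# written without a distance on the page, so it takes the default of 1.
CPE_2901_ROUTES = [
    StaticRoute("0.0.0.0/0", "197.14.1.18", track=10),
    StaticRoute("10.10.10.0/24", "10.99.99.1", track=20),
    StaticRoute("0.0.0.0/0", "Dialer2"),
]


def build_rib(routes: list[StaticRoute], track_up: dict[int, bool]) -> dict[str, list[str]]:
    """Return {prefix: [next hops]} as IOS would install them.

    A tracked route is a candidate only while its track object is up. Among the
    candidates for a prefix, those with the lowest administrative distance are
    installed; several at the same distance are all installed and load-shared.
    """
    candidates: dict[str, list[StaticRoute]] = {}
    for route in routes:
        if route.track is not None and not track_up.get(route.track, False):
            continue  # IP SLA probe failing: the route is withdrawn
        candidates.setdefault(route.prefix, []).append(route)
    rib: dict[str, list[str]] = {}
    for prefix, cands in candidates.items():
        best = min(c.distance for c in cands)
        rib[prefix] = [c.next_hop for c in cands if c.distance == best]
    return rib


def lookup(rib: dict[str, list[str]], dst: str) -> list[str]:
    """Longest-prefix match of dst against the installed routes."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hops = None, []
    for prefix, hops in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hops = net, hops
    return best_hops


if __name__ == "__main__":
    # Constructed scenarios: MPLS path healthy, MPLS path lost, both FH/FO probes lost.
    # When only track 20 fails, site-1 traffic leaves via 197.14.1.16 on Gi0/1.850,
    # where crypto map CMAP matches VPN-TRAFFIC and encrypts it to 197.14.1.19.
    for tracks in ({10: True, 20: True}, {10: True, 20: False}, {10: False, 20: False}):
        rib = build_rib(CPE_1921_ROUTES, tracks)
        print(tracks, "site 1 via", lookup(rib, "10.10.20.5"),
              "internet via", lookup(rib, "4.2.2.2"))
```

Note that the CPE_2901 default route on the page carries no distance, so the model installs Dialer2 next to the tracked FH default as an equal-cost path rather than behind it as a backup.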

3.3.11. DMVPN

Figure 21: DMVPN

- Equipment: Cisco 1921 / 2901 (IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T)


Configuration 40: DMVPN

### CPE Spoke_1921 ADSL


!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewall.cx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
interface Tunnel0
description R3 mGRE - DMVPN Tunnel
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 197.14.9.82
ip nhrp map multicast 197.14.9.82
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
tunnel source Dialer10
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
!
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 10
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname jrahhppb@tunet.tn
ppp chap password 0 YeMp78V3
!
!
router eigrp 100
network 10.0.0.0
network 172.16.0.0
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
permit ip 10.10.20.0 0.0.0.255 any
!
### CPE Spoke_1921 FTTH
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewall.cx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
!
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 197.14.9.82
ip nhrp map multicast 197.14.9.82
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
tunnel source Dialer10
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
!
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname kamdgxuz@tunet.tn
ppp chap password 0 YwD338Gt
!
!
router eigrp 100
network 10.0.0.0
network 172.16.0.0
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip access-list extended LAN
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
### CPE HUB 2901 FTTH
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname kamdgxuz@tunet.tn
ppp chap password 0 YwD338Gt
!
!
router eigrp 100
network 10.0.0.0
network 172.16.0.0
!
ip nat inside source list LAN interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
!
ip access-list extended LAN
permit ip 10.10.30.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewall.cx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
interface Tunnel0
description mGRE - DMVPN Tunnel
ip address 172.16.0.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Dialer10
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
!

Note: all CPEs used have an active Security license. The CPE 867 VAE does not support DMVPN.

3.3.12. 3G VPN

Figure 22: 3G VPN

- Equipment: Cisco ACS, ASR 1006 VPN concentrator, Cisco 1921 and 2911 (IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T) + 3G card
Configuration 41: 3G VPN

controller Cellular 0/0
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto ipsec client ezvpn ez2
connect auto
group xyz.com key cisco
local-address Cellular0/0/0
mode client
peer 197.14.1.19
virtual-interface 1
username site2S@xyz.com password 1234
xauth userid mode local
!
interface GigabitEthernet0/1
ip address 192.168.90.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ez2 inside
!
interface Cellular0/0/0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string hspa-R7
dialer-group 1
async mode interactive
crypto ipsec client ezvpn ez2
!
interface Cellular0/0/1
no ip address
encapsulation slip
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
!
!
router eigrp 1
network 192.168.1.0
network 192.168.90.0
!
!
ip nat inside source list 101 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 10 permit any
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
dialer-list 1 protocol ip list 10
!
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer hspa-R7
no exec
rxspeed 21600000
txspeed 5760000
line 0/0/1
no exec

Router#sh cry se
Crypto session current status

Interface: Virtual-Access1
Session status: UP-ACTIVE
Peer: 197.14.1.19 port 4500
IKEv1 SA: local 10.227.68.247/4500 remote 197.14.1.19/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Note: all CPEs used have an active Security license.

3.3.13. L2VPN, IPSec VPN and MPLS VPN

Figure 23: L2VPN, IPSec VPN and MPLS VPN

- Equipment: Cisco 1921/2901/2911 (IOS: C2900-UNIVERSALK9-M, Version 15.3(1)T)


Configuration 42: L2VPN, IPSec VPN and MPLS VPN

hostname C2911

interface GigabitEthernet0/2.853
encapsulation dot1Q 853
ip address 10.11.11.2 255.255.255.248
!
router ospf 1
passive-interface default
no passive-interface GigabitEthernet0/2.853
network 10.11.11.0 0.0.0.7 area 10
network 10.100.100.2 0.0.0.0 area 10
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 10.0.0.0 255.0.0.0 10.11.11.3
!
hostname C1921
!
!
controller SHDSL 0/0/0
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 197.14.1.19
set transform-set TS
match address VPN-TRAFFIC
!
!
interface GigabitEthernet0/1.850
encapsulation dot1Q 850
ip address 197.14.1.17 255.255.255.254
ip nat outside
ip virtual-reassembly in
rate-limit input 1000000 1500 3000 conform-action transmit exceed-action drop
rate-limit output 1000000 1500 3000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1.851
encapsulation dot1Q 851
ip address 10.243.243.6 255.255.255.248
!
interface GigabitEthernet0/1.853
encapsulation dot1Q 853
ip address 10.11.11.1 255.255.255.248
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
dialer pool 1
ppp authentication chap callin
ppp chap hostname nawucyfr@tunet.tn
ppp chap password 0 x8SAs3c7
crypto map CMAP
!
router ospf 1
passive-interface default
no passive-interface GigabitEthernet0/1.853
network 10.11.11.0 0.0.0.7 area 10
network 10.100.100.1 0.0.0.0 area 10
!
!
ip nat inside source route-map FH interface GigabitEthernet0/1.850 overload
ip nat inside source route-map VDSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 197.14.1.16
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
ip access-list standard SNMP_FILTER
permit 10.220.0.2
permit 10.220.0.1
deny any
!
ip access-list extended LAN
permit ip 10.10.40.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
permit ip host 10.100.100.1 host 10.100.100.3
permit ip host 10.100.100.1 host 10.100.100.2
permit ip host 10.100.100.2 host 10.100.100.1
permit ip host 10.100.100.3 host 10.100.100.1
!
route-map VDSL permit 10
match ip address LAN
match interface Dialer1
!
route-map FH permit 10
match ip address LAN

Note: all CPEs used have an active Security license. The Cisco 867 VAE does not support the OSPF protocol.

APPENDIX A

- TR-069 configuration
This part of the configuration supplies the CPE with the Management Server parameters it needs to register with the ACS in accordance with the TR-069 standard, so that remote management operations can be carried out.

Equipment: Cisco 867 VAE, IOS C860VAE-ADVSECURITYK9-M, Version 15.3(3)M

Configuration 43: TR069


### Port 51005 configuration ###
ip nat inside source static tcp 10.221.255.241 23 interface <Wan Interface>.850 51005

### Management server parameters ###
cwmp agent
management server url https://196.203.32.117:443/openacs/acs
management server username cpe
management server password cpe
exit

### CPE WAN Management Protocol (CWMP) parameters ###
interface <Wan Interface>.850
cwmp wan default
exit
cwmp agent
enable download
session retry limit 12
request outstanding 3
parameter change notify interval 120
cwmp agent
enable

- Wi-Fi connection
This configuration was not tested in the VABF. It is provided for information only.
Configuration 44: Wi-Fi connection


### Configure the root radio station:
interface dot11radio 0
broadcast-key vlan 1 change 45
encryption vlan 1 mode ciphers tkip
ssid cisco
vlan 1
authentication open
wpa-psk ascii 0 cisco123
authentication network-eap eap_methods
authentication key-management wpa
exit
ssid cisco-2
vlan 2
authentication open
authentication network-eap eap_methods
authentication key-management wpa
exit
station-role root

### Configure interface bridging for the VLANs created


bridge irb
interface vlan 1
bridge-group 1
bridge-group 1 spanning-disabled
interface vlan 2
bridge-group 2
bridge-group 2 spanning-disabled
interface bvi 1
bridge 1 route ip
ip address 10.0.1.1 255.255.255.0
interface bvi 2
bridge 2 route ip
ip address 10.0.2.1 255.255.255.0

### Configure the sub-interfaces for the radio stations:

interface dot11radio 0.1
description Cisco open
encapsulation dot1q 1
no cdp enable
bridge-group 1
exit
interface dot11radio 0.2
description Cisco open
encapsulation dot1q 2
no cdp enable
bridge-group 2
exit