
02 Interface

The document discusses different types of network interfaces, including physical interfaces like Ethernet, E1, 3G, and 4G, as well as logical interfaces like subinterfaces, VLAN interfaces, and tunnel interfaces. It provides an overview of the basic configuration options for interfaces, such as enabling/disabling an interface, configuring MTU, description, bandwidth, delay, and statistics collection interval. Interface configuration is done by entering interface configuration mode for the specific interface.

Uploaded by

ashwinlamroia

FALCON

1 Interface Basis
1.1 Overview

Interfaces are classified into physical interfaces and logical interfaces. Physical
interfaces include the Ethernet interface, E1 interface, CE1 interface, 3G interface,
and 4G interface. Logical interfaces include the Ethernet subinterface, aggregation
group interface, VLAN interface, loopback interface, null interface, and tunnel
interface.

• Physical interface

The physical interfaces can be classified into fast Ethernet interfaces and slow WAN
interfaces. Ethernet is highly flexible, relatively simple, and easy to implement, and
it has become one of the most important LAN networking technologies. The WAN
interfaces are classified into the E1 interface, CE1 interface, and
synchronous/asynchronous serial interface. These interfaces can encapsulate WAN link
protocols such as HDLC and PPP. The device supports the following physical
interfaces:

L2 Ethernet interface: also called port, is a physical interface. It works in layer 2, the
data link layer. It only switches and forwards the received packets in layer 2.

L3 Ethernet interface: is a physical interface. It works in the network layer and can
be configured with an IP address. It forwards the received packets in layer 3. That is,
it can receive and transmit packets whose source IP address and destination IP address
are in different network segments.

E1 interface: is a physical interface. It works in the physical layer. Its highest rate,
2 Mbps, can be divided into 32 timeslots. It can transmit different data via TDM.

CE1 interface: is a physical interface. It works in the physical layer. The 2 Mbps E1 line
is divided into 1 to 31 timeslots, providing 31 logical channels. Each channel is 64 kbps.
Timeslot 0 transmits the signaling, which means that complete transparent
transmission is impossible. Other 31 timeslots are used for data transmission.

Version 1.0

Synchronous/Asynchronous serial interface: is a physical interface. It works in the
physical layer and is used for receiving and transmitting data. Synchronous serial
interface: Clocks are only configured on the DCE port. In the V.35 mode, the highest
rate is 2 Mbps. In the V.24 mode, the highest rate is 128 kbps. Asynchronous serial
interface: The two ports must be configured with the same rate. In the V.35 or V.24
mode, the highest rate is 115200 bps.

3G interface: is the third generation mobile communications interface. It provides slow
WAN access based on different access modes, which is a mainstream wireless mobile
communications WAN access mode currently. It provides convenient, fast, and flexible
networking method for users.

4G interface: is the fourth generation mobile communications interface and provides
the high-speed wireless communication access mode. It provides the faster and better
data communication service for the user. The networking mode is more flexible.

• Logical interface

The logical interface does not exist physically but it can achieve data switching,
interacting, and forwarding. The device supports the following logical interfaces:

L3 Ethernet subinterface: is a logical interface. It works in the network layer and can
configure the IP address and handle the L3 protocol. The VLAN tagged packets are
received and transmitted on the L3 Ethernet interface. Users can configure multiple
subinterfaces on one Ethernet interface. Therefore, packets from different VLANs can
be forwarded from different subinterfaces, providing high flexibility for users.

Virtual Ethernet interface: is a logical interface. It can be divided into L3 VE interface
(Virtual-Ethernet) and L2 VE interface (VE-Bridge). It is realized on the interface board,
which applies to Ethernet protocol carrying other data link layer protocol.

Aggregation group interface: is a logical interface. It can be formed by binding multiple
physical links between two devices. It works in the data link layer, expanding the link
bandwidth and improving the link reliability.

VLAN interface: is a logical interface. It is bound with VLAN and forwards the packet
between different VLANs.

Loopback interface: is a logical interface. The device treats packets sent to the
loopback interface as packets sent to itself, so it does not forward them.

Null interface: is a logical interface. Any packet sent to null interface is dropped.

Tunnel interface: is a logical interface, providing the transmission link for the
point-to-point mode.


For different interfaces, there are corresponding configuration modes. The related
configuration modes of the interfaces include:

• Interface configuration mode: corresponds to the L3 Ethernet interface, E1 interface,
CE1 interface, 3G interface, synchronous/asynchronous serial interface, and all
logical interfaces except the aggregation group interface.

• L2 Ethernet configuration mode: corresponds to the L2 Ethernet interface, also called
port.

• Aggregation group configuration mode: corresponds to the aggregation group
interface.

This chapter mainly describes the common function configuration of various interfaces.
For the featured function configuration of various interfaces, refer to the corresponding
interface chapter.

1.2 Basic Function Configuration of Interfaces

Table 1-1 Basic function configuration list of interfaces

Configuration Task
--------------------------------  ------------------------------------------------------
Configure the basic functions     Enter the interface configuration mode
of the interfaces                 Enable/Disable the interface
                                  Configure the interface MTU
                                  Configure the interface description information
                                  Configure the interface logical bandwidth
                                  Configure the interface delay
                                  Configure the statistics interval of interface traffic

Configure the interface group     Configure the interface group
function

Configure the interface status    Configure the interface status SNMP proxy concern layer
SNMP proxy concern layer


1.2.1 Configure Basic Functions of Interfaces

Configuration Condition

None

Enter Interface Configuration Mode

Table 1-2 Enter the interface configuration mode

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      Mandatory
configuration mode

• If a logical interface is not created, the preceding command will be used to create
the logical interface and then enter its configuration mode.

Enable/Disable Interface

Users can enable/disable an interface manually.

Table 1-3 Enable/Disable the interface

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      Either
configuration mode                                          After entering the interface configuration
                                                            mode, the follow-up configuration can take
                                                            effect only on the current interface.

Enter the L2 Ethernet         interface interface-name      Either
interface configuration                                     After entering the L2 Ethernet interface
mode                                                        configuration mode, the follow-up
                                                            configuration can take effect only on the
                                                            current port.

Enter the aggregation group   link-aggregation              Either
configuration mode            link-aggregation-id           After entering the aggregation group
                                                            configuration mode, the follow-up
                                                            configuration can take effect only on the
                                                            aggregation group interface.

Disable the interface         shutdown                      Mandatory
                                                            By default, the interface is enabled.

Enable the interface          no shutdown                   Mandatory
                                                            By default, the interface is enabled.

• The null interface does not support the function of disabling the interface.

Configure Interface MTU

The MTU configured on the interface takes effect for both ingress and egress packets,
and the same value applies in both directions. When the length of a received or sent
packet exceeds the set value, the packet is dropped directly.

In contrast, the MTU configured on an L3 Ethernet interface only takes effect for
egress packets. When the length of a packet to be sent exceeds the set value, the packet
is first fragmented at the IP layer so that no fragment exceeds the set value, and the
fragments are then sent out.

Table 1-3 Configure interface MTU

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      Either
configuration mode                                          After entering the interface configuration
                                                            mode, the follow-up configuration can take
                                                            effect only on the current interface.

Enter the L2 Ethernet         interface interface-name      Either
interface configuration                                     After entering the interface configuration
mode                                                        mode, the follow-up configuration can take
                                                            effect only on the current port.

Configure the interface MTU   mtu mtu-size                  Mandatory
                                                            The default MTU value varies for different
                                                            interface types. For details, refer to the
                                                            command manual.

• The null interface, loopback interface, tunnel interface, and aggregation group
interface do not support the MTU configuration.
• The MTU value of the tunnel interface varies with the MTU value of the egress
interface.
• The actual valid port MTU is a multiple of 4 bytes. If the set value is not a
multiple of 4 bytes, the actual valid MTU = (setting value / 4) x 4, where the division
is rounded down. For example, if the set MTU is 1501 bytes, the actual valid MTU is
1500 bytes. If the length of the frame received and transmitted by the port exceeds the
set MTU, the frame is dropped directly.
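
The MTU rules above, modelled as a small decision function. This is an added example, not code from the manual or the vendor; the labels "l2-port" and "l3-ethernet", the function names, and the assumption of a 20-byte IPv4 header with the DF bit clear are choices made for the illustration.

```python
"""Added illustration of the MTU rules above; not vendor code."""

IPV4_HEADER = 20  # assumption: IPv4 header without options, DF bit not set


def effective_port_mtu(configured):
    """An L2 port MTU is rounded down to a multiple of 4 bytes."""
    return (configured // 4) * 4


def fragment_lengths(packet_len, mtu):
    """Total lengths of the IPv4 fragments needed to send packet_len bytes.

    Every fragment except the last carries a payload that is a multiple of
    8 bytes, because the IPv4 fragment offset counts 8-byte units.
    """
    max_payload = (mtu - IPV4_HEADER) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry an IPv4 fragment")
    remaining = packet_len - IPV4_HEADER
    lengths = []
    while remaining > 0:
        chunk = min(remaining, max_payload)
        lengths.append(chunk + IPV4_HEADER)
        remaining -= chunk
    return lengths


def handle(kind, configured_mtu, length, direction):
    """Return (action, lengths) for one frame or packet.

    kind      -- "l2-port" or "l3-ethernet" (labels chosen for this example)
    direction -- "ingress" or "egress"
    """
    if kind == "l2-port":
        mtu = effective_port_mtu(configured_mtu)
        # Checked in both directions; oversize frames are dropped directly.
        return ("forward", [length]) if length <= mtu else ("drop", [])
    if kind == "l3-ethernet":
        # Only egress packets are checked; oversize packets are fragmented.
        if direction == "ingress" or length <= configured_mtu:
            return ("forward", [length])
        return ("fragment", fragment_lengths(length, configured_mtu))
    raise ValueError(f"unknown interface kind: {kind}")


if __name__ == "__main__":
    # Constructed cases: (kind, configured MTU, length, direction)
    cases = [
        ("l2-port", 1501, 1501, "ingress"),      # 1501 is rounded to 1500: drop
        ("l2-port", 1501, 1500, "egress"),       # fits the effective MTU
        ("l3-ethernet", 1500, 4000, "egress"),   # fragmented into three packets
        ("l3-ethernet", 1500, 4000, "ingress"),  # ingress is not checked
    ]
    for case in cases:
        print(case, "->", handle(*case))
```

The first case is the one that is easy to miss in operation: a port configured with 1501 drops a 1501-byte frame, because the effective value is 1500.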

Configure Interface Description Information

Users can describe the interface through configuring the interface description
information.

Table 1-4 Configure the interface configuration information

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      Either
configuration mode                                          After entering the interface configuration
                                                            mode, the follow-up configuration can take
                                                            effect only on the current interface.

Enter the L2 Ethernet         interface interface-name      Either
interface configuration                                     After entering the interface configuration
mode                                                        mode, the follow-up configuration can take
                                                            effect only on the current port.

Enter the aggregation group   link-aggregation              Either
configuration mode            link-aggregation-id           After entering the aggregation group
                                                            configuration mode, the follow-up
                                                            configuration can take effect only on the
                                                            aggregation group interface.

Configure the interface       description description-name  Mandatory
description information                                     By default, the interface description
                                                            information is not configured.

• The null interface does not support the function of configuring the interface
description.

Configure Interface Logical Bandwidth

The interface logical bandwidth affects the routing cost and QoS calculation, but it
does not affect the interface physical bandwidth. Generally, when the interface is
connected to the WAN, it is recommended that the interface logical bandwidth and the
actual bandwidth of the leased line be consistent.

Table 1-5 Configure the interface logical bandwidth

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      -
configuration mode

Configure the interface       bandwidth width-value         Mandatory
logical bandwidth                                           The default logical bandwidth varies for
                                                            different interface types. For details,
                                                            refer to the command manual.

• The interface logical bandwidth does not vary with the rate negotiated at the
physical layer. For example, the gigabit-Ethernet port negotiates a rate as 100 M. The
logical bandwidth still remains at the default value 1,000,000 kbps.
• The default logical bandwidth varies for different interface types. You can run the
show interface interface-name command to check.
• The null interface, aggregation group interface, and L2 Ethernet interface do not
support the function of configuring the logical bandwidth.

Configure Interface Delay

The interface delay configuration affects the calculation of the IRMP routing protocol
cost, but does not affect the actual transmission delay of the interface. Users can
change the cost of the routing protocol by configuring the interface delay.

Table 1-6 Configure the interface delay

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      -
configuration mode

Configure the interface       delay delay-time              Mandatory
delay                                                       The interface delay is in the unit of 10
                                                            microseconds. The default delay varies for
                                                            different interface types. The default
                                                            delay value of the gigabit Ethernet
                                                            interface is 1, that is, 10 microseconds
                                                            (1x10 microseconds). If the configured
                                                            delay is 2, that is 20 microseconds (2x10
                                                            microseconds).

• The default delay value varies for different interface types. You can run the show
interface interface-name command to check.
• The null interface, aggregation group interface, and L2 Ethernet interface do not
support the function of configuring the delay.

Configure Statistics Interval of Interface Traffic

The device measures the interface traffic regularly. Users can change the statistics
interval of the interface traffic by manual configuration.

Table 1-7 Configure statistics interval of interface traffic

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      Either
configuration mode                                          After entering the interface configuration
                                                            mode, the follow-up configuration can take
                                                            effect only on the current interface.

Enter the L2 Ethernet         interface interface-name      Either
interface configuration                                     After entering the interface configuration
mode                                                        mode, the follow-up configuration can take
                                                            effect only on the current port.

Enter the aggregation group   link-aggregation              Either
configuration mode            link-aggregation-id           After entering the aggregation group
                                                            configuration mode, the follow-up
                                                            configuration can take effect only on the
                                                            aggregation group interface.

Configure the statistics      load-interval interval        Mandatory
interval for the average                                    The default statistic interval is 300s.
interface traffic rate

• The null interface does not support the function of configuring the statistics interval
of the interface traffic.

1.2.2 Configure Interface Group Functions

Multiple interfaces can be bound as one interface group. Configuring interface
commands on the interface group is equivalent to configuring them on all interfaces of
the interface group, so it is not necessary to repeat the configuration on each
interface. Displaying the information of an interface group displays the information
of all interfaces in the interface group.

Configuration Condition

Before configuring the interface group function, first complete the following task:

• The interfaces covered by the interface group should already exist.

Configure Interface Group

Table 1-8 Configure the interface group

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Create the interface group    interface group group-id      Mandatory
in the enumeration mode       enum interface-name1          By default, the interface group is not
                              interface-name2 …             created.
                              interface-nameN
                              [ point-to-point |
                              multipoint ]

Enter the global              exit                          -
configuration mode

Create the interface group    interface group group-id      Mandatory
in the specified scope        range | start-interface-name  By default, the interface group is not
                              end-interface-name            created.
                              [ point-to-point |
                              multipoint ]

• The interface types in the interface group should be the same. The user can
configure multiple interface groups as desired.
• The user can configure the commands supported by all types of interfaces in the
interface group, but if the interfaces covered by the interface group do not support a
command, the command does not take effect and there may be no error prompt. Check
whether the commands take effect by viewing the configuration.
• If the interface group covers a logical interface and the logical interface is
deleted, the logical interface in the interface group is also deleted automatically.

1.2.3 Configure Interface Status SNMP Proxy Concerned Layer

The interface UP/DOWN status actually has two layers of status in the system: the L2
link layer status and the L3 protocol layer status. You can run the show ip interface
brief command to view them. Usually, the two statuses follow the physical interface
UP/DOWN status, but when keepalive gateway is configured on the Ethernet interface,
the L3 protocol layer status is controlled by the keepalive detection status.

If the SNMP proxy function is enabled on the device, the network management server
can get the interface status information via the public mib. If SNMP Trap is enabled, the
interface status change information can be sent to the network management server.

With this command, you can set the interface status layer that the SNMP proxy is
concerned with. By default, the SNMP proxy concerned interface status layer is the L2
link layer. To make the interface status displayed by the network management server
consistent with the keepalive detection status when keepalive gateway is configured on
the Ethernet interface, set the SNMP proxy concerned interface status layer to the L3
protocol layer. Therefore, in an environment with keepalive detection enabled (such as
an MSTP WAN line environment), it is suggested to configure link-status-care l3.


Configuration Condition

None

Table 1-9 Configure the interface status SNMP proxy concerned layer

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Configure the network         link-status-care { l2 | l3 }  Mandatory
management layer of the                                     By default, the interface status SNMP
interface status                                            proxy concerned layer is L2 link layer.

Exit the global               exit                          -
configuration mode

1.2.4 Basic Monitoring and Maintaining of Interfaces

Table 1-10 Basic monitoring and maintaining of interfaces

Command                                   Description
----------------------------------------  ------------------------------------------------
clear interface interface-name            Clear the statistics information of the master
                                          interfaces and subinterfaces

clear interface interface-name original   Clear the statistics information of the master
statistics                                interfaces

clear interface group group-id            Clear the statistics information of all
                                          interfaces in the interface group

show interface [ interface-name ]         Display the statistics information of the master
                                          interfaces and subinterfaces

show interface interface-name original    Display the statistics information of the master
statistics                                interfaces

show interface group group-id             Display the information of interfaces in the
                                          interface group


2 Ethernet Interface
2.1 Overview

Ethernet adopts the CSMA/CD media access mechanism, enabling any workstation to
access the network at any time. Before transmitting data, the workstation first
monitors whether the network is available. If no data is being transmitted on the
network, the workstation sends its data to the network. Ethernet is highly flexible,
relatively simple, and easy to implement, and it has become one of the most important
network technologies.

Gigabit Ethernet, as a high-speed Ethernet technology, provides an efficient solution
for improving the core network. The biggest advantage of this solution is that it
inherits the cost-effectiveness of the traditional Ethernet technology. The gigabit
Ethernet adopts the same frame format, frame structure, network protocol,
full-/half-duplex work mode, flow control mode, and wiring system as the 10 M Ethernet.
The gigabit Ethernet does not change the desktop application, operating system,
application programs, and network management components of the traditional
Ethernet, therefore it can be perfectly compatible with the 10 M/100 M Ethernet and
protect the investment to a large extent. In addition, the IEEE standard supports the
multimode fiber with a maximum distance of 550 m, single mode fiber with a maximum
distance of 70 km, and coaxial cable with a maximum distance of 100 m. The gigabit
Ethernet fills the gap of the 802.3 Ethernet/fast Ethernet standards.

The ten gigabit Ethernet standard is contained in IEEE 802.3ae, a complementary
standard of IEEE 802.3. It extends the IEEE 802.3 protocol and MAC standard,
enabling them to support the 10 Gb/s transmission rate. In addition, through the WIS
(WAN interface sublayer), the 10 gigabit Ethernet can be adjusted to a low
transmission rate, which requires that the transmission formats of the 10 gigabit
Ethernet device and of the SONET (synchronous optical network) STS-192c are
compatible.

The Ethernet interfaces are classified into L2 Ethernet interface and L3 Ethernet
interface.

Ethernet interface, also called L2 Ethernet interface or port, is a physical interface. It
works at layer 2 of the OSI reference model, the data link layer. It is mainly used to
execute two basic operations:

Data frame forwarding: According to the MAC address (that is, the physical address) of
the data frame, forward the data frame. Ethernet interface can only perform the L2
switching forwarding for the received packets, that is, it can only receive and send
the packets whose source IP and destination IP are in the same segment.

MAC address learning: Construct and maintain the MAC address table, used to
support forwarding the data frames.

L3 Ethernet interface works at layer 3 of the OSI reference model, the network layer.
It can be configured with an IP address, handles the L3 protocol, and provides the
routing function.

According to the maximum rate supported by the port, the ports can be divided into the
following three types:

Fastethernet: 100M port, can be abbreviated as Fa, such as fastethernet0/1 or Fa0/1;

Gigabitethernet: 1000M port, can be abbreviated as Gi, such as gigabitethernet0/25 or
Gi0/25;

Tengigabitethernet: 10 Gigabit port, can be abbreviated as Te, such as
tengigabitethernet1/1 or Te1/1.

According to the media type of the port, the port type can be divided into copper
(electrical port) and fiber (optical port).

L2 Ethernet interface and L3 Ethernet interface differ in functions, resulting in different
configuration modes. L2 Ethernet interface and L3 Ethernet interface correspond to L2
Ethernet configuration mode and L3 Ethernet configuration mode, respectively.

2.2 Ethernet Interface Function Configuration

Table 2-1 Function configuration list of Ethernet interface

Configuration Task
--------------------------------  ------------------------------------------------------
Configure basic functions of      Configure the rate and duplex mode
Ethernet interface                Configure the switching of Ethernet interface fiber
                                  and electrical modes

Configure features of L3          Configure the MAC address of the Ethernet interface
Ethernet interface                Configure the automatic negotiation of the Ethernet
                                  interface fiber mode

Configure features of L2          Enter the L2 Ethernet interface configuration mode
Ethernet interface                Enter the batch configuration mode of L2 Ethernet
                                  interface
                                  Configure the port MDIX (Media Dependent Interface
                                  Crossover) mode
                                  Configure the port media type
                                  Configure the head-of-line blocking
                                  Configure the port flow control
                                  Configure the delay time
                                  Configure automatic energy-saving of the port
                                  Configure the status flap detection of the port
                                  Enable port loopback test
                                  Configure the storm suppression parameter
                                  Configure the action executed after the storm
                                  suppression
                                  Configure the UNI/NNI attribute of the port
                                  Configure the uni port connectivity

2.2.1 Configure Basic Functions of Ethernet interface

Configuration Condition

None

Configure Rate and Duplex Mode

The interface rate can be set in the following two methods:

One is to set a fixed rate according to the port rate capability set. The optional
parameters include 10 (10M), 100 (100M), 1000 (1000M), 10000 (10000M).

The other is to set the rate as auto (auto-negotiation), specifying that the rate is
negotiated by the local end and the peer port.

Similarly, the port duplex mode can be set in the following two methods:

One is to set the duplex mode according to the capability set of the port duplex mode.
The optional parameters include full (full-duplex mode), indicating that the port can
send packets while receiving packets; and half (half-duplex mode), indicating that the
port can only receive or send packets at any one moment, but cannot do both at the
same time.

The other is to set the duplex mode as auto (auto-negotiation), indicating that the
duplex mode is negotiated automatically by the local end and the peer port.

Table 2-2 Configure the rate and duplex mode of the port

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      Either
configuration mode                                          After entering the interface configuration
                                                            mode, the follow-up configuration can take
                                                            effect only on the current interface.

Enter the L2 Ethernet         interface interface-name      Either
interface configuration                                     After entering the interface configuration
mode                                                        mode, the follow-up configuration can take
                                                            effect only on the current port.

Configure the port rate       speed { 10 | 100 | 1000 |     Mandatory
                              auto }                        By default, the port rate is set to auto.

Configure the duplex mode     duplex { auto | full |        Mandatory
of the port                   duplex }                      By default, the duplex mode of the port is
                                                            set to auto.

Configure Switching of Ethernet Fiber and Electrical Modes

Table 2-3 Configure the switching of Ethernet fiber and electrical modes

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      Either
configuration mode                                          After entering the interface configuration
                                                            mode, the follow-up configuration can take
                                                            effect only on the current interface.

Enter the L2 Ethernet         interface interface-name      Either
interface configuration                                     After entering the interface configuration
mode                                                        mode, the follow-up configuration can take
                                                            effect only on the current port.

Configure the interface       media-type { auto | copper |  Mandatory
media type                    fiber }                       By default, the media type of the
                                                            electrical port is copper, the media type
                                                            of the optical port is fiber, and the
                                                            media type of the Combo port is copper.

2.2.2 Configure Features of L3 Ethernet Interface

Configuration Condition

None

Configure the MAC Address of the Ethernet Interface

Table 2-4 Configure the MAC address of the Ethernet interface

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      -
configuration mode

Configure the MAC address     mac-address                   Mandatory
                              mac-address-value             By default, the MAC address of the
                                                            Ethernet interface is the factory
                                                            defaults.

Restore the MAC address       no mac-address                Restore the MAC address of the Ethernet
                                                            interface to the factory defaults.

• The MAC address is 48 bytes. The preceding command can be only used to set the
unicast MAC address. The MAC address of the interface cannot be set to all 0,
broadcast address, or multicast address.
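
The restriction in the note above, written as a pre-change check. This is an added example, not the device's own validation code; the accepted notations, the function names and the sample addresses are assumptions made for the illustration.

```python
"""Added illustration: is a MAC address acceptable as an interface address?"""
import re

# Assumption: these three common notations; the manual does not state the
# notation that mac-address-value uses.
_NOTATIONS = (
    re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),    # 00:11:22:33:44:55
    re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),    # 00-11-22-33-44-55
    re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"),   # 0011.2233.4455
)


def parse_mac(text):
    """Return the six octets of a MAC address written in a known notation."""
    value = text.strip().lower()
    if not any(p.fullmatch(value) for p in _NOTATIONS):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:.\-]", "", value))


def check_interface_mac(text):
    """Return (acceptable, reason) following the rule in the note above."""
    mac = parse_mac(text)
    if mac == bytes(6):
        return False, "all-zero"
    if mac == b"\xff" * 6:
        return False, "broadcast"
    # The least significant bit of the first octet is the group bit:
    # set means multicast, clear means unicast.
    if mac[0] & 0x01:
        return False, "multicast"
    # The next bit marks a locally administered address, which is useful
    # to know when reviewing an address that replaces the factory default.
    if mac[0] & 0x02:
        return True, "locally administered"
    return True, "universally administered"


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("00:00:00:00:00:00", "ffff.ffff.ffff",
                   "01:00:5e:00:00:01", "02-11-22-33-44-55",
                   "00:11:22:33:44:55"):
        print(sample, "->", check_interface_mac(sample))
```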

Configure Automatic Negotiation of Ethernet Interface Fiber Mode

Table 2-5 Configure the automatic negotiation of the optical Ethernet interface mode

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the interface           interface interface-name      -
configuration mode

Configure the automatic       fiber-mode negotiation        Mandatory
negotiation of the Ethernet   { enable | disable }          By default, the automatic negotiation of
interface fiber mode                                        the Ethernet interface fiber mode is set
                                                            to disable.

2.2.3 Configure Features of L2 Ethernet Interface

Enter the L2 Ethernet Interface Configuration Mode

To configure on the specified port, first enter the L2 Ethernet interface configuration
mode of the port and then execute the corresponding configuration command.


Table 2-6 Enter the L2 Ethernet interface configuration mode

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the L2 Ethernet         interface interface-name      Mandatory
interface configuration
mode

• The naming rule of the port number is S/P (Slot/Port). Slot indicates the slot on the
device, numbered from 0. If there is fixed port, slot 0 is reserved for the fixed port. The
service slot is numbered from 1. Port indicates the physical port on the device or
service card. The port on each device and service card is numbered from 1.
• The naming rule of the port name interface-name is port type + port number. For
example, fastethernet0/1 indicates the fixed port numbered 1 and the type is 100 M
port.

Enter Batch Configuration Mode of L2 Ethernet Interface

When performing the same configuration on multiple ports, you can enter the batch
configuration mode of the L2 Ethernet interface to improve configuration efficiency
and avoid repeated steps. The interface list can take the following three forms: a
single port, such as fastethernet0/1; successive ports, using “-” to indicate one
section of successive ports, such as fastethernet0/3-0/5, indicating port 0/3, 0/4,
0/5; and single ports and successive ports together, separated by commas, such as
“fastethernet0/1, 0/3-0/4, 0/6”, indicating port 0/1, 0/3, 0/4, 0/6.

Table 2-7 Enter the batch configuration mode of the L2 Ethernet interface

Step                          Command                       Description
----------------------------  ----------------------------  ------------------------------------------
Enter the global              configure terminal            -
configuration mode

Enter the batch               interface interface-list      Mandatory
configuration mode of the
L2 Ethernet interface
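
Because a batch command changes every port in the list at once, it helps to expand the list and compare it with the ports that were meant to change before applying it. The following is an added example, not code from the manual or the vendor; the function names are hypothetical, and it assumes that only the first item carries the port type and that a range stays within one slot.

```python
"""Added illustration: expand an L2 Ethernet interface-list before a batch change."""
import re

# Abbreviations and full type names as listed in the overview.
PORT_TYPES = {"fa": "fastethernet", "gi": "gigabitethernet",
              "te": "tengigabitethernet"}

_HEAD = re.compile(r"([A-Za-z]+)\s*(.*)", re.S)          # port type + the rest
_ITEM = re.compile(r"(\d+)/(\d+)(?:\s*-\s*(\d+)/(\d+))?")  # S/P or S/P-S/P


def expand_interface_list(spec):
    """Return the full port names covered by an interface-list string."""
    head = _HEAD.fullmatch(spec.strip())
    if not head:
        raise ValueError("interface-list must start with a port type")
    kind = head.group(1).lower()
    kind = PORT_TYPES.get(kind, kind)
    if kind not in PORT_TYPES.values():
        raise ValueError(f"unknown port type: {head.group(1)!r}")

    ports = []
    for raw in head.group(2).split(","):
        item = _ITEM.fullmatch(raw.strip())
        if not item:
            raise ValueError(f"bad list item: {raw.strip()!r}")
        slot, first = int(item.group(1)), int(item.group(2))
        if item.group(3) is None:
            end_slot, last = slot, first
        else:
            end_slot, last = int(item.group(3)), int(item.group(4))
        # Assumption of this example: a range never crosses slots.
        if end_slot != slot:
            raise ValueError(f"range crosses slots: {raw.strip()!r}")
        # Ports are numbered from 1, and a range must run upwards.
        if first < 1 or last < first:
            raise ValueError(f"bad port range: {raw.strip()!r}")
        for port in range(first, last + 1):
            name = f"{kind}{slot}/{port}"
            if name not in ports:
                ports.append(name)
    return ports


def scope_diff(spec, approved):
    """Compare a batch list with the approved ports.

    Returns (unexpected, missing): ports the list would touch that were not
    approved, and approved ports that the list leaves out.
    """
    covered = expand_interface_list(spec)
    unexpected = [p for p in covered if p not in approved]
    missing = [p for p in approved if p not in covered]
    return unexpected, missing


if __name__ == "__main__":
    # The list from the text above, checked against a constructed approval.
    spec = "fastethernet0/1, 0/3-0/4, 0/6"
    approved = ["fastethernet0/1", "fastethernet0/3", "fastethernet0/6"]
    print(expand_interface_list(spec))
    print(scope_diff(spec, approved))
```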

Configure Port MDIX Mode


We can send and receive signals only after connecting the local end and the peer port.
Therefore, the MDIX mode is used with connection cables.

The cables connecting ports are divided into two types: straight-through cable and
crossover cable. To support the two types of cables, the port provides three kinds of
MDIX modes: normal, cross, and auto.

The optical port can only support straight-through cable. Therefore, MDIX mode can
only be set as normal.

The electrical port is formed by eight pins. You can change the roles of the pins by
setting the MDIX mode. When setting as normal, use pin 1 and 2 to send signals, and
pin 3, 6 to receive signals; when setting as cross, use pin 1, 2 to receive signals, pin 3,
6 to send signals; when setting as auto, the local and peer electrical ports
automatically negotiate the functions of the pins by connecting the cables.

When using the straight-through cable, the MDIX modes of the local and peer ports
cannot be the same.

When using crossover cable, the MDIX modes of the local and peer ports should be
the same or at least one is auto.

Table 2-8 Configure port MDIX mode

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the mode of receiving and transmitting signal via the network cable
Command: mdix { auto | cross | normal }
Description: Mandatory. By default, the MDIX mode of the electrical port is set to auto and the MDIX mode of the optical port is set to normal.

Configure Head-of-Line Blocking

When the port is blocked: if the head-of-line blocking function is enabled, the
packets causing the block are dropped directly; if the head-of-line blocking function
is disabled, the packets causing the block are processed according to the port flow
control configuration.


Table 2-9 Configure head-of-line blocking

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the head-of-line blocking
Command: hol-blocking { enable | disable }
Description: Mandatory. By default, the head-of-line blocking function of the port is enabled.

Configure Port Flow Control

When the sending or receiving buffer is full: if the port is in half-duplex mode, it
sends blocking signals back to the source end (back pressure mode); if the port is in
full-duplex mode, it informs the source end to stop sending (flow control mode).

Table 2-10 Configure the port flow control

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the port flow control
Command: flowcontrol { on | off }
Description: Mandatory. By default, the flow control function of the port is disabled.

• Before enabling the flow control function, first disable the head-of-line blocking
function; while the head-of-line blocking function is enabled, enabling the flow
control function does not take effect.
• The local flow control can be realized only when the local and peer ends both
enable the flow control function.

Configure Delay Time

When the port changes from Up to Down, it first enters the configured suppression
period, during which the system does not perceive the change of port status; after
the suppression period elapses, the port status change is reported to the system.
This avoids the unnecessary running cost caused by frequent port status changes
within a short time.

Table 2-11 Configure delay time

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the delay time
Command: link-delay link-delay-value
Description: Mandatory. By default, the delay report time of the port changing from Up to Down is 0, that is, the delay report function is disabled; when the port changes from Up to Down, the change is reported and processed immediately.

Configure Port Auto Energy-Saving

When disabling or enabling port auto energy-saving, but not connecting cables, the
port inside is always in the polling port state. To reduce the unnecessary energy
consumption, automatically switch to the low energy consumption state when the port
is idle by configuring the port auto energy-saving.

Table 2-12 Configure the port auto energy-saving

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the port auto energy-saving
Command: auto-power-down enable
Description: Mandatory. By default, the auto energy-saving function of the port is disabled.

Configure Port Status Flap Detection

When port status flap detection is configured and a port changing from Down to Up
meets the detection condition, a status flap (Link-Flap) is considered to have
happened on that port; the port is automatically disabled and set to Error-Disabled.

Table 2-13 Configure the port status flap detection

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Configure the port status flap detection
Command: errdisable flap-setting cause link-flap max-flaps max-flaps-number time time-value
Description: Mandatory. By default, Link-Flap is triggered when the port is detected to become Up at least 5 times within 10 s.

• When the port has been disabled by the Link-Flap function and set to
Error-Disabled, and automatic recovery is needed, configure it with the command
errdisable recovery cause.
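
The detection condition above, modelled as an added example (not code from the manual or the device): a sliding-window counter that uses the defaults stated in Table 2-13. The class and function names, the assumption that a port starts in the Down state, and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Defaults from Table 2-13: the port becomes Up at least 5 times within 10 s.
DEFAULT_MAX_FLAPS = 5
DEFAULT_WINDOW_S = 10.0


class LinkFlapDetector:
    """Sliding-window model of the Link-Flap check (illustrative, not device code)."""

    def __init__(self, max_flaps=DEFAULT_MAX_FLAPS, window_s=DEFAULT_WINDOW_S):
        self.max_flaps = max_flaps
        self.window_s = window_s
        self.state = {}                      # port -> last seen "up" / "down"
        self.up_times = defaultdict(deque)   # port -> times of Down->Up changes
        self.err_disabled = {}               # port -> time it was disabled

    def observe(self, ts, port, new_state):
        """Feed one link event; return True if it puts the port in Error-Disabled."""
        if port in self.err_disabled:
            return False                     # stays disabled until recovered
        previous = self.state.get(port, "down")   # assumption: ports start Down
        self.state[port] = new_state
        if previous != "down" or new_state != "up":
            return False                     # only Down->Up changes are counted
        times = self.up_times[port]
        times.append(ts)
        while ts - times[0] > self.window_s:  # forget changes outside the window
            times.popleft()
        if len(times) >= self.max_flaps:
            self.err_disabled[port] = ts
            self.state[port] = "down"
            return True
        return False

    def recover(self, port):
        """Model of recovery: clear the Error-Disabled state and the history."""
        self.err_disabled.pop(port, None)
        self.up_times[port].clear()
        self.state[port] = "down"


def find_flapping_ports(events, **settings):
    """Replay (time_s, port, state) events; return {port: time it was disabled}."""
    detector = LinkFlapDetector(**settings)
    for ts, port, new_state in sorted(events):
        detector.observe(ts, port, new_state)
    return dict(detector.err_disabled)


# Constructed sample events: fa0/1 changes state every second, fa0/2 every 4.5 s.
SAMPLE_EVENTS = (
    [(float(t), "fa0/1", "up" if t % 2 == 0 else "down") for t in range(0, 12)]
    + [(t * 4.5, "fa0/2", "up" if t % 2 == 0 else "down") for t in range(0, 9)]
)

if __name__ == "__main__":
    for port, when in find_flapping_ports(SAMPLE_EVENTS).items():
        print(f"{port}: Error-Disabled at t={when:.1f}s (link-flap)")
```

With the defaults only fa0/1 is disabled; lowering max_flaps shows how a tighter setting also catches the slower flap on fa0/2.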

Enable Port Loopback Test

When troubleshooting, for example when initially locating a port fault, you can
enable the port loopback test function. A port with the loopback test function
enabled cannot forward packets normally.

The port loopback test function includes internal loopback test and external loopback
test.

During internal loopback test, change the internal receiving end and sending end of the
specified port to make the packets sent by the port loopback in the device and received
by the port. If the internal loopback test succeeds, it indicates that the port inside works
normally.

During the external loopback test, first insert one self-loop cable on the port and the
packets sent by the specified port return to the port via the self-loop cable and received
by the port. If the external loopback test succeeds, it indicates that the port works
normally.

Table 2-14 Enable the port loopback test

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Enable the port loopback test
Command: loopback { internal | external }
Description: Mandatory. By default, the port loopback test function is not enabled.

Configure Storm Suppression Parameters

Limit the broadcast, multicast or unknown unicast traffic on the port by configuring the
storm suppression parameters. When the broadcast, multicast or unknown unicast
traffic on the port exceeds the set threshold, the system drops the excessive packets,
so as to make the proportion of the broadcast, multicast or unknown unicast traffic on
the port reduce to the limited range and ensure the normal running of the network
services.

Table 2-15 Configure the storm suppression parameters

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the storm suppression parameters
Command: storm-control { broadcast | multicast | unicast } { percent-value | bps bps-value | pps pps-value }
Description: Mandatory. By default, the port storm suppression parameters are not configured.

Configure Action Executed after Storm Suppression

When the storm is detected on the specified port and the storm suppression is enabled,
you can select two policies to process the storms on the port:

One is to disable the port and send the alarm information of detecting storm and
disabling the port to the configured log server via trap. In the mode, the port is disabled,
so the port cannot receive the subsequent traffic and the storm on the port is removed
at once.

The other is to send the alarm information of detecting storm to the configured log
server via trap. In the mode, the port is enabled, so the port can receive the
subsequent traffic and the storm on the port cannot be removed.

Table 2-16 Configure the action executed after storm suppression

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the action executed after storm suppression
Command: storm-control action { shutdown | trap | logging }
Description: Mandatory. By default, the action the port executes after detecting a storm is to record the alarm information of the detected storm on the device and print it on the terminal.


• When the port has been disabled by the storm suppression function and set to
Error-Disabled, and automatic recovery is needed, configure it with the command
errdisable recovery cause.

Configure Port UNI/NNI Type

A uni port is the connection port between the user device and the network; an nni
port is the connection interface between networks. On one device, an nni port is
interconnected with uni ports and with other nni ports; uni ports are separated from
each other.

Table 2-17 Configure the UNI/NNI attribute of the port

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the UNI/NNI attribute of the port
Command: port-type { nni | uni }
Description: Mandatory. By default, the UNI/NNI type of the port is nni.

Configure Connectivity of uni Port

By default, all uni ports of one device are separated from each other. However, to
realize the intercommunication between the specified multiple uni ports, but not change
the separation relation between these uni ports and other uni ports, you can configure
the connectivity of the uni port.

When configuring the connectivity on the specified uni port, you can only set whether
the uni port can forward packets to other uni ports, not affecting whether other uni ports
can forward packets to the specified uni port. Therefore, to realize the
intercommunication among multiple uni ports, you should configure as community on
these uni ports respectively.

Table 2-18 Configure the connectivity of uni port

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the connectivity of uni port
Command: uni-isolate { community | isolated }
Description: Mandatory. By default, the uni port cannot forward packets to other uni ports.

• The command can only take effect on the uni port.

2.2.4 Ethernet Interface Monitoring and Maintaining

Table 2-19 Ethernet interface monitoring and maintaining

Command: clear interface { interface-list | switchport } statistics
Description: Clear the packet and traffic statistics information of the port

Command: clear interface interface-name
Description: Clear the statistics information of the specified L3 Ethernet interface

Command: show errdisable flap-values
Description: Display the current setting of triggering executing Link-Flap function

Command: show interface { interface-list | switchport [ brief [ down | up ]] }
Description: Display all information or abstract information of the Ethernet interface or virtual switch link member port

Command: show interface interface-list statistics
Description: Display the packet and traffic statistics information of the port

Command: show interface switchport statistics [ packet | rate ]
Description: Display the packet and traffic statistics information of all ports on the device

Command: show optical { all | interface interface-list } [ detail ]
Description: Display the information of the optical module inserted on the Ethernet port

Command: show port-type [ interface-list | { uni | nni } [ interface interface-list ] ]
Description: Display the UNI/NNI attribute information of the port

Command: show storm-control [ interface interface-list ]
Description: Display the storm suppression setting of the specified port

2.3 Typical Configuration Example of Ethernet Interface

2.3.1 Configure Storm Suppression Function

Network Requirements

• Configure the storm suppression function on the port of Device to suppress
broadcast, unknown unicast and multicast packets, so that PC2 can access the
Internet normally when PC1 sends lots of broadcast, unknown unicast and multicast
packets.

Network Topology

Figure 2-1 Networking of configuring storm suppression 

Configuration Steps

Step 1: Configure VLAN and port link type on Device.

#Create VLAN2 on Device.
Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit

#Configure the link type of port fastethernet0/1 and fastethernet0/2 on Device as
Access, permitting the services of VLAN2 to pass.
Device(config)#interface fastethernet 0/1,0/2
Device(config-if-range)#switchport mode access
Device(config-if-range)#switchport access vlan 2
Device(config-if-range)#exit

#Configure the link type of port fastethernet0/3 on Device as Trunk, permitting the
services of VLAN2 to pass.
Device(config)#interface fastethernet 0/3
Device(config-if-fastethernet0/3)#switchport mode trunk
Device(config-if-fastethernet0/3)#switchport trunk allowed vlan add 2
Device(config-if-fastethernet0/3)#exit

Step 2: Configure the storm suppression function

#Adopt bps limitation mode to suppress the broadcast, unknown unicast and multicast
packets on port fastethernet0/1 and the suppression rate is 1024 kbps.
Device(config)#interface fastethernet 0/1
Device(config-if-fastethernet0/1)#storm-control broadcast bps 1024
Device(config-if-fastethernet0/1)#storm-control unicast bps 1024
Device(config-if-fastethernet0/1)#storm-control multicast bps 1024
Device(config-if-fastethernet0/1)#exit

Step 3: Check the result

#View the storm suppression information of port fastethernet0/1 on Device.
Device#show storm-control interface fastethernet 0/1
Interface Unicast Broadcast Multicast Action
---------------------------------------------------------------------------
fa0/1 enable enable enable logging

#When PC1 sends lots of broadcast, unknown unicast and multicast packets, PC2 can
still access the Internet normally.
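
A configuration check built on the batch interface-list syntax and the storm-control commands above, as an added example (not code from the manual or the device): it expands interface lists such as "fastethernet0/1, 0/3-0/4, 0/6", replays the CLI session of this section, and reports ports that lack storm suppression for any of the three traffic types. Auditing only ports in access mode is an assumption of this sketch, and the function names are illustrative.

```python
import re

STORM_TYPES = ("broadcast", "multicast", "unicast")

# CLI session of section 2.3.1 (steps 1 and 2), copied from the manual.
SESSION = """\
Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit
Device(config)#interface fastethernet 0/1,0/2
Device(config-if-range)#switchport mode access
Device(config-if-range)#switchport access vlan 2
Device(config-if-range)#exit
Device(config)#interface fastethernet 0/3
Device(config-if-fastethernet0/3)#switchport mode trunk
Device(config-if-fastethernet0/3)#switchport trunk allowed vlan add 2
Device(config-if-fastethernet0/3)#exit
Device(config)#interface fastethernet 0/1
Device(config-if-fastethernet0/1)#storm-control broadcast bps 1024
Device(config-if-fastethernet0/1)#storm-control unicast bps 1024
Device(config-if-fastethernet0/1)#storm-control multicast bps 1024
Device(config-if-fastethernet0/1)#exit
"""


def expand_interface_list(spec):
    """Expand 'fastethernet0/1, 0/3-0/4, 0/6' into individual port names."""
    match = re.match(r"\s*([A-Za-z]+)\s*(.+)$", spec)
    if not match:
        raise ValueError(f"bad interface list: {spec!r}")
    port_type, rest = match.group(1).lower(), match.group(2)
    ports = []
    for item in rest.split(","):
        lo, _, hi = item.strip().partition("-")
        slot, first = (int(x) for x in lo.split("/"))
        if hi:
            hi_slot, last = (int(x) for x in hi.split("/"))
            if hi_slot != slot or last < first:
                raise ValueError(f"bad range: {item.strip()!r}")
        else:
            last = first
        ports += [f"{port_type}{slot}/{n}" for n in range(first, last + 1)]
    return ports


def parse_session(text):
    """Return {port: {'mode': str or None, 'storm': set of types}}."""
    ports, current = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                              # blank line or annotation
        cmd = line.split("#", 1)[-1].strip()      # drop the 'Device(...)#' prompt
        words = cmd.split()
        if not words:
            continue
        if words[0] == "interface":
            try:
                current = expand_interface_list(cmd[len("interface"):])
            except ValueError:
                current = []                      # not a slot/port list, e.g. vlan 2
            for port in current:
                ports.setdefault(port, {"mode": None, "storm": set()})
        elif words[:2] == ["switchport", "mode"] and len(words) > 2:
            for port in current:
                ports[port]["mode"] = words[2]
        elif words[0] == "storm-control" and len(words) > 1 and words[1] in STORM_TYPES:
            for port in current:
                ports[port]["storm"].add(words[1])
        elif words[0] == "exit":
            current = []
    return ports


def missing_storm_control(ports, modes=("access",)):
    """Return {port: [traffic types without storm-control]} for audited modes."""
    findings = {}
    for name, cfg in sorted(ports.items()):
        missing = [t for t in STORM_TYPES if t not in cfg["storm"]]
        if cfg["mode"] in modes and missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in missing_storm_control(parse_session(SESSION)).items():
        print(f"{port}: no storm-control for {', '.join(missing)}")
```

Run against this section's session, the check reports fastethernet0/2, which receives the access-mode settings through the batch command but no storm-control lines.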


3 Aggregation Group Interface


3.1 Overview

Aggregation group interface is one logical interface. When the link aggregation
function is enabled on multiple ports, the ports with the same link aggregation
feature form the aggregation group and are abstracted as the aggregation group
interface; the multiple ports with the same attribute are called the member ports of
the aggregation group. The aggregation group interface is mainly used to expand the
link bandwidth and improve the connection reliability.

3.2 Aggregation Group Interface Function Configuration

Table 3-1 Function configuration list of aggregation group interface

Configuration Task
• Configure the basic functions of the aggregation group interface
  - Enter the aggregation group configuration mode

3.2.1 Configure Basic Functions of Aggregation Group Interface

Configuration Condition

None

Enter the aggregation group configuration mode

Table 3-2 Enter the aggregation group configuration mode

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the aggregation group configuration mode
Command: link-aggregation link-aggregation-id
Description: Mandatory

• Before entering the specified aggregation group configuration mode, first create the
corresponding aggregation group.

3.2.2 Aggregation Group Interface Monitoring and Maintaining

Table 3-3 Monitoring and maintaining of aggregation group interface

Command: clear link-aggregation link-aggregation-id statistics
Description: Clear the packet and traffic statistics information of the specified aggregation group

Command: show link-aggregation [ link-aggregation-id | brief ]
Description: Display all information of the aggregation group

Command: show link-aggregation link-aggregation-id statistics
Description: Display the packet and traffic statistics information of the specified aggregation group

Command: show port-type link-aggregation link-aggregation-id | { uni | nni } link-aggregation link-aggregation-id
Description: Display the UNI/NNI attribute information of the specified aggregation group


4 VLAN Interface
4.1 Overview

VLAN interface is one logical interface, used to be bound with VLAN and complete the
packet forwarding between different VLANs. One VLAN can only be bound to one
VLAN interface. One VLAN interface also can only be bound with one VLAN.

4.2 VLAN Interface Function Configuration

Table 4-1 VLAN interface function configuration list

Configuration Task
• Configure the basic functions of the VLAN interface
  - Configure VLAN interface

4.2.1 Configure VLAN Interface

Configuration Condition

None

Configure VLAN Interface

Table 4-2 Configure the VLAN interface

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Create the VLAN interface
Command: interface vlan vlan-id
Description: Mandatory. By default, the VLAN interface is not configured.


• There is no order requirement for creating the VLAN interface, creating the VLAN
and adding the physical port to the VLAN.
• For how to create a VLAN and add the physical port to the VLAN, refer to the VLAN
chapter in the configuration manual.

4.2.2 VLAN Interface Monitoring and Maintaining

Table 4-3 VLAN interface monitoring and maintaining

Command: clear interface vlan vlan-id
Description: Clear the statistics information of the specified VLAN interface

Command: show interface vlan vlan-id
Description: Display the information of the specified VLAN interface

Command: show interface vlan vlan-id original statistics
Description: Display the statistics information of the specified VLAN interface

4.3 Typical Configuration Example of VLAN Interface

4.3.1 Configure VLAN Interface

Network Requirements

• Configure the VLAN interface on Device to realize the intercommunication between
PC1 and PC2 of different VLANs.

Network Topology

Figure 4-1 Networking of configuring VLAN interface 

Configuration Steps

Step 1: Configure VLAN and port link type on Device.


# Create VLAN2 and VLAN3 on Device.
Device#configure terminal
Device(config)#vlan 2-3

# Configure the link type of port fastethernet0/1 and fastethernet0/2 on Device as
Access. Port fastethernet 0/1 permits the services of VLAN2 to pass and fastethernet
0/2 permits the services of VLAN3 to pass.
Device(config)#interface fastethernet 0/1
Device(config-if-fastethernet0/1)#switchport mode access
Device(config-if-fastethernet0/1)#switchport access vlan 2
Device(config-if-fastethernet0/1)#exit
Device(config)#interface fastethernet 0/2
Device(config-if-fastethernet0/2)#switchport mode access
Device(config-if-fastethernet0/2)#switchport access vlan 3
Device(config-if-fastethernet0/2)#exit

Step 2: Configure the VLAN interface and IP address on Device.

# Create VLAN2 interface on Device whose IP address is 1.1.1.1 and subnet mask is
255.255.255.0; create VLAN3 interface whose IP address is 2.1.1.1 and subnet mask
is 255.255.255.0.
Device(config)#interface vlan 2
Device(config-if-vlan2)#ip address 1.1.1.1 255.255.255.0
Device(config-if-vlan2)#exit
Device(config)#interface vlan 3
Device(config-if-vlan3)#ip address 2.1.1.1 255.255.255.0
Device(config-if-vlan3)#exit

Step 3: Check the result.

#View the information of VLAN interface on Device.
Device#show interface vlan 2
vlan2:
line protocol is up
Flags: (0xc008063) BROADCAST MULTICAST ARP RUNNING
Type: ETHERNET_CSMACD
Internet address: 1.1.1.1/24
Broadcast address: 1.1.1.255
Queue strategy: FIFO , Output queue: 0/1 (current/max packets)(0)
Metric: 0, MTU: 1500, BW: 100000 Kbps, DLY: 100 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Ethernet address is 0045.1023.0032
5 minutes input rate 0 bits/sec, 0 packets/sec
5 minutes output rate 0 bits/sec, 0 packets/sec
0 packets received; 1 packets sent
0 multicast packets received
1 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
Unknown protocol 0
Device#show interface vlan 3
vlan3:
line protocol is up
Flags: (0xc008063) BROADCAST MULTICAST ARP RUNNING


Type: ETHERNET_CSMACD
Internet address: 2.1.1.1/24
Broadcast address: 2.1.1.255
Queue strategy: FIFO , Output queue: 0/1 (current/max packets)(0)
Metric: 0, MTU: 1500, BW: 100000 Kbps, DLY: 100 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Ethernet address is 0045.1023.0032
5 minutes input rate 0 bits/sec, 0 packets/sec
5 minutes output rate 0 bits/sec, 0 packets/sec
0 packets received; 1 packets sent
0 multicast packets received
1 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
Unknown protocol 0

#PC1 can ping PC2.


5 E1 Interface
5.1 Overview

With the emergence of PCM (Pulse Code Modulation), TDM (Time Division
Multiplexing) has been extensively applied in the digital communication system.
Currently, two TDM systems exist in the digital communication system. One is the E1
system recommended by ITU-T, which is extensively applied in Europe and China. The
other is the T1 system recommended by ANSI, which is mainly applied in North
America and Japan. The T1 rate is 1.544 Mbit/s and the E1 rate is 2.048 Mbit/s.

PCM coding theory and rule: The PCM digital interface uses the G.703 standard,
performing asymmetric or symmetric transmission via the 75 Ω coaxial cables or 120 Ω
twisted-pair cables. HDB3 codes containing timing relationship are the transmission
codes. The receiving end recovers the timing by decoding and achieves clock
synchronization.

The E1 interface follows the G.703 unframed structure standard. All 2.048 Mbit/s
bandwidth are used for data transmission. When the E1 interface is used for the frame
structure, it can be used for G.704 CCS structure and G.704 CAS structure. G.704 CCS
structure TS16 can transmit data, but G.704 CAS structure TS16 transmits signaling,
instead of data. In both G.704 CCS structure and G.704 CAS structure modes, TS0
cannot transmit data. TS16 indicates timeslot 16 on the E1 channel and TS0 indicates
timeslot 0 on the E1 channel.

When the E1 interface is used, the timeslots can be bound in any combination into one
interface. This logical interface is the same as the synchronous serial port and
supports link layer protocols such as PPP and HDLC.

5.2 E1 Interface Function Configuration

Table 5-1 Function configuration list of the E1 interface

Configuration Task
• Configure the basic functions of the E1 interface
  - Configure the E1 framing CAS mode
  - Configure the E1 framing CCS mode
• Configure other features of the E1 interface
  - Configure the E1 data line CRC-4 verification mode
  - Configure the E1 transmit clock source
  - Configure the E1 matching impedance
  - Configure the E1 line code
  - Configure the E1 looping mode

5.2.1 Configure Basic Functions of E1 Interface

Configuration Condition

None

Configure E1 Framing CAS Mode

When configuring the E1 framing mode, TS0 is used to transmit frame synchronous
signal, CRC-4, and peer end asynchronous alarm indicator and TS16 is used to
transmit CAS multiframe alignment signal and multiframe peer end asynchronous
alarm indicator. Thus, other 30 timeslots are used to transmit data.

Table 5-2 Configure E1 framing CAS mode

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the timeslot
Command: timeslot timeslot-range
Description: Mandatory. By default, the interface is the unframed mode.


• When configuring the framing mode, the start timeslot number must be greater than
the end timeslot number. Otherwise, the configuration is invalid.

Configure E1 Framing CCS Mode

When configuring the E1 framing mode, TS0 is used to transmit frame synchronous
signal, CRC-4, and peer end asynchronous alarm indicator and TS16 is used to
transmit data, that is, the CCS mode. Thus, a total of 31 timeslots on the E1 channel
are used to transmit data.

Table 5-3 Configure the E1 framing CCS mode

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the TS16
Command: ts16
Description: Mandatory. By default, the interface is the CAS mode.

• When configuring the interface working in the CCS mode, the interface must be in
the framing mode. CCS indicates the common channel signaling and CAS indicates
the channel associated signaling.
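
The timeslot accounting of the CAS and CCS modes described above, as an added example (not code from the manual or the device): it works out which timeslots carry data and the resulting bandwidth at 64 kbit/s per timeslot (2048 kbit/s over 32 timeslots). For timeslot 1-20 in CAS mode it gives 1216 kbit/s, which matches the BW value in the show interface output of section 5.3.2. Function names are illustrative.

```python
TIMESLOT_KBPS = 64            # 2048 kbit/s divided over 32 timeslots
E1_TIMESLOTS = 32

# Timeslots that cannot carry data in each framed mode (sections 5.1 and 5.2.1).
RESERVED = {
    "cas": frozenset({0, 16}),   # TS0 framing, TS16 signaling
    "ccs": frozenset({0}),       # TS0 framing, TS16 carries data
}


def parse_timeslot_range(text):
    """Parse a timeslot-range such as '1-20' or '5' into a set of timeslots."""
    first, _, last = text.strip().partition("-")
    # The two bounds are accepted in either order in this sketch.
    lo, hi = sorted((int(first), int(last or first)))
    if lo < 0 or hi >= E1_TIMESLOTS:
        raise ValueError(f"timeslot outside 0-31: {text!r}")
    return set(range(lo, hi + 1))


def e1_data_timeslots(mode, timeslot_range):
    """Return the sorted timeslots that carry data in a framed mode."""
    mode = mode.lower()
    if mode not in RESERVED:
        raise ValueError(f"not a framed mode: {mode!r}")
    return sorted(parse_timeslot_range(timeslot_range) - RESERVED[mode])


def e1_bandwidth_kbps(mode, timeslot_range=None):
    """Return the data bandwidth in kbit/s for 'unframed', 'cas' or 'ccs'."""
    if mode.lower() == "unframed":
        if timeslot_range is not None:
            raise ValueError("unframed mode has no timeslot structure")
        return TIMESLOT_KBPS * E1_TIMESLOTS      # all 2048 kbit/s is data
    if timeslot_range is None:
        raise ValueError("framed modes need a timeslot range")
    return TIMESLOT_KBPS * len(e1_data_timeslots(mode, timeslot_range))


if __name__ == "__main__":
    print("unframed     :", e1_bandwidth_kbps("unframed"), "kbit/s")
    for mode in ("cas", "ccs"):
        for rng in ("1-20", "0-31"):
            slots = e1_data_timeslots(mode, rng)
            print(f"{mode} timeslot {rng:>4}: {len(slots)} data timeslots,",
                  e1_bandwidth_kbps(mode, rng), "kbit/s")
```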

5.2.2 Configure Other Features of E1 Interface

Configuration Condition

None

Configure E1 Data Line CRC-4 Verification Mode


The E1 supports protocols such as PPP and HDLC. The CRC is used to check the data
frame. The following commands can be used to configure data CRC verification
mode.

Table 5-4 Configure E1 data line CRC4 verification mode

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the CRC-4 verification mode
Command: crc4 { rcrc4 | tcrc4 }
Description: Mandatory. By default, the E1 interface receiving and transmitting CRC-4 are invalid.

Configure E1 Transmit Clock Source

During the data transmission, both frame synchronization and clock synchronization
must be ensured. Packet loss may occur when the clock is not synchronized.
Therefore, to ensure clock synchronization, a unified clock must be used. One end is
configured with an internal clock and the other end is configured with a line clock. Thus,
a unified clock is ensured on the line.

Table 5-5 Configure E1 transmit clock source

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the transmit clock source
Command: clock source { internal | line }
Description: Mandatory. By default, the E1 interface transmit clock is the line clock.

Configure E1 Matching Impedance

The E1 is the standard dual-line circuit. One line is used to receive data and the
other is used to send data. Two kinds of cable are used: 75 Ω unbalanced coaxial
cables and 120 Ω balanced twisted-pair cables. The following command can be used to
configure the line matching impedance.

Table 5-6 Configure the E1 matching impedance

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the matching impedance
Command: resistance { 120 | 75 }
Description: Mandatory. By default, the matching impedance of the interface is 75 Ω.

Configure E1 Line Coding

The E1 receiving and transmitting directions are independent without interfering each
other. The E1 adopts the differential transmission mode, which has a stronger ability of
resisting common-mode interference and a transmission distance of 1 km. Because
the clock is extracted from the line clock, an independent clock line is not required. The
E1 line transmits the baseband signal, generally HDB3 (High Density Bipolar 3) codes
or AMI. Both the preceding two codes are ternary return to zero codes.

Table 5-7 Configure the E1 line coding

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the E1 interface line coding
Command: linecode { ami | hdb3 }
Description: Mandatory. By default, the interface line coding is HDB3 coding.

Configure E1 Looping Mode


Different looping modes are used to diagnose the line status. The local loop is used to
diagnose whether exceptions occur to the local device for receiving and transmitting
data. The remote loop is used to diagnose whether exceptions occur to the remote
device for receiving and transmitting data.

Table 5-8 Configure the E1 looping mode

Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure the interface looping mode
Command: loopback { local | remote }
Description: Mandatory. By default, the looping mode for the E1 interface is not configured.

• When configuring the interface looping, the interface transmit clock source must be
configured as the internal clock.

5.2.3 E1 Interface Monitoring and Maintaining

Table 5-9 The E1 interface monitoring and maintaining

Command: clear interface interface-name
Description: Clear related statistics of the E1 interface

Command: show controllers e1 slot/sub-slot/unit
Description: Display related information of the E1 controller

Command: show interface interface-name
Description: Display all configuration parameters and current running status information of the E1 interface

Command: show running-config
Description: View the configuration of the E1 interface


5.3 Typical Configuration Example of E1 Interface

5.3.1 Configure E1 Unframed Mode

Network Requirements

• Use a cable to connect the E1 interface of Device1 and Device2. The E1 interface is
configured as the unframed mode by default. The interface encapsulation type is HDLC
to enable the intercommunication between Device1 and Device2.

Network Topology

Figure 5-1 Networking of the E1 unframed mode

Configuration Steps

Step 1: Configure the clock mode for the E1 interface. Device1 is configured with an internal
clock and Device2 is configured with an external clock. The external clock is the default
setting, which does not need to be configured manually.

#Configure Device1.
Device1#configure terminal
Device1(config)#interface serial1/0
Device1(config-if-serial1/0)#clock source internal

#Configure Device2.
Device2#configure terminal
Device2(config)#interface serial1/0

Step 2: Configure the IP addresses for all interfaces.

#Configure Device1.
Device1(config-if-serial1/0)#ip address 1.0.0.1 255.255.255.0
Device1(config-if-serial1/0)#exit

#Configure Device2.
Device2(config-if-serial1/0)#ip address 1.0.0.2 255.255.255.0
Device2(config-if-serial1/0)#exit


Step 3: Check the result.

#View the interface status of serial1/0 on Device1.
Device1#show interface serial1/0
serial1/0:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Internet address: 1.0.0.1/24
Destination Internet address: 1.0.0.2
Metric: 0, MTU: 1500, BW: 2048 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 51 bits/sec, 0 hour 0 minute 18 seconds ago
output peak rate 51 bits/sec, 0 hour 0 minute 18 seconds ago
3 minutes 30 seconds input rate 0 bit/sec, 0 packet/sec
3 minutes 30 seconds output rate 0 bit/sec, 0 packet/sec
29 packets received; 29 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
hdlc version: 3.5
rxFrames 29, rxChars 643
txFrames 29, txChars 643
rxNoOctet 0, rxAbtErrs 0, rxCrcErrs 0
rxOverrun 0, rxLenErrs 0, txUnderrun 0
DCD=up
rate=2048000 bps

#On Device1, ping the IP address of the peer interface serial1/0; the ping
succeeds.
Device1#ping 1.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 1.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

• The encapsulation type of the E1 interface is HDLC by default. Therefore, the
encapsulation type does not need to be configured for the interfaces. The output of
the show interface command shows that Type is set to HDLC. If other WAN
protocols need to be configured, refer to WAN protocol-related documentation.
• In the E1 unframed mode, a 2 M interface is generated. This mode is mainly applied
in DDN (Digital Data Network).


5.3.2 Configure E1 Framing CAS Mode

Network Requirements

• Use a cable to connect the E1 interface of Device1 and Device2. The E1 interface is
configured as framing CAS mode with timeslot 16 transmitting signaling. The framing
mode is CAS by default. The interface encapsulation type is HDLC to enable the
intercommunication between Device1 and Device2.

Network Topology

Figure 5-2 Networking of configuring E1 framing CAS mode

Configuration Steps

Step 1: When configuring timeslots of the E1 interface, both Device1 and Device2 use timeslot
from 1 to 20.

#Configure Device1.
Device1#configure terminal
Device1(config)#interface serial1/0
Device1(config-if-serial1/0)#timeslot 1-20

#Configure Device2.
Device2#configure terminal
Device2(config)#interface serial1/0
Device2(config-if-serial1/0)#timeslot 1-20

Step 2: Configure the clock mode for the E1 interface. Device1 is configured with an internal clock and Device2 is configured with an external clock. The external clock is the default setting, so it does not need to be configured manually.

#Configure Device1.
Device1(config-if-serial1/0)#clock source internal

Step 3: Configure the IP addresses for all interfaces.

#Configure Device1.
Device1(config-if-serial1/0)#ip address 1.0.0.1 255.255.255.0
Device1(config-if-serial1/0)#exit


#Configure Device2.
Device2(config-if-serial1/0)#ip address 1.0.0.2 255.255.255.0
Device2(config-if-serial1/0)#exit

Step 4: Check the result.

# View the interface status of serial1/0 on Device1.


Device1#show interface serial1/0
serial1/0:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Internet address: 1.0.0.1/24
Destination Internet address: 1.0.0.2
Metric: 0, MTU: 1500, BW: 1216 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 360 bits/sec, 0 hour 18 minutes 8 seconds ago
output peak rate 360 bits/sec, 0 hour 18 minutes 8 seconds ago
5 minutes input rate 23 bits/sec, 0 packet/sec
5 minutes output rate 23 bits/sec, 0 packet/sec
264 packets received; 264 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
hdlc version: 3.5
rxFrames 264, rxChars 6864
txFrames 264, txChars 6864
rxNoOctet 0, rxAbtErrs 0, rxCrcErrs 0
rxOverrun 0, rxLenErrs 0, txUnderrun 0
DCD=up
rate=1216000 bps

# Ping the IP address of the peer interface serial1/0 from Device1; the ping succeeds.
Device1#ping 1.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 1.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

• When the E1 interface is configured in the framing mode, the timeslots used by both ends must be the same. For example, in the preceding case, Device1 uses timeslots 1 to 20, so Device2 must also use timeslots 1 to 20. Otherwise, the port cannot come up.
• When the E1 interface is configured in the framing mode and is in the CAS mode, the peer interface must also be configured in the CAS mode. Otherwise, the interface cannot come up.
• The encapsulation type of the E1 interface is HDLC by default, so the encapsulation type does not need to be configured for the interfaces. Run the show interface command to confirm that Type is set to HDLC. If other WAN protocols need to be configured, refer to the WAN protocol-related documentation.
• The typical application of the CAS mode of the E1 interface is as follows: the digital trunk, as the voice switch, treats the E1 interface as 32 x 64 kbit/s timeslots. However, timeslot 16 (configurable) is used to transmit signaling.

5.3.3 Configure E1 Framing CCS Mode

Network Requirements

• Use a cable to connect the E1 interfaces of Device1 and Device2. The E1 interface is configured in the framing CCS mode, with timeslot 16 transmitting data. The interface encapsulation type is HDLC, which enables communication between Device1 and Device2.

Network Topology

Figure 5-3 Networking of E1 framing CCS mode

Configuration Steps

Step 1: Configure the timeslots of the E1 interface. Both Device1 and Device2 use timeslots 1 to 20.

#Configure Device1.
Device1#configure terminal
Device1(config)#interface serial1/0
Device1(config-if-serial1/0)#timeslot 1-20

#Configure Device2.
Device2#configure terminal
Device2(config)#interface serial1/0
Device2(config-if-serial1/0)#timeslot 1-20

Step 2: Configure TS16 and CCS mode for the E1 interface.

#Configure Device1.
Device1(config-if-serial1/0)#ts16


#Configure Device2.
Device2(config-if-serial1/0)#ts16

Step 3: Configure the clock mode for the E1 interface. Device1 is configured with an internal clock and Device2 is configured with an external clock. The external clock is the default setting, so it does not need to be configured manually.

#Configure Device1.
Device1(config-if-serial1/0)#clock source internal

Step 4: Configure the IP addresses for all interfaces.

#Configure Device1.
Device1(config-if-serial1/0)#ip address 1.0.0.1 255.255.255.0
Device1(config-if-serial1/0)#exit

#Configure Device2.
Device2(config-if-serial1/0)#ip address 1.0.0.2 255.255.255.0
Device2(config-if-serial1/0)#exit

Step 5: Check the result.

#View the interface status of serial1/0 on Device1.


Device1#show interface serial1/0
serial1/0:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Internet address: 1.0.0.1/24
Destination Internet address: 1.0.0.2
Metric: 0, MTU: 1500, BW: 1280 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 368 bits/sec, 0 hour 3 minutes 33 seconds ago
output peak rate 368 bits/sec, 0 hour 3 minutes 33 seconds ago
5 minutes input rate 49 bits/sec, 0 packet/sec
5 minutes output rate 49 bits/sec, 0 packet/sec
515 packets received; 515 packets sent
0 multicast packets received
0 multicast packets sent
5 input errors; 0 output errors
0 collisions; 0 dropped
hdlc version: 3.5
rxFrames 515, rxChars 13520
txFrames 515, txChars 13520
rxNoOctet 0, rxAbtErrs 0, rxCrcErrs 0
rxOverrun 0, rxLenErrs 0, txUnderrun 0
DCD=up
rate=1280000 bps


# Ping the IP address of the peer interface serial1/0 from Device1; the ping succeeds.
Device1#ping 1.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 1.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

• When the E1 interface is configured in the framing mode, the timeslots used by both ends must be the same. For example, in the preceding case, Device1 uses timeslots 1 to 20, so Device2 must also use timeslots 1 to 20. Otherwise, the interface cannot come up.
• When the E1 interface is configured in the framing mode and is in the CCS mode, the peer interface must also be configured in the CCS mode. Otherwise, the interface cannot come up.
• The encapsulation type of the E1 interface is HDLC by default, so the encapsulation type does not need to be configured for the interfaces. Run the show interface command to confirm that Type is set to HDLC. If other WAN protocols need to be configured (for example, the PPP protocol), refer to the WAN protocol-related documentation.
• The typical application of the CCS mode of the E1 interface is as follows: the digital trunk, as the voice switch, treats the E1 interface as 32 x 64 kbit/s timeslots. However, timeslot 16 (configurable) is used to transmit data.


6 CE1 Interface
6.1 Overview

CE1 means channelized E1. A 2.048 Mbit/s E1 is used as multiple 64 kbit/s timeslots and combinations of them, such as 128 kbit/s and 256 kbit/s. The difference between CE1 and E1 is that timeslots can be divided for CE1 but cannot be divided for E1. CE1 has a total of 32 timeslots of 64 kbit/s each and can be divided into N x 64 kbit/s channels. Timeslot 0 of CE1 is used to transmit synchronization information. CE1 and E1 can be interconnected, but in this case CE1 must be used as E1, that is, its timeslots cannot be divided. The link layer supports link layer protocols such as PPP and HDLC.

6.2 CE1 Interface Function Configuration

Table 6-1 Function configuration list of the CE1 interface

| Configuration Task | |
|---|---|
| Configure the basic functions for the CE1 interface | Configure the CE1 framing mode |
| | Configure the CE1 unframed mode |
| Configure other features for the CE1 interface | Configure the CE1 data line CRC-4 verification mode |
| | Configure the CE1 transmit clock source |
| | Configure the CE1 matching impedance |
| | Configure the CE1 line coding mode |
| | Configure the CE1 looping mode |


6.2.1 Configure Basic Functions of CE1 Interface

Configuration Condition

None

Configure CE1 Framing Mode

When the CE1 framing mode is configured, the CE1 behaves like an E1 in the CCS mode. The difference between CE1 and E1 is that the timeslots of CE1 can be divided into multiple channels that transmit data independently. An E1 can be divided into only one channel, with a bandwidth of N x 64 kbit/s, whereas a CE1 can be divided into multiple N x 64 kbit/s channels.

Table 6-2 Configure the CE1 interface

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the CE1 controller configuration mode | controller e1 slot/sub-slot/unit | - |
| Enter the channel | channel-group channel-group-number timeslots timeslots-range | Mandatory. By default, the CE1 channel is not configured. |

• When configuring the framing mode, the start timeslot number must be smaller than the end timeslot number. Otherwise, the configuration is invalid.
• If the same timeslot is configured for two channels, the configuration is invalid and interfaces cannot be generated.
• During the configuration, the timeslot range must match the channel group number. The timeslots of the channel group are defined by the service provider.

Configure CE1 Unframed Mode

Configuring the CE1 unframed mode is equivalent to the transparent 2 M mode of the E1 interface. All 32 timeslots are used to transmit data and the bandwidth is 2048 kbps.

Table 6-3 Configure the CE1 unframed mode


| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the CE1 controller configuration mode | controller e1 slot/sub-slot/unit | - |
| Configure the unframed CE1 interface of transparent 2 M | unframed | Mandatory. By default, the unframed mode is not configured. |

• If other channels are configured, the unframed mode cannot be configured any more.

6.2.2 Configure Other Features of CE1 Interface

Configuration Condition

None

Configure CE1 Data Line CRC-4 Verification Mode

The CE1 interface supports the protocols such as PPP and HDLC. CRC can be used to
verify the data frame. The following command can configure the data CRC verification
mode.

Table 6-4 Configure the CE1 data line CRC-4 verification mode

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the CE1 controller configuration mode | controller e1 slot/sub-slot/unit | - |
| Configure the CRC-4 verification mode | framing { crc4 \| default \| no-crc4 } | Mandatory. By default, the CRC-4 verification is used only when data is transmitted. |

Configure CE1 Transmit Clock Source

During the data transmission, both frame synchronization and clock synchronization
must be ensured. Packet loss may occur when the clock is not synchronized.
Therefore, to ensure clock synchronization, a unified clock must be used. One end is
configured with an internal clock and the other end is configured with a line clock. Thus,
a unified clock is ensured on the line.

Table 6-5 Configure the CE1 transmit clock source

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the CE1 controller configuration mode | controller e1 slot/sub-slot/unit | - |
| Configure the transmit clock source | clock source { internal \| line } | Mandatory. By default, the transmit clock of the CE1 interface is the line clock. |

Configure CE1 Matching Impedance

The CE1 is a standard dual-line circuit: one line is used to receive data and the other is used to send data. Two types of cable are used: 75 Ω unbalanced coaxial cables and 120 Ω balanced twisted-pair cables. The following command can be used to configure the line matching impedance.

Table 6-6 Configure the CE1 matching impedance

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the CE1 controller configuration mode | controller e1 slot/sub-slot/unit | - |
| Configure the matching impedance | resistance { 120 \| 75 } | Mandatory. By default, the matching impedance of the interface is 75 Ω. |

Configure CE1 Line Coding

The CE1 receiving and transmitting directions are independent and do not interfere with each other. The CE1 adopts the differential transmission mode, which has a stronger ability to resist common-mode interference and a transmission distance of 1 km. Because the clock is extracted from the line clock, an independent clock line is not required. The CE1 line transmits the baseband signal, generally HDB3 (High Density Bipolar 3) codes or AMI codes. Both codes are ternary return-to-zero codes.

Table 6-7 Configure the CE1 line coding

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the CE1 controller configuration mode | controller e1 slot/sub-slot/unit | - |
| Configure the CE1 interface line coding | linecode { ami \| hdb3 } | Mandatory. By default, the interface line coding is HDB3 coding. |

Configure CE1 Looping Mode

Different looping modes are used to diagnose the line status. The local loop is used to
diagnose whether exceptions occur to the local device for receiving and transmitting
data. The remote loop is used to diagnose whether exceptions occur to the remote
device for receiving and transmitting data.

Table 6-8 Configure the CE1 looping mode

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the CE1 controller configuration mode | controller e1 slot/sub-slot/unit | - |
| Configure the interface looping mode | loopback { local \| remote } | Mandatory. By default, the looping mode for the CE1 interface is not configured. |

• When configuring the interface looping, the interface transmit clock source must be configured as the internal clock.

6.2.3 CE1 Interface Monitoring and Maintaining

Table 6-9 The CE1 interface monitoring and maintaining

| Command | Description |
|---|---|
| clear interface interface-name | Clear related statistics of the CE1 interface |
| show controllers e1 slot/sub-slot/unit | Display related information of the CE1 controller |
| show interface interface-name | Display all configuration parameters and current running status information of the CE1 interface |
| show running-config | View the configuration of the CE1 interface |

6.3 Typical Configuration Example of CE1 Interface

6.3.1 Configure CE1 Unframed Mode

Network Requirements

• Use a cable to connect the CE1 interface of Device1 and Device2. The CE1 interface is configured as the unframed mode by default. The interface encapsulation type is HDLC to enable the intercommunication between Device1 and Device2.

Network Topology

Figure 6–1 Networking of the CE1 unframed mode

Configuration Steps

Step 1: Configure the clock mode for the CE1 controller. Device1 is configured with an internal clock and Device2 is configured with an external clock. The external clock is the default setting, so it does not need to be configured manually.

#Configure the CE1 interface of Device1.


Device1#configure terminal
Device1(config)#controller e1 1/0
Device1(config-controller)#clock source internal

#Configure the CE1 interface of Device2.


Device2#configure terminal
Device2(config)#controller e1 1/0

Step 2: Configure the unframed mode in the CE1 controller and the interface serial1/0:0 is
automatically generated.

#Configure the CE1 interface of Device1.


Device1(config-controller)#unframed
Device1(config-controller)#exit

#Configure the CE1 interface of Device2.


Device2(config-controller)#unframed
Device2(config-controller)#exit

Step 3: Configure the IP addresses for all interfaces.

#Configure the IP address for serial1/0:0 created in Step 2 on Device1.


Device1(config)#interface serial1/0:0
Device1(config-if-serial1/0:0)#ip address 1.0.0.1 255.255.255.0
Device1(config-if-serial1/0:0)#exit

# Configure the IP address for serial1/0:0 created in Step 2 on Device2.


Device2(config)#interface serial1/0:0
Device2(config-if-serial1/0:0)#ip address 1.0.0.2 255.255.255.0
Device2(config-if-serial1/0:0)#exit

Step 4: Check the result.

#View the status of serial1/0:0 on Device1.


Device1#show interface serial 1/0:0
serial1/0:0:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Internet address: 1.0.0.1/24
Destination Internet address: 1.0.0.2
Metric: 0, MTU: 1500, BW: 2048 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 52 bits/sec, 0 hour 1 minute 44 seconds ago
output peak rate 52 bits/sec, 0 hour 1 minute 44 seconds ago
5 minutes input rate 23 bits/sec, 0 packet/sec
5 minutes output rate 23 bits/sec, 0 packet/sec
46 packets received; 46 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
hdlc version: 3.5
rxFrames 46, rxChars 1104
txFrames 46, txChars 1104
rxNoOctet 0, rxAbtErrs 0, rxCrcErrs 0
rxOverrun 0, rxLenErrs 0, txUnderrun 0
DCD=up
rate=2048000 bps

# Ping the IP address of the peer interface serial1/0 on Device1.


Device1#ping 1.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 1.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

• In the CE1 unframed mode, the ":" in the generated interface name is followed by the number 0.
• The encapsulation type of the CE1 interface is HDLC by default, so the encapsulation type does not need to be configured for the interfaces. Run the show interface command to confirm that Type is set to HDLC. If other WAN protocols need to be configured, refer to the WAN protocol-related documentation.


6.3.2 Configure CE1 Framing Mode

Network Requirements

• Use a cable to connect the CE1 interfaces of Device1 and Device2. The CE1 interface is configured in the framing mode. The interface encapsulation type is HDLC, which enables communication between Device1 and Device2.

Network Topology

Figure 6–2 Networking of configuring the CE1 framing mode

Configuration Steps

Step 1: Configure the framing mode for the CE1 controller. Channel 0 uses timeslots from 0 to 10 and channel 1 uses timeslots from 11 to 20. serial1/0:0 and serial1/0:1 are automatically generated.

#Configure the CE1 interface of Device1.


Device1#configure terminal
Device1(config)#controller e1 1/0
Device1(config-controller)#channel-group 0 timeslots 1-10
Device1(config-controller)#channel-group 1 timeslots 11-20

#Configure the CE1 interface of Device2.


Device2#configure terminal
Device2(config)#controller e1 1/0
Device2(config-controller)#channel-group 0 timeslots 1-10
Device2(config-controller)#channel-group 1 timeslots 11-20

Step 2: Configure the clock mode for the CE1 controller. Device1 is configured with an internal clock and Device2 is configured with an external clock. The external clock is the default setting, so it does not need to be configured manually.

#Configure the CE1 interface of Device1.


Device1(config-controller)#clock source internal
Device1(config-controller)#exit

Step 3: Configure the IP addresses for all interfaces.

#Configure the IP addresses for serial1/0:0 and serial1/0:1 created in Step 2 on Device1.
Device1(config)#interface serial 1/0:0
Device1(config-if-serial1/0:0)#ip address 1.0.0.1 255.255.255.0
Device1(config-if-serial1/0:0)#exit
Device1(config)#interface serial 1/0:1
Device1(config-if-serial1/0:1)#ip address 2.0.0.1 255.255.255.0
Device1(config-if-serial1/0:1)#exit
Device1(config)#exit

#Configure the IP addresses for serial1/0:0 and serial1/0:1 created in Step 2 on Device2.
Device2(config)#interface serial 1/0:0
Device2(config-if-serial1/0:0)#ip address 1.0.0.2 255.255.255.0
Device2(config-if-serial1/0:0)#exit
Device2(config)#interface serial 1/0:1
Device2(config-if-serial1/0:1)#ip address 2.0.0.2 255.255.255.0
Device2(config-if-serial1/0:1)#exit
Device2(config)#exit

Step 4: Check the result.

#View the status of serial1/0:0 and serial1/0:1 on Device1.


Device1#show interface serial 1/0:0
serial1/0:0:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Internet address: 1.0.0.1/24
Destination Internet address: 1.0.0.2
Metric: 0, MTU: 1500, BW: 640 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 52 bits/sec, 0 hour 5 minutes 32 seconds ago
output peak rate 52 bits/sec, 0 hour 5 minutes 32 seconds ago
5 minutes input rate 26 bits/sec, 0 packet/sec
5 minutes output rate 26 bits/sec, 0 packet/sec
69 packets received; 69 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
hdlc version: 3.5
rxFrames 69, rxChars 1656
txFrames 69, txChars 1656
rxNoOctet 0, rxAbtErrs 0, rxCrcErrs 0
rxOverrun 0, rxLenErrs 0, txUnderrun 0
DCD=up
rate=640000 bps

Device1#show interface serial 1/0:1


serial1/0:1:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Internet address: 2.0.0.1/24
Destination Internet address: 2.0.0.2
Metric: 0, MTU: 1500, BW: 640 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 69 bits/sec, 0 hour 5 minutes 21 seconds ago
output peak rate 69 bits/sec, 0 hour 5 minutes 21 seconds ago
5 minutes input rate 26 bits/sec, 0 packet/sec
5 minutes output rate 29 bits/sec, 0 packet/sec
125 packets received; 125 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
hdlc version: 3.5
rxFrames 125, rxChars 3290
txFrames 125, txChars 3290
rxNoOctet 0, rxAbtErrs 0, rxCrcErrs 0
rxOverrun 0, rxLenErrs 0, txUnderrun 0
DCD=up
rate=640000 bps

# Ping the IP addresses of the peer interfaces serial 1/0:0 and serial 1/0:1 from Device1; both pings succeed.
Device1#ping 1.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 1.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

Device1#ping 2.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 2.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

• serial1/0:0 and serial1/0:1 in the network topology are two logical interfaces on one physical interface. Because the two interfaces communicate independently, the two solid lines in the topology indicate two logical channels, which are actually carried on one physical channel.
• When the CE1 interface is configured in the framing mode, the timeslots used by both ends must be the same. For example, in the preceding case, Device1 uses timeslots 1 to 10 and timeslots 11 to 20, so Device2 must also use timeslots 1 to 10 and timeslots 11 to 20. Otherwise, the port cannot come up.
• In the CE1 unframed mode, the ":" contained in the interface name indicates the channel number.
• The encapsulation type of the CE1 interface is HDLC by default, so the encapsulation type does not need to be configured for the interfaces. Run the show interface command to confirm that Type is set to HDLC. If other WAN protocols need to be configured, refer to the WAN protocol-related documentation.
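
The timeslot rules in the CE1 notes above (start smaller than end, no timeslot in two channels, identical timeslots at both ends) and the N x 64 kbit/s bandwidths seen in the show interface outputs of the E1 CAS/CCS and CE1 examples can be checked before a configuration is applied. The following Python sketch is an added example, not vendor code; the function names are hypothetical, the faulty peer is constructed, and excluding timeslot 16 from the CAS bandwidth is inferred from the 1216 Kbps and 1280 Kbps outputs.

```python
import re

SLOT_KBPS = 64    # each E1/CE1 timeslot carries 64 kbit/s
TOTAL_SLOTS = 32  # timeslots are numbered 0-31
CHANNEL_RE = re.compile(r"channel-group\s+(\d+)\s+timeslots\s+(\d+)-(\d+)")


def parse_controller(config_text):
    """Parse the channel-group lines of one CE1 controller.

    Returns (channels, errors). channels maps a channel number to its set of
    timeslots; errors lists each violation of the rules in the notes.
    Assumption: a channel-group that breaks a rule is left out of channels,
    modelling "interfaces cannot be generated".
    """
    channels, errors, used = {}, [], {}
    for match in CHANNEL_RE.finditer(config_text):
        chan, start, end = (int(g) for g in match.groups())
        if start >= end:
            errors.append(f"channel {chan}: start {start} is not smaller than end {end}")
            continue
        if end >= TOTAL_SLOTS:
            errors.append(f"channel {chan}: timeslot {end} is outside 0-{TOTAL_SLOTS - 1}")
            continue
        slots = set(range(start, end + 1))
        clash = sorted(s for s in slots if s in used)
        if clash:
            owners = sorted({used[s] for s in clash})
            errors.append(f"channel {chan}: timeslots {clash} already used by channel(s) {owners}")
            continue
        for slot in slots:
            used[slot] = chan
        channels[chan] = slots
    return channels, errors


def bandwidth_kbps(slots, cas_signaling_slot=None):
    """N x 64 kbit/s; in E1 CAS mode the signaling timeslot carries no data."""
    data_slots = set(slots)
    if cas_signaling_slot is not None:
        data_slots.discard(cas_signaling_slot)
    return len(data_slots) * SLOT_KBPS


def compare_peers(local, remote):
    """Return the mismatches between both ends; an empty list means they agree."""
    problems = []
    for chan in sorted(set(local) | set(remote)):
        if chan not in local or chan not in remote:
            problems.append(f"channel {chan}: configured on one end only")
        elif local[chan] != remote[chan]:
            problems.append(f"channel {chan}: timeslots differ between the two ends")
    return problems


# Device1 controller lines as shown in the configuration steps above.
DEVICE1 = """
controller e1 1/0
 channel-group 0 timeslots 1-10
 channel-group 1 timeslots 11-20
"""

# Constructed faulty peer: channel 1 overlaps channel 0, channel 2 is reversed.
BAD_PEER = """
controller e1 1/0
 channel-group 0 timeslots 1-10
 channel-group 1 timeslots 10-20
 channel-group 2 timeslots 25-21
"""

if __name__ == "__main__":
    d1, d1_errors = parse_controller(DEVICE1)
    peer, peer_errors = parse_controller(BAD_PEER)
    for chan, slots in d1.items():
        print(f"Device1 serial1/0:{chan} expected BW {bandwidth_kbps(slots)} Kbps")
    print("peer errors:", *peer_errors, sep="\n  ")
    print("mismatches:", *compare_peers(d1, peer), sep="\n  ")
    # E1 framing with timeslot 1-20: CAS keeps timeslot 16 for signaling.
    e1_slots = range(1, 21)
    print("E1 CAS:", bandwidth_kbps(e1_slots, cas_signaling_slot=16), "Kbps")
    print("E1 CCS:", bandwidth_kbps(e1_slots), "Kbps")
```

A bandwidth that differs from the BW field of show interface, or a non-empty mismatch list, points to the timeslot or mode disagreement that keeps the port from coming up.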


7 Synchronous/Asynchronous Serial Interface

7.1 Overview

Generally, voltage fluctuation on a conductor or cable is used to transmit data among data communication devices. During the communication, if a byte is transmitted over multiple channels, this is called parallel communication. Conversely, if data is transmitted over the channel bit by bit, this is called serial communication.

In parallel communication, the data bits of one character are transmitted over different channels, so the data is transmitted at high speed. When eight data bits are transmitted in parallel, at least eight data channels and one common channel are required, and sometimes control channels such as a status channel and a response channel are also required. This is expensive and inconvenient for long-distance transmission. In serial communication, only two channels are required, which is cost effective for long-distance transmission. However, serial communication can transmit only one bit at a time, resulting in slow transmission speed. With the improvement of the communication signal frequency, the slow transmission speed problem has been solved. Serial communication is generally applied to synchronous and asynchronous serial interface communication.

The synchronous/asynchronous serial interface is a slow WAN interface that can encapsulate WAN protocols such as HDLC and PPP. It is divided into the synchronous serial interface and the asynchronous serial interface.

7.1.1 Synchronous Serial Interface

In the channel, the amplitude and pulse width are used to specify the data pulse signal.
The receiving end samples the received signal by a certain clock serial number.
Therefore, timing is an important factor to correctly receive and transmit data.

The synchronous/asynchronous serial interface is called the synchronous serial interface when it works in the synchronous mode, in which it adopts the synchronous transmission mode. In synchronous transmission, characters are transmitted in frame groups. Special synchronous characters, a special bit group placed at the start of each frame, inform the receiving end that a frame has arrived and trigger the synchronous clock to start transmitting or receiving data. The receiving end starts to receive data when it correctly receives the synchronous characters. The synchronous serial interface obtains the timing signal in the following way: the timing information is contained in the data flow, and the timing signal must be easy to extract from the data flow. In this way, no special signal channel is required to transmit the clock. The synchronous serial interface works at the DTE (Data Terminal Equipment) or DCE (Data Circuit-terminating Equipment) end, and whether a clock needs to be configured depends on this work mode. The clock is provided by the DCE end.

7.1.2 Asynchronous Serial Interface

The synchronous/asynchronous serial interface is called the asynchronous serial interface when it works in the asynchronous mode, in which it adopts the asynchronous transmission mode. Asynchronous communication has a low hardware requirement and makes it simple to transmit and receive data at random times. In asynchronous transmission, a start bit and an end bit are added to each character to separate the characters. Because synchronization is created for every character, that is, two extra bits (start bit and end bit) are added to each character, the transmission rate is low. The asynchronous serial interface needs a clock to ensure normal data receiving. Unlike the synchronous serial interface with its synchronous clock, the asynchronous serial interface requires the same clock rate to be configured on the devices at both ends. Otherwise, normal communication cannot be achieved.

7.2 Synchronous/Asynchronous Serial Interface Function Configuration

Table 7-1 Function configuration list of synchronous/asynchronous serial interface

| Configuration Task | |
|---|---|
| Configure the synchronous/asynchronous serial interface work mode | Configure the synchronous/asynchronous serial interface work mode |
| Configure the synchronous serial interface | Configure the synchronous/asynchronous serial interface clock rate |
| | Configure the synchronous serial interface line coding |
| | Configure the synchronous serial interface idle transmission character |
| | Configure the synchronous serial interface clock rate |
| Configure the asynchronous serial interface | Configure the asynchronous serial interface clock rate |
| | Configure the asynchronous serial interface data bit length |
| | Configure the asynchronous serial interface end length |
| | Configure the asynchronous serial interface flow control mode |
| | Configure the asynchronous serial interface verification mode |
| Configure the data transmitting and receiving condition of the synchronous/asynchronous serial interface | Configure the synchronous/asynchronous serial interface data receiving and transmitting condition |

7.2.1 Configure Synchronous/Asynchronous Serial Interface Work mode

The synchronous/asynchronous serial interface works in the synchronous mode or the asynchronous mode.

Configuration Condition

None

Configure the synchronous/asynchronous Serial Interface Work Mode

Table 7-2 Configure the synchronous/asynchronous serial interface work mode

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the synchronous/asynchronous serial interface work mode | physical-layer { async \| sync } | Optional. By default, the synchronous/asynchronous serial interface works in the sync mode. |

7.2.2 Configure Synchronous Serial Interface

Configuration Condition

Before configuring the synchronous serial interface, first complete the following task:

• The interface works in the synchronous mode.

Configure Synchronous Serial Interface Clock Rate

During data transmission, both frame synchronization and clock synchronization must be ensured. Packet loss may occur when the clock is not synchronized. Therefore, a unified clock must be used: one end is configured with an internal clock and the other end is configured with a line clock, which ensures a unified clock on the line. Avoid configuring clocks on the devices at both ends. Otherwise, the interfaces may be unable to communicate because of clock chaos. Generally, the clock is configured at the DCE. When the device operates as the DTE, it does not need to be configured with a clock; it transmits and receives data using the clock provided by the DCE. When the device operates as the DCE, it needs to be configured with a clock; it transmits and receives data using its own configured clock and also provides the clock for other devices. The V.35 or V.24 mode, which is determined by the connected cable, determines the highest clock rate that can be configured.

The synchronous serial interface clock rate needs to be configured under interfaces.

Table 7-3 Configure the synchronous serial interface clock rate

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the synchronous serial interface clock rate | clock rate rate-value | Mandatory. By default, the clock rate is not configured. Value range: 1200, 2400, 4800, 9600, 19200, 38400, 56000, 64000, 72000, 125000, 128000, 148000, 250000, 500000, 800000, 1000000, 1300000, 2000000 |

• Run the show interface command to view whether the interface works in the DCE or DTE mode.
• When the synchronous serial interface of the device works in the DCE mode, a clock needs to be configured. The device also provides the external clock for other devices.
• When the synchronous serial interface of the device works in the DTE mode, it obtains the clock from the DCE.
• In the V.24 mode, the clock rate of the interface can reach a maximum of 128 kbit/s.
• In the V.35 mode, the clock rate of the interface can reach a maximum of 2 Mbit/s.

Configure Synchronous Serial Interface Line Coding

The E1 receiving and transmitting directions are independent and do not interfere with each other. Because the clock is extracted from the line signal, no independent clock line is needed. The line coding is usually NRZI or NRZ.

The synchronous serial interface line coding needs to be configured under interfaces.

Table 7-4 Configure the synchronous serial interface line coding

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the synchronous serial interface line coding | nrzi-encoding | Optional. By default, the line coding method is NRZ. |

- By default, the NRZ coding method is adopted and no coding command is configured. The only way to restore the NRZ coding method is to run the no nrzi-encoding command.
- The synchronous serial interfaces at both ends of the line must be configured with the same line coding method. Otherwise, the interface cannot communicate normally.

Configure Synchronous Serial Interface Idle Transmission Character

This section mainly describes the characters transmitted over the line when the
synchronous serial interface is idle.

The idle transmission character of the synchronous serial interface must be configured
under interfaces.

Table 7-5 Configure the synchronous serial interface idle transmission character

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the idle transmission character of the synchronous serial interface | idle-character { flags \| marks } | Optional. By default, the idle transmission character is flags. |

- When the idle transmission character is set to flags, the character actually transmitted on the line is 7E.
- When the idle transmission character is set to marks, the character actually transmitted on the line is FF.

Configure Synchronous Serial Interface Clock Rotation

Because of the long line and fast clock, the clock may be delayed by more than half a period and less than one period. As a result, packets cannot be received and transmitted normally. In this case, the following command can be configured to rotate the clock, adjusting it by half a period.

Table 7-6 Configure the synchronous serial interface clock rotation

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the synchronous serial interface clock rotation | clock invert { rxclk \| txclk } | Mandatory. By default, the clock rotation is not configured. |

- The clock frequency of different devices may be different and the clock rotation needs to be configured.

7.2.3 Configure Asynchronous Serial Interface

Configuration Condition

Before configuring the asynchronous serial interface, first complete the following task:

- The interface works in the asynchronous mode.

Configure Asynchronous Serial Interface Clock Rate

The clock rate of the asynchronous serial interface can reach a maximum of 115200 kbit/s. Both devices must be configured with the same clock rate for normal communications.

The asynchronous serial interface clock rate must be configured under devices.

Table 7-7 Configure the asynchronous serial interface clock rate

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the clock rate for the asynchronous serial interface | speed speed-value | Optional. By default, the clock rate is 9600 bit/s. Value range: 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200 |

Configure Asynchronous Serial Interface Data Bit Length

Configure the number of bits occupied by data when a character is transmitted over the line. By default, the data of a character occupies 8 bits.

The data bit length of the asynchronous serial interface must be configured under interfaces.

Table 7-8 Configure asynchronous serial interface data bit length

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure asynchronous serial interface data bit length | databits { 5 \| 6 \| 7 \| 8 } | Mandatory. By default, the data bit length is 8 bits. |

- After 5, 6, or 7 data bits are configured, communication exceptions may occur unless data with the corresponding number of bits is sent on the interface.
- When the data bit length configured on the interface is 5, the stop bit length of the interface must first be configured to 2. Because the ASCII code is 7 bits, at least 7 bits must be configured during the transmission.

Configure Asynchronous Serial Interface Stop Bit Length

Configure the number of bits occupied by the stop bit when a character is transmitted over the line. By default, 1 bit is occupied.

The stop bit length of the asynchronous serial interface must be configured under
interfaces.

Table 7-9 Configure the asynchronous serial interface stop bit length

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the stop bit length of the asynchronous serial interface | stopbits { 1 \| 2 } | Optional. By default, the stop bit length is 1 bit. |

Configure Asynchronous Serial Interface Flow Control Mode

Flow control is used to avoid packet loss that occurs when the sending device transmits faster than the receiving device can receive. The flow control mode is divided into hardware flow control and software flow control.

The software flow control indicates that the receiving end informs the sending end to
send or not send data using special characters.

The hardware flow control indicates the receiving end uses the hardware control signal
line on the interface to inform the sending end to send or not send data. Compared with
the software flow control, the sending end of the hardware flow control does not need
to insert the flow control character in the data flow. The receiving end does not need to
check whether the flow control character is received.

Generally, the hardware flow control has a higher transmission rate than the software
flow control. When the control signal line is incomplete, the software flow control is
adopted.

The flow control mode of the asynchronous serial interface must be configured under
interfaces.

Table 7-10 Configure the flow control mode of the asynchronous serial interface

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the flow control mode for the asynchronous serial interface | flow-control { hardware \| none \| software } | Mandatory. By default, the flow control mode is not configured. |

Configure Asynchronous Serial Interface Verification Mode

Verification (parity checking) helps ensure data correctness. The verification mode is one of odd, mark, even, and space. In odd mode, the parity bit is set so that the number of 1 bits in the character, parity bit included, is odd. In mark mode, the parity bit is always 1. In even mode, the parity bit is set so that the number of 1 bits in the character, parity bit included, is even. In space mode, the parity bit is always 0.

The verification mode of the asynchronous serial interface must be configured under
interfaces.

Table 7-11 Configure the asynchronous serial interface verification mode

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the verification mode for the asynchronous interface | parity { even \| mark \| none \| odd \| space } | Mandatory. By default, the verification mode is not configured. |
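
The data bit, stop bit, and verification settings above together define how each character is framed on the line. The following Python sketch is an added example, not code from the manual or the vendor: it builds and checks frames using the standard asynchronous framing (start bit 0, data bits least significant bit first, optional parity bit, stop bits 1), and all function names are hypothetical.

```python
from typing import List, Optional

PARITY_MODES = ("none", "even", "odd", "mark", "space")


def parity_bit(data: List[int], mode: str) -> Optional[int]:
    """Parity bit for the given data bits under each mode of the parity command."""
    if mode not in PARITY_MODES:
        raise ValueError(f"unknown parity mode: {mode}")
    ones = sum(data)
    return {"none": None,
            "even": ones % 2,       # makes the total number of 1 bits even
            "odd": 1 - ones % 2,    # makes the total number of 1 bits odd
            "mark": 1,              # always 1
            "space": 0}[mode]       # always 0


def frame_bits(databits: int, parity: str, stopbits: int) -> int:
    """Bits on the line per character: start + data + optional parity + stop."""
    return 1 + databits + (0 if parity == "none" else 1) + stopbits


def encode_frame(value: int, databits: int = 8, parity: str = "none",
                 stopbits: int = 1) -> List[int]:
    if databits not in (5, 6, 7, 8) or stopbits not in (1, 2):
        raise ValueError("unsupported databits/stopbits")
    if not 0 <= value < (1 << databits):
        raise ValueError("value does not fit in the configured data bits")
    data = [(value >> i) & 1 for i in range(databits)]   # LSB first
    frame = [0] + data                                   # start bit
    p = parity_bit(data, parity)
    if p is not None:
        frame.append(p)
    return frame + [1] * stopbits


def decode_frame(frame: List[int], databits: int = 8, parity: str = "none",
                 stopbits: int = 1) -> int:
    """Receiver side: raise ValueError on a framing or parity error."""
    if len(frame) != frame_bits(databits, parity, stopbits) or frame[0] != 0:
        raise ValueError("framing error")
    data = frame[1:1 + databits]
    pos = 1 + databits
    if parity != "none":
        if frame[pos] != parity_bit(data, parity):
            raise ValueError("parity error")
        pos += 1
    if any(bit != 1 for bit in frame[pos:]):
        raise ValueError("framing error: stop bit")
    return sum(bit << i for i, bit in enumerate(data))


def detects_all_data_bit_flips(value: int, parity: str, databits: int = 8) -> bool:
    """True if every single-bit corruption of the data bits is rejected."""
    for i in range(databits):
        frame = encode_frame(value, databits, parity)
        frame[1 + i] ^= 1
        try:
            decode_frame(frame, databits, parity)
        except ValueError:
            continue
        return False
    return True


def payload_bits_per_second(speed: int, databits: int = 8, parity: str = "none",
                            stopbits: int = 1) -> float:
    """Useful data rate at a given 'speed' once framing overhead is removed."""
    return speed * databits / frame_bits(databits, parity, stopbits)


if __name__ == "__main__":
    print(encode_frame(0x41, parity="even"))
    print({m: detects_all_data_bit_flips(0x41, m) for m in PARITY_MODES})
    print(payload_bits_per_second(115200))
```

Only even and odd detect a corrupted data bit; mark, space, and none do not. A sender at 8 data bits with no parity and a receiver at 7 data bits with even parity use the same frame length, so the mismatch shows up as parity errors on some characters rather than on all of them.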

7.2.4 Configure Synchronous/Asynchronous Serial Interface Data Receiving and Transmitting Condition

Configuration Condition

Before configuring the data receiving and transmitting condition of the synchronous/asynchronous serial interface, first complete the following task:

- The interface works in the synchronous mode or the asynchronous mode.

Configure the Synchronous/Asynchronous Serial Interface Data Receiving and Transmitting Condition

The synchronous/asynchronous serial interface follows the RS-232-C standard. The RS-232-C standard defines many signal lines, most commonly data signal lines and control signal lines.

DSR (Data Set Ready) signal line: When the interface is up, the data communication
terminal is ready for use.

DTR (Data Terminal Ready) signal line: When the interface is up, the data
communication terminal is ready for use.

The preceding two signals are valid immediately when powering on. This only indicates
that the device is available, instead of indicating that the device is ready for
communications. Whether the communication is available is determined by the
following control signal.

RTS (Request To Send) signal line: When the DTE requests to send data to the DCE, that is, when the terminal begins to send data, this signal is sent to the communication device and goes up. It controls whether the communication terminal will enter the sending status.

CTS (Clear To Send) signal line: It indicates the response signal to the RTS when the
DCE is ready to receive the data sent by the DTE. When the communication terminal is
ready to receive the data sent by the terminal, the signal is up and the terminal is
informed to send data.

DCD (Data Carrier Detection) signal line: It indicates that the DCE is connected to the
communication link and informs that the DTE is ready to receive data.

Generally, when all control signal lines are valid, the interfaces can communicate normally. When the control signal lines are incomplete, you can run the following command to change the condition for receiving and transmitting data so that the synchronous/asynchronous serial interface can communicate normally.

The condition for receiving and transmitting data of the synchronous/asynchronous serial interface must be configured under interfaces.

Table 7-12 Configure the synchronous/asynchronous serial interface data receiving and transmitting condition

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure the condition for receiving and transmitting data of the synchronous/asynchronous serial interface | tx-on { cts \| dcd \| dcd-dsr \| dsr } | Optional. By default, the condition for receiving and transmitting data is dcd-dsr. |

7.2.5 Synchronous/Asynchronous Serial Interface Monitoring and Maintaining

Table 7-13 Synchronous/Asynchronous serial interface monitoring and maintaining

| Command | Description |
| --- | --- |
| show interface interface-name | View the interface information |

7.3 Typical Configuration Example of Synchronous/Asynchronous Serial Interface

7.3.1 Configure Interconnection in Synchronous Serial Mode

Network Requirements

- Device1 connects to Device2 via the synchronous/asynchronous serial interface. Data communicates in the synchronous serial mode.

- Device1 acts as the DTE and Device2 acts as the DCE.

Network Topology

Figure 7-1 Networking of interconnection in the synchronous serial mode

Configuration Steps

Step 1: Configure the interface in the synchronous serial mode. Configure the IP address on the
interface and encapsulate the protocol.

#Configure Device1.
Device1#configure terminal
Device1(config)#interface serial 1/0
Device1(config-if-serial1/0)#ip address 2.0.0.1 255.255.255.0
Device1(config-if-serial1/0)#encapsulation ppp
Device1(config-if-serial1/0)#exit

#Configure Device2.
Device2#configure terminal
Device2(config)#interface serial 1/0
Device2(config-if-serial1/0)#ip address 2.0.0.2 255.255.255.0
Device2(config-if-serial1/0)#encapsulation ppp
Device2(config-if-serial1/0)#exit

Step 2: Configure the Interface clock rate.

#Configure Device2.
Device2(config)#interface serial 1/0
Device2(config-if-serial1/0)#clock rate 2000000

When the clock rate for the interface is configured, the device works in the DCE mode.

Step 3: Check the result.

#View the serial interface status on Device1.


Device1#show interface serial 1/0
serial1/0:
line protocol is up
Flags: (0x80080f1) POINT-TO-POINT MULTICAST RUNNING
Type: PPP
Internet address: 2.0.0.1/24
Destination Internet address: 2.0.0.2
Metric: 0, MTU: 1500, BW: 2000 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 52 bits/sec, 0 hour 0 minute 40 seconds ago
output peak rate 52 bits/sec, 0 hour 0 minute 40 seconds ago
5 minutes input rate 0 bit/sec, 0 packet/sec
5 minutes output rate 0 bit/sec, 0 packet/sec
27 packets received; 67 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
LCP:OPENED
IPCP:OPENED
encap-type: simply PPP
rxFrames: 27, rxChars: 346
txFrames: 26, txChars: 320
rxNoOctet: 0, rxAbtErrs: 0, rxCrcErrs: 0
rxOverrun: 0, rxLenErrs: 0, txUnderrun: 0
idle flag, encode NRZ
You insert DTE line,V35 model
DCD=up DSR=up DTR=up RTS=up CTS=up TxC=up

#View the serial interface status on Device2.


Device2#show interface serial 1/0
Serial1/0:
line protocol is up
Flags: (0x80080f1) POINT-TO-POINT MULTICAST RUNNING
Type: PPP
Internet address: 2.0.0.2/24
Destination Internet address: 2.0.0.1
Metric: 0, MTU: 1500, BW: 2000 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters at: 0 hour 11 minutes 7 seconds
input peak rate 25 bits/sec, 0 hour 0 minute 15 seconds ago
output peak rate 33 bits/sec, 0 hour 0 minute 5 seconds ago
40 seconds input rate 0 bit/sec, 0 packet/sec
40 seconds output rate 0 bit/sec, 0 packet/sec
11 packets received; 12 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
LCP:OPENED
IPCP:OPENED
encap-type: simply PPP
rxFrames: 11, rxChars: 132
txFrames: 12, txChars: 152
rxNoOctet: 0, rxAbtErrs: 0, rxCrcErrs: 0
rxOverrun: 0, rxLenErrs: 0, txUnderrun: 0
idle flag, encode NRZ
You insert DCE line,V35 model
DCD=up DSR=up DTR=up RTS=up CTS=up TxC=up
Rate = 2000000 bps

Running the show interface command on Device1 shows that the interface status is up and that the IP address of the peer device has been obtained.

#Ping the IP address of the peer device on Device1. The ping succeeds.
Device1#ping 2.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 2.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

- Whether the synchronous/asynchronous serial interface works in the V35 or V24 mode is determined by the cable connected to the interface card.
- Different work modes of the device require different cables on the interface. In the actual scenario, our device works in the DTE mode. Use the DTE cable for physical connection.
- When configuring the clock rate, if the "Warning: The line is DTE, can not set clock rate." message is displayed, it indicates that the interface works in the DTE mode and you cannot configure the clock.
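
The result check in Step 3 can be automated by comparing the show interface output from both ends against the rules in this chapter: one DCE supplying a valid clock, the same line coding at both ends, control signals up, and clean error counters. The following Python sketch is an added example, not code from the manual or the vendor; the function names are hypothetical, the two healthy samples are trimmed from the outputs above, and the faulty sample (including the "encode NRZI" wording) is constructed.

```python
import re
from typing import Any, Dict, List, Optional

# Clock rates accepted by "clock rate" (Table 7-3) and the per-cable maxima
# from the notes in 7.2.2, in bit/s.
VALID_RATES = {1200, 2400, 4800, 9600, 19200, 38400, 56000, 64000, 72000,
               125000, 128000, 148000, 250000, 500000, 800000, 1000000,
               1300000, 2000000}
MAX_RATE = {"V24": 128_000, "V35": 2_000_000}
ERROR_COUNTERS = ("rxAbtErrs", "rxCrcErrs", "rxOverrun", "rxLenErrs", "txUnderrun")

# Trimmed copy of the Device1 output shown in Step 3.
DEVICE1_OUT = """serial1/0:
line protocol is up
LCP:OPENED
IPCP:OPENED
rxNoOctet: 0, rxAbtErrs: 0, rxCrcErrs: 0
rxOverrun: 0, rxLenErrs: 0, txUnderrun: 0
idle flag, encode NRZ
You insert DTE line,V35 model
DCD=up DSR=up DTR=up RTS=up CTS=up TxC=up
"""
# Device2 differs in the fields used here only by its role and the Rate line.
DEVICE2_OUT = DEVICE1_OUT.replace("DTE line", "DCE line") + "Rate = 2000000 bps\n"
# Constructed faulty variant; "encode NRZI" is an assumed rendering of NRZI.
FAULTY_DEVICE2_OUT = (DEVICE2_OUT.replace("encode NRZ", "encode NRZI")
                      .replace("rxCrcErrs: 0", "rxCrcErrs: 12")
                      .replace("CTS=up", "CTS=down"))


def _first(pattern: str, text: str) -> Optional[str]:
    match = re.search(pattern, text)
    return match.group(1) if match else None


def parse_show_interface(text: str) -> Dict[str, Any]:
    """Extract the fields the link check needs from 'show interface' output."""
    role = re.search(r"You insert (DTE|DCE) line,\s*(V\d+) model", text)
    rate = _first(r"Rate = (\d+) bps", text)
    counters = re.findall(r"\b(%s): (\d+)" % "|".join(ERROR_COUNTERS), text)
    return {
        "protocol_up": "line protocol is up" in text,
        "lcp": _first(r"LCP:(\w+)", text),
        "ipcp": _first(r"IPCP:(\w+)", text),
        "encode": _first(r"encode (\w+)", text),
        "role": role.group(1) if role else None,
        "cable": role.group(2) if role else None,
        "rate": int(rate) if rate else None,
        "signals": dict(re.findall(r"\b(DCD|DSR|DTR|RTS|CTS|TxC)=(\w+)", text)),
        "errors": {name: int(value) for name, value in counters},
    }


def audit_end(name: str, info: Dict[str, Any]) -> List[str]:
    """Checks that concern one end of the link only."""
    findings = []
    if not info["protocol_up"]:
        findings.append(f"{name}: line protocol is not up")
    for proto in ("lcp", "ipcp"):
        if info[proto] != "OPENED":
            findings.append(f"{name}: {proto.upper()} state is {info[proto]}")
    down = sorted(sig for sig, state in info["signals"].items() if state != "up")
    if down:
        findings.append(f"{name}: control signals not up: {', '.join(down)}")
    nonzero = {k: v for k, v in info["errors"].items() if v}
    if nonzero:
        findings.append(f"{name}: non-zero error counters: {nonzero}")
    if info["role"] == "DCE":
        rate, cable = info["rate"], info["cable"]
        if rate is None:
            findings.append(f"{name}: DCE end shows no clock rate")
        elif rate not in VALID_RATES:
            findings.append(f"{name}: clock rate {rate} is not a listed value")
        elif rate > MAX_RATE.get(cable, 0):
            findings.append(f"{name}: clock rate {rate} exceeds the {cable} maximum")
    return findings


def audit_link(end_a: str, end_b: str) -> List[str]:
    """Per-end checks plus the checks that need both ends."""
    a, b = parse_show_interface(end_a), parse_show_interface(end_b)
    findings = audit_end("end A", a) + audit_end("end B", b)
    if {a["role"], b["role"]} != {"DTE", "DCE"}:
        findings.append(f"roles are {a['role']}/{b['role']}: "
                        "exactly one end must be the DCE that supplies the clock")
    if a["encode"] != b["encode"]:
        findings.append(f"line coding differs: {a['encode']} vs {b['encode']}")
    return findings


if __name__ == "__main__":
    for finding in audit_link(DEVICE1_OUT, FAULTY_DEVICE2_OUT) or ["link looks healthy"]:
        print(finding)
```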

7.3.2 Configure Interconnection in Asynchronous Serial Mode

Network Requirements

- Device1 connects to Device2 via the synchronous/asynchronous serial interface. Data communicates in the asynchronous serial mode.

Network Topology

Figure 7-2 Networking of interconnection in the asynchronous serial mode

Configuration Steps

Step 1: Configure the interface in the asynchronous serial mode. Configure the IP address on
the interface and encapsulate the protocol.

#Configure Device1.
Device1#configure terminal
Device1(config)#interface serial 1/0
Device1(config-if-serial1/0)#physical-layer async
Device1(config-if-serial1/0)#ip address 2.0.0.1 255.255.255.0
Device1(config-if-serial1/0)#encapsulation ppp
Device1(config-if-serial1/0)#exit

#Configure Device2.
Device2#configure terminal
Device2(config)#interface serial 1/0
Device2(config-if-serial1/0)#physical-layer async
Device2(config-if-serial1/0)#ip address 2.0.0.2 255.255.255.0
Device2(config-if-serial1/0)#encapsulation ppp
Device2(config-if-serial1/0)#exit

Step 2: Configure the interface transmission rate.

#Configure Device1.
Device1(config)#interface serial 1/0
Device1(config-if-serial1/0)#speed 115200
Device1(config-if-serial1/0)#exit

#Configure Device2.
Device2(config)#interface serial 1/0
Device2(config-if-serial1/0)#speed 115200
Device2(config-if-serial1/0)#exit

Step 3: Check the result.

# View the serial interface status on Device1.


Device1#show interface serial 1/0
serial1/0:
line protocol is up
Flags: (0x80080f1) POINT-TO-POINT MULTICAST RUNNING
Type: PPP
Internet address: 2.0.0.1/24
Destination Internet address: 2.0.0.2
Metric: 0, MTU: 1500, BW: 10 Kbps, DLY: 20000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters at: 22 hours 8 minutes 58 seconds
input rate 0 bit/sec, 0 packet/sec
output rate 0 bit/sec, 0 packet/sec
2 packets received; 2 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
LCP:OPENED
IPCP:OPENED
encap-type: simply PPP
rxFrames: 2, rxChars: 24
txFrames: 2,txChars: 24
rxNoOctet: 0, rxAbtErrs: 0, rxCrcErrs: 0
rxOverrun: 0, rxLenErrs: 0, txUnderrun: 0
speed 115200, dataBits 8, stopBits 1
parity none, flow-control none, tx-on dcd-dsr
You insert DTE line,V35 model
DCD=up DSR=up DTR=up RTS=up CTS=up

Running the show interface command on Device1 shows that the interface status is up and that the IP address of the peer device has been obtained. The interface works in the asynchronous mode.

#Ping the IP address of the peer device on Device1. The ping succeeds.
Device1#ping 2.0.0.2

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 2.0.0.2 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 0/0/0 ms.

- Generally, the data bit and stop bit lengths of the asynchronous serial interface are left at their default values.

8 3G Interface
8.1 Overview

3G (3rd Generation) refers to the third-generation mobile communication technology. Compared with 1G and 2G systems such as GSM and TDMA, 3G is a new generation of mobile communication system that combines wireless communication with multimedia communication such as the network. 3G technology can process multiple media formats such as images, music, and videos, and provides information services including web browsing, teleconferencing, and e-commerce. To provide these services, the wireless network must support different data transmission rates: 2 Mbps indoors, 384 kbps outdoors, and 144 kbps while driving. CDMA is considered the first choice for 3G technology. Internationally, the three most representative 3G standards are CDMA2000, WCDMA, and TD-SCDMA. CDMA2000 and WCDMA use the FDD (Frequency Division Duplexing) mode, and TD-SCDMA uses the TDD (Time Division Duplexing) mode.

8.1.1 3G Application Scenario

Data communication over the 3G wireless network is available when a 3G communication module, such as a USB adapter or a 3G board card, is inserted into the device. The specific application scenario is shown in the following figure.

Figure 8-1 3G application scenario

As the preceding figure shows, the device communicates wirelessly with the operator's NodeB through the 3G communication module and finally exchanges data with the WAN through the operator. Different 3G communication modules and different SIM cards determine different operators and different network modes. However, across the overall application scenario, the data communication methods differ only slightly.

8.2 3G Function Configuration

Table 8-1 3G configuration list

| Configuration Task | |
| --- | --- |
| Configure dialing access point | Configure APN dialing access point |
| Configure the SIM card safety function | Enable the PIN code function |
| | Authenticate the PIN code manually |
| | Authenticate the PIN code automatically |
| | Modify the PIN code |
| | Unblock the PIN code |
| | Configure IMSI binding function |
| Configure the network mode | Configure the auto network mode |
| | Configure the 3G network mode |
| | Configure the 2G network mode |
| Configure the signal function | Configure the signal change notification range |
| | Configure the interface switching policy under the dual-3G mode |
| Configure the abnormal recovery function | Configure the timeout for the 3G communication module automatic restart |
| | Configure the host restart function when the 3G card fails to be loaded repeatedly |

8.2.1 Configure Dialing Access Point

3G dialing function configuration means setting the dialing access points as required by
the operator. This ensures successful dialing and data connection with the operator.

Configuration Condition

None

Configure Dialing Access Point

Configure the dialing access point according to the dialing requirement of the carrier, mainly by setting the access server name.

Table 8-2 Configure the dialing access point

| Step | Command | Description |
| --- | --- | --- |
| Configure the dialing access points for the 3G communication module in the specified slot in the privileged user mode | cellular interface-name configure apn-config apn-set apn | Mandatory. By default, apn indicates the public network APN access server name of the carrier. |

Clear Dialing Access Point

Clear the access server name.

Table 8-3 Clear the dialing access point

| Step | Command | Description |
| --- | --- | --- |
| Configure the dialing access points for the 3G communication module in the specified slot in the privileged user mode | cellular interface-name configure apn-config apn-clear | Optional |

8.2.2 Configure SIM Card Safety Function

SIM card safety function mainly provides PIN code protection and IMSI binding,
protecting the right of using the 3G module.

The SIM (subscriber identity module), also called the subscriber identity card, records
the user identity data and information.

PIN (Personal Identification Number) code is the personal identity password of the SIM
card. The PIN code is set to 1234 or 0000 by default. If the PIN code is enabled, a
four-digit PIN code must be entered when powering on. The PIN code can be changed,
which is used to protect your own SIM card from being used by others.

PUK (PIN Unlocking Key) is the unblocking code of the PIN code. When the SIM card is locked because a wrong PIN code was entered, you can unblock it using the PUK code.

A unique IMSI (International Mobile Subscriber Identification Number) is allocated to every SIM card. This code is valid everywhere on the network, including roaming areas. The IMSI binding function binds the unique identifier of the SIM card with the slot number.

- When the wrong PIN code is entered three consecutive times, the SIM card is locked. You can then use the PUK code to unblock it. However, if the wrong PUK code is entered ten consecutive times, the SIM card is locked permanently.

Configuration Condition

None

Enable PIN Code

The right of using the SIM card is protected by enabling the PIN code. You must enter
the correct PIN code to use the SIM card.

Table 8-4 Enable the PIN code

| Step | Command | Description |
| --- | --- | --- |
| Enable the PIN code protection function for the 3G communication module in the specified slot in the privileged user mode | cellular interface-name security pin-enable pin code | Mandatory. By default, the PIN code protection function is not enabled. |

Authenticate PIN Code Manually

PIN code manual authentication means PIN code authentication by entering the
command manually every time.

Table 8-5 Authenticate the PIN code manually

| Step | Command | Description |
| --- | --- | --- |
| Authenticate the PIN code for the 3G communication module in the specified slot in the privileged user mode | cellular interface-name security pin-check pin code | Mandatory. By default, the PIN code is not authenticated manually. |

Authenticate PIN Code Automatically

In the PIN code automatic authentication mode, the PIN code is verified by presetting
the PIN code. The user only needs to configure the PIN code for one time and the
device will use the configured PIN code for authentication.

Table 8-6 Authenticate the PIN code automatically

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Configure the PIN code automatic authentication function for the 3G communication module in the specified slot | cellular interface-name security pin-check auto pin code | Mandatory. By default, the PIN code is not verified automatically. |

Change PIN Code

Changing the PIN code lets the user set a new PIN code. After the PIN code is changed, the new PIN code is used for authentication.

Table 8-7 Change the PIN code

| Step | Command | Description |
| --- | --- | --- |
| Change the PIN code for the 3G communication module in the specified slot in the privileged user mode | cellular interface-name security pin-change pin code new pin code | Mandatory. By default, the PIN code is not changed. |

Unblock PIN Code

If the SIM card is locked by entering the wrong PIN code for three consecutive times,
the user can enter the PUK code to unblock it and set new PIN code.

Table 8-8 Unblock the PIN code

| Step | Command | Description |
| --- | --- | --- |
| Unblock the PIN code and set the new PIN code using the PUK code for the 3G communication module in the specified slot in the privileged user mode | cellular interface-name security puk-check puk code pin code | Mandatory. By default, the PIN code is not unblocked. |
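
The lockout rules above (three wrong PIN entries lock the SIM card, ten wrong PUK entries lock it permanently) matter most with automatic authentication, where a stored PIN that is out of date is presented with no operator watching. The following Python model is an added example, not the device's or the vendor's code. The class, the `reserve` guard, the counter reset on a correct entry, and one authentication attempt per power-on are assumptions, and the PIN and PUK values are constructed.

```python
PIN_TRIES = 3    # consecutive wrong PIN entries before the SIM card is locked
PUK_TRIES = 10   # consecutive wrong PUK entries before it is locked permanently


class SimCard:
    """Toy model of the PIN/PUK attempt counters; not a real SIM or device API."""

    def __init__(self, pin: str, puk: str):
        self._pin, self._puk = pin, puk
        self.pin_enabled = False
        self.verified = False
        self.pin_tries, self.puk_tries = PIN_TRIES, PUK_TRIES

    @property
    def state(self) -> str:
        if self.puk_tries == 0:
            return "permanently-locked"
        if self.pin_tries == 0:
            return "puk-required"
        if self.pin_enabled and not self.verified:
            return "pin-required"
        return "ready"

    def power_cycle(self) -> None:
        self.verified = False            # the PIN must be presented again

    def _present_pin(self, pin: str) -> bool:
        if self.pin_tries == 0 or self.puk_tries == 0:
            return False                 # locked: a PIN is no longer accepted
        if pin == self._pin:
            self.pin_tries = PIN_TRIES   # assumption: success resets the counter
            return True
        self.pin_tries -= 1
        return False

    def pin_enable(self, pin: str) -> bool:            # security pin-enable
        if self._present_pin(pin):
            self.pin_enabled = self.verified = True
            return True
        return False

    def pin_check(self, pin: str) -> bool:             # security pin-check
        ok = self._present_pin(pin)
        if ok:
            self.verified = True
        return ok

    def pin_change(self, pin: str, new_pin: str) -> bool:   # security pin-change
        if self._present_pin(pin):
            self._pin = new_pin
            return True
        return False

    def puk_check(self, puk: str, new_pin: str) -> bool:    # security puk-check
        if self.state != "puk-required":
            return False
        if puk == self._puk:
            self._pin = new_pin
            self.pin_tries, self.puk_tries = PIN_TRIES, PUK_TRIES
            self.verified = True
            return True
        self.puk_tries -= 1
        return False


def auto_authenticate(sim: SimCard, configured_pin: str, reserve: int = 0) -> str:
    """Present the stored PIN at power-on, as automatic authentication does.

    reserve is a hypothetical guard: no attempt is made once only that many
    PIN attempts remain, so an operator can still enter the PIN manually.
    """
    if sim.state == "pin-required" and sim.pin_tries > reserve:
        sim.pin_check(configured_pin)
    return sim.state


def stale_pin_reboots(reserve: int, reboots: int = 5) -> str:
    """PIN changed on the SIM card, stored PIN not updated, then several reboots."""
    sim = SimCard(pin="1234", puk="12345678")   # constructed values
    sim.pin_enable("1234")
    sim.pin_change("1234", "4321")
    configured_pin = "1234"                     # out of date after the change
    for _ in range(reboots):
        sim.power_cycle()
        auto_authenticate(sim, configured_pin, reserve)
    return sim.state


if __name__ == "__main__":
    print("no guard:  ", stale_pin_reboots(reserve=0))
    print("reserve=1: ", stale_pin_reboots(reserve=1))
```

Without the guard the third reboot locks the SIM card and the PUK code is needed. With one attempt held in reserve the card stays in the pin-required state and the correct PIN can still be entered manually.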

Configure IMSI Binding Function

With the IMSI binding function, the user can bind the SIM card to the 3G communication module in a fixed slot, so that the 3G communication modules in other slots cannot use the SIM card. This function is only available for this device.

Table 8-9 Configure the IMSI binding function

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Perform IMSI binding for the SIM card in the specified slots | cellular interface-name imsi-bond { current-imsi \| imsi } | Mandatory. By default, the IMSI binding function is not enabled. |

8.2.3 Configure Network Mode

The device provides multiple flexible policies for the 3G network mode and supports
the network mode of all the current operators. The user configures the network mode
for the 3G communication module using commands to satisfy requirements in different
network environment.

Configuration Condition

None

Configure Network Mode

The interface provides three network access modes: auto-sensing, forced 3G, and forced 2G. The user can configure the network mode as required.

Table 8-10 Configure the network mode

| Step | Command | Description |
| --- | --- | --- |
| Choose the network access modes for the 3G communication module in the specified slot in the privileged user mode | cellular interface-name mode { auto \| manual { 3G \| 2G } } | Optional. By default, the network access mode is auto. |

8.2.4 Configure 3G Signal Function

The 3G signal function mainly achieves some assistant functions based on the 3G
signal strength, including the specified signal change notification range and dual-3G
application and interface switching policies based on 3G signal strength.

Configuration Condition

None

Configure Signal Change Notification Range

Due to the particularity of the wireless network, the signal strength changes frequently.
Therefore, the device provides the function of configurable signal change notification
range. If the signal changes within the configured range, the signal change will not be
notified. If the signal changes beyond the configured range, the signal change will be
notified.

Table 8-11 Configure the signal change notification range

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the 3G interface configuration mode | interface interface-name | - |
| Configure the signal change notification range | signal notify range range | Optional. By default, the signal change notification range is 10. |

Configure Interface Switching Policy in the Dual-3G Mode

The dual-3G mode provides a service switching policy based on signal strength. When the signal of one 3G communication module becomes weak, the data services carried over that module are automatically switched to another 3G interface for data communication. The corresponding 3G interface can be configured with a manual or an automatic switching policy. The user can choose the manual switching policy to set the interface switching conditions as required, or choose the automatic switching policy to let the device perform service switching based on the signal strength.

Table 8-12 Configure the interface switching policy in the dual-3G mode

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the 3G interface configuration mode | interface interface-name | - |
| Configure the interface switching policy in the 3G mode | signal switch { automatically \| { below time percent upwards time percent } \| after second } | Optional. By default, the interface switching policy is not enabled. |

8.2.5 Configure Exception Recovery Function

Configuration Condition

None

Configure Timeout for 3G Communication Module Automatic Restart

In the automatic dialing mode, the 3G communication module can restart automatically
when the dialing fails in a specified time. The dialing success rate increases after
restart.

Table 8-13 Configure the timeout for the 3G communication module automatic restart

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Enter the 3G interface configuration mode | interface interface-name | - |
| Configure the automatic restart function after the timeout | watchdog wait time | Optional. By default, the automatic restart function after the timeout is not enabled. |

Configure Host Restart Function When 3G Card Fails to Be Loaded Repeatedly

When the 3G card fails to be loaded repeatedly and other error handling mechanism
cannot recover the 3G card to normal operating, this function enables the entire device
to be restarted to recover the system to the initial state. This ensures the correct
operating of the system and of the 3G card.

Table 8-14 Configure the host restart function when the 3G card fails to be loaded repeatedly

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode | configure terminal | - |
| Configure the host restart function when the 3G card fails to be loaded | cardreset-exception reboot enable | Optional. By default, the host restart function when the 3G card fails to be loaded is not enabled. |

8.2.6 3G Monitoring and Maintaining

Table 8-15 The 3G monitoring and maintaining

| Command | Description |
| --- | --- |
| show cellular interface-name { all \| hardware \| network \| profile \| radio \| security } | Display the status information of the 3G communication module, including the hardware information, network information, dialing configuration information, signal information and security information in the independent mode or the unified mode |

8.3 Typical Configuration Example of 3G Network

8.3.1 Configure 3G Public Network

Network Requirements

- Device connects to the public network via the 3G interface.

- The 3G interface cellular1/0 on Device uses the WCDMA system.

Network Topology

Figure 8-2 Networking of configuring the 3G public network

Configuration Steps

Step 1: Configure the name of APN as 3gnet.

#Configure Device.
Device#cellular 1/0 configure apn-config apn-set 3gnet

Step 2: Configure modem dialing script with the script name as g3dia and indicator as ATDT.

#Configure Device.
Device#configure terminal
Device(config)#chat-script g3dia ATDT

Step 3: Define the rule for triggering dialing data flow.

#Configure Device.
Device(config)#dialer-list 1 protocol ip permit

Step 4: Configure the 3G interface.

#Configure Device.
Device(config)#interface cellular 1/0
Device(config-if-cellular1/0)#dialer in-band
Device(config-if-cellular1/0)#dialer-group 1
Device(config-if-cellular1/0)#dialer string *99#
Device(config-if-cellular1/0)#script dialer g3dia
Device(config-if-cellular1/0)#ppp chap hostname a
Device(config-if-cellular1/0)#ppp chap password 0 a
Device(config-if-cellular1/0)#ip address negotiated
Device(config-if-cellular1/0)#exit

Step 5: Configure the default routing of Device with the egress interface as cellular1/0.

#Configure Device.
Device(config)#ip route 0.0.0.0 0.0.0.0 cellular 1/0

Step 6: Check the result.

#After the dialing is triggered, check whether the interface cellular1/0 of Device can
obtain the IP address.
Device#show interface cellular 1/0
Cellular1/0:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: PPP
Internet address: 10.231.36.57/32
Destination Internet address: 0.0.0.0
Metric: 0, MTU: 1500, BW: 384 Kbps, DLY: 100000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters at: 0 hour 5 minutes 2 seconds
input rate 0 bit/sec, 0 packet/sec
output rate 0 bit/sec, 0 packet/sec
2 packets received; 2 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
LCP:OPENED
IPCP:OPENED
encap-type: simply PPP
Rx chars: 80, Tx chars 80
Rx overrun 0, Tx underrun 0

If the WCDMA system is used, the IP address of the local end can be successfully
negotiated. If the CDMA2000 and TD-SCDMA systems are used, both the IP
addresses of the local end and of the peer end can be negotiated.

• The dialing number of WCDMA and TD-SCDMA is "*99#" and the dialing number of
CDMA2000 is "#777".
• If the command dialer mode auto is configured for the 3G interface to enable the
automatic dialing, there is no need to define the rule for triggering dialing data flow.
• In the WCDMA and TD-SCDMA networks, it is recommended that the
PPP-authenticated user account and password use "a". In the CDMA2000 network, it
is recommended that the PPP-authenticated user account and password use "card".
• The WCDMA and TD-SCDMA networks use the APN names to identify the private
network and public network. The APN name is provided by the operator. The
CDMA2000 network uses the domain name of the dialing user account to identify the
private network and public network. The domain name is allocated by the operator.
• The public network APN name of the WCDMA and TD-SCDMA networks is
"3gnet".


8.3.2 Configure 3G Private Network

Network Requirements

• IPsec is built between Device1 and Device2 via the 3G interface cellular1/0.

• Device1 acts as the branch device, the operator device as the LAC, and Device2 as
the LNS. L2TP is built between LAC and Device2.

• The 3G interface cellular1/0 on Device1 uses the WCDMA system.

• Device2 performs the AAA authentication and allocates IP addresses by the AAA
authentication.

Network Topology

Figure 8-3 Networking of configuring the 3G public network

Device    Interface   IP Address

Device1   Gi0         192.168.100.1/24

Device2   Gi0         30.1.1.1/24
          Gi1         192.168.201.1/24
          Gi2         192.168.200.1/24
          Loopback0   172.16.20.1/32

Configuration Steps

Step 1: Configure the IP addresses for all interfaces. (Omitted)

Step 2: Configure the APN name as hy118.scapn.

#Configure Device1.
Device#cellular 1/0 configure apn-config apn-set hy118.scapn

Step 3: Configure the modem dialing script with the script name as g3dia and indicator as ATDT.

#Configure Device1.
Device1#configure terminal
Device1(config)#chat-script g3dia ATDT

Step 4: Define the rule for triggering dialing data flow.

#Configure Device1.
Device1(config)#dialer-list 1 protocol ip permit

Step 5: Configure the 3G interface of Device1.

#Configure Device1.
Device1(config)#interface cellular 1/0
Device1(config-if-cellular1/0)#dialer in-band
Device1(config-if-cellular1/0)#dialer-group 1
Device1(config-if-cellular1/0)#dialer string *99#
Device1(config-if-cellular1/0)#script dialer g3dia
Device1(config-if-cellular1/0)#ppp chap hostname 3g_authen
Device1(config-if-cellular1/0)#ppp chap password 0 admin
Device1(config-if-cellular1/0)#ip address negotiated
Device1(config-if-cellular1/0)#exit

Step 6: Configure the default routing of Device1 with the egress interface as cellular1/0.

#Configure Device1.
Device1(config)#ip route 0.0.0.0 0.0.0.0 cellular 1/0

Step 7: Configure the AAA server to authenticate and allocate the IP address.

#Configure Device2.

Configure AAA to use RADIUS authentication and authorization.
Device2(config)#aaa new-model
Device2(config)#aaa authentication ppp default radius
Device2(config)#aaa authorization network default radius


Configure the IP address, user account, and password of the AAA server.
Device2(config)#radius-server host 192.168.200.2 auth-port 1645 priority 0 key admin

Step 8: Configure the L2TP tunnel between the LAC and Device2.

#Configure Device2.

Configure the loopback interface.


Device2(config)#interface loopback0
Device2(config-if-loopback0)#ip address 172.16.20.1 255.255.255.255
Device2(config-if-loopback0)#exit

Configure virtual-template 1 and use the IP address of Loopback0.


Device2(config)#interface virtual-template 1
Device2(config-if-virtual-template1)#encapsulation ppp
Device2(config-if-virtual-template1)#ppp mtu adaptive proxy
Device2(config-if-virtual-template1)#ppp authentication chap default
Device2(config-if-virtual-template1)#ppp authorization default
Device2(config-if-virtual-template1)#ip unnumber loopback0
Device2(config-if-virtual-template1)#exit

Enable the VPDN function and configure the VPDN group.


Device2(config)#vpdn enable
Device2(config)#vpdn-group 1
Device2(config-vpdn)#accept-dialin
Device2(config-vpdn-acc-in)#protocol l2tp
Device2(config-vpdn-acc-in)#virtual-template 1
Device2(config-vpdn-acc-in)#exit

Accept the L2TP connection request of the LAC whose hostname is set to
GGSNCD01. (Optional)
Device2(config-vpdn)#terminate-from hostname GGSNCD01

Configure the L2TP tunnel authentication password. This password must be the same
as the L2TP password provided by the operator.
Device2(config-vpdn)#l2tp tunnel password admin

Disable the L2TP tunnel authentication.


Device2(config-vpdn)#no l2tp tunnel authentication
Device2(config-vpdn)#exit

Step 9: Check the result.

#After the dialing is triggered, check the information of interface cellular1/0 on Device1.
Device1#show interface cellular 1/0
Cellular1/0:
line protocol is up
Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
Type: PPP
Internet address: 172.16.10.11/32
Destination Internet address: 0.0.0.0
Metric: 0, MTU: 1500, BW: 384 Kbps, DLY: 100000 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Last clearing of "show interface" counters never
input peak rate 144 bits/sec, 0 hour 45 minutes 19 seconds ago
output peak rate 112 bits/sec, 0 hour 27 minutes 18 seconds ago
5 minutes input rate 0 bit/sec, 0 packet/sec
5 minutes output rate 0 bit/sec, 0 packet/sec
577 packets received; 301 packets sent
269 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
LCP:OPENED
IPCP:OPENED
encap-type: simply PPP
Rx chars: 23595, Tx chars 3908
Rx overrun 0, Tx underrun 0

If the WCDMA private network dialing is successful, the IP address of the local end can
be successfully negotiated. If the CDMA2000 private network is used, both the IP
addresses of the local end and of the peer end can be negotiated.

#Check whether the L2TP tunnel is built on Device2.


Device2#show vpdn detail
L2TP MaxTun 1024, MaxSes 1024:
tunnel free num: 1023
TUNNELS:
LocID  LocName  RemID  RemName   RemAddr       Vpdn  Port  Sess  State
21     Device2  63     GGSNCD01  119.6.10.116  1     1701  1     ESTAB

session free num: 1023

SESSIONS:
LocID  TunID  RemID  IfName           User   SysId  msi/calling-no  State
79     21     4236   virtual-access1  test1  -      8614528080921   ESTAB

L2TP total Tunnel and Session Information. Tunnel 1 Session 1

#On Device1, ping the IP address of the virtual interface virtual-template 1 of Device2
and check whether it can be pinged through.
Device1#ping 172.16.20.1

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 172.16.20.1 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 316/502/1066 ms.

Device1 can ping through the IP address of virtual-template 1 on Device2.

Step 10: Create the IPsec tunnel and configure the IPsec security policy.

#Configure Device1.

Configure the pre-shared key. Set the key to admin, allowing all peers to use the
key.
Device1(config)#crypto ike key admin any

Create the IPsec tunnel.


Device1(config)#crypto tunnel tun
Device1(config-tunnel)#local interface cellular1/0
Device1(config-tunnel)#peer address 172.16.20.1
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#exit

Configure the IPsec security policy.


Device1(config)#crypto policy policy1
Device1(config-policy)#flow 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0 ip tunnel tun
Device1(config-policy)#exit

#Configure Device2.

Configure the pre-shared key. Set the key to admin, allowing all peers to use the
key.
Device2(config)#crypto ike key admin any

Create the IPsec tunnel.


Device2(config)#crypto tunnel tun
Device2(config-tunnel)#local address 172.16.20.1
Device2(config-tunnel)#peer any
Device2(config-tunnel)#exit

Configure the IPsec security policy and configure the route to the network protected
by the peer end to be added automatically.
Device2(config)#crypto policy policy1
Device2(config-policy)#flow 192.168.201.0 255.255.255.0 192.168.100.0 255.255.255.0 ip tunnel tun
Device2(config-policy)#set reverse-route
Device2(config-policy)#exit

Step 11: Check the result.

#Check whether the IPsec tunnel is successfully created on Device1.


Device1#show crypto ipsec sa
policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 192.168.201.0/24 ip any any
local tunnel endpoint : 172.16.10.11 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 13, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0xf2401510(4064285968) crypto context : 0xa722e60
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28465/4294967295
uptime is 0 hour 5 minute 35 second
outbound esp ipsec sa : spi : 0xc1c1114b(3250655563) crypto context : 0xc1b8340
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28465/4294967295
uptime is 0 hour 5 minute 35 second

total sa and sa group is 1

#Use the extended ping command on Device1. The destination address 192.168.201.1
and source address 192.168.100.1 can be pinged through normally.
Device1#ping
Protocol [ip]:
Target IP address or hostname: 192.168.201.1
Repeat count [5]:
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface: 192.168.100.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [no]:

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 192.168.201.1 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 366/446/516 ms.

• Configure the command ppp mtu adaptive proxy for virtual-template 1 to ensure that
the local MTU adapts to the peer MRU.
• The WCDMA and TD-SCDMA networks use the APN names to identify the private
network and public network. The APN name is provided by the operator. The
CDMA2000 network uses the domain name of the dialing user account to identify the
private network and public network. The domain name is allocated by the operator.
• The APN name used by Device1 is provided by the operator.
• The hostname used in the command terminate-from hostname on Device2 is provided
by the operator.
• If the operator LAC and the LNS are not on a directly connected network segment,
configure a static route to the operator LAC.
• If the command dialer mode auto is configured for the 3G interface to enable the
automatic dialing, there is no need to define the rule for triggering dialing data flow.
• The PPP-authenticated user account and password configured on Device1 are
allocated by the upper AAA server.
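
The security-relevant settings of this example can be checked mechanically before a configuration like it goes into service. The following Python audit is an added example, not part of the original manual or of the vendor's tooling; it reads the CLI lines from the steps above and reports a pre-shared key offered to any peer, disabled L2TP tunnel authentication, short secrets, and one secret reused for several functions. Reading the 0 in ppp chap password 0 as "stored in clear text" and the 16-character minimum are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: security-relevant CLI lines copied from the steps of this
# section (prompts included), one command per line.
SAMPLE_CONFIG = """\
Device1(config-if-cellular1/0)#ppp chap hostname 3g_authen
Device1(config-if-cellular1/0)#ppp chap password 0 admin
Device1(config)#crypto ike key admin any
Device2(config)#radius-server host 192.168.200.2 auth-port 1645 priority 0 key admin
Device2(config-vpdn)#l2tp tunnel password admin
Device2(config-vpdn)#no l2tp tunnel authentication
Device2(config)#crypto ike key admin any
"""

# "Device2(config-vpdn)#command" -> device name and command text
PROMPT = re.compile(r"^(?P<dev>[\w-]+)(?:\([^)]*\))?#\s*(?P<cmd>.*)$")
MIN_SECRET_LEN = 16  # assumption: local policy value, not a vendor limit


def audit(config_text):
    """Return a list of (device, rule, detail) findings for pasted CLI lines."""
    findings = []
    uses = defaultdict(set)  # secret value -> set of purposes it is used for

    def note_secret(dev, purpose, value):
        uses[value].add(purpose)
        if len(value) < MIN_SECRET_LEN:
            findings.append((dev, "short-secret", purpose))

    for raw in config_text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # headings, comments and command output are skipped
        dev = m.group("dev")
        cmd = " ".join(m.group("cmd").split())  # collapse repeated spaces

        if k := re.fullmatch(r"crypto ike key (\S+) (\S+)", cmd):
            note_secret(dev, "ike-psk", k.group(1))
            if k.group(2) == "any":
                # One key accepted from every peer: any holder can negotiate IKE.
                findings.append((dev, "psk-any-peer", "crypto ike key *** any"))
        elif k := re.fullmatch(r"l2tp tunnel password (\S+)", cmd):
            note_secret(dev, "l2tp-password", k.group(1))
        elif cmd == "no l2tp tunnel authentication":
            findings.append((dev, "l2tp-auth-disabled", cmd))
        elif k := re.fullmatch(r"radius-server host \S+ .*\bkey (\S+)", cmd):
            note_secret(dev, "radius-key", k.group(1))
        elif k := re.fullmatch(r"ppp chap password (\d+) (\S+)", cmd):
            note_secret(dev, "chap-password", k.group(2))
            if k.group(1) == "0":  # assumption: type 0 means clear text
                findings.append((dev, "cleartext-password", "ppp chap password 0 ..."))

    # The same IKE key on both peers is expected; the same value used for
    # different functions (IKE, L2TP, RADIUS, CHAP) is not.
    for purposes in uses.values():
        if len(purposes) > 1:
            findings.append(("*", "secret-reuse", ",".join(sorted(purposes))))
    return findings


if __name__ == "__main__":
    for device, rule, detail in audit(SAMPLE_CONFIG):
        print(f"{device:8} {rule:20} {detail}")
```

Secret values are masked in the findings so that the report itself can be shared.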

8.3.3 Configure Dual-3G Switching Based on the Signal Strength

Network Requirements

• IPsec is built between Device1 and Device2 via the 3G interfaces cellular1/0 and
cellular2/0.

• Device1 uses two 3G cards of different 3G systems: cellular1/0 uses WCDMA and
cellular2/0 uses CDMA2000. cellular1/0 is the master interface and cellular2/0 is
the standby interface. The two interfaces switch based on the signal strength.

• Device1 acts as the branch device, the operator device as the LAC, and Device2 as
the LNS. L2TP is built between LAC-1/LAC-2 and Device2.

• Two VPDN lines and two VPDN groups are created on Device2. Different VPDN
groups correspond to different operators.

• Configure the signal switching on Device1. The 3G signal monitoring module
associates the 3G signal strength with the routing and IPsec via track. When the
signal on the 3G master interface cellular1/0 is strong, the track status is up and
cellular1/0 is chosen as the data egress interface. When the signal on the master
interface cellular1/0 is weak, the standby interface is used. IPsec and the routing
switch synchronously.

• The LNS device performs authentication and allocates the IP address by the AAA
server.

Network Topology

 
Figure 8-4 Networking of configuring dual-3G switching based on the signal strength

Device    Interface   IP Address

Device1   Gi0         192.168.100.2/24

Device2   Gi0         30.1.1.1/24
          Gi1         40.1.1.1/24
          Gi2         192.168.200.1/24
          Loopback0   172.16.20.1/24
          Loopback1   172.16.30.1/24
          Gi1/0       192.168.201.234/24

Configuration Steps


Step 1: Configure the IP addresses of all interfaces. (Omitted)

Step 2: Define the rule for triggering dialing data flow and configure the APN name. (Omitted)

Step 3: Configure the modem dialing script with the script name as g3dia and indicator as ATDT. (Omitted)

Step 4: Configure two 3G interfaces on Device1. (Omitted)

Step 5: Configure cellular1/0 of Device1 as automatic signal detection mode.

#Configure Device1 and set the initial dialing detection time as 120s.
Device1#configure terminal
Device1(config)#interface cellular 1/0
Device1(config-if-cellular1/0)#signal switch automatically
Device1(config-if-cellular1/0)#signal switch after 120
Device1(config-if-cellular1/0)#exit

Step 6: Associate track 1 with the signal of cellular1/0.

#Configure Device1.
Device1(config)#track 1
Device1(config-track)#interface cellular 1/0 3g-signal
Device1(config-track)#exit

Step 7: Configure the static routing of Device1 and bind track.

#Configure Device1.
Device1(config)#ip route 172.16.20.1 255.255.255.255 cellular 1/0 track 1
Device1(config)#ip route 0.0.0.0 0.0.0.0 cellular 2/0 100

Step 8: Configure the loopback interface.

#Configure Device2 and create two loopback interfaces as the virtual template
address.
Device2#configure terminal
Device2(config)#interface loopback0
Device2(config-if-loopback0)#ip address 172.16.20.1 255.255.255.255
Device2(config-if-loopback0)#exit
Device2(config)#interface loopback1
Device2(config-if-loopback1)#ip address 172.16.30.1 255.255.255.255
Device2(config-if-loopback1)#exit

Step 9: Create two L2TP tunnels on Device2, each corresponding to a different operator based on the configured terminate-from hostname. (Omitted)

Step 10: Configure the IPsec tunnel.

#Configure Device1.

Configure the pre-shared key. Set the key to admin, allowing all peers to use the
key.
Device1(config)#crypto ike key admin any

Create two IPsec tunnels for two 3G interfaces. Configure the local interface of tun1 as
cellular1/0 and tunnel ID as wcdma. Configure the local interface of tun2 as cellular2/0
and tunnel ID as cdma.
Device1(config)#crypto tunnel tun1
Device1(config-tunnel)#local interface cellular1/0
Device1(config-tunnel)#peer address 172.16.20.1
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#set local-id wcdma
Device1(config-tunnel)#set track 1
Device1(config-tunnel)#exit
Device1(config)#crypto tunnel tun2
Device1(config-tunnel)#local interface cellular 2/0
Device1(config-tunnel)#peer address 172.16.30.1
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#set local-id cdma
Device1(config-tunnel)#exit

#Configure Device2.

Configure the pre-shared key. Set the key to admin, allowing all peers to use the
key.
Device2(config)#crypto ike key admin any

Create two IPsec tunnels. tun1 uses the IP address of loopback0 as the local IP
address, specifying the tunnel ID of Device1 as wcdma. tun2 uses the IP address of
loopback1 as the local IP address, specifying the tunnel ID of Device1 as cdma.
Device2(config)#crypto tunnel tun1
Device2(config-tunnel)#local address 172.16.20.1
Device2(config-tunnel)#peer any
Device2(config-tunnel)#set peer-id wcdma
Device2(config-tunnel)#set authentication preshared
Device2(config-tunnel)#exit
Device2(config)#crypto tunnel tun2
Device2(config-tunnel)#local address 172.16.30.1
Device2(config-tunnel)#peer any
Device2(config-tunnel)#set peer-id cdma
Device2(config-tunnel)#set authentication preshared
Device2(config-tunnel)#exit


Step 11: Configure the IPsec security policy.

#Configure Device1 and create the IPsec security policy to associate tun1 and tun2.
Set tun1 as the active tunnel and tun2 as the standby tunnel.
Device1(config)#crypto policy policy1
Device1(config-policy)#flow 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0 ip tunnel tun1 tun2

Associate track and choose the policy based on the track status. The tunnel with track
as up is preferentially selected.
Device1(config-policy)#set track-aware
Device1(config-policy)#exit

#Configure Device2 and create the IPsec security policy to associate tun1 and tun2.
Set tun1 as the active tunnel and tun2 as the standby tunnel. Configure the route to
the network protected by the peer end to be added automatically.
Device2(config)#crypto policy policy1
Device2(config-policy)#flow 192.168.201.0 255.255.255.0 192.168.100.0 255.255.255.0 ip tunnel tun1 tun2
Device2(config-policy)#set reverse-route
Device2(config-policy)#set peer-track-aware
Device2(config-policy)#exit

The set peer-track-aware command must be used together with the set track-aware
command on the peer. The local end chooses the tunnel for sending data based on the
tunnel on which it receives data, so data is sent over the same tunnel on which it was
received.

Step 12: Check the result.

#The dialing is triggered successfully when the IPsec channel is built successfully.
When the track object status is up on Device1, tun1 is selected for data
communication.
Device1#show track object
track 1
status = up
entnum = 1
logic operator AND
Object Type Status Refcnt instruction
------------------------- -------- ------ ----------------------------------------
interface 3g-signal up 1
-------------------------------------------------------------------------------------
module priority caller
------------------------- -------- ------
STATICRT 20 0x75f990
cdma 20 0x6a6670
-------------------------------------------------------------------------------------

#Use the extended ping command on Device1. The destination address
192.168.201.234 and source address 192.168.100.2 can be pinged through normally.
Packets are transmitted over tun1.
Device1#ping
Protocol [ip]:
Target IP address or hostname: 192.168.201.234
Repeat count [5]:
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface: 192.168.100.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [no]:

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 192.168.201.234 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 433/473/516 ms.
Device1#show crypto ipsec sa
policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 192.168.201.0/24 ip any any
local tunnel endpoint : 172.16.10.11 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 6, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0xf76327a6(4150470566) crypto context : 0x9e2c9a0
current input 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28710/4294967294
uptime is 0 hour 1 minute 30 second
outbound esp ipsec sa : spi : 0xa10f1be5(2702121957) crypto context : 0xa7d2940
current output 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28710/4294967294
uptime is 0 hour 1 minute 30 second
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 3, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x653e27a4(1698572196) crypto context : 0x9e23e40
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28433/4294967295
uptime is 0 hour 6 minute 7 second
outbound esp ipsec sa : spi : 0x17d21be3(399645667) crypto context : 0x9e23cc0
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28433/4294967295
uptime is 0 hour 6 minute 7 second

total sa and sa group is 2

#When track object status is down on Device1, tun2 is selected for data communication.
Device1#show track object
track 1
status = down
entnum = 1
logic operator AND
Object Type Status Refcnt instruction
------------------------- -------- ------ ----------------------------------------
interface 3g-signal down 1
-------------------------------------------------------------------------------------
module priority caller
------------------------- -------- ------
tun1 20 0x6a6714
-------------------------------------------------------------------------------------

#Use the extended ping command on Device1. The destination address
192.168.201.234 and source address 192.168.100.2 can be pinged through normally.
Packets are transmitted over tun2.
Device1#ping
Protocol [ip]:
Target IP address or hostname: 192.168.201.234
Repeat count [5]:
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface: 192.168.100.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [no]:

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 192.168.201.234 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 399/482/533 ms.

Device1#show crypto ipsec sa
policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 192.168.201.0/24 ip any any
local tunnel endpoint : 172.16.10.11 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 6, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0xf76327a6(4150470566) crypto context : 0x9e2c9a0
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28575/4294967294
uptime is 0 hour 3 minute 45 second
outbound esp ipsec sa : spi : 0xa10f1be5(2702121957) crypto context : 0xa7d2940
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28575/4294967294
uptime is 0 hour 3 minute 45 second
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 3, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x653e27a4(1698572196) crypto context : 0x9e23e40
current input 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28298/4294967294
uptime is 0 hour 8 minute 22 second
outbound esp ipsec sa : spi : 0x17d21be3(399645667) crypto context : 0x9e23cc0
current output 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28298/4294967294
uptime is 0 hour 8 minute 22 second

Use the extended ping command on Device1 so that the packets match the flow
protected by IPsec. You can then run the show crypto ipsec sa command to check which
tunnel is selected by the packets for data communication.
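
One way to read that output programmatically, as an added Python example that is not part of the original manual: it parses show crypto ipsec sa text into SA pairs, reports which tunnel has moved packets, compares that with the track status, and flags SAs negotiated with DES. The peer-to-tunnel map is taken from the Device1 tunnel configuration in Step 10; treating non-zero counters as "carrying traffic" assumes the counters are read right after the test ping, as in the output above.

```python
import re

# Abridged from the "track down" output shown above (lifetime, uptime,
# encapsulation and replay lines dropped).
SA_OUTPUT = """\
policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 192.168.201.0/24 ip any any
local tunnel endpoint : 172.16.10.11 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 6, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0xf76327a6(4150470566) crypto context : 0x9e2c9a0
current input 0 packets, 0 kbytes
outbound esp ipsec sa : spi : 0xa10f1be5(2702121957) crypto context : 0xa7d2940
current output 0 packets, 0 kbytes
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 3, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x653e27a4(1698572196) crypto context : 0x9e23e40
current input 5 packets, 0 kbytes
outbound esp ipsec sa : spi : 0x17d21be3(399645667) crypto context : 0x9e23cc0
current output 5 packets, 0 kbytes
"""

# Peer address -> tunnel name, from the "peer address" lines of tun1 and tun2.
PEER_TO_TUNNEL = {"172.16.20.1": "tun1", "172.16.30.1": "tun2"}
WEAK_CIPHERS = {"DES", "NULL"}  # DES has a 56-bit key

ENDPOINTS = re.compile(
    r"local tunnel endpoint\s*:\s*(\S+)\s+remote tunnel endpoint\s*:\s*(\S+)")
PAIR = re.compile(
    r"the pairs of ESP ipsec sa\s*:\s*id\s*:\s*(\d+),\s*algorithm\s*:\s*(\S+)\s+(\S+)")
SPI = re.compile(r"(inbound|outbound) esp ipsec sa\s*:\s*spi\s*:\s*(0x[0-9a-fA-F]+)")
COUNT = re.compile(r"current (input|output) (\d+) packets")


def parse_sa(text):
    """Split the output into one record per local/remote endpoint pair."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := ENDPOINTS.search(line):
            cur = {"local": m.group(1), "remote": m.group(2), "id": None,
                   "cipher": None, "auth": None, "spi": {},
                   "packets": {"input": 0, "output": 0}}
            sas.append(cur)
        elif cur is None:
            continue  # policy header lines before the first endpoint pair
        elif m := PAIR.search(line):
            cur["id"], cur["cipher"], cur["auth"] = int(m.group(1)), m.group(2), m.group(3)
        elif m := SPI.search(line):
            cur["spi"][m.group(1)] = m.group(2)
        elif m := COUNT.search(line):
            cur["packets"][m.group(1)] = int(m.group(2))
    return sas


def active_tunnels(sas):
    """Tunnels whose SA pair has moved packets in either direction."""
    return [PEER_TO_TUNNEL.get(sa["remote"], sa["remote"])
            for sa in sas if sum(sa["packets"].values()) > 0]


def consistent_with_track(track_status, sas):
    """Track up should mean traffic on tun1 only, track down on tun2 only."""
    expected = "tun1" if track_status == "up" else "tun2"
    return active_tunnels(sas) == [expected]


def weak_sas(sas):
    """SA pairs negotiated with a cipher from WEAK_CIPHERS."""
    return [(sa["id"], sa["cipher"]) for sa in sas if sa["cipher"] in WEAK_CIPHERS]


if __name__ == "__main__":
    parsed = parse_sa(SA_OUTPUT)
    print("active:", active_tunnels(parsed))
    print("matches track=down:", consistent_with_track("down", parsed))
    print("weak ciphers:", weak_sas(parsed))
```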

• Signal switching decides whether to switch based on the signal quality. However,
the signal quality cannot faithfully reflect the state of the channel. A good signal
may not result in a smooth channel and a weak signal may not result in congestion.
Therefore, switching determined by the signal quality is, to a certain extent, not
reliable.
• Because the 3G signal is vulnerable to the environment, the automatic detection
mode is generally used for the signal detection.
• If the dialer mode auto command is configured for the 3G interface to enable the
automatic dialing, there is no need to define the rule for triggering dialing data flow.
• Run the signal switch after command to determine the initial status of the 3G signal.
The signal switch after command is followed by a time parameter. During this period
after the 3G interface is successfully loaded, no dialing is performed. Instead, the
signal is detected first to determine the initial signal status and judge whether to
perform the dialing.
• Two L2TP tunnels are created on Device2, corresponding to two operators. You can
configure the terminate-from hostname command for each VPDN group, corresponding
to different operators.
• The PPP-authenticated user account and password configured on Device1 are
allocated by the upper AAA server.

8.3.4 Configure 3G Network Connecting to the Upper Dual Center

Network Requirements

• IPsec is built between Device1 and Device2/Device3 via the 3G interface
cellular1/0.

• Device1 acts as the branch device, the operator device as the LAC, and Device2 and
Device3 as the LNS. The L2TP is created between the LAC and LNS.

• cellular1/0 of Device1 connects to the upper dual centers, Network-Center-1 and
Network-Center-2.

• Device1 preferentially connects to Device2. When Device2 fails to be connected
repeatedly, Device1 switches to connect to Device3. When Device2 recovers,
Device1 switches back to connect to Device2 after a period.

• Different user accounts and APNs are used to connect to Device2 and Device3,
by switching the user account and APN.

• The user account connecting to Device2 is a1, password is a1, and APN name is
apn1. The user account connecting to Device3 is b1, password is b1, and APN
name is apn2.

• cellular1/0 of Device1 uses the WCDMA system.

• The LNS device performs authentication and allocates the IP address by the AAA
server.


Network Topology

Figure 8-5 Typical networking of configuring the 3G line connecting to the upper dual centers

Device    Interface   IP Address

Device1   Gi0         192.168.100.1/24

Device2   Gi0         30.1.1.2/24
          Gi1         10.250.19.1/24
          Gi2         192.168.200.1/24
          Loopback0   172.16.20.1/32

Device3   Gi0         40.1.1.2/24
          Gi1         10.1.4.1/24
          Gi2         192.168.199.1/24
          Loopback0   172.16.30.1/32

Configuration Steps

Step 1: Configure the IP addresses for all interfaces. (Omitted)

Step 2: Configure the modem dialing script with the script name as g3dia and indicator as ATDT. (Omitted)

Step 3: Define the rule for triggering dialing data flow and configure the APN name. (Omitted)

Step 4: Configure the 3G interface for Device1.

#Configure Device1.

Device1#configure terminal
Device1(config)#interface cellular 1/0
Device1(config-if-cellular1/0)#dialer in-band
Device1(config-if-cellular1/0)#dialer-group 1
Device1(config-if-cellular1/0)#dialer string *99#
Device1(config-if-cellular1/0)#script dialer g3dia
Device1(config-if-cellular1/0)#ip address negotiated

Configure the dialing user name list.


Device1(config-if-cellular1/0)#ppp chap user-list admin

Configure the switching to be performed when the connection fails for three
consecutive times.
Device1(config-if-cellular1/0)#ppp retry authentication 3

Configure the active account to dial every hour when the standby account is used.
Device1(config-if-cellular1/0)#ppp main-account recovery 60
Device1(config-if-cellular1/0)#exit

Step 5: Create the user name list admin and configure a1 as the account connecting to Device2 and b1 as the account connecting to Device3.

#Configure Device1.
Device1(config)#user-list admin
Device1(config-ulist)#user a1 password 0 a1 apn apn1 main
Device1(config-ulist)#user b1 password 0 b1 apn apn2
Device1(config-ulist)#exit

Step 6: Configure the default routing of Device1 with the egress interface as cellular1/0.

#Configure Device1.
Device1(config)#ip route 0.0.0.0 0.0.0.0 cellular1/0

Step 7: Configure Device2 and Device3 to perform authentication and allocate the IP address by the AAA server.

#Configure Device2.

Configure AAA to use RADIUS authentication and authorization.
Device2#configure terminal
Device2(config)#aaa new-model
Device2(config)#aaa authentication ppp default radius
Device2(config)#aaa authorization network default radius

Configure the IP address, user account, and password of the AAA server.
Device2(config)#radius-server host 192.168.200.2 auth-port 1645 priority 0 key admin


#Configure Device3.

Configure AAA to use RADIUS authentication and authorization.
Device3#configure terminal
Device3(config)#aaa new-model
Device3(config)#aaa authentication ppp default radius
Device3(config)#aaa authorization network default radius

Configure the IP address, user account, and password of the AAA server.
Device3(config)#radius-server host 192.168.199.2 auth-port 1645 priority 0 key admin

Step 8: Configure the L2TP tunnel to be built between Device2 and operator.

#Configure Device2.

Create a loopback interface.


Device2(config)#interface loopback0
Device2(config-if-loopback0)#ip address 172.16.20.1 255.255.255.255
Device2(config-if-loopback0)#exit

Configure virtual-template 1 and use the IP address of loopback0.


Device2(config)#interface virtual-template 1
Device2(config-if-virtual-template1)#encapsulation ppp
Device2(config-if-virtual-template1)#no peer default ip address
Device2(config-if-virtual-template1)#ppp mtu adaptive proxy
Device2(config-if-virtual-template1)#ppp authentication chap default
Device2(config-if-virtual-template1)#ppp authorization default
Device2(config-if-virtual-template1)#ip unnumber loopback0
Device2(config-if-virtual-template1)#exit

Enable the VPDN function and configure the VPDN group.


Device2(config)#vpdn enable
Device2(config)#vpdn-group 1
Device2(config-vpdn)#accept-dialin
Device2(config-vpdn-acc-in)#protocol l2tp
Device2(config-vpdn-acc-in)#virtual-template 1
Device2(config-vpdn-acc-in)#exit

Configure the device to terminate L2TP connection requests from the LAC whose
hostname is GGSNCD01. (Optional)
Device2(config-vpdn)#terminate-from hostname GGSNCD01

Configure the L2TP tunnel authentication password. The password must be the same
as the L2TP password provided by the operator.
Device2(config-vpdn)#l2tp tunnel password admin

Disable the L2TP tunnel authentication.


Device2(config-vpdn)#no l2tp tunnel authentication
Device2(config-vpdn)#exit

Step 9: Configure the L2TP tunnel to be built between Device3 and the operator.

#Configure Device3.

Configure the loopback interface.


Device3(config)#interface loopback0
Device3(config-if-loopback0)#ip address 172.16.30.1 255.255.255.255
Device3(config-if-loopback0)#exit

Configure virtual-template 1 and use the IP address of loopback0.


Device3(config)#interface virtual-template 1
Device3(config-if-virtual-template1)#encapsulation ppp
Device3(config-if-virtual-template1)#no peer default ip address
Device3(config-if-virtual-template1)#ppp mtu adaptive proxy
Device3(config-if-virtual-template1)#ppp authentication chap default
Device3(config-if-virtual-template1)#ppp authorization default
Device3(config-if-virtual-template1)#ip unnumber loopback0
Device3(config-if-virtual-template1)#exit

Enable the VPDN function and configure the VPDN group.


Device3(config)#vpdn enable
Device3(config)#vpdn-group 1
Device3(config-vpdn)#accept-dialin
Device3(config-vpdn-acc-in)#protocol l2tp
Device3(config-vpdn-acc-in)#virtual-template 1
Device3(config-vpdn-acc-in)#exit

Configure the device to terminate L2TP connection requests from the LAC whose
hostname is GGSNCD03. (Optional)
Device3(config-vpdn)#terminate-from hostname GGSNCD03

Configure the L2TP tunnel authentication password. The password must be the same
as the L2TP password provided by the operator.
Device3(config-vpdn)#l2tp tunnel password admin

Disable the L2TP tunnel authentication.


Device3(config-vpdn)#no l2tp tunnel authentication
Device3(config-vpdn)#exit

Step 10: Configure the IPsec tunnel to be built between the branch device and Device2/Device3.

#Configure Device1.

Create two IPsec tunnels for two 3G interfaces. Configure the local interface of tun1 as
cellular1/0, connecting Device2. Configure the local interface of tun2 as cellular1/0,
connecting Device3.
Device1(config)#crypto tunnel tun1
Device1(config-tunnel)#local interface cellular1/0
Device1(config-tunnel)#peer address 172.16.20.1
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#exit

Device1(config)#crypto tunnel tun2


Device1(config-tunnel)#local interface cellular 1/0
Device1(config-tunnel)#peer address 172.16.30.1
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#exit

Enable IPsec pre-fragmentation so that non-TCP data encapsulated with IPsec is not
fragmented during transmission over the operator network. Fragmented packets may be
lost on the operator link.
Device1(config)#crypto ipsec pre-fragment enable

Configure the pre-shared key. Set the key to admin, allowing all peers to use the
key.
Device1(config)#crypto ike key admin any

#Configure Device2.

Create IPsec tunnel tun1.


Device2(config)#crypto tunnel tun1
Device2(config-tunnel)#local address 172.16.20.1
Device2(config-tunnel)#peer any
Device2(config-tunnel)#set sec-level basic
Device2(config-tunnel)#exit

Configure the pre-shared key. Set the key to admin, allowing all peers to use the
key.
Device2(config)#crypto ike key admin any

#Configure Device3.

Create IPsec tunnel tun1.


Device3(config)#crypto tunnel tun1
Device3(config-tunnel)#local address 172.16.30.1
Device3(config-tunnel)#peer any
Device3(config-tunnel)#set sec-level basic
Device3(config-tunnel)#exit

Configure the pre-shared key. Set the key to admin, allowing all peers to use the
key.
Device3(config)#crypto ike key admin any

Step 11: Configure the IPsec security policy.

#Configure the IPsec security policy on Device1.


Device1(config)#crypto policy policy1
Device1(config-policy)#flow 192.168.100.0 255.255.255.0 10.250.19.0 255.255.255.0 ip tunnel tun1
Device1(config-policy)#exit

Device1(config)#crypto policy policy2


Device1(config-policy)#flow 192.168.100.0 255.255.255.0 10.1.4.0 255.255.255.0 ip tunnel tun2
Device1(config-policy)#exit

Configure the IPsec security policy on Device2 and configure the route to the network
protected by the peer device to be added automatically.


Device2(config)#crypto policy policy1
Device2(config-policy)#flow 10.250.19.0 255.255.255.0 192.168.100.0 255.255.255.0 ip tunnel tun1
Device2(config-policy)#set reverse-route
Device2(config-policy)#exit

Configure the IPsec security policy on Device3 and configure the route to the network
protected by the peer device to be added automatically.
Device3(config)#crypto policy policy1
Device3(config-policy)#flow 10.1.4.0 255.255.255.0 192.168.100.0 255.255.255.0 ip tunnel tun1
Device3(config-policy)#set reverse-route
Device3(config-policy)#exit

Step 12: Check the result.

#When Device1 dials Device2, the IPsec tunnel can be built between Device1 and
Device2. Use the extended ping command on Device1; Network-Center-1 can be pinged
successfully.
Device1#show crypto ipsec sa
policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.250.19.0/24 ip any any
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 238, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x1beb1e9d(468393629) crypto context : 0x9eb67e0
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28793/4294967295
uptime is 0 hour 0 minute 7 second
outbound esp ipsec sa : spi : 0x8adc247a(2329683066) crypto context : 0xa86a240
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28793/4294967295
uptime is 0 hour 0 minute 7 second
policy name : tun2
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.1.4.0/24 ip any any

total sa and sa group is 1

Device1#ping
Protocol [ip]:
Target IP address or hostname: 10.250.19.1
Repeat count [5]:
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface: 192.168.100.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [no]:

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 10.250.19.1 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 383/456/516 ms.

Device1#show crypto ipsec sa


policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.250.19.0/24 ip any any
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 238, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x1beb1e9d(468393629) crypto context : 0x9eb67e0
current input 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28747/4294967294
uptime is 0 hour 0 minute 53 second
outbound esp ipsec sa : spi : 0x8adc247a(2329683066) crypto context : 0xa86a240
current output 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28747/4294967294
uptime is 0 hour 0 minute 53 second
policy name : tun2
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.1.4.0/24 ip any any

total sa and sa group is 1

#When Device1 fails to dial Device2 three consecutive times, Device1 connects to
Device3 and the IPsec tunnel is correctly built with Device3. Use the extended ping
command on Device1; Network-Center-2 can be pinged successfully.
Device1#show crypto ipsec sa
policy name : policy2
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.250.19.0/24 ip any any
policy name : tun2
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.1.4.0/24 ip any any
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 274, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x12c01ea6(314580646) crypto context : 0xa86a8c0
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28797/4294967295
uptime is 0 hour 0 minute 3 second
outbound esp ipsec sa : spi : 0x1f7822be(527966910) crypto context : 0xa86a740
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28797/4294967295
uptime is 0 hour 0 minute 3 second

total sa and sa group is 1

Device1#ping
Protocol [ip]:
Target IP address or hostname: 10.1.4.1
Repeat count [5]:
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface: 192.168.100.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [no]:

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 10.1.4.1 , timeout is 2 seconds:

!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 383/456/516 ms.

Device1#show crypto ipsec sa


policy name : tun1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.250.19.0/24 ip any any
policy name : policy2
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.1.4.0/24 ip any any
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 274, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x12c01ea6(314580646) crypto context : 0xa86a8c0
current input 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28595/4294967294
uptime is 0 hour 3 minute 25 second
outbound esp ipsec sa : spi : 0x1f7822be(527966910) crypto context : 0xa86a740
current output 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28595/4294967294
uptime is 0 hour 3 minute 25 second

total sa and sa group is 1

Use the extended ping command on Device1 so that the packets are protected by
IPsec. Run the show crypto ipsec sa command to check which tunnel the packets use
for data communication.

- Configure the command ppp mtu adaptive proxy for virtual-template 1 so that the
local MTU adapts to the peer MRU.
- In the WCDMA and TD-SCDMA systems, the APN names, which are provided by
the operator, are used to determine the connected private network. In the CDMA2000
network, run the ppp chap hostname command to identify the private network and
public network based on the corresponding domain names. In the telecom network,
the APN name is not required.
- If the command dialer mode auto is configured for the 3G interface to enable
automatic dialing, there is no need to define the rule for triggering dialing data flow.
- The PPP-authenticated user account and password configured on Device1 are
allocated by the upper AAA server.
- If the operator LAC and the LNS are not in a directly connected network segment,
a static route to the operator LAC must be configured.
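
The steps above use the value admin for the RADIUS key, the L2TP tunnel password and the IKE pre-shared key, accept that pre-shared key from any peer, and disable L2TP tunnel authentication. The following Python audit is an added example, not part of the original manual or of the vendor's tooling; it flags those settings in a saved CLI transcript. The rule names and the 16-character minimum are assumptions of this example.

```python
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "device rule detail")

# Constructed sample: commands copied from Steps 7 to 10 above, prompts included.
TRANSCRIPT = """\
Device2(config)#radius-server host 192.168.200.2 auth-port 1645 priority 0 key admin
Device2(config-vpdn)#l2tp tunnel password admin
Device2(config-vpdn)#no l2tp tunnel authentication
Device2(config-tunnel)#peer any
Device2(config)#crypto ike key admin any
Device1(config) #crypto ike key admin any
"""

# "Device(mode)#command"; tolerates the stray space before '#' seen in the manual.
PROMPT = re.compile(r"^([A-Za-z][\w-]*)(?:\([^)]*\))?\s*#\s*(\S.*?)\s*$")

# Commands on this page that carry a shared secret (group 1 is the secret).
SECRET_PATTERNS = [
    ("radius-key", re.compile(r"^radius-server host \S+ .*\bkey (\S+)$")),
    ("l2tp-tunnel-password", re.compile(r"^l2tp tunnel password (\S+)$")),
    ("ike-psk", re.compile(r"^crypto ike key (\S+) (\S+)$")),
]

# Values printed in this manual (example secret, default dialer login, default PINs).
DOCUMENTED_VALUES = {"admin", "card", "1234", "0000"}
MIN_SECRET_LEN = 16  # assumption of this example, not a vendor requirement


def parse_commands(transcript):
    """Yield (device, command) for each prompt line; prose and output are skipped."""
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:
            yield m.group(1), " ".join(m.group(2).split())


def audit(transcript):
    """Return findings; secret values are never copied into the report."""
    findings = []
    uses = defaultdict(set)  # secret -> {(device, kind)}
    for dev, cmd in parse_commands(transcript):
        if cmd == "no l2tp tunnel authentication":
            findings.append(Finding(dev, "l2tp-auth-disabled",
                                    "L2TP tunnel authentication is disabled"))
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.match(cmd)
            if not m:
                continue
            secret = m.group(1)
            uses[secret].add((dev, kind))
            if secret.lower() in DOCUMENTED_VALUES or len(secret) < MIN_SECRET_LEN:
                findings.append(Finding(dev, "weak-secret",
                                        f"{kind} is short or a documented value"))
            if kind == "ike-psk" and m.group(2) == "any":
                findings.append(Finding(dev, "wildcard-psk",
                                        "one pre-shared key is accepted from every peer"))
    # The same value protecting different functions: one leak exposes all of them.
    for where in uses.values():
        kinds = sorted({kind for _, kind in where})
        if len(kinds) > 1:
            for dev in sorted({d for d, _ in where}):
                findings.append(Finding(dev, "secret-reuse",
                                        "same value used as " + ", ".join(kinds)))
    return findings


def by_rule(findings):
    """Group findings as {rule: sorted list of devices}."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.rule].add(f.device)
    return {rule: sorted(devs) for rule, devs in grouped.items()}


if __name__ == "__main__":
    for f in audit(TRANSCRIPT):
        print(f"{f.device:8} {f.rule:20} {f.detail}")
```

The pre-shared key has to match on both IPsec peers, so the reuse rule fires only when one value serves different functions, not when it appears on two devices.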

8.3.5 Configure Dual-3G Services as Active and Standby Mode

Network Requirements

- IPsec is built between Device1 and Device2 via the 3G interfaces cellular1/0 and
cellular2/0.

- Device1 uses two 3G cards of different 3G systems: cellular1/0 uses WCDMA and
cellular2/0 uses CDMA2000. The two 3G links are in the active and standby mode.

- Device1 acts as the branch device, the operator device as the LAC, and Device2 as the
LNS. The L2TP tunnel is built between the LAC and Device2.

- Use traffic distribution to transmit the traffic of multiple services over the two 3G
lines, for example service A and service B. Service A uses WCDMA as the active line and
CDMA2000 as the standby line. Service B uses CDMA2000 as the active line and
WCDMA as the standby line.

- The LNS device performs authentication and allocates the IP address by the AAA
server.

Network Topology

Figure 8-6 Networking of configuring dual-3G switching based on the signal strength

Device Interface IP Address Device Interface IP Address

Device1 Gi0 192.168.100.2/24 Device2 Gi0 30.1.1.1/24

Device2 Loopback0 172.16.20.1/24 Gi1 40.1.1.1/24

Loopback1 172.16.30.1/24 Gi2 192.168.200.1/24

Gi1/0 192.168.201.234/24

Configuration Steps

Step 1: Configure the IP addresses for all interfaces. (Omitted)

Step 2: Configure the modem dialing script with the script name as g3dia and indicator as ATDT.
(Omitted)

Step 3: Define the rule for triggering dialing data flow and configure the APN name. (Omitted)

Step 4: Configure the 3G interface for Device1. (Omitted)

Step 5: Configure the floating static routing on Device1.

#Configure Device1.

Service A uses cellular1/0 as the main data communication interface and cellular2/0 as
the backup interface. Service B uses cellular 2/0 as the main data communication
interface and cellular1/0 as the standby interface.
Device1#configure terminal
Device1(config)#ip route 11.1.1.0 255.255.255.0 cellular 1/0
Device1(config)#ip route 11.1.1.0 255.255.255.0 cellular 2/0 100
Device1(config)#ip route 0.0.0.0 255.255.255.0 cellular 2/0
Device1(config)#ip route 0.0.0.0 255.255.255.0 cellular 1/0 100

Step 6: Configure Device2 to perform authentication and allocate the IP address by the AAA server.

#Configure Device2. Configure AAA to use RADIUS authentication and
authorization.
Device2#configure terminal
Device2(config)#aaa new-model
Device2(config)#aaa authentication ppp default radius
Device2(config)#aaa authorization network default radius

Configure the IP address, user account, and password of the AAA server.
Device2(config)#radius-server host 192.168.200.2 auth-port 1645 priority 0 key admin

Step 7: Configure the L2TP tunnel to be built on Device2.

#Configure Device2.

Create two loopback interfaces to supply the IP addresses of the virtual templates.


Device2(config)#interface loopback0
Device2(config-if-loopback0)#ip address 172.16.20.1 255.255.255.255
Device2(config-if-loopback0)#exit
Device2(config)#interface loopback1
Device2(config-if-loopback1)#ip address 172.16.30.1 255.255.255.255
Device2(config-if-loopback1)#exit

Configure virtual-template 1 and build the L2TP tunnel between virtual-template 1 and
WCDMA.
Device2(config)#interface virtual-template1
Device2(config-if-virtual-template1)#encapsulation ppp
Device2(config-if-virtual-template1)#no peer default ip address
Device2(config-if-virtual-template1)#ppp mtu adaptive proxy
Device2(config-if-virtual-template1)#ppp authentication chap default
Device2(config-if-virtual-template1)#ppp authorization default
Device2(config-if-virtual-template1)#ip unnumber loopback0
Device2(config-if-virtual-template1)#exit

Enable the VPDN function and configure the VPDN group.


Device2(config)#vpdn enable
Device2(config)#vpdn-group 1 (Unicom vpdn)
Device2(config-vpdn)#accept-dialin
Device2(config-vpdn-acc-in)#protocol l2tp
Device2(config-vpdn-acc-in)#virtual-template 1
Device2(config-vpdn-acc-in)#exit

Configure the device to terminate L2TP connection requests from the LAC whose
hostname is GGSNCD01.
Device2(config-vpdn)#terminate-from hostname GGSNCD01

Configure the L2TP tunnel authentication password. This password must be the same
as the L2TP password provided by the operator.
Device2(config-vpdn)#l2tp tunnel password admin

Disable the L2TP tunnel authentication.


Device2(config-vpdn)#no l2tp tunnel authentication
Device2(config-vpdn)#exit

Configure virtual-template 2 and build the L2TP tunnel between virtual-template 2 and
WCDMA.
Device2(config)#interface virtual-template2
Device2(config-if-virtual-template2)#encapsulation ppp
Device2(config-if-virtual-template2)#no peer default ip address
Device2(config-if-virtual-template2)#ppp mtu adaptive proxy
Device2(config-if-virtual-template2)#ppp authentication chap default
Device2(config-if-virtual-template2)#ppp authorization default
Device2(config-if-virtual-template2)#ip unnumber loopback1
Device2(config-if-virtual-template2)#exit

Enable the VPDN function and configure the VPDN group.


Device2(config)#vpdn enable
Device2(config)#vpdn-group 2 (Telecom vpdn)
Device2(config-vpdn)#accept-dialin
Device2(config-vpdn-acc-in)#protocol l2tp
Device2(config-vpdn-acc-in)#virtual-template 2
Device2(config-vpdn-acc-in)#exit

Configure the device to terminate L2TP connection requests from the LAC whose
hostname is SC-CD-BS-PDSN-1.
Device2(config-vpdn)#terminate-from hostname SC-CD-BS-PDSN-1

Configure the L2TP tunnel authentication password. This password must be the same
as the L2TP password provided by the operator.
Device2(config-vpdn)#l2tp tunnel password admin

Disable the L2TP tunnel authentication.


Device2(config-vpdn)#no l2tp tunnel authentication
Device2(config-vpdn)#exit

Step 8: Configure Device1 IPsec dialing tunnel

#Configure Device1. Create two IPsec tunnels for two 3G interfaces. Configure the
local interface of tun1 as cellular1/0, the main data communication interface of service
A. Configure the local interface of tun2 as cellular2/0, the main data communication
interface of service B.
Device1(config)#crypto tunnel tun1
Device1(config-tunnel)#local interface cellular1/0
Device1(config-tunnel)#peer address 172.16.20.1
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#exit
Device1(config)#crypto tunnel tun2
Device1(config-tunnel)#local interface cellular 2/0
Device1(config-tunnel)#peer address 172.16.30.1
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#exit

Step 9: Configure the IPsec security policy of Device1.

#Configure Device1.

Service A uses WCDMA as the active line and CDMA2000 as the standby line.


Device1(config)#crypto policy policy1
Device1(config-policy)#flow 192.168.1.0 255.255.255.0 11.1.1.0 255.255.255.0 ip tunnel tun1 tun2
Device1(config-policy)#exit

Service B uses CDMA2000 as the active line and WCDMA as the standby line.


Device1(config)#crypto policy policy2
Device1(config-policy)#flow 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 ip tunnel tun2 tun1
Device1(config-policy)#exit

Step 10: Configure the IPsec tunnel of Device2.

#Configure Device2.
Device2(config)#crypto tunnel tun1
Device2(config-tunnel)#local interface loopback0
Device2(config-tunnel)#peer any
Device2(config-tunnel)#exit
Device2(config)#crypto tunnel tun2
Device2(config-tunnel)#local interface loopback1
Device2(config-tunnel)#peer any
Device2(config-tunnel)#exit

Step 11: Configure the IPsec policy of Device2 and configure the routing that is automatically
added to the peer end to protect the network.

#Configure Device2.
Device2(config)#crypto policy policy1
Device2(config-policy)#flow 11.1.1.0 255.255.255.0 any ip tunnel tun1 tun2
Device2(config-policy)#set reverse-route
Device2(config-policy)#exit
Device2(config)#crypto policy policy2
Device2(config-policy)#flow 10.1.1.0 255.255.255.0 any ip tunnel tun2 tun1
Device2(config-policy)#set reverse-route
Device2(config-policy)#exit

Step 12: Configure the routing of Device2.

#Configure Device2.
Device2(config)#router ospf 100
Device2(config-ospf)#network 10.250.19.0 0.0.0.255 area 0
Device2(config-ospf)#redistribute static
Device2(config-ospf)#redistribute connected
Device2(config-ospf)#exit

Step 13: Check the result.

#The two 3G interfaces can connect to the operator normally and the IPsec tunnel can
be created. Use the extended ping command on Device1 with the destination IP
address as 11.1.1.1 and source IP address as 192.168.100.2. Packets are protected
by tun1.
Device1#ping
Protocol [ip]:
Target IP address or hostname: 11.1.1.1
Repeat count [5]:
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface: 192.168.100.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [no]:

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 11.1.1.1 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 566/662/716 ms.

Device1#show crypto ipsec sa


policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 11.1.1.0/24 ip any any

local tunnel endpoint : 172.16.10.11 remote tunnel endpoint : 172.16.20.1


the pairs of ESP ipsec sa : id : 219, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x92b1022b(2461073963) crypto context : 0x9e237c0
current input 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28723/4294967294
uptime is 0 hour 1 minute 17 second
outbound esp IPsec sa : spi : 0x14bb1268(347804264) crypto context : 0x9e236c0
current output 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28723/4294967294
uptime is 0 hour 1 minute 17 second
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 216, algorithm : DES HMAC-SHA1-96
inbound esp IPsec sa : spi : 0x5e8b0229(1586168361) crypto context : 0x9e2c0a0
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28698/4294967295
uptime is 0 hour 1 minute 42 second
outbound esp ipsec sa : spi : 0xf0125e(15733342) crypto context : 0x9e235c0
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28698/4294967295
uptime is 0 hour 1 minute 42 second
policy name : policy2
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.1.1.0/24 ip any any
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 217, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0xc7da022a(3352953386) crypto context : 0x9e233c0
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28699/4294967295
uptime is 0 hour 1 minute 41 second
outbound esp ipsec sa : spi : 0xe640125f(3862958687) crypto context : 0x9e23a40
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28699/4294967295
uptime is 0 hour 1 minute 41 second
local tunnel endpoint : 172.16.10.11 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 220, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x28dd022c(685572652) crypto context : 0x9e2c5a0
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28723/4294967295
uptime is 0 hour 1 minute 17 second
outbound esp ipsec sa : spi : 0xeebc1267(4005302887) crypto context : 0x9e2c320
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28723/4294967295
uptime is 0 hour 1 minute 17 second

#If the IPsec tunnel created via cellular1/0 disconnects due to certain faults, use the
extended ping command on Device1 with the destination IP address as 11.1.1.1 and
source IP address as 192.168.100.2. Packets are protected by tun2.
Device1#ping
Protocol [ip]:
Target IP address or hostname: 11.1.1.1
Repeat count [5]:
Datagram size [76]:

Timeout in seconds [2]:


Extended commands [no]: y
Source address or interface: 192.168.100.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [no]:

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 11.1.1.1 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 500/536/566 ms.

Device1#show crypto ipsec sa


policy name : policy1
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 11.1.1.0/24 ip any any
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 216, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x5e8b0229(1586168361) crypto context : 0x9e2c0a0
current input 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28621/4294967294
uptime is 0 hour 2 minute 59 second
outbound esp ipsec sa : spi : 0xf0125e(15733342) crypto context : 0x9e235c0
current output 5 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28621/4294967294
uptime is 0 hour 2 minute 59 second
policy name : policy2
f (src, dst, protocol, src port, dst port) : 192.168.100.0/24 10.1.1.0/24 ip any any
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 217, algorithm : DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0xc7da022a(3352953386) crypto context : 0x9e233c0
current input 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28622/4294967295
uptime is 0 hour 2 minute 58 second
outbound esp ipsec sa : spi : 0xe640125f(3862958687) crypto context : 0x9e23a40
current output 0 packets, 0 kbytes
encapsulation mode : Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28622/4294967295
uptime is 0 hour 2 minute 58 second

total sa and sa group is 2

Use the same method to verify that service B uses cellular2/0 as the master interface
and cellular1/0 as the standby interface.
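
Both verification steps above read show crypto ipsec sa by eye to see which tunnel carried the ping; comparing the packet counters of two captures does the same check reliably and also surfaces the negotiated DES cipher. The following Python parser is an added example, not part of the original manual. Its sample text is abridged from the Step 13 output on this page, and the function names and the weak-cipher list are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Step 8 above: tun1 peers with 172.16.20.1, tun2 with 172.16.30.1.
PEER_TO_TUNNEL = {"172.16.20.1": "tun1", "172.16.30.1": "tun2"}
WEAK_CIPHERS = {"DES", "3DES"}  # the page shows only DES; the "3DES" label is assumed

RE_POLICY = re.compile(r"^policy name\s*:\s*(\S+)")
RE_ENDPOINTS = re.compile(r"^local tunnel endpoint\s*:\s*(\S+)\s+remote tunnel endpoint\s*:\s*(\S+)")
RE_PAIR = re.compile(
    r"^the pairs of ESP ipsec sa\s*:\s*id\s*:\s*(\d+),\s*algorithm\s*:\s*(\S+)\s*(\S*)", re.I)
RE_PACKETS = re.compile(r"^current (input|output) (\d+) packets")
RE_REPLAY = re.compile(r"^replay protection\s*:\s*(\w+)")

# Abridged from the Step 13 output above, before the cellular1/0 fault.
NORMAL = """\
policy name : policy1
local tunnel endpoint : 172.16.10.11 remote tunnel endpoint : 172.16.20.1
the pairs of ESP ipsec sa : id : 219, algorithm : DES HMAC-SHA1-96
current input 5 packets, 0 kbytes
replay protection : ON
current output 5 packets, 0 kbytes
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 216, algorithm : DES HMAC-SHA1-96
current input 0 packets, 0 kbytes
replay protection : ON
current output 0 packets, 0 kbytes
policy name : policy2
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 217, algorithm : DES HMAC-SHA1-96
current input 0 packets, 0 kbytes
replay protection : ON
current output 0 packets, 0 kbytes
"""
# Abridged from the Step 13 output above, after the fault.
FAILOVER = """\
policy name : policy1
local tunnel endpoint : 172.16.10.123 remote tunnel endpoint : 172.16.30.1
the pairs of ESP ipsec sa : id : 216, algorithm : DES HMAC-SHA1-96
current input 5 packets, 0 kbytes
replay protection : ON
current output 5 packets, 0 kbytes
"""

@dataclass
class SaPair:
    policy: str
    local: str
    remote: str
    sa_id: int = 0
    cipher: str = ""
    integrity: str = ""
    in_pkts: int = 0
    out_pkts: int = 0
    replay_on: bool = True

def parse_sa(text):
    """Parse 'show crypto ipsec sa' output into one SaPair per endpoint pair."""
    pairs, policy, cur = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_POLICY.match(line):
            policy, cur = m.group(1), None  # a policy may be listed with no SA at all
        elif m := RE_ENDPOINTS.match(line):
            cur = SaPair(policy, m.group(1), m.group(2))
            pairs.append(cur)
        elif cur is None:
            continue
        elif m := RE_PAIR.match(line):
            cur.sa_id, cur.cipher, cur.integrity = int(m.group(1)), m.group(2).upper(), m.group(3)
        elif m := RE_PACKETS.match(line):
            setattr(cur, "in_pkts" if m.group(1) == "input" else "out_pkts", int(m.group(2)))
        elif m := RE_REPLAY.match(line):
            cur.replay_on = cur.replay_on and m.group(1).upper() == "ON"
    return pairs

def carried_by(before, after, policy):
    """Tunnels whose SA counters for `policy` grew between two snapshots."""
    old = {(p.policy, p.sa_id): p.in_pkts + p.out_pkts for p in before}
    grew = []
    for p in after:
        delta = p.in_pkts + p.out_pkts - old.get((p.policy, p.sa_id), 0)
        if p.policy == policy and delta > 0:
            grew.append(PEER_TO_TUNNEL.get(p.remote, p.remote))
    return grew

def weak_pairs(pairs):
    """SA ids negotiated with a weak cipher or without replay protection."""
    return [p.sa_id for p in pairs if p.cipher in WEAK_CIPHERS or not p.replay_on]

if __name__ == "__main__":
    s1, s2 = parse_sa(NORMAL), parse_sa(FAILOVER)
    print("first ping carried by:", carried_by([], s1, "policy1"))
    print("ping after the fault carried by:", carried_by(s1, s2, "policy1"))
    print("weak SA pairs:", weak_pairs(s1))
```

Counters are cumulative per SA, so the comparison needs one capture taken before the ping and one after it; an empty list stands in for the first capture when the SAs have just been created.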

- Configure the command ppp mtu adaptive proxy for virtual-template 1 so that the
local MTU adapts to the peer MRU.
- In the WCDMA and TD-SCDMA systems, the APN names, which are provided by
the operator, are used to determine the connected private network. In the CDMA2000
network, run the ppp chap hostname command to identify the private network and
public network based on the corresponding domain names. In the telecom network,
the APN name is not required.
- If the command dialer mode auto is configured for the 3G interface to enable
automatic dialing, there is no need to define the rule for triggering dialing data flow.
- Traffic distribution means that the two services are carried over different 3G lines
when the lines are normal, and that the two lines act in the active and standby mode
when exceptions occur.
- The PPP-authenticated user account and password configured on Device1 are
allocated by the upper AAA server.
- To ensure normal routing, configure reverse route injection for the IPsec policy of
Device2. You can also configure a floating static route directed to the 3G interface
of Device1. When configuring the static route, direct it to the IP address of the 3G
interface. Do not configure the egress interface named virtual-template.
- If the operator LAC and the LNS are not in a directly connected network segment,
a static route to the operator LAC must be configured.

9 4G Interface
9.1 4G Overview

4G is short for 4th Generation. It evolved from the third generation
communication technology, that is, LTE (Long Term Evolution). The introduction of
various core technologies, such as OFDM (Orthogonal Frequency Division Multiplexing)
and MIMO (Multiple Input Multiple Output), improves the communication efficiency and
transmission rate in the LTE network. With the advantages of high bandwidth, high rate
and low delay, LTE provides better data transmission service for wireless
communication. It also brings further changes, such as VoLTE (Voice
over LTE) and MBMS (Multimedia Broadcast Multicast Service).

LTE has two mainstream network modes, LTE-TDD and LTE-FDD.
LTE-TDD adopts the Time Division Multiplexing technology. Its main
advantage is that the uplink and downlink rates can be adjusted by configuring the
uplink and downlink timeslot ratio. It makes good use of fragmented bands and is
applicable to asymmetrical transmission services. Its disadvantage is poor
immunity. LTE-FDD adopts the Frequency Division Multiplexing technology.
Uplink and downlink transmission use different bands, which ensures a stable
communication rate and strong immunity. Its disadvantage is low band utilization.
In the 20M spectrum bandwidth, the theoretical LTE uplink and downlink rates are
50Mb/s and 100Mb/s respectively. As the LTE technology is updated, the rate
continues to improve.

With the evolution of the mobile communication technology, the network difference is
gradually reduced, bringing more colorful services for the user.

9.1.1 4G Application Scenario

Data communication over the 4G wireless network is available when a 4G
communication module, such as a USB adapter or 3G board card, is inserted into
the device. If there is no 4G network or the 4G network coverage is not stable, the
module can switch to the 2G/3G network. The specific application scenario is shown in
the following figure.

Figure 9-1 4G application scenario 

As shown in the preceding figure, the device communicates wirelessly with the
operator base station through the 4G communication module and finally exchanges
data with the WAN through the operator. Different 4G communication modules
and different SIM cards determine different operators and different network modes.
However, in terms of the overall application scenario, the data communication
methods differ only slightly.

9.2 4G Function Configuration

Table 9-1 4G configuration list 

Configuration Task

Configure the 4G dialing access point         Configure the APN dialing access point

Configure the 4G dialing parameters           Configure the user name and password
                                              Configure the authentication type

Configure the SIM card safety function        Enable the PIN code function
                                              Authenticate the PIN code manually
                                              Authenticate the PIN code automatically
                                              Modify the PIN code
                                              Unblock the PIN code
                                              Configure IMSI binding function

Select the network mode                       Select the forced LTE mode
                                              Select the auto mode

Configure the multi-account dialing function  Configure the multi-account dialing function

9.2.1 Configure 4G Dialing Access Point

The APN access point name is provided by the carrier. During dialing, the carrier
determines the accessed server and sets up the data connection by resolving the
access point name.

Configuration Condition

The carrier needs to support the APN access function.

Configure Dialing Access Point

Configure the dialing access point according to the dialing requirement of the carrier,
mainly setting the access server name.

Table 9-2 Configure the dialing access point

Step                                    Command                                Description

Enter the global configuration mode     configure terminal                     -

Enter the 4G interface mode             interface fastcellular interface-name  -

Configure the 4G dialing access point   dialer config apn apn-name             Optional. By default, apn-name is CMNET.

9.2.2 Configure 4G Dialing Parameters

The carrier determines the access server, authenticates and sets up the connection by
resolving the user name and password.

The authentication type configuration of the 4G interface needs to be consistent with
that of the server.

Configuration Condition

The carrier needs to support the access function via the user name and password.

Configure Dialing User Name and Password

Configure the user name and password according to the dialing requirement of the
carrier.

Table 9-3 Configure the dialing user name and password 

Step                                             Command                                        Description
Enter the global configuration mode              configure terminal                             -
Enter the 4G interface mode                      interface fastcellular interface-name          -
Configure the 4G dialing user name and password  dialer config username user-name password pwd  Optional. By default, user-name is card and pwd is card.

Configure Dialing Authentication Type

The authentication type needs to be consistent with that of the server. If the server
does not require authentication, configuring the authentication type on the 4G interface
does not affect the dialing process.

Table 9-4 Configure dialing authentication type 

Step                                          Command                                         Description
Enter the global configuration mode           configure terminal                              -
Enter the 4G interface mode                   interface fastcellular interface-name           -
Configure the 4G dialing authentication type  dialer config authtype {chap | pap | pap_chap}  Optional. By default, the authentication type is CHAP.

9.2.3 Configure SIM Card Safety Function

The SIM card safety function mainly provides PIN code protection and IMSI binding,
which protect the right to use the 4G module.

The SIM (subscriber identity module), also called the subscriber identity card, records
the user identity data and information.

The PIN (Personal Identification Number) code is the personal identity password of the
SIM card. The PIN code is set to 1234 or 0000 by default. If the PIN code is enabled, a
four-digit PIN code must be entered when powering on. The PIN code can be changed,
which protects your own SIM card from being used by others.

The PUK (PIN Unlocking Key) is the unblocking code of the PIN code. When the SIM card
is locked because a wrong PIN code was entered, you can unblock it using the PUK code.

A unique IMSI (International Mobile Subscriber Identification Number) is allocated to
every SIM card. This code is valid anywhere on the network, including roaming areas.
The IMSI binding function binds the unique identifier of the SIM card with the
slot number.

Note: When the PIN code is entered incorrectly three consecutive times, the SIM card is
locked. You can then use the PUK code to unblock it. However, if the PUK code is
entered incorrectly ten consecutive times, the SIM card is locked permanently.

Configuration Condition

None

Enable PIN Code

The right of using the SIM card is protected by enabling the PIN code. You must enter
the correct PIN code to use the SIM card.

Table 9-5 Enable the PIN code 

Step                                 Command                                Description
Enter the global configuration mode  configure terminal                     -
Enter the 4G interface mode          interface fastcellular interface-name  -
Configure the 4G PIN code protect    pin-code pin-enable pin code           Mandatory. By default, the PIN code protect function is not enabled.

Authenticate PIN Code Manually

Manual PIN code authentication means that the PIN code is authenticated by entering
the command manually every time.

Table 9-6 Authenticate the PIN code manually 

Step                                      Command                                Description
Enter the global configuration mode       configure terminal                     -
Enter the 4G interface mode               interface fastcellular interface-name  -
Configure the 4G PIN code authentication  pin-code pin-check pin code            Mandatory. By default, manual PIN code authentication is not configured.

Authenticate PIN Code Automatically

In the automatic PIN code authentication mode, the PIN code is verified against a
preset PIN code. The user only needs to configure the PIN code once, and the
device then uses the configured PIN code for authentication.

Table 9-7 Authenticate the PIN code automatically 

Step                                                    Command                                Description
Enter the global configuration mode                     configure terminal                     -
Enter the 4G interface mode                             interface fastcellular interface-name  -
Configure the 4G auto authentication PIN code function  pin-code pin-check auto pin code       Mandatory. By default, automatic PIN code authentication is not configured.

Change PIN Code

Changing the PIN code lets the user set a new PIN code. After the PIN code is
changed, the new PIN code is used for authentication.

Table 9-8 Change the PIN code 

Step                                 Command                                    Description
Enter the global configuration mode  configure terminal                         -
Enter the 4G interface mode          interface fastcellular interface-name      -
Change the 4G PIN code               pin-code pin-change pin code new pin code  Mandatory. By default, the PIN code is not changed.

Unblock PIN Code

If the SIM card is locked because the wrong PIN code was entered three consecutive times,
the user can enter the PUK code to unblock it and set a new PIN code.

Table 9-9 Unblock the PIN code 

Step                                              Command                                Description
Enter the global configuration mode               configure terminal                     -
Enter the 4G interface mode                       interface fastcellular interface-name  -
Unlock and set the new PIN code via the PUK code  pin-code puk-check puk code pin code   Mandatory. By default, unblocking of the PIN code is not configured.

Configure IMSI Binding Function

With the IMSI binding function, the user can bind the SIM card to the 3G communication
module in a fixed slot, so that the 3G communication modules in other slots cannot
use the SIM card. This function is only available for this device.

Table 9-10 Configure the IMSI binding function 

Step                                                              Command                                             Description
Enter the global configuration mode                               configure terminal                                  -
Enter the 4G interface mode                                       interface fastcellular interface-name               -
Perform the IMSI binding for the specified 4G interface SIM card  dialer condition imsi-band { current-imsi | imsi }  Mandatory. By default, the IMSI binding function is not enabled.

9.2.4 Select Network Mode

The device provides only two network configuration modes: auto mode and forced LTE
mode. In auto mode, the module automatically adapts to the current network and
switches networks automatically according to the preferred mode. The forced LTE mode
is mainly used when the 4G signal coverage is stable in the customer scenario and the
user has a specific requirement for the rate. Usually, the auto mode is recommended.

Configuration Condition

None

Select Network Mode

The user can configure the network mode as desired.

Table 9-11 Select network mode

Step                                 Command                                Description
Enter the global configuration mode  configure terminal                     -
Enter the 4G interface mode          interface fastcellular interface-name  -
Configure the 4G network mode        dialer condition lte-only              Optional. By default, the auto mode is enabled.
                                     no dialer condition lte-only

9.2.5 Configure Multi-account Dialing Function

The multi-account dialing function is mainly used as follows: in the auto dialing mode,
when the default dialing configuration on the 4G interface fails to dial within the set
time, the device automatically switches to the multi-account list. The carrier needs to
support the function.

Configuration Condition

None

Configure Multi-account List

To create the multi-account list, configure the desired dialing parameter.

Table 9-12 Configure the multi-account list

Step                                      Command                           Description
Enter the global configuration mode       configure terminal                -
Enter the sub list configuration mode     multi-dialer multi-list-name      multi-list-name: Up to 10 lists can be configured. The length of the list name cannot exceed 20.
Enter the sub item configuration mode     config-list list-id               list-id: optional value 1-2
Configure the dialing parameter sub item  apn apn-name                      Optional. By default, not configured.
                                          username user-name password pwd
                                          authtype {chap | pap | pap_chap}

Configure 4G Interface to Associate with Multi-account List

The default dialing configuration in the interface is still the preferred dialing
configuration. After configuring the 4G interface to associate with the multi-account list,
the created multi-account list can take effect.

Table 9-13 Configure the 4G interface to associate with the multi-account list

Step                                                                 Command                                Description
Enter the global configuration mode                                  configure terminal                     -
Enter the 4G interface mode                                          interface fastcellular interface-name  -
Configure the 4G interface to associate with the multi-account list  multi-dialer multi-list-name           Optional. By default, the 4G interface is not associated with the multi-account list.

9.2.6 4G Monitoring and Maintaining

Table 9-14 The 4G monitoring and maintaining 

Command                             Description
show fastcellular phyinfo           Display the 4G module hardware information, network information, and SIM card information of all interfaces
show fastcellular dialer condition  Display the error statistics information related to dialing
show multi-list                     Display the association, dialing status and current configuration content of the current backup dialing configuration list and interface

9.3 Typical Configuration Example of 4G Network

9.3.1 4G VPDN Typical Configuration Example

Network Requirements

• Device1 is connected to the specified private network environment via the domain
  name.
• Device1 serves as the network site device, the carrier device serves as the LAC, and
  Device2 serves as the LNS. Set up the L2TP tunnel between the LAC and Device2.
• Associate Track on the 4G interface of Device1 to detect the link status
  between the site router and the LNS.

Network Topology

Figure 9-2 4G VPDN typical configuration view

Device      Interface   IP address
Device1     Gi0         172.16.2.1/24
AAA                     130.255.12.28/24
Device2     Loopback0   64.19.245.250/24
            Gi0         125.71.215.223/24
            Gi1         26.1.1.1/24
            Gi2         130.255.100.29/24

Configuration Steps

Step 1: Configure the IP address and route of the interface (omitted).

Step 2: Configure the 4G interface.

#Configure the dialing user name and password on the 4G interface fastcellular1/0 of Device1.
Configure the interface in auto dialing mode and obtain the IP address via DHCP.
Device1#configure terminal
Device1(config)#interface fastcellular1/0
Device1(config-if-fastcellular1/0)#dialer config username [email protected] password 0 admin
Device1(config-if-fastcellular1/0)#dialer mode auto
Device1(config-if-fastcellular1/0)#ip address dhcp
Device1(config-if-fastcellular1/0)#exit

Note: The 4G private network can be connected via the APN or the domain name. The
specific mode depends on the carrier. This example uses the domain name mode.

Step 3: Configure AAA.

#Configure Device2.

Use RADIUS to authenticate. The authentication list and authorization list are both
named ppp. Configure the address, authentication port, accounting port, and password
of the RADIUS server.
Device2(config)#aaa new-model
Device2(config)#aaa authentication ppp ppp radius none
Device2(config)#aaa authorization network ppp radius
Device2(config)#radius-server host 130.255.12.28 auth-port 1812 acct-port 1813 priority 0 key 0 a

Step 4: Configure the L2TP tunnel.

#Configure Device2.

Configure the virtual template virtual-template 1.


Device2(config)#interface virtual-template 1
Device2(config-if-virtual-template1)#encapsulation ppp
Device2(config-if-virtual-template1)#ppp mtu adaptive proxy
Device2(config-if-virtual-template1)#ppp authentication chap ppp
Device2(config-if-virtual-template1)#ppp authorization ppp
Device2(config-if-virtual-template1)#ip unnumber loopback0
Device2(config-if-virtual-template1)#exit

Enable the VPDN function and configure the VPDN group.


Device2(config)#vpdn enable
Device2(config)#vpdn-group 1
Device2(config-vpdn)#accept-dialin
Device2(config-vpdn-acc-in)#protocol l2tp
Device2(config-vpdn-acc-in)#virtual-template 1
Device2(config-vpdn-acc-in)#exit

Configure Device2 to accept L2TP connection requests only from the LAC with hostname
GGSNCD01 (optional).
Device2(config-vpdn)#terminate-from hostname GGSNCD01

Configure the L2TP tunnel authentication password. The password should be the same
as the L2TP password provided by the carrier.
Device2(config-vpdn)#l2tp tunnel password admin

View the L2TP tunnel setup status on Device2.


Device2#show vpdn detail
L2TP MaxTun 6000, MaxSes 6000:
tunnel free num: 5999
TUNNELS:
LocID LocName RemID RemName RemAddr Vpdn Port Sess State
78 Router 78 GGSNCD01 115.169.201.159 1 1701 1 ESTAB
session free num: 1999
SESSIONS:
LocID TunID RemID IfName User SysId Imsi/calling-noState
30 78 386 virtual-access2 [email protected] - 460110500000920 ESTAB

L2TP total Tunnel and Session Information. Tunnel 1 Session 1

After dialing successfully, the 4G interface of Device1 can get the IP address and the
protocol is up.
Device1#show interface fastcellular 1/0
Fastcellular1/0:
line protocol is up
Flags: (0xc208063) BROADCAST MULTICAST ARP RUNNING
Type: ETHERNET_CSMACD
Internet address: 64.19.245.249/30
Broadcast address: 64.19.245.251
Metric: 0, MTU: 1500, BW: 100000 Kbps, DLY: 100 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Ethernet address is 0001.7ab8.d858
Last clearing of "show interface" counters never
input peak rate 596 bits/sec, 1 hour 58 minutes 8 seconds ago
output peak rate 715 bits/sec, 1 hour 58 minutes 8 seconds ago
5 minutes input rate 0 bit/sec, 0 packet/sec
5 minutes output rate 0 bit/sec, 0 packet/sec
618 packets received; 1807 packets sent
4 multicast packets received
29 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
Unknown protocol 0
Rate: auto Duplex: auto
rxframes 618, rx bytes 52160, rx arps 21
txframes 1807, tx bytes 308654, tx arps 25
rx errors 0, tx errors 0

On Device1, ping the address of the virtual interface virtual-access2 on Device2 and
view whether the ping can succeed.
Device1#ping 64.19.245.250

Press key (ctrl + shift + 6) interrupt it.


Sending 5, 76-byte ICMP Echos to 64.19.245.250 , timeout is 2 seconds:
!!!!!
Success rate is 100% (5/5). Round-trip min/avg/max = 316/502/1066 ms.

Device1 can ping the address of the virtual interface virtual-access2 of Device2.

Step 5: Configure the 4G interface to associate with Track.

#On Device1, configure the ICMP-echo entity to detect the network connectivity from
Device1 to Device2 and add the entity to the entity group. Schedule the RTR group 1.
Device1(config)#rtr enable
Device1(config)#rtr 1 icmpecho
Device1(config-rtr-icmpecho)#set 64.19.245.250 5 70 2 12
Device1(config-rtr-icmpecho)#exit
Device1(config)#rtr group 1
Device1(config-rtr-group)#member 1
Device1(config-rtr-group)#exit
Device1(config)#rtr schedule 1 group 1 start now ageout 100 life forever

Create Track to associate with SLA.


Device1(config)#track 1
Device1(config-track)#rtr 1
Device1(config-track)#exit

Associate Track1 on the 4G interface.


Device1(config)# interface fastcellular1/0
Device1(config-if-fastcellular1/0)#dialer track id 1

Note: For the SLA configuration, refer to the SLA chapter of the configuration manual.

Step 6: Check the result.

When the link status between Device1 and Device2 is normal, view that the track
status is up on Device1.
Device1#show track object
track 1
status = up
entnum = 1
logic operator AND
Object Type Status Refcnt instruction
------------------------- -------- ------ ----------------------------------------
rtr up 1 rtr 1
-------------------------------------------------------------------------------------
module priority caller
------------------------- -------- ------
NDISDDR 20 0xd56b88
-------------------------------------------------------------------------------------

#On Device1, view that the 4G interface status is UP and can get the IP address.
Device1#show interface fastcellular 1/0
Fastcellular1/0:
line protocol is up
Flags: (0xc208063) BROADCAST MULTICAST ARP RUNNING
Type: ETHERNET_CSMACD
Internet address: 64.19.245.249/30
Broadcast address: 64.19.245.251
Metric: 0, MTU: 1500, BW: 100000 Kbps, DLY: 100 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Ethernet address is 0001.7ab8.d858
Last clearing of "show interface" counters never
input peak rate 596 bits/sec, 1 hour 58 minutes 8 seconds ago
output peak rate 715 bits/sec, 1 hour 58 minutes 8 seconds ago
5 minutes input rate 0 bit/sec, 0 packet/sec
5 minutes output rate 0 bit/sec, 0 packet/sec
618 packets received; 1807 packets sent
4 multicast packets received
29 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
Unknown protocol 0
Rate: auto Duplex: auto
rxframes 618, rx bytes 52160, rx arps 21
txframes 1807, tx bytes 308654, tx arps 25
rx errors 0, tx errors 0

When the link status between Device1 and Device2 is not normal, the track status on
Device1 is down. In this case, the 4G interface is brought down and re-dials.

9.3.2 4G IP APN Typical Configuration Example

Network Requirements

• Device1 is connected to the specified private network environment via the APN.
• The 4G router Device1 and Device2 use IPsec extended authentication to set up
  the IPsec tunnel, protecting the data between the PC1 network and
  Network-Center.
• The IPsec proposal uses the ESP security protocol. The IKE proposal and the IPsec
  proposal use the 3DES encryption algorithm and the SHA1 authentication algorithm.
• Set up a BFD echo multi-hop session between Device1 and Device2 to detect the 4G
  link status between Device1 and Device2.

Network Topology

Figure 9-3 4G IP APN typical networking

Device      Interface   IP address
Device1     Gi0         172.16.2.1/24
AAA Server              130.255.12.28/24
Device2     Gi0         125.71.215.223/24
            Gi1         26.1.1.1/24
            Gi2         130.255.100.29/24

Configuration Steps

Step 1: Configure the IP address and route of the interface (omitted).

Step 2: Configure the 4G interface.

#Configure Device1: configure the 4G interface fastcellular1/0 in auto dialing mode and
obtain the IP address via DHCP automatically.
Device1#configure terminal
Device1(config)#interface fastcellular1/0
Device1(config-if-fastcellular1/0)#dialer mode auto
Device1(config-if-fastcellular1/0)#ip address dhcp
Device1(config-if-fastcellular1/0)#dialer config apn cdmptx.sc
Device1(config-if-fastcellular1/0)#exit

Note: The 4G private network can be connected via the APN or the domain name. The
specific mode depends on the carrier. This example uses the APN mode.

Step 3: Configure AAA.

#Configure Device2: use RADIUS to authenticate; the authentication list and accounting
list are both named 4g; configure the RADIUS server address, authentication port,
accounting port, and RADIUS server password.
Device2#configure terminal
Device2(config)#aaa new-model
Device2(config)#aaa authentication xauth 4g radius
Device2(config)#aaa accounting network 4g wait-start radius
Device2(config)#radius-server host 130.255.12.28 auth-port 1812 acct-port 1813 priority 0 key 0 a

Step 4: Configure the IKE and IPsec proposal.

#Configure the IKE proposal ikepro on Device1, use the encryption algorithm 3DES
and authentication algorithm SHA1; configure the IPsec proposal ippro, use ESP
security protocol, use the encryption algorithm 3DES and authentication algorithm
SHA1.
Device1(config)#crypto ike proposal ikepro
Device1(config-ike-prop)#encryption 3des
Device1(config-ike-prop)#exit
Device1(config)#crypto ipsec proposal ippro
Device1(config-ipsec-prop)#esp 3des sha1
Device1(config-ipsec-prop)#exit

#Configure the pre-shared key on Device1 as admin and permit all peers to use the key.
Device1(config)#crypto ike key admin any

#Configure the IKE proposal ikepro on Device2, use the encryption algorithm 3DES
and authentication algorithm SHA1; configure the IPsec proposal ippro, use the ESP
security protocol, use the encryption algorithm 3DES and authentication algorithm
SHA1.
Device2(config)#crypto ike proposal ikepro
Device2(config-ike-prop)#encryption 3des
Device2(config-ike-prop)#exit
Device2(config)#crypto ipsec proposal ippro
Device2(config-ipsec-prop)#esp 3des sha1
Device2(config-ipsec-prop)#exit

#Configure the pre-shared key on Device2 as admin and permit all peers to use the key.
Device2(config)#crypto ike key admin any

Step 5: Configure the IKE ID alias.

#Configure the IKE ID alias as 4g on Device2, apply the extended authentication list 4g,
specify the extended authentication IMSI attribute and optional attribute, and apply the
accounting list 4g.
Device2(config)#crypto ike id alias 4g
Device2(config)#authentication 4g authen_imsi optional
Device2(config)#accounting 4g

Step 6: Configure the IPsec tunnel.

#Configure the tunnel tun on Device1 to initiate the negotiation as the extended
authentication client. Use the 4G interface fastcellular1/0 as the local address of the
tunnel, configure the peer address of the tunnel as 125.71.215.223, and configure the
authentication mode as pre-shared key authentication. The IKE proposal uses ikepro and
the IPsec proposal uses ippro. Configure the extended authentication client user name
as a and the password as a, and enable auto initiating negotiation. On the AAA server,
it is necessary to configure the IKE extended authentication user name, password, and
IMSI information.

Note: The IMSI value on the AAA server must be consistent with the IMSI value of the
4G interface.

Device1(config)#crypto tunnel tun
Device1(config-tunnel)#local interface fastcellular1/0
Device1(config-tunnel)#peer address 125.71.215.223
Device1(config-tunnel)#set authentication preshared
Device1(config-tunnel)#set ike proposal ikepro
Device1(config-tunnel)#set ipsec proposal ippro
Device1(config-tunnel)#set xauth-client user-name a password a
Device1(config-tunnel)#set auto-up
Device1(config-tunnel)#exit

#On Device2, configure the tunnel, use the address of the interface Gi0
125.71.215.223 as the local address of the tunnel, configure the peer address of the
tunnel as any, the IKE proposal uses ikepro, the IPsec proposal uses ippro, and set the
peer ID alias as 4g.
Device2(config)#crypto tunnel tun
Device2(config-tunnel)#local address 125.71.215.223
Device2(config-tunnel)#peer any
Device2(config-tunnel)#set ike proposal ikepro
Device2(config-tunnel)#set ipsec proposal ippro
Device2(config-tunnel)#set peer-id alias 4g
Device2(config-tunnel)#exit

Step 7: Configure the IPsec security policy.

#Configure Device1, configure the security policy policy1, protect the IP
communication from network 172.16.2.0/24 to network 26.1.1.0/24, and associate the
tunnel tun.
Device1(config)#crypto policy policy1
Device1(config-policy)#flow 172.16.2.0 255.255.255.0 26.1.1.0 255.255.255.0 ip tunnel tun
Device1(config-policy)#exit

#Configure Device2, configure the security policy policy1, protect the IP
communication of any network, and associate the tunnel tun.
Device2(config)#crypto policy policy1
Device2(config-policy)#flow any any ip tunnel tunnel bypass
Device2(config-policy)#exit

Step 8: Configure BFD.

#Configure Device1: configure BFD on the 4G interface fastcellular1/0. The remote IP
address is 125.71.215.223, and the local IP address of the BFD session is obtained from
the 4G interface dynamically.
Device1(config)#interface fastcellular1/0
Device1(config-if-fastcellular1/0)#dialer bfd remote-ip 125.71.215.223
Device1(config-if-fastcellular1/0)#exit

#Configure Device2, and enable BFD on gigabitethernet 0.


Device2(config)#interface gigabitethernet0
Device2(config-if-gigabitethernet0)#bfd echo multihop local-ip 125.71.215.223
Device2(config-if-gigabitethernet0)#exit

Step 9: Check the result.

#View the interface information of the 4G interface fastcellular1/0 on Device1.


Device1#show interface fastcellular1/0
fastcellular1/0:
line protocol is up
Flags: (0xc208063) BROADCAST MULTICAST ARP RUNNING
Type: ETHERNET_CSMACD
Internet address: 10.230.33.13/30
Broadcast address: 10.230.33.15
Metric: 0, MTU: 1500, BW: 1000000 Kbps, DLY: 100 usec, VRF: global
Reliability 255/255, Txload 1/255, Rxload 1/255
Ethernet address is 0001.7adf.e997
Last clearing of "show interface" counters never
input peak rate 545 bits/sec, 0 hour 8 minutes 10 seconds ago
output peak rate 4028 bits/sec, 0 hour 1 minute 20 seconds ago
5 minutes input rate 0 bit/sec, 0 packet/sec
5 minutes output rate 2000 bits/sec, 3 packets/sec
43 packets received; 1749 packets sent
6 multicast packets received
16 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
Unknown protocol 0
Rate: auto Duplex: auto
rxframes 43, rx bytes 4842, rx arps 3
txframes 1736, tx bytes 158030, tx arps 9
rx errors 0, tx errors 0

#View the BFD session information on Device1.


Device1#show bfd session
OurAddr NeighAddr LD/RD State Holddown interface
10.230.33.13 125.71.215.223 4/4 UP 90000 fastcellular3/0

#View the BFD session information on Device2.


Device2#show bfd session
OurAddr NeighAddr LD/RD State Holddown interface
125.71.215.223 0.0.0.0 4/4 DOWN 0 gigabitethernet0

Note: Currently, BFD only detects the lower-end device, so the session status on the
upper-end Device2 is always DOWN.

#View the IPsec tunnel information on Device1.


Device1#show crypto ike sa
sa-id negotiation-state localaddr peeraddr peer-identity
2128 STATE_XAUTH_C2 10.230.33.13 125.71.215.223 125.71.215.223
2129 STATE_QUICK_I2 10.230.33.13 125.71.215.223 125.71.215.223
Device1#show crypto ipsec sa
policy name : policy1
f (src, dst, protocol, src port, dst port) : 172.16.2.0/24 26.1.1.0/24 ip any any
local tunnel endpoint : 10.230.33.13 remote tunnel endpoint : 125.71.215.223
the pairs of ESP ipsec sa : id : 2129, algorithm : 3DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0x262f3048(640626760) crypto m_context(s_context) :
0x9e44e60 / 0x137cd368
current input 10 packets, 0 kbytes
encapsulation mode : UDP-Encapsulation-Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28696/4294967295
uptime is 0 hour 1 minute 44 second
outbound esp ipsec sa : spi : 0xd1e04f22(3521138466) crypto m_context(s_context) :
0x137cd230 / 0x137cd1c8
current output 10 packets, 0 kbytes
encapsulation mode : UDP-Encapsulation-Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28696/4294967295
uptime is 0 hour 1 minute 44 second

total sa and sa group is 1

#View the IPsec tunnel information on Device2.


Device2#show crypto ike sa
sa-id negotiation-state localaddr peeraddr peer-identity
67155 STATE_XAUTH_S3 125.71.215.223 223.104.9.12 a(a)
67156 STATE_QUICK_R2 125.71.215.223 223.104.9.12 a
Device2#show crypto ipsec sa tunnel tun
policy name : subflow-1610618814, the parent policy name : policy1
f (src, dst, protocol, src port, dst port) : 26.1.1.0/24 172.16.2.0/24 ip any any
local tunnel endpoint : 125.71.215.223 remote tunnel endpoint : 223.104.9.12
the pairs of ESP ipsec sa : id : 67156, algorithm : 3DES HMAC-SHA1-96
inbound esp ipsec sa : spi : 0xd1e04f22(3521138466) crypto m_context(s_context) :
0xa6f4ab8 / 0x18b80d90
current input 10 packets, 0 kbytes
encapsulation mode : UDP-Encapsulation-Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28643/4294967295
uptime is 0 hour 2 minute 37 second
outbound esp ipsec sa : spi : 0x262f3048(640626760) crypto m_context(s_context) :
0x19c0fc58 / 0x2031a298
current output 10 packets, 0 kbytes
encapsulation mode : UDP-Encapsulation-Tunnel
replay protection : ON
remaining lifetime (seconds/kbytes) : 28643/4294967295
uptime is 0 hour 2 minute 37 second

total sa and sa group is 1

#You can see that Device1 and Device2 set up the IPsec extended authentication
tunnel successfully.

#PC1 and the data center can ping each other via the IPsec tunnel.

#After the line between Device1 and Device2 fails, BFD quickly detects the fault and
triggers re-dialing after the 4G interface goes down.
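
A configuration review of the two typical examples above, as an added Python sketch that is not part of the manual or of any vendor tooling: it flags the settings a reviewer would question before deployment (example or default secrets such as admin, a and card, a pre-shared key accepted from any peer, 3DES and SHA1 proposals, PAP). The transcript is constructed from command forms shown on this page; the user name, the 12-character minimum and the reading of pap_chap as permitting PAP are assumptions.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    command: str  # the command with any secret replaced by ***


# Strips prompts such as "Device1(config-if-fastcellular1/0)#" so that a pasted
# terminal transcript can be audited as well as a bare command list.
PROMPT = re.compile(r"^[\w-]+\s?(?:\([^)]*\))?#\s*")

# Secrets that appear on this page as defaults or example values.
KNOWN_WEAK = {"card", "admin", "a", "1234", "0000"}
MIN_SECRET_LEN = 12  # assumption: this example's own policy, not a device limit

# Command forms from this page that carry a secret; group 1 is the secret.
SECRET_FORMS = [
    re.compile(r"^dialer config username \S+ password (?:\d )?(\S+)$"),
    re.compile(r"^radius-server host .* key (?:\d )?(\S+)$"),
    re.compile(r"^crypto ike key (\S+) \S+$"),
    re.compile(r"^l2tp tunnel password (\S+)$"),
    re.compile(r"^set xauth-client user-name \S+ password (\S+)$"),
]

# rule id -> (pattern, why a reviewer cares)
RULES = {
    # pap_chap is assumed to permit PAP as one of the accepted methods
    "ppp-pap": (re.compile(r"^dialer config authtype (?:pap|pap_chap)$"),
                "PAP sends the dialing password in cleartext"),
    "legacy-cipher-3des": (re.compile(r"^(?:encryption 3des|esp 3des(?: \S+)?)$"),
                           "3DES is a legacy 64-bit block cipher"),
    "legacy-hash-sha1": (re.compile(r"^esp \S+ sha1$"),
                         "SHA1 is a legacy hash algorithm"),
    "psk-any-peer": (re.compile(r"^crypto ike key \S+ any$"),
                     "one pre-shared key is accepted from every peer"),
}
WHY_WEAK_SECRET = "secret is short or is an example/default value"

# Constructed transcript: command forms from this page, placeholder user name.
SAMPLE_TRANSCRIPT = """\
Device1(config)#interface fastcellular1/0
Device1(config-if-fastcellular1/0)#dialer config username user@example.invalid password 0 admin
Device1(config-if-fastcellular1/0)#dialer config authtype pap
Device1(config)#crypto ike proposal ikepro
Device1(config-ike-prop)#encryption 3des
Device1(config)#crypto ipsec proposal ippro
Device1(config-ipsec-prop)#esp 3des sha1
Device1(config)#crypto ike key admin any
Device2(config)#radius-server host 130.255.12.28 auth-port 1812 acct-port 1813 priority 0 key 0 a
Device2(config-vpdn)#l2tp tunnel password admin
Device1(config-tunnel)#set xauth-client user-name a password a
"""


def is_weak(secret: str) -> bool:
    return secret.lower() in KNOWN_WEAK or len(secret) < MIN_SECRET_LEN


def audit(config_text: str) -> List[Finding]:
    """Return findings in input order; secrets never appear in the result."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        if not line or line.startswith("#"):  # blank line or manual-style comment
            continue
        shown, weak = line, False
        for form in SECRET_FORMS:
            m = form.match(line)
            if m:
                weak = is_weak(m.group(1))
                shown = line[:m.start(1)] + "***" + line[m.end(1):]
                break
        if weak:
            findings.append(Finding(line_no, "weak-secret", shown))
        for rule, (pattern, _why) in RULES.items():
            if pattern.match(line):
                findings.append(Finding(line_no, rule, shown))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TRANSCRIPT):
        why = WHY_WEAK_SECRET if f.rule == "weak-secret" else RULES[f.rule][1]
        print(f"line {f.line_no}: {f.rule}: {why}: {f.command}")
```
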

10 Loopback Interface

10.1 Overview

The loopback interface, also called the local loopback interface, is a logical virtual
interface realized by software. The interface is not affected by the physical status. As
long as it is not disabled manually, its status is always enabled. In a dynamic routing
protocol, such as OSPF, you can select the IP address of the loopback interface as the
Router ID. The device regards packets sent to the loopback interface as sent to
itself, so it does not forward them.

10.2 Loopback Interface Function Configuration

Table 10-1 Function configuration list of loopback interface

Configuration Task
Configure the loopback interface  Configure loopback interface

10.2.1 Configure Loopback Interface

Configuration Condition

None

Configure Basic Functions of Loopback Interface

Table 10-2 Configure basic functions of the loopback interface 

Step                                 Command                         Description
Enter the global configuration mode  configure terminal              -
Create the loopback interface        interface loopback unit-number  Mandatory. By default, the loopback interface is not created.

11 Null Interface

11.1 Overview

The null interface is a logical interface realized by software. Any packet sent to the
null interface is dropped. When a dynamic routing protocol, such as OSPF, generates an
auto-summarized route, the egress interface of the route points to the null interface,
which effectively avoids routing loops. The Null0 interface is created by the device by
default and the user cannot disable or delete it.

11.2 Null Interface Function Configuration

Table 11-1 Function configuration list of Null interface   

Configuration Task
Configure the basic functions of Null interface  Configure the basic functions of Null interface

11.2.1 Configure Null Interface

Configuration Condition

None

Configure Basic Functions of Null Interface

Table 11-2 Configure basic functions of Null interface 

Step                                             Command             Description
Enter the global configuration mode              configure terminal  -
Enter the null interface configuration mode      interface null 0    Mandatory
Prohibit sending ICMP unreachable error packets  no ip unreachables  Optional. By default, sending ICMP unreachable error packets is prohibited.

Note:
• The null interface only supports configuring whether to permit or prohibit sending
  ICMP unreachable error packets.
• A packet that reaches the null interface is dropped, and it is not necessary to send
  an ICMP unreachable error.

12 Tunnel Interface

12.1 Overview

Tunneling is a technology that uses one network protocol to transmit another network
protocol. It includes the process of encapsulating, transmitting, and de-encapsulating
data. The path that the encapsulated packet takes through the network is called the
tunnel. A tunnel is a virtual point-to-point connection. The devices at the two sides
of the tunnel are called tunnel endpoints and they are responsible for
encapsulating and de-encapsulating packets.

The tunnel interface is a logical interface realized by software, providing the
transmission link for the point-to-point mode.

12.2 Tunnel Interface Function Configuration

Table 12-1 Function configuration list of tunnel interface 

Configuration Task
Configure the basic functions of the tunnel interface  Configure the basic functions of the tunnel interface

12.2.1 Configure Tunnel Interface

Configuration Condition

None

Configure Basic Functions of Tunnel Interface

Table 12-2 Configure basic functions of tunnel interface

Step                                                      Command                        Description
Enter the global configuration mode                       configure terminal             -
Create tunnel interface and enter its configuration mode  interface tunnel tunnel-unit   Mandatory. By default, the tunnel interface is not created on the device.
Configure work mode of tunnel interface                   tunnel mode { gre ip | ipip |  Optional. By default, the work mode of the tunnel interface is GRE over IPv4.
                                                          ipv6ip [ 6to4 | auto-tunnel ]
                                                          mpls traffic-eng }
Configure TOS of tunnel interface                         tunnel tos tos-value           Optional. By default, the tunnel interface is not configured with TOS.
Configure TTL of tunnel interface                         tunnel ttl ttl-value           Optional. By default, the TTL value of the tunnel interface is 255.

Note:
• The TOS configured on the tunnel interface is used to fill the TOS field in the outer
  IPv4 packet header during encapsulation. If the TOS value is not configured on the
  tunnel interface, the TOS value in the inner IPv4 packet header is used.
• The TTL value configured on the tunnel interface is used to fill the TTL field in the
  outer IPv4 packet header during encapsulation.
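
How a tunnel endpoint fills the outer header under these two rules, as an added Python sketch that is not the device's implementation: it builds GRE over IPv4 (the default work mode in Table 12-2) with a basic 4-byte GRE header, copies the inner TOS when no tunnel TOS is set, uses TTL 255 unless overridden, and shows the de-encapsulating side. The addresses and the inner packet are constructed sample values.

```python
import socket
import struct
from typing import Optional

IPPROTO_GRE = 47          # IPv4 protocol number of GRE in the outer header
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
DEFAULT_TUNNEL_TTL = 255  # default "tunnel ttl" value given in Table 12-2


def ipv4_checksum(header: bytes) -> int:
    """One's-complement header checksum; returns 0 over a header that is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                tos: int, ttl: int) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                         ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    tunnel_tos: Optional[int] = None,
                    tunnel_ttl: int = DEFAULT_TUNNEL_TTL) -> bytes:
    """Wrap an IPv4 packet in GRE over IPv4 using the TOS/TTL rules above."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    if tunnel_tos is not None and not 0 <= tunnel_tos <= 255:
        raise ValueError("TOS must fit in one byte")
    if not 1 <= tunnel_ttl <= 255:
        raise ValueError("TTL must be 1-255")
    # No tunnel TOS configured: take the TOS of the inner IPv4 header.
    outer_tos = inner[1] if tunnel_tos is None else tunnel_tos
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no checksum/key/sequence
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE,
                        len(gre) + len(inner), outer_tos, tunnel_ttl)
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer IPv4 and GRE headers and return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or len(packet) < ihl + 4:
        raise ValueError("truncated or not IPv4")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl + 4:total_len]


# Constructed inner packet: TOS 0xB8, TTL 64, protocol 1, 8 zero payload bytes.
INNER = ipv4_header("172.16.2.10", "26.1.1.10", 1, 8, 0xB8, 64) + bytes(8)

if __name__ == "__main__":
    pkt = gre_encapsulate(INNER, "10.230.33.13", "125.71.215.223")
    print("outer TOS 0x%02x, outer TTL %d, %d bytes" % (pkt[1], pkt[8], len(pkt)))
```
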
