ESR Dual-GSM Failover

I’d like to show you one of the benefits of the Enterprise Service Router. As you may know, the ESR is equipped with a GSM module. There are two options: it can hold a single SIM card, OR dual SIM cards for redundancy. In this part of the tutorial, I want to share my experience of configuring Dual GSM Failover on the ESR. Please refer to the following picture for details:

[image: esr_2sim_failover]

Picture 1: General topology for Dual GSM scenario

The first thing you need to prepare is two SIM cards from different GSM operators. I use a public APN in this scenario, but I’d prefer a private APN for corporate or enterprise clients, because the operator then provides a traffic guarantee and a closed IP segment, which makes the GSM network more secure.

Based on the topology, the Branch Router (OA57x0 ESR) connects to the Head Office Router (OA58x0 ESR) over GSM. It has two GSM links, each connected to a different operator (let’s say Operator-A and Operator-B). The primary link connects to Operator-A on interface direct-ip1 (dip-1), and the secondary link connects to Operator-B on interface direct-ip2 (dip-2). Both interfaces get their IP address from the operator’s DHCP server, but dip-2 won’t be assigned one until it becomes active. On the HO side, we have a Backhaul Router connected to both operators. It has a Loopback interface with a public IP address, so that the operators can reach it over the internet. The loopback interface is important for establishing the VPN tunnel (DMVPN) between Branch and HO: it becomes the tunnel source on each router. Why do we need to establish a VPN tunnel? If you still have no idea, please stop and close this page right now! OK, let’s jump to the configuration part:

Branch Router:

   set hostname BRANCH
   add device direct-ip 1
   add device direct-ip 2
   add device tnip 1
   add device loopback 1
   set data-link at cellular0/0
   set data-link at cellular0/1
   set data-link at cellular1/0
   set data-link sync serial2/0
   set data-link nic cellular1/1
   feature afs 
      enable 
   exit
;
   feature access-lists 
; -- Access Lists user configuration --
      access-list 100 
         entry 10 default
         entry 10 permit
         entry 10 source address 1.1.1.2 255.255.255.255
         entry 10 protocol gre
;
      exit
;
      access-list 101 
         entry 1 default
         entry 1 deny
         entry 1 protocol gre
;
         entry 2 default
         entry 2 permit
      exit
   exit
;
   global-profiles dial 
; -- Dial Profiles Configuration --
      profile OPERATOR-A default
      profile OPERATOR-A dialout
      profile OPERATOR-A local-address 08111
      profile OPERATOR-A 3gpp-accessibility-control traffic 100 all
      profile OPERATOR-A 3gpp-apn indosatgprs
;
      profile OPERATOR-B default
      profile OPERATOR-B dialout
      profile OPERATOR-B local-address 08222
      profile OPERATOR-B 3gpp-accessibility-control traffic 100 all
      profile OPERATOR-B 3gpp-apn axis
   exit
   network cellular1/0
; -- Interface AT. Configuration  --
      coverage-timer 10
      no register-denied-reset 
      sim-select internal-socket-2
      record-changes enable
      record-changes sim enable
      record-changes sim samples 200
      sim external-socket-1 local-address 08222
      sim external-socket-1 pin ciphered-unique 0x73D2BE54782B4623
      sim internal-socket-2 local-address 08111
      sim internal-socket-2 pin ciphered-unique 0xCBE1E87F6A266E55
      sim supervision enable
      sim return-criteria time after 60
      sim return-criteria nsla-advisor 222
      sim nsla-criteria nsla-advisor 111
      sim connection-timeout 90s
      network mode automatic
      network domain cs+ps
   exit
;
   network direct-ip1
; -- Generic Direct IP Encapsulation User Configuration --
      description "Link to Operator-A"
      ip address dhcp-negotiated
      base-interface 
; -- Base Interface Configuration --
         base-interface cellular1/1 link
         base-interface cellular1/1 profile OPERATOR-A
      exit
;
      direct-ip 
; -- Direct IP encapsulator user configuration --
         address dhcp
         authentication none
      exit
;
   exit
;
   network direct-ip2
; -- Generic Direct IP Encapsulation User Configuration --
      description "Link to Operator-B"
      ip address dhcp-negotiated
      base-interface 
; -- Base Interface Configuration --
         base-interface cellular1/1 link
         base-interface cellular1/1 profile OPERATOR-B
      exit
;
      direct-ip 
; -- Direct IP encapsulator user configuration --
         address dhcp
         authentication none
      exit
   exit
;
   network tnip1
; -- IP Tunnel Net Configuration --
      ip address 99.99.99.2 255.255.255.0 
      enable 
      mode gre multipoint
      source 1.1.1.2
      nhrp enable 
      nhrp holdtime 300
      nhrp map multicast 117.102.90.189
      nhrp map 99.99.99.1 255.255.255.255 117.102.90.189
      nhrp nhs 99.99.99.1
      nhrp record 
      encapsulation 
; -- GRE Configuration --
         key 123456
      exit
;
   exit
;
   network loopback1
; -- Loopback interface configuration --
      ip address 1.1.1.2 255.255.255.255 
;
   exit
;
   protocol ip
; -- Internet protocol user configuration --
      route 117.102.90.189 255.255.255.255 direct-ip1
      route 117.102.90.189 255.255.255.255 direct-ip2 10
      route 0.0.0.0 0.0.0.0 tnip1
;
      nat 
         rule 1 out direct-ip1 list 101 dynamic overload
         rule 1 translation source interface direct-ip1
;
         rule 2 out direct-ip2 list 101 dynamic overload
         rule 2 translation source interface direct-ip2
;
      exit
;
      ipsec 
; -- IPSec user configuration --
         enable 
         assign-access-list 100

;This is Phase-I
         template 1 default
         template 1 isakmp des sha1
         template 1 life duration seconds 1d
         template 1 ike natt-version draft-v2-n
         template 1 ike group two
         template 1 keepalive dpd

;This is Phase-II for Primary Link
         template 2 default
         template 2 dynamic esp des md5
         template 2 source-address direct-ip1
         template 2 life type both
         template 2 life duration seconds 1d
         template 2 keepalive keepalive

;This is Phase-II for Secondary Link
         template 3 default
         template 3 dynamic esp tdes sha1
         template 3 source-address direct-ip2
         template 3 life type both
         template 3 life duration seconds 1d
         template 3 keepalive keepalive
;
         map-template 100 2
         map-template 100 3
         key preshared ip 117.102.90.189 ciphered 0xCA8EE13C941D2D25E13C2B98DB569D80 unique
         advanced keep-alive packets 10
         advanced pkt-dest-isakmp-dest
         advanced dpd idle-period 20
      exit
;
   exit
;
   feature nsm 
; -- Network Service Monitor configuration --
      operation 1 
; -- NSM Operation configuration --
         description "Healthy Check to Backhaul"
         type echo ipicmp 117.102.90.189
         frequency 2
         timeout 2000
      exit
;
      operation 2 
; -- NSM Operation configuration --
         type echo ipicmp 99.99.99.1
         frequency 3
         timeout 1000
      exit
;
      schedule 1 life forever
      schedule 1 start-time after 1m
      schedule 2 life forever
      schedule 2 start-time after 1m30s
   exit
;
   feature nsla 
; -- Feature Network Service Level Advisor --
      enable 

      filter 111 nsm-op 1 rtt
      filter 111 significant-samples 10
      filter 111 activation threshold timeout
      filter 111 activation sensibility 100
      filter 111 activation stabilization-time 1
      filter 111 deactivation threshold timeout
      filter 111 deactivation sensibility 100
      filter 111 deactivation stabilization-time 1

      filter 222 nsm-op 1 rtt
      filter 222 significant-samples 10
      filter 222 activation threshold timeout
      filter 222 activation sensibility 100
      filter 222 activation stabilization-time 1
      filter 222 deactivation threshold timeout
      filter 222 deactivation sensibility 100
      filter 222 deactivation stabilization-time 1

      alarm 111 filter-id 111
      alarm 222 filter-id 222

      advisor 111 alarm-id 111
      advisor 222 alarm-id 222

   exit
   dump-command-errors 
   end 

At the Branch site, we have configured three main features to establish the connection to the HO site. These features are configured independently:

  • Global Profile & Direct-IP interface ~ dialing out to establish the GSM connection.
  • IP NSLA and NSM ~ tracking end-to-end connectivity, so that the second link is triggered if the primary link fails.
  • IPSec and TNIP interface ~ securing the connection and establishing DMVPN over the internet.
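To see how the NSLA parameters above turn a run of lost echoes into a SIM switch and back, here is a small model written for this page (an added example, not code from the ESR firmware or from the original post). It replays a constructed series of NSM operation 1 results through two filters configured like 111 and 222 and through the `sim return-criteria` logic. How the firmware counts stabilization-time (one evaluation per sample here) and the unit of the return timer (seconds) are assumptions.

```python
"""Model of the SIM failover decision configured on the branch router.

Added example, not ESR/Teldat code. It mimics the observable behaviour of
the page's NSLA filters 111 and 222 (significant-samples 10, threshold
timeout, sensibility 100, stabilization-time 1), both fed by NSM operation 1,
and of `sim return-criteria time after 60` / `nsla-advisor 222`. How the
firmware counts stabilization time is an assumption (one evaluation here),
so use it to reason about the parameters, not as the implementation.
"""
from collections import deque

TIMEOUT = None                   # marker for an NSM echo that got no reply (constructed)
PRIMARY = "internal-socket-2"    # Operator-A SIM, selected at boot
SECONDARY = "external-socket-1"  # Operator-B SIM


class NslaFilter:
    """Alarm over a sliding window of the last `significant_samples` results."""

    def __init__(self, significant_samples=10, activation_pct=100,
                 deactivation_pct=100, stabilization_time=1):
        self.window = deque(maxlen=significant_samples)
        self.activation_pct, self.deactivation_pct = activation_pct, deactivation_pct
        self.stabilization_time = stabilization_time
        self.active = False
        self._pending = 0   # consecutive evaluations that met the switch condition

    def feed(self, rtt_ms):
        """Add one NSM sample (RTT in ms, or TIMEOUT) and return the alarm state."""
        self.window.append(rtt_ms)
        if len(self.window) < self.window.maxlen:
            return self.active                      # not enough significant samples yet
        pct_bad = 100 * sum(s is TIMEOUT for s in self.window) / len(self.window)
        if (not self.active and pct_bad >= self.activation_pct) or \
           (self.active and 100 - pct_bad >= self.deactivation_pct):
            self._pending += 1
        else:
            self._pending = 0
        if self._pending >= self.stabilization_time:
            self.active, self._pending = not self.active, 0
        return self.active


class SimSelector:
    """Switch to the secondary SIM when advisor 111 is active; return to the
    primary once `return_after` seconds have passed and advisor 222 is clear."""

    def __init__(self, return_after=60):
        self.sim, self.return_after, self.switched_at = PRIMARY, return_after, None

    def step(self, now, advisor_111, advisor_222):
        if self.sim == PRIMARY and advisor_111:
            self.sim, self.switched_at = SECONDARY, now
        elif (self.sim == SECONDARY and now - self.switched_at >= self.return_after
              and not advisor_222):
            self.sim, self.switched_at = PRIMARY, None
        return self.sim


def simulate(samples, frequency=2):
    """Run NSM operation 1 results through both filters and the SIM selector.
    Returns the (time_s, sim) transitions, starting from the boot state."""
    f111, f222, sel = NslaFilter(), NslaFilter(), SimSelector()
    transitions = [(0, sel.sim)]
    for i, sample in enumerate(samples):
        now = i * frequency                 # NSM operation 1 runs every 2 s
        sim = sel.step(now, f111.feed(sample), f222.feed(sample))
        if sim != transitions[-1][1]:
            transitions.append((now, sim))
    return transitions


# Constructed trace: Operator-A healthy, then 15 lost echoes, then recovery.
SAMPLE = [40] * 12 + [TIMEOUT] * 15 + [45] * 60

if __name__ == "__main__":
    for t, sim in simulate(SAMPLE):
        print("t=%4ds  sim-select %s" % (t, sim))
```

With `significant-samples 10` and `sensibility 100`, the alarm needs ten consecutive timeouts, about 20 seconds at `frequency 2`, before the SIM switches, and the model does not return to Operator-A until 60 seconds after the switch even though the alarm clears earlier; lowering the sensibility or the sample count makes the failover faster but also more sensitive to a single lost echo.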

Now, let’s jump to the HO Router configuration. The HO’s configuration is easier and quite simple compared to the Branch Router’s.

Head Office Router:

   set hostname HEAD-OFFICE
   add device tnip 1
   add device loopback 1
   feature afs 
      enable 
   exit
;
   feature access-lists 
; -- Access Lists user configuration --
      access-list 100 
         entry 10 default
         entry 10 permit
         entry 10 source address 117.102.90.189 255.255.255.255
         entry 10 protocol gre
;
      exit
;
      access-list 101 
         entry 1 default
         entry 1 deny
         entry 1 protocol gre
;
         entry 2 default
         entry 2 permit
      exit
   exit
;
   network tnip1
; -- IP Tunnel Net Configuration --
      ip address 99.99.99.1 255.255.255.0 
      enable 
      mode gre multipoint
      source 117.102.90.189
      nhrp enable 
      nhrp holdtime 600
      nhrp map multicast dynamic
      nhrp record 
      encapsulation 
; -- GRE Configuration --
         key 123456
      exit
   exit
;
   network loopback1
; -- Loopback interface configuration (Tunnel Source) --
      ip address 117.102.90.189 255.255.255.248 
   exit
;
   protocol ip
; -- Internet protocol user configuration --
      route 0.0.0.0 0.0.0.0 117.102.90.185
      route 0.0.0.0 0.0.0.0 180.110.10.254 10
      route <Branch Network> <Branch Netmask> 99.99.99.2
;
      ipsec 
; -- IPSec user configuration --
         enable 
         assign-access-list 100
;
         template 1 default
         template 1 isakmp des sha1
         template 1 life duration seconds 1d
         template 1 ike natt-version draft-v2-n
         template 1 ike group two
         template 1 keepalive dpd
;
         template 2 default
         template 2 dynamic esp des md5
         template 2 source-address 117.102.90.189
         template 2 life type both
         template 2 life duration seconds 1d
         template 2 keepalive keepalive
;
         template 3 default
         template 3 dynamic esp tdes sha1
         template 3 source-address 117.102.90.189
         template 3 life type both
         template 3 life duration seconds 1d
         template 3 keepalive keepalive
;
         map-template 100 2
         map-template 100 3
         key preshared ip 0.0.0.0 ciphered 0xCA8EE13C941D2D25E13C2B98DB569D80 unique
         advanced keep-alive packets 10
         advanced pkt-dest-isakmp-dest
         advanced dpd idle-period 20
      exit
   exit
;

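Before pushing the two configurations, it is worth checking that the values on the two sides actually agree: tunnel source, NHS and NBMA address, GRE key, tunnel subnet, and the peer the pre-shared key is bound to. The following script is an added example written for this page, not ESR/Teldat code. It parses the relevant excerpts of the Branch and HO configurations shown above, using their indentation for nesting, and reports mismatches. It also flags the DES, 3DES, MD5 and SHA-1 algorithms in the templates, which are legacy choices; prefer AES and SHA-2 on a production link where the firmware offers them.

```python
"""Cross-checks the Branch and Head Office ESR configs shown on this page.

Added example, not ESR/Teldat code: a small indentation-based parser for the
config excerpts (constructed here from the page's own values) plus the
consistency checks a reviewer would run before deploying.
"""
import ipaddress

BRANCH = """\
network tnip1
   ip address 99.99.99.2 255.255.255.0
   source 1.1.1.2
   nhrp map 99.99.99.1 255.255.255.255 117.102.90.189
   nhrp nhs 99.99.99.1
   encapsulation
      key 123456
   exit
exit
network loopback1
   ip address 1.1.1.2 255.255.255.255
exit
protocol ip
   ipsec
      template 1 isakmp des sha1
      template 2 dynamic esp des md5
      template 3 dynamic esp tdes sha1
      key preshared ip 117.102.90.189 ciphered 0xCA8EE13C941D2D25E13C2B98DB569D80 unique
   exit
exit
"""

HO = """\
network tnip1
   ip address 99.99.99.1 255.255.255.0
   source 117.102.90.189
   nhrp map multicast dynamic
   encapsulation
      key 123456
   exit
exit
network loopback1
   ip address 117.102.90.189 255.255.255.248
exit
protocol ip
   ipsec
      template 1 isakmp des sha1
      template 2 dynamic esp des md5
      template 3 dynamic esp tdes sha1
      key preshared ip 0.0.0.0 ciphered 0xCA8EE13C941D2D25E13C2B98DB569D80 unique
   exit
exit
"""

WEAK = {"des", "tdes", "md5", "sha1"}   # legacy algorithms used by the templates


def parse(cfg):
    """Map each section path, e.g. ('network tnip1', 'encapsulation'), to its
    command lines as token lists. Nesting follows indentation, as on the page."""
    lines = [l for l in cfg.splitlines() if l.strip() and not l.lstrip().startswith(";")]
    sections, stack = {}, []                # stack holds (indent, header)
    for i, line in enumerate(lines):
        indent, text = len(line) - len(line.lstrip()), line.strip()
        while stack and indent <= stack[-1][0]:
            stack.pop()                     # 'exit' or a shallower line closes sections
        if text == "exit":
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if len(nxt) - len(nxt.lstrip()) > indent:
            stack.append((indent, text))    # a deeper next line means a section header
        else:
            sections.setdefault(tuple(h for _, h in stack), []).append(text.split())
    return sections


def cmd(sections, path, *prefix):
    """Arguments of the first command under `path` that starts with `prefix`."""
    for toks in sections.get(path, []):
        if tuple(toks[:len(prefix)]) == prefix:
            return toks[len(prefix):]
    return None


def check(branch_cfg, ho_cfg):
    """Return a list of findings; only the 'weak:' lines are expected for the page's configs."""
    b, h = parse(branch_cfg), parse(ho_cfg)
    T, E, IPSEC = ("network tnip1",), ("network tnip1", "encapsulation"), ("protocol ip", "ipsec")
    findings = []
    ho_nbma = cmd(h, T, "source")[0]        # the HO loopback is the NBMA/tunnel endpoint
    if cmd(h, ("network loopback1",), "ip", "address")[0] != ho_nbma:
        findings.append("HO tunnel source is not the loopback address")
    nhs = cmd(b, T, "nhrp", "nhs")[0]
    if nhs != cmd(h, T, "ip", "address")[0]:
        findings.append("branch NHS does not match HO tunnel address")
    if cmd(b, T, "nhrp", "map", nhs)[1] != ho_nbma:
        findings.append("branch NHRP map points at the wrong NBMA address")
    if cmd(b, E, "key") != cmd(h, E, "key"):
        findings.append("GRE key mismatch")
    bnet = ipaddress.ip_interface("%s/%s" % tuple(cmd(b, T, "ip", "address"))).network
    hnet = ipaddress.ip_interface("%s/%s" % tuple(cmd(h, T, "ip", "address"))).network
    if bnet != hnet:
        findings.append("tunnel addresses are in different subnets")
    if cmd(b, IPSEC, "key", "preshared", "ip")[0] != ho_nbma:
        findings.append("branch pre-shared key is bound to the wrong peer")
    for name, s in (("branch", b), ("HO", h)):
        for toks in s.get(IPSEC, []):
            if toks[0] == "template" and WEAK & set(toks):
                findings.append("weak: %s template %s uses %s"
                                % (name, toks[1], " ".join(sorted(WEAK & set(toks)))))
    return findings


if __name__ == "__main__":
    for finding in check(BRANCH, HO):
        print(finding)
```

Run against the excerpts as shown, the only findings are the six `weak:` lines for templates 1 to 3 on each side; change the GRE key or the tunnel address on one side and the corresponding mismatch is reported before it costs you a site visit.
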
OK, now you’re ready to have GSM redundancy with the Enterprise Service Router!
