Quantar Linking
THIS IS A WORK IN PROGRESS
There are a few ways to link Quantars: p25nx, MMDVM, and the method presented here, which uses ASTRO-TACs.
Quantars were designed to be "linked" only as a simulcast or linked receiver network for a single system. This is accomplished by connecting the wireline for analog and the v.24 for digital. Quantars may be linked back-to-back by using a v.24 crossover and connecting the wirelines between them. While this is the simplest way, it doesn't scale. The alternative is an ASTRO-TAC comparator sitting between the Quantars and acting as a network switch.
Each Quantar needs two links to the ASTRO-TAC: a v.24 link and a wireline link. If all Quantars are at the same site, this is really easy to do: just connect the wirelines and v.24s using crossovers. In the early 1990s the v.24 and wireline interfaces made quite a bit of sense: both would plug directly into a channel bank, and DS1 or fractional DS1 circuits between sites were easy. As of today, T1s are hard to find and very expensive. Channel banks are thousands of dollars on the used market now.
Today the internet is ubiquitous and linking via IP is the preferred method. This means we must transport synchronous serial and analog voice for each Quantar back to a central site. There are a few ways to do this via IP or MPLS; the one presented here uses cheap and easily available Cisco routers in a VPN.
Contents
- 1 Architecture overview
- 2 Network Planning
- 3 Hardware for linking
- 4 Making it work
  - 4.1 Configuring the hub
    - 4.1.1 IP Interface Config
    - 4.1.2 DMVPN config
    - 4.1.3 Routing Config
    - 4.1.4 Serial/Stun Config
    - 4.1.5 Voice Port Config
    - 4.1.6 NAT Config
    - 4.1.7 IPSEC Remote Access Config
    - 4.1.8 DNS Config
    - 4.1.9 SNMP Config
    - 4.1.10 SSH Config
    - 4.1.11 NTP Config
    - 4.1.12 User config
    - 4.1.13 VTY ACL
    - 4.1.14 DHCP
    - 4.1.15 ESW module config
  - 4.2 Configuring a client
Architecture overview
There are several parts to this network, but the fundamental precept is creating a link of RS-232 and wireline voice between each port on the ASTRO-TAC and each Quantar. This is no different than if all the equipment were in the same room, or linked into channel banks on T1 lines between sites. We're using an IP multipoint VPN overlay network to simulate a circuit-based network.
Our network stack is:
Internet -------- DMVPN -------- STUN and G.711 VOIP circuits -------- ATAC and Quantars
What's presented here assumes each site has a stable IPv4 internet connection and the router has a globally routable IPv4 address. The overlay network is based on Dynamic Multi-Point VPN (DMVPN), which allows us to configure a single hub router and have the same or similar config on all the endpoints. Router-to-router traffic builds an encrypted connection on the fly between the routers involved, even if the IP addresses of the routers change.
That last concept is important, as anything that prevents routers from forwarding IP inbound (i.e. if the router is behind NAT) will prevent site-to-site connectivity. Generally this isn't needed as we only talk hub to site for the circuits, but it can present itself during troubleshooting from one site to the other.
Logical connections
Network Planning
Lots of routers, lots of ports, lots of circuits. You will need to name and keep interfaces described or you will be unable to troubleshoot this network.
Reliable bandwidth and PPS are required. The analog links will require about 60 kbit/s at 33 PPS at all times; STUN is another 20 kbit/s when it's operating. A fully loaded 16 port ATAC3000 using all remote ports will be 1.280 Mbit/s at 1220 PPS, or about a fully loaded T1.
The first
overlay network
Our first step will be designing the overlay network. This consists of diagramming the sites and what equipment will go where. As part of this I like to fully populate and cross connect the central hub to the ATAC. This way it's all cabled up and I don't need to make changes at the hub to add an additional site.
IP addressing
IP addressing needs to be thought out for the overlay network. As this will not interconnect with any other network, you're free to use your own addressing scheme.
I use IP space in the 172.16.0.0/12 space with a /20 for the tunnel interfaces and different space for each router's loopback. At some sites and the hub it's handy to have a local interface which can do DHCP so you can use a local laptop to connect to the network elements directly. This should be given security considerations if enabled.
I will also set up remote access VPN into the network at the hub as well. This needs its own subnet for routing of connected clients; a /27 can be used here as well, but it must be separate from any other space used on Ethernet interfaces at the hub.
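One way to check an addressing plan like the one described above before it is typed into any router, as an added example that is not part of the original page. The block names, site names and every prefix except 172.31.7.80/28 (the DHCP pool shown later on this page) are constructed for illustration.

```python
import ipaddress

OVERLAY = ipaddress.ip_network("172.16.0.0/12")

# Constructed sample plan; only 172.31.7.80/28 comes from the page.
PLAN = {
    "tunnel": "172.16.0.0/20",          # DMVPN tunnel interfaces
    "loopbacks": "172.17.0.0/24",       # one /32 per router
    "hub-local": "172.31.7.80/28",      # hub DHCP pool for a local laptop
    "remote-access": "172.31.7.96/27",  # remote access VPN clients
}

def check_plan(plan, overlay=OVERLAY):
    """Return a list of problems: invalid, out-of-overlay or overlapping blocks."""
    nets, problems = {}, []
    for name, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(overlay):
            problems.append(f"{name} {net} is outside {overlay}")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def assign_sites(plan, sites):
    """Give each site (hub first) a tunnel address and a /32 loopback."""
    tunnel = ipaddress.ip_network(plan["tunnel"]).hosts()
    loops = ipaddress.ip_network(plan["loopbacks"]).hosts()
    return {s: {"tunnel0": str(next(tunnel)), "loopback0": f"{next(loops)}/32"}
            for s in sites}

if __name__ == "__main__":
    for problem in check_plan(PLAN) or ["plan is consistent"]:
        print(problem)
    for site, addrs in assign_sites(PLAN, ["hub", "site1", "site2"]).items():
        print(site, addrs)
```

The overlap check is what catches a remote access /27 that collides with a hub Ethernet subnet, and the strict parse catches a prefix that is not aligned to its mask.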
circuits over this
Interface naming
DNS
Having all interfaces named in DNS is a good idea. This makes troubleshooting and tracerouting on the overlay network much easier. As the hub router has a bunch of extra CPU, it's easy to configure this on the hub and have it be primary DNS. This is well baked in IOS and other than some additional config it's not hard.
security
network monitoring
A server with LibreNMS or Observium
SNMP
SSH for management
Hardware for linking
Will you need analog? If not, you can eliminate a bunch of configuration and half the circuits. The bandwidth requirements at the hub will be less as well.
Hub site
A hub site needs a router with at least the number of ports on it you plan to use remotely. A converted Quantar might only have 5 ports, but a fully loaded ATAC could be 16. If they are all remote you will need that many too. The hub router also needs to process a number of things on the network. All in all it's not much, but given the cost of the Cisco routers on the used market the following config has become my standard.
- Cisco 3845 router
- AIM-VPN/SSL-3 VPN Module for 3825/3845 Routers
- 768M or 1GB of RAM
- 2GB flash disk
- PVDM2-64 (DSP module for analog lines)
- Optional PSU PWR-3845-AC-IP, this will supply 48v for the switch card
- 1, NM-16A/S - Cisco 800-20840-01D 16-Port Async/Sync Serial Network Module (you can use the NM-8A/S too, but it's got different connectors)
- 8, Cisco VIC2-2E/M 2-Port Ear and Mouth Voice Interface Card (only for analog)
- 2, Cisco NM-2V, carrier cards for VIC2 to put in the NM ports
- 1, NME-16ES-1G-P 16 Port POE switch module. This is optional but it provides a 3750 switch in a network module with POE that can power RPi's or other local devices.
- CAB-SS-232FC, RS-232 Cable, DCE Female to Smart Serial for all serial ports
- OR CISCO CAB-232FC RS-232 Cable, DCE Female to Serial if using the 8 port card.
Edge site
An edge site can support one or two Quantars or cascaded (advanced) ATACs. If you don't need to support Voice, an 1841 or other 1800 series router can be used, but the cost delta is negligible. This entire 2811 setup is under $100 via eBay. I like to use the same cables and connectors for serial at the hub as at the edge sites, this determines the cards for serial. If you're doing voice, two ports of serial matches the 2 ports of E and M well.
- Cisco 2811
- AIM-VPN/SSL-2 VPN Module for 2811 Routers
- 512M of RAM
- 2GB flash disk
- PVDM2-64 (DSP module for analog lines)
- 1, WIC-2A/S 2 port Serial WAN Interface Card OR
- 1, WIC-1T 1 port Serial Card uses the larger serial connector
- 1, Cisco VIC2-2E/M 2-Port Ear and Mouth Voice Interface Card (only for analog)
- CAB-SS-232FC, RS-232 Cable, DCE Female to Smart Serial for all serial ports
- OR CISCO CAB-232FC RS-232 Cable, DCE Female to Serial if using the 8 port card.
You may want to pick up a serial adapter and FTDI serial to USB dongle for console access just to leave at the site. This can be handy.
Making it work
Configuring the hub
IP Interface Config
- Loopback 0
- Gi0/0
DMVPN config
- Tunnel 0
Routing Config
- OSPF
router ospf
Serial/Stun Config
Voice Port Config
- voice class permanent
voice class permanent 1811
 signal timing oos timeout disabled
 signal keepalive disabled
 signal sequence oos no-action
- voice-port
voice-port 0/0/0
- dial-peer voice 1601 voip
- dial-peer voice 1600 pots
NAT Config
IPSEC Remote Access Config
DNS Config
SNMP Config
- SNMP ACL
SSH Config
NTP Config
- NTP ACL
User config
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnclient local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network localgroups local
VTY ACL
DHCP
ip dhcp pool P25NX-local-80
 network 172.31.7.80 255.255.255.240
 default-router 172.31.7.81
 dns-server 172.31.7.81
 lease 0 0 15
ESW module config
- IP management
- SNMP
- rancid