Difference between revisions of "Quantar Linking"

From W9CR

Revision as of 03:38, 21 April 2020

THIS IS A WORK IN PROGRESS

There are a few ways to link Quantars: P25NX, MMDVM, and the method presented here, which uses ASTRO-TAC comparators.

Quantars were designed to be "linked" only as a simulcast or linked-receiver network for a single system. This is done by connecting the wireline for analog audio and the V.24 port for digital. Two Quantars can be linked back-to-back with a V.24 crossover and by connecting their wirelines together. While this is the simplest arrangement, it doesn't scale. An ASTRO-TAC comparator sitting between the Quantars provides the network switch function.

Each Quantar needs two links to the ASTRO-TAC: a V.24 link and a wireline link. If all the Quantars are at the same site this is easy: connect the wirelines and V.24s with crossovers. In the early 1990s the V.24 and wireline interfaces made a lot of sense, since both plugged directly into a channel bank and a DS1 or fractional DS1 between sites was easy to get. Today T1s are hard to find and very expensive, and channel banks cost thousands of dollars on the used market.

Today the internet is ubiquitous and linking over IP is the preferred method. That means we must transport synchronous serial and analog voice for each Quantar back to a central site. There are a few ways to do this over IP or MPLS; what is presented here uses cheap, easily available Cisco routers in a VPN.


Architecture overview

There are several parts to this network, but the fundamental precept is creating an RS-232 link and a wireline voice link between each port on the ASTRO-TAC and each Quantar. This is no different from having all the equipment in the same room, or linking it through channel banks on T1 lines between sites. We use an IP multipoint VPN overlay network to emulate a circuit-based network.

Our network stack is:

Internet
--------
DMVPN
--------
STUN and G.711 VOIP circuits
--------
ATAC and Quantars

What's presented here assumes each site has a stable IPv4 internet connection and that the router has a globally routable IPv4 address. The overlay network is based on Dynamic Multipoint VPN (DMVPN), which lets us configure a single hub router and use the same or very similar config on every endpoint. Spokes register with the hub, and traffic from router to router builds an encrypted tunnel on the fly between the two routers, even if a spoke's IP address changes; only the hub's address has to stay fixed.

That last point matters: anything that prevents a router from accepting IP inbound (e.g. a router behind NAT) will prevent direct site-to-site connectivity. Generally this isn't needed, since the circuits only run hub to site, but it can show up when troubleshooting from one site to another.


Logical connections




Network Planning

Lots of routers, lots of ports, lots of circuits. You will need to name and describe every interface consistently, or you will be unable to troubleshoot this network.

Reliable bandwidth and packet rate (pps) are required. Each analog link needs about 60 kbit/s at 33 pps at all times; STUN adds another 20 kbit/s while it is operating. A fully loaded 16-port ATAC3000 with all ports remote works out to 1.280 Mbit/s at 1220 pps, roughly a fully loaded T1.


Overlay network

Our first step is designing the overlay network. This means diagramming the sites and what equipment goes where. As part of this I like to fully populate and cross-connect the central hub to the ATAC, so it's all cabled up and I don't need to make changes at the hub to add a site.


IP addressing

IP addressing for the overlay network needs to be thought out. As it will not interconnect with any other network, you're free to use your own addressing scheme.

I use space in 172.16.0.0/12, with a /20 for the tunnel interfaces and separate space for each router's loopback. At some sites and at the hub it's handy to have a local interface running DHCP so you can plug in a laptop and reach the network elements directly. If you enable this, treat it as a security consideration: anyone who plugs into that port is on the management network, so restrict it with an ACL and keep the leases short.

I will also set up a remote-access VPN into the network at the hub. This needs its own subnet for routing the connected clients; a /27 works here, but it must be separate from any space used on Ethernet interfaces at the hub.

3845 Ports

Voice Port  Serial Port  ATAC port  Site  Local #  Remote #  STUN group  Pair color
0/0/0       s1/0         1          TPA   1100     1101      10          White/Blue
0/0/1       s1/1         2          MIA   1200     1201      20          White/Orange
0/1/0       s1/2         3          JAX   1300     1301      30          White/Green
0/1/1       s1/3         4          MCO   1400     1401      40          White/Brown
0/2/0       s1/4         5          FLL   1500     1501      50          White/Slate
0/2/1       s1/5         6          EYW   1600     1601      60          Red/Blue
0/3/0       s1/6         7          RSW   1700     1701      70          Red/Orange
0/3/1       s1/7         8          SPG   1800     1801      80          Red/Green
3/0/0       s1/8         9          BOW   1900     1901      90          Red/Brown
3/0/1       s1/9         10         MLB   2000     2001      100         Red/Slate
3/1/0       s1/10        11         SQR   2100     2101      110         Black/Blue
3/1/1       s1/11        12         TLH   2200     2201      120         Black/Orange
4/0/0       s1/12        13         PBI   2300     2301      130         Black/Green
4/0/1       s1/13        14         GNV   2400     2401      140         Black/Brown
4/1/0       s1/14        15         PNS   2500     2501      150         Black/Slate
4/1/1       s1/15        16         PIE   2600     2601      160         Yellow/Blue

Local # and Remote # are the hub-side dial-peer tags for each circuit (the POTS peer on the hub's own voice port and the VoIP peer toward the site, as in the voice config further down); STUN group is the stun group number that carries that port's V.24; Pair color is the 25-pair color code pair on the punch-down.

circuits over this

Interface naming

DNS

Having all interfaces named in DNS is a good idea. It makes troubleshooting and tracerouting on the overlay network much easier. Since the hub router has plenty of spare CPU, it's easy to configure it as the primary DNS server. IOS supports this well; beyond some additional config it isn't hard.


security

network monitoring

A server with LibreNMS or Observium

SNMP

SSH for management

Hardware for linking

Will you need analog? If not, you can eliminate a lot of configuration and half the circuits, and the bandwidth requirement at the hub drops as well.


Hub site

A hub site needs a router with at least as many ports as you plan to use remotely. A converted Quantar might only have 5 ports, but a fully loaded ATAC can have 16, and if they are all remote you will need 16 ports. The hub router also needs to process a number of things on the network. All in all it's not much, but given the cost of used Cisco routers the following config has become my standard.

  • Cisco 3845 router
    • AIM-VPN/SSL-3 VPN Module for 3825/3845 Routers
    • 768M or 1GB of RAM
    • 2GB flash disk
    • PVDM2-64 (DSP module for analog lines)
    • Optional PSU PWR-3845-AC-IP, this will supply 48v for the switch card
  • 1, NM-16A/S - Cisco 800-20840-01D 16-Port Async/Sync Serial Network Module (you can use the NM-8A/S too, but it's got different connectors)
  • 8, Cisco VIC2-2E/M 2-Port Ear and Mouth Voice Interface Card (only for analog)
  • 2, Cisco NM-2V, carrier cards for VIC2 to put in the NM ports
  • 1, NME-16ES-1G-P 16 Port POE switch module. This is optional but it provides a 3750 switch in a network module with POE that can power RPi's or other local devices.
  • CAB-SS-232FC, RS-232 Cable, DCE Female to Smart Serial for all serial ports
  • OR CISCO CAB-232FC RS-232 Cable, DCE Female to Serial if using the 8 port card.


Edge site

An edge site can support one or two Quantars, or cascaded (advanced) ATACs. If you don't need voice, an 1841 or other 1800-series router can be used, but the cost delta is negligible; this entire 2811 setup is under $100 on eBay. I like to use the same serial cables and connectors at the edge sites as at the hub, which determines the serial cards. If you're doing voice, two serial ports match the two E&M ports well.

  • Cisco 2811
    • AIM-VPN/SSL-2 VPN Module for 2811 Routers
    • 512M of RAM
    • 2GB flash disk
    • PVDM2-64 (DSP module for analog lines)
  • 1, WIC-2A/S 2 port Serial WAN Interface Card OR
  • 1, WIC-1T 1 port Serial Card uses the larger serial connector
  • 1, Cisco VIC2-2E/M 2-Port Ear and Mouth Voice Interface Card (only for analog)
  • CAB-SS-232FC, RS-232 Cable, DCE Female to Smart Serial for all serial ports
  • OR Cisco CAB-232FC RS-232 Cable, DCE Female to Serial, if using the WIC-1T (the larger DB-60 connector).

You may want to pick up a serial adapter and an FTDI serial-to-USB dongle for console access, just to leave at the site. This can be handy.


Making it work

Configuring the hub

IP Interface Config

  • Loopback 0


  • Gi0/0


DMVPN config

  • Tunnel 0


Routing Config

  • OSPF
router ospf
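The following is an added example of the Loopback, Internet-facing interface, DMVPN Tunnel0 and OSPF config for the hub and one spoke; it is not the page's own config. Every address and name in it is assumed: tunnel space 172.16.0.0/20 (hub Tunnel0 172.16.0.1, TPA spoke 172.16.0.11), loopbacks 172.16.255.1 (hub) and 172.16.255.11 (TPA), hub public address 192.0.2.1, NHRP string p25nx1, and the REPLACE-* placeholders, which must be replaced with real secrets.

```cisco
! Added example (assumed addressing, see lead-in). Not the page's config.
! sha256 for ISAKMP/ESP needs a 15.x image; older 12.4 images only offer sha.
!
! ===== Hub (3845) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! One wildcard PSK so spokes whose public address changes can still authenticate.
! Anyone holding this key can join the overlay, so treat it as a password.
crypto isakmp key REPLACE-LONG-RANDOM-PSK address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Loopback0
 description Hub loopback: STUN peer-name and VoIP source address
 ip address 172.16.255.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Internet (static address; every spoke points at it)
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description DMVPN hub (mGRE, NHRP server)
 ip address 172.16.0.1 255.255.240.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication p25nx1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 router-id 172.16.255.1
 passive-interface default
 no passive-interface Tunnel0
 network 172.16.0.0 0.0.15.255 area 0
 network 172.16.255.0 0.0.0.255 area 0
!
! ===== Spoke (2811, site TPA) =====
! isakmp policy, transform-set and ipsec profile: identical to the hub,
! except the PSK is bound to the hub's public address:
crypto isakmp key REPLACE-LONG-RANDOM-PSK address 192.0.2.1
!
interface Loopback0
 ip address 172.16.255.11 255.255.255.255
!
interface FastEthernet0/0
 description Internet (address from the ISP; may change)
 ip address dhcp
!
interface Tunnel0
 description DMVPN spoke to hub
 ip address 172.16.0.11 255.255.240.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication p25nx1
 ip nhrp map 172.16.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp registration no-unique
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 router-id 172.16.255.11
 passive-interface default
 no passive-interface Tunnel0
 network 172.16.0.0 0.0.15.255 area 0
 network 172.16.255.11 0.0.0.0 area 0
```

Verify with show dmvpn, show crypto ipsec sa and show ip ospf neighbor. From the Internet the hub only has to accept UDP/500, UDP/4500 and ESP; SSH, SNMP, STUN and voice all stay inside the tunnel. A spoke behind NAT still reaches the hub through NAT-T (ip nhrp registration no-unique lets it re-register when its address changes), but two NATed spokes cannot build a direct spoke-to-spoke tunnel, which is the limitation noted in the architecture overview.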

Serial/Stun Config

Voice Port Config

  • voice class permanent
voice class permanent 1811
 signal timing oos timeout disabled
 signal keepalive disabled
 signal sequence oos no-action


  • voice-port
voice-port 0/0/0
  • dial-peer voice 1601 voip
  • dial-peer voice 1600 pots
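As an added example for the Serial/STUN and Voice Port sections together, here is one complete circuit (ATAC port 1, site TPA, from the port table) carried over the overlay: the V.24 as a STUN tunnel and the wireline as a G.711 permanent trunk. It is not the page's own config. Assumed: loopbacks 172.16.255.1 (hub) and 172.16.255.11 (TPA) as in the DMVPN example; on the 2811 a WIC-2A/S in slot 0 (Serial0/0/0) and a VIC2-2E/M in slot 1 (voice-port 0/1/0); a 9600 bps clock, which must match the Quantar/ATAC V.24 setting.

```cisco
! Added example (assumed addressing and slots, see lead-in). Not the page's config.
!
! ===== Hub (3845): Serial1/0 <-> ATAC port 1 V.24, voice-port 0/0/0 <-> ATAC wireline 1 =====
stun peer-name 172.16.255.1
stun protocol-group 10 basic
!
interface Serial1/0
 description ATAC port 1 V.24 -> TPA (STUN group 10)
 no ip address
 encapsulation stun
 stun group 10
 stun route all tcp 172.16.255.11
 clock rate 9600
!
interface Loopback0
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 172.16.255.1
!
voice class permanent 1811
 signal timing oos timeout disabled
 signal keepalive disabled
 signal sequence oos no-action
!
voice-port 0/0/0
 description ATAC wireline 1 -> TPA
 voice-class permanent 1811
 operation 4-wire
 connection trunk 1101
!
dial-peer voice 1100 pots
 description local leg: ATAC wireline 1
 destination-pattern 1100
 port 0/0/0
!
dial-peer voice 1101 voip
 description remote leg: TPA Quantar wireline
 destination-pattern 1101
 session target ipv4:172.16.255.11
 codec g711ulaw
 no vad
!
! ===== Spoke (2811, TPA): Serial0/0/0 <-> Quantar V.24, voice-port 0/1/0 <-> Quantar wireline =====
stun peer-name 172.16.255.11
stun protocol-group 10 basic
!
interface Serial0/0/0
 description TPA Quantar V.24 -> ATAC port 1 (STUN group 10)
 no ip address
 encapsulation stun
 stun group 10
 stun route all tcp 172.16.255.1
 clock rate 9600
!
interface Loopback0
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 172.16.255.11
!
voice class permanent 1811
 signal timing oos timeout disabled
 signal keepalive disabled
 signal sequence oos no-action
!
voice-port 0/1/0
 description TPA Quantar wireline -> ATAC wireline 1
 voice-class permanent 1811
 operation 4-wire
 connection trunk 1100 answer-mode
!
dial-peer voice 1101 pots
 description local leg: Quantar wireline
 destination-pattern 1101
 port 0/1/0
!
dial-peer voice 1100 voip
 description remote leg: ATAC wireline 1 at the hub
 destination-pattern 1100
 session target ipv4:172.16.255.1
 codec g711ulaw
 no vad
```

The STUN peers talk TCP port 1994 between the two loopbacks, so that traffic and the H.323/RTP for the trunk both ride inside the DMVPN tunnel; check them with show stun and show voice port summary. Keep no vad on the VoIP peers, since voice activity detection would gate the constant wireline audio, and the permanent voice class stops the trunk from tearing down on signalling timeouts. E&M type and signalling are left at defaults here; set them to match how the Quantar wireline is actually wired.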

NAT Config

IPSEC Remote Access Config

DNS Config

SNMP Config

  • SNMP ACL

SSH Config

NTP Config

  • NTP ACL

User config

aaa new-model
!
! Logins: console and VTY use the local user database ("default");
! "vpnclient" is the list referenced by the IPsec remote-access config.
aaa authentication login default local
aaa authentication login vpnclient local
! Authorize console and config-mode commands, exec shells, and the
! remote-access VPN group policy ("localgroups") from the local database.
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network localgroups local

VTY ACL

DHCP

ip dhcp pool P25NX-local-80
 network 172.31.7.80 255.255.255.240
 default-router 172.31.7.81 
 dns-server 172.31.7.81 
 lease 0 0 15
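The following is an added example of the hub management plane covering the DNS, SNMP, SSH, NTP and VTY ACL sections above and the local laptop port that the DHCP pool serves; it is not the page's own config. Assumed: domain p25nx.example, hub Loopback0/Tunnel0 172.16.255.1/172.16.0.1, TPA Loopback0/Tunnel0 172.16.255.11/172.16.0.11, a remote-access VPN pool at 172.16.254.0/27, the laptop port on GigabitEthernet0/1, an upstream NTP server at 192.0.2.123, and the REPLACE-* placeholders.

```cisco
! Added example (assumed names and addresses, see lead-in). Not the page's config.
!
! --- DNS: the hub answers for every overlay interface name ---
ip domain name p25nx.example
ip name-server 172.16.255.1
ip dns server
ip host hub-lo0.p25nx.example 172.16.255.1
ip host hub-tu0.p25nx.example 172.16.0.1
ip host tpa-lo0.p25nx.example 172.16.255.11
ip host tpa-tu0.p25nx.example 172.16.0.11
!
! --- who may manage the hub: overlay space plus the laptop port, nothing else ---
ip access-list standard MGMT-HOSTS
 permit 172.16.0.0 0.0.15.255
 permit 172.16.255.0 0.0.0.255
 permit 172.16.254.0 0.0.0.31
 permit 172.31.7.80 0.0.0.15
 deny   any log
!
! --- SSH only; generate the host key first: crypto key generate rsa modulus 2048 ---
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
no ip http secure-server
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! --- SNMPv3 read-only for LibreNMS/Observium, limited by the same ACL ---
snmp-server view RO-VIEW iso included
snmp-server group MONITOR v3 priv read RO-VIEW access MGMT-HOSTS
snmp-server user librenms MONITOR v3 auth sha REPLACE-AUTH-PASS priv aes 128 REPLACE-PRIV-PASS
!
! --- NTP: sync from upstream, serve time to the overlay only ---
ip access-list standard NTP-UPSTREAM
 permit host 192.0.2.123
ntp server 192.0.2.123
ntp access-group peer NTP-UPSTREAM
ntp access-group serve-only MGMT-HOSTS
!
! --- laptop port: DHCP in, then only DNS to the hub and SSH/ICMP into the overlay ---
ip dhcp excluded-address 172.31.7.81
interface GigabitEthernet0/1
 description local laptop port (DHCP pool P25NX-local-80)
 ip address 172.31.7.81 255.255.255.240
 ip access-group LAPTOP-IN in
!
ip access-list extended LAPTOP-IN
 permit udp any eq bootpc any eq bootps
 permit udp 172.31.7.80 0.0.0.15 host 172.31.7.81 eq domain
 permit tcp 172.31.7.80 0.0.0.15 172.16.0.0 0.0.255.255 eq 22
 permit icmp 172.31.7.80 0.0.0.15 172.16.0.0 0.0.255.255
 deny   ip any any log
```

Spoke routers need the same VTY access-class, including the 172.31.7.80/28 laptop range, if you expect to SSH from the hub's laptop port to a site. The logging deny entries are what make the access lists useful during troubleshooting: a rejected connection shows up in the log with its source instead of silently timing out.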


ESW module config

  • IP management
  • SNMP
  • rancid


Configuring a client