Sample L2 Interchassis HA Configuration

This chapter provides a sample interchassis wsg-service High Availability (HA) configuration for SecGW functionality between four VPC-VSM instances (StarOS VMs) running on VSMs in separate ASR 9000 chassis.

Configuration Overview

Interchassis Layer 2 redundancy supports hot standby redundancy between two VPC-VSM instances in different ASR 9000 chassis. The standby instance is ready to become active once a switchover is triggered. SA re-negotiation is not required and traffic loss is minimal.

The route database on the standby VSM must contain only the routes that were successfully injected by the active VSM.

Because of the asymmetric assignment of VSM resources among StarOS VMs, an operator should configure one-to-one mapping between StarOS VMs across active/standby VSMs in different ASR 9000 chassis. See the table below.

Table 1. Recommended Mapping of Interchassis StarOS VMs

Active VSM       Standby VSM
VM1 – SecGW1     VM1 – SecGW1
VM2 – SecGW2     VM2 – SecGW2
VM3 – SecGW3     VM3 – SecGW3
VM4 – SecGW4     VM4 – SecGW4

Each VM will be monitored via separate HSRP configurations and connected to separate oneP (CA) sessions so that switchover of one VM will not affect the other VMs.

Sample ASR 9000 chassis RSP configurations are provided for primary and standby chassis.

The sample configurations provided for an SecGW VM (Virtual Machine) configuration must be replicated on each CPU-VM complex on both the active and standby VSMs. Each VSM supports four CPU-VM complexes (SecGWs).

ASR 9000 Chassis RSP Configuration (IOS-XR)


Important

Primary and standby ASR 9000 chassis must be configured to handle the SecGWs (CPU-VM complexes) running on ASR 9000 VSMs. There are four CPU-VM complexes per VSM.


The sample configurations must be applied to the primary and backup ASR 9000 chassis. Each chassis will have unique and shared IP addresses to assure high availability across chassis.

Notes:
  • Set basic chassis parameters.
  • Enable oneP communication (TLS protocol).
  • Enable virtual services and assign virtual interfaces for each CPU-VM complex.
  • Configure physical Gigabit Ethernet (GigE) ASR 9000 interfaces. Shut down unused ports.
  • Configure a GigE public interface (with VLANs) for IKE and ESP traffic on each CPU-VM complex.
  • Configure a GigE private interface (with VLANs) for clear traffic on each CPU-VM complex.
  • Configure a 10 Gigabit Ethernet (10GigE) interface for IKE and ESP traffic on each CPU-VM complex. Shut down unused ports.
    • Configure a VLAN on this interface for clear and SRP traffic.
    • Configure a VLAN on this interface for SRP traffic.
    • Configure a VLAN on this interface for clear traffic.
  • Configure a 10GigE Management interface on each CPU-VM complex.
  • Configure a Bridged Virtual Interface (BVI) for the chassis. A BVI interface configured on the RSP is used as the sess-ip-address in all four SecGW(s) for bringing up the oneP session between the RSP and SecGW.
  • Configure static IPv4 and IPv6 addresses.
  • Configure an L2 VPN.
  • Configure HSRP tracking for each CPU-VM complex (shared parameters across ASR 9000 chassis).
  • Configure IP Service Level Agreement (SLA) operations.

ASR 9000 Primary Chassis

hostname <ASR9K_primary_hostname> 
clock timezone <timezone> 
clock <clock_settings> 
logging console critical 
logging buffered 99999999 
tftp vrf default ipv4 server homedir / 
telnet vrf default ipv4 server max-servers 50 
domain name <domain_name> 
cdp 
configuration commit auto-save filename <unique_ASR9K_config_filename> 
vrf ike1 
 
vrf ike2 
 
vrf ike3 
 
vrf ike4 
 
line console 
 exec-timeout 0 0 
 length 50 
 
line default 
 exec-timeout 0 0 
 
onep 
 transport type tls localcert onep-tp disable-remotecert-validation 
 
virtual-service enable 
virtual-service SecGW1 
 vnic interface TenGigE0/4/1/0 
 vnic interface TenGigE0/4/1/1 
 vnic interface TenGigE0/4/1/2 
 activate 
virtual-service enable 
virtual-service SecGW2 
 vnic interface TenGigE0/4/1/3 
 vnic interface TenGigE0/4/1/4 
 vnic interface TenGigE0/4/1/5 
 activate 
 
virtual-service enable 
virtual-service SecGW3  
 vnic interface TenGigE0/4/1/6 
 vnic interface TenGigE0/4/1/7 
 vnic interface TenGigE0/4/1/8 
 activate 
 
virtual-service enable 
virtual-service SecGW4 
 vnic interface TenGigE0/4/1/9 
 vnic interface TenGigE0/4/1/10 
 vnic interface TenGigE0/4/1/11 
 activate 
 
interface Loopback1 
 ipv4 address 65.65.0.1 255.255.255.255 
 
interface MgmtEth0/RSP0/CPU0/0 
 ipv4 address 10.78.1.40 255.255.255.0 
 
interface MgmtEth0/RSP0/CPU0/1 
 ipv4 address 8.40.2.101 255.255.0.0 
 
interface GigabitEthernet0/0/0/0 
 shutdown 
 
interface GigabitEthernet0/0/0/1 
 shutdown 
 
interface GigabitEthernet0/0/0/2 
 shutdown 
 
interface GigabitEthernet0/0/0/3 
 shutdown 
 
interface GigabitEthernet0/0/0/4 
 shutdown 
 
interface GigabitEthernet0/0/0/5 
 description "SRP Link - direct Connect to <ASR9K_primary_hostname> gigabitEthernet 0/0/0/5"
 ipv4 address 87.87.87.10 255.255.255.0 
 speed 1000 
 transceiver permit pid all 
 
interface GigabitEthernet0/0/0/6 
 shutdown 
 
interface GigabitEthernet0/0/0/7 
 shutdown 
 
interface GigabitEthernet0/0/0/8 
 shutdown 
 
interface GigabitEthernet0/0/0/9 
 shutdown 
 
interface GigabitEthernet0/0/0/10 
 shutdown 
 
interface GigabitEthernet0/0/0/11 
 shutdown 
 
interface GigabitEthernet0/0/0/12 
 shutdown 
 
interface GigabitEthernet0/0/0/13 
 shutdown 
 
interface GigabitEthernet0/0/0/14 
 shutdown 
 
interface GigabitEthernet0/0/0/15 
 shutdown 
 
interface GigabitEthernet0/0/0/16 
 shutdown 
 
interface GigabitEthernet0/0/0/17 
 shutdown 
 
interface GigabitEthernet0/0/0/18 
 description "Public Interface: IKE and ESP Traffic" 
 cdp 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface GigabitEthernet0/0/0/18.1871 
 description "Public Interface: IKE and ESP Traffic - VM1" 
 ipv4 address 187.0.1.10 255.255.255.0 
 ipv6 address 1871::10/64 
 ipv6 enable 
 encapsulation dot1q 1871 
 
interface GigabitEthernet0/0/0/18.1872 
 description "Public Interface: IKE and ESP Traffic - VM2" 
 ipv4 address 187.0.2.10 255.255.255.0 
 ipv6 address 1872::10/64 
 ipv6 enable 
 encapsulation dot1q 1872 
 
interface GigabitEthernet0/0/0/18.1873 
 description "Public Interface: IKE and ESP Traffic - VM3" 
 ipv4 address 187.0.3.10 255.255.255.0 
 ipv6 address 1873::10/64 
 ipv6 enable 
 encapsulation dot1q 1873 
 
interface GigabitEthernet0/0/0/18.1874 
 description "Public Interface: IKE and ESP Traffic - VM4" 
 ipv4 address 187.0.4.10 255.255.255.0 
 ipv6 address 1874::10/64 
 ipv6 enable 
 encapsulation dot1q 1874 
 
interface GigabitEthernet0/0/0/19 
 description Private Interface, Clear Traffic 
 cdp 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface GigabitEthernet0/0/0/19.1881 
 description "Private Interface, Clear Traffic - VM1" 
 ipv4 address 188.0.1.10 255.255.255.0 
 ipv6 address 1881::10/64 
 ipv6 enable 
 encapsulation dot1q 1881 
 
interface GigabitEthernet0/0/0/19.1882 
 description "Private Interface, Clear Traffic - VM2" 
 ipv4 address 188.0.2.10 255.255.255.0 
 ipv6 address 1882::10/64 
 ipv6 enable 
 encapsulation dot1q 1882 
 
interface GigabitEthernet0/0/0/19.1883 
 description "Private Interface, Clear Traffic - VM3" 
 ipv4 address 188.0.3.10 255.255.255.0 
 ipv6 address 1883::10/64 
 ipv6 enable 
 encapsulation dot1q 1883 
 
interface GigabitEthernet0/0/0/19.1884
 description "Private Interface, Clear Traffic - VM4" 
 ipv4 address 188.0.4.10 255.255.255.0 
 ipv6 address 1884::10/64 
 ipv6 enable 
 encapsulation dot1q 1884 
 
interface GigabitEthernet0/0/0/20 
 shutdown 
 
interface GigabitEthernet0/0/0/21 
 shutdown 
 
interface GigabitEthernet0/0/0/22 
 shutdown 
 
interface GigabitEthernet0/0/0/23 
 shutdown 
 
interface GigabitEthernet0/0/0/24 
 shutdown 
 
interface GigabitEthernet0/0/0/25 
 shutdown 
 
interface GigabitEthernet0/0/0/26 
 shutdown 
 
interface GigabitEthernet0/0/0/27 
 shutdown 
 
interface GigabitEthernet0/0/0/28 
 shutdown 
 
interface GigabitEthernet0/0/0/29 
 shutdown 
 
interface GigabitEthernet0/0/0/30 
 shutdown 
 
interface GigabitEthernet0/0/0/31 
 shutdown 
 
interface GigabitEthernet0/0/0/32 
 shutdown 
 
interface GigabitEthernet0/0/0/33 
 shutdown 
 
interface GigabitEthernet0/0/0/34 
 shutdown 
 
interface GigabitEthernet0/0/0/35 
 shutdown 
 
interface GigabitEthernet0/0/0/36 
 shutdown 
 
interface GigabitEthernet0/0/0/37 
 shutdown 
 
interface GigabitEthernet0/0/0/38 
 shutdown 
 
interface GigabitEthernet0/0/0/39 
 shutdown 
 
interface TenGigE0/4/1/0 
 description "IKE and ESP traffic VM1" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/0.1871 
 description "IKE and ESP traffic for VM1" 
 ipv4 address 31.31.31.10 255.255.255.0 
 ipv6 address 2031::10/64 
 encapsulation dot1q 1871 
 
interface TenGigE0/4/1/1 
 description "Clear and srp traffic VM1" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/1.1259 
 description "srp traffic VM1" 
 ipv4 address 71.71.71.10 255.255.255.0 
 ipv6 address 2071::10/64
 encapsulation dot1q 1259
 
interface TenGigE0/4/1/2 
 description "Management interface for VM1" 
 transceiver permit pid all 
 l2transport 
  
 
interface TenGigE0/4/1/3 
 description "IKE and ESP traffic VM2" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/3.1872 
 description "IKE and ESP traffic for VM2" 
 ipv4 address 32.32.32.10 255.255.255.0 
 ipv6 address 2032::10/64 
 encapsulation dot1q 1872 
 
interface TenGigE0/4/1/4 
 description "Clear and srp traffic VM2" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/4.1260 
 description "srp traffic VM2" 
 ipv4 address 72.72.72.10 255.255.255.0 
 ipv6 address 2072::10/64 
 encapsulation dot1q 1260 
 
interface TenGigE0/4/1/4.1882 
 description "clear traffic VM2" 
 ipv4 address 52.52.52.10 255.255.255.0 
 ipv6 address 2052::10/64 
 encapsulation dot1q 1882 
 
interface TenGigE0/4/1/5 
 description "Management interface for VM2" 
 transceiver permit pid all 
 l2transport 
  
 
interface TenGigE0/4/1/6 
 description "IKE and ESP traffic VM3" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/6.1873 
 description "IKE and ESP traffic for VM3" 
 ipv4 address 33.33.33.10 255.255.255.0 
 ipv6 address 2033::10/64 
 encapsulation dot1q 1873 
 
interface TenGigE0/4/1/7 
 description "Clear and srp traffic VM3" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/7.1261 
 description "srp traffic VM3" 
 ipv4 address 73.73.73.10 255.255.255.0 
 ipv6 address 2073::10/64 
 encapsulation dot1q 1261 
 
interface TenGigE0/4/1/7.1883 
 description "clear traffic VM3" 
 ipv4 address 53.53.53.10 255.255.255.0 
 ipv6 address 2053::10/64 
 encapsulation dot1q 1883 
 
interface TenGigE0/4/1/8 
 description "Management interface for VM3" 
 transceiver permit pid all 
 l2transport 
  
 
interface TenGigE0/4/1/9 
 description "IKE and ESP traffic VM4" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/9.1874 
 description "IKE and ESP traffic for VM4"
 ipv4 address 34.34.34.10 255.255.255.0 
 ipv6 address 2034::10/64 
 encapsulation dot1q 1874 
 
interface TenGigE0/4/1/10 
 description "Clear and srp traffic VM4" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/10.1262 
 description "srp traffic VM4" 
 ipv4 address 74.74.74.10 255.255.255.0 
 ipv6 address 2074::10/64 
 encapsulation dot1q 1262 
 
interface TenGigE0/4/1/10.1884 
 description "clear traffic VM4" 
 ipv4 address 54.54.54.10 255.255.255.0 
 ipv6 address 2054::10/64 
 encapsulation dot1q 1884 
 
interface TenGigE0/4/1/11 
 description "Management interface for VM4" 
 transceiver permit pid all 
 l2transport 
  
 
interface BVI1 
 ipv4 address 100.100.100.10 255.255.255.0 
 
router static 
 address-family ipv4 unicast 
  5.5.0.0/16 34.34.34.33 
  10.78.0.0/16 MgmtEth0/RSP0/CPU0/0 
  35.35.35.35/32 31.31.31.11 
  36.36.36.36/32 32.32.32.11 
  37.37.37.37/32 33.33.33.11 
  38.38.38.38/32 34.34.34.11 
  64.103.217.0/24 10.78.1.1 
  65.65.0.0/16 188.0.1.100 
  66.66.0.0/16 188.0.2.100 
  67.67.0.0/16 188.0.3.100 
  68.68.0.0/16 188.0.4.100 
  81.81.81.0/24 GigabitEthernet0/0/0/5 87.87.87.9 
  82.82.82.0/24 GigabitEthernet0/0/0/5 87.87.87.9 
  83.83.83.0/24 GigabitEthernet0/0/0/5 87.87.87.9 
  84.84.84.0/24 GigabitEthernet0/0/0/5 87.87.87.9 
  92.0.0.0/8 187.0.1.11 
  93.0.0.0/8 187.0.2.11 
  94.0.0.0/8 187.0.3.11 
  95.0.0.0/8 187.0.4.11 
  202.153.144.0/24 8.40.0.1 
  
 address-family ipv6 unicast 
  2035::35/128 2031::11 
  2036::36/128 2032::11 
  2037::37/128 2033::11
  2038::38/128 2034::11 
  2065::/64 1881::100 
  2066::/64 1882::100 
  2067::/64 1883::100 
  2068::/64 1884::100 
  2092::/64 1871::11 
  2093::/64 1872::11 
  2094::/64 1873::11 
  2095::/64 1874::11 
  
 
l2vpn 
 xconnect group wsg 
  
 bridge group irb 
  bridge-domain irb1 
   interface TenGigE0/4/1/2 
    
   interface TenGigE0/4/1/5 
    
   interface TenGigE0/4/1/8 
    
   interface TenGigE0/4/1/11 
    
   routed interface BVI1 
   
  
 
router hsrp 
 interface GigabitEthernet0/0/0/18.1871 
  address-family ipv4 
   hsrp 4 
    preempt 
    priority 101 
    address 187.0.1.20 
    track object WsgIPsla 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 12 
    preempt 
    priority 101 
    track object WsgIPsla 
    track object PublicHsrp 
    address global 1871::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/18.1872 
  address-family ipv4 
   hsrp 5 
    preempt 
    priority 101 
    address 187.0.2.20 
    track object WsgIPsla1 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 13 
    preempt 
    priority 101 
    track object WsgIPsla1 
    track object PublicHsrp 
    address global 1872::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/18.1873 
  address-family ipv4 
   hsrp 6 
    preempt 
    priority 101 
    address 187.0.3.20 
    track object WsgIPsla2 
    track object PublicHsrp 
    
   
  
  address-family ipv6
   hsrp 14
    preempt
    priority 101
    track object WsgIPsla2
    track object PublicHsrp
    address global 1873::20
    address linklocal autoconfig



 interface GigabitEthernet0/0/0/18.1874
  address-family ipv4
   hsrp 7 
    preempt 
    priority 101 
    address 187.0.4.20 
    track object WsgIPsla3 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 15 
    preempt 
    priority 101 
    track object WsgIPsla3 
    track object PublicHsrp 
    address global 1874::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1881 
  address-family ipv4 
   hsrp 8 
    preempt 
    priority 101 
    address 188.0.1.20 
    track object WsgIPsla 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 16 
    preempt 
    priority 101 
    track object WsgIPsla 
    track object PublicHsrp 
    address global 1881::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1882 
  address-family ipv4 
   hsrp 9 
    preempt 
    priority 101 
    address 188.0.2.20 
    track object WsgIPsla1 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 17 
    preempt 
    priority 101 
    track object WsgIPsla1 
    track object PublicHsrp 
    address global 1882::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1883
  address-family ipv4 
   hsrp 10 
    preempt 
    priority 101 
    address 188.0.3.20 
    track object WsgIPsla2 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 18 
    preempt 
    priority 101 
    track object WsgIPsla2 
    track object PublicHsrp 
    address global 1883::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1884 
  address-family ipv4 
   hsrp 11 
    preempt 
    priority 101 
    address 188.0.4.20 
    track object WsgIPsla3 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 19 
    preempt 
    priority 101 
    track object WsgIPsla3 
    track object PublicHsrp 
    address global 1884::20 
    address linklocal autoconfig 
    
   
  
 
ipsla 
 operation 200 
  type icmp echo 
   destination address 31.31.31.100 
   timeout 300 
   frequency 1 
   
  
 operation 201 
  type icmp echo 
   destination address 32.32.32.100 
   timeout 300 
   frequency 1 
   
  
 operation 202 
  type icmp echo 
   destination address 33.33.33.100 
   timeout 300 
   frequency 1 
   
  
 operation 203 
  type icmp echo 
   destination address 34.34.34.100 
   timeout 300 
   frequency 1 
   
  
 schedule operation 200 
  start-time now 
  life forever 
  
 schedule operation 201 
  start-time now 
  life forever 
  
 schedule operation 202 
  start-time now 
  life forever 
  
 schedule operation 203 
  start-time now 
  life forever 
  
 
track WsgIPsla 
 type rtr 200 reachability 
 delay up 1 
 delay down 1 
 
track WsgIPsla1 
 type rtr 201 reachability 
 delay up 1 
 delay down 1 
 
track WsgIPsla2 
 type rtr 202 reachability 
 delay up 1 
 delay down 1 
 
track WsgIPsla3 
 type rtr 203 reachability 
 delay up 1 
 delay down 1 
 
track PublicHsrp 
 type line-protocol state 
  interface GigabitEthernet0/0/0/18 
  
 delay up 1 
 delay down  
 
crypto ca trustpoint onep-tp 
 crl optional 
 subject-name CN=<ASR9K_primary_hostname>.<domain_name> 
 enrollment url terminal 
 
end 
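
The chassis configuration above enables Telnet and TFTP servers, disables the exec idle timeout, turns off oneP peer-certificate validation and makes CRL checking optional. The following is an added example, not part of the Cisco sample: it flags those lines for review before the configuration is reused outside a lab. `SAMPLE` is a constructed excerpt, and the function names and finding texts are assumptions of this example.

```python
import re

# Constructed excerpt reusing commands that appear in the sample chassis configuration.
SAMPLE = """\
tftp vrf default ipv4 server homedir /
telnet vrf default ipv4 server max-servers 50
line console
 exec-timeout 0 0
onep
 transport type tls localcert onep-tp disable-remotecert-validation
interface GigabitEthernet0/0/0/18
 description "Public Interface: IKE and ESP Traffic"
 cdp
interface TenGigE0/4/1/2
 description "Management interface for VM1"
 l2transport
crypto ca trustpoint onep-tp
 crl optional
"""

# (regex matched against one stripped config line, finding text)
LINE_RULES = [
    (r"telnet .*\bserver\b", "Telnet server enabled; sessions and credentials travel in cleartext"),
    (r"tftp .*\bserver\b", "TFTP server enabled; TFTP has no authentication"),
    (r"exec-timeout 0 0$", "idle timeout disabled; unattended sessions never close"),
    (r"transport type tls .*\bdisable-remotecert-validation\b",
     "oneP TLS session does not validate the peer certificate"),
    (r"crl optional$", "peer certificates can be accepted without a CRL check"),
]


def stanzas(config):
    """Split a config into (header, [(lineno, line), ...]) blocks keyed on unindented lines."""
    blocks = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[0] != " " or not blocks:
            blocks.append((raw.strip(), [(lineno, raw.strip())]))
        else:
            blocks[-1][1].append((lineno, raw.strip()))
    return blocks


def audit(config):
    """Return sorted (lineno, stanza header, finding) tuples."""
    findings = []
    for header, lines in stanzas(config):
        for lineno, line in lines:
            for pattern, text in LINE_RULES:
                if re.match(pattern, line):
                    findings.append((lineno, header, text))
        # CDP is flagged only on interfaces whose description marks them as public-facing.
        public = any(l.startswith("description") and "public" in l.lower() for _, l in lines)
        for lineno, line in lines:
            if public and line == "cdp":
                findings.append((lineno, header, "CDP advertises device details on a public-facing interface"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, header, text in audit(SAMPLE):
        print(f"line {lineno} [{header}]: {text}")
```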

ASR 9000 Backup Chassis

hostname <ASR9K_backup_hostname> 
clock timezone <timezone> 
clock <clock_settings> 
logging console critical 
logging buffered 99999999 
tftp vrf default ipv4 server homedir disk:0 
telnet vrf default ipv4 server max-servers 10 
domain name <domain_name> 
cdp advertise v1 
configuration commit auto-save filename <unique_ASR9K_config_filename> 
vrf ike1 
 
vrf ike2 
 
vrf ike3 
 
vrf ike4 
 
line console 
 exec-timeout 0 0 
 length 50 
 
line default 
 exec-timeout 0 0 
 
onep 
 transport type tls localcert onep-tp disable-remotecert-validation 
 
virtual-service enable 
virtual-service SecGW1 
 vnic interface TenGigE0/4/1/0 
 vnic interface TenGigE0/4/1/1 
 vnic interface TenGigE0/4/1/2 
 activate 
virtual-service enable 
virtual-service SecGW2 
 vnic interface TenGigE0/4/1/3 
 vnic interface TenGigE0/4/1/4 
 vnic interface TenGigE0/4/1/5 
 activate 
 
virtual-service enable 
virtual-service SecGW3  
 vnic interface TenGigE0/4/1/6 
 vnic interface TenGigE0/4/1/7 
 vnic interface TenGigE0/4/1/8 
 activate 
 
virtual-service enable 
virtual-service SecGW4 
 vnic interface TenGigE0/4/1/9 
 vnic interface TenGigE0/4/1/10 
 vnic interface TenGigE0/4/1/11 
 activate 
 
interface Loopback1 
 ipv4 address 65.65.0.1 255.255.255.255 
 
interface MgmtEth0/RSP0/CPU0/0 
 ipv4 address 10.78.1.50 255.255.255.0 
 
interface MgmtEth0/RSP0/CPU0/1 
 ipv4 address 8.40.4.200 255.255.0.0 
 
interface GigabitEthernet0/0/0/0 
 shutdown 
 
interface GigabitEthernet0/0/0/1 
 shutdown 
 
interface GigabitEthernet0/0/0/2 
 shutdown 
 
interface GigabitEthernet0/0/0/3 
 shutdown 
 
interface GigabitEthernet0/0/0/4 
 shutdown 
 
interface GigabitEthernet0/0/0/5 
 description "SRP Link - direct Connect to <ASR9K_backup_hostname> gigabitEthernet 0/0/0/5"
 ipv4 address 87.87.87.9 255.255.255.0 
 speed 1000 
 transceiver permit pid all 
 
interface GigabitEthernet0/0/0/6 
 shutdown 
 
interface GigabitEthernet0/0/0/7 
 shutdown 
 
interface GigabitEthernet0/0/0/8 
 shutdown 
 
interface GigabitEthernet0/0/0/9 
 shutdown 
 
interface GigabitEthernet0/0/0/10 
 shutdown 
 
interface GigabitEthernet0/0/0/11 
 shutdown 
 
interface GigabitEthernet0/0/0/12 
 shutdown 
 
interface GigabitEthernet0/0/0/13 
 shutdown 
 
interface GigabitEthernet0/0/0/14 
 shutdown 
 
interface GigabitEthernet0/0/0/15 
 shutdown 
 
interface GigabitEthernet0/0/0/16 
 shutdown 
 
interface GigabitEthernet0/0/0/17 
 shutdown 
 
interface GigabitEthernet0/0/0/18 
 description "Public Interface: IKE and ESP Traffic" 
 cdp 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface GigabitEthernet0/0/0/18.1871 
 description "Public Interface: IKE and ESP Traffic - VM1" 
 ipv4 address 187.0.1.9 255.255.255.0 
 ipv6 address 1871::9/64 
 ipv6 enable 
 encapsulation dot1q 1871 
 
interface GigabitEthernet0/0/0/18.1872 
 description "Public Interface: IKE and ESP Traffic - VM2" 
 ipv4 address 187.0.2.9 255.255.255.0 
 ipv6 address 1872::9/64 
 ipv6 enable 
 encapsulation dot1q 1872 
 
interface GigabitEthernet0/0/0/18.1873 
 description "Public Interface: IKE and ESP Traffic - VM3" 
 ipv4 address 187.0.3.9 255.255.255.0 
 ipv6 address 1873::9/64 
 ipv6 enable 
 encapsulation dot1q 1873 
 
interface GigabitEthernet0/0/0/18.1874 
 description "Public Interface: IKE and ESP Traffic - VM4" 
 ipv4 address 187.0.4.9 255.255.255.0 
 ipv6 address 1874::9/64 
 ipv6 enable 
 encapsulation dot1q 1874 
 
interface GigabitEthernet0/0/0/19 
 description Private Interface, Clear Traffic 
 cdp 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface GigabitEthernet0/0/0/19.1881 
 description "Private Interface, Clear Traffic - VM1" 
 ipv4 address 188.0.1.9 255.255.255.0 
 ipv6 address 1881::9/64 
 ipv6 enable 
 encapsulation dot1q 1881 
 
interface GigabitEthernet0/0/0/19.1882 
 description "Private Interface, Clear Traffic - VM2" 
 ipv4 address 188.0.2.9 255.255.255.0 
 ipv6 address 1882::9/64 
 ipv6 enable 
 encapsulation dot1q 1882 
 
interface GigabitEthernet0/0/0/19.1883 
 description "Private Interface, Clear Traffic - VM3" 
 ipv4 address 188.0.3.9 255.255.255.0 
 ipv6 address 1883::9/64 
 ipv6 enable 
 encapsulation dot1q 1883 
 
interface GigabitEthernet0/0/0/19.1884
 description "Private Interface, Clear Traffic - VM4" 
 ipv4 address 188.0.4.9 255.255.255.0 
 ipv6 address 1884::9/64 
 ipv6 enable 
 encapsulation dot1q 1884 
 
interface GigabitEthernet0/0/0/20 
 shutdown 
 
interface GigabitEthernet0/0/0/21 
 shutdown 
 
interface GigabitEthernet0/0/0/22 
 shutdown 
 
interface GigabitEthernet0/0/0/23 
 shutdown 
 
interface GigabitEthernet0/0/0/24 
 shutdown 
 
interface GigabitEthernet0/0/0/25 
 shutdown 
 
interface GigabitEthernet0/0/0/26 
 shutdown 
 
interface GigabitEthernet0/0/0/27 
 shutdown 
 
interface GigabitEthernet0/0/0/28 
 shutdown 
 
interface GigabitEthernet0/0/0/29 
 shutdown 
 
interface GigabitEthernet0/0/0/30 
 shutdown 
 
interface GigabitEthernet0/0/0/31 
 shutdown 
 
interface GigabitEthernet0/0/0/32 
 shutdown 
 
interface GigabitEthernet0/0/0/33 
 shutdown 
 
interface GigabitEthernet0/0/0/34 
 shutdown 
 
interface GigabitEthernet0/0/0/35 
 shutdown 
 
interface GigabitEthernet0/0/0/36 
 shutdown 
 
interface GigabitEthernet0/0/0/37 
 shutdown 
 
interface GigabitEthernet0/0/0/38 
 shutdown 
 
interface GigabitEthernet0/0/0/39 
 shutdown 
 
interface TenGigE0/4/1/0 
 description "IKE and ESP traffic VM1" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/0.1871 
 description "IKE and ESP traffic for VM1" 
 ipv4 address 41.41.41.10 255.255.255.0 
 ipv6 address 2041::10/64 
 encapsulation dot1q 1871 
 
interface TenGigE0/4/1/1 
 description "Clear and srp traffic VM1" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/1.1359 
 description "srp traffic VM1" 
 ipv4 address 81.81.81.10 255.255.255.0 
 ipv6 address 2081::10/64 
 encapsulation dot1q 1359 
 
 
interface TenGigE0/4/1/1.1881 
 description "clear traffic VM1" 
 ipv4 address 61.61.61.10 255.255.255.0 
 ipv6 address 2061::10/64 
 encapsulation dot1q 1881 
 
interface TenGigE0/4/1/2 
 description "Management interface for VM1" 
 transceiver permit pid all 
 l2transport 
  
 
interface TenGigE0/4/1/3 
 description "IKE and ESP traffic VM2" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/3.1872 
 description "IKE and ESP traffic for VM2" 
 ipv4 address 42.42.42.10 255.255.255.0 
 ipv6 address 2042::10/64 
 encapsulation dot1q 1872 
 
interface TenGigE0/4/1/4 
 description "Clear and srp traffic VM2" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/4.1360 
 description "srp traffic VM2" 
 ipv4 address 82.82.82.10 255.255.255.0 
 ipv6 address 2082::10/64 
 encapsulation dot1q 1360 
 
interface TenGigE0/4/1/4.1882 
 description "clear traffic VM2" 
 ipv4 address 62.62.62.10 255.255.255.0 
 ipv6 address 2062::10/64 
 encapsulation dot1q 1882 
 
interface TenGigE0/4/1/5 
 description "Management interface for VM2" 
 transceiver permit pid all 
 l2transport 
  
 
interface TenGigE0/4/1/6 
 description "IKE and ESP traffic VM3" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/6.1873 
 description "IKE and ESP traffic for VM3" 
 ipv4 address 43.43.43.10 255.255.255.0 
 ipv6 address 2043::10/64 
 encapsulation dot1q 1873 
 
interface TenGigE0/4/1/7 
 description "Clear and srp traffic VM3" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/7.1361 
 description "srp traffic VM3" 
 ipv4 address 83.83.83.10 255.255.255.0 
 ipv6 address 2083::10/64 
 encapsulation dot1q 1361 
 
interface TenGigE0/4/1/7.1883 
 description "clear traffic VM3" 
 ipv4 address 63.63.63.10 255.255.255.0 
 ipv6 address 2063::10/64 
 encapsulation dot1q 1883 
 
interface TenGigE0/4/1/8 
 description "Management interface for VM3" 
 transceiver permit pid all 
 l2transport 
  
 
interface TenGigE0/4/1/9 
 description "IKE and ESP traffic VM4" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/9.1874 
 description "IKE and ESP traffic for VM4"
 ipv4 address 44.44.44.10 255.255.255.0 
 ipv6 address 2044::10/64 
 encapsulation dot1q 1874 
 
interface TenGigE0/4/1/10 
 description "Clear and srp traffic VM4" 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
 
interface TenGigE0/4/1/10.1362 
 description "srp traffic VM4" 
 ipv4 address 84.84.84.10 255.255.255.0 
 ipv6 address 2084::10/64 
 encapsulation dot1q 1362 
 
interface TenGigE0/4/1/10.1884 
 description "clear traffic VM4" 
 ipv4 address 64.64.64.10 255.255.255.0 
 ipv6 address 2064::10/64 
 encapsulation dot1q 1884 
 
interface TenGigE0/4/1/11 
 description "Management interface for VM4" 
 transceiver permit pid all 
 l2transport 
  
 
interface BVI3 
 ipv4 address 192.168.122.2 255.255.255.0 
 
router static 
 address-family ipv4 unicast 
  10.78.0.0/16 MgmtEth0/RSP0/CPU0/0 
  35.35.35.35/32 41.41.41.11 
  36.36.36.36/32 42.42.42.11 
  37.37.37.37/32 43.43.43.11 
  38.38.38.38/32 44.44.44.11 
  64.103.217.0/24 10.78.1.1 
  65.65.0.0/16 188.0.1.100 
  66.66.0.0/16 188.0.2.100 
  67.67.0.0/16 188.0.3.100 
  68.68.0.0/16 188.0.4.100 
  81.81.81.0/24 GigabitEthernet0/0/0/5 87.87.87.10 
  82.82.82.0/24 GigabitEthernet0/0/0/5 87.87.87.10 
  83.83.83.0/24 GigabitEthernet0/0/0/5 87.87.87.10 
  84.84.84.0/24 GigabitEthernet0/0/0/5 87.87.87.10 
  92.0.0.0/8 187.0.1.11 
  93.0.0.0/8 187.0.2.11 
  94.0.0.0/8 187.0.3.11 
  95.0.0.0/8 187.0.4.11 
  202.153.144.25/32 8.40.0.1 
  
 address-family ipv6 unicast 
  2035::35/128 2041::11 
  2036::36/128 2042::11 
  2037::37/128 2043::11
  2038::38/128 2044::11 
  2065::/64 1881::100 
  2066::/64 1882::100 
  2067::/64 1883::100 
  2068::/64 1884::100 
  2092::/64 1871::11 
  2093::/64 1872::11 
  2094::/64 1873::11 
  2095::/64 1874::11 
  
 
l2vpn 
 xconnect group wsg 
  
 bridge group irb 
  bridge-domain irb1 
   interface TenGigE0/4/1/2 
    
   interface TenGigE0/4/1/5 
    
   interface TenGigE0/4/1/8 
    
   interface TenGigE0/4/1/11 
    
   routed interface BVI3 
   
  
 
router hsrp 
 interface GigabitEthernet0/0/0/18.1871 
  address-family ipv4 
   hsrp 4 
    preempt 
    priority 101 
    address 187.0.1.20 
    track object WsgIPsla 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 12 
    preempt 
    priority 101 
    track object WsgIPsla 
    track object PublicHsrp 
    address global 1871::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/18.1872 
  address-family ipv4 
   hsrp 5 
    preempt 
    priority 101 
    address 187.0.2.20 
    track object WsgIPsla1 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 13 
    preempt 
    priority 101 
    track object WsgIPsla1 
    track object PublicHsrp 
    address global 1872::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/18.1873 
  address-family ipv4 
   hsrp 6 
    preempt 
    priority 101 
    address 187.0.3.20 
    track object WsgIPsla2 
    track object PublicHsrp 
    
   
  
  address-family ipv6
   hsrp 14
    preempt
    priority 101
    track object WsgIPsla2
    track object PublicHsrp
    address global 1873::20
    address linklocal autoconfig



 interface GigabitEthernet0/0/0/18.1874
  address-family ipv4
   hsrp 7 
    preempt 
    priority 101 
    address 187.0.4.20 
    track object WsgIPsla3 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 15 
    preempt 
    priority 101 
    track object WsgIPsla3 
    track object PublicHsrp 
    address global 1874::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1881 
  address-family ipv4 
   hsrp 8 
    preempt 
    priority 101 
    address 188.0.1.20 
    track object WsgIPsla 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 16 
    preempt 
    priority 101 
    track object WsgIPsla 
    track object PublicHsrp 
    address global 1881::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1882 
  address-family ipv4 
   hsrp 9 
    preempt 
    priority 101 
    address 188.0.2.20 
    track object WsgIPsla1 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 17 
    preempt 
    priority 101 
    track object WsgIPsla1 
    track object PublicHsrp 
    address global 1882::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1883
  address-family ipv4 
   hsrp 10 
    preempt 
    priority 101 
    address 188.0.3.20 
    track object WsgIPsla2 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 18 
    preempt 
    priority 101 
    track object WsgIPsla2 
    track object PublicHsrp 
    address global 1883::20 
    address linklocal autoconfig 
    
   
  
 interface GigabitEthernet0/0/0/19.1884 
  address-family ipv4 
   hsrp 11 
    preempt 
    priority 101 
    address 188.0.4.20 
    track object WsgIPsla3 
    track object PublicHsrp 
    
   
  address-family ipv6 
   hsrp 19 
    preempt 
    priority 101 
    track object WsgIPsla3 
    track object PublicHsrp 
    address global 1884::20 
    address linklocal autoconfig 
    
   
  
 
ipsla 
 operation 200 
  type icmp echo 
   destination address 41.41.41.100 
   timeout 300 
   frequency 1 
   
  
 operation 201 
  type icmp echo 
   destination address 42.42.42.100 
   timeout 300 
   frequency 1 
   
  
 operation 202 
  type icmp echo 
   destination address 43.43.43.100 
   timeout 300 
   frequency 1 
   
  
 operation 203 
  type icmp echo 
   destination address 44.44.44.100 
   timeout 300 
   frequency 1 
   
  
 schedule operation 200 
  start-time now 
  life forever 
  
 schedule operation 201 
  start-time now 
  life forever 
  
 schedule operation 202 
  start-time now 
  life forever 
  
 schedule operation 203 
  start-time now 
  life forever 
  
 
track WsgIPsla 
 type rtr 200 reachability 
 delay up 1 
 delay down 1 
 
track WsgIPsla1 
 type rtr 201 reachability 
 delay up 1 
 delay down 1 
 
track WsgIPsla2 
 type rtr 202 reachability 
 delay up 1 
 delay down 1 
 
track WsgIPsla3 
 type rtr 203 reachability 
 delay up 1 
 delay down 1 
 
track PublicHsrp 
 type line-protocol state 
  interface GigabitEthernet0/0/0/18 
  
 delay up 1 
 delay down  
 
crypto ca trustpoint onep-tp 
 crl optional 
 subject-name CN=<ASR9K_backup_hostname>.<domain_name> 
 enrollment url terminal 
 
end 

SecGW VM Configuration (StarOS)


Important

Each SecGW (CPU-VM complex) must be separately configured as described below for corresponding VSMs in both the primary and backup ASR 9000 chassis. There are four CPU-VM complexes per ASR 9000 VSM.


The unique parameters for each CPU-VM complex must correspond with interface settings configured for the primary and backup ASR 9000 chassis.

Notes:
  • Enable hidden CLI test-commands.
  • Install SecGW License.
  • Assign unique host name per CPU-VM complex.
  • Set crash log size to 2048 with compression.
  • Require Session Recovery.
  • Create local context with unique parameters per CPU-VM complex.
  • Enable wsg-service with unique parameters per CPU-VM complex.
  • Create SRP context with unique parameters per CPU-VM complex.
  • Enable Connected Apps session with unique password and session name per CPU-VM complex.
  • Set wsg-lookup priorities.
  • Appropriately configure ethernet ports with unique parameters per CPU-VM complex. Refer to the tables below for mapping of sample IP addresses for each SecGW.
Table 2. StarOS IP Address Mapping - SecGW1
Variable | Primary ASR 9000 | Backup ASR 9000
<interface_LOCAL1_IPv4-address> | 100.100.100.1 255.255.255.0 | 192.168.122.15 255.255.255.0
<iproute_:LOCAL1_IPv4-address_mask> | 0.0.0.0 0.0.0.0 100.100.100.10 | 0.0.0.0 0.0.0.0 192.168.122.2
<wsg_acl1_permit_IPv4-address_mask> | 65.65.0.0 0.0.255.255, 45.45.0.0 0.0.255.255 | 65.65.0.0 0.0.255.255, 45.45.0.0 0.0.255.255
<wsg_acl1_permit_IPv6-address/mask> | 2065:: ::ffff:ffff:ffff:ffff, 2045:: ::ffff:ffff:ffff:ffff | 2065:: ::ffff:ffff:ffff:ffff, 2045:: ::ffff:ffff:ffff:ffff
<wsg_pool1_IPv4-address> | 45.45.0.1, 45.45.58.254 | 45.45.0.1, 45.45.58.254
<wsg_pool1_IPv6-address/mask> | 2045::/56 | 2045::/56
<crypto_foo_local_IPv4-address> | 35.35.35.35 | 35.35.35.35
<crypto_foo-1_local_IPv6-address> | 2035::35 | 2035::35
<wsg_interface_clear_IPv4-address_mask> | 51.51.51.11 255.255.255.0 | 61.61.61.11 255.255.255.0
<wsg_interface_clear_IPv6-address/mask> | 2051::11/64 | 2061::11/64
<wsg_interface_ike_IPv4-address_mask> | 31.31.31.11 255.255.255.0 | 41.41.41.11 255.255.255.0
<wsg_interface_ike_IPv6-address/mask> | 2031::11/64 | 2041::11/64
<wsg_interface_ike-loop_IPv4-address_mask> | 35.35.35.35 255.255.255.255 | 35.35.35.35 255.255.255.255
<wsg_interface_ike-loop_IPv6-address/mask> | 2035::35/128 | 2035::35/128
<wsg_interface_ike-loop1_IPv4-address_mask> | 31.31.31.100 255.255.255.255 | 41.41.41.100 255.255.255.255
<wsg-service_bind_IPv4-address> | 35.35.35.35 | 35.35.35.35
<wsg-service_bind_IPv6-address> | 2035::35 | 2035::35
<wsg_iproute_clear_IPv4-address_mask> | 65.65.0.0 255.255.0.0 | 65.65.0.0 255.255.0.0
<wsg_iproute_clear_IPv4-address> | 51.51.51.10 | 61.61.61.10
<wsg_iproute_ike1_IPv4-address_mask> | 187.0.1.0 255.255.255.0 | 187.0.1.0 255.255.255.0
<wsg_iproute_ike1_IPv4-address> | 31.31.31.10 | 41.41.41.10
<wsg_iproute_ike2_IPv4-address_mask> | 92.0.0.0 255.0.0.0 | 92.0.0.0 255.0.0.0
<wsg_iproute_ike2_IPv4-address> | 31.31.31.10 | 41.41.41.10
<wsg_iproute_ike3_IPv4-address_mask> | 188.0.1.0 255.255.255.0 | 188.0.1.0 255.255.255.0
<wsg_iproute_ike3_IPv4-address> | 31.31.31.10 | 41.41.41.10
<wsg_iproute_clear_IPv6-address/mask> | 2065::/64 | 2065::/64
<wsg_iproute_clear_nexthop_IPv6-address> | 2051::10 | 2061::10
<wsg_iproute_ike1_IPv6-address/mask> | 2092::/64 | 2092::/64
<wsg_iproute_ike1_nexthop_IPv6-address> | 2031::10 | 2041::10
<wsg_iproute_ike2_IPv6-address/mask> | 1871::/64 | 1871::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2031::10 | 2041::10
<wsg_iproute_ike2_IPv6-address/mask> | 1881::/64 | 1881::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2031::10 | 2041::10
<wsg_rri_nexthop_IPv4-address> | 51.51.51.11 | 61.61.61.11
<wsg_rri_nexthop_IPv6-address> | |
<srp_monitor_hsrp_vlan_id> | 1871 | 1871
<srp_hsrp-group_number> | 4 | 4
<srp_peer_IPv4-address> | 81.81.81.11 | 71.71.71.11
<srp_bind_IPv4-address> | 71.71.71.11 | 81.81.81.11
<srp_interface_icsr_IPv4-address_mask> | 71.71.71.11 255.255.255.0 | 81.81.81.11 255.255.255.0
<srp_iproute_icsr_IPv4-address_mask> | 81.81.81.0 255.255.255.0 | 71.71.71.0 255.255.255.0
<srp_iproute_icsr_IPv4-address> | 71.71.71.10 | 81.81.81.10
<connectedapps_session_IPv4-address> | 100.100.100.10 | 192.168.122.2
<port_1/10_vlan_id> | |
<port_1/11_vlan_id_srp> | 1259 | 1871
<port_1/11_vlan_id_wsg> | 1881 | 1881
Table 3. StarOS IP Address Mapping - SecGW2
Variable | Primary ASR 9000 | Backup ASR 9000
<interface_LOCAL1_IPv4-address> | 100.100.100.2 255.255.255.0 | 192.168.122.16 255.255.255.0
<iproute_LOCAL1_IPv4-address_mask> | 0.0.0.0 0.0.0.0 100.100.100.10 | 0.0.0.0 0.0.0.0 192.168.122.2
<wsg_acl1_permit_IPv4-address_mask> | 66.66.0.0 0.0.255.255, 46.46.0.0 0.0.255.255 | 66.66.0.0 0.0.255.255, 46.46.0.0 0.0.255.255
<wsg_acl1_permit_IPv6-address/mask> | 2066:: ::ffff:ffff:ffff:ffff, 2046:: ::ffff:ffff:ffff:ffff | 2066:: ::ffff:ffff:ffff:ffff, 2046:: ::ffff:ffff:ffff:ffff
<wsg_pool1_IPv4-address> | 46.46.0.1, 46.46.58.254 | 46.46.0.1, 46.46.58.254
<wsg_pool1_IPv6-address/mask> | 2046::/56 | 2046::/56
<crypto_foo_local_IPv4-address> | 36.36.36.36 | 36.36.36.36
<crypto_foo-1_local_IPv6-address> | 2036::36 | 2036::36
<wsg_interface_clear_IPv4-address_mask> | 52.52.52.11 255.255.255.0 | 62.62.62.11 255.255.255.0
<wsg_interface_clear_IPv6-address/mask> | 2052::11/64 | 2062::11/64
<wsg_interface_ike_IPv4-address_mask> | 52.52.52.11 255.255.255.0 | 42.42.42.12 255.255.255.0
<wsg_interface_ike_IPv6-address/mask> | 2032::11/64 | 2042::11/64
<wsg_interface_ike-loop_IPv4-address_mask> | 36.36.36.36 255.255.255.255 | 36.36.36.36 255.255.255.255
<wsg_interface_ike-loop_IPv6-address/mask> | 2036::36/128 | 2036::36/128
<wsg_interface_ike-loop1_IPv4-address_mask> | 32.32.32.100 255.255.255.255 | 42.42.42.100 255.255.255.255
<wsg-service_bind_IPv4-address> | 36.36.36.36 | 36.36.36.36
<wsg-service_bind_IPv6-address> | 2036::36 | 2036::36
<wsg_iproute_clear_IPv4-address_mask> | 66.66.0.0 255.255.0.0 | 66.66.0.0 255.255.0.0
<wsg_iproute_clear_IPv4-address> | 52.52.52.10 | 62.62.62.10
<wsg_iproute_ike1_IPv4-address_mask> | 187.0.2.0 255.255.255.0 | 187.0.2.0 255.255.255.0
<wsg_iproute_ike1_IPv4-address> | 32.32.32.10 | 42.42.42.10
<wsg_iproute_ike2_IPv4-address_mask> | 93.0.0.0 255.0.0.0 | 93.0.0.0 255.0.0.0
<wsg_iproute_ike2_IPv4-address> | 32.32.32.10 | 42.42.42.10
<wsg_iproute_ike3_IPv4-address_mask> | 188.0.2.0 255.255.255.0 | 188.0.2.0 255.255.255.0
<wsg_iproute_ike3_IPv4-address> | 32.32.32.10 | 42.42.42.10
<wsg_iproute_clear_IPv6-address/mask> | 2066::/64 | 2066::/64
<wsg_iproute_clear_nexthop_IPv6-address> | 2052::10 | 2062::10
<wsg_iproute_ike1_IPv6-address/mask> | 2093::/64 | 2093::/64
<wsg_iproute_ike1_nexthop_IPv6-address> | 2032::10 | 2042::10
<wsg_iproute_ike2_IPv6-address/mask> | 1872::/64 | 1872::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2032::10 | 2042::10
<wsg_iproute_ike2_IPv6-address/mask> | 1882::/64 | 1882::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2032::10 | 2042::10
<wsg_rri_nexthop_IPv4-address> | 52.52.52.11 | 62.62.62.11
<wsg_rri_nexthop_IPv6-address> | 2052::11 | 2062::1
<srp_monitor_hsrp_vlan_id> | 1872 | 1872
<srp_hsrp-group_number> | 5 | 5
<srp_peer_IPv4-address> | 82.82.82.11 | 72.72.72.11
<srp_bind_IPv4-address> | 72.72.72.11 | 82.82.82.11
<srp_interface_icsr_IPv4-address_mask> | 72.72.72.11 255.255.255.0 | 82.82.82.11 255.255.255.0
<srp_iproute_icsr_IPv4-address_mask> | 82.82.82.0 255.255.255.0 | 71.71.71.0 255.255.255.0
<srp_iproute_icsr_IPv4-address> | 72.72.72.11 | 82.82.82.11
<connectedapps_session_IPv4-address> | 100.100.100.10 | 192.168.122.2
<port_1/10_vlan_id> | |
<port_1/11_vlan_id_srp> | 1260 | 1360
<port_1/11_vlan_id_wsg> | 1882 | 1882
Table 4. StarOS IP Address Mapping - SecGW3
Variable | Primary ASR 9000 | Backup ASR 9000
<interface_LOCAL1_IPv4-address> | 100.100.100.3 255.255.255.0 | 192.168.122.17 255.255.255.0
<iproute_LOCAL1_IPv4-address_mask> | 0.0.0.0 0.0.0.0 100.100.100.10 | 0.0.0.0 0.0.0.0 192.168.122.2
<wsg_acl1_permit_IPv4-address_mask> | 67.67.0.0 0.0.255.255, 47.47.0.0 0.0.255.255 | 67.67.0.0 0.0.255.255, 47.47.0.0 0.0.255.255
<wsg_acl1_permit_IPv6-address/mask> | 2067:: ::ffff:ffff:ffff:ffff, 2047:: ::ffff:ffff:ffff:ffff | 2067:: ::ffff:ffff:ffff:ffff, 2047:: ::ffff:ffff:ffff:ffff
<wsg_pool1_IPv4-address> | 47.47.0.1, 47.47.58.254 | 47.47.0.1, 47.47.58.254
<wsg_pool1_IPv6-address/mask> | 2047::/56 | 2047::/56
<crypto_foo_local_IPv4-address> | 37.37.37.37 | 37.37.37.37
<crypto_foo-1_local_IPv6-address> | 2037::37 | 2037::37
<wsg_interface_clear_IPv4-address_mask> | 53.53.53.11 255.255.255.0 | 63.63.63.11 255.255.255.0
<wsg_interface_clear_IPv6-address/mask> | 2053::11/64 | 2063::11/64
<wsg_interface_ike_IPv4-address_mask> | 33.33.33.11 255.255.255.0 | 43.43.43.12 255.255.255.0
<wsg_interface_ike_IPv6-address/mask> | 2033::11/64 | 2043::11/64
<wsg_interface_ike-loop_IPv4-address_mask> | 37.37.37.37 255.255.255.255 | 37.37.37.37 255.255.255.255
<wsg_interface_ike-loop_IPv6-address/mask> | 2037::37/128 | 2037::37/128
<wsg_interface_ike-loop1_IPv4-address_mask> | 33.33.33.100 255.255.255.255 | 43.43.43.100 255.255.255.255
<wsg-service_bind_IPv4-address> | 37.37.37.37 | 37.37.37.37
<wsg-service_bind_IPv6-address> | 2037::37 | 2037::37
<wsg_iproute_clear_IPv4-address_mask> | 67.67.0.0 255.255.0.0 | 67.67.0.0 255.255.0.0
<wsg_iproute_clear_IPv4-address> | 53.53.53.10 | 63.63.63.10
<wsg_iproute_ike1_IPv4-address_mask> | 187.0.3.0 255.255.255.0 | 187.0.3.0 255.255.255.0
<wsg_iproute_ike1_IPv4-address> | 33.33.33.10 | 43.43.43.10
<wsg_iproute_ike2_IPv4-address_mask> | 94.0.0.0 255.0.0.0 | 94.0.0.0 255.0.0.0
<wsg_iproute_ike2_IPv4-address> | 33.33.33.10 | 43.43.43.10
<wsg_iproute_ike3_IPv4-address_mask> | 188.0.3.0 255.255.255.0 | 188.0.3.0 255.255.255.0
<wsg_iproute_ike3_IPv4-address> | 33.33.33.10 | 43.43.43.10
<wsg_iproute_clear_IPv6-address/mask> | 2067::/64 | 2067::/64
<wsg_iproute_clear_nexthop_IPv6-address> | 2053::10 | 2063::10
<wsg_iproute_ike1_IPv6-address/mask> | 2094::/64 | 2094::/64
<wsg_iproute_ike1_nexthop_IPv6-address> | 2033::10 | 2043::10
<wsg_iproute_ike2_IPv6-address/mask> | 1873::/64 | 1873::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2033::10 | 2043::10
<wsg_iproute_ike2_IPv6-address/mask> | 1883::/64 | 1883::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2033::10 | 2043::10
<wsg_rri_nexthop_IPv4-address> | 53.53.53.11 | 63.63.63.11
<wsg_rri_nexthop_IPv6-address> | 2053::11 | 2063::11
<srp_monitor_hsrp_vlan_id> | 1873 | 1873
<srp_hsrp-group_number> | 6 | 5
<srp_peer_IPv4-address> | 83.83.83.11 | 73.73.73.11
<srp_bind_IPv4-address> | 73.73.73.11 | 83.83.83.11
<srp_interface_icsr_IPv4-address_mask> | 73.73.73.11 255.255.255.0 | 83.83.83.11 255.255.255.0
<srp_iproute_icsr_IPv4-address_mask> | 83.83.83.0 255.255.255.0 | 73.73.73.0 255.255.255.0
<srp_iproute_icsr_IPv4-address> | 73.73.73.11 | 83.83.83.11
<connectedapps_session_IPv4-address> | 100.100.100.10 | 192.168.122.2
<port_1/10_vlan_id> | 1873 | 1873
<port_1/11_vlan_id_srp> | 1260 | 1361
<port_1/11_vlan_id_wsg> | 1882 | 1883
Table 5. StarOS IP Address Mapping - SecGW4
Variable | Primary ASR 9000 | Backup ASR 9000
<interface_LOCAL1_IPv4-address> | 100.100.100.4 255.255.255.0 | 192.168.122.18 255.255.255.0
<iproute_LOCAL1_IPv4-address_mask> | 0.0.0.0 0.0.0.0 100.100.100.10 | 0.0.0.0 0.0.0.0 192.168.122.2
<wsg_acl1_permit_IPv4-address_mask> | 68.68.0.0 0.0.255.255, 48.48.0.0 0.0.255.255 | 68.68.0.0 0.0.255.255, 48.48.0.0 0.0.255.255
<wsg_acl1_permit_IPv6-address/mask> | 2068:: ::ffff:ffff:ffff:ffff, 2048:: ::ffff:ffff:ffff:ffff | 2068:: ::ffff:ffff:ffff:ffff, 2048:: ::ffff:ffff:ffff:ffff
<wsg_pool1_IPv4-address> | 48.48.0.1, 48.48.58.254 | 48.48.0.1, 48.48.58.254
<wsg_pool1_IPv6-address/mask> | 2048::/56 | 2048::/56
<crypto_foo_local_IPv4-address> | 38.38.38.38 | 38.38.38.38
<crypto_foo-1_local_IPv6-address> | 2038::38 | 2038::38
<wsg_interface_clear_IPv4-address_mask> | 54.54.54.11 255.255.255.0 | 64.64.64.11 255.255.255.0
<wsg_interface_clear_IPv6-address/mask> | 2054::11/64 | 2064::11/64
<wsg_interface_ike_IPv4-address_mask> | 34.34.34.11 255.255.255.0 | 44.44.44.12 255.255.255.0
<wsg_interface_ike_IPv6-address/mask> | 2034::11/64 | 2044::11/64
<wsg_interface_ike-loop_IPv4-address_mask> | 38.38.38.38 255.255.255.255 | 38.38.38.38 255.255.255.255
<wsg_interface_ike-loop_IPv6-address/mask> | 2038::38/128 | 2038::38/128
<wsg_interface_ike-loop1_IPv4-address_mask> | 34.34.34.100 255.255.255.255 | 44.44.44.100 255.255.255.255
<wsg-service_bind_IPv4-address> | 38.38.38.38 | 38.38.38.38
<wsg-service_bind_IPv6-address> | 2038::38 | 2038::38
<wsg_iproute_clear_IPv4-address_mask> | 68.68.0.0 255.255.0.0 | 68.68.0.0 255.255.0.0
<wsg_iproute_clear_IPv4-address> | 54.54.54.10 | 64.64.64.10
<wsg_iproute_ike1_IPv4-address_mask> | 187.0.4.0 255.255.255.0 | 187.0.4.0 255.255.255.0
<wsg_iproute_ike1_IPv4-address> | 34.34.34.10 | 44.44.44.10
<wsg_iproute_ike2_IPv4-address_mask> | 95.0.0.0 255.0.0.0 | 95.0.0.0 255.0.0.0
<wsg_iproute_ike2_IPv4-address> | 34.34.34.10 | 44.44.44.10
<wsg_iproute_ike3_IPv4-address_mask> | 188.0.4.0 255.255.255.0 | 188.0.4.0 255.255.255.0
<wsg_iproute_ike3_IPv4-address> | 34.34.34.10 | 44.44.44.10
<wsg_iproute_clear_IPv6-address/mask> | 2068::/64 | 2068::/64
<wsg_iproute_clear_nexthop_IPv6-address> | 2054::10 | 2064::10
<wsg_iproute_ike1_IPv6-address/mask> | 2095::/64 | 2095::/64
<wsg_iproute_ike1_nexthop_IPv6-address> | 2034::10 | 2044::10
<wsg_iproute_ike2_IPv6-address/mask> | 1874::/64 | 1874::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2034::10 | 2044::10
<wsg_iproute_ike2_IPv6-address/mask> | 1884::/64 | 1884::/64
<wsg_iproute_ike2_nexthop_IPv6-address> | 2034::10 | 2044::10
<wsg_rri_nexthop_IPv4-address> | 54.54.54.11 | 64.64.64.11
<wsg_rri_nexthop_IPv6-address> | 2054::11 | 2064::11
<srp_monitor_hsrp_vlan_id> | 1874 | 1874
<srp_hsrp-group_number> | 7 | 7
<srp_peer_IPv4-address> | 84.84.84.11 | 74.74.74.11
<srp_bind_IPv4-address> | 74.74.74.11 | 84.84.84.11
<srp_interface_icsr_IPv4-address_mask> | 74.74.74.11 255.255.255.0 | 84.84.84.11 255.255.255.0
<srp_iproute_icsr_IPv4-address_mask> | 84.84.84.0 255.255.255.0 | 74.74.74.0 255.255.255.0
<srp_iproute_icsr_IPv4-address> | 74.74.74.11 | 84.84.84.11
<connectedapps_session_IPv4-address> | 100.100.100.10 | 192.168.122.2
<port_1/10_vlan_id> | 1874 | 1874
<port_1/11_vlan_id_srp> | 1262 | 1362
<port_1/11_vlan_id_wsg> | 1884 | 1884
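
One way to cross-check the SRP and HSRP rows of Tables 2 to 5 before loading them on the VMs, as an added example (not Cisco tooling and not part of this guide). The values are copied from the tables as printed; the four pairing rules and all function names are assumptions based on how an SRP peer pair and an HSRP group line up across two chassis.

```python
import ipaddress

# Per SecGW: variable -> (primary, backup), copied from Tables 2-5 as printed.
PLAN = {
    "SecGW1": {
        "srp_peer": ("81.81.81.11", "71.71.71.11"),
        "srp_bind": ("71.71.71.11", "81.81.81.11"),
        "icsr_if": ("71.71.71.11 255.255.255.0", "81.81.81.11 255.255.255.0"),
        "icsr_route": ("81.81.81.0 255.255.255.0", "71.71.71.0 255.255.255.0"),
        "hsrp_vlan": ("1871", "1871"),
        "hsrp_group": ("4", "4"),
    },
    "SecGW2": {
        "srp_peer": ("82.82.82.11", "72.72.72.11"),
        "srp_bind": ("72.72.72.11", "82.82.82.11"),
        "icsr_if": ("72.72.72.11 255.255.255.0", "82.82.82.11 255.255.255.0"),
        "icsr_route": ("82.82.82.0 255.255.255.0", "71.71.71.0 255.255.255.0"),
        "hsrp_vlan": ("1872", "1872"),
        "hsrp_group": ("5", "5"),
    },
    "SecGW3": {
        "srp_peer": ("83.83.83.11", "73.73.73.11"),
        "srp_bind": ("73.73.73.11", "83.83.83.11"),
        "icsr_if": ("73.73.73.11 255.255.255.0", "83.83.83.11 255.255.255.0"),
        "icsr_route": ("83.83.83.0 255.255.255.0", "73.73.73.0 255.255.255.0"),
        "hsrp_vlan": ("1873", "1873"),
        "hsrp_group": ("6", "5"),
    },
    "SecGW4": {
        "srp_peer": ("84.84.84.11", "74.74.74.11"),
        "srp_bind": ("74.74.74.11", "84.84.84.11"),
        "icsr_if": ("74.74.74.11 255.255.255.0", "84.84.84.11 255.255.255.0"),
        "icsr_route": ("84.84.84.0 255.255.255.0", "74.74.74.0 255.255.255.0"),
        "hsrp_vlan": ("1874", "1874"),
        "hsrp_group": ("7", "7"),
    },
}

SIDES = ("primary", "backup")


def _network(addr_mask):
    """Turn 'a.b.c.d m.m.m.m' into an IPv4Network."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_secgw(rows):
    """Return a list of findings for one SecGW's (primary, backup) rows."""
    findings = []
    for i, side in enumerate(SIDES):
        peer = ipaddress.ip_address(rows["srp_peer"][i])
        bind = ipaddress.ip_address(rows["srp_bind"][i])
        other_bind = ipaddress.ip_address(rows["srp_bind"][1 - i])
        local_if = ipaddress.ip_address(rows["icsr_if"][i].split()[0])
        route = _network(rows["icsr_route"][i])
        # Rule 1 (assumed): peer-ip-address is the other chassis' bind address.
        if peer != other_bind:
            findings.append(f"{side}: srp_peer {peer} is not the peer's srp_bind {other_bind}")
        # Rule 2 (assumed): SRP binds to the address on the local icsr interface.
        if bind != local_if:
            findings.append(f"{side}: srp_bind {bind} is not the icsr_if address {local_if}")
        # Rule 3 (assumed): the static route via icsr must cover the SRP peer.
        if peer not in route:
            findings.append(f"{side}: icsr_route {route} does not cover srp_peer {peer}")
    # Rule 4 (assumed): both chassis monitor the same HSRP VLAN and group.
    for key in ("hsrp_vlan", "hsrp_group"):
        primary, backup = rows[key]
        if primary != backup:
            findings.append(f"{key} differs: primary {primary}, backup {backup}")
    return findings


def check_plan(plan=PLAN):
    """Map each SecGW name to its findings (empty list means consistent)."""
    return {name: check_secgw(rows) for name, rows in plan.items()}


if __name__ == "__main__":
    for name, findings in check_plan().items():
        print(name, "consistent" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the tables as printed, it reports the backup ICSR route for SecGW2 and the differing HSRP group numbers for SecGW3; confirm those rows against the RSP configuration before applying them.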

SecGW VM Configuration - Primary ASR 9000 Chassis

config 
  cli hidden 
  tech-support test-commands encrypted password <unique_encrypted_password> 
  cli test-commands encrypted password <unique_encrypted_password> 
  license key "
<SecGW_license_key>"
  system hostname <ASR9K_hostname>-<SecGW#> 
  orbem 
    no siop-port 
    no iiop-port 
  #exit 
  crash max-size 2048 compression gzip 
  require session recovery 
  context local 
    no ip guarantee framed-route local-switching 
    interface LOCAL1 
      ip address <LOCAL1_IPv4-address> 
    #exit 
    server ftpd 
    #exit 
    ssh key 
<unique_encrypted_ssh_key1> 
    ssh key 
<unique_encrypted_ssh_key2> 
    ssh key 
<unique_encrypted_ssh_key3> 
    server sshd 
      subsystem sftp 
    #exit 
    server telnetd 
    #exit 
    subscriber default 
    exit 
    administrator admin encrypted password <unique_encrypted_password> 
    aaa group default 
    #exit 
    ip route <iproute_:LOCAL1_IPv4-address_mask> LOCAL1 
  #exit 
  port ethernet 1/1 
    no shutdown 
    bind interface LOCAL1 local 
  #exit 
  ca-certificate name test pem data
"-----BEGIN CERTIFICATE-----\n
<certificate_data> 
-----END CERTIFICATE-----" 
  #exit 
  context wsg 
    ip access-list acl1 
      permit ip <wsg_acl1_permit_IPv4-address_mask> <wsg_acl1_permit_IPv4-address_mask>
    #exit
    ipv6 access-list acl1
      permit ip <wsg_acl1_permit_IPv6-address_mask> <wsg_acl1_permit_IPv6-address_mask>
    #exit 
    no ip guarantee framed-route local-switching 
    ip pool pool1 range <wsg_pool1_IPv4-address/mask> <wsg_pool1_IPv4-address> public 0 
    ipv6 pool ipv6-pool1 prefix <wsg_pool1_IPv6-address/mask> public 0 
    ipsec transform-set tselsa-foo 
    #exit 
    ikev2-ikesa transform-set ikesa-foo 
    #exit 
    crypto template foo ikev2-dynamic 
      authentication local pre-shared-key encrypted key <unique_encrypted_key_per_CPU-VM> 
      authentication remote pre-shared-key encrypted key <unique_encrypted_key_per_CPU-VM> 
      ikev2-ikesa transform-set list ikesa-foo 
      ikev2-ikesa rekey 
      payload foo-sa0 match childsa match ipv4 
        ipsec transform-set list tselsa-foo 
        rekey keepalive 
      #exit 
      identity local id-type ip-addr id <crypto_foo_IPv4-address> 
    #exit 
    crypto template foo-1 ikev2-dynamic 
      authentication local pre-shared-key encrypted key <encrypted_key> 
      authentication remote pre-shared-key encrypted key <encrypted_key> 
      ikev2-ikesa transform-set list ikesa-foo 
      ikev2-ikesa rekey 
      payload foo-sa0 match childsa match ipv6 
        ipsec transform-set list tselsa-foo 
        rekey keepalive 
      #exit 
      identity local id-type ip-addr id <crypto_foo1_local_IPv6-address_mask> 
    #exit 
    interface clear 
      ip address <wsg_interface_clear_IPv4-address> 
      ipv6 address <wsg_interface_clear_IPv6-address> secondary 
    #exit 
    interface ike loopback 
      ip address <wsg_interface_ike_IPv4-address_mask> srp-activate
      ipv6 address <wsg_interface_ike_IPv6-address/mask> srp-activate 
    #exit 
    interface ike-loop loopback 
      ip address <wsg_interface_ike-loop_IPv4-address_mask> srp-activate 
    #exit 
    interface ike-loop-v6 loopback 
      ipv6 address <wsg_interface_ike-loop_IPv6-address/mask> srp-activate 
    #exit 
    interface ike-loop1 loopback 
      ip address <wsg_interface_ike-loop1_IPv4-address_mask> srp-activate 
    #exit 
    subscriber default 
    exit 
    aaa group default 
    #exit 
    wsg-service ipv4 
      deployment-mode site-to-site 
      ip access-group acl1 
      bind address <wsg-service_bind_IPv4-address> crypto-template foo 
    #exit 
    wsg-service ipv6 
      deployment-mode site-to-site 
      ipv6 access-group acl1 
      bind address <wsg-service_bind_IPv6-address_per_CPU-VM> crypto-template foo-1 
    #exit 
    ip route <wsg_iproute_clear_IPv4-address_mask> <wsg_iproute_clear_IPv4-address> clear
    ip route <wsg_iproute_ike1_IPv4-address_mask> <wsg_iproute_ike1_IPv4-address> ike
    ip route <wsg_iproute_ike2_IPv4-address_mask> <wsg_iproute_ike2_IPv4-address> ike
    ip route <wsg_iproute_ike3_IPv4-address_mask> <wsg_iproute_ike3_IPv4-address> ike
    ipv6 route <wsg_iproute_clear_IPv6-address/mask> <wsg_iproute_clear_nexthop_IPv6-address> interface clear
    ipv6 route <wsg_iproute_ike1_IPv6-address/mask> <wsg_iproute_ike1_nexthop_IPv6-address> interface ike
    ipv6 route <wsg_iproute_ike2_IPv6-address/mask> <wsg_iproute_ike2_nexthop_IPv6-address> interface ike 
    ipv6 route <wsg_iproute_ike3_IPv6-address/mask> <wsg_iproute_ike3_nexthop_IPv6-address> interface ike 
    ip rri next-hop <wsg_rri_nexthop_IPv4-address> interface clear 
    ipv6 rri next-hop <wsg_rri_nexthop_IPv6-address> interface clear 
  #exit 
  context srp 
    no ip guarantee framed-route local-switching 
    service-redundancy-protocol 
      chassis-mode primary 
      hello-interval 3 
      configuration-interval 60 
      dead-interval 15 
      checkpoint session duration non-ims-session 30 
      route-modifier threshold 10 
      priority 10 
      monitor hsrp interface GigabitEthernet0/0/0/18.<srp_monitor_hsrp_vlan_ID> afi-type IPv4 hsrp-group <srp_hsrp-group_number>
      peer-ip-address <srp_peer_IPv4-address> 
      bind address <srp_bind_IPv4-address> 
    #exit 
    interface icsr 
      ip address <srp_interface_icsr_IPv4-address_mask_per_CPU-VM> 
    #exit 
    subscriber default 
    exit 
    aaa group default 
    #exit 
    ip route <srp_iproute_IPv4-address_mask> <srp_iproute_IPv4-address> icsr
  #exit 
   
  connectedapps 
    sess-userid cisco 
    sess-passwd encrypted password <encrypted_password> 
    sess-name hsrp 
    sess-ip-address <connectapps_session_IPv4-address> 
    rri-mode BOTH 
    ha-chassis-mode inter 
    ha-network-mode L2 
    ca-certificate-name test 
    activate 
  #exit 
  wsg-lookup 
    priority 1 source-netmask 32 destination-netmask 32 
    priority 2 source-netmask 128 destination-netmask 128 
    priority 3 source-netmask 64 destination-netmask 64 
  #exit 
  port ethernet 1/10 
    no shutdown 
    vlan <port_1/10_vlan_id>
      no shutdown 
      bind interface ike wsg 
    #exit 
  #exit 
  port ethernet 1/11 
    no shutdown 
    vlan <port_1/11_vlan_id_srp> 
      no shutdown 
      bind interface icsr srp 
    #exit 
    vlan <port_1/11_vlan_id_wsg> 
      no shutdown 
      bind interface clear wsg 
    #exit 
  #exit 
end 

SecGW VM Configuration - Backup ASR 9000 Chassis

config 
  cli hidden 
  tech-support test-commands encrypted password <unique_encrypted_password> 
  cli test-commands encrypted password <unique_encrypted_password> 

Important

The logging disable eventid entries should only be applied to SecGW2, SecGW3 and SecGW4.


logging disable eventid 10171 
logging disable eventid 10638 
logging disable eventid 12690 
logging disable eventid 1298 
logging disable eventid 55629 
logging disable eventid 77601 to 77602 
  license key "
<SecGW_license_key>"
  system hostname <ASR9K_hostname>-<SecGW#> 
  orbem 
    no siop-port 
    no iiop-port 
  #exit 
  crash max-size 2048 compression gzip 
  require session recovery 
  context local 
    no ip guarantee framed-route local-switching 
    interface LOCAL1 
      ip address <LOCAL1_IPv4-address> 
    #exit 
    server ftpd 
    #exit 
    ssh key 
<unique_encrypted_ssh_key1> 
    ssh key 
<unique_encrypted_ssh_key2> 
    ssh key 
<unique_encrypted_ssh_key3> 
    server sshd 
      subsystem sftp 
    #exit 
    server telnetd 
    #exit 
    subscriber default 
    exit 
    administrator admin encrypted password <unique_encrypted_password> 
    aaa group default 
    #exit 
    ip route <iproute_:LOCAL1_IPv4-address_mask> LOCAL1 
  #exit 
  port ethernet 1/1 
    no shutdown 
    bind interface LOCAL1 local 
  #exit 
  ca-certificate name test pem data
"-----BEGIN CERTIFICATE-----\n
<certificate_data> 
-----END CERTIFICATE-----" 
  #exit 
  context wsg 
    ip access-list acl1 
      permit ip <wsg_acl1_permit_IPv4-address_mask> <wsg_acl1_permit_IPv4-address_mask>
    #exit
    ipv6 access-list acl1
      permit ip <wsg_acl1_permit_IPv6-address_mask> <wsg_acl1_permit_IPv6-address_mask>
    #exit 
    no ip guarantee framed-route local-switching 
    ip pool pool1 range <wsg_pool1_IPv4-address/mask> <wsg_pool1_IPv4-address> public 0 
    ipv6 pool ipv6-pool1 prefix <wsg_pool1_IPv6-address/mask> public 0 
    ipsec transform-set tselsa-foo 
    #exit 
    ikev2-ikesa transform-set ikesa-foo 
    #exit 
    crypto template foo ikev2-dynamic 
      authentication local pre-shared-key encrypted key <unique_encrypted_key_per_CPU-VM> 
      authentication remote pre-shared-key encrypted key <unique_encrypted_key_per_CPU-VM> 
      ikev2-ikesa transform-set list ikesa-foo 
      ikev2-ikesa rekey 
      payload foo-sa0 match childsa match ipv4 
        ipsec transform-set list tselsa-foo 
        rekey keepalive 
      #exit 
      identity local id-type ip-addr id <crypto_foo_IPv4-address> 
    #exit 
    crypto template foo-1 ikev2-dynamic 
      authentication local pre-shared-key encrypted key <encrypted_key> 
      authentication remote pre-shared-key encrypted key <encrypted_key> 
      ikev2-ikesa transform-set list ikesa-foo 
      ikev2-ikesa rekey 
      payload foo-sa0 match childsa match ipv6 
        ipsec transform-set list tselsa-foo 
        rekey keepalive 
      #exit 
      identity local id-type ip-addr id <crypto_foo1_local_IPv6-address_mask> 
    #exit 
    interface clear 
      ip address <wsg_interface_clear_IPv4-address> 
      ipv6 address <wsg_interface_clear_IPv6-address> secondary 
    #exit 
    interface ike loopback 
      ip address <wsg_interface_ike_IPv4-address_mask> srp-activate
      ipv6 address <wsg_interface_ike_IPv6-address/mask> srp-activate 
    #exit 
    interface ike-loop loopback 
      ip address <wsg_interface_ike-loop_IPv4-address_mask> srp-activate 
    #exit 
    interface ike-loop-v6 loopback 
      ipv6 address <wsg_interface_ike-loop_IPv6-address/mask> srp-activate 
    #exit 
    interface ike-loop1 loopback 
      ip address <wsg_interface_ike-loop1_IPv4-address_mask> srp-activate 
    #exit 
    subscriber default 
    exit 
    aaa group default 
    #exit 
    wsg-service ipv4 
      deployment-mode site-to-site 
      ip access-group acl1 
      bind address <wsg-service_bind_IPv4-address> crypto-template foo 
    #exit 
    wsg-service ipv6 
      deployment-mode site-to-site 
      ipv6 access-group acl1 
      bind address <wsg-service_bind_IPv6-address_per_CPU-VM> crypto-template foo-1 
    #exit 
    ip route <wsg_iproute_clear_IPv4-address_mask> <wsg_iproute_clear_IPv4-address> clear
    ip route <wsg_iproute_ike1_IPv4-address_mask> <wsg_iproute_ike1_IPv4-address> ike
    ip route <wsg_iproute_ike2_IPv4-address_mask> <wsg_iproute_ike2_IPv4-address> ike
    ip route <wsg_iproute_ike3_IPv4-address_mask> <wsg_iproute_ike3_IPv4-address> ike
    ipv6 route <wsg_iproute_clear_IPv6-address/mask> <wsg_iproute_clear_nexthop_IPv6-address> interface clear
    ipv6 route <wsg_iproute_ike1_IPv6-address/mask> <wsg_iproute_ike1_nexthop_IPv6-address> interface ike
    ipv6 route <wsg_iproute_ike2_IPv6-address/mask> <wsg_iproute_ike2_nexthop_IPv6-address> interface ike 
    ipv6 route <wsg_iproute_ike3_IPv6-address/mask> <wsg_iproute_ike3_nexthop_IPv6-address> interface ike 
    ip rri next-hop <wsg_rri_nexthop_IPv4-address> interface clear 
    ipv6 rri next-hop <wsg_rri_nexthop_IPv6-address> interface clear 
  #exit 
  context srp 
    no ip guarantee framed-route local-switching 
    service-redundancy-protocol 
      chassis-mode primary 
      hello-interval 3 
      configuration-interval 60 
      dead-interval 15 
      checkpoint session duration non-ims-session 30 
      route-modifier threshold 10 
      priority 10 
      monitor hsrp interface GigabitEthernet0/0/0/18.<srp_monitor_hsrp_vlan_ID> afi-type IPv4 hsrp-group <srp_hsrp-group_number>
      peer-ip-address <srp_peer_IPv4-address> 
      bind address <srp_bind_IPv4-address> 
    #exit 
    interface icsr 
      ip address <srp_interface_icsr_IPv4-address_mask_per_CPU-VM> 
    #exit 
    subscriber default 
    exit 
    aaa group default 
    #exit 
    ip route <srp_iproute_IPv4-address_mask> <srp_iproute_IPv4-address> icsr
  #exit 
   
  connectedapps 
    sess-userid cisco 
    sess-passwd encrypted password <encrypted_password> 
    sess-name hsrp 
    sess-ip-address <connectapps_session_IPv4-address> 
    rri-mode BOTH 
    ha-chassis-mode inter 
    ha-network-mode L2 
    ca-certificate-name test 
    activate 
  #exit 
  wsg-lookup 
    priority 1 source-netmask 32 destination-netmask 32 
    priority 2 source-netmask 128 destination-netmask 128 
    priority 3 source-netmask 64 destination-netmask 64 
  #exit 
  port ethernet 1/10 
    no shutdown 
    vlan <port_1/10_vlan_id>
      no shutdown 
      bind interface ike wsg 
    #exit 
  #exit 
  port ethernet 1/11 
    no shutdown 
    vlan <port_1/11_vlan_id_srp> 
      no shutdown 
      bind interface icsr srp 
    #exit 
    vlan <port_1/11_vlan_id_wsg> 
      no shutdown 
      bind interface clear wsg 
    #exit 
  #exit 
end