Comnet reliance RL1000GW Installation And Operation Manual Download Page 68 | Manualshive

Page: 68 / 192

background image

INS_RL1000GW_REV– 15 Jul 2016 PAGE 68

INSTALLATION AND OPERATION MANUAL

RL1000GW

TECH SUPPORT: 1.888.678.9427

Example

Following example will explain the ACL inspection flow.

The PC is sending udp packets. At the interface eth1, ACGs are intercepting the packets and
examine them.

ACG with priority 10 will take effect first, examine the packet with ACL 1050 rules. Rule 2, which
has priority 50, will be the first to be examined. As the rule addresses TCP packets, the condition
is not met. The packet will then be examined with rule 1 which addresses ICMP and thus as well
the rule is not met. The packet will now be examined with ACL 1010 rule 2 (priority 30). As the rule
condition of ICMP is not met, the packet is examined by the next rule (priority 80). The condition
of UDP is met and the packet is permitted.

ACL Commands Hierarchy

+ root

+ ip access-list extended

- create {acl-num <1001-65535>} [acl-name <>] [redirect <off| on>]

- delete {acl-num <1001-65535>}

- permit tcp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any|

<a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port
<1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]

- deny tcp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any| <a.b.c.d>]|

<a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>]
[src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]

- permit udp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any|

<a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port
<1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]

«
...
66
67
68
69
70
...
»

Summary of Contents for reliance RL1000GW

Page 1: ...ges are routinely encountered such as electrical utility substations and switchyards heavy manufacturing facilities track side electronic equipment and other difficult out of plant installations Layer...

Page 2: ...and Interfaces 14 Graphic View of Hardware 16 Distance kept for natural air flow 17 Logical Structure 17 Grounding 17 Connecting to a Power Source 18 Power Budget 18 Configuration Environment 19 Comma...

Page 3: ...e id 41 IP interface VLAN id 41 IP Interface Commands Hierarchy 41 IP Interface Commands Description 42 Example 43 Diagnostic 46 System logs export 46 Commands Hierarchy 46 Commands Description 46 Cap...

Page 4: ...6 ACG 67 Comments 67 Example 68 ACL Commands Hierarchy 68 ACL Commands Descriptions 70 Configuration Example 71 QOS 72 QOS Commands Hierarchy 72 QOS Commands Descriptions 72 NAT 73 Networking 73 NAT C...

Page 5: ...int 94 Modes of Operation 94 Reference drawing 96 Serial Traffic Direction 97 Allowed latency 97 Tx Delay 98 Bus Idle Time 98 Example 1 98 Example 2 100 Protocol Gateway IEC 101 to IEC 104 102 Modes o...

Page 6: ...ec VPN 135 DM VPN Commands Hierarchy 136 IPSec VPN Commands Hierarchy 137 IPSec 138 Applications 138 Authentication Header AH 138 Encapsulating Security Payload ESP 138 Security Associations 139 ISAKM...

Page 7: ...nels Commands Hierarchy 170 Discrete IO Channels Commands 170 VPN Setup Examples 171 DM VPN Setup 171 Network drawing 172 DM VPN over Cellular Setup 176 Network drawing 177 Configuration 177 Testing t...

Page 8: ...epresentations defined in the agreement executed between ComNet and the customer shall bind and obligate ComNet ComNet however has made all reasonable efforts to ensure that the instructions contained...

Page 9: ...ich provide the industry with a standard platform for analytics and security management systems enabling leading performance compact and cost effective solutions ComNet products are available in comme...

Page 10: ...nment such as fit to the harsh environment high reliability and network resiliency In addition the ComNet routers have unique service aware capabilities that enable an integrated handling of applicati...

Page 11: ...o MODBUS RTU and IEC 61850 101 104 TCP to IEC 61850 101 104 RTU This level of protocol conversion allows legacy protocols to be secured by enterprise and industry best practice level encryption across...

Page 12: ...uch as magnetic card readers biometric identification sensors facial recognition cameras etc to create a two factor authentication to the APA feature This provides an additional level of validation of...

Page 13: ...ComNet s Reliance Product Configuration Utility and CLI allowing the secure switch router to be easily configured and to diagnose network and security functions Configuration of the secure firewall i...

Page 14: ...FP and 2G 3G HSPA Cellular Modem 12 24 VDC RL1000GW 12 E S22 CNA RL1000GW with 2 x RS 232 1 x 10 100 Tx and 4G LTE Cellular Modem NA Bands 12 24 VDC RL1000GW 12 E S24 CNA RL1000GW with 1 x RS 232 1 x...

Page 15: ...s 24 48 VDC RL1000GW 48 E S22 CEU RL1000GW with 2 x RS 232 1 x 10 100 Tx and 4G LTE Cellular Modem EU Bands 24 48 VDC RL1000GW 48 E S24 CEU RL1000GW with 1 x RS 232 1 x RS 485 1 x 10 100 Tx and 4G LTE...

Page 16: ...Call out Description Manual Reference 1 Antenna Female Connection 2 SIM Card Ports 1 2 3 Power and Run LED Indicators 4 Console Interface Link Activity L A and Speed LED Indicators 5 RS 232 Ports 1 2...

Page 17: ...erminated by a crimped two hole lug with hole diameter and spacing as shown in the below figure Use a suitable crimping tool to fasten the lug securely to the wire Adhere to your company s policy as t...

Page 18: ...the grounding and a Blue wire for the Neutral conductor use 18AWG 1mm2 wire with insulated ferrules Power Budget The following table details power consumption of the Hardware variants with cellular a...

Page 19: ...s mode would mean the user to log out from the system Use the command exit Global Hierarchy Configuration From the Global Configuration mode command you may drill down to specific feature sub tree Exa...

Page 20: ...er supporting L3 dynamic and static Routing SCADA services Firewall Secure networking The below table gives a high level view of the supported features Feature Set TFTP Ethernet ports Serial ports Cel...

Page 21: ...IEEE 802 1q X Backup Restore running config X Conditioned scheduled system reboot X Console serial port X TFTP client X Inband Management X Outband Management X Remote Upgrade X Safe Mode X SFTP Clie...

Page 22: ...X Terminal Server X VPN L3 mGRE DM VPN X System Default state The following table details the default state of features and interfaces Feature Default state Ethernet Ports All ports are enabled Serial...

Page 23: ...export help show start stop date discrete service show dns host resolver exit firewall log profile tcp serial idle timeout iec101 gw cnt operation config iec 101 config iec 104 config gw show ipsec e...

Page 24: ...onfiguration as a file with a chosen name for backup and import the file back to boot the system with when needed User configuration is saved using the following command RL1000GW commit Building confi...

Page 25: ...oading a new OS file to the router make sure the RL1000GW has on it only one the active file If needed delete the unused file before attempting to download new Commands Hierarchy Root commit delete di...

Page 26: ...3 Check connectivity to the tftp server from which the software will be downloaded PING 172 18 212 240 172 18 212 240 56 data bytes 64 bytes from 172 18 212 240 seq 0 ttl 64 time 1 026 ms 64 bytes fr...

Page 27: ...000GW os image download status Finished Download 8 Activating desired OS file will automatically reboot the device RL1000GW os image activate version name RF _ RL1000GW _ 4 0 02 67 tar RL1000GW os ima...

Page 28: ...first Safe mode is used for approved technician only and should not be used unless specified by ComNet This safe mode state is available at the prompt For first safe mode Press s The second safe mode...

Page 29: ...ll 4 Install first sw version from TFTP continue c Continue with start up process help H Display help about this utility c Extracting software s OK 01 01 70 00 01 09 Running applications For safe mode...

Page 30: ...t the device format 2 Format flash activate 3 Activate sw version on flash install 4 Install first sw version from TFTP continue c Continue with start up process help H Display help about this utility...

Page 31: ...nter the OS image file name Enter version number on TFTP Server For main menu press X RF _ RL1000GW _ 4 0 02 52 tar 8 OS Image file will be downloaded and activated 01 01 70 00 03 18 downloading RF _...

Page 32: ...er RJ45 Included at all variants Referred to in CLI as eth1 Gigabitethernet SFP SGMII Optional ordering SFP modules are not included Copper and fiber SFP of 100 1000 types are supported Referred to in...

Page 33: ...In unicast packets 233 Out unicast packets 4 In errors packets 0 Out errors packets 0 In octets 311651 Out octets 690 Unknown packets 0 RL1000GW port show status idx slot port admin Status auto Negot...

Page 34: ...PAGE 34 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 multicast 725 Size 65 127 1239 align error 0 Size 128 255 435 dropped event 0 Size 256 511 35 fragmented 0 Size 512 1023...

Page 35: ...OTE A console cable is supplied in the box The cable is uniquely colored white Connecting to the Console Port The console port is an EIA232 VT 100 compatible port to enable the definition of the devic...

Page 36: ...wing are commands related to the CLI terminal root idle timeout Management The router can be managed via following methods IP based Serial console port Default state Feature Default state Layer 3 inte...

Page 37: ...chedule date and time YYYY MM DD HH MM SS schedule every 180 604800 seconds schedule time HH MM SS schedule in 0 604800 seconds cancel show users modify username su password password show commit delet...

Page 38: ...cific time for router reload Time format HH MM SS configuration which was not committed will not be available after reload reload schedule in Set specific timer for next router reload Permissible rang...

Page 39: ...ateway L2 VPN L3 DMVPN IPSec Interface Assignment Rules An IP interface may optionally be set with a VLAN tag to result on vlan tagging at the interface egress The VLAN tag set to an interface must be...

Page 40: ...will be routable with IP interface set to be in the same subnet as the packets origin if such is available at the RL1000GW IP interfaces associated to vlans are given an automatic name indicating the...

Page 41: ...are untagged IP interface VLAN id When an IP interface is assigned with a VLAN id it supports vlan tagging Packet coming inward to the physical interface eth1 or eth2 as assigned will be received by...

Page 42: ...interface The configuration should include Address prefix IP address in the format aa bb cc dd xx VLAN vlan ID for egress packets from the interface Purpose application host or general physical inter...

Page 43: ...ce show Id VLAN Name IP Subnet Mtu Purpose Admin status Description 1 5 eth1 5 10 10 10 100 24 1500 application host enable router static router static enable router static configure terminal router s...

Page 44: ...IP interface without vlan id RL1000GW RL1000GW router interface create address prefix 172 17 203 100 24 physical interface eth2 purpose application host commit commit ok RL1000GW router interface show...

Page 45: ...1 Enable dhcp on interface eth1 to retrieve an IP from a dhcp server RL1000GW router dhcp enable physical interface eth1 router interface show VLAN Name Id IP Subnet Purpose Description N A eth1 N A N...

Page 46: ...minute month year remove task name copy logs show Commands Description Command Description Schedule manage scheduled task to copy system logs to the usb drive To mound a usb drive insert it to the ro...

Page 47: ...estination address A B C D show captured packets c number status help Commands Description Command Description Capture Start initiate Ethernet traffic capture on a selected ACE IP interface i mandator...

Page 48: ...ITIVE RESPONSE UNICAST 16 55 07 616319 IP 172 18 212 240 17500 255 255 255 255 17500 UDP length 112 16 55 07 616628 IP 172 18 212 240 17500 172 18 212 255 17500 UDP length 112 16 55 07 926503 arp who...

Page 49: ...undamental tenets of the syslog protocol and process is its simplicity The transmission of syslog messages may be started on a device without a receiver being configured or even actually physically pr...

Page 50: ...4 security authorization messages 4x8 level 5 messages generated internally by syslog 5x8 level 6 line printer subsystem 6x8 level 7 network news subsystem 7x8 level 8 UUCP subsystem 8x8 level 9 cloc...

Page 51: ...4 132 notification 5 133 informational 6 134 debugging 7 135 Message Format The following will describe the structure of syslog messages Message severity Severity S indicaror Description 0 S E Emergen...

Page 52: ...1 Example for violation type no rule configured RF _ Syslog module 3 firewall severity 3 message firewall ID 74 T 2014 05 12 11 52 43 S E SG 3500 SRC 172 18 212 50 52011 DST 172 18 212 46 2404 LEN 56...

Page 53: ...r violation type protocol type mismatch 05 12 2014 16 53 40 Local0 Alert 172 18 212 183 May 12 11 52 59 SW RLGE2FE16R firewall ID 80 T 2014 05 12 11 52 59 S A SG 3500 SRC 172 18 212 50 52011 DST 172 1...

Page 54: ...Violation description string Major Protocol Id Major protocol id value for ModBus Function Code for IEC101 104 Type Id for DNP3 Function Code Minor Protocol Id Minor protocol id value for ModBus Sub F...

Page 55: ...violation not allowed WRITE quantity Rule violation out of the allowed address range Rule violation out of the allowed FIFO addresse range Rule violation out of the allowed encapsulated interface rang...

Page 56: ...igured between dm vpn interfaces WTR stopped for MGRE IF NAME ip mask NBMA address Relevant when protection group is configured between dm vpn interfaces Failed to create dm vpn mGRE interface MGRE IF...

Page 57: ...ot present or disabled RSSI is RSSI below required threshold Threshold but primary SIM is not present or disabled Continiuty check failed attempt moving to alternative provider will be performed Annou...

Page 58: ...n slot Slot is Active Serial Card on slot Slot failure Last seen SEC Serial Station SLOT PORT Traffic is now resumed Time TIME service id SVC Serial Point SLOT PORT SVC No traffic since TIME latest Rx...

Page 59: ...r warn kernel Speed 100 Duplex 1 pause 0 May 18 19 27 48 SmartSwitch user warn kernel adjust _ link Addr 1 link 0 speed 100 o 100 dup 1 o 1 May 18 19 27 48 SmartSwitch user info kernel PHY mdio ff7240...

Page 60: ...te of discrete input channels is supported by the RL1000GW NOTE Software support for the DI channels will be available from R5 0 Interfaces Connection terminal are as shown in below figure Diagnostics...

Page 61: ...el 2 Digital outputs are dry mechanical relay contacts Maximum power to be implemented at the contacts AC Max 250v 37 5vA DC Max 220v 30 watt Above mentioned power limitations should not be exceeded M...

Page 62: ...rchy config terminal date YYYY MM DD hh mm ss hh mm ss date Commands Description Command Description Config terminal date YYYY MM DD hh mm ss hh mm ss Sets the current time and date date Show the syst...

Page 63: ...und authentication outbound authentication and change password request for the Authentication service Provides some level of protection against an active attacker TACACS is a security application that...

Page 64: ...se is supported tacacs server add This command configures the TACACS server with the parameters host retries key and specifies the IP address of one or more servers Host ipv4 address Configures the IP...

Page 65: ...list RL1000GW tacacs server add host 192 168 1 250 key Ab11 59 retries 5 timeout 50 port 49 RL1000GW tacacs server add host 172 18 212 230 key Ab11 RF 3 configure default server RL1000GW tacacs serve...

Page 66: ...the network and prevent another host from accessing the same area Flow of ACL Inspection ACL Rules An ACL has a unique identifier acl number 1001 65535 ACL may consist of a single or multiple rules E...

Page 67: ...rding to the ACG priorities until first match is found The packet will then be permitted denied with the ACL option of redirect The packet will not be further inspected by lower priority ACGs If a pac...

Page 68: ...P is not met the packet is examined by the next rule priority 80 The condition of UDP is met and the packet is permitted ACL Commands Hierarchy root ip access list extended create acl num 1001 65535 a...

Page 69: ...65535 1 65535 dst port range 1 65535 1 65535 permit icmp acl num 1001 65535 rule name priority 1 256 src ip any a b c d a b c d e dst ip any a b c d a b c d e deny icmp acl num 1001 65535 rule name p...

Page 70: ...ax Priority this field will determine the rules execution order Higher value of filter priority implies it will be executed first This value ranges between 1 and 256 Permit deny icmp acl num 1001 6553...

Page 71: ...ip access list extended permit tcp acl num 1010 priority 40 src ip any dst ip 192 168 2 101 RL1000GW ip access list extended deny tcp acl num 1010 priority 30 src ip any dst ip 192 168 1 101 RL1000GW...

Page 72: ...ial services QOS Commands Hierarchy qos mark rule create src ip A B C D E dest ip A B C D E protocol tcp udp src port 1 65535 dest port 1 65535 dscp 0 63 mark rule remove src ip A B C D E dest ip A B...

Page 73: ...the required public ip addresses to a single one Static NAT settings direct incoming WAN traffic to a particular target LAN client As the WAN stations usually will not have a route to the private LAN...

Page 74: ...ived at the PC Sessions initiated by the Server towards the PC will not be received by the PC Dynamic and Static NAT together Both the Server and the PC can initiate sessions and receive replies NAT C...

Page 75: ...the nat should traverse the original ip to Original port the original protocol destination port at the incoming packet ip header Modified port the protocol port to which the nat should traverse the or...

Page 76: ...nat static create original ip 192 168 10 11 modified ip 10 10 10 10 original port 23 modified port 23 protocol tcp 5 Set Static NAT settings directing WAN traffic targeted to 192 168 10 11 towards 10...

Page 77: ...NSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 Rule Id Original Dst IP Original Dst Port Protocol Modified Dst IP Modified Dst Port 1 192 168 10 11 23 tcp 10 10 10 10 23 2 192 1...

Page 78: ...icular network destinations which describes the state of its own links and it also sends the complete routing structure topography The advantage of shortest path first algorithms is that they result i...

Page 79: ...Network can be given as A B C D M or as a name of a preconfigured interface eth1 vlan id passive interface Suppress routing updates on an interface given as a name of a preconfigured interface eth1 v...

Page 80: ...ged all exit interface fast 0 1 switchport pvid 4 exit interface vlan 2 ip address 192 168 2 101 255 255 255 0 no shutdown exit interface vlan 4 ip address 192 168 4 101 255 255 255 0 no shutdown exit...

Page 81: ...al interface eth2 2 configure OSPF router ospf enable configure terminal router ospf router id 192 168 1 102 network 192 168 1 102 24 area 0 0 0 0 network 192 168 2 102 24 area 0 0 0 0 passive interfa...

Page 82: ...2 OSPF router routing table OSPF external routing table router ospf exit Connection closed by foreign host RL1000GW router route show Kernel IP routing table Destination Gateway Genmask Flags Metric R...

Page 83: ...pplication type Hierarchy Level Transparent Tunneling Terminal Server 101 104 Gateway Router IP Interface X X X Serial Port X X X Serial Local end point X X X Serial Remote end point required if servi...

Page 84: ...disable show show port clear counters create slot 1 port 1 2 baudrate 9600 50 368400 parity no no odd even stopbits 1 1 2 bus idle time bits 30 1000 mode of operation Serial tunnel serial tunnel term...

Page 85: ...frame connection mode udp tcp remove remote address A B C D service id 1 100 show Serial Commands Description Command Description Serial Access serial configuration hierarchy Configuration for ports...

Page 86: ...packet with 9 6kbps rate Remove Slot 1 constant Port port number 1 2 Show Local end point Create Slot 1 constant Port port number 1 2 Service id numeric value of serial service Position Master point t...

Page 87: ...the low border range value x and result in a permissible range of x to x 100 The actual port number which will be used is dependent on the service id value as such service id low border ip port Defau...

Page 88: ...aration root serial Port create port 1 Port create port 2 Commit Default State The default state of the serial ports is non configured RS 232 Port Pin Assignment Below is the pin assignment of the ser...

Page 89: ...RJ 45 and second end of female DB 9 The cable should be used when no control lines are needed Serial port at the router DB 9 female connector for end device Pinout for crossed cable CBL RJ45 DB9 NULL...

Page 90: ...485 ports are of RJ 45 type The RS 485 supported mode is 4 wires RJ45 Female Router port Direction 1 B Rx 4 GND 5 A Rx 6 B Tx 8 A Tx LED States Each serial port has a led to indicate its state Port c...

Page 91: ...omer serial device at the router serial port is encapsulated as UDP or TCP Ethernet packets by the router An IP interface is configured to route the packets over the Ethernet network The Ethernet clou...

Page 92: ...g topologies Point to point Point to multipoint point Multi Point to multipoint point Point to Point Below picture illustrates Point to point service at which the master and slave are connected locall...

Page 93: ...27 Point to multipoint point Below picture illustrates Point to multipoint service at which the master and slaves are connected locally at the same router Figure 5 P2MP local service Below picture ill...

Page 94: ...ration is set at the serial port configuration level and defines how serial data is collected Transparent Tunneling Transparent tunneling is a mode at which serial data is sent with a distinct start b...

Page 95: ...ial processor collects bytes and encapsulates the data at a UDP TCP Ethernet frame The number of bytes collected to a single Ethernet packet is determined by the following factors Allowed latency Bus...

Page 96: ...nneling connection is defined by the values of service id and the low border ip port set at the serial settings Reference drawing For ease of explanation of following terms and serial properties at th...

Page 97: ...network to router 2 and to the serial processor The serial processor transmits the data to CE2 over S1 and increases the Tx counters Allowed latency Allowed latency is the maximum time allowed for th...

Page 98: ...serial byte to CE2 Following data bytes are sent without delay Bus Idle Time This parameter determines a silence on the serial line to identify frame end The configurable value for it is given in numb...

Page 99: ...l remote end point create remote address 192 168 1 101 service id 1 position master commit Configuration router A MASTER 1 Configure the IP interface router interface create address prefix 192 168 1 1...

Page 100: ...l any Master Bytes disable any Example 2 Below network demonstrates a P2P topology of transparent serial tunneling between RLGE2FE16R and RL1000GW routers Configuration RL1000GW SLAVE 1 Configure the...

Page 101: ...rface vlan 100 ip address 192 168 1 101 255 255 255 0 no shutdown end write startup cfg 2 Configure the ACE IP interface application connect router interface create address prefix 192 168 1 201 24 vla...

Page 102: ...r to commands issued by the IEC101 master with the proper IEC101 address and sending the responses vice versa IEC101 Master The application module will act as a IEC101 master to the IEC101 server devi...

Page 103: ...INS_RL1000GW_REV 15 Jul 2016 PAGE 103 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 Unbalanced Mode Up to 32 ASDU addresses behind each IEC101 server device...

Page 104: ...sical layer Transmission speed in monitor control direction 300 38400bps Link layer Link transmission procedure Balanced transmission Unbalanced transmission Address field of the link Not present bala...

Page 105: ...e uplink traffic This application IP interface acts as the IEC104 server in the Ethernet network and represents all the IEC101 devices connected locally to the router towards the IEC104 clients Option...

Page 106: ...nfigured with mode of operation set to transparent b Configure a local service serial local end point i Create a local end point and assign the serial port ii The local end point field application mus...

Page 107: ...ooting is usually at the IEC101 connection to the locally connected RTU The IEC 104 connection between the gateway and the client SCADA is based on straightforward Ethernet connectivity which is easy...

Page 108: ...no odd even stopbits 1 2 databits 8 5 8 admin status up down show local end point create create slot 1 port 1 2 application iec101 gw service id 1 100 position slave remove slot 1 port 1 2 service id...

Page 109: ...y gen_inter n n y time_tag n n y iec101 remove slot 1 port 1 2 iec101 add_asdu remove_asdu port 1 2 asdu_addr 1 255 1 65534 link address 1 255 1 65534 iec101 add_ioa_trans remove_ioa_trans port 1 2 sr...

Page 110: ...al to the configuration at the IEC 101 server translated_cmn_addr used when a translation service required for the common address of asdu The value should be identical to the actual common address of...

Page 111: ...depending on the settings of ioa_length A value is expected as byte1 byte2 byte3 or byte1 byte2 or byte 1 Permissible value for each byte is 1 255 example for 3 bytes size IOA 5 212 151 iec104 update...

Page 112: ...tion iec101 gw 4 Configure the gateway mode of operation and choose the ACE interface to be used The IP interface must be available in advance iec101 gw config gw update mode balanced ip _ addr 192 16...

Page 113: ...168 1 101 0 n n 30 15 10 20 192 168 1 250 0 n n 30 15 10 20 IEC 101 SLOT PORT OP ST LINK ADR CMN ADR CONV CMN ADR LINK LEN CMN LEN COT LEN IOA LEN SRC IOA CONV IOA 1 1 UP 27 1 0 2 2 2 3 SLOT PORT ORI...

Page 114: ...ts A usage example console ports of remote devices to be reached via terminal server service using telnet from any PC with Ethernet link In below drawing the management station PC is a Telnet client w...

Page 115: ...e serial services the application will direct the traffic from the management station to the RTUs allowing each its own path for management Below is a second option at which the terminal servers are s...

Page 116: ...ill be encapsulated as an individual UDP TCP packet Service Connection Mode The service connection mode is set at the terminal server settings and defines the protocol option to be used for all servic...

Page 117: ...the terminal server settings Terminal Server Commands Hierarchy root serial port clear counters create slot 1 port 1 2 baudrate 9600 50 368400 databits 8 5 8 parity no no odd even stopbits 1 1 2 bus...

Page 118: ...imeout min 10 0 1440 buffer mode frame frame byte show tcp service create remote address A B C D service id 1 100 telnet port port num null cr mode off off on max tcp clients 1 1 8 remove service id 1...

Page 119: ...400 460800 921600 Parity no odd even Stopbits 1 2 Mode of operation transparent Remove Slot 1 constant Port port number 1 2 Show Local end point Create Slot 1 constant Port port number 1 2 Service id...

Page 120: ...ompleted This mode avoids fragmentation of serial messages to different tcp packets byte serial originated packets will be egressed without additional buffering at the terminal server Show display the...

Page 121: ...ield settings on off allows flexability in working with different types of terminals as PuTTY hyper terminal CRT as each handles the CR bit differently When set to On the switch will drop NULL charact...

Page 122: ...ate low border telnet tcp port 19999 buffer mode byte terminal server tcp service create service id 1 remote address 192 168 1 101 telnet port 20000 commit NOTE Make sure to use proper serial connecti...

Page 123: ...000GW terminal server tcp service show index service id telnet port dest ip null cr mode max ip clients 1 1 20000 192 168 1 101 off 1 5 Ping between the PC 192 168 1 250 and the RL1000GW 192 168 1 101...

Page 124: ...counters RL1000GW serial port show briefly slot 1 port 1 idx slot port svc mode baud data parity stop id rate bits bits 1 1 1 1 Transparent 9600 8 None 1 OctetsIn 20 OctetsOut 25 TxError 0 RxError 0 O...

Page 125: ...o listen on port 20000 terminal server admin status enable terminal server settings update low border telnet tcp port 19999 buffer mode byte terminal server tcp service create service id 1 remote addr...

Page 126: ...is set to use a ACE IP interface as its TCP traffic source Packet sent from Modbus TCP Client will carry the gateway IP interface and the Modbus RTU station ID as its target The gateway will listen to...

Page 127: ...l end point create create slot 1 port 1 4 application modbus gw service id position protocol show modbus gw show gw list connection clear show counters clear id gw id 1 5 unit id 1 255 clear port slot...

Page 128: ...tion ids behind a serial port map units on bus show show to station ids identified behind the serial port History Show Show latest reply from each unit and the time in seconds from that connection Per...

Page 129: ...al port to be used for connecting the Modbus rtu slave serial port create slot 1 port 1 serial local end point create slot 1 port 1 service id 1 protocol modbus _ rtu application modbus gw 3 assign th...

Page 130: ...show by id gw id 4 gwid 4 unit id 65535 Gw Unit Id Rx valid Rx error Tx valid Tx error 4 3 477 0 599 0 Slot Port Rx valid Rx error Tx valid Tx error 1 1 477 0 616 0 modbus gw debug map units on bus s...

Page 131: ...H SUPPORT 1 888 678 9427 Serial points slot 1 port 1 pointer 0x1007c408 modbus gw debug show server points Server points IP addr 192 168 40 10 GwId 4 Subnet mask 255 255 255 0 pointer 0x10081580 modbu...

Page 132: ...ructure Example Following setup demonstrates DNP3 gateway configuration 1 assign IP interface for the gateway router interface create address prefix 192 168 40 10 24 physical interface eth1 purpose ap...

Page 133: ...y and its integrity The RADiFlow switches support such a VPN Virtual Private Network connection using GRE tunnels RFC2 2784 over an IPSec encrypted link The IPSec tunnel can be set to use 3DES or AES...

Page 134: ...static routing and OSPF 6 Layer 3 protection 7 The hub is recommended to be connected to the network using one of its Ethernet ports A cellular uplink at the hub is not recommended as an aggregation...

Page 135: ...3 Single tunnel is allowed at the spoke 4 The hub must be connected to the network using one of its Ethernet ports 5 The spoke is recommended to be connected to the network using one of its Ethernet...

Page 136: ...u 1418 128 9600 tos inherint hex 0 255 cisco authentication tunnel destination tunnel source remove name show name nhrp map create update multipoint gre name nbma address A B C D protocol address pref...

Page 137: ...L1000GW TECH SUPPORT 1 888 678 9427 IPSec VPN Commands Hierarchy root vpn ipsec tunnel crate name address prefix A B C D M lower layer dev ppp0 eth0 eth1 vlan id eth2 vlan id remote address A B C D mt...

Page 138: ...tablished over the public network and or when security is required Authentication Header AH The IP Authentication Header AH is used to provide connectionless integrity and data origin authentication f...

Page 139: ...for subsequent ISAKMP exchanges It also indicates the authentication method and key exchange that will be performed as part of the ISAKMP protocol After the basic set of security attributes has been a...

Page 140: ...g material is typically used as a key encryption key KEK to encrypt the VPN GRE traffic This key is kept secret and never exchanged over the insecure channel The D H groups are identified by the lengt...

Page 141: ...ddress 2 Fully qualified domain name FQDN a Allowed only when Aggressive IKE mode is used Below is an example of PSK configuration 1 Detail the preshared IDs of the VPN members and specify the id of l...

Page 142: ...INS_RL1000GW_REV 15 Jul 2016 PAGE 142 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 The above configuration example will result in following show output...

Page 143: ...them Figure 9 The certificate files 1 Import the key file RL1000GW rsA signature import tftp 172 17 203 31 ipsec key RSA signature file ipsec key imported successfully 2 Import the certificate file R...

Page 144: ...INS_RL1000GW_REV 15 Jul 2016 PAGE 144 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 The above configuration example will result in following show output...

Page 145: ...he VPN network are not static for example a cellular spoke retrieving dynamic IP from the ISP over its PPP interface the Main mode of IKE is not applicable Pre shared key When used in main mode the PS...

Page 146: ...s used over a cellular link the IKE mode to be used is Aggressive The PSK may be of IP format or fqdn Settings structure Authentication method PSK X 509 Diffie Hellman key exchange group a k a OAKLY g...

Page 147: ...future The VPN GRE IPSEC sessions can negotiate new keys for every communication and if a key is compromised only the specific session it protected will be revealed The PFS uses as well the D H group...

Page 148: ...Log level log level Dead Peer Discovery delay dpd delay max failure dpd maxfail max retires dpd retry flush Security Association flush sa proto id type id type soft timer soft lifetime Phase 1 Authent...

Page 149: ...address prefix Destination address dst address prefix Source protocol port src port Destination protocol port src port Protocol protocol Preshared Keys Key key Own PSK id id Partner PSK id id Partner...

Page 150: ...p6144 pfs group none modp768 modp1024 modp1536 modp2048 modp3072 modp4096 modp6144 modp8192 dpd delay 5 0 120 dpd maxfail 5 2 20 dpd retry 5 1 20 log level error warning notify info debug debug2 my id...

Page 151: ...1000GW_REV 15 Jul 2016 PAGE 151 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 show log grep num of lines global defs policy preshared rsa signature file sa proto ah esp ipsec...

Page 152: ...used dh group Diffie Hellman key exchange Group Relates to phase 1 determines the strength of the key used in the key exchange process The higher the group number the stronger the key and security in...

Page 153: ...lt ip interface Address this option is not supported in current version fqdn the units own preshared id will be in a domain name format For example spoke radiflow com default none ike phase1 mode Inte...

Page 154: ...1 99 hard lifetime 100 rsa sig name The name set by the user for the signature Policy create Configure the policy to determine the type of traffic to encrypt src ip A B C D form Ip address of the pack...

Page 155: ...INS_RL1000GW_REV 15 Jul 2016 PAGE 155 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 IPSec defaults...

Page 156: ...connection to site The RL1000GW supports options for GPRS UMTS modem or LTE A modem provides a key solution for connectivity to remote sites The modem support dual SIM card for redundancy and backup b...

Page 157: ...1 888 678 9427 FREQUENCY BANDS LTE 2600 7 N Y FREQUENCY BANDS LTE 900 8 N Y FREQUENCY BANDS LTE 700 13 Y N FREQUENCY BANDS LTE 700 17 Y N FREQUENCY BANDS LTE 800 20 N Y FREQUENCY BANDS LTE 1900 25 Y...

Page 158: ...e spoke the important availability also when retrieving private IP from the ISP Interface Name At various applications the addressing of configuration to the cellular interface will be done using its...

Page 159: ...2 NAT VPN Application Once Holding an IP address retrieved from the ISP at its PPP interface and with a VPN configured the Spoke will initiate NHRP request for registration towards the Hub The Hub mu...

Page 160: ...ividually configured and enabled disabled Dependent on configuration and availability the status of a SIM may be one of the following at the modem Unknown SIM is either Not available at the slot Cellu...

Page 161: ...cellular wan show 2 SIM 1 is connected following the modem enable and the SIM properties configured SIM 2 is configured an in READY state cellular enable cellular wan update admin status enable apn na...

Page 162: ...the ISP a reload can be trigger to the router A configuration parameter retry threshold reload is available to be set between 0 disabled and 30 whereas values 1 30 represents the number of consecutive...

Page 163: ...rtt threshold 5000msec 1 000 20 000 interval 60sec 1 1440 request size 100bytes 64 1500 remove dest ip address ip address name show config show status modem power_down power up send command at cgsn ge...

Page 164: ...igger to a watchdog is one of these 2 conditions to be met Create update name name of the test text dest ip address ip address of a reachable routable host Format aa bb cc dd rtt threshold round trip...

Page 165: ...ttempts to establish Connected status of the cellular modem Configuration which was not committed will not be saved after the reload Settings show Show show configured interval time Wan update Sim slo...

Page 166: ...The modem has a led indicator for each SIM slot to represent the SIM cad state Modem admin state SIM admin state SIM Operation state LED disable N A N A OFF enable disable N A OFF enable Ready ON enab...

Page 167: ...000GW TECH SUPPORT 1 888 678 9427 Example for retrieving the IMEI Below is an example of retrieving the IMEI identifier of the modem RL1000GW cellular disable cellular modem power up Completed OK cell...

Page 168: ...ample of 2 SIM cards and their permissible state status cellular wan update admin status enable apn name internetg sim slot 1 operator name cellcom user name guest password guest cellular wan update a...

Page 169: ...rator can decide if any action is required Digital output channels are not supported at current version Connection terminal are as shown in below figure Technical data At digital Inputs please connect...

Page 170: ...in no shutdown shutdown set name clear show Discrete IO Channels Commands Command Description Discrete in Shutdown disable the input channels no shutdown enable the input channels Set name Set a name...

Page 171: ...he spoke and Hub will establish connection over the shared link At below examples see vlan 20 subnet 172 18 20 x 2 Both will be set with a common mGRE tunnel each holding an mGRE interfaces See 10 10...

Page 172: ...n the VPN from default vlan 1 config terminal no spanning tree vlan 1 no ports fastethernet 0 1 0 8 gigabitethernet 0 3 untagged fastethernet 0 1 0 8 exit 3 Assign the user and network vlans and set P...

Page 173: ...0 0 0 192 168 10 201 1 end commit 6 Assign ACE IP interface which will route user traffic application connect router interface create address prefix 192 168 10 201 24 vlan 10 purpose general 7 Assign...

Page 174: ...outer interface create address prefix 192 168 40 201 24 physical interface eth1 description UNI purpose general admin status enable 2 Assign IP interface towards the WAN router router interface create...

Page 175: ...mp update my id RTU1 radiflow com ipsec preshared create id HUB radiflow com key secretkey ipsec preshared create id RTU1 radiflow com key secretkey ipsec isakmp update id type fqdn ipsec policy creat...

Page 176: ...er 4 As the hub is located behind a NAT router a default gateway should be assigned at the ACE interface 172 18 212 100 5 As this is layer 3 service the users behind the spoke and hub are in different...

Page 177: ...cription UNI purpose application host admin status enable 2 Setting the cellular modem cellular settings update default route yes 3 Wan update menu SIM card configuration slot 1 cellular wan update si...

Page 178: ...the tunnel remote end router static enable configure terminal ip route 192 168 10 0 24 10 10 10 10 write memory exit exit commit 8 IPSec configuration RL1000GW ipsec isakmp update my id RTU1 radiflow...

Page 179: ...1 255 255 255 0 no shut exit ip route 0 0 0 0 0 0 0 0 192 168 10 10 1 end 2 Create an IP interface ETH 20 in the subnet of the router router interface create address prefix 172 18 212 230 24 vlan 20...

Page 180: ...10 20 router static enable configure terminal ip route 192 168 40 0 24 10 10 10 20 ip route 0 0 0 0 0 172 18 212 100 write exit exit 7 IPSec configuration RL1000GW application connect ipsec isakmp up...

Page 181: ...FE16R hub Show vlan router interface show 2 Make sure both the IP of the hub and the one of the spoke are each accessible from the internet using a PC connected to the internet send ping commands ping...

Page 182: ...00GW vpn gre nhrp map show status Tunnel Protocol Changes Oper Last Name address prefix Status change sec ago mgre1 10 10 10 10 24 1 up 1151 RL1000GW ipsec show sa 46 210 228 96 4500 80 74 102 38 4500...

Page 183: ...bc e106edb4 40103b21 95609c4a 2dcedbe5 4ac0a5d2 b6762651 A hmac md5 5719c1c7 a42a25b5 b9a3bb2a d391f8da seq 0x00000000 replay 4 flags 0x00000000 state mature created May 18 13 09 36 2014 current May 1...

Page 184: ...rial local end point create port 1 service id 1 application terminal server commit 2 Create the terminal server service terminal server admin status enable terminal server tcp service create service i...

Page 185: ...rial tunnel position master serial remote end point create remote address 192 168 40 10 service id 2 position slave exit write startup cfg Spoke 1 Create the serial port and transparent serial tunneli...

Page 186: ...according to the operator defined values Firewall Service flow In order for a protocol flow to be inspected by the firewall the following is achieved by the ComNet NMS iSIM A designated service vlan...

Page 187: ...RL1000GW variants support the firewall as an option Configuration The firewall configuration consists of two parts 1 Access lists at the ports filtering L3 L4 traffic and directing the designated SCA...

Page 188: ...104 traffic to the firewall RL1000GW ip access list extended RL1000GW ip access list extended create acl num 1101 acl name SCADA redirect fw RL1000GW ip access list extended permit tcp acl num 1101 r...

Page 189: ...acl num 1102 interface eth1 direction in priority 10 completed ok 5 Create the firewall rules file Done only with EMS 6 Download and activate the firewall rules file firewall profile import tftp remo...

Page 190: ...sabled Packets are not inspected Enabled packets are inspected and blocked in case of violation Violations are logged Simulate packets are inspected but are not blocked in case of violations Violation...

Page 191: ...INS_RL1000GW_REV 15 Jul 2016 PAGE 191 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427...

Page 192: ...RIVE DANBURY CT 06810 USA T 203 796 5300 F 203 796 5303 TECH SUPPORT 1 888 678 9427 INFO COMNET NET 8 TURNBERRY PARK ROAD GILDERSOME MORLEY LEEDS UK LS27 7LE T 44 0 113 307 6400 F 44 0 113 253 7462 IN...

Reviews:

No comments

Related manuals for reliance RL1000GW

Brand: N-Tron Pages: 101

Brand: D-Link Pages: 12

Brand: NETGEAR Pages: 2

D-NVR4108HS-4KS2/L

Brand: Dahua Pages: 33

Brand: US Robotics Pages: 180

Brand: Comelit Pages: 140

TigerSwitch 100 SMC6924VF

Brand: SMC Networks Pages: 174

Brand: Matrix Switch Corporation Pages: 60

Brand: Cabletron Systems Pages: 56

Brand: Tripp Lite Pages: 2

Brand: LOBENN Pages: 86

Brand: Cambium Networks Pages: 172

Brand: Edimax Pages: 29

Watchguard NVR-Q320

Brand: VIP Pages: 32

Brand: Vonets Pages: 9

Brand: Starbridge Networks Pages: 40

Brand: Defender wireless Pages: 5

Brand: Edimax Pages: 16

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands