manualshive.com logo in svg

Digi IX10, User Manual

The Digi IX10 is a versatile industrial router that offers reliable connectivity in harsh environments. To ensure a seamless user experience, we provide a comprehensive User Manual that can be downloaded for free from our website. Discover all the features and benefits of the Digi IX10 and enhance your industrial networking capabilities today.

Share
Download
background image

Firewall

Packet filtering

IX10 User Guide

667

See

Firewall configuration

for more information about firewall zones.

10. Click

Apply

to save the configuration and apply the change.

  Command line

1. Select the device in Remote Manager and click

Actions

>

Open Console

, or log into the IX10

local command line as a user with full Admin access rights.

Depending on your device configuration, you may be presented with an

Access selection

menu

. Type

admin

to access the Admin CLI.

2. At the command line, type

config

to enter configuration mode:

> config
(config)>

To edit the default packet filtering rule or another existing packet filtering rule:

a. Determine the index number of the appropriate packet filtering rule:

(config)> show firewall filter
0

action accept
dst_zone any
enable true
ip_version any
label Allow all outgoing traffic
protocol any
src_zone internal

1

action drop
dst_zone internal
enable true
ip_version any
label myfilter
protocol any
src_zone external

(config)>

b. Select the appropriate rule by using its index number:

(config)> firewall filter 1
(config firewall filter 1)>

To create a new packet filtering rule:

(config)> add firewall filter end
(config firewall filter 1)>

Packet filtering rules are enabled by default. To disable the rule:

(config firewall filter 1)> enable false
(config firewall filter 1)>

Summary of Contents for IX10

Page 1: ...IX10 User Guide User Guide Firmware version 22 5 ...

Page 2: ...lar PLMN network to use n Added commands for over the air OTA system firmware update to check list and update to new firmware from the Digi firmware server n Added a show dns command to the Admin CLI to display active DNS servers and their associated interface n Added a show ntp command to the Admin CLI to display the status of the NTP service n Expanded Port forwarding option to support a range o...

Page 3: ...1 Release of Digi IX10 firmware version 21 8 n Added LXC container support for running localized containers on the device n Added support for maintenance windows triggers to control when a device is available for Digi Remote Manager maintenance activity n VPN enhancements l Added support for L2TPv3 tunneling l New option to enable disable or force IPsec IKE fragmentation n Improved options for cre...

Page 4: ...m script start CLI command to run manual scripts n New Find me feature that flashes cellular related LEDs to help locate the device onsite and a new system find me command n Added datapoint upload_multiple function to digidevice python module for uploading multiple datapoints to DigiRM at once n Added clear dhcp lease command to remove all dynamic DHCP leases or certain DHCP leases based on MAC ad...

Page 5: ...t obtained n SureLink enhancments l Added new settings under cellular Surelink options to have the device reset the cellular modem if a specified number of Surelink tests fail l Added show surelink Admin CLI command n Serial port enhancements l New option to add and configure an external USB to serial adapter l Disable serial history in remote access mode by default n Support for sending analog an...

Page 6: ...option to determine how many SureLink failures are required prior to switching to the alternate SIM n New Socket ID string option to send the configured text to the remote server s when a TCP socket connection is opened to the serial port n New cat Admin CLI command for displaying file contents H June 2022 Release of Digi IX10 firmware version 22 5 n 5G enhancements l Added 5G slice support for co...

Page 7: ...essage content that the devices sends when there is no valid fix from any of the configured location sources Trademarks and copyright Digi Digi International and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide All other trademarks mentioned in this document are the property of their respective owners 2022 Digi International Inc All rights re...

Page 8: ...of reported issue Trace if possible Description of issue Steps to reproduce Contact Digi technical support Digi offers multiple technical support plans and service packages Contact us at 1 952 912 3444 or visit us at www digi com support Feedback To provide feedback on this document email your comments to techcomm digi com Include the document title and part number IX10 User Guide 90002399 H in th...

Page 9: ...IX10 LEDs 27 Power PWR 28 SIM 28 LTE 28 Signal quality indicators 29 Ethernet Link and Activity 29 Signal quality bars explained 30 IX10 power supply requirements 31 Digi IX10 serial connector pinout 31 10 pin serial cabling options 32 QR code definition 32 Hardware setup Install SIM cards 34 Apply Dielectric Grease over SIM Contacts 34 SIM removal 35 Tips for improving cellular signal strength 35...

Page 10: ...rity 53 Configure your device for Digi Remote Manager support 53 Collect device health data and set the sample interval 60 Enable event log upload to Digi Remote Manager 63 Log into Digi Remote Manager 65 Use Digi Remote Manager to view and manage your device 66 Add a device to Digi Remote Manager 66 Configure multiple IX10 devices by using Digi Remote Manager configurations 67 View Digi Remote Ma...

Page 11: ...onfigure UDP serial mode 185 Configure Modbus mode 190 Show serial status and statistics 195 Log serial port messages 195 Digi Navigator application 196 Configure RealPort from the Digi Navigator 196 Discover the IP address using the Digi Navigator 198 Install the Digi Navigator 198 Digi Navigator features 199 Connect to and access the Digi Navigator 200 Discover the IP address when connected to a...

Page 12: ...ure an OpenVPN server 312 Configure an OpenVPN Authentication Group and User 321 Configure an OpenVPN client by using an ovpn file 326 Configure an OpenVPN client without using an ovpn file 329 Configure SureLink active recovery for OpenVPN 334 Show OpenVPN server status and statistics 342 Show OpenVPN client status and statistics 343 Generic Routing Encapsulation GRE 345 Configuring a GRE tunnel ...

Page 13: ...ce as an NTP server 499 Show status and statistics of the NTP server 504 Configure a multicast route 505 Enable service discovery mDNS 508 Use the iPerf service 511 Example performance test using iPerf3 516 Configure the ping responder service 516 Example performance test using iPerf3 520 Applications Develop Python applications 523 Set up the IX10 for Python development 524 Create and test a Pyth...

Page 14: ...cal configuration 621 Configure your IX10 device to use a RADIUS server 622 LDAP 626 LDAP user configuration 627 LDAP server failover and fallback to local configuration 628 Configure your IX10 device to use an LDAP server 628 Configure serial authentication 633 Disable shell access 636 Set the idle timeout for IX10 users 638 Example user configuration 641 Example 1 Administrator user with local a...

Page 15: ... Reboot your IX10 device 712 Reboot your device immediately 712 Schedule reboots of your device 713 Erase device configuration and reset to factory defaults 715 Configure the IX10 device to use custom factory default settings 718 Locate the device by using the Find Me feature 720 Configure a power profile 721 Configuration files 725 Save configuration changes 725 Save configuration to a file 726 R...

Page 16: ...ets 791 Show captured traffic data 792 Save captured data traffic to a file 794 Download captured data to your PC 794 Clear captured data 796 Use the ping command to troubleshoot network connections 797 Ping to check internet connection 797 Stop ping commands 797 Use the traceroute command to diagnose IP routing problems 797 Digi IX10 regulatory and safety statements RF exposure statement 799 Fede...

Page 17: ...and statistics using the show command 829 show config 829 show system 830 show network 830 Device configuration using the command line interface 830 Execute configuration commands at the root Admin CLI prompt 831 Display help for the config command from the root Admin CLI prompt 831 Configuration mode 833 Enable configuration mode 833 Enter configuration commands in configuration mode 833 Save cha...

Page 18: ...unlock 854 modem reset 855 modem scan 855 modem sim slot 855 monitoring 855 monitoring metrics upload 856 more 856 mv 856 ping 856 reboot 858 rm 859 scp 860 show analyzer 860 show arp 860 show cloud 860 show config 861 show containers 861 show dhcp lease 861 show dns 861 show event 861 show hotspot 862 show ipsec 862 show l2tp lac 862 show l2tp lns 862 show l2tpeth 863 show location 863 show log 8...

Page 19: ...mware 869 system factory erase 869 system find me 870 system firmware ota check 870 system firmware ota list 870 system firmware ota update 870 system firmware update 870 system power ignition off_delay 871 system restore 871 system script start 871 system script stop 871 system serial clear 871 system serial save 872 system serial show 872 system serial start 872 system serial stop 872 system sup...

Page 20: ...nfigure CPU performance and power consumption n Added cellular APN and cellular connection duration as datapoints sent to Digi Remote Manager n Wi Fi scanner enhancements l Added support for sending an HTTP or TCP stream of results from the Wi Fi scanner to one or more remote servers n SCEP enhancements l New SCEP client settings and underlying functionality to support connecting to additional SCE...

Page 21: ...lt password assigned to the device The IX10 also includes a terminal connector for the power supply installed in the power input n Insert cards n Digi IX10 label Printed copy of the product label on the bottom of your device You can affix this label to the top or side of the device such that you can access the label after the device is mounted or store the label in a safe place for future referenc...

Page 22: ... configure cellular WWAN access at this time acquire SIM cards as needed Note the carrier network APN Access Point Name and SIM pin if any for each card Ethernet cable Smart phone or tablet Optional Use a smart phone or table to to automatically register your IX10 in your Digi Remote Manager account and connect to your cellular network See Digi IX10 Quick start Step 3 Connect 1 Insert SIM card s I...

Page 23: ...ly Dielectric Grease over SIM ContactsApply Dielectric Grease over SIM Contacts for instructions c Insert the SIM card s into the SIM sockets Insert the end of each SIM card with the chamfered corner positioned as indicated Push the SIM in until it clicks into place d After SIM cards are installed replace the SIM slot cover Apply Dielectric Grease over SIM Contacts Note Digi recommends using eithe...

Page 24: ...g for the first time it could take several minutes for the IX10 device to connect to the cellular network while it attempts to determine the APN required for the connection n Indicator LEDs blink to show status during startup n Verify that the LTE LED on the front of the IX10 shows either green or blue solid or flashing for proper operation n Verify that the signal strength indicator on the front ...

Page 25: ...onfigure the device including using a Digi RM device configuration to automatically update the device See the Digi Remote Manager User Guide 1 On the PC connected to the IX10 open a browser and go to 192 168 210 1 2 Log into the IX10 User name Use the default user name admin Password Use the unique password printed on the bottom label of the device or the printed label included in the package ...

Page 26: ...for high speed connectivity For a detailed list of IX10 hardware specifications see https www digi com products networking cellular routers industrial digi ix10 specifications IX10 accessories When accessories are purchased with the IX10 device the following are provided n Cellular antennas n Power supply n Ethernet cable n DIN rail mounting clip IX10 front and side views The following figure show...

Page 27: ...ASE button again before the device is connected to the internet to also remove generated certificates keys 3 Firmware reversion Press and hold the ERASE button and then power on the device to boot to the version of firmware that was used prior to the current version 4 Ethernet port LAN enabled by default 5 Serial port See Digi IX10 serial connector pinout for information about the serial port pin ...

Page 28: ...sent Solid green SIM1 is active Solid blue SIM 2 is active Solid red SIM failure LTE Indicates that the status of the cellular module and the ETH Ethernet port connection Solid yellow or orange Initializing or starting up Flashing yellow or orange In the process of connecting to the cellular network and to a device on its ETH port Flashing white ETH port connection established and in the process o...

Page 29: ...Signal quality indicators LEDs labeled 1 through 5 Indicate the cellular service quality level Signal bars Weighted dBm Signal strength Quality 113 to 99 0 to 23 Bad 98 to 87 24 to 42 Marginal 86 to 76 43 to 61 OK 75 to 64 62 to 80 Good 63 to 51 81 to 100 Excellent The weighted dBm measurements are negative numbers meaning values closer to zero denote a larger number For example a 85 is a better s...

Page 30: ...4G LTE algorithms For 4G LTE the IX10 device determines the RSRP SNR and RSSI values separately and uses the following algorithms to display the signal quality RSRP 85 rsrp_bars 5 95 RSRP 85 rsrp_bars 4 105 RSRP 95 rsrp_bars 3 115 RSRP 105 rsrp_bars 2 199 RSRP 115 if we re connected to the cellular network rsrp_bars 1 if not rsrp_bars 0 If RSRP 199 the device uses the RSSI as the value with the sa...

Page 31: ...the DC power source with a non Digi power supply you must use a certified LPS power supply rated at either 12 VDC 0 75 A or 24 VDC 0 375 A minimum The voltage tolerance supports 10 9 VDC to 30 VDC at 9 Watts minimum n For installations requiring protective earth grounding connect the ve terminal of the power connector to the system protective earth with a minimum 1mm2 stranded single insulated cab...

Page 32: ...gi MEI products that have 10 pin RJ45 connectors The PortServer TS Digi Connect and Digi One Products Cable Guide also provides information about additional Digi cabling options QR code definition A QR code is printed on the label attached to the device and on the loose label included in the box with the device components The QR code contains information about the device QR code items Semicolon se...

Page 33: ...Hardware setup This chapter contains the following topics Install SIM cards 34 Connect data cables 35 Mount the IX10 device 35 IX10 User Guide 33 ...

Page 34: ...trongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards See Apply Dielectric Grease over SIM ContactsApply Dielectric Grease over SIM Contacts for instructions 3 Insert the SIM card s into the SIM sockets Insert the end of each SIM card with the chamfered corner positioned as indicated Push the SIM in until it clicks into place 4 Af...

Page 35: ...each SIM in until it clicks and repeat for removal When you push to eject the SIM ejects back out about 1 8 inch Tips for improving cellular signal strength If the signal strength LEDs or the signal quality for your device indicate Poor or No service try the following things to improve signal strength n Move the device to another location n Try connecting a different set of antennas if available n...

Page 36: ...h clip The DIN rail clip is an optional accessory included when the IX10 is purchased with accessories You can attach the din rail clip directly to the device either on the back or the bottom of the device 1 Attach the DIN rail clip to the back of the device a Attach the DIN rail clip to the back of the device with the screws provided ...

Page 37: ...ice onto a DIN rail and gently press until the clip snaps into the rail 2 Attach the DIN rail clip to the bottom of the device a Attach the DIN rail clip to the bottom of the device with the screws provided WARNING Using screws longer than 5 0 mm will cause damage to the IX10 ...

Page 38: ...nto a DIN rail and gently press until the clip snaps into the rail WARNING If being installed above head height on a wall or ceiling ensure the device is fitted securely to avoid the risk of personal injury Digi recommends that this device be installed by an accredited contractor ...

Page 39: ...Review IX10 default settings 40 Change the default password for the admin user 41 Configuration methods 43 Using Digi Remote Manager 44 Using the local web interface 44 Use the local REST API to configure the IX10 device 45 Using the command line 50 IX10 User Guide 39 ...

Page 40: ... click Devices to display a list of your devices 3 Locate your device as described in Use Digi Remote Manager to view and manage your device 4 Click the Device ID 5 Click Settings 6 Click to expand Config The following tables list important factory default settings for the IX10 Default interface configuration Interface type Preconfigured interfaces Devices Default configuration Wireless Wide Area ...

Page 41: ... allows all outbound traffic n SSH and web administration l Enabled for local administration l Firewall zone Internal Monitoring n Device heath metrics uploaded to Digi Remote Manager at 60 minute interval n SNMP Disabled Serial port n Enabled n Serial mode Remote n Label None n Baud rate 9600 n Data bits 8 n Parity None n Stop bits 1 n Flow control None Change the default password for the admin u...

Page 42: ...in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Users admin 4 Enter a new password for the admin user The password must be at least eight characters long and must contain at least one ...

Page 43: ...e configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configuration methods There are two primary methods for configuring your IX10 device n Web interface The web interface can be accessed in two ways l Central management using the Digi Remote Manager a cloud based device management and data enablement platform that allows you to connect any dev...

Page 44: ...ther n As part of the getting started process See the Quick Start Guide for further information n If you have not registered your device already you can add a device to Remote Manager See Add a device to Digi Remote Manager For information about configuring central management for your IX10 device see Central management Using the local web interface To connect to the IX10 local Web UI 1 Use an Ethe...

Page 45: ...ifications to the configuration You can view the REST API specification from your web browser by opening the URL https ip address cgi bin config cgi For example https 192 168 210 1 cgi bin config cgi Use the GET method to return device configuration information To return device configuration issue the GET method For example using curl curl k u admin https ip address cgi bin config cgi value path X...

Page 46: ...alues for path are listed in the first left column 4 To determine further allowed path location values by using the question mark with the path name config service Services Additional Configuration dns DNS iperf IPerf location Location mdns Service Discovery mDNS modbus_gateway Modbus Gateway multicast Multicast ntp NTP ping Ping responder snmp SNMP ssh SSH telnet Telnet web_admin Web administrati...

Page 47: ...ig cgi keys service ssh X GET Enter host password for user admin ok true result acl custom enable key mdns port protocol Use the POST method to modify device configuration parameters and list arrays Use the POST method to modify device configuration parameters To modify configuration parameters use the POST method with the path and value parameters curl k u admin https ip address cgi bin config cg...

Page 48: ...l to instruct curl to turn off globbing The below example would add a new static route for the WAN interface for the 1 2 4 0 24 destination network curl g k u admin https 192 168 210 1 cgi bin config cgi value path network route static append true collapsed dst 1 2 4 0 24 collapsed interface network interface wan X POST Enter host password for user admin ok true result network route static 1 Use t...

Page 49: ...10 device IX10 User Guide 49 1 edge 2 ipsec 3 setup 4 external 2 Use the DELETE method to remove the external zone list item 4 curl k u admin https 192 168 210 1 cgi bin config cgi value path service ssh acl zone 4 X DELETE Enter host password for user admin ok true ...

Page 50: ... to allow access and you must log in as a user who has been configured for the appropriate access For further information about configuring access to these services see n Serial Serial port n WebUI Configure the web administration service n SSH Configure SSH access n Telnet Configure telnet access Log in to the command line interface Command line 1 Connect to the IX10 device by using a serial conn...

Page 51: ...ss for a list of commands and details Type help for details on navigating the CLI Type exit to disconnect from the Admin CLI See Command line interface for detailed instructions on using the command line interface Exit the command line interface Command line 1 At the command prompt type exit exit 2 Depending on the device configuration you may be presented with another menu for example Access sele...

Page 52: ...gure your device for Digi Remote Manager support 53 Log into Digi Remote Manager 65 Use Digi Remote Manager to view and manage your device 66 Add a device to Digi Remote Manager 66 Configure multiple IX10 devices by using Digi Remote Manager configurations 67 View Digi Remote Manager connection status 68 Learn more 68 IX10 User Guide 52 ...

Page 53: ...com n If your Digi device is configured to use a non default URL to connect to Remote Manager updating the firmware will not change your configuration However if you erase the device s configuration the Remote Manager URL will change to the default of edp12 devicecloud com n If you perform a factory reset by pressing the ERASE twice the client side certificate will be erased and you must use the R...

Page 54: ...i Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is ...

Page 55: ...ection The default is 3199 7 Optional For Retry interval type the amount of time that the IX10 device should wait before reattempting to connect to remote cloud services after being disconnected The default is 30 seconds Allowed values are any number of hours minutes or seconds and take the format number h m s For example to set Retry interval to ten minutes enter 10m or 600s 8 Optional For Keep a...

Page 56: ...s or seconds and take the format number h m s For example to set Reboot Timeout to ten minutes enter 10m or 600s The minimum value is 30 minutes and the maximum is 48 hours If not set this option is disabled The default is disabled 13 Optional Enable Locally authenticate CLI to require a login and password to authenticate the user from the remote cloud services CLI If disabled no login prompt will...

Page 57: ...url url config 6 Optional Set the amount of time that the IX10 device should wait before reattempting to connect to the remote cloud services after being disconnected The minimum value is ten seconds The default is 30 seconds config cloud drm retry_interval value where value is any number of hours minutes or seconds and takes the format number h m s For example to set the retry interval to ten min...

Page 58: ...ion to remote cloud services If the connection is down you can configure the device to restart the connection or to reboot The watchdog is enabled by default To disable config cloud drm watchdog false config 11 If watchdog is enabled a Optional Set the amount of time to wait before restarting the connection to the remote cloud services once the connection is down where value is any number of hours...

Page 59: ...ith remote cloud services by using SMS a Enable SMS messaging config cloud drm sms enable true config b Set the phone number for Digi Remote Manager config cloud drm sms destination drm_phone_number config c Optional Set the service identifier config cloud drm sms sercice_id id config 1 Optional Configure the IX10 device to communicate with remote cloud services by using an HTTP proxy server a Ena...

Page 60: ...rmation to Remote Manager at the same time the IX10 device includes a preconfigured randomization of two minutes for uploading metrics For example if Health sample interval is set to five minutes the metrics will be uploaded to Remote Manager at a random time between five and seven minutes To disable the collection of device health data or enable it if it has been disabled or to change the health ...

Page 61: ...port health metrics n All metrics are uploaded once every hour When disabled all metrics are uploaded every Health sample interval 6 Device health data upload is enabled by default To disable toggle off Enable Device Health samples upload 7 For Health sample interval select the interval between health sample uploads 8 Click Apply to save the configuration and apply the change Command line 1 Select...

Page 62: ...trics values to Digi Remote Manager that have changed health metrics were last uploaded This is useful to reduce the bandwidth used to report health metrics This is useful to reduce the bandwidth used to report health metrics Even if enabled all metrics are uploaded once every hour To disable config monitoring devicehealth only_send_deltas false config When disabled all metrics are uploaded every ...

Page 63: ...e Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Enable event log upload to Digi Remote Manager You can configure your device to upload the event log to Digi Remote Manager and configure the interval between event log uploads To enable the event log upload or dis...

Page 64: ...vent log uploads 5 For Device event log upload interval select the interval between health sample uploads 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Acc...

Page 65: ... 30 or 60 and represents the number of minutes between uploads of health sample data 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Log into Digi Remote Manager To start Digi Remote Manager 1 If you have n...

Page 66: ...xample IX10 Add a device to Digi Remote Manager You can register your device with Remote Manager as part of the getting started process See the Quick Start Guide for further information If you have not registered your device already you can add a device to Remote Manager 1 If you have not already done so connect to your Digi Remote Manager account 2 From the menu click Devices to display a list of...

Page 67: ...anager configurations Typically if you want to provision multiple IX10 routers 1 Using the IX10 local WebUI configure one IX10 router to use as the model configuration for all subsequent IX10s you need to manage 2 Register the configured IX10 device in your Remote Manager account 3 In Remote Manager create a configuration a From the Dashboard select Configurations b Click Create c Enter a Name and...

Page 68: ... device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show cloud command to view the status of your device s connection to Remote Manager show cloud Device Cloud Status Status Connec...

Page 69: ...ces These interfaces can be bridged in a Local Area Network LAN or assigned to a Wide Area Network WAN This chapter contains the following topics Wireless Wide Area Networks WWANs 70 Local Area Networks LANs 124 Show Surelink status and statistics 158 IX10 User Guide 69 ...

Page 70: ... modem is connected and has an IP address Use the SIM failover options to configure the IX10 device to automatically recover the modem in the event that it cannot obtain an IP address See Configure a Wireless Wide Area Network WWAN for details about SIM failover n The type of probe test to be performed one of l Test another interface s status Used to create a failover or coupled relationship betwe...

Page 71: ...arget is configured determine whether the interface should fail over based on the failure of one of the test targets or all of the test targets Order of precedence for SureLink actions If multiple SureLink actions such as restarting the interface and rebooting the device are enabled the following order of precedence is used 1 Restart interface 2 Switch to the alternate SIM 3 Reset the modem 4 Rebo...

Page 72: ...gain 7 Seventh Surelink failure The device will reboot To configure the IX10 device to regularly probe connections through the WWAN Web SureLink can be configured for both IPv4 and IPv6 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to v...

Page 73: ...at the Surelink test must fail before the modem is reset The default is 3 9 Switch SIM is enabled by default Click to disable n If Switch SIM is enabled for Switch SIM fail count type or select the number of times that the Surelink test must fail before the modem switches to the alternate SIM The default is 5 Note The SureLink Switch SIM option differs from the SIM failover option which is set dur...

Page 74: ...HTTPS GET request to the URL specified in Web servers The URL should take the format of http s hostname path n Test DNS servers configured for this interface Tests connectivity by sending a DNS query to the DNS servers configured for this interface n Test the interface status The interface is considered to be down based on l Down time The amount of time that the interface can be down before this t...

Page 75: ...for both IPv4 and IPv6 These instructions are for IPv4 to configure IPv6 active recovery replace ipv4 in the command line with ipv6 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admi...

Page 76: ...an ipv4 surelink where int is an integer between 1 through 5 The default is 3 SIM switching is enabled by default To disable config network interface my_wwan ipv4 surelink switch_sim false config network interface my_wwan ipv4 surelink Note The SureLink switch_sim option differs from the sim_failover option which is set during WWAN configuration sim_failover applies when the modem is unable to con...

Page 77: ...where value is one of n ping Tests connectivity by sending an ICMP echo request to a specified hostname or IP address l Specify the hostname or IP address config network interface my_wwan ipv4 surelink target 0 ping_ host host config network interface my_wwan ipv4 surelink target 0 l Optional Set the size in bytes of the ping packet config network interface my_wwan ipv4 surelink target 0 ping_ siz...

Page 78: ...onsidered to have failed config network interface my_wwan ipv4 surelink target 0 interface_timeout value config network interface my_wwan ipv4 surelink target 0 The default is 60 seconds l other Allows you to test another interface s status to create a failover or coupled relationship between interfaces config network interface my_wwan ipv4 surelink target 0 other value config network interface my...

Page 79: ... my_wwan ipv4 surelink The default is 15 minutes c If more than one test target is configured determine whether the interface should fail over based on the failure of one of the test targets or all of the test targets config network interface my_wwan ipv4 surelink success_condition value config network interface my_wwan ipv4 surelink Where value is either one or all d Set the number of probe attem...

Page 80: ...med one of l Test another interface s status Used to create a failover or coupled relationship between two interfaces Requires the name of the alternate interface the IP version to be tested and the expected status of the alternate interface either up or down l Ping Requires the hostname or IP address of the host to be pinged l DNS query You can perform a DNS query to a named DNS server or to the ...

Page 81: ...a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Create a new interface or select an existing one n To create a new interface see Configure a Wireless Wide Area Network WWAN n To edit an existing interface click to expand the appropriate interface 5 After creating or selecting the interface click IPv4 or IP...

Page 82: ...for a particular IP version l For Expected status select whether the expected status of the alternate interface is Up or Down For example if Expected status is set to Down but the alternate interface is determined to be up then this test will fail n Ping test Tests connectivity by sending an ICMP echo request to the hostname or IP address specified in Ping host You can also optionally change the n...

Page 83: ...nt of time that the device should wait for a response to a probe attempt before considering it to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Response timeout to ten minutes enter 10m or 600s The default is 15 seconds 13 Optional Repeat this procedure for IPv6 14 Click Apply to save the configuration and a...

Page 84: ...ink restart_attempts int config network interface my_wwan ipv4 surelink where int is any number greater than 0 The default is 1 6 Set the device to reboot when the interface is considered to have failed config network interface my_wwan ipv4 surelink reboot true config network interface my_wwan ipv4 surelink Note If the reboot parameter is enabled at the same time as the restart parameter the reboo...

Page 85: ...arget 0 n dns_configured Tests connectivity by sending a DNS query to the DNS servers configured for this interface n http Tests connectivity by sending an HTTP or HTTPS GET request to the specified URL l Specify the url config network interface my_wwan ipv4 surelink target 0 http_ url value config network interface my_wwan ipv4 surelink target 0 where value uses the format http s hostname path n ...

Page 86: ...ermine the alternate interface s status for a particular IP version config network interface my_wwan ipv4 surelink target 0 other_ip_version value config network interface my_wwan ipv4 surelink target 0 where value is one of any both ipv4 or ipv6 o Set the expected status of the alternate interface config network interface my_wwan ipv4 surelink target 0 other_status value config network interface ...

Page 87: ... my_wwan ipv4 surelink The default is 15 seconds 10 Optional Repeat this procedure for IPv6 11 Save the configuration and apply the change config network interface my_wwan ipv4 surelink save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Disable SureLink If your...

Page 88: ...ick Network Interfaces 4 Select the appropriate WAN or WWAN on which SureLink should be disabled 5 After selecting the WAN or WWAN click IPv4 SureLink 6 Toggle off Enable to disable SureLink 7 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin ...

Page 89: ...I Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Disable DNS lookup Alternatively you can disable DNS lookup or other internet activity for device that use a private APN with no Internet access or that have restricted wired WAN connections that do not allow DNS resolution while retaining the SureLink interface test ...

Page 90: ...figuration window is displayed 3 Click Network Interfaces 4 Select the appropriate WAN or WWAN on which SureLink should be disabled 5 After selecting the WAN or WWAN click IPv4 SureLink 6 Click to expand Test targets 7 Click to expand the second test target This test target has its Test type set to Test DNS servers configured for this interface ...

Page 91: ... node in the configuration schema For example to disable SureLink for an interface named my_wan config network interface my_wan config network interface my_wan 4 Determine the index number of the target config network interface my_wan show ipv4 surelink target 0 interface_down_time 600s interface_timeout 120s test interface_up 1 test dns_configured config network interface my_wan 5 Delete the targ...

Page 92: ...default n Configure the criteria used to determine which modem this modem configuration applies to n Determine the SIM slot that will be used when connecting to the cellular network n Configure the maximum number of interfaces that can use the modem n Enable carrier switching which allows the modem to automatically match the carrier for the active SIM Carrier switching is enabled by default n Conf...

Page 93: ...criteria used to determine if this modem configuration applies to the currently attached modem n Any modem Applies this configuration to any modem that is attached n IMEI Applies this configuration only to a modem that matches the identified IMEI l If IMEI is selected for Match IMEI type the IMEI of the modem that this configuration should be applied to n Port Applies this configuration to a modem...

Page 94: ...e the best available technology The default is All technologies 11 For Antennas select whether the modem should use the main antenna the auxiliary antenna or both the main and auxiliary antennas 12 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full A...

Page 95: ...em sim_slot value config where value is one of the following n any Uses either SIM slot n 1 Uses the first SIM slot n 2 Uses the second SIM slot The default is any 6 If sim_slot is set to any set the SIM slot that should be considered the preferred slot for this modem config network modem modem sim_slot_preference value config where value is one of the following n none Does not consider either SIM...

Page 96: ...value config Available options for value vary depending on the modem type To determine available options config network modem modem access_tech Access technology The cellular network technology that the modem may use Format 2G 3G 4G 4GM 4GT all Default value all Current value all config The default is all which uses the best available technology 10 Set whether the modem should use the main antenna...

Page 97: ...cessfully connected it will remember the correct APN As a result it is generally not necessary to configure APNs However you can configure the system to use a specified APN To configure the APN Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote ...

Page 98: ...s the Challenge Handshake Authentication Profile CHAP to authenticate n PAP Uses the Password Authentication Profile PAP to authenticate If Automatic CHAP or PAP is selected enter the Username and Password required to authenticate The default is None 7 To add additional APNs for Add APN click and repeat the preceding instructions 8 Optional To configure the device to bypass its preconfigured APN l...

Page 99: ...ork interface modem modem apn 0 ip_version version config where version is one of the following n auto Requests both IPv4 and IPv6 address n ipv4 Requests only an IPv4 address n ipv6 Requests only an IPv6 address The default is auto 6 Optional Set the authentication method config network interface modem modem apn 0 auth method config where method is one of the following n none No authentication is...

Page 100: ...detailed status and statistics for a specific modem Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click Status 3 Under Connections click Modems The modem status window is displayed Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device config...

Page 101: ...k passing IPv4 address 189 232 229 47 IPv4 gateway 189 232 229 1 IPv4 MTU 1500 IPv4 DNS server s 245 144 162 207 245 144 162 208 IPv6 surelink passing IPv6 address 11f6 4680 0d67 59d2 552b 3429 81a8 f1ea IPv6 gateway ff50 d95d 7e98 abe8 3030 9138 4f25 f51b IPv6 MTU 1500 TX bytes 127941 RX bytes 61026 Uptime 10 hrs 56 mins 39360s SIM SIM Slot 1 SIM Status ready IMSI 61582122197895 ICCID 26587628655...

Page 102: ...uk unlock puk_code new_pin modem_name For example to unlock a SIM card in the modem named modem with PUK code 12345678 and set the new SIM PIN to 1234 modem puk unlock 12345678 1234 modem 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Note If the SIM remains in a locked state after ...

Page 103: ...ending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type modem at interactive and press Enter Type n if you do not want exclusive access This allows you to send AT commands to the device while still allowing the device to connect disconnect and or reconnect to the cellular network 3 At the Admin CLI pro...

Page 104: ...ellular modem and SIM card and allows for configurations such as n Segregating public and private traffic including policy based routes to ensure that your internal network traffic always goes through the private connection n Separation of untrusted Internet traffic from trusted internal network traffic n Secure connection to internal customer network without using a VPN n Separate billing structu...

Page 105: ...he Configuration window is displayed 3 Increase the maximum number of interfaces allowed for the modem a Click Network Modems Modem b For Maximum number of interfaces type 2 4 Create the WWAN interfaces In this example we will create two interfaces named WWAN_Public and WWAN_Private a Click Network Interfaces b For Add Interface type WWAN_Public and click c For Interface type select Modem ...

Page 106: ...red the IX10 will attempt to determine the APN i Click to expand APN list APN ii For APN type the public APN for your cellular carrier g For Add Interface type WWAN_Private and click h For Interface type select Modem i For Zone select External j For Device select Modem This should be the same modem selected for the WWAN_Public WWAN k Enable APN list only l Click to expand APN list APN ...

Page 107: ...2 168 2 101 through the private APN a Click Network Routes Policy based routing b Click the to add a new route policy c For Label enter Route through private APN d For Interface select Interface WWAN_Private e Configure the source address i Click to expand Source address ii For Type select IPv4 address iii For Address type 192 168 2 101 f Configure the destination address i Click to expand Destina...

Page 108: ... configuration mode config config 3 Set the maximum number of interfaces for the modem config network modem modem max_intfs 2 config 4 Create the WWAN interfaces a Create the WWANPublic interface config add network interface WWANPublic config network interface WWANPublic b Set the interface type to modem config network interface WWANPublic type modem config network interface WWANPublic c Set the m...

Page 109: ...true config network interface WWANPrivate j Set the private APN config network interface WWANPublic modem apn private_apn config network interface WWANPublic 5 Create the routing policies For example to route all traffic from a device with the IP address of 192 168 2 101 through the private APN a Add a new routing policy config add network route policy end config network route policy 0 b Set the l...

Page 110: ...exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a Wireless Wide Area Network WWAN Configuring a Wireless Wide Area Network WWAN involves configuring the following items Required configuration items n The interface type Modem n The firewall zone External n The cellular modem that i...

Page 111: ...anagement priority of the WAN The active interface with the highest management priority will have its address reported as the preferred contact address for central management and direct device access l The IPv6 Maximum Transmission Unit MTU of the WAN l When to use DNS always never or only when this interface is the primary default route l SureLink active recovery configuration See Configure SureL...

Page 112: ...lick n To edit an existing WWAN click to expand the WWAN New WWANs are enabled by default To disable toggle off Enable 5 For Interface type select Modem 6 The WWAN is enabled by default To disable toggle off Enable 7 Interface type defaults to Modem 8 For Zone select External 9 For Device select the cellular modem 10 For Match SIM by select a SIM matching criteria to determine when this WWAN shoul...

Page 113: ...omatic The carrier is manually configured If the configured network is not available automatic carrier selection is used If Manual or Manual Automatic is selected a For Network PLMN ID type the PLMN ID for the cellular network b For Network technology select the technology that should be used The default is All technologies which means that the best available technology will be used Note If Manual...

Page 114: ...t the MTU d For Use DNS n Always DNS will always be used for this WWAN when multiple interfaces have the same DNS server the interface with the lowest metric will be used for DNS requests n When primary default route Only use the DNS servers provided for this WWAN when the WWAN is the primary route n Never Never use DNS servers for this WWAN The default setting is When primary default route 19 Opt...

Page 115: ... Set the appropriate firewall zone config network interface my_wwan zone zone config network interface my_wwan See Firewall configuration for further information 5 Select a cellular modem a Enter modem device to view available modems and the proper syntax config network interface my_wwan modem device Device The modem used by this network interface Format modem Current value config network interfac...

Page 116: ...an n iccid Set the unique SIM card ICCID that must be in active for this WWAN to be used config network interface my_wwan modem iccid ICCID config network interface my_wwan n imsi Set the International Mobile Subscriber Identity IMSI that must be in active for this WWAN to be used config network interface my_wwan modem imsi IMSI config network interface my_wwan n plmn_id Set the PLMN id that must ...

Page 117: ...lue is one of n automatic The cellular carrier is selected automatically by the device n manual The cellular carrier must be manually configured If the configured network is not available no cellular connection will be established n manual_automatic The carrier is manually configured If the configured network is not available automatic carrier selection is used If manual or manual_automatic is set...

Page 118: ...erface my_wwan modem sim_failover_alt value config network interface my_wwan where value is one of n none The device will perform no alternative action if automatic SIM switching is unavailable n reset The device will reset the modem if automatic SIM switching is unavailable n reboot The device will reboot if automatic SIM switching is unavailable 12 The IX10 device uses a preconfigured list of Ac...

Page 119: ...this WWAN when the WWAN is the primary route The default setting is primary 15 Optional IPv6 configuration items a IPv6 support is enabled by default To disable config network interface my_wwan ipv4 enable false config network interface my_wwan b Set the MTU config network interface my_wwan ipv4 mtu num config network interface my_wwan c Configure when the WWAN s DNS servers will be used config ne...

Page 120: ...ss defaultip IPv4 up 192 168 210 1 24 defaultlinklocal IPv4 up 169 254 100 100 16 eth1 IPv4 up 10 10 10 10 24 eth1 IPv6 up fe00 2404 240 f4ff fe80 120 64 eth IPv4 up 192 168 2 1 24 eth IPv6 up fd00 2704 1 48 loopback IPv4 up 127 0 0 1 8 modem IPv4 up 10 200 1 101 30 modem IPv6 down 3 Additional information can be displayed by using the show network verbose command show network verbose Interface Pr...

Page 121: ...IPv6 Status up IPv6 Type dhcpv6 IPv6 Address es fe00 2404 240 f4ff fe80 120 64 IPv6 Gateway ff80 234 f3ff ff0e 4320 IPv6 MTU 1500 IPv6 Metric 1 IPv6 Weight 10 IPv6 DNS Server s fd00 244 1 fe80 234 f3f4 fe0e 4320 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a WWAN Follow thi...

Page 122: ...con next to the name of the WAN or WWAN to be deleted and select Delete 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to a...

Page 123: ... del network interface my_wwan 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 124: ... Ethernet Loopback n Firewall zone Loopback n IP address 127 0 0 1 8 n Default IP n Ethernet ETH n Firewall zone Setup n IP address 192 168 210 1 24 n Default Link local IP n Ethernet ETH n Firewall zone Setup n IP address 169 254 100 100 16 You can modify configuration settings for ETH and you can create new LANs This section contains the following topics About Local Area Networks LANs 125 Config...

Page 125: ...nd uses the IP subnet of 192 168 2 0 24 If the WAN ETH1 Ethernet device is being used by a WAN with the same IP subnet you should change the default IP address and subnet of LAN1 Additional configuration items n Additional IPv4 configuration l The metric for IPv4 routes associated with the LAN l The relative weight for IPv4 routes associated with the LAN l The IPv4 management priority of the LAN T...

Page 126: ...ylist and allowlist To create a new LAN or edit an existing LAN Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click ...

Page 127: ...it does not function as an 802 1x supplicant a Click to expand Authentication b Click Enable server to enable the 802 1x authenticator on the IX10 device c Type the Server IP address of the authentication server d Server Port number defaults to 1812 Type a new port number for the authentication server if different than the default e Type the Server Password for the authentication server f Set the ...

Page 128: ...he assigned length Leave blank to use a random identifier f Set the MTU 12 Optional Click to expand MAC address denylist Incoming packets will be dropped from any devices whose MAC addresses is included in the MAC address denylist a Click to expand MAC address denylist b For Add MAC address click c Type the MAC address 13 Optional Click to expand MAC address allowlist If allowlist entries are spec...

Page 129: ...ork device used by this network interface Format network device eth network device loopback Current value config network interface my_lan device b Set the device for the LAN config network interface my_lan device device config network interface my_lan 6 Configure IPv4 settings n IPv4 support is enabled by default To disable config network interface my_lan ipv4 enable false config network interface...

Page 130: ...port config network interface my_lan ipv6 enable true config network interface my_lan b Set the IPv6 type to DHCP config network interface my_lan ipv6 type dhcpv6 config network interface my_lan c Generally the default settings for IPv6 support are sufficient You can view the default IPv6 settings by using the question mark config network interface my_lan ipv6 IPv6 Parameters Current Value enable ...

Page 131: ... interface my_lan 802_1x authentication enable true config network interface my_lan b Set the IP address of the authentication server config network interface my_lan 802_1x authentication ip IPv4_ address config network interface my_lan c Set the password for the authentication server config network interface my_lan 802_1x authentication password password config network interface my_lan d The auth...

Page 132: ...9 Optional Configure the MAC address deny list Incoming packets will be dropped from any devices whose MAC addresses is included in the MAC address denylist a Add a MAC address to the denylist config network interface my_lan add mac_denylist end mac_address config network interface my_lan where mac_address is a hyphen separated MAC address for example 32 A6 84 2E 81 58 b Repeat for each additional...

Page 133: ...the LAN subnet To change the LAN subnet Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configurati...

Page 134: ...an alternate private IP config network interface lan ipv4 address IPv4_address netmask config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Change the LAN address type By default the LAN interface uses a ...

Page 135: ...IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt set the LAN to use a DHCP address config network interface lan ipv4 type dhcp 4 Save the configuration and apply...

Page 136: ...faultip IPv4 up 192 168 210 1 24 defaultlinklocal IPv4 up 169 254 100 100 16 eth1 IPv4 up 10 10 10 10 24 eth1 IPv6 up fe00 2404 240 f4ff fe80 120 64 eth IPv4 up 192 168 2 1 24 eth IPv6 up fd00 2704 1 48 loopback IPv4 up 127 0 0 1 8 modem IPv4 up 10 200 1 101 30 modem IPv6 down 3 Additional information can be displayed by using the show network verbose command show network verbose Interface Proto S...

Page 137: ...c 5 IPv4 Weight 10 IPv4 DNS Server s IPv6 Status up IPv6 Type prefix IPv6 Address es fd00 2704 1 48 IPv6 Gateway IPv6 MTU 1500 IPv6 Metric 5 IPv6 Weight 10 IPv6 DNS Server s 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a LAN Follow this procedure to delete any LANs that hav...

Page 138: ...he name of the LAN to be deleted and select Delete 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2...

Page 139: ... time automatically n A DHCP relay server which forwards DHCP requests from clients to a DHCP server that is running on a separate device Configure a DHCP server Note These instructions assume you are configuring the device to use its local DHCP server For instructions about configuring the device to use a DHCP relay server see Configure DHCP relay Required configuration items n Enable the DHCP se...

Page 140: ... Configuration window is displayed 3 Click Network Interfaces 4 Click to expand an existing LAN or create a new LAN See Configure a LAN 5 Click to expand IPv4 DHCP server 6 Enable the DHCP server 7 Optional For Lease time type the amount of time that a DHCP lease is valid Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Le...

Page 141: ...x type the domain name that should be appended to host names e For Primary and Secondary DNS Primary and Secondary NTP server and Primary and Secondary WINS server select either n None No server is broadcast n Automatic Broadcasts the IX10 device s server n Custom Allows you to identify the IP address of the server f For Bootfile name type the relative path and file name of the bootfile on the TFT...

Page 142: ...ainder of the IP address will be based on the LAN s static IP address as defined in the address parameter config network interface my_lan ipv4 dhcp_server lease_start num config Allowed values are between 1 and 254 and the default is 100 6 Optional Set the highest IP address that the DHCP server will assign to a client config network interface my_lan ipv4 dhcp_server lease_end num config Allowed v...

Page 143: ...dress or host name of the primary and secondary DNS the primary and secondary NTP server and the primary and secondary WINS servers config network interface my_lan ipv4 dhcp_server advanced primary_ dns value config network interface my_lan ipv4 dhcp_server advanced secondary_dns value config network interface my_lan ipv4 dhcp_server advanced primary_ ntp value config network interface my_lan ipv4...

Page 144: ...tic_lease 0 save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Map static IP addresses to hosts You can configure the DHCP server to assign static IP addresses to specific hosts Required configuration items n IP address that will be mapped to the device n MAC a...

Page 145: ... for the static lease Note The IP address here should be outside of the DHCP server s configured lease range See Configure a DHCP server for further information about the lease range 9 Optional For Hostname type a label for the static lease This does not have to be the device s actual hostname 10 Repeat for each additional DHCP static lease 11 Click Apply to save the configuration and apply the ch...

Page 146: ... 5 Set the IP address for the static lease config network interface my_lan ipv4 dhcp_server advanced static_lease 0 ip 10 01 01 10 network interface my_lan ipv4 dhcp_server advanced static_lease 0 Note The IP address here should be outside of the DHCP server s configured lease range See Configure a DHCP server for further information about the lease range 6 Optional Set a label for this static lea...

Page 147: ...e config config 3 Show the static lease configuration For example to show the static leases for a lan named my_lan config show network interface my_lan ipv4 dhcp_server advanced static_ lease 0 ip 192 168 2 10 mac BF C3 46 24 0E D9 no name 1 ip 192 168 2 11 mac E3 C1 1F 65 C3 0E no name config 4 Type cancel to exit configuration mode config cancel 5 Type exit to exit the Admin CLI Depending on you...

Page 148: ...g LAN 5 Click to expand IPv4 DHCP server Advanced settings Static leases 6 Click the menu icon next to the name of the static lease to be deleted and select Delete 7 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on ...

Page 149: ...he change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure DHCP options You can configure DHCP servers running on your IX10 device to send certain specified DHCP options to DHCP clients You can also set the user class which enables you to spec...

Page 150: ... Network Interfaces 4 Click to expand an existing LAN or create a new LAN See Configure a LAN 5 Click to expand IPv4 DHCP server Advanced settings Custom DHCP option 6 For Add Custom option click Custom options are enabled by default To disable toggle off Enable 7 For Option number type the DHCP option number 8 For Value type the value of the DHCP option 9 Optional For Label type a label for the c...

Page 151: ...e Configure a LAN for information about creating a LAN 4 Custom options are enabled by default To disable config network interface my_lan ipv4 dhcp_server advanced custom_option 0 enable false config network interface my_lan ipv4 dhcp_server advanced custom_option 0 5 Set the option number for the DHCP option config network interface my_lan ipv4 dhcp_server advanced custom_option 0 option 210 conf...

Page 152: ...e configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure DHCP relay DHCP relay allows a router to forward DHCP requests from one LAN to a separate DHCP server typically connected to a different LAN For the IX10 device DHCP relay is configured by providing the IP address of a DHCP relay server rather than an IP address range If both the DH...

Page 153: ...w and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click to expand an existing LAN or create a new LAN See Configure a LAN 5 Disable the DHCP server if it is enabled a Click to expand IPv4 DHCP server b Click Enabl...

Page 154: ...e Configure a LAN for information about creating a LAN 4 Set the IP address of the DHCP relay server config network interface my_lan ipv4 dhcp_relay 0 address 10 10 10 10 config network interface my_lan ipv4 dhcp_relay 0 5 Optional Add additional DHCP relay servers a Move back one step in the configuration schema by typing two periods config network interface my_lan ipv4 dhcp_relay 0 config networ...

Page 155: ...tworking click DHCP Leases Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Enter the show dhcp lease command at the Admn CLI prompt show dhcp lease IP Address ...

Page 156: ... on the LAN Required configuration items n Device to be assigned to the VLAN n The VLAN ID The TCP header uses the VLAN ID to identify the destination VLAN for the packet To create a VLAN Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manage...

Page 157: ...cal command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the VLAN config add network vlan name config 4 Set the device to be used by the VLAN a View a list of available devices config network v...

Page 158: ...penVPN clients Surelink status is only available from the Admin CLI Command line Show Surelink status for all interfaces To show the Surelink status all interfaces use the show surelink interface all command 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you ...

Page 159: ...e name eth1 Interface Test Proto Last Response Status eth1 Interface is up IPv4 32 seconds Passing eth1 Interface s DNS servers DNS IPv4 28 seconds Passingsing 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show Surelink status for all IPsec tunnels To show the Surelink status all I...

Page 160: ... IPsec Test Last Response Status test 194 43 79 74 Ping 29 seconds Passed test 194 43 79 75 Ping 5 seconds Passed 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show Surelink status for all OpenVPN clients To show the Surelink status all OpenVPN clients use the show surelink openvpn...

Page 161: ... into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show surelink openvpn client name command to show the Surelink status of a specific OpenVPN client for example show surelink openvpn client test_client1 OpenVPN Client Test Last Response Stat...

Page 162: ...orts n Application Provides access to the serial device from Python applications n RealPort Used in conjunction with the Digi RealPort driver RealPort can also be configured using the Digi Navigator For more information about configuring RealPort see Digi Navigator application n UDP serial Provides access to the serial port using UDP n Modbus Allows the device to function as a Modbus protocol gate...

Page 163: ...age is displayed Note You can also configure the serial port by using Device Configuration Serial Changes made by using either Device Configuration or Serial Configuration will be reflected in both 3 Click the name of the port that you want to configure The serial port is enabled by default To disable toggle off Enable 4 For Mode select Login This is the default 5 Optional For Label enter a label ...

Page 164: ... which you want to connect The default is 1 e Flow control For Flow control select the type of flow control used by the device to which you want to connect The default is None 8 Click Apply to save the configuration and apply the change The Apply button is located at the top of the WebUI page You may need to scroll to the top of the page to locate it Command line 1 Select the device in Remote Mana...

Page 165: ...e to which you want to connect config path parambaudrate rate config 8 Set the number of data bits used by the device to which you want to connect config path paramdatabits bits config 9 Set the type of parity used by the device to which you want to connect config path paramparity parity config Allowed values are n even n odd n none The default is none 10 Set the stop bits used by the device to wh...

Page 166: ...match the serial configuration of the device to which you want to connect Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click System Under Configuration click Serial Configuration The Serial Configuration page is displayed Note You can also configure the serial port by using Device Configuration Serial Changes made by using either Device Configuration or Serial Configurat...

Page 167: ...evice to which you want to connect The default is 1 e Flow control For Flow control select the type of flow control used by the device to which you want to connect The default is None 8 Click Enable to enable the data framing feature 9 For Maximum Frame Count enter the maximum size of the packet The default is 1024 10 For Idle Time enter the length of time the device should wait before sending the...

Page 168: ...ut from the serial port that are written to buffer These bytes are redisplayed when a user connects to the serial port The default is 4000 bytes d For Idle timeout type the amount of time to wait before disconnecting due to user inactivity 16 Expand Monitor Settings a Enable CTS to monitor CTS Clear to Send changes on this port b Enable DCD to monitor DCD Data Carrier Detect changes on this port 1...

Page 169: ...e default is rs 232 6 Optional Set a label that will be used when referring to this port config path paramlabel label config 7 Set the baud rate used by the device to which you want to connect config path parambaudrate rate config 8 Set the number of data bits used by the device to which you want to connect config path paramdatabits bits config 9 Set the type of parity used by the device to which ...

Page 170: ...e config c Set the number of bytes of output from the serial port that are written to buffer These bytes are redisplayed when a user connects to the serial port config path paramhistory bytes config The default is 4000 bytes d Set the amount of time to wait before disconnecting due to user inactivity config path paramidle_timeout value config where value is any number of weeks days hours minutes o...

Page 171: ...Configure Application mode Application mode provides access to the serial device from Python applications To change the configuration to match the serial configuration of the device to which you want to connect Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click System Under Configuration click Serial Configuration The Serial Configuration page is displayed Note You can a...

Page 172: ...on and apply the change The Apply button is located at the top of the WebUI page You may need to scroll to the top of the page to locate it Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type adm...

Page 173: ...resented with an Access selection menu Type quit to disconnect from the device Configure PPP dial in mode PPP dial in allows the device to answer Point to Point Protocol PPP connections over serial ports To change the configuration to match the serial configuration of the device to which you want to connect Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin a...

Page 174: ...600 7 For Flow control select the type of flow control used by the device to which you want to connect The default is None 8 For Idle timeout type the amount of time that the active session can be idle before the session is disconnected Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Idle timeout to ten minutes enter 10m ...

Page 175: ...lick Override to override the default PPP configuration and only use the custom configuration file If Override is not enabled the custom PPP configuration file is used in addition to the default configuration d For Configuration file paste or type the configuration data in the format of a pppd options file 16 Optional Configure a script that will be run to prepare the link before PPP negotiations ...

Page 176: ... Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 The serial port is enabled by default To disable config serial port1 enable f...

Page 177: ... to ten minutes enter either 10m or 600s config serial port1 idle_timeout 600s config 9 Set the local IP address assigned to this interface config serial port1 ppp_dialin local_address IPv4_address config 10 Set the IP address assigned to the remote peer config serial port1 ppp_dialin remote_address IPv4_address config 11 Set the authentication method used to authenticate the remote peer config se...

Page 178: ...raffic on this interface a Use the to determine available zones config serial port1 ppp_dialin zone Zone The firewall zone assigned to this interface This can be used by packet filtering rules and access control lists to restrict network traffic on this interface Format any dynamic_routes edge external internal ipsec loopback setup Default value internal Current value internal config b Set the zon...

Page 179: ...Set the name of the script config serial port1 ppp_dialin connect script filename config Scripts are located in the etc config serial directory An example script windows_dun sh is provided Example windows_dun sh file bin sh Example connect script for connecting from a PC using a Windows dial up networking connection with built in standard 33600 bps modem driver and phone number 123 The shell s rea...

Page 180: ...ocess refer to the Get started Install RealPort for LINUX in the RealPort Installation User s Guide Step 2 Configure the serial ports for RealPort mode You should perform this process on each of the serial ports on the device See Configure the serial port for RealPort mode Step 3 Configure the RealPort service To complete RealPort configuration on the IX10 you must enable and configure the RealPor...

Page 181: ...ngly recommended To implement Encrypted RealPort 1 Follow the standard Windows process to access the Device Manager from your computer s operating system 2 Select Multi port Serial Adapters 3 Right click on your device Click the Properties menu option The Properties dialog appears 4 Click the Advanced tab 5 Click Properties The Advanced Properties dialog appears 6 Click the Security tab 7 Select t...

Page 182: ...onfiguration to match the serial configuration of the device to which you want to connect Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click System Under Configuration click Serial Configuration The Serial Configuration page is displayed Note You can also configure the serial port by using Device Configuration Serial Changes made by using either Device Configuration or S...

Page 183: ... page You may need to scroll to the top of the page to locate it Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter confi...

Page 184: ...ce After you have configured RealPort mode on the IX10 you must enable and configure the RealPort service When this step is complete all of the serial ports on the IX10 are configured to use the RealPort service Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click System Configuration Device Configuration 3 Expand Services 4 Expand RealPort 5 Click Enable to enable the Rea...

Page 185: ...h you want to connect Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click System Under Configuration click Serial Configuration The Serial Configuration page is displayed Note You can also configure the serial port by using Device Configuration Serial Changes made by using either Device Configuration or Serial Configuration will be reflected in both 3 Click to expand the ...

Page 186: ...to connect d For Stop bits select the number of stop bits used by the device to which you want to connect e For Flow control select the type of flow control used by the device to which you want to connect 8 Expand Data Framing Settings a Click Enable to enable the data framing feature b For Maximum Frame Count enter the maximum size of the packet The default is 1024 c For Idle Time enter the lengt...

Page 187: ...h data was received To add a destination i Click Add Destination A destination row is added ii Optional For Description enter a description of the destination iii For Hostname enter the host name or IP address of the remote site to which data should be sent iv For Port enter the port number of the remote site to which data should be sent 10 Click Apply to save the configuration and apply the chang...

Page 188: ... l Enable termination if you want to enable electrical termination on this serial port config serial port1 termination true config The default is rs 232 6 Optional Set a label that will be used when referring to this port config serial port1 label label config 7 Set the baud rate used by the device to which you want to connect config serial port1 label baudrate rate config 8 Set the number of data...

Page 189: ...et config serial port1 framing max_count int config The default is 1024 14 Set the length of time the device should wait before sending the packet config serial port1 framing idle_time value config where value is in milliseconds ms or seconds s The maximum value is 60s 15 Set the end pattern The packet is sent when this pattern is received from the serial port config serial port1 framing end_patte...

Page 190: ...l port1 udp destination 0 iii Set the host name or IP address of the remote site to which data should be sent config serial port1 udp destination 0 hostname hostanme or IP address config serial port1 udp destination 0 iv Set the port number of the remote site to which data should be sent config serial port1 udp destination 0 port port config serial port1 udp destination 0 20 Save the configuration...

Page 191: ...l that will be used when referring to this port 6 For Signalling select the electrical signaling interface type used on this serial port n RS 232 n RS 485 l Enable Termination if you want to enable electrical termination on this serial port The default is RS 232 7 Expand Serial Settings The entries in the following fields must match the information for the power controller Refer to your power cont...

Page 192: ...you want to connect config path paramdatabits bits config 3 Set the type of parity used by the device to which you want to connect config path paramparity parity config Allowed values are n even n odd n none The default is none 4 Set the stop bits used by the device to which you want to connect config path paramstopbits bits config 5 Set the type of flow control used by the device to which you wan...

Page 193: ...le false config 4 Set the mode config serial port1 mode modbus config 5 Set the signaling interface type used on this serial port n rs 232 n rs 485 l Enable termination if you want to enable electrical termination on this serial port config serial port1 termination true config The default is rs 232 6 Optional Set a label that will be used when referring to this port config path paramlabel label co...

Page 194: ...ne 1 Set the baud rate used by the device to which you want to connect config path parambaudrate rate config 2 Set the number of data bits used by the device to which you want to connect config path paramdatabits bits config 3 Set the type of parity used by the device to which you want to connect config path paramparity parity config Allowed values are n even n odd n none The default is none 4 Set...

Page 195: ...ss rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show serial command show serial Label Port Enable Mode Baudrate Serial 1 port1 true login 9600 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the dev...

Page 196: ...i Navigator features n Discover the IP address when connected to a network n Discover the IP address when not on a network n Manage the RealPort device list n Access the web UI from the Digi Navigator n Filter devices for display in the Digi Navigator n Access Digi Remote Manager from the Digi Navigator Configure RealPort from the Digi Navigator You can configure the IX10 to communicate with your ...

Page 197: ...default user name is admin and the default password is the unique password printed on the label packaged with your device c Click Submit A progress message displays d When RealPort configuration is complete the Success message displays e Click Close to close the message 6 Configure RealPort on your computer a Click Configure this PC for RealPort b From the Select starting COM list box select the f...

Page 198: ...Digi Navigator to quickly discover the IP address for the IX10 Make sure you have the device powered and connected the device to your network or computer with an Ethernet cable See Connect to and access the Digi Navigator 1 Download and install the Digi Navigator 2 Launch the Digi Navigator 3 The tool discovers the IX10 devices that are powered on and connected to your network When the process is ...

Page 199: ... b The Microsoft Visual C installation screen closes automatically when installation is complete 5 Click Finish to complete installation of the Digi Navigator Digi Navigator features All features of the Digi Navigator are available from the main application screen Section Description Green toolbar From the toolbar at the top of the screen you can apply filters and access Digi Remote Manager Filter...

Page 200: ...address when connected to a network To discover the IP address for a IX10 device connected to your network the Digi Navigator uses the HTTPS service by default Other services can be used if needed 1 Make sure your device is connected to the network and the Digi Navigator is installed 2 Launch the Digi Navigator 3 Click Filters from the green toolbar to expand the toolbar and display the filter opt...

Page 201: ...ar and hide the filters Manage the RealPort device list After you have enabled and configured RealPort on at least one IX10 device a list of configured devices displays at the bottom of the Digi Navigator application screen Using the available buttons you can refresh the list and easily access the COM port configuration on your computer Refresh Click Refresh to update the list of IX10 devices that...

Page 202: ...ress you want to use The login screen for the web UI launches a Enter the user name and password for the IX10 in the Username and Password fields b Click Login Filter devices for display in the Digi Navigator You can use the Digi Navigator filters to determine the types of IX10 devices you want to display Only the devices that are powered on and connected to your network can be included in the Dig...

Page 203: ...imize the toolbar and hide the filters Access Digi Remote Manager from the Digi Navigator You can access Digi Remote Manager from the Digi Navigator Within the Remote Manager you can configure and monitor your IX10 For information about using Digi Remote Manager refer to the Digi Remote Manager User Guide 1 Make sure you have the device powered and connected the device to your network or computer ...

Page 204: ...Routing This chapter contains the following topics IP routing 205 Show the routing table 222 Dynamic DNS 223 Virtual Router Redundancy Protocol VRRP 229 IX10 User Guide 204 ...

Page 205: ...destination it forwards the IP packet to the configured IP gateway or interface 3 If it cannot find a route for the destination it uses a default route 4 If there are two or more routes to a destination the device uses the route with the longest mask 5 If there are two or more routes to a destination with the same mask the device uses the route with the lowest metric This section contains the foll...

Page 206: ...n n The metric for the route When multiple routes are available to reach the same destination the route with the lowest metric is used n The Maximum Transmission Units MTU of network packets using this route To configure a static route Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate yo...

Page 207: ... 255 0 type 192 168 47 0 24 The any keyword can also be used to route packets to any destination with this static route 7 For Interface select the interface on the IX10 device that will be used with this static route 8 Optional For Gateway type the IPv4 address of the gateway used to reach the destination Set to blank if the destination can be accessed without a gateway 9 Optional For Metric type ...

Page 208: ...the destination of this route For example config network route static 0 destination ip_address netmask config network route static 0 For example to route traffic to the 192 168 47 0 network that uses a subnet mask of 255 255 255 0 config network route static 0 dst 192 168 47 0 24 config network route static 0 The any keyword can also be used to route packets to any destination with this static rou...

Page 209: ...11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a static route Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager...

Page 210: ...ll Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the static route to be deleted config show network route static 0 dst 10 0 0 1 enable true no gateway interface network interface lan1 label new...

Page 211: ...lar connection while all other traffic is routed through an Ethernet WAN connection Policy based routing for the IX10 device uses the following criteria to determine how to route traffic n Firewall zone for example internal outbound traffic external inbound traffic or IPSec tunnel traffic n Network interface for example the cellular connection the WAN or the LAN n IPv4 address n IPv6 address n MAC...

Page 212: ... for the routing policy n Whether packets that match this policy should be dropped when the gateway interface is disconnected rather than forwarded through other interfaces To configure a routing policy Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Dig...

Page 213: ...4 or IPv6 9 For Protocol select Any TCP UDP or ICMP n If TCP or UDP is selected for Protocol type the port numbers of the Source port and Destination port or set to any to match for any port n If ICMP is selected for Protocol type the ICMP type and optional code or set to any to match for any ICMP type 10 For DSCP type the 6 bit hexadecimal Differentiated Services Code Point DSCP field match crite...

Page 214: ...k Use the format IPv4_address netmask or use any to match any IPv4 address n IPv6 address Matches the destination IP address to the specified IP address or network Use the format IPv6_address prefix_length or use any to match any IPv6 address n Domain Matches the destination IP address to the specified domain names To specify domains i Click to expand Domains ii Click the to add a domain iii For D...

Page 215: ... gateway interface is disconnected rather than forwarded through other interfaces config network route policy 0 exclusive true config network route policy 0 7 Select the IP version config network route policy 0 ip_version value config network route policy 0 where value is one of any ipv4 or ipv6 8 Set the protocol config network route policy 0 protocol value config network route policy 0 where val...

Page 216: ...ol is matched Identify the ICMP type config network route policy 0 icmp_type value config network route policy 0 where value is the ICMP type and optional code or set to any to match for any ICMP type 9 Set the source address type config network route policy 0 src type value config network route policy 0 where value is one of n zone Matches the source IP address to the selected firewall zone Set t...

Page 217: ...e uses the format IPv4_address netmask or any to match any IPv4 address n address6 Matches the source IPv6 address to the specified IP address or network Set the address that will be matched config network route policy 0 src address6 value config network route policy 0 where value uses the format IPv6_address prefix_length or any to match any IPv6 address n mac Matches the source MAC address to th...

Page 218: ...e policy 0 dst interface network interface eth1 config network route policy 0 n address Matches the destination IPv4 address to the specified IP address or network Set the address that will be matched config network route policy 0 dst address value config network route policy 0 where value uses the format IPv4_address netmask or any to match any IPv4 address n address6 Matches the destination IPv6...

Page 219: ...v1 RFC1058 RIPng The IPv6 Routing Information Protocol RIP service supports RIPng RFC2080 OSPFv2 The IPv4 Open Shortest Path First OSPF service supports OSPFv2 RFC2328 OSPFv3 The IPv6 Open Shortest Path First OSPF service supports OSPFv3 RFC2740 BGP The Border Gateway Protocol BGP service supports BGP 4 RFC1771 IS IS The IPv4 and IPv6 Intermediate System to Intermediate System IS IS service Config...

Page 220: ...namic routes is specifically designed to work with routing services and should be left as the default 5 Configure the routing services that will be used a Click to expand a routing service b Enable the routing service c Complete the configuration of the routing service 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions ...

Page 221: ...es config network route service Routing services Settings for dynamic routing services and protocols Parameters Current Value enable true Enable zone dynamic_routes Zone Additional Configuration bgp BGP isis IS IS ospfv2 OSPFv2 ospfv3 OSPFv3 rip RIP ripng RIPng config b Enable a routing service that will be used For example to enable the RIP service config network route service rip enable true con...

Page 222: ...ted with an Access selection menu Type quit to disconnect from the device Show the routing table To display the routing table Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click...

Page 223: ... device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Dynamic DNS The Domain Name System DNS uses name servers to provide a mapping between computer readable IP addresses and human readable hostnames This allows users to access websites and personal networks with easy to remember URLs Unfortunately IP addresses change frequently invalidati...

Page 224: ...e amount of time to wait to check if the interface s IP address needs to be updated n The amount of time to wait to force an update of the interface s IP address n The amount of time to wait for an IP address update to succeed before retrying the update n The number of times to retry a failed IP address update Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admi...

Page 225: ...select the interface that has its IP address registered with the Dynamic DNS provider 6 For Service select the Dynamic DNS provider or select custom to enter a custom URL for the Dynamic DNS provider 7 If custom is selected for Service type the Custom URL that should be used to update the IP address with the Dynamic DNS provider 8 Type the Domain name that is linked to the interface s IP address 9...

Page 226: ...ormat number w d h m s For example to set Retry interval to ten minutes enter 10m or 600s 13 Optional For Retry count type the number of times to retry a failed IP address update 14 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access righ...

Page 227: ...w_ddns_instance custom url config network ddns new_ddns_instance 7 Set the domain name that is linked to the interface s IP address config network ddns new_ddns_instance domain domain_name config network ddns new_ddns_instance 8 Set the username to authenticate with the Dynamic DNS provider config network ddns new_ddns_instance username name config network ddns new_ddns_instance 9 Set the password...

Page 228: ... amount of time to wait for an IP address update to succeed before retrying the update config network ddns new_ddns_instance retry_interval value config network ddns new_ddns_instance where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set retry_interval to ten minutes enter either 10m or 600s config network ddns new_ddns_instance r...

Page 229: ...g devices from master to backup and from backup to master even if the device has not failed For example if a host becomes unreachable on the far end of a network link then the physical default gateway can be changed by adjusting the VRRP priority of the IX10 device connected to the failing link This provides failover capabilities based on the status of connections behind the router in addition to ...

Page 230: ...emote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network VRRP 4 For Add VRRP instance type a name for the VRRP instance and click The new VRRP instance configuration is displayed ...

Page 231: ...es are from 1 and 255 and it is configured to 100 by default 9 Optional For Password type a password that will be used to authenticate this VRRP router with VRRP peers If the password length exceeds 8 characters it will be truncated to 8 characters 10 Configure the virtual IP addresses associated with this VRRP instance a Click to expand Virtual IP addresses b Click to add a virtual IP address c F...

Page 232: ...The router with the highest priority will be used as the master router If the master router fails then the IP address of the virtual router is mapped to the backup device with the next highest priority If this device s actual IP address is being used as the virtual IP address of the VRRP pool then the priority of this device should be set to 255 Allowed values are from 1 and 255 and it is configur...

Page 233: ...SureLink is enabled by default on all WAN interfaces and should not be disabled on the WAN interfaces that are being monitored by VRRP If multiple WAN interfaces are being monitored on the same device the VRRP priority will be adjusted only if all WAN interfaces fail SureLink tests l The amount that the VRRP priority will be modified when SureLink determines that the VRRP interface is not function...

Page 234: ...ick the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network VRRP 4 Create a new VRRP instance or click to expand an existing VRRP instance See Configure VRRP for information about creating a new VRRP instance 5 Click to expand VRRP 6 Click Enable ...

Page 235: ... connectivity failure and increased when SureLink succeeds again Along with the priority settings for devices in this VRRP pool the amount entered here should be large enough to automatically demote a master device when SureLink connectivity fails For example if the VRRP master device has a priority of 100 and the backup device has a priority of 80 then the Priority modifier should be set to an am...

Page 236: ... interface has network connectivity and promote a backup to master if SureLink fails i Click to expand IPv4 SureLink ii Click Enable iii For Interval type a the amount of time to wait between connectivity tests To guarantee seamless internet access for VRRP purposes SureLink tests should occur more often than the default of 15 minutes Allowed values are any number of weeks days hours minutes or se...

Page 237: ...test vrrp_plus enable true config 5 Add interfaces to monitor Generally this will be a cellular or WAN interface a Use the to determine available interfaces b Set the interface for example config add network vrrp VRRP_test vrrp_plus monitor_interface end network interface modem config c Optional Repeat for additional interfaces 6 Set the amount that the device s priority should be decreased or inc...

Page 238: ...l IP addresses i Set the DHCP server gateway type to custom config network interface eth ipv4 dhcp_server advanced gateway custom config ii Determine the VRRP virtual IP addresses config show network vrrp VRRP_test virtual_address 0 192 168 3 3 1 10 10 10 1 config iii Set the custom gateway to one of the VRRP virtual IP addresses For example config network interface eth ipv4 dhcp_server advanced g...

Page 239: ...rface eth ipv4 surelink target 0 test value config network interface eth ipv4 surelink target 0 where value is one of n ping Tests connectivity by sending an ICMP echo request to a specified hostname or IP address l Specify the hostname or IP address config network interface eth ipv4 surelink target 0 ping_host host config network interface eth ipv4 surelink target 0 l Optional Set the size in byt...

Page 240: ...e eth ipv4 surelink target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either 10m or 600s config network interface eth ipv4 surelink target 0 interface_down_time 600s config network interface eth ipv4 surelink target 0 The default is 60 seconds l Optional Set the amount of time ...

Page 241: ...he device Example VRRP VRRP configuration This example configuration creates a VRRP pool containing two IX10 devices Configure device one master device Web Task 1 Configure VRRP on device one 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manage...

Page 242: ...ation window is displayed 3 Click Network VRRP 4 For Add VRRP instance type a name for the VRRP instance and click The new VRRP instance configuration is displayed 5 Click Enable 6 For Interface select Interface ETH 7 For Router ID leave at the default setting of 50 8 For Priority leave at the default setting of 100 9 Click to expand Virtual IP addresses ...

Page 243: ... Select Interface Modem 6 For Priority modifier type 30 Task 3 Configure the IP address for the VRRP interface ETH on device one 1 Click Network Interfaces ETH IPv4 2 For Address type 192 168 3 1 24 Task 4 Configure the DHCP server for ETH on device one 1 Click to expand Network Interfaces ETH IPv4 DHCP Server 2 For Lease range start leave at the default of 100 3 For Lease range end type 199 4 Cli...

Page 244: ...p VRRP_test 4 Enable the VRRP instance config network vrrp VRRP_test enable true config network vrrp VRRP_test 5 Set the VRRP interface to ETH config network vrrp VRRP_test interface network interface eth config network vrrp VRRP_test 6 Add the virtual IP address associated with this VRRP instance config network vrrp VRRP_test add virtual_address end 192 168 3 3 config network vrrp VRRP_test Task ...

Page 245: ...CP addresses to clients a Set the start address to 100 config network interface eth ipv4 dhcp_server lease_start 100 config b Set the end address to 199 config network interface eth ipv4 dhcp_server lease_end 199 config 2 Set the DHCP server gateway type to custom config network interface eth ipv4 dhcp_server advanced gateway custom config 3 Set the custom gateway to 192 168 3 3 config network int...

Page 246: ...ation Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network VRRP 4 For Add VRRP instance type a name for the VRRP instance and click The new VRRP in...

Page 247: ...onfigure VRRP on device two 1 Click to expand VRRP 2 Click Enable 3 Click to expand Monitor interfaces 4 Click to add an interface for monitoring 5 Select Interface Modem 6 Click to enable Monitor VRRP master 7 For Priority modifier type 30 Task 3 Configure the IP address for the VRRP interface ETH on device two 1 Click Network Interfaces ETH IPv4 2 For Address type 192 168 3 2 24 3 For Default ga...

Page 248: ...pand Network Interfaces ETH IPv4 DHCP Server 2 For Lease range start type 200 3 For Lease range end type 250 4 Click Advanced settings 5 For Gateway select Custom 6 For Custom gateway enter 192 168 3 3 7 Click Apply to save the configuration and apply the change Command line Task 1 Configure VRRP on device two 1 Select the device in Remote Manager and click Actions Open Console or log into the IX1...

Page 249: ... vrrp VRRP_test add virtual_address end 192 168 3 3 config network vrrp VRRP_test Task 2 Configure VRRP on device two 1 Enable VRRP config network vrrp VRRP_test vrrp_plus enable true config network vrrp VRRP_test 2 Add the interface to monitor config network vrrp VRRP_test add vrrp_plus monitor_interface end network interface modem config network vrrp VRRP_test 3 Enable the ability to monitor the...

Page 250: ...le true config 2 Create a SureLink test target config add network interface eth ipv4 surelink target end config network interface eth ipv4 surelink target 0 3 Set the type of test to ping config network interface eth ipv4 surelink target 0 test ping config network interface eth ipv4 surelink target 0 4 Set my devicecloud com as the hostname to ping config network interface eth ipv4 surelink target...

Page 251: ...g save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show VRRP status and statistics This section describes how to display VRRP status and statistics for a IX10 device VRRP status is available from the Web UI only Web 1 Log into Digi Remote Manager or log into t...

Page 252: ...played Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show vrrp show vrrp VRRP Status Proto State Virtual IP VRRP_test Up IPv4 Ba...

Page 253: ...t type show vrrp name name show vrrp name VRRP_test VRRP_test VRRP Status Enabled True Status Up Interface lan IPv4 Virtual IP address es 10 10 10 1 100 100 100 1 Current State Master Current Priority 100 Last Transition Tue Jan 1 00 00 39 2019 Became Master 1 Released Master 0 Adverts Sent 71 Adverts Received 4 Priority Zero Sent 0 Priority zero Received 0 ...

Page 254: ...y connect two private networks together so that devices can connect from one network to the other using secure channels This chapter contains the following topics IPsec 255 OpenVPN 311 Generic Routing Encapsulation GRE 345 L2TP 366 L2TPv3 Ethernet 385 NEMO 391 IX10 User Guide 254 ...

Page 255: ...ec can run in two different modes Tunnel and Transport Tunnel The entire IP packet is encrypted and or authenticated and then encapsulated as the payload in a new IP packet Transport Only the payload of the IP packet is encrypted and or authenticated The IP header is left untouched This mode has limitations when using an authentication header because the IP addresses in the IP header cannot be tra...

Page 256: ...d key authentication mode provides additional security by using client authentication credentials in addition to the standard pre shared key The IX10 device can be configured to authenticate with the remote peer as an XAUTH client RSA Signatures With RSA signatures authentication the IX10 device uses a private RSA key to authenticate with a remote peer that is using a corresponding public key Cert...

Page 257: ...Configure SureLink active recovery for IPsec for information about IPsec active recovery Additional configuration items The following additional configuration settings are not typically configured to get an IPsec tunnel working but can be configured as needed n Determine whether the device should use UDP encapsulation even when it does not detect that NAT is being used n If using IPsec failover id...

Page 258: ...ular or otherwise you must configure a static route to direct the traffic either through the IPsec tunnel or through the WAN outside of the IPsec tunnel See Configure a static route for information about configuring a static route Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your de...

Page 259: ... 8 Optional Enable Force UDP encapsulation to force the tunnel to use UDP encapsulation even when it does not detect that NAT is being used 9 For Zone select the firewall zone for the IPsec tunnel Generally this should be left at the default of IPsec Note Depending on your network configuration you may need to add a packet filtering rule to allow incoming traffic For example for the IPsec zone a C...

Page 260: ...ayload Provides encryption as well as authentication and integrity n AH Authentication Header Provides authentication and integrity only 14 Click to expand Authentication a For Authentication type select one of the following n Pre shared key Uses a pre shared key PSK to authenticate with the remote peer i Type the Pre shared key n Asymmetric pre shared keys Uses asymmetric pre shared keys to authe...

Page 261: ...ate in PEM format l Certificate Authority For Certificate Authority chain paste the Certificate Authority CA certificates These must include all peer certificates in the chain up to the root CA certificate in PEM format 15 Optional For Management Priority set the management priority for this IPsec tunnel A tunnel that is up and has the highest priority will be used for central management and direc...

Page 262: ...alue type the key ID n MAC address The device s primary MAC address will be used as the ID and sent as a ID_KEY_ID IKE identity n Serial number The device s serial number will be used as the ID and sent as a ID_KEY_ID IKE identity 19 Click to expand Remote endpoint a For IP version select either IPv4 or IPv6 b For Hostname list selection select one of the following n Round robin Attempts to connec...

Page 263: ...ified Domain Name and sent as an ID_FQDN IKE identity For FQDN ID value type the ID as an FQDN n KeyID The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity For KEYID ID value type the key ID n MAC address The device s primary MAC address will be used as the ID and sent as a ID_KEY_ID IKE identity n Serial number The device s serial number will be used as the ID and sent as ...

Page 264: ...col is selected type the number of the protocol e For Port type the port matching criteria Allowed values are a port number a range of port numbers or any f Optional Click to expand Remote traffic selector g For Remote network enter the IP address and optional netmask of the remote network h For Protocol select one of the following n Any Matches any protocol n TCP Matches TCP protocol only n UDP M...

Page 265: ...e IKE security association expires after a successful negotiation and must be re authenticated Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Phase 1 lifetime to ten minutes enter 10m or 600s g For Phase 2 lifetime enter the amount of time that the IKE security association expires after a successful negotiation and must ...

Page 266: ...lick to expand NAT to create a list of destination networks that require source NAT a Click next to Add NAT destination b For Destination network type the IPv4 address and optional netmask of a destination network that requires source NAT You can also use any meaning that any destination network connected to the tunnel will use source NAT 24 See Configure SureLink active recovery for IPsec for inf...

Page 267: ...signed to this IPsec tunnel This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel Format any dynamic_routes edge external internal ipsec loopback setup Default value ipsec Current value ipsec config vpn ipsec tunnel ipsec_example Note Depending on your network configuration you may need to add a packet filtering rule to allow incoming traffi...

Page 268: ... n tunnel The entire IP packet is encrypted and or authenticated and then encapsulated as the payload in a new IP packet n transport Only the payload of the IP packet is encrypted and or authenticated The IP header is unencrypted The default is tunnel 8 Set the protocol config vpn ipsec tunnel ipsec_example type protocol config vpn ipsec tunnel ipsec_example where protocol is either n esp Encapsul...

Page 269: ...remote peer a For the private_key parameter paste the device s private RSA key in PEM format config vpn ipsec tunnel ipsec_example auth private_key key config vpn ipsec tunnel ipsec_example b Set the private key passphrase that is used to decrypt the private key Leave blank if the private key is not encrypted config vpn ipsec tunnel ipsec_example auth private_key_ passphrase passphrase config vpn ...

Page 270: ...ertificate Authority chain for verification o For the ca_cert parameter paste the Certificate Authority CA certificates These must include all peer certificates in the chain up to the root CA certificate in PEM format config vpn ipsec tunnel ipsec_example auth ca_cert cert_ chain config vpn ipsec tunnel ipsec_example 11 Optional Configure the device to connect to its remote peer as an XAUTH client...

Page 271: ...ID will be automatically determined from the value of the tunnels endpoints n raw Enter an ID and have it passed unmodified to the underlying IPsec stack Set the unmodified ID that will be passed config vpn ipsec tunnel ipsec_example local id type raw_id id config vpn ipsec tunnel ipsec_example n any Any ID will be accepted n ipv4 The ID will be interpreted as an IPv4 address and sent as an ID_IPV...

Page 272: ...ndpoint a Add a remote hostname config vpn ipsec tunnel ipsec_example add remote hostname end value config vpn ipsec tunnel ipsec_example where value is the hostname or IPv4 address of the IPsec peer If your device is not configured to initiate the IPsec connection see ike initiate you can also use the keyword any which means that the hostname is dynamic or unknown Repeat for additional hostnames ...

Page 273: ... ID This can be a fully qualified domain name or an IPv6 address config vpn ipsec tunnel ipsec_example remote id type ipv6_id id config vpn ipsec tunnel ipsec_example n rfc822 The ID will be interpreted as an RFC822 email address Set the ID in internet email address format config vpn ipsec tunnel ipsec_example remote id type rfc822_ id id config vpn ipsec tunnel ipsec_example n fqdn The ID will be...

Page 274: ...g vpn ipsec tunnel ipsec_example where value is one of n if_supported Send oversized IKE messages in fragments if the peer supports receiving them n always Always send IKEv1 messages in fragments For IKEv2 this option is equivalent to if supported n never Do not send oversized IKE messages in fragments n accept Do not send oversized IKE messages in fragments but announce support for fragmentation ...

Page 275: ...g vpn ipsec tunnel ipsec_example where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set lifetime_margin to ten minutes enter either 10m or 600s config vpn ipsec tunnel ipsec_example ike lifetime_margin 600s config vpn ipsec tunnel ipsec_example The default is nine minutes i Configure the types of encryption hash and Diffie Hellman ...

Page 276: ...e 1 proposals i Move back one level in the schema config vpn ipsec tunnel ipsec_example ike phase1_proposal 0 config vpn ipsec tunnel ipsec_example ike phase1_proposal ii Add an additional proposal config vpn ipsec tunnel ipsec_example ike phase1_proposal add end config vpn ipsec tunnel ipsec_example ike phase1_proposal 1 Repeat the above steps to set the type of encryption hash and Diffie Hellman...

Page 277: ...llman group types config vpn ipsec tunnel ipsec_example ike phase2_proposal 0 dh_group curve25519 curve448 ecp192 ecp224 config vpn ipsec tunnel ipsec_example ike phase2_proposal 0 ii Set the Diffie Hellman group type config vpn ipsec tunnel ipsec_example ike phase2_proposal 0 dh_group value config vpn ipsec tunnel ipsec_example ike phase2_proposal 0 The default is modp2048 vi Optional Add additio...

Page 278: ...d peer packet before assuming the tunnel has failed The default is 90 config vpn ipsec tunnel ipsec_example dpd timeout value config 17 Optional Create a list of destination networks that require source NAT a Add a destination network config add vpn ipsec tunnel ipsec_example nat end config vpn ipsec tunnel ipsec_example nat 0 b Set the IPv4 address and optional netmask of a destination network th...

Page 279: ... 0 n custom A user defined network Set the custom network config vpn ipsec tunnel ipsec_example policy 0 local custom value config vpn ipsec tunnel ipsec_example policy 0 where value is the IPv4 address and optional netmask The keyword any can also be used n request Requests a network from the remote peer n dynamic Uses the address of the local endpoint d Set the port matching criteria for the loc...

Page 280: ...lue is the port number a range of port numbers or the keyword any h Set the protocol matching criteria for the remote traffic selector config vpn ipsec tunnel ipsec_example policy 0 remote protocol value config vpn ipsec tunnel ipsec_example policy 0 where value is one of n any Matches any protocol n tcp Matches TCP protocol only n udp Matches UDP protocol only n icmp Matches ICMP requests only n ...

Page 281: ...ection_try_interval Connection try interval ike_timeout IKE timeout config Generally the default settings for these should be sufficient c You can also enable debugging for IPsec config vpn ipsec advanced debug value config where value is one of n none n basic_auditing n detailed_control n generic_control n raw_data n sensitive_data 20 Save the configuration and apply the change config save Config...

Page 282: ...th tunnels are active simultaneously and there is minimal downtime due to failover l Identify the preferred tunnel during configuration of the backup tunnel In this scenario the backup tunnel is not active until the preferred tunnel fails IPsec failover using SureLink With this configuration when two IPsec tunnels are configured with the same local and remote endpoints but different metrics traffi...

Page 283: ...point Web 1 Configure the primary IPsec tunnel See Configure an IPsec tunnel for instructions n During configuration of the IPsec tunnel set the metric to a low value for example 10 n Configure SureLink for the primary IPsec tunnel and enable Restart interface See Configure SureLink active recovery for IPsec for instructions 2 Create a backup IPsec tunnel Configure this tunnel to use the same loca...

Page 284: ... a value that is higher than the metric of the primary tunnel for example 20 config vpn ipsec tunnel IPsecFailoverBackupTunnel metric 20 config vpn ipsec tunnel IPsecFailoverBackupTunnel IPsec failover using Preferred tunnel Web 1 Configure the primary IPsec tunnel See Configure an IPsec tunnel for instructions 2 Create a backup IPsec tunnel See Configure an IPsec tunnel for instructions 3 During ...

Page 285: ...uration items n A valid IPsec configuration See Configure an IPsec tunnel for configuration instructions n Enable IPsec active recovery n The behavior of the IX10 device upon IPsec failure either l Restart the IPsec interface l Reboot the device Additional configuration items n The interval between connectivity tests n Whether the interface should be considered to have failed if one of the test ta...

Page 286: ...D c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN IPsec 4 Create a new IPsec tunnel or select an existing one n To create a new IPsec tunnel see Configure an IPsec tunnel n To edit an existing IPsec tunnel click to expand the appropriate tunnel ...

Page 287: ... seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s The default is 15 minutes 10 For Success condition determine whether the interface should fail over based on the failure of one of the test targets or all of the test targets 11 For Attempts type the number of probe attempts before the WAN is considered to have failed 12 For Response timeout ...

Page 288: ...ding an HTTP or HTTPS GET request to the URL specified in Web servers The URL should take the format of http s hostname path n Test DNS servers configured for this interface Tests connectivity by sending a DNS query to the DNS servers configured for this interface n Test the interface status The interface is considered to be down based on l Down time The amount of time that the interface can be do...

Page 289: ...t the interface when its connection is considered to have failed config vpn ipsec tunnel ipsec_example surelink restart true config vpn ipsec tunnel ipsec_example This is useful for interfaces that may regain connectivity after restarting such as a cellular modem 6 To configure the device to reboot when the interface is considered to have failed config vpn ipsec tunnel ipsec_example surelink reboo...

Page 290: ...timeout to ten minutes enter either 10m or 600s config vpn ipsec tunnel ipsec_example surelink timeout 600s config vpn ipsec tunnel ipsec_example The default is 15 seconds 11 Configure test targets a Add a test target config vpn ipsec tunnel ipsec_example add surelink target end config vpn ipsec tunnel ipsec_example surelink target 0 b Set the test type config vpn ipsec tunnel ipsec_example sureli...

Page 291: ...face takes before this test is considered to have failed l Optional Set the amount of time that the interface can be down before this test is considered to have failed config vpn ipsec tunnel ipsec_example surelink target 0 interface_down_time value config vpn ipsec tunnel ipsec_example surelink target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w...

Page 292: ...interface s IP version This allows you to determine the alternate interface s status for a particular IP version config vpn ipsec tunnel ipsec_example surelink target 0 other_ip_version value config vpn ipsec tunnel ipsec_example surelink target 0 where value is one of any both ipv4 or ipv6 o Set the expected status of the alternate interface config vpn ipsec tunnel ipsec_example surelink target 0...

Page 293: ...etails about all configured IPsec tunnels type the following at the prompt show ipsec all Name Enable Status Hostname ipsec1 true up 192 168 2 1 vpn1 false pending 192 168 3 1 3 To display details about a specific tunnel show ipsec tunnel ipsec1 Tunnel ipsec1 Enable true Status pending Hostname 192 168 2 1 Zone ipsec Mode tunnel Type esp 4 Type exit to exit the Admin CLI Depending on your device c...

Page 294: ...n click Device Configuration The Configuration window is displayed 3 Click VPN IPsec 4 Click to expand Advanced 5 For Debug level select one of the following n Disable debug messages n Basic auditing debug Logs basic auditing information for example SA up SA down n Generic control flow Select this for basic debugging information n Detailed control flow More detailed debugging control flow n Raw da...

Page 295: ...es sensitive material in dumps for example encryption keys 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a Simple Certificate Enrollment Protocol client Simple Certificate Enrollment Protocol SC...

Page 296: ...cess rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network SCEP Client 4 For Add clients enter a name for t...

Page 297: ...ing Interval to ten minutes enter 10m or 600s The default is 5s 8 For Key Length type the bit size of the private key The default is 2048 9 For Renewable Time type the number of days that the certificate enrollment can be renewed prior to the request expiring This value is configured on the SCEP server and is used by the IX10 device to determine when to start attempting to auto renew an existing c...

Page 298: ...ach appropriate Distinguished Name attribute 20 Optional Configure the certificate revocation list CRL a Click to expand CRL b Click Enable to enable the CRL c For Type select the type of CRL n URL The URL to the file name used to access the certificate revocation list from the CA n CRLDP The CRL distribution point n getCRL A CRL query using the issuer name and serial number from the certificate w...

Page 299: ...me 6 Optiona Set a CA idenity string that will be understood by the certificate authority For example it could be a domain name or a user name If the certificate authority has multiple CA certificates this field can be used to distinguish which is required config network scep_client scep_client_name server ca_ident string config network scep_client scep_client_name 7 Set the HTTP URL path required...

Page 300: ...scep_client scep_client_name distinguished_name ou value config network scep_client scep_client_name g Set the Common Name config network scep_client scep_client_name distinguished_name cn value config network scep_client scep_client_name 10 Optional Configure the certificate revocation list CRL a Enable the CRL config network scep_client scep_client_name crl enable true config network scep_client...

Page 301: ...ient scep_client_name where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set max_poll_time to ten minutes enter either 10m or 600s config network scep_client scep_client_name max_poll_time 600s config network scep_client scep_client_name The default is 1d 13 Set the amount of time that the device should wait between polling attempt...

Page 302: ...guration you may be presented with an Access selection menu Type quit to disconnect from the device Example SCEP client configuration with Fortinet SCEP server In this example configuration we will configure the IX10 device as a SCEP client that will connect to a Fortinet SCEP server Fortinet configuration On the Fortinet server 1 Enable ports for SCEP services a From the menu select Network Inter...

Page 303: ...butes entered here must correspond to the Distinguished Name attributes configured for the SCEP client on the IX10 device f For Renewal Allow renewal x days before the certified is expired type the number of days that the certificate enrollment can be renewed prior to the request expiring The Renewable Time setting on the IX10 device must match the setting of this parameter g The remaining fields ...

Page 304: ...P client configuration is displayed 5 Click Enable to enable the SCEP client 6 For Renewable Time type the number of days that the certificate enrollment can be renewed prior to the request expiring This value must match the setting of the Allow renewal x days before the certified is expired option on the Fortinet server 7 Optional Click Debug to enable verbose logging in var log scep_client ...

Page 305: ...DN attributes in the Enrollment Request on the Fortinet server 13 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access th...

Page 306: ...Name attributes The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server a Set the Domain Component config network scep_client Fortinet_SCEP_client distinguished_name dc value config network scep_client Fortinet_SCEP_client b Set the two letter Country Code config network scep_client Fortinet_SCEP_client distinguished_name c value config network...

Page 307: ...nfig network scep_client Fortinet_SCEP_client 10 Save the configuration and apply the change config network scep_client Fortinet_SCEP_client save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show SCEP client status and information You can show general SCEP cli...

Page 308: ...rtificate Authority Certificate 1 Subject C US CN TA SCEP 1 MSCEP RA Issuer CN TA SCEP 1 CA Serial 1100000002A1E755981C0C3F34000000000002 Expiry Apr 25 13 42 47 2023 GMT Certificate Authority Certificate 2 Subject C US CN TA SCEP 1 MSCEP RA Issuer CN TA SCEP 1 CA Serial 1100000003268AFB5E98BFCA73000000000003 Expiry Apr 25 13 42 48 2023 GMT Certificate Authority Certificate 3 Subject CN TA SCEP 1 C...

Page 309: ...lem Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Co...

Page 310: ...pe admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Disable hardware cryptographic acceleration config system hycrypto false 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to d...

Page 311: ...ubnet from the OpenVPN server and other OpenVPN clients OpenVPN clients use Network Address Translation NAT to route traffic from devices connected on its LAN interfaces to the OpenVPN server The manner in which the IP subnets are defined depends on the OpenVPN topology in use The IX10 device supports two types of OpenVPN topology OpenVPN Topology Subnet definition method net30 Each OpenVPN client...

Page 312: ...rd interface configuration for example a standard DHCP server configuration l TAP Device only An alternate form of OpenVPN bridging mode in which the device rather than OpenVPN controls the interface configuration If this method is is the OpenVPN server must be included as a device in either an interface or a bridge n The firewall zone to be used by the OpenVPN server n The IP network and subnet m...

Page 313: ...n The TCP UDP port to use By default the IX10 device uses port 1194 n Access control list configuration to restrict access to the OpenVPN server through the firewall n Additional OpenVPN parameters Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Rem...

Page 314: ...To disable toggle off Enable 5 For Device type select the mode used by the OpenVPN server either n TUN OpenVPN managed n TAP OpenVPN managed n TAP Device only See OpenVPN for information about OpenVPN server modes 6 If TUN OpenVPN managed or TAP OpenVPN managed is selected for Device type a For Zone select the firewall zone for the OpenVPN server For TUN device types this should be set to Internal...

Page 315: ...ame password Uses both certificates and a username and password for client authentication Each client requires a public and private key and you must create an OpenVPN authentication group and user See Configure an OpenVPN Authentication Group and User for instructions b Paste the contents of the CA certificate usually in a ca crt file the Public key for example server crt the Private key for examp...

Page 316: ...ually set additional OpenVPN parameters a Click Enable to enable the use of additional OpenVPN parameters b Click Override if the additional OpenVPN parameters should override default options c For OpenVPN parameters type the additional OpenVPN parameters 12 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console ...

Page 317: ...PN bridging mode in which the device rather than OpenVPN controls the interface configuration If this method is is the OpenVPN server must be included as a device in either an interface or a bridge See OpenVPN for information about OpenVPN modes The default is tun 5 If tap or tun are set for device_type a Set the IP address and subnet mask of the OpenVPN server config vpn openvpn server name addre...

Page 318: ... set to 80 the first client IP address will be 192 168 1 80 The default is from 80 ii Set the last address in the range limit config vpn openvpn server name server_last_ip value config vpn openvpn server name where value is a number between 1 and 255 The number entered here will represent the last client IP address For example if address is set to 192 168 1 1 24 and server_last_ip is set to 99 the...

Page 319: ...ue of the cacert parameter config vpn openvpn server name cacert value config vpn openvpn server name iii Paste the contents of the public key for example server crt into the value of the server_cert parameter config vpn openvpn server name server_cert value config vpn openvpn server name iv Paste the contents of the private key for example server key into the value of the server_key parameter con...

Page 320: ...cl interface end value config vpn openvpn server name Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config vpn openvpn server name network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth ETH loopback Loopback modem Modem config vpn openvpn...

Page 321: ... config vpn openvpn server name c Set the additional OpenVPN parameters config vpn openvpn server name extra parameters config vpn openvpn server name 10 Save the configuration and apply the change config save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Confi...

Page 322: ...in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Add an OpenVPN authentication group a Click Authentication Groups b For Add Group type a name for the group for example OpenVPN_Group and click The new authe...

Page 323: ...this group will have access g Repeat to add additional OpenVPN tunnels 4 Add an OpenVPN authentication user a Click Authentication Users b For Add type a name for the user for example OpenVPN_User and click c Type a password for the user This password is used for local authentication of the user You can also configure the user to use RADIUS or TACACS authentication by configuring authentication me...

Page 324: ... Networks VPN OpenVPN IX10 User Guide 324 d Click to expand the Groups node e Click to add a group to the user f Select a Group with OpenVPN access enabled 5 Click Apply to save the configuration and apply the change ...

Page 325: ..._Group 4 Enable OpenVPN access rights for users of this group config auth group OpenVPN_Group acl openvpn enable true 5 Add an OpenVPN tunnel to which users of this group will have access a Determine available tunnels config auth group OpenVPN_Group vpn openvpn server Servers A list of openvpn servers Additional Configuration OpenVPN_server1 OpenVPN server config auth group OpenVPN_Group b Add a t...

Page 326: ...PN client if configured on the OpenVPN server See Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the ...

Page 327: ...ehavior and configure the client manually click Use ovpn file to disable If Use ovpn file is disabled see Configure an OpenVPN client without using an ovpn file for configuration information 7 For Zone select the firewall zone for the OpenVPN client 8 Optional Select the Metric for the OpenVPN client If multiple active routes match a destination the route with the lowest metric will be used 9 Opti...

Page 328: ...nt name where name is the name of the OpenVPN server The OpenVPN client is enabled by default To disable the client type config vpn openvpn client name enable false config vpn openvpn client name 4 Set the firewall zone for the OpenVPN client config vpn openvpn client name zone value config vpn openvpn client name To view a list of available zones config vpn openvpn client name zone Zone The zone ...

Page 329: ... quit to disconnect from the device Configure an OpenVPN client without using an ovpn file Required configuration items n Enable the OpenVPN client The OpenVPN client is enabled by default n The mode used by the OpenVPN server either routing TUN or bridging TAP n The firewall zone to be used by the OpenVPN client n The IP address of the OpenVPN server n Certificates and keys l The CA certificate u...

Page 330: ...te Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN OpenVPN Clients 4 For Add type a name for the OpenVPN client and click The new OpenVPN client configuration is displayed ...

Page 331: ... port used by the OpenVPN server The default is 1194 13 Paste the contents of the CA certificate usually in a ca crt file the Public key for example client crt and the Private key for example client key into their respective fields The contents will be hidden when the configuration is saved 14 Optional Click to expand Advanced Options to manually set additional OpenVPN parameters a Click Enable to...

Page 332: ...name 4 The default behavior is to use an OVPN file for client configuration To disable this behavior and configure the client manually config vpn openvpn client name use_file false config vpn openvpn client name 5 Set the mode used by the OpenVPN server config vpn openvpn client name device_type value config vpn openvpn client name where value is either tun or tap The default is tun 6 Set the fire...

Page 333: ...n openvpn client name The default is 1194 11 Paste the contents of the CA certificate usually in a ca crt file into the value of the cacert parameter config vpn openvpn client name cacert value config vpn openvpn client name 12 Paste the contents of the public key for example client crt into the value of the public_cert parameter config vpn openvpn client name public_cert value config vpn openvpn ...

Page 334: ...an OpenVPN client without using an ovpn file for configuration instructions n Enable OpenVPN active recovery n The behavior of the IX10 device upon OpenVPN failure either l Restart the OpenVPN interface l Reboot the device Additional configuration items n The interval between connectivity tests n Whether the interface should be considered to have failed if one of the test targets fails or all of t...

Page 335: ...evice Configuration The Configuration window is displayed 3 Click VPN OpenVPN Clients 4 Create a new OpenVPN client or select an existing one n To create a new OpenVPN client see Configure an OpenVPN client by using an ovpn file or Configure an OpenVPN client without using an ovpn file n To edit an existing OpenVPN client click to expand the appropriate client ...

Page 336: ...or seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s The default is 15 minutes 10 For Success condition determine whether the interface should fail over based on the failure of one of the test targets or all of the test targets 11 For Attempts type the number of probe attempts before the WAN is considered to have failed 12 For Response timeou...

Page 337: ...nding an HTTP or HTTPS GET request to the URL specified in Web servers The URL should take the format of http s hostname path n Test DNS servers configured for this interface Tests connectivity by sending a DNS query to the DNS servers configured for this interface n Test the interface status The interface is considered to be down based on l Down time The amount of time that the interface can be d...

Page 338: ...ient1 5 To configure the device to restart the interface when its connection is considered to have failed config vpn openvpn client openvpn_client1 surelink restart true config vpn openvpn client openvpn_client1 This is useful for interfaces that may regain connectivity after restarting such as a cellular modem 6 To configure the device to reboot when the interface is considered to have failed con...

Page 339: ...ays hours minutes or seconds and takes the format number w d h m s For example to set timeout to ten minutes enter either 10m or 600s config vpn openvpn client openvpn_client1 surelink timeout 600s config vpn openvpn client openvpn_client1 The default is 15 seconds 11 Configure test targets a Add a test target config vpn openvpn client openvpn_client1 add surelink target end config vpn openvpn cli...

Page 340: ...pn client openvpn_client1 surelink target 0 http_url value config vpn openvpn client openvpn_client1 surelink target 0 where value uses the format http s hostname path n interface_up The interface is considered to be down based on the interfaces down time and the amount of time an initial connection to the interface takes before this test is considered to have failed l Optional Set the amount of t...

Page 341: ...e a failover or coupled relationship between interfaces config vpn openvpn client openvpn_client1 surelink target 0 other value config vpn openvpn client openvpn_client1 surelink target 0 If other is set o Set the alternate interface to be tested i Use the to determine available interfaces ii Set the interface For example config vpn openvpn client openvpn_client1 surelink target 0 other_interface ...

Page 342: ... can view status and statistics for OpenVPN servers from either the web interface or the command line Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu select Status OpenVPN Servers The OpenVPN Servers page appears 3 To view configuration details about an OpenVPN server click the configuration icon in the upper right of the OpenVPN server s status pane Command line 1 Select t...

Page 343: ...eb 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu select Status OpenVPN Clients The OpenVPN Clients page appears 3 To view configuration details about an OpenVPN client click the configuration icon in the upper right of the OpenVPN client s status pane Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a...

Page 344: ... Enable true Status up Username user1 IP address 123 122 121 120 Remote 120 121 122 123 MTU 1492 Zone internal IP Address 192 168 30 1 24 Port 1194 Use File true Metric 0 Protocol udp Port 1194 Type tun 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 345: ...quired configuration items n A GRE loopback endpoint interface n GRE tunnel configuration l Enable the GRE tunnel The GRE tunnels are enabled by default l The local endpoint interface l The IP address of the remote device peer Additional configuration items n A GRE key n Enable the device to respond to keepalive packets Task One Create a GRE loopback endpoint interface Web 1 Log into Digi Remote M...

Page 346: ...Ethernet 7 For Zone select Internal 8 For Device select Ethernet Loopback 9 Click to expand IPv4 10 For Address enter the IP address and subnet mask of the local GRE endpoint for example 10 10 1 1 24 11 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with f...

Page 347: ...to set the local GRE endpoint s IP address and subnet mask to 10 10 1 1 24 config network interface gre_interface ipv4 address 10 10 1 1 24 config network interface gre_interface 7 Save the configuration and apply the change config network interface gre_interface save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access se...

Page 348: ...ional For Key enter a key that will be inserted in GRE packets created by this tunnel It must match the key set by the remote endpoint Allowed value is an interger between 0 and 4294967295 or an IP address 9 Optional Enable keepalive reply to enable the device to reply to Cisco GRE keepalive packets 10 Click Apply to save the configuration and apply the change Command line 1 Select the device in R...

Page 349: ... remote peer config vpn iptunnel gre_example remote ip_address config vpn iptunnel gre_example 6 Optional Set a key that will be inserted in GRE packets created by this tunnel The key must match the key set by the remote endpoint config vpn iptunnel gre_example key value config vpn iptunnel gre_example where value is an interger between 0 and 4294967295 or an IP address 7 Optional Enable the devic...

Page 350: ...view information about currently configured GRE tunnels Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click Status IP tunnels The IP Tunnelspage appears 3 To view configuration details about a GRE tunnel click the configuration icon in the upper right of the tunnel s status pane ...

Page 351: ... 0 2 32 2 Create an IPsec endpoint interface named ipsec_endpoint1 a Zone set to Internal b Device set to Ethernet Loopback c IPv4 Address set to the IP address of the local GRE tunnel 172 30 0 1 32 3 Create a GRE tunnel named gre_tunnel1 a Local endpoint set to the IPsec endpoint interface Interface ipsec_endpoint1 b Remote endpoint set to the IP address of the GRE tunnel on IX10 2 172 30 0 2 4 C...

Page 352: ...amed gre_interface2 and add it to the GRE tunnel a Zone set to Internal b Device set to IP tunnel gre_tunnel2 c IPv4 Address set to a virtual IP address on the GRE tunnel 172 31 0 2 30 Configuration procedures Configure the IX10 1 device Task one Create an IPsec tunnel Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device config...

Page 353: ...e testkey 7 Click to expand Remote endpoint 8 For Hostname type public IP address of the IX10 2 device 9 Click to expand Policies 10 For Add Policy click to add a new policy 11 Click to expand Local network 12 For Type select Custom network 13 For Address type the IP address and subnet of the local GRE tunnel 172 30 0 1 32 14 For Remote network type the IP address and subnet of the remote GRE tunn...

Page 354: ...y to testkey config vpn ipsec tunnel ipsec_gre1 auth secret testkey config vpn ipsec tunnel ipsec_gre1 5 Set the remote endpoint to public IP address of the IX10 2 device config vpn ipsec tunnel ipsec_gre1 remote hostname 192 168 101 1 config vpn ipsec tunnel ipsec_gre1 6 Add a policy config vpn ipsec tunnel ipsec_gre1 add policy end config vpn ipsec tunnel ipsec_gre1 policy 0 7 Set the local netw...

Page 355: ...y the change config ipsec tunnel ipsec_gre1 policy 0 save Configuration saved Task two Create an IPsec endpoint interface Web 1 Click Network Interface 2 For Add Interface type ipsec_endpoint1 and click 3 For Zone select Internal 4 For Device select Ethernet loopback 5 Click to expand IPv4 6 For Address type the IP address of the local GRE tunnel 172 30 0 1 32 7 Click Apply to save the configurati...

Page 356: ...ice loopback config network interface ipsec_endpoint1 device network device loopback config network interface ipsec_endpoint1 5 Set the IPv4 address to the IP address of the local GRE tunnel 172 30 0 1 32 config network interface ipsec_endpoint1 ipv4 address 172 30 0 1 32 config network interface ipsec_endpoint1 6 Save the configuration and apply the change config vpn ipsec tunnel ipsec_endpoint1 ...

Page 357: ...unnel1 config vpn iptunnel gre_tunnel1 3 Set the local endpoint to the IPsec endpoint interface created in Task two network interface ipsec_endpoint1 config vpn iptunnel gre_tunnel1 local network interface ipsec_ endpoint1 config vpn iptunnel gre_tunnel1 4 Set the remote endpoint to the IP address of the GRE tunnel on IX10 2 172 30 0 2 config vpn iptunnel gre_tunnel1 remote 172 30 0 2 config vpn i...

Page 358: ...nel created in Task three IP tunnel gre_tunnel1 5 Click to expand IPv4 6 For Address type 172 31 0 1 30 for a virtual IP address on the GRE tunnel 7 Click Apply to save the configuration and apply the change Command line 1 At the command line type config to enter configuration mode config config 2 Add an interface named gre_interface1 config add network interface gre_interface1 config network inte...

Page 359: ...ace1 6 Save the configuration and apply the change config network interface gre_interface1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure the IX10 2 device Task one Create an IPsec tunnel Web 1 Log into Digi Remote Manager or log into the local Web...

Page 360: ...t was configured for the IX10 1 testkey 7 Click to expand Remote endpoint 8 For Hostname type public IP address of the IX10 1 device 9 Click to expand Policies 10 For Add Policy click to add a new policy 11 Click to expand Local network 12 For Type select Custom network 13 For Address type the IP address and subnet of the local GRE tunnel 172 30 0 2 32 14 For Remote network type the IP address and...

Page 361: ...hat was configured for the IX10 1 testkey config vpn ipsec tunnel ipsec_gre2 auth secret testkey config vpn ipsec tunnel ipsec_gre2 5 Set the remote endpoint to public IP address of the IX10 1 device config vpn ipsec tunnel ipsec_gre2 remote hostname 192 168 100 1 config vpn ipsec tunnel ipsec_gre2 6 Add a policy config vpn ipsec tunnel ipsec_gre2 add policy end config vpn ipsec tunnel ipsec_gre2 ...

Page 362: ...he change config vpn ipsec tunnel ipsec_gre2 policy 0 save Configuration saved Task two Create an IPsec endpoint interface Web 1 Click Network Interfaces 2 For Add Interface type ipsec_endpoint2 and click 3 For Zone select Internal 4 For Device select Ethernet loopback 5 Click to expand IPv4 6 For Address type the IP address of the local GRE tunnel 172 30 0 2 32 7 Click Apply to save the configura...

Page 363: ... device loopback config network interface ipsec_endpoint2 device network device loopback config network interface ipsec_endpoint2 5 Set the IPv4 address to the IP address of the local GRE tunnel 172 30 0 2 32 config network interface ipsec_endpoint2 ipv4 address 172 30 0 2 32 config network interface ipsec_endpoint2 6 Save the configuration and apply the change config vpn ipsec tunnel ipsec_endpoi...

Page 364: ...unnel2 config vpn iptunnel gre_tunnel2 3 Set the local endpoint to the IPsec endpoint interface created in Task two network interface ipsec_endpoint2 config vpn iptunnel gre_tunnel2 local network interface ipsec_ endpoint2 config vpn iptunnel gre_tunnel2 4 Set the remote endpoint to the IP address of the GRE tunnel on IX10 1 172 30 0 1 config vpn iptunnel gre_tunnel2 remote 172 30 0 1 config vpn i...

Page 365: ...nel created in Task three IP tunnel gre_tunnel2 5 Click to expand IPv4 6 For Address type 172 31 0 2 30 for a virtual IP address on the GRE tunnel 7 Click Apply to save the configuration and apply the change Command line 1 At the command line type config to enter configuration mode config config 2 Add an interface named gre_interface2 config add network interface gre_interface2 config network inte...

Page 366: ... you may be presented with an Access selection menu Type quit to disconnect from the device L2TP Your IX10 device supports PPP over L2TP Layer 2 Tunneling Protocol Configure a PPP over L2TP tunnel Your IX10 device supports PPP over L2TP Layer 2 Tunneling Protocol The tunnel endpoints are known as L2TP Access Concentrators LAC and L2TP Network Servers LNS Each endpoint terminates the PPP session Re...

Page 367: ...tion method l The metric for the tunnel l Enable custom PPP configuration options for the tunnel o Whether to override the default configuration and only use the custom options o Optional configuration data in the format of a pppd options file Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a L...

Page 368: ... to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that ca...

Page 369: ...f the custom configuration should override the default configuration and only use the custom options iii For Configuration file paste or type the configuration data in the format of a pppd options file k For SureLink see Configure SureLink active recovery for PPP over L2TP 7 To add an L2TP network server a Click to expand L2TP network servers b For Add L2TP network server type a name for the LNS a...

Page 370: ...ional Custom PPP configuration i Enable custom PPP configuration ii Enable Override if the custom configuration should override the default configuration and only use the custom options iii For Configuration file paste or type the configuration data in the format of a pppd options file 8 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager a...

Page 371: ... service type Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX10 device config add vpn l2tp acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additio...

Page 372: ...pn l2tp lac name config add vpn l2tp lac name where name is the name of the LAC For example to add an LAC named lac_tunnel config add vpn l2tp lac lac_tunnel config vpn l2tp lac lac_tunnel LACs are enabled by default To disable config vpn l2tp lac lac_tunnel enable false config vpn l2tp lac lac_tunnel b Set the hostname or IP address of the L2TP network server config vpn l2tp lac lac_tunnel lns ho...

Page 373: ...rewall zone for the tunnel This is used by packet filtering rules and access control lists to restrict network traffic on the tunnel i Use the to determine available zones config vpn l2tp lac lac_tunnel zone Zone The firewall zone assigned to this tunnel This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel Format any dynamic_routes edge ext...

Page 374: ...n LNS named lns_server config add vpn l2tp lns lns_server config vpn l2tp lns lns_server LACs are enabled by default To disable config vpn l2tp lns lns_server enable false config vpn l2tp lns lns_server b Set the IP address of the L2TP access concentrator that this server will allow connections from config vpn l2tp lns lns_server lac IP_address config vpn l2tp lns lns_server This can also be n A r...

Page 375: ... lns lns_server password password config vpn l2tp lns lns_server The default is none f Optional Set the metric for the tunnel config vpn l2tp lns lns_server metric int config vpn l2tp lns lns_server where int is an integer between 0 and 65535 The default is 1 g Set the firewall zone for the tunnel This is used by packet filtering rules and access control lists to restrict network traffic on the tu...

Page 376: ...change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure SureLink active recovery for PPP over L2TP You can configure the IX10 device to regularly probe PPP over L2TP access concatenators to determine if the connection has failed and take remed...

Page 377: ... with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN PPP over L2TP 4 Create a new PPP ...

Page 378: ...minutes or seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s The default is 15 minutes 10 For Success condition determine whether the interface should fail over based on the failure of one of the test targets or all of the test targets 11 For Attempts type the number of probe attempts before the WAN is considered to have failed 12 For Respons...

Page 379: ...ding an HTTP or HTTPS GET request to the URL specified in Web servers The URL should take the format of http s hostname path n Test DNS servers configured for this interface Tests connectivity by sending a DNS query to the DNS servers configured for this interface n Test the interface status The interface is considered to be down based on l Down time The amount of time that the interface can be do...

Page 380: ...onfig vpn l2tp lac lac_tunnel 5 To configure the device to restart the interface when its connection is considered to have failed config vpn l2tp lac lac_tunnel surelink restart true config vpn l2tp lac lac_tunnel This is useful for interfaces that may regain connectivity after restarting such as a cellular modem 6 To configure the device to reboot when the interface is considered to have failed c...

Page 381: ...ample to set interval to ten minutes enter either 10m or 600s config vpn l2tp lac lac_tunnel surelink timeout 600s config vpn l2tp lac lac_tunnel The default is 15 seconds 11 Configure test targets a Add a test target config vpn l2tp lac lac_tunnel add surelink target end config vpn l2tp lac lac_tunnel surelink target 0 b Set the test type config vpn l2tp lac lac_tunnel surelink target 0 test valu...

Page 382: ... interface takes before this test is considered to have failed l Optional Set the amount of time that the interface can be down before this test is considered to have failed config vpn l2tp lac lac_tunnel surelink target 0 interface_down_time value config vpn l2tp lac lac_tunnel surelink target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s...

Page 383: ...ue config vpn l2tp lac lac_tunnel surelink target 0 where value is one of any both ipv4 or ipv6 o Set the expected status of the alternate interface config vpn l2tp lac lac_tunnel surelink target 0 other_ status value config vpn l2tp lac lac_tunnel surelink target 0 where value is either up or down For example if other_status is set to down but the alternate interface is determined to be up then t...

Page 384: ...ow the status of L2TP network servers from the WebUI 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu select Status Under VPN select L2TP Network Servers The L2TP Network Servers page appears 3 To view configuration details about an L2TP network server click the configuration icon in the upper right of the tunnel s status pane Command line Show the status of L2TP access connecto...

Page 385: ...dmin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 To display details about all configured L2TP access connectors type the following at the prompt show l2tp lns Name Enabled Status Device lns_test1 true up test_device0 lns_test2 true pending 3 To display details about a specific tunnel show l2tp lns name...

Page 386: ...elected l The ID for the tunnel l The ID of the peer s tunnel l Determine whether to enable UDP checksum n The session cookie n The peer session cookie n The Layer2SpecificHeader type n The Sequence numbering control Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as descri...

Page 387: ...check the UDP checksum 10 Click to expand Sessions a For Add Sesssion type a name for a session carried by the parent tunnel and click b For Session ID type the session identifier for this session This must match the value for Peer session ID on the remote peer Allowed value is any integer between 1 and 4294967295 c For Peer session ID type the Session ID of the remote peer d Optional For Cookie t...

Page 388: ...The tunnel is enabled by default To disable config vpn l2tpeth L2TPv3_example enable false config vpn l2tpeth L2TPv3_example 4 Set the IPv4 address of the remote endpoint config vpn l2tpeth L2TPv3_example remote IP_address config vpn l2tpeth L2TPv3_example 5 Set the interface of the local endpoint i Use the to determine available interfaces ii Set the interface For example config vpn l2tpeth L2TPv...

Page 389: ...ession_example config vpn l2tpeth L2TPv3_example session_example 10 Set the session identifier for this session This must match the value for peer session ID on the remote peer config vpn l2tpeth L2TPv3_example session_example session_id value config vpn l2tpeth L2TPv3_example session_example where value is any integer between 1 and 4294967295 11 Set the session ID of the remote peer config vpn l2...

Page 390: ...ved out of order The default is none 16 Save the configuration and apply the change config save Configuration saved 17 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show L2TPV3 tunnel status Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu select Status Under V...

Page 391: ...yptes 3 120 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device NEMO Network Mobility NEMO is a mobile networking technology that provides access to one or more Local Area Networks LANs on your device NEMO creates a tunnel between the home agent on the mobile private network and the IX10...

Page 392: ...your cellular carrier n The local network interfaces that will be advertised on NEMO Additional configuration items n The home agent Software Parameter Index SPI n Path MTU discovery Path MTU discovery is enabled by default If it is disabled identify the MTU n Care of address the local network interface that is used to communicate with the peer l If set to Interface identify the local interface to...

Page 393: ...irewall zone configures the IX10 device to trust traffic going to the tunnel and allows it through the network 6 For Home agent server IP address type the IPv4 address of the NEMO home agent This is provided by your cellular carrier 7 For Key type the key used to authenticate to the home agent This is provided by your cellular carrier 8 For Home agent SPI type the Security Parameter Index SPI valu...

Page 394: ...int negotiated by NEMO n If Default route is selected the network interface that is used will be the same as the default route n If Interface is selected specify the local network interface The default is Default route 13 Click to expand Local networks a For Add Interface click to add a local network to use as a virtual NEMO network interface b For Interface select the local interface to use as a ...

Page 395: ...nemo_example Allowed values are any integer between 1 and 65535 8 MTU discovery is enabled by default which allows the device to determine the maximum transmission unit MTU size To disable config vpn nemo nemo_example mtu_discovery false config vpn nemo nemo_example If disabled set the MTU size The default MTU size for LANs on the IX10 device is 1500 The MTU size of the NEMO tunnel will be smaller...

Page 396: ... coaddress interface eth1 config vpn nemo nemo_example n ip If ip is used set the IP address config vpn nemo nemo_example coaddress address IP_address config vpn nemo nemo_example The default is defaultroute 12 Set the GRE tunnel local endpoint a Set the method to determine the GRE tunnel local endpoint config vpn nemo nemo_example tun_local type value config vpn nemo nemo_example where value is o...

Page 397: ...n access 2 On the menu select Status NEMO The NEMO page appears 3 To view configuration details about an NEMO tunnel click the configuration icon in the upper right of the tunnel s status pane Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you ma...

Page 398: ...ce modem GRE Tunnel 10 10 10 1 4 3 2 1 Metric 255 MTU 1476 Lifetime Actual 600 Local Network Subnet Status lan1 192 168 2 1 24 Advertized LAN2 192 168 3 1 24 Advertized 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 399: ...ss 414 Use SSH with key authentication 422 Configure telnet access 425 Configure DNS 430 Simple Network Management Protocol SNMP 438 Location information 445 Modbus gateway 476 System time 494 Network Time Protocol 498 Configure a multicast route 505 Enable service discovery mDNS 508 Use the iPerf service 511 Configure the ping responder service 516 IX10 User Guide 399 ...

Page 400: ...See Set the idle timeout for IX10 users for information about setting the inactivity timeout for the web administration and SSH services To allow web administration or SSH for the External firewall zone Add the External firewall zone to the web administration service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configur...

Page 401: ...lect the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the external zone to the web administration serv...

Page 402: ... External firewall zone to the SSH service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configur...

Page 403: ...Services Allow remote access for web administration and SSH IX10 User Guide 403 4 For Add Zone click 5 Select External 6 Click Apply to save the configuration and apply the change ...

Page 404: ...to monitor and configure the IX10 device by using the WebUI a browser based interface By default the web administration service is enabled and uses the standard HTTPS port 443 The default access control for the service uses the Internal firewall zone which means that only devices connected to the IX10 s LAN can access the WebUI If this configuration is sufficient for your needs no further configur...

Page 405: ...ion Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Web administration 4 Click Enable 5 Click Apply to save the configuration and apply the c...

Page 406: ...iguration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure the service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manage...

Page 407: ...vice d Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s web administration service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No...

Page 408: ...ertificate and private key must be in PEM format n The private key can use one of the following algorithms l RSA l DSA l ECDSA l ECDH Note Password protected certificate keys are not supported Example a Generate the SSL certificate and private key for example openssl req newkey rsa 2048 nodes keyout key pem x509 days 365 out certificate pem b Paste the contents of certificate pem and key pem into ...

Page 409: ...rol n To limit access to specified IPv4 addresses and networks config add service web_admin acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the web administratrion service Repeat this step to list additional IP addresses or networks n To limit acce...

Page 410: ...d on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Repeat this step to list additional firewall ...

Page 411: ...GptY2JhbmVAZGlnaS5jb20wHhcN MjAwOTIyMTY1OTUyWhcNMjEwOTIyMTY1OTUyWjCBhzELMAkGA1UEBhMCVVMxDzAN BgNVBAgMBk9yZWdvbjEOMAwGA1UEBwwFQWxvaGExEzARBgNVBAoMCk1jQmFuZSBJ bmMxEDAOBgNVBAsMB1N1cHBvcnQxDzANBgNVBAMMBm1jYmFuZTEfMB0GCSqGSIb3 DQEJARYQam1jYmFuZUBkaWdpLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAOBn19AX01LO9plYtfRZq0bETwNwSCYGeEIOGJ7gHt rihLVBJS1woYv u1Oq1ohYxIawBY1iIPBD2GtzyEJXzBZdQRhwi dRyRi4vr7...

Page 412: ...9Stn VicrmROjojQk sRGxR7fDixaGZolUwcRg7N7SH y3zA7SDp4WvhjFeKFR8b6O1d4 PFnWO2envUUiE 50ZoPFWsv1o8eK2XT67Qbn56t9NB5a7QPvzSSR7jG77QKBgD w BrqTT9wl4DBrsxEiLK 1g0 iMKCm8dkaJbHBMgsuw1m7 K fAzwBwtpWk21alGX Ly3eX2j9zNGwMYfXjgO1hViRxQEgNdqJyk9fA2gsMtYltTbymVYHyzMweMD88fRC Ey2FlHfxIfPeE7MaHNCeXnN5N56 MCtSUJcRihh3AoGAey0BGi4xLqSJESqZZ58p e71JHg4M46rLlrxi 4FXaop64LCxM8kPpROfasJJu5nlPpYHye959BBQnYcAheZZ 0siGsw...

Page 413: ... client HTTP requests to the HTTPS service Legacy port redirection is enabled by default and normally these settings should not be changed To disable legacy port redirection config service web_admin legacy enable false config 9 Save the configuration and apply the change config save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be presented w...

Page 414: ...SSH service n Multicast DNS mDNS support n A private key to use for communications with the SSH service n Create custom SSH configuration settings See Set the idle timeout for IX10 users for information about setting the inactivity timeout for the SSH service Enable or disable the SSH service The SSH service is enabled by default To disable the service or enable it if it has been disabled Web 1 Lo...

Page 415: ...ed with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable or disable the SSH service n To enable the service config service ssh enable true config n To disable the sevice config service ssh enable false config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to ex...

Page 416: ...ngs d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services SSH 4 Optional For Port enter the port number for the service Normally this should not be changed 5 Click Access control list to configure access control n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses...

Page 417: ... dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information about firewall zones d Click again to allow access through additional firewall zones 6 Multicast DNS mDNS is enabled by default mDNS is a protoc...

Page 418: ... To limit access to specified IPv4 addresses and networks config add service ssh acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the SSH service Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addres...

Page 419: ...ice ssh acl zone end value Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loo...

Page 420: ...m SSH configuration settings a Enable custom configurations config service ssh custom enable true config b To override the standard SSH configuration and only use the config_file parameter config service ssh custom override true config n If override is set to true entries in Configuration file will be used in place of the standard SSH configuration n If override is set to false entries in Configur...

Page 421: ... 421 8 Save the configuration and apply the change config save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 422: ... the user s ssh directory The private and public keys are named id_rsa and id_rsa pub If you need to generate an SSH key pair you can use the ssh keygen application For example the following entry generates an RSA key pair in the user s ssh directory ssh keygen t rsa f ssh id_rsa The private key file is named id_rsa and the public key file is named id_rsa pub The pub extension is automatically app...

Page 423: ...e configuration and apply the change Command line You can add configure passwordless SSH login for an existing user or include the support when creating a new user See User authentication for information about creating a new user These instructions assume an existing user named temp_user 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as...

Page 424: ...blic SSH key which you can enter by pasting or typing a public encryption key that this user can use for passwordless SSH login 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 425: ...n Multicast DNS mDNS support See Set the idle timeout for IX10 users for information about setting the inactivity timeout for the telnet service Enable the telnet service The telnet service is disabled by default To enable the service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate you...

Page 426: ...with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the telnet service config service telnet enable true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access sel...

Page 427: ...net 4 Optional For Port enter the port number for the service Normally this should not be changed 5 Click Access control list to configure access control n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s telnet service Allowed values are l A single IP address or host...

Page 428: ... zone from the dropdown See Firewall configuration for information about firewall zones d Click again to allow access through additional firewall zones 6 Multicast DNS mDNS is disabled by default mDNS is a protocol that resolves host names in small networks that do not have a DNS server To enable mDNS click Enable mDNS 7 Click Apply to save the configuration and apply the change Command line 1 Sel...

Page 429: ...ice config add service telnet acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth ETH loopback Loopback modem Modem config Repeat this step to list add...

Page 430: ...t setting of 23 normally should not be changed config service telnet port 25 config 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure DNS The IX10 device includes a caching DNS server which forwards...

Page 431: ...t names and their IP addresses The device is configured by default with the hostname digi device which corresponds to the 192 168 210 1 IP address To configure the DNS server Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and...

Page 432: ...a specified interface on the IX10 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface from the dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information a...

Page 433: ...cess rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Configure access control n To limit access to specified IPv4 addresses and networks config add service dns acl address end value config Where value can be l A single IP address or host ...

Page 434: ...lt IP defaultlinklocal Default Link local IP eth ETH loopback Loopback modem Modem config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service dns acl zone end value Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zo...

Page 435: ...6 Optional Rebind protection By default rebind protection is disabled If enabled this prevents upstream DNS servers from returning private IP addresses To enable config service dns stop_dns_rebind false config 7 Optional Allow localhost rebinding By default localhost rebinding is enabled by default if rebind protection is enabled This is useful for Real time Black List RBL servers To disable confi...

Page 436: ... the change config save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show DNS server You can display status for DNS servers This command is available only at the Admin CLI Command line Show DNS information 1 Select the device in Remote Manager and click Action...

Page 437: ...h1 fe80 227 4ff fe2b ae12 eth1 fe80 227 4ff fe44 105b eth1 fe80 240 ffff fe80 23b0 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 438: ...onfigure the SNMP access control list to allow the device to receive the packets See Configure Simple Network Management Protocol SNMP Configure Simple Network Management Protocol SNMP Required configuration items n Enable SNMP n Firewall configuration using access control to allow remote connections to the SNMP agent n The user name and password used to connect to the SNMP agent Additional config...

Page 439: ...llowed values are l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the SNMP agent d Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network tha...

Page 440: ...es in small networks that do not have a DNS server To enable mDNS click Enable mDNS 10 Optional Select the Authentication type either MD5 or SHA The default is MD5 11 Optional Type the Privacy passphrase If not set the password entered above is used 12 Optional Select the Privacy protocol either DES or AES The default is DES 13 Optional Click Enable version 2c access to enable read only access to ...

Page 441: ...s the SNMP service Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX10 device config add service snmp acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interface...

Page 442: ...username name config 6 Set the password for the user that will be used to connect to the SNMP agent config service snmp password pwd config 7 Optional Set the port number for the SNMP agent The default is 161 config service snmp port port config 8 Optional Configure Multicast DNS mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server For the SNMP agent mDN...

Page 443: ...ng on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Download MIBs This procedure is available from the WebUI only Required configuration items n Enable SNMP To download a zip archive of the SNMP MIBs supported by this device Web 1 Log into the IX10 WebUI as a user with Admin access 2 Enable SNMP See Configure Simple Network Man...

Page 444: ...Services Simple Network Management Protocol SNMP IX10 User Guide 444 The SNMP page is displayed 4 Click Download ...

Page 445: ... device to forward location messages either from the IX10 device or from external sources to a remote host Additionally the device can be configured to use a geofence to allow you to determine actions that will be taken based on the physical location of the device This section contains the following topics Configure the location service 446 Enable or disable modem GNSS support 448 Configure the de...

Page 446: ...er or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Cl...

Page 447: ...d based on the order that the location sources are listed here 7 For information about configuring Destination servers see Forward location information to a remote host 8 For information about configuring Geofence see Configure geofencing 9 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX...

Page 448: ... Type quit to disconnect from the device Enable or disable modem GNSS support To disable support for the modem s GNSS receiver or enable it if it has been disabled Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage you...

Page 449: ...icon next to the modem location source b Click Delete 8 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CL...

Page 450: ...ation source config service location source 0 label label config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure the device to use a user defined static location You can configured your IX10 devic...

Page 451: ...or to enable it if it has been disabled 8 For Latitude type the latitude of the device Allowed values are 90 and 90 with up to six decimal places 9 For Longitude type the longitude of the device Allowed values are 180 and 180 with up to six decimal places 10 For Altitude type the altitude of the device Allowed values are an integer followed by m or km for example 100m or 1km 11 Click Apply to save...

Page 452: ... the device config service location source coordinates latitude int config service location source where int is any integer between 90 and 90 with up to six decimal places 7 Set the longitude of the device config service location source coordinates longitude int config service location source where int is any integer between 180 and 180 with up to six decimal places 8 Set the altitude of the devic...

Page 453: ...DP port on the IX10 device that will be used to listen for incoming messages Required configuration items n The location server must be enabled n UDP port that the IX10 device will listen to for incoming location messages n Access control list configuration to provide access to the port through the firewall To configure the device to accept location messages from external sources Web 1 Log into Di...

Page 454: ...for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the location server UDP port d Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s location server UDP port Allowed values are l A single...

Page 455: ...dmin CLI 2 At the command line type config to enter configuration mode config config 3 Add a location source config add service location source end config service location source 4 Optional Set a label for this location source config service location source label label config service location source 5 Set the type of location source to server config service location source type server config servi...

Page 456: ...on messages will be forwarded n Location update interval which determines how often the device will forward location information to the remote hosts n A description of the remote hosts n Specific types of NMEA or TAIP messages that should be forwarded n If the message protocol is NMEA configure a talker ID to be used for all messages n Text that will be prepended to the forwarded message n A vehic...

Page 457: ...ward interval multiplier select the number of Location update intervals to wait before forwarding location data to this server See Configure the location service for more information about setting the Location update interval 10 For NMEA filters select the filters that represent the types of messages that will be forwarded By default all message types are forwarded n To remove a filter a Click the...

Page 458: ...ected a Select a Talker ID The talker ID is a two character prefix in the NMEA message that identifies the source type The talker ID set here will override the talker ID from all sources and all forwarded sentences will use the configured ID The default setting is Default which means that the talker ID provided by the source will be used b Determine the Behavior when fix is invalid n None No messa...

Page 459: ...TCP or UDP port on the remote host to which location messages will be sent config service location forward 0 server_port 8000 config service location forward 0 7 Set the number of Location update intervals to wait before forwarding location data to this server See Configure the location service for more information about setting the Location update interval config service location forward 0 interv...

Page 460: ...value is one of n none No messages are sent n empty Send messages with empty fields n last_fix Send messages with information from the last valid fix The default is empty 9 Optional Set the text to prepend to the forwarded message Two variables can be included in the prepended text n s Includes the IX10 device s serial number in the prepended text n v Includes the vehicle ID in the prepended text ...

Page 461: ...type a Use the show command to determine the index number of the message type to be deleted config service location forward 0 show filter_nmea 0 gga 1 gll 2 gsa 3 gsv 4 rmc 5 vtg config service location forward 0 b Use the index number to delete the message type For example to delete the gsa index number 2 message type config service location forward 0 del filter_nmea 2 config service location for...

Page 462: ...ip config service location forward 0 filter_taip b Use the add command to add the message type For example to add the id message type config service location forward 0 filter_taip add id end config service location forward 0 filter_taip 13 Save the configuration and apply the change config save Configuration saved 14 Type exit to exit the Admin CLI Depending on your device configuration you may be...

Page 463: ...ts For each event type l Determine if the action s associated with the event type should be performed when the device boots inside or outside of the geofence boundary l The number of update intervals that should take place before the action s are taken Multiple actions can be configured for each type of event For each action l The type of action either a factory erase or executing a custom script ...

Page 464: ...off Enable 5 For Update interval type the amount of time that the geofence should wait between polling for updated location data The default is one minute Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Update interval to ten minutes enter 10m or 600s 6 For Boundary type select the type of boundary that the geofence will ...

Page 465: ...epresents a vertex of the polygon A vertex is the point at which two sides of a polygon meet c Type the Latitude and Longitude of one of the vertices of the polygon Allowed values are l For Latitude any integer between 90 and 90 with up to six decimal places l For Longitude any integer between 180 and 180 with up to six decimal places d Click again to add an additional point and continue adding po...

Page 466: ...tion when the action is triggered l Custom script to execute a custom script when the action is triggered If Custom script is selected i Click to expand Custom script ii For Commands type the script that will be executed when the action is triggered If the script begins with then the proceeding file path will be used to invoke the script interpreter If not then the default shell will be used iii E...

Page 467: ...ipt when the action is triggered If Custom script is selected i Click to expand Custom script ii For Commands type the script that will be executed when the action is triggered If the script begins with then the proceeding file path will be used to invoke the script interpreter If not then the default shell will be used iii Enable Log script output to log the output of the script to the system log...

Page 468: ...nable false config service location geofence test_geofence 4 Set the amount of time that the geofence should wait between polling for updated location data config service location geofence test_geofence update_interval value config service location geofence test_geofence where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set update...

Page 469: ...meet i Add a vertex config service location geofence test_geofence add coordinates end config service location geofence test_geofence coordinates 0 ii Set the latitude and longitude of the vertex config service location geofence test_geofence coordinates 0 latitude int config service location geofence test_geofence coordinates 0 longitude int config service location geofence test_geofence coordina...

Page 470: ...ervice location geofence test_geofence coordinates add end config service location geofence test_geofence coordinates 1 latitude 44 927220 config service location geofence test_geofence coordinates 1 longitude 93 39589 config service location geofence test_geofence coordinates 1 config service location geofence test_geofence coordinates add end config service location geofence test_geofence coordi...

Page 471: ...prior to performing the actions config service location geofence test_geofence on_entry num_ intervals int config For example if the update interval is 1m one minute and the num_intervals is set to 3 the actions will not be performed until the device has been inside the geofence for three minutes c Add an action i Type to return to the root of the configuration config service location geofence tes...

Page 472: ...ervice location geofence test_geofence on_entry action 0 syslog_stdout true config service location geofence test_geofence on_entry action 0 iii To log the errors from the script to the system log config service location geofence test_geofence on_entry action 0 syslog_stderr true config service location geofence test_geofence on_entry action 0 iv Optional Set the maximum amount of system memory th...

Page 473: ...ion geofence test_geofence on_exit bootup true config b Set the number of update_intervals that must take place prior to performing the actions config service location geofence test_geofence on_exit num_ intervals int config For example if the update interval is 1m one minute and the num_intervals is set to 3 the actions will not be performed until the device has been outside the geofence for thre...

Page 474: ...ce location geofence test_geofence on_exit action 0 iii To log the errors from the script to the system log config service location geofence test_geofence on_exit action 0 syslog_stderr true config service location geofence test_geofence on_exit action 0 iv Optional Set the maximum amount of system memory that will be available for the script and it spawned processes config service location geofen...

Page 475: ... about location information from either the WebUI or the command line Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the main menu click Status 3 Under Services click Location The device s current location is displayed along with the status of any configured geofences Command line Show location information 1 Select the device in Remote Manager and click Actions Open Console or log ...

Page 476: ...location geofence command at the system prompt show location geofence Geofence Status State Transitions Last Transition test_geofence Up Inside 0 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Modbus gateway The IX10 supports the ability to function as a Modbus gateway to provide se...

Page 477: ...ection type is serial o The serial port to be used l Modbus address or addresses to determine if messages should be forwarded to a destination device Additional configuration items n Server configuration l The packet mode l The maximum time between bytes in a packet l If the connection type is set to socket o The port to use o The inactivity timeout o Access control list l If the connection type i...

Page 478: ... full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Modbus Gateway 4 Click Enable to ...

Page 479: ...cket mode select RTU or RAW if Connection type is set to Socket or ASCII if Connection typeis set to Serial for the type of packet that will be used by this connection The default is RTU 6 For Packet idle gap type the maximum allowable time between bytes in a packet Allowed values are between 10 milliseconds and one second and take the format number ms s For example to set Packet idle gap to 20 mi...

Page 480: ...ss or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the web administration service d Click again to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX10 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface f...

Page 481: ...y this connection The default is RTU 6 For Packet idle gap type the maximum allowable time between bytes in a packet Allowed values are between 10 milliseconds and one second and take the format number ms s For example to set Packet idle gap to 20 milliseconds enter 20ms 7 If Connection type is set to Socket for Inactivity timeout type the amount of time to wait before disconnecting the socket whe...

Page 482: ... For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information about firewall zones d Click again to allow access through additional firewall zones 10 Optional Enable Send broadcast messages to configure the gateway to send broadcast messages to this client 11 For Response timeout type the maximum time to wait for a response to a me...

Page 483: ...n different buses For example if there are two devices on two different buses that have the same Modbus address of 10 you can create two clients on the gateway n Client one l Modbus address filter set to 10 This will configure the gateway to deliver all messages that have the Modbus server address of 10 to this device n Client two l Modbus address filter set to 20 l Adjust Modbus server address se...

Page 484: ...either socket or serial The default is socket n If connection_type is set to socket i Set the IP protocol config service modbus_gateway server test_modbus_server socket protocol value config service modbus_gateway server test_modbus_server where value is either tcp or udp ii Set the port config service modbus_gateway server test_modbus_server socket port config service modbus_gateway server test_m...

Page 485: ...enter either 10m or 600s config service modbus_gateway server test_modbus_server inactivity_timeout 600s config service modbus_gateway server test_modbus_server n If connection_type is set to serial i Set the serial port i Use the to determine available serial ports config service modbus_gateway server test_modbus_ server serial port Serial Additional Configuration port1 Port 1 config service modb...

Page 486: ...d service modbus_gateway server test_modbus_server config b Add a client config add service modbus_gateway client name config service modbus_gateway client name where name is a name for the client for example config add service modbus_gateway client test_modbus_client config service modbus_gateway client test_modbus_client The Modbus client is enabled by default To disable config service modbus_ga...

Page 487: ...between 10 milliseconds and one second and take the format number ms s For example to set idle_gap to 20 milliseconds enter 20ms v Set the amount of time to wait before disconnecting the socket when it has become inactive config service modbus_gateway client test_modbus_client inactivity_timeout value config service modbus_gateway client test_modbus_client where value is any number of minutes or s...

Page 488: ...t serial packet_mode value config service modbus_gateway client test_modbus_client where value is either rtu or ascii The default is rtu iii Set the maximum allowable time between bytes in a packet config service modbus_gateway client test_modbus_client serial idle_gap value config service modbus_gateway client test_modbus_client where value is any number between 10 milliseconds and one second and...

Page 489: ... more of the filters the message is forwarded If it does not match the filters the message is not forwarded Allowed values are 1 through 255 or a hyphen separated range For example n To have this client filter for incoming messages that contain the Modbus address of 10 set the index 0 entry to 10 config service modbus_gateway client test_modbus_client filter 0 10 config service modbus_gateway clie...

Page 490: ...This allows you to configure clients on the gateway that will forward messages to remote devices with the same Modbus address on different buses For example if there are two devices on two different buses that have the same Modbus address of 10 you can create two clients on the gateway n Client one l filter set to 10 This will configure the gateway to deliver all messages that have the Modbus serv...

Page 491: ... device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show modbus gateway command at the system prompt show modbus gateway Server Connection IP Address Port Uptime modbus_socket 10 4...

Page 492: ...ections 4 Packet Errors 0 RX Broadcasts 0 RX Requests 12 TX Exceptions 0 TX Responses 12 Clients modbus_socket_41 Address Translation Errors 0 Connection Errors 0 Packet Errors 0 RX Responses 4 RX Timeouts 0 TX Broadcasts 0 TX Requests 4 modbus_socket_21 Address Translation Errors 0 Connection Errors 0 Packet Errors 0 RX Responses 4 RX Timeouts 0 TX Broadcasts 0 TX Requests 4 modbus_serial_client ...

Page 493: ...X10 User Guide 493 RX Timeouts 0 TX Broadcasts 0 TX Requests 4 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 494: ...NTP server providing NTP services to downstream devices See Network Time Protocol for more information about NTP server support You can also set the local date and time manually if there is no access to NTP servers See Manually set the system date and time for information Configure the system time This procedure is optional The IX10 device s default system time configuration uses the Digi NTP serv...

Page 495: ... default value of the NTP server a Click NTP servers b For Server type a new server name n To add an NTP server a Click NTP servers b For Add Server click c For Server enter the hostname of the upstream NTP server that the device will use to synchronize its time d Click to add additional NTP servers If multiple servers are included servers are tried in the order listed until one succeeds Note This...

Page 496: ...r log messages It also affects actions that occur at a specific time of day Format Africa Abidjan Africa Accra Africa Addis_Ababa config 4 Optional Add an upstream NTP server that the device will use to synchronize its time to the appropriate location in the list of NTP servers The default setting is time devicecloud com n To delete the default NTP server time devicecloud com config del service nt...

Page 497: ... Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Test the configured NTP servers for connectivity system time test Testing NTP server time devicecloud com on UDP port 123 server 52 2 40 158 stratum 2 offset 0 000216 delay 0 05800 server 35 164 164 69 stratum 2 offset 0 000991 delay 0 07188 24 Aug 22 ...

Page 498: ...l command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Set the device s local date and time system time set value where value is the The date in year month day hour minute second format For example system time set 2022 05 31 9 03 04 3 Type exit to exit the Admin CLI Depend...

Page 499: ...etting is the Digi NTP server time devicecloud com Additional Configuration Options n Additional upstream NTP servers n Access control list to limit downstream access to the IX10 device s NTP service n The time zone setting if the default setting of UTC is not appropriate To configure the IX10 device s NTP service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full ...

Page 500: ...ck again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s NTP service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses ...

Page 501: ...pstream NTP server that the device will use to synchronize its time d Click to add additional NTP servers If multiple servers are included servers are tried in the order listed until one succeeds Note This list is synchronized with the list of servers included with NTP client configuration and changes made to one will be reflected in the other See Configure the system time for more information abo...

Page 502: ... service ntp server 1 time server com config Note This list is synchronized with the list of servers included with NTP client configuration and changes made to one will be reflected in the other See Configure the system time for more information about NTP client configuration 5 Allow the device s local system clock to be used as backup time source config service ntp local true config 6 Optional Co...

Page 503: ...erfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth ETH loopback Loopback modem Modem config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service ntp acl zone end value Where value is a firewall zone defined o...

Page 504: ...wing command config system time timezone Timezone The timezone for the location of this device This is used to adjust the time for log messages It also affects actions that occur at a specific time of day Format Africa Abidjan Africa Accra Africa Addis_Ababa config 8 Save the configuration and apply the change config save Configuration saved 9 Type exit to exit the Admin CLI Depending on your devi...

Page 505: ...Remote Refid ST T When Poll Reach Delay Offset Jitter ec2 52 2 40 158 129 6 15 32 2 u 191 1024 377 33 570 1 561 0 991 128 136 167 120 128 227 205 3 3 u 153 1024 1 43 583 1 895 0 382 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a multicast route Multicast routing allows a...

Page 506: ...isable toggle off Enable 6 Type the Source address for the route This must be a multicast IP address between 224 0 0 1 and 239 255 255 255 7 Select a Source interface where multicast packets will arrive 8 To add one or more destination interface that the IX10 device will send mutlicast packets to a Click to expand Destination interfaces b Click c For Destination interface select the interface d Re...

Page 507: ...rvice multicast test dst ip address config service multicast test 6 Set the source interface for the route where multicast packets will arrive a Use the to determine available interfaces b Set the interface For example config service multicast test src_interface network interface eth1 config service multicast test 7 Set a destination interface that the IX10 device will send mutlicast packets to a ...

Page 508: ...cess the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Service Discovery mDNS 4 Enable the mDNS service 5 Click Access...

Page 509: ... limit access to hosts connected through a specified interface on the IX10 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface from the dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See...

Page 510: ...t name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the mDNS service Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX10 device config add service mdns acl interface end value config Where value is an interface defined on your device Display a...

Page 511: ...n your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Use the iPerf service Your IX10 device includes an iPerf3 server that you can use to test the performance of your network iPerf3 is a command line tool that measures the maximum network throughput an interface can handle This is useful when diagnosing network speed issues to deter...

Page 512: ...evice will automatically configure its firewall rules to allow incoming connections on the configured listening port You can restrict access by configuring the access control list for the iPerf server To enable the iPerf3 server Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your devi...

Page 513: ...t to IPv4 addresses that can access the iperf service d Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s iperf service Allowed values are l A single IP address or host name l A network designation in CIDR notat...

Page 514: ...onfig 3 Enable the iPerf server config service iperf enable true config 4 Optional Set the port number for the iPerf server listening port The default is 5201 config service iperf port port_number config 5 Optional Set the access control list to restrict access to the iPerf server n To limit access to specified IPv4 addresses and networks config add service iperf acl address end value config Where...

Page 515: ...ditional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth ETH loopback Loopback modem Modem config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service iperf acl zone end value Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at t...

Page 516: ... 2 00 sec 28 4 MBytes 238 Mbits sec 29 1 39 MBytes 4 2 00 3 00 sec 29 8 MBytes 250 Mbits sec 0 1 46 MBytes 4 3 00 4 00 sec 31 2 MBytes 262 Mbits sec 0 1 52 MBytes 4 4 00 5 00 sec 32 1 MBytes 269 Mbits sec 0 1 56 MBytes 4 5 00 6 00 sec 32 5 MBytes 273 Mbits sec 0 1 58 MBytes 4 6 00 7 00 sec 33 9 MBytes 284 Mbits sec 0 1 60 MBytes 4 7 00 8 00 sec 33 7 MBytes 282 Mbits sec 0 1 60 MBytes 4 8 00 9 00 s...

Page 517: ...Configuration window is displayed 3 Click Services Ping responder The ping responder service is enabled by default Click Enable to disable all ping responses 4 Click to expand Access control list to restrict ping responses to specified IP address interfaces and or zones n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the...

Page 518: ...rough additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information about firewall zones d Click again to allow access through additional firewall zones 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remo...

Page 519: ...host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the service type Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX10 device config add service iperf acl interface end value config Where value is an interface defined on your device Displ...

Page 520: ...pending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Example performance test using iPerf3 On a remote host with Iperf3 installed enter the following command iperf3 c device_ip where device_ip is the IP address of the IX10 device For example iperf3 c 192 168 2 1 Connecting to host 192 168 2 1 port 5201 4 local 192 168 3 100...

Page 521: ...es 4 7 00 8 00 sec 33 7 MBytes 282 Mbits sec 0 1 60 MBytes 4 8 00 9 00 sec 33 5 MBytes 281 Mbits sec 0 1 60 MBytes 4 9 00 10 00 sec 33 2 MBytes 279 Mbits sec 0 1 60 MBytes ID Interval Transfer Bandwidth Retr 4 0 00 10 00 sec 315 MBytes 264 Mbits sec 37 sender 4 0 00 10 00 sec 313 MBytes 262 Mbits sec receiver iperf Done ...

Page 522: ...stem restarts at specific intervals or at a specified time This chapter contains the following topics Develop Python applications 523 Run a Python application at the shell prompt 526 Start an interactive Python session 528 Python modules 529 Configure scripts to run automatically 563 Configure scripts to run manually 570 Start a manual script 576 Stop a script that is currently running 577 Show sc...

Page 523: ... and test a Python application In addition to the standard Python library the IX10 includes a set of extensions to access its configuration and interfaces See Python modules The IX10 provides you with the ability to n Run Python applications on the device interactively or from a file n Specify Python applications and other scripts to be run each time the device system restarts at specific interval...

Page 524: ...uration see the following topics n Change the default LAN subnet n Change the LAN address type n Allow remote access for web administration and SSH 4 Enable service discovery mDNS a Click Services Service Discovery mDNS b Enable the mDNS service Note For more information see Enable service discovery mDNS 5 Configure SSH access a Click Services SSH b Click Enable Note For more information see the f...

Page 525: ...with your Digi device through the integrated SSH console to see the application output or execute quick tests Manually install and launch an application To create build and launch your application 1 Write your Python application code Code can include n Any Python 3 6 standard feature n Access to the IX10 configuration and hardware with the Python modules n Third party modules included in the IX10 ...

Page 526: ...ompletes displaying output and prompting for additional user input if needed To interrupt the application enter CTRL C Note Python applications cannot be run from the Admin CLI You must access the device shell in order to run Python applications from the command line See Authentication groups for information about configuring authentication groups that include shell access 1 Upload the Python appl...

Page 527: ...h full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI b At the command line use the scp command to upload the Python application script to the IX10 device scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remo...

Page 528: ... ports storage Start an interactive Python session Use the python command without specifying any parameters to start an interactive Python session The Python session operates interactively using REPL Read Evaluate Print Loop to allow you to write Python code on the command line Note The Python interactive session is not available from the Admin CLI You must access the device shell in order to run ...

Page 529: ...ious extensions that allow Python to interact with additional features offered by the device 4 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Python modules The IX10 supports Python 3 6 and provides you with the ability to run Python applications on the device interactively or from a file It also offers extensions to manage your IX10 ...

Page 530: ...ce module The Python digidevice module provides platform specific extensions that allow you to interact with the device s configuration and interfaces The following submodules are included with the digidevice module This section contains the following topics ...

Page 531: ...n command with no parameters to enter an interactive Python session python Python 3 10 1 default May 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Execute a CLI command using the cli execute command function For example to print the system status and statistics to stdout using the show system c...

Page 532: ...n Python 3 10 1 default May 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Use the help command with cli execute help cli execute Help on function execute in module digidevice cli execute command timeout 5 Execute a CLI command with the timeout specified returning the results 5 Use Ctrl D to exi...

Page 533: ...021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the datapoint submodule and other necessary modules from digidevice import datapoint import time 4 Upload the datapoints to Remote Manager datapoint upload Velocity 69 units mph datapoint upload Temperature 24 geo_location 54 409469 1 718836 129 datapoint upload Emergency_Door closed timestamp time...

Page 534: ...igi Remote Manager Programmers Guide for more information on web services and datapoints Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint upload and datapoint upload_multiple 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click...

Page 535: ...configuration Use the config Python module to access and modify the device configuration Read the device configuration 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the IX10 local command line as a user with shell access Depending on your device configuration you may be presented with an Access s...

Page 536: ...nfig load interfaces cfg get network interfaces print interfaces get lan ipv4 address Which returns 192 168 2 1 24 Modify the device configuration Use the set and commit methods to modify the device configuration 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the IX10 local command line as a user ...

Page 537: ...guration by accessing help for digidevice config 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the IX10 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell pro...

Page 538: ...odule on your IX10 device to create a response 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the IX10 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell promp...

Page 539: ... device d Click Add e Click OK 3 Click Examples SCI Data Service Send Request Code similar to the following will be displayed in the HTTP message body text box sci_request version 1 0 data_service targets device id 00000000 00000000 0000FFFF A83CF6A3 targets requests device_request target_name myTarget my payload string device_request requests data_service sci_request Note The value of the target_...

Page 540: ...ef status_cb error_code error_description if error_code 0 print error handling showSystem device request s error_ description device_request register showSystem handler status_callback status_ cb Do not let the process finish so that it handles device requests while True time sleep 10 2 Upload the showsystem py application to the etc config scripts directory on two or more Digi devices In this exa...

Page 541: ...evice ii Click the Device ID iii Click Settings iv Click to expand Config Web UI i On the menu click System Under Configuration click Device Configuration The Configuration window is displayed iii Click System Scheduled tasks Custom scripts iv Click to add a custom script v For Label type Show system application vi For Run mode select On boot vii For Exit action select Restart script ...

Page 542: ...tion entry config add system schedule script end config system schedule script 0 Scheduled scripts are enabled by default To disable config system schedule script 0 enable false config system schedule script 0 iv Provide a label for the script config system schedule script 0 label Show system application v Configure the application to run automatically when the device reboots config system schedul...

Page 543: ... Console Alternatively log into the IX10 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell ii Type the following at the shell prompt python etc config scripts showsystem py iii Exit the shell exit 4 In Remote Manager click Documentation API Explorer 5 Select the devices to u...

Page 544: ...reply version 1 0 data_service device id 00000000 00000000 0000FFFF A83CF6A3 requests device_request target_name showSystem status 0 Model Digi IX10 Serial Number IX10 000068 Hostname IX10 MAC 00 40 D0 13 35 36 Hardware Version 50001959 01 A Firmware Version 22 5 50 62 Bootloader Version 1 Firmware Build Date Mon 13 June 2022 20 07 32 Schema Version 461 Timezone UTC Current Time Wed 31 May 2022 9 ...

Page 545: ... MB Disk tmp Usage 0 004MB 40 96MB 0 Disk var Usage 0 820MB 32 768MB 3 device_ request requests device data_service sci_request Help for using Python to respond to Digi Remote Manager SCI requests Get help for respond to Digi Remote Manager Server Command Interface SCI requests by accessing help for digidevice device_request 1 Select a device in Remote Manager that is configured to allow shell acc...

Page 546: ...h device_request unregister help device_request unregister Help on function unregister in module digidevice device_request unregister target str bool 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Use digidevice runtime to access the runtime database Use the runt submodule to access and modify the device runtime database Read from the runtime database Use ...

Page 547: ...ork pam serial system b Print available keys for the system key print runt keys system This will return the following boot_count chassis cpu_temp cpu_usage disk load_avg local_time mac mcu model ram serial uptime c Use the get method to print the device s MAC address print runt get system mac This will return the MAC address of the device 6 Use the stop method to close the runtime database 7 Use C...

Page 548: ...y value 6 Use the get method to verify the change print runt get my variable my variable 7 Close the runtime database runt stop 8 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for using Python to access the runtime database Get help for reading and modifying the device runtime database by accessing help for digidevice runt 1 Select a device in Remote M...

Page 549: ...be removed from the previous device and added to the new device n If Remote Manager is configured to apply a profile to a device based on the device name changing the name of the device may cause Remote Manager to automatically push a profile onto the device Together these two features allow you to swap one device for another by using the name submodule to change the device name while guaranteeing...

Page 550: ...ght credits or license for more information 3 Import the name submodule from digidevice import name 4 Upload the name to Remote Manager name upload my_name 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Managerby accessing help for digidevice nam...

Page 551: ...can be subsequently updated by using the update method Determine if the device s location 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the IX10 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to a...

Page 552: ...n You can also exit the session using exit or quit Update the location data The location submodule takes a snapshot of the current location and stores it in the runtime database You can update this snapsot 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the IX10 local command line as a user with sh...

Page 553: ... user and click Actions Open Console Alternatively log into the IX10 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no parameters to enter an interactive Python session python Python 3 10 1 default May 9 2021 22 49 59 GCC ...

Page 554: ... source_idx 1 label gnss source_idx 1 quality No Fix Invalid state Enabled signal utc_date_time May 05 2022 9 03 04 vertical_velocity 0 0 6 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for the digidevice location module Get help for the digidevice location module 1 Select a device in Remote Manager that is configured to allow shell access to the admin...

Page 555: ... details 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the IX10 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no param...

Page 556: ...ess selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no parameters to enter an interactive Python session python Python 3 10 1 default May 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the maintenance submodule from digidevice import maintenance 4 Use the help command with maintenance he...

Page 557: ...he local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Sched...

Page 558: ...nfig to enter configuration mode config config 3 At the config prompt type config system schedule sms_script_handling true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device See Configure scripts to run...

Page 559: ...rint exception occured while waiting print err COND release my_callback unregister_callback Use Python to access serial ports You can use the Python serial module to access serial ports on your IX10 device that are configured to be in Application mode See Configure Application mode for information about configuring a serial port in Application mode To use Python to access serial ports 1 Select a d...

Page 560: ...us applications including cloud based applications such as Amazon Web Services and Microsoft Azure The following is example code that reads CPU and RAM usage on the device updates the device firmware then publishes information about DHCP clients and system information to the MQTT server at 192 168 1 100 The MQTT server IP is configurable MQTT client example Reporting some device metrics from runt ...

Page 561: ...date file fname 60 except print Failed to run firmware update command return HTTPStatus INTERNAL_SERVER_ERROR if not Firmware update completed in ret print Failed to update firmware return HTTPStatus INTERNAL_SERVER_ERROR finally os remove fname print Firmware update finished return HTTPStatus OK CMD_HANDLERS reboot cmd_reboot fw update cmd_fwupdate def send_cmd_reply client cmd_path cid cmd statu...

Page 562: ...oad cid m cid cmd m cmd try payload m params except payload None except print Invalid command format format msg payload if not cid Return if client ID not passed return None send_cmd_reply client msg topic cid cmd HTTPStatus BAD_REQUEST try status CMD_HANDLERS cmd payload except print Invalid command format cmd status HTTPStatus NOT_IMPLEMENTED send_cmd_reply client msg topic cid cmd status def pu...

Page 563: ...ial runt get system serial PREFIX router serial PREFIX_EVENT event PREFIX PREFIX_CMD cmd PREFIX PREFIX_RSP rsp PREFIX client mqtt Client client on_connect on_connect client on_message on_message try client connect 192 168 1 100 1883 60 client loop_start except print Failed to connect to MQTT server sys exit 1 while True publish_dhcp_leases publish_system time sleep POLL_TIME Configure scripts to r...

Page 564: ...ipt finishes The actions that can be taken are l None l Restart the script l Reboot the device n Whether to write the script output and errors to the system log n If the script is set to run at a specified interval whether another instance of the script should be run at the specified interval if the previous instance is still running n The memory available to be used by the script n Whether the sc...

Page 565: ... address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the IX10 device n local path is the location on the IX10 device where the copied file will be placed For example To upload a script from a remote host with an IP address of 192 168 4 1 to the etc config scripts directory on t...

Page 566: ...n Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks Custom scripts 4 For Add Script click The script configuration window is disp...

Page 567: ...lick to enable Run single to run only a single instance of the script at a time If Run single is not enabled a new instance of the script will be started at every interval regardless of whether the script is still running from a previous interval n Set time Runs the script at a specified time of the day l If Set Time is selected specify the time that the script should run in Run time using the for...

Page 568: ...cess rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a script config add system schedule script end config system schedule script 0 Scheduled scripts are enabled by default To disable config system schedule script 0 enable false confi...

Page 569: ...true config system schedule script 0 If once is set to false a new instance of the script will be started at every interval regardless of whether the script is still running from a previous interval n set_time Runs the script at a specified time of the day l If set_time is set set the time that the script should run using the format HH MM config system schedule script 0 run_time HH MM config syste...

Page 570: ...cript 0 If once is enabled rebooting the device will cause the script to run again The only way to re run the script is to n Remove the script from the device and add it again n Make a change to the script n Disable once 10 Sandbox is enabled by default This option protects the script from accidentally destroying the system it is running on config system schedule script 0 sandbox true config syste...

Page 571: ...stem The File System page appears 3 Highlight the scripts directory and click to open the directory 4 Click upload 5 Browse to the location of the script on your local machine Select the file and click Open to upload the file The uploaded file is uploaded to the etc config scripts directory Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local...

Page 572: ... home admin bin test py local etc config scripts to local admin 192 168 4 1 s password adminpwd test py 100 36MB 11 1MB s 00 03 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Note You can also create scripts by using the vi command when logged in with shell access Task two Configure...

Page 573: ...The script configuration window is displayed Custom scripts are enabled by default To disable toggle off Enable to toggle off 5 Optional For Label provide a label for the script 6 For Run mode select Manual 7 For Commands enter the commands that will execute the script If the script begins with then the script will be invoked in the location specified by the path for the script command Otherwise t...

Page 574: ...ain The only way to re run the script is to n Remove the script from the device and add it again n Make a change to the script n Uncheck Once 12 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configura...

Page 575: ...yslog_stdout and syslog_stderr are not enabled only the script s exit code is written to the system log 8 Set the maximum amount of memory available to be used by the script and its subprocesses config system schedule script 0 max_memory value config system schedule script 0 where value uses the syntax number b bytes KB k MB MB M GB G TB T 9 To run the script only once at the specified time config...

Page 576: ... Scripts page displays 3 For scripts that are enabled and configured to have a run mode of Manual click Start Script to start the script Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin ...

Page 577: ...in access 2 At the Status page click Scripts The Scripts page displays 3 For scripts that are currently running click Stop Script to stop the script Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu...

Page 578: ...tatistics about location information from either the WebUI or the command line Web 1 Log into the IX10 WebUI as a user with Admin access 2 At the Status page click Scripts The Scripts page displays Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration y...

Page 579: ...pt information IX10 User Guide 579 1 script2 true idle 01 00 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 580: ...1 Authentication groups 589 Local users 600 Terminal Access Controller Access Control System Plus TACACS 613 Remote Authentication Dial In User Service RADIUS 620 LDAP 626 Configure serial authentication 633 Disable shell access 636 Set the idle timeout for IX10 users 638 Example user configuration 641 IX10 User Guide 580 ...

Page 581: ...ns for a group You can modify the released groups and create additional groups as needed for your site A user can be assigned to more than one group n admin Provides the logged in user with administrative and shell access n serial Provides the logged in user with access to serial ports Users Defines local users for the IX10 n admin Belongs to both the admin and serial groups TACACS Configures supp...

Page 582: ...tion Dial In User Service RADIUS for information about configuring RADIUS authentication n TACACS Users authenticated by using a remote TACACS server for authentication See Terminal Access Controller Access Control System Plus TACACS for information about configuring TACACS authentication n LDAP Users authenticated by using a remote LDAP server for authentication See LDAP for information about con...

Page 583: ...te Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displa...

Page 584: ... in the list 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the new authentication method t...

Page 585: ...on in the list use an index value to indicate the appropriate position For example config add auth method 1 auth_type config where auth_type is one of local radius tacacs or ldap n You can also use the move command to rearrange existing methods See Rearrange the position of authentication methods for information about how to reorder the authentication methods 4 Save the configuration and apply the...

Page 586: ...ow is displayed 3 Click Authentication Methods 4 Click the menu icon next to the method and select Delete 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Acc...

Page 587: ...t to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Rearrange the position of authentication methods Web Authentication methods are reordered by changing the method type in the Method drop down for each authentication method to match the appropriate order For example the following configuration ha...

Page 588: ... In the Method drop down select RADIUS 5 Click to expand the second Method 6 In the Method drop down select Local users 7 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be present...

Page 589: ...from the device Authentication groups Authentication groups are used to assign access rights to IX10 users Three types of access rights can be assigned n Admin access Users with Admin access can be configured to have either l The ability to manage the IX10 device by using the WebUI or the Admin CLI l Read only access to the WebUI and Admin CLI n Shell access Users with Shell access have the abilit...

Page 590: ...erial group is configured by default to have Serial access The preconfigured authentication groups cannot be deleted but the access rights defined for the group are configurable This section contains the following topics Change the access rights for a predefined group 591 Add an authentication group 593 Delete an authentication group 598 ...

Page 591: ... device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Groups 4 Click the authentication group to be changed either admi...

Page 592: ... Full access n Serial access n Interactive shell access Shell access is not available if the Allow shell parameter has been disabled See Disable shell access for more information about the Allow shell parameter 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a u...

Page 593: ...enable false config n Shell access l To enable Shell access for the serial group config auth group serial acl shell enable true config Shell access is not available if the Allow shell parameter has been disabled See Disable shell access for more information about the Allow shell parameter n Serial access l To enable Serial access for the admin group config auth group admin acl serial enable true c...

Page 594: ...nitoring To add an authentication group Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configurati...

Page 595: ...ess full provides users of this group with the ability to manage the IX10 device by using the WebUI or the Admin CLI l Read only access read only provides users of this group with read only access to the WebUI and Admin CLI The default is Full access full n Serial access 6 Optional Configure the serial ports to which users of this group have access a Click Serial ports to expand the Serial ports n...

Page 596: ...he box next to Bluetooth scanner access 12 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the co...

Page 597: ...ods config auth group test config b Enable captive portal access rights for users of this group config auth group test acl portal enable true config c Add a captive portal to which users of this group will have access i Determine available portals config show firewall portal portal1 auth none enable true http redirect no interface no message no redirect_url no terms timeout 24h no title config ii ...

Page 598: ...y default the IX10 device has two preconfigured authentication groups admin and serial These groups cannot be deleted To delete an authentication group that you have created Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and ...

Page 599: ...ne as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth group groupname 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exi...

Page 600: ... the device and is the most critical security feature for the device If you reset the device to factory defaults you must log in using the default user and password and you should immediately change the password to a custom password Before deploying or mounting the IX10 device record the default password so you have the information available when you need it even if you cannot physically access th...

Page 601: ...nd Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 Click the username to expand the user s configuration node 5 For Password enter the new password The password must be at least eight characters long and must contain at least one uppercase letter one lowercase letter one number and one spec...

Page 602: ...ve the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config co...

Page 603: ...ups for information about configuring groups Additional configuration items n An alias for the user Because the username cannot contain any special characters such as hyphens or periods an alias allows the user to log in using a name that contains special characters n The number of unsuccessful login attempts before the user is locked out of the system n The amount of time that the user is locked ...

Page 604: ...ger a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 In Add User type a name for the user and click The user configuration window is displayed ...

Page 605: ...expand Login failure lockout The login failure lockout feature is enabled by default To disable toggle off Enable a For Lockout tries type the number of unsuccessful login attempts before the user is locked out of the device The default is 5 b For Lockout duration type the amount of time that the user is locked out after the number of unsuccessful login attempts defined in Lockout tries Allowed va...

Page 606: ...erification only select Disallow code reuse to prevent a code from being used more than once during the time that it is valid f For time based verification only in Code refresh interval type the amount of time that a code will remain valid Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Code refresh interval to ten minute...

Page 607: ...uth user new_user enable false config auth user new_user 4 Optional Create a username alias for the user Because the name to create the user cannot contain special characters such as hyphens or periods an alias allows the user to log in using a name that contains special characters For security purposes if two users have the same alias the alias will be disabled config auth user new_user username ...

Page 608: ... group to the user For example to add the admin group to the user config auth user new_user add group end admin config auth user new_user Note Every user must be configured with at least one group b Optional Add additional groups by repeating the add group command config auth user new_user add group end serial config auth user new_user To remove a group from a user a Use the show command to determ...

Page 609: ...ime Password TOTP authentication uses the current time to generate a one time password n hotp HMAC based One Time Password HOTP uses a counter to validate a one time password The default value is totp config auth user new_user 2fa type totp config auth user new_user 2fa d Add a secret key config auth user new_user 2fa secret key config auth user new_user 2fa This key should be used by an applicati...

Page 610: ...r new_user 2fa login_limit 3 config auth user new_user 2fa i Configure the login limit period This is the amount of time that the user is allowed to attempt to log in config auth user new_user 2fa login_limit_period value config auth user new_user 2fa where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set login_limit_period to ten ...

Page 611: ...sconnect from the device Delete a local user To delete a user from your IX10 Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On th...

Page 612: ...ine as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth user username 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit...

Page 613: ...nd connection parameters to a TACACS server over TCP The TACACS server then authenticates the TACACS client requests and sends back a response message to the device When you are using TACACS authentication you can have both local users and TACACS users able to log in to the device To use TACACS authentication you must set up a TACACS server that is accessible by the IX10 device prior to configurat...

Page 614: ... sudo gedit etc tacacs tac_plus conf 2 Add users to the file using the following format This example will create two users one with admin and serial access and one with only serial access user user1 name User1 for IX10 pap cleartext password1 service system groupname admin serial user user2 name User2 for IX10 pap cleartext password2 service system groupname serial The groupname attribute is optio...

Page 615: ...lable or if the user is not defined on the TACACS server then you should list the TACACS authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the TACACS servers are unavailable and the IX10 device falls back to local authentication only users defined locally on the device are able to log in TACACS ...

Page 616: ...to Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration wind...

Page 617: ...the TACACS server s configuration to identify the IX10 authentication group or groups that the user is a member of For example in TACACS user configuration the group attribute in the sample tac_plus conf file is groupname which is also the default setting in the IX10 configuration 7 Optional For Service type the value of the service attribute in the the TACACS server s configuration For example in...

Page 618: ...min CLI 2 At the command line type config to enter configuration mode config config 3 Optional Prevent other authentication methods from being used if TACACS authentication fails Other authentication methods will only be used if the TACACS server is unavailable config auth tacacs authoritative true config 4 Optional Configure the group_attribute This is the name of the attribute used in the TACACS...

Page 619: ...rver end config auth tacacs server 0 b Enter the TACACS server s IP address or hostname config auth tacacs server 0 hostname hostname ip address config auth tacacs server 0 c Optional Change the default port setting to the appropriate port config auth tacacs server 0 port port config auth tacacs server 0 d Optional Repeat the above steps to add additional TACACS servers 9 Add TACACS to the authent...

Page 620: ...erver over UDP The RADIUS server then authenticates the RADIUS client requests and sends back a response message to the device When you are using RADIUS authentication you can have both local users and RADIUS users able to log in to the device To use RADIUS authentication you must set up a RADIUS server that is accessible by the IX10 device prior to configuration The process of setting up a RADIUS...

Page 621: ...ely if the user is also configured as a local user on the IX10 device and the RADIUS server authenticates the user but does not return any groups the local configuration determines the list of groups See Authentication groups for more information about authentication groups The Unix FTP Group Names attribute can contain one group or multiple groups in a comma separated list 3 Save and close the fi...

Page 622: ...a RADIUS server for authentication and authorization Required configuration items n Define the RADIUS server IP address or domain name n Define the RADIUS server shared secret n Add RADIUS as an authentication method for your IX10 device Additional configuration items n Whether other user authentication methods should be used in addition to the RADIUS server or if the RADIUS server should be consi...

Page 623: ... of the RADIUS server c Optional Change the default Port setting to the appropriate port Normally this should be left at the default setting of port 1812 d For Secret type the RADIUS server s shared secret This is configured in the secret parameter of the RADIUS server s client conf file for example secret testing123 e For Timeout type or select the amount of time in seconds to wait for the RADIUS...

Page 624: ...k Authentication Methods b For Add method click c Select RADIUS for the new method from the Method drop down Authentication methods are attempted in the order they are listed until the first successful authentication result is returned See Rearrange the position of authentication methods for information about rearranging the position of the methods in the list 9 Click Apply to save the configurati...

Page 625: ...name config auth radius server 0 hostname hostname ip address config auth radius server 0 c Optional Change the default port setting to the appropriate port config auth radius server 0 port port config auth radius server 0 d Configure the amount of time in seconds to wait for the RADIUS server to respond Allowed value is any integer from 3 to 60 The default value is 3 config auth radius server 0 t...

Page 626: ...the IX10 device acts as an LDAP client which sends user credentials and connection parameters to an LDAP server The LDAP server then authenticates the LDAP client requests and sends back a response message to the device When you are using LDAP authentication you can have both local users and LDAP users able to log in to the device To use LDAP authentication you must set up a LDAP server that is ac...

Page 627: ...ng the following format dn uid john dc example dc com objectClass inetOrgPerson cn John Smith sn Smith uid john userPassword password ou admin serial n The value of uid and userPassword must correspond to the username and password used to log into the IX10 device n The ou attribute is optional If used the value must correspond to authentication groups configured on your IX10 Alternatively if the u...

Page 628: ...P server then you should list the LDAP authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the LDAP servers are unavailable and the IX10 device falls back to local authentication only users defined locally on the device are able to log in LDAP users cannot log in until the LDAP servers are brought...

Page 629: ...ss the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication LDAP Servers ...

Page 630: ...This is the preferred method for LDAP 7 If Enable TLS or Start TLS are selected for TLS connection n Leave Verify server certificate at the default setting of enabled to verify the server certificate with a known Certificate Authority n Disable Verify server certificate if the server is using a self signed certificate 8 Optional For Server login type a distinguished name DN that is used to bind to...

Page 631: ...lt is returned See Rearrange the position of authentication methods for information about rearranging the position of the methods in the list 15 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configura...

Page 632: ...this option unset if the server allows anonymous connections config auth ldap bind_dn dn_value config For example config auth ldap bind_dn cn user dc example dc com config 7 Set the password used to log into the LDAP server Leave this option unset if the server allows anonymous connections config auth ldap bind_password password config 8 Set the distinguished name DN on the server to search for us...

Page 633: ... the appropriate port config auth ldap server 0 port port config auth ldap server 0 d Optional Repeat the above steps to add additional LDAP servers 13 Add LDAP to the authentication methods Authentication methods are attempted in the order they are listed until the first successful authentication result is returned This example will add LDAP to the end of the list See User authentication methods ...

Page 634: ...l For TLS identity certificate paste a TLS certificate and private key in PEM format If empty the certificate for the web administration service is used See Configure the web administration service for more information 5 For Peer authentication select the method used to verify the certificate of a remote peer 6 Include standard CAs is enabled by default This allows peers with certificates that hav...

Page 635: ...iguration mode config config 3 Optional Paste a TLS certificate and private key in PEM format config auth serial identiy cert and private key config 4 Set the method used to verify the certificate of a remote peer config auth serial verify value config where value is either n ca Uses certificate authorities CAs to verify n peer Uses the remote peer s public certificate to verify 5 By default peers...

Page 636: ...llow shell parameter This does not prevent access to the Admin CLI Note If shell access is disabled re enabling it will erase the device s configuration and perform a factory reset Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to vi...

Page 637: ...vice in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the allow_shell parameter to false config auth allow_shell ...

Page 638: ...t the user s active session can be inactive before it is automatically disconnected set the Idle timeout parameter By default the Idle timeout is set to 10 minutes Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage you...

Page 639: ...guration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At th...

Page 640: ...config auth idle_timeout 600s config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 641: ...og into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration...

Page 642: ...min access to enable iv Verify that Access level is set to Full access If not select Full access e Verify that Local users is one of the configured authentication methods i Click Authentication Methods ii Verify that Local users is one of the methods listed in the list If not i For Add Method click ii For Method select Local users 7 Click Apply to save the configuration and apply the change Comman...

Page 643: ...up admin acl admin level full config 4 Verify that local is one of the configured authentication methods config show auth method 0 local config If local is not listed config add auth method end local config 5 Create the user In this example the user is being created with the username adminuser config add auth user adminuser config auth user adminuser 6 Assign a password to the user config auth use...

Page 644: ...sing all three authentication methods In this example when the user attempts to log in to the IX10 device user authentication will occur in the following order 1 The user is authenticated by the RADIUS server If the RADIUS server is unavailable 2 The user is authenticated by the TACACS server If both the RADIUS and TACACS servers are unavailable 3 The user is authenticated by the IX10 device using...

Page 645: ... Names parameter c Save and close the users file 2 Configure a user on the TACACS server a On the ubuntu machine hosting the TACACS server open the etc tacacs tac_plus conf file sudo gedit etc tacacs tac_plus conf b Add a TACACS user to the tac_plus conf file user admin1 name Admin1 for TX64 pap cleartext password1 service system groupname admin In this example n The user s username is admin1 n Th...

Page 646: ...ngs d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 5 Configure the authentication methods a Click Authentication Methods b For Method select RADIUS c For Add Method click to add a new method d For the new method select TACACS e Click to add another new method f For the new method select Local users ...

Page 647: ... i Click Authentication Groups ii Click admin iii Verify that the admin group has Admin access enabled If not click Admin access to enable iv Verify that Access level is set to Full access If not select Full access 7 Click Apply to save the configuration and apply the change Command line 1 Configure a user on the RADIUS server a On the ubuntu machine hosting the FreeRadius server open the etc free...

Page 648: ...this example n The user s username is admin1 n The user s password is password1 n The authentication group on the IX10 device admin is identified in the groupname parameter c Save and close the tac_plus conf file 3 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration...

Page 649: ...full administrator rights config show auth group admin acl admin enable true level full config If admin enable is set to false config auth group admin acl admin enable true config If admin level is set to read only config auth group admin acl admin level full config 7 Configure the local user a Create a local user with the username admin1 config add auth user admin1 config auth user admin1 b Assig...

Page 650: ...650 8 Save the configuration and apply the change config auth user adminuser save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 651: ...his chapter contains the following topics Firewall configuration 652 Port forwarding rules 657 Packet filtering 665 Configure custom firewall rules 673 Configure Quality of Service options 675 IX10 User Guide 651 ...

Page 652: ...in the initial setup of the device By default the firewall will only allow this zone to access administration services l IPsec The default zone for IPsec tunnels l Dynamic routes Used for routes learned using routing services n Port forwarding A list of rules that allow network connections to the IX10 to be forwarded to other servers by translating the destination address n Packet filtering A list...

Page 653: ...ration window is displayed 5 Optional If traffic on this zone will be forwarded from a private network to the internet enable Network Address Translation NAT 6 Click Apply to save the configuration and apply the change See Configure the firewall zone for a network interface for information about how to configure network interfaces to use a zone Command line 1 Select the device in Remote Manager an...

Page 654: ...nnect from the device See Configure the firewall zone for a network interface for information about how to configure network interfaces to use a zone Configure the firewall zone for a network interface Firewall zones allow you to group network interfaces for the purpose of packet filtering and access control There are several preconfigured firewall zones and you can create custom zones as well The...

Page 655: ...nal 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter confi...

Page 656: ...t from the device Delete a custom firewall zone You cannot delete preconfigured firewall zones To delete a custom firewall zone Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Cli...

Page 657: ...ration mode config config 3 Use the del command to delete a custom firewall rule For example config del firewall zone my_zone 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Port forwarding rules Most compu...

Page 658: ...he port forwarding rule n The IP version either IPv4 or IPv6 that incoming network connections must match n The protocols that incoming network connections must match n A white list of devices based on either IP address or firewall zone that are authorized to leverage this forwarding rule To configure a port forwarding rule Web 1 Log into Digi Remote Manager or log into the local Web UI as a user ...

Page 659: ...version select either IPv4 or IPv6 Network connections will only be forwarded if they match the selected IP version 8 For Protocol select the type of internet protocol Network connections will only be forwarded if they match the selected protocol 9 For Incoming port s type the public facing port number that network connections must use for their traffic to be forwarded 10 For To Address type the I...

Page 660: ...ck Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config add firewall dnat end config firewall dnat 0 Port forwarding...

Page 661: ...l dnat 0 to_address ip address config firewall dnat 0 n For IPv6 addresses config firewall dnat 0 to_address6 ip address config firewall dnat 0 9 Set the public facing port number s that network connections must use for their traffic to be forwarded config firewall dnat 0 to_port value config firewall dnat 0 where value is the port number comma separated list of port numbers or range of port numbe...

Page 662: ...work interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config firewall dnat 0 acl 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selec...

Page 663: ...ice Configuration The Configuration window is displayed 3 Click Firewall Port forwarding 4 Click the menu icon next to the appropriate port forwarding rule and select Delete 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Dep...

Page 664: ...0 10 10 10 to_port 10001 1 acl no address6 no zone enable false interface ip_version ipv6 label IPv6 port forwarding rule port 10002 protocol tcp to_address6 c097 4533 bd63 bb12 9a6f 5569 4b53 c29a to_port 10003 config 4 To delete the rule use the index number with the del command For example config del firewall dnat 1 5 Save the configuration and apply the change config save Configuration saved 6...

Page 665: ...e will be accepted rejected or dropped by this rule Additional configuration requirements n A label for the rule n The IP version to be matched either IPv4 IPv6 or Any n The protocol to be matched one of l TCP l UDP l ICMP l ICMP6 l Any To configure a packet filtering rule Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device co...

Page 666: ...Label that will be used to identify the rule 5 For Action select one of n Accept Allows matching network connections n Reject Blocks matching network connections and sends an ICMP error if appropriate n Drop Blocks matching network connections and does not send a reply 6 Select the IP version 7 Select the Protocol 8 For Source zone select the firewall zone that will be monitored by this rule for i...

Page 667: ...To edit the default packet filtering rule or another existing packet filtering rule a Determine the index number of the appropriate packet filtering rule config show firewall filter 0 action accept dst_zone any enable true ip_version any label Allow all outgoing traffic protocol any src_zone internal 1 action drop dst_zone internal enable true ip_version any label myfilter protocol any src_zone ex...

Page 668: ...ons from network interfaces that are a member of this zone See Firewall configuration for more information about firewall zones config firewall filter 1 src_zone my_zone config firewall filter 1 6 Set the destination firewall zone Packets destined for network interfaces that are members of this zone will either be accepted rejected or dropped by this rule See Firewall configuration for more inform...

Page 669: ...ice Enable or disable a packet filtering rule To enable or disable a packet filtering rule Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config ...

Page 670: ...en Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the appropriate port forwarding rule config show firewall filter 0 action ac...

Page 671: ...e 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a packet filtering rule To delete a packet filtering rule Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin a...

Page 672: ...ote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the packet filtering rule you want to delete...

Page 673: ...igure custom firewall rules Custom firewall rules consist of a script of shell commands that can be used to install firewall rules ipsets and other system configuration These commands are run whenever system configuration changes occur that might cause changes to the firewall To configure custom firewall rules Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admi...

Page 674: ...figuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Ena...

Page 675: ...g packets on each interface egress packets not what is received on the interface packet ingress A QoS binding contains the policies and rules that apply to packets exiting the IX10 device on the binding s interface By default the IX10 device has two preconfigured QoS bindings Outbound and Inbound These bindings are an example configuration designed for a typical VoIP site n Outbound provides an ex...

Page 676: ...ppropriate for your network 8 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line ty...

Page 677: ... 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Create a new binding Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuratio...

Page 678: ...Interface to queue egress packets on The binding will only match traffic that is being sent out on this interface 8 Optional For Interface bandwidth Mbit set the maximum egress bandwidth of the interface in megabits allocated to this binding Typically this should be 95 of the available bandwidth Allowed value is any integer between 1 and 1000 9 Create a policy for the binding At least one policy i...

Page 679: ...icy For example if a binding contains three policies and each policy contains a weight of 10 each policy will be allocated one third of the total interface bandwidth e For Latency type the maximum delay before the transmission of packets A lower latency means that the packets will be scheduled more quickly for transmission f Select Default to identify this policy as a fall back policy The fall bac...

Page 680: ...ess n IPv6 address Only traffic from the IP address typed in IPv6 address will be matched Use the format IPv6_address prefix_length or use any to match any IPv6 address n MAC address Only traffic from the MAC address typed in MAC address will be matched ix Click to expand Destination address and select the Type n Any Traffic destined for anywhere will be matched n Interface Only traffic destined f...

Page 681: ...or example config firewall qos 2 interface network interface eth1 config firewall qos 2 6 Optional Set the maximum egress bandwidth of the interface in megabits allocated to this binding config firewall qos 2 bandwidth int config firewall qos 2 where int is an integer between 1 and 1000 Typically this should be 95 of the available bandwidth The default is 95 7 Create a policy for the binding At le...

Page 682: ... means that the packets will be scheduled more quickly for transmission config firewall qos 2 policy 0 latency int config firewall qos 2 policy 0 where int is any integer 1 or greater The default is 100 f To identify this policy as a fall back policy config firewall qos 2 policy 0 default true config firewall qos 2 policy 0 The fall back policy will be used for traffic that is not matched by any o...

Page 683: ...licy 0 rule 0 srcport value config firewall qos 2 policy 0 rule 0 where value is the IP port number a range of port numbers using the format IP_port IP_port or any vii Set the destination port to define a destination matching criteria config firewall qos 2 policy 0 rule 0 dstport value config firewall qos 2 policy 0 rule 0 where value is the IP port number a range of port numbers using the format ...

Page 684: ...ddress config network qos 2 policy 0 rule 0 ix Set the destination address type config network qos 2 policy 0 rule 0 dst type value config network qos 2 policy 0 rule 0 where value is one of n any Traffic destined for anywhere will be matched See Firewall configuration for more information about firewall zones n interface Only traffic destined for the selected Interface will be matched Set the int...

Page 685: ...ses the format IPv6_address prefix_length or any to match any IPv6 address Repeat to add a new rule Up to 30 rules can be configured 8 Save the configuration and apply the change config save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 686: ...s 3 Click Upload New Container 4 From your local file system select the container file in tgz format You can download a simple example container file test_lxc tgz from the Digi website 5 Create Configuration is selected by default This will create a configuration on the device for the container when it is installed If deselected you will need to create the configuration manually 6 Click Apply 7 If...

Page 687: ...ties Additional configuration items n If virtual networking is enabled l The bridge to be used to provide network connectivity l A static IP address for the container l The network gateway n Serial ports on the device that the container will have access to Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remot...

Page 688: ...iner This must be a valid IP address for the bridge or if left blank a DHCP server can assign the container an IP address c Optional For Gateway type the IP address of the network gateway 7 Click to expand Serial ports to sssign serial ports that the container will have access to a For Add Port click b For Port select the serial port 8 Click Apply to save the configuration and apply the change Com...

Page 689: ... container name network true config system container name b Set the network bridge device that will be used to provide network access i Use the to determine the available bridges config system container name bridge Network Bridge Device Containers require a bridge to access the network Choose which bridge to connect the container to Format lan1 Current value config system container name ii Set the...

Page 690: ...Starting and stopping the container Container commands are not available from the Admin CLI You must access the device shell in order to run Python applications from the command line See Authentication groups for information about configuring authentication groups that include shell access Starting the container There are two methods to start containers n Non persistent Changes made to the contain...

Page 691: ...is will start the container by using bin sh l which runs the shell and loads the shell profile The default shell profile includes an lxc prompt Starting a container by including an executable You can supply an executable to run when you start the container along with any parameters If you don t supply a parameter the default behavior is to run the executable by using bin sh l which runs the shell ...

Page 692: ... Containers status page is displayed Command line Show status of all containers Use the show containers command with no additional arguments to show the status of all containers on the system 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented...

Page 693: ... to access the Admin CLI 2 At the prompt type show containers container test_lxc Container Configured Enabled State test_lxc True enabled RUNNING PID 19327 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Schedule a script to run in the container This simple example will 1 Start the c...

Page 694: ...figuration The Configuration window is displayed 3 Click System Scheduled tasks Custom scripts 4 For Add Script click The script configuration window is displayed 5 Optional For Label type container_script 6 For Run mode select Interval 7 For Interval type 10s 8 For Commands type the following lxc container_name bin ping c 1 IP_address ...

Page 695: ...mmand line type config to enter configuration mode config config 3 Add a script config add system schedule script end config system schedule script 0 4 Provide a label for the script for example config system schedule script 0 label test_lxc config system schedule script 0 5 Set the mode to interval config system schedule script 0 when interval config system schedule script 0 6 Set the interval to...

Page 696: ...ner that contains a python script in the etc directory In this example we will use a simple container file named test_lxc tgz You can download test_lxc tgz from the Digi website At the command line of a Linux host we will unpack the file add a simple python script and create a new container file that includes the python script Create the custom container file 1 At the command line of a Linux host ...

Page 697: ...lect the container file You can download a simple example container file test_lxc tgz from the Digi website v Create Configuration is selected by default This will create a configuration on the device for the container when it is installed If deselected you will need to create the configuration manually vi Click Apply 2 Select a device in Remote Manager that is configured to allow shell access to ...

Page 698: ... cellular module firmware 708 Reboot your IX10 device 712 Erase device configuration and reset to factory defaults 715 Locate the device by using the Find Me feature 720 Configure a power profile 721 Configuration files 725 Schedule system maintenance tasks 730 Disable device encryption 735 Configure the speed of your Ethernet port 737 IX10 User Guide 698 ...

Page 699: ... basic system information 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Enter show system at the prompt show system Model Digi IX10 Serial Number IX10 000065 SKU IX10 Hos...

Page 700: ...on 50001947 01 1P Firmware Version 22 5 50 62 Alt Firmware Version 22 5 50 62 Alt Firmware Build Date Mon 13 June 2022 20 07 32 Bootloader Version 19 7 23 0 15f936e0ed Schema Version 715 Timezone UTC Current Time Wed 31 May 2022 9 03 04 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Load Average 0 01 0 03 0 02 RAM Usage 119 554MB 1878 984MB 6 Temperature 40C Disk Load Average 0 0...

Page 701: ... into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration w...

Page 702: ... config to enter configuration mode config config 3 Set a name for the device This name will appear in log messages and at the command prompt config system name 192 168 3 1 192 168 3 1 config 4 Set the contact for the device 192 168 3 1 config system contact Jane User 192 168 3 1 config 5 Set the location for the device 192 168 3 1 config system location 9350 Excelsior Blvd Suite 700 Hopkins MN 19...

Page 703: ...the device The IX10 device validates the system firmware image as part of the update process and only successfully updates if the system firmware image can be authenticated Downgrading Downgrading to an earlier release of the firmware may result in the device configuration being erased Downgrading from firmware version 22 2 9 x Beginning with firmware version 22 2 9 x the IX10 device uses certific...

Page 704: ...85 Checking for latest IX10 firmware Newest firmware version available to download is 22 5 50 62 Device firmware update from 22 2 9 85 to 22 5 50 62 is needed 3 Use the modem firmware ota list command to list available firmware on the Digi firmware repository system firmware ota list 22 2 9 85 22 5 50 62 4 Perform an OTA firmware update n To perform an OTA firmware update by using the most recent ...

Page 705: ...version 22 5 50 62 Downloaded firmware tmp cli_firmware bin remaining Applying firmware version 22 5 50 62 41388K netflash got tmp cli_firmware bin length 42381373 netflash authentication successful netflash vendor and product names are verified netflash programming FLASH device dev flash image1 41408K 100 Firmware update completed reboot device b Reboot the device reboot Update firmware from a lo...

Page 706: ...of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the IX10 device n local path is the location on the IX10 device where the copied file will be placed For example scp host 192 168 4 1 user admin remote home admin bin IX10 22 5 50 62 bin local tmp to local admin 192 168 4 1 s password...

Page 707: ... of firmware in two flash memory banks n The current firmware version that is used to boot the device n A copy of the firmware that was in use prior to your most recent firmware update When the device reboots it will attempt to use the current firmware version If the current firmware version fails to load after three consecutive attempts it is marked as invalid and the device will use the previous...

Page 708: ...r device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Duplicate the firmware system duplicate firmware Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository or by uploading firmware from your local storage onto the device You can also schedule modem firmware updates See Schedu...

Page 709: ...rmware over the air OTA You can update your modem firmware by querying the Digi firmware repository to determine if there is new firmware available for your modem and performing an OTA modem firmware update 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you m...

Page 710: ...atest Generic firmware Retrieving modem firmware list Newest firmware version available to download is 25 20 666_CUST_ 067_1 Retrieving download location for modem firmware 25 20 666_CUST_067_ 1 n To perform an OTA firmware update by using a specific version from the Digi firmware repository use the version parameter to identify the appropriate firmware version as determined by using modem firmwar...

Page 711: ...at the firmware file may not have a tar gz extension but it is a tar file and can be unzipped with tar or a similar tool See Use the scp command for information about uploading files to the IX10 device 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be...

Page 712: ...you may be presented with an Access selection menu Type quit to disconnect from the device Reboot your IX10 device You can reboot the IX10 device immediately or schedule a reboot for a specific time every day Note You may want to save your configuration settings to a file before rebooting See Save configuration to a file Reboot your device immediately Web 1 Log into the IX10 WebUI as a user with A...

Page 713: ...ith full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Select System Scheduled tasks 4 For Reboot ti...

Page 714: ...ng on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the reboot time config system schedule reboot_time time config where time is the time of the day that the device should reboot using the format HH MM For example the set the device to reboot at two in...

Page 715: ...system log files Additionally if the ERASE button is used to erase the configuration pressing the ERASE button a second time immediately after the device has rebooted n Erases all automatically generated certificates and keys n With firmware release 22 2 9 x and newer erases the client side certificate used for communication with Digi Remote Manager If you are using Digi Remote Manager with firmwa...

Page 716: ...mand line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Enter the following system factory erase 3 After resetting the device a Connect to the IX10 by using the serial po...

Page 717: ...using the serial port or by using an Ethernet cable to connect the IX10 ETH port to your PC b Log into the IX10 User name Use the default user name admin Password Use the unique password printed on the bottom label of the device or the printed label included in the package c Optional Reset the default password for the admin account See Change the default password for the admin user for further inf...

Page 718: ...s This way when you erase the device s configuration the device will reset to your custom configuration rather than to the original factory defaults Note To clear the custom default configuration press the ERASE button wait for the device to reboot then press the ERASE button again Required configuration items n Custom factory default file Web 1 Log into the IX10 WebUI as a user with Admin access ...

Page 719: ...nloaded rename the file to custom default config bin 6 Upload the file to the device a From the main menu select System Filesystem b Under Default device configuration click c Select the file from your local file system Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your ...

Page 720: ...Me A notification message appears noting that the LED is flashing on the device Click the x in the message to close it 3 On the menu click System again Ablue circle next to Find Me is blinking indicating that the Find Me feature is active 4 To deactivate the Find Me feature click System and click Find Me again A notification message appears noting that the LED is no longer flashing on the device C...

Page 721: ... in terms of power consumption during standard operating mode You can choose to preserve power performance or to balance both To change the active power profile Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your d...

Page 722: ...ofile and allows you to change it The available options are n Performance The CPU clock frequency is scaled up to work in the highest available frequency and provide a better system performance n Auto The CPU clock frequency is dynamically scaled up and down to provide better performance during high demanding conditions and also to save power during inactivity periods ...

Page 723: ...selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the profile you prefer config system power profile profile_name config where profile_name is one of n auto The CPU clock frequency is dynamically scaled up and down to provide better performance during high demanding conditions and also to save power during inactivity...

Page 724: ...00 n 792000 The default is 792000 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 725: ...ou make changes to the IX10 configuration the changes are not automatically saved You must explicitly save configuration changes which also applies the changes If you do not save configuration changes the system discards the changes Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your ...

Page 726: ...uration changes 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Save configuration to a file You can save your IX10 device s configuration to a file and use this file to restore the configuration either to ...

Page 727: ... system backup path passphrase passphrase type type where n path is the location on the IX10 s filesystem where the configuration backup file should be saved n passphrase optional is a passphrase used to encrypt the configuration backup n type is the type of backup either l archive Creates a binary archive file containing the device s configuration certificates and keys and other information l cli...

Page 728: ...ckup from the device or a backup from a similar device Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the main menu click System Under Configuration click Configuration Maintenance The Configuration Maintenance windows is displayed 3 In the Configuration Restore section a If a passphrase was used to create the configuration backup for Passphrase save restore enter the passphrase b ...

Page 729: ...username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the IX10 device n local path is the location on the IX10 device where the copied file will be placed For example scp host 192 168 4 1 user admin remote home admin bin backup archive 0040FF800120 22 5 50 62 19 23 42 bin local opt to local 3 Enter the follo...

Page 730: ...one of the triggers must be met n The tasks to be performed Options are l Firmware updates l Digi Remote Manager configuration check n Whether the device will check for updates to the device firmware n Whether the device will check for updates to the modem firmware n The frequency daily weekly or monthly that checks for firmware updates will run Web 1 Log into Digi Remote Manager or log into the l...

Page 731: ... type the time of day that the maintenance window should start using the syntax HH MM If Start time is not set maintenance tasks are not scheduled and will not be run The behavior of Start time varies depending on the setting of Duration window which is configured in the next step l If Duration window is set to Immediately all scheduled tasks will begin at the exact time specified in Start time l ...

Page 732: ...ice s firmware version You should not enable this option 8 Optional Click to enable Modem firmware update to instruct the system to look for any updated modem firmware during the maintenance window If updated firmware is found it will then be installed Modem firmware update looks for updated firmware both on the local device and over the network using either a WAN or cellular connection 9 Optional...

Page 733: ...nce trigger 0 n out_of_service The maintenance window will only start if the Python Out of Service is set See Use Python to set the maintenance window for further information n time Configure a time period for the maintenance window i Configure the time of day that the maintenance window should start using the syntax HH MM If the start time is not set maintenance tasks are not scheduled and will n...

Page 734: ...s either daily or weekly Daily is the default 4 Optional Configure the device to look for any updated device firmware during the maintenance window If updated firmware is found it will then be installed The device will look for updated firmware both on the local device and over the network using either a WAN or cellular connection config system schedule maintenance device_fw_update value config wh...

Page 735: ...is being shipped When device encryption is disabled the following occurs n The device is reset to the default configuration and rebooted n After the reboot l Access to the device via the WebUI and SSH are disabled l All internet connectivity is disabled including WAN and WWAN Connectivity to central management software is also disabled l All IP networks and addresses are disabled except for the de...

Page 736: ... the device Re enable cryptography after it has been disabled To re enable cryptography 1 Configure your PC network to connect to the 192 168 210 subnet For example on a Windows PC a Select the Properties of the relevant network connection on the Windows PC b Click the Internet Protocol Version 4 TCP IPv4 parameter c Click Properties The Internet Protocol Version 4 TCP IPv4 Properties dialog appea...

Page 737: ...e IX10 device at the IP address of 192 168 210 1 4 Log into the device n Username admin n Password The default unique password for your device is printed on the device label 5 At the shell prompt type rm etc config nocrypt flatfsd i This will re enable encryption and leave the device at its factory default setting Configure the speed of your Ethernet port You can configure the speed of your IX10 d...

Page 738: ...enu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Device ETH 4 For Speed select the appropriate speed for the Ethernet port or select Auto to automatically detect the speed The default is Auto 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Cons...

Page 739: ... of l 10 Sets the speed to 10 Mbps l 100 Sets the speed to 100 Mbps l 1000 Sets the speed to 1 Gbps Available only for devices with Gigabit Ethernet ports auto Configures the device to automatically determine the best speed for the Ethernet port The default is auto 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your devi...

Page 740: ...Monitoring This chapter contains the following topics intelliFlow 741 Configure NetFlow Probe 748 IX10 User Guide 740 ...

Page 741: ...e the chart to drill down to view more granular information and menu options allow you to change various aspects of the information being displayed Note When intelliFlow is enabled and the device is connected to Digi aView it adds an estimated 50MB of data usage for the device by reporting the metrics to aView intelliflow does not currently work with Digi Remote Manager Enable intelliFlow Required...

Page 742: ... by IntelliFlow should be present on the specified zone 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin ...

Page 743: ...elies on an internal to external relationship where the internal clients are present on the zone specified Format any dynamic_routes edge external internal ipsec loopback setup Default value internal Current value internal config b Set the zone to be used by IntelliFlow config monitoring intelliflow zone my_zone 5 Save the configuration and apply the change config save Configuration saved 6 Type e...

Page 744: ...into the IX10 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow The System Utilisation chart is displayed n Display more granular information 1 Click and drag over an area in the chart to zoom into that area and provide more granular information 2 Release to display the selected portion of the char...

Page 745: ... Select the time period to be displayed n Save or print the chart 1 Click the menu icon 2 To save the chart to your local filesystem select Export to PNG 3 To print the chart select Print chart Use intelliFlow to display top data usage information With intelliFlow you can display top data usage information based on the following n Top data usage by host n Top data usage by server n Top data usage ...

Page 746: ... the Top Data Usage by Server chart click Top Data Usage by Server n To display the Top Data Usage by Service chart click Top Data Usage by Service 5 Change the type of chart that is used to display the data a Click the menu icon b Select the type of chart 6 Change the number of top users displayed You can display the top five top ten or top twenty data users ...

Page 747: ... Use intelliFlow to display data usage by host over time To generate a chart displaying a host s data usage over time Web 1 Log into the IX10 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow 4 Click Host Data Usage Over Time n Display more granular information a Click and drag over an area in the ...

Page 748: ...d configuration items n Enable NetFlow n The IP address of a NetFlow collector Additional configuration items n The NetFlow version n Enable flow sampling and select the flow sampling technique n The number of flows from which the flow sampler can sample n The number of seconds that a flow is inactive before it is exported to the NetFlow collectors n The number of seconds that a flow is active bef...

Page 749: ...the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Monitoring NetFlow probe 4 Enable NetFlow probe ...

Page 750: ... and 16383 The default is 100 8 For Inactive timeout type the the number of seconds that a flow can be inactive before sent to a collector Allowed value is any number between 1 and 15 The default is 15 9 For Active timeout type the number of seconds that a flow can be active before sent to a collector Allowed value is any number between 1 and 1800 The default is 1800 10 For Maximum flows type the ...

Page 751: ...istic Selects every nth flow where n is the value of the flow sample population n random Randomly selects one out of every n flows where n is the value of the flow sample population n hash Randomly selects one out of every n flows using the hash of the flow key where n is the value of the flow sample population 5 If you are using a flow sampler set the number of flows for the sampler config monito...

Page 752: ...ess ip_address config monitoring netflow collector 0 c Optional Set the port used by the collector config monitoring netflow collector 0 port port config monitoring netflow collector 0 d Optional Set a label for the collector config monitoring netflow collector 0 label This is a collector config monitoring netflow collector 0 Repeat to add additional collectors 10 Save the configuration and apply ...

Page 753: ...he IX10 local file system 754 Display directory contents 754 Create a directory 755 Display file contents 756 Copy a file or directory 756 Move or rename a file or directory 757 Delete a file or directory 758 Upload and download files 759 IX10 User Guide 753 ...

Page 754: ... across reboots but are deleted if a factory reset of the system is performed See Erase device configuration and reset to factory defaults for more information Display directory contents To display directory contents by using the WebUI or the Admin CLI Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page ap...

Page 755: ...mand specifying the name of the directory For example 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mkdir path dir_name For example to create...

Page 756: ...ser admin password 2a 05 W1sls1oxsadf n4J0XT Rgr6ewr1yerHtXQdbafsatGswKg0YUm schema version 461 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Copy a file or directory This procedure is not available through the WebUI To copy a file or directory by using the Admin CLI use the cp com...

Page 757: ...me a file named test py in etc config scripts to final py 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mv etc config scripts test py etc con...

Page 758: ...o be deleted and click to open the directory 4 Highlight the file to be deleted and click 5 Click OK to confirm Command line To delete a file named test py in etc config scripts 1 Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Acces...

Page 759: ... exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Upload and download files You can download and upload files by using the WebUI or from the command line by using the scp Secure Copy command or by using a utility such as SSH File Transfer Protocol SFTP or an SFTP application like FileZilla Upload an...

Page 760: ...o the IX10 device To copy a file from a remote host to the IX10 device use the scp command as follows scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied...

Page 761: ... the IP address of 192 168 4 1 1 Use the system support report command to generate the report system support report var log Saving support report to var log support report 0040D0133536 22 05 31 9 03 04 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local var log support report 00 40 D0 13 35 36 22 05 31 ...

Page 762: ...ost This example downloads a file named test py from the IX10 device at the IP address of 192 168 2 1 with a username of ahmed to the local directory on the remote host sftp ahmed 192 168 2 1 Password Connected to 192 168 2 1 sftp get test py Fetching test py to test py test py 100 254 0 3KB s 00 00 sftp exit ...

Page 763: ...rt report 764 View system and event logs 766 Configure syslog servers 771 Configure options for the event and system logs 774 Analyze network traffic 779 Use the ping command to troubleshoot network connections 797 Use the traceroute command to diagnose IP routing problems 797 IX10 User Guide 763 ...

Page 764: ... 1110 Mbps Tx latency 31 45 ms Rx download average 44 7588 Mbps Rx latency 30 05 ms 3 To output the result in json format use the output parameter speedtest host output json tx_avg 51 8510 tx_avg_units Mbps tx_latency 31 07 tx_latency_units ms rx_avg 39 5770 rx_avg_units Mbps rx_latency 34 19 rx_latency_units ms 4 To change the size of the speedtest packet use the size parameter speedtest host siz...

Page 765: ...ed with an Access selection menu Type admin to access the Admin CLI 2 Use the system support report command to generate the report system support report var log Saving support report to var log support report 0040D0133536 22 05 31 9 03 04 bin Support report saved 3 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local var log suppo...

Page 766: ... about configuring the information displayed in event and system logs View System Logs Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the main menu click System Logs The system log displays 3 Limit the display in the system log by using the Find search tool 4 Use filters to configure the types of information displayed in the system logs ...

Page 767: ...lld 621 reloading status 3 Optional Use the show log number num command to limit the number of lines that are displayed For example to limit the log to the most recent ten lines show log number 10 Timestamp Message Nov 26 21 54 34 IX10 netifd Interface interface_wan is setting up now Nov 26 21 54 35 IX10 firewalld 621 reloading status 4 Optional Use the show log filter value command to limit the n...

Page 768: ...ype quit to disconnect from the device View Event Logs Web 1 Log into the IX10 WebUI as a user with Admin access 2 On the main menu click System Logs 3 Click System Logs to collapse the system logs viewer or scroll down to Events 4 Click Events to expand the event viewer 5 Limit the display in the event log by using the Find search tool 6 Click to download the event log Command line ...

Page 769: ...s 3 Optional Use the show event number num command to limit the number of lines that are displayed For example to limit the event list to the most recent ten lines show event number 10 Timestamp Type Category Message Nov 26 21 42 37 status stat intf eth1 type ethernet rx 11332435 tx 5038762 Nov 26 21 42 35 status system local_time Thu 08 Aug 2019 21 42 35 0000 uptime 3 hours 0 minutes 48 seconds 4...

Page 770: ...s View system and event logs IX10 User Guide 770 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 771: ...or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed ...

Page 772: ... error informational and status event categories by clicking to toggle off the category e For Syslog egress port type the port number to use for the syslog server The default is 514 f For Protocol select the IP protocol to use for communication with the syslog server Available options are TCP and UPD The default is UPD 5 Click Apply to save the configuration and apply the change Command line 1 Sel...

Page 773: ...tically enabled when the server is enabled n To disable informational event messages config system log remote 0 info false config system log remote 0 n To disable status event messages config system log remote 0 status false config system log remote 0 n To disable informational event messages config system log remote 0 error false config system log remote 0 4 Set the port number to use for the sys...

Page 774: ... of time to wait before sending a heartbeat event if no other events have been sent is set to 30 minutes n All event categories are enabled To change or disable the heartbeat interval or to disable event categories and to perform other log configuration Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote M...

Page 775: ... disabled a Click to expand Event Categories b Click an event category to expand c Depending on the event category you can enable or disable informational events status events and error events Some categories also allow you to set the Status interval which is the time interval between periodic status events 6 Optional See Configure syslog servers for information about configuring remote syslog ser...

Page 776: ...e is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set the heartbeat interval to ten minutes enter either 10m or 600s config system log heartbeat_interval 600s config To disable the heartbeat interval set the value to 0s 4 Enable preserve system logs functionality to save the current session s system log after a reboot By default the IX10 de...

Page 777: ... categories also allow you to set the status interval which is the time interval between periodic status events For example to configure DHCP server logging i Use the question mark to determine what events are available for DHCP server logging configuration config system log event dhcpserver DHCP server Settings for DHCP server events Informational events are generated when a lease is obtained or ...

Page 778: ...et the status interval to ten minutes enter either 10m or 600s config system log event dhcpserver status_interval 600s config 6 Optional See Configure syslog servers for information about configuring remote syslog servers to which log messages will be sent 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device config...

Page 779: ... more detailed analysis you can download the captured data traffic from the device and view it using a third party application Note Data traffic is captured to RAM and the captured data is lost when the device reboots unless you save the data to a file See Save captured data traffic to a file This section contains the following topics Configure packet capture for the network analyzer 780 Example f...

Page 780: ...s or time that will trigger the analyzer to run using this capture configuration l The amount of time that the analyzer session will run l The frequency with which captured events will be saved To configure a packet capture configuration Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate ...

Page 781: ...ew capture filter configuration is displayed 5 Optional Add a filter type a Click to expand Filter You can select from preconfigured filters to determine which types of packets to capture or ignore or you can create your own Berkeley packet filter expression b To create a filter that either captures or ignores packets from a particular IP address or network ...

Page 782: ...tion is disabled which means that the filter will capture packets that use this protocol v Click to add additional IP protocols filters d To create a filter that either captures or ignores packets from a particular port i Click to expand Filter TCP UDP port ii Click to add a TCP UDP port iii For IP TCP UDP port to capture or ignore type the number of the port to be captured or ingored iv For TCP o...

Page 783: ...setting instance c For Device select an interface d Repeat to add additional interfaces to the capture filter 7 Optional For Berkeley packet filter expression type a filter using Berkeley Packet Filter BPF syntax See Example filters for capturing data traffic for examples of filters using BPF syntax 8 Optional Schedule the analyzer to run using this capture filter based on a specified event or at ...

Page 784: ...ull Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a new capture filter config add network analyzer name config network analyzer name 4 Add an interface to the capture filter config network analyzer name add device end d...

Page 785: ...hen the IP address network is either the source or the destination iv Optional Set the filter should ignore packets from this IP address network config network analyzer name filter address 0 ignore true config network analyzer name filter address 0 By default is option is set to false which means that the filter will capture packets from this IP address network v Repeat these steps to add addition...

Page 786: ...kets from this protocol vi Repeat these steps to add additional protocol filters c To create a filter that either captures or ignores packets from a particular port i Add a new port filter config network analyzer name add filter port end config network analyzer name filter port 0 ii Set the transport protocol that should be filtered for the port config network analyzer name filter port 0 protocol ...

Page 787: ... example 00 aa 11 bb 22 cc iii Set whether the filter should apply to packets when the MAC address is the source the destination or both config network analyzer name filter mac_address 0 match value config network analyzer name filter mac_address 0 where value is one of n source The filter will apply to packets when the MAC address is the source n destination The filter will apply to packets when ...

Page 788: ...yntax 6 Optional Schedule the analyzer to run using this capture filter based on a specified event or at a particular time a Enable scheduling for this capture filter config network analyzer name schedule enable true config network analyzer name b Set the mode that will be used to run the capture filter config network analyzer name when mode config network analyzer name where mode is one of the fo...

Page 789: ...me save_interval value config network analyzer name where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set save_interval to ten minutes enter either 10m or 600s config network analyzer name save_interval 600s config network analyzer name 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to ex...

Page 790: ...o and from IP host 10 0 0 1 but filter out ports 22 and 80 ip host 10 0 0 1 and not port 22 or port 80 Example Ethernet capture filters n Capture Ethernet packets to and from a host with a MAC address of 00 40 D0 13 35 36 ether host 00 40 D0 13 35 36 n Capture Ethernet packets from host 00 40 D0 13 35 36 ether src 00 40 D0 13 35 36 n Capture Ethernet packets to host 00 40 D0 13 35 36 ether dst 00 ...

Page 791: ...art name capture_filter where capture_filter is the name of a packet capture configuration See Configure packet capture for the network analyzer for more information To determine available packet capture configurations use the analyzer start name name Name of the capture filter to use Format test_capture capture_ping analyzer start name You can capture up to 10 MB of data traffic in two 5 MB files...

Page 792: ...t show the following information for each packet n The packet number n The timestamp for when the packet was captured n The length of the packet and the amount of data captured n Whether the packet was sent or received by the device n The interface on which the packet was sent or received n A hexadecimal dump of the packet of up to 256 bytes n Decoded information of the packet To show captured dat...

Page 793: ...5670 0x3d36 Flags Do not fragment Fragment Offset 0 0x0000 TTL 128 0x80 Protocol TCP 6 Checksum 0x14bc Source IP Address 10 10 74 130 Dest IP Address 10 10 74 72 TCP Header Source Port 52654 Destination Port 22 Sequence Number 2756443999 Ack Number 3995064355 Data Offset 5 Flags ACK Window 2050 Checksum 0xc740 Urgent Pointer 0 TCP Data 00 00 00 00 00 00 where capture_filter is the name of a packet...

Page 794: ...e n filename is the name of the file that the captured data will be saved to Determine filenames already in use Use the tab autocomplete feature to determine filenames that are currently in use analyzer save name tab test1_analyzer_capture test2_analyzer_capture analyzer save name n capture_filter is the name of a packet capture configuration See Configure packet capture for the network analyzer f...

Page 795: ...n menu Type admin to access the Admin CLI 2 Type scp to use the Secure Copy program to copy the file to your PC scp host hostname or ip user username remote remote path local local path to remote where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the location on the remote host where the file will be copied...

Page 796: ...ou may be presented with an Access selection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer clear name capture_filter where capture_filter is the name of a packet capture configuration See Configure packet capture for the network analyzer for more information To determine available packet capture configurations use the anaylzer clear name name Name of...

Page 797: ...Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Stop ping commands To stop pings when the number of pings to send the count parameter has been set to a high value enter Ctrl C Use the traceroute command to diagnose IP routing problems Use the traceroute command to diagnose IP routing problems This command t...

Page 798: ...Select the device in Remote Manager and click Actions Open Console or log into the IX10 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt use the traceroute command to view IP routing information traceroute 8 8 8 8 traceroute to 8 8 8 8 8 8...

Page 799: ...to correct the interference by one or more of the following measures n Reorient or relocate the receiving antenna n Increase the separation between the equipment and the receiver n Connect the equipment into an outlet that is on a circuit different from the receiver n Consult the dealer or an experienced radio TV technician for help Labeling Requirements FCC 15 19 IX10 complies with Part 15 of FCC...

Page 800: ...ration of Conformity DoC IX10 User Guide 800 Digi customers assume full responsibility for learning and meeting the required guidelines for each country in their distribution market Refer to the radio regulatory agency in the desired countries of operation for more information ...

Page 801: ...00 MHz Cellular LTE 2100 MHz 200 mW Cellular LTE 2600 MHz Cellular LTE 2300 MHz Cellular LTE 2500 MHz 158 49 mW Innovation Science and Economic Development Canada IC certifications This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications Le present appareil n...

Page 802: ...Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Use only the accessories attachments and power supplies provided by the manufacturer connecting non approved antennas or power supplies may damage the router cause interference or create an electric shock hazard and will void the warranty n Do not attempt...

Page 803: ... of cellular services to the offender legal action or both As with any electrical equipment do not operate the router in the presence of flammable gases fumes or potentially explosive atmospheres Do not use radio devices anywhere that blasting operations occur Wireless routers receive and transmit radio frequency energy when power is on Interference can occur when using the router close to TV sets...

Page 804: ...български Croatian Hrvatski French Français Greek Ε λληνικά Hungarian Magyar Italian Italiano Latvian Latvietis Lithuanian Lietuvis Polish Polskie Portuguese Português Slovak Slovák Slovenian Esloveno Spanish Español IX10 User Guide 804 ...

Page 805: ...ble parts Never open the equipment For safety reasons the equipment should be opened only by qualified personnel The unit must be powered off where blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not power on the unit in any aircraft Operation of this equipment in a residential environment could cause radio interference For ambient tempe...

Page 806: ... потребителя Н икога не отваряйте оборудването О т съображения за безопасност оборудването трябва да се отваря само от квалиф ициран персонал У редът трябва да се изключи там където се извърш ва взривяване където има експлозивна атмосф ера или в близост до медицинско оборудване или оборудване за поддържане на живота Н е включвайте устройството в самолет Р аботата с това оборудване в жилищ на среда...

Page 807: ...servisirati Nikada ne otvarajte opremu Iz sigurnosnih razloga opremu bi trebalo otvarati samo kvalificirano osoblje Uređaj se mora isključiti tamo gdje je u tijeku miniranje gdje su prisutne eksplozivne atmosfere ili u blizini medicinske opreme ili opreme za održavanje života Nemojte uključivati jedinicu ni u jednom zrakoplovu Rad ove opreme u stambenom okruženju mogao bi prouzročiti radio smetnje...

Page 808: ...r Ne jamais ouvrir l équipement Pour des raisons de sécurité l équipement ne doit être ouvert que par du personnel qualifié L unité doit être éteinte là où le dynamitage est en cours où des atmosphères explosives sont présentes ou à proximité d équipements médicaux ou de survie N allumez pas l appareil dans un avion L utilisation de cet équipement dans un environnement résidentiel peut provoquer d...

Page 809: ...οίγετ ε ποτ έ τ ον εξ οπλισμό Γ ια λόγους ασφαλείας ο εξ οπλισμός πρέπει να ανοίγει μόνο από εξ ειδικευμένο προσωπικό Η μονάδα πρέπει να είναι απενεργοποιημένη ότ αν βρίσκετ αι σε εξ έλιξ η η έκρηξ η όπου υπάρχουν εκρηκτ ικές ατ μόσφαιρες ή κοντ ά σε ιατ ρικό εξ οπλισμό ή εξ οπλισμό υποστ ήριξ ης τ ης ζ ωής Μην ενεργοποιείτ ε τ η μονάδα σε κανένα αεροσκάφος Η λειτ ουργία αυτ ού τ ου εξ οπλισμού σε...

Page 810: ... személyzet nyithatja meg Az egységet ki kell kapcsolni ha robbantás folyik ahol robbanásveszélyes környezet van vagy orvosi vagy életmentő berendezések közelében Semmilyen repülőgépen ne kapcsolja be az egységet A berendezés lakókörnyezetben történő működtetése rádiózavarokat okozhat 60 C feletti környezeti hőmérséklet esetén ezt a berendezést csak korlátozott hozzáférésű helyre kell telepíteni A...

Page 811: ...ire mai l apparecchiatura Per motivi di sicurezza l apparecchiatura deve essere aperta solo da personale qualificato L unità deve essere spenta dove sono in corso esplosioni dove sono presenti atmosfere esplosive o vicino ad apparecchiature mediche o di supporto vitale Non accendere l unità in nessun aereo Il funzionamento di questa apparecchiatura in un ambiente residenziale potrebbe causare inte...

Page 812: ...etotāja apkalpojamas daļas Nekad neatveriet aprīkojumu Drošības apsvērumu dēļ aprīkojumu drīkst atvērt tikai kvalificēts personāls Iekārtai jābūt izslēgtai ja notiek spridzināšana sprādzienbīstama vide vai medicīnas vai dzīvības uzturēšanas aprīkojuma tuvumā Nevienā lidmašīnā neieslēdziet ierīci Šīs ierīces darbība dzīvojamā vidē var izraisīt radio traucējumus Ja apkārtējā temperatūra pārsniedz 60...

Page 813: ...tojui prižiūrimų dalių Niekada neatidarykite įrangos Saugumo sumetimais įrangą turėtų atidaryti tik kvalifikuotas personalas Įrenginys turi būti išjungtas ten kur vyksta sprogdinimas sprogi aplinka arba šalia medicinos ar gyvybės palaikymo įrangos Neįjunkite įrenginio jokiuose orlaiviuose Naudojant šią įrangą gyvenamojoje aplinkoje gali kilti radijo trukdžių Esant aukštesnei nei 60 C aplinkos temp...

Page 814: ...ie otwieraj urządzenia Ze względów bezpieczeństwa urządzenie powinno być otwierane wyłącznie przez wykwalifikowany personel Urządzenie musi być wyłączone w miejscach w których trwają prace wybuchowe w atmosferze wybuchowej lub w pobliżu sprzętu medycznego lub podtrzymującego życie Nie włączaj urządzenia w żadnym samolocie Praca tego sprzętu w środowisku mieszkalnym może powodować zakłócenia radiow...

Page 815: ...er feita pelo usuário Nunca abra o equipamento Por razões de segurança o equipamento deve ser aberto apenas por pessoal qualificado A unidade deve ser desligada onde houver detonações em andamento onde houver presença de atmosferas explosivas ou próximo a equipamentos médicos ou de suporte à vida Não ligue a unidade em nenhuma aeronave A operação deste equipamento em um ambiente residencial pode c...

Page 816: ...ateľom Nikdy neotvárajte zariadenie Z bezpečnostných dôvodov by malo zariadenie otvárať iba kvalifikovaný personál Jednotka musí byť vypnutá tam kde prebiehajú trhacie práce kde je prítomné výbušné prostredie alebo v blízkosti lekárskych prístrojov alebo zariadení na podporu života Jednotku nezapínajte v žiadnom lietadle Prevádzka tohto zariadenia v obytnom prostredí by mohla spôsobiť rádiové ruše...

Page 817: ...ih lahko uporabljal uporabnik Nikoli ne odpirajte opreme Iz varnostnih razlogov naj opremo odpira samo usposobljeno osebje Enoto je treba izklopiti tam kjer poteka razstreljevanje kjer so prisotne eksplozivne atmosfere ali v bližini medicinske opreme ali opreme za vzdrževanje življenja Enote ne vklopite v nobenem letalu Delovanje te opreme v stanovanjskem okolju lahko povzroči radijske motnje Pri ...

Page 818: ...bierto únicamente por personal calificado La unidad debe estar apagada donde se estén realizando explosiones cuando haya atmósferas explosivas o cerca de equipos médicos o de soporte vital No encienda la unidad en ningún avión El funcionamiento de este equipo en un entorno residencial puede provocar interferencias de radio Para temperaturas ambiente superiores a 60 C este equipo debe instalarse ún...

Page 819: ...N 300 328 v1 8 1 n EN 301 893 v1 7 2 n EN 301 489 n FCC Part 15 Subpart B Class B Safety compliance standards EN 62368 E UTRA CA E UTRA FDD E UTRA TDD UMTS FDD PTCRB Cellular carriers See the current list of carriers on the IX10 datasheet available on the Digi IX10 Specifications page Electrical safety compliance The IX10 model 50002009 01 shall be powered using a DC power source Approved in its c...

Page 820: ... the web interface 822 Display help for commands and parameters 824 Auto complete commands and parameters 826 Available commands 827 Use the scp command 828 Display status and statistics using the show command 829 Device configuration using the command line interface 830 Execute configuration commands at the root Admin CLI prompt 831 Configuration mode 833 Command line reference 845 IX10 User Guid...

Page 821: ...WebUI Configure the web administration service n SSH Configure SSH access n Telnet Configure telnet access Log in to the command line interface Command line 1 Connect to the IX10 device by using a serial connection SSH or telnet or the Terminal in the WebUI or the Console in the Digi Remote Manager See Access the command line interface for more information n For serial connections the default conf...

Page 822: ...rface Command line 1 At the command prompt type exit exit 2 Depending on the device configuration you may be presented with another menu for example Access selection menu a Admin CLI s Shell q Quit Select access or quit admin Type q or quit to exit Execute a command from the web interface 1 Log into the IX10 WebUI as a user with Admin access 2 At the main menu click Terminal The device console app...

Page 823: ...Command line interface Execute a command from the web interface IX10 User Guide 823 The Admin CLI prompt appears ...

Page 824: ... start of line Ctrl E Move cursor to end of line Ctrl W Delete word under cursor until start of line or Ctrl R If the current input is invalid then characters will be deleted until a prefix for a valid command is found Ctrl left Jump cursor left until start of line or Ctrl right Jump cursor right until start of line or The question mark command When executed from the root command prompt displays a...

Page 825: ...ture Show manufacturer information modbus gateway Show modbus gateway status statistics modem Show modem statistics network Show network interface statistics ntp Show NTP information openvpn Show OpenVPN statistics route Show IP routing information scripts Show scheduled scripts serial Show serial statistics surelink Show Surelink statistics system Show system statistics version Show firmware vers...

Page 826: ...ailable commands are displayed instead Auto complete applies to these command elements only n Command names For example typing net Tab auto completes the command as network n Parameter names For example l ping hostname int Tab auto completes the parameter as interface l system b Tab auto completes the parameter as backup n Parameter values where the value is one of an enumeration or an on off type...

Page 827: ... for information about the help command ls Lists the contents of a directory mkdir Creates a directory modem Executes modem commands more Displays the contents of a file mv Moves a file or directory ping Pings a remote host using Internet Control Message Protocol ICMP Echo Request messages reboot Reboots the IX10 device rm Removes a file scp Uses the secure copy protocol SCP to transfer files betw...

Page 828: ... being copied to a remote host from the IX10 device o The path and filename of the file on the IX10 device that will be copied to the remote host o The location on the remote host where the file will be copied Copy a file from a remote host to the IX10 device To copy a file from a remote host to the IX10 device use the scp command as follows scp host hostname or ip user username remote remote path...

Page 829: ...rt report 0040D0133536 22 05 31 9 03 04 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local var log support report 00 40 D0 13 35 36 22 05 31 9 03 04 bin to remote admin 192 168 4 1 s password adminpwd support report 0040D0133536 22 05 31 9 03 04 bin Display status and statistics using the show command ...

Page 830: ...ersion 19 7 23 0 15f936e0ed Current Time Wed 31 May 2022 9 03 04 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Temperature 40C show network The show network command displays status and statistics for network interfaces show network Interface Proto Status Address defaultip IPv4 up 192 168 210 1 24 defaultlinklocal IPv4 up 169 254 100 100 16 lan IPv4 up 192 168 2 1 lan IPv6 up 0 0...

Page 831: ...able false The IX10 device s ssh service is now disabled Note When the config command is executed at the root prompt certain configuration actions that are available in configuration mode cannot be performed This includes validating configuration changes canceling and reverting configuration changes and performing actions on elements in lists See Configuration mode for information about using conf...

Page 832: ...mote_control Remote control snmp SNMP ssh SSH telnet Telnet web_admin Web administration config service 3 Next display help for the config service ssh command config service ssh SSH An SSH server for managing the device Parameters Current Value enable true Enable key private Private key port 22 Port Additional Configuration acl Access control list mdns config service ssh 4 Lastly display the allow...

Page 833: ... configuration commands in configuration mode There are two ways to enter configuration commands while in configuration mode n Enter the full command string from the config prompt For example to disable the ssh service by entering the full command string at the config prompt config service ssh enable false config n Execute commands by moving through the configuration schema For example to disable ...

Page 834: ...fig cancel After using cancel to discard unsaved changes to the configuration you will automatically exit configuration mode Configuration actions In configuration mode configuration actions are available to perform tasks related to saving or canceling the configuration changes and to manage items and elements in lists The commands can be listed by entering a question mark at the config prompt The...

Page 835: ...ple 1 Enter at the config prompt config This will display the following help information config Additional Configuration application Custom scripts auth Authentication cloud Central management firewall Firewall monitoring Monitoring network Network serial Serial service Services system System vpn VPN config 2 You can then display help for the additional configuration commands For example to displa...

Page 836: ...display help for the service ssh command use one of the following methods n At the config prompt enter service ssh config service ssh n At the config prompt a Enter service to move to the service node config service config service b Enter ssh to move to the ssh node config service ssh config service ssh c Enter to display help for the ssh node config service ssh Either of these methods will displa...

Page 837: ...config service b Enter ssh to move to the ssh node config service ssh config service ssh c Enter enable to display help for the enable parameter config service ssh enable config service ssh Either of these methods will display the following information config service ssh enable Enable Enable the service Format true false yes no 1 0 Default value true Current value true config service ssh enable Mo...

Page 838: ...uration by entering two periods config service ssh acl zone config service ssh acl You can also move back multiples nodes in the configuration by typing multiple sets of two periods config service ssh acl zone config service n Move to the root of the config prompt from anywhere within the configuration by entering three periods config service ssh acl zone config Manage elements in lists While in c...

Page 839: ... keyword is used to add an element to the end of a list Additionally the end keyword is used to add an element to a list that does not have any elements For example to add an authentication group to a user that has just been created 1 Use the show command to verify that the user is not currently a member of any groups config show auth user new user group config 2 Use the end keyword to add the adm...

Page 840: ...ements in a list For example to reorder the authentication methods 1 Use the show command to display current authentication method configuration config show auth method 0 local 1 tacacs 2 radius config 2 To configure the device to use TACACS authentication first to authenticate a user use the move index_number_1 index_number_2 command config move auth method 1 0 config 3 Use the show command again...

Page 841: ...min password pwd config 3 Save the configuration and apply the change config save Configuration saved 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Revert a subset of configuration changes to the default settings There are two methods to revert a subset of configuration changes to ...

Page 842: ...e auth node config auth config auth 2 Enter the revert command with the path set to method config auth revert method config auth 3 Save the configuration and apply the change config auth save Configuration saved 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Enter strings in configu...

Page 843: ...od one Create a user at the root of the config prompt config add auth user user1 config auth user user1 n Method two Create a user by moving through the configuration a At the config prompt enter auth to move to the auth node config auth config auth b Enter user to move to the user node config auth user config auth user c Create a new user with the username user1 config auth user add user1 config ...

Page 844: ... serial enable true ports 0 port1 shell enable false config auth user user1 6 Add the user to the admin group config auth user user1 add group end admin config auth user user1 7 Save the configuration and apply the change config auth user user1 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type q...

Page 845: ... modem firmware ota list 852 modem firmware ota update 852 modem firmware update 852 modem pin change 853 modem pin disable 853 modem pin enable 853 modem pin status 854 modem pin unlock 854 modem puk status 854 modem puk unlock 854 modem reset 855 modem scan 855 modem sim slot 855 monitoring 855 monitoring metrics upload 856 more 856 mv 856 ping 856 reboot 858 rm 859 scp 860 show analyzer 860 sho...

Page 846: ...68 ssh 868 system backup 868 system disable cryptography 869 system duplicate firmware 869 system factory erase 869 system find me 870 system firmware ota check 870 system firmware ota list 870 system firmware ota update 870 system firmware update 870 system power ignition off_delay 871 system restore 871 system script start 871 system script stop 871 system serial clear 871 system serial save 872...

Page 847: ...l be used as the root directory for the path and file analyzer start Start a capture session of packets on this devices interfaces Syntax analyzer start name Parameters name Name of the capture filter to use analyzer stop Stops the traffic capture session Syntax analyzer stop name Parameters name Name of the capture filter to use clear dhcp lease ip address Clear the DHCP lease for the specified I...

Page 848: ...ilepath for container image to be created container delete Delete a LXC container This will remove the LXC container configuration and the container image Syntax container delete container Parameters container Filepath for container image to be deleted This process also removes any associated configuration cp Copy a file or directory Syntax cp source destination force Parameters source The source ...

Page 849: ...Command line interface Command line reference IX10 User Guide 849 Parameters None ...

Page 850: ... Command line reference IX10 User Guide 850 ls List a directory Syntax ls path show hidden Parameters path List files and directories under this path show hidden Show hidden files and directories Hidden filenames begin with ...

Page 851: ...LI command on modem at interactive Start an AT command session on the modem s AT serial port Syntax modem at interactive name STRING imei STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on modem firmware check Inspect opt MODEM_MODEL Custom_Firmware directory for new modem firmware file Syntax modem firmw...

Page 852: ...ersions Syntax modem firmware ota list name STRING imei STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on modem firmware ota update Perform FOTA firmware over the air update The modem will be updated to the latest modem firmware image unless a specific firmware version is specified Syntax modem firmware ...

Page 853: ...ured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on modem pin disable Disable the PIN lock on the SIM card that is active in the modem Warning Attempting to use an incorrect PIN code may PUK lock the SIM Syntax modem pin disable pin name STRING imei STRING Parameters pin The SIM s PIN code name The configured name of the modem to execute ...

Page 854: ...h a PIN code Set the PIN field in the modem interface s configuration to unlock the SIM card automatically before use Warning Attempting to use an incorrect PIN code may PUK lock the SIM Syntax modem pin unlock pin name STRING imei STRING Parameters pin The SIM s PIN code name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on ...

Page 855: ...xecute this CLI command on imei The IMEI of the modem to execute this CLI command on modem scan List of carriers present in the network Syntax modem scan name STRING imei STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on modem sim slot Show or change the modem s active SIM slot This applies only to modem...

Page 856: ...rent device health metrics Functions as if a scheduled upload was triggered Syntax monitoring metrics upload Parameters None more View a file Syntax more path Parameters path The file to view mv Move a file or directory Syntax mv source destination force Parameters source The source file or directory to move destination The destination path to move the source file or directory to force Do not ask ...

Page 857: ... reachable over a default route If not specified the system s primary default route will be used source The ping command will send a packet with the source address set to the IP address of this interface rather than the address of the interface the packet is sent from ipv6 If a hostname is defined as the value of the host parameter use the hosts IPV6 address size The number of bytes sent in the IC...

Page 858: ...Command line interface Command line reference IX10 User Guide 858 reboot Reboot the system Parameters None ...

Page 859: ...Command line interface Command line reference IX10 User Guide 859 rm Remove a file or directory Syntax rm path force Parameters path The path to remove force Force the file to be removed without asking ...

Page 860: ... host or from the remote host to the local device port The SSH port to use to connect to the remote host Minimum 1 Maximum 65535 Default 22 show analyzer Show packets from a specified analyzer capture Syntax show analyzer name Parameters name Name of the capture filter to use show arp Show ARP tables If no IP version is specified IPv4 IPV6 will be displayed Syntax show arp ipv4 ipv6 verbose Parame...

Page 861: ... session although individual output lines maybe context sensitive and unable to be entered in isolation show containers Show container status statistics Syntax show containers container STRING Parameters container Display more details and config data for a specific container show dhcp lease Show DHCP leases Syntax show dhcp lease all verbose Parameters all Show all leases active and inactive not i...

Page 862: ...s of a specific client to limit the status display to only this client show ipsec Show IPsec status statistics Syntax show ipsec tunnel STRING all verbose Parameters tunnel Display more details and config data for a specific IPsec tunnel all Display all tunnels including disabled tunnels verbose Display status of one or all tunnels in plain text show l2tp lac Show L2TP access concentrator status s...

Page 863: ...mation show log Show system log low level Syntax show log number INTEGER filter critical warning debug info Parameters number Number of lines to retrieve from log Minimum 1 Default 20 filter Filters for type of log message displayed critical warning info debug Note filters from the number of messages retrieved not the whole log this can be very time consuming If you require more messages of the fi...

Page 864: ... modem to execute this CLI command on verbose Display more information less concise more detail show nemo Show NEMO status and statistics Syntax show nemo name STRING Parameters name Display more details and configuration data for a specific NEMO instance show network Show network interface status statistics Syntax show network interface STRING all verbose Parameters interface Display more details...

Page 865: ...lients show openvpn server Show OpenVPN server status statistics Syntax show openvpn server name STRING all Parameters name Display more details and config data for a specific OpenVPN server all Display all servers including disabled servers show route Show IP routing information Syntax show route ipv4 ipv6 verbose Parameters ipv4 Display IPv4 routes ipv6 Display IPv6 routes verbose Display more i...

Page 866: ...G Parameters port Display more details and config data for a specific serial port show surelink interface Show SureLink status statistics for network interfaces Syntax show surelink interface name STRING all Parameters name The name of a specific network interface all Show all network interfaces show surelink ipsec Show SureLink status statistics for IPsec tunnels Syntax show surelink ipsec tunnel...

Page 867: ...all Show all OpenVPN clients show system Show system status statistics Syntax show system verbose Parameters verbose Display more information disk usage etc show usb Show USB information Syntax show usb Parameters None show version Show firmware version Syntax show version verbose Parameters verbose Display more information build date show vrrp Show VRRP status statistics Syntax show vrrp name STR...

Page 868: ...speed test host server size The number of kilobytes sent in the speed test packets Minimum 0 Default 1000 mode The type of speed test protocol to run Default nuttcp output The format of output to display the speed test results as Default text ssh Use SSH protocol to log into a remote server Syntax ssh host user port INTEGER command STRING Parameters host The hostname or IP address of the remote ho...

Page 869: ...ackup file system disable cryptography Erase the device s configuration and reboot into a limited mode with no cryptography available The device s shell will be accessible over Telnet port 23 at IP address 192 168 210 1 To return the device to normal operation perform the configuration erase procedure with the device s ERASE button twice consecutively Syntax system disable cryptography Parameters ...

Page 870: ...k Parameters None system firmware ota list Query the Digi firmware server for a list of device firmware versions Syntax system firmware ota list Parameters None system firmware ota update Perform FOTA firmware over the air update The device will be updated to the latest firmware version unless the version argument is used to specify the firmware version Syntax system firmware ota update version ST...

Page 871: ...ackup archive or CLI commands file Syntax system restore path passphrase STRING Parameters path The path to the backup file passphrase Decrypt the archive with a passphrase system script start Run a manual script Scripts that are disabled not a manual script or already running can not be run Syntax system script start script Parameters script Script to start system script stop Stop an active runni...

Page 872: ...traffic to If a relative path is provided etc config serial will be used as the root directory for the path and file system serial show Displays the serial log on the screen Syntax system serial show port Parameters port Serial port system serial start Start logging data on a serial port Syntax system serial start port size INTEGER Parameters port Serial port size Maximum size of serial log Defaul...

Page 873: ...et in the system time timezone config setting Syntax system time set datetime Parameters datetime The date in year month day hour minute second format e g 2021 09 26 12 24 48 system time sync Perform a NTP query to the configured server s and set the local time to the first server that responds Syntax system time sync Parameters None system time test Test the configured NTP server s for connectivi...

Page 874: ...Minimum 1 Default 30 port Specifies the destination port base traceroute will use the destination port number will be incremented by each probe A value of 1 specifies that no specific port will be used Minimum 1 Default 1 nqueries Sets the number of probe packets per hop A value of 1 indicated Minimum 1 Default 3 src_addr Chooses an alternative source address Note that you must select the address ...

Reviews:

No comments

Related manuals for IX10

Aastra CNX Product Brief preview
CNX
Brand: Aastra Pages: 2
Wave wifi EC Series Quick Start Manual preview
EC Series
Brand: Wave wifi Pages: 2
H3C S5120V3-EI Series Manual preview
S5120V3-EI Series
Brand: H3C Pages: 54
H3C CR16000-M Installation Manual preview
CR16000-M
Brand: H3C Pages: 116
SyChip WLAN6065SD User Manual preview
WLAN6065SD
Brand: SyChip Pages: 24
E-Lins H700 Series User Manual preview
H700 Series
Brand: E-Lins Pages: 113
ZyXEL Communications XS1920 Series User Manual preview
XS1920 Series
Brand: ZyXEL Communications Pages: 422
Brocade Communications Systems NetIron MLXe Series Hardware Installation Manual preview
NetIron MLXe Series
Brand: Brocade Communications Systems Pages: 305
Sans Digital ELITENAS EN104L+(B) Quick Installation Manual preview
ELITENAS EN104L+(B)
Brand: Sans Digital Pages: 9
Patton IPLink 2603 Series User Manual preview
IPLink 2603 Series
Brand: Patton Pages: 120
Lanner FW-7551 User Manual preview
FW-7551
Brand: Lanner Pages: 38
Allied Telesis AT-BSTACK1 Quick Install Manual preview
AT-BSTACK1
Brand: Allied Telesis Pages: 34
iNetVu Tachyon CI1300 Quick Start Manual preview
Tachyon CI1300
Brand: iNetVu Pages: 20
ADTRAN 1700601G2 Quick Start Manual preview
1700601G2
Brand: ADTRAN Pages: 4
Teldat H2 RAIL Installation Manual preview
H2 RAIL
Brand: Teldat Pages: 47
Allynk Technology CAG-0100 User Manual preview
CAG-0100
Brand: Allynk Technology Pages: 39
PC Concepts Full-Rated Router ADSL2+ User Manual preview
Full-Rated Router ADSL2+
Brand: PC Concepts Pages: 104
3Com Router 3000 Series Manual preview
Router 3000 Series
Brand: 3Com Pages: 37

Brands by name

Popular brands

Load more brands