Virtual Private Networks (VPN)

Generic Routing Encapsulation (GRE)

IX20 User Guide

Example: GRE tunnel over an IPsec tunnel

The IX20 device can be configured to advertise a set of routes through an IPsec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPsec tunnel.

The example configuration provides instructions for configuring the IX20 device with a GRE tunnel through IPsec.

IX20-1 configuration tasks

1. Create an IPsec tunnel named ipsec_gre1 with:
   - A pre-shared key.
   - Remote endpoint set to the public IP address of the IX20-2 device.
   - A policy with:
     - Local network set to the IP address and subnet of the local GRE tunnel, 172.30.0.1/32.
     - Remote network set to the IP address and subnet of the remote GRE tunnel, 172.30.0.2/32.

2. Create an IPsec endpoint interface named ipsec_endpoint1:
   a. Zone set to Internal.
   b. Device set to Ethernet: Loopback.
   c. IPv4 Address set to the IP address of the local GRE tunnel, 172.30.0.1/32.

3. Create a GRE tunnel named gre_tunnel1:
   a. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint1.
   b. Remote endpoint set to the IP address of the GRE tunnel on IX20-2, 172.30.0.2.

4. Create an interface named gre_interface1 and add it to the GRE tunnel:
   a. Zone set to Internal.
   b. Device set to IP tunnel: gre_tunnel1.
   c. IPv4 Address set to a virtual IP address on the GRE tunnel, 172.31.0.1/30.

IX20-2 configuration tasks

1. Create an IPsec tunnel named ipsec_gre2 with:
   - The same pre-shared key as the ipsec_gre1 tunnel on IX20-1.
   - Remote endpoint set to the public IP address of IX20-1.
   - A policy with:
     - Local network set to the IP address and subnet of the local GRE tunnel, 172.30.0.2/32.
     - Remote network set to the IP address of the remote GRE tunnel, 172.30.0.1/32.
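The addressing plan from the two task lists, as an added example that is not part of the Digi guide: a Python check that the IPsec policy selectors, the loopback endpoint addresses and the GRE endpoints agree on both devices, so that GRE packets always match the IPsec policy. The public IP addresses, the pre-shared key and every IX20-2 value beyond its IPsec tunnel are assumptions (mirrored from IX20-1), and the `Peer`, `check_plan` and `page_plan` names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Peer:
    name: str
    public_ip: str      # address the IPsec tunnel terminates on
    psk: str            # IPsec pre-shared key
    ipsec_remote: str   # IPsec tunnel "Remote endpoint"
    policy_local: str   # IPsec policy "Local network"
    policy_remote: str  # IPsec policy "Remote network"
    endpoint_addr: str  # IPv4 address of the loopback IPsec endpoint interface
    gre_remote: str     # GRE tunnel "Remote endpoint"
    gre_addr: str       # IPv4 address of the GRE interface (virtual IP)


def check_plan(a, b):
    """Return a list of problems in a two-device plan (empty if consistent)."""
    problems = []
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    for me, peer in ((a, b), (b, a)):
        local = ipaddress.ip_network(me.policy_local, strict=False)
        remote = ipaddress.ip_network(me.policy_remote, strict=False)
        endpoint = ipaddress.ip_interface(me.endpoint_addr)
        gre_dst = ipaddress.ip_address(me.gre_remote)
        if ipaddress.ip_address(me.ipsec_remote) != ipaddress.ip_address(peer.public_ip):
            problems.append(f"{me.name}: IPsec remote endpoint is not {peer.name}'s public IP")
        # The policy's local selector must be exactly the loopback address
        # that the GRE tunnel uses as its source.
        if local.prefixlen != 32 or endpoint.network != local:
            problems.append(f"{me.name}: policy local network is not the /32 of the IPsec endpoint interface")
        # Selectors must mirror each other or the peers will not agree on a policy.
        if remote != ipaddress.ip_network(peer.policy_local, strict=False):
            problems.append(f"{me.name}: policy remote network does not mirror {peer.name}'s local network")
        # GRE packets go from endpoint_addr to gre_remote; if gre_remote is not
        # covered by the policy, they do not match the IPsec tunnel.
        if gre_dst not in remote:
            problems.append(f"{me.name}: GRE remote endpoint {gre_dst} is outside the IPsec policy")
        elif gre_dst != ipaddress.ip_interface(peer.endpoint_addr).ip:
            problems.append(f"{me.name}: GRE remote endpoint is not {peer.name}'s IPsec endpoint address")
    ga = ipaddress.ip_interface(a.gre_addr)
    gb = ipaddress.ip_interface(b.gre_addr)
    if ga.network != gb.network or ga.ip == gb.ip:
        problems.append("GRE interface addresses are not two distinct hosts in one subnet")
    # If the overlay subnet contained an endpoint address, the route to the GRE
    # remote endpoint could point back into the GRE tunnel itself.
    for me in (a, b):
        if ipaddress.ip_network(me.policy_local, strict=False).overlaps(ga.network):
            problems.append(f"{me.name}: GRE overlay subnet overlaps the IPsec endpoint address")
    return problems


def page_plan():
    """IX20-1 values are from the page; values marked 'assumed' are constructed."""
    psk = "example-psk-not-a-real-key"           # assumed placeholder
    ix1 = Peer(
        name="IX20-1", public_ip="203.0.113.1",  # assumed (documentation range)
        psk=psk, ipsec_remote="203.0.113.2",
        policy_local="172.30.0.1/32", policy_remote="172.30.0.2/32",
        endpoint_addr="172.30.0.1/32", gre_remote="172.30.0.2",
        gre_addr="172.31.0.1/30",
    )
    ix2 = Peer(
        name="IX20-2", public_ip="203.0.113.2",  # assumed (documentation range)
        psk=psk, ipsec_remote="203.0.113.1",
        policy_local="172.30.0.2/32", policy_remote="172.30.0.1/32",
        endpoint_addr="172.30.0.2/32",           # assumed mirror of IX20-1
        gre_remote="172.30.0.1",                 # assumed mirror of IX20-1
        gre_addr="172.31.0.2/30",                # assumed: other host in the /30
    )
    return ix1, ix2


if __name__ == "__main__":
    ix1, ix2 = page_plan()
    print(check_plan(ix1, ix2) or "plan is consistent")
    # Constructed mistake: GRE pointed at the peer's public IP instead of its
    # IPsec endpoint address, so GRE would not match the IPsec policy.
    for problem in check_plan(replace(ix1, gre_remote=ix2.public_ip), ix2):
        print(problem)
```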


Page 82: ... External j For Device select Modem This should be the same modem selected for the WWAN_Public WWAN k Enable APN list only l Click to expand APN list APN m For APN type the private APN provided to you by your cellular carrier 5 Create the routing policies For example to route all traffic from LAN1 through the public APN and LAN2 through the private APN ...

Page 83: ...Interface select LAN1 f Configure the destination address i Click to expand Destination address ii For Type select Interface iii For Interface select Interface WWAN_Public g Click the to add another route policy h For Label enter Route through private APN i For Interface select Interface WWAN_Private j Configure the source address i Click to expand Source address ii For Type select Interface iii F...

Page 84: ...ter configuration mode config config 3 Set the maximum number of interfaces for the modem config network modem modem max_intfs 2 config 4 Create the WWAN interfaces a Create the WWANPublic interface config add network interface WWANPublic config network interface WWANPublic b Set the interface type to modem config network interface WWANPublic type modem config network interface WWANPublic c Set th...

Page 85: ...vice modem config network interface WWANPrivate i Enable APN list only config network interface WWANPrivate apn_lock true config network interface WWANPrivate j Set the private APN config network interface WWANPublic modem apn private_apn config network interface WWANPublic 5 Create the routing policies For example to route all traffic from LAN1 through the public APN and LAN2 through the private ...

Page 86: ...licy 0 interface network interface WWANPublic config network route policy 0 f Use two periods to move back one level in the configuration config nnetwork route policy 0 config nnetwork route policy g Add a new routing policy config network route policy add end config network route policy 1 h Set the label that will be used to identify this route policy config network route policy 1 label Route thro...

Page 87: ...y 1 dst type interface config network route policy 1 ii Set the interface to WWANPrivate config network route policy 1 interface network interface WWANPrivate config network route policy 1 6 Save the configuration and apply the change config network route policy 1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access s...

Page 88: ...rvers for this interface l Whether to include the IX20 device s hostname in DHCP requests l SureLink active recovery configuration See Configure SureLink active recovery to detect WAN WWAN failures for further information n IPv6 configuration l The metric for IPv6 routes associated with the WAN l The relative weight for IPv6 routes associated with the WAN l The IPv6 management priority of the WAN ...

Page 89: ...k n To edit an existing WAN click to expand the WAN The Interface configuration window is displayed New WANs are enabled by default To disable click Enable 5 For Interface type leave at the default setting of Ethernet 6 For Zone select External 7 For Device select an Ethernet device a Wi Fi client or a bridge See Bridging for more information about bridging 8 Configure IPv4 settings a Click to exp...

Page 90: ...en be configured to register the device s hostname and IP address with an associated DNS server n See RFC4702 for further information about DHCP server support for the Client FQDN option n See Configure system information for information about setting the IX20 device s system name d See Configure SureLink active recovery to detect WAN WWAN failures for information about configuring Active recovery...

Page 91: ... See Configure system information for information about setting the IX20 device s system name 10 Optional Click to expand MAC address blacklist Incoming packets will be dropped from any devices whose MAC address is included in the MAC address blacklist a Click to expand MAC address blacklist b For Add MAC address click c Type the MAC address 11 Optional Click to expand MAC address whitelist If t...

Page 92: ...bridge See Bridging for more information about bridging a Enter device to view available devices and the proper syntax config network interface my_wan device Device The network device used by this network interface Format network device eth1 network device eth2 network device loopback network bridge lan network wireless ap digi_ap Current value config network interface my_wan device b Set the devi...

Page 93: ...interface my_wan iv Set the MTU config network interface my_wan ipv4 mtu num config network interface my_wan v Configure how to use DNS config network interface my_wan ipv4 use_dns value config network interface my_wan where value is one of n always DNS will always be used for this WAN when multiple interfaces have the same DNS server the interface with the lowest metric will be used for DNS reque...

Page 94: ...6 support are sufficient You can view the default IPv6 settings by using the question mark config network interface my_wan ipv6 IPv6 Parameters Current Value dhcp_hostname false DHCP Hostname enable true Enable metric 0 Metric mgmt 0 Management priority mtu 1500 MTU type dhcpv6 Type use_dns always Use DNS weight 10 Weight Additional Configuration connection_monitor Active recovery config network i...

Page 95: ...PN configuration n The custom gateway netmask n IPv4 configuration l The metric for IPv4 routes associated with the WAN l The relative weight for IPv4 routes associated with the WAN l The IPv4 management priority of the WAN The active interface with the highest management priority will have its address reported as the preferred contact address for central management and direct device access l The ...

Page 96: ...WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Create the WWAN or select an existing WWAN n To create a new WWAN for Add interface type a name for the WWAN and click n To edit an existing WWAN click to expand the WWAN New WWANs are enabled by default To disabl...

Page 97: ...s selected for Match ICCID type the unique SIM card ICCID that must be in active for this WWAN to be used b Type the PIN for the SIM Leave blank if no PIN is required c Type the Phone number for the SIM for SMS connections Normally this should be left blank It is only necessary to complete this field if the SIM does not have a phone number or if the phone number is incorrect d Roaming is enabled b...

Page 98: ...0 Optional To configure the IP address of a custom gateway or a custom netmask a Click Custom gateway to expand b Click Enable c For Gateway Netmask enter the IP address and netmask of the custom gateway To override only the gateway netmask but not the gateway IP address use all zeros for the IP address For example 0 0 0 0 32 will use the network provided gateway but with a 32 netmask 11 Optional ...

Page 99: ...ing Active recovery 2 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new WWAN or edit an e...

Page 100: ...configuration items a Set the SIM matching criteria to determine when this WWAN should be used config network interface my_wwan modem match value config network interface my_wwan Where value is one of n any n carrier Set the cellular carrier must be in active for this WWAN to be used i Use to determine available carriers config network interface my_wwan modem carrier Match SIM carrier The SIM carri...

Page 101: ...ace my_wwan modem plmn_id PLMN_ID config network interface my_wwan n sim_slot Set which SIM slot must be in active for this WWAN to be used config network interface my_wwan modem sim_slot value config network interface my_wwan where value is either 1 or 2 b Set the PIN for the SIM Leave blank if no PIN is required config network interface my_wwan modem pin value config network interface my_wwan c ...

Page 102: ...imes that the device should attempt to connect to the active SIM before failing over to the next available SIM config network interface my_wwan modem sim_failover_retries num config network interface my_wwan The default setting is 5 ii Configure how SIM failover will function if automatic SIM switching is unavailable config network interface my_wwan modem sim_failover_alt value config network inte...

Page 103: ...wwan b Set the metric config network interface my_wwan ipv4 metric num config network interface my_wwan See Configure WAN WWAN priority and default route metrics for further information about metrics c Set the relative weight for default routes associated with this interface For multiple active interfaces with the same metric the weight is used to load balance traffic to the interfaces config netw...

Page 104: ...t the management priority This determines which interface will have priority for central management activity The interface with the highest number will be used config network interface my_wwan ipv6 mgmt num config network interface my_wwan f Set the MTU config network interface my_wwan ipv6 mtu num config network interface my_wwan g See Configure SureLink active recovery to detect WAN WWAN failure...

Page 105: ... up fd00 2704 1 48 loopback IPv4 up 127 0 0 1 8 modem IPv4 up 10 200 1 101 30 modem IPv6 down 3 Enter show network interface name at the Admin CLI prompt to display additional information about a specific WAN For example to display information about ETH1 enter show network interface eth1 show network interface eth1 wan1 Interface Status Device eth1 Zone external IPv4 Status up IPv4 Type dhcp IPv4 ...

Page 106: ...m You cannot delete the preconfigured WAN ETH1 or the preconfigured WWAN Modem WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click the menu icon next to the name of the WAN or WWAN to be deleted and select Delete 5 Click Apply to sav...

Page 107: ...g to enter configuration mode config config 3 Use the del command to delete the WAN or WWAN For example to delete a WWAN named my_wwan config del network interface my_wwan 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect f...

Page 108: ... DHCP server enabled n LAN priority Metric 5 n Loopback n Ethernet Loopback n Firewall zone Loopback n IP address 127 0 0 1 8 n Default IP n Bridge LAN n Firewall zone Setup n IP address 192 168 210 1 24 n Default Link local IP n Bridge LAN n Firewall zone Setup n IP address 169 254 100 100 16 You can modify configuration settings for ETH2 and you can create new LANs This section contains the foll...

Page 109: ... LAN n The IPv4 address and subnet mask for the LAN While it is not strictly necessary for a LAN to have an IP address if you want to send traffic from other networks to the LAN you must configure an IP address Note By default ETH2 is set to an IP address of 192 168 2 1 and uses the IP subnet of 192 168 2 0 24 If the WAN ETH1 Ethernet device is being used by a WAN with the same IP subnet you shoul...

Page 110: ...ion Unit MTU of the LAN l The IPv6 prefix length and ID l IPv6 DHCP server configuration See DHCP servers for more information n MAC address blacklist and whitelist To create a new LAN or edit an existing LAN WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click...

Page 111: ...utes associated with this interface For multiple active interfaces with the same metric Weight is used to load balance traffic to the interfaces iii Set the Management priority This determines which interface will have priority for central management activity The interface with the highest number will be used iv Set the MTU e Enable the DHCP server i Click to expand DHCP server ii Click Enable See...

Page 112: ...al Click to expand MAC address whitelist If whitelist entries are specified incoming packets will only be accepted from the listed MAC addresses a Click to expand MAC address whitelist b For Add MAC address click c Type the MAC address 13 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending ...

Page 113: ...evice for the LAN config network interface my_lan device device config network interface my_lan 6 Configure IPv4 settings n IPv4 support is enabled by default To disable config network interface my_lan ipv4 enable false config network interface my_lan n The LAN is configured by default to use a static IP address for its IPv4 configuration To configure the LAN to be a DHCP client rather than using ...

Page 114: ... config network interface my_lan iv Set the MTU config network interface my_lan ipv4 mtu num config network interface my_lan c Enable the DHCP server config network interface my_lan ipv4 dhcp_server enable true See DHCP servers for information about configuring the DHCP server 7 Optional Configure IPv6 settings a Enable IPv6 support config network interface my_lan ipv6 enable true config network i...

Page 115: ...ce my_lan d Modify any of the remaining default settings as appropriate For example to change the minimum length of the prefix config network interface my_lan ipv6 prefix_length 60 config network interface my_lan If the minimum length is not available then a longer prefix will be used See Configure WAN WWAN priority and default route metrics for further information about metrics 8 Save the configu...

Page 116: ...aultlinklocal IPv4 up 169 254 100 100 16 eth1 IPv4 up 10 10 10 10 24 eth1 IPv6 up fe00 2404 240 f4ff fe80 120 64 eth2 IPv4 up 192 168 2 1 24 eth2 IPv6 up fd00 2704 1 48 loopback IPv4 up 127 0 0 1 8 modem IPv4 up 10 200 1 101 30 modem IPv6 down 3 Enter show network interface name at the Admin CLI prompt to display additional information about a specific LAN For example to display information about ...

Page 117: ...lete a LAN Follow this procedure to delete any LANs that have been added to the system You cannot delete the preconfigured LAN LAN1 WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click the menu icon next to the name of the LAN to be d...

Page 118: ...ocal network Addresses are assigned from a specified pool of IP addresses For a local network the device uses the DHCP server that has the IP address pool in the same IP subnet as the local network When a host receives an IP configuration the configuration is valid for a particular amount of time known as the lease time After this lease time expires the configuration must be renewed The host renew...

Page 119: ...ck to expand an existing LAN or create a new LAN See Configure a LAN 5 Click to expand IPv4 DHCP server 6 Enable the DHCP server 7 Optional For Lease time type the amount of time that a DHCP lease is valid Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Lease time to ten minutes enter 10m or 600s The default is 12 hours 8...

Page 120: ...er and Primary and Secondary WINS server select either n None No server is broadcast n Automatic Broadcasts the IX20 device s server n Custom Allows you to identify the IP address of the server f For Bootfile name type the relative path and file name of the bootfile on the TFTP server g For TFTP server name type the IP address or host name of the TFTP server 10 See Configure DHCP options for infor...

Page 121: ...ainder of the IP address will be based on the LAN s static IP address as defined in the address parameter config network interface my_lan ipv4 dhcp_server lease_start num config Allowed values are between 1 and 254 and the default is 100 6 Optional Set the highest IP address that the DHCP server will assign to a client config network interface my_lan ipv4 dhcp_server lease_end num config Allowed v...

Page 122: ...dress or host name of the primary and secondary DNS the primary and secondary NTP server and the primary and secondary WINS servers config network interface my_lan ipv4 dhcp_server advanced primary_dns value config network interface my_lan ipv4 dhcp_server advanced secondary_dns value config network interface my_lan ipv4 dhcp_server advanced primary_ntp value config network interface my_lan ipv4 ...

Page 123: ...rk interface my_lan ipv4 dhcp_server advanced static_lease 0 save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Map static IP addresses to hosts You can configure the DHCP server to assign static IP addresses to specific hosts Required configuration items n IP ...

Page 124: ...This does not have to be the device s actual hostname 10 Repeat for each additional DHCP static lease 11 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line typ...

Page 125: ...label for this static lease config network interface my_lan ipv4 dhcp_server advanced static_lease 0 name label config network interface my_lan ipv4 dhcp_server advanced static_lease 0 7 Save the configuration and apply the change config network interface my_lan ipv4 dhcp_server advanced static_lease 0 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuratio...

Page 126: ...46 24 0E D9 no name 1 ip 192 168 2 11 mac E3 C1 1F 65 C3 0E no name config 4 Type cancel to exit configuration mode config cancel 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete static IP mapping entries To delete a static IP entry WebUI 1 Log into the IX20 WebUI as a user wit...

Page 127: ... Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Show the static lease configuration For example to show the static leases for a lan named my_lan config show network interfac...

Page 128: ...ou can configure DHCP servers running on your IX20 device to send certain specified DHCP options to DHCP clients You can also set the user class which enables you to specify which specific DHCP clients will receive the option You can also force the command to be sent to the clients DHCP options can be set on a per LAN basis or can be set for all LANs A total of 32 DHCP options can be configured Re...

Page 129: ...type select the data type that the option uses If the incorrect data type is selected the device will send the value as a string 12 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CL...

Page 130: ...ption 0 7 Optional Set a label for this custom option config network interface my_lan ipv4 dhcp_server advanced custom_option 0 name label config network interface my_lan ipv4 dhcp_server advanced custom_option 0 8 Optional To force the DHCP option to always be sent to the client even if the client does not ask for it config network interface my_lan ipv4 dhcp_server advanced custom_option 0 force ...

Page 131: ...CP relay server and an IP address range are specified DHCP relay is used and the specified IP address range is ignored Multiple DHCP relay servers can be provided for each LAN If multiple relay servers are provided DHCP requests are forwarded to all servers without waiting for a response Clients will typically use the IP address from the first DHCP response received Configuring DHCP relay involves...

Page 132: ... Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a DHCP relay server to an existing LAN For example to add a server to a LAN named my_lan config add netwo...

Page 133: ... my_lan ipv4 dhcp_relay 1 dhcp_server enable false config network interface my_lan ipv4 dhcp_relay 1 6 Save the configuration and apply the change config network interface lan1 ipv4 dhcp_relay 1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show DHCP server...

Page 134: ...tual LANs VLANs allow splitting a single physical LAN into separate Virtual LANs This is useful for security reasons and also helps to reduce broadcast traffic on the LAN Required configuration items n Device to be assigned to the VLAN n The VLAN ID The TCP header uses the VLAN ID to identify the destination VLAN for the packet To create a VLAN WebUI 1 Log into the IX20 WebUI as a user with full A...

Page 135: ... enter configuration mode config config 3 Add the VLAN config add network vlan name config 4 Set the device to be used by the VLAN a View a list of available devices config network vlan vlan1 device Device The Ethernet device to use for this virtual LAN Format network device eth1 network device eth2 network device loopback network vlan vlan1 network bridge lan network wireless ap digi_ap Current v...

Page 136: ... Save the configuration and apply the change config network vlan vlan1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 137: ...owing preconfigured bridges Interface type Preconfigured interfaces Devices Default configuration Bridges Wi Fi model only n Bridge LAN n Ethernet ETH2 n Wi Fi access point Digi AP n Enabled n Used by the ETH1 interface You can modify configuration settings for the existing bridge and you can create new bridges This section contains the following topics Edit the preconfigured ETH2 bridge 138 Confi...

Page 138: ...WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Bridges LAN 4 The LAN bridge is enabled by default To disable uncheck Enable 5 Modify the list of devices that are a part of the bridge By default the LAN bridge includes the following devices n Ethernet ETH2 n Wi Fi access po...

Page 139: ... is 2 seconds 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 The LAN bridge is enabled by default...

Page 140: ...a show network bridge lan1 device command after each device is deleted to determine the new index numbering b Add devices to the bridge i Determine available devices config network bridge my_bridge interface lan device Device The network device used by this network interface Format network device eth1 network device eth2 network device loopback network bridge lan network wireless ap digi_ap Defaul...

Page 141: ...tion saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a bridge Required configuration items n A name for the bridge Bridges are enabled by default n Devices to be included in the bridge Additional configuration items n Enable Spanning Tree Protocol STP To create a brid...

Page 142: ...licts a Click STP b Click Enable c For Forwarding delay enter the number of seconds that the device will spend in each of the listening and learning states before the bridge begins forwarding data The default is 2 seconds 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device config...

Page 143: ...lan network wireless ap digi_ap Default value network bridge lan Current value network bridge lan config network bridge my_bridge b Add the appropriate device For example to add the Digi AP Wi Fi access point config network bridge my_bridge add device end network wireless ap digi_ap config 6 Optional Enable Spanning Tree Protocol STP STP is used when using multiple LANs on the same device to preve...

Page 144: ...7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 145: ...evice s serial port The default serial port configuration is n Enabled n Serial mode Remote n Label None n Baud rate 9600 n Data bits 8 n Parity None n Stop bits 1 n Flow control None Configure the serial port By default the IX20 serial port is configured as follows n Enabled n Serial mode Remote n Label None n Baud rate 9600 n Data bits 8 n Parity None n Stop bits 1 n Flow control None To change ...

Page 146: ...is enabled by default To disable toggle off Enable 4 For Mode one of the following n Login Allows the user to log into the device through the serial port n Remote access Allows for remote access to another device that is connected to the serial port n Application Provides access to the serial device from Python applications See Use Python to access serial ports for information about creating Pytho...

Page 147: ...al If Remote Access is selected for Mode a Click to expand Service Settings All service settings are disabled by default Click available options to toggle them to enabled and set the IP ports as appropriate b Click to expand Session Settings c Enable Exclusive access to limit access to the serial port to a single active session d For Escape sequence type the characters used to start an escape sequ...

Page 148: ...I 2 At the command line type config to enter configuration mode config config 3 The serial port is enabled by default To disable config serial port1 enable false config 4 Set the mode config serial port1 mode mode config where mode is either n login Allows the user to log into the device through the serial port n remote Allows for remote access to another device that is connected to the serial por...

Page 149: ...by the device to which you want to connect config serial port1 stopbits bits config e Set the type of flow control used by the device to which you want to connect config serial port1 flow type config Allowed values are n none n rts cts n xon xoff The default is none 7 If mode is set to remote a Set the characters used to start an escape sequence config serial port1 escape string config If no chara...

Page 150: ...ue config f Optional Enable monitoring of DCD Data Carrier Detect changes on this port config serial port1 monitor dcd true config g Configure TCP access to this port i Set the connection type config serial USB_port service tcp conn_type value config serial USB_port where value is one of i tcp The TCP connection is unencrypted ii tls The TCP connection uses Transport Layer Security TLS encryption ...

Page 151: ...or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the tcp port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config serial USB_port add service tcp acl interface end value config serial USB_port Where value is an interface...

Page 152: ...y dynamic_routes edge external internal ipsec loopback setup config serial USB_port Repeat this step to list additional firewall zones v Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial USB_port service tcp mdns enable true config serial USB_port h Configure telnet access to this port CAUTION This connection is not authe...

Page 153: ...ial USB_port Where value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the telnet port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config serial USB_port add service telnet acl interface ...

Page 154: ...ts Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config serial USB_port Repeat this step to list additional firewall zones iv Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial USB_port service telnet mdns enable true config serial USB_port i Configure ssh access to this port i Ena...

Page 155: ...or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the ssh port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config serial USB_port add service ssh acl interface end value config serial USB_port Where value is an interface...

Page 156: ...s Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config serial USB_port Repeat this step to list additional firewall zones iv Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial USB_port service ssh mdns enable true config serial USB_port 8 Configure TCP access to this port CAUTION T...

Page 157: ... value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the tcp port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add serial port1 service tcp acl interface end value config Where valu...

Page 158: ... Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Repeat this step to list additional firewall zones d Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial port1 service tcp mdns enable true config 9 Configure telnet access to this port CAUTION This connection is not authenticate...

Page 159: ...e value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the telnet port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add serial port1 service telnet acl interface end value config Whe...

Page 160: ...l lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Repeat this step to list additional firewall zones d Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial port1 service telnet mdns enable true config 10 Configure ssh access to this port a Enable ssh access config serial p...

Page 161: ...DR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the ssh port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add serial port1 service ssh acl interface end value config Where value is an interface defined on your device Display a list of available interface...

Page 162: ... to list additional firewall zones d Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial port1 service ssh mdns enable true config 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selec...

Page 163: ...ration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show serial command show serial Label Port Enable Mode Baudrate Serial 1 port1 true login 9600 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 164: ...ol 169 Configure the Wi Fi radio s transmit power 170 Configure a Wi Fi access point with no security 172 Configure a Wi Fi access point with personal security 177 Configure a Wi Fi access point with enterprise security 182 Isolate Wi Fi clients 189 Show Wi Fi access point status and statistics 196 Configure a Wi Fi client and add client networks 197 Show Wi Fi client status and statistics 204 IX2...

Page 165: ...ss point enabled The default SSID for the access points is Digi IX20W serial_number The password for the default access point is the unique password as found on the device s label Prior to saving any configuration changes to the device you will need to configure the access point to change the default SSID and password See Reset default SSID and pre shared key for the preconfigured Wi Fi access poi...

Page 166: ...e 802 11b g n Channel Automatic Channel width 20 40 MHz Beacon interval 100 n Access point Default setting Name Digi AP Enabled or disabled Enabled SSID Digi IX20W serial_number SSID broadcast Enabled Encryption WPA2 Personal PSK Pre shared key The unique password printed on the bottom label of the device Group rekey interval 10 minutes n Client mode connections none ...

Page 167: ...ing the following steps Note For the 2 4 GHz band only channels 1 to 11 are supported channels 12 13 and 14 are not supported For the 5 0 GHz band only non Dynamic Frequency Selection DFS channels are supported WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Cli...

Page 168: ...onfiguration mode config config 3 Set the channel for the radio a Determine the band for the radio config network wifi radio phy0 band 2400mhz config b Set the channel for the Wi Fi radio config network wifi radio phy0 2400mhz channel value config where value is n For 2 4 GHz l 1 through 11 l auto n For 5 GHz l 36 l 40 l 44 l 48 l auto 4 Save the configuration and apply the change config save Conf...

Page 169: ... band WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network WiFi 4 For Frequency band select either 2 4 GHz or 5 GHz 5 For Access point mode select the appropriate mode Only modes appropriate for the selected band are displayed 6 Click Apply to save the ...

Page 170: ...If the Wi Fi radio has a band of 2400mhz config network wifi radio phy0 2400mhz mode value config where value is one of b bg bgn g gn or n n If the Wi Fi radio has a band of 5000mhz config network wifi radio phy0 5000mhz mode value config where value is one of ac acn or n 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on yo...

Page 171: ...ork WiFi 4 For Tx power percentage type or select the appropriate percentage for the Wi Fi radio s transmit power 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the comma...

Page 172: ...nd uses no security or encryption By default the IX20 device comes with one preconfigured access point Digi AP You cannot delete default access points but you can modify them or you can create your own access points Required configuration items n Enable the Wi Fi access point n Select a Wi Fi radio for the access point n The Service Set Identifier SSID for the access point n Configure security for...

Page 173: ...4 Create a new access point or modify an existing access point n To create a new access point for Add WiFi access point type a name for the access point and click n To modify an existing access point click to expand the access point The Wi Fi access point configuration window is displayed 5 Enable the access point New access points are enabled by default The default preconfigured access points are...

Page 174: ...es in noisy environments To disable group rekeys set to 0 This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 11 Assign the Wi Fi access point to a LAN interface or to a bridge See Configure a LAN and Configure a bridge for more information The access point must be assigned to an act...

Page 175: ..._AP where value is any number of days hours minutes or seconds and takes the format number d h m s For example to set group rekey interval to ten minutes enter either 10m or 600s config network wireless ap new_AP encryption group_rekey 600s config network wireless ap new_AP Increasing the time between rekeys can improve connectivity issues in noisy environments To disable group rekeys set to 0 Thi...

Page 176: ...none config network wifi ap digi_ap encryption type none config 7 Optional Determine whether to prevent clients that are connected to this access point from communicating with each other config network wifi ap digi_ap isolate_client true config See Isolate Wi Fi clients for information about how to prevent clients connected to different access points from communicating with each other 8 Optional S...

Page 177: ...modes allow a Wi Fi access point to authenticate clients by using a preshared key that the client enters when connecting to the access point By default the IX20 device comes with one preconfigured access point Digi AP You cannot delete default access points but you can modify them or you can create your own access points Required configuration items n Enable the Wi Fi access point n Select a Wi Fi...

Page 178: ...oint or modify an existing access point n To create a new access point for Add WiFi access point type a name for the access point and click n To modify an existing access point click to expand the access point The Wi Fi access point configuration window is displayed 5 Enable the access point New access points are enabled by default The default preconfigured access points are disabled by default 6 ...

Page 179: ...or example to set Group rekey interval to ten minutes enter 10m or 600s Increasing the time between rekeys can improve connectivity issues in noisy environments To disable group rekeys set to 0 This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 12 Assign the Wi Fi access point to a ...

Page 180: ...changing the group key The group key is shared by all clients of the access point and after a client has disconnected it will be able to use the group key to decrypt broadcast packets until the key is changed config network wifi ap new_AP encryption group_rekey value config network wifi ap new_AP where value is any number of days hours minutes or seconds and takes the format number d h m s For ...

Page 181: ...s config network wifi ap Additional Configuration digi_ap Digi AP config 4 Set the SSID for the appropriate access point config network wifi ap digi_ap ssid my_SSID config 5 SSID broadcasting is enabled by default for the preconfigured access points If SSID broadcasting is disabled config network wifi ap digi_ap ssid_broadcast true config 6 Set the security for the access point to psk or psk2 conf...

Page 182: ...k until the Wi Fi radio is restarted The default is 10 minutes 5 Assign the Wi Fi access point to a LAN interface or to a bridge See Configure a LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CL...

Page 183: ... for more information Additional configuration items n Determine whether to broadcast the access point s SSID n Determine whether to isolate clients connected to this access point so that they cannot communicate with each other n The server port for one or more RADIUS server n The amount of time to wait before changing the group key To configure a Wi Fi access point with WPA2 enterprise security W...

Page 184: ...adcast the SSID 8 Optional Enable Isolate clients to prevent clients that are connected to this access point from communicating with each other See Isolate Wi Fi clients for information about how to prevent clients connected to different access points from communicating with each other 9 For Encryption select WPA2 Enterprise 10 Configure one or more RADIUS servers a Click to expand RADIUS server l...

Page 185: ... traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 12 Assign the Wi Fi access point to a LAN interface or to a bridge See Configure a LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 13 Click Apply to save the configuration and apply the change Command line Con...

Page 186: ...work wifi ap new_AP encryption radius_servers 0 key secret_key config network wifi ap new_AP c Optional Set the RADIUS server s port The default is 1812 config network wifi ap new_AP encryption radius_servers 0 port port config network wifi ap new_AP d Optional Add and configure additional radius servers i Add a server config network wifi ap new_AP add encryption radius_servers end config network...

Page 187: ...e See Configure a LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the de...

Page 188: ...r config network wifi ap digi_ap encryption key_wpa2 secret_key config 10 Optional Set the RADIUS server s port The default is 1812 config network wifi ap digi_ap encryption port_wpa2 port config 11 Optional Set the amount of time to wait before changing the group key The group key is shared by all clients of the access point and after a client has disconnected it will be able to use the group ...

Page 189: ...n menu Type quit to disconnect from the device Isolate Wi Fi clients Client isolation prevents wireless clients connected to the IX20 device from communicating with other clients There are two mechanisms for client isolation configuration n Isolate clients connected to the same access point n Isolate clients connected to different access points This section provides instructions for both mechanism...

Page 190: ...ify an existing access point See Configure a Wi Fi access point with no security Configure a Wi Fi access point with personal security or Configure a Wi Fi access point with enterprise security 4 Optional Set the client isolation config network wifi ap digi_ap isolate_client true config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI ...

Page 191: ...nt named new_AP a Click Network WiFi Access points b For Add WiFi access point type a name for the access point and click c For SSID type the SSID Up to 32 characters are allowed d Select the appropriate type of Encryption and complete the encryption related fields as appropriate See Configure a Wi Fi access point with no security Configure a Wi Fi access point with personal security or Configure ...

Page 192: ...v For Source zone select Internal vi For Destination zone select LAN2_isolation_zone e Rearrange the firewall filters Firewall filters are applied in the order that they are listed As a result in order to drop traffic from the Internal zone to the LAN2_isolation_zone this filter must be listed prior to the Allow all outgoing traffic filter which allows the Internal zone to have access to any zone ...

Page 193: ...th full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Configure a new access point a Create a new access point config add network wifi ap new_AP config network wifi ap new_AP New access points are enabled by default b Set t...

Page 194: ...Return to the root config prompt by typing three periods config firewall zone LAN2_isolation_zone config ii Add the new packet filter config add firewall filter end config firewall filter 1 iii Set the label for the filter config firewall filter 1 label Allow LAN2_isolation_zone to External config firewall filter 1 iv Set the source zone to LAN2_isolation_zone config firewall filter 1 src_zone LAN...

Page 195: ...ig firewall filter 0 v Set the filter to drop traffic between the zones config firewall filter 0 action drop config firewall filter 0 5 Create a new LAN By default the IX20 device comes with one preconfigured LAN which includes the default access point We will use that LAN for the default access point and create a new LAN for the second access point a Return to the root config prompt by typing thr...

Page 196: ... Wi Fi access point status and statistics You can show summary status for all Wi Fi access points and detailed status and statistics for individual Wi Fi access points WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the main menu click Status 3 Under Connections click Wi Fi Access Points Command line Show summary of Wi Fi access points To show the status and statistics for Wi Fi a...

Page 197: ... Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show wifi ap name name show wifi ap name my_AP Enabled true Status up SSID my_AP Security none Channel Channel Width Radio wifi BSSID 01 41 D1 14 36 37 Client Signal RX TX Uptime cc c0 78 34 d5 a2 68 260997 279481 801 Configure a ...

Page 198: ...that have the same SSID as their signal strength varies n Additional access points that client will attempt to use If connection to one access point fails the device will attempt to connect to the next access point in the list To configure a Wi Fi client WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration...

Page 199: ...B that is used to determine the scanning frequency The allowed value is an integer between 113 and 0 The Scan threshold works with the Short interval and Long interval options to determine how often the device should scan for available access points n If the signal strength from the access point to which the client is currently connected is below the Scan threshold it will use the Short interval t...

Page 200: ...e menu icon next to the channel and select Delete h To add a channel click Add Scan frequency and select the appropriate channel 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI...

Page 201: ...ncryption n wpa2 WPA2 enterprise encryption c If the type of encryption is set to n psk or psk2 set the password that the client will use to connect to the access point config network wifi client new_client ssid 0 encryption key_psk2 password config network wifi client new_client n wpa2 i Set the username that the client will use to connect to the access point config network wifi client new_clien...

Page 202: ..._long_interval are set to the same value bgscan_strength is ignored For example the default configuration has both bgscan_short_interval and bgscan_long_interval set to 1 second which means that the device will scan for access points once per second regardless of the value of bgscan_strength c Set the number of seconds to wait between scans for access points when the signal strength from the acces...

Page 203: ...g network wifi client new_client g To add a frequency i Use the with an existing index number to determine the allowed values for frequencies config network wifi client new_client background_scanning scan_freq 1 Scan frequency Enable this frequency in the background scan Format 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 Current value 2437 ii Add the appropriate frequency For example t...

Page 204: ...ne as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show wifi client show wifi client Client Enabled SSID Status Sig MAC my_client true my_SSID up 43 91 fe 86 d1 0e 81 3 To view information about both active and inactive clients include the all parameter show wifi ...

Page 205: ...ide 205 2 At the Admin CLI prompt type show wifi client name name show wifi client name my_client Client my_client Enabled true SSID my_SSID Status up Signal 43 MAC 91 fe 86 d1 0e 81 Channel 48 Radio wifi1 TX Power 23 Link Quality 67 70 BSSID 6D B9 DD BD EE C4 ...

Page 206: ...Routing This chapter contains the following topics IP routing 207 Show the routing table 233 Dynamic DNS 234 Virtual Router Redundancy Protocol VRRP 239 IX20 User Guide 206 ...

Page 207: ...ay or interface 3 If it cannot find a route for the destination it uses a default route 4 If there are two or more routes to a destination the device uses the route with the longest mask 5 If there are two or more routes to a destination with the same mask the device uses the route with the lowest metric This section contains the following topics Configure a static route 208 Delete a static route ...

Page 208: ...e IPv4 address of the gateway used to reach the destination n The metric for the route When multiple routes are available to reach the same destination the route with the lowest metric is used n The Maximum Transmission Units MTU of network packets using this route To configure a static route WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under C...

Page 209: ...et to blank if the destination can be accessed without a gateway 9 Optional For Metric type the metric for the route When multiple routes are available to reach the same destination the route with the lowest metric is used 10 Optional For MTU type the Maximum Transmission Units MTU of network packets using this route 11 Click Apply to save the configuration and apply the change Command line 1 Log ...

Page 210: ...vailable interfaces config network route static 0 interface Interface The network interface to use to reach the destination Format network interface defaultip network interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback Current value config network route static 0 interface b Set the interface For example config network route static 0 interface network...

Page 211: ...Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a static route WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Routes Static routes 4 Click the menu ...

Page 212: ...show network route static 0 dst 10 0 0 1 enable true no gateway interface network interface lan1 label new_static_route metric 0 mtu 0 1 dst 192 168 5 1 enable true gateway 192 168 5 1 interface network interface lan2 label new_static_route_1 metric 0 mtu 0 config 4 Use the index number to delete the static route config del network route static 0 config 5 Save the configuration and apply the chang...

Page 213: ...are processed sequentially as a result if a packet matches an earlier policy it will be routed using that policy s rules It will not be processed by any subsequent rules Configure a routing policy Required configuration items n The packet matching parameters It can be any combination of the following l Source interface l Source address This can be a firewall zone an interface a single IPv4 IPv6 addre...

Page 214: ...rop packets that match the policy when the gateway interface is disconnected rather than forwarded through other interfaces 8 For IP version select Any IPv4 or IPv6 9 For Protocol select Any TCP UDP or ICMP n If TCP or UDP is selected for Protocol type the port numbers of the Source port and Destination port or set to any to match for any port n If ICMP is selected for Protocol type the ICMP type ...

Page 215: ...ss to the selected interface s network address n IPv4 address Matches the destination IP address to the specified IP address or network Use the format IPv4_address netmask or use any to match any IPv4 address n IPv6 address Matches the destination IP address to the specified IP address or network Use the format IPv6_address prefix_length or use any to match any IPv6 address n Domain Matches the de...

Page 216: ... satisfy the matching criteria will be routed through this interface If the interface has a gateway then it will be used as the next hop Format network interface defaultip network interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback Current value config network route policy 0 interface b Set the interface For example config network route policy 0 inte...

Page 217: ...y port as the destination port n udp Source and destination ports are matched a Set the source port config network route policy 0 src_port value config network route policy 0 where value is the port number or the keyword any to match any port as the source port b Set the destination port config network route policy 0 dst_port value config network route policy 0 where value is the port number or th...

Page 218: ...cy 0 src zone external config network route policy 0 See Firewall configuration for more information about firewall zones n interface Matches the source IP address to the selected interface s network address Set the interface a Use the to determine available interfaces config network route policy 0 src interface Interface The network interface Format network interface defaultip network interface d...

Page 219: ...mat IPv6_address prefix_length or any to match any IPv6 address n mac Matches the source MAC address to the specified MAC address Set the MAC address to be matched config network route policy 0 src mac MAC_address config network route policy 0 10 Set the destination address type config network route policy 0 dst type value config network route policy 0 where value is one of n zone Matches the dest...

Page 220: ...or example config network route policy 0 dst interface network interface eth1 config network route policy 0 n address Matches the destination IPv4 address to the specified IP address or network Set the address that will be matched config network route policy 0 dst address value config network route policy 0 where value uses the format IPv4_address netmask or any to match any IPv4 address n address...

Page 221: ...uit to disconnect from the device Example Dual WAN policy based routing This example routes traffic to a specific IP address to go through the cellular WWAN interface while all other traffic uses the Ethernet WAN interface WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is dis...

Page 222: ...ick to expand Destination address b For Type select IPv4 address c For IPv4 address type the IP address that will be the destination for outgoing traffic routed through the WWAN interface In the above example this is 241 236 162 59 9 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your dev...

Page 223: ...y 0 src type zone config network route policy 0 ii Set the zone to internal config network route policy 0 src zone internal config network route policy 0 e Configure the destination address i Set the destination to use an IPv4 address config network route policy 0 dst type address config network route policy 0 ii Set the IP address that will be the destination for outgoing traffic routed through t...

Page 224: ...ll data from a certain client device through a cellular WAN based on the device s MAC address while all other client devices are routed through the Ethernet WAN WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed ...

Page 225: ...d Zone type EthernetWAN and click ii Enable Source NAT 4 Configure the WAN interfaces to use the new zones a Configure the cellular WAN interface i Click Network Interfaces Modem ii For Zone select CellularWAN b Configure the Ethernet WAN interface i Click Network Interfaces ETH1 ii For Zone select EthernetWAN 5 Configure the policy based route for traffic from the client device that will be sent ...

Page 226: ... zone i Click to expand Destination address ii For Type select Zone iii For Zone select CellularWAN 6 Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface a Click Firewall Packet filtering b Click the to add a new packet filtering rule c For Label type Reject LAN traffic to cellular WAN d For Action select Drop e For Source zone select Internal f For Dest...

Page 227: ...e CellularWAN ii Enable Source NAT on the new zone config firewall zone CellularWAN src_nat true config firewall zone CellularWAN b Create second firewall zone named EthernetWAN with Source NAT enabled i Type to move back one node in the configuration config firewall zone CellularWAN config firewall zone ii Create the firewall zone config firewall zone add EthernetWAN config firewall zone Ethernet...

Page 228: ...IP phone config network route policy 0 c Set the interface config network route policy 0 interface network interface modem config network route policy 0 d Configure the source as the MAC address of the VoIP phone i Set the source type to mac config network route policy 0 src type mac config network route policy 0 ii Set the MAC address to the MAC address of the VoIP phone config network route poli...

Page 229: ... config firewall filter 2 d Set the source zone to internal config firewall filter 2 src_zone internal config firewall filter 2 e Set the destination zone to CellularWAN config firewall filter 2 dst_zone CellularWAN config firewall filter 2 7 Save the configuration and apply the change config firewall filter 2 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device conf...

Page 230: ...ocol BGP service supports BGP 4 RFC1771 Babel The IPv4 and IPv6 Babel service IS IS The IPv4 and IPv6 Intermediate System to Intermediate System IS IS service Configure routing services Required configuration items n Enable routing services n Enable and configure the types of routing services that will be used WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu cl...

Page 231: ...y the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable routing services config network route service enable true config 4 Configure routing servic...

Page 232: ...e routing service For example use the to view the available parameters for the RIP service config network route service rip Parameters Current Value ecmp false Allow ECMP enable true Enable Additional Configuration interface Interfaces neighbour Neighbours redis Route redistribution timer Timers config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exi...

Page 233: ...Load Balance to view IPv4 load balancing 5 Click IPv6 Load Balance to view IPv6 load balancing Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show route show route Destination Gateway Source Metric Interface default 1...

Page 234: ... selection menu Type quit to disconnect from the device Dynamic DNS The Domain Name System DNS uses name servers to provide a mapping between computer readable IP addresses and human readable hostnames This allows users to access websites and personal networks with easy to remember URLs Unfortunately IP addresses change frequently invalidating these mappings when they do Dynamic DNS has become the...

Page 235: ...should be used to update the IP address with the Dynamic DNS provider n The amount of time to wait to check if the interface s IP address needs to be updated n The amount of time to wait to force an update of the interface s IP address n The amount of time to wait for an IP address update to succeed before retrying the update n The number of times to retry a failed IP address update WebUI 1 Log in...

Page 236: ...d values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Check interval to ten minutes enter 10m or 600s 11 Optional For Forced update interval type the amount of time to wait to force an update of the interface s IP address Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For exa...

Page 237: ...bled by default To disable config network ddns new_ddns_instance enable false config network ddns new_ddns_instance 4 Set the interface for the Dynamic DNS instance a Use the to determine available interfaces config network ddns new_ddns_instance interface Interface The network interface from which to obtain the IP address to register with the dynamic DNS service Format defaultip defaultlinklocal ...

Page 238: ... to the interface s IP address config network ddns new_ddns_instance domain domain_name config network ddns new_ddns_instance 8 Set the username to authenticate with the Dynamic DNS provider config network ddns new_ddns_instance username name config network ddns new_ddns_instance 9 Set the password to authenticate with the Dynamic DNS provider config network ddns new_ddns_instance password pwd con...

Page 239: ...e is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set retry_interval to ten minutes enter either 10m or 600s config network ddns new_ddns_instance retry_interval 600s config network ddns new_ddns_instance The default is 60s 13 Optional Set the number of times to retry a failed IP address update config network ddns new_ddns_instance retry_co...

Page 240: ...anged by adjusting the VRRP priority of the IX20 device connected to the failing link This provides failover capabilities based on the status of connections behind the router in addition to the basic VRRP device failover For IX20 devices SureLink is used to probe network connections VRRP can be configured to probe a specified IP address by either sending an ICMP echo request ping or attempting to ...

Page 241: ...is configured to 50 by default 8 For Priority type the priority for this router in the group The router with the highest priority will be used as the master router If the master router fails then the IP address of the virtual router is mapped to the backup device with the next highest priority If this device s actual IP address is being used as the virtual IP address of the VRRP pool then the prio...

Page 242: ...nding on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a VRRP instance For example config add network vrrp VRRP_test config network vrrp VRRP_test 4 Enable the VRRP instance config network vrrp VRRP_test enable true config network vrrp VRRP_test 5 Set ...

Page 243: ...used as the virtual IP address of the VRRP pool then the priority of this device should be set to 255 Allowed values are from 1 to 255 and it is configured to 100 by default config network vrrp VRRP_test priority int config network vrrp VRRP_test 8 Optional Set a password that will be used to authenticate this VRRP router with VRRP peers If the password length exceeds 8 characters it will be trun...

Page 244: ...s are being monitored on the same device the VRRP priority will be adjusted only if all WAN interfaces fail SureLink tests l The amount that the VRRP priority will be modified when SureLink determines that the VRRP interface is not functioning correctly l Configure the VRRP interface s DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses n Backup devices onl...

Page 245: ...RRP master This parameter allows a backup VRRP device to monitor the master device and increase its priority when the master device is failing SureLink tests This can allow a device functioning as a backup device to promote itself to master 9 For Priority modifier type or select the amount that the device s priority should be decreased due to SureLink connectivity failure and increased when SureLi...

Page 246: ... c For backup devices for Default Gateway type the IP address of the VRRP interface on the master device d Configure the VRRP interface s DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses i Click to expand DHCP Server Advanced settings ii For Gateway select Custom iii For Custom gateway enter the IP address of one of the virtual IPs used by this VRRP inst...

Page 247: ...e test target For example to configure SureLink to verify internet connectivity on the LAN by pinging my.devicecloud.com i For Test Type select Ping test ii For Ping host type my.devicecloud.com 11 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be present...

Page 248: ...ween 1 and 254 The default is 10 Along with the priority settings for devices in this VRRP pool the amount entered here should be large enough to automatically demote a master device when SureLink connectivity fails For example if the VRRP master device has a priority of 100 and the backup device has a priority of 80 then weight should be set to an amount greater than 20 so that if SureLink fails ...

Page 249: ... gateway 192.168.3.1 config c For backup devices enable and configure SureLink on the VRRP interface i Determine the VRRP interface Generally this should be a LAN interface VRRP will then monitor the LAN using SureLink to determine if the interface has network connectivity and promote a backup to master if SureLink fails config show network vrrp VRRP_test interface network interface eth2 config ii...

Page 250: ...eth2 ipv4 surelink target 0 n dns Tests connectivity by sending a DNS query to the specified DNS server l Specify the DNS server Allowed value is the IP address of the DNS server config network interface eth2 ipv4 surelink target 0 dns_server ip_address config network interface eth2 ipv4 surelink target 0 n dns_configured Tests connectivity by sending a DNS query to the DNS servers configured for t...

Page 251: ...is considered to have failed config network interface eth2 ipv4 surelink target 0 interface_timeout value config network interface eth2 ipv4 surelink target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_timeout to ten minutes enter either 10m or 600s config network interface eth2 ipv4 surelink target 0 interfac...

Page 252: ...figure device one master device WebUI Task 1 Configure VRRP on device one 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network VRRP ...

Page 253: ...ce ETH2 7 For Router ID leave at the default setting of 50 8 For Priority leave at the default setting of 100 9 Click to expand Virtual IP addresses 10 Click to add a virtual IP address 11 For Virtual IP type 192.168.3.3 Task 2 Configure VRRP on device one 1 Click to expand VRRP 2 Click Enable 3 Click to expand Monitor interfaces 4 Click to add an interface for monitoring 5 Select Interface Modem ...

Page 254: ...art leave at the default of 100 3 For Lease range end type 199 4 Click to expand Advanced settings 5 For Gateway select Custom 6 For Custom gateway enter 192.168.3.3 7 Click Apply to save the configuration and apply the change Command line Task 1 Configure VRRP on device one 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be p...

Page 255: ...ure VRRP on device one 1 Enable VRRP config network vrrp VRRP_test vrrp_plus enable true config network vrrp VRRP_test 2 Add the interface to monitor config network vrrp VRRP_test add vrrp_plus monitor_interface end network interface modem config network vrrp VRRP_test 3 Set the amount that the device s priority should be decreased or increased due to SureLink connectivity failure or success to 30...

Page 256: ...ace eth2 ipv4 dhcp_server advanced gateway custom config 3 Set the custom gateway to 192.168.3.3 config network interface eth2 ipv4 dhcp_server advanced gateway_custom 192.168.3.3 config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit t...

Page 257: ...ce configuration is displayed 5 Click Enable 6 For Interface select Interface ETH2 7 For Router ID leave at the default setting of 50 8 For Priority type 80 9 Click to expand Virtual IP addresses 10 Click to add a virtual IP address 11 For Virtual IP type 192.168.3.3 Task 2 Configure VRRP on device two 1 Click to expand VRRP 2 Click Enable 3 Click to expand Monitor interfaces ...

Page 258: ... 168.3.2/24 3 For Default gateway type the IP address of the VRRP interface on the master device configured above in Task 3 step 2 192.168.3.1 Task 4 Configure SureLink for ETH2 on device two 1 Click Network Interfaces ETH2 IPv4 SureLink 2 Click Enable 3 For Interval type 15s 4 Click to expand Test targets Test target 5 For Test Type select Ping test 6 For Ping host type my.devicecloud.com Task 5 ...

Page 259: ...presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create the VRRP instance config add network vrrp VRRP_test config network vrrp VRRP_test 4 Enable the VRRP instance config network vrrp VRRP_test enable true config network vrrp VRRP_test 5 Set the VRRP interface to ETH2 config network vrrp VRRP_t...

Page 260: ...reased due to SureLink connectivity failure or success to 30 config network vrrp VRRP_test network vrrp VRRP_test vrrp_plus weight 30 config network vrrp VRRP_test Task 3 Configure the IP address for the VRRP interface ETH2 on device two 1 Type to return to the root of the config prompt config network vrrp VRRP_test config 2 Set the IP address for ETH2 config network interface eth2 ipv4 address 19...

Page 261: ...rompt config network interface eth2 ipv4 surelink target 0 config 2 Set the start and end addresses of the DHCP pool to use to assign DHCP addresses to clients a Set the start address to 200 config network interface eth2 ipv4 dhcp_server lease_start 200 config b Set the end address to 250 config network interface eth2 ipv4 dhcp_server lease_end 250 config 3 Set the DHCP server gateway type to cust...

Page 262: ...access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Status VRRP The Virtual Router Redundancy Protocol window is displayed Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin ...

Page 263: ... VRRP instance at the Admin CLI prompt type show vrrp name name show vrrp name VRRP_test VRRP_test VRRP Status Enabled True Status Up Interface lan IPv4 Virtual IP address(es) 10.10.10.1, 100.100.100.1 Current State Master Current Priority 100 Last Transition Tue Jan 1 00:00:39 2019 Became Master 1 Released Master 0 Adverts Sent 71 Adverts Received 4 Priority Zero Sent 0 Priority zero Received 0 ...

Page 264: ...sed to securely connect two private networks together so that devices can connect from one network to the other using secure channels This chapter contains the following topics IPsec 265 OpenVPN 298 Generic Routing Encapsulation GRE 329 NEMO 349 ...

Page 265: ...imitations when using an authentication header because the IP addresses in the IP header cannot be translated for example with Network Address Translation NAT as it would invalidate the authentication hash value Internet Key Exchange IKE settings IKE is a key management protocol that allows IPsec to negotiate the security associations SAs that are used to create the secure IPsec tunnel Both IKEv1 ...

Page 266: ...ce uses a private RSA key to authenticate with a remote peer that is using a corresponding public key Certificate based Authentication X 509 certificate based authentication makes use of private keys on both the server and client which are secured and never shared Both the server and client have a certificate which is generated with their respective private key and signed by a Certificate Authorit...

Page 267: ...ng used n If using IPsec failover identify the primary tunnel during configuration of the backup tunnel n The Network Address Translation NAT keep alive time n The protocol either Encapsulating Security Payload ESP or Authentication Header AH n The management priority for the IPsec tunnel interface The active interface with the highest management priority will have its address reported as the pref...

Page 268: ...sec 4 Optional Change the NAT keep alive time Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set NAT keep alive time to ten minutes enter 10m or 600s The default is 40 seconds 5 Click to expand Tunnels 6 For Add IPsec tunnel type a name for the tunnel and click The new IPsec tunnel configuration is displayed ...

Page 269: ...ll not fail over to a backup tunnel leave this option blank 9 Optional Enable Force UDP encapsulation to force the tunnel to use UDP encapsulation even when it does not detect that NAT is being used 10 For Zone select the firewall zone for the IPsec tunnel Generally this should be left at the default of IPsec 11 Select the Mode either n Tunnel The entire IP packet is encrypted and or authenticated...

Page 270: ...e the Private key passphrase that is used to decrypt the private key Leave blank if the private key is not encrypted iii For Certificate paste the local X 509 certificate in PEM format iv For Peer verification select either l Peer certificate For Peer certificate paste the peer s X 509 certificate in PEM format l Certificate Authority For Certificate Authority chain paste the Certificate Authority...

Page 271: ...il The ID will be interpreted as an RFC822 email address For RFC822 ID value type the ID in internet email address format n FQDN The ID will be interpreted as FQDN Fully Qualified Domain Name and sent as an ID_FQDN IKE identity For FQDN ID value type the ID as an FQDN n KeyID The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity For KEYID ID value type the key ID 18 Click to...

Page 272: ..._ID IKE identity For KEYID ID value type the key ID 19 Click to expand Policies Policies define the network traffic that will be encapsulated by this tunnel a Click to create a new policy The new policy configuration is displayed b Click to expand Local network c For Type select one of the following n Address The address of a local network interface For Address select the appropriate interface n N...

Page 273: ...set Phase 1 lifetime to ten minutes enter 10m or 600s f For Phase 2 lifetime enter the amount of time that the IKE security association expires after a successful negotiation and must be rekeyed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Phase 2 lifetime to ten minutes enter 10m or 600s g For Lifetime margin enter a ...

Page 274: ... tunnel is idle c For Timeout type the number of seconds to wait for a response from a dead peer packet before assuming the tunnel has failed 22 Optional Click to expand NAT to create a list of destination networks that require source NAT a Click next to Add NAT destination b For Destination network type the IPv4 address and optional netmask of a destination network that requires source NAT You ca...

Page 275: ...referred tunnel has failed It will continue to operate until the preferred tunnel returns to full operation status Format primary_ipsec_tunnel Optional yes Current value config vpn ipsec tunnel ipsec_example ipsec_failover b Set the primary IPsec tunnel config vpn ipsec tunnel ipsec_example ipsec_failover primary_ipsec_tunnel config vpn ipsec tunnel ipsec_example 5 Optional Set the tunnel to use ...

Page 276: ...authenticated The IP header is unencrypted The default is tunnel 8 Set the protocol config vpn ipsec tunnel ipsec_example type protocol config vpn ipsec tunnel ipsec_example where protocol is either n esp Encapsulating Security Payload Provides encryption as well as authentication and integrity n ah Authentication Header Provides authentication and integrity only The default is esp 9 Optional Set ...

Page 277: ... the peer s public RSA key in PEM format config vpn ipsec tunnel ipsec_example auth peer_public_key key config vpn ipsec tunnel ipsec_example n x509 Uses private key and X 509 certificates to authenticate with the remote peer a For the private_key parameter paste the device s private RSA key in PEM format config vpn ipsec tunnel ipsec_example auth private_key key config vpn ipsec tunnel ipsec_exam...

Page 278: ...auth_client enable true config vpn ipsec tunnel ipsec_example b Set the XAUTH client username config vpn ipsec tunnel ipsec_example xauth_client username name config vpn ipsec tunnel ipsec_example c Set the XAUTH client password config vpn ipsec tunnel ipsec_example xauth_client password pwd config vpn ipsec tunnel ipsec_example 12 Optional Enable MODECFG client functionality MODECFG client functi...

Page 279: ...ipv4_id id config vpn ipsec tunnel ipsec_example n ipv6 The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR IKE identity Set an IPv6 formatted ID This can be a fully qualified domain name or an IPv6 address config vpn ipsec tunnel ipsec_example local id ipv6_id id config vpn ipsec tunnel ipsec_example n rfc822 The ID will be interpreted as an RFC822 email address Set the ID i...

Page 280: ...unnel ipsec_example remote id raw_id id config vpn ipsec tunnel ipsec_example n any Any ID will be accepted n ipv4 The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR IKE identity Set an IPv4 formatted ID This can be a fully qualified domain name or an IPv4 address config vpn ipsec tunnel ipsec_example remote id ipv4_id id config vpn ipsec tunnel ipsec_example n ipv6 The ID w...

Page 281: ...To disable config vpn ipsec tunnel ipsec_example ike initiate false config vpn ipsec tunnel ipsec_example c Set the IKE phase 1 mode config vpn ipsec tunnel ipsec_example ike mode value config vpn ipsec tunnel ipsec_example where value is either aggressive or main d Padding of IKE packets is enabled by default and should normally not be disabled except for compatibility purposes To disable config ...

Page 282: ... takes the format number w d h m s For example to set lifetime_margin to ten minutes enter either 10m or 600s config vpn ipsec tunnel ipsec_example ike lifetime_margin 600s config vpn ipsec tunnel ipsec_example The default is nine minutes h Configure the types of encryption hash and Diffie Hellman group to use during phase 1 i Add a phase 1 proposal config vpn ipsec tunnel ipsec_example add ike ph...

Page 283: ...fie Hellman group for the additional proposal iii Repeat to add more phase 1 proposals i Configure the types of encryption hash and Diffie Hellman group to use during phase 2 i Move back two levels in the schema config vpn ipsec tunnel ipsec_example ike phase1_proposal 0 config vpn ipsec tunnel ipsec_example ike ii Add a phase 2 proposal config vpn ipsec tunnel ipsec_example ike add ike phase2_pro...

Page 284: ... for the additional proposal iii Repeat to add more phase 2 proposals 16 Optional Configure dead peer detection Dead peer detection is enabled by default Dead peer detection uses periodic IKE transmissions to the remote endpoint to detect whether tunnel communications have failed allowing the tunnel to be automatically restarted when failure occurs a Change to the root of the configuration schema ...

Page 285: ...e root of the configuration schema config vpn ipsec tunnel ipsec_example nat 0 config b Add a policy config add vpn ipsec tunnel ipsec_example policy end config vpn ipsec tunnel ipsec_example policy 0 c Set the type of local network policy config vpn ipsec tunnel ipsec_example policy 0 local type value config vpn ipsec tunnel ipsec_example policy 0 where value is one of n address The address of a ...

Page 286: ... interface For example config vpn ipsec tunnel ipsec_example policy 0 local network eth1 config vpn ipsec tunnel ipsec_example policy 0 n custom A user defined network Set the custom network config vpn ipsec tunnel ipsec_example policy 0 local custom value config vpn ipsec tunnel ipsec_example policy 0 where value is the IPv4 address and optional netmask The keyword any can also be used n request ...

Page 287: ... and takes the format number w d h m s For example to set keep_alive to ten minutes enter either 10m or 600s config vpn ipsec advanced keep_alive 600s config The default is 40 seconds 20 Save the configuration and apply the change config save Configuration saved 21 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to...

Page 288: ...tunnel WebUI 1 Configure the primary IPsec tunnel See Configure an IPsec tunnel for instructions 2 Create a backup IPsec tunnel See Configure an IPsec tunnel for instructions 3 During configuration of the backup IPsec tunnel identify the primary IPsec tunnel in the Preferred tunnel parameter 4 Click Apply to save the configuration and apply the change Command line 1 Configure the primary IPsec tun...

Page 289: ...onnections to determine if the connection has failed and take remedial action You can also configure the IPsec tunnel to fail over to a backup tunnel See Configure IPsec failover for further information Required configuration items n A valid IPsec configuration See Configure an IPsec tunnel for configuration instructions n Enable IPsec active recovery n The behavior of the IX20 device upon IPsec f...

Page 290: ... or select an existing one n To create a new IPsec tunnel see Configure an IPsec tunnel n To edit an existing IPsec tunnel click to expand the appropriate tunnel 5 After creating or selecting the IPsec tunnel click Active recovery 6 Enable active recovery 7 For Restart interface enable to configure the device to restart the interface when its connection is considered to have failed This is useful ...

Page 291: ...of time that the device should wait for a response to a probe attempt before considering it to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Response timeout to ten minutes enter 10m or 600s The default is 15 seconds 13 Add a test target a Click to expand Test targets b For Add Test target click c Select the...

Page 292: ...onsidered to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Initial connection time to ten minutes enter 10m or 600s The default is 60 seconds 14 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your d...

Page 293: ...sec_example where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interval to ten minutes enter either 10m or 600s config vpn ipsec tunnel ipsec_example connection_monitor interval 600s config vpn ipsec tunnel ipsec_example The default is 15 minutes 8 Determine whether the interface should fail over based on the failure of one of ...

Page 294: ...y sending an ICMP echo request to a specified hostname or IP address l Specify the hostname or IP address by using ping_host or ping_host6 config vpn ipsec tunnel ipsec_example connection_monitor target 0 ping_host host config vpn ipsec tunnel ipsec_example connection_monitor target 0 l Optional Set the size in bytes of the ping packet by using ping_size or ping_size6 config vpn ipsec tunnel ipse...

Page 295: ...example connection_monitor target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either 10m or 600s config ipsec tunnel ipsec_example connection_monitor target 0 interface_down_time 600s config ipsec tunnel ipsec_example connection_monitor target 0 The default is 60 seconds l Optio...

Page 296: ...age appears 3 To view configuration details about an IPsec tunnel click the configuration icon in the upper right of the tunnel s status pane Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 To display details about all configured IPsec tunnels typ...

Page 297: ... 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 298: ...ubnet from the OpenVPN server and other OpenVPN clients OpenVPN clients use Network Address Translation NAT to route traffic from devices connected on its LAN interfaces to the OpenVPN server The manner in which the IP subnets are defined depends on the OpenVPN topology in use The IX20 device supports two types of OpenVPN topology OpenVPN Topology Subnet definition method net30 Each OpenVPN client...

Page 299: ...rd interface configuration for example a standard DHCP server configuration l TAP Device only An alternate form of OpenVPN bridging mode in which the device rather than OpenVPN controls the interface configuration If this method is used the OpenVPN server must be included as a device in either an interface or a bridge n The firewall zone to be used by the OpenVPN server n The IP network and subnet m...

Page 300: ...es that the OpenVPN server will provide to clients n The TCP UDP port to use By default the IX20 device uses port 1194 n Access control list configuration to restrict access to the OpenVPN server through the firewall n Additional OpenVPN parameters WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The C...

Page 301: ...server will use when providing IP addresses to clients The default is from 80 to 99 7 Optional Set the VPN port that the OpenVPN server will use The default is 1194 8 For Server managed certificates determine the method of certificate management If enabled the server will manage certificates If not enabled certificates must be created externally and added to the server 9 If Server managed certific...

Page 302: ...v6 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001:db8::/48 l any No limit to IPv6 addresses that can access the service type d Click again to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device a Click...

Page 303: ...d Also known as routing mode Each OpenVPN client is assigned a different IP subnet from the OpenVPN server and other OpenVPN clients OpenVPN clients use Network Address Translation NAT to route traffic from devices connected on its LAN interfaces to the OpenVPN server n TAP OpenVPN managed Also known as bridging mode A more advanced implementation of OpenVPN The IX20 device creates an OpenVPN inter...

Page 304: ...e routes match a destination the route with the lowest metric will be used config vpn openvpn server name metric value config vpn openvpn server name where value is an integer between 0 and 65535 The default is 0 d Optional Set the range of IP addresses that the OpenVPN server will use when providing IP addresses to clients i Set the first address in the range limit config vpn openvpn server name...

Page 305: ...uthentication type config vpn openvpn server name authentication value config vpn openvpn server name where value is one of n cert Uses only certificates for client authentication Each client requires a public and private key n passwd Uses a username and password for client authentication You must create an OpenVPN authentication group and user See Configure an OpenVPN Authentication Group and Use...

Page 306: ...r example 192.168.1.0/24 l any No limit to IPv4 addresses that can access the service type Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config vpn openvpn server name add acl address6 end value config vpn openvpn server name Where value can be l A single IP address or host name l A network designation in CIDR notation for e...

Page 307: ...config vpn openvpn server name firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config vpn openvpn server name Repeat this step to list additional firewall zones 9 Optional Set additional OpenVPN parameters a Enable the use of ...

Page 308: ... from the device Configure an OpenVPN Authentication Group and User If username and password authentication is used for the OpenVPN server you must create an OpenVPN authentication group and user See Configure an OpenVPN server for information about configuring an OpenVPN server to use username and password authentication See IX20 user authentication for more information about creating authenticat...

Page 309: ...group for example OpenVPN_Group and click The new authentication group configuration is displayed c Click OpenVPN access to enable OpenVPN access rights for users of this group d Click to expand the OpenVPN node e Click to add a tunnel f For Tunnel select an OpenVPN tunnel to which users of this group will have access g Repeat to add additional OpenVPN tunnels ...

Page 310: ...word for the user This password is used for local authentication of the user You can also configure the user to use RADIUS or TACACS authentication by configuring authentication methods See User authentication methods for information d Click to expand the Groups node e Click to add a group to the user f Select a Group with OpenVPN access enabled 5 Click Apply to save the configuration and apply th...

Page 311: ...for users of this group config auth group OpenVPN_Group acl openvpn enable true 5 Add an OpenVPN tunnel to which users of this group will have access a Determine available tunnels config auth group OpenVPN_Group vpn openvpn server Servers A list of openvpn servers Additional Configuration OpenVPN_server1 OpenVPN server config auth group OpenVPN_Group b Add a tunnel config auth group OpenVPN_Group ...

Page 312: ...for the OpenVPN client n The login credentials for the OpenVPN client if configured on the OpenVPN server See Configure active recovery for OpenVPN for information about OpenVPN active recovery WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN OpenVPN Cl...

Page 313: ... be used 9 Optional For Username and Password type the login credentials as configured on the OpenVPN server 10 For OVPN file paste the content of the client ovpn file 11 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection...

Page 314: ...e used config vpn openvpn client name metric value config vpn openvpn client name where value is an integer between 0 and 65535 The default is 0 6 Optional Set the login credentials as configured on the OpenVPN server config vpn openvpn client name username value config vpn openvpn client name password value config vpn openvpn client name 7 Paste the content of the client ovpn file into the value...

Page 315: ...A certificate usually in a ca crt file l The Public key for example client crt l The Private key for example client key Additional configuration items n The route metric for the OpenVPN client n The login credentials for the OpenVPN client if configured on the OpenVPN server n Additional OpenVPN parameters See Configure active recovery for OpenVPN for information about OpenVPN active recovery WebU...

Page 316: ... client 9 Optional Select the Metric for the OpenVPN client If multiple active routes match a destination the route with the lowest metric will be used 10 Optional For Username and Password type the login credentials as configured on the OpenVPN server 11 For VPN server IP type the IP address of the OpenVPN server 12 Optional Set the VPN port used by the OpenVPN server The default is 1194 13 Paste...

Page 317: ...t the command line type config to enter configuration mode config config 3 At the config prompt type config add vpn openvpn client name config vpn openvpn client name where name is the name of the OpenVPN server The OpenVPN client is enabled by default To disable the client type config vpn openvpn client name enable false config vpn openvpn client name 4 The default behavior is to use an OVPN file...

Page 318: ...gured on the OpenVPN server config vpn openvpn client name username value config vpn openvpn client name password value config vpn openvpn client name 9 Set the IP address of the OpenVPN server config vpn openvpn client name server ip_address config vpn openvpn client name 10 Optional Set the port used by the OpenVPN server config vpn openvpn client name port port config vpn openvpn client name Th...

Page 319: ...figuration saved 16 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure active recovery for OpenVPN You can configure the IX20 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action Required configuration items n A ...

Page 320: ...in access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN OpenVPN Clients 4 Create a new OpenVPN client or select an existing one n To create a new OpenVPN client see Configure an OpenVPN client by using an ovpn file or Configure an OpenVPN client without using an ovpn file n To edit an existing OpenVPN client click...

Page 321: ...il over based on the failure of one of the test targets or all of the test targets 11 For Attempts type the number of probe attempts before the WAN is considered to have failed 12 For Response timeout type the amount of time that the device should wait for a response to a probe attempt before considering it to have failed Allowed values are any number of weeks days hours minutes or seconds and tak...

Page 322: ...to the interface before this test is considered to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Initial connection time to ten minutes enter 10m or 600s The default is 60 seconds 14 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full A...

Page 323: ...ection_monitor interval value config vpn openvpn client openvpn_client1 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interval to ten minutes enter either 10m or 600s config vpn openvpn client openvpn_client1 connection_monitor interval 600s config vpn openvpn client openvpn_client1 The default is 15 minutes 8 Determine wh...

Page 324: ...itor target 0 test value config vpn openvpn client openvpn_client1 connection_monitor target 0 where value is one of n ping IPv4 or ping6 IPv6 Tests connectivity by sending an ICMP echo request to a specified hostname or IP address l Specify the hostname or IP address by using ping_host or ping_host6 config vpn openvpn client openvpn_client1 connection_monitor target 0 ping_host host config vpn op...

Page 325: ...rface can be down before this test is considered to have failed config vpn openvpn client openvpn_client1 connection_monitor target 0 interface_down_time value config vpn openvpn client openvpn_client1 connection_monitor target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either ...

Page 326: ...eb interface or the command line WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu select Status OpenVPN Servers The OpenVPN Servers page appears 3 To view configuration details about an OpenVPN server click the configuration icon in the upper right of the OpenVPN server s status pane Command line 1 Log into the IX20 command line as a user with Admin access Depending on you...

Page 327: ... Admin access 2 On the menu select Status OpenVPN Clients The OpenVPN Clients page appears 3 To view configuration details about an OpenVPN client click the configuration icon in the upper right of the OpenVPN client s status pane Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type ...

Page 328: ... 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 329: ...RE tunnel Configuring a GRE tunnel involves the following items Required configuration items n A GRE loopback endpoint interface n GRE tunnel configuration l Enable the GRE tunnel The GRE tunnels are enabled by default l The local endpoint interface l The IP address of the remote device peer Additional configuration items n A GRE key n Enable the device to respond to keepalive packets Task One Cre...

Page 330: ...ending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the GRE endpoint interface For example to add an interface named gre_endpoint config add network interface gre_interface config network interface gre_interface 4 Set the interface zone to internal...

Page 331: ...ration window is displayed 3 Click VPN IP Tunnels 4 For Add IP tunnel type a name for the GRE tunnel and click 5 Enable the tunnel New tunnels are enabled by default To disable or to enable if it has been disabled click Enable 6 For Local endpoint select the GRE endpoint interface created in Task One 7 For Remote endpoint type the IP address of the GRE endpoint on the remote peer 8 Optional For Ke...

Page 332: ...tunnel gre_example 4 Set the local endpoint to the GRE endpoint interface created in Task One for example config vpn iptunnel gre_example local network interface gre_endpoint config vpn iptunnel gre_example 5 Set the IP address of the GRE endpoint on the remote peer config vpn iptunnel gre_example remote ip_address config vpn iptunnel gre_example 6 Optional Set a key that will be inserted in GRE p...

Page 333: ... config vpn iptunnel gre_example save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 334: ...iew information about currently configured GRE tunnels WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click Status IP tunnels The IP Tunnels page appears 3 To view configuration details about a GRE tunnel click the configuration icon in the upper right of the tunnel s status pane ...

Page 335: ... 0 2 32 2 Create an IPsec endpoint interface named ipsec_endpoint1 a Zone set to Internal b Device set to Ethernet Loopback c IPv4 Address set to the IP address of the local GRE tunnel 172 30 0 1 32 3 Create a GRE tunnel named gre_tunnel1 a Local endpoint set to the IPsec endpoint interface Interface ipsec_endpoint1 b Remote endpoint set to the IP address of the GRE tunnel on IX20 2 172 30 0 2 4 C...

Page 336: ...dress of the GRE tunnel on IX20 1 172 30 0 1 4 Create an interface named gre_interface2 and add it to the GRE tunnel a Zone set to Internal b Device set to IP tunnel gre_tunnel2 c IPv4 Address set to a virtual IP address on the GRE tunnel 172 31 1 1 30 Configuration procedures Configure the IX20 1 device Task one Create an IPsec tunnel WebUI 1 Log into the IX20 WebUI as a user with full Admin acce...

Page 337: ...stom network 13 For Address type the IP address and subnet of the local GRE tunnel 172 30 0 1 32 14 For Remote network type the IP address and subnet of the remote GRE tunnel 172 30 0 2 32 15 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented wit...

Page 338: ..._gre1 policy 0 7 Set the local network policy type to custom config vpn ipsec tunnel ipsec_gre1 policy 0 local type custom config vpn ipsec tunnel ipsec_gre1 policy 0 8 Set the local network address to the IP address and subnet of the local GRE tunnel 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre1 policy 0 local custom 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre1 policy 0 9 Set the remote ne...

Page 339: ...ernet loopback 5 Click to expand IPv4 6 For Address type the IP address of the local GRE tunnel 172 30 0 1 32 7 Click Apply to save the configuration and apply the change Command line 1 At the command line type config to enter configuration mode config config 2 Add an interface named ipsec_endpoint1 config add network interface ipsec_endpoint1 config network interface ipsec_endpoint1 ...

Page 340: ...GRE tunnel 172 30 0 1 32 config network interface ipsec_endpoint1 ipv4 address 172 30 0 1 32 config network interface ipsec_endpoint1 6 Save the configuration and apply the change config vpn ipsec tunnel ipsec_endpoint1 policy 0 save Configuration saved Task three Create a GRE tunnel WebUI 1 Click VPN IP Tunnels 2 For Add IP Tunnel type gre_tunnel1 and click 3 For Local endpoint select the IPsec e...

Page 341: ... local network interface ipsec_endpoint1 config vpn iptunnel gre_tunnel1 4 Set the remote endpoint to the IP address of the GRE tunnel on IX20 2 172 30 0 2 config vpn iptunnel gre_tunnel1 remote 172 30 0 2 config vpn iptunnel gre_tunnel1 5 Save the configuration and apply the change config vpn iptunnel gre_tunnel1 save Configuration saved Task four Create an interface for the GRE tunnel device Web...

Page 342: ...ace gre_interface1 3 Set the zone to internal config network interface gre_interface1 zone internal config network interface gre_interface1 4 Set the device to the GRE tunnel created in Task three vpn iptunnel gre_tunnel1 config network interface gre_interface1 device vpn iptunnel gre_tunnel1 config network interface gre_interface1 5 Set 172 31 0 1 30 as the virtual IP address on the GRE tunnel co...

Page 343: ...l WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN IPsec Tunnels 4 For Add IPsec Tunnel type ipsec_gre2 and click 5 Click to expand Authentication 6 For Pre shared key type the same pre shared key that was configured for the IX20 1 testkey 7 Click to ex...

Page 344: ...h full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add an IPsec tunnel named ipsec_gre2 config add vpn ipsec tunnel ipsec_gre2 config vpn ipsec tunnel ipsec_gre2 4 Set the pre shared key to the same pre shared key that wa...

Page 345: ... ipsec tunnel ipsec_gre2 policy 0 local custom 172 30 0 2 32 config vpn ipsec tunnel ipsec_gre2 policy 0 9 Set the remote network address to the IP address and subnet of the remote GRE tunnel 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre2 policy 0 remote network 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre2 policy 0 10 Save the configuration and apply the change config vpn ipsec tunnel ipsec_...

Page 346: ...c_endpoint2 3 Set the zone to internal config network interface ipsec_endpoint2 zone internal config network interface ipsec_endpoint2 4 Set the device to network device loopback config network interface ipsec_endpoint2 device network device loopback config network interface ipsec_endpoint2 5 Set the IPv4 address to the IP address of the local GRE tunnel 172 30 0 2 32 config network interface ipse...

Page 347: ...pply the change Command line 1 At the command line type config to enter configuration mode config config 2 Add a GRE tunnel named gre_tunnel2 config add vpn iptunnel gre_tunnel2 config vpn iptunnel gre_tunnel2 3 Set the local endpoint to the IPsec endpoint interface created in Task two network interface ipsec_endpoint2 config vpn iptunnel gre_tunnel2 local network interface ipsec_endpoint2 config ...

Page 348: ...r Create an interface for the GRE tunnel device WebUI 1 Click Network Interfaces 2 For Add Interface type gre_interface2 and click 3 For Zone select Internal 4 For Device select the GRE tunnel created in Task three IP tunnel gre_tunnel2 5 Click to expand IPv4 6 For Address type 172 31 1 1 30 for a virtual IP address on the GRE tunnel 7 Click Apply to save the configuration and apply the change ...

Page 349: ...e2 ipv4 address 172 31 1 1 30 config network interface gre_interface2 6 Save the configuration and apply the change config network interface gre_interface2 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device NEMO Network Mobility NEMO is a mobile networking techn...

Page 350: ...ion lifetime This is provided by your cellular carrier n The local network interfaces that will be advertised on NEMO Additional configuration items n The home agent Software Parameter Index SPI n Path MTU discovery Path MTU discovery is enabled by default If it is disabled identify the MTU n Care of address the local network interface that is used to communicate with the peer l If set to Interfac...

Page 351: ...he default setting of 256 unless your service provider indicates a different value 9 For Home agent registration lifetime in seconds type the number of seconds until the authorization key expires This is provided by your cellular carrier 10 For MTU discovery leave enabled to determine the maximum transmission unit MTU size If disabled for MTU type the MTU size The default MTU siz...

Page 352: ...Local Area Network LAN c Optional Repeat for additional interfaces 14 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mod...

Page 353: ...vpn nemo nemo_example If disabled set the MTU size The default MTU size for LANs on the IX20 device is 1500 The MTU size of the NEMO tunnel will be smaller to take into account the required headers config vpn nemo nemo_example mtu integer config vpn nemo nemo_example Allowed values are any integer between 68 and 1476 9 Set the Security Parameter Index SPI value which is used in the authentication ...

Page 354: ...k interface as the default route n interface If interface is used set the interface i Use the ? to determine available interfaces config vpn nemo nemo_example coaddress interface Interface Use the IP address of this network interface as this node s Care of Address Format defaultip defaultlinklocal eth1 eth2 loopback Current value config vpn nemo nemo_example coaddress interface ii Set the interface ...

Page 355: ...faultlinklocal eth1 eth2 loopback Current value config vpn nemo nemo_example tun_local interface ii Set the interface For example config vpn nemo nemo_example tun_local interface eth1 config vpn nemo nemo_example The default is defaultroute 13 Configure one or more local networks to use as a virtual NEMO network interface Generally this will be a Local Area Network LAN a Add a local network to use...

Page 356: ...configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 To display details about all configured NEMO tunnels type the following at the prompt show nemo NEMO Enable Status Address Agent CoAddress demo false test true up 1 2 3 4 4 3 2 1 10 10 10 1 3 To display details about a specific tunnel show nemo name test test NEMO Status Enabled true Status up Home...

Page 357: ... 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 358: ...authentication 375 Configure telnet access 378 Configure DNS 383 Simple Network Management Protocol SNMP 389 Configure the Modbus gateway 394 System time 409 Configure the system time 409 Network Time Protocol 412 Configure the device as an NTP server 412 Configure a multicast route 417 Ethernet network bonding 420 Enable service discovery mDNS 423 Use the iPerf service 426 ...

Page 359: ...inistration or SSH service See Firewall configuration for information on zones n See Set the idle timeout for IX20 users for information about setting the inactivity timeout for the web administration and SSH services To allow web administration or SSH for the External firewall zone Add the External firewall zone to the web administration service WebUI 1 Log into the IX20 WebUI as a user with full...

Page 360: ...guration mode config config 3 Add the external zone to the web administration service config add service web_admin acl zone end external config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Add the Extern...

Page 361: ... 3 Click Configuration Services SSH Access Control List Zones 4 For Add Zone click 5 Select External 6 Click Apply to save the configuration and apply the change ...

Page 362: ...ce by using the WebUI a browser based interface By default the web administration service is enabled and uses the standard HTTPS port 443 The default access control for the service uses the Internal firewall zone which means that only devices connected to the IX20 s LAN can access the WebUI If this configuration is sufficient for your needs no further configuration is required See Allow remote acc...

Page 363: ...nfiguration The Configuration window is displayed 3 Click Services Web administration 4 Click Enable 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type ...

Page 364: ...ick System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Web administration 4 Optional For Port enter the port number for the service Normally this should not be changed 5 Click Access control list to configure access control n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Addres...

Page 365: ...n to allow access through additional firewall zones 6 Multicast DNS mDNS is enabled by default mDNS is a protocol that resolves host names in small networks that do not have a DNS server To disable mDNS or enable it if it has been disabled click Enable mDNS 7 For SSL certificate if you have your own signed SSL certificate type the certificate and private key in PEM format If SSL certificate is bla...

Page 366: ...No limit to IPv4 addresses that can access the web administration service Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add service web_admin acl address6 end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addr...

Page 367: ...play a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Repeat this step to list additional firewall zones 4 Optional If you have your own s...

Page 368: ...o connect to the HTTPS session by using encryption protocols older than TLS 1 2 in addition to TLS 1 2 and later protocols This option is disabled by default which means that only TLS 1 2 and later encryption protocols are allowed with HTTPS connections To enable legacy encryption protocols config service web_admin legacy_encryption true config 8 Optional Disable legacy port redirection Legacy por...

Page 369: ...cess n Configure access control for the SSH service Additional configuration items n Port to use for communications with the SSH service n Multicast DNS mDNS support n A private key to use for communications with the SSH service See Set the idle timeout for IX20 users for information about setting the inactivity timeout for the SSH service Enable or disable the SSH service The SSH service is enabl...

Page 370: ...able or disable the SSH service n To enable the service config service ssh enable true config n To disable the service config service ssh enable false config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device C...

Page 371: ...etworks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s SSH service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the SSH service d Click again to list additional IP addresses or networks n To limit acc...

Page 372: ...ration mode config config 3 Configure access control n To limit access to specified IPv4 addresses and networks config add service ssh acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the SSH service Repeat this step to list additional IP addresses ...

Page 373: ... n To limit access based on firewall zones config add service ssh acl zone end value Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configu...

Page 374: ...nable the mDNS protocol config service ssh mdns enable true config n To disable the mDNS protocol config service ssh mdns enable false config 6 Optional Set the port number for this service The default setting of 22 normally should not be changed config service ssh port 24 config 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Dependin...

Page 375: ... Linux host, an SSH key pair is usually created automatically in the user's .ssh directory. The private and public keys are named id_rsa and id_rsa.pub. If you need to generate an SSH key pair, you can use the ssh-keygen application. For example, the following entry generates an RSA key pair in the user's .ssh directory: ssh-keygen -t rsa -f ~/.ssh/id_rsa The private key file is named id_rsa and the public key ...

Page 376: ...when creating a new user See User authentication for information about creating a new user These instructions assume an existing user named temp_user 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configura...

Page 377: ... 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 378: ...elnet service Additional configuration items n Port to use for communications with the telnet service n Multicast DNS mDNS support See Set the idle timeout for IX20 users for information about setting the inactivity timeout for the telnet service Enable the telnet service The telnet service is disabled by default To enable the service WebUI 1 Log into the IX20 WebUI as a user with full Admin acces...

Page 379: ... to enter configuration mode config config 3 Enable the telnet service config service telnet enable true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure the service WebUI 1 Log into the IX2...

Page 380: ...d networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s telnet service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the telnet service d Click again to list additional IP addresses or networks n To ...

Page 381: ...net acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the telnet service Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add service telnet acl address6 end value config W...

Page 382: ...alue Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Rep...

Page 383: ... caches the results This server is used within the device and cannot be disabled Use the access control list to restrict external access to this server Required configuration items n Configure access control for the DNS service Additional configuration items n Whether the device should cache negative responses n Whether the device should always perform DNS queries to all available DNS servers n Wh...

Page 384: ...ick c For Address enter the IPv6 address or network that can access the device s DNS service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the DNS service d Click again to list additional IP addresses or networks n To limit access to hosts connected through a specified interfac...

Page 385: ...ervers b For Add Server click c Optional Enter a label for the DNS server d For DNS server enter the IP address of the DNS server e Domain restricts the device s use of this DNS server based on the domain If no domains are listed then all queries may be sent to this server 10 Optional To add host names and their IP addresses that the device s DNS server will resolve a Click Additional DNS hostnames...

Page 386: ...list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add service dns acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Def...

Page 387: ...ice dns cache_negative_responses false config 5 Optional Query all servers By default the device s DNS server queries all available DNS servers Disabling this option may improve performance on networks with transient DNS results when one or more DNS servers may have positive results To disable config service dns query_all_servers false config 6 Optional Rebind protection By default rebind protecti...

Page 388: ... d Optional Set a label for this DNS server config service dns server 0 label label config service dns server 0 9 Optional Add host names and their IP addresses that the device s DNS server will resolve a Add a host config add service dns host end config service dns host 0 b Set the IP address of the host config service dns host 0 address ip addr config service dns host 0 c Set the host name confi...

Page 389: ... device to receive SNMP packets you must configure the SNMP access control list to allow the device to receive the packets See Configure Simple Network Management Protocol SNMP Configure Simple Network Management Protocol SNMP Required configuration items n Enable SNMP n Firewall configuration using access control to allow remote connections to the SNMP agent n The user name and password used to c...

Page 390: ... b For Add Address click c For Address enter the IPv6 address or network that can access the device s SNMP agent Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the SNMP agent d Click again to list additional IP addresses or networks n To limit access to hosts connected through a...

Page 391: ...tion and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the SNMP agent config service snmp enable true config 4 Configure access contr...

Page 392: ... interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service snmp acl zone end value Where value is a firewa...

Page 393: ... port config 8 Optional Configure Multicast DNS mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server For the SNMP agent mDNS is disabled by default To enable config service snmp mdns enable true config 9 Optional Set the authentication type Allowed values are MD5 or SHA The default is MD5 config service snmp auth_type SHA config 10 Optional Set the priva...

Page 394: ...onfigure Simple Network Management Protocol SNMP for information about enabling and configuring SNMP support on the IX20 device 3 On the main menu click Status Under Services click SNMP The SNMP page is displayed 4 Click Download Configure the Modbus gateway Your IX20 supports the ability to function as a Modbus gateway to provide serial to Ethernet connectivity to Programmable Logic Controllers P...

Page 395: ...determine if messages should be forwarded to a destination device Additional configuration items n Server configuration l The packet mode l The maximum time between bytes in a packet l If the connection type is set to socket o The port to use o The inactivity timeout o Access control list l If the connection type is set to serial o Whether to use half duplex two wire mode n Client configuration l ...

Page 396: ...tion click Device Configuration The Configuration window is displayed 3 Click Services Modbus Gateway 4 Click Enable to enable the gateway 5 Click Debug to allow verbose logging in the system log Configure gateway servers 1 Click to expand Gateway Servers 2 For Add Modbus server type a name for the server and click The new Modbus gateway server configuration is displayed ...

Page 397: ... second and take the format number ms s For example to set Packet idle gap to 20 milliseconds enter 20ms 7 If Connection type is set to Socket for Inactivity timeout type the amount of time to wait before disconnecting the socket when it has become inactive Allowed values are any number of minutes or seconds up to a maximum of 15 minutes and take the format number m s For example to set Inactivity...

Page 398: ...t access to hosts connected through a specified interface on the IX20 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface from the dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Fire...

Page 399: ...onnection type is set to Socket for Inactivity timeout type the amount of time to wait before disconnecting the socket when it has become inactive Allowed values are any number of minutes or seconds up to a maximum of 15 minutes and take the format number m s For example to set Inactivity timeout to ten minutes enter 10m or 600s 8 Optional If Connection type is set to Serial click Half duplex to e...

Page 400: ... forwarded to a destination device If the Modbus address in the message matches one or more of the filters the message is forwarded If it does not match the filters the message is not forwarded 13 For Address or address range type a Modbus address or range of addresses Allowed values are 1 through 255 or a hyphen separated range For example to have this client filter for incoming messages that con...

Page 401: ...k Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the Modbus gateway config service modbus_gateway ...

Page 402: ...t mode config service modbus_gateway server test_modbus_server socket packet_mode value config service modbus_gateway server test_modbus_server where value is either rtu or raw The default is rtu iv Set the maximum allowable time between bytes in a packet config service modbus_gateway server test_modbus_server socket idle_gap value config service modbus_gateway server test_modbus_server where valu...

Page 403: ...ver ii Set the packet mode config service modbus_gateway server test_modbus_server serial packet_mode value config service modbus_gateway server test_modbus_server where value is either rtu or ascii The default is rtu iii Set the maximum allowable time between bytes in a packet config service modbus_gateway server test_modbus_server serial idle_gap value config service modbus_gateway server test_m...

Page 404: ...nection type config service modbus_gateway client test_modbus_client connection_type type config service modbus_gateway client test_modbus_client where type is either socket or serial The default is socket n If connection_type is set to socket i Set the IP protocol config service modbus_gateway client test_modbus_client socket protocol value config service modbus_gateway client test_modbus_client...

Page 405: ...any number of minutes or seconds up to a maximum of 15 minutes and takes the format number m s For example to set inactivity_timeout to ten minutes enter either 10m or 600s config service modbus_gateway client test_modbus_client inactivity_timeout 600s config service modbus_gateway client test_modbus_client vi Set the hostname or IP address of the remote host on which the Modbus server is running ...

Page 406: ...able half duplex two wire mode config service modbus_gateway client test_modbus_client serial half_duplex true config service modbus_gateway client test_modbus_client d Optional Enable the gateway to send broadcast messages to this client config service modbus_gateway client test_modbus_client broadcast true config service modbus_gateway client test_modbus_client e Set the maximum time to wait for...

Page 407: ...es handled by this client should always be forwarded to a specific device use fixed_server_address to set the device's Modbus address config service modbus_gateway client test_modbus_client fixed_server_address value config service modbus_gateway client test_modbus_client Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on t...

Page 408: ..._address set to 10 This will configure the gateway to deliver all messages that have the Modbus server address of 20 to the device with address 10 i Repeat the above instructions for additional clients 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access sel...

Page 409: ...figure the system time for details about changing the default configuration The IX20 device can also be configured to use Network Time Protocol NTP In this configuration the device serves as an NTP server providing NTP services to downstream devices See Network Time Protocol for more information about NTP server support Configure the system time This procedure is optional The IX20 device s default...

Page 410: ...NTP servers If multiple servers are included servers are tried in the order listed until one succeeds Note This list is synchronized with the list of servers included with NTP server configuration and changes made to one will be reflected in the other See Configure the device as an NTP server for more information about NTP server configuration 6 Click Apply to save the configuration and apply the ...

Page 411: ...cecloud com config del service ntp server 0 n To add the NTP server to the beginning of the list use the index value of 0 to indicate that it should be added as the first server config add service ntp server 0 time server com config n To add the NTP server to the end of the list use the index keyword end config add service ntp server end time server com config n To add the NTP server in another lo...

Page 412: ...TP server is required Additional NTP servers can be configured If multiple servers are configured a number of time samples are obtained from each of the servers and a subset of the NTP clock filter and selection algorithms are applied to select the best of these See Configure the device as an NTP server for information about configuring your device as an NTP server Configure the device as an NTP s...

Page 413: ...addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s NTP service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the NTP service d Click again to list additional IP addresses or networks...

Page 414: ... with the list of servers included with NTP client configuration and changes made to one will be reflected in the other See Configure the system time for more information about NTP client configuration 7 Optional Configure the system time zone The default is UTC a Click System Time b Select the Timezone for the location of your IX20 device 8 Click Apply to save the configuration and apply the chan...

Page 415: ...bout NTP client configuration 5 Optional Configure the access control list to limit downstream access to the IX20 device s NTP service n To limit access to specified IPv4 addresses and networks config add service ntp acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses...

Page 416: ...m config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service ntp acl zone end value Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filt...

Page 417: ...ts actions that occur at a specific time of day Format Africa Abidjan Africa Accra Africa Addis_Ababa config 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a multicast route Multicast routing all...

Page 418: ...s 10 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the multicast route For example to add a ro...

Page 419: ...k interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback Current value config service multicast test src_interface b Set the interface For example config service multicast test src_interface network interface eth1 config service multicast test 8 Set the destination interface that the IX20 device will use to send multicast packets config service multicas...

Page 420: ...twork bonding The IX20 device supports bonding mode for the Ethernet network This allows you to configure the device so that Ethernet ports share one IP address When both ports are being used they act as one Ethernet network port Required configuration items n Enable Ethernet bonding n The mode either l Active backup Provides fault tolerance l Round robin Provides load balancing as well as fault t...

Page 421: ... Alternates between bonded devices to provide load balancing as well as fault tolerance 6 Click to expand Devices 7 Add Ethernet devices a For Add device click b For Device select an Ethernet device to participate in the bond pool c Repeat for each appropriate Ethernet device 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with f...

Page 422: ...hosen This mode provides for fault tolerance n round robin Alternates between bonded devices to provide load balancing as well as fault tolerance 5 Add Ethernet devices a Use the to determine available devices config network bond name network device Additional Configuration eth1 eth2 loopback config network bond name b Add a device config network bond name add device network device eth1 config net...

Page 423: ...IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s mDNS service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the mDNS service d Click again to list additional IP addresses or networks n To limit access to spec...

Page 424: ...ck Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the mDNS service config service mdns enable true...

Page 425: ...nfig Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem config Repeat this step to list additional interfaces n To limit access based o...

Page 426: ...can handle This is useful when diagnosing network speed issues to determine for example whether a cellular connection is providing expected throughput The IX20 implementation of iPerf3 supports testing with both TCP and UDP Note Using iPerf clients that are at a version earlier than iPerf3 to connect to the IX20 device s iPerf3 server may result in unpredictable results As a result Digi recommends...

Page 427: ...iate port number for the iPerf server listening port 6 Optional Click to expand Access control list to restrict access to the iPerf server n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network...

Page 428: ...opdown See Firewall configuration for information about firewall zones d Click again to allow access through additional firewall zones 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Adm...

Page 429: ...this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add service iperf acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuratio...

Page 430: ...talled enter the following command iperf3 c device_ip where device_ip is the IP address of the IX20 device For example iperf3 c 192 168 2 1 Connecting to host 192 168 2 1 port 5201 4 local 192 168 3 100 port 54934 connected to 192 168 1 1 port 5201 ID Interval Transfer Bandwidth Retr Cwnd 4 0 00 1 00 sec 26 7 MBytes 224 Mbits sec 8 2 68 MBytes 4 1 00 2 00 sec 28 4 MBytes 238 Mbits sec 29 1 39 MByt...

Page 431: ...ID Interval Transfer Bandwidth Retr 4 0 00 10 00 sec 315 MBytes 264 Mbits sec 37 sender 4 0 00 10 00 sec 313 MBytes 262 Mbits sec receiver iperf Done ...

Page 432: ...ice system restarts at specific intervals or at a specified time This chapter contains the following topics Configure applications to run automatically 433 Run a Python application at the shell prompt 439 Start an interactive Python session 441 Digidevice module 443 Use Python to access serial ports 464 Use the Paho MQTT python library 465 Stop a script that is currently running 468 Show script in...

Page 433: ... At a specified interval l During system maintenance Additional configuration items n A label used to identify the application n The action to take if the Python application finishes The actions that can be taken are l None l Restart the script l Reboot the device n The arguments for the Python application n Whether to write the application output and errors to the system log n The memory availabl...

Page 434: ... n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the IX20 device n local path is the location on the IX20 device where the copied file will be placed For example To upload a Python application from a remote host with an IP address of 1...

Page 435: ... with care WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks Custom scripts 4 For Add Script click The schedule script configuration window is displayed Scheduled scripts are enabled by default To disable click Enable to toggle off 5 O...

Page 436: ...f Set Time is selected specify the time that the script should run in Run time using the format HH MM n During system maintenance The script will run during the system maintenance time window 7 For Commands enter the commands that will execute the script If the script begins with then the script will be invoked in the location specified by the path for the script command Otherwise the default shel...

Page 437: ...le script 0 label value config system schedule script 0 where value is any string if spaces are used enclose value within double quotes 5 Set the mode that will be used to run the script config system schedule script 0 when mode config system schedule script 0 where mode is one of the following n boot The script will run once each time the device boots l If boot is selected set the action that wil...

Page 438: ...et set the time that the script should run using the format HH MM config system schedule script 0 run_time HH MM config system schedule script 0 n maintenance_time The script will run during the system maintenance time window 6 Set the commands that will execute the script config system schedule script 0 commands filename config system schedule script 0 where filename is the path and filename of t...

Page 439: ...running on config system schedule script 0 sandbox true config system schedule script 0 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Run a Python application at the shell prompt Python applications can...

Page 440: ...presented with an Access selection menu Type admin to access the Admin CLI b At the command line use the scp command to upload the Python application script to the IX20 device scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path i...

Page 441: ...teractive Python session Use the python command without specifying any parameters to start an interactive Python session The Python session operates interactively using REPL Read Evaluate Print Loop to allow you to write Python code on the command line Note The Python interactive session is not available from the Admin CLI You must access the device shell in order to run Python applications from t...

Page 442: ...442 NAME digidevice Digi device python extensions DESCRIPTION This module includes various extensions that allow Python to interact with additional features offered by the device 4 Use Ctrl D to exit the Python session You can also exit the session using exit or quit ...

Page 443: ...vice module This section contains the following topics Use digidevice cli to execute CLI commands 444 Use digidevice datapoint to upload custom datapoints to Digi Remote Manager 445 Use digidevice config for device configuration 447 Use Python to respond to Digi Remote Manager SCI requests 449 Use digidevice runtime to access the runtime database 458 Use Python to upload the device name to Digi Re...

Page 444: ...nteractive Python session python Python 3 6 10 default Jan 31 2020 08 45 19 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Execute a CLI command using the cli execute command function For example to print the system status and statistics to stdout using the show system command response cli execute show system p...

Page 445: ...lp copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Use the help command with cli execute help cli execute Help on function execute in module digidevice cli execute command timeout 5 Execute a CLI command with the timeout specified returning the results 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit ...

Page 446: ... digidevice import datapoint import time 4 Upload the datapoints to Remote Manager datapoint upload Velocity 69 units mph datapoint upload Temperature 24 geo_location 54 409469 1 718836 129 datapoint upload Emergency_Door closed timestamp time time 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Once the datapoints have been uploaded to Remote Manager they ...

Page 447: ...sion You can also exit the session using exit or quit Use digidevice config for device configuration Use the config Python module to access and modify the device configuration Read the device configuration Use the get method to read the device configuration 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access select...

Page 448: ...o the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no parameters to enter an interactive Python session python Python 3 6 10 default Jan 31 2020 08 45 19 GCC 8 3 0 on linux Type help copyright credits or license for more ...

Page 449: ...config Help on module acl config in acl NAME acl config Python interface to ACL configuration libconfig 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Use Python to respond to Digi Remote Manager SCI requests The device_request Python module allows you to interact with Digi Remote Manager by using Remote Manager s Server Command Interface SCI a web service...

Page 450: ...handler Note Leave the interactive Python session active while completing task two below Once you have completed task two exit the interactive session by using Ctrl D You can also exit the session using exit or quit Task two Create and send an SCI request from Digi Remote Manager The second step in using the device_request module is to create an SCI request that Remote Manager will forward to the ...

Page 451: ...er you will receive a response similar to the following sci_reply version 1 0 data_service device id 00000000 00000000 0000FFFF A83CF6A3 requests device_request target_name myTarget status 0 OK device_request requests device data_service sci_request Example Use digidevice cli with digidevice device_request In this example we will use the digidevice cli module in conjunction with the digidevice de...

Page 452: ...e request in Remote Manager to query both devices See Configure applications to run automatically for information about uploading Python applications to your device You can also create the script on the device by using the vi command when logged in with shell access 3 For both devices a Configure the device to automatically run the showsystem py application on reboot and to restart the application...

Page 453: ...tem py ix Click Apply to save the configuration and apply the change Command line i Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI ii At the command line type config to enter configuration mode config config iii Add an application entry config add sys...

Page 454: ...plication config system schedule script 0 commands python etc config scripts showsystem py config system schedule script 0 viii Save the configuration and apply the change config save Configuration saved b Run the showsystem py application You can run the application by either rebooting the device or by running it from the shell prompt n To reboot the device i From the WebUI i From the main menu c...

Page 455: ...FFF A83CF6A3 device id 00000000 00000000 0000FFFF 485740BC targets requests device_request target_name myTarget my payload string device_request requests data_service sci_request 7 For the device_request element replace the value of target_name with showSystem This matches the target parameter of the device_request register function in the showsystem py application device_request target_name showS...

Page 456: ...00000000 00000000 0000FFFF 485740BC requests device_request target_name showSystem status 0 Model Digi IX20 Serial Number IX20 000023 Hostname IX20 MAC 00 40 D0 26 79 1C Hardware Version 50001959 01 A Firmware Version 20 8 22 32 Bootloader Version 1 Firmware Build Date Fri 28 Aug 2020 9 25 12 Schema Version 461 Timezone UTC Current Time Fri 28 Aug 2020 9 25 12 CPU 1 1 Uptime 4 day 13 hours 43 minu...

Page 457: ...n 3 Import the device_request submodule from digidevice import device_request 4 Use the help command with device_request help device_request Help on module digidevice device_request in digidevice NAME digidevice device_request APIs for registering device request handlers You can also use the help command with available device_request functions n Use the help command with device_request register he...

Page 458: ...redits or license for more information 3 Import the runt submodule from digidevice import runt 4 Use start method to open the runtime database runt start 5 Display available keys in the runtime database print runt keys advanced drm firmware location manufacture metrics mm network pam serial system print runt keys system boot_count chassis cpu_temp cpu_usage disk load_avg local_time mac mcu model r...

Page 459: ...abase runt stop 8 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for using Python to access the runtime database Get help for reading and modifying the device runtime database by accessing help for digidevice runt 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selec...

Page 460: ...ice based on the device name changing the name of the device may cause Remote Manager to automatically push a profile onto the device Together these two features allow you to swap one device for another by using the name submodule to change the device name while guaranteeing that the new device will have the same configuration as the previous one Note Because causing a profile to be automatically ...

Page 461: ...5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Manager by accessing help for digidevice name 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type s...

Page 462: ...Manager or Digi aView by using the digidevice sms module To use a script to send or receive SMS messages you must also enable the ability to schedule SMS scripting Enable the ability to schedule SMS scripting WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click...

Page 463: ...guration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device See Configure applications to run automatically for more information about scheduling scripts Example digidevice sms code The following example code receives an SMS message and sends a response usr bin python3 6 import os...

Page 464: ...g a serial port in Application mode To use Python to access serial ports 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 Determine the path to the serial port ls dev serial by id by path by usb port1 3 At the shell prompt use the python command with no para...

Page 465: ...rics from runt Reporting DHCP clients Firmware update feature simple implementation read TODO in cmd_fwupdate import sys import time import paho mqtt client as mqtt import json from acl import runt config from http import HTTPStatus import urllib request import tempfile import os from digidevice import cli POLL_TIME 60 def cmd_reboot params print Rebooting unit try cli execute reboot 10 except pri...

Page 466: ... def send_cmd_reply client cmd_path cid cmd status if not status or not cid return if cmd_path startswith PREFIX_CMD path cmd_path len PREFIX_CMD else print Invalid command path cannot send reply format cmd_path return reply cmd cmd status status client publish PREFIX_RSP path cid json dumps reply separators def on_connect client userdata flags rc print Connected to MQTT server client subscribe PR...

Page 467: ...TED send_cmd_reply client msg topic cid cmd status def publish_dhcp_leases leases try with open etc config dhcp leases r as f for line in f elems line split if len elems 5 continue leases append mac elems 1 ip elems 2 host elems 3 if leases client publish PREFIX_EVENT leases json dumps leases separators except print Failed to open DHCP leases file def publish_system avg1 avg5 avg15 runt get system...

Page 468: ...o MQTT server sys exit 1 while True publish_dhcp_leases publish_system time sleep POLL_TIME Stop a script that is currently running You can stop a script that is currently running by using the system script stop name command Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin ...

Page 469: ...tatus and statistics about location information from either the WebUI or the command line WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 At the Status page click Scripts The Scripts page displays Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the ...

Page 470: ...d_mgmt_intf_update pri runt get network mgmt log default if pri pri then default_net runt dump network route default grep m 1 o interface_ cut f2 d _ tr d if n default_net then default_intf runt get network interface default_net device runt set network mgmt log intf default_intf fi log runt log network mgmt log ...

Page 471: ...ation IX20 User Guide 471 accns_log network_mgmt log type mgmt log fi 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 472: ...ication methods 473 Authentication groups 480 Local users 490 Terminal Access Controller Access Control System Plus TACACS 502 Remote Authentication Dial In User Service RADIUS 510 LDAP 517 Disable shell access 524 Set the idle timeout for IX20 users 525 Example user configuration 528 IX20 User Guide 472 ...

Page 473: ...ocal users Groups Associates access permissions for a group You can modify the released groups and create additional groups as needed for your site A user can be assigned to more than one group n admin Provides the logged in user with administrative and shell access n serial Provides the logged in user with access to serial ports Users Defines local users for the IX20 n admin Belongs to both the a...

Page 474: ...tion Dial In User Service RADIUS for information about configuring RADIUS authentication n TACACS Users authenticated by using a remote TACACS server for authentication See Terminal Access Controller Access Control System Plus TACACS for information about configuring TACACS authentication n LDAP Users authenticated by using a remote LDAP server for authentication See LDAP for information about con...

Page 475: ...nu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Methods 4 For Add Method click 5 Select the appropriate authentication type for the new method from the Method drop down Note Authentication methods are attempted in the order they are listed until the first successful authentication result is returned See Rearrange the posit...

Page 476: ...d the new authentication method to the appropriate location in the list n To determine the current list of authentication methods a Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI b At the command line type config to enter configuration mode config con...

Page 477: ... rearrange existing methods See Rearrange the position of authentication methods for information about how to reorder the authentication methods 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete an aut...

Page 478: ...g 3 Use the show auth method command to determine the index number of the authentication method to be deleted config show auth method 0 local 1 radius 2 tacacs config 4 Delete the appropriate authentication method config del auth method n Where n is index number of the authentication method to be deleted For example to delete the TACACS authentication method as displayed by the example show comman...

Page 479: ...he following configuration has Local users as the first method and RADIUS as the second To reorder these so that RADIUS is first and Local users is second 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click to expand the first Method 4 In the Method drop down select...

Page 480: ... display current configuration config show auth method 0 local 1 radius config 4 Use the move command to rearrange the methods config move auth method 1 0 config 5 Use the show command again to verify the change config show auth method 0 radius 1 local config 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device con...

Page 481: ...with Serial access have the ability to log into the IX20 device by using the serial console Preconfigured authentication groups The IX20 device has two preconfigured authentication groups n The admin group is configured by default to have full Admin access and Shell access Shell access is not available if the Allow shell parameter has been disabled See Disable shell access for more information abo...

Page 482: ...o expand its configuration node 5 Click the box next to the following options as appropriate to enable or disable access rights for each n Admin access For groups assigned Admin access you can also determine whether the Access level should be Full access or Read only access l Full access provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI l R...

Page 483: ...e Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable or disable access rights for the group For example n Admin access l To set the access level for Admin access of the admin group config auth group admin acl admin level value config where value is either o full provides users of this group with the ability to manage the IX20 device by using the WebUI or...

Page 484: ...le true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Add an authentication group Required configuration items n The access rights to be assigned to users that are assigned to this group Additional...

Page 485: ...he following options as appropriate to enable or disable access rights for each n Admin access For groups assigned Admin access you can also determine whether the Access level should be Full access or Read only access where value is either l Full access full provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI l Read only access read only prov...

Page 486: ...Optional Enable users that belong to this group to query the device for Nagios monitoring by checking the box next to Nagios access 9 Optional Enable users that belong to this group to access the Bluetooth scanning service by checking the box next to Bluetooth scanner access 10 Optional Enable users that belong to this group to access the Wi Fi scanning service by checking the box next to Wi Fi sc...

Page 487: ...cess config auth group test acl shell enable true config Shell access is not available if the Allow shell parameter has been disabled See Disable shell access for more information about the Allow shell parameter n Serial access config auth group test acl serial enable true config 5 Optional Configure captive portal access a Return to the config prompt by typing three periods config auth group test...

Page 488: ... Fi scanning service config auth group group test acl wifi_scanner enable true config 9 Save the configuration and apply the change config save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete an authentication group By default the IX20 device has two preco...

Page 489: ...ghts Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth group groupname 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your devi...

Page 490: ... the device and is the most critical security feature for the device If you reset the device to factory defaults you must log in using the default user and password and you should immediately change the password to a custom password Before deploying or mounting the IX20 device record the default password so you have the information available when you need it even if you cannot physically access th...

Page 491: ... Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 Click the username to expand the user s configuration node 5 For Password enter the new password The password must be at least ten characters long and must contain at least one uppercase letter one lowercase letter one number and one special character You can also change the password for the active user by c...

Page 492: ...one uppercase letter one lowercase letter one number and one special character 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a local user Required configuration items n A username n A password T...

Page 493: ...n over SSH telnet and the serial console l The verification type for two factor authentication Either time based or counter based l The security key l Whether to allow passcode reuse time based verification only l The passcode refresh interval time based verification only l The valid code window size l The login limit l The login limit period l One time use eight digit emergency scratch codes To c...

Page 494: ...ick to toggle off Enable a For Lockout tries type the number of unsuccessful login attempts before the user is locked out of the device The default is 5 b For Lockout duration type the amount of time that the user is locked out after the number of unsuccessful login attempts defined in Lockout tries Allowed values are any number of minutes or seconds and take the format number m s For example to s...

Page 495: ...me password n Counter based HOTP HMAC based One Time Password HOTP uses a counter to validate a one time password d Generate a Secret key i Click next to the field label and select Generate secret key ii To display the QR code for the secret key click next to the field label and select Show secret key QR code iii Copy the secret key or scan or copy the QR code for use with an application or mobile...

Page 496: ...codes that may be used once at any time To add a scratch code i Click Scratch codes ii For Add Code click iii For Code enter the scratch code The code must be eight digits with a minimum of 10000000 iv Click again to add additional scratch codes 10 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depend...

Page 497: ...and takes the format number m s For example to set duration to ten minutes enter either 10m or 600s config auth user new_user lockout duration 600s config auth user new_user The minimum value is 1 second and the maximum is 15 minutes The default is 15 minutes 6 Add groups for the user Groups define user access rights See Authentication groups for information about configuring groups a Add a group ...

Page 498: ...gure two factor authentication for SSH telnet and serial console login a Change to the user s two factor authentication node config auth user new_user 2fa config auth user new_user 2fa b Enable two factor authentication for this user config auth user new_user 2fa enable true config auth user new_user 2fa c Configure the verification type Allowed values are n totp Time based One Time Password TOTP ...

Page 499: ...ry when the clocks used by the server and client are not synchronized config auth user new_user 2fa window_size 3 config auth user new_user 2fa h Configure the login limit This represents the number of times that the user is allowed to attempt to log in during the Login limit period Set to 0 to allow an unlimited number of login attempts during the Login limit period config auth user new_user 2fa ...

Page 500: ...atch codes use the add end code command again 9 Save the configuration and apply the change config auth user new 2fa scratch_code save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a local user To delete a user from your IX20 WebUI 1 Log into the IX20 We...

Page 501: ...g on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth user username 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuratio...

Page 502: ...nd connection parameters to a TACACS server over TCP The TACACS server then authenticates the TACACS client requests and sends back a response message to the device When you are using TACACS authentication you can have both local users and TACACS users able to log in to the device To use TACACS authentication you must set up a TACACS server that is accessible by the IX20 device prior to configurat...

Page 503: ... sudo gedit etc tacacs tac_plus conf 2 Add users to the file using the following format This example will create two users one with admin and serial access and one with only serial access user user1 name User1 for IX20 pap cleartext password1 service system groupname admin serial user user2 name User2 for IX20 pap cleartext password2 service system groupname serial The groupname attribute is optio...

Page 504: ...ocally if the TACACS server is unavailable or if the user is not defined on the TACACS server then you should list the TACACS authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the TACACS servers are unavailable and the IX20 device falls back to local authentication only users defined locally on ...

Page 505: ...file for example key testing123 e Optional Click again to add additional TACACS servers 5 Optional Enable Authoritative to prevent other authentication methods from being used if TACACS authentication fails Other authentication methods will only be used if the TACACS server is unavailable 6 Optional For Group attribute type the name of the attribute used in the TACACS server s configuration to ide...

Page 506: ... 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Optional Prevent other authentication methods from being used if TACACS authentication fails Other authentication methods w...

Page 507: ...ure TCP connection to the LDAP server on port 389 then sends a request to upgrade the connection to a secure TLS connection This is the preferred method for LDAP The default is off 7 If tls is set to on or start_tls configure whether to verify the server certificate config auth ldap verify_server_cert value config where value is either n true Verifies the server certificate with a known Certificat...

Page 508: ...3 to 60 The default value is 3 13 Add a TACACS server a Add the server config add auth tacacs server end config auth tacacs server 0 b Enter the TACACS server s IP address or hostname config auth tacacs server 0 hostname hostname ip address config auth tacacs server 0 c Optional Change the default port setting to the appropriate port config auth tacacs server 0 port port config auth tacacs server...

Page 509: ...uide 509 config add auth method end tacacs config 15 Save the configuration and apply the change config save Configuration saved 16 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 510: ...erver over UDP The RADIUS server then authenticates the RADIUS client requests and sends back a response message to the device When you are using RADIUS authentication you can have both local users and RADIUS users able to log in to the device To use RADIUS authentication you must set up a RADIUS server that is accessible by the IX20 device prior to configuration The process of setting up a RADIUS...

Page 511: ...ely if the user is also configured as a local user on the IX20 device and the RADIUS server authenticates the user but does not return any groups the local configuration determines the list of groups See Authentication groups for more information about authentication groups The Unix FTP Group Names attribute can contain one group or multiple groups in a comma separated list 3 Save and close the fi...

Page 512: ... This section describes how to configure an IX20 device to use a RADIUS server for authentication and authorization Required configuration items n Define the RADIUS server IP address or domain name n Define the RADIUS server shared secret n Add RADIUS as an authentication method for your IX20 device Additional configuration items n Whether other user authentication methods should be used in additio...

Page 513: ...RADIUS server to respond Allowed value is any integer from 3 to 60 The default value is 3 f Optional Click again to add additional RADIUS servers 5 Optional Enable Authoritative to prevent other authentication methods from being used if RADIUS authentication fails Other authentication methods will only be used if the RADIUS server is unavailable 6 Optional Click RADIUS debug to enable additional d...

Page 514: ...the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Optional Prevent other authentication methods from being used if RADIUS authentication fails Other authentication methods will only be ...

Page 515: ...on or start_tls configure whether to verify the server certificate config auth ldap verify_server_cert value config where value is either n true Verifies the server certificate with a known Certificate Authority n false Does not verify the certificate Use this option if the server is using a self signed certificate The default is true 8 Set the distinguished name DN that is used to bind to the LDA...

Page 516: ...config auth radius server 0 hostname hostname ip address config auth radius server 0 c Optional Change the default port setting to the appropriate port config auth radius server 0 port port config auth radius server 0 d Enter the RADIUS server s shared secret This is configured in the secret parameter of the RADIUS server s client conf file For example config auth radius server 0 secret testing123...

Page 517: ...ion and authorization management for users who connect to the device With LDAP support the IX20 device acts as an LDAP client which sends user credentials and connection parameters to an LDAP server The LDAP server then authenticates the LDAP client requests and sends back a response message to the device When you are using LDAP authentication you can have both local users and LDAP users able to l...

Page 518: ...ng the following format dn uid john dc example dc com objectClass inetOrgPerson cn John Smith sn Smith uid john userPassword password ou admin serial n The value of uid and userPassword must correspond to the username and password used to log into the IX20 device n The ou attribute is optional If used the value must correspond to authentication groups configured on your IX20 Alternatively if the u...

Page 519: ... server then you should list the LDAP authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the LDAP servers are unavailable and the IX20 device falls back to local authentication only users defined locally on the device are able to log in LDAP users cannot log in until the LDAP servers are brought ...

Page 520: ...ange the default Port setting to the appropriate port Normally this should be left at the default setting of port 389 d Optional Click again to add additional LDAP servers 5 Optional Enable Authoritative to prevent other authentication methods from being used if LDAP authentication fails Other authentication methods will only be used if the LDAP server is unavailable 6 For TLS connection select th...

Page 521: ...ns 10 For User search base type the distinguished name DN on the server to search for users This can be the root of the directory tree for example dc example dc com or a sub tree for example ou People dc example dc com 11 Optional For Group attribute type the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to See LDAP user conf...

Page 522: ...n port 636 n start_tls Makes a non secure TCP connection to the LDAP server on port 389 then sends a request to upgrade the connection to a secure TLS connection This is the preferred method for LDAP The default is off 5 If tls is set to on or start_tls configure whether to verify the server certificate config auth ldap verify_server_cert value config where value is either n true Verifies the serv...

Page 523: ...P server to respond config auth ldap timeout value config where value is any integer from 3 to 60 The default value is 3 11 Add an LDAP server a Add the server config add auth ldap server end config auth ldap server 0 b Enter the LDAP server s IP address or hostname config auth ldap server 0 hostname hostname ip address config auth ldap server 0 c Optional Change the default port setting to the ap...

Page 524: ... shell access To prohibit access to the shell prompt for all authentication groups disable the Allow shell parameter This does not prevent access to the Admin CLI Note If shell access is disabled re enabling it will erase the device s configuration and perform a factory reset WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration clic...

Page 525: ...er configuration mode config config 3 Set the allow_shell parameter to false config auth allow_shell false Note If shell access is disabled re enabling it will erase the device s configuration and perform a factory reset 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an...

Page 526: ...that the active session can be idle before the user is automatically logged out Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Idle timeout to ten minutes enter 10m or 600s 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights De...

Page 527: ...umber of weeks days hours minutes or seconds and takes the format number w d h m s For example to set idle_timeout to ten minutes enter either 10m or 600s config auth idle_timeout 600s config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type q...

Page 528: ...r rights who is authenticated locally on the device WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 In Add User enter a name for the user and click The user configuration window is displayed 5 Enter a Password for the user ...

Page 529: ... i Click Authentication Methods ii Verify that Local users is one of the methods listed in the list If not i For Add Method click ii For Method select Local users 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu ...

Page 530: ...dmin config auth user adminuser 8 Save the configuration and apply the change config auth user adminuser save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Example 2 RADIUS TACACS and local authentication for one user Goal To create a user with administrator rig...

Page 531: ... configuration IX20 User Guide 531 This example uses a FreeRadius 3 0 server running on Ubuntu and a TACACS server running on Ubuntu Server configuration may vary depending on the platforms or type of servers used in your environment ...

Page 532: ... Group Names parameter c Save and close the users file 2 Configure a user on the TACACS server a On the Ubuntu machine hosting the TACACS server open the etc tacacs tac_plus conf file sudo gedit etc tacacs tac_plus conf b Add a TACACS user to the tac_plus conf file user admin1 name Admin1 for TX64 pap cleartext password1 service system groupname admin In this example n The user s username is admin...

Page 533: ...s b For Method select RADIUS c For Add Method click to add a new method d For the new method select TACACS e Click to add another new method f For the new method select Local users 6 Create the local user a Click Authentication Users b In Add User type admin1 and click c For password type password1 d Assign the user to the admin group i Click Groups ii For Add Group click ...

Page 534: ...untu machine hosting the FreeRadius server open the etc freeradius 3 0 users file sudo gedit etc freeradius 3 0 users b Add a RADIUS user to the users file admin1 Cleartext Password password1 Unix FTP Group Names admin In this example n The user s username is admin1 n The user s password is password1 n The authentication group on the IX20 device admin is identified in the Unix FTP Group Names para...

Page 535: ...LI 4 At the command line type config to enter configuration mode config config 5 Configure the authentication methods a Determine the current authentication method configuration config show auth method 0 local config This output indicates that on this example system only local authentication is configured b Add RADIUS authentication to the beginning of the list config add auth method 0 radius conf...

Page 536: ... admin1 config add auth user admin1 config auth user admin1 b Assign a password to the user config auth user adminuser password password1 config auth user adminuser c Assign the user to the admin group config auth user adminuser add group end admin config auth user adminuser 8 Save the configuration and apply the change config auth user adminuser save Configuration saved 9 Type exit to exit the Ad...

Page 537: ...his chapter contains the following topics Firewall configuration 538 Port forwarding rules 543 Packet filtering 551 Configure custom firewall rules 558 Configure Quality of Service options 560 IX20 User Guide 537 ...

Page 538: ...way l Setup Used for interfaces involved in the initial setup of the device By default the firewall will only allow this zone to access administration services l IPsec The default zone for IPsec tunnels l Dynamic routes Used for routes learned using routing services n Port forwarding A list of rules that allow network connections to the IX20 to be forwarded to other servers by translating the dest...

Page 539: ...ply the change See Configure the firewall zone for a network interface for information about how to configure network interfaces to use a zone Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter con...

Page 540: ...e network interfaces to use a zone Configure the firewall zone for a network interface Firewall zones allow you to group network interfaces for the purpose of packet filtering and access control There are several preconfigured firewall zones and you can create custom zones as well The firewall zone that a network interface uses is selected during interface configuration This example procedure use...

Page 541: ...config to enter configuration mode config config 3 At the config prompt type config network interface eth2 zone my_zone config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Command line 1 Log into the IX2...

Page 542: ...ing on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a custom firewall zone You cannot delete preconfigured firewall zones To delete a custom firewall zone WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration wi...

Page 543: ...ction menu Type quit to disconnect from the device Port forwarding rules Most computers are protected by a firewall that prevents users on a public network from accessing servers on the private network To allow a computer on the Internet to connect to a specific server on a private network set up one or more port forwarding rules Port forwarding rules provide mapping instructions that direct incom...

Page 544: ...r IP address or firewall zone that are authorized to leverage this forwarding rule To configure a port forwarding rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Port forwarding 4 For Add port forward click The port forwarding rule configurat...

Page 545: ...e forwarded 11 For To port type the port number of the port on the server to which traffic should be forwarded 12 Optional Click Access control list to create a white list of devices that are authorized to leverage this forwarding rule based on either the IP address or firewall zone n To white list IP addresses a Click Addresses b For Add Address enter an IP address and click c Repeat for each add...

Page 546: ...o determine available interfaces config firewall dnat 0 interface Interface Network connections will only be forwarded if their destination address matches the IP address of this network interface Format defaultip defaultlinklocal eth1 eth2 loopback Current value config firewall dnat 0 interface b Set the interface For example config firewall dnat 0 interface eth1 config firewall dnat 0 5 Set the ...

Page 547: ...tions must use for their traffic to be forwarded config firewall dnat 0 to_port port config firewall dnat 0 10 Optional To create a white list of devices that are authorized to leverage this forwarding rule based on either the IP address or firewall zone change to the acl node config firewall dnat 0 acl config firewall dnat 0 acl n To white list an IP address l For IPv4 addresses config firewall d...

Page 548: ...1 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a port forwarding rule To delete a port forwarding rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click Sy...

Page 549: ...ith full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the port forwarding rule you want to delete config show firewall dnat 0 acl no address no zone enable true interface ip_version ipv4 label...

Page 550: ... bd63 bb12 9a6f 5569 4b53 c29a to_port 10003 config 4 To delete the rule use the index number with the del command For example config del firewall dnat 1 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 551: ...figuration items n The action that the packet filtering rule will perform either Accept Reject or Drop n The source firewall zone Packets originating from interfaces on this zone will be monitored by this rule n The destination firewall zone Packets destined for interfaces on this zone will be accepted rejected or dropped by this rule Additional configuration requirements n A label for the rule n ...

Page 552: ...n Reject Blocks matching network connections and sends an ICMP error if appropriate n Drop Blocks matching network connections and does not send a reply 6 Select the IP version 7 Select the Protocol 8 For Source zone select the firewall zone that will be monitored by this rule for incoming connections from network interfaces that are a member of this zone See Firewall configuration for more inform...

Page 553: ...x number of the appropriate packet filtering rule config show firewall filter 0 action accept dst_zone any enable true ip_version any label Allow all outgoing traffic protocol any src_zone internal 1 action drop dst_zone internal enable true ip_version any label myfilter protocol any src_zone external config b Select the appropriate rule by using its index number config firewall filter 1 config fi...

Page 554: ...ons from network interfaces that are a member of this zone See Firewall configuration for more information about firewall zones config firewall filter 1 src_zone my_zone config firewall filter 1 6 Set the destination firewall zone Packets destined for network interfaces that are members of this zone will either be accepted rejected or dropped by this rule See Firewall configuration for more inform...

Page 555: ...election menu Type quit to disconnect from the device Enable or disable a packet filtering rule To enable or disable a packet filtering rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Packet filtering 4 Click the appropriate packet filtering ...

Page 556: ...f the appropriate port forwarding rule config show firewall filter 0 action accept dst_zone any enable true ip_version any label Allow all outgoing traffic protocol any src_zone internal 1 action drop dst_zone internal enable true ip_version any label My packet filter protocol any src_zone external config 4 To enable a packet filtering rule use the index number with the enable true command For exa...

Page 557: ...lete a packet filtering rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Packet filtering 4 Click the menu icon next to the appropriate packet filtering rule and select Delete 5 Click Apply to save the configuration and apply the change Comman...

Page 558: ...rsion any label My packet filter protocol any src_zone external config 4 To delete the rule use the index number with the del command For example config del firewall filter 1 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect...

Page 559: ...o override all preconfigured firewall behavior and rely solely on the custom firewall rules 6 For Rules type the shell command that will execute the custom firewall rules script 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access ...

Page 560: ...nage the traffic performance of various services such as Voice over IP VoIP cloud computing traffic shaping traffic prioritizing and bandwidth allocation When configuring QOS you can only control the queue for outgoing packets on each interface egress packets not what is received on the interface packet ingress A QoS binding contains the policies and rules that apply to packets exiting the IX20 de...

Page 561: ...ropriate for your network 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable one of the precon...

Page 562: ...ue config firewall qos 0 interface b Set the interface For example config firewall qos 0 interface network interface eth1 config 5 Examine the remaining default settings and modify as appropriate for your network 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access ...

Page 563: ... only match traffic that is being sent out on this interface 8 Optional For Interface bandwidth Mbit set the maximum egress bandwidth of the interface in megabits allocated to this binding Typically this should be 95 of the available bandwidth Allowed value is any integer between 1 and 1000 9 Create a policy for the binding At least one policy is required for each binding Each policy can contain u...

Page 564: ...of packets A lower latency means that the packets will be scheduled more quickly for transmission f Select Default to identify this policy as a fall back policy The fall back policy will be used for traffic that is not matched by any other policy If there is no default policy associated with this binding packets that do not match any policy rules will be dropped g If Default is disabled you must c...

Page 565: ...ddress will be matched ix Click to expand Destination address and select the Type n Any Traffic destined for anywhere will be matched n Interface Only traffic destined for the selected Interface will be matched n IPv4 address Only traffic destined for the IP address typed in IPv4 address will be matched Use the format IPv4_address netmask or use any to match any IPv4 address n IPv6 address Only tr...

Page 566: ...ck Current value config firewall qos 2 interface b Set the interface For example config firewall qos 2 interface network interface eth1 config firewall qos 2 6 Optional Set the maximum egress bandwidth of the interface in megabits allocated to this binding config firewall qos 2 bandwidth int config firewall qos 2 where int is an integer between 1 and 1000 Typically this should be 95 of the availab...

Page 567: ...he maximum delay before the transmission of packets A lower number means that the packets will be scheduled more quickly for transmission config firewall qos 2 policy 0 latency int config firewall qos 2 policy 0 where int is any integer 1 or greater The default is 100 f To identify this policy as a fall back policy config firewall qos 2 policy 0 default true config firewall qos 2 policy 0 The fall...

Page 568: ...traffic matching criteria config firewall qos 2 policy 0 rule 0 srcport value config firewall qos 2 policy 0 rule 0 where value is the IP port number a range of port numbers using the format IP_port IP_port or any vii Set the destination port to define a destination matching criteria config firewall qos 2 policy 0 rule 0 dstport value config firewall qos 2 policy 0 rule 0 where value is the IP por...

Page 569: ...sk or any to match any IPv4 address n address6 Only traffic from the IP address typed in IPv6 address will be matched Set the address that will be matched config network qos 2 policy 0 rule 0 src address6 value config network qos 2 policy 0 rule 0 where value uses the format IPv6_address prefix_length or any to match any IPv6 address n mac Only traffic from the MAC address typed in MAC address wil...

Page 570: ...in IPv4 address will be matched Set the address that will be matched config network qos 2 policy 0 rule 0 src address value config network qos 2 policy 0 rule 0 where value uses the format IPv4_address netmask or any to match any IPv4 address n address6 Only traffic destined for the IP address typed in IPv6 address will be matched Set the address that will be matched config network qos 2 policy 0 ...

Page 571: ...view device status 572 Configure system information 573 Update system firmware 575 Update cellular module firmware 579 Reboot your IX20 device 580 Reset the device to factory defaults 582 Configuration files 586 Schedule system maintenance tasks 591 IX20 User Guide 571 ...

Page 572: ... system information use the show system command n Show basic system information 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Enter show system at the prompt show system Model Digi IX20 Serial Number IX20 000065 SKU IX20 Hostname IX20 MAC DF DD E2 AE 21 18 H...

Page 573: ...ersion 715 Timezone UTC Current Time Fri 28 Aug 2020 9 25 12 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Temperature 40C Disk Load Average 0 09 0 10 0 08 RAM Usage 127 843MB 1880 421MB 6 Disk etc config Usage 18 421MB 4546 371MB 0 Disk opt Usage 4523 46MB 549 304MB 822 Disk overlay Usage MB MB Disk tmp Usage 0 007MB 256 0MB 0 Disk var Usage 1 765MB 256 0MB 1 Configure system i...

Page 574: ...t the command prompt 5 For Contact type the name of a contact for the device 6 For Location type the location of the device 7 For Banner type a banner message that will be displayed when users log into terminal services on the device 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your d...

Page 575: ...iguration you may be presented with an Access selection menu Type quit to disconnect from the device Update system firmware The IX20 operating system firmware images consist of a single file with the following naming convention platform version bin For example IX20 20 8 22 32 bin Manage firmware updates using Digi Remote Manager If you have a network of many devices you can use Digi Remote Manager...

Page 576: ... select the appropriate version of the device firmware 5 Click Update Firmware Update firmware from a local file 1 Download the IX20 operating system firmware from the Digi Support FTP site to your local machine 2 Log into the IX20 WebUI as a user with Admin access 3 On the main menu click System Under Administration click Firmware Update 4 Click Choose file 5 Browse to the location of the firmwar...

Page 577: ...ion on the IX20 device where the copied file will be placed For example scp host 192 168 4 1 user admin remote home admin bin IX20 20 8 22 32 bin local etc config to local admin 192 168 4 1 s password adminpwd IX20 20 8 22 32 bin 100 36MB 11 1MB s 00 03 4 Verify that the firmware file has been successfully uploaded to the device ls etc config rw r r 1 root root 37511229 May 16 20 10 IX20 20 8 22 3...

Page 578: ...ce n A copy of the firmware that was in use prior to your most recent firmware update When the device reboots it will attempt to use the current firmware version If the current firmware version fails to load after three consecutive attempts it is marked as invalid and the device will use the previous firmware version stored in the alternate memory bank If the device consistently loses power durin...

Page 579: ...Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository or by uploading firmware from your local storage onto the device WebUI This operation is available from the WebUI only There is no equivalent functionality at the CLI 1 Optional Download the appropriate modem firmware from the Digi repository to your local machine 2 Log into the ...

Page 580: ...immediately or schedule a reboot for a specific time every day Note You may want to save your configuration settings to a file before rebooting See Save configuration to a file Reboot your device immediately WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 From the main menu click System 3 Click Reboot 4 Click Reboot to confirm that you want to reboot the device Command line 1 Log int...

Page 581: ...at the device should reboot using the format HH MM The device will reboot at this time every day If a value is set for Reboot time but the device is unable to synchronize its time with an NTP server the device will reboot after it has been up for 24 hours See System time for information about configuring NTP servers 5 Click Apply to save the configuration and apply the change Command line 1 Log in...

Page 582: ...nfiguring NTP servers 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Reset the device to factory defaults Resetting the device to factory defaults performs the following actions n Clears all configuration ...

Page 583: ...password printed on the bottom label of the device or the printed label included in the package When you first log into the WebUI or the command line you must change the password for the admin user See Change the default password for the admin user for instructions Additionally for Wi Fi enabled models when you first log into the WebUI or the command line you will be required to change the SSID a...

Page 584: ...nstructions Additionally for Wi Fi enabled models when you first log into the WebUI or the command line you will be required to change the SSID and pre shared key password for the preconfigured Wi Fi access point See Reset default SSID and pre shared key for the preconfigured Wi Fi access point for instructions c Reset the default password for the admin account See Change the default password for...

Page 585: ...ccess point See Reset default SSID and pre shared key for the preconfigured Wi Fi access point for instructions c Reset the default password for the admin account See Change the default password for the admin user for further information Reset the device with the revert command You can reset the device to the default configuration without removing scripts keys and logfiles by using the revert comm...

Page 586: ...ation the changes are not automatically saved You must explicitly save configuration changes which also applies the changes If you do not save configuration changes the system discards the changes WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Make any necessar...

Page 587: ... to a file You can save your IX20 device s configuration to a file and use this file to restore the configuration either to the same device or to similar devices WebUI This procedure creates a binary archive file containing the device s configuration certificates and keys and other information 1 Log into the IX20 WebUI as a user with Admin access 2 On the main menu click System Under Configuration...

Page 588: ...iguration certificates and keys and other information l cli config Creates a text file containing only the configuration changes For example system backup etc config type archive 3 Optional Use scp to copy the file from your device to another host scp host hostname or ip user username remote remote path local local path to remote where n hostname or ip is the hostname or ip address of the remote h...

Page 589: ...The configuration will be restored and the device will be rebooted Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 If the configuration backup is on a remote host use scp to copy the file from the host to your device scp host hostname or ip user u...

Page 590: ...bin local etc config to local 3 Enter the following system restore path passphrase passphrase where n path is the location of configuration backup file on the IX20 s filesystem local path in the previous step n passphrase optional is the passphrase to restore the configuration backup if a passphrase was used when the backup was created For example system restore etc config ...

Page 591: ...tion items n Custom scripts that should be run as part of the configuration check WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks System maintenance 4 For Start time type the time of day that the maintenance window should start using...

Page 592: ...Frequency select either Daily or Weekly for the frequency that the maintenance tasks should be run 7 Optional Click to enable Modem firmware update to instruct the system to look for any updated modem firmware during the maintenance window If updated firmware is found it will then be installed Modem firmware update looks for updated firmware both on the local device and over the network using eith...

Page 593: ...f Set Time is selected specify the time that the script should run in Run time using the format HH MM n During system maintenance The script will run during the system maintenance time window e For Commands enter the commands that will execute the script If the script begins with then the script will be invoked in the location specified by the path for the script command Otherwise the default shel...

Page 594: ...t time specified in the start time n If the duration length is set to 24 hours the start time is effectively obsolete and the maintenance tasks will be scheduled to run at any time Setting the duration length to 24 hours can potentially overstress the device and should be used with caution n If the duration length is set to any value other than 0 or 24 hours the maintenance tasks will run at a ...

Page 595: ...dule custom scripts a Add a script config add system schedule script end config system schedule script 0 Scheduled scripts are enabled by default To disable config system schedule script 0 enable false config system schedule script 0 b Optional Provide a label for the script config system schedule script 0 label value config system schedule script 0 where value is any string if spaces are used enc...

Page 596: ...ript will be started at every interval regardless of whether the script is still running from a previous interval n set_time Runs the script at a specified time of the day l If set_time is set set the time that the script should run using the format HH MM config system schedule script 0 run_time HH MM config system schedule script 0 n maintenance_time The script will run during the system maintena...

Page 597: ...ript only once at the specified time config system schedule script 0 once true config system schedule script 0 If once is enabled rebooting the device will cause the script to run again The only way to re run the script is to n Remove the script from the device and add it again n Make a change to the script n Disable once h Sandbox is enabled by default This option protects the script from acciden...

Page 598: ...Monitoring This chapter contains the following topics intelliFlow 599 Configure NetFlow Probe 606 IX20 User Guide 598 ...

Page 599: ...ta usage by service n Host data usage over time intelliFlow charts are dynamic at any point you can click inside the chart to drill down to view more granular information and menu options allow you to change various aspects of the information being displayed Note When intelliFlow is enabled it adds an estimated 50MB of data usage for the device by reporting the metrics to Digi Remote Manager Enabl...

Page 600: ... IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable IntelliFlow config monitoring intelliflow enable true 4 Set the firewall zone Internal clients that are being monitored by IntelliF...

Page 601: ...routes edge external internal ipsec loopback setup Default value internal Current value internal config b Set the zone to be used by IntelliFlow config monitoring intelliflow zone my_zone 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit ...

Page 602: ... into the IX20 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow The System Utilisation chart is displayed n Display more granular information 1 Click and drag over an area in the chart to zoom into that area and provide more granular information 2 Release to display the selected portion of the cha...

Page 603: ...Select the time period to be displayed n Save or print the chart 1 Click the menu icon 2 To save the chart to your local filesystem select Export to PNG 3 To print the chart select Print chart Use intelliFlow to display top data usage information With intelliFlow you can display top data usage information based on the following n Top data usage by host n Top data usage by server n Top data usage b...

Page 604: ... the Top Data Usage by Server chart click Top Data Usage by Server n To display the Top Data Usage by Service chart click Top Data Usage by Service 5 Change the type of chart that is used to display the data a Click the menu icon b Select the type of chart 6 Change the number of top users displayed You can display the top five top ten or top twenty data users ...

Page 605: ...Use intelliFlow to display data usage by host over time To generate a chart displaying a host s data usage over time WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow 4 Click Host Data Usage Over Time n Display more granular information a Click and drag over an area in the...

Page 606: ...d configuration items n Enable NetFlow n The IP address of a NetFlow collector Additional configuration items n The NetFlow version n Enable flow sampling and select the flow sampling technique n The number of flows from which the flow sampler can sample n The number of seconds that a flow is inactive before it is exported to the NetFlow collectors n The number of seconds that a flow is active bef...

Page 607: ...tFlow v9 Supports IPv4 and IPv6 n NetFlow v10 IPFIX Supports both IPv4 and IPv6 and includes IP Flow Information Export IPFIX The default is NetFlow v10 IPFIX 6 Enable Flow sampler by selecting a sampling technique Flow sampling can reduce flow processing and transmission overhead by providing a representative subset of all flows Available options are n None No flow sampling method is used Each fl...

Page 608: ...imultaneously Allowed value is any number between 0 and 2000000 The default is 2000000 11 Add collectors a Click to expand Collectors b For Add Collector click c Optional Type a Label for the collector d For Address type the IP address of the collector e Optional For Port enter the port number used by the collector The default is 2055 Repeat to add additional collectors 12 Click Apply to save the ...

Page 609: ... is the value of the flow sample population 5 If you are using a flow sampler set the number of flows for the sampler config monitoring netflow sampler_population value config where value is any number between 2 and 16383 The default is 100 6 Set the number of seconds that a flow can be inactive before sent to a collector config monitoring netflow inactive_timeout value config where value is any i...

Page 610: ...ig monitoring netflow collector 0 d Optional Set a label for the collector config monitoring netflow collector 0 label This is a collector config monitoring netflow collector 0 Repeat to add additional collectors 10 Save the configuration and apply the change config monitoring netflow collector 0 save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you...

Page 611: ...ealth data and set the sample interval 618 Log into Digi Remote Manager 621 Use Digi Remote Manager to view and manage your device 623 Add a device to Digi Remote Manager 624 View Digi Remote Manager connection status 624 Use the Digi Remote Manager mobile app 625 Configure multiple devices using profiles 626 Learn more 626 IX20 User Guide 611 ...

Page 612: ...ut Digi Remote Manager go to www digi com products cloud digi remote manager To learn more about Remote Manager features and functions see the Digi Remote Manager User Guide Configure Digi Remote Manager By default your IX20 device is configured to use central management using Digi Remote Manager Additional configuration options These additional configuration settings are not typically configured ...

Page 613: ...Central management Configure Digi Remote Manager IX20 User Guide 613 ...

Page 614: ...y interval to ten minutes enter 10m or 600s 8 Optional For Keep alive interval type the amount of time that the IX20 device should wait between sending keep alive messages to remote cloud services when using a non cellular interface The default is 60 seconds Allowed values are any number of hours minutes or seconds and take the format number h m s For example to set Keep alive interval to ten minu...

Page 615: ...ion is disabled The default is disabled 13 Optional Enable Locally authenticate CLI to require a login and password to authenticate the user from the remote cloud services CLI If disabled no login prompt will be presented and the user will be logged in as admin The default is disabled 14 Optional Configure the IX20 device to communicate with remote cloud services by using SMS a Click to expand Sho...

Page 616: ... ten seconds The default is 30 seconds config cloud drm retry_interval value where value is any number of hours minutes or seconds and takes the format number h m s For example to set the retry interval to ten minutes enter either 10m or 600s config cloud drm retry_interval 600s config 7 Optional Set the amount of time that the IX20 device should wait between sending keep alive messages to the Dig...

Page 617: ... to wait before restarting the connection to the remote cloud services once the connection is down where value is any number of hours minutes or seconds and takes the format number h m s For example to set restart_timeout to ten minutes enter either 10m or 600s config cloud drm restart_timeout 600s config The minimum value is 30 minutes and the maximum is 48 hours If not set this option is disable...

Page 618: ...e cloud services by using an HTTP proxy server a Enable the use of an HTTP proxy server config cloud drm proxy enable true config b Set the hostname of the proxy server config cloud drm proxy host hostname config c Optional Set the port number on the proxy server that the device should connect to The default is 2138 config cloud drm proxy port integer config 14 Save the configuration and apply the...

Page 619: ...min access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Monitoring Device Health Device health data upload is enabled by default To disable click to toggle off Enable Device Health samples upload 4 For Health sample interval select the interval between health sample uploads 5 Only report changed values to Digi Remote...

Page 620: ... to 60 minutes by default To change config monitoring devicehealth interval value config where value is one of 1 5 15 30 or 60 and represents the number of minutes between uploads of health sample data 5 By default the device will only report health metrics values to Digi Remote Manager that have changed since health metrics were last uploaded This is useful to reduce the bandwidth used to report health...

Page 621: ...parameter set its value to false For example to turn off all reporting for the serial port config monitoring devicehealth tuning all serial rx bytes enabled false config monitoring devicehealth tuning all serial tx bytes enabled false config 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may...

Page 622: ...r IX20 User Guide 622 1 If you have not already done so click here to sign up for a Digi Remote Manager account 2 Check your email for Digi Remote Manager login instructions 3 Go to remotemanager digi com 4 Log into your Digi Remote Manager account ...

Page 623: ...o view and manage your device 1 If you have not already done so connect to your Digi Remote Manager account 2 Click Device Management to display a list of your devices 3 Use the Search bar to locate the device you want to manage 4 Select the device and click Properties to view general information for the device 5 Click the More menu to perform a task ...

Page 624: ...your account and it appears in the Device Management view View Digi Remote Manager connection status To view the current Digi Remote Manager configuration WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 The dashboard includes a Digi Remote Manager status pane Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration y...

Page 625: ...let you can use the Digi Remote Manager mobile app to automatically provision a new device and monitor devices in your account To download the mobile app n For iPhone go to the App Store n For Android phones go to Google Play To sign up for a new Digi Remote Manager account using the mobile app 1 From the menu click Log in or Sign Up 2 Click Sign up to create a new account 3 You ll receive an ema...

Page 626: ...IX20 device in your Digi Remote Manager account 3 In Digi Remote Manager create a profile based on the configured IX20 4 Apply the profile to the IX20 devices you need to configure Digi Remote Manager provides multiple methods for applying profiles to registered devices You can also include site specific settings with a profile to override settings on a device by device basis Learn more n For info...

Page 627: ...he IX20 local file system 628 Display directory contents 628 Create a directory 629 Display file contents 630 Copy a file or directory 630 Move or rename a file or directory 631 Delete a file or directory 632 Upload and download files 633 ...

Page 628: ...across reboots but are deleted if a factory reset of the system is performed See Reset the device to factory defaults for more information Display directory contents To display directory contents by using the WebUI or the Admin CLI WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page appears 3 Highlight a...

Page 629: ...ing the name of the directory For example 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mkdir path dir_name For example to create a directory named temp in etc config mkdir etc config temp 3 Verify that the directory was created ...

Page 630: ...gr6ewr1yerHtXQdbafsatGswKg0YUm schema version 461 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Copy a file or directory This procedure is not available through the WebUI To copy a file or directory by using the Admin CLI use the cp command specifying the existing path and filename...

Page 631: ...ripts to final py 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mv etc config scripts test py etc config scripts final py 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Acces...

Page 632: ...t py in etc config scripts 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type rm etc config scripts test py rm remove etc config scripts test py yes 3 Type exit to exit the Admin CLI Depending on your device configuration you may be p...

Page 633: ...using the WebUI or from the command line by using the scp Secure Copy command or by using a utility such as SSH File Transfer Protocol SFTP or an SFTP application like FileZilla Upload and download files by using the WebUI Upload files 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page appears 3 Highlight the...

Page 634: ...s follows scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the IX20 device n local path is the location on the IX20 device where the copied file wi...

Page 635: ... config support report 0040D0133536 20 08 28 9 25 12 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local etc config support report 00 40 D0 13 35 36 20 08 28 9 25 12 bin to remote admin 192 168 4 1 s password adminpwd support report 0040D0133536 20 08 28 9 25 12 bin Upload and download files using SFTP ...

Page 636: ...sftp ahmed 192 168 2 1 Password Connected to 192 168 2 1 sftp get test py Fetching test py to test py test py 100 254 0 3KB s 00 00 sftp exit ...

Page 637: ...638 View system event logs 639 Configure syslog servers 644 Configure options for the event and system logs 646 Analyze network traffic 651 Use the ping command to troubleshoot network connections 663 Use the traceroute command to diagnose IP routing problems 663 ...

Page 638: ...ccess selection menu Type admin to access the Admin CLI 2 Use the system support report command to generate the report system support report etc config Saving support report to etc config support report 0040D0133536 20 08 28 9 25 12 bin Support report saved 3 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local etc config support ...

Page 639: ...t configuring the information displayed in event and system logs View System Logs WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the main menu click System Logs The system log displays 3 Limit the display in the system log by using the Find search tool 4 Use filters to configure the types of information displayed in the system logs ...

Page 640: ...5 Click to download the system log ...

Page 641: ... the most recent ten lines show log number 10 Timestamp Message Nov 26 21 54 34 IX20 netifd Interface interface_wan is setting up now Nov 26 21 54 35 IX20 firewalld 621 reloading status 4 Optional Use the show log filter value command to limit the number of lines that are displayed Allowed values are critical warning info and debug For example to limit the event list to only info messages show log...

Page 642: ...er or scroll down to Events 4 Click Events to expand the event viewer 5 Limit the display in the event log by using the Find search tool 6 Click to download the event log Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use show event at the Admin ...

Page 643: ...1 type ethernet rx 11332435 tx 5038762 Nov 26 21 42 35 status system local_time Thu 08 Aug 2019 21 42 35 0000 uptime 3 hours 0 minutes 48 seconds 4 Optional Use the show event table value command to limit the number of lines that are displayed Allowed values are error info and status For example to limit the event list to only info messages show event table info Timestamp Type Category Message Nov...

Page 644: ...logs WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Log 4 Add and configure a remote syslog server a Click to expand Server list b For Add Server click The log server configuration window is displayed ...

Page 645: ...n with the syslog server Available options are TCP and UDP The default is UDP 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configu...

Page 646: ...The default is 514 5 Set the IP protocol to use for communication with the syslog server config system log remote 0 protocol value config system log remote 0 where value is either tcp or udp The default is udp 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access sel...

Page 647: ...or example to set Heartbeat interval to ten minutes enter 10m or 600s To disable the Heartbeat interval enter 0s 5 Optional To disable event categories or to enable them if they have been disabled a Click to expand Event Categories b Click an event category to expand c Depending on the event category you can enable or disable informational events status events and error events Some categories also...

Page 648: ...new value The heartbeat interval determines the amount of time to wait before sending a heartbeat event if no other events have been sent config system log heartbeat_interval value config where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set the heartbeat interval to ten minutes enter either 10m or 600s config system log heartbeat...

Page 649: ...control restart Restart serial Serial sms SMS commands speed Speed stat Network statistics user User wireless WiFi wol Wake On LAN config system log event b Depending on the event category you can enable or disable informational events status events and error events Some categories also allow you to set the status interval which is the time interval between periodic status events For example to co...

Page 650: ...config where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set the status interval to ten minutes enter either 10m or 600s config system log event dhcpserver status_interval 600s config 6 Optional See Configure syslog servers for information about configuring remote syslog servers to which log messages will be sent 7 Save the config...

Page 651: ... more detailed analysis you can download the captured data traffic from the device and view it using a third party application Note Data traffic is captured to RAM and the captured data is lost when the device reboots unless you save the data to a file See Save captured data traffic to a file This section contains the following topics Configure packet capture for the network analyzer 652 Example f...

Page 652: ...ecified event or at a particular time l The events or time that will trigger the analyzer to run using this capture configuration l The amount of time that the analyzer session will run l The frequency with which captured events will be saved To configure a packet capture configuration WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configur...

Page 653: ...figuration change is saved l If Interval is selected in Interval type the interval Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s n Set time Runs the capture filter at a specified time of the day l If Set Time is selected specify the time that the capture filter should run in Run...

Page 654: ...use the space bar autocomplete feature config network analyzer name add device end space network device eth1 network device eth2 network device loopback network bridge lan network interface defaultip network interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback network interface modem config network analyzer name add interface end network Repeat to add...

Page 655: ...config network analyzer name n set_time Runs the script at a specified time of the day If set_time is set set the time that the script should run using the format HH MM config network analyzer name run_time HH MM config network analyzer name n maintenance_time The script will run during the system maintenance time window c Set the amount of time that the scheduled analyzer session will run config ...

Page 656: ...l for detailed information about BPF syntax Example IPv4 capture filters n Capture traffic to and from IP host 192 168 1 1 ip host 192 168 1 1 n Capture traffic from IP host 192 168 1 1 ip src host 192 168 1 1 n Capture traffic to IP host 192 168 1 1 ip dst host 192 168 1 1 n Capture traffic for a particular IP protocol ip proto protocol where protocol is a number in the range of 1 to 255 or one o...

Page 657: ...ring Additional analyzer commands allow you to n Stop capturing packets n Save captured data traffic to a file n Clear captured data Required configuration items n A configured packet capture See Configure packet capture for the network analyzer for packet capture configuration information To start packet capture from the command line Command line 1 Log into the IX20 command line as a user with Ad...

Page 658: ...ection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer stop name capture_filter where capture_filter is the name of a packet capture configuration See Configure packet capture for the network analyzer for more information To determine available packet capture configurations use the analyzer stop name name Name of the capture filter to use Format test_c...

Page 659: ...d on interface eth1 00 40 ff 80 01 20 b4 b6 86 21 b5 73 08 00 45 00 s E 00 28 3d 36 40 00 80 06 14 bc 0a 0a 4a 82 0a 0a 6 J 4a 48 cd ae 00 16 a4 4b ff 5f ee 1f d8 23 50 10 JH K _ P 08 02 c7 40 00 00 00 00 00 00 00 00 Ethernet Header Destination MAC Addr 00 40 D0 13 35 36 Source MAC Addr fb 03 53 05 11 2f Ethernet Type IP 0x0800 IP Header IP Version 4 Header Length 20 bytes ToS 0x00 Total Length 40...

Page 660: ...a file use the analyzer save command Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer save filename filename name capture_filter where n filename is the name of the file that the captured data wil...

Page 661: ...cure copy file command WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page appears 3 Highlight the analyzer directory and click to open the directory 4 Select the saved analyzer report you want to download and click download Command line 1 Log into the IX20 command line as a user with Admin access Depend...

Page 662: ...10 2 s password eth0 pcpng 100 11KB 851 3KB s 00 00 Clear captured data To clear captured data traffic in RAM use the analyzer clear command Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer clear ...

Page 663: ...tion you may be presented with an Access selection menu Type quit to disconnect from the device Stop ping commands To stop pings when the number of pings to send the count parameter has been set to a high value enter Ctrl C Use the traceroute command to diagnose IP routing problems Use the traceroute command to diagnose IP routing problems This command traces the route to a remote IP host and disp...

Page 664: ...ting hops were required to reach the host 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt use the traceroute command to view IP routing information traceroute 8 8 8 8 traceroute to 8 8 8 8 8 8 8 8 30 hops max 52 byte packets 1 192 168 8...

Page 665: ...turning the equipment off and on the user is encouraged to correct the interference by one or more of the following measures n Reorient or relocate the receiving antenna n Increase the separation between the equipment and the receiver n Connect the equipment into an outlet that is on a circuit different from the receiver n Consult the dealer or an experienced radio TV technician for help Labeling ...

Page 666: ...o a product the manufacturer must ensure compliance of the final product with articles 3 1a and 3 1b of the RE Directive Radio Equipment Directive A Declaration of Conformity must be issued for each of these standards and kept on file as described in the RE Directive Radio Equipment Directive Furthermore the manufacturer must maintain a copy of the product name user manual documentation and ensure...

Page 667: ...account of the nature of the apparatus n The CE marking must be affixed visibly legibly and indelibly ...

Page 668: ...nds Maximum transmit power 13 overlapping channels at 22 MHz or 40 MHz wide spaced at 5 MHz Centered at 2 412 MHz to 2 472 MHz 651 784 mW 165 overlapping channels at 22 MHz or 40 MHz or 80 MHz wide spaced at 5 MHz Centered at 5180 MHz to 5825 MHz 351 295 mW Innovation Science and Economic Development Canada IC certifications This digital apparatus does not exceed the Class B limits for radio noise...

Page 669: ...ement n Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Use only the accessories attachments and power supplies provided by the manufacturer connecting non approved antennas or power supplies may damage the router cause interference or create an electric shock hazard and will void the warranty n Do not...

Page 670: ...ter in areas where guidelines posted in sensitive areas instruct users to switch off mobile phones Medical equipment may be sensitive to RF energy The operation of cardiac pacemakers other implanted medical equipment and hearing aids can be affected by interference from cellular terminals such as the wireless routers when placed close to the device If in doubt about potential danger contact the ph...

Page 671: ...uct MUST NOT be mixed with other commercial waste for disposal Check with the terms and conditions of your supplier for disposal information Digi International Ltd WEEE Registration number WEE HF1515VU DigiIX20 Certifications International EMC Electromagnetic Compatibility and safety standards This product complies with the requirements of the following Electromagnetic Compatibility standards Ther...

Page 672: ... the web interface 674 Display help for commands and parameters 675 Auto complete commands and parameters 676 Available commands 678 Use the scp command 679 Display status and statistics using the show command 680 Device configuration using the command line interface 681 Execute configuration commands at the root Admin CLI prompt 682 Configuration mode 684 Command line reference 696 IX20 User Guid...

Page 673: ...Configure the web administration service n SSH Configure SSH access n Telnet Configure telnet access Log in to the command line interface Command line 1 Connect to the IX20 device by using a serial connection SSH or telnet or the Terminal in the WebUI or the Console in the Digi Remote Manager See Access the command line interface for more information n For serial connections the default configurat...

Page 674: ...xit exit 2 Depending on the device configuration you may be presented with another menu for example Access selection menu a Admin CLI s Shell q Quit Select access or quit admin Type q or quit to exit Execute a command from the web interface 1 Log into the IX20 WebUI as a user with Admin access 2 At the main menu click Terminal The device console appears IX20 login 3 Log into the IX20 command line ...

Page 675: ...ne Ctrl E Move cursor to end of line Ctrl W Delete word under cursor until start of line or Ctrl R If the current input is invalid then characters will be deleted until a prefix for a valid command is found Ctrl left Jump cursor left until start of line or Ctrl right Jump cursor right until start of line or The question mark command When executed from the root command prompt displays available com...

Page 676: ...rial Show serial statistics system Show system statistics version Show firmware version show Use the Tab key or the space bar to display abbreviated help When executed from the root command prompt pressing the Tab key or the space bar displays an abbreviated list of available commands Similar behavior is available with any command name config network interface space defaultip defaultlinklocal lan ...

Page 677: ...etes the parameter as interface l system b Tab auto completes the parameter as backup n Parameter values where the value is one of an enumeration or an on off type for example config serial port1 enable t Tab auto completes to config serial port1 enable true Auto complete does not function for n Parameter values that are string types n Integer values n File names n Select parameters passed to comm...

Page 678: ... for information about the help command ls Lists the contents of a directory mkdir Creates a directory modem Executes modem commands more Displays the contents of a file mv Moves a file or directory ping Pings a remote host using Internet Control Message Protocol ICMP Echo Request messages reboot Reboots the IX20 device rm Removes a file scp Uses the secure copy protocol SCP to transfer files betw...

Page 679: ...e is being copied to a remote host from the IX20 device o The path and filename of the file on the IX20 device that will be copied to the remote host o The location on the remote host where the file will be copied Copy a file from a remote host to the IX20 device To copy a file from a remote host to the IX20 device use the scp command as follows scp host hostname or ip user username remote remote ...

Page 680: ...port report 0040D0133536 20 08 28 9 25 12 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local etc config support report 00 40 D0 13 35 36 20 08 28 9 25 12 bin to remote admin 192 168 4 1 s password adminpwd support report 0040D0133536 20 08 28 9 25 12 bin Display status and statistics using the show com...

Page 681: ...urrent Time Fri 28 Aug 2020 9 25 12 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Temperature 40C show network The show network command displays status and statistics for network interfaces show network Interface Proto Status Address defaultip IPv4 up 192 168 210 1 24 defaultlinklocal IPv4 up 169 254 100 100 16 lan IPv4 up 192 168 2 1 lan IPv6 up 0 0 0 0 0 ffff c0a8 301 loopback...

Page 682: ...able false The IX20 device s ssh service is now disabled Note When the config command is executed at the root prompt certain configuration actions that are available in configuration mode cannot be performed This includes validating configuration changes canceling and reverting configuration changes and performing actions on elements in lists See Configuration mode for information about using conf...

Page 683: ...trol snmp SNMP ssh SSH telnet Telnet web_admin Web administration config service 3 Next display help for the config service ssh command config service ssh SSH An SSH server for managing the device Parameters Current Value enable true Enable key private Private key port 22 Port Additional Configuration acl Access control list mdns config service ssh 4 Lastly display the allowed values and other inf...

Page 684: ...ple to disable the ssh service by entering the full command string at the config prompt config service ssh enable false config n Execute commands by moving through the configuration schema For example to disable the ssh service by moving through the configuration and then executing the enable false command 1 At the config prompt enter service to move to the service node config service config servi...

Page 685: ...e configuration changes and to manage items and elements in lists The commands can be listed by entering a question mark at the config prompt The following actions are available Configuration actions Description cancel Discards unsaved configuration changes and exits configuration mode save Saves configuration changes and exits configuration mode validate Validates configuration changes revert Rev...

Page 686: ... cloud Central management firewall Firewall monitoring Monitoring network Network serial Serial service Services system System vpn VPN config 2 You can then display help for the additional configuration commands For example to display help for the config service command use one of the following methods n At the config prompt enter service config service n At the config prompt a Enter service to mo...

Page 687: ...ter service to move to the service node config service config service b Enter ssh to move to the ssh node config service ssh config service ssh c Enter to display help for the ssh node config service ssh Either of these methods will display the following information config service ssh SSH An SSH server for managing the device Parameters Current Value enable true Enable key private Private key port...

Page 688: ...ay the following information config service ssh enable Enable Enable the service Format true false yes no 1 0 Default value true Current value true config service ssh enable Move within the configuration schema You can perform configuration tasks at the CLI by moving within the configuration n Move forward one node in the configuration by entering the name of an Additional Configuration option 1 A...

Page 689: ...guration by entering three periods config service ssh acl zone config Manage elements in lists While in configuration mode you can use the add del and move action commands to manage elements in a list When working with lists these actions require an index number to identify the list item that will be acted on Add elements to a list When used with parameters that contains lists of elements the add ...

Page 690: ...h user new user group config 2 Use the end keyword to add the admin group to the user s configuration config add auth user new user group end admin config 3 Use the show command again to verify that the admin group has been added to the user s configuration config show auth user new user group 0 admin config Delete elements from a list When used with parameters that contains lists of elements the ...

Page 691: ... verify the change config show auth method 0 tacacs 1 local 2 radius config The revert command The revert command is used to revert changes to the IX20 device s configuration and restore default configuration settings The behavior of the revert command varies depending on where in the configuration hierarchy the command is executed and whether the optional path parameter is used After executing th...

Page 692: ...bset of configuration changes to the default settings n Enter the revert command with the path parameter For example to revert all changes to the authentication methods configuration 1 Enter the revert command with the path set to auth method config revert auth method config 2 Save the configuration and apply the change config save Configuration saved 3 Type exit to exit the Admin CLI Depending on...

Page 693: ...device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Enter strings in configuration commands For string parameters if the string value contains a space the value must be enclosed in quotation marks For example to assign a descriptive name for the device using the system command enter config system description Digi IX20 Example Create a new...

Page 694: ...he auth node config auth config auth b Enter user to move to the user node config auth user config auth user c Create a new user with the username user1 config auth user add user1 config auth user user1 4 Configure a password for the user config auth user user1 password pwd1 config auth user user1 5 List available authentication groups config auth user user1 show group admin acl admin enable true ...

Page 695: ...l enable false config auth user user1 6 Add the user to the admin group config auth user user1 add group end admin config auth user user1 7 Save the configuration and apply the change config auth user user1 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 696: ...Command line reference analyzer 697 cp 698 help 699 ls 700 mkdir 701 modem 702 modem puk status imei STRING name STRING 705 more 707 mv 708 ping 709 reboot 710 rm 711 scp 712 show 713 system 722 traceroute 724 ...

Page 697: ...red traffic to a file Parameters filename The filename to save captured traffic to The file will be saved to the device's etc config analyzer directory Syntax STRING name Name of the capture filter to use Syntax STRING analyzer start name STRING Start a capture session of packets on this device's interfaces Parameters name Name of the capture filter to use Syntax STRING analyzer stop name STRING St...

Page 698: ...STINATION Copy a file or directory Parameters source The source file or directory to copy Syntax STRING destination The destination path to copy the source file or directory to Syntax STRING force Do not ask to overwrite the destination file if it exists Syntax BOOLEAN Default False Optional True ...

Page 699: ...help Show CLI editing and navigation commands Parameters None ...

Page 700: ...ls Directory listing command ls show hidden PATH List a directory Parameters path List files and directories under this path Syntax STRING show hidden Show hidden files and directories Hidden filenames begin with Syntax BOOLEAN Default False Optional True ...

Page 701: ...mkdir mkdir PATH Create a directory Parent directories are created as needed Parameters path The directory path to create Syntax STRING ...

Page 702: ...ame of the modem to execute this CLI command on Syntax STRING Optional True modem at interactive imei STRING name STRING Start an AT command session on the modem s AT serial port Parameters imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True modem pin PIN commands pin ...

Page 703: ...Disable the PIN lock on the SIM card that is active in the modem Warning Attempting to use an incorrect PIN code may PUK lock the SIM Parameters pin The SIM s PIN code Syntax STRING imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True pin enable imei STRING name STRING ...

Page 704: ...e PUK locked when there are no remaining retries Parameters imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True pin unlock imei STRING name STRING PIN Temporarily unlock the SIM card with a PIN code Set the PIN field in the modem interface s configuration to unlock the...

Page 705: ...number of PUK unlock attempts remaining imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True puk unlock imei STRING name STRING PUK NEW PIN Unlock the SIM with a PUK code from the SIM provider Parameters puk The SIM s PUK code Syntax STRING new pin The PIN code to chang...

Page 706: ... CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True modem sim slot imei STRING name STRING SLOT Show or change the modem s active SIM slot This applies only to modems with multiple SIM slots Parameters slot The SIM slot to change to Syntax 1 2 show imei The IMEI of the modem to execute this CLI command on Synt...

Page 707: ...more path The file to view Syntax STRING ...

Page 708: ...ry mv force SOURCE DESTINATION Parameters source The source file or directory to move Syntax STRING destination The destination path to move the source file or directory to Syntax STRING force Do not ask to overwrite the destination file if it exists Syntax BOOLEAN Default False Optional True ...

Page 709: ...ax BOOLEAN Default False Optional True count The number of ICMP ping requests to send before terminating Syntax INT Minimum 1 Default 100 interface The network interface to send ping packets from when the host is reachable over a default route If not specified the system s primary default route will be used Syntax STRING Optional True ipv6 If a hostname is defined as the value of the host paramete...

Page 710: ...Command line interface Command line reference IX20 User Guide 710 reboot Reboot the system Parameters None ...

Page 711: ...mmand line reference IX20 User Guide 711 rm Remove a file or directory rm force PATH Parameters path The path to remove Syntax STRING force Force the file to be removed without asking Syntax BOOLEAN Default False Optional True ...

Page 712: ...TRING local The file to copy to or from on the local device Syntax STRING port The SSH port to use to connect to the remote host Syntax INT Maximum 65535 Minimum 1 Default 22 remote The file to copy to or from on the remote host Syntax STRING to Copy the file from the local device to the remote host or from the remote host to the local device Syntax remote local user The username to use when conne...

Page 713: ...IPV6 will be displayed Parameters ipv4 Display IPv4 routes If no IP version is specified IPv4 and IPV6 will be displayed Syntax BOOLEAN Default False Optional True ipv6 Display IPv6 routes If no IP version is specified IPv4 and IPV6 will be displayed Syntax BOOLEAN Default False Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True sho...

Page 714: ...ncise more detail Syntax BOOLEAN Default False Optional True show event number INTEGER table STRING Show event list high level Parameters number Number of lines to retrieve from log Syntax INT Minimum 1 Default 20 table Type of event log to be displayed status error info Syntax status error info Optional True show hotspot ip STRING name STRING Show hotspot statistics Parameters ip IP address of a ...

Page 715: ... STRING Optional True verbose Display status of one or all tunnels in plain text Syntax BOOLEAN Default False Optional True show location Show location information Parameters None show log filter STRING number INTEGER Show system log low level Parameters filter Filters for type of log message displayed critical warning info debug Note filters from the number of messages retrieved not the whole log...

Page 716: ...se Optional True show modem verbose imei STRING name STRING Show modem status and statistics Parameters imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True show nemo na...

Page 717: ...k interface Syntax STRING Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True show openvpn Show OpenVPN status and statistics openvpn client all name STRING Show OpenVPN client status statistics Parameters all Display all clients including disabled clients Syntax BOOLEAN Default False Optional True name Display more details and config ...

Page 718: ... Syntax STRING Optional True show route ipv4 ipv6 verbose Show IP routing information Parameters ipv4 Display IPv4 routes Syntax BOOLEAN Default False Optional True ipv6 Display IPv6 routes Syntax BOOLEAN Default False Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True show scripts Show scheduled system scripts Parameters None show se...

Page 719: ...rbose Display more information disk usage etc Syntax BOOLEAN Default False Optional True show usb Show USB information Parameters None show version verbose Show firmware version Parameters verbose Display more information build date Syntax BOOLEAN Default False Optional True show vrrp all verbose name STRING Show VRRP status and statistics Parameters all Display all VRRP instances including disabl...

Page 720: ...None show show wifi Show Wi-Fi status and statistics wifi ap all name STRING Display details for Wi-Fi access points Parameters all Display all Wi-Fi access points including disabled Wi-Fi access points Syntax BOOLEAN Default False Optional True name Display more details for a specific Wi-Fi access point Syntax STRING Optional True wifi client all name STRING Display details for Wi-Fi client mode ...

Page 721: ...e IX20 User Guide 721 name Display more details for a specific Wi-Fi client mode connection Syntax STRING Optional True show wifi scanner Show Wi-Fi scanner information wifi scanner log Show output log for the last update interval Parameters None ...

Page 722: ... and dynamic DHCP lease information CLI configuration backups are a list of CLI commands used to build the device's configuration Syntax cli config archive Default archive system disable cryptography Erase the device's configuration and reboot into a limited mode with no cryptography available The device's shell will be accessible over Telnet port 23 at IP address 192.168.210.1 To return the devic...

Page 723: ...archive or CLI commands file Parameters path The path to the backup file Syntax STRING passphrase Decrypt the archive with a passphrase Syntax STRING Optional True system script stop SCRIPT Stop an active running script Scripts scheduled to run again will still run again disable a script to prevent it from running again Parameters script Script to stop Syntax STRING system support report PATH Save...

Page 724: ...h to trace the route packets for Syntax STRING bypass Bypass the normal routing tables and send directly to a host on an attached network Syntax BOOLEAN Default False Optional True debug Enable socket level debugging Syntax BOOLEAN Default False Optional True dontfragment Do not fragment probe packets Syntax BOOLEAN Default False Optional True first_ttl Specifies with what TTL to start Syntax INT ...

Page 725: ... Syntax BOOLEAN Default False Optional True max_ttl Specifies the maximum number of hops max time to live value traceroute will probe Syntax INT Minimum 1 Default 30 nomap Do not try to map IP addresses to host names when displaying them Syntax BOOLEAN Default False Optional True nqueries Sets the number of probe packets per hop A value of 1 indicated Syntax INT Minimum 1 Default 3 packetlen Total...

Page 726: ... Note that you must select the address of one of the interfaces By default the address of the outgoing interface is used Syntax STRING Optional True tos For IPv4 set the Type of Service ToS and Precedence value Useful values are 16 low delay and 8 high throughput Note that in order to use some TOS precedence values you have to be super user For IPv6 set the Traffic Control value A value of 1 speci...
