GE MDS ORBIT ECR Technical Manual Download | Manualshive

Page: 248 / 463

background image

248

MDS Orbit MCR/ECR Technical Manual

MDS 05-6632A01, Rev. F

The first part, IKE, is the initial negotiation phase, where the Orbit device and VPN gateway agree on
which methods will be used to provide security for the underlying IP traffic. There are two IKE protocol
versions: IKE-v1 and IKE-v2. These are not compatible with each other. The IKE-v2 is more efficient
and therefore should be preferred for new deployments. The MCR supports IKE-v1 and IKE-v2.

The other part is the actual IP data being transferred, using the encryption and authentication methods
agreed upon in the IKE negotiation. This is accomplished by using IPsec protocols like Encapsulating
Security Payload (ESP) or Authentication Header (AH). Orbit MCR only supports ESP protocol as it
provides both encryption and authentication of the data. The AH protocol provides only data
authentication.

The process of IPsec VPN connection establishment consists of following phases:



IKE Phase-1 (IKE security negotiation)

-

IKE authenticates IPSec peers and negotiates IKE Security Association (SAs) during this
phase, setting up a secure channel for negotiating IPSec SAs in phase 2



IKE Phase-2 (IPsec Security Association)

-

IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers



Data Transfer

-

Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the
SA database

Both the IKE and the IPsec connections have limited lifetimes. These lifetimes prevent a connection from
being used too long, which is desirable from a cryptanalysis perspective.

The IPsec lifetime is generally shorter than the IKE lifetime. This allows for the IPsec connection to be
re-keyed simply by performing another phase-2 negotiation.

Configuration

Site-to-Site IPsec VPN Configuration

The Figure 3-166 below shows a site-to-site policy-based IPsec VPN setup to securely connect remote
private network (LAN or WiFi) with the customer’s backoffice/data center private network. This enables
IP traffic from/to devices connected to either LAN, WiFi or Serial port of the Orbit to securely flow
to/from back-office applications via a secure tunnel through a public cellular network. The tunneled
application traffic is authenticated and encrypted to protect from eavesdropping, tampering and replay
attacks.

«
...
246
247
248
249
250
...
»

Summary of Contents for MDS ORBIT ECR

Page 1: ...MDS ORBIT MCR Multiservice Connect Router MDS ORBIT ECR Edge Connect Router MDS 05 6632A01 Rev F May 2016 Including New Features from Firmware Revsion 4 6 x Technical Manual Technical Manual ...

Page 2: ... videos Orbit MCR Learning and Development YouTube Channel Quick Start instructions for this product are contained in publication 05 6709A01 Visit our website for downloadable copies of all documentation at www gemds com ...

Page 3: ...ARROWBAND 21 2 3 6 2 4 TYPICAL APPLICATIONS 22 2 5 MCR AND ECR CONNECTORS AND INDICATORS 22 2 6 GROUNDING CONSIDERATIONS 28 2 7 MOUNTING OPTIONS 29 OPTIONAL DIN RAIL MOUNTING 30 2 7 1 2 8 ANTENNA PLANNING AND INSTALLATION 31 3 0 DEVICE MANAGEMENT 36 3 1 INITIAL SETTINGS OVERVIEW 39 SETTING BASIC PARAMETERS FIRST STEPS 39 3 1 1 ONE TIME RECOVERY PASSWORDS 39 3 1 2 CHANGE DEFAULT PASSWORDS 42 3 1 3 ...

Page 4: ...8 1 LAN 193 3 8 2 ETHERNET PORT SECURITY PORT BASED AUTHENTICATION 199 3 8 3 VLAN OPERATION 200 3 8 4 BRIDGING 203 3 8 5 ROUTING 206 3 8 6 STATIC NEIGHBOR ENTRIES 211 3 8 7 ACCESS CONTROL LIST PACKET FILTERING FIREWALL 214 3 8 8 SOURCE NAT MASQUERADING 226 3 8 9 DESTINATION NAT PORT FORWARDING 234 3 8 10 STATIC NAT 241 3 8 11 VPN 245 3 8 12 DHCP SERVICE 264 3 8 13 TERMINAL SERVICE 268 3 8 14 REMOT...

Page 5: ...N 395 6 7 CLI ENVIRONMENT 396 6 8 COMMAND OUTPUT PROCESSING 397 6 9 COUNT THE NUMBER OF LINES IN THE OUTPUT 398 6 10 SEARCH FOR A STRING IN THE OUTPUT 398 6 11 REGULAR EXPRESSIONS 399 6 12 DISPLAY LINE NUMBERS 399 6 13 SHOWING INFORMATION 400 6 14 CONTROL SEQUENCES 400 6 15 COMMANDS 400 6 16 OPERATIONAL MODE COMMANDS 401 6 17 CONFIGURE MODE COMMANDS 404 7 0 APPENDIX B INTEGRITY MEASUREMENT AUTHORI...

Page 6: ...RBIT 426 12 2 1 CISCO IOS 432 12 2 2 12 3 GRE IPSEC WITH JUNIPER JUNOS 437 ORBIT 437 12 3 1 JUNOS 441 12 3 2 13 0 APPENDIX H 802 1X PORT AUTHENTICATION W EAP 446 13 1 OVERVIEW 446 13 2 CONFIGURATION EXAMPLES 446 ORBIT DEVICE 446 13 2 1 FREERADIUS 447 13 2 2 WINDOWS AS 802 1X PEER SUPPLICANT START WIREDAUTOCONFIG SERVICE 448 13 2 3 WINDOWS CONFIGURATION 1 CISCO PEAP MODE 448 13 2 4 WINDOWS CONFIGUR...

Page 7: ...tennas must not be co located All transmission antennas must be at least 20 cm apart to comply with FCC co location rules Orbit Device vs Minimum RF Safety Distance Radio Module Equipped Minimum Safety Distance from Antenna Cell 33 cm NX915 23 cm LN400 143 cm using 5 dBi antenna 254 cm using 10 dBi antenna 507 cm using 16 dBi antenna LN900 108 cm using 5 dBi antenna 192 cm using 10 dBi antenna 382...

Page 8: ... regulations and obey all signs and notices Do not use the Orbit MCR when you suspect that it may cause interference or danger Near Medical and life support equipment Do not use the Orbit MCR in any area where medical equipment or life support equipment may be located or near any equipment that may be susceptible to any form of radio interference All cables and conductors making connections to the...

Page 9: ...anual updates can be found on our web site at www gemds com Environmental Information The manufacture of this equipment has required the extraction and use of natural resources Improper disposal may contaminate the environment and present a health risk due to hazardous substances contained within To avoid dissemination of these substances into our environment and to limit the demand on natural res...

Page 10: ...ccordance with CSA STD C22 2 No 213 M1987 CSA Conditions of Approval The transceiver is not acceptable as a stand alone unit for use in the hazardous locations described above It must either be mounted within another piece of equipment which is certified for hazardous locations or installed within guidelines or conditions of approval as set forth by the approving agencies These conditions of appro...

Page 11: ...h an explosive gas atmosphere other than mines susceptible to firedamp 3 G Zone 2 Normal Protection level Gas Provides a low level of protection and is intended for use in a Zone 2 hazardous area Ex nA Gas Air Mixture Zone 2 protection Non Sparking IIC Gas Group IIC Hydrogen Acetylene T4 temperature classification max surface temp 70 C Gc Gas atmospheres assured level of protection against becomin...

Page 12: ... shall be installed in an enclosure that maintains an ingress protection rating of at least IP54 and meets the enclosure requirements of EN 60079 0 and EN 60079 15 The installer shall ensure that the maximum ambient temperature of the module when installed is not exceeded The USB connection shall only be used in an unclassified non hazardous area The SIM card shall be connected disconnected only i...

Page 13: ...a a sistemas operando em caráter primário Este produto está homologado pela Anatel de acordo com os procedimentos regulamentados pela Resolução nº 242 2000 e atende aos requisitos técnicos aplicados incluindo os limites de exposição da Taxa de Absorção Específica referente a campos elétricos magnéticos e eletromagnéticos de radiofreqüência de acordo com as Resoluçãos nº 303 2002 e 533 2009 Este di...

Page 14: ...le que este equipo o dispositivo no cause interferencia perjudicial y 2 este equipo o dispositivo debe aceptar cualquier interferencia incluyendo la que pueda causar su operación no deseada New Zealand Philippines Conformity Number ESD GEC 1402584 South Africa UAE Registered number ER0133084 14 Dealer number DA0132013 14 ECR Selected Country Certification Information TBD ...

Page 15: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 15 ...

Page 16: ...on site Figure 1 1 MCR 4G Unit Standard 2E1S configuration shown Figure 1 2 ECR 900 Unit With a common hardware architecture and user interface the MCR and ECR offers flexibility in network design and application with simplified training maintenance and deployment costs GE MDS provides an array of communication products with multiple interface options and a variety of enclosures to give customers ...

Page 17: ...LTE North America ECR 4GS Name for the product when configured with 4G LTE EMEA APAC ECR 3G Name for the product when configured with 3G ECR 900 Name for the product when configured with unlicensed 900 MHz FHSS and DTS ECR LN Name for the product when configured with licensed narrowband QAM radios About This Manual 1 1 2 This manual is intended for systems engineers network administrators and othe...

Page 18: ...her in some cases command lines will be shown with non bolded italicized text contained within the string Such text indicates the need for user supplied variable parameters such as the name of an item For example set interfaces interface myBridge type bridge In the above example you would enter the specific name of your bridge to complete the entry NOTE The LAN port should be assigned IP addresses...

Page 19: ...ly the serial or Ethernet connections on the unit s front panel Do not use the USB port in hazardous locations Network Management System Orbit MCR is supported by GE MDS PulseNET a Network Management System NMS providing monitoring of small and large scale deployment of all GE MDS devices Tamper Detection The unit contains a 3 axis magnetometer that can be used to detect changes to the unit s phys...

Page 20: ...orth America 2 3 3 This 4G modem supports following technologies LTE 1900 B2 AWS B4 850 B5 700 B13 700 B17 1900 B25 GSM GPRS EDGE 850 900 1800 1900 MHz UMTS HSPA HSPA 2100 B1 1900 B2 AWS B4 850 B5 900 B8 MHz Orbit MCR with this modem is PTCRB certified for operation on 4GLTE 3G GSM UMTS networks primarily in North America US and Canada This modem is also certified for operation on Verizon and Spri...

Page 21: ...ports multiple SAFs on any level Automatically adjusts Media Access scheme for SAF network to support simultaneous communications at alternating levels and minimize latency using dynamic fragmentation Supports dynamic and static paths providing flexibility in designing the wireless network Quality of Service QoS Priority Queues Source Destination port and addresses Protocol UDP TCP etc Licensed Na...

Page 22: ...that are located on a local internal private LAN or WiFi network The unit acts as an Access Point on the WiFi interface to provide connectivity to WiFi clients Figure 2 1 shows an example network in which the unit provides connectivity to multiple end devices The end devices are connected via Ethernet serial and WiFi links Figure 2 1 Typical MCR Application 2 5 MCR and ECR Connectors and Indicator...

Page 23: ...follows The unit s LED Indicator Panel is described in Table 2 5 Figure 2 3 ECR Connectors and Indicators Sample configuration with Cell WiFi Ethernet and Serial port PWR Two conductor DC input connection The DC power connector Figure 2 4 is keyed and can only be inserted one way Use Copper Conductors Only Use 18 AWG wire Tighten wire clamps to 5 lb in 0 6 Nm Figure 2 4 DC Power Connector P N 73 1...

Page 24: ...ciency based on the system s operating characteristics As viewed from the outside the unit Table 2 1 ETH1 2 Pin Details Pin Function Pin Function 1 Transmit Data TX High 5 Unused 2 Transmit Data TX Low 6 Receive Data RX Low 3 Receive Data RX High 7 Unused 4 Unused 8 Unused USB Port This port allows for connection of a laptop or PC The port provides a local console for management of the device A st...

Page 25: ...ollowing page provide pin descriptions for the COM1 data port in RS 232 mode and RS 485 modes respectively NOTE The COM2 port if present is restricted to RS 232 mode it cannot be used for RS 485 As viewed from the outside the unit Table 2 2 COM1 2 Port Pin Details RS 232 Pin Number Input Output Pin Description 1 Reserved COM1 only ALARM Output refer to Alarms on Page 150 2 OUT DCD Data Carrier Det...

Page 26: ...ted device COM1 Port notes and wiring arrangements for RS 485 The COM1 port supports 4 wire and 2 wire RS 485 mode as follows RXD RXB and RXD RXA are data sent into the unit RXD RXB is positive with respect to RXD RXA when the line input is a 0 TXD TXB and TXD TXA are data sent out by the unit TXD TXB is positive with respect to the TXD TXA when the line output is a 0 2 wire RS 485 mode connection...

Page 27: ...s Indicators Table 2 4 Description of LED Status Indicators LED Name LED State Description PWR DC Power Off Solid Green Fast Blink Red 1x sec No power to unit Unit is powered no problems detected Alarm indication ETH Ethernet Off Solid Green Blinking Green No Ethernet link to network Ethernet link present Ethernet traffic in out COM Serial Comm Port Off Blinking Green No serial connection or idle ...

Page 28: ...rrowband LnRadio MCR LN 3G Cellular Lic Narrowband LnRadio MCR LN Only Off Lic Narrowband LnRadio Table 2 6 ECR NIC LED Descriptions Product Configuration NIC1 NIC2 ECR 4G WiFi Cellular WiFi ECR 4G Only Cellular Off ECR 3G WiFi Cellular WiFi ECR 3G Only Cellular Off ECR WiFi only Off WiFi ECR 900 WiFi WiFi 900 ISM NxRadio ECR 900 Only Off 900 ISM NxRadio ECR LN WiFi WiFi Lic Narrowband LnRadio ECR...

Page 29: ...d if possible All grounds and cabling must comply with applicable codes and regulations One source for lightning protection products may be found online at http www protectiongroup com PolyPhaser 2 7 Mounting Options The unit may be mounted with flat mounting brackets or an optional 35 mm DIN rail attachment Figure 2 7 shows the mounting dimensions for a unit equipped with flat mounting brackets F...

Page 30: ...ll cables to prevent moisture from running along the cables and into the unit Optional DIN Rail Mounting 2 7 1 If ordered with the DIN rail mounting option the unit is supplied with a DIN rail clip attached to the case The integrated bracket on the unit s case allows for quick installation and removal from a DIN mounting rail as shown in Figure 2 9 Figure 2 9 DIN Rail Attachment and Removal Pull d...

Page 31: ...ectly Connected Cellular Antenna Typical Style GE MDS Part No 97 2485A04 WiFi Antenna Antenna connection for 2 4 GHz WiFi service The connector appears similar to the cellular connectors discussed above but is a Reverse SMA type It contains a pin that matches with an SMA F connector The GE MDS part number for this antenna is 97 4278A34 To connect an external WiFi antenna 97 4278A48 a Reverse SMA t...

Page 32: ... 4278A34 using a magnetic mount GE MDS PN 97 4278A78 This configuration offers easy mobility for evaluation purposes or indoor applications with good cellular signal coverage see Figure 2 11 Figure 2 11 Direct Mounting of Cell Antenna Cabled WiFi Antenna Minimum 8 inch 20 32 cm separation between cell and WiFi antennas This arrangement employs cabled mounting of the LTE paddle antennas GE MDS 97 2...

Page 33: ... 2 12 Typical Yagi Antenna mounted to mast Feedlines Selection of an antenna feedline is very important Poor quality cable should be avoided as it will result in power losses that may reduce the range and reliability of the radio system The tables which follow show the approximate losses that will occur when using various lengths and types of coaxial cable Regardless of the type used the cable sho...

Page 34: ...r factory representative or visit www gemds com to obtain a copy of the guide Table 2 9 Accessories Ancillary Items Item Description Part Number DC Power Plug 2 pin polarized Mates with power connector on the unit s case Screw terminals are provided for wires threaded locking screws to prevent accidental disconnect 73 1194A53 Setup Guide for installation instructions Describes the installation and...

Page 35: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 35 ...

Page 36: ... use a user interface to add remove or alter a piece of configuration data The second step is to use the user interface to commit the change Multiple changes can be made prior to committing them This two step process allows users to make multiple changes to the configuration and apply them in a bulk commit Additionally the device can validate the bulk commit and reject it if there is an error The ...

Page 37: ...followed by a slash character and ending with the bit length max 32 of the prefix A subnet mask is expressed in dot decimal notation For example 192 168 1 0 24 is equivalent to specifying 192 168 1 0 with a subnet mask of 255 255 255 0 Enter the unit s IP address in a web browser window just as you would enter a website address 3 When the login screen appears Figure 3 2 Login Screen enter the User...

Page 38: ...ice Manager Overview Screen For initial configuration the Setup Wizard will appear and provide guidance in typical setups This will be disabled after initial setup is completed but may be re run at any time from the Wizards page Figure 3 4 Initial Setup Wizard Starting Page ...

Page 39: ...View Validate and Cancel Clicking the button defaults to Validate and saves the changes Figure 3 6 Save Button Changes to commit From the CLI all changes are made and committed using by using the commit command and enter commit 3 1 Initial Settings Overview Setting Basic Parameters First Steps 3 1 1 There are three tasks that should be performed after initial startup and connection to a PC as foll...

Page 40: ...hen your primary key is lost If you don t make a spare you are always at risk of locking yourself out A one time recovery password is different from the one used to log into the unit on a routine basis It is only for use when the primary password is lost or forgotten When a one time password is used to log in that password is automatically revoked from the list of passwords created You may create ...

Page 41: ...ccessed via TCP for example SSH Deleting a One Time Password As noted earlier a one time password is automatically revoked when it is used for log in A revoked password may be replaced but it must first be removed from the list so a new one can be generated Any of the five stored passwords may be removed on demand As long as there is a free slot an additional password can be created up to the maxi...

Page 42: ...t must be deleted if there are no more password slots available Change Default Passwords 3 1 3 For security purposes it is highly advised to change the default passwords for all user roles This is accomplished on the Change Password Screen shown below located at User Authentication Actions Change Passwords Figure 3 10 Change User Password Screen This feature is also a part of the Initial Setup Wiz...

Page 43: ...e User Authentication 1 Update factory default passwords Secure login access into Orbit with local or RADIUS based user authentication Device Management 2 Secure access to Orbit for device management by enabling disabling HTTP HTTPS SSH It is recommended that HTTP be disabled It is recommended that SNMPv1 v2c be disabled and SNMPv3 be enabled Static Routing Limit local broadcast and multicast traf...

Page 44: ...o meet field requirements but comes preconfigured as follows The COM and USB ports are enabled for local console operation When applicable interfaces are preconfigured as members of a bridge A DHCP server is enabled for WiFi clients and the Ethernet LAN ports Units are configured with a set of pre defined defaults set by the factory Default Ethernet IP address 192 168 1 1 Firewall NAT DNS proxy en...

Page 45: ...e 3 2 Checklist for Initial Setup Configuration Step Applicable Manual Section Comment Additional Information Establish connection to the device SSH Serial USB Web Initial Settings Overview Specific Application Examples Using Device Manager Using the Command Line Interface CLI With serial USB SSH interfaces the Command Line Interface CLI is provided Create One Time Programmable passwords for devic...

Page 46: ...lular service in the listed Appendix Configuring for 900MHz operation if present 3 5 4 Unlicensed 900 MHz ISM NX915 NX915 is the hardware module that provides the 900 MHz operations It is factory configured based on country codes for legal operations Configuring for Licensed Narrowband operation if present 3 5 5 Licensed Narrowband LN LNxxx hardware modules provide operation in various global freq...

Page 47: ...orts WiFi and the bridge The following chart lists the required steps to configure the MCR for this specific scenario Note that for each step the linked manual section is provided as well as detailed information for use in recreating the example Step Applicable Manual Section Comment Additional Information Configure WiFi 3 5 3 WiFi Enable unit as Access Point Set SSID mysid Configure network 3 8 5...

Page 48: ...MCR 1 Configure to bridge traffic from ETH1 and WiFi 3 8 5 Bridging Add ETH1 and WiFi to the bridge Orbit MCR 1 Set bridge IP address 3 8 5 Bridging Set to 192 168 1 21 prefix length 24 Orbit MCR 1 Enable DHCP Server on bridge 3 8 13 DHCP Service Set v4subnet 192 168 1 0 24 Set domain name gemds Set range start 192 168 1 10 Set range end 192 168 1 19 Set router 192 168 1 1 Set broadcast address 19...

Page 49: ...f myssid Orbit MCR 1 Configure to bridge traffic from ETH1 and WiFi 3 8 5 Bridging Add ETH1 and WiFi to the bridge Orbit MCR 1 Set bridge IP address 3 8 5 Bridging Set to 192 168 1 21 prefix length 24 Orbit MCR 1 Enable DHCP Server on bridge 3 8 13 DHCP Service Set v4subnet 192 168 1 0 24 Set domain name gemds Set range start 192 168 1 10 Set range end 192 168 1 19 Set router 192 168 1 1 Set broad...

Page 50: ...he incoming out of network address to drop all other traffic IN_UNTRUSTED 3 8 8 Access Control List Packet Filtering Firewall Set Rule 10 protocol all Action drop Configure the outgoing destination to allow local network OUT_UNTRUSTED 3 8 8 Access Control List Packet Filtering Firewall Set Rule 1 src Address LOCAL NETS Add Interface address true Action accept Configure the outgoing destination to ...

Page 51: ...munication Serial Interface 3 4 2 Follow these steps to configure the unit for its first use with serial console interface Connect a PC to the unit s COM port as shown in Figure 3 16 Maximum recommended cable 1 length is 50 ft 15 m NOTE Not all PCs include a serial port If one is not available the Orbit MCR s USB port can be used to access the device management console by using a Mini USB cable be...

Page 52: ... 3 Change the device name by typing in the following followed by enter set system name Device539 set system name Device539 Step 4 Verify the change looks correct by reading the data back using the following followed by the enter key show system name show system name name Device539 Step 5 Commit the change by typing in the following followed by the enter key commit commit Commit complete Step 6 Exi...

Page 53: ...be used as a quick reference before consulting the more detailed information which follows in this section Each CLI command is preceded by the symbol for operational command or for a configuration command Table 3 3 CLI Quick Reference Table If you wish to Enter this CLI command Create a one time password request system recovery one time password create function user function View all network inter...

Page 54: ...vice name set system name Mydevice Set the baud rate on COM1 set services serial ports COM1 baud rate b19200 Download a firmware package from TFTP server at 192 168 1 10 request system firmware reprogram inactive image filename mcr bkrc 4_0_0 mpk manual file server tftp address 192 168 1 10 Monitor firmware reprogramming status show system firmware reprogram status Export configuration file to a T...

Page 55: ...ommands will configure the MCR for this scenario set interfaces interface Wi Fi type wifi set interfaces interface Wi Fi wifi config mode access point ap config ap myssid enabled true set interfaces interface Bridge type bridge set interfaces interface Bridge bridge settings members port ETH1 set interfaces interface Bridge bridge settings members wifi ap myssid set interfaces interface Bridge ipv...

Page 56: ...terface Bridge bridge settings members wifi ap myssid set interfaces interface Bridge ipv4 address 192 168 1 21 prefix length 24 set services dhcp enabled true v4subnet 192 168 1 0 24 domain name gemds range start 192 168 1 10 range end 192 168 1 19 router 192 168 1 1 broadcast address 192 168 1 255 The following commands will configure the Orbit MCR 2 for this scenario set interfaces interface Wi...

Page 57: ...ding Connectivity to Serial Based SCADA Device via UDP The following commands will configure the Orbit MCR 2 for this scenario set interfaces interface Wi Fi type wifi set interfaces interface Wi Fi wifi config mode access point ap config ap myssid enabled true set interfaces interface Bridge type bridge set interfaces interface Bridge bridge settings members port ETH1 set interfaces interface Bri...

Page 58: ...col icmp set services firewall filter IN_UNTRUSTED rule 1 actions action accept set services firewall filter IN_UNTRUSTED rule 10 match protocol all set services firewall filter IN_UNTRUSTED rule 10 actions action drop set services firewall filter OUT_UNTRUSTED rule 1 match src address address set LOCAL NETS set services firewall filter OUT_UNTRUSTED rule 1 match src address add interface address ...

Page 59: ...n vary depending on the Orbit MCR options ordered 3 5 Interface Configuration Serial Interface 3 5 1 A serial cable RJ45 cable with proper ETH to DB9 converter may be used to connect to a COM port on the unit to access the CLI The default serial console settings are 115200 bps with 8N1 format A mini USB to USB cable may also be used to connect to a Computer in case no serial port exists If a mini ...

Page 60: ...arity 1 stop bit 8O1 8 char bits odd parity 1 stop bit 8N2 8 char bits no parity 2 stop bits 8E2 8 char bits even parity 2 stop bits 8O2 8 char bits odd parity 2 stop bits Hw Flow Control Hardware flow control enable disable DEFAULT using RTS CTS lines Vmin Receive Buffer Size The minimum number of data bytes that will be buffered by the serial port before handling of the data to be processed by t...

Page 61: ...rminal server 255 DEFAULT Vtime Receive Inter Byte Timeout The amount of time between bytes of data on the serial port in multiples of 1 millisecond that indicate the end of a serial message ready to be processed by the terminal server 100 DEFAULT From the CLI this sequence shows how to add console access to the COM1 and COM2 serial ports and set the COM2 baud rate to 19200 bps set services serial...

Page 62: ... devices including TransNET the device will act similar to a DTE but will provide signaling on the CTS line instead of the RTS line When the first character of a transmission is ready to be sent to the serial port the unit shall assert CTS and delay for CTS delay time expiration before outputting the first character After the last character of a transmission is output from the serial port the unit...

Page 63: ...Cts Hold 2 This is also where VMIN and VTIME can be adjusted 3 Save the Configuration 4 CLI Configuration Commands Change ITALICS to fit the system Configure the following as an example set services serial ports COM1 hw flow control true hw device mode CTSKEY cts delay 90 cts hold 40 commit Monitoring From the Web UI the Serial Ports screen shows the settings Navigate to Serial Basic Config Ports ...

Page 64: ...ial details ports COM1 line mode rs232 baud rate b115200 byte format bf8n1 hw flow control false vmin 255 vtime 1 capability rs485 2 wire rs485 4 wire ports COM2 line mode rs232 baud rate b19200 byte format bf8n1 hw flow control false vmin 255 vtime 1 capability console serial ports COM1 COM2 Cell 3 5 2 Understanding Orbit MCR product family is available with following cellular modem options Veriz...

Page 65: ... below table for approved Antenna Types Table 3 4 Approved Cell Antenna Types Application Location Frequency Range Gain Antenna Description GE MDS Part Number 3G 4G Cellular Indoor 698 2700MHz CELL BANDS 2 dBi Direct Connect SMA Paddle antenna 97 2485A04 3G 4G Cellular Outdoor 698 2700MHz CELL BANDS 4 5 dBi External Mount Omni Ant with N Female connector no cable Note requires a metal Ground Plane...

Page 66: ... unit will use the first connection profile to establish connection with the cellular network If connection profile switching described later is enabled then the unit will switch to second profile in the list if it is unable to establish a connection using the first profile after a configurable specified timeout An Orbit MCR equipped with a Verizon 4G LTE modem is shipped out of the factory with t...

Page 67: ...cho messages to a remote host server periodically to keep the connection alive Service Recovery Service recovery configuration If multiple cellular providers are supported the Connection Profile Switching choices may need to be configured The following is an example UI screen to create a connection profile named ORBIT1 by clicking on the ADD button and naming the profile as such Figure 3 24 Exampl...

Page 68: ... been set up with Verizon wireless a SIM card will be issued from that account When the modem is powered up with such a SIM the default APN on the modem is automatically updated to the one that identifies the user s private network This procedure is called OTA APN update This procedure might not always succeed and hence may require the user to manually update the APN on the MCR The following examp...

Page 69: ...meter specifies the number of keep alive messages that are sent before modem recovery is attempted DEFAULT 15 configurable only when recovery on timeout is enabled Service Recovery The service recovery configuration block contains various parameters related to service recovery feature The service recovery mechanism is meant as a watchdog mechanism for the cellular connection where the cellular mod...

Page 70: ...ailure occurs when using the current profile DEFAULT FALSE disabled Switch to Next on Failure Timeout This parameter specifies the time interval for which data connection is attempted using the current connection profile before switching to next one in the list DEFAULT 30 min Switch to First on Timeout This parameter enables switching of connection profile to the first one in the list irrespective...

Page 71: ...TE Dual SIM functionality is a selective order entry feature Default units are shipped with only SIM A enabled SIM B is not supported Monitoring From the Web UI status of the cell module can be reviewed on the page Interfaces Cell Status General Figure 3 26 Cell Interface Status Screen Type The type of the interface Admin Status The desired state of the interface Oper Status The current operationa...

Page 72: ...d be to free up buffer space In Errors For packet oriented interfaces the number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol In Unknown Protos For packet oriented interfaces the number of packets received via the interface which were discarded because of an unknown or unsupported protocol Out Octets The total number of octets transmitt...

Page 73: ...erfaces Cell Status Cellular Figure 3 28 Cell Operational Status Screen Imsi International mobile subscriber identity Imei International mobile equipment identity Iccid Unique serial number of the SIM card Mdn Mobile directory number Apn Access Point Name App Sw Version Application software version Modem Sw Version Modem software version Sim State SIM state Inserted Not Inserted Modem State Device...

Page 74: ...it with Verizon Wireless 4G LTE modem operating show interfaces state interface Cell cell status cell status imsi 311480023786469 cell status imei 990000947614196 cell status iccid 89148000000234127091 cell status mdn 5854724645 cell status apn VZWINTERNET cell status app sw version 0 0 5 cell status modem sw version 4 08 02 SVN 0 2012 12 21 10 52 58 cell status sim state ready cell status modem s...

Page 75: ... a previous user When the previous command is entered a number of items are returned as shown in the example below The first two items highlighted blue show the IMSI and IMEI codes These are unique for each unit cell status imsi 311480023631413 cell status imei 990000947608727 cell status iccid 89148000000232694605 cell status mdn 5857948168 cell status apn VZWINTERNET cell status app sw version 0...

Page 76: ...dem section The following example shows how to upload a cell modem firmware image file through the web browser and reprogram the cel modem with that image file Navigate to Interfaces Cell Actions Reprogram Click on the Begin Reprogramming button once the file source is configured Figure 3 29 Reprogram Cellular Modem The MCR supports file uploads through a web browser from a local file on the user ...

Page 77: ...ming the cell modem firmware from the CLI enter the following command to download the firmware image from the TFTP server request interfaces interface Cell firmware reprogram filename cell 4g5 1 0 2 mpk manual file server tftp address 192 168 1 10 Monitoring Reprogram Once the reprogramming is begun the process may be cancelled by clicking the Cancel Reprogramming button The current status of the ...

Page 78: ...oint or Station The specifications for the WiFi module are covered in LN400 101D LN400 LN900 101D LN900 2 4 GHz WiFi Specifications on Page 385 The table below contains the list of GE MDS approved antennas Table 3 6 Approved Cell Antenna Types Application Location Frequency Range Gain Antenna Description GE MDS Part Number WiFi Indoor 2 4 2 5 GHz 3 2 dBi Direct Connect RP SMA Dipole Whip 97 4278A3...

Page 79: ...keys via RADIUS The default SSID is based on the unit s serial number and takes the form of GEMDS_ SERNUM the serial number is printed on the chassis sticker The default password for WiFi operation is GEMDS_ORBIT The table below describes the Orbit MCR s LED behavior when using the WiFi interface The LED for the NIC varies depending on the configuration of the MCR When equipped with 900 MHz suppor...

Page 80: ...AULT 15 dBm 3 5 3 1 AP Mode Configuration To configure the parameters necessary for Access Point mode start by using the following section of the web UI Navigate to Interfaces Wi Fi Basic Config Wi Fi Figure 3 32 WiFi AP SSID Configuration Screen Each AP Profile contains specific information to be selected For each SSID however certain parameters are shared between each AP The parameters are Chann...

Page 81: ...ck on the ADD button or to delete an AP click on the SSID and then the Delete button By default an access point will be configured with the SSID GEMDS SERNUM and the WiFi password GEMDS ORBIT To edit an AP click on the SSID of the configured network In the following example the SSID is GEMDS_2344676 Figure 3 33 WiFi AP Details Configuration Screen Broadcast Ssid If checked true the SSID will be br...

Page 82: ... Access Only one VLAN can be configured on an access interface traffic carried for only one VLAN Trunk Two or more VLANs configured on a trunk port several VLANs can be carried simultaneously NOTE Remember to click on SAVE when finished The CLI commands below show how the WiFi settings are made The unit must be in Configuration Mode to make these settings Each command string begins with the word s...

Page 83: ...id is created this will become the first SSID and the SSID ssidexample will become the second SSID Each SSID is independent of the other except for the parameters noted above Each SSID can be in or out of the bridge However to use VLANs the SSIDs must be bridged 3 5 3 3 Station Mode To configure the WiFi interface as a station start at the following Navigate to Interfaces Wi Fi Basic Config Wi Fi ...

Page 84: ...tion mode to use Ccmp AES based encryption mechanism that is stronger than TKIP for WPA2 Tkip a stream cipher is used with a 128 bit per packet key meaning that it dynamically generates a new key for each packet Ccmp Tkip allows a mixture of WPA and WPA2 clients Key Mgmt The type of preshared key to use Wpa Psk Wpa Psk sha 256 Psk The Preshared Key 8 to 64 characters DEFAULT blank NOTE Remember to...

Page 85: ...ect normally contains a MAC address The interface s media specific modules must define the bit and byte ordering and the format of the value of this object For interfaces that do not have such an address e g a serial line this node is not present Figure 3 38 WiFi Statistics Information NOTE The following information is reset on system reboot or power cycle Discontinuity Time The time on the most r...

Page 86: ...be transmitted and which were not addressed to a multicast or broadcast address at this sub layer including those that were discarded or not sent Out Broadcast Pkts The total number of packets that higher level protocols requested be transmitted and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Out Multicast Pkts The total number of p...

Page 87: ...ds since last packet Rxbytes received byte count Rxpackets received packet count 3 5 3 6 WiFi Status When Configured as a Station Figure 3 41 WiFi Station Statistics Information Ssid SSID of access point to which the unit is connected up to 32 characters Bssid Basic SSID of access point to which the unit is connected up to 32 characters Rssi Received Signal Strength Indication possible values are ...

Page 88: ... ap somessid broadcast ssid true station max 7 station timeout 300 beacon interval 100 privacy mode none vlan mode none channel 6 operation mode 80211g dtim period 2 rts threshold 2347 fragm threshold 2346 Privacy Mode Configuration via CLI The default privacy mode is wpa2 personal The privacy mode in the previous example was set to none The following configures the unit to use WPA2 Personal secur...

Page 89: ...Fi wifi config details mode access point tx power 15 ap config ap somessid broadcast ssid false station max 7 station timeout 300 beacon interval 100 privacy mode wpa2 personal psk config encryption ccmp tkip key mgmt wpa psk psk somepassphrase vlan mode none channel 6 operation mode 80211g dtim period 2 rts threshold 2347 fragm threshold 2346 Other configurations The following configures the devi...

Page 90: ...ond SSID is intended to support auxiliary applications such as a dedicated management connection or guest LAN access The following example sets up a second Wi Fi AP with the SSID of somessid2 to the previous example s SSID somessid set interfaces interface Wi Fi wifi config mode access point ap config channel 3 operation mode 80211n ap somessid2 broadcast ssid true privacy mode wpa2 personal psk c...

Page 91: ...2 is created this will become the first SSID and the SSID somessid2 will become the second SSID Each SSID is independent of the other except for the parameters noted above Each SSID can be in or out of the bridge However to use VLANs the SSIDs must be bridged Station Mode This sets the unit to act as a WiFi station to connect to an AP with somessid and WPA2 Personal security set interfaces interfa...

Page 92: ...i statistics statistics discontinuity time 2013 09 24T13 12 25 04 00 statistics in octets 3747 statistics in unicast pkts 26 statistics in multicast pkts 0 statistics in discards 0 statistics in errors 0 statistics out octets 55511 statistics out unicast pkts 215 statistics out discards 0 statistics out errors 0 Station Mode The following shows status when connected to a configured Wi Fi AP show i...

Page 93: ...n of FHSS Frequency Hopping Spread Spectrum DTS Digital Transmission System and hybrid FHSS DTS technologies to provide dependable wireless communications The GE MDS NX915 NIC module is a point to multipoint medium speed long range 20 miles spread spectrum wireless data transmission product It operates as a Frequency Hopping Spread Spectrum FHSS or a Digital Transmission System DTS in the 902 to 9...

Page 94: ...ity when compared to 1000W kbps For clear spectrum use 1000W for unknown or busy spectrum it s safer to use the narrow 1000N modem Table 3 10 Approved NxRadio Antenna Types Application Location Frequency Range Gain Antenna Description GE MDS Part Number 900 MHz NX915 Indoor 902 928MHz 2 dBi Omni Indoor Flex 97 2952A01 900 MHz NX915 Indoor 902 928MHz 5 dBi Omni with 16 N F Connect and Mount 97 3194...

Page 95: ...ured to operate in the top half of the band while the Orbit can have its NX915 module configured for the lower half By default the radio ships from the factory with the 500kbps modem selected Dwell time is set to 50ms and Hop Set A is enabled For typical configuration e g North America this provides 27 discrete channels over which to hop Hop Sets provide a way of specifying the minimum channel spa...

Page 96: ...dio Interface LED Descriptions LED NIC2 State Description NxRadio Interface Off Interface disabled Access Point Mode Blink Red Solid Red Solid Green NIC Initialization No Remotes connected Linked with at least 1 Remote Remote Mode Blink Red Solid Green NIC Initialization Not linked to an Access Point Linked with Access Point Important Notes and Information Regarding LQI LQI is dependent on the mod...

Page 97: ...e not all the same and optimizing the system may take a little configuring based on Noise Floor Data Type Data Volume An LQI of 255 is reported on a given channel s during the setup sequence and might also be reported after the remote unit is associated with the AP This does not necessarily imply poor RF conditions only that no user traffic has been received by the remote from the AP on that speci...

Page 98: ...ll authenticate with the AP PSK or a backend RADIUS server EAP before they are allowed to pass data on the network The authentication protocol is compliant with IEEE 802 1X If device authentication is enabled over the air data encryption can also be enabled This ensures all over the air traffic is protected When encryption is enabled the device must occasionally rotate the encryption keys This rot...

Page 99: ...EFAULT Header Compression Disabled by DEFAULT Enable disable over the air robust header compression This feature compresses IP headers to improve system performance and is most useful in applications that rely on IP packets with small payloads such as terminal server operations or MODBUS polling This setting must match on each radio Remote and AP Power The transmit power of the radio Valid values ...

Page 100: ... DEFAULT aes128 ccm Protect data with 128 bit AES encryption using CCM mode aes256 ccm Protect data with 256 bit AES encryption using CCM mode Passphrase The passphrase used in PSK mode 8 to 64 letters DEFAULT blank Radius Server A reference to the RADIUS server configuration configured through the System RADIUS side menu item section 3 7 4 Rekey Interval The session key for an active secure link ...

Page 101: ...ficult to detect weak signals if at all but enhance the probability to detect the stronger ones High Sensitivity set when operating in a low noise environment with minimal radio interference DEFAULT High Immunity set when operating in an environment with radio interference Avoided Frequencies Frequencies that are not included in the hop pattern Decimal MHz in the form of A range is required with t...

Page 102: ...e ARP to the intended device ADR Mode Adaptive data rate mode controls whether the NIC will attempt to use different modem speeds for different remotes All downstream traffic uses the lowest rate only upstream traffic can use the variable rate ADR setting is automatically learned by remotes but remotes modem must be set to Auto or 125 for 125 250kbps or 500 for 500 1250 kbps operation 125 250kbps ...

Page 103: ... with defaults The advanced configuration on an NX915 module operating as a Remote shares the same configuration for LNA state stale packets timeout and data retries as an Access Point Using the default value of 0 zero for the NIC and Gateway Identifiers configure the module to automatically obtain a path in the network This is particularly useful in a network that contains Store and Forward devic...

Page 104: ...rk Name The name of the network Used to control what networks is connected to Valid values 1 to 31 letters DEFAULT mds nx The network name string is used to identify the logical network the device as a member of a network If the network name does not match the device will log an event to identify network name collisions Data Compression Over the air compression lzo Compresses the over the air traf...

Page 105: ...rotocol Encryption The type of encryption to perform none No data privacy DEFAULT aes128 ccm Protect data with 128 bit AES encryption using CCM mode aes256 ccm Protect data with 256 bit AES encryption using CCM mode Passphrase The passphrase used in PSK mode Valid Values are 8 to 64 letters DEFAULT blank Certificate ID Key ID CA Certificate ID Reference to the remotes certificate material loaded t...

Page 106: ...he lowest rate only upstream traffic can use the variable rate ADR setting is automatically learned by remotes but remotes modem must be set to Auto or 125 for 125 250kbps or 500 for 500 1250 kbps operation 125 250kbps ADR will attempt to use the FHSS modems 125kbps and 250kbps when trying to determin the best modem for the remote 500 1250kbps ADR will use the DTS modems 500kbps 1000kbps 1000W kbp...

Page 107: ...network Remote DEFAULT Access Point Store and Forward Network Name The name of the network Used to control what networks the radio connects to Valid values 1 to 31 letters DEFAULT is mds nx The network name string is used to identify the logical network that the device should join If the network name does not match the device will log an event to identify network name collisions Data Compression O...

Page 108: ...ity Mode The type of authentication to perform none Provide no device authentication or data privacy DEFAULT psk Use pre shared key authentication protocol eap Use Encapsulated Authentication Protocol Encryption The type of encryption to perform none No data privacy aes128 ccm Protect data with 128 bit AES encryption using CCM mode aes256 ccm Protect data with 256 bit AES encryption using CCM mode...

Page 109: ...ill not be trying extra to amplify the collocated RF noise It will be more difficult to detect weak signals if at all but enhance the probability to detect the stronger ones High Sensitivity set when operating in a low noise environment with minimal radio interference High Immunity set when operating in with radio interference Stale Packet Timeout If the MAC is unable to transmit a packet in this ...

Page 110: ...eshold the NIC will attempt to use a faster modem ADR Threshold must be set for each radio Remotes and AP This is advantageous in that you can run the majority of the network in ADR mode but if a particular remote has strong RSSI but difficult channel conditions you can effectively disable ADR on that specific remote by setting the ADR threshold artificially low DEFAULT 70 range from 127 to 0 Encr...

Page 111: ...is sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer In Multicast Pkts The number of packets delivered by this sub layer to a higher sub layer which were addressed to a multicast address at this sub layer In Discards The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable ...

Page 112: ...nd packets that could not be transmitted because of errors NX Status Monitoring Interfaces NxRadio Status Nx Radio Figure 3 57 ISM 900 NX Status Init Status State of the NIC Initialization Off Not operating Initializing Powering on the NIC Discovering Determining the NIC address Reprogramming Programming the NIC firmware Configuring Configuring the NIC Complete Initialization complete Current Devi...

Page 113: ... ratio of RF power out to power reflected is approaching a 4 1 ratio or higher ideally this should be 1 1 This should be corrected to achieve optimal radio performance It may be helpful to use an SWR test device to troubleshoot unit address not programmed data parity error data framing error configuration error six v regulator output dc input rf output power internal temp Serial Number Serial numb...

Page 114: ...mation Regarding LQI MAC Statistics Figure 3 59 ISM 900 NX MAC Statistics Tx Success Successful transmissions Tx Fail Failed transmissions TTL expired or retry count exceeded Tx Queue Full Failed transmissions MAC queue full Tx No Sync Number of packets dropped because the MAC is not synchronized Tx No Assoc Packets dropped because the MAC is not associated Tx Error Packets dropped for other reaso...

Page 115: ...ccess point with the network name of MyNetwork and default settings set interfaces interface NxRadio nx config device mode access point network name MyNetwork show interfaces interface NxRadio nx config details modem mode 500kbps device mode access point network name MyNetwork data compression none header compression false power 30 dwell time 50 beacon interval 150 hop set a security security mode...

Page 116: ...rase and aes128 ccm encryption set interfaces interface NxRadio nx config data compression lzo security encryption aes128 ccm security mode psk passphrase mypassphrase show interfaces interface NxRadio nx config details modem mode 500kbps device mode access point network name MyNetwork data compression lzo header compression false power 30 dwell time 50 beacon interval 150 hop set a security secur...

Page 117: ...ragment threshold 0 remote age time 600 endpoint age time 300 allow retransmit true arp cache false adr mode none adr threshold 70 encryption protocol 2 0 Other configuration The following will configure the NX915 module to operate at 20 dBm on hop set b with a beacon interval of 25 ms and a dwell time of 75 ms It also setups several advanced configuration parameters to move the propagation delay ...

Page 118: ...ow retransmit true arp cache false adr mode none adr threshold 70 encryption protocol 2 0 Remote Mode The following will configure the NX915 module as a Remote with the network name of MyNetwork and default settings set interfaces interface NxRadio nx config device mode remote network name MyNetwork show interfaces interface NxRadio nx config details modem mode 500kbps device mode remote network n...

Page 119: ...ced config lna state high sensitivity stale packet timeout 1500 data retries 3 nic id 0 gateway id 0 arp cache false adr mode none adr threshold 70 encryption protocol 2 0 The following configures the NX915 module to use data compression EAP authentication and aes128 ccm encryption The EAP mode currently supports only EAP TLS This requires configuring the appropriate PKI Certificates and Keys to u...

Page 120: ...onfigured the module to automatically obtain a path in the network This is particularly useful in a network that contains Store and Forward devices Store and Forward Mode Basic configuration with defaults The following will configure the NX915 module as a Store and Forward SAF device with the network name of MyNetwork and default settings set interfaces interface NxRadio nx config device mode stor...

Page 121: ...rk access Monitoring Ensure the CLI is in operational mode Access Point Mode The following shows status with two remotes connected show interfaces state interface NxRadio nx status tab nx status init status complete nx status current device mode access point nx status current modem 500kbps nx status alarms nx status serial number 2652308 nx status firmware revision 0 6 0 nx status hardware id 14 n...

Page 122: ...924 840000 72 8 75 925 762500 72 7 78 926 685000 73 7 Remote and Store and Forward Mode The following shows status when connected to a configured Access Point show interfaces state interface NxRadio nx status nx status link status associated nx status init status complete nx status current device mode remote nx status current modem 500kbps nx status alarms nx status serial number 2501772 nx status...

Page 123: ...VG AVG CHANNEL FREQUENCY RSSI LQI 0 902 700000 68 7 3 903 622500 69 6 6 904 545000 69 6 9 905 467500 69 6 12 906 390000 70 6 15 907 312500 70 7 18 908 235000 71 5 21 909 157500 71 5 24 910 080000 72 6 27 911 002500 72 6 30 911 925000 71 5 33 912 847500 71 6 36 913 770000 71 7 39 914 692500 71 6 42 915 615000 71 6 45 916 537500 70 7 48 917 460000 70 7 51 918 382500 70 6 54 919 305000 69 7 57 920 22...

Page 124: ...greater throughput then traditional FSK solutions The module utilizes QAM modulation a highly efficient PA and a direct conversion receiver to provide dependable wireless communications An advanced Media Access Control provides advanced interference avoidance error detection retransmission auto repeat and guaranteed collision free data 10 Watts of peak power and dynamic FEC extend coverage to up t...

Page 125: ...nsmit and Receive frequencies are unprogrammed and left to field installation personel to prevent inadvertant operation on the wrong channel For the advanced user the module supports configuring more items including Data Retries Number of times to retry unicast data before declaring NACK Power RF output power control ARP Cache Feature that limits over the air ARP traffic Data and Header Compressio...

Page 126: ...n works in both upstream and downstream mode The mode selection varies between QPSK 16QAM and 64QAM A signal metric score is used to decide which modem selection to use The score is determined based on signal strength and packets received Advanced configuration can be used to provide some control over the adaptive modulation thresholds The primary use case for this feature is if an AP has some rem...

Page 127: ...network that the device should join If the network name does not match the device will log an event to identify network name collisions Data Compression Over the air compression lzo Compresses the over the air traffic with the LZO algorithm DEFAULT none No data compression Header Compression Enabled by DEFAULT Enable disable over the air robust header compression This feature compresses IP headers...

Page 128: ...useful in networks with some remotes close to the Access Point and others farther away or obstructed This mode allows the close remotes to take advantage of the higher data rate for the directed messages while the remotes use a more conservative modulation Radios with fixed modulation settings will operate only at the modulation that you specify If the specified modulation is higher than the conne...

Page 129: ...d Narrowband LN EAP on an access point Security Settings Security Mode The type of over the air authentication to perform none Provide no device authentication or data privacy DEFAULT psk Use pre shared key authentication protocol eap Use Encapsulated Authentication Protocol will change the fields displayed and give the user the ability to enter radius info on the AP and certificate info on the re...

Page 130: ...icate Management side menu section 3 9 Radius Server AP EAP mode only A reference to the RADIUS server configuration configured through the System RADIUS side menu item section 3 7 4 Rekey Interval AP only The session key for an active secure link changes at a regular basis You may increase the length of the rekey interval in order to reduce overhead caused by the rekeying communications between r...

Page 131: ...4967295 seconds DEFAULT 300 5 minutes Allow Retransmit AP only All traffic from the remotes is sent to the AP When enabled the AP will retransmit traffic from one remote to another based on the MAC address It will also resend any remotes broadcast traffic to all other remotes Disabled by DEFAULT NIC ID Remote only ADVANCED SETTING DO NOT CHANGE Manually overrides the NIC identifier ARP Cache Enabl...

Page 132: ...the interface Licensed Narrowband radios appear as ln Admin Status The desired state of the interface Oper Status The current operational state of the interface If Index The index value for this interface in the Orbit s interface table Valid values are 1 2147483647 Phys Address The interface s address at its protocol sub layer For a LN module this object normally contains a MAC address Statistics ...

Page 133: ...faces the number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol Out Octets The total number of octets transmitted out of the interface including framing characters Out Unicast Pkts The total number of packets that higher level protocols requested be transmitted and which were not addressed to a multicast or broadcast address at this sub l...

Page 134: ...d Firmware Revision NIC Firmware Revision Temperature The transceiver temperature in degrees C Modem Tx Success Number of packets successfully transmitted by the modem Modem Tx Error Number of transmit errors reported by the modem Modem Rx Success Number of packets successfully received by the modem Modem Rx Error Number of receive errors reported by the modem MAC Tx Success Successful transmissio...

Page 135: ...out the Licensed Narrowband NIC s hardware is also displayed on the LN Radio s Statistics menu This information may be helpful when calling technical support Connections Status AP Only In AP mode the Connected Remotes and Endpoints information will be displayed in addition to the Active Channel NOTE Clicking on the MAC address in either Connected Remotes or Endpoints will bring up more stats NOTE ...

Page 136: ...since link established After 4294967295 seconds the value displayed rolls over to 0 RSSI The RSSI measured at the time of the last received packet If using this reading to align an antenna or gather link status information we recommend setting the page refresh to 3 seconds EVM The Error Vector Magnitude measured at the time of the last received packet For more information refer to refer to Importa...

Page 137: ...ore automatically resuming normal operation We recommend that you remain in test mode 10 minutes or less State Receive Enter Receive mode to check the RSSI of a received signal Keyed Key the transmitter To prevent damage to the radio the unit will stop keying after one minute and automatically transition to the Receive state Stop Stop all test operations and exit test mode Test Values Test Mode Ti...

Page 138: ...data retries 3 packet ttl 600 remote age time 600 endpoint age time 300 allow retransmit true arp cache false qam16 threshold 85 qam64 threshold 70 Security configuration The default security mode as shown above is none The following configures the LN module to use pre shared key authentication with the passphrase mypassphrase and aes256 ccm encryption NOTE When viewing the configuration the passp...

Page 139: ...tication is selected from a list of configured Radius servers set interfaces interface LnRadio ln config security encryption aes256 ccm security mode eap radius server RADIUS_SERVER show interfaces interface LnRadio ln config details radio mode standard device mode access point network name MyNetwork data compression lzo header compression true power 40 tx frequency 451 4 rx frequency 456 4 channe...

Page 140: ...quency 451 4 channel 12 5KHz 9 6ksps modulation automatic fec false security security mode none encryption none advanced config data retries 3 nic id 0 inactivity timeout 600 remote age time 600 arp cache false qam16 threshold 85 qam64 threshold 70 Security Configuration The default security mode as shown above is none The following configures the LN module to use pre shared key authentication wit...

Page 141: ...s and Keys to use in the TLS authentication This information is selected from the PKI configuration set interfaces interface LnRadio ln config security encryption aes128 ccm security mode eap eap mode eap tls pki ca cert id CACert key id DevicePrivKey cert id DevicePubCert show interfaces interface LnRadio ln config details radio mode standard device mode remote network name MyNetwork data compres...

Page 142: ...x queue full 0 ln status mac stats mac tx error 0 ln status mac stats mac tx retry 132 ln status mac stats mac rx success 17952 ln status mac stats mac rx error 498 ln status last rx packet last rssi 128 ln status last rx packet last evm 255 ln status last rx packet last modulation qam64 ln status last rx packet rate 96 ln status hardware info serial number 2673840 ln status hardware info hardware...

Page 143: ...2 168 1 51 ln status ap info connected time 174 ln status ap info rssi 68 ln status ap info evm 0 ln status ap info rx modulation qpsk ln status last rx packet last rssi 68 ln status modem stats modem tx success 33116 ln status modem stats modem tx error 0 ln status modem stats modem rx success 198622 ln status modem stats modem rx error 55283 ln status mac stats mac tx success 11424 ln status mac...

Page 144: ...aces state interface LnRadio ln status test mode state keyed time 5 To enter Test Mode s receive state for 5 minutes request interfaces state interface LnRadio ln status test mode state receive time 5 To exit Test Mode request interfaces state interface LnRadio ln status test mode state stop To display the current test state show interfaces state interface LnRadio ln status test ...

Page 145: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 145 ...

Page 146: ... interface status Event Logging 3 6 2 Understanding An event is a notification that something meaningful occurred on the unit Events contain information about the occurrence that may be useful for administrators The event can be stored locally and or transported to a remote server by using the log export feature and then clearing the log Also the device supports external logging using SysLog or th...

Page 147: ...t is stored in the local event log True False Priority If logging to Syslog alert action must be taken immediately crit critical condition debug debug level messages emerg system is unusable err error condition info informational set notice normal but significant condition warning warning condition Syslog Facility If logging to SysLog selection of auth authpriv cron daemon ftp kern lpr mail news s...

Page 148: ...ample the follow shows the cell connect disconnect disabled for local logging this would be useful in an environment where the cell modem reconnects many times as part of normal operations Click on Add and the Event Rules Details option will appear Click on the button to the right of the Name field to locate the event rule to configure This will automatically bring up the popup shown on the previo...

Page 149: ...n click on the Add button when finished Clicking on the add buton will display the Event Rule Details option Clicking the Finish button will add the event rule From the CLI this modification can be made with the commands set logging event rule cell_disconnected local true set logging event rule cell_connected local true ...

Page 150: ...er Choices tcp udp tls tcp6 udp6 tls6 Message Format Choose either json_cee or text insert more info here If the TLS protocol is selected the following fields may be filled in TLS CA Certificate The name of the certificate of the CA server that was used to sign the certificate that the syslog server will be using TLS Client Certificate The client certificate to use when communicating to the syslog...

Page 151: ...he event log navigate to Logging Actions Clear Event Log and click on the Perform Action button Figure 3 73 Clear Event Log The following example shows how to clear the event log from the CLI request logging clear event log Exporting the Event Log The following example shows how to have the device generate an exportable event log and download that log to a local file through the web browser Naviga...

Page 152: ...advanced setting use default Block Size For TFTP the block size as defined in RFP 2348 advanced setting use default Timeout For FTP TFTP and SFTP the timeout in seconds advanced setting use default The following example shows how to have the device generate and transfer an exportable event log named event log 2016 02 04 xml to a TFTP server running on a host address 192 168 1 10 that is accessible...

Page 153: ...The percentage complete for the operation To view the status of the process in the CLI ensure the CLI is in operational mode and then follow the example below show logging export event log status logging export event log status state complete logging export event log status detailed message Successfully exported event log logging export event log status size 345158 logging export event log status ...

Page 154: ... incorporates a Iperf server that can be utilized by an external client Figure 3 76 Setup using iperf for throughput testing in a private network Iperf features TCP Measure bandwidth Report MSS MTU size and observed read sizes Support for TCP window size via socket buffers Multi threaded if pthreads or Win32 threads are available Client and server can have multiple simultaneous connections UDP Cli...

Page 155: ...eboot to once the snapshot is restored Take note that restoring the unit to a snapshot will overwrite the current configuration and that it cannot be undone Three types of snapshots exist on an Orbit MCR Factory Automatic and user snapshots The Factory snapshot is the configuration with which the unit shipped Rolling back to this snapshot is equivalent to performing a factory reset Note that passw...

Page 156: ...unit to the specified firmware image and restores the unit s configuration to the specified snapshot This operation cannot be undone Managing user snapshots The User Snapshots menu found under the Rollback menu allows you to create delete and set the default user snapshot You cannot delete or modify the unit s Factory or Auto snapshots You may create up to two user snapshots These snapshots contai...

Page 157: ...ers including letters numbers dashes underscores and spaces Description Description of this user snapshot Up to 127 characters including letters numbers dashes underscores and spaces Optional Default Set the default user snapshot used in error recovery Optional Delete Snapshot Identifier The user snapshot to delete Once a snapshot is deleted it cannot be recovered ...

Page 158: ...t s name Description The snapshot s description Date This is the date that the snapshot was created Version This is the firmware version that the unit was running at the time the snapshot was created User Default Specifies the default user snapshot used in error recovery Using the CLI Rollback to a snapshot You can rollback to one of the unit s snapshots in either operational or configuration mode...

Page 159: ...command deletes the specified user snapshot request system recovery user snapshots delete identifier Snapshot1 You can set an existing snapshot as the default user snapshot with the following command request system recovery user snapshots set default identifier Snapshot1 Monitoring To view the device s snapshots ensure that the CLI is in operational mode show system recovery snapshot system recove...

Page 160: ...ble through the web UI and not through the CLI Server Address For FTP TFTP and SFTP the remote server s host name or IP address File Path For FTP TFTP and SFTP the path to the destination file on the remote server User Name For FTP and SFTP the user name on the remote server Password For FTP and SFTP the password on the remote server Control Port For FTP the TCP control port advanced setting use d...

Page 161: ...sk inactive preparing transfering cancelling complete failure cancelled Detailed Message The details regarding the operation such as Generating support package Size The total number of bytes in the package not displayed on the web UI Bytes Transferred The number of bytes already generated or transferred not displayed on the web UI Percent Complete The percentage complete for the operation To view ...

Page 162: ...the ability to increase the complexity of the configured user login passwords User passwords can be configured to have a minimum length a minimum amount of lower case letters a minimum amount of capital letters a minimum amount of numeric characters and a minimum amount of non alpha numeric values Configuring Manual Setting of Date Time and Timezone To manually set the System Clock date and time o...

Page 163: ...set the date and time use the request set current datetime request system clock set current datetime current datetime 2013 10 01T8 33 45 Automatic set using NTP or SNTP Server To use an NTP server the NTP settings on the Orbit MCR must be configured From the Web UI Navigate to the System Time Basic Config NTP Enable NTP or SNTP by clicking the Use NTP checkbox Click on the Mode option to choose wh...

Page 164: ...ng reliable NTP service such as pool ntp org Enabled Server enabled for use check True DEFAULT Iburst perform burst synchronization check True DEFAULT Prefer Use as preferred server check True DEFAULT Automatic set using GPS If the radio contains a GPS module and is connected to a functioning GPS signal by default the radio will sync time and date on the initial connection to the service From the ...

Page 165: ...01 00 00 Geographical location 3 7 2 The geographical location of the unit can be manually This information can be configured using the initial setup wizard Latitude in degrees Longitude in degrees Altitude in meters From the CLI set system geographical location altitude 1 0 latitude 43 117807 longitude 77 611896 User Management and Access Controls 3 7 3 Understanding There are three user accounts...

Page 166: ...ty to change the forgotten password See One Time Recovery Passwords on Page 39 Orbit user authentication provides the capability to manage the rules regarding logins and the setup rules regarding password strength The unit has protections against repeated login attempts The max login attempts configuration determines the number of failed logins that can occur in succession before the unit disables...

Page 167: ... method succeeds the user is denied access DEFAULT Local Users only Radius Sys Local Users Disable Non Admin Users Indicates whether or not tech and oper accounts are disabled DEFAULT false Note these are automatically disabled until default password is changed From the CLI these parameters may be set set system max login attempts 30 set system failed login lockout time 300 set system authenticati...

Page 168: ...ed to give preference to which method is used first when authenticating user access In the following example the list of RADIUS servers will be contacted first before the local authentication rules are used NOTE If the local users option is specified before RADIUS then only the local users option will be utilized the RADIUS servers will never be contacted set system authentication user authenticat...

Page 169: ...ll back to local authentication if the unit is configured to do so Many RADIUS servers do not respond to an invalid login attempt To the unit this appears the same as if the server is not there The consequence of this behavior is that after three default setting failed login attempts the authentication will take place against the local user password database if local fallback is enabled Refer to t...

Page 170: ...er 1 0 0 GEMDS value GEMDS UserAuth Group Administrator 2 GEMDS value GEMDS UserAuth Group Technician 1 GEMDS value GEMDS UserAuth Group Operator 0 The following line is required to be added to the vendors file GEMDS attr GEMDS value 4130 GEMDS And configuring users as follows admin Password admin GEMDS GEMDS UserAuth Group 2 tech Password tech GEMDS GEMDS UserAuth Group 1 oper Password oper GEMDS...

Page 171: ...quest This should be the address of the interface that is making the request If it is not provided the system will determine the address automatically Alternative entry is to use a Domain Name string From the CLI command line the following shows how to configure a RADIUS server on the MCR radio set system mds radius servers server1 address 192 168 1 2 shared secret abcd1234 user authentication typ...

Page 172: ... reprogram the firmware Users may add their own signatures to the firmware package using the GE MDS code signing tool NOTE Any additional signatures added to a firmware package will require the corresponding public certificates to be loaded into the unit for firmware reprogramming to complete successfully Similarly any additional firmware validation public certificates loaded into the unit require...

Page 173: ...on The following example shows how to upload a host firmware image file through the web browser and store the uploaded image file into the inactive region in memory Navigate to System Firmware Actions Reprogram Inactive Image Click on the Begin Reprogramming button once the file source is configured Figure 3 87 Reprogram Inactive Image The MCR supports file uploads through a web browser from a loc...

Page 174: ...d mcr bkrc 4_0_2 mpk from a TFTP server running on a host address 192 168 1 10 that is accessible from the MCR e g a locally connected host or remote host accessible via cellular interface To start reprogramming the inactive firmware image from the CLI enter the following command to download the firmware image from the TFTP server request system firmware reprogram filename mcr bkrc 4_0_2 mpk manua...

Page 175: ...irmware system firmware reprogram status size 38043384 system firmware reprogram status bytes transferred 38043384 system firmware reprogram status percent complete 100 Upon completion the unit can be re booted to the newly loaded image by navigating to the Power section Configuring Verify To verify a firmware image navigate to the Verify Image section and select the appropriate image 1 or 2 to ve...

Page 176: ...lete The percentage complete for the operation To view the status of the verification process in the CLI ensure the CLI is in operational mode and then follow the example below show system firmware verify image status system firmware verify image status state complete system firmware verify image status detailed message Successfully verified host firmware image system firmware verify image status ...

Page 177: ...that the web page does not display the current status if the device has not been instructed to copy the firmware image in other words if the state is inactive Figure 3 92 Copy Image Monitoring The copy status contains the following items Current State The status of the copying task inactive processing complete failure Detailed Message The details regarding the operation such as Copying host firmwa...

Page 178: ...Allow approximately 2 minutes for the unit to complete the restarting process and refresh the screen Figure 3 93 Restart to Image To initiate a restart from the CLI ensure the CLI is in operational mode and then follow the examples below to restart into the desired firmware image request system power restart inactive request system power restart active request system power restart image 1 request ...

Page 179: ...baseline When calibration is completed the device enters operational mode In operational mode the axis readings adjusted by the calibration results are used to determine current axis values Readings which exceed the trigger thresholds on any axis in either direction will generate an alarm Default Settings Calibration Offsets Calibrated coordinates determined when magnetometer tamper is enabled x a...

Page 180: ...hreshold for z axis Default 50 range 25 2000 NOTE None of these numbers for coordinates or thresholds has meaningful units They are just values that are all relative to each other A value of 50 cannot be equated to a specific number such as 6 inches In the CLI to view this enter configuration mode and execute the following command show system tamper detection magnetometer details enabled false tri...

Page 181: ...after calibration From the CLI the Device status when operational after calibration could be show system tamper detection magnetometer system tamper detection magnetometer calibration offsets x axis 916 system tamper detection magnetometer calibration offsets y axis 840 system tamper detection magnetometer calibration offsets z axis 1648 system tamper detection magnetometer current offsets x axis ...

Page 182: ...sing from the configuration file on import will be assumed by the radio to be deleted Make certain that all necessary parameters are kept in the configuration file unless they are expected to be deleted Configuring Export The following example shows how to have the device export the current configuration and download that configuration to a local file through the web browser Navigate to System Con...

Page 183: ...a host address 192 168 1 10 that is accessible from the MCR e g a locally connected host or remote host accessible via cellular interface To start the configuration file export from the CLI enter the following command to upload the configuration file to an external TFTP server request system configuration files export filename config 2016 02 04 xml manual file server tftp address 192 168 1 10 Moni...

Page 184: ... how to have the device import a set of configuration parameters by uploading a local file through the web browser Navigate to System Config Files Actions Import Configuration Click on the Begin Importing button once the file source is configured Figure 3 96 Import Configuration The MCR supports file uploads through a web browser from a local file on the user s PC The MCR also supports HTTP FTP TF...

Page 185: ...command to download the configuration from the TFTP server request system configuration files import filename config 2016 02 04 xml manual file server tftp address 192 168 1 10 Monitoring Import Once the import of a configuration file is begun the process may be cancelled by clicking the Cancel Import button The current status of the import process is displayed on the web page Note that the web pa...

Page 186: ...facilitate the resolution of domain names to IP addresses NOTE Manual configuration of DNS overrides any DNS settings obtained via DHCP Configuring Using the Web UI The following example shows how to configure a DNS server with IP address 192 168 1 2 on the MCR Navigate to System DNS Basic Config Figure 3 98 DNS Menu The following options are available Search Optional parameter A list of domains o...

Page 187: ...e working properly The example below shows the resolution of the name example com to the IP address 192 0 43 10 on a unit that is connected to the Internet Use the control sequence CTRL C to stop the ping utility ping example com PING example com 192 0 43 10 56 84 bytes of data 64 bytes from 43 10 any icann org 192 0 43 10 icmp_req 1 ttl 128 time 184 ms 64 bytes from 43 10 any icann org 192 0 43 1...

Page 188: ...188 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F ...

Page 189: ...on NAT Destination NAT Port Forwarding Translating the destination address and or port of traffic ingressing the unit Destination NAT allows forwarding of traffic directed to a public external network IP address and or port to a private internal network IP address and or port Source NAT Masquerading Source NAT allows private internal network hosts to share the same public external net work IP addr...

Page 190: ... network is not reachable through the higher preference route Link Layer 2 Failover The unit supports this feature by creation of a bond interface in an active backup mode that can aggregate a primary and secondary layer 2 link When primary link is down the secondary link is used to send layer 2 traffic etc From the Interface navigation bar the status may be displayed by clicking on the interface ...

Page 191: ...not vary in bandwidth or for those where no accurate estimation can be made this info should contain the nominal bandwidth For interfaces that have no concept of bandwidth this info is not present Open up the Statistics drop down below the General drop down to view the statistics for the Bridge interface Figure 3 100 Interface Statistics Screen Discontinuity Time The time on the most recent occasi...

Page 192: ...ddressed to a broadcast address at this sub layer including those that were discarded or not sent Out Multicast Pkts The total number of packets that higher level protocols requested be transmitted and which were addressed to a multicast address at this sub layer including those that were discarded or not sent Out Discards The number of outbound packets discarded even though no errors had been det...

Page 193: ...10 10 10 141 23 static LINK LAYER IP ADDRESS ORIGIN STATE 10 10 10 109 00 11 11 e0 2e 70 dynamic stale 10 10 10 98 80 c1 6e f0 3b 7a dynamic reachable LAN 3 8 2 Understanding The unit has external Local Area Network LAN ports ETH1 2 ports that can be used to connect to a local wired LAN It supports both IPv4 and IPv6 addresses and may be assigned multiple IP addresses The LAN port can be assigned ...

Page 194: ...led DEFAULT Disable will prevent usage Eth Phy Rate Choose the Ethernet speed support setting DEFAULT ALL Eth 10Mb Half Eth 10Mb Full Eth 100Mb Half Eth 100Mb Full Vlan Mode Virtual LAN Setting Ethernet port Security Port based Authentication Understanding Orbit devices support Ethernet port security using port based authentication Port based authentication blocks traffic on the front Ethernet por...

Page 195: ...Username the MAC address without punctuation of the peer device connected to Ethernet port Example 00063d089883 Password an encrypted version of the Username Calling Station Id the same as the Username but with hyphens Example 00 06 3d 08 98 83 In both security modes the NAS IP address in the RADIUS request can be static or dynamic A static NAS IP is used when the Orbit s RADIUS configuration cont...

Page 196: ...ingle VLAN Trunk Use this if this interface is intended to be a member of multiple VLANs Enabled Enable or disable the use of an IP address Forwarding Indicates if IPv4 packet forwarding is enabled or disabled on this interface True DEFAULT False Mtu The size in octets of the largest IPv4 packet that the interface will send and receive Range 68 65535 1500 DEFAULT Advanced setting Address Use for c...

Page 197: ...slation of source IP address of the traffic going out of the interface Source NAT Masquerading Use for selecting and applying a source NAT rule set from available source nat rule sets to outgoing traffic on this interface Choices MASQ MASQuerading This rule set translates the source address of the outgoing traffic to use the interface s IP address In general IP masquerading allows the user to use ...

Page 198: ...ence shows how to configure the ETH1 port with a static IPv4 address configure Entering configuration mode private set interfaces interface ETH1 ipv4 address 192 168 1 11 prefix length 24 commit Monitoring Ensure the CLI is in Operational mode Follow the example below to view the state and statistics of the ETH1 port show interfaces state interface ETH1 interfaces state interface ETH1 type etherne...

Page 199: ...ffic on the Ethernet port In MAB security mode the Orbit will block all traffic on the Ethernet port but it still captures Ethernet frame headers so that it can read the source MAC address of ingress traffic The Orbit sends RADIUS PAP Password Authentication Protocol requests for each MAC address that it captures until it receives a RADIUS ACCEPT message from the RADIUS server When the RADIUS ACCE...

Page 200: ... traffic is not blocked security rejected The RADIUS server rejected the last authentication request security pending A RADIUS request was sent and the Orbit is waiting for a response VLAN Operation 3 8 4 Understanding A Virtual Local Area Network VLAN is a logically segmented LAN network that exists across multiple physical LAN devices The VLANs are virtual interface types in the Orbit MCR and ca...

Page 201: ...ure the newly created VLAN After clicking the OK button on the pop up in Creation will automatically take the configuration screen for that interface or click on the new interface located in the Interfaces navigation section Description User defined identifier for the this connection up to 34 characters Enabled Checked indicates enabled DEFAULT Disable will prevent usage Scroll down and set the VL...

Page 202: ...erfaces interface mgmt_vlan vlan config vlan id 99 set interfaces interface video_vlan type vlan set interfaces interface video_vlan vlan config vlan id 300 Operational Modes As previously shown in previous sections interfaces can have three separate VLAN modes none default trunk or access These modes are used to set interface behavior and examples of their use are provided below Trunk To add ETH1...

Page 203: ...runk port is not a member of the native VLAN and an untagged packet arrives on that port the packet will be dropped As VLANs are implemented as bridges and it is not valid for a bridge to be a member of another bridge it follows that a VLAN interface cannot be configured as a member of a bridge VLANs can be configured with IP addresses just as any other interface in the system Monitoring As shown ...

Page 204: ...in the bridge are called routed interfaces Bridging is performed between bridged interfaces Routing is performed between routed interfaces The bridge interface itself is a routed interface NOTE The Cellular interface cannot be added to the bridge and is therefore a routed interface However a GRE interface in ethernet over gre mode can be configured to operate over Cell interface and added to a bri...

Page 205: ...tation mode to the bridge set interfaces interface Bridge bridge settings members wifi station interface Wi Fi Removing LAN ETH1 interface from the bridge delete interfaces interface Bridge bridge settings members port ETH1 Removing WiFi interface in Access Point mode from the bridge delete interfaces interface Bridge bridge settings members wifi ap somessid OR Removing WiFi interface in Station m...

Page 206: ...ted cost 100 designated bridge 8000 0002fd5dd280 designated port 32783 Routing 3 8 6 Understanding The Orbit MCR can forward IP packets between routed interfaces using a network path defined by the user These user defined network paths are known as static routes A static route may be configured if data intended for a specific subnet or IP address must egress a particular onboard NIC As an example ...

Page 207: ... Current routes may be viewed on the unit at any time by navigating to Routing on the left side of the screen The unit s current routes are displayed under the Status tab Figure 3 112 Routing status screen The following information is available Dest Prefix Indicates the destination network s IP address and prefix in either IPv4 or IPv6 format Next Hop If known the next hop router is displayed for ...

Page 208: ...lected The example network path in Figure 3 1 requires an IPv4 address When previous routes have been configured the IPv4 Route table will display all user configured IPv4 static routes are listed as shown below Figure 3 113 List of IPv4 static routes Delete any of the routes in the table by clicking on an entry to highlight it and clicking the Delete button To add a new route click the Add button...

Page 209: ...r is the destination in the example above so the server s address 216 171 112 36 is used with a prefix of 32 Next Hop As mentioned above this is the next routing device that occurs in the network path The example above contains a next hop router at 10 10 10 101 Once all items are configured appropriately click Save in the upper left corner of the screen Refresh the screen to see the new route in t...

Page 210: ... routes ipv4 route 1 description Default route outgoing interface Bridge dest prefix 0 0 0 0 0 next hop 192 168 1 1 commit Monitoring As mentioned in Configuring the unit s routes may be viewed on the web UI by navigating to Routing To view the list of routes in the CLI first ensure the CLI is in operational mode Follow the example below to view the state of the routing table show routing OUTGOING...

Page 211: ...is may occur if a neighbor does not respond to ARPs or neighbor solicitations or responds incorrectly Configuration To add a static IPv4 neighbor to the Wi Fi interface that maps the IP address 192 168 2 99 to the MAC address 00 11 22 33 44 55 first navigate to Interfaces Wi Fi Figure 3 116 WiFi Interface Menu Both IPv4 and IPv6 neighbors may be created This example uses IPv4 but IPv6 neighbors ar...

Page 212: ...or click the Add button The Configure New Neighbor menu appears Enter the neighbor s IP address and click Add Figure 3 118 Add New Neighbor Menu Following the IP address enter the neighbor s link layer address and then the Finish button Figure 3 119 Neighbor link layer address entry Once all items are configured appropriately click Save in the upper left corner of the screen The new neighbor will ...

Page 213: ...operational mode show interfaces state interface ipv4 neighbor LINK LAYER NAME IP ADDRESS ORIGIN STATE Bridge 192 168 1 3 00 80 c8 3b 97 bb dynamic reachable 192 168 1 2 00 12 17 5c 4f 2d dynamic reachable Wi Fi 192 168 2 65 74 de 2b a7 15 0a static reachable 192 168 2 99 00 11 22 33 44 55 static reachable The following information is available Name Name of the interface IP The neighbor s IP addre...

Page 214: ... outgoing direction on an interface For example a filter applied to the cellular WAN interface of the MCR is typically very restrictive permitting only a small set of traffic to enter the unit whereas outgoing filter might permit all outgoing traffic etc The MCR includes the four pre configured filters shown below Table 3 18 Predefined Filter Names and Default Settings Filter Name Actions IN_TRUST...

Page 215: ...er The first rules are added to permit the desired types of traffic and a final rule or default policy is created that denies all other traffic The example filter rules below permit SSH traffic on TCP port 22 and ICMP messages such as pings and routing error notifications All other traffic is denied Rule 1 permit protocol tcp dst port 22 Rule 2 permit protocol icmp Rule 3 deny everything Or create...

Page 216: ...stricts incoming traffic Incoming IPsec tunnel traffic is allowed as are UDP services DNS NTP and IKE to allow IPsec connection setup Incoming TCP services SSH and NETCONF are also permitted to allow management of the MCR via the cellular interface All other incoming traffic is denied Using the Access Control List Wizard The Access Control List Wizard is the web UI s simplest way to create delete ...

Page 217: ...zard displays the list of existing packet filtering rules on the device The MCR comes with four pre configured filters IN_TRUSTED IN_UNTRUSTED OUT_TRUSTED and OUT_UNTRUSTED Existing filters may be edited or deleted or a new one may be added To create a new filter click Add then Yes to verify the creation of a new filter Enter the name of the new filter for example Cell_Input_Filter Click OK to con...

Page 218: ...rules The following options are available Order Click the arrows to sort rules in order of priority Rules with higher priority are applied before rules with lower priority rule sets containing more than one rule should be sorted accordingly Protocol All SCTP TCP UDP ICMP ESP Specifies the IP protocol of traffic that the rule should be applied to ICMP When selected the rule will only apply to that ...

Page 219: ...urce Port Apply rule to traffic that originates at a specific source port This option is available only with protocols SCTP TCP and UDP Services Services Port Range Not Services Not Port Range Services Apply rule to traffic originating from one or more designated well known service source ports The services must be specified by name and separated by commas Port Range Apply rule to traffic originat...

Page 220: ...e Accept Allow packets to ingress or egress the unit Drop Block packets from ingress or egress Reject Block packets from ingress or egress and send an error message to the sender When ICMP protocol is selected a rejection message may be chosen Reject Type Net unreachable Host unreachable Port unreachable Proto unreachable Net prohibited Host prohibited Admin prohibited Log Optional Allows packets ...

Page 221: ...oming traffic will have these well known service ports as its destination port Set Destination Port to Services and enter netconf Ssh in the textbox next to Services Again ensure that Actions is set to Accept and Log Level can be set to Debug Figure 3 129 Creation of a packet filter rule for inbound TCP traffic The last step in the creation of a restrictive filter is a default rule to deny all tra...

Page 222: ...icipate that it will require outbound traffic restrictions in the future To allow interface specific customization we create a new packet filter To create a new filter click Add then Yes to verify the creation of a new filter Enter the name of the new filter for example Cell_Output_Filter Click OK to continue Using the Add new rule button enter each new rule as required After clicking Add New Rule...

Page 223: ... the Firewall service is running each network interface and IPsec connection on the device must be assigned an input and output packet filter Otherwise no traffic will flow By default each network device uses IN_TRUSTED and OUT_TRUSTED as filters Since the filters just created in this example are intended for the cellular interface click the In dropdown box next to the Cell interface and select th...

Page 224: ...d apply the changes click Submit To view the list of packet filters that exist on the device at any time navigate to Firewall Basic Config and view the list of filters in the Filter tab Change the packet filters applied to a network interface by navigating to Interfaces and click on the desired interface from the navigation bar Navigate to the Basic Config tab The input and output filters appear i...

Page 225: ...ion accept NOTE The rule stated in step 5 permits SSH or NETCONF connection addressed to the cellular interface s IP address If it is desired that SSH or NETCONF connection only be allowed via the VPN tunnel then remove rule 3 and instead apply appropriate filter to IPsec connection Create the last rule for this restrictive filter to deny everything else Note that rules are applied in 6 ascending ...

Page 226: ...sts in the private network will appear to have originated from a single IP address The IP address of the public interface of the MCR typically the cellular interface To allow return IP traffic for UDP TCP connections to be delivered to the right private host the MCR also performs source port translation Therefore masquerading consists of Network Address and Port Translation NAPT Figure 3 136 Sourc...

Page 227: ...cell interface The following example will illustrate the necessary steps in three ways Using the Source NAT wizard through the web UI and via the CLI Using the Source NAT Wizard The Source NAT Wizard allows the creation or editing of Source NAT rule sets First navigate to Wizards and click Source NAT Masquerading from either the navigation bar or the main Wizards page Figure 3 138 Configuration Wi...

Page 228: ...the checkbox next to an existing rule set and click Edit Selected or Delete Selected to modify existing rule sets To create a new rule set click the Add button Enter a name and click Ok to continue Figure 3 140 List of rules in current source NAT rule set The next menu shows all rules contained within the new rule set Since the rule set is new it has none Click Add New Rule to add one The rule cre...

Page 229: ...t does not originate from a specific source address range Not Address Set Apply rule to traffic that does not originate within a non contiguous set of source addresses Destination IP Apply rule to traffic that ingresses the unit at a specific address or addresses Mode Options All Apply rule regardless of destination address The example above uses this configuration Address Apply rule to a specific...

Page 230: ...ellular interface Click Next to continue Figure 3 142 Source NAT Wizard Summary Page A summary page appears that displays the changed items in the configuration s data model and the types of changes that occurred To save and apply the changes click Submit Using the Web UI The following process creates the same Source NAT rule set as the example above using the web UI instead of the Source NAT Wiza...

Page 231: ...s all current source NAT rule sets on the device To edit an existing rule set simply click on the rule set s name To delete an existing rule set highlight it and click the Delete button To add a new rule set click the Add button The Configure Rule Set Details menu appears Figure 3 146 Add New Rule Set menu First enter a name for the new rule set and click the Add button Figure 3 147 Rule Set Displ...

Page 232: ... be processed after a rule of ID 1 Therefore if the rules in a rule set should be applied in a particular order care must be taken to set the IDs accordingly In this example only one rule is required Clicking the Add button leads to additional items to configure for new rule Figure 3 149 Rule menu The following main sections can be accessed from this screen Match Edit this section if the rule shou...

Page 233: ...ource address to the specified address For this example rule select Interface Figure 3 151 Source Creation Click the check box from the left of Interface to apply this specifier to the rule Once finished click the Save button in the upper left corner of the screen The finished Rule will then populate the table Now the rule set must be applied to the desired interface Navigate to Interfaces and cli...

Page 234: ...Example rule 1 source nat interface Apply this source NAT rule set to the cellular interface 4 set interfaces Cell nat source Example Commit configuration and exit configuration mode 5 commit Monitoring At this time there are no commands to monitor traffic statistics for packets being masqueraded by the firewall This feature may be added in future revisions of firmware Destination NAT Port Forward...

Page 235: ...ss Configuring Destination NAT configuration on MCR involves following high level steps Create a destination NAT rule set 1 Add one or more rules to perform destination NAT for specific incoming traffic on the public 2 interface Apply the destination NAT rule set to the public interface 3 The following example describes the step by step configuration of an example destination NAT rule set to perfo...

Page 236: ...ion Wizards menu Figure 3 156 Port Forwarding Wizard Introductory Page The wizard s introduction page appears Click Next to continue Click Add to create a new rule set and enter name for the new rule set Spaces are not allowed use the underscore character instead Click OK to continue ...

Page 237: ...rs Figure 3 159 Creating a new destination NAT rule The following options are available within the rule creation menu Order Click the arrows to sort rules in order of priority Rules with higher priority are applied before rules with lower priority rule sets containing more than one rule should be sorted accordingly Protocol Options All SCTP TCP UDP ICMP ESP Specifies the IP protocol of incoming tr...

Page 238: ...esses Address Set Apply rule to a non contiguous set of destination addresses Not Address Apply rule to traffic that does not ingress at a specific address and prefix Not Address Range Apply rule to traffic that does not ingress at a specific destination address range Not Address Set Apply rule to traffic that does not ingress at a non contiguous set of destination addresses Incoming Port Apply ru...

Page 239: ...lays the items in the configuration s data model that were changed and type of changes that occurred To save and apply the changes click Submit Using the Web UI To view the list of destination NAT rule sets that exist on the device at any time navigate to Firewall Basic Config Destination NAT Figure 3 162 List of destination NAT rule sets ...

Page 240: ...2 set services firewall nat destination rule set IO_SERVICES Create a rule to port forward Modbus TCP traffic that enters the cellular interface on port 5512 to 3 port 512 on the private HOST 1 set services firewall nat destination rule set IO_SERVICES rule 1 match protocol tcp set services firewall nat destination rule set IO_SERVICES rule 1 match dst address address 10 150 1 10 32 set services f...

Page 241: ...ive MCRs cellular network connection to a VPN gateway on a back office network 172 16 1 0 24 Both subnets which are located in separate sites have the same IP address schemes 192 168 1 0 24 Two networks with the same IP addresses would result in routing issues so each MCR is configured with static NAT so that the local internal subnet 192 168 1 0 24 translates to a different external IP address bl...

Page 242: ...ing the Static NAT Wizard The following example demonstrates step by step static NAT configuration for Network A shown in Figure 3 164 During this example assume the following An IPsec connection named Network_A_IPsec_Connection is already created and configured on 1 the Orbit MCR in Network A Refer to Section 3 8 12VPN for more information on creating an IPsec connection Network B has already bee...

Page 243: ... Static NAT Wizard The following options are available within the rule creation menu Order Click the arrows to sort rules in order of priority Rules with higher priority are applied before rules with lower priority rule sets containing more than one rule should be sorted accordingly External Address The external address is the address that is translated to an internal address This is the rule 1 ma...

Page 244: ... rule list from the dropdown box to the right of the interface or IPsec connection and click Next to continue A summary page appears that displays the items in the configuration s data model that were changed and type of changes that occurred To save and apply the changes click Submit To view the list of destination NAT rule sets that exist on the device at any time navigate to Firewall Basic Conf...

Page 245: ...ration and exit configuration mode 5 commit VPN 3 8 12 Understanding Orbit supports following types of Virtual Private Network VPN setups 1 Site to Site Policy Based IPsec L3VPN This is enables routing of traffic to from single local LAN of Orbit from to single remote LAN on the other side of the Remote IPsec router through an IPsec tunnel Only unicast IP traffic matching the local and remote subn...

Page 246: ...e remote LANs on the other side of the Remote IPsec router through a single GRE tunnel protected by transport mode IPsec connection Orbit also supports VLAN trunking over GRE tunnel for a case where there is more than one LAN behind Orbit and remote router Orbit Remote IPsec Gateway Router Local LAN 192 168 1 0 24 Remote LAN 192 168 1 0 24 Customer Network Internet Cellular network GRE tunnel prot...

Page 247: ...standards it was created by Cisco and hence is primarily only supported by Cisco routers designed for use as IPsec hub routers Orbit Spoke HUB Router LAN 10 0 2 0 24 LAN 10 0 1 0 24 Customer Network Internet Cellular network GRE Tunnels protected by transport mode IPsec connections Orbit Spoke 10 0 3 0 24 Cell WAN IP 2 2 2 2 GRE Tunnel IP 172 16 0 2 Cell WAN IP 3 3 3 3 GRE Tunnel IP 172 16 0 3 WAN...

Page 248: ...iation SAs during this phase setting up a secure channel for negotiating IPSec SAs in phase 2 IKE Phase 2 IPsec Security Association IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers Data Transfer Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database Both the IKE and the IPsec connections have limited lifetimes These l...

Page 249: ...on The role specifies whether Orbit initiates the connection initiator or it waits for the connection from the peer responder This should usually be set to initiator Configure an IPsec policy specifying ESP cipher suites to be included in the proposal during IKE 8 phase 2 Configure an IPsec connection specifying IKE peer IPsec policy and local and remote private IP 9 subnets NOTE The above configu...

Page 250: ...r authentication will fail See section 3 7 1 Date Time and NTP on Page 162 In this example we assume that the pre shared key based authentication is used The VPN Setup Wizard is the simplest way to configure a VPN connection on the unit First navigate to Wizards and click on VPN Setup from the navigation side bar Figure 3 167 VPN Wizard Selection and Start Screen Click Next to continue The next sc...

Page 251: ...tup Selection Screen Click Next to continue The next screen shows an example network diagram for the selected setup Figure 3 169 VPN Setup Network Diagram Click Next to continue The next screen requires one to specify a name for this VPN connection Figure 3 170 VPN Specifying Name ...

Page 252: ...DN Force local address for this connection to an IP address resolved by the specified fully qualified domain name FQDN Local Identity Default address FQDN user FQDN DN Default Defaults to local IP address when using pre shared key based authentication and to the DN of the local certificate when using certificated based authentication Address Use the specified IP address as the local IKE identity F...

Page 253: ...the Orbit is the initiator it uses IKE v2 If the Orbit is the responder it accepts either IKE v1 or IKE v2 according to the policy proposed by the initiator IKE v1 As an initiator or responder the Orbit uses only IKE v1 IKE v2 As an initiator or responder the Orbit uses only IKE v2 Auth Method Public key EAP TTLS Pre shared key Public key Use RSA ECDSA public key based authentication NOTE The cert...

Page 254: ...d prior to running the VPN Setup Wizard The following options are available only when the authentication method chosen is Pre shared key Pre shared Key The pre shared key itself Click Next to continue The next screen requires configuration of IKE phase 1 and IPsec phase 2 ciphersuite encryption algorithm integrity MAC algorithm DH group Also local IP subnet and remote IP subnet needs to be configu...

Page 255: ...of the key in the Diffie Hellman key exchange Higher groups include more bits and are thus more secure but require more time to complete the key exchange For phase 2 ciphersuite configuration DH group is optional It needs to be configured only if perfect forward secrecy PFS is desired The local and remote subnets should also match those configured on the peer Local IP Subnet The local IP subnet be...

Page 256: ... cases However in case one needs to configure some advanced setup or manipulate parameters that are not available for configuration in the wizard one can navigate to Services VPN to get full access to VPN service configuration Figure 3 171 VPN Service Configuration The IKE panel includes configuration for IKE policy and peer settings When VPN wizard is used for configuration it automatically confi...

Page 257: ...the IPsec connection is detected Life Time 15 1440 The time interval in minutes after which the IKE security association expires DPD Enabled Enable Disable Enabling dead peer detection DPD clears an established VPN connection when a dead peer is detected and tries to establish a new one DPD Interval 30 3600 Specifies the number of seconds to wait before declaring a peer dead This should be set to ...

Page 258: ...ection See section 3 8 8 Access Control List Packet Filtering Firewall for more information An inbound filter to the connection must be applied or no traffic will pass If a filter hasn t been created specifically for the VPN connection use the preconfigured filter IN_TRUSTED which allows all inbound traffic Outbound Firewall Filter Apply an existing packet filter to the outgoing traffic on this co...

Page 259: ...t to no less than 300 seconds 5 minutes to reduce the periodic traffic in the network set services vpn ike peer VPN GW ike policy IKE POLICY 1 set services vpn ike peer VPN GW local identity default set services vpn ike peer VPN GW peer endpoint address 172 18 175 40 set services vpn ike peer VPN GW peer identity default set services vpn ike peer VPN GW role initiator set services vpn ike peer VPN...

Page 260: ...uth method pub key Configure Public Key Infrastructure PKI security credentials 2 d Certificate type as rsa if RSA public key encryption based certificates are being used e Client certificate ID This is the ID that was assigned to the client certificate obtained via SCEP or loaded manually assumed to be ID 1 f Client private key ID This is the ID that was assigned to the client private key generat...

Page 261: ...otocol all set services firewall filter IN_UNTRUSTED rule 12 actions action drop 2 Add following rules to OUT_UNTRUSTED filter that is applied to the Cell interface in the outgoing direction set services firewall address set CELL IP set services firewall filter OUT_UNTRUSTED rule 1 match src address address set CELL IP set services firewall filter OUT_UNTRUSTED rule 1 match src address add interfa...

Page 262: ...F Figure 3 174 VPN Status Under IKE panel click on the IKE security association row to view the detailed status Figure 3 175 VPN IKE Security Association Detailed Status Under IPsec panel click on the IPsec security association row to view the detailed status ...

Page 263: ...175 138 local id 172 18 175 138 remote host 172 18 175 40 remote id 172 18 175 40 initiator true initiator spi b19beb547030c7c3 responder spi 259b6cf8efb75dcc ciphersuite AES_CBC 128 HMAC_SHA2_256_128 PRF_HMAC_SHA2_256 MODP_2048 established time 5590 rekey time 4584 reauth time 1773488 services vpn ipsec security associations security association 40 name SRX240 1_t1 state INSTALLED mode TUNNEL udp...

Page 264: ...ablished device can take 2 few minutes to sync time from NTP server VPN connection will not succeed until time is synchronized Mismatch in cipher suites configured for IKE policy on device and peer VPN gateway 3 Mismatch in cipher suites configured for IPsec policy on device and peer VPN gateway 4 Mismatch in remote and local IP subnets configured for IPsec connection on device and peer VPN 5 gate...

Page 265: ...This value is only used if the client doesn t include a lease time in its DHCP request In IPv6 addressing this is also known as valid lifetime Min Lease Time The minimum number of seconds that a client s lease is valid If a client requests a lesser minimum lease time this value is used instead Max Lease Time The maximum number of seconds that a client s lease is valid If a client requests a greate...

Page 266: ...ration options are required Range Start The start of the range of IP addresses to be assigned Range End The last of the range of IP addresses to be assigned The following configuration options are optional Broadcast Address Address that clients should use for broadcast messages Router The IP address that the client should use as its default gateway This may be the unit s address Domain Name Server...

Page 267: ...esses to be assigned Range End The last of the range of IP addresses to be assigned Once all configuration is complete click Save Using the CLI The following shows an example of configuring DHCP service on the unit The unit will administer IPv4 addresses from the 192 168 x x network when requests are received from DHCP clients Enter the subnet s IPv4 address and prefix and click Add A menu appears...

Page 268: ...TCP connection is established then serial traffic from the COM port can pass to and from the TCP port as long as the TCP connection remains established When a terminal server on the unit is configured as a MODBUS TCP server then the unit listens on a TCP port for a client connection Once a TCP connection is established the unit will convert the incoming MODBUS TCP frame into either a MODBUS RTU or...

Page 269: ...e is detected the login prompt is presented as long as the port is enabled for console access Basic Setup of UDP Terminal Server Configuring The following shows how to enable a UDP terminal server on COM1 Navigate to Serial Basic Config Terminal Server Figure 3 182 Terminal Server Start Screen Click on Add and select the serial port for use by typing in COM1 or select after clicking on the button ...

Page 270: ...T Point to Multipoint Multipoint to Point Multipoint to Multipoint Local IPS Ipv4 IPS Configure to IPv4 address or leave blank for all Ipv6 IPS Configure to IPv6 address or leave blank for all Port The local port of the server 0 65535 30011 DEFAULT Remote Address The IPv4 IPv6 address Port The UDP port used when sending serial data to the remote address 30011 DEFAULT When selecting one of the Mult...

Page 271: ... pass through routers to a specified number of hops Setting TTL to a value of 0 restricts the frame to the same host Setting TTL to a value of 1 restricts the frame to the same subnet Setting TTL to a value of 32 restricts the frame to the same site Setting TTL to a value of 64 restricts the frame to the same region Setting TTL to a value of 128 restricts the frame to the same continent Setting TT...

Page 272: ...30 sec DEFAULT If TCP Client Server is selected options for both TCP Client and TCP Server are available below displays the client side configuration Figure 3 188 TCP Terminal Client Settings Screen Remote Address The IPv4 IPv6 address used when sending serial data Port The local port of the server 0 65535 30011 DEFAULT Idle Timeout The time interval in secs after which a tcp connection is disconn...

Page 273: ...nit handles the transmission of the multicast UDP packets This static route must define the Outgoing Interface for the Orbit to use to get to a Destination Prefix of the full multicast subnet of 224 0 0 0 4 It is also recommended that a multicast static route be configured on each multipoint unit NOTE If a unit participates in multiple multicast groups and each of these groups are accessible via d...

Page 274: ...IPv4 2 Click on Add 3 Type a numeric ID 220 which will be used to identify this route and click Add 4 Enter the following 224 0 0 0 4 This destination prefix will cover the entire Multicast Subnet and 5 send all Multicast data out of the Bridge interface Figure 3 190 Example Static Route Settings Save the configuration 6 View the finished IPv4 Route table to view that the route is present 7 Figure...

Page 275: ...box Configure the UDP Mode that best fits the system configure any local ports remote ports IPs and 14 Multicast ports IPs Figure 3 192 Example UDP TS Configuration Save the configuration 15 Command Line Interface CLI NOTE Change plain text italics as appropriate to set up the system Configure the following set routing static routes ipv4 route 220 dest prefix 224 0 0 0 4 outgoing interface Bridge ...

Page 276: ...Rx Packets The number of IP packets received IP Rx Bytes The number of IP bytes received Serial Tx Packets The number of serial packets transmitted Serial Tx Bytes The number of serial bytes transmitted Serial Rx Packets The number of serial packets received Serial Rx Bytes The number of serial bytes received From the CLI ensure the CLI is in operational mode Follow the example below to view the s...

Page 277: ...guration Therefore device management is allowed solely on ETH1 s IP address Figure 3 194 Device Management Example Network A contractor s laptop should be able to access the corporate intranet through the WiFi connection while remaining unable to manage the MCR Configuration Web UI HTTP HTTPS Configure To limit services to a specific statically assigned IP address navigate to Web Server Basic Conf...

Page 278: ...ent or empty the server will listen on all IPv6 addresses TLS Certificate The certificate to use for the HTTPS server If empty or not present a self signed certificate key pair will be used TLS Private Key The private key which matches the specified TLS certificate If empty or not present a self signed certificate key pair will be used As show in the screen above both HTTP and HTTPS web services c...

Page 279: ...nfigure To configure SSH to listen only to a specific address navigate to SSH Server Basic Config Figure 3 198 SSH Menu Enabled Whether or not to run the netconf server Default true Port The port to listen to netconf connections on Default 830 IPv4 Bind IPs Restrict the server to only listen for connections on the specified IPv4 addresses If not present or empty the server will listen on all IPv4 ...

Page 280: ...server to only listen for connections on the specified IPv6 addresses If not present or empty the server will listen on all IPv6 addresses Click Add an Entry next to IPv4 Bind IPs or IPv6 Bind IPs to access a dropdown box containing all IP addresses on the device Select the IP address belonging to the appropriate interface and click Add Once configuration is complete click Save CLI Configure To co...

Page 281: ...rfaces The Remote Management Service allows you to use the web UI of a radio to manage a second radio remotely You can also peform a broadcast firmware update from one radio typically the AP to other radios in the network Standard Web UI sessions and individual radio firmware push are prohibitively expensive on low bandwidth channels Remote management offers a far less bandwidth intensive means to...

Page 282: ...nical Manual MDS 05 6632A01 Rev F Figure 3 200 Narrowband example network Configuration Using the WebUI Navigate to Services Remote Management and click the Basic Config tab Figure 3 201 Basic configuration for Remote Management ...

Page 283: ...ed secret used to allow remote connections to or from the device It must be the same on both sides of the connection For greater security we recommend that you change this password and do not use the default DEFAULT rmadmin Firmware Enabled Enables the unit to either push firmware to other Orbit devices on the network or receive firmware pushed by other devices This feature must be enabled on both...

Page 284: ...k to reboot to the specified image version The Remote Management Service must be enabled on each remote radio in order for them to receive the request Interface The network interface on which to transmit the reboot request If a desired network interface is present in a bridge you must enter the bridge s name in this field Image Version Select either onboard firmware version Each remote Orbit unit ...

Page 285: ...rvice and TX Rate and Block Size parameters are set to their most conservative values Interface The network interface on which to transmit the reboot request If a desired network interface is present in a bridge you must enter the bridge s name in this field Image Version Select either onboard firmware image TX Rate Desired firmware transfer rate in kbps You may also enter 1 to transfer data as fa...

Page 286: ...cal unit and port 8080 Only HTTP connections not HTTPS are possible at the present time Server IP Address Enter the IPv4 address of the remote unit that you wish to connect to When you click Perform Action a new browser tab opens that contains the remote web UI To show that the web UI is a remote session the webpage header reads GE MDS Device Management Remote Popup blockers on some web browsers m...

Page 287: ...lso open a remote web UI session on Orbit LnRadio and NxRadio interfaces status menus if the local radio is serving as an access point To do so navigate to Interfaces LnRadio Status or Interfaces NxRadio Status and expand the LN Radio or NX Radio menu as applicable In the Connected Remotes list highlight the intended remote unit and click Remote Web Connect Figure 3 206 Connected Remotes display L...

Page 288: ...General Status Displays whether the service is currently running Web Proxy Client Status The current state of the web proxy client Disabled The radio is currently not connected to a remote web UI Operating A remote web UI session to another radio is currently open Web Proxy Server Status The current state of the web proxy server Disabled The unit is not accepting remote web connection requests Ope...

Page 289: ...ration mode The following command requests remote units to reboot to image version 4 0 4 request services remote management reboot remote devices interface Bridge which image version 4 0 4 The following command requests remote units to reboot to the active image version of the current radio For example if the local radio s active firmware image is version 4 0 0 remote radios will receive a request...

Page 290: ...c For example with business critical traffic like SCADA traffic shaping can be setup to guarantee that this class of traffic will always have at least 100Kbyte s of an 800Kbyte s link regardless of the amount of other traffic The remaing unclassified traffic can use the entire 800Kbyte s link as long as there is no SCADA traffic but as soon as SCADA traffic resumes it will be given at least 100Kby...

Page 291: ...ss Interface Bridge Ethernet Classifiers IPv4 Classifiers Packet Queue Egress Interface Figure 3 210 Packet classification of bridged traffic It is important to note that the Ethernet classifiers are only pertinent to traffic that is bridged through the system By design Orbit QoS will affect data priorities if and only if the interface is saturated For example QoS configured as GOOSE traffic treat...

Page 292: ...hat QoS is Enabled Figure 3 211 Enabling QoS To create a classifier for GOOSE messages click Add in the Classifier submenu The Configure Classifier Details appears Figure 3 212 Naming a new classifier Give the new classifier a name and click the Add button A menu bearing the classifier s name appears to configure it Figure 3 213 QoS classifier configuration The following options are available on t...

Page 293: ...ew match rule First give the new match rule a name and click the Add button Figure 3 215 Match Menu A match rule can be created to classify on either IPv4 or Ethernet In this example we use ether type to classify GOOSE messages To classify based on ether type click the check box to the left of Ether Type Figure 3 216 Ether type classification menu The following options are available on the Ether T...

Page 294: ...ler Higher priority packets will always be serviced first If there is excessive high priority traffic lower priority packets may be lost Fairness A fairness policy attempts to split up the traffic into different groups which it services in a round robin fashion to ensure one traffic flow does not prevent others from using the link A fairness policy determines traffic flows on its own and does not ...

Page 295: ...ppears Figure 3 221 Configuring a QoS priority class The following options are configurable Priority 1 16 This is the priority to be assigned to packets that match the classifier 1 is the highest priority and 16 is the lowest Classifier Any existing QoS classifier Next policy If a QoS fairness policy was created it may be applied it to this priority class In this case traffic matching this priorit...

Page 296: ...an interface Using the CLI Example Prioritize traffic with a particular ether type above all other traffic This example will create a QoS policy that uses a classifier to prioritize GOOSE messages above all others First ensure that QoS is enabled set services qos enabled true To set up the classifier set services qos classifier GOOSE match M1 ethernet ether type protocol goose To set up the policy...

Page 297: ...FTP match M1 ipv4 dst port services ssh set services qos classifier FROM1234 match M1 ipv4 src address address 1 2 3 4 32 set services qos policy Policy1 prioritization class HIGH priority 1 classifier FROM1234 set services qos policy Policy1 prioritization class BULK priority 15 classifier SFTP set services qos policy Policy1 prioritization default priority 5 This creates a policy with three clas...

Page 298: ... match M1 ipv4 protocol not assigned number tcp src address address 1 2 3 4 32 match M2 ipv4 protocol assigned number tcp src address address 1 2 3 4 32 dst port not services ssh This will make the classifier match everything from 1 2 3 4 that is not TCP and everything from 1 2 3 4 that is TCP and port is not SFTP The coupling of ports to IP protocols complicates negating ports Either constricting...

Page 299: ...sifier VIDEO match M1 ipv4 dst port port range 8080 set services qos policy HTB shaping htb class GOOSE priority 0 committed rate 100 max rate 800 classifier GOOSE set services qos policy HTB shaping htb class VIDEO priority 1 committed rate 200 max rate 400 classifier VIDEO set services qos policy HTB shaping htb class OTHER priority 16 committed rate 500 max rate 800 set services qos policy HTB ...

Page 300: ...aps informs The agent supports v1 traps v2c v3 traps and informs Ability to configure a list of SNMP targets managers that shall receive traps and informs The unit sends SNMP traps informs to the configured SNMP targets managers when events are logged and if the SNMP notification has been enabled for those events Standard MIBs supported SNMPv2 MIB RFC 3418 SNMP COMMUNITY MIB RFC 3584 SNMP USER BAS...

Page 301: ...s agent Configuration of the SNMP agent community List of communities notify List of notify names and tags system System group configuration target List of targets for notifications traps informs usm Configuration of the User based Security Model vacm Configuration of the View based Access Control Model In the Web UI these are provided on the screen by Navigating to SNMP Agent Advanced Config ...

Page 302: ...302 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F Figure 3 224 SNMP Main Page ...

Page 303: ...to r current folder For example for ORBIT MCR product the 1 MIB package is named mcr mib X_Y_Z zip where X Y Z is the corresponding firmware version Use snmpwalk tool to do SNMP walk on the unit only small subset of output is shown for the 2 sake of brevity snmwalk M c public v2c 192 168 1 1 internet SNMPv2 MIB sysDescr 0 STRING GE MDS Orbit SNMP Agent SNMPv2 MIB sysObjectID 0 OID MDS ORBIT SMI MI...

Page 304: ...es Port UDP protocol port to be used for communication Valid values 0 65535 Default 161 Max Message Size The privacy mode to use on this interface Debug Enabled The privacy mode to use on this interface Agent Version settings V 1 SNMP version 1 Only requires a plain text community with 32 bit counters and minimal security V 2C SNMP version 2 C DEFAULT V 2c is basically equivalent to version 1 exce...

Page 305: ...ent version v1 set services snmp agent version v2c set services snmp agent engine id from mac Create SNMP community named public with security name public 1 On the Web UI click on the community panel under advanced config tab on SNMP Agent main screen and set verify the parameters Filling in the parameter values can be accomplished via the CLI using the following commands set services snmp communi...

Page 306: ... commands set services snmp vacm view internet subtree 1 3 6 1 included VACM group A VACM group is used to organize a set of users in case of SNMP v3 or a set of community security names in case of SNMP v1 and v2c for the purpose of managing their access rights to MIB parameters OIDs For example in the case below the group name is all rights with one member whose security name is public as defined...

Page 307: ...an be accomplished via the CLI using the following commands set services snmp vacm group all rights member public sec model v1 v2c set services snmp vacm group all rights access any no auth no priv read view internet Click Save on the Web UI 3 Via the CLI using the following commands commit Configuring the SNMP agent for v3 only operation w Authentication and Encryption The example below assumes S...

Page 308: ...agent version v1 delete services snmp agent version v2c set services snmp agent version v3 Create a local user named User1 with SHA1 authentication with password sha1Password and 2 AES encryption with password aesPassword Click on the Add button in the User table and then enter User 1 Once done click the Add button This will then prompt the user for additional information ...

Page 309: ...onfiguration Choices select from the pulldown Sha DEFAULT secure hash algorithm SHA 1 a cryptographic hash function producing a 160 bit 20 byte hash value Md5 message digest 5 cryptographic hash function producing a 128 bit 16 byte hash value SHA Key Type Choices select from the choices pulldown Password DEFAULT Used to create a localized key Key 20 byte Authentication key MD5 Key Type Choices sel...

Page 310: ...AULT Used to create a localized key Key 20 byte Authentication key Filling in the User1 information values can be accomplished via the CLI using the following commands set services snmp usm local user User1 auth sha password sha1Password set services snmp usm local user User1 priv aes password aesPassword Create VACM group named secure and add User1 to this group with security model usm 3 Also ens...

Page 311: ... MDS Orbit MCR ECR Technical Manual 311 Click on Add and configure a name for the group In this example the group name will be 4 secure Once finished click the Add button which will present additional configurable fields 5 ...

Page 312: ...el 7 Read View The name of the MIB view of the SNMP context authorizing read access Write View The name of the MIB view of the SNMP context authorizing write access Notify View The name of the MIB view of the SNMP context authorizing notify access Filling in the VACM Group parameter values can be accomplished via the CLI using the following 8 commands set services snmp vacm group secure member Use...

Page 313: ...y above specifies a SNMP notify name e g std_v1_trap the tag e g std_v1_trap and the type of notification trap or inform The notify and tag names are kept the same for ease of configuration of SNMP targets The SNMP notify name is used to lookup up the tag in notify table that in turns is used to look up all the SNMP targets in target table to which the SNMP notification needs to be sent Each event...

Page 314: ...values can be accomplished via the CLI using the following commands set services snmp agent version v1 Configure SNMP manager as a target TARGET 1 v1 that listens on port 5000 has IP address 2 of 192 168 1 2 can receive v1 traps tag std_v1_trap with security name of public ...

Page 315: ...ds set services snmp vacm group all rights access any no auth no priv notify view internet Click Save on the Web UI 4 Via the CLI using the following commands commit To test above configuration start an SNMP trap receiver like snmptrapd with configuration file as shown below and generate ssh_login event by logging into the Orbit via SSH snmptrapd conf engineID testing snmpTrapdAddr 0 0 0 0 5000 au...

Page 316: ...RGET 1 v2c port 5000 set services snmp target TARGET 1 v2c tag std_v2_trap set services snmp target TARGET 1 v2c v2c sec name public Give the VACM group named all rights as configured in previous examples notify access to 3 internet view set services snmp vacm group all rights access any no auth no priv notify view internet Commit configuration 4 commit To test above configuration start an SNMP tr...

Page 317: ...and generate ssh_login event by logging into the Orbit via SSH NOTE When using SNMPv3 traps the Orbit is the authoritative engine since it is the one sending the trap Therefore the user created in snmptrapd conf must be tied to the EngineID of Orbit The EngineID of Orbit can be obtained by running following command run show SNMP FRAMEWORK MIB snmpEngine snmpEngineID SNMP FRAMEWORK MIB snmpEngine s...

Page 318: ...ion 4 commit To test above configuration start an SNMP trap receiver like snmptrapd with configuration file as shown below and generate ssh_login event by logging into the Orbit via SSH snmptrapd conf engineID testing snmpTrapdAddr 0 0 0 0 5000 authCommunity log execute net public doNotFork yes snmptrapd M Lo c snmptrapd conf NET SNMP version 5 4 3 2014 04 22 16 02 17 192 168 1 1 UDP 192 168 1 1 1...

Page 319: ...group secure as configured in example on SNMP v3 only 4 configuration with security model usm Also ensure VACM group secure has notify access to internet view under usm security model and auth priv security level set services snmp vacm group secure member User1 sec model usm set services snmp vacm group secure access usm auth priv notify view internet Commit configuration 5 commit To test above co...

Page 320: ... SM MIB usmStats usmStatsWrongDigests 0 SNMP USER BASED SM MIB usmStats usmStatsDecryptionErrors 0 show SNMP MPD MIB SNMP MPD MIB snmpMPDStats snmpUnknownSecurityModels 0 SNMP MPD MIB snmpMPDStats snmpInvalidMsgs 0 SNMP MPD MIB snmpMPDStats snmpUnknownPDUHandlers 0 show SNMP TARGET MIB SNMP TARGET MIB snmpTargetObjects snmpUnavailableContexts 0 SNMP TARGET MIB snmpTargetObjects snmpUnknownContexts...

Page 321: ...if 6 successive pings fail or succeed Enabled Whether or not to run this operation Type Type of monitor operation Icmp Echo Monitor Dst Host Destination IP address or DNS name to send icmp echo to Src Address Source address to use for icmp echo request Interval Time interval in seconds between icmp echo requests Value range 1 86400 DEFAULT 5 Timeout Time to wait in milliseconds for icmp echo respo...

Page 322: ...r Failback 3 8 20 Understanding The unit incorporates integrated bridging and routing functionality with multiple wired and wireless interfaces The reliability of network links can be enhanced using network link failover failback features The unit supports following two types of network link failover and failback features Route Layer 3 Failover The unit supports this feature by enabling configurat...

Page 323: ...nected to remote MCR called REMOTE hereafter that has both 900 MHz radio NX and Cellular radio options The IP packets sent by back office application to the remote asset are normally routed by the back office router R1 towards MCR configured as the NX AP called AP hereafter The IP packets sent by remote asset to the back office application are normally routed by the REMOTE towards the AP Both R1 a...

Page 324: ...work 2 A network link monitoring operation that checks connectivity to each remote over the primary 3 interface and that enables primary route to be used when connectivity is up and secondary route to be used when connectivity is down Primary and secondary routes towards each Remote LAN network 4 The user should refer to user manual of the specific device to configure these features REMOTE 1 Confi...

Page 325: ... 325 Configure Network Monitor Operation Configure a NETMON service icmp echo monitor operation named NX LINK CHECK that does a 3 periodic link check by pinging R1 over NX interface Please refer to NETMON service section for further help with configuration ...

Page 326: ...ack office network 10 10 1 0 24 with NX as the outgoing interface and with address of R1 s interface on NX backhaul as the next hop Also configure this route with verify reachability using NX LINK CHECK operation which checks the reachability of the back office network via this route Navigate to Routing Basic Config IPv4 and click Add to add the primary route over NX ...

Page 327: ...Technical Manual 327 6 Configure secondary route towards SCADA back office network 10 10 1 0 24 with GRE1 as the outgoing interface and preference value of 20 From the same page click Add to add the secondary route over GRE1 tunnel interface ...

Page 328: ...sec connection R1 filter input IN_TRUSTED set services vpn ipsec connection R1 filter output OUT_TRUSTED Configure GRE tunnel interface with mode ip over gre src address Local cell address and dst address R1 s WAN address set interfaces interface GRE1 type gre set interfaces interface GRE1 gre config mode ip over gre set interfaces interface GRE1 gre config src address 10 150 1 10 set interfaces i...

Page 329: ...s configured for REMOTE 2 10 10 7 0 24 NX primary 10 10 7 0 24 GRE TUN backup Failover to Cell enabled by checking primary route s reachability by pinging remote s NX interface CELL NX ETH GRE TUN ROUTER FUNCTION RTU AP 10 10 1 0 24 MCR to MCR NX CELL redundant network layer 3 setup using routing Use case 2 Figure 3 227 MCR to MCR NX CELL redundant network layer 3 setup using routing In above use ...

Page 330: ...led on Bridge Optional IPsec configured over Cell to provide security The failover happens at the remote CELL NX ETH GRE TUN BRIDGING FUNCTION RTU AP 192 168 1 0 24 MCR to MCR NX CELL redundant network layer 2 setup using bridging and bonding Use Case 3 BOND CELL NX ETH GRE TUN BRIDGING FUNCTION RTU 192 168 1 0 24 REMOTE 2 BOND Figure 3 228 MCR to MCR NX CELL redundant network layer 2 setup using ...

Page 331: ...er time for traffic from AP towards the failed over REMOTE Using the Web UI AP Configuration Following features need to be configured on the AP IPsec transport mode connection To secure GRE traffic to from REMOTE 1 and REMOTE 2 1 over Cellular network GRE tunnel To send receive layer 2 traffic to from REMOTE 1 and REMOTE 2 s LAN 2 segments over Cellular network Adding GRE tunnels to the Bridge int...

Page 332: ...WAN address as configured in IPsec VPN towards REMOTE 2 Add GRE tunnels to the Bridge interface Add the GRE REMOTE 1 tunnel interface to the bridge that has NX interface and disable STP on 1 the bridge Please refer to section on Bridging for help with adding members to a bridge Add the GRE REMOTE 2 tunnel interface to the bridge that has NX interface and disable STP on 2 the bridge Please refer to...

Page 333: ...ent and AP s LAN segments Network Monitor Operation To send a periodic traffic to enable failover at the AP as described in 5 the NOTE earlier in this section Configure IPsec Transport Mode Connection Configure an IPsec VPN transport mode connection host to host connection type for the AP 1 Please refer to section on IPsec VPN for help with configuring IPsec VPN using Web UI Configure GRE tunnel C...

Page 334: ...32A01 Rev F Configure BOND interface Configure BOND interface in active backup mode with NxRadio and GRE AP as members and 1 NxRadio as the primary member Navigate to Interfaces Add Delete Interfaces and click Add to create new interface named Bond1 ...

Page 335: ...nfigure NETMON operation Configure a NETMON service icmp echo monitor operation named NX LINK CHECK that does 1 a periodic link check by pinging AP This is needed to generate a periodic traffic towards AP to enable the latter to update its bridge forwarding table when the REMOTE switches its link from NX to from GRE tunnel The time interval of this traffic determines the time interval of failover ...

Page 336: ...nt and AP s LAN segments Network Monitor Operation To send a periodic traffic to enable failover at the AP as described in 5 the NOTE earlier in this section Configure IPsec transport mode connection Configure an IPsec VPN transport mode connection host to host connection type for the AP 1 Please refer to section on IPsec VPN for help with configuring IPsec VPN using Web UI Configure GRE tunnel Co...

Page 337: ... Manual 337 Configure BOND interface Configure BOND interface in active backup mode with NxRadio and GRE AP as members and 1 NxRadio as the primary member Navigate to Interfaces Add Delete Interfaces and click Add to create new interface named Bond1 ...

Page 338: ...nfigure NETMON operation Configure a NETMON service icmp echo monitor operation named NX LINK CHECK that does 1 a periodic link check by pinging AP This is needed to generate a periodic traffic towards AP to enable the latter to update its bridge forwarding table when the REMOTE switches its link from NX to from GRE tunnel The time interval of this traffic determines the time interval of failover ...

Page 339: ...cal identity default set services vpn ike peer REMOTE 1_ike_peer peer endpoint address 10 150 1 10 set services vpn ike peer REMOTE 1_ike_peer peer identity default set services vpn ike peer REMOTE 2_ike_peer role responder set services vpn ipsec policy REMOTE 1_ipsec_policy ciphersuite ipsec_policy_cipher0 set services vpn ipsec policy REMOTE 1_ipsec_policy life time 60 set services vpn ipsec con...

Page 340: ...ngs members port GRE REMOTE 1 set interfaces interface Bridge bridge settings members port GRE REMOTE 2 set interfaces interface Bridge bridge settings stp mode disabled REMOTE 1 Configuration Configure IPsec tunnel set services vpn enabled true set services vpn ike policy AP_ike_policy auth method pre shared key set services vpn ike policy AP_ike_policy pre shared key remote1 set services vpn ike...

Page 341: ... NxRadio Add BOND1 interface to Bridge disable STP on the bridge set interfaces interface Bridge bridge settings members port Bond1 set interfaces interface Bridge bridge settings stp mode disabled Configure a NETMON service icmp echo monitor operation named NX LINK CHECK that does a periodic link check by pinging AP This is needed to generate a periodic traffic towards AP say every 5 secs to enab...

Page 342: ...configured default action is ACCEPT The export route filter controls the routes that are exported into the routing protocol from the routing table By default the routing protocol prevents export of any routes from the local routing table to the peer router That is if no export filter is configured default action is NONE A route filter consists of one or more rules sorted by a numeric identifier Ea...

Page 343: ...ellular Network RTU R1 Backoffice Router 10 10 40 1 0 24 10 10 6 0 24 REMOTE 1 GRE configured as routed interface over Cell Optional IPsec transport mode configured over Cell to secure GRE traffic RIP or OSPF configured to export LOCAL LAN route 10 10 6 0 24 and import routes sent by back office router Back office router configured to terminate GRE and IPsec tunnels from remotes over cell RIP or O...

Page 344: ... 05 6632A01 Rev F Select the newly created LOCAL_LAN route filter and click Add to add a rule with ID 1 to this filter Select outgoing interface Bridge and Action accept Click Finish on the panels to close them To apply configuration click Save ...

Page 345: ... specific routing protocols RIP The basic RIP configuration consists of enabling the protocol and adding interfaces on which it should operate and configuring an export filter In addition MD5 authentication can be used to secure routing protocol updates In the example below RIP is enabled on GRE interface along with LOCAL_LAN as the export filter Navigate to Routing Basic Config RIP Select LOCAL_L...

Page 346: ...s The user can check the routing table in the General panel to ensure a dynamic route for the back office has been received from the back office router The RIP panel displays the state of RIP routing protocol including route import export statistics Using CLI In operational mode enter following commands ...

Page 347: ... state rip statistics import withdraws rejected 0 routing state rip statistics import withdraws ignored 0 routing state rip statistics import withdraws accepted 0 routing state rip statistics export updates received 10 routing state rip statistics export updates rejected 1 routing state rip statistics export updates filtered 7 routing state rip statistics export updates accepted 2 routing state ri...

Page 348: ... Manual MDS 05 6632A01 Rev F Under Area click Add to add area 0 0 0 0 backbone Under Interface click Add to add GRE interface to area 0 0 0 0 To apply configuration click Save Using CLI In configuration mode enter following commands ...

Page 349: ...rea 0 0 0 0 interface GRE commit Monitoring Navigate to Routing Status The user can check the routing table in the General panel to ensure a dynamic route for the back office has been received from the back office router The OSPF panel displays the state of OSPF routing protocol including route import export statistics and other OSPF protocol status ...

Page 350: ...table displays all link state advertisements LSAs received by this router Using CLI In operational mode enter following commands show routing state routes OUTGOING DEST PREFIX NEXT HOP INTERFACE SOURCE 0 0 0 0 0 172 18 175 129 Cell kernel 10 10 6 0 24 Bridge kernel 10 10 40 0 24 GRE dynamic 172 18 175 128 28 Cell kernel show routing state ospf routing state ospf routing instance MAIN_OSPF routing ...

Page 351: ...hbors 1 num adjacent neighbors 1 area networks routing state ospf interface GRE routing state ospf routing instance MAIN_OSPF routing state ospf state up routing state ospf preference 150 routing state ospf import filter ACCEPT routing state ospf export filter LOCAL_LAN routing state ospf statistics import updates received 4 routing state ospf statistics import updates rejected 0 routing state osp...

Page 352: ... 966 80000002 049b Area 0 0 0 0 0001 2 2 2 2 2 2 2 2 966 80000004 8785 Area 0 0 0 0 0001 10 10 6 1 10 10 6 1 967 80000002 d25b BGP The basic BGP configuration consists of adding a neighbor entry for each peer and configuring an export filter BGP can operate in two modes External BGP EBGP and Internal IBGP EBGP is used between BGP routers that are in different Autonomous AS systems and IBGP is used...

Page 353: ...on click Save NOTE Please see section 12 2 2 1 for an example on use of BGP to exchange routes over DMVPN network Using CLI In configuration mode enter following commands set routing bgp neighbor PRIMARY HUB peer address 172 16 0 1 set routing bgp neighbor PRIMARY HUB enabled true ...

Page 354: ...r PRIMARY HUB peer as 65500 set routing bgp neighbor PRIMARY HUB hold time 30 set routing bgp neighbor PRIMARY HUB keepalive time 10 Monitoring Navigate to Routing Status The user can check the routing table in the General panel to ensure a dynamic route for the back office has been received from the back office router Using CLI In operational mode enter following commands show routing state bgp ...

Page 355: ...xport updates filtered 6 statistics export updates accepted 1 statistics export withdraws received 0 statistics export withdraws accepted 0 local state established peer address 172 16 0 1 peer as 65500 peer id 172 16 0 1 local address 172 16 0 3 hold time 23 30 keepalive time 7 10 GPS Service 3 8 22 Understanding A unit may be equipped with internal GPS support The GPS service obtains location inf...

Page 356: ... antennas Configuring Navigate to Services GPS Service Basic Config The GPS service has very minimal configuration The user simply has to enable the GPS service for it to start collecting data from the first detected GPS data source in the system If there are more sources in the system then user can select the specific data source by configuring the source parameter To apply configuration click Sa...

Page 357: ...ces gps status speed 0 000000000000000e 0 services gps status heading 0 000000000000000e 0 NAME DEVICE SLOT1 CELL GPS dev ttyUSB1 Dynamic DNS 3 8 23 Understanding The unit supports Dynamic DNS DDNS service that enables update of the dynamic address of an interface typically cellular WAN interface on the unit against a pre registered fully qualified domain name FQDN for example pump1 dyndns org wit...

Page 358: ...S service provider Update Interval The interval in minutes at which periodic update interval will occur Failure Retry Interval The interval in seconds at which retries will occur if connection cannot be made to DDNS service provider Max Failure Retries The maximum number of times to retry connecting to the DDNS service provider for an update HTTPS Whether or not to use HTTPS when sending DDNS upda...

Page 359: ...om update hostname pump1 xyz com myip 1 1 1 1 Then user should enter following in the URL field http USERNAME PASSWORD xyz com update hostname HOSTNAME myip IP The username password hostname fields will be replaced with those configured when posting the DDNS update along with dynamic IP address of the configured interface NOTE In firmware versions prior to 4 x x the user might need to click the re...

Page 360: ...defined in the IETF RFC5798 In VRRP a group of physical routers are configured similarly with VRRP settings and together they act as one virtual router on the network Only one physical router is negotiated as the Master router at a time the remaining routers act as Backup until it has been determined that the Master has gone offline This failover mechanism is automatic and built into VRRP The grou...

Page 361: ...ical router in a group gets its own priority The higher the number the higher the priority that the physical router will be become the Master during negotiation advertisement interval The Master router advertises its presence to the Backups This controls the frequency of those advertisements preemption whether or not to allow higher priority routers become Master when they come online All physical...

Page 362: ...e is typically used for Orbit devices with cellular interfaces where the Orbit is connected to the end device via LAN and the IP address received from the cellular network needs to be passed to the end device so it can be accessed using that address from the network Configuration Using Web UI Navigate to Services IP Passthrough Basic Config Click Enable to enable the passtrough service Add any loc...

Page 363: ...llowing commands set services ip passthrough enabled true set services ip passthrough local service SSH protocol tcp port 22 set services ip passthrough local service HTTP protocol tcp port 80 set services ip passthrough local service HTTPS protocol tcp port 443 commit Monitoring Using Web UI Navigate to Services IP Passthrough Status ...

Page 364: ... can only be imported using the manual method The device can import certificates that are in DER PEM or encrypted PEM format The device can import private keys that are in DER PEM or encrypted PEM Private Keys 3 9 2 The device can manually import private keys or can generate a new private key of a specified length From the WebUI navigate to Certificate Management Basic Config The Private Keys sect...

Page 365: ... Size The number of bits in the key Allowed sizes include 1024 1536 2048 3072 and 4096 The following example shows how to have the device generate a private key of length 2048 bits with the identity generated_key_2048 request pki private_keys generate key identity generated_key_2048 key size 2048 Monitoring Generation Once the generation is begun the process may be cancelled by clicking the Cancel...

Page 366: ...ocess in the CLI ensure the CLI is in operational mode and then follow the example below show pki private keys generate status pki private keys generate status state complete pki private keys generate status detailed message Successfully generated private key generated_key_2048 with 2048 bits pki private keys generate status size 256 pki private keys generate status bytes transferred 256 pki priva...

Page 367: ...r FTP and SFTP the password on the remote server Control Port For FTP the TCP control port advanced setting use default Data Port For FTP the TCP data port advanced setting use default Block Size For TFTP the block size as defined in RFP 2348 advanced setting use default Timeout For FTP TFTP and SFTP the timeout in seconds advanced setting use default The following example shows how to have the de...

Page 368: ...n the CLI ensure the CLI is in operational mode and then follow the example below show pki private keys import status pki private keys import status state complete pki private keys import status detailed message Successfully imported private key pki private keys import status size 1191 pki private keys import status bytes transferred 1191 pki private keys import status percent complete 100 CA Cert...

Page 369: ...est pki ca certs delete cert identity imported_ca_cert_2048 Configuring The following example shows how to have the device import a CA certificate by uploading a local file through the web browser Navigate to the CA Certificates section in Certificate Management Basic Config Click on the Add button and then click on the Begin Importing button once the certificate identity and the file source are c...

Page 370: ...te file named ca_cert_2048 pem from a TFTP server running on a host address 192 168 1 10 that is accessible from the MCR e g a locally connected host or remote host accessible via cellular interface To start the CA certificate import from the CLI enter the following command to download the CA certificate file from the TFTP server request pki ca certs import cert identity imported_ca_cert_2048 file...

Page 371: ...n follow the example below show pki ca certs import status pki ca certs import status state complete pki ca certs import status detailed message Successfully imported CA certificate pki ca certs import status size 1586 pki ca certs import status bytes transferred 1586 pki ca certs import status percent complete 100 Client Certificates 3 9 4 The device can manually import client certificates or obt...

Page 372: ... button once the certificate identity and the file source are configured Figure 3 238 Import Client Certificate The MCR supports file uploads through a web browser from a local file on the user s PC The MCR also supports HTTP FTP TFTP SFTP and SCEP file downloads using external remote servers File Source File transfer method to use Available choices are From Local File DEFAULT From HTTP Server Fro...

Page 373: ...ccessible via cellular interface To start the client certificate import from the CLI enter the following command to download the client certificate from the TFTP server request pki client certs import cert identity scep_client_cert scep filename cert_2048 pem manual file server tftp address 192 168 1 10 The following example shows how to have the device import a new client certificate from a prede...

Page 374: ...tal number of bytes in the file not displayed on the web UI Bytes Transferred The number of bytes already transferred or processed not displayed on the web UI Percent Complete The percentage complete for the operation To view the status of the import process in the CLI ensure the CLI is in operational mode and then follow the example below show pki client certs import status pki client certs impor...

Page 375: ...nt certs import scep status pki client certs import scep status last status 0 pki client certs import scep status poll count 2 pki client certs import scep status state Success pki client certs import scep status req fp md5 80383787f3e17a0a2d8a61e784377 pki client certs import scep status req fp sha1 b3a37834c1421be99bff94fac45fd7b55c2ad035 pki client certs import scep status req fp sha256 b8a9174...

Page 376: ...he device may delete a firmware certificate by clicking the Delete button on the web user interface or using the CLI in operational mode See the following example for deleting CA certificates via the CLI request pki firmware certs delete cert identity firmware_cert_2048_delete_me Configuring The following example shows how to have the device import a firmware certificate by uploading a local file ...

Page 377: ...use default Data Port For FTP the TCP data port advanced setting use default Block Size For TFTP the block size as defined in RFP 2348 advanced setting use default Timeout For FTP TFTP and SFTP the timeout in seconds advanced setting use default The following example shows how to have the device download a firmware certificate file named firmware_cert_2048 pem from a TFTP server running on a host ...

Page 378: ... identified and the certificate information must be defined Configuring The certificate server is defined under certificate server In the operation shown below we define the SCEP server set pki certificate servers certificate server predefined_cert_server server type scep scep server setting uri 10 15 60 39 certserv mscep mscep dll poll interval 5 retry count 120 digest algo sha256 encrypt algo ae...

Page 379: ...p_ca_cert scep ca issuer identity predefined_ca_server cert server identity predefined_cert_server The next step is to request the new client certificate from the SCEP server request pki client certs import cert identity scep_client_cert scep cert server identity predefined_cert_server ca issuer identity predefined_ca_server cert info identity predefined_cert_info ca cert identity scep_ca_cert pri...

Page 380: ...380 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F ...

Page 381: ...oubleshooting Refer toTable 4 3 Table 4 4 Table 4 5 and Table 4 6 Depending on the interfaces ordered the NIC1 and NIC2 slot can be populated with a Cellular modem a WiFi interface an LnRadio interface or an NxRadio interface Described in Table 4 1 below are the possible NIC1 and NIC2 LED combinations based on the product configuration ordered Figure 4 1 LED Status Indicators Table 4 1 NIC LED Des...

Page 382: ...en No cellular connection Cell connection Table 4 4 WiFi Interface LED Descriptions LED NIC1 LED State Description WiFi Interface Off Interface disabled Access Point Mode Solid Green Solid Red Operating as AP and at least one client connection Operating as an AP and no client connection Station Mode Off Solid Green No connection Wi Fi connection established Table 4 5 NxRadio Interface LED Descript...

Page 383: ...ellow indicates a link at 100 Mbps operation A flashing green indicates Ethernet data traffic 4 2 Technical Specifications GENERAL Input Power 11 to 55 VDC NOMINAL 10 to 60 VDC 15 Watts maximum depending on configuration Below are power consumption figures for common configurations Typical High Throughput Wi Fi power consumption 4 1 Watts Minimum Wi Fi power consumption 3 4 Watts Table 4 7 Orbit M...

Page 384: ... Remote Associated Idle 4 8W 350mA Remote Associated 50 Duty 10 8W 780mA Ethernet Port s RJ 45 10 100 Mbps Auto MDIX Serial Port s RJ 45 supporting RS 232 RS 485 LAN Protocols 802 3 Ethernet 802 1D Spanning Tree TCP IP DHCP ICMP IGMP FTP TFTP SFTP UDP SNMP VPN VLAN Networking DHCP Port Forwarding NAT VLAN SNMP Configuration Serial console SSH HTTP HTTPS Configuration files Security Encryption Pass...

Page 385: ...0 4G cell 4G1 4G5 N7NMC7355 4G cell 4GP N7NMC7354B NX915 E5MDS NX915 LN400 E5MDS LN400 LN900 E5MDS LN900 IC Industry WiFi 3195A ZCN722MV1 4G cell E4V 3229B E362 3G Cell 5131A HE910 NX915 101D NX915 LN400 101D LN400 LN900 101D LN900 2 4 GHz WiFi Specifications Protocol IEEE 802 11b g n OFDM 6 to 54Mbps CCK 1 to 11Mbps Frequency Range 2400 to 2500 MHz Maximum Transmit Power 18 dBm Default is 15 dBm ...

Page 386: ...nge 902 to 928 MHz Power Output 20 dBm to 30 dBm in 1 0 dBm steps DEFAULT 30 dBm Output Impedance 50 Ohms Permissible Antennas GE MDS 93 97 3194A14 10dBd 12 15dBi YAGI Antenna GE MDS 93 97 3194A23 7dBd 9 15dBi 5 8 wavelength OMNI Antenna Connector TNC female Number of Frequency Channels Selectable 50 to 81 for FHSS 1 to 20 for DTS Channel Separation 307 5 kHz minimum Modulation Type 2 Level GFSK 4...

Page 387: ... Jumper N F Conn Mnt GE MDS 93 97 3194A19 430 450MHz 7dBi OMNI w 16 Jumper N F Conn Mnt GE MDS 93 97 3194A26 450 470MHz 11 dBi OMNI w N F Conn Mnt GE MDS 93 97 3194A02 406 430MHz 12 dBi YAGI w N F Conn Mnt GE MDS 93 97 3194A04 406 430MHz 12 dBi YAGI w N F Conn Mnt GE MDS 93 97 3194A06 450 470MHz 12 dBi YAGI w N F Conn Mnt Antenna Connector TNC female Modulation Type QAM QPSK 16QAM 64QAM Data Rates...

Page 388: ...nse including GE MDS 93 97 3194A17 902 928MHz 9dBi OMNI w 16 Jumper N F Conn GE MDS 93 97 3194A14 902 960MHz 12 dBi YAGI 6 Elementw N F Conn GE MDS 93 97 3194A13 902 960MHz 8 5 dBi YAGI 3 Elementw N F Conn Antenna Connector TNC female Modulation Type QAM QPSK 16QAM 64QAM Data Rates 20 40 60 kbps in 12 5Khz 40 80 120 kbps in 25 0Khz FCC Part 90 Part 101 FCC ID E5MDS LN900 IC 101D LN900 NOTE All spe...

Page 389: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 389 ...

Page 390: ...rs CTS Clear to Send Decibel dB A measure computed from the ratio between two signal levels Frequently used to express the gain or loss of a system Data Circuit terminating Equipment See DCE Data Communications Equipment See DCE Data Terminal Equipment See DTE dBi Decibels referenced to an ideal isotropic radiator in free space frequently used to express antenna gain dBm Decibels referenced to one...

Page 391: ...0 MHz Poll A request for data issued from the host computer or master PLC to a Remote unit PLC Programmable Logic Controller A dedicated microprocessor configured for a specific application with discrete inputs and outputs It can serve as a host or as an RTU PPM Parts per Million Programmable Logic Controller See PLC Remote Terminal Unit See RTU RTS Request to send RTU Remote Terminal Unit A data ...

Page 392: ...fies a particular 802 11wireless LAN Supervisory Control And Data Acquisition See SCADA Telnet A terminal emulation protocol that enables an Internet user to communicate with a Remote device for management activities as if it were locally connected to a PC TX Abbreviation for Transmit WAN Wide Area Network ...

Page 393: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 393 ...

Page 394: ...he CLI will provide feedback regarding the error The changes that were pending will still be pending at that point This gives the user the opportunity to discard the changes or to modify them and then try to commit them again 6 4 Inputting Values The format for each node in the data model is encoded in the data model itself The CLI enforces the user input to be compliant to that format There are s...

Page 395: ...otate Add a comment to a statement commit Commit current set of changes compare Show configuration differences copy Copy a dynamic element delete Delete a data element edit Edit a sub element exit Exit from this level help Provide help information insert Insert a parameter move Move a parameter quit Exit from this level rename Rename an identifier request Make system level requests resolved Confli...

Page 396: ...pletions IP address string min 1 chars max 253 chars set system dns search mds 6 7 CLI Environment There are a number of session variables in the CLI They are only used during the session and are not persistent Their values are inspected using show cli and set using set in operational mode show cli autowizard true complete on space true display level 99999999 history 100 idle timeout 1800 ignore l...

Page 397: ... enabled It is enabled by default screen width integer Current width of terminal This is used when paginating output to get proper line count screen length integer Current length of terminal This is used when paginating output to get proper line count terminal string Terminal type This setting is used for controlling how line editing is performed Supported terminals are dumb vt100 xterm linux and ...

Page 398: ...y include lines matching a regular expression For example show configuration logging match date event rules date_time_from_ntp event rules date_time_from_user event rules date_time_not_set In the example above only lines containing date are shown Similarly lines not containing a regular expression can be included show interface state except counters interfaces supported interfaces bridge true inte...

Page 399: ...f a string Matches the end of a string abc Character class which matches any of the characters abc Character ranges are specified by a pair of characters separated by a abc negated character class which matches any character except abc r1 r2 Alternation It matches either r1 or r2 r1r2 Concatenation It matches r1 and then r2 r Matches one or more rs r Matches zero or more rs r Matches zero or one r...

Page 400: ...lete the word before the cursor Ctrl w Esc Backspace or Alt Backspace Delete the word after the cursor Esc d or Alt d Insert the most recently deleted text at the cursor Ctrl y Scroll backward through the command history Ctrl p or Up Arrow Scroll forward through the command history Ctrl n or Down Arrow Search the command history in reverse order Ctrl r Show a list of previous commands run the show...

Page 401: ... if the CLI session is terminated without doing commit confirm default is confirm If the confirming commit was initiated with a persist argument then the same token needs to be supplied using the persist id argument to this command Configure private exclusive shared Enter configure mode The default is private Private Edit private copy of running configuration Exclusive Lock and edit candidate conf...

Page 402: ...en the CLI is in operational mode Note that the following are examples and will vary from one system to the next show configuration system contact Mark name Orbit1 location Tank1 clock timezone location America New_York ntp use ntp true ntp server 216 171 112 36 enabled true dns server 68 94 156 1 68 94 157 1 tamper detection magnetometer enabled false pre login banner Oil from Tanker1 authenticat...

Page 403: ... configuration interfaces interface ETH1 details type ethernetCsmacd enabled true ipv4 enabled true ip forwarding false address 192 168 1 10 prefix length 24 ipv6 enabled true ip forwarding false dup addr detect transmits 1 autoconf create global addresses true create temporary addressed false temporary valid lifetime 604800 temporary preferred lifetime 86400 Showing the complete data model that t...

Page 404: ...session will be terminated after this command since no further editing is possible Only available in configure exclusive and configure shared mode The confirming commit will be rolled back if the CLI session is terminated before confirming the commit unless the persist argument is given If the persist command is given then the CLI session can be terminated and a later session may confirm the pendi...

Page 405: ...ce insert path first last beforekey afterkey Insert a new element into an ordered list The element can be added first last default before or after another element move path first last beforekey afterkey Move an existing element to a new position in an ordered list The element can be moved first last default before or after another element quit Exit from this level rename instance path new id Renam...

Page 406: ...erational mode command set Set a parameter show Show a parameter status Display users currently editing the configuration tag add clear del tag add statement tag Add a tag to a configuration statement tag del statement tag Remove a tag from a configuration statement tag clear statement Remove all tags from a configuration statement top Exit to top level and optionally run command up Exit one level...

Page 407: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 407 ...

Page 408: ...within it as instructed by the VPN gateway However MCR also supports an out of band IMA connection where the unit connects to a separate IMA server not to pass data but just to perform integrity measurement and attestation The IMA server in such a setup can then publish the unit s health information to the VPN server that is terminating the actual data connections This allows VPN server to enforce...

Page 409: ...d so on Obtaining Configuration File Hash 7 2 1 The following example shows the use of a request to get the system configuration hash admin none 22 09 59 request services vpn ipsec get config hash hash algo sha384 hash e60429aa127cb2f23e10ae00b6c1553fa9d1f598b2a206926ad0dcdf9a758622eec77ad559b32f 85ceea9013a961041f ok 2013 01 18 22 10 15 This hash can then be loaded in IMA database 7 3 Monitoring ...

Page 410: ...atus can then be checked again periodically for new attestation result show services vpn services vpn ipsec ipsec status connections connection IMA state disconnected failure reason none last timestamp 2013 01 18T22 19 02 00 00 ima evaluation compliant ima recommendation Access Allowed 7 4 IMA Troubleshooting Follow the troubleshooting steps described in VPN section on troubleshooting IMA connecti...

Page 411: ...CEE Core Profile is that it can be extended by an organization so that they can add additional taxonomy categories and fields that describe vendor specific events 8 1 Event Taxonomy The CEE Core Profile defines the following taxonomy categories Action The primary type of action that was undertaken as part of the event The status or result of the action should be detailed in the status field Domain...

Page 412: ...he beginning of the encoded CEE Event MUST be identified by the CEE Event Flag Within Syslog the CEE Event Flag is cee Character Encoding If the syslog implementation is only 7 bit all characters not in the ASCII character set MUST be escaped Examples 8 3 1 A valid CEE JSON Event Record embedded within an RFC5424 Syslog transport 165 1 2011 12 20T12 38 06Z 10 10 0 1 process example event 1 cee pna...

Page 413: ...originated the event to the application who should receive the event syslog MSG 8 3 4 For events of type audit the msg is vendor specific whereas events of type alert must be in a specified format which contains a GUID level and message Using the CEE approach all of the requested information would be present in all messages Example of message using format Jun 7 11 10 22 ccc99 csmgr 27417 Source AB...

Page 414: ... Ensure the CLI is in operational mode Follow the example below to view the state and statistics show logging event rules cell_connected description cell connection established local true priority notice syslog facility user syslog true snmp notification true netconf notification true show logging event rules cell_disconnected description cell connection disconnected local true priority notice sys...

Page 415: ...f the certificate information to aide lookup of the appropriate public key during signature verification infile The filepath for package file input outfile The filepath for signed package file output To display package info and verification status pkgsigner l v verifycert f infile where verifycert The filepath a public certificate to be used to verify the signature of the infile if and the infile ...

Page 416: ...sites ge_pubcert pem is the public certificate provided by GE MDS that is used to verify that the signed packaged is authentic The GE MDS public certificate will typically be downloaded by users from the GE MDS website user_key pem is a private key provided by the user mypass is the password used to decrypt user_key pem assuming the key is password protected If the key is not password protected th...

Page 417: ...ment Identity of the equipment in which the SIM card will be used The IMEI can be found by logging into the device and entering the following command show interfaces state interface Cell cell status imei cell status imei 991000947608727 If MEID Mobile Equipment Identifier is needed this is equal to the IMEI value minus the last digit NOTE Do not run the command above unless a provisioned SIM card ...

Page 418: ...et can be user configured that defines a specific collection of radio operation The following table show the number of discrete frequencies or channels available for each modem type based on the selected hop set Modem Mode Channel Frequency 125 250 500 1000 1000W 1250 0 902 700000 A A A A A A 1 903 007500 A A B B B B 2 903 315000 A A C C C C 3 903 622500 A A A D D D 4 903 930000 A A B A E E 5 904 ...

Page 419: ...5000 A A A C C A 43 915 922500 A A B D D B 44 916 230000 A A C A E C 45 916 537500 A A A B A D 46 916 845000 A A B C B E 47 917 152500 A A C D C F 48 917 460000 A A A A D A 49 917 767500 A A B B E B 50 918 075000 A A C C A C 51 918 382500 A A A D B D 52 918 690000 A A B A C E 53 918 997500 A A C B D F 54 919 305000 A A A C E A 55 919 612500 A A B D A B 56 919 920000 Unused 57 920 227500 A A A B C ...

Page 420: ...D B F 72 924 840000 A A A A C A 73 925 147500 A A B B D B 74 925 455000 A A C C E C 75 925 762500 A A A D A D 76 926 070000 A A B A B E 77 926 377500 A A C B C F 78 926 685000 A A A C D A 79 926 992500 A A B D E B 80 927 300000 A A C A A C Channels Hop Set A 80 80 27 20 17 14 B 0 0 27 20 15 14 C 0 0 26 20 16 13 D 0 0 0 20 16 13 E 0 0 0 0 16 13 F 0 0 0 0 0 13 ...

Page 421: ... SRX Local LAN 192 168 1 0 24 Remote LAN 192 168 2 0 24 Customer Network Internet Cellular network IPsec Tunnel carrying traffic between local and remote LANs The WAN IP address of SRX240 is 172 18 175 40 and Orbit cell ip address is 172 18 175 138 Orbit 12 1 1 12 1 1 1 Configuration Bridge LAN interface configuration set interfaces interface Bridge type bridge set interfaces interface Bridge ipv4...

Page 422: ...sha256 hmac set services vpn ipsec policy SRX240 IPSEC POLICY ciphersuite CS1 dh group dh14 set services vpn ipsec connection SRX240 ike peer SRX240 IKE PEER set services vpn ipsec connection SRX240 ipsec policy SRX240 IPSEC POLICY set services vpn ipsec connection SRX240 local ip subnet 192 168 1 0 24 set services vpn ipsec connection SRX240 remote ip subnets 192 168 2 0 24 set services vpn ipsec...

Page 423: ...address set services firewall filter OUT_UNTRUSTED rule 1 match src address address set CELL IP set services firewall filter OUT_UNTRUSTED rule 1 match src address add interface address true set services firewall filter OUT_UNTRUSTED rule 1 actions set services firewall filter OUT_UNTRUSTED rule 1 actions action accept set services firewall filter OUT_UNTRUSTED rule 2 match protocol all set servic...

Page 424: ...urity ike proposal IKE PROP PSK encryption algorithm aes 128 cbc set security ike policy IKE POLICY PSK proposals IKE PROP PSK set security ike policy IKE POLICY PSK pre shared key ascii text test123 set security ike gateway ORBIT138 ike policy IKE POLICY PSK set security ike gateway ORBIT138 address 172 18 175 138 set security ike gateway ORBIT138 local identity inet 172 18 175 40 set security ik...

Page 425: ...pplication any set security policies from zone TRUST to zone UNTRUST policy ORBIT138 NET 1 SA then permit tunnel ipsec vpn ORBIT138 set security policies from zone UNTRUST to zone TRUST policy ORBIT138 NET 1 SA match source address ORBIT138 NET 1 set security policies from zone UNTRUST to zone TRUST policy ORBIT138 NET 1 SA match destination address LOCAL NET 1 set security policies from zone UNTR...

Page 426: ...low we disable default route over Cell and instead setup BGP dynamic routing that advertises the local LAN network to the IOS router and received default route over the GRE tunnel form IOS router Orbit 12 2 1 12 2 1 1 Configuration NTP configuration set system ntp use ntp true set system ntp ntp server 172 18 175 62 Bridge LAN interface configuration set interfaces interface Bridge type bridge set...

Page 427: ...nerated as ID1 set services vpn ike policy DMVPN CERT pki key id ID1 Root CA certificayte is installed as CA1 set services vpn ike policy DMVPN CERT pki ca cert id CA1 Sub CA certificates are installed as SUBCA1 and SUBCA2 set services vpn ike policy DMVPN CERT pki sub ca cert ids SUBCA1 SUBCA2 set services vpn ike policy DMVPN CERT ciphersuite CS1 encryption algo aes256 cbc set services vpn ike p...

Page 428: ...nterface GRE1 map HUB nbma address 172 18 175 45 set services nhrp interface GRE1 map HUB register true set services nhrp interface GRE1 map HUB cisco true set services nhrp interface GRE1 authentication cisco123 set services nhrp interface GRE1 holding time 300 BGP routing configuration This configuration exports the local LAN network to the IOS router and imports default route over the GRE tunne...

Page 429: ...tion accept set services firewall filter IN_UNTRUSTED rule 11 match protocol esp set services firewall filter IN_UNTRUSTED rule 11 actions set services firewall filter IN_UNTRUSTED rule 11 actions action accept set services firewall filter IN_UNTRUSTED rule 12 match protocol all set services firewall filter IN_UNTRUSTED rule 12 actions set services firewall filter IN_UNTRUSTED rule 12 actions acti...

Page 430: ...F_HMAC_SHA1 MODP_1536 established time 574 rekey time 9200 reauth time 2075232 services vpn ipsec security associations security association 4 name DMVPN state INSTALLED mode TRANSPORT udp encap false in spi c0b5d5d0 out spi 26c5d2f3 ciphersuite AES_CBC 256 HMAC_SHA1_96 in bytes 34106 in packets 492 in last use 1 out bytes 9094 out packets 140 out last use 2 rekey time 2195 life time 3026 install ...

Page 431: ... PRIMARY HUB routing instance inet main state up preference 100 import filter ACCEPT export filter LOCAL LAN statistics import updates received 1 statistics import updates rejected 0 statistics import updates filtered 0 statistics import updates ignored 0 statistics import updates accepted 1 statistics import withdraws received 0 statistics import withdraws rejected 0 statistics import withdraws i...

Page 432: ...Ethernet0 0 Ensure that the MTU configured matches the cell interface MTU default 1428 mtu 1428 ip address 172 18 175 45 255 255 255 0 duplex auto speed auto Certificate configuration crypto pki trustpoint DMVPN 3 TIER SUBCA 2 enrollment terminal pem subject name C US ST NY L Rochester O GE MDS OU ENGG CN DMVPN HUB com revocation check none rsakeypair DMVPN 3 TIER SUBCA 2 2048 Below assumes that O...

Page 433: ...crypto ikev2 policy DMVPN_IKEV2_POLICY match fvrf any proposal DMVPN_IKEV2_PROPOSAL crypto ikev2 profile DMVPN_IKEV2_PROFILE match certificate ORBIT_CERT_MAP identity local dn authentication remote rsa sig authentication local rsa sig pki trustpoint DMVPN 3 TIER SUBCA 2 dpd 10 3 periodic crypto ipsec transform set DMVPN_TRANSFORM esp aes 256 esp sha hmac mode transport crypto ipsec profile DMVPN s...

Page 434: ...figuration router bgp 65500 bgp router id 172 16 0 1 bgp log neighbor changes bgp listen range 172 16 0 0 24 peer group DMVPN SPOKE neighbor DMVPN SPOKE peer group neighbor DMVPN SPOKE remote as 65550 neighbor DMVPN SPOKE next hop self neighbor DMVPN SPOKE default originate ip route 0 0 0 0 0 0 0 0 172 18 175 62 12 2 2 2 Status IKE IPsec status DMVPN HUB show crypto ikev2 sa IPv4 Crypto IKEv2 SA T...

Page 435: ...ssed 0 pkts decompress failed 0 send errors 0 recv errors 0 local crypto endpt 172 18 175 45 remote crypto endpt 172 18 175 138 path mtu 1500 ip mtu 1500 ip mtu idb none current outbound spi 0xCF3F2463 3477021795 PFS Y N N DH group none inbound esp sas spi 0x1BB50496 464848022 transform esp 256 aes esp sha hmac in use settings Transport conn id 2681 flow_id Onboard VPN 681 sibling_flags 80000000 c...

Page 436: ...dd State UpDn Tm Attrb 1 172 18 175 138 172 16 0 3 UP 16 55 28 D Routing status The highlighted route is the LAN network route received from Orbit via BGP DMVPN HUB show ip route Codes L local C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS...

Page 437: ...The Juniper JUNOS based devices do not support IPsec transport mode for data traffic Therefore to protect GRE traffic one needs to setup IPsec tunnel instead of IPsec transport mode connection This leads to double tunneling GRE tunnel within IPsec tunnel Also GRE tunneling over IPsec tunnel is only supported for route based tunnel setup Orbit JUNOS SRX Local LAN 1 192 168 1 0 24 Remote LAN 1 192 1...

Page 438: ...es vpn ike policy SRX240 IKE POLICY auth method pre shared key set services vpn ike policy SRX240 IKE POLICY pre shared key test123 set services vpn ike policy SRX240 IKE POLICY ciphersuite CS1 encryption algo aes128 cbc set services vpn ike policy SRX240 IKE POLICY ciphersuite CS1 mac algo sha256 hmac set services vpn ike policy SRX240 IKE POLICY ciphersuite CS1 dh group dh14 set services vpn ike...

Page 439: ...firewall filter IN_TRUSTED rule 10 match protocol all set services firewall filter IN_TRUSTED rule 10 actions set services firewall filter IN_TRUSTED rule 10 actions action accept set services firewall filter IN_UNTRUSTED rule 1 match protocol icmp set services firewall filter IN_UNTRUSTED rule 1 actions set services firewall filter IN_UNTRUSTED rule 1 actions action accept set services firewall f...

Page 440: ...t set services firewall filter OUT_UNTRUSTED rule 2 match protocol all set services firewall filter OUT_UNTRUSTED rule 2 actions set services firewall filter OUT_UNTRUSTED rule 2 actions action drop 12 3 1 2 Status IKE IPsec status show services vpn services vpn ike security associations security association 54 name SRX240_SA state ESTABLISHED local host 172 18 175 135 local id 172 18 175 135 remo...

Page 441: ...that configured on Cell interface on Orbit default 1428 set interfaces ge 0 0 0 unit 0 family inet mtu 1428 set interfaces ge 0 0 0 unit 0 family inet address 172 18 175 40 26 Local LAN 1 interface set interfaces vlan unit 0 family inet address 192 168 3 1 24 set interfaces ge 0 0 1 unit 0 family ethernet switching vlan members vlan trust 1 set vlans vlan trust 1 vlan id 1 set vlans vlan trust l3 ...

Page 442: ...c set security ipsec policy IPSEC POLICY perfect forward secrecy keys group14 set security ipsec policy IPSEC POLICY proposals IPSEC PROP Common Policies set security policies from zone TRUST to zone TRUST policy TTT match source address any set security policies from zone TRUST to zone TRUST policy TTT match destination address any set security policies from zone TRUST to zone TRUST policy TTT ma...

Page 443: ...security ipsec vpn ORBIT135 ike gateway ORBIT135 set security ipsec vpn ORBIT135 ike ipsec policy IPSEC POLICY IPsec policies set security policies from zone TRUST to zone VPN ORBIT135 policy ORBIT135 match source address LOCAL NET 1 set security policies from zone TRUST to zone VPN ORBIT135 policy ORBIT135 match destination address ORBIT135 NET 1 set security policies from zone TRUST to zone VPN ...

Page 444: ...ecurity associations Total active tunnels 1 ID Algorithm SPI Life sec kb Mon vsys Port Gateway 131073 ESP aes 128 sha256 5e4fca36 3403 unlim root 500 172 18 175 135 131073 ESP aes 128 sha256 cb6ed905 3403 unlim root 500 172 18 175 135 Routing status show route 0 0 0 0 0 Static 5 1w5d 18 34 56 to 172 18 175 62 via ge 0 0 0 0 10 1 1 0 30 Direct 0 1w5d 18 35 02 via gr 0 0 0 0 10 1 1 1 32 Local 0 1w5d...

Page 445: ...an 0 192 168 3 1 32 Local 0 1w5d 20 14 32 Local via vlan 0 192 168 4 0 24 Direct 0 1w5d 18 34 56 via vlan 1 192 168 4 1 32 Local 0 1w5d 20 14 32 Local via vlan 1 192 168 1 0 24 Static 5 1w5d 18 35 02 via gr 0 0 0 0 192 168 2 0 24 Static 5 1w5d 18 35 02 via gr 0 0 0 0 ...

Page 446: ...ble to communicate with the RADIUS authentication server through a non authenticating Ethernet port or other backhaul network interface like the cellular modem Freeradius authentication server Wireless backhaul ETH1 ETH2 Windows7 802 1x Peer Kubuntu Linux 802 1x Peer GEMDS Orbit 802 1x authenticator 13 2 Configuration Examples Orbit Device 13 2 1 The following shows an example of port authenticati...

Page 447: ...cates users and network clients The following shows only a snippet of the configuration but has the most important sections listed etc freeradius users Username password example joe Cleartext Password password MAC Authentication Bypass MAB examples d89d67f4ffb6 Cleartext Password d89d67f4ffb6 0010186f8dfd Cleartext Password 0010186f8dfd 989096cbcd6e Cleartext Password 989096cbcd6e 00133b109b4c Cle...

Page 448: ...e to be started before configuring authentication on a wired network interface When using EAP the Orbit ETH port security mode must also be set to EAP The Orbit is agnostic to the specific EAP method chosen Examples in this document show Cisco PEAP and EAP TLS methods being used Windows configuration 1 Cisco PEAP mode 13 2 4 Following shows the configuration used to test Cisco PEAP mode on Windows...

Page 449: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 449 ...

Page 450: ... 2 5 Following shows EAP TLS mode on Windows with certificates A certificate must be issued for the Windows peer The client certificate and the issuing certificate can be imported using the certmgr msc utility The wired interface is configured as shown in the next few diagrams on the following pages ...

Page 451: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 451 ...

Page 452: ...452 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F ...

Page 453: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 453 ...

Page 454: ...sents the following notification on Windows Clicking the notification presents the certificate selection box where the imported certificate can be chosen Running Wireshark in administrator mode on the Windows peer captures the EAP TLS conversation between the Orbit and Windows This tool can be used to diagnose communication errors on the peer ...

Page 455: ... of configuring PEAP mode on Kubuntu Linux Unlike Windows there is no need to start a service on this distribution Also this is no certificate import utility the certificates can reside anywhere on the file system Kubuntu Linux configuration 2 EAP TLS mode 13 2 7 The following shows an example of configuring EAP TLS mode on Kubuntu Linux ...

Page 456: ...uthentication dot1x default group radius aaa authorization network default group radius aaa authorization network mylist none aaa session id common switch 1 provision ws c2960s 24ts l dot1x system auth control spanning tree mode pvst spanning tree extend system id vlan internal allocation policy ascending interface FastEthernet0 no ip address interface GigabitEthernet1 0 1 switchport mode access i...

Page 457: ...ite under Orbit MCR Software Firmware Downloads Support Items and download license declaration n_n_n txt Upon request in accordance with certain software license terms GE will make available a copy of Open Source code contained in this product This code is provided to you on an as is basis and GE makes no representations or warranties for the use of this code by you independent of any GE provided ...

Page 458: ...d by the country for the Orbit MCR Operation of the unit must be in full compliance with all country and regional requirements Table 15 1 Country Specific Installation Data Country Applicable Symbol s Installation Operating Requirements Australia For professional use only not for sale to the general public Hot surface this product is only suitable for installation In restricted access locations ...

Page 459: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 459 NOTES ...

Page 460: ...460 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F ...

Page 461: ......

Page 462: ...x and on any correspondence relating to the repair No equipment will be accepted for repair without an authorization number Return authorization numbers are issued online at www gedigitalenergy com Communications htm On the left side of the page click Login to my MDS and once logged in click Service Request Order Your number will be issued immediately after the required information is entered Plea...

Page 463: ...GE MDS LLC Rochester NY 14620 Telephone 1 585 242 9600 FAX 1 585 242 9620 www gemds com 175 Science Parkway ...

Reviews:

No comments

Related manuals for MDS ORBIT ECR

Brand: H3C Pages: 22

Brand: H3C Pages: 3

Brand: Netis Pages: 16

Brand: Paradyne Pages: 6

ISDN SOHO Router

Brand: AOpen Pages: 89

airHaul Nexus sB3010

Brand: SmartBridges Pages: 80

AlterPath Manager 2500

Brand: Cyclades Pages: 368

Brand: V-Count Pages: 2

DynaGST/2402G GEP-33224T-1

Brand: UNICOM Pages: 17

Brand: WTI Pages: 178

Brand: Planet Pages: 16

Brand: Vivotek Pages: 46

Brand: Paradyne Pages: 28

Brand: Umniah Pages: 12

RGB 460xi FSR Series

Brand: Extron electronics Pages: 9

Brand: Crestron Pages: 40

Brand: Huawei Pages: 3

Brand: Johnson Controls Pages: 45

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands