manualshive.com logo in svg

GE MDS ORBIT MCR, Technical Manual, Page: 214 / 463

Share
Download
GE MDS ORBIT MCR Technical Manual Download Page 214

 

 

214 

 

MDS Orbit MCR/ECR Technical Manual 

MDS 05-6632A01, Rev. F

 

-

 

Stale - The neighbor is not currently unreachable. The unit reevaluates the state of stale 
neighbors the next time it attempts to send traffic to them. 

-

 

Delay - The neighbor was formerly in a Stale state, and a recent attempt to send traffic to 
it failed. 

-

 

Probe - The neighbor was formerly in a Delay state, and the unit is currently sending 
ARPs/neighbor solicitations in an attempt to reach the neighbor. 

  Access Control List (Packet Filtering / Firewall) 

3.8.8

Understanding 

Packet filtering is a component of the firewall service. It can be used to permit or deny incoming or 
outgoing traffic on an interface. 

Packet filtering allows configuring and applying a packet filter (also called Access Control List, or ACL) 
to incoming or outgoing traffic on an interface. A filter is a set of one or more rules. Each rule consists of 
two parts: 

 

Matching criteria that a packet must satisfy for the rule to be applied. Matching criteria consists of 
various parameters like protocol, source/destination addresses and ports etc. 

 

Actions that specify what to do with the packet when the matching criteria is met, for example, to 
drop or accept the packet. 

The filter can then be applied to an interface in the incoming or outgoing direction. Typically, different 
filters are applied in the incoming and outgoing direction on an interface. For example, a filter applied to 
the cellular (WAN) interface of the MCR is typically very restrictive, permitting only a small set of traffic 
to enter the unit, whereas outgoing filter might permit all outgoing traffic etc. 

The MCR includes the four pre-configured filters shown below: 

Table 3-18. Predefined Filter Names and Default Settings 

Filter Name 

Actions 

IN_TRUSTED 

Allow ingress of all traffic 

IN_UNTRUSTED 

Allow ingress of ICMP traffic, DNS response traffic, 
drop all else 

OUT_TRUSTED 

Allow egress of all traffic 

OUT_UNTRUSTED 

Allow traffic originating from the interface to which this 
filter has been applied and from addresses specified 
in LOCAL-NETS address-set (typically LAN network). 

If the Firewall service is enabled, filters specifying ingress and egress rules must be applied to each 
network interface on the device. The MCR's network interfaces allow no traffic to pass unless a filter is 
applied to each one allowing them to do so. Except for the Cell, each network interface on the MCR is 
preconfigured with IN_TRUSTED as an input filter, and OUT_TRUSTED as an output filter. This allows 
all traffic to enter and exit the unit.   

The diagrams below provide a simplified view of packet flow for various categories of traffic flows going 
in and out of the MCR unit when packet filtering is enabled.  

Figure 3-120 shows the flow of packets terminating at the unit, such as device management traffic using 
SSH or NETCONF protocol terminating at local device management process within the unit. 

 

 

Summary of Contents for MDS ORBIT MCR

Page 1: ...MDS ORBIT MCR Multiservice Connect Router MDS ORBIT ECR Edge Connect Router MDS 05 6632A01 Rev F May 2016 Including New Features from Firmware Revsion 4 6 x Technical Manual Technical Manual...

Page 2: ...videos Orbit MCR Learning and Development YouTube Channel Quick Start instructions for this product are contained in publication 05 6709A01 Visit our website for downloadable copies of all documentati...

Page 3: ...RROWBAND 21 2 3 6 2 4 TYPICAL APPLICATIONS 22 2 5 MCR AND ECR CONNECTORS AND INDICATORS 22 2 6 GROUNDING CONSIDERATIONS 28 2 7 MOUNTING OPTIONS 29 OPTIONAL DIN RAIL MOUNTING 30 2 7 1 2 8 ANTENNA PLANN...

Page 4: ...1 LAN 193 3 8 2 ETHERNET PORT SECURITY PORT BASED AUTHENTICATION 199 3 8 3 VLAN OPERATION 200 3 8 4 BRIDGING 203 3 8 5 ROUTING 206 3 8 6 STATIC NEIGHBOR ENTRIES 211 3 8 7 ACCESS CONTROL LIST PACKET F...

Page 5: ...395 6 7 CLI ENVIRONMENT 396 6 8 COMMAND OUTPUT PROCESSING 397 6 9 COUNT THE NUMBER OF LINES IN THE OUTPUT 398 6 10 SEARCH FOR A STRING IN THE OUTPUT 398 6 11 REGULAR EXPRESSIONS 399 6 12 DISPLAY LINE...

Page 6: ...BIT 426 12 2 1 CISCO IOS 432 12 2 2 12 3 GRE IPSEC WITH JUNIPER JUNOS 437 ORBIT 437 12 3 1 JUNOS 441 12 3 2 13 0 APPENDIX H 802 1X PORT AUTHENTICATION W EAP 446 13 1 OVERVIEW 446 13 2 CONFIGURATION EX...

Page 7: ...must not be co located All transmission antennas must be at least 20 cm apart to comply with FCC co location rules Orbit Device vs Minimum RF Safety Distance Radio Module Equipped Minimum Safety Dist...

Page 8: ...egulations and obey all signs and notices Do not use the Orbit MCR when you suspect that it may cause interference or danger Near Medical and life support equipment Do not use the Orbit MCR in any are...

Page 9: ...nual updates can be found on our web site at www gemds com Environmental Information The manufacture of this equipment has required the extraction and use of natural resources Improper disposal may co...

Page 10: ...cordance with CSA STD C22 2 No 213 M1987 CSA Conditions of Approval The transceiver is not acceptable as a stand alone unit for use in the hazardous locations described above It must either be mounted...

Page 11: ...an explosive gas atmosphere other than mines susceptible to firedamp 3 G Zone 2 Normal Protection level Gas Provides a low level of protection and is intended for use in a Zone 2 hazardous area Ex nA...

Page 12: ...shall be installed in an enclosure that maintains an ingress protection rating of at least IP54 and meets the enclosure requirements of EN 60079 0 and EN 60079 15 The installer shall ensure that the m...

Page 13: ...ncia a sistemas operando em car ter prim rio Este produto est homologado pela Anatel de acordo com os procedimentos regulamentados pela Resolu o n 242 2000 e atende aos requisitos t cnicos aplicados...

Page 14: ...e que este equipo o dispositivo no cause interferencia perjudicial y 2 este equipo o dispositivo debe aceptar cualquier interferencia incluyendo la que pueda causar su operaci n no deseada New Zealand...

Page 15: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 15...

Page 16: ...n site Figure 1 1 MCR 4G Unit Standard 2E1S configuration shown Figure 1 2 ECR 900 Unit With a common hardware architecture and user interface the MCR and ECR offers flexibility in network design and...

Page 17: ...TE North America ECR 4GS Name for the product when configured with 4G LTE EMEA APAC ECR 3G Name for the product when configured with 3G ECR 900 Name for the product when configured with unlicensed 900...

Page 18: ...er in some cases command lines will be shown with non bolded italicized text contained within the string Such text indicates the need for user supplied variable parameters such as the name of an item...

Page 19: ...y the serial or Ethernet connections on the unit s front panel Do not use the USB port in hazardous locations Network Management System Orbit MCR is supported by GE MDS PulseNET a Network Management S...

Page 20: ...rth America 2 3 3 This 4G modem supports following technologies LTE 1900 B2 AWS B4 850 B5 700 B13 700 B17 1900 B25 GSM GPRS EDGE 850 900 1800 1900 MHz UMTS HSPA HSPA 2100 B1 1900 B2 AWS B4 850 B5 900...

Page 21: ...orts multiple SAFs on any level Automatically adjusts Media Access scheme for SAF network to support simultaneous communications at alternating levels and minimize latency using dynamic fragmentation...

Page 22: ...hat are located on a local internal private LAN or WiFi network The unit acts as an Access Point on the WiFi interface to provide connectivity to WiFi clients Figure 2 1 shows an example network in wh...

Page 23: ...ollows The unit s LED Indicator Panel is described in Table 2 5 Figure 2 3 ECR Connectors and Indicators Sample configuration with Cell WiFi Ethernet and Serial port PWR Two conductor DC input connect...

Page 24: ...iency based on the system s operating characteristics As viewed from the outside the unit Table 2 1 ETH1 2 Pin Details Pin Function Pin Function 1 Transmit Data TX High 5 Unused 2 Transmit Data TX Low...

Page 25: ...llowing page provide pin descriptions for the COM1 data port in RS 232 mode and RS 485 modes respectively NOTE The COM2 port if present is restricted to RS 232 mode it cannot be used for RS 485 As vie...

Page 26: ...ed device COM1 Port notes and wiring arrangements for RS 485 The COM1 port supports 4 wire and 2 wire RS 485 mode as follows RXD RXB and RXD RXA are data sent into the unit RXD RXB is positive with re...

Page 27: ...Indicators Table 2 4 Description of LED Status Indicators LED Name LED State Description PWR DC Power Off Solid Green Fast Blink Red 1x sec No power to unit Unit is powered no problems detected Alarm...

Page 28: ...rowband LnRadio MCR LN 3G Cellular Lic Narrowband LnRadio MCR LN Only Off Lic Narrowband LnRadio Table 2 6 ECR NIC LED Descriptions Product Configuration NIC1 NIC2 ECR 4G WiFi Cellular WiFi ECR 4G Onl...

Page 29: ...if possible All grounds and cabling must comply with applicable codes and regulations One source for lightning protection products may be found online at http www protectiongroup com PolyPhaser 2 7 M...

Page 30: ...l cables to prevent moisture from running along the cables and into the unit Optional DIN Rail Mounting 2 7 1 If ordered with the DIN rail mounting option the unit is supplied with a DIN rail clip att...

Page 31: ...ctly Connected Cellular Antenna Typical Style GE MDS Part No 97 2485A04 WiFi Antenna Antenna connection for 2 4 GHz WiFi service The connector appears similar to the cellular connectors discussed abov...

Page 32: ...4278A34 using a magnetic mount GE MDS PN 97 4278A78 This configuration offers easy mobility for evaluation purposes or indoor applications with good cellular signal coverage see Figure 2 11 Figure 2 1...

Page 33: ...2 12 Typical Yagi Antenna mounted to mast Feedlines Selection of an antenna feedline is very important Poor quality cable should be avoided as it will result in power losses that may reduce the range...

Page 34: ...factory representative or visit www gemds com to obtain a copy of the guide Table 2 9 Accessories Ancillary Items Item Description Part Number DC Power Plug 2 pin polarized Mates with power connector...

Page 35: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 35...

Page 36: ...use a user interface to add remove or alter a piece of configuration data The second step is to use the user interface to commit the change Multiple changes can be made prior to committing them This t...

Page 37: ...ollowed by a slash character and ending with the bit length max 32 of the prefix A subnet mask is expressed in dot decimal notation For example 192 168 1 0 24 is equivalent to specifying 192 168 1 0 w...

Page 38: ...ce Manager Overview Screen For initial configuration the Setup Wizard will appear and provide guidance in typical setups This will be disabled after initial setup is completed but may be re run at any...

Page 39: ...iew Validate and Cancel Clicking the button defaults to Validate and saves the changes Figure 3 6 Save Button Changes to commit From the CLI all changes are made and committed using by using the commi...

Page 40: ...en your primary key is lost If you don t make a spare you are always at risk of locking yourself out A one time recovery password is different from the one used to log into the unit on a routine basis...

Page 41: ...cessed via TCP for example SSH Deleting a One Time Password As noted earlier a one time password is automatically revoked when it is used for log in A revoked password may be replaced but it must firs...

Page 42: ...must be deleted if there are no more password slots available Change Default Passwords 3 1 3 For security purposes it is highly advised to change the default passwords for all user roles This is acco...

Page 43: ...User Authentication 1 Update factory default passwords Secure login access into Orbit with local or RADIUS based user authentication Device Management 2 Secure access to Orbit for device management b...

Page 44: ...meet field requirements but comes preconfigured as follows The COM and USB ports are enabled for local console operation When applicable interfaces are preconfigured as members of a bridge A DHCP ser...

Page 45: ...3 2 Checklist for Initial Setup Configuration Step Applicable Manual Section Comment Additional Information Establish connection to the device SSH Serial USB Web Initial Settings Overview Specific Ap...

Page 46: ...ular service in the listed Appendix Configuring for 900MHz operation if present 3 5 4 Unlicensed 900 MHz ISM NX915 NX915 is the hardware module that provides the 900 MHz operations It is factory confi...

Page 47: ...rts WiFi and the bridge The following chart lists the required steps to configure the MCR for this specific scenario Note that for each step the linked manual section is provided as well as detailed i...

Page 48: ...CR 1 Configure to bridge traffic from ETH1 and WiFi 3 8 5 Bridging Add ETH1 and WiFi to the bridge Orbit MCR 1 Set bridge IP address 3 8 5 Bridging Set to 192 168 1 21 prefix length 24 Orbit MCR 1 Ena...

Page 49: ...myssid Orbit MCR 1 Configure to bridge traffic from ETH1 and WiFi 3 8 5 Bridging Add ETH1 and WiFi to the bridge Orbit MCR 1 Set bridge IP address 3 8 5 Bridging Set to 192 168 1 21 prefix length 24...

Page 50: ...e incoming out of network address to drop all other traffic IN_UNTRUSTED 3 8 8 Access Control List Packet Filtering Firewall Set Rule 10 protocol all Action drop Configure the outgoing destination to...

Page 51: ...unication Serial Interface 3 4 2 Follow these steps to configure the unit for its first use with serial console interface Connect a PC to the unit s COM port as shown in Figure 3 16 Maximum recommende...

Page 52: ...3 Change the device name by typing in the following followed by enter set system name Device539 set system name Device539 Step 4 Verify the change looks correct by reading the data back using the foll...

Page 53: ...e used as a quick reference before consulting the more detailed information which follows in this section Each CLI command is preceded by the symbol for operational command or for a configuration comm...

Page 54: ...ice name set system name Mydevice Set the baud rate on COM1 set services serial ports COM1 baud rate b19200 Download a firmware package from TFTP server at 192 168 1 10 request system firmware reprogr...

Page 55: ...mmands will configure the MCR for this scenario set interfaces interface Wi Fi type wifi set interfaces interface Wi Fi wifi config mode access point ap config ap myssid enabled true set interfaces in...

Page 56: ...erface Bridge bridge settings members wifi ap myssid set interfaces interface Bridge ipv4 address 192 168 1 21 prefix length 24 set services dhcp enabled true v4subnet 192 168 1 0 24 domain name gemds...

Page 57: ...ing Connectivity to Serial Based SCADA Device via UDP The following commands will configure the Orbit MCR 2 for this scenario set interfaces interface Wi Fi type wifi set interfaces interface Wi Fi wi...

Page 58: ...ol icmp set services firewall filter IN_UNTRUSTED rule 1 actions action accept set services firewall filter IN_UNTRUSTED rule 10 match protocol all set services firewall filter IN_UNTRUSTED rule 10 ac...

Page 59: ...vary depending on the Orbit MCR options ordered 3 5 Interface Configuration Serial Interface 3 5 1 A serial cable RJ45 cable with proper ETH to DB9 converter may be used to connect to a COM port on t...

Page 60: ...rity 1 stop bit 8O1 8 char bits odd parity 1 stop bit 8N2 8 char bits no parity 2 stop bits 8E2 8 char bits even parity 2 stop bits 8O2 8 char bits odd parity 2 stop bits Hw Flow Control Hardware flow...

Page 61: ...minal server 255 DEFAULT Vtime Receive Inter Byte Timeout The amount of time between bytes of data on the serial port in multiples of 1 millisecond that indicate the end of a serial message ready to b...

Page 62: ...devices including TransNET the device will act similar to a DTE but will provide signaling on the CTS line instead of the RTS line When the first character of a transmission is ready to be sent to the...

Page 63: ...ts Hold 2 This is also where VMIN and VTIME can be adjusted 3 Save the Configuration 4 CLI Configuration Commands Change ITALICS to fit the system Configure the following as an example set services se...

Page 64: ...al details ports COM1 line mode rs232 baud rate b115200 byte format bf8n1 hw flow control false vmin 255 vtime 1 capability rs485 2 wire rs485 4 wire ports COM2 line mode rs232 baud rate b19200 byte f...

Page 65: ...below table for approved Antenna Types Table 3 4 Approved Cell Antenna Types Application Location Frequency Range Gain Antenna Description GE MDS Part Number 3G 4G Cellular Indoor 698 2700MHz CELL BAN...

Page 66: ...unit will use the first connection profile to establish connection with the cellular network If connection profile switching described later is enabled then the unit will switch to second profile in t...

Page 67: ...ho messages to a remote host server periodically to keep the connection alive Service Recovery Service recovery configuration If multiple cellular providers are supported the Connection Profile Switch...

Page 68: ...been set up with Verizon wireless a SIM card will be issued from that account When the modem is powered up with such a SIM the default APN on the modem is automatically updated to the one that identif...

Page 69: ...eter specifies the number of keep alive messages that are sent before modem recovery is attempted DEFAULT 15 configurable only when recovery on timeout is enabled Service Recovery The service recovery...

Page 70: ...ilure occurs when using the current profile DEFAULT FALSE disabled Switch to Next on Failure Timeout This parameter specifies the time interval for which data connection is attempted using the current...

Page 71: ...E Dual SIM functionality is a selective order entry feature Default units are shipped with only SIM A enabled SIM B is not supported Monitoring From the Web UI status of the cell module can be reviewe...

Page 72: ...be to free up buffer space In Errors For packet oriented interfaces the number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol In Unknown Pr...

Page 73: ...rfaces Cell Status Cellular Figure 3 28 Cell Operational Status Screen Imsi International mobile subscriber identity Imei International mobile equipment identity Iccid Unique serial number of the SIM...

Page 74: ...t with Verizon Wireless 4G LTE modem operating show interfaces state interface Cell cell status cell status imsi 311480023786469 cell status imei 990000947614196 cell status iccid 89148000000234127091...

Page 75: ...a previous user When the previous command is entered a number of items are returned as shown in the example below The first two items highlighted blue show the IMSI and IMEI codes These are unique for...

Page 76: ...em section The following example shows how to upload a cell modem firmware image file through the web browser and reprogram the cel modem with that image file Navigate to Interfaces Cell Actions Repro...

Page 77: ...ing the cell modem firmware from the CLI enter the following command to download the firmware image from the TFTP server request interfaces interface Cell firmware reprogram filename cell 4g5 1 0 2 mp...

Page 78: ...int or Station The specifications for the WiFi module are covered in LN400 101D LN400 LN900 101D LN900 2 4 GHz WiFi Specifications on Page 385 The table below contains the list of GE MDS approved ante...

Page 79: ...eys via RADIUS The default SSID is based on the unit s serial number and takes the form of GEMDS_ SERNUM the serial number is printed on the chassis sticker The default password for WiFi operation is...

Page 80: ...ULT 15 dBm 3 5 3 1 AP Mode Configuration To configure the parameters necessary for Access Point mode start by using the following section of the web UI Navigate to Interfaces Wi Fi Basic Config Wi Fi...

Page 81: ...k on the ADD button or to delete an AP click on the SSID and then the Delete button By default an access point will be configured with the SSID GEMDS SERNUM and the WiFi password GEMDS ORBIT To edit a...

Page 82: ...Access Only one VLAN can be configured on an access interface traffic carried for only one VLAN Trunk Two or more VLANs configured on a trunk port several VLANs can be carried simultaneously NOTE Reme...

Page 83: ...d is created this will become the first SSID and the SSID ssidexample will become the second SSID Each SSID is independent of the other except for the parameters noted above Each SSID can be in or out...

Page 84: ...ion mode to use Ccmp AES based encryption mechanism that is stronger than TKIP for WPA2 Tkip a stream cipher is used with a 128 bit per packet key meaning that it dynamically generates a new key for e...

Page 85: ...ct normally contains a MAC address The interface s media specific modules must define the bit and byte ordering and the format of the value of this object For interfaces that do not have such an addre...

Page 86: ...e transmitted and which were not addressed to a multicast or broadcast address at this sub layer including those that were discarded or not sent Out Broadcast Pkts The total number of packets that hig...

Page 87: ...s since last packet Rxbytes received byte count Rxpackets received packet count 3 5 3 6 WiFi Status When Configured as a Station Figure 3 41 WiFi Station Statistics Information Ssid SSID of access poi...

Page 88: ...ap somessid broadcast ssid true station max 7 station timeout 300 beacon interval 100 privacy mode none vlan mode none channel 6 operation mode 80211g dtim period 2 rts threshold 2347 fragm threshold...

Page 89: ...i wifi config details mode access point tx power 15 ap config ap somessid broadcast ssid false station max 7 station timeout 300 beacon interval 100 privacy mode wpa2 personal psk config encryption cc...

Page 90: ...nd SSID is intended to support auxiliary applications such as a dedicated management connection or guest LAN access The following example sets up a second Wi Fi AP with the SSID of somessid2 to the pr...

Page 91: ...is created this will become the first SSID and the SSID somessid2 will become the second SSID Each SSID is independent of the other except for the parameters noted above Each SSID can be in or out of...

Page 92: ...statistics statistics discontinuity time 2013 09 24T13 12 25 04 00 statistics in octets 3747 statistics in unicast pkts 26 statistics in multicast pkts 0 statistics in discards 0 statistics in errors...

Page 93: ...of FHSS Frequency Hopping Spread Spectrum DTS Digital Transmission System and hybrid FHSS DTS technologies to provide dependable wireless communications The GE MDS NX915 NIC module is a point to mult...

Page 94: ...ty when compared to 1000W kbps For clear spectrum use 1000W for unknown or busy spectrum it s safer to use the narrow 1000N modem Table 3 10 Approved NxRadio Antenna Types Application Location Frequen...

Page 95: ...red to operate in the top half of the band while the Orbit can have its NX915 module configured for the lower half By default the radio ships from the factory with the 500kbps modem selected Dwell tim...

Page 96: ...io Interface LED Descriptions LED NIC2 State Description NxRadio Interface Off Interface disabled Access Point Mode Blink Red Solid Red Solid Green NIC Initialization No Remotes connected Linked with...

Page 97: ...not all the same and optimizing the system may take a little configuring based on Noise Floor Data Type Data Volume An LQI of 255 is reported on a given channel s during the setup sequence and might...

Page 98: ...l authenticate with the AP PSK or a backend RADIUS server EAP before they are allowed to pass data on the network The authentication protocol is compliant with IEEE 802 1X If device authentication is...

Page 99: ...FAULT Header Compression Disabled by DEFAULT Enable disable over the air robust header compression This feature compresses IP headers to improve system performance and is most useful in applications t...

Page 100: ...DEFAULT aes128 ccm Protect data with 128 bit AES encryption using CCM mode aes256 ccm Protect data with 256 bit AES encryption using CCM mode Passphrase The passphrase used in PSK mode 8 to 64 letters...

Page 101: ...icult to detect weak signals if at all but enhance the probability to detect the stronger ones High Sensitivity set when operating in a low noise environment with minimal radio interference DEFAULT Hi...

Page 102: ...ARP to the intended device ADR Mode Adaptive data rate mode controls whether the NIC will attempt to use different modem speeds for different remotes All downstream traffic uses the lowest rate only...

Page 103: ...with defaults The advanced configuration on an NX915 module operating as a Remote shares the same configuration for LNA state stale packets timeout and data retries as an Access Point Using the defaul...

Page 104: ...k Name The name of the network Used to control what networks is connected to Valid values 1 to 31 letters DEFAULT mds nx The network name string is used to identify the logical network the device as a...

Page 105: ...otocol Encryption The type of encryption to perform none No data privacy DEFAULT aes128 ccm Protect data with 128 bit AES encryption using CCM mode aes256 ccm Protect data with 256 bit AES encryption...

Page 106: ...e lowest rate only upstream traffic can use the variable rate ADR setting is automatically learned by remotes but remotes modem must be set to Auto or 125 for 125 250kbps or 500 for 500 1250 kbps oper...

Page 107: ...etwork Remote DEFAULT Access Point Store and Forward Network Name The name of the network Used to control what networks the radio connects to Valid values 1 to 31 letters DEFAULT is mds nx The network...

Page 108: ...ty Mode The type of authentication to perform none Provide no device authentication or data privacy DEFAULT psk Use pre shared key authentication protocol eap Use Encapsulated Authentication Protocol...

Page 109: ...ll not be trying extra to amplify the collocated RF noise It will be more difficult to detect weak signals if at all but enhance the probability to detect the stronger ones High Sensitivity set when o...

Page 110: ...shold the NIC will attempt to use a faster modem ADR Threshold must be set for each radio Remotes and AP This is advantageous in that you can run the majority of the network in ADR mode but if a parti...

Page 111: ...s sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer In Multicast Pkts The number of packets delivered by this sub layer to a higher sub layer which were add...

Page 112: ...d packets that could not be transmitted because of errors NX Status Monitoring Interfaces NxRadio Status Nx Radio Figure 3 57 ISM 900 NX Status Init Status State of the NIC Initialization Off Not oper...

Page 113: ...ratio of RF power out to power reflected is approaching a 4 1 ratio or higher ideally this should be 1 1 This should be corrected to achieve optimal radio performance It may be helpful to use an SWR t...

Page 114: ...ation Regarding LQI MAC Statistics Figure 3 59 ISM 900 NX MAC Statistics Tx Success Successful transmissions Tx Fail Failed transmissions TTL expired or retry count exceeded Tx Queue Full Failed trans...

Page 115: ...cess point with the network name of MyNetwork and default settings set interfaces interface NxRadio nx config device mode access point network name MyNetwork show interfaces interface NxRadio nx confi...

Page 116: ...ase and aes128 ccm encryption set interfaces interface NxRadio nx config data compression lzo security encryption aes128 ccm security mode psk passphrase mypassphrase show interfaces interface NxRadio...

Page 117: ...agment threshold 0 remote age time 600 endpoint age time 300 allow retransmit true arp cache false adr mode none adr threshold 70 encryption protocol 2 0 Other configuration The following will configu...

Page 118: ...w retransmit true arp cache false adr mode none adr threshold 70 encryption protocol 2 0 Remote Mode The following will configure the NX915 module as a Remote with the network name of MyNetwork and de...

Page 119: ...ed config lna state high sensitivity stale packet timeout 1500 data retries 3 nic id 0 gateway id 0 arp cache false adr mode none adr threshold 70 encryption protocol 2 0 The following configures the...

Page 120: ...nfigured the module to automatically obtain a path in the network This is particularly useful in a network that contains Store and Forward devices Store and Forward Mode Basic configuration with defau...

Page 121: ...k access Monitoring Ensure the CLI is in operational mode Access Point Mode The following shows status with two remotes connected show interfaces state interface NxRadio nx status tab nx status init s...

Page 122: ...24 840000 72 8 75 925 762500 72 7 78 926 685000 73 7 Remote and Store and Forward Mode The following shows status when connected to a configured Access Point show interfaces state interface NxRadio nx...

Page 123: ...G AVG CHANNEL FREQUENCY RSSI LQI 0 902 700000 68 7 3 903 622500 69 6 6 904 545000 69 6 9 905 467500 69 6 12 906 390000 70 6 15 907 312500 70 7 18 908 235000 71 5 21 909 157500 71 5 24 910 080000 72 6...

Page 124: ...reater throughput then traditional FSK solutions The module utilizes QAM modulation a highly efficient PA and a direct conversion receiver to provide dependable wireless communications An advanced Med...

Page 125: ...smit and Receive frequencies are unprogrammed and left to field installation personel to prevent inadvertant operation on the wrong channel For the advanced user the module supports configuring more i...

Page 126: ...works in both upstream and downstream mode The mode selection varies between QPSK 16QAM and 64QAM A signal metric score is used to decide which modem selection to use The score is determined based on...

Page 127: ...etwork that the device should join If the network name does not match the device will log an event to identify network name collisions Data Compression Over the air compression lzo Compresses the over...

Page 128: ...seful in networks with some remotes close to the Access Point and others farther away or obstructed This mode allows the close remotes to take advantage of the higher data rate for the directed messag...

Page 129: ...Narrowband LN EAP on an access point Security Settings Security Mode The type of over the air authentication to perform none Provide no device authentication or data privacy DEFAULT psk Use pre share...

Page 130: ...cate Management side menu section 3 9 Radius Server AP EAP mode only A reference to the RADIUS server configuration configured through the System RADIUS side menu item section 3 7 4 Rekey Interval AP...

Page 131: ...967295 seconds DEFAULT 300 5 minutes Allow Retransmit AP only All traffic from the remotes is sent to the AP When enabled the AP will retransmit traffic from one remote to another based on the MAC add...

Page 132: ...he interface Licensed Narrowband radios appear as ln Admin Status The desired state of the interface Oper Status The current operational state of the interface If Index The index value for this interf...

Page 133: ...aces the number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol Out Octets The total number of octets transmitted out of the interface includ...

Page 134: ...Firmware Revision NIC Firmware Revision Temperature The transceiver temperature in degrees C Modem Tx Success Number of packets successfully transmitted by the modem Modem Tx Error Number of transmit...

Page 135: ...ut the Licensed Narrowband NIC s hardware is also displayed on the LN Radio s Statistics menu This information may be helpful when calling technical support Connections Status AP Only In AP mode the C...

Page 136: ...ince link established After 4294967295 seconds the value displayed rolls over to 0 RSSI The RSSI measured at the time of the last received packet If using this reading to align an antenna or gather li...

Page 137: ...re automatically resuming normal operation We recommend that you remain in test mode 10 minutes or less State Receive Enter Receive mode to check the RSSI of a received signal Keyed Key the transmitte...

Page 138: ...ata retries 3 packet ttl 600 remote age time 600 endpoint age time 300 allow retransmit true arp cache false qam16 threshold 85 qam64 threshold 70 Security configuration The default security mode as s...

Page 139: ...ication is selected from a list of configured Radius servers set interfaces interface LnRadio ln config security encryption aes256 ccm security mode eap radius server RADIUS_SERVER show interfaces int...

Page 140: ...uency 451 4 channel 12 5KHz 9 6ksps modulation automatic fec false security security mode none encryption none advanced config data retries 3 nic id 0 inactivity timeout 600 remote age time 600 arp ca...

Page 141: ...and Keys to use in the TLS authentication This information is selected from the PKI configuration set interfaces interface LnRadio ln config security encryption aes128 ccm security mode eap eap mode...

Page 142: ...queue full 0 ln status mac stats mac tx error 0 ln status mac stats mac tx retry 132 ln status mac stats mac rx success 17952 ln status mac stats mac rx error 498 ln status last rx packet last rssi 1...

Page 143: ...168 1 51 ln status ap info connected time 174 ln status ap info rssi 68 ln status ap info evm 0 ln status ap info rx modulation qpsk ln status last rx packet last rssi 68 ln status modem stats modem...

Page 144: ...ces state interface LnRadio ln status test mode state keyed time 5 To enter Test Mode s receive state for 5 minutes request interfaces state interface LnRadio ln status test mode state receive time 5...

Page 145: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 145...

Page 146: ...interface status Event Logging 3 6 2 Understanding An event is a notification that something meaningful occurred on the unit Events contain information about the occurrence that may be useful for admi...

Page 147: ...is stored in the local event log True False Priority If logging to Syslog alert action must be taken immediately crit critical condition debug debug level messages emerg system is unusable err error...

Page 148: ...mple the follow shows the cell connect disconnect disabled for local logging this would be useful in an environment where the cell modem reconnects many times as part of normal operations Click on Add...

Page 149: ...click on the Add button when finished Clicking on the add buton will display the Event Rule Details option Clicking the Finish button will add the event rule From the CLI this modification can be mad...

Page 150: ...r Choices tcp udp tls tcp6 udp6 tls6 Message Format Choose either json_cee or text insert more info here If the TLS protocol is selected the following fields may be filled in TLS CA Certificate The na...

Page 151: ...e event log navigate to Logging Actions Clear Event Log and click on the Perform Action button Figure 3 73 Clear Event Log The following example shows how to clear the event log from the CLI request l...

Page 152: ...dvanced setting use default Block Size For TFTP the block size as defined in RFP 2348 advanced setting use default Timeout For FTP TFTP and SFTP the timeout in seconds advanced setting use default The...

Page 153: ...he percentage complete for the operation To view the status of the process in the CLI ensure the CLI is in operational mode and then follow the example below show logging export event log status loggi...

Page 154: ...incorporates a Iperf server that can be utilized by an external client Figure 3 76 Setup using iperf for throughput testing in a private network Iperf features TCP Measure bandwidth Report MSS MTU siz...

Page 155: ...boot to once the snapshot is restored Take note that restoring the unit to a snapshot will overwrite the current configuration and that it cannot be undone Three types of snapshots exist on an Orbit M...

Page 156: ...nit to the specified firmware image and restores the unit s configuration to the specified snapshot This operation cannot be undone Managing user snapshots The User Snapshots menu found under the Roll...

Page 157: ...rs including letters numbers dashes underscores and spaces Description Description of this user snapshot Up to 127 characters including letters numbers dashes underscores and spaces Optional Default S...

Page 158: ...s name Description The snapshot s description Date This is the date that the snapshot was created Version This is the firmware version that the unit was running at the time the snapshot was created U...

Page 159: ...ommand deletes the specified user snapshot request system recovery user snapshots delete identifier Snapshot1 You can set an existing snapshot as the default user snapshot with the following command r...

Page 160: ...le through the web UI and not through the CLI Server Address For FTP TFTP and SFTP the remote server s host name or IP address File Path For FTP TFTP and SFTP the path to the destination file on the r...

Page 161: ...k inactive preparing transfering cancelling complete failure cancelled Detailed Message The details regarding the operation such as Generating support package Size The total number of bytes in the pac...

Page 162: ...he ability to increase the complexity of the configured user login passwords User passwords can be configured to have a minimum length a minimum amount of lower case letters a minimum amount of capita...

Page 163: ...et the date and time use the request set current datetime request system clock set current datetime current datetime 2013 10 01T8 33 45 Automatic set using NTP or SNTP Server To use an NTP server the...

Page 164: ...g reliable NTP service such as pool ntp org Enabled Server enabled for use check True DEFAULT Iburst perform burst synchronization check True DEFAULT Prefer Use as preferred server check True DEFAULT...

Page 165: ...1 00 00 Geographical location 3 7 2 The geographical location of the unit can be manually This information can be configured using the initial setup wizard Latitude in degrees Longitude in degrees Alt...

Page 166: ...y to change the forgotten password See One Time Recovery Passwords on Page 39 Orbit user authentication provides the capability to manage the rules regarding logins and the setup rules regarding passw...

Page 167: ...method succeeds the user is denied access DEFAULT Local Users only Radius Sys Local Users Disable Non Admin Users Indicates whether or not tech and oper accounts are disabled DEFAULT false Note these...

Page 168: ...d to give preference to which method is used first when authenticating user access In the following example the list of RADIUS servers will be contacted first before the local authentication rules are...

Page 169: ...l back to local authentication if the unit is configured to do so Many RADIUS servers do not respond to an invalid login attempt To the unit this appears the same as if the server is not there The con...

Page 170: ...r 1 0 0 GEMDS value GEMDS UserAuth Group Administrator 2 GEMDS value GEMDS UserAuth Group Technician 1 GEMDS value GEMDS UserAuth Group Operator 0 The following line is required to be added to the ven...

Page 171: ...uest This should be the address of the interface that is making the request If it is not provided the system will determine the address automatically Alternative entry is to use a Domain Name string F...

Page 172: ...reprogram the firmware Users may add their own signatures to the firmware package using the GE MDS code signing tool NOTE Any additional signatures added to a firmware package will require the corresp...

Page 173: ...n The following example shows how to upload a host firmware image file through the web browser and store the uploaded image file into the inactive region in memory Navigate to System Firmware Actions...

Page 174: ...mcr bkrc 4_0_2 mpk from a TFTP server running on a host address 192 168 1 10 that is accessible from the MCR e g a locally connected host or remote host accessible via cellular interface To start rep...

Page 175: ...rmware system firmware reprogram status size 38043384 system firmware reprogram status bytes transferred 38043384 system firmware reprogram status percent complete 100 Upon completion the unit can be...

Page 176: ...ete The percentage complete for the operation To view the status of the verification process in the CLI ensure the CLI is in operational mode and then follow the example below show system firmware ver...

Page 177: ...hat the web page does not display the current status if the device has not been instructed to copy the firmware image in other words if the state is inactive Figure 3 92 Copy Image Monitoring The copy...

Page 178: ...llow approximately 2 minutes for the unit to complete the restarting process and refresh the screen Figure 3 93 Restart to Image To initiate a restart from the CLI ensure the CLI is in operational mod...

Page 179: ...aseline When calibration is completed the device enters operational mode In operational mode the axis readings adjusted by the calibration results are used to determine current axis values Readings wh...

Page 180: ...reshold for z axis Default 50 range 25 2000 NOTE None of these numbers for coordinates or thresholds has meaningful units They are just values that are all relative to each other A value of 50 cannot...

Page 181: ...fter calibration From the CLI the Device status when operational after calibration could be show system tamper detection magnetometer system tamper detection magnetometer calibration offsets x axis 91...

Page 182: ...ing from the configuration file on import will be assumed by the radio to be deleted Make certain that all necessary parameters are kept in the configuration file unless they are expected to be delete...

Page 183: ...host address 192 168 1 10 that is accessible from the MCR e g a locally connected host or remote host accessible via cellular interface To start the configuration file export from the CLI enter the f...

Page 184: ...how to have the device import a set of configuration parameters by uploading a local file through the web browser Navigate to System Config Files Actions Import Configuration Click on the Begin Import...

Page 185: ...ommand to download the configuration from the TFTP server request system configuration files import filename config 2016 02 04 xml manual file server tftp address 192 168 1 10 Monitoring Import Once t...

Page 186: ...acilitate the resolution of domain names to IP addresses NOTE Manual configuration of DNS overrides any DNS settings obtained via DHCP Configuring Using the Web UI The following example shows how to c...

Page 187: ...working properly The example below shows the resolution of the name example com to the IP address 192 0 43 10 on a unit that is connected to the Internet Use the control sequence CTRL C to stop the p...

Page 188: ...188 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F...

Page 189: ...n NAT Destination NAT Port Forwarding Translating the destination address and or port of traffic ingressing the unit Destination NAT allows forwarding of traffic directed to a public external network...

Page 190: ...network is not reachable through the higher preference route Link Layer 2 Failover The unit supports this feature by creation of a bond interface in an active backup mode that can aggregate a primary...

Page 191: ...ot vary in bandwidth or for those where no accurate estimation can be made this info should contain the nominal bandwidth For interfaces that have no concept of bandwidth this info is not present Open...

Page 192: ...dressed to a broadcast address at this sub layer including those that were discarded or not sent Out Multicast Pkts The total number of packets that higher level protocols requested be transmitted and...

Page 193: ...0 10 10 141 23 static LINK LAYER IP ADDRESS ORIGIN STATE 10 10 10 109 00 11 11 e0 2e 70 dynamic stale 10 10 10 98 80 c1 6e f0 3b 7a dynamic reachable LAN 3 8 2 Understanding The unit has external Loca...

Page 194: ...ed DEFAULT Disable will prevent usage Eth Phy Rate Choose the Ethernet speed support setting DEFAULT ALL Eth 10Mb Half Eth 10Mb Full Eth 100Mb Half Eth 100Mb Full Vlan Mode Virtual LAN Setting Etherne...

Page 195: ...sername the MAC address without punctuation of the peer device connected to Ethernet port Example 00063d089883 Password an encrypted version of the Username Calling Station Id the same as the Username...

Page 196: ...ngle VLAN Trunk Use this if this interface is intended to be a member of multiple VLANs Enabled Enable or disable the use of an IP address Forwarding Indicates if IPv4 packet forwarding is enabled or...

Page 197: ...lation of source IP address of the traffic going out of the interface Source NAT Masquerading Use for selecting and applying a source NAT rule set from available source nat rule sets to outgoing traff...

Page 198: ...nce shows how to configure the ETH1 port with a static IPv4 address configure Entering configuration mode private set interfaces interface ETH1 ipv4 address 192 168 1 11 prefix length 24 commit Monito...

Page 199: ...fic on the Ethernet port In MAB security mode the Orbit will block all traffic on the Ethernet port but it still captures Ethernet frame headers so that it can read the source MAC address of ingress t...

Page 200: ...traffic is not blocked security rejected The RADIUS server rejected the last authentication request security pending A RADIUS request was sent and the Orbit is waiting for a response VLAN Operation 3...

Page 201: ...re the newly created VLAN After clicking the OK button on the pop up in Creation will automatically take the configuration screen for that interface or click on the new interface located in the Interf...

Page 202: ...rfaces interface mgmt_vlan vlan config vlan id 99 set interfaces interface video_vlan type vlan set interfaces interface video_vlan vlan config vlan id 300 Operational Modes As previously shown in pre...

Page 203: ...unk port is not a member of the native VLAN and an untagged packet arrives on that port the packet will be dropped As VLANs are implemented as bridges and it is not valid for a bridge to be a member o...

Page 204: ...n the bridge are called routed interfaces Bridging is performed between bridged interfaces Routing is performed between routed interfaces The bridge interface itself is a routed interface NOTE The Cel...

Page 205: ...ation mode to the bridge set interfaces interface Bridge bridge settings members wifi station interface Wi Fi Removing LAN ETH1 interface from the bridge delete interfaces interface Bridge bridge sett...

Page 206: ...ed cost 100 designated bridge 8000 0002fd5dd280 designated port 32783 Routing 3 8 6 Understanding The Orbit MCR can forward IP packets between routed interfaces using a network path defined by the use...

Page 207: ...Current routes may be viewed on the unit at any time by navigating to Routing on the left side of the screen The unit s current routes are displayed under the Status tab Figure 3 112 Routing status sc...

Page 208: ...ected The example network path in Figure 3 1 requires an IPv4 address When previous routes have been configured the IPv4 Route table will display all user configured IPv4 static routes are listed as s...

Page 209: ...is the destination in the example above so the server s address 216 171 112 36 is used with a prefix of 32 Next Hop As mentioned above this is the next routing device that occurs in the network path...

Page 210: ...routes ipv4 route 1 description Default route outgoing interface Bridge dest prefix 0 0 0 0 0 next hop 192 168 1 1 commit Monitoring As mentioned in Configuring the unit s routes may be viewed on the...

Page 211: ...s may occur if a neighbor does not respond to ARPs or neighbor solicitations or responds incorrectly Configuration To add a static IPv4 neighbor to the Wi Fi interface that maps the IP address 192 168...

Page 212: ...r click the Add button The Configure New Neighbor menu appears Enter the neighbor s IP address and click Add Figure 3 118 Add New Neighbor Menu Following the IP address enter the neighbor s link layer...

Page 213: ...perational mode show interfaces state interface ipv4 neighbor LINK LAYER NAME IP ADDRESS ORIGIN STATE Bridge 192 168 1 3 00 80 c8 3b 97 bb dynamic reachable 192 168 1 2 00 12 17 5c 4f 2d dynamic reach...

Page 214: ...outgoing direction on an interface For example a filter applied to the cellular WAN interface of the MCR is typically very restrictive permitting only a small set of traffic to enter the unit whereas...

Page 215: ...r The first rules are added to permit the desired types of traffic and a final rule or default policy is created that denies all other traffic The example filter rules below permit SSH traffic on TCP...

Page 216: ...tricts incoming traffic Incoming IPsec tunnel traffic is allowed as are UDP services DNS NTP and IKE to allow IPsec connection setup Incoming TCP services SSH and NETCONF are also permitted to allow m...

Page 217: ...ard displays the list of existing packet filtering rules on the device The MCR comes with four pre configured filters IN_TRUSTED IN_UNTRUSTED OUT_TRUSTED and OUT_UNTRUSTED Existing filters may be edit...

Page 218: ...ules The following options are available Order Click the arrows to sort rules in order of priority Rules with higher priority are applied before rules with lower priority rule sets containing more tha...

Page 219: ...rce Port Apply rule to traffic that originates at a specific source port This option is available only with protocols SCTP TCP and UDP Services Services Port Range Not Services Not Port Range Services...

Page 220: ...Accept Allow packets to ingress or egress the unit Drop Block packets from ingress or egress Reject Block packets from ingress or egress and send an error message to the sender When ICMP protocol is...

Page 221: ...ming traffic will have these well known service ports as its destination port Set Destination Port to Services and enter netconf Ssh in the textbox next to Services Again ensure that Actions is set to...

Page 222: ...cipate that it will require outbound traffic restrictions in the future To allow interface specific customization we create a new packet filter To create a new filter click Add then Yes to verify the...

Page 223: ...the Firewall service is running each network interface and IPsec connection on the device must be assigned an input and output packet filter Otherwise no traffic will flow By default each network devi...

Page 224: ...apply the changes click Submit To view the list of packet filters that exist on the device at any time navigate to Firewall Basic Config and view the list of filters in the Filter tab Change the pack...

Page 225: ...on accept NOTE The rule stated in step 5 permits SSH or NETCONF connection addressed to the cellular interface s IP address If it is desired that SSH or NETCONF connection only be allowed via the VPN...

Page 226: ...ts in the private network will appear to have originated from a single IP address The IP address of the public interface of the MCR typically the cellular interface To allow return IP traffic for UDP...

Page 227: ...ell interface The following example will illustrate the necessary steps in three ways Using the Source NAT wizard through the web UI and via the CLI Using the Source NAT Wizard The Source NAT Wizard a...

Page 228: ...he checkbox next to an existing rule set and click Edit Selected or Delete Selected to modify existing rule sets To create a new rule set click the Add button Enter a name and click Ok to continue Fig...

Page 229: ...does not originate from a specific source address range Not Address Set Apply rule to traffic that does not originate within a non contiguous set of source addresses Destination IP Apply rule to traf...

Page 230: ...llular interface Click Next to continue Figure 3 142 Source NAT Wizard Summary Page A summary page appears that displays the changed items in the configuration s data model and the types of changes th...

Page 231: ...all current source NAT rule sets on the device To edit an existing rule set simply click on the rule set s name To delete an existing rule set highlight it and click the Delete button To add a new ru...

Page 232: ...be processed after a rule of ID 1 Therefore if the rules in a rule set should be applied in a particular order care must be taken to set the IDs accordingly In this example only one rule is required C...

Page 233: ...urce address to the specified address For this example rule select Interface Figure 3 151 Source Creation Click the check box from the left of Interface to apply this specifier to the rule Once finish...

Page 234: ...xample rule 1 source nat interface Apply this source NAT rule set to the cellular interface 4 set interfaces Cell nat source Example Commit configuration and exit configuration mode 5 commit Monitorin...

Page 235: ...s Configuring Destination NAT configuration on MCR involves following high level steps Create a destination NAT rule set 1 Add one or more rules to perform destination NAT for specific incoming traffi...

Page 236: ...on Wizards menu Figure 3 156 Port Forwarding Wizard Introductory Page The wizard s introduction page appears Click Next to continue Click Add to create a new rule set and enter name for the new rule s...

Page 237: ...s Figure 3 159 Creating a new destination NAT rule The following options are available within the rule creation menu Order Click the arrows to sort rules in order of priority Rules with higher priorit...

Page 238: ...sses Address Set Apply rule to a non contiguous set of destination addresses Not Address Apply rule to traffic that does not ingress at a specific address and prefix Not Address Range Apply rule to tr...

Page 239: ...ays the items in the configuration s data model that were changed and type of changes that occurred To save and apply the changes click Submit Using the Web UI To view the list of destination NAT rule...

Page 240: ...set services firewall nat destination rule set IO_SERVICES Create a rule to port forward Modbus TCP traffic that enters the cellular interface on port 5512 to 3 port 512 on the private HOST 1 set ser...

Page 241: ...ve MCRs cellular network connection to a VPN gateway on a back office network 172 16 1 0 24 Both subnets which are located in separate sites have the same IP address schemes 192 168 1 0 24 Two network...

Page 242: ...ng the Static NAT Wizard The following example demonstrates step by step static NAT configuration for Network A shown in Figure 3 164 During this example assume the following An IPsec connection named...

Page 243: ...Static NAT Wizard The following options are available within the rule creation menu Order Click the arrows to sort rules in order of priority Rules with higher priority are applied before rules with l...

Page 244: ...rule list from the dropdown box to the right of the interface or IPsec connection and click Next to continue A summary page appears that displays the items in the configuration s data model that were...

Page 245: ...ation and exit configuration mode 5 commit VPN 3 8 12 Understanding Orbit supports following types of Virtual Private Network VPN setups 1 Site to Site Policy Based IPsec L3VPN This is enables routing...

Page 246: ...remote LANs on the other side of the Remote IPsec router through a single GRE tunnel protected by transport mode IPsec connection Orbit also supports VLAN trunking over GRE tunnel for a case where th...

Page 247: ...tandards it was created by Cisco and hence is primarily only supported by Cisco routers designed for use as IPsec hub routers Orbit Spoke HUB Router LAN 10 0 2 0 24 LAN 10 0 1 0 24 Customer Network In...

Page 248: ...ation SAs during this phase setting up a secure channel for negotiating IPSec SAs in phase 2 IKE Phase 2 IPsec Security Association IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in...

Page 249: ...n The role specifies whether Orbit initiates the connection initiator or it waits for the connection from the peer responder This should usually be set to initiator Configure an IPsec policy specifyin...

Page 250: ...authentication will fail See section 3 7 1 Date Time and NTP on Page 162 In this example we assume that the pre shared key based authentication is used The VPN Setup Wizard is the simplest way to con...

Page 251: ...up Selection Screen Click Next to continue The next screen shows an example network diagram for the selected setup Figure 3 169 VPN Setup Network Diagram Click Next to continue The next screen require...

Page 252: ...N Force local address for this connection to an IP address resolved by the specified fully qualified domain name FQDN Local Identity Default address FQDN user FQDN DN Default Defaults to local IP addr...

Page 253: ...he Orbit is the initiator it uses IKE v2 If the Orbit is the responder it accepts either IKE v1 or IKE v2 according to the policy proposed by the initiator IKE v1 As an initiator or responder the Orbi...

Page 254: ...prior to running the VPN Setup Wizard The following options are available only when the authentication method chosen is Pre shared key Pre shared Key The pre shared key itself Click Next to continue...

Page 255: ...f the key in the Diffie Hellman key exchange Higher groups include more bits and are thus more secure but require more time to complete the key exchange For phase 2 ciphersuite configuration DH group...

Page 256: ...cases However in case one needs to configure some advanced setup or manipulate parameters that are not available for configuration in the wizard one can navigate to Services VPN to get full access to...

Page 257: ...he IPsec connection is detected Life Time 15 1440 The time interval in minutes after which the IKE security association expires DPD Enabled Enable Disable Enabling dead peer detection DPD clears an es...

Page 258: ...ction See section 3 8 8 Access Control List Packet Filtering Firewall for more information An inbound filter to the connection must be applied or no traffic will pass If a filter hasn t been created s...

Page 259: ...to no less than 300 seconds 5 minutes to reduce the periodic traffic in the network set services vpn ike peer VPN GW ike policy IKE POLICY 1 set services vpn ike peer VPN GW local identity default se...

Page 260: ...th method pub key Configure Public Key Infrastructure PKI security credentials 2 d Certificate type as rsa if RSA public key encryption based certificates are being used e Client certificate ID This i...

Page 261: ...tocol all set services firewall filter IN_UNTRUSTED rule 12 actions action drop 2 Add following rules to OUT_UNTRUSTED filter that is applied to the Cell interface in the outgoing direction set servic...

Page 262: ...Figure 3 174 VPN Status Under IKE panel click on the IKE security association row to view the detailed status Figure 3 175 VPN IKE Security Association Detailed Status Under IPsec panel click on the...

Page 263: ...75 138 local id 172 18 175 138 remote host 172 18 175 40 remote id 172 18 175 40 initiator true initiator spi b19beb547030c7c3 responder spi 259b6cf8efb75dcc ciphersuite AES_CBC 128 HMAC_SHA2_256_128...

Page 264: ...blished device can take 2 few minutes to sync time from NTP server VPN connection will not succeed until time is synchronized Mismatch in cipher suites configured for IKE policy on device and peer VPN...

Page 265: ...his value is only used if the client doesn t include a lease time in its DHCP request In IPv6 addressing this is also known as valid lifetime Min Lease Time The minimum number of seconds that a client...

Page 266: ...ation options are required Range Start The start of the range of IP addresses to be assigned Range End The last of the range of IP addresses to be assigned The following configuration options are opti...

Page 267: ...sses to be assigned Range End The last of the range of IP addresses to be assigned Once all configuration is complete click Save Using the CLI The following shows an example of configuring DHCP servic...

Page 268: ...CP connection is established then serial traffic from the COM port can pass to and from the TCP port as long as the TCP connection remains established When a terminal server on the unit is configured...

Page 269: ...is detected the login prompt is presented as long as the port is enabled for console access Basic Setup of UDP Terminal Server Configuring The following shows how to enable a UDP terminal server on C...

Page 270: ...Point to Multipoint Multipoint to Point Multipoint to Multipoint Local IPS Ipv4 IPS Configure to IPv4 address or leave blank for all Ipv6 IPS Configure to IPv6 address or leave blank for all Port The...

Page 271: ...pass through routers to a specified number of hops Setting TTL to a value of 0 restricts the frame to the same host Setting TTL to a value of 1 restricts the frame to the same subnet Setting TTL to a...

Page 272: ...0 sec DEFAULT If TCP Client Server is selected options for both TCP Client and TCP Server are available below displays the client side configuration Figure 3 188 TCP Terminal Client Settings Screen Re...

Page 273: ...it handles the transmission of the multicast UDP packets This static route must define the Outgoing Interface for the Orbit to use to get to a Destination Prefix of the full multicast subnet of 224 0...

Page 274: ...Pv4 2 Click on Add 3 Type a numeric ID 220 which will be used to identify this route and click Add 4 Enter the following 224 0 0 0 4 This destination prefix will cover the entire Multicast Subnet and...

Page 275: ...ox Configure the UDP Mode that best fits the system configure any local ports remote ports IPs and 14 Multicast ports IPs Figure 3 192 Example UDP TS Configuration Save the configuration 15 Command Li...

Page 276: ...x Packets The number of IP packets received IP Rx Bytes The number of IP bytes received Serial Tx Packets The number of serial packets transmitted Serial Tx Bytes The number of serial bytes transmitte...

Page 277: ...uration Therefore device management is allowed solely on ETH1 s IP address Figure 3 194 Device Management Example Network A contractor s laptop should be able to access the corporate intranet through...

Page 278: ...nt or empty the server will listen on all IPv6 addresses TLS Certificate The certificate to use for the HTTPS server If empty or not present a self signed certificate key pair will be used TLS Private...

Page 279: ...figure To configure SSH to listen only to a specific address navigate to SSH Server Basic Config Figure 3 198 SSH Menu Enabled Whether or not to run the netconf server Default true Port The port to li...

Page 280: ...erver to only listen for connections on the specified IPv6 addresses If not present or empty the server will listen on all IPv6 addresses Click Add an Entry next to IPv4 Bind IPs or IPv6 Bind IPs to a...

Page 281: ...faces The Remote Management Service allows you to use the web UI of a radio to manage a second radio remotely You can also peform a broadcast firmware update from one radio typically the AP to other r...

Page 282: ...ical Manual MDS 05 6632A01 Rev F Figure 3 200 Narrowband example network Configuration Using the WebUI Navigate to Services Remote Management and click the Basic Config tab Figure 3 201 Basic configur...

Page 283: ...d secret used to allow remote connections to or from the device It must be the same on both sides of the connection For greater security we recommend that you change this password and do not use the d...

Page 284: ...to reboot to the specified image version The Remote Management Service must be enabled on each remote radio in order for them to receive the request Interface The network interface on which to transm...

Page 285: ...vice and TX Rate and Block Size parameters are set to their most conservative values Interface The network interface on which to transmit the reboot request If a desired network interface is present i...

Page 286: ...al unit and port 8080 Only HTTP connections not HTTPS are possible at the present time Server IP Address Enter the IPv4 address of the remote unit that you wish to connect to When you click Perform Ac...

Page 287: ...so open a remote web UI session on Orbit LnRadio and NxRadio interfaces status menus if the local radio is serving as an access point To do so navigate to Interfaces LnRadio Status or Interfaces NxRad...

Page 288: ...eneral Status Displays whether the service is currently running Web Proxy Client Status The current state of the web proxy client Disabled The radio is currently not connected to a remote web UI Opera...

Page 289: ...ation mode The following command requests remote units to reboot to image version 4 0 4 request services remote management reboot remote devices interface Bridge which image version 4 0 4 The followin...

Page 290: ...For example with business critical traffic like SCADA traffic shaping can be setup to guarantee that this class of traffic will always have at least 100Kbyte s of an 800Kbyte s link regardless of the...

Page 291: ...s Interface Bridge Ethernet Classifiers IPv4 Classifiers Packet Queue Egress Interface Figure 3 210 Packet classification of bridged traffic It is important to note that the Ethernet classifiers are o...

Page 292: ...at QoS is Enabled Figure 3 211 Enabling QoS To create a classifier for GOOSE messages click Add in the Classifier submenu The Configure Classifier Details appears Figure 3 212 Naming a new classifier...

Page 293: ...w match rule First give the new match rule a name and click the Add button Figure 3 215 Match Menu A match rule can be created to classify on either IPv4 or Ethernet In this example we use ether type...

Page 294: ...er Higher priority packets will always be serviced first If there is excessive high priority traffic lower priority packets may be lost Fairness A fairness policy attempts to split up the traffic into...

Page 295: ...pears Figure 3 221 Configuring a QoS priority class The following options are configurable Priority 1 16 This is the priority to be assigned to packets that match the classifier 1 is the highest prior...

Page 296: ...n interface Using the CLI Example Prioritize traffic with a particular ether type above all other traffic This example will create a QoS policy that uses a classifier to prioritize GOOSE messages abov...

Page 297: ...TP match M1 ipv4 dst port services ssh set services qos classifier FROM1234 match M1 ipv4 src address address 1 2 3 4 32 set services qos policy Policy1 prioritization class HIGH priority 1 classifier...

Page 298: ...match M1 ipv4 protocol not assigned number tcp src address address 1 2 3 4 32 match M2 ipv4 protocol assigned number tcp src address address 1 2 3 4 32 dst port not services ssh This will make the cla...

Page 299: ...ifier VIDEO match M1 ipv4 dst port port range 8080 set services qos policy HTB shaping htb class GOOSE priority 0 committed rate 100 max rate 800 classifier GOOSE set services qos policy HTB shaping h...

Page 300: ...ps informs The agent supports v1 traps v2c v3 traps and informs Ability to configure a list of SNMP targets managers that shall receive traps and informs The unit sends SNMP traps informs to the confi...

Page 301: ...agent Configuration of the SNMP agent community List of communities notify List of notify names and tags system System group configuration target List of targets for notifications traps informs usm C...

Page 302: ...302 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F Figure 3 224 SNMP Main Page...

Page 303: ...o r current folder For example for ORBIT MCR product the 1 MIB package is named mcr mib X_Y_Z zip where X Y Z is the corresponding firmware version Use snmpwalk tool to do SNMP walk on the unit only s...

Page 304: ...s Port UDP protocol port to be used for communication Valid values 0 65535 Default 161 Max Message Size The privacy mode to use on this interface Debug Enabled The privacy mode to use on this interfac...

Page 305: ...nt version v1 set services snmp agent version v2c set services snmp agent engine id from mac Create SNMP community named public with security name public 1 On the Web UI click on the community panel u...

Page 306: ...commands set services snmp vacm view internet subtree 1 3 6 1 included VACM group A VACM group is used to organize a set of users in case of SNMP v3 or a set of community security names in case of SNM...

Page 307: ...n be accomplished via the CLI using the following commands set services snmp vacm group all rights member public sec model v1 v2c set services snmp vacm group all rights access any no auth no priv rea...

Page 308: ...gent version v1 delete services snmp agent version v2c set services snmp agent version v3 Create a local user named User1 with SHA1 authentication with password sha1Password and 2 AES encryption with...

Page 309: ...nfiguration Choices select from the pulldown Sha DEFAULT secure hash algorithm SHA 1 a cryptographic hash function producing a 160 bit 20 byte hash value Md5 message digest 5 cryptographic hash functi...

Page 310: ...ULT Used to create a localized key Key 20 byte Authentication key Filling in the User1 information values can be accomplished via the CLI using the following commands set services snmp usm local user...

Page 311: ...MDS Orbit MCR ECR Technical Manual 311 Click on Add and configure a name for the group In this example the group name will be 4 secure Once finished click the Add button which will present additional...

Page 312: ...l 7 Read View The name of the MIB view of the SNMP context authorizing read access Write View The name of the MIB view of the SNMP context authorizing write access Notify View The name of the MIB view...

Page 313: ...above specifies a SNMP notify name e g std_v1_trap the tag e g std_v1_trap and the type of notification trap or inform The notify and tag names are kept the same for ease of configuration of SNMP tar...

Page 314: ...alues can be accomplished via the CLI using the following commands set services snmp agent version v1 Configure SNMP manager as a target TARGET 1 v1 that listens on port 5000 has IP address 2 of 192 1...

Page 315: ...s set services snmp vacm group all rights access any no auth no priv notify view internet Click Save on the Web UI 4 Via the CLI using the following commands commit To test above configuration start a...

Page 316: ...GET 1 v2c port 5000 set services snmp target TARGET 1 v2c tag std_v2_trap set services snmp target TARGET 1 v2c v2c sec name public Give the VACM group named all rights as configured in previous examp...

Page 317: ...nd generate ssh_login event by logging into the Orbit via SSH NOTE When using SNMPv3 traps the Orbit is the authoritative engine since it is the one sending the trap Therefore the user created in snmp...

Page 318: ...on 4 commit To test above configuration start an SNMP trap receiver like snmptrapd with configuration file as shown below and generate ssh_login event by logging into the Orbit via SSH snmptrapd conf...

Page 319: ...roup secure as configured in example on SNMP v3 only 4 configuration with security model usm Also ensure VACM group secure has notify access to internet view under usm security model and auth priv sec...

Page 320: ...SM MIB usmStats usmStatsWrongDigests 0 SNMP USER BASED SM MIB usmStats usmStatsDecryptionErrors 0 show SNMP MPD MIB SNMP MPD MIB snmpMPDStats snmpUnknownSecurityModels 0 SNMP MPD MIB snmpMPDStats snmp...

Page 321: ...f 6 successive pings fail or succeed Enabled Whether or not to run this operation Type Type of monitor operation Icmp Echo Monitor Dst Host Destination IP address or DNS name to send icmp echo to Src...

Page 322: ...Failback 3 8 20 Understanding The unit incorporates integrated bridging and routing functionality with multiple wired and wireless interfaces The reliability of network links can be enhanced using ne...

Page 323: ...ected to remote MCR called REMOTE hereafter that has both 900 MHz radio NX and Cellular radio options The IP packets sent by back office application to the remote asset are normally routed by the back...

Page 324: ...ork 2 A network link monitoring operation that checks connectivity to each remote over the primary 3 interface and that enables primary route to be used when connectivity is up and secondary route to...

Page 325: ...325 Configure Network Monitor Operation Configure a NETMON service icmp echo monitor operation named NX LINK CHECK that does a 3 periodic link check by pinging R1 over NX interface Please refer to NET...

Page 326: ...ck office network 10 10 1 0 24 with NX as the outgoing interface and with address of R1 s interface on NX backhaul as the next hop Also configure this route with verify reachability using NX LINK CHEC...

Page 327: ...echnical Manual 327 6 Configure secondary route towards SCADA back office network 10 10 1 0 24 with GRE1 as the outgoing interface and preference value of 20 From the same page click Add to add the se...

Page 328: ...ec connection R1 filter input IN_TRUSTED set services vpn ipsec connection R1 filter output OUT_TRUSTED Configure GRE tunnel interface with mode ip over gre src address Local cell address and dst addr...

Page 329: ...configured for REMOTE 2 10 10 7 0 24 NX primary 10 10 7 0 24 GRE TUN backup Failover to Cell enabled by checking primary route s reachability by pinging remote s NX interface CELL NX ETH GRE TUN ROUT...

Page 330: ...ed on Bridge Optional IPsec configured over Cell to provide security The failover happens at the remote CELL NX ETH GRE TUN BRIDGING FUNCTION RTU AP 192 168 1 0 24 MCR to MCR NX CELL redundant network...

Page 331: ...r time for traffic from AP towards the failed over REMOTE Using the Web UI AP Configuration Following features need to be configured on the AP IPsec transport mode connection To secure GRE traffic to...

Page 332: ...AN address as configured in IPsec VPN towards REMOTE 2 Add GRE tunnels to the Bridge interface Add the GRE REMOTE 1 tunnel interface to the bridge that has NX interface and disable STP on 1 the bridge...

Page 333: ...nt and AP s LAN segments Network Monitor Operation To send a periodic traffic to enable failover at the AP as described in 5 the NOTE earlier in this section Configure IPsec Transport Mode Connection...

Page 334: ...2A01 Rev F Configure BOND interface Configure BOND interface in active backup mode with NxRadio and GRE AP as members and 1 NxRadio as the primary member Navigate to Interfaces Add Delete Interfaces a...

Page 335: ...figure NETMON operation Configure a NETMON service icmp echo monitor operation named NX LINK CHECK that does 1 a periodic link check by pinging AP This is needed to generate a periodic traffic towards...

Page 336: ...t and AP s LAN segments Network Monitor Operation To send a periodic traffic to enable failover at the AP as described in 5 the NOTE earlier in this section Configure IPsec transport mode connection C...

Page 337: ...Manual 337 Configure BOND interface Configure BOND interface in active backup mode with NxRadio and GRE AP as members and 1 NxRadio as the primary member Navigate to Interfaces Add Delete Interfaces a...

Page 338: ...figure NETMON operation Configure a NETMON service icmp echo monitor operation named NX LINK CHECK that does 1 a periodic link check by pinging AP This is needed to generate a periodic traffic towards...

Page 339: ...al identity default set services vpn ike peer REMOTE 1_ike_peer peer endpoint address 10 150 1 10 set services vpn ike peer REMOTE 1_ike_peer peer identity default set services vpn ike peer REMOTE 2_i...

Page 340: ...gs members port GRE REMOTE 1 set interfaces interface Bridge bridge settings members port GRE REMOTE 2 set interfaces interface Bridge bridge settings stp mode disabled REMOTE 1 Configuration Configur...

Page 341: ...NxRadio Add BOND1 interface to Bridge disable STP on the bridge set interfaces interface Bridge bridge settings members port Bond1 set interfaces interface Bridge bridge settings stp mode disabled Con...

Page 342: ...onfigured default action is ACCEPT The export route filter controls the routes that are exported into the routing protocol from the routing table By default the routing protocol prevents export of any...

Page 343: ...llular Network RTU R1 Backoffice Router 10 10 40 1 0 24 10 10 6 0 24 REMOTE 1 GRE configured as routed interface over Cell Optional IPsec transport mode configured over Cell to secure GRE traffic RIP...

Page 344: ...05 6632A01 Rev F Select the newly created LOCAL_LAN route filter and click Add to add a rule with ID 1 to this filter Select outgoing interface Bridge and Action accept Click Finish on the panels to c...

Page 345: ...specific routing protocols RIP The basic RIP configuration consists of enabling the protocol and adding interfaces on which it should operate and configuring an export filter In addition MD5 authentic...

Page 346: ...The user can check the routing table in the General panel to ensure a dynamic route for the back office has been received from the back office router The RIP panel displays the state of RIP routing p...

Page 347: ...state rip statistics import withdraws rejected 0 routing state rip statistics import withdraws ignored 0 routing state rip statistics import withdraws accepted 0 routing state rip statistics export up...

Page 348: ...Manual MDS 05 6632A01 Rev F Under Area click Add to add area 0 0 0 0 backbone Under Interface click Add to add GRE interface to area 0 0 0 0 To apply configuration click Save Using CLI In configuratio...

Page 349: ...ea 0 0 0 0 interface GRE commit Monitoring Navigate to Routing Status The user can check the routing table in the General panel to ensure a dynamic route for the back office has been received from the...

Page 350: ...able displays all link state advertisements LSAs received by this router Using CLI In operational mode enter following commands show routing state routes OUTGOING DEST PREFIX NEXT HOP INTERFACE SOURCE...

Page 351: ...bors 1 num adjacent neighbors 1 area networks routing state ospf interface GRE routing state ospf routing instance MAIN_OSPF routing state ospf state up routing state ospf preference 150 routing state...

Page 352: ...966 80000002 049b Area 0 0 0 0 0001 2 2 2 2 2 2 2 2 966 80000004 8785 Area 0 0 0 0 0001 10 10 6 1 10 10 6 1 967 80000002 d25b BGP The basic BGP configuration consists of adding a neighbor entry for ea...

Page 353: ...n click Save NOTE Please see section 12 2 2 1 for an example on use of BGP to exchange routes over DMVPN network Using CLI In configuration mode enter following commands set routing bgp neighbor PRIMA...

Page 354: ...PRIMARY HUB peer as 65500 set routing bgp neighbor PRIMARY HUB hold time 30 set routing bgp neighbor PRIMARY HUB keepalive time 10 Monitoring Navigate to Routing Status The user can check the routing...

Page 355: ...port updates filtered 6 statistics export updates accepted 1 statistics export withdraws received 0 statistics export withdraws accepted 0 local state established peer address 172 16 0 1 peer as 65500...

Page 356: ...antennas Configuring Navigate to Services GPS Service Basic Config The GPS service has very minimal configuration The user simply has to enable the GPS service for it to start collecting data from the...

Page 357: ...es gps status speed 0 000000000000000e 0 services gps status heading 0 000000000000000e 0 NAME DEVICE SLOT1 CELL GPS dev ttyUSB1 Dynamic DNS 3 8 23 Understanding The unit supports Dynamic DNS DDNS ser...

Page 358: ...service provider Update Interval The interval in minutes at which periodic update interval will occur Failure Retry Interval The interval in seconds at which retries will occur if connection cannot b...

Page 359: ...m update hostname pump1 xyz com myip 1 1 1 1 Then user should enter following in the URL field http USERNAME PASSWORD xyz com update hostname HOSTNAME myip IP The username password hostname fields wil...

Page 360: ...efined in the IETF RFC5798 In VRRP a group of physical routers are configured similarly with VRRP settings and together they act as one virtual router on the network Only one physical router is negoti...

Page 361: ...cal router in a group gets its own priority The higher the number the higher the priority that the physical router will be become the Master during negotiation advertisement interval The Master router...

Page 362: ...is typically used for Orbit devices with cellular interfaces where the Orbit is connected to the end device via LAN and the IP address received from the cellular network needs to be passed to the end...

Page 363: ...lowing commands set services ip passthrough enabled true set services ip passthrough local service SSH protocol tcp port 22 set services ip passthrough local service HTTP protocol tcp port 80 set serv...

Page 364: ...can only be imported using the manual method The device can import certificates that are in DER PEM or encrypted PEM format The device can import private keys that are in DER PEM or encrypted PEM Priv...

Page 365: ...Size The number of bits in the key Allowed sizes include 1024 1536 2048 3072 and 4096 The following example shows how to have the device generate a private key of length 2048 bits with the identity ge...

Page 366: ...cess in the CLI ensure the CLI is in operational mode and then follow the example below show pki private keys generate status pki private keys generate status state complete pki private keys generate...

Page 367: ...FTP and SFTP the password on the remote server Control Port For FTP the TCP control port advanced setting use default Data Port For FTP the TCP data port advanced setting use default Block Size For T...

Page 368: ...the CLI ensure the CLI is in operational mode and then follow the example below show pki private keys import status pki private keys import status state complete pki private keys import status detail...

Page 369: ...st pki ca certs delete cert identity imported_ca_cert_2048 Configuring The following example shows how to have the device import a CA certificate by uploading a local file through the web browser Navi...

Page 370: ...e file named ca_cert_2048 pem from a TFTP server running on a host address 192 168 1 10 that is accessible from the MCR e g a locally connected host or remote host accessible via cellular interface To...

Page 371: ...follow the example below show pki ca certs import status pki ca certs import status state complete pki ca certs import status detailed message Successfully imported CA certificate pki ca certs import...

Page 372: ...button once the certificate identity and the file source are configured Figure 3 238 Import Client Certificate The MCR supports file uploads through a web browser from a local file on the user s PC Th...

Page 373: ...cessible via cellular interface To start the client certificate import from the CLI enter the following command to download the client certificate from the TFTP server request pki client certs import...

Page 374: ...al number of bytes in the file not displayed on the web UI Bytes Transferred The number of bytes already transferred or processed not displayed on the web UI Percent Complete The percentage complete f...

Page 375: ...t certs import scep status pki client certs import scep status last status 0 pki client certs import scep status poll count 2 pki client certs import scep status state Success pki client certs import...

Page 376: ...e device may delete a firmware certificate by clicking the Delete button on the web user interface or using the CLI in operational mode See the following example for deleting CA certificates via the C...

Page 377: ...se default Data Port For FTP the TCP data port advanced setting use default Block Size For TFTP the block size as defined in RFP 2348 advanced setting use default Timeout For FTP TFTP and SFTP the tim...

Page 378: ...identified and the certificate information must be defined Configuring The certificate server is defined under certificate server In the operation shown below we define the SCEP server set pki certifi...

Page 379: ..._ca_cert scep ca issuer identity predefined_ca_server cert server identity predefined_cert_server The next step is to request the new client certificate from the SCEP server request pki client certs i...

Page 380: ...380 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F...

Page 381: ...ubleshooting Refer toTable 4 3 Table 4 4 Table 4 5 and Table 4 6 Depending on the interfaces ordered the NIC1 and NIC2 slot can be populated with a Cellular modem a WiFi interface an LnRadio interface...

Page 382: ...n No cellular connection Cell connection Table 4 4 WiFi Interface LED Descriptions LED NIC1 LED State Description WiFi Interface Off Interface disabled Access Point Mode Solid Green Solid Red Operatin...

Page 383: ...llow indicates a link at 100 Mbps operation A flashing green indicates Ethernet data traffic 4 2 Technical Specifications GENERAL Input Power 11 to 55 VDC NOMINAL 10 to 60 VDC 15 Watts maximum dependi...

Page 384: ...Remote Associated Idle 4 8W 350mA Remote Associated 50 Duty 10 8W 780mA Ethernet Port s RJ 45 10 100 Mbps Auto MDIX Serial Port s RJ 45 supporting RS 232 RS 485 LAN Protocols 802 3 Ethernet 802 1D Spa...

Page 385: ...4G cell 4G1 4G5 N7NMC7355 4G cell 4GP N7NMC7354B NX915 E5MDS NX915 LN400 E5MDS LN400 LN900 E5MDS LN900 IC Industry WiFi 3195A ZCN722MV1 4G cell E4V 3229B E362 3G Cell 5131A HE910 NX915 101D NX915 LN4...

Page 386: ...ge 902 to 928 MHz Power Output 20 dBm to 30 dBm in 1 0 dBm steps DEFAULT 30 dBm Output Impedance 50 Ohms Permissible Antennas GE MDS 93 97 3194A14 10dBd 12 15dBi YAGI Antenna GE MDS 93 97 3194A23 7dBd...

Page 387: ...Jumper N F Conn Mnt GE MDS 93 97 3194A19 430 450MHz 7dBi OMNI w 16 Jumper N F Conn Mnt GE MDS 93 97 3194A26 450 470MHz 11 dBi OMNI w N F Conn Mnt GE MDS 93 97 3194A02 406 430MHz 12 dBi YAGI w N F Conn...

Page 388: ...se including GE MDS 93 97 3194A17 902 928MHz 9dBi OMNI w 16 Jumper N F Conn GE MDS 93 97 3194A14 902 960MHz 12 dBi YAGI 6 Elementw N F Conn GE MDS 93 97 3194A13 902 960MHz 8 5 dBi YAGI 3 Elementw N F...

Page 389: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 389...

Page 390: ...s CTS Clear to Send Decibel dB A measure computed from the ratio between two signal levels Frequently used to express the gain or loss of a system Data Circuit terminating Equipment See DCE Data Commu...

Page 391: ...MHz Poll A request for data issued from the host computer or master PLC to a Remote unit PLC Programmable Logic Controller A dedicated microprocessor configured for a specific application with discre...

Page 392: ...ies a particular 802 11wireless LAN Supervisory Control And Data Acquisition See SCADA Telnet A terminal emulation protocol that enables an Internet user to communicate with a Remote device for manage...

Page 393: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 393...

Page 394: ...e CLI will provide feedback regarding the error The changes that were pending will still be pending at that point This gives the user the opportunity to discard the changes or to modify them and then...

Page 395: ...tate Add a comment to a statement commit Commit current set of changes compare Show configuration differences copy Copy a dynamic element delete Delete a data element edit Edit a sub element exit Exit...

Page 396: ...letions IP address string min 1 chars max 253 chars set system dns search mds 6 7 CLI Environment There are a number of session variables in the CLI They are only used during the session and are not p...

Page 397: ...enabled It is enabled by default screen width integer Current width of terminal This is used when paginating output to get proper line count screen length integer Current length of terminal This is us...

Page 398: ...include lines matching a regular expression For example show configuration logging match date event rules date_time_from_ntp event rules date_time_from_user event rules date_time_not_set In the examp...

Page 399: ...a string Matches the end of a string abc Character class which matches any of the characters abc Character ranges are specified by a pair of characters separated by a abc negated character class whic...

Page 400: ...ete the word before the cursor Ctrl w Esc Backspace or Alt Backspace Delete the word after the cursor Esc d or Alt d Insert the most recently deleted text at the cursor Ctrl y Scroll backward through...

Page 401: ...if the CLI session is terminated without doing commit confirm default is confirm If the confirming commit was initiated with a persist argument then the same token needs to be supplied using the persi...

Page 402: ...n the CLI is in operational mode Note that the following are examples and will vary from one system to the next show configuration system contact Mark name Orbit1 location Tank1 clock timezone locatio...

Page 403: ...configuration interfaces interface ETH1 details type ethernetCsmacd enabled true ipv4 enabled true ip forwarding false address 192 168 1 10 prefix length 24 ipv6 enabled true ip forwarding false dup a...

Page 404: ...ession will be terminated after this command since no further editing is possible Only available in configure exclusive and configure shared mode The confirming commit will be rolled back if the CLI s...

Page 405: ...e insert path first last beforekey afterkey Insert a new element into an ordered list The element can be added first last default before or after another element move path first last beforekey afterke...

Page 406: ...rational mode command set Set a parameter show Show a parameter status Display users currently editing the configuration tag add clear del tag add statement tag Add a tag to a configuration statement...

Page 407: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 407...

Page 408: ...ithin it as instructed by the VPN gateway However MCR also supports an out of band IMA connection where the unit connects to a separate IMA server not to pass data but just to perform integrity measur...

Page 409: ...so on Obtaining Configuration File Hash 7 2 1 The following example shows the use of a request to get the system configuration hash admin none 22 09 59 request services vpn ipsec get config hash hash...

Page 410: ...tus can then be checked again periodically for new attestation result show services vpn services vpn ipsec ipsec status connections connection IMA state disconnected failure reason none last timestamp...

Page 411: ...EE Core Profile is that it can be extended by an organization so that they can add additional taxonomy categories and fields that describe vendor specific events 8 1 Event Taxonomy The CEE Core Profil...

Page 412: ...e beginning of the encoded CEE Event MUST be identified by the CEE Event Flag Within Syslog the CEE Event Flag is cee Character Encoding If the syslog implementation is only 7 bit all characters not i...

Page 413: ...riginated the event to the application who should receive the event syslog MSG 8 3 4 For events of type audit the msg is vendor specific whereas events of type alert must be in a specified format whic...

Page 414: ...Ensure the CLI is in operational mode Follow the example below to view the state and statistics show logging event rules cell_connected description cell connection established local true priority noti...

Page 415: ...the certificate information to aide lookup of the appropriate public key during signature verification infile The filepath for package file input outfile The filepath for signed package file output T...

Page 416: ...ites ge_pubcert pem is the public certificate provided by GE MDS that is used to verify that the signed packaged is authentic The GE MDS public certificate will typically be downloaded by users from t...

Page 417: ...ent Identity of the equipment in which the SIM card will be used The IMEI can be found by logging into the device and entering the following command show interfaces state interface Cell cell status im...

Page 418: ...t can be user configured that defines a specific collection of radio operation The following table show the number of discrete frequencies or channels available for each modem type based on the select...

Page 419: ...000 A A A C C A 43 915 922500 A A B D D B 44 916 230000 A A C A E C 45 916 537500 A A A B A D 46 916 845000 A A B C B E 47 917 152500 A A C D C F 48 917 460000 A A A A D A 49 917 767500 A A B B E B 50...

Page 420: ...B F 72 924 840000 A A A A C A 73 925 147500 A A B B D B 74 925 455000 A A C C E C 75 925 762500 A A A D A D 76 926 070000 A A B A B E 77 926 377500 A A C B C F 78 926 685000 A A A C D A 79 926 992500...

Page 421: ...SRX Local LAN 192 168 1 0 24 Remote LAN 192 168 2 0 24 Customer Network Internet Cellular network IPsec Tunnel carrying traffic between local and remote LANs The WAN IP address of SRX240 is 172 18 175...

Page 422: ...ha256 hmac set services vpn ipsec policy SRX240 IPSEC POLICY ciphersuite CS1 dh group dh14 set services vpn ipsec connection SRX240 ike peer SRX240 IKE PEER set services vpn ipsec connection SRX240 ip...

Page 423: ...ddress set services firewall filter OUT_UNTRUSTED rule 1 match src address address set CELL IP set services firewall filter OUT_UNTRUSTED rule 1 match src address add interface address true set servic...

Page 424: ...rity ike proposal IKE PROP PSK encryption algorithm aes 128 cbc set security ike policy IKE POLICY PSK proposals IKE PROP PSK set security ike policy IKE POLICY PSK pre shared key ascii text test123 s...

Page 425: ...plication any set security policies from zone TRUST to zone UNTRUST policy ORBIT138 NET 1 SA then permit tunnel ipsec vpn ORBIT138 set security policies from zone UNTRUST to zone TRUST policy ORBIT138...

Page 426: ...ow we disable default route over Cell and instead setup BGP dynamic routing that advertises the local LAN network to the IOS router and received default route over the GRE tunnel form IOS router Orbit...

Page 427: ...erated as ID1 set services vpn ike policy DMVPN CERT pki key id ID1 Root CA certificayte is installed as CA1 set services vpn ike policy DMVPN CERT pki ca cert id CA1 Sub CA certificates are installed...

Page 428: ...terface GRE1 map HUB nbma address 172 18 175 45 set services nhrp interface GRE1 map HUB register true set services nhrp interface GRE1 map HUB cisco true set services nhrp interface GRE1 authenticati...

Page 429: ...ion accept set services firewall filter IN_UNTRUSTED rule 11 match protocol esp set services firewall filter IN_UNTRUSTED rule 11 actions set services firewall filter IN_UNTRUSTED rule 11 actions acti...

Page 430: ..._HMAC_SHA1 MODP_1536 established time 574 rekey time 9200 reauth time 2075232 services vpn ipsec security associations security association 4 name DMVPN state INSTALLED mode TRANSPORT udp encap false...

Page 431: ...PRIMARY HUB routing instance inet main state up preference 100 import filter ACCEPT export filter LOCAL LAN statistics import updates received 1 statistics import updates rejected 0 statistics import...

Page 432: ...thernet0 0 Ensure that the MTU configured matches the cell interface MTU default 1428 mtu 1428 ip address 172 18 175 45 255 255 255 0 duplex auto speed auto Certificate configuration crypto pki trustp...

Page 433: ...rypto ikev2 policy DMVPN_IKEV2_POLICY match fvrf any proposal DMVPN_IKEV2_PROPOSAL crypto ikev2 profile DMVPN_IKEV2_PROFILE match certificate ORBIT_CERT_MAP identity local dn authentication remote rsa...

Page 434: ...iguration router bgp 65500 bgp router id 172 16 0 1 bgp log neighbor changes bgp listen range 172 16 0 0 24 peer group DMVPN SPOKE neighbor DMVPN SPOKE peer group neighbor DMVPN SPOKE remote as 65550...

Page 435: ...sed 0 pkts decompress failed 0 send errors 0 recv errors 0 local crypto endpt 172 18 175 45 remote crypto endpt 172 18 175 138 path mtu 1500 ip mtu 1500 ip mtu idb none current outbound spi 0xCF3F2463...

Page 436: ...d State UpDn Tm Attrb 1 172 18 175 138 172 16 0 3 UP 16 55 28 D Routing status The highlighted route is the LAN network route received from Orbit via BGP DMVPN HUB show ip route Codes L local C connec...

Page 437: ...he Juniper JUNOS based devices do not support IPsec transport mode for data traffic Therefore to protect GRE traffic one needs to setup IPsec tunnel instead of IPsec transport mode connection This lea...

Page 438: ...s vpn ike policy SRX240 IKE POLICY auth method pre shared key set services vpn ike policy SRX240 IKE POLICY pre shared key test123 set services vpn ike policy SRX240 IKE POLICY ciphersuite CS1 encrypt...

Page 439: ...irewall filter IN_TRUSTED rule 10 match protocol all set services firewall filter IN_TRUSTED rule 10 actions set services firewall filter IN_TRUSTED rule 10 actions action accept set services firewall...

Page 440: ...set services firewall filter OUT_UNTRUSTED rule 2 match protocol all set services firewall filter OUT_UNTRUSTED rule 2 actions set services firewall filter OUT_UNTRUSTED rule 2 actions action drop 12...

Page 441: ...hat configured on Cell interface on Orbit default 1428 set interfaces ge 0 0 0 unit 0 family inet mtu 1428 set interfaces ge 0 0 0 unit 0 family inet address 172 18 175 40 26 Local LAN 1 interface set...

Page 442: ...set security ipsec policy IPSEC POLICY perfect forward secrecy keys group14 set security ipsec policy IPSEC POLICY proposals IPSEC PROP Common Policies set security policies from zone TRUST to zone T...

Page 443: ...ecurity ipsec vpn ORBIT135 ike gateway ORBIT135 set security ipsec vpn ORBIT135 ike ipsec policy IPSEC POLICY IPsec policies set security policies from zone TRUST to zone VPN ORBIT135 policy ORBIT135...

Page 444: ...curity associations Total active tunnels 1 ID Algorithm SPI Life sec kb Mon vsys Port Gateway 131073 ESP aes 128 sha256 5e4fca36 3403 unlim root 500 172 18 175 135 131073 ESP aes 128 sha256 cb6ed905 3...

Page 445: ...n 0 192 168 3 1 32 Local 0 1w5d 20 14 32 Local via vlan 0 192 168 4 0 24 Direct 0 1w5d 18 34 56 via vlan 1 192 168 4 1 32 Local 0 1w5d 20 14 32 Local via vlan 1 192 168 1 0 24 Static 5 1w5d 18 35 02 v...

Page 446: ...le to communicate with the RADIUS authentication server through a non authenticating Ethernet port or other backhaul network interface like the cellular modem Freeradius authentication server Wireless...

Page 447: ...ates users and network clients The following shows only a snippet of the configuration but has the most important sections listed etc freeradius users Username password example joe Cleartext Password...

Page 448: ...to be started before configuring authentication on a wired network interface When using EAP the Orbit ETH port security mode must also be set to EAP The Orbit is agnostic to the specific EAP method c...

Page 449: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 449...

Page 450: ...2 5 Following shows EAP TLS mode on Windows with certificates A certificate must be issued for the Windows peer The client certificate and the issuing certificate can be imported using the certmgr msc...

Page 451: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 451...

Page 452: ...452 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F...

Page 453: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 453...

Page 454: ...ents the following notification on Windows Clicking the notification presents the certificate selection box where the imported certificate can be chosen Running Wireshark in administrator mode on the...

Page 455: ...of configuring PEAP mode on Kubuntu Linux Unlike Windows there is no need to start a service on this distribution Also this is no certificate import utility the certificates can reside anywhere on the...

Page 456: ...thentication dot1x default group radius aaa authorization network default group radius aaa authorization network mylist none aaa session id common switch 1 provision ws c2960s 24ts l dot1x system auth...

Page 457: ...te under Orbit MCR Software Firmware Downloads Support Items and download license declaration n_n_n txt Upon request in accordance with certain software license terms GE will make available a copy of...

Page 458: ...by the country for the Orbit MCR Operation of the unit must be in full compliance with all country and regional requirements Table 15 1 Country Specific Installation Data Country Applicable Symbol s...

Page 459: ...MDS 05 6632A01 Rev F MDS Orbit MCR ECR Technical Manual 459 NOTES...

Page 460: ...460 MDS Orbit MCR ECR Technical Manual MDS 05 6632A01 Rev F...

Page 461: ......

Page 462: ...and on any correspondence relating to the repair No equipment will be accepted for repair without an authorization number Return authorization numbers are issued online at www gedigitalenergy com Com...

Page 463: ...GE MDS LLC Rochester NY 14620 Telephone 1 585 242 9600 FAX 1 585 242 9620 www gemds com 175 Science Parkway...

Reviews:

No comments