manualshive.com logo in svg

Siemens RUGGEDCOM ROX II, User Manual

Introducing the Siemens RUGGEDCOM ROX II, a robust and reliable networking solution designed for extreme environments. Enhance your understanding of its advanced features and functionalities with our comprehensive User Manual. Download the user manual for free from manualshive.com and explore the full potential of this exceptional product.

Share
Download
background image

RUGGEDCOM ROX II

CLI User Guide

Chapter 6

Security

Managing Firewalls

183

no

 admin known-hosts server-identification 

name

Where 

name

 is the unique name of the server.

3. Type 

commit

 and press 

Enter

 to save the changes, or type 

revert

 and press 

Enter

 to abort.

Section 6.9

Managing Firewalls

Firewalls are software systems designed to prevent unauthorized access to or from private networks. Firewalls are

most often used to prevent unauthorized Internet users from accessing private networks (Intranets) connected to

the Internet.
When the RUGGEDCOM ROX II firewall is enabled, the router serves as a gateway machine through which all

messages entering or leaving the Intranet pass. The router examines each message and blocks those that do not

meet the specified security criteria. The router also acts as a proxy, preventing direct communication between

computers on the Internet and Intranet. Proxy servers can filter the kinds of communication that are allowed

between two computers and perform address translation.

NOTE

In general, the RUGGEDCOM ROX II firewall implementation will maintain established connections.

This applies when adding, deleting, or changing rules, and also when adding, deleting, or changing

policies. When applying new, or modified, rules or policies, previous traffic seen by the router might

still be considered as having valid connections by the connection tracking table. For instance:
a. A rule for the TCP and UDP protocols is applied.
b. The router sees both TCP and UDP traffic that qualifies for NAT.
c. The rule is then modified to allow only UDP.
d. The router will still see TCP packets (i.e. retransmission packets).
If required, reboot the router to flush all existing connection streams.

RUGGEDCOM ROX II employs a stateful firewall system known as netfilter, a subsystem of the Linux kernel that

provides the ability to examine IP packets on a per-session basis.
For more information about firewalls, refer to 

Section 6.9.1, “Firewall Concepts”

.

CONTENTS

Section 6.9.1, “Firewall Concepts”

Section 6.9.2, “Viewing a List of Firewalls”

Section 6.9.3, “Adding a Firewall”

Section 6.9.4, “Deleting a Firewall”

Section 6.9.5, “Working with Multiple Firewall Configurations”

Section 6.9.6, “Configuring the Firewall for a VPN”

Section 6.9.7, “Configuring the Firewall for a VPN in a DMZ”

Section 6.9.8, “Configuring Netfilter”

Section 6.9.9, “Managing Zones”

Section 6.9.10, “Managing Interfaces”

Summary of Contents for RUGGEDCOM ROX II

Page 1: ...1 Using RUGGEDCOM ROX II 2 Getting Started 3 Device Management 4 System Administration 5 Security 6 IP Address Assignment 7 Layer 2 8 Layer 3 9 Serial Server 10 Wireless 11 Tunneling and VPNs 12 Unicast and Multicast Routing 13 Network Redundancy 14 Network Discovery and Management 15 Continued on next page ...

Page 2: ...RUGGEDCOM ROX II CLI User Guide ii ...

Page 3: ...RUGGEDCOM ROX II v2 12 CLI User Guide For RX5000 MX5000 MX5000RE 07 2018 RC1402 EN 02 Continued Traffic Control and Classification 16 Time Services 17 Applications 18 Troubleshooting 19 ...

Page 4: ...RUGGEDCOM ROX II CLI User Guide iv ...

Page 5: ...mens Canada Ltd Linux is the registered trademark of Linus Torvalds in the United States and other countries The registered trademark Linux is used pursuant to a sublicense from LMI the exclusive licensee of Linus Torvalds owner of the mark on a world wide basis Other designations in this manual might be trademarks whose use by third parties for their own purposes would infringe the rights of the ...

Page 6: ... Agreement for the applicable warranty terms and conditions if any For warranty details visit https www siemens com ruggedcom or contact a Siemens customer service representative Contacting Siemens Address Siemens Canada Ltd Industry Sector 300 Applewood Crescent Concord Ontario Canada L4K 5C7 Telephone Toll free 1 888 264 0006 Tel 1 905 856 5288 Fax 1 905 856 1995 E mail ruggedcom info i ia sieme...

Page 7: ...User Permissions 10 1 6 Removable Memory 13 1 7 Logged Events 14 1 7 1 Structure of a Syslog Event 14 1 7 2 Syslog Event Types 15 1 7 3 Logged Security Events 15 Chapter 2 Using RUGGEDCOM ROX II 19 2 1 Default User Names and Passwords 19 2 2 Logging In 19 2 3 Logging Out 20 2 4 Using Network Utilities 20 2 4 1 Pinging an IPv4 Address or Host 21 2 4 2 Pinging an IPv6 Address or Host 21 2 4 3 Pingin...

Page 8: ...ds 34 2 5 10 2 File Commands 35 2 5 10 3 Interface and Services Commands 39 2 5 10 4 Administration Commands 39 2 5 10 5 Configuration Mode General Commands 41 2 6 Configuring the CLI Interface 44 2 7 Accessing Different Modes 45 2 7 1 Accessing BIST Mode 45 2 7 2 Accessing Service Mode 47 2 7 3 Accessing Maintenance Mode 49 Chapter 3 Getting Started 51 3 1 Connecting to RUGGEDCOM ROX II 51 3 1 1 ...

Page 9: ... Enabling Disabling Secure Remote Syslog 71 4 10 3 2 Viewing a List of Permitted Peers 72 4 10 3 3 Adding a Permitted Peer 72 4 10 3 4 Deleting a Permitted Peer 72 4 10 3 5 Configuring a Source IP Address for Remote Syslog Messages 73 4 10 4 Managing Diagnostic Logs 73 4 10 4 1 Enabling Disabling the Developer s Log 74 4 10 4 2 Enabling Disabling the SNMP Log 74 4 10 4 3 Enabling Disabling the NET...

Page 10: ...g the Status of the Firmware Integrity Check 90 4 14 Managing the Fan Controller 91 4 14 1 Viewing the Fan Controller Status 91 4 14 2 Configuring the Activation Temperature 92 4 15 Managing Fixed Modules 92 4 15 1 Viewing a List of Fixed Module Configurations 92 4 15 2 Adding a Fixed Module Configuration 93 4 15 3 Deleting a Fixed Module Configuration 93 4 16 Managing Line Modules 94 4 16 1 Remov...

Page 11: ...5 8 Managing Users 111 5 8 1 Viewing a List of Users 112 5 8 2 Adding a User 112 5 8 3 Deleting a User 113 5 8 4 Monitoring Users 113 5 8 4 1 Kicking Users from the Network 113 5 8 4 2 Sending Messages to Users 114 5 9 Managing Passwords and Passphrases 114 5 9 1 Configuring Password Passphrase Complexity Rules 115 5 9 2 Setting a User Password Passphrase 116 5 9 3 Setting the Boot Password Passph...

Page 12: ...7 3 1 Configuring RADIUS Authentication for LOGIN Services 139 6 7 3 2 Configuring RADIUS Authentication for PPP Services 140 6 7 3 3 Configuring RADIUS Authentication for Switched Ethernet Ports 141 6 7 4 Configuring TACACS Authentication 141 6 8 Managing Certificates and Keys 143 6 8 1 Viewing the Local Host SSH RSA Public Key 143 6 8 2 Managing the Trusted Certificate Store 144 6 8 2 1 Configur...

Page 13: ... 183 6 9 1 Firewall Concepts 184 6 9 1 1 Stateless vs Stateful Firewalls 184 6 9 1 2 Linux netfilter 184 6 9 1 3 Network Address Translation 185 6 9 1 4 Port Forwarding 185 6 9 1 5 Protecting Against a SYN Flood Attack 186 6 9 1 6 Protecting Against IP Spoofing 186 6 9 2 Viewing a List of Firewalls 186 6 9 3 Adding a Firewall 187 6 9 4 Deleting a Firewall 188 6 9 5 Working with Multiple Firewall C...

Page 14: ...gs 203 6 9 14 2 Adding Masquerade or SNAT Settings 204 6 9 14 3 Deleting a Masquerade or SNAT Setting 205 6 9 15 Managing Rules 205 6 9 15 1 Viewing a List of Rules 205 6 9 15 2 Adding a Rule 206 6 9 15 3 Configuring the Source Zone 207 6 9 15 4 Configuring the Destination Zone 208 6 9 15 5 Deleting a Rule 208 6 9 16 Validating a Firewall Configuration 208 6 9 17 Enabling Disabling a Firewall 209 ...

Page 15: ...rd DHCP Client Configuration Options IPv4 227 7 3 5 2 Configuring Standard DHCP Client Configuration Options IPv6 228 7 3 5 3 Viewing a List of Custom DHCP Client Configuration Options 229 7 3 5 4 Adding a Custom DHCP Client Configuration Option 230 7 3 5 5 Deleting a Custom DHCP Client Configuration Option 230 7 3 6 Managing DHCP Listen Interfaces 231 7 3 6 1 Viewing a List of DHCP Listen Interfa...

Page 16: ...ing IP Ranges IPv6 251 7 3 14 1 Viewing a List of IP Ranges IPv6 252 7 3 14 2 Adding an IP Range IPv6 252 7 3 14 3 Deleting an IP Range IPv6 253 7 3 15 Managing IPv6 Prefixes 253 7 3 15 1 Viewing a List of IPv6 Prefixes 253 7 3 15 2 Adding an IPv6 Prefix 254 7 3 15 3 Deleting an IPv6 Prefix 254 7 3 16 Managing Temporary Subnets 255 7 3 16 1 Viewing a List of Temporary Subnets 255 7 3 16 2 Adding a...

Page 17: ...1 8 Testing Switched Ethernet Port Cables 277 8 1 8 1 Running a Cable Diagnostic Test 278 8 1 8 2 Viewing Cable Diagnostic Statistics 278 8 1 8 3 Clearing Cable Diagnostic Statistics 279 8 2 Managing Ethernet Trunk Interfaces 280 8 2 1 Viewing a List of Ethernet Trunk Interfaces 280 8 2 2 Adding an Ethernet Trunk Interface 281 8 2 3 Deleting an Ethernet Trunk Interface 283 8 2 4 Managing Ethernet ...

Page 18: ...6 Viewing a Summary of Multicast Groups 300 8 4 7 Viewing a List of IP Multicast Groups 301 8 5 Managing VLANs 301 8 5 1 VLAN Concepts 302 8 5 1 1 Tagged vs Untagged Frames 302 8 5 1 2 Native VLAN 303 8 5 1 3 Edge and Trunk Port Types 303 8 5 1 4 Ingress Filtering 303 8 5 1 5 Forbidden Ports List 304 8 5 1 6 VLAN Aware Mode of Operation 304 8 5 1 7 GARP VLAN Registration Protocol GVRP 304 8 5 1 8 ...

Page 19: ... Static ARP Table Entry 320 9 3 3 Deleting a Static ARP Table Entry 321 9 4 Viewing a Static and Dynamic ARP Table Summary 321 9 5 Viewing Routing Rules 322 9 6 Flushing Dynamic Hardware Routing Rules 324 Chapter 10 Serial Server 325 10 1 Managing Serial Ports 325 10 1 1 Viewing Serial Port Statistics 326 10 1 2 Viewing Transport Connection Statistics 327 10 1 3 Viewing DNP Device Table Statistics...

Page 20: ...Configured as a Source and Sink for Multicast Streams 345 10 5 Managing Remote Hosts 347 10 5 1 Viewing a List of Remote Hosts 347 10 5 2 Adding a Remote Host 348 10 5 3 Deleting a Remote Host 349 10 6 Managing Local Hosts 349 10 6 1 Viewing a List of Local Hosts 349 10 6 2 Adding a Local Host 350 10 6 3 Deleting a Local Host 350 10 7 Managing Remote Host Interfaces 351 10 7 1 Viewing a List of Re...

Page 21: ...366 12 1 7 Managing In Out Interfaces 367 12 1 7 1 Viewing a List of In Out Interfaces 367 12 1 7 2 Adding an In Out Interface 368 12 1 7 3 Deleting an In Out Interface 368 12 1 8 Managing VLANs for Virtual Switches 368 12 1 8 1 Viewing a List of Virtual Switch VLANs 369 12 1 8 2 Adding a Virtual Switch VLAN 369 12 1 8 3 Deleting a Virtual Switch VLAN 370 12 2 Managing the Layer2 Tunnel Daemon 370...

Page 22: ...5 5 Managing Remote Daemons for GOOSE Tunnels 390 12 5 5 1 Viewing a List of Remote Daemons 391 12 5 5 2 Adding a Remote Daemon 391 12 5 5 3 Deleting a Remote Daemon 391 12 6 Managing Generic Tunnels 392 12 6 1 Viewing the Generic Tunnel Statistics 392 12 6 2 Viewing a List of Generic Tunnels 393 12 6 3 Adding a Generic Tunnel 393 12 6 4 Deleting a Generic Tunnel 394 12 6 5 Managing Remote Daemon ...

Page 23: ...Status 408 12 8 5 Managing Pre Shared Keys 409 12 8 5 1 Viewing a List of Pre Shared Keys 410 12 8 5 2 Adding a Pre Shared Key 410 12 8 5 3 Deleting a Pre Shared Key 410 12 8 6 Managing Connections 411 12 8 6 1 Viewing a List of Connections 411 12 8 6 2 Adding a Connection 412 12 8 6 3 Configuring Dead Peer Detection 413 12 8 6 4 Deleting a Connection 414 12 8 6 5 Viewing the Status of a Connectio...

Page 24: ...431 12 10 3 2 Adding a DMVPN Interface 432 12 10 3 3 Deleting a DMVPN Interface 433 12 10 4 Viewing the Status of DMVPN 433 Chapter 13 Unicast and Multicast Routing 435 13 1 Viewing the Status of IPv4 Routes 435 13 2 Viewing the Status of IPv6 Routes 436 13 3 Viewing the Memory Statistics 437 13 4 Configuring ICMP 438 13 5 Managing Event Trackers 438 13 5 1 Viewing a List of Event Trackers 439 13 ...

Page 25: ...5 13 6 10 Managing LSP Refresh Intervals 455 13 6 10 1 Viewing a List of LSP Refresh Intervals 456 13 6 10 2 Adding an LSP Refresh Interval 456 13 6 10 3 Deleting an LSP Refresh Interval 457 13 6 11 Managing Network Entity Titles NETs 457 13 6 11 1 Viewing a List of NETs 458 13 6 11 2 Adding a NET 458 13 6 11 3 Deleting a NET 459 13 6 12 Managing Redistribution Metrics 459 13 6 12 1 Viewing a List...

Page 26: ...refix List Distribution Path 473 13 7 9 Managing Key Chains and Keys 473 13 7 9 1 Viewing a List of Key Chains 474 13 7 9 2 Viewing a List of Keys 474 13 7 9 3 Adding a Key Chain 474 13 7 9 4 Adding a Key 475 13 7 9 5 Deleting a Key Chain 476 13 7 9 6 Deleting a Key 476 13 7 10 Managing Redistribution Metrics 477 13 7 10 1 Viewing a List of Redistribution Metrics 477 13 7 10 2 Adding a Redistribut...

Page 27: ...g Autonomous System Paths and Entries 491 13 8 5 1 Viewing a List of Autonomous System Paths 491 13 8 5 2 Viewing a List of Autonomous System Path Entries 492 13 8 5 3 Adding an Autonomous System Path Filter 492 13 8 5 4 Adding an Autonomous System Path Filter Entry 492 13 8 5 5 Deleting an Autonomous System Path 493 13 8 5 6 Deleting an Autonomous System Path Filter Entry 493 13 8 6 Managing Neig...

Page 28: ...4 Clients 516 13 8 12 Viewing the Status of Dynamic BGP Routes 516 13 8 13 Resetting a BGP Session 519 13 9 Managing OSPF 520 13 9 1 OSPF Concepts 521 13 9 2 Configuring OSPF 521 13 9 3 Viewing the Status of Dynamic OSPF Routes 522 13 9 4 Managing Prefix Lists and Entries 524 13 9 4 1 Viewing a List of Prefix Lists 524 13 9 4 2 Viewing a List of Prefix Entries 525 13 9 4 3 Adding a Prefix List 525...

Page 29: ...nabling Disabling MPLS 544 13 10 4 Managing the MPLS Interfaces 544 13 10 4 1 Viewing the Status of MPLS Interfaces 544 13 10 4 2 Viewing a List of MPLS Interfaces 545 13 10 4 3 Enabling Disabling an MPLS Interface 545 13 10 5 Managing Static Label Binding 546 13 10 5 1 Viewing the Status of Static Label Binding 546 13 10 5 2 Viewing a List of Static Labels 547 13 10 5 3 Adding a Static Label 547 ...

Page 30: ...arget 564 13 11 7 Managing VRF Instances and OSPF 564 13 11 7 1 Viewing a List of VRF Instances 564 13 11 7 2 Adding a VRF Instance and Configuring OSPF 565 13 11 7 3 Deleting a VRF Instance 566 13 11 8 Managing IP VPN Tunnels 566 13 11 8 1 Viewing a List of IP VPN Tunnels 567 13 11 8 2 Adding an IP VPN Tunnel 567 13 11 8 3 Deleting an IP VPN Tunnels 568 13 11 9 Managing VPNv4 Neighbors 568 13 11 ...

Page 31: ...uting 581 13 12 1 Viewing a List of Static Routes 581 13 12 2 Adding an IPv4 Static Route 582 13 12 3 Adding an IPv6 Static Route 582 13 12 4 Deleting a Static Route 583 13 12 5 Configuring a Black Hole Connection for an IPv4 Static Route 583 13 12 6 Managing Gateways for Static Routes 583 13 12 6 1 Configuring Gateways for IPv6 Static Routes 584 13 12 6 2 Viewing a List of Gateways for IPv4 Stati...

Page 32: ...97 13 14 8 2 Adding a Static RP Address 597 13 14 8 3 Deleting a Static RP Address 597 13 14 9 Managing Multicast Group Prefixes 598 13 14 9 1 Viewing a List of Multicast Group Prefixes 598 13 14 9 2 Adding a Multicast Group Prefix 598 13 14 9 3 Deleting a Multicast Group Prefix 599 Chapter 14 Network Redundancy 601 14 1 Managing VRRP 601 14 1 1 VRRP Concepts 602 14 1 1 1 Static Routing vs VRRP 60...

Page 33: ...ing a Dedicated Link 618 14 1 10 5 Deleting a Dedicated Link 618 14 1 10 6 Selecting a Default Dedicated Link 619 14 1 10 7 Viewing the Status of Each Dedicated Link 619 14 2 Managing Link Failover Protection 620 14 2 1 Viewing the Link Failover Log 621 14 2 2 Viewing the Link Failover Status 621 14 2 3 Managing Link Failover Parameters 622 14 2 3 1 Viewing a List of Link Failover Parameters 622 1...

Page 34: ...nces Globally 645 14 3 6 1 Viewing Statistics for Multiple Spanning Tree Instances 645 14 3 6 2 Viewing a List of Multiple Spanning Tree Instances 647 14 3 6 3 Adding a Multiple Spanning Tree Instance 647 14 3 6 4 Deleting a Multiple Spanning Tree Instance 648 14 3 7 Managing Multiple Spanning Tree Instances Per Port 648 14 3 7 1 Viewing Per Port Multiple Spanning Tree Instance Statistics 649 14 3...

Page 35: ... SNMP Communities 675 15 2 5 2 Adding an SNMP Community 675 15 2 5 3 Deleting an SNMP Community 675 15 2 6 Managing SNMP Target Addresses 676 15 2 6 1 Viewing a List of SNMP Target Addresses 676 15 2 6 2 Adding an SNMP Target Address 676 15 2 6 3 Deleting an SNMP Target Address 678 15 2 7 Managing SNMP Users 678 15 2 7 1 Viewing a List of SNMP Users 678 15 2 7 2 Adding an SNMP User 679 15 2 7 3 De...

Page 36: ...terface 694 16 2 3 Managing Traffic Control Priorities 695 16 2 3 1 Viewing a List of Traffic Control Priorities 695 16 2 3 2 Adding a Traffic Control Priority 695 16 2 3 3 Deleting a Traffic Control Priority 696 16 2 4 Managing Traffic Control Classes 697 16 2 4 1 Viewing a List of Traffic Control Classes 697 16 2 4 2 Adding a Traffic Control Class 698 16 2 4 3 Deleting a Traffic Control Class 69...

Page 37: ...1 Flow Records 719 16 4 2 Configuring NetFlow Data Export 720 16 4 3 Enabling Disabling NetFlow 720 16 4 4 Setting the NetFlow Engine ID 721 16 4 5 Controlling the NetFlow Cache 721 16 4 6 Controlling Active Inactive Flows 721 16 4 7 Managing NetFlow Interfaces 722 16 4 7 1 Viewing a List of NetFlow Interfaces 722 16 4 7 2 Adding a NetFlow Interface 722 16 4 7 3 Deleting a NetFlow Interface 723 16...

Page 38: ... Multicast Clients 740 17 9 1 Enabling and Configuring NTP Multicast Clients 741 17 9 2 Enabling and Configuring NTP Broadcast Clients 741 17 9 3 Managing NTP Broadcast Multicast Addresses 741 17 9 3 1 Viewing a List of Broadcast Multicast Addresses 742 17 9 3 2 Adding a Broadcast Multicast Address 742 17 9 3 3 Deleting a Broadcast Multicast Address 743 Chapter 18 Applications 745 18 1 Viewing a L...

Page 39: ...RUGGEDCOM ROX II CLI User Guide Table of Contents xxxix 19 5 VLANs 752 ...

Page 40: ...Table of Contents RUGGEDCOM ROX II CLI User Guide xl ...

Page 41: ...essing Documentation License Conditions Training Customer Support Conventions This CLI User Guide uses the following conventions to present information clearly and effectively Alerts The following types of alerts are used when necessary to highlight important information DANGER DANGER alerts describe imminently hazardous situations that if not avoided will result in death or serious injury WARNING...

Page 42: ...ented in the order they must be entered Related Documents The following are other documents related to this product that may be of interest Unless indicated otherwise each document is available on the Siemens Industry Online Support SIOS https support industry siemens com website NOTE Documents listed are those available at the time of publication Newer versions of these documents or their associa...

Page 43: ...n view 94772587 What Should You Watch Out For When Configuring a Link Aggregation Between SCALANCE X Switches and RUGGEDCOM Switches https support industry siemens com cs ww en view 76798136 What Should You Watch Out For When Ordering and Installing Interface Modules For RUGGEDCOM Switches https support industry siemens com cs ww en view 77896782 What Options Do You Have For Connecting an R STP Se...

Page 44: ...s open source software Read the license conditions for open source software carefully before using this product License conditions are detailed in a separate document accessible via RUGGEDCOM ROX II To access the license conditions log in to the RUGGEDCOM ROX II CLI and type the following command file show license LicenseSummary txt Training Siemens offers a wide range of educational services rang...

Page 45: ... Support Request SR or check on the status of an existing SR Telephone Call a local hotline center to submit a Support Request SR To locate a local hotline center visit http www automation siemens com mcms aspa db en automation technology Pages default aspx Mobile App Install the Industry Online Support app by Siemens AG on any Android Apple iOS or Windows mobile device and be able to Access Sieme...

Page 46: ...Preface RUGGEDCOM ROX II CLI User Guide xlvi Customer Support ...

Page 47: ...ents Section 1 1 Features and Benefits Feature support in RUGGEDCOM ROX II is driven by feature keys that unlock feature levels For more information about feature keys refer to Section 1 2 Feature Keys The following describes the many features available in RUGGEDCOM ROX II and their benefits Cyber Security Cyber security is an urgent issue in many industries where advanced automation and communica...

Page 48: ... VLAN Simple Network Management Protocol SNMP SNMP provides a standardized method for network management stations to interrogate devices from different vendors RUGGEDCOM ROX II supports v1 v2c and v3 SNMPv3 is generally recommended as it provides security features such as authentication privacy and access control not present in earlier SNMP versions RUGGEDCOM ROX II also supports numerous standard...

Page 49: ...de a snapshot of recent events that have yet to be acknowledged by the network administrator An external hardware relay is de energized during the presence of critical alarms allowing an external controller to react if desired HTML Web Browser User Interface RUGGEDCOM ROX II provides a simple intuitive user interface for configuration and monitoring via a standard graphical Web browser or via a st...

Page 50: ...COM ROX II If an external host fails to log in to the CLI NETCONF or Web interfaces after a fixed number of attempts the host s IP address will be blocked for a period of time That period of time will increase if the host continues to fail on subsequent attempts USB Mass Storage Use a removable USB Mass Storage drive to manage important files and configure RUGGEDCOM ROX II Upgrade Downgrade Firmwa...

Page 51: ... each new RUGGEDCOM RX5000 MX5000 MX5000RE is ordered with a base feature key which is permanently installed on the device Additional feature keys can be installed on the compact flash card or placed on a USB Mass Storage device which allows them to be moved to other devices when needed NOTE Each feature key is signed with the serial number of the device it is intended to be used in Feature keys c...

Page 52: ...iewing the contents of feature keys refer to Section 4 8 Managing Feature Keys Section 1 3 Security Recommendations To prevent unauthorized access to the device note the following security recommendations Authentication CAUTION Accessibility hazard risk of data loss Do not misplace the passwords for the device If both the maintenance and boot passwords are misplaced the device must be returned to ...

Page 53: ...l console Make sure to take appropriate precautions when shipping the device beyond the boundaries of the trusted environment Replace the SSH and SSL keys with throwaway keys prior to shipping Take the existing SSH and SSL keys out of service When the device returns create and program new keys for the device Replace all default and auto generated SSL certificates with certificates and keys signed ...

Page 54: ...s enabled on the device While some protocols such as HTTPS SSH and 802 1x are secure others such as Telnet and RSTP were not designed for this purpose Appropriate safeguards against non secure protocols should be taken to prevent unauthorized access to the device network Make sure the device is fully decommissioned before taking the device out of service For more information refer to Section 4 7 D...

Page 55: ...re it complies with these recommendations and or any internal security policies Review the user documentation for other Siemens products used in coordination with the device for further security recommendations Section 1 4 Available Services by Port The following table lists the services available by the device including the following information Services The service supported by the device Port N...

Page 56: ...nd opens random port to listen Open if configured Closed Yes L2TP Random Port Open if configured Closed Yes BGP TCP 179 Open if configured Closed No RIP UDP 520 Open if configured Closed No MPLS Ping UDP 3503 Open if configured Closed No LDP TCP 646 and UDP 646 Open if configured Closed No L2TPv3 UDP 1701 Open if configured Closed No Section 1 5 User Permissions The following table lists the opera...

Page 57: ...d cannot create users admin cli R U R U No admin snmp C R U No No admin netconf R U No No admin dns C R U No No admin webui R U R U No admin scheduler C R U No No admin contact R U No No admin hostname R U No No admin location R U No No admin session limits R U No No admin session security R U No No admin sftp R U No No admin time status R R No admin switch config status R U R No admin system R U ...

Page 58: ...nterfaces R C R U R interface C R U R U R routing C R U C R U R routing dynamic ospf interface C R U C R U R routing dynamic rip interface C R U C R U R routing multicast dynamic pim sm interface C R U C R U R routing dynamic isis interface C R U C R U R security firewall C R U C R U R security crypto C R U R R security crypto private key C R U No No services C R U C R U R services time ntp key C ...

Page 59: ... or a fleet of devices Upgrade Downgrade Firmware Use the USB Mass Storage device as a portable repository for new or legacy versions of the RUGGEDCOM ROX II firmware Backup Files Configure RUGGEDCOM ROX II to backup important information to the USB Mass Storage device such as rollbacks log files feature keys and configuration files Share Files Quickly configure or upgrade other RUGGEDCOM RX5000 M...

Page 60: ...re of a Syslog Event Section 1 7 2 Syslog Event Types Section 1 7 3 Logged Security Events Section 1 7 1 Structure of a Syslog Event A syslog event is defined by the following elements Element Description Date The date when the event was received logged in the syslog server Time The time when the event was received logged in the System server Hostname The name of the device that sent the event Fac...

Page 61: ...roups User Group Name LOG_AUTH Notice Event Auth log audit user Username 0 no such local user LOG_DAEMON Info Alarm Auth log SE_LOCAL_UNSUCCESSFUL_LOGON Invalid Username login failed reason No such local user user ipaddr User IP Address LOG_AUTHPRIV Notice Alarm Auth log audit user Username 0 Provided Invalid Password LOG_DAEMON Info Alarm Auth log SE_LOCAL_UNSUCCESSFUL_LOGON Invalid Password logi...

Page 62: ...ddress LOG_AUTH Notice Event Auth log web audit user Username User ID logged out from Web UI LOG_DAEMON Info Event Auth log SE_LOGOFF Web UI username Username usid User ID stopped webui session from ip IP Address LOG_AUTH Notice Event Auth log SE_ACCESS_PWD_ENABLED Enabling Brute Force Attack Protection LOG_USER Error Event Syslog SE_ACCESS_PWD_DISABLED Brute Force Attack protection not enabled LO...

Page 63: ...ck has failed This may indicate that some operating system files have been modified or tampered with For assistance contact Siemens Customer Support LOG_DAEMON Critical Alarm Syslog SE_SESSION_CLOSED username Username usid User ID stopped Context session from ip IP Address LOG_AUTH Notice Event Auth log SE_SESSION_CLOSED console username Username usid User ID started Context session from ip 127 0 ...

Page 64: ... LOG_DAEMON Notice Event Upgrade SE_PATCH_DEPLOYMENT_FAILED Failed to configure boot partition ROXFLASH Failed to configure system to boot partition s on next boot LOG_DAEMON Notice Event Upgrade SE_PATCH_DEPLOYMENT_FAILED Failed to upgrade target partition upgrade Failed upgrading target partition LOG_DAEMON Notice Event Upgrade SE_PATCH_DEPLOYMENT_FAILED General upgrade Failed running Command on...

Page 65: ...tion 2 7 Accessing Different Modes Section 2 1 Default User Names and Passwords The following default passwords are pre configured on the device for each access mode CAUTION Security hazard risk of unauthorized access and or exploitation To prevent unauthorized access to the device change the default passwords before commissioning the device For more information refer to Section 5 9 Managing Passw...

Page 66: ...o access the device When enabled the protection system will block an IP address after 15 failed login attempts over a 10 minute period The IP address will be blocked for 720 seconds or 12 minutes the first time If the same IP address fails again 15 times in a 10 minute period it will be blocked again but the waiting period will be 1 5 times longer than the previous wait period Siemens strongly rec...

Page 67: ...terface Section 2 4 10 Capturing Packets from a VRF Network Interface Section 2 4 1 Pinging an IPv4 Address or Host To ping an IPv4 address or host do the following 1 At the command prompt type ping address Where address is the target IPv4 address or host name The results of the ping are displayed For example ruggedcom ping 192 168 0 7 PING 192 168 0 7 192 168 0 7 56 84 bytes of data 64 bytes from...

Page 68: ...ection 2 4 3 Pinging MPLS Endpoints To ping an MPLS endpoint type mpls ping address number Where address is the IPv4 address and prefix of the MPLS endpoint number is the number of ping attempts Section 2 4 4 Pinging VRF Endpoints To ping an VRF endpoint type vrf ping address address count attempts vrfname name Where address is the IPv4 address and prefix of the VRF endpoint attempts is the number...

Page 69: ...e results of the trace are displayed For example ruggedcom traceroute6 2001 0db8 85a3 0000 0000 8a2e 0370 7334 traceroute to 2001 0db8 85a3 0000 0000 8a2e 0370 7334 2001 0db8 85a3 0000 0000 8a2e 0370 7334 30 hops max 60 byte packets 1 2 3 4 5 Section 2 4 7 Tracing a Route to an MPLS Endpoint To trace a route to an MPLS endpoint do the following mpls traceroute address Where address is the IPv4 add...

Page 70: ...nore a protocol place an n before the protocol name e g ntui verbosity The verbosity level Type v vv or vvv to set the level Section 2 4 10 Capturing Packets from a VRF Network Interface VRF Tcpdump is a packet analyzer for TCP IP and other packets It can be used to capture packets at a specified VRF network interface and dump them to a terminal or file To capture packets type vrf tcpdump and conf...

Page 71: ... modes Mode Description Operational Mode Operational mode is the default mode after a user logs in to the device It allows users to perform general device management actions and provides troubleshooting and maintenance utilities It is used for viewing the system status controlling the CLI environment monitoring and troubleshooting network connectivity and launching the Configuration mode Configura...

Page 72: ...mple who file foo bar or who file foo bar NOTE Auto completion also applies to filenames and directories but cannot be initiated using a space Auto completion using a space is disabled when typing a filename or directory name Section 2 5 3 Displaying Available Commands To display a list of available commands at any point in the CLI type For example in Operational mode typing at the command prompt ...

Page 73: ...rs from the cursor to the end of the line Ctrl U or Ctrl X Delete the whole line Ctrl W Esc Backspace or Alt Backspace Delete the whole before the cursor Esc D or Alt D Delete the whole after the cursor Inserting Recently Deleted Text Command Description Ctrl Y Inserts the most recently deleted text at the cursor s location Displaying Previously Entered Commands Command Description Ctrl P or Up Ar...

Page 74: ...er contains spaces unless otherwise stated wrap the value in double quotes For example admin scheduler scheduled jobs save myconfig job command show running config save myconfig Section 2 5 6 Using Output Redirects Information returned from a CLI term can be processed in various ways using an output redirect term To specify an output redirect type after the CLI term and then type the redirect term...

Page 75: ...16 05 50 2014 rox imaging roxflash progress phase Inactive status message image flashing 0 netconf statistics in bad hellos 0 in sessions 0 dropped sessions 0 in rpcs 0 in bad rpcs 0 out rpc errors 0 out notifications 0 alarms active alarms chassis 11 1 severity notice description Line Module with serial number L15R 1710 PR002 in slot lm4 is i nserted or up begin Begins the output with the line co...

Page 76: ...n that is a child of the included line is usually included but may not be in some cases Regular expressions can be used with this redirect For more information about regular expressions refer to Section 2 5 7 Using Regular Expressions For example show admin include time shows the time lines from the admin information ruggedcom show admin include time time gmtime Tue Feb 15 08 34 55 2011 n localtim...

Page 77: ... Repeats the term at the specified interval Specify an interval in seconds The term repeats until you cancel it with Ctrl C For example show admin repeat 10s repeats the show admin term every 10 seconds save Saves the output to the specified ASCII text file For example show chassis save foo txt saves the chassis information to the file foo txt select This redirect is not yet implemented tab Enforc...

Page 78: ...tches the beginning of the line 100 Matches the end of the line 100 Matches only the characters specified 38a Matches any character other than those specified abc _ underscore The underscore character has special meanings in an autonomous system path It matches to Each space and comma Each AS set delimiter e g and Each AS confederation delimiter e g and The beginning and end of the line Therefore ...

Page 79: ...t address name Opens a telnet session to another host Parameters include host is the name or IP address of the host Further information about these well known applications is publicly available on the Internet Section 2 5 9 Specifying a Range Some CLI commands accept a range of values such as LM1 3 or 3 6 to specify multiple targets In the following example a command is applied to port 1 on LM1 LM...

Page 80: ...the CLI session send all admin message Sends a message to all users of the specified type The message appears in both the CLI and web interface For example ruggedcom send all Rebooting at midnight Message from admin ruggedcom at 2011 02 15 08 42 49 Rebooting at midnight EOF show admin chassis interface interfaces netconf routing services Shows selected configuration information Use auto completion...

Page 81: ...put redirects to restrict the information to be shown Section 2 5 10 2 File Commands Operational mode provides commands for managing log configuration and feature key files on the device Parameter Description file Performs file operations including compare config copy config delete config delete featurekey list config list featurekey rename config rename featurekey scp config from url scp config t...

Page 82: ...g ruggedcom file rename config test002 production_config file rename config current filename new filename Renames a feature key file For example the following command renames the feature key 1_cmRX1K 12 11 0217 key file to old_featurekey ruggedcom file rename featurekey 1_cmRX1K 12 11 0217 key old_featurekey file scp config from url user host path current filename new filename Securely copies a co...

Page 83: ...feature key file from a remote computer to the device The remote computer must have an SCP or SSH secure shell service or client installed and running To use this command the user credentials for the remote computer the IP address or host name of the remote computer the directory path to the feature key file on the remote computer and the feature key file filename must all be known Type the comman...

Page 84: ...h to the log file on the remote computer and the log file filename must all be known Where current filename is the current filename of the log file user is a user name with access rights to the remote computer host is the host name or IP address of the remote computer path path specifies where to save the log file on the remote computer new filename is the new filename for the log file To use the ...

Page 85: ...tration Commands Operational mode provides commands for performing device administration tasks Parameter Description admin acknowledge all alarms Acknowledges all system alarms admin clear all alarms Clears all system alarms admin delete all ssh known hosts Deletes the list of known hosts admin delete ssh known hosts Deletes the host entry from the list of known hosts admin restore factory default...

Page 86: ... an extensive collection of device specific statistics If necessary the output can be redirected to a file For information on how to redirect output refer to Section 2 5 6 Using Output Redirects config private Enters a configuration mode where users can make changes to the system This is the primary mode for most users who want to make changes to the device network configuration It can be accessed...

Page 87: ...eout Temporarily commits changes for a period of time allowing users to test the configuration before fully committing the changes The changes must be committed using a standard commit command before the timeout period ends If changes are not committed before the timeout period ends they are automatically discarded and the previous settings are restored A timeout period can be specified at the end...

Page 88: ... full configuration file saved and want to load it back on to the device The full configuration file can be previously created with the CLI save command executed from the top level in the configuration tree or with the admin full configuration save command With the override parameter the entire running configuration is overwritten by the contents of the configuration file The override option has t...

Page 89: ...rmed Conflicts typically arise when multiple users edit the same parts of a configuration revert no confirm Copies the running configuration into the current configuration This discards all changes to the current configuration This command will prompt the user to confirm the action Use the no confirm parameter to revert the configuration without requiring confirmation rollback configuration number...

Page 90: ...rox_flash or rox_upgrade wizards For more information refer to Section 4 12 5 2 Downgrading Using ROXflash and Section 4 12 3 Upgrading the RUGGEDCOM ROX II Software Section 2 6 Configuring the CLI Interface The following commands can be used to configure certain characteristics and customize the CLI interface Parameter Description autowizard true false When enabled the CLI prompts for required se...

Page 91: ...ut have no explicit support Section 2 7 Accessing Different Modes Aside from normal mode there are three additional modes within RUGGEDCOM ROX II that offer various controls over the operating system CONTENTS Section 2 7 1 Accessing BIST Mode Section 2 7 2 Accessing Service Mode Section 2 7 3 Accessing Maintenance Mode Section 2 7 1 Accessing BIST Mode BIST Built In Self Test mode is used by RUGGE...

Page 92: ...mode 6 2 Debian GNU Linux kernel 3 0 0 2 8360e single user mode 6 3 Debian GNU Linux kernel 3 0 0 2 8360e service mode Auto booting 4 0 Hit ESC key to stop 0 Welcome to the boot menu Please select from the following options Enter BootPartition BootTarget e g 4 0 to boot h Show this help menu l List the available boot targets c Exit to the boot loader command line Will reboot after 60 seconds of in...

Page 93: ...2 7 2 Accessing Service Mode Service mode grants access to the Linux shell To access service mode do the following CAUTION Configuration hazard risk of data corruption Service mode is provided for troubleshooting and advanced configuration purposes and should only be used by Siemens technicians As such this mode is not fully documented Misuse of the commands available in this mode can corrupt the ...

Page 94: ...his help menu l List the available boot targets c Exit to the boot loader command line Will reboot after 60 seconds of inactivity NOTE In the example above the text Auto booting 4 0 indicates the active partition is Boot Partition 4 4 Enter service mode on the active partition by typing the associated target number For example if the active partition is Boot Partition 6 type 6 3 A login prompt for...

Page 95: ...azard risk of data corruption Maintenance mode is provided for troubleshooting purposes and should only be used by Siemens Canada Ltd technicians As such this mode is not fully documented Misuse of the commands available in this mode can corrupt the operational state of the device and render it inaccessible IMPORTANT Changes made to the configuration in this mode will override the current configur...

Page 96: ...Chapter 2 Using RUGGEDCOM ROX II RUGGEDCOM ROX II CLI User Guide 50 Accessing Maintenance Mode ...

Page 97: ...and Command Line Interface CLI can be accessed via a direct connection between a workstation and a device or a remote connection over the network CONTENTS Section 3 1 1 Default IP Address Section 3 1 2 Connecting Directly Section 3 1 3 Connecting Remotely Section 3 1 1 Default IP Address The default IP address for the device is as follows Port IP Address Mask MGMT 192 168 1 2 24 All other Ethernet...

Page 98: ...flow control 3 Establish a connection to the device and press any key The login prompt appears host name login 4 Log in to RUGGEDCOM ROX II For more information refer to Section 2 2 Logging In Section 3 1 3 Connecting Remotely The Command Line Interface CLI can be accessed securely and remotely using an SSH client To access the CLI do the following 1 Launch an SSH client and specify the following ...

Page 99: ...following table lists the default IP addresses Interface IP Address switch 0001 192 168 0 2 24 fe cm 1 192 168 1 2 24 fe em 1 a 192 168 2 1 24 a Optional expansion module CONTENTS Section 3 2 1 Configuring a Basic IPv4 Network Section 3 2 2 Configuring a Basic IPv6 Network Section 3 2 1 Configuring a Basic IPv4 Network To configure a basic IPv4 network do the following 1 Connect a computer to the ...

Page 100: ...4 1 24 and FDD1 9AEF 3DE4 2 3 Configure the fe cm 1 and switch 0001 interfaces on the device with IPv6 addresses 4 Connect one of the switched ports from any available line module to an IPv6 capable network 5 Configure the computers on the IPv6 network to be on the same IP subnet as switch 0001 and configure the default gateway address 6 Enable the Brute Force Attack BFA protection system on the d...

Page 101: ...tion 4 11 Managing the Software Configuration Section 4 12 Upgrading Downgrading the RUGGEDCOM ROX II Software Section 4 13 Monitoring Firmware Integrity Section 4 14 Managing the Fan Controller Section 4 15 Managing Fixed Modules Section 4 16 Managing Line Modules Section 4 17 Managing SFP Transceivers RUGGEDCOM RX5000 Only Section 4 18 Managing Routable Ethernet Ports Section 4 1 Displaying Devi...

Page 102: ...g The system serial number on the chassis label This parameter is mandatory last integrity check Synopsis A string 1 to 32 characters long The last time the firmware integrity was checked last integrity check result Synopsis A string The result of the last integrity check Section 4 2 Viewing Chassis Information and Status This section describes how to view information about the device chassis such...

Page 103: ...silkscreen across the top of the chassis order field Synopsis A string 1 to 25 characters long The order code of the chassis as derived from the current hardware configuration This parameter is mandatory detected module Synopsis A string 1 to 60 characters long The installed module s type specifier This parameter is mandatory Section 4 2 2 Viewing Module Information To view information about the m...

Page 104: ... 994896 current partition Partition 1 current partition capacity 490496 secondary partition capacity 490496 current partition usage 67 This table or list provides the following information Parameter Description storage name Synopsis A string 0 to 32 characters long The type of storage total capacity Synopsis A 32 bit unsigned integer between 0 and 4294967295 The total capacity of the flash storage...

Page 105: ... lm3 lm4 lm5 lm6 swport eth serport celport wlanport cm em trnk The slot name as marked on the silkscreen across the top of the chassis detected module Synopsis A string 1 to 60 characters long The installed module s type specifier This parameter is mandatory cpu load Synopsis A 32 bit signed integer between 0 and 100 The CPU load in percent on the installed module ram avail Synopsis A 32 bit sign...

Page 106: ...017 01 12Z 03 19 16Z em none empty N A 2017 01 12Z 03 19 16Z This table or list provides the following information Parameter Description slot Synopsis pm1 pm2 main sm lm1 lm2 lm3 lm4 lm5 lm6 swport eth serport celport wlanport cm em trnk The slot name as marked on the silkscreen across the top of the chassis detected module Synopsis A string 1 to 60 characters long The installed module s type spec...

Page 107: ...he chassis detected module Synopsis A string 1 to 60 characters long The installed module s type specifier This parameter is mandatory temperature Synopsis A 32 bit signed integer between 55 and 125 The temperature in degrees C of the installed module If multiple temperature sensors are present on the board the maximum reading is reported This parameter is mandatory current supply Synopsis A 32 bi...

Page 108: ...view a list of parts installed in the device type show running config chassis part list If jobs have been configured a table or list similar to the following example appears ruggedcom show running config chassis part list tab MODEL ORDERFIELD PARTNUMBER PARTNAME RX5000 16TX01 12 86 0010 001 16x 10 100TX RJ45 RX5000 4CG01 12 86 0015 001 4x 10 100 1000TX RJ45 12 86 0203 001 12 86 0203 001 RX5000 4CG...

Page 109: ...86 0018 008 4x 100FX Singlemode 1310nm SC 50km Section 4 4 Shutting Down the Device To shut down the device type CAUTION Security hazard risk of unauthorized access and or exploitation Always shutdown the device before disconnecting power Failure to shutdown the device first could result in data corruption NOTE The device never enters a permanent shutdown state When instructed to shutdown the devi...

Page 110: ...ermanently or for maintenance by a third party make sure the device has been fully decommissioned This includes removing any sensitive proprietary information To decommission the device do the following 1 Obtain a copy of the RUGGEDCOM ROX II firmware currently installed on the device For more information contact Siemens Customer Support 2 Log in to maintenance mode For more information refer to S...

Page 111: ...tive to arrange for an RMA Return to Manufacturer Authorization to program the feature key into the device When ordering feature levels make sure to provide the main serial numberand cm serial number for the device An upgraded feature key file will be provided that is licensed to the device For information on how to determine the main serial numberand cm serial number refer to Section 4 1 Displayi...

Page 112: ... file is stored host is the hostname or IP address of the computer where the feature key file is stored path is the directory path to the feature key file in the host computer current filename is the current name of the feature key file new filename is the new name of the feature key file on the device This parameter is optional The current filename will be used if a new filename is not provided F...

Page 113: ...and from the device using the following methods Install Allows users to upload files from a USB flash drive or from a remote server using a file transfer protocol such as FTP Backup Allows users to download files to a USB flash drive or to a remote server using a file transfer protocol such as FTP CONTENTS Section 4 9 1 Installing Files Section 4 9 2 Backing Up Files Section 4 9 1 Installing Files...

Page 114: ... RX5000 MX5000 MX5000RE Installation Guide 2 Make sure the CLI is in Configuration mode 3 Navigate to admin backup files and configure the following parameter s as required NOTE RUGGEDCOM ROX II supports implicit FTP over TLS FTPS URLs Explicit FTP over TLS is not supported Parameter Description file type file type Synopsis config featurekey logfiles rollbacks licenses logarchive The file types to...

Page 115: ...ions to record important non security event information The remote Syslog protocol defined in RFC 3164 http tools ietf org html rfc3164 is a UDP IP based transport that enables a device to send event notification messages across IP networks to event message collectors also known as Syslog servers The protocol is designed to simply transport these event messages from the generating device to the co...

Page 116: ...to view the auth log type show log auth log A result similar to the following is displayed ruggedcom show log auth log Jan 29 09 25 00 ruggedcom confd 2068 audit user admin 0 failed to login using externalauth Local authentication Jan 29 09 25 00 ruggedcom confd 2068 audit user admin 0 logged in through Web UI from 192 168 0 200 Jan 29 09 25 00 ruggedcom confd 2068 audit user admin 32 assigned to ...

Page 117: ...ote syslog server is configured TCP port 6514 is automatically opened 2 Enable or disable secure remote syslog by typing either Enabling admin logging secure remote syslog enable Disabling no admin logging secure remote syslog enable IMPORTANT All certificates must meet the following requirements X 509 v3 digital certificate format PEM format RSA key pair 512 to 2048 bits in length 3 If secure rem...

Page 118: ...er Section 4 10 3 3 Adding a Permitted Peer To add a permitted peer for secure remote syslog do the following 1 Make sure the CLI is in Configuration mode 2 Add the permitted peer by typing admin logging secure remote syslog permitted peer pattern Where pattern is the pattern used to match the common name defined in the SSL certificate received from the server 3 Type commit and press Enter to save...

Page 119: ...ress 3 Configure the source IP address by typing admin logging source ip address Where address is the alternative source IP address 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 4 10 4 Managing Diagnostic Logs Diagnostic logs are available for troubleshooting the device Various device behavior is recorded in the following logs Log Filename Develo...

Page 120: ...diagnostics developer log enabled Disable no admin logging diagnostics developer log enabled 3 Configure the level of information provided by the Developer s log by typing Parameter Description log level log level Synopsis error info trace Default info Sets the verbosity level for developer logging 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 4 ...

Page 121: ...f id 9450 sending rpc reply attrs message id 103 CAUTION Configuration hazard risk of reduced performance Enabling diagnostic logging will significantly affect the performance of RUGGEDCOM ROX II Only enable diagnostic logging when directed by Siemens To enable or disable the NETCONF Summary log do the following 1 Make sure the CLI is in Configuration mode 2 Enable or disable the NETCONF Summary l...

Page 122: ... Trace log by typing the following commands Enable admin logging diagnostics netconf trace log enabled Disable no admin logging diagnostics netconf trace log enabled 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 4 10 4 5 Enabling Disabling the XPATH Trace Log The XPATH trace log records internal events related to XPATH routines that require inter...

Page 123: ...bUI Trace log do the following 1 Make sure the CLI is in Configuration mode 2 Enable or disable the WebUI Trace log by typing the following commands Enable admin logging diagnostics webui trace log enabled Disable no admin logging diagnostics webui trace log enabled 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 4 10 5 Managing Remote Syslog Serve...

Page 124: ...in Configuration mode 2 Add the remote server by typing admin logging server address Where address is the IP address of the remote server 3 Configure the following parameter s as required Parameter Description enabled Enables disables the feed to the remote logging server transport transport Synopsis udp tcp Default udp TCP or UDP monitor interface monitor interface Synopsis A string The interface...

Page 125: ... 6 1 Viewing a List of Remote Server Selectors Section 4 10 6 2 Adding a Remote Server Selector Section 4 10 6 3 Deleting a Remote Server Selector Section 4 10 6 1 Viewing a List of Remote Server Selectors To view a list of remote server selectors type show running config admin logging server address selector Where address is the IP address of the remote server If remote server selectors have been...

Page 126: ...Level field same_or_higher includes messages of the severity level selected in the Level field and all messages of higher severity For example Selecting debug in the Level field and same in the Comparison field includes only debug messages in the log Selecting debug in the Level field and same_or_higher in the Comparison field includes debug and all higher severity messages in the log level level ...

Page 127: ... Section 4 11 1 Saving the Configuration To save the configuration settings for RUGGEDCOM ROX II as a separate file type admin full configuration save format cli file name filename Where filename is the name of the configuration file Alternatively to include only the default configuration parameter values in the saved configuration file do the following 1 Make sure the CLI is in Configuration mode...

Page 128: ...e CONTENTS Section 4 12 1 Configuring the Upgrade Source Section 4 12 2 Setting Up an Upgrade Server Section 4 12 3 Upgrading the RUGGEDCOM ROX II Software Section 4 12 4 Stopping Declining a Software Upgrade Section 4 12 5 Downgrading the RUGGEDCOM ROX II Software Section 4 12 1 Configuring the Upgrade Source Firmware for upgrading or downgrading RUGGEDCOM ROX II can be uploaded from either an up...

Page 129: ...mit and press Enter to save the changes or type revert and press Enter to abort Section 4 12 2 Setting Up an Upgrade Server An upgrade server containing a software repository can be used to upgrade or downgrade the RUGGEDCOM ROX II software via the network The upgrade server must meet the following requirements Each device that will be upgraded downgraded must have access to a host that acts as a ...

Page 130: ...For example 2 12 1 File Type File Name MIME Type RUGGEDCOM ROX II Image Archive imagerr2 x y tar bz2 application x bzip2 RUGGEDCOM ROX II Upgrade Archive rr2 dists rr2 x y Release extracted from rr2 x y zip text plain GNU Privacy Guard GPG imagerr2 x y tar bz2 gpg text plain RUGGEDCOM ROX II software and application upgrades installations may fail if these MIME types or not configured Enable Doubl...

Page 131: ...der i e rr2 dists rr2 12 1 Section 4 12 3 Upgrading the RUGGEDCOM ROX II Software RUGGEDCOM ROX II software upgrades are managed between two partitions One partition is always active while the other is always inactive Software upgrades are always applied to the inactive partition This allows the active partition to function normally during a software upgrade and for users to roll back a software u...

Page 132: ... to change it The software release you are upgrading to is rr2 Press ENTER to accept this or type a different version Checking for a more recent version of the upgrade system Already running the most recent version of the upgrade system Launching ROXII Upgrade Upgrading system to Partition 2 Estimating size of upgrade This may take a few minutes 31 packages to install 20799050 bytes to download 15...

Page 133: ... The RUGGEDCOM ROX II software can be downgraded to a previous release at any time CONTENTS Section 4 12 5 1 Rolling Back a Software Upgrade Section 4 12 5 2 Downgrading Using ROXflash Section 4 12 5 1 Rolling Back a Software Upgrade To activate a previous version of the RUGGEDCOM ROX II software stored on the inactive partition do the following 1 Make sure the CLI is in Configuration mode 2 Rollb...

Page 134: ...ation refer to the RUGGEDCOM RX5000 MX5000 MX5000RE Installation Guide 4 Make sure the CLI is in Configuration mode IMPORTANT For downgrades via HTTPS SSL a custom Certificate Authority CA must be configured on the device For more information about adding a CA refer to Section 6 8 4 3 Adding a CA Certificate and CRL 5 Launch the ROXflash wizard by typing wizard rox_flash The wizard will require us...

Page 135: ...time of the upgrade During operation the integrity of the installed files is verified and all running programs are verified to be part of the validated installation CAUTION Security hazard risk of unauthorized access and or exploitation For the firmware integrity check to be meaningful appropriate care must be taken to protect the device Make sure physical access to the device is restricted to aut...

Page 136: ...act Siemens Customer Support Section 4 13 3 Scheduling a Recurring Firmware Integrity Check Using the RUGGEDCOM ROX II scheduler the firmware integrity check can be scheduled to run automatically at a specific time and date either once or on a recurring schedule For more information about scheduling the firmware integrity check refer to Section 5 10 Scheduling Jobs Section 4 13 4 Viewing the Statu...

Page 137: ...tion 4 14 Managing the Fan Controller RUGGEDCOM RX5000 MX5000 MX5000RE devices may be equipped with an optional fan module to monitor and control the temperature of the device When the internal temperature exceeds a user specified value one of the three fan arrays will activate automatically CONTENTS Section 4 14 1 Viewing the Fan Controller Status Section 4 14 2 Configuring the Activation Tempera...

Page 138: ...ing 1 Make sure the CLI is in Configuration mode 2 Configure the following parameter s as required Parameter Description setpoint temp setpoint temp Synopsis A 32 bit unsigned integer between 25 and 85 Default 50 The temperature above which the fans will be activated The minimum and maximum values of this parameter are 25C and 85C 3 Type commit and press Enter to save the changes or type revert an...

Page 139: ...e CLI is in Configuration mode 2 Add the module by typing chassis fixed modules fixed module slot Where slot is the name of the module location 3 Configure the following parameter s as required Parameter Description module type module type Synopsis A string 1 to 60 characters long The module type to be used in this slot This parameter is mandatory partnumber partnumber Synopsis A string 1 to 74 ch...

Page 140: ...remove a line module from the chassis do the following 1 Shut down the device The device will shutdown for a period of time before rebooting and restarting The default time out period is 300 seconds five minutes If more time is required to complete the procedure disconnect power from the device during the time out period For more information on how to shutdown the device refer to Section 4 4 Shutt...

Page 141: ...ULE TYPE ENABLED BYPASS sm SM 8 Gigabit Layer 2 w 2x 10 100 1000TX RJ45 X lm1 none lm2 4x 1000LX SFP X lm3 16x 10 100TX RJ45 X lm4 8x 100FX SFP X lm5 none lm6 none If no line modules have been configured install line module as needed For more information refer to Section 4 16 2 Installing a New Line Module Section 4 16 4 Configuring a Line Module To configure a line module do the following 1 Make ...

Page 142: ...rs to make sure they can withstand harsh conditions If a different SFP transceiver model is used it is the user s responsibility to verify it meets environmental and usage requirements CONTENTS Section 4 17 1 SFP Transceiver Support Section 4 17 2 Viewing SFP Information Section 4 17 3 Enabling Disabling Smart SFP Mode RUGGEDCOM RX5000 Only Section 4 17 1 SFP Transceiver Support RUGGEDCOM ROX II o...

Page 143: ...available In these cases a message similar to the following will appear ID Unknown FF interfaces switch slot port sfp Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module If an SFP transceiver exists in the selected port details about the transceiver are displayed For example ruggedcom interfaces switch lm1 1 sfp sfp ...

Page 144: ...The parameter will display the following if the SFP transceiver is marked as Unidentified SFP Unidentified The SFP transceiver is not marked as Unidentified the media displays information about the SFP transceiver For example SFP 1000LX SM LC 10 km NOTE If an SFP transceiver remains marked as Unidentified after disabling Smart SFP mode contact Siemens Customer Support To enable or disable Smart SF...

Page 145: ...ggedcom show running config interface eth interface eth cm 1 auton no proxyarp no on demand no alias lldp no notify Section 4 18 2 Configuring a Routable Ethernet Port To configure a routable Ethernet port do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to interface eth interface where interface is the routable Ethernet port 3 Configure the port settings by configuring the...

Page 146: ... static Determines whether the IP address is static or dynamically assigned via DHCP or BOOTP The DYNAMIC option is a common case of a dynamically assigned IP address It switches between BOOTP and DHCP until it gets the response from the relevant server It must be static for non management interfaces ipv6 address src ipv6 address src Synopsis static dynamic Default static Determines whether the IP...

Page 147: ...s for Routable Ethernet Ports This section describes how to manage VLANs for routable Ethernet ports CONTENTS Section 4 18 3 1 Viewing a List of VLANs for Routable Ethernet Ports Section 4 18 3 2 Adding a VLAN to a Routable Ethernet Port Section 4 18 3 3 Deleting a VLAN for a Routable Ethernet Port Section 4 18 3 1 Viewing a List of VLANs for Routable Ethernet Ports To view a list of VLANs configu...

Page 148: ...be static for non management interfaces ipv6 address src ipv6 address src Synopsis static dynamic Default static Whether the IPv6 address is static or dynamically assigned via DHCPv6 Option DYNAMIC is a common case of a dynamically assigned IPv6 address This must be static for non management interfaces on demand This interface is up or down on the demand of the link failover 4 Add a QoS map for th...

Page 149: ...tion 5 9 Managing Passwords and Passphrases Section 5 10 Scheduling Jobs Section 5 1 Configuring the System Name and Location To configure the system name and location of the device do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to admin and configure the following parameter s as required Parameter Description system name system name Synopsis A string 1 to 255 characters ...

Page 150: ...arameter Description name name Synopsis A string 1 to 63 characters long Default ruggedcom The host name for the device This name appears in the command line prompt The host name must not contain special characters i e _ domain domain Synopsis A string 1 to 253 characters long Default localdomain The domain name associated with the device This name is appended to the end of unqualified names e g r...

Page 151: ...isten on for WebUI requests port port Synopsis A 16 bit unsigned integer between 0 and 65535 Default 443 The port on which the WebUI listens for WebUI requests extra ip ports extra ip ports Synopsis A string The WebUI will also listen on these IP Addresses For port values add to set non default port value ie xxx xxx xxx xxx 19343 16000 If using the default address do not specify another listen add...

Page 152: ... accessing the Web user interface via a browser e g https x x x x HTTP is not supported on SNMP connections To enable or disable this function on a VRF instance do the following 1 Make sure at least one VRF instance has been configured For information about configuring a VRF instance refer to Section 13 11 3 Configuring VRF 2 Make sure the CLI is in Configuration mode 3 Enable remote administratio...

Page 153: ... for SNMP make sure the listen ip parameter for SNMP sessions is set to 0 0 0 0 For more information refer to Section 15 2 2 Enabling and Configuring SNMP Sessions Section 5 7 Managing Alarms The alarm system in RUGGEDCOM ROX II notifies users when events of interest occur The system is highly configurable allowing users to Enable disable most alarms with the exception of mandatory alarms Configur...

Page 154: ...re or request an updated key from Siemens Customer Support Chassis PM1 bad supply Input power to the power module is outside nominal operating range Make sure the input power operating range meets the device requirements Chassis PM2 bad supply Input power to the power module is outside nominal operating range Make sure the input power operating range meets the device requirements Chassis PM1 MOV p...

Page 155: ...table or list similar to the following example appears ruggedcom show admin alarms tab ALARM EVENT SUBSYSTEM ID ID SEVERITY DESCRIPTION DATE TIME USER ACTIONS ACTUATORS switch 1 1 notice Link up on port lm1 8 Wed Feb 6 16 08 44 2013 clear or ack none For information on how to clear or acknowledge an active alarm refer to Section 5 7 3 Clearing and Acknowledging Alarms Section 5 7 3 Clearing and Ac...

Page 156: ... admin acknowledge all alarms Alternatively to acknowledge an individual alarm type admin alarms active alarms type id event acknowledge Where type is the type of alarm Options include admin cellmodem chassis eth security switch and wan id is the ID for the chosen alarm event is the ID for the chosen event Section 5 7 4 Configuring an Alarm While all alarms are pre configured on the device some al...

Page 157: ... If enabled this alarm will assert the failrelay led enable If enabled the main Alarm LED light will be red when this alarm is asserted If disabled the main Alarm LED light is not affected by this alarm auto clear If enabled the LED and failrelay will be cleared automatically when condition is met 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 5 8...

Page 158: ...Section 5 8 1 Viewing a List of Users To view a list of user accounts type show running config admin users If users have been configured a table or list similar to the following example appears ruggedcom show running config admin users tab admin users userid NAME PASSWORD ROLE admin 1 LmRO j7 q wtlwjfUvbOVrbt4o administrator guest 1 uGztU0 6b7YS6gqwtrelTzA 2noQ guest oper 1 eSsFfFMh NEHgTHsU1T4RRz...

Page 159: ... 2 Delete the user account by typing no admin users userid name Where name is the name of the user account 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 5 8 4 Monitoring Users Users currently logged in to the device are monitored by RUGGEDCOM ROX II and can be viewed through the CLI RUGGEDCOM ROX II allows administrators to monitor users log user...

Page 160: ...ged before the device is commissioned NOTE For a list of default passwords refer to Section 2 1 Default User Names and Passwords The complexity of each password passphrase can be chosen by the user or enforced through the device by an administrator If a user s password passphrase does not meet the password requirements an alarm is generated For example Error Supplied password is shorter than the m...

Page 161: ...Section 5 9 6 Resetting the Boot Password Passphrase Section 5 9 7 Resetting the Maintenance Password Passphrase Section 5 9 1 Configuring Password Passphrase Complexity Rules Special rules for password passphrase complexity can be configured These include setting the password passphrase length and enabling requirements for special characters To configure the password passphrase complexity rules f...

Page 162: ...s userid profile set password new password Where profile is the user profile e g admin oper or guest 2 At the prompt type the new password passphrase and then press Enter Value for new password string min 1 chars max 128 chars 3 At the next prompt type the new password passphrase again and then press Enter Value for new password repeat string min 1 chars max 128 chars The password passphrase is up...

Page 163: ...128 chars set password result success Section 5 9 4 Setting the Maintenance Password Passphrase The maintenance password passphrase grants access to the maintenance mode which is only accessible through the Command Line Interface CLI For more information about this mode refer to Section 2 5 1 Accessing Different CLI Modes CAUTION Configuration hazard risk of data corruption Maintenance mode is pro...

Page 164: ...wizard true 6 Type config and press Enter IMPORTANT Passwords passphrases that contain special characters including spaces must be wrapped in quotes e g password 2 7 Reset the admin password passphrase by typing admin users userid admin set password new password new password passphrase new password repeat new password passphrase If special characters are used make sure to encapsulate the password ...

Page 165: ...xample if the active partition is Boot Partition 4 type 6 0 and press Enter to enter Boot Partition 6 11 Repeat Step 1 and Step 10 to reset the password passphrase on the inactive partition and switch back to the original partition Section 5 9 6 Resetting the Boot Password Passphrase The boot password passphrase provides access to BIST mode through the maint login command and service mode If this ...

Page 166: ... 8360e 4 1 Debian GNU Linux kernel 3 0 0 2 8360e BIST mode 4 2 Debian GNU Linux kernel 3 0 0 2 8360e single user mode 4 3 Debian GNU Linux kernel 3 0 0 2 8360e service mode Boot Partition 6 6 0 Debian GNU Linux kernel 3 0 0 2 8360e 6 1 Debian GNU Linux kernel 3 0 0 2 8360e BIST mode 6 2 Debian GNU Linux kernel 3 0 0 2 8360e single user mode 6 3 Debian GNU Linux kernel 3 0 0 2 8360e service mode Au...

Page 167: ...heduled Job Section 5 10 1 Viewing a List of Scheduled Jobs To view a list of scheduled jobs type show running config admin scheduler If jobs have been configured a table or list similar to the following example appears ruggedcom show running config admin scheduler tab admin scheduler scheduled jobs JOB JOB SCHEDULER JOB JOB JOB DAY JOB DAY NAME JOB TYPE MINUTE HOUR MONTH MONTH WEEK JOB COMMAND Ba...

Page 168: ...y a list of values enter the values as a comma separated list For example to launch the job at 9 00 am 12 00 pm and 5 00 pm enter 9 12 17 To specify a range of values enter the range as comma separated values For example to launch the job every hour between 9 00 am and 5 00 pm enter 9 17 This parameter is not required for configchange jobs job day month job day month Synopsis A string 1 to 64 char...

Page 169: ...nge jobs job command job command Synopsis A string 1 to 1024 characters long One or more commands to execute at the scheduled time For example this command saves the running configuration to a file name myconfig show running config save myconfig Do not use interactive commands or commands that require a manual response or confirmation When entered in the CLI the command string must be enclosed in ...

Page 170: ...Chapter 5 System Administration RUGGEDCOM ROX II CLI User Guide 124 Deleting a Scheduled Job ...

Page 171: ...ure CLI sessions do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to admin cli and configure the following parameter s as required Parameter Description enabled Synopsis true false Default true When enabled a command line interface CLI may be used to configure the device A secure shell SSH client or serial console may be used to access the CLI listen ip listen ip Synopsis A...

Page 172: ...le if the CLI is waiting for notifications or if commits are pending If the value of this parameter is changed during a session the change will not take effect until the next session greeting greeting Synopsis A string 1 to 8192 characters long A greeting message presented to users when they log in to the CLI The message must be enclosed in quotation marks 3 Type commit and press Enter to save the...

Page 173: ...other to be considered malicious behavior Once the time has expired the host will be allowed to access the device again If the malicious behavior continues from the same IP address e g another 15 failed login attempts then the IP address will be blocked again but the time blocked will increase by a factor of 1 5 This will continue as long as the host repeats the same behavior IMPORTANT Enabling di...

Page 174: ...ion mechanism by typing no security bruteforce enabled 3 Type commit and press Enter to save the changes or type revert and press Enter to abort 4 Optional Enable or disable the default alarm for brute force attacks For more information refer to Section 5 7 4 Configuring an Alarm Section 6 4 Enabling Disabling Compact Flash Card Removal Detection RUGGEDCOM ROX II features a detection mechanism to ...

Page 175: ...cation static MAC address based authorization or both Using IEEE 802 1x authentication RUGGEDCOM ROX II authenticates a source device against a remote RADIUS authentication server Access is granted if the source device provides the proper credentials Using static MAC address based authorization RUGGEDCOM ROX II authenticates the source device based on its MAC address Access is granted if the MAC a...

Page 176: ...ed In this case the configured MAC address will be automatically authorized on the port where it is detected This allows devices to be connected to any secure port on the switch without requiring any reconfiguration The device can also be programmed to learn and thus authorize a pre configured number of the first source MAC addresses encountered on a secure port This enables the capture of the app...

Page 177: ...f the host authentication is rejected by the authentication server Section 6 6 1 3 IEEE 802 1X Authentication with MAC Address Based Authentication This method also referred to as MAB MAC Authentication Bypass is commonly used for devices such as VoIP phones and Ethernet printers that do not support the IEEE 802 1x protocol This method allows such devices to be authenticated using the same databas...

Page 178: ...rg html rfc2868 so the VLANID integer value is encoded as a string If the tunnel attributes are not returned by the authentication server the VLAN assigned to the switch port remains unchanged Section 6 6 2 Configuring Port Security To configure port security for a switched Ethernet port do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to interface switch slot port port sec...

Page 179: ... Default 30 The maximum time in seconds s allowed for one full set of packets to be transferred between the port and its client quiet period quiet period Synopsis A 32 bit signed integer between 0 and 65535 Default 60 The time in seconds s to wait before retransmitting EAPoL packets to the client after a failed authentication session reauth enable When enabled the port will attempt to reauthentica...

Page 180: ...Configuring RADIUS Authentication for Switched Ethernet Ports 6 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 6 3 Viewing the Security Status of Switched Ethernet Ports To view the port security status of all switched Ethernet ports type show interfaces switch slot port security Where slot is the name of the module location For example ruggedcom ...

Page 181: ...er If the user cannot be authenticated they will then be authenticated locally If tacacsplus_local is selected users will be authenticated against the configured TACACS server If the user cannot be authenticated they will then be authenticated locally If tacacsplus_onlyis selected users will be authenticated against the configured TACACS server If the user cannot be authenticated authentication is...

Page 182: ...re the private key outside the organization or with untrusted personnel The private key is used to decrypt all encrypted correspondences with the associated public key IMPORTANT It is strongly recommended to apply an encryption passphrase during the key creation process The passphrase will be applied to the private key and prevent malicious users from accessing its contents NOTE Only SSH 2 RSA key...

Page 183: ...key Where key is the name assigned to the authentication key for easy identification 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 7 2 4 Associating Disassociating a User Authentication Key One or more user authentication keys can be associated with a single user account allowing users to access the device from different workstations when neede...

Page 184: ... authentication server It provides centralized authentication and authorization for network access RADIUS is also widely used in conjunction with the IEEE 802 1x standard for port security using the Extensible Authentication Protocol EAP NOTE For more information about the RADIUS protocol refer to RFC 2865 http tools ietf org html rfc2865 For more information about the Extensible Authentication Pr...

Page 185: ...ded For more information about the authentication log file refer to Section 4 10 1 Viewing Logs RUGGEDCOM ROX II supports RADIUS authentication for the LOGIN and PPP services Different RADIUS servers can be configured to authenticate both services separately or in combination The LOGIN services consist of the following access types Local console logins via the serial port Remote shell logins via S...

Page 186: ... either primary or secondary and configuring the following parameter s as required Parameter Description address address Synopsis A string 7 to 15 characters long or a string 6 to 40 characters long The IP address of the server port udp port udp Synopsis A 32 bit signed integer between 1 and 65535 Default 1812 The network port of the server password password Synopsis A string The password of the R...

Page 187: ...ired Parameter Description address address Synopsis A string 7 to 15 characters long The IPv4 address of the server port udp port udp Synopsis A 32 bit signed integer between 1 and 65535 Default 1812 The IPv4 port of the server password password Synopsis A string The password of the server 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 7 4 Confi...

Page 188: ...el s for operator oper users Options include any number between 0 and 15 or a range e g 4 12 guest priv guest priv Synopsis A string 1 to 5 characters long Default 1 The privilege level s for guest users Options include any number between 0 and 15 or a range e g 4 12 4 On the Primary Tacacsplus Server form configure the following parameters as required Parameter Description address address Synopsi...

Page 189: ... by user defined certificates and keys Auto generated certificates are self signed Siemens recommends that all certificates be replaced by ones signed by a trusted Certificate Authority CA NOTE Only admin users can read write certificates and keys on the device CONTENTS Section 6 8 1 Viewing the Local Host SSH RSA Public Key Section 6 8 2 Managing the Trusted Certificate Store Section 6 8 3 Managi...

Page 190: ...e information about adding a custom certificate refer to Section 6 8 7 3 Adding a Certificate CONTENTS Section 6 8 2 1 Configuring the Trusted Certificate Store Section 6 8 2 2 Enabling Disabling the Trusted Certificate Store Section 6 8 2 3 List of Root Certificates in the Trusted Certificate Store Section 6 8 2 1 Configuring the Trusted Certificate Store To configure the Trusted Certificate Stor...

Page 191: ...18 GMT Go_Daddy_Class_2_CA crt Subject Name C US O The Go Daddy Group Inc OU Go Daddy Class 2 Certification Authority Fingerprint 27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4 Issued Jun 29 17 06 20 2004 GMT Expires Jun 29 17 06 20 2034 GMT Staat_der_Nederlanden_EV_Root_CA Subject Name C NL O Staat der Nederlanden CN Staat der Nederlanden EV Root CA Fingerprint 76 E2 7E C1 4F DB 82 C...

Page 192: ...ika_Hizmet_SaÄŸlayÄ cÄ sÄ _H5 Subject Name C TR L Ankara O TxC3x9CRKTRUST Bilgi xC4xB0letixC5x9Fim ve BilixC5x9Fim GxC3xBCvenlixC4x9Fi Hizmetleri A xC5x9E CN TxC3x9CRKTRUST Elektronik Sertifika Hizmet SaxC4x9FlayxC4xB1cxC4xB1sxC4xB1 H5 Fingerprint C4 18 F6 4D 46 D1 DF 00 3D 27 30 13 72 43 A9 12 11 C6 75 FB Issued Apr 30 08 07 01 2013 GMT Expires Apr 28 08 07 01 2023 GMT Verisign_Class_2_Public_Pri...

Page 193: ...AffirmTrust_Premium_ECC Subject Name C US O AffirmTrust CN AffirmTrust Premium ECC Fingerprint B8 23 6B 00 2F 1D 16 86 53 01 55 6C 11 A4 37 CA EB FF C3 BB Issued Jan 29 14 20 24 2010 GMT Expires Dec 31 14 20 24 2040 GMT Staat_der_Nederlanden_Root_CA_ _G3 Subject Name C NL O Staat der Nederlanden CN Staat der Nederlanden Root CA G3 Fingerprint D8 EB 6B 41 51 92 59 E0 F3 E7 85 00 C0 3D B6 88 97 C9 E...

Page 194: ...004 GMT Expires Dec 31 23 59 59 2028 GMT DigiCert_Global_Root_G3 Subject Name C US O DigiCert Inc OU www digicert com CN DigiCert Global Root G3 Fingerprint 7E 04 DE 89 6A 3E 66 6D 00 E6 87 D3 3F FA D9 3B E8 3D 34 9E Issued Aug 1 12 00 00 2013 GMT Expires Jan 15 12 00 00 2038 GMT DST_ACES_CA_X6 Subject Name C US O Digital Signature Trust OU DST ACES CN DST ACES CA X6 Fingerprint 40 54 DA 6F 1C 3F ...

Page 195: ...xC4xB1k 2007 Fingerprint F1 7F 6F B6 31 DC 99 E3 A3 C8 7F FE 1C F1 81 10 88 D9 60 33 Issued Dec 25 18 37 19 2007 GMT Expires Dec 22 18 37 19 2017 GMT Certplus_Class_2_Primary_CA Subject Name C FR O Certplus CN Class 2 Primary CA Fingerprint 74 20 74 41 72 9C DD 92 EC 79 31 D8 23 10 8D C2 81 92 E2 BB Issued Jul 7 17 05 00 1999 GMT Expires Jul 6 23 59 59 2019 GMT IdenTrust_Public_Sector_Root_CA_1 Su...

Page 196: ... CA Fingerprint 05 63 B8 63 0D 62 D7 5A BB C8 AB 1E 4B DF B5 A8 99 B2 4D 43 Issued Nov 10 00 00 00 2006 GMT Expires Nov 10 00 00 00 2031 GMT GlobalSign_ECC_Root_CA_ _R4 Subject Name OU GlobalSign ECC Root CA R4 O GlobalSign CN GlobalSign Fingerprint 69 69 56 2E 40 80 F4 24 A1 E7 19 9F 14 BA F3 EE 58 AB 6A BB Issued Nov 13 00 00 00 2012 GMT Expires Jan 19 03 14 07 2038 GMT AffirmTrust_Premium Subje...

Page 197: ...1 37 07 2007 GMT Expires Aug 21 11 37 07 2017 GMT AddTrust_Qualified_Certificates_Root Subject Name C SE O AddTrust AB OU AddTrust TTP Network CN AddTrust Qualified CA Root Fingerprint 4D 23 78 EC 91 95 39 B5 00 7F 75 8F 03 3B 21 1E C5 4D 8B CF Issued May 30 10 44 50 2000 GMT Expires May 30 10 44 50 2020 GMT AffirmTrust_Commercial Subject Name C US O AffirmTrust CN AffirmTrust Commercial Fingerpri...

Page 198: ...3E 2D 58 47 6A 0F Issued Sep 17 19 46 36 2006 GMT Expires Sep 17 19 46 36 2036 GMT StartCom_Certification_Authority_2 Subject Name C IL O StartCom Ltd OU Secure Digital Certificate Signing CN StartCom Certification Authority Fingerprint A3 F1 33 3F E2 42 BF CF C5 D1 4E 8F 39 42 98 40 68 10 D1 A0 Issued Sep 17 19 46 37 2006 GMT Expires Sep 17 19 46 36 2036 GMT Go_Daddy_Root_Certificate_Authority_ _...

Page 199: ... AutoritxC3xA9 Racine Fingerprint 2E 14 DA EC 28 F0 FA 1E 8E 38 9A 4E AB EB 26 C0 0A D3 83 C3 Issued Sep 17 08 28 59 2008 GMT Expires Sep 17 08 28 59 2028 GMT NetLock_Notary_ Class_A _Root Subject Name C HU ST Hungary L Budapest O NetLock Halozatbiztonsagi Kft OU Tanusitvanykiadok CN NetLock Kozjegyzoi Class A Tanusitvanykiado Fingerprint AC ED 5F 65 53 FD 25 CE 01 5F 1F 7A 48 3B 6A 74 9F 61 78 C6...

Page 200: ...n OU c 2008 thawte Inc For authorized use only CN thawte Primary Root CA G3 Fingerprint F1 8B 53 8D 1B E9 03 B6 A6 F0 56 43 5B 17 15 89 CA F3 6B F2 Issued Apr 2 00 00 00 2008 GMT Expires Dec 1 23 59 59 2037 GMT AddTrust_External_Root Subject Name C SE O AddTrust AB OU AddTrust External TTP Network CN AddTrust External CA Root Fingerprint 02 FA F3 E2 91 43 54 68 60 78 57 69 4D F5 E4 5B 68 85 18 68 ...

Page 201: ...munication_EV_RootCA1 Subject Name C JP O SECOM Trust Systems CO LTD OU Security Communication EV RootCA1 Fingerprint FE B8 C4 32 DC F9 76 9A CE AE 3D D8 90 8F FD 28 86 65 64 7D Issued Jun 6 02 12 32 2007 GMT Expires Jun 6 02 12 32 2037 GMT Microsec_e Szigno_Root_CA_2009 Subject Name C HU L Budapest O Microsec Ltd CN Microsec e Szigno Root CA 2009 emailAddress info e szigno hu Fingerprint 89 DF 74...

Page 202: ...Certification_Authority Subject Name C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO ECC Certification Authority Fingerprint 9F 74 4E 9F 2B 4D BA EC 0F 31 2C 50 B6 56 3B 8E 2D 93 C3 11 Issued Mar 6 00 00 00 2008 GMT Expires Jan 18 23 59 59 2038 GMT Trustis_FPS_Root_CA Subject Name C GB O Trustis Limited OU Trustis FPS Root CA Fingerprint 3B C0 38 0B 33 C3 F6 A6 0C 86 15 22 93 D9...

Page 203: ...FxC5x91tanxC3xBAsxC3xADtvxC3xA1ny Fingerprint 06 08 3F 59 3F 15 A1 04 A0 69 A4 6B A9 03 D0 06 B7 97 09 91 Issued Dec 11 15 08 21 2008 GMT Expires Dec 6 15 08 21 2028 GMT Sonera_Class_1_Root_CA Subject Name C FI O Sonera CN Sonera Class1 CA Fingerprint 07 47 22 01 99 CE 74 B9 7C B0 3D 79 B2 64 A2 C8 55 E9 33 FF Issued Apr 6 10 49 13 2001 GMT Expires Apr 6 10 49 13 2021 GMT GeoTrust_Primary_Certific...

Page 204: ...T Expires Dec 7 17 55 54 2030 GMT Camerfirma_Global_Chambersign_Root Subject Name C EU O AC Camerfirma SA CIF A82743287 OU http www chambersign org CN Global Chambersign Root Fingerprint 33 9B 6B 14 50 24 9B 55 7A 01 87 72 84 D9 E0 2F C3 D2 D8 E9 Issued Sep 30 16 14 18 2003 GMT Expires Sep 30 16 14 18 2037 GMT S TRUST_Authentication_and_Encryption_Root_CA_2005_PN Subject Name C DE ST Baden Wuertte...

Page 205: ...i xC4xB0letixC5x9Fim ve BilixC5x9Fim GxC3xBCvenlixC4x9Fi Hizmetleri A xC5x9E CN TxC3x9CRKTRUST Elektronik Sertifika Hizmet SaxC4x9FlayxC4xB1cxC4xB1sxC4xB1 H6 Fingerprint 8A 5C 8C EE A5 03 E6 05 56 BA D8 1B D4 F6 C9 B0 ED E5 2F E0 Issued Dec 18 09 04 10 2013 GMT Expires Dec 16 09 04 10 2023 GMT CA_Disig_Root_R2 Subject Name C SK L Bratislava O Disig a s CN CA Disig Root R2 Fingerprint B5 61 EB EA A...

Page 206: ...13 59 B6 76 CB Issued Aug 8 01 00 01 2009 GMT Expires Aug 8 01 00 01 2039 GMT Equifax_Secure_Global_eBusiness_CA Subject Name C US O Equifax Secure Inc CN Equifax Secure Global eBusiness CA 1 Fingerprint 7E 78 4A 10 1C 82 65 CC 2D E1 F1 6D 47 B4 40 CA D9 0A 19 45 Issued Jun 21 04 00 00 1999 GMT Expires Jun 21 04 00 00 2020 GMT Actalis_Authentication_Root_CA Subject Name C IT L Milan O Actalis S p ...

Page 207: ...ess info netlock hu Fingerprint 01 68 97 E1 A0 B8 F2 C3 B1 34 66 5C 20 A7 27 B7 A1 58 E2 8F Issued Mar 30 01 47 11 2003 GMT Expires Dec 15 01 47 11 2022 GMT StartCom_Certification_Authority_G2 Subject Name C IL O StartCom Ltd CN StartCom Certification Authority G2 Fingerprint 31 F1 FD 68 22 63 20 EE C6 3B 3F 9D EA 4A 3E 53 7C 7C 39 17 Issued Jan 1 01 00 01 2010 GMT Expires Dec 31 23 59 01 2039 GMT...

Page 208: ...T Expires Dec 31 15 59 59 2030 GMT GeoTrust_Universal_CA Subject Name C US O GeoTrust Inc CN GeoTrust Universal CA Fingerprint E6 21 F3 35 43 79 05 9A 4B 68 30 9D 8A 2F 74 22 15 87 EC 79 Issued Mar 4 05 00 00 2004 GMT Expires Mar 4 05 00 00 2029 GMT VeriSign_Universal_Root_Certification_Authority Subject Name C US O VeriSign Inc OU VeriSign Trust Network OU c 2008 VeriSign Inc For authorized use o...

Page 209: ...ss contacto procert net ve L Chacao ST Miranda OU Proveedor de Certificados PROCERT O Sistema Nacional de Certificacion Electronica C VE CN PSCProcert Fingerprint 70 C1 8D 74 B4 28 81 0A E4 FD A5 75 D7 01 9F 99 B0 3D 50 74 Issued Dec 28 16 51 00 2010 GMT Expires Dec 25 23 59 59 2020 GMT QuoVadis_Root_CA_2 Subject Name C BM O QuoVadis Limited CN QuoVadis Root CA 2 Fingerprint CA 3A FB CF 12 40 36 4...

Page 210: ... 05 2007 GMT Expires Jun 29 15 13 05 2027 GMT SecureTrust_CA Subject Name C US O SecureTrust Corporation CN SecureTrust CA Fingerprint 87 82 C6 C3 04 35 3B CF D2 96 92 D2 59 3E 7D 44 D9 34 FF 11 Issued Nov 7 19 31 18 2006 GMT Expires Dec 31 19 40 55 2029 GMT SwissSign_Silver_CA_ _G2 Subject Name C CH O SwissSign AG CN SwissSign Silver CA G2 Fingerprint 9B AA E5 9F 56 EE 21 CB 43 5A BE 25 93 DF A7 ...

Page 211: ... 2D 64 C9 3F 6C 3A Issued Nov 5 00 00 00 2007 GMT Expires Jan 18 23 59 59 2038 GMT Verisign_Class_1_Public_Primary_Certification_Authority_ _G2 Subject Name C US O VeriSign Inc OU Class 1 Public Primary Certification Authority G2 OU c 1998 VeriSign Inc For authorized use only OU VeriSign Trust Network Fingerprint 27 3E E1 24 57 FD C4 F9 0C 55 E8 2B 56 16 7F 62 F5 32 E5 47 Issued May 18 00 00 00 19...

Page 212: ...0 23 42 2006 GMT Expires Nov 27 20 53 42 2026 GMT Network_Solutions_Certificate_Authority Subject Name C US O Network Solutions L L C CN Network Solutions Certificate Authority Fingerprint 74 F8 A3 C3 EF E7 B3 90 06 4B 83 90 3C 21 64 60 20 E5 DF CE Issued Dec 1 00 00 00 2006 GMT Expires Dec 31 23 59 59 2029 GMT QuoVadis_Root_CA_3_G3 Subject Name C BM O QuoVadis Limited CN QuoVadis Root CA 3 G3 Fin...

Page 213: ...17 0D 72 A8 C5 BA 6E 14 09 BD Issued Jan 1 00 00 00 2004 GMT Expires Dec 31 23 59 59 2028 GMT Secure_Global_CA Subject Name C US O SecureTrust Corporation CN Secure Global CA Fingerprint 3A 44 73 5A E5 81 90 1F 24 86 61 46 1E 3B 9C C4 5F F5 3A 1B Issued Nov 7 19 42 28 2006 GMT Expires Dec 31 19 52 06 2029 GMT SwissSign_Gold_CA_ _G2 Subject Name C CH O SwissSign AG CN SwissSign Gold CA G2 Fingerpri...

Page 214: ... 04 52 29 2023 GMT Security_Communication_RootCA2 Subject Name C JP O SECOM Trust Systems CO LTD OU Security Communication RootCA2 Fingerprint 5F 3B 8C F2 F8 10 B3 7D 78 B4 CE EC 19 19 C3 73 34 B9 C7 74 Issued May 29 05 00 39 2009 GMT Expires May 29 05 00 39 2029 GMT QuoVadis_Root_CA_2_G3 Subject Name C BM O QuoVadis Limited CN QuoVadis Root CA 2 G3 Fingerprint 09 3C 61 F3 8B 8B DC 7D 55 DF 75 38 ...

Page 215: ...res Oct 26 08 38 03 2040 GMT GeoTrust_Global_CA Subject Name C US O GeoTrust Inc CN GeoTrust Global CA Fingerprint DE 28 F4 A4 FF E5 B9 2F A3 C5 03 D1 A3 49 A7 F9 96 2A 82 12 Issued May 21 04 00 00 2002 GMT Expires May 21 04 00 00 2022 GMT GlobalSign_Root_CA_ _R2 Subject Name OU GlobalSign Root CA R2 O GlobalSign CN GlobalSign Fingerprint 75 E0 AB B6 13 85 12 27 1C 04 F8 5F DD DE 38 E4 B7 24 2E FE...

Page 216: ... D3 D5 52 DC 0D 0F C6 92 D3 EA 88 0D 15 2E 1A 6B Issued Jun 24 09 45 08 2011 GMT Expires Jun 25 08 45 08 2031 GMT CA_Disig Subject Name C SK L Bratislava O Disig a s CN CA Disig Fingerprint 2A C8 D5 8B 57 CE BF 2F 49 AF F2 FC 76 8F 51 14 62 90 7A 41 Issued Mar 22 01 39 34 2006 GMT Expires Mar 22 01 39 34 2016 GMT ePKI_Root_Certification_Authority Subject Name C TW O Chunghwa Telecom Co Ltd OU ePKI...

Page 217: ...Store To view a list of CA certificates added to the Trusted Certificate Store type show admin system ca certificates configured cas If CA certificates have been added to the Store a table or list similar to the following example appears ruggedcom show running config admin system ca certificates configured cas tab NAME cert If no CA certificates have been added to the Store add certificates as nee...

Page 218: ...wing a List of CA Certificates and CRLs Section 6 8 4 2 Viewing the Status of a CA Certificate and CRL Section 6 8 4 3 Adding a CA Certificate and CRL Section 6 8 4 4 Deleting a CA Certificate and CRL Section 6 8 4 1 Viewing a List of CA Certificates and CRLs To view a list of certificates issued by a Certified Authority CA and the Certificate Revocation Lists CRLs associated with them type show r...

Page 219: ...s Where certificate is the name of the certificate This table or list provides the following information Parameter Description issuer Synopsis A string subject Synopsis A string not before Synopsis A string This certificate is not valid before this date not after Synopsis A string This certificate is not valid after this date To view the status of a Certificate Revocation List CRL that was not sig...

Page 220: ...cate contents Where certificate is the name of the certificate contents is the contents of the certificate 4 Add the associated Certificate Revocation List CRL NOTE Large CRLs bigger than 100KB are not currently supported and may be difficult to add view in the configuration NOTE Before inserting the contents of the CRL enter multi line mode by pressing Esc m Press Ctrl d to exit multi line mode a...

Page 221: ...section describes how to view add and delete private keys on the device NOTE Private keys are automatically encrypted using an AES CFB 128 cipher to protect them from being viewed by unauthorized users CONTENTS Section 6 8 5 1 Viewing a List of Private Keys Section 6 8 5 2 Adding a Private Key Section 6 8 5 3 Deleting a Private Key Section 6 8 5 1 Viewing a List of Private Keys To view a list of u...

Page 222: ...a dsa ssh rsa The type of key This parameter is mandatory contents contents Synopsis A string 1 to 8192 characters long The contents of the unsigned private key This parameter is mandatory 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 8 5 3 Deleting a Private Key To delete an unsigned private key do the following 1 Make sure the CLI is in Confi...

Page 223: ...m rsa contents contents private key name ipsec generated If no public keys have been configured add keys as needed For more information refer to Section 6 8 6 2 Adding a Public Key Section 6 8 6 2 Adding a Public Key To add an unsigned public key do the following NOTE Do not associate the public key with the private key if the public key belongs to another device 1 Make sure the private key associ...

Page 224: ...ey is visible via the System Public Key form under tunnel ipsec connection name end where name is the name of the connection and end is the either the left local router or right remote router connection end Type must be set to rsasig to display the public key The public key can be copied from the System Public Key form and added to another RUGGEDCOM ROX II device as described in the following proc...

Page 225: ... the device CONTENTS Section 6 8 7 1 Viewing a List of Certificates Section 6 8 7 2 Viewing the Status of a Certificate Section 6 8 7 3 Adding a Certificate Section 6 8 7 4 Deleting a Certificate Section 6 8 7 1 Viewing a List of Certificates To view a list of certificates type show running config security crypto certificate If certificates have been configured a table or list similar to the follo...

Page 226: ...ion issuer Synopsis A string subject Synopsis A string not before Synopsis A string This certificate is not valid before this date not after Synopsis A string This certificate is not valid after this date Section 6 8 7 3 Adding a Certificate To add a certificate do the following NOTE Only admin users can read write certificates and keys on the device 1 Make sure the required CA certificates and or...

Page 227: ...nter to abort Section 6 8 7 4 Deleting a Certificate To delete a certificate do the following 1 Make sure the CLI is in Configuration mode 2 Delete the certificate by typing no security crypto certificate certificate Where certificate is the name of the certificate 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 8 8 Managing Known Hosts RUGGEDCOM...

Page 228: ...erver s public key has been added to the device For more information refer to Section 6 8 6 Managing Public Keys 2 Make sure the CLI is in Configuration mode 3 Add the server by typing admin known hosts server identification name server id id server port port server public key key enabled Where name is the unique name of the server id is the name to identify the server The name may be host name or...

Page 229: ...n established connections This applies when adding deleting or changing rules and also when adding deleting or changing policies When applying new or modified rules or policies previous traffic seen by the router might still be considered as having valid connections by the connection tracking table For instance a A rule for the TCP and UDP protocols is applied b The router sees both TCP and UDP tr...

Page 230: ...out regard to traffic history They simply open a path for the traffic type based on a TCP or UDP port number Stateless firewalls are relatively simple easily handling Web and e mail traffic However stateless firewalls have some disadvantages All paths opened in the firewall are always open and connections are not opened or closed based on outside criteria Static IP filters offer no form of authent...

Page 231: ...ce When the Internet host replies to the internal host s packet it is addressed to the NAT gateway s external IP address at the translation port number The NAT gateway searches its tables and makes the opposite changes it made to the outgoing packet NAT then forwards the reply packet to the internal host Translation of ICMP packets happens in a similar fashion but without the source port modificat...

Page 232: ...ive To prevent SYN flood attacks on closed ports set the firewall to block all traffic to closed ports This prevents SYN packets from reaching the kernel Siemens also recommends setting the listen ports to include IP addresses on separate interfaces For example set the device to listen to an IP address on switch 0001 and fe cm 1 This will make sure that one port is accessible if the other is flood...

Page 233: ... more information about configuring policies refer to Section 6 9 12 Managing Policies 8 Configure the network address translation NAT masquerading or static network address translation SNAT settings For more information about configuring NAT settings refer to Section 6 9 13 Managing Network Address Translation Settings For more information about configuring masquerading and or SNAT settings refer...

Page 234: ...guration 3 Specify the active configuration by typing security firewall active config name Where name is the name of a firewall configuration 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 9 6 Configuring the Firewall for a VPN To configure the firewall for a policy based VPN do the following 1 Make sure a basic firewall has been configured For ...

Page 235: ...entication Header AH and Encapsulation Security Payload ESP protocols NOTE The IPsec protocol operates on UDP port 500 using protocols Authentication Header AH and Encapsulation Security Payload ESP protocols The firewall must be configured to accept this traffic in order to allow the IPsec protocol Action Source Zone Destination Zone Protocol Dest Port Accept net fw ah Accept net fw esp Accept ne...

Page 236: ...n order to allow the IPsec protocol Action Source Zone Destination Zone Protocol Dest Port Accept Net dmz Ah Accept Net dmz Esp Accept Net dmz UDP 500 Accept dmz Net Ah Accept dmz Net Esp Accept dmz Net Udp 500 For more information about configuring rules refer to Section 6 9 15 Managing Rules Section 6 9 8 Configuring Netfilter To configure Netfilter do the following 1 Make sure the CLI is in Con...

Page 237: ...erfaces CONTENTS Section 6 9 9 1 Viewing a List of Zones Section 6 9 9 2 Adding a Zone Section 6 9 9 3 Deleting a Zone Section 6 9 9 1 Viewing a List of Zones To view a list of zones type show running config security firewall fwconfig firewall fwzone Where firewall is the name of the firewall If zones have been configured a table or list similar to the following example appears ruggedcom show runn...

Page 238: ...applying to both IPv4 and IPv6 plain IP firewall or IPSec type6 type6 Synopsis ipv6 ipsec firewall Default ipv6 Zone types are plain IPv6 firewall or IPSec type type Synopsis ipv4 ipsec firewall Default ipv4 Zone types are plain IPv4 firewall or IPSec description description Synopsis A string Optional The description string for this zone 4 Type commit and press Enter to save the changes or type re...

Page 239: ...f Interfaces Section 6 9 10 2 Adding an Interface Section 6 9 10 3 Associating an Interface with a Zone Section 6 9 10 4 Configuring a Broadcast Address Section 6 9 10 5 Deleting an Interface Section 6 9 10 1 Viewing a List of Interfaces To view a list of interfaces type show running config security firewall fwconfig firewall fwinterface Where firewall is the name of the firewall If interfaces hav...

Page 240: ...ng for this interface Parameter Description arp_filter IPv4 ONLY See additional info Responds only to ARP requests for configured IP addresses This is permanently enabled system wide since ROX 2 3 0 and this option no longer has any effect routeback IPv4 and IPv6 Interface traffic routed back out that same interface tcpflags IPv4 and IPv6 Illegal combinations of TCP flags dropped and logged at inf...

Page 241: ...ned zone Synopsis A string A pre defined zone undefined zone This is used in conjunction with hosts definitions 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 9 10 4 Configuring a Broadcast Address To configure a broadcast address for an interface do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to security firewall fwcon...

Page 242: ...to handle the VPN traffic separately from the other traffic on the interface which carries the VPN traffic Table Example Zone Interface IP Address or Network Local Switch 0003 10 0 0 0 8 Guests Switch 0003 192 168 0 0 24 CONTENTS Section 6 9 11 1 Viewing a List of Hosts Section 6 9 11 2 Adding a Host Section 6 9 11 3 Deleting a Host Section 6 9 11 1 Viewing a List of Hosts To view a list of hosts ...

Page 243: ...tion iptype iptype Synopsis ipv4 ipv6 ipv4ipv6 Default ipv4 Internet protocol type use both when no addresses are used otherwise define IPv4 and IPv6 rules for each type of addresses used zone zone Synopsis A string A pre defined zone This parameter is mandatory interface interface Synopsis A string A pre defined interface to which optional IPs and or networks can be added This parameter is mandat...

Page 244: ...ection between the source and destination zones The first policy accepts all connection requests from the local network to the Internet The second policy drops or ignores all connection requests from the Internet to any device on the network The third policy rejects all other connection requests and sends a TCP RST or an ICMP destination unreachable packet to the client The order of the policies i...

Page 245: ...e a policy for the firewall do the following 1 Make sure the CLI is in Configuration mode 2 Add the policy by typing security firewall fwconfig firewall fwpolicy policy Where firewall is the name of the firewall policy is the name of the policy 3 Configure the following parameter s as required Parameter Description iptype iptype Synopsis ipv4 ipv6 ipv4ipv6 Default ipv4 Internet protocol type use b...

Page 246: ...wall fwconfig firewall fwpolicy policy source zone where firewall is the name of the firewall and policy is the name of the policy 3 Configure the following parameter s as required Parameter Description predefined zone predefined zone Synopsis A string all 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 9 12 4 Configuring the Destination Zone To ...

Page 247: ...etwork Address Translation DNAT can be setup by configuring the destination zone in a rule For more information on rules refer to Section 6 9 15 Managing Rules CONTENTS Section 6 9 13 1 Viewing a List of NAT Settings Section 6 9 13 2 Adding a NAT Setting Section 6 9 13 3 Deleting a NAT Setting Section 6 9 13 1 Viewing a List of NAT Settings To view a list of NAT settings type show running config s...

Page 248: ...IP Address The address must not be a DNS name External IP addresses must be manually added to the interface This parameter is mandatory interface interface Synopsis A string An interface that has an external IP address This parameter is mandatory ipalias Create IP Alias for NAT rule internal addr internal addr Synopsis A string The internal IP address The address must not be a DNS Name This parame...

Page 249: ... a static IP address CONTENTS Section 6 9 14 1 Viewing a List of Masquerade and SNAT Settings Section 6 9 14 2 Adding Masquerade or SNAT Settings Section 6 9 14 3 Deleting a Masquerade or SNAT Setting Section 6 9 14 1 Viewing a List of Masquerade and SNAT Settings To view a list of masquerade and SNAT settings type show running config security firewall fwconfig firewall fwmasq Where firewall is th...

Page 250: ...or SNAT setting 3 Configure the following parameter s as required Parameter Description iptype iptype Synopsis ipv4 ipv6 ipv4ipv6 Default ipv4 Internet protocol type use both when no addresses are used otherwise define IPv4 and IPv6 rules for each type of addresses used out interface out interface Synopsis A string An outgoing interface list usually the internet interface This parameter is mandato...

Page 251: ...ffic sources or destinations Each rule defines specific criteria If an incoming packet matches that criteria the default policy is overridden and the action defined by the rule is applied CONTENTS Section 6 9 15 1 Viewing a List of Rules Section 6 9 15 2 Adding a Rule Section 6 9 15 3 Configuring the Source Zone Section 6 9 15 4 Configuring the Destination Zone Section 6 9 15 5 Deleting a Rule Sec...

Page 252: ...able For instance a A rule for the TCP and UDP protocols is applied b The router sees both TCP and UDP traffic that qualifies for NAT c The rule is then modified to allow only UDP d The router will still see TCP packets i e retransmission packets If required reboot the router to flush all existing connection streams Parameter Description iptype iptype Synopsis ipv4 ipv6 ipv4ipv6 Default ipv4 Inter...

Page 253: ...p for rules using copy dnat actions source ports source ports Synopsis A string Default none Optional The TCP UDP port s the connection originated from Default all ports Add a single port or a list of comma separated ports destination ports destination ports Synopsis A string Default none Optional The TCP UDP port s the connection is destined for Default all ports Add a single port or a list of co...

Page 254: ...escription predefined zone predefined zone Synopsis A string A pre defined zone other other Synopsis A string An undefined zone string all All zones 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 6 9 15 5 Deleting a Rule To delete a rule do the following 1 Make sure the CLI is in Configuration mode 2 Delete the rule by typing no security firewall ...

Page 255: ...isable the firewall do the following IMPORTANT Enabling or disabling the firewall will reset but not disable the BFA protection mechanism if previously enabled Any hosts that were previously blocked will be allowed to log in again If multiple hosts are actively attacking at the time this could result in reduced system performance 1 Make sure the CLI is in Configuration mode 2 Enable the firewall b...

Page 256: ...Chapter 6 Security RUGGEDCOM ROX II CLI User Guide 210 Enabling Disabling a Firewall ...

Page 257: ... Section 7 1 1 Configuring Costing for Routable Interfaces Section 7 1 2 Viewing Statistics for Routable Interfaces Section 7 1 3 Managing IPv4 Addresses Section 7 1 4 Managing IPv6 Addresses Section 7 1 5 Configuring IPv6 Neighbor Discovery Section 7 1 6 Managing IPv6 Network Prefixes Section 7 1 1 Configuring Costing for Routable Interfaces To configure the costing for a routable interface do th...

Page 258: ...on admin state Synopsis not set up down testing unknown dormant notPresent lowerLayerDown The port s administrative status This parameter is mandatory state Synopsis not set up down testing unknown dormant notPresent lowerLayerDown Shows whether the link is up or down This parameter is mandatory pointopoint Synopsis true false The point to point link This parameter is mandatory bytes Synopsis A 64...

Page 259: ...rameter is mandatory collisions Synopsis A 32 bit unsigned integer The number of collisions detected on the port This parameter is mandatory Section 7 1 3 Managing IPv4 Addresses This section describes how to manage IPv4 addresses for a routable interface CONTENTS Section 7 1 3 1 Viewing a List of IPv4 Addresses Section 7 1 3 2 Adding an IPv4 Address Section 7 1 3 3 Deleting an IPv4 Address Sectio...

Page 260: ... sure the CLI is in Configuration mode 2 Add the address by typing ip interface ipv4 address address peer peer Where interface is the name of the interface address is the IPv4 address and prefix peer is the peer IPv4 address 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 1 3 3 Deleting an IPv4 Address To delete an IPv4 address for a routable int...

Page 261: ...e interface If addresses have been configured a table or list similar to the following example appears ruggedcom show running config ip dummy0 ipv6 address ip dummy0 ipv6 address 2001 db8 a0b 12f0 1 24 address 2001 db9 a2C 25f0 2 24 If no addresses have been configured add addresses as needed For more information refer to Section 7 1 4 2 Adding an IPv6 Address Section 7 1 4 2 Adding an IPv6 Addres...

Page 262: ...n The Neighbor Discovery protocol uses five types of ICMPv6 messages Router Solicitation ICMPv6 type 133 This message is sent by hosts to routers as a request to router advertisement message It uses a destination multicast address i e FF02 2 Router Advertisement Messages ICMPv6 type 134 This message is used by routers to announce its presence in a network The message includes network information r...

Page 263: ...lag in IPv6 router advertisements which indicates to hosts that they should use the managed stateful protocol for addresses autoconfiguraiton in addition to any addresses autoconfigured using stateless address autoconfiguration other config flag The flag in IPv6 router advertisements which indicates to hosts that they should use the administered stateful protocol to obtain autoconfiguration inform...

Page 264: ...ure the lifetime settings by configuring the following parameter s Parameter Description valid valid Synopsis infinite or a 32 bit unsigned integer between 0 and 4294967295 The length of time in seconds during which time the prefix is valid for the purpose of on link determination preferred preferred Synopsis infinite or a 32 bit unsigned integer between 0 and 4294967295 The length of time in seco...

Page 265: ...number of the access port 2 bytes the circuit ID sub option and the switch s MAC address the remote ID sub option This information uniquely defines the access port s position in the network For example in RUGGEDCOM ROX II the Circuit ID for VLAN 2 on Line Module LM 4 Port 15 is 00 00 00 02 04 0F The DHCP Server supporting DHCP Option 82 sends a unicast reply and echoes Option 82 The DHCP Relay Age...

Page 266: ...o Section 7 2 4 Adding a DHCP Client Port 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 2 2 Assigning a DHCP Server Address To assign a DHCP server address to the DHCP relay agent do the following 1 Make sure the CLI is in Configuration mode 2 Configure the following parameter s as required Parameter Description dhcp server address dhcp server ...

Page 267: ...the changes or type revert and press Enter to abort Section 7 2 5 Deleting a DHCP Client Port To delete a client port for the DHCP relay agent do the following 1 Make sure the CLI is in Configuration mode 2 Delete the client port by typing no switch dhcp relay agent dhcp client ports slot port Where slot is the name of the module location port is the port number or a list of ports if aggregated in...

Page 268: ...dd VLAN 2 and VLAN 3 For more information refer to Section 8 5 5 2 Adding a Static VLAN b Assign IP address 192 168 0 8 to VLAN 1 For more information refer to Section 7 1 3 2 Adding an IPv4 Address or Section 7 1 4 2 Adding an IPv6 Address c Change the PVID of port 1 to PVID 2 and change the PVID of port 2 to PVID 3 Refer to Section 8 1 2 Configuring a Switched Ethernet Port for more information ...

Page 269: ...7 3 4 Configuring DHCP Server Options Section 7 3 5 Managing DHCP Client Configuration Options Section 7 3 6 Managing DHCP Listen Interfaces Section 7 3 7 Managing Shared Networks Section 7 3 8 Managing Subnets Section 7 3 9 Managing Host Groups Section 7 3 10 Managing DHCP Hosts Section 7 3 11 Managing Address Pools IPv4 Section 7 3 12 Managing Address Pools IPv6 Section 7 3 13 Managing IP Ranges...

Page 270: ...the device as a DHCP server For a configuration example that includes a DHCP relay agent refer to Section 7 3 19 Example Configuring the Device as a DHCP Server to Support a Relay Agent 1 Optional Configure a separate device as a DHCP relay agent The relay agent may be a RUGGEDCOM ROX II device a RUGGEDCOM ROS device or a third party device with relay agent capabilities If the relay agent being us...

Page 271: ... class on the relay agent if used For more information refer to Section 7 3 18 2 Adding an Option 82 Class to an Address Pool 9 Optional Add and configure hosts and host groups For more information refer to Section 7 3 10 2 Adding a Host Section 7 3 3 Enabling Disabling the DHCP Server To enable or disable the DHCP server do the following 1 Make sure the CLI is in Configuration mode 2 Enable or di...

Page 272: ...nformation refer to Section 7 3 8 3 Configuring Subnet Options Parameter Description unknown client unknown client Synopsis allow deny ignore The action to take for previously unregistered clients authorize server Enables disables the server s authorization on this client If enabled the server will send deny messages to the client that is trying to renew the lease which the server knows the client...

Page 273: ...ame to refer to the host within a DHCP configuration subnetmask subnetmask Synopsis A string 7 to 15 characters long Subnet mask default route default route Synopsis A string 7 to 15 characters long The default route that the server offers to the client when it issues the lease to the client broadcast broadcast Synopsis A string 7 to 15 characters long The broadcast address that the server offers ...

Page 274: ...rd DHCP Client Configuration Options IPv6 Configuration options for DHCP clients can be configured globally or for an individual shared network subnet host group or host NOTE Options set for individual shared networks subnets host groups or hosts override the options set at the global level To configure client options do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to serv...

Page 275: ...fer to Section 7 3 5 4 Adding a Custom DHCP Client Configuration Option 6 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 3 5 3 Viewing a List of Custom DHCP Client Configuration Options To view a list of custom DHCP client configuration options set at the global level or for a specific shared network type For IPv4 show running config services dhcp...

Page 276: ...tom options at the path level are only available for IPv4 For example to access the custom IPv4 options for a shared network named Shared navigate to services dhcpserver shared network Shared options client custom To access custom IPv4 options at the global level navigate to services dhcpserver options client custom 3 Configure the following parameter s as required Parameter Description number Syn...

Page 277: ...network subnet host group or host number is the option number 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 3 6 Managing DHCP Listen Interfaces DHCP listen interfaces specify the IP interface to which the client sends a request CONTENTS Section 7 3 6 1 Viewing a List of DHCP Listen Interfaces Section 7 3 6 2 Adding a DHCP Listen Interface Secti...

Page 278: ...ce 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 3 6 3 Deleting a DHCP Listen Interface To delete a DHCP listen interface do the following 1 Make sure the CLI is in Configuration mode 2 Delete the interface by typing For IPv4 no services dhcpserver interface name For IPv6 no services dhcpserver6 interface name Where name is the name of the inte...

Page 279: ...nfig services dhcpserver shared network For IPv6 show running config services dhcpserver6 shared network If shared networks have been configured a table or list similar to the following example appears ruggedcom show running config services dhcpserver shared network services dhcpserver shared network Shared options client no hostname no subnetmask no default route no broadcast no domain no dns ser...

Page 280: ...he DHCP server some clients will try to renew a lease immediately after receiving it by requesting a renewal directly from the DHCP server Because the DHCP server is configured by default to only provide the lease through a relay agent configured with the current Option 82 fields the server sends the client a NAK negative acknowledgment or not acknowledged message to disallow the lease Enabling Op...

Page 281: ...to abort Section 7 3 7 4 Deleting a Shared Network To delete a shared network do the following 1 Make sure the CLI is in Configuration mode 2 Delete the shared network by typing For IPv4 no services dhcpserver shared network name For IPv6 no services dhcpserver6 shared network name Where name is the name of the shared network 3 Type commit and press Enter to save the changes or type revert and pre...

Page 282: ...n refer to Section 7 3 8 2 Adding a Subnet Section 7 3 8 2 Adding a Subnet To add a subnet to the DHCP server do the following NOTE At least one shared network must be available if two or more subnets are configured for the same interface For information about configuring a shared network refer to Section 7 3 7 2 Adding a Shared Network 1 Make sure the CLI is in Configuration mode 2 Add the subnet...

Page 283: ...uring Subnet Options To configure options for a subnet do the following NOTE Options set at the subnet level override options set at the DHCP server level 1 Make sure the CLI is in Configuration mode 2 Navigate to For IPv4 services dhcpserver subnet name name options For IPv6 services dhcpserver6 subnet6 name name options Where name is the name of the subnet 3 Configure the leased time settings by...

Page 284: ...e client for special options refer to the client documentation DHCP relay support can also be enabled on individual subnets For IPv4 Parameter Description unknown client unknown client Synopsis allow deny ignore The action to take for previously unregistered clients option82 Enables disables the NAK of option 82 clients for this subnet authorize server Enables disables the server s authorization o...

Page 285: ...roups Host groups allow identical settings to be created for a group of hosts making it easier to manage changes to the settings for all the hosts contained within the group Host groups contain hosts CONTENTS Section 7 3 9 1 Viewing a List of Host Groups Section 7 3 9 2 Adding a Host Group Section 7 3 9 3 Configuring Host Group Options Section 7 3 9 4 Deleting a Host Group Section 7 3 9 1 Viewing ...

Page 286: ...te to For IPv4 services dhcpserver host groups For IPv6 services dhcpserver6 host groups 3 Configure the following parameter s as required Parameter Description name Synopsis A string 1 to 32 characters long The description of the host groups 4 Configure the options for the host group For more information refer to Section 7 3 9 3 Configuring Host Group Options 5 Type commit and press Enter to save...

Page 287: ...tion default default Synopsis A 32 bit unsigned integer Default 600 The minimum leased time in seconds that the server offers to the clients maximum maximum Synopsis A 32 bit unsigned integer Default 7200 The maximum leased time in seconds that the server offers to the clients 5 Configure the client settings by configuring the following parameter s For IPv4 Parameter Description unknown client unk...

Page 288: ...elete a host group do the following 1 Make sure the CLI is in Configuration mode 2 Delete the host group by typing For IPv4 no services dhcpserver host groups name For IPv6 no services dhcpserver6 host groups name Where name is the name of the host group 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 3 10 Managing DHCP Hosts Host entries assign ...

Page 289: ...route no nis server no nis domain If no hosts have been configured add hosts as needed For more information refer to Section 7 3 10 2 Adding a Host Section 7 3 10 2 Adding a Host To add a host to the DHCP server do the following 1 Make sure the CLI is in Configuration mode 2 Add the host by typing For IPv4 services dhcpserver host name For IPv6 services dhcpserver6 host name Where name is the name...

Page 290: ...hernet This parameter is mandatory 4 Configure the leased time settings by configuring the following parameter s Parameter Description default default Synopsis A 32 bit unsigned integer Default 600 The minimum leased time in seconds that the server offers to the clients maximum maximum Synopsis A 32 bit unsigned integer Default 7200 The maximum leased time in seconds that the server offers to the ...

Page 291: ...6 subnet6 Synopsis A string The subnet that this host belongs to host groups host groups Synopsis A string The host groups that this host belongs to 6 Optional Configure configuration options for DHCP clients at the host level For more information refer to refer to Section 7 3 5 1 Configuring Standard DHCP Client Configuration Options IPv4 or Section 7 3 5 2 Configuring Standard DHCP Client Config...

Page 292: ...name options ippool Where name is the name of the subnet If pools have been configured a table or list similar to the following example appears ruggedcom show running config services dhcpserver subnet name Local options ippool services dhcpserver subnet Local options ippool pool1 no unknown client iprange 172 0 0 0 end 172 0 0 1 option82 class1 remote id 00 00 00 01 03 01 circuit id 00 00 00 01 01...

Page 293: ...to take for previously unregistered clients failover peer failover peer Synopsis A string 7 to 15 characters long The IP address of a DHCP peer server if a failover pool is created 5 Add one or more IP ranges to the pool For more information refer to Section 7 3 13 2 Adding an IP Range IPv4 6 Add one or more Option82 classes to the pool For more information refer to Section 7 3 18 2 Adding an Opti...

Page 294: ...r6 subnet6 name name options ippool6 Where name is the name of the subnet If pools have been configured a table or list similar to the following example appears ruggedcom show running config services dhcpserver6 subnet6 name options ippool6 services dhcpserver6 subnet6 name Sub options ippool6 Pool1 iprange6 2001 db8 2728 2221 end 2001 db8 2728 2230 If no IP pools have been configured add pools as...

Page 295: ...more IP ranges to the pool For more information refer to Section 7 3 14 2 Adding an IP Range IPv6 6 Optional Add one or more subnets to the pool For more information refer to Section 7 3 17 2 Adding a IPv6 Subnet 7 Optional Add one or more temporary subnets to the pool For more information refer to Section 7 3 16 2 Adding a Temporary Subnet 8 Optional Add one or more prefixes to the pool For more ...

Page 296: ... dhcpserver subnet name name options iprange For an address pool show running config services dhcpserver subnet name name options ippool description iprange Where name is the name of the subnet description if applicable is the name of the address pool If ranges have been configured a table or list similar to the following example appears ruggedcom show running config services dhcpserver subnet nam...

Page 297: ...ion mode 2 Delete the IP range by typing For a DHCP subnet no dhcpserver subnet name name options iprange start end end For an address pool no services dhcpserver subnet name name options ippool description iprange start end end Where name is the name of the subnet description if applicable is the name of the address pool start is the starting IP address pool the server uses to offer to the client...

Page 298: ... options iprange6 2001 db8 2728 2200 end 2001 db8 2728 2220 If no IP ranges have been configured add ranges as needed For more information refer to Section 7 3 14 2 Adding an IP Range IPv6 Section 7 3 14 2 Adding an IP Range IPv6 To add an IP range to a DHCP subnet or one of its associated address pools do the following 1 Make sure the CLI is in Configuration mode 2 Add the IP range by typing For ...

Page 299: ...ype commit and press Enter to save the changes or type revert and press Enter to abort Section 7 3 15 Managing IPv6 Prefixes One or more optional IPv6 prefix can be defined for the server to offer to the client A prefix6 delegation includes the IPv6 subnetwork along with the prefix length in bits The subnetwork value used should be within the subnetwork value of the enclosing subnet6 declaration C...

Page 300: ...ix delegation 3 Configure the IPv6 Range Configuration by configuring the following parameter s as required Parameter Description end end Synopsis A string 6 to 40 characters long The ending IPv6 prefix delegation that the server uses to offer to the client This parameter is mandatory bits bits Synopsis An 8 bit unsigned integer between 1 and 64 Prefix delegations of bits length that are offered t...

Page 301: ...ry Subnets To view a list of temporary subnets type For DHCP IPv6 subnets show running config services dhcpserver6 subnet6 name name options temporarysubnet6 Where name is the name of the subnet If temporary subnets have been configured a table or list similar to the following example appears ruggedcom show running config services dhcpserver6 subnet6 name sub2 options temporarysubnet6 services dhc...

Page 302: ...he name of the subnet temporaryname is the temporary subnet 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 3 17 Managing IPv6 Subnets One or more optional IPv6 subnets can be defined for the server to offer to the client CONTENTS Section 7 3 17 1 Viewing a List of IPv6 Subnets Section 7 3 17 2 Adding a IPv6 Subnet Section 7 3 17 3 Deleting an IP...

Page 303: ... is the name of the IPv6 subnet 3 Configure the following parameter s as required Parameter Description subnet number Synopsis A string 4 to 43 characters long The IPv6 subnet that the server uses to offer to the client This parameter is mandatory 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 3 17 3 Deleting an IPv6 Subnet To delete an IPv6 sub...

Page 304: ...nformation refer to either Section 7 3 4 Configuring DHCP Server Options or Section 7 3 8 3 Configuring Subnet Options Once Option 82 is enabled sub option components or classes must be defined for each address pool that includes DHCP clients that will send Option 82 information This section describes how to manage the sub option components for address pools CONTENTS Section 7 3 18 1 Viewing a Lis...

Page 305: ...t If the remote host is connected to LM3 1 on VLAN 1 the ID would be 00 00 00 01 03 01 The Circuit ID uses hexadecimal values Parameter Description remote id remote id Synopsis A string 17 characters long Specifies the information relating to the remote host end of the circuit This parameter is mandatory circuit id circuit id Synopsis A string 1 to 17 characters long Specifies the local informatio...

Page 306: ...Ns The DHCP relay agent manages the requests and responses between the clients and the DHCP server IMPORTANT The values shown are specific to the provided topology Actual values can vary based on the user s configuration 192 168 0 52 P2 switch 0001 192 168 0 8 P10 PVID 1 10 10 10 1 24 P2 PVID 3 172 16 10 1 24 P1 PVID 2 4 6 5 1 7 3 1 2 Figure 5 Topology Device as a DHCP Server 1 DHCP Server RUGGEDC...

Page 307: ... 10 1 as a default route for clients For more information refer to Section 7 3 5 1 Configuring Standard DHCP Client Configuration Options IPv4 8 Create an address pool for the LAN A 172 subnet and configure the IP range for the address pool with the following parameters Pool Name Starting Address Ending Address LAN A_VLAN2 172 16 10 10 172 16 10 200 For more information refer to Section 7 3 11 2 A...

Page 308: ... Address Pool Final Configuration Example The following configuration reflects the topology show running config services dhcpserver enabled interface switch 0001 options client no hostname no subnetmask no default route no broadcast no domain no dns server no static route no nis server no nis domain shared network LAN 10 LAN 172 options option82 options client no hostname no subnetmask no default ...

Page 309: ...o unknown client ippool LAN B_VLAN3 no unknown client iprange 10 10 10 10 end 10 10 10 200 option82 LAN B_Option remote id 00 0a dc 00 00 00 circuit id 00 03 00 02 client no hostname no subnetmask default route 10 10 10 1 no broadcast no domain no dns server no static route no nis server no nis domain subnet name mainSub network ip 192 168 0 0 24 shared network LAN 10 LAN 172 options no unknown cl...

Page 310: ...names when querying a domain name server The list of domain names can include the domain in which the router is a member of and other domains that may be used to search for an unqualified host name i e as though it were local CONTENTS Section 7 4 1 1 Viewing a List of Domain Names Section 7 4 1 2 Adding a Domain Name Section 7 4 1 3 Deleting a Domain Name Section 7 4 1 1 Viewing a List of Domain N...

Page 311: ...press Enter to save the changes or type revert and press Enter to abort Section 7 4 2 Managing Domain Name Servers A hierarchical list of domain name servers can be configured for the DNS service RUGGEDCOM ROX II will contact each server in the order they are listed when domain names require resolution CONTENTS Section 7 4 2 1 Viewing a List of Domain Name Servers Section 7 4 2 2 Adding a Domain N...

Page 312: ...de 2 Add the domain name server by typing admin dns server address Where address is the IP address of the domain name server 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 7 4 2 3 Deleting a Domain Name Server To delete a domain name server do the following 1 Make sure the CLI is in Configuration mode 2 Delete the domain name server by typing no a...

Page 313: ...wing a List of Switched Ethernet Ports Section 8 1 2 Configuring a Switched Ethernet Port Section 8 1 3 Viewing Switched Ethernet Port Statistics Section 8 1 4 Viewing the Status of a Switched Ethernet Port Section 8 1 5 Viewing RMON Port Statistics Section 8 1 6 Clearing Switched Ethernet Port Statistics Section 8 1 7 Resetting a Switched Ethernet Port Section 8 1 8 Testing Switched Ethernet Port...

Page 314: ...lowing 1 Make sure the CLI is in Configuration mode 2 Navigate to interface switch slot port where slot is the module and port is the switched Ethernet port 3 Configure the port settings by configuring the following parameter s as required CAUTION Security hazard risk of unauthorized access and or exploitation Switched Ethernet ports are enabled by default It is recommended that ports that are not...

Page 315: ...per second or gigabits per second If auto negotiation is enabled this is the speed capability advertised by the auto negotiation process If auto negotiation is disabled the port is explicitly forced to this speed mode AUTO means advertise all supported speed modes This parameter is mandatory duplex duplex Synopsis A string If auto negotiation is enabled this is the duplex capability advertised by ...

Page 316: ...rames Synopsis broadcast multicast mcast flood ucast all Default broadcast This parameter specifies the types of frames to rate limit on this port It applies only to received frames BROADCAST only broadcast frames will be limited MULTICAST all multicast frames including broadcast will be limited MCAST FLOOD UCAST all multicast frames including broadcast will be limited Unicast will not be limited ...

Page 317: ...ames to determine what Class of Service CoS they should be assigned When ToS parsing is enabled the switch will use the differentiated services bits in the TOS field 8 Configure the VLAN settings by configuring the following parameter s as required Parameter Description pvid pvid Synopsis A 32 bit signed integer between 1 and 4094 The Port VLAN Identifier specifies the VLAN ID associated with unta...

Page 318: ...d Ethernet Trunk Interfaces 12 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 8 1 3 Viewing Switched Ethernet Port Statistics To view statistics collected for a specific switched Ethernet port type show interfaces switch slot port port stats Where slot is the name of the module location port is the port number or a list of ports if aggregated in a p...

Page 319: ...ac 00 0a dc f6 c6 21 This table or list provides the following information Parameter Description name Synopsis A string 1 to 10 characters long A descriptive name that may be used to identify the device connected on that port This parameter is mandatory state Synopsis not set up down testing unknown dormant notPresent lowerLayerDown The port s link status This parameter is mandatory media Synopsis...

Page 320: ...ction 8 1 5 Viewing RMON Port Statistics To view Remote Network Monitoring RMON statistics collected for a specific switched Ethernet port type show interfaces switch slot port rmon stats Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module A table or list similar to the following example appears ruggedcom show interf...

Page 321: ...otal in pkts Synopsis A 64 bit unsigned integer The number of received packets This includes rejected dropped and local packets as well as packets which are not forwarded to the switching core for transmission It should reflect all packets received on the line This parameter is mandatory out octets Synopsis A 64 bit unsigned integer The number of octets in transmitted good packets This parameter i...

Page 322: ...ich a Collision Event has been detected This parameter is mandatory late collisions Synopsis A 32 bit unsigned integer The number of received packets for which a Late Collision Event has been detected This parameter is mandatory pkts 64 octets Synopsis A 32 bit unsigned integer The number of received and transmitted packets with a size of 64 octets This includes received and transmitted packets as...

Page 323: ...ction 8 1 6 Clearing Switched Ethernet Port Statistics To clear the statistics collected for a specific switched Ethernet port type interfaces switch slot port clear port stats Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module Section 8 1 7 Resetting a Switched Ethernet Port To reset a switched Ethernet port type i...

Page 324: ... an Ethernet cable with a known length e g 50m to the port that requires calibration Do not connect the other end of the cable to any link partner 2 Run a cable diagnostic test a few times on the port An OPEN fault should be detected 3 Find the average distance to the OPEN fault recorded in the log and compare it to the known length of the cable The difference can be used as the calibration value ...

Page 325: ...ected on the cable pairs of the selected port This parameter is mandatory pass fail total Synopsis A string 1 to 19 characters long This field summarizes the results of the cable diagnostics performed so far Pass the number of times cable diagnostics were successfully completed on the selected port Fail the number of times cable diagnostics failed to complete on the selected port Total the total n...

Page 326: ...rnet Trunk Interfaces This section describes how to configure and manage Ethernet trunk interfaces CONTENTS Section 8 2 1 Viewing a List of Ethernet Trunk Interfaces Section 8 2 2 Adding an Ethernet Trunk Interface Section 8 2 3 Deleting an Ethernet Trunk Interface Section 8 2 4 Managing Ethernet Trunk Ports Section 8 2 1 Viewing a List of Ethernet Trunk Interfaces To view a list of Ethernet trunk...

Page 327: ...a dynamically assigned IP address It switches between BOOTP and DHCP until it gets the response from the relevant server This must be static for non management interfaces ipv6 address src ipv6 address src Synopsis static dynamic Default static Whether the IP address is static or dynamically assigned via DHCP Option DYNAMIC is a common case of a dynamically assigned IP address This must be static f...

Page 328: ...ed and 802 1p priority tagged frames received on this port Frames tagged with a non zero VLAN ID will always be associated with the VLAN ID retrieved from the frame tag type type Synopsis edge trunk pvlanedge Default edge How the port determines its membership in VLANs There are the following port types EDGE the port is only a member of one VLAN its native VLAN specified by the PVID parameter PVLA...

Page 329: ...ort assignments CONTENTS Section 8 2 4 1 Viewing a List of Ethernet Trunk Ports Section 8 2 4 2 Adding an Ethernet Trunk Port Section 8 2 4 3 Deleting an Ethernet Trunk Port Section 8 2 4 1 Viewing a List of Ethernet Trunk Ports To view a list of Ethernet trunk interfaces type show running config interface trunks id trunk ports Where id is the ID given to the interface If trunk ports have been con...

Page 330: ...lot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 8 3 Managing MAC Addresses As part of the Layer 2 functionality RUGGEDCOM ROX II maintains a Media Access Control MAC address table a list of unique MAC addresses for network ...

Page 331: ...perates This parameter is mandatory slot Synopsis sm lm1 lm2 lm3 lm4 lm5 lm6 swport eth serport celport wlanport The slot containing the module including the port This parameter is mandatory port Synopsis A 32 bit signed integer between 1 and 16 The port on which the MAC address has been learned This parameter is mandatory type Synopsis static dynamic How the MAC address has been learned by the sw...

Page 332: ...avigate to switch mac tables and configure the following parameter s as required Parameter Description mac aging time mac aging time Synopsis A 32 bit signed integer between 15 and 800 Default 300 The time a learned MAC address is held before being aged out mac age on loss Synopsis true false Default true When link failure and potentially a topology change occurs the switch may have some MAC addre...

Page 333: ...how running config switch mac tables static mac table tab MAC VID LEARNED SLOT PORT COS 00 0a dc f6 8b ff 4085 lm1 2 normal 00 10 94 00 24 01 4084 lm1 1 normal 00 10 94 00 30 01 1 lm1 2 normal 00 10 94 00 40 01 4086 lm1 2 normal If no static MAC addresses have been configured add addreses as needed For more information refer to Section 8 3 4 2 Adding a Static MAC Address Section 8 3 4 2 Adding a S...

Page 334: ...e the static MAC address by the typing no switch mac tables static mac table static mac address vlan Where address is the Unicast MAC address that is to be statically configured It can have up to 6 wildcard characters continuously applied from the right vlan is the ID of the VLAN upon which the MAC address operates 3 Type commit and press Enter to save the changes or type revert and press Enter to...

Page 335: ...r withheld from that host The IGMP protocol operates between multicast routers and IP hosts When an unmanaged switch is placed between multicast routers and their hosts the multicast streams will be distributed to all ports This may introduce significant traffic onto ports that do not require it and receive no benefit from it IGMP Snooping when enabled will act on IGMP messages sent from the route...

Page 336: ... router will immediately issue a group specific membership query to determine whether there are any remaining subscribers of that group on the segment After the last consumer of a group has unsubscribed the router will prune the multicast stream from the given segment Switch IGMP Operation The IGMP Snooping feature provides a means for switches to snoop i e watch the operation of routers respond w...

Page 337: ...switches perform multicast pruning using a multicast frame s destination MAC multicast address which depends on the group IP multicast address IP address W X Y Z corresponds to MAC address 01 00 5E XX YY ZZ where XX is the lower 7 bits of X and YY and ZZ are simply Y and Z coded in hexadecimal One can note that IP multicast addresses such as 224 1 1 1 and 225 1 1 1 will both map onto the same MAC ...

Page 338: ...the router Processing Joins If host C1 wants to subscribe to the multicast streams for both P1 and P2 it will generate two membership reports The membership report from C1 on VLAN 2 will cause the switch to immediately initiate its own membership report to multicast router 1 and to issue its own membership report as a response to queries The membership report from host C1 for VLAN 3 will cause the...

Page 339: ...e rest of network As long as one host on the Layer 2 network has registered for a given multicast group traffic from the corresponding multicast source will be carried on the network Traffic multicast by the source is only forwarded by each switch in the network to those ports from which it has received join messages for the multicast group Leaving a Multicast Group Periodically the switch sends G...

Page 340: ...oup 1 Therefore Port E2 on Switch E is statically configured to forward traffic for Multicast Group 1 2 Switch E advertises membership in Multicast Group 1 to the network through Port E1 making Port B4 on Switch B a member of Multicast Group 1 3 Switch B propagates the join message causing Ports A1 C1 and D1 to become members of Multicast Group 1 4 Host H2 is GMRP aware and sends a join request fo...

Page 341: ...s whether or not multicast streams will be flooded out of all Rapid Spanning Tree Protocol RSTP non edge ports upon detection of a topology change Such flooding is desirable if multicast stream delivery must be guaranteed without interruption leave timer leave timer Synopsis A 32 bit signed integer between 600 and 300000 Default 4000 The time in milliseconds to wait after issuing Leave or LeaveAll...

Page 342: ...SIVE mode router forwarding Synopsis true false Default true Whether or not multicast streams will always be forwarded to multicast routers rstp flooding Whether or not multicast streams will be flooded out of all Rapid Spanning Tree Protocol RSTP non edge ports upon detection of a topology change Such flooding is desirable if multicast stream delivery must be guaranteed without interruption 3 Ass...

Page 343: ...ation mode 2 Delete the router port by typing no switch mcast filtering igmp snooping router ports slot port Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 8 4 4 Managing the Static Multicast Group Table This sectio...

Page 344: ...e lowercase switch mcast filtering static mcast table id address Where id is the ID for the VLAN upon which the static multicast group operates address is the MAC address for the device in the form of 01 xx xx xx xx xx 3 Add one or more egress ports For more information refer to Section 8 4 5 2 Adding an Egress Port 4 Type commit and press Enter to save the changes or type revert and press Enter t...

Page 345: ...e device in the form of 01 xx xx xx xx xx If egress ports have been established a table or list similar to the following example appears ruggedcom show running config switch mcast filtering static mcast table 10 01 00 00 01 01 01 egress ports switch mcast filtering static mcast table 10 01 00 00 01 01 01 egress ports lm2 1 If no egress ports have been configured add egress ports as needed For more...

Page 346: ... address for the device in the form of 01 xx xx xx xx xx slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 8 4 6 Viewing a Summary of Multicast Groups To view a summary of all multicast groups type show switch mcast filterin...

Page 347: ... to the group multicast IP address This parameter is mandatory Joined Slot The name of the module location provided on the silkscreen across the top of the device Joined Ports The selected ports on the module installed in the indicated slot Router Slot The name of the module location provided on the silkscreen across the top of the device Router Ports The selected ports on the module installed in ...

Page 348: ...ection 8 5 1 VLAN Concepts This section describes some of the concepts important to the implementation of VLANs in RUGGEDCOM ROX II CONTENTS Section 8 5 1 1 Tagged vs Untagged Frames Section 8 5 1 2 Native VLAN Section 8 5 1 3 Edge and Trunk Port Types Section 8 5 1 4 Ingress Filtering Section 8 5 1 5 Forbidden Ports List Section 8 5 1 6 VLAN Aware Mode of Operation Section 8 5 1 7 GARP VLAN Regis...

Page 349: ...TE It may be desirable to manually restrict the traffic on the trunk to a specific group of VLANs For example when the trunk connects to a device such as a Layer 3 router that supports a subset of the available LANs To prevent the trunk port from being a member of the VLAN include it in the VLAN s Forbidden Ports list For more information about the Forbidden Ports list refer to Section 8 5 1 5 For...

Page 350: ...ave requirements conflicting with IEEE 802 Q native mode of operation For example some applications explicitly require priority tagged frames to be received by end devices Section 8 5 1 7 GARP VLAN Registration Protocol GVRP GARP VLAN Registration Protocol GVRP is a standard protocol built on GARP Generic Attribute Registration Protocol to automatically distribute VLAN configuration information in...

Page 351: ...re End nodes A E and C are GVRP unaware Ports A2 and C2 are configured with PVID 7 Port E2 is configured with PVID 20 End node D is interested in VLAN 20 hence VLAN 20 is advertised by it towards switch D D2 becomes a member of VLAN 20 Ports A1 and C1 advertise VID 7 Ports B1 and B2 become members of VLAN 7 Ports D1 and B1 advertise VID 20 Ports B3 B4 and D1 become members of VLAN 20 Section 8 5 1...

Page 352: ...PVLAN Edge group are listed below A PVLAN Edge group with 10 100 Mbit ports from any line modules with the exception of 2 port 100Base FX line modules A PVLAN Edge group with Gbit ports from any line modules A PVLAN Edge group with 10 10 Mbit ports from 2 port 100Base FX and Gbit ports from any line modules Section 8 5 1 9 VLAN Advantages The following are a few of the advantages offered by VLANs ...

Page 353: ...Ns the host s VLAN membership and priority are simply copied to the new port Reduced Hardware Without VLANs traffic domain isolation requires the use of separate bridges for separate networks VLANs eliminate the need for separate bridges The number of network hosts may often be reduced Often a server is assigned to provide services for independent networks These hosts may be replaced by a single m...

Page 354: ...Configuration hazard risk of data loss If the range start or range end values are changed in a way that invalidates any configured internal VLANs the configurations defined for the affected VLANs will be lost upon repositioning IMPORTANT VLAN IDs reserved for internal VLANs should not be used by the network NOTE Changing the range end value repositions the matching serial VLAN However the matching...

Page 355: ...d range end range end Synopsis A 32 bit signed integer between 2 and 4094 Default 4094 Defines the higher end of a range of VLANs used for the device only VLAN ID 1 is not permitted 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 8 5 3 Enabling Disabling Ingress Filtering When ingress filtering is enabled any tagged packet arriving at a port which ...

Page 356: ...the following example appears ruggedcom show switch vlans vlan summary IGMP UNTAGD UNTAGD TAGGED TAGGED VID SNOOPING MSTI SLOT PORTS SLOT PORTS QOS INGRESS MARK 1 false 0 sm none lm1 1 2 lm2 none lm3 none lm4 none lm5 none lm6 none sm none lm1 none lm2 none lm3 none lm4 none lm5 none lm6 none 0 0 1 0 2 0 3 0 4 0 The VLANs listed are based on the PVIDs assigned to the switched Ethernet ports For mo...

Page 357: ...dynamic Default static Whether the IPv6 address is static or dynamically assigned via Dynamic Host Configuration Protocol DHCP This must be static for non management interfaces proxyarp Enables Disables whether the VLAN will respond to ARP requests for hosts other than itself on demand Brings up this interface on demand only mtu mtu Synopsis A 32 bit signed integer between 68 and 9216 Default 1500...

Page 358: ... Configure the following parameter s as required Parameter Description igmp snooping Enables or disables IGMP Snooping on the VLAN msti msti Synopsis cst or a 32 bit signed integer between 1 and 16 Default cst Only valid for Multiple Spanning Tree Protocol MSTP and has no effect if MSTP is not used The parameter specifies the Multiple Spanning Tree Instance MSTI the VLAN should be mapped to 4 If n...

Page 359: ... Viewing a List of Forbidden Ports To view a list of forbidden ports type show running config switch vlans static vlan forbidden ports If ports have been forbidden a table or list similar to the following example appears ruggedcom show running config switch vlans static vlan forbidden ports tab VID SLOT PORT 50 lm1 1 lm1 2 60 lm1 2 lm1 3 lm1 4 70 lm1 5 If no ports have been forbidden add forbidden...

Page 360: ... ports where name is the name of the static VLAN 3 Configure the following parameter s as required no switch vlans static vlan name forbidden ports slot port Where name is the name of the static VLAN slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module 4 Type commit and press Enter to save the changes or type revert and pre...

Page 361: ...namic Hardware Routing Rules Section 9 1 Layer 3 Switching Concepts This section describes some of the concepts important to the implementation of Layer 3 switching in RUGGEDCOM ROX II CONTENTS Section 9 1 1 Layer 3 Switch Forwarding Table Section 9 1 2 Static Layer 3 Switching Rules Section 9 1 3 Dynamic Learning of Layer 3 Switching Rules Section 9 1 4 Layer 3 Switch ARP Table Section 9 1 5 Mult...

Page 362: ...ration can be explicitly configured If hardware acceleration is selected an appropriate Layer 3 switching rule is installed in the ASIC s TCAM and never ages out NOTE Only TCP and UDP traffic flows will be accelerated by the IP Layer 3 switch fabric Section 9 1 3 Dynamic Learning of Layer 3 Switching Rules For static routes without hardware acceleration or for dynamic routes Layer 3 switching rule...

Page 363: ...s also needed by the Layer 3 switching ASIC when it switches IP packets between subnets The destination or gateway MAC address is usually obtained through ARP However ARP entries can also be statically configured in the Layer 3 Switch so that they do not time out When configuring a static ARP entry if no value is entered for the MAC Address parameter the address is automatically resolved through A...

Page 364: ...itches all the traffic matching the rule before the firewall inspects the traffic Layer 3 switch ASICs are somewhat limited in how switching rules can be defined These limitations do not allow configuring arbitrary firewall rules directly in the Layer 3 switch hardware For sophisticated firewall rules the firewall has to be implemented in software and the Layer 3 Switch must not switch traffic tha...

Page 365: ...or example in a system with complex configuration where static routes do not conflict with a firewall while traffic flows following dynamic routes have to be subject to sophisticated firewall filtering Auto Both statically configured and dynamically learned Layer 3 switching rules will be used In this mode maximum routing hardware acceleration is utilized learn mode learn mode Synopsis flow orient...

Page 366: ... 11 0 4 00 11 94 11 00 03 4084 192 11 0 5 00 11 94 11 00 04 4084 192 11 0 6 00 11 94 11 00 05 4084 If no ARP table entries have been configured add static ARP table entries as needed For more information about adding static ARP table entries refer to Section 9 3 2 Adding a Static ARP Table Entry Section 9 3 2 Adding a Static ARP Table Entry To add a static ARP table entry do the following 1 Make s...

Page 367: ...2 00 11 94 11 00 01 4084 false resolved 192 11 0 3 00 11 94 11 00 02 4084 false resolved 192 11 0 4 00 11 94 11 00 03 4084 false resolved 192 11 0 5 00 11 94 11 00 04 4084 false resolved 192 11 0 6 00 11 94 11 00 05 4084 false resolved This table or list provides the following information Parameter Description ip address Synopsis A string The IP address of the network device the entry describes ma...

Page 368: ...t 17 192 11 0 92 1024 192 12 0 92 1024 192 12 0 92 11 false forward active 4 unicast 17 192 12 0 92 1024 192 11 0 92 1024 192 11 0 92 11 false forward active 5 unicast 17 192 12 0 254 1024 192 11 0 254 1024 192 11 0 254 11 false forward active 6 unicast 17 192 12 0 223 1024 192 11 0 223 1024 192 11 0 223 11 false forward active 7 unicast 17 192 11 0 85 1024 192 12 0 85 1024 192 12 0 85 11 false fo...

Page 369: ... flow A value of 0 means Not Applicable gateway Synopsis A string Defines the nexthop IP address The matched unicast packet is sent to the identified gateway packets per second Synopsis A 32 bit unsigned integer Displays the statistical throughput of all packets matching the rule in packets per second static Synopsis true false Whether the rule is static or dynamic Static rules are configured as a...

Page 370: ...uting rules removed dynamic rules from the Routing Rules Summary table NOTE Only dynamic rules can be flushed Static rules enabled by activating hardware acceleration never age out For more information about enabling hardware acceleration refer to Section 9 1 Layer 3 Switching Concepts To flush dynamic hardware routing rules type switch layer3 switching flush dynamic rules ...

Page 371: ... en view 109748778 RUGGEDCOM Modules Catalog for the RUGGEDCOM MX5000RE series https support industry siemens com cs ww en view 109748780 CONTENTS Section 10 1 Managing Serial Ports Section 10 2 Managing Serial Port Protocols Section 10 3 Managing Device Address Tables Section 10 4 Managing Serial Multicast Streaming Section 10 5 Managing Remote Hosts Section 10 6 Managing Local Hosts Section 10 7...

Page 372: ...ace media Synopsis A string 1 to 31 characters long The type of port media RS232 RS422 RS485 This parameter is mandatory speed Synopsis auto 1 5M 2 4M 10M 100M 1G 10G 1 776M 3 072M 7 2M 1 2K 2 4K 9 6K 19 2K 38 4K 57 6K 115 2K 230 4K 4 8K 76 8K The speed in Kilobits per second This parameter is mandatory protocol Synopsis A string 1 to 31 characters long The serial protocol assigned to this port Th...

Page 373: ...OCAL RX TX TARGET INDEX REMOTE IP PORT PORT TRANSPORT PACKETS PACKETS PORT STATUS 1 10 200 22 199 15836 20000 TCP 177 0 ser 3 1 Active To view the statistics collected for a specific transport connection type show interfaces serial transport connections index A table or list similar to the following appears ruggedcom show interfaces serial transport connections 1 tab REMOTE LOCAL RX TX TARGET INDE...

Page 374: ...ng 1 to 31 characters long The connection status of the serial port This parameter is mandatory Section 10 1 3 Viewing DNP Device Table Statistics To view the statistics collected for DNP device tables type show interfaces serial dnp device table A table or list similar to the following appears ruggedcom show interfaces serial dnp device table tab DEVICE SERIAL ADDRESS REMOTE IP PORT 10 ser 3 1 20...

Page 375: ...TS Section 10 2 1 Serial Port Protocol Concepts Section 10 2 2 Viewing a List of Serial Port Protocols Section 10 2 3 Adding a Serial Port Protocol Section 10 2 4 Configuring the DNP Protocol Section 10 2 5 Configuring the Modbus TCP Protocol Section 10 2 6 Configuring the Raw Socket Protocol Section 10 2 7 Deleting a Serial Port Protocol Section 10 2 1 Serial Port Protocol Concepts This section d...

Page 376: ...or bidirectionally Configure the device at the host end to establish a connection with the remote host when The host end uses a port redirector that must make the connection The host end is only occasionally activated and will make the connection when it becomes active A host end firewall requires the connection to be made outbound If the host end wants to open multiple connections with the remote...

Page 377: ...rver Gateway offers the ability to resend a request to a remote host should the remote host receive the request in error or the Server Gateway receives the remote host response in error The decision to use retransmissions and the number to use depends upon factors such as The probability of a line failure The number of remote hosts and the amount of traffic on the port The cost of retransmitting t...

Page 378: ...nation address is received from the IP network it is sent to all local serial ports configured as DNP ports NOTE Learned addresses are not recorded in the Device Address Table UDP transport is used during the DNP address learning phase An aging timer is maintained for each DNP address in the table and is reset whenever a DNP message is sent to or received for the specified address This learning fa...

Page 379: ... protocol is the protocol type Options include dnp tcpmodbus rawsocket and vmserial 3 If dnp tcpmodbus or rawsocket was selected configure the protocol For information about configuring a DNP protocol refer to Section 10 2 4 Configuring the DNP Protocol For information about configuring a Modbus TCP protocol refer to Section 10 2 5 Configuring the Modbus TCP Protocol For information about configur...

Page 380: ... timer Synopsis A 32 bit signed integer between 50 and 10000 Default 100 The maximum time from the last transmitted character of the outgoing poll until the first character of the response If the RTU does not respond in this time the poll will have been considered failed pack timer pack timer Synopsis A 32 bit signed integer between 5 and 1000 Default 1000 The maximum allowable time to wait for a ...

Page 381: ... 1000 Default 1000 The delay from the last received character until when data is forwarded pack size pack size Synopsis max or a 32 bit signed integer between 16 and 1400 Default max The maximum number of bytes received from the serial port to be forwarded turnaround turnaround Synopsis A 32 bit signed integer between 0 and 1000 Default 0 The amount of delay if any to insert between the transmissi...

Page 382: ... following 1 Make sure the CLI is in Configuration mode 2 Delete the serial port protocol by typing no interface serial slot port protocols protocol Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module protocol is the protocol type 3 Type commit and press Enter to save the changes or type revert and press Enter to abo...

Page 383: ...e name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module address is the local or remote DNP device address The address may be that of a DNP device connected to a local serial port or one available via the serial port of a remote IP host 3 Configure the following parameter s as required Parameter Description remote ip remote ip Synopsis A...

Page 384: ...l multicast streaming CONTENTS Section 10 4 1 Understanding Serial Multicast Streaming Section 10 4 2 Configuring Serial Multicast Streaming Section 10 4 3 Example Serial Interfaces Configured as a Sink for Multicast Streams Section 10 4 4 Example Serial Interfaces Configured as a Source for Multicast Streams Section 10 4 5 Example Serial Interfaces Configured as a Source and Sink for Multicast St...

Page 385: ...ast stream to all or some connected serial devices Serial Interfaces Configured as a Source for Multicast Streams In this configuration the source of the multicast data comes from the serial port and device side and is transmitted to multiple Ethernet interfaces over one multicast stream The advantage of this scenario is the ease of configuration of listening devices There will be a lesser need to...

Page 386: ...m group 232 1 1 1 directed to UDP port 5001 reaching ser 1 1 from the interface switch 0010 via raw socket connections Ser 1 1 upon receiving these messages passes on the data to serial device S1 to which it is directly connected IMPORTANT The values shown are specific to the provided topology Actual values can vary based on the user s configuration switch 0010 10 1 0 1 8 switch 0020 20 1 0 1 8 se...

Page 387: ...1 1 1 For more information refer to Section 10 6 2 Adding a Local Host 6 Set switch 0010 as the interface for the local host interface switch 0010 For more information refer to Section 10 8 2 Adding a Local Host Interface 7 Type commit and press Enter to save the changes or type revert and press Enter to abort Step 2 Configure ser 1 2 1 Create a raw socket connection for ser 1 2 interface serial l...

Page 388: ... 232 1 1 1 interface switch 0010 ser 1 2 Configuration serial lm1 2 no alias protocols rawsocket setrawsocket local port 6001 setrawsocket transport udp setrawsocket local host 232 2 2 2 interface switch 0020 Section 10 4 4 Example Serial Interfaces Configured as a Source for Multicast Streams This configuration example shows ser 1 1 receiving data on the wire from S1 then creating multiple raw so...

Page 389: ...re IP addresses for the interfaces switch 0010 switch 0020 switch 0030 and switch 0040 For more information refer to Section 7 1 3 2 Adding an IPv4 Address 2 Create a raw socket connection for ser 1 1 interface serial lm1 1 protocols rawsocket For more information refer to Section 10 2 3 Adding a Serial Port Protocol 3 Set the raw socket of the local port to 10001 setrawsocket local port 10001 For...

Page 390: ...cket transport udp For more information refer to Section 10 2 6 Configuring the Raw Socket Protocol 4 Set the multicast group for the local host to 232 2 2 2 and the UDP destination port to 6001 setrawsocket local host 232 2 2 2 6001 For more information refer to Section 10 6 2 Adding a Local Host 5 Set switch 0030 and switch 0040 as the interfaces for the remote host interface switch 0030 interfa...

Page 391: ...icast packets and sent to destination group 232 1 1 1 and destination UDP port 5001 Additionally ser 1 1 forwards the same data stream to ser 1 2 which then sends the data to S2 IMPORTANT The values shown are specific to the provided topology Actual values can vary based on the user s configuration switch 0010 10 1 0 1 8 switch 0020 20 1 0 1 8 ser 1 1 ser 1 2 10 1 1 1 8 232 1 1 1 5001 10 1 2 1 8 2...

Page 392: ...emote Host 6 Set switch 0010 and switch 0020 as the interfaces for the remote host interface switch 0010 interface switch 0020 For more information refer to Section 10 7 2 Adding a Remote Host Interface 7 Enable remote host loopback loopback true For more information refer to Section 10 6 2 Adding a Local Host 8 Create a raw socket connection for ser 1 2 interface serial lm1 2 protocols rawsocket ...

Page 393: ...ch 0020 Serial Port 2 Configuration serial lm1 2 no alias protocols rawsocket setrawsocket local port 5001 setrawsocket transport udp setrawsocket local host 232 1 1 1 loopback true Section 10 5 Managing Remote Hosts Remote hosts are required when the UDP transport connection protocol is selected for the raw socket protocol CONTENTS Section 10 5 1 Viewing a List of Remote Hosts Section 10 5 2 Addi...

Page 394: ...onfiguration mode 2 Add the remote host by typing interface serial slot port protocols rawsocket setrawsocket remote host address remote port Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module address is the IP address for the remote host or a multicast group IP address for which the interface is a source remote por...

Page 395: ...vert and press Enter to abort Section 10 6 Managing Local Hosts Local hosts are required when the UDP transport connection protocol is selected and multicast streams are to be received for the raw socket protocol CONTENTS Section 10 6 1 Viewing a List of Local Hosts Section 10 6 2 Adding a Local Host Section 10 6 3 Deleting a Local Host Section 10 6 1 Viewing a List of Local Hosts To view a list o...

Page 396: ...must be enabled or a local host interface must be added 3 If a local host interface is required proceed to Step 4 Otherwise select Loopback to enable the local host to receive data from a loopback interface The loopback interface must have the same source multicast group IP address and local port number as the serial port A matching remote host with loopback enabled must also be configured 4 Optio...

Page 397: ...nterfaces To view a list of remote host interfaces configured for a serial port using the raw socket protocol type show running config interface serial slot port protocols rawsocket setrawsocket remote host remote host interface Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module remote host is the remote host If int...

Page 398: ... parameter s as required Parameter Description name Synopsis A string The transmitting interface s name for the destination multicast group IP address and remote port 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 10 7 3 Deleting a Remote Host Interface To delete a remote host interface do the following 1 Make sure the CLI is in Configuration mode...

Page 399: ...ket setrawsocket local host local host interface Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module local host is the local host If interfaces have been configured a table or list similar to the following example appears ruggedcom show running config interface serial lm5 1 protocols rawsocket setrawsocket local host...

Page 400: ...lticast group IP address and the local port number defined for the serial port 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 10 8 3 Deleting a Local Host Interface To delete a local host interface do the following 1 Make sure the CLI is in Configuration mode 2 Delete the local host by typing no interface serial slot port protocols rawsocket setra...

Page 401: ...ter describes how to configure and manage the various wireless interfaces and utilities available in RUGGEDCOM ROX II NOTE Some wireless features require the device to be equipped with a specific line module CONTENTS Section 11 1 Managing Cellular Modem Profiles Section 11 1 Managing Cellular Modem Profiles ...

Page 402: ...Chapter 11 Wireless RUGGEDCOM ROX II CLI User Guide 356 Managing Cellular Modem Profiles ...

Page 403: ...orwarding is done in Layer 2 and allows all network traffic including Layer 2 Multicast i e GOOSE ISO IP Multicast Unicast and Broadcast messages to travel through the virtual switch tunnel without any modifications A virtual switch can be useful in particular for GOOSE messaging when the sender and receiver need to communicate through a routable IP network Since there is no IP encapsulation for t...

Page 404: ...ce Any IP address assigned to an interface becomes inactive and hidden when the interface is added to the virtual switch The address on the interface is reactivated after removing the interface from the virtual switch Be careful when adding interfaces to the virtual switch Any network services running on the individual interfaces will need to be reconfigured after adding the interface to the virtu...

Page 405: ...ables this interface retain ip Synopsis true false Default false Retain IP on bridge device forward delay forward delay Synopsis An 8 bit unsigned integer Default 15 Delay in seconds of the listening and learning state before goes to forwarding state alias alias Synopsis A string 1 to 64 characters long The SNMP alias name of the interface ip address src ip address src Synopsis static dynamic Defa...

Page 406: ...ng no interface virtualswitch name Where name is the name assigned to the virtual switch 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 1 4 Managing Virtual Switch Interfaces This section describes how to configure and manage interfaces for virtual switches CONTENTS Section 12 1 4 1 Viewing a List of Virtual Switch Interfaces Section 12 1 4 2 A...

Page 407: ...ke sure the CLI is in Configuration mode 2 Add an interface to the virtual switch by typing interface virtualswitch name interface interface Where name is the name assigned to the virtual switch interface is the name assigned to the interface The new interface is now accessible by typing ip vsw name The new virtual switch is now visible under the ip menu with the prefix vsw i e vsw vs1 vsw vs2 etc...

Page 408: ...Section 12 1 5 2 Viewing a List of Virtual Switch Filters Section 12 1 5 3 Adding a Virtual Switch Filter Section 12 1 5 4 Deleting a Virtual Switch Filter Section 12 1 5 1 Enabling Disabling Virtual Switch Filtering To enable or disable virtual switch filtering do the following 1 Make sure the CLI is in Configuration mode 2 Enable or disable virtual switch filtering by typing Enabling Virtual Swi...

Page 409: ... needed For more information refer to Section 12 1 5 3 Adding a Virtual Switch Filter Section 12 1 5 3 Adding a Virtual Switch Filter To add a virtual switch filter do the following 1 Make sure the CLI is in Configuration mode 2 Make sure one or more virtual switches are configured For more information refer to Section 12 1 2 Adding a Virtual Switch 3 Add the virtual switch filter by typing securi...

Page 410: ...1 6 2 Viewing a List of Rules Assigned to a Virtual Switch Filter Section 12 1 6 3 Adding a Rule Section 12 1 6 4 Adding a Rule to a Virtual Switch Filter Section 12 1 6 5 Deleting a Rule Section 12 1 6 6 Deleting a Rule from a Virtual Switch Filter Section 12 1 6 1 Viewing a List of Rules To view a list of rules that can be used by a virtual switch filter type show running config security virtual...

Page 411: ...0020 goose switch 0010 switch 0020 If no rules have been assigned assign them as needed For more information refer to Section 12 1 6 4 Adding a Rule to a Virtual Switch Filter Section 12 1 6 3 Adding a Rule To add a rule that can be used by a virtual switch filter do the following 1 Make sure the CLI is in Configuration mode 2 Make sure one or more virtual switches are configured For more informat...

Page 412: ...r do the following 1 Make sure the CLI is in Configuration mode 2 Add the rule by typing security virtualswitch filter virtualswitch name rule rule Where name is the name of the virtual switch filter rule is the name of the rule 3 Configure the in out interfaces for the rule For more information refer to Section 12 1 7 2 Adding an In Out Interface 4 Type commit and press Enter to save the changes ...

Page 413: ...ion 12 1 7 1 Viewing a List of In Out Interfaces Section 12 1 7 2 Adding an In Out Interface Section 12 1 7 3 Deleting an In Out Interface Section 12 1 7 1 Viewing a List of In Out Interfaces To view a list of in out interfaces that can be used by a virtual switch filter type show running config security virtualswitch filter virtualswitch name rule rule in interface out interface Where name is the...

Page 414: ...t Section 12 1 7 3 Deleting an In Out Interface To delete an in out interface that can be used by a virtual switch filter do the following 1 Make sure the CLI is in Configuration mode 2 Delete the interface by typing no security virtualswitch filter virtualswitch name rule rule in interface out interface interface Where name is the name of the virtual switch filter rule is the name of the rule int...

Page 415: ... Switch VLAN Section 12 1 8 2 Adding a Virtual Switch VLAN To add virtual switch VLAN do the following 1 Make sure the CLI is in Configuration mode 2 Add the VLAN by typing interface virtualswitch id vlan vlan id Where id is the ID assigned to the virtual switch vlan id is the ID assigned to the VLAN 3 Configure the following parameter s as required Parameter Description ip address src ip address ...

Page 416: ...by Ethernet type CONTENTS Section 12 2 1 Viewing Round Trip Time Statistics Section 12 2 2 Configuring the Layer 2 Tunnel Daemon Section 12 2 1 Viewing Round Trip Time Statistics The round trip time statistics reflect the measured round trip time to each remote daemon The minimum average maximum and standard deviation of times is presented Entries with a large difference between the transmitted an...

Page 417: ...The Maximum Beacon Round Trip Time This parameter is mandatory deviation Synopsis A string 1 to 32 characters long The standard deviation This parameter is mandatory Section 12 2 2 Configuring the Layer 2 Tunnel Daemon To configure the Layer 2 tunnel daemon do the following IMPORTANT Make sure there are no traffic loops possible between the substation LAN and other LANs that could forward GOOSE fr...

Page 418: ...t Windows VPN L2TP client IMPORTANT L2TPD listens on UDP port 1701 If a firewall is enabled it must be configured to only allow connections to L2TPD through IPsec Direct connections to L2TPD must be prevented CONTENTS Section 12 3 1 Configuring L2TP Tunnels Section 12 3 2 Configuring DNS Servers Section 12 3 3 Configuring PPP Options Section 12 3 4 Configuring WINS Servers Section 12 3 1 Configuri...

Page 419: ...o configure redundant Domain Name System DNS servers for L2TP tunnels do the following 1 Make sure the CLI is in Configuration mode 2 Configure the primary and secondary DNS servers by typing tunnel l2tp dns server primary primary ip secondary secondary ip Where primary ip is the IP address of the primary DNS server secondary ip is the IP address of the secondary DNS server 3 Type commit and press...

Page 420: ...rt Section 12 4 Managing L2TPv3 Tunnels L2TPv3 Layer 2 Tunneling Protocol Version 3 provides a pseudo wire service that encapsulates multi protocol Layer 2 traffic over IP networks There are no restrictions on the Layer 2 data formats that can be transmitted or received unlike L2TP L2TPv3 is a simplified alternative to MPLS Multiprotocol Label Switching that offers improved performance e g high da...

Page 421: ...ome of the ways in which L2TPv3 tunnels can be implemented Basic L2TPv3 Tunnel In the following topology an L2TPv3 tunnel is established between routers R1 and R2 over a WAN interface The tunnel interface is assigned an IPv4 address on both devices Traffic routed from R1 is encapsulated in an L2TPv3 header and decapsulated by R2 The reverse is true when traffic is routed from R2 192 168 10 130 swi...

Page 422: ...from 192 158 10 110 to 192 168 10 130 traverses the l2t 1 1 bridge and vice versa Traffic sent from 192 158 10 110 to 192 168 11 110 traverses the l2t 2 1 bridge and vice versa 192 168 10 130 switch 0002 R2 switch 0002 R3 192 168 11 110 192 168 10 110 switch 0002 R1 l2t 1 1 l2t 2 1 Figure 17 Multiple LAN Extensions Over Multiple L2TPv3 Tunnels Section 12 4 2 Creating an L2TPv3 Tunnel To create an ...

Page 423: ...ormation about adding the L2TPv3 tunnel interface to a virtual switch refer to Section 12 1 4 2 Adding a Virtual Switch Interface For information about assigning an IP address to the L2TPv3 tunnel interface refer to either Section 7 1 3 Managing IPv4 Addresses or Section 7 1 4 Managing IPv6 Addresses Section 12 4 3 Managing Static L2TPv3 Tunnels Configure static L2TPv3 tunnels to manually control ...

Page 424: ...ig tunnel l2tpv3 static tunnel tunnel l2tpv3 static tunnel 1 tunnel id 1 remote tunnel id 2 transport encap udp local ip 192 168 0 10 local port 1024 remote ip 192 168 0 11 remote port 1025 session 1 local session id 10 remote session id 20 l2tp specific sublayer default vlan 4 session 2 local session id 30 remote session id 40 l2tp specific sublayer default If no tunnels have been configured add ...

Page 425: ...y local ip Synopsis A string The interface upon which the tunnel is created This parameter is mandatory local port Synopsis A 32 bit signed integer Local transport port for l2tpv3 service This parameter is mandatory remote ip Synopsis A string 6 to 40 characters long Ip address of remote tunnel end This parameter is mandatory remote port Synopsis A 32 bit signed integer Transport port of remote tu...

Page 426: ...1 Enabling and Configuring Dynamic L2TPv3 Tunnels Section 12 4 4 2 Viewing a List of Dynamic L2TPv3 Tunnels Section 12 4 4 3 Adding a Dynamic L2TPv3 Tunnel Section 12 4 4 4 Deleting a Dynamic L2TPv3 Tunnel Section 12 4 4 1 Enabling and Configuring Dynamic L2TPv3 Tunnels To enable and configure dynamic L2TPv3 tunnels do the following 1 Make sure the CLI is in Configuration mode 2 Enable dynamic L2T...

Page 427: ...L2TPv3 Tunnel To add a dynamic L2TPv3 tunnel do the following 1 Make sure the CLI is in Configuration mode NOTE The tunnel name must consist of one to three numeric and or lowercase alphanumeric characters 2 Add the tunnel by typing tunnel l2tpv3 dynamic tunnel name Where name is the name of the tunnel 3 Configure the following parameter s as required NOTE Transport encapsulation is only configura...

Page 428: ...t persist pend timeout Synopsis A 32 bit signed integer between 10 and 6000 Default 60 The time in seconds that a persisting tunnel will wait in RETRY state before trying to establish itself again hello hello Synopsis A 32 bit signed integer between 5 and 1000 Default 60 timeout used for periodic L2TP Hello messages in seconds hidden Synopsis true false Default false Enables Disabled AVP hidden re...

Page 429: ...els A single L2TPv3 can support up to 128 active sessions CONTENTS Section 12 4 5 1 Viewing a List of Sessions Section 12 4 5 2 Adding a Session Section 12 4 5 3 Deleting a Session Section 12 4 5 1 Viewing a List of Sessions To view a list of sessions defined for an L2TPv3 tunnel type show running config tunnel l2tpv3 static dynamic tunnel tunnel name session Where tunnel name is the name of the t...

Page 430: ...ion enabled Synopsis true false Default true Enables Disables the session remote end id remote end id Synopsis A 32 bit signed integer between 1 and 65535 Remote endpoint ID to identify session with remote system This parameter is mandatory l2tp specific sublayer l2tp specific sublayer Synopsis default none Default default L2TP specific sublayer processing type mtu mtu Synopsis A 32 bit signed int...

Page 431: ...e in byte low value low value Synopsis A 32 bit unsigned integer Lower value of cookie This value must match with low value of other endpoint s local cookie high value high value Synopsis A 32 bit unsigned integer Higher value of cookie if its size is 8 This value must match with high value of other endpoint s local cookie 6 Type commit and press Enter to save the changes or type revert and press ...

Page 432: ...nnel name is the name of the tunnel tunnel session is the name of the tunnel session A table or list similar to the following example appears ruggedcom show running config tunnel l2tpv3 static tunnel 1 session vlan tunnel l2tpv3 static tunnel 1 session 1 vlan 4 If no VLANs have been configured add VLANs as needed For more information refer to Section 12 4 6 2 Adding a VLAN Section 12 4 6 2 Adding ...

Page 433: ...ibute them Statistics report availability of remote GOOSE daemons packet counts and Round Trip Time RTT for each remote daemon When the Virtual Router Redundancy Protocol VRRP is employed GOOSE transport is improved by sending redundant GOOSE packets from each VRRP gateway You can enable GOOSE forwarding by configuring a generic Layer 2 tunnel When configured the device listens for GOOSE packets o...

Page 434: ... 12 5 1 Viewing the GOOSE Tunnel Statistics Section 12 5 2 Viewing a List of GOOSE Tunnels Section 12 5 3 Adding a GOOSE Tunnel Section 12 5 4 Deleting a GOOSE Tunnel Section 12 5 5 Managing Remote Daemons for GOOSE Tunnels Section 12 5 1 Viewing the GOOSE Tunnel Statistics To view the GOOSE tunnel statistics type show tunnel l2tunneld status goose A table or list similar to the following example ...

Page 435: ... unsigned integer The number of bytes transmitted through the tunnel This parameter is mandatory errors Synopsis A 32 bit unsigned integer The number of errors through the tunnel This parameter is mandatory Section 12 5 2 Viewing a List of GOOSE Tunnels To view a list of GOOSE tunnels type show running config tunnel l2tunneld goose If tunnels have been configured a table or list similar to the fol...

Page 436: ...ress Enter to save the changes or type revert and press Enter to abort Section 12 5 4 Deleting a GOOSE Tunnel To delete a GOOSE tunnel do the following 1 Make sure the CLI is in Configuration mode 2 Delete the GOOSE tunnel by typing no tunnel l2tunneld goose tunnel name Where name is the name of the GOOSE tunnel 3 Type commit and press Enter to save the changes or type revert and press Enter to ab...

Page 437: ...ion refer to Section 12 5 5 2 Adding a Remote Daemon Section 12 5 5 2 Adding a Remote Daemon To configure a remote daemon for a GOOSE tunnel do the following 1 Make sure the CLI is in Configuration mode 2 Add the remote daemon by typing tunnel l2tunneld goose tunnel remote daemon address Where address is the IP address of the remote daemon 3 Type commit and press Enter to save the changes or type ...

Page 438: ...ging Remote Daemon IP Addresses for Generic Tunnels Section 12 6 6 Managing Remote Daemon Egress Interfaces for Generic Tunnels Section 12 6 7 Managing Ethernet Types for Generic Tunnels Section 12 6 1 Viewing the Generic Tunnel Statistics To view the generic tunnel statistics type show tunnel l2tunneld status generic A table or list similar to the following example appears ruggedcom show tunnel l...

Page 439: ... number of errors received through the tunnel This parameter is mandatory Section 12 6 2 Viewing a List of Generic Tunnels To view a list of generic tunnels type show running config tunnel l2tunneld generic tunnel If tunnels have been configured a table or list similar to the following example appears ruggedcom show running config tunnel l2tunneld generic tunnel tab REPLACE EGRESS IP NAME INGRESS ...

Page 440: ...ng a Generic Tunnel To delete a generic tunnel do the following 1 Make sure the CLI is in Configuration mode 2 Delete the generic tunnel by typing no tunnel l2tunneld generic tunnel name Where name is the name of the generic tunnel 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 6 5 Managing Remote Daemon IP Addresses for Generic Tunnels In plac...

Page 441: ...e Layer 2 protocols server to a generic tunnel configuration do the following 1 Make sure the CLI is in Configuration mode 2 Add the IP address by typing tunnel l2tunneld generic tunnel name remote daemon ip address address Where name is the name of the generic tunnel address is the IP address of the remote Layer 2 protocols server 3 Type commit and press Enter to save the changes or type revert a...

Page 442: ...ote daemon egress if If egress interfaces have been configured a table or list similar to the following example appears ruggedcom show running config tunnel l2tunneld generic tunnel remote daemon egress if tab NAME EGRESS IF 1 switch 0001 If no egress interfaces have been configured add interfaces as needed For more information refer to Section 12 6 6 2 Adding an Egress Interface Section 12 6 6 2 ...

Page 443: ... how to define the types of Ethernet protocols that can be forwarded by generic tunnels CONTENTS Section 12 6 7 1 Viewing a List of Ethernet Types Section 12 6 7 2 Adding an Ethernet Type Section 12 6 7 3 Deleting an Ethernet Type Section 12 6 7 1 Viewing a List of Ethernet Types To view a list of Ethernet types configured for a generic tunnel type show running config tunnel l2tunneld generic tunn...

Page 444: ... ethernet type type Where name is the name of the generic tunnel type is the Ethernet type i e 0xFEFE 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 7 Managing Generic Routing Encapsulation Tunnels RUGGEDCOM ROX II can employ the Generic Routing Encapsulation GRE protocol to encapsulate multicast traffic and IPv6 packets together and transport ...

Page 445: ...ing Statistics for GRE Tunnels Section 12 7 2 Viewing a List of GRE Tunnels Section 12 7 3 Adding a GRE Tunnel Section 12 7 4 Configuring a DSCP Marking for GRE Tunnel Traffic Section 12 7 5 Enabling Disabling Keepalive Messages Section 12 7 6 Deleting a GRE Tunnel Section 12 7 1 Viewing Statistics for GRE Tunnels To view the statistics collected for GRE tunnels type show interfaces gre A table or...

Page 446: ... by the tunnel This parameter is mandatory tx packets Synopsis A 64 bit unsigned integer The number of packets transmitted through the tunnel This parameter is mandatory tx errors Synopsis A 64 bit unsigned integer The number of error packets transmitted through the tunnel This parameter is mandatory tx drops Synopsis A 64 bit unsigned integer The number of packets dropped by the tunnel This param...

Page 447: ...rs long or a string 6 to 40 characters long The IP address of the remote end of the tunnel This parameter is mandatory remote net remote net Synopsis A string 9 to 18 characters long or a string 4 to 43 characters long The target network of remote end of the tunnel mtu mtu Synopsis A 32 bit signed integer Default 1476 The MTU of the GRE interface multicast Enables multicast traffic on the tunnel i...

Page 448: ...nges or type revert and press Enter to abort Section 12 7 4 Configuring a DSCP Marking for GRE Tunnel Traffic Each packet traversing a GRE tunnel can be assigned a Differentiated Services Code Point DSCP mark either defined by the device or inherited by the original IP header To the configure how DSCP marks are assigned for a specific GRE tunnel do the following 1 Make sure the CLI is in Configura...

Page 449: ...re the CLI is in Configuration mode 2 Enable or disable keepalive messages by typing Enable tunnel gre name gre keepalives enabled Disable no tunnel gre name gre keepalives enabled Where name is the interface name of the GRE tunnel network The interface name must start with a lowercase letter but may contain any combination of lowercase letters numbers and dashes up to a maximum of 10 characters T...

Page 450: ...ol be used on both IPsec peers to synchronize their clocks For more information about configuring NTP refer to Section 17 8 Managing NTP Servers CONTENTS Section 12 8 1 IPsec Tunneling Concepts Section 12 8 2 Configuring IPsec Tunnels Section 12 8 3 Configuring Certificates and Keys Section 12 8 4 Viewing the IPsec Tunnel Status Section 12 8 5 Managing Pre Shared Keys Section 12 8 6 Managing Conne...

Page 451: ...osed of a new IP header IPsec headers old IP header and IP payload Tunnel mode is most commonly used between gateways the gateway acting as a proxy for the hosts behind it Section 12 8 1 2 Supported Encryption Protocols Libreswan supports the following standard encryption protocols 3DES Triple DES Uses three Data Encryption Standard DES encryptions on a single data block with at least two differen...

Page 452: ... of the certificate is verified it was not tampered with and the public key in the certificate is assumed to be the valid public key of the connecting host Section 12 8 1 5 NAT Traversal Historically IPsec has presented problems when connections must traverse a firewall providing Network Address Translation NAT The Internet Key Exchange IKE used in IPsec is not NAT translatable When IPsec connecti...

Page 453: ...ed as IPsec encoded and presented as having arrived directly from the same network interface on which they were originally received Firewall rules are written to allow traffic to and from VPN tunnels These are based on the normal form of source destination IP addresses and IP protocol and port numbers These rules by virtue of the zones they match use the policy flags inserted by the netkey to rout...

Page 454: ...outer connection end 7 Configure the system public key by typing tunnel ipsec connection connection left right key type certificate Where connection is the name of the connection 8 Configure the system identifier by typing tunnel ipsec connection connection left right identifier type from certificate Where connection is the name of the connection 9 Type commit and press Enter to save the changes o...

Page 455: ...name OAKLEY_SHA2_256 hashsize 32 000 algorithm IKE hash id 6 name OAKLEY_SHA2_512 hashsize 64 000 algorithm IKE dh group id 2 name OAKLEY_GROUP_MODP1024 bits 1024 000 algorithm IKE dh group id 5 name OAKLEY_GROUP_MODP1536 bits 1536 000 algorithm IKE dh group id 18 name OAKLEY_GROUP_MODP8192 bits 8192 000 000 stats db_ops curr_cnt total_cnt maxsz context 0 0 0 trans 0 0 0 attrs 0 0 0 000 000 ipsec ...

Page 456: ...needed For more information refer to Section 12 8 5 2 Adding a Pre Shared Key Section 12 8 5 2 Adding a Pre Shared Key To add a pre shared key do the following 1 Make sure the CLI is in Configuration mode 2 Add the pre shared key by typing tunnel ipsec preshared key remote address local address key key Where remote address is the remote IP address local address is the local IP address key is the i...

Page 457: ... devices who share the same pre authorized authentication key CONTENTS Section 12 8 6 1 Viewing a List of Connections Section 12 8 6 2 Adding a Connection Section 12 8 6 3 Configuring Dead Peer Detection Section 12 8 6 4 Deleting a Connection Section 12 8 6 5 Viewing the Status of a Connection Section 12 8 6 1 Viewing a List of Connections To view a list of connections configured for a VPN type sh...

Page 458: ...mode Options include tunnel Encrypts traffic on host to host host to subnet or subnet to subnet tunnels This is the default type mode unless overwritten by the default connection setting transport Encrypts traffic on a host to host tunnel passthrough Traffic is not encrypted address family address family Synopsis ipv4 ipv6 Default ipv4 The address family to run for the connection Accepted values i...

Page 459: ... 7 2 Adding an IKE Algorithm 6 If required configure Encapsulated Security Payload ESP encryption for the connection For more information refer to Section 12 8 8 Managing the Encapsulated Security Payload ESP Protocol 7 If required configure the left local router and right remote router ends of the connection For more information refer to Section 12 8 9 Configuring the Connection Ends 8 If require...

Page 460: ...e time in seconds to wait before a peer is declared dead action action Synopsis hold clear restart restart all sa Default restart The action to be taken when a DPD enabled peer is declared dead Options include hold The route will be put on hold status clear The route and Security Association SA will both be cleared restart The SA will immediately be renegotiated restart all sa All SA s to the dead...

Page 461: ...Exchange IKE protocol negotiates connection parameters including keys for the Encapsulated Security Payload ESP protocol employed by IPsec IKE is based on the Diffie Hellman key exchange protocol which allows two parties without any initially shared secret to create one in a manner immune to eavesdropping CONTENTS Section 12 8 7 1 Viewing a List of IKE Algorithms Section 12 8 7 2 Adding an IKE Alg...

Page 462: ...ault is modp2048 The option any selects the default 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 8 7 3 Deleting an IKE Algorithm To delete an algorithm for the Internet Key Exchange IKE protocol do the following 1 Make sure the CLI is in Configuration mode 2 Delete the algorithm by typing no tunnel ipsec connection connection ike algorithm ci...

Page 463: ...s the name of the connection 3 Configure the encryption algorithm by typing tunnel ipsec connection connection esp modpgroup modpgroup Where connection is the name of the connection modpgroup is the Modular Exponential MODP group Options include any modp1024 modp1536 modp2048 modp3072 modp4096 modp6144 and modp8192 The default is modp2048 depending on the default connection setting The option any ...

Page 464: ... the default method is the hash method Options include any md5 sha1 and sha2 The default is sha1 The option any selects the default 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 8 8 4 Deleting an ESP Algorithm To delete an algorithm for the Encapsulated Security Payload ESP protocol do the following 1 Make sure the CLI is in Configuration mode...

Page 465: ...default route any address hostname Default none The public IP address type value value Synopsis A string 1 to 4095 characters long The public hostname or IP address 4 Configure the system public key by configuring the following parameters Parameter Description type type Synopsis none rsasig certificate any certificate Default none Key type rsa sig rsa sig Synopsis A string The RSA signature key na...

Page 466: ... traversal negotiation method Some IPsec endpoints prefer RFC 3947 over draft ietf ipsec nat t ike 02 when connecting with Libreswan as these implementations use different identifiers when NAT is involved For example when a Windows XP 2003 client connects Libreswan reports the main mode peer ID is ID_FQDN example com but when a Vista Windows 7 or other RFC 3947 compliant client connects Libreswan ...

Page 467: ...or a Private Subnet 5 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 8 10 2 Viewing a List of Addresses for Private Subnets To view a list of IP addresses configured for private subnets type show running config tunnel ipsec connection name right left subnet Where name is the name of the connection If IP addresses have been configured a table or l...

Page 468: ...net do the following 1 Make sure the CLI is in Configuration mode 2 Delete the IP address by typing no tunnel ipsec connection name right left subnet address Where name is the name of the connection address is the IP address and prefix of the private subnet 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 8 11 Example Configuring an Encrypted VPN...

Page 469: ...Add a unique pre shared key and configure the following parameters Parameter Value Local Address 2 2 2 1 30 Remote Address 2 2 2 2 30 For more information refer to Section 12 8 5 2 Adding a Pre Shared Key c Add an IPsec connection and configure the following parameters Parameter Value Startup Operation start Authenticate By secret Connection Type tunnel For more information about IPsec connections...

Page 470: ...ubnet 3 Configure Device B a Configure a host name for the device For more information refer to Section 5 2 Configuring the Host Name b Add a unique pre shared key and configure the following parameters Parameter Value Local Address 2 2 2 2 30 Remote Address 2 2 2 1 30 For more information refer to Section 12 8 5 2 Adding a Pre Shared Key c Add an IPsec connection and configure the following param...

Page 471: ... Tunnels 5 Verify the tunnel status and make sure the traffic between the two sites is encrypted a View the IPsec tunnel status and look for a message that includes the connection name and the words erouted eroute owner For example 000 ipsec 12 192 168 22 0 24 192 168 12 2 192 168 12 2 C CA ST Ontario O RuggedCom CN router2 E router2 example com S C 192 168 12 1 192 168 12 1 C CA ST Ontari o O Rug...

Page 472: ...address public ip value 2 2 2 1 subnet 192 168 50 0 24 right public ip type address public ip value 2 2 2 2 subnet 192 168 60 0 24 Section 12 9 Managing 6in4 and 4in6 Tunnels In networks where IPv4 and IPv6 operate simultaneously 6in4 and 4in6 tunnels can be used to enable IPv6 IPv4 hosts to reach services using the opposite protocol IPv6 IPv4 hosts and networks isolated from one another can also ...

Page 473: ...o tunnel ip6in4 ip4in6 enabled 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 9 2 Viewing a List of 6in4 or 4in6 Tunnels To view a list of 6in4 or 4in6 tunnels configured on the device type show running config tunnel ip6in4 ip4in6 tunnel A table or list similar to the following example appears ruggedcom show running config tunnel ip6in4 tunnel ...

Page 474: ... 15 characters long The interface upon which the tunnel is created This parameter is mandatory remote ip Synopsis A string 7 to 15 characters long Ip address of remote tunnel end This parameter is mandatory status Synopsis A string Current status of tunnel This parameter is mandatory 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 12 9 5 Deleting a...

Page 475: ...uilding scalable and secure VPN networks It allows network designers to rapidly deploy routers for medium to large enterprises without having to configure static connections between all devices DMPVN can be deployed in one of two ways Hub and Spoke Spoke to Spoke RUGGEDCOM ROX II supports hub and spoke deployments where a central router the hub uses Multipoint Generic Routing Encapsulation mGRE to...

Page 476: ...oke Topology Single Hub 1 Hub Static IP Address 2 Spoke Static IP Address 3 Hub to Spoke GRE IPsec Tunnel Spokes can also be connected to a secondary hub when redundancy is required 2 2 2 1 3 4 1 Figure 21 Hub and Spoke Topology Dual Hub 1 Hub Static IP Address 2 Spoke Static IP Address 3 Hub to Spoke GRE IPsec Tunnel ...

Page 477: ...vices nhrp enabled NOTE RUGGEDCOM ROX II supports up to two DMVPN interfaces each of which can be assigned to different GRE tunnels 6 Configure a DMVPN interface for each GRE tunnel For more information refer to Section 12 10 3 2 Adding a DMVPN Interface 7 Configure an IPsec GRE tunnel from the hub to the device using the IP address defined for the device s DMVPN interface 8 Verify the status of t...

Page 478: ...d or exploitation For increased security Siemens recommends configuring a key to authenticate the NHRP interface Parameter Description enabled A boolean flag to indicate Next Hop Resolution Protocol NHRP is enabled on this interface address address Synopsis A string 9 to 18 characters long IPv4 address of remote GRE interface to be used for this NHRP session holdtime holdtime Synopsis A 32 bit uns...

Page 479: ...w services nhrp status If DMVPN interfaces have been configured a table or list similar to the following example appears ruggedcom show services nhrp status ROW RAW FROM OPENNHRPCTL 0 1 Status ok 2 3 Interface gre gre 1 4 Type local 5 Protocol Address 192 168 0 1 32 6 Flags up 7 8 Status ok 9 10 Interface gre gre 1 11 Type static 12 Protocol Address 192 168 0 2 24 13 NBMA Address 61 1 1 2 14 Flags...

Page 480: ...erface s IP address Protocol Address 172 30 168 2 32 Flags The flag s assigned to the last NHRP registration request packet Possible values unique The NHRP peer is unique Its NRHP mapping entry cannot be overwritten by a mapping entry with the same IP address even if the associated peer has a different NBMA address used The NHRP peer is in the kernel ARP table up A connection with the NHRP peer ha...

Page 481: ...al Routing and Forwarding VRF Section 13 12 Managing Static Routing Section 13 13 Managing Static Multicast Routing Section 13 14 Managing Dynamic Multicast Routing Section 13 1 Viewing the Status of IPv4 Routes To view the status of the IPv4 routes configured on the device type NOTE It is possible to create a route on a locally connected broadcast network i e without a gateway without also bringi...

Page 482: ...7 1 3 2 Adding an IPv4 Address Section 13 2 Viewing the Status of IPv6 Routes To view the status of the IPv6 routes configured on the device type show routing status ipv6routes If IPv6 routes have been configured a table or list similar to the following example appears ruggedcom show routing status ipv6routes DESTINATION GATEWAY INTERFACE TYPE WEIGHT METRIC fe80 64 switch kernel 256 fe80 64 dp1 ke...

Page 483: ...ing the Memory Statistics To view statistics related to the Core RIP OSPF and BGP daemons type show routing status memory A list similar to the following example appears ruggedcom show routing status memory routing status memory zebra total 405504 used 359424 free 46080 rip total 0 used 0 free 0 ospf total 0 used 0 free 0 bgp total 0 used 0 free 0 This list provides the following information Param...

Page 484: ...opriate Parameter Description ignore icmp all Synopsis true false Default false Ignores all ICMP echo requests sent to it ignore icmp broadcast Synopsis true false Default true Ignores all ICMP ECHO and TIMESTAMP requests sent to it via broadcast multicast send icmp redirect Synopsis true false Default true Sends the ICMP redirect 3 Type commit and press Enter to save the changes or type revert an...

Page 485: ...ackers have been configured a table or list similar to the following example appears ruggedcom show running config global tracking global tracking event host in lan 11 target 192 168 11 100 timeout 500 interval 500 fall 3 rise 3 If no event trackers have been configured add event trackers as needed For more information refer to Section 13 5 3 Adding an Event Tracker Section 13 5 2 Viewing Event Tr...

Page 486: ...nfiguration mode 2 Add the event tracker by typing global tracking event name name is the name of the tracking event 3 Configure the following parameter s as required Parameter Description target target Synopsis A string 1 to 253 characters long Configures the ping target as an IPv4 address or hostname domain This parameter is mandatory source ip source ip Synopsis A string 7 to 15 characters long...

Page 487: ...evert and press Enter to abort Section 13 6 Managing IS IS Intermediate System Intermediate System IS IS is one of a suite of routing protocols tasked with sharing routing information between routers The job of the router is to enable the efficient movement of data over sometimes complex networks Routing protocols are designed to share routing information across these networks and use sophisticate...

Page 488: ...ve on the same router at the same time Typically however only one dynamic routing protocol is employed at one time CONTENTS Section 13 6 1 1 IS IS Routers Section 13 6 1 2 Network Entity Title NET Addresses Section 13 6 1 3 Advantages and Disadvantages of Using IS IS Section 13 6 1 1 IS IS Routers IS IS routers can be defined as Level 1 Level 2 or both Level 1 routers form the area while Level 2 r...

Page 489: ...dvantages of using IS IS include the following Advantages runs natively on the OSI network layer can support both IPv4 and IPv6 networks due to it s independence from IP addressing IS IS concept of areas is simpler to understand and implement IS IS updates grouped together and sent as one LSP rather than several small LSAs as with OSPF better scalability than OSPF due to a leaner daemon with less ...

Page 490: ...nterface use point to point network communication and be in the same area 192 168 12 0 24 192 168 11 0 24 R4 16 16 16 16 R5 15 15 15 15 R3 18 18 18 18 R1 78 78 78 78 R2 72 72 72 72 eth1 3 1 3 5 0 32 3 2 1 2 6 0 32 2 eth1 eth1 1 eth2 1 eth2 1 9 5 0 32 2 2 3 1 4 5 0 32 2 Figure 22 Multi Level IS IS Configuration Section 13 6 3 Viewing the Status of Neighbors To view the status of neighboring devices...

Page 491: ...status by typing routing status isis isis database status Or display a more detailed status by typing routing status isis isis database detail status If IS IS routes have been configured a list similar to the following example appears ruggedcom routing status isis isis database status isis database status Area area1 IS IS Level 1 link state database LSP ID PduLen SeqNumber Chksum Holdtime ATT P OL...

Page 492: ...s ATT Attach bit indicating the router is attached to another area P Partition bit set only if LSP supports partition repair OL Overload set only if the originator s LSP database is overloaded Section 13 6 5 Managing Area Tags An IS IS area is a grouping of inter connected or neighboring IS IS configured routers As opposed to OSPF where an Area Border Router ABR can exist in two areas at once IS I...

Page 493: ...min domain authentication validate net 49 0001 1921 6800 1001 00 redistribute bgp is type level 1 2 metric type internal metric 10 lsp gen interval is type level 1 only interval 60 lsp refresh interval is type level 1 2 interval 20 max lsp lifetime is type level 2 only interval 10 spf interval is type level 1 2 interval 5 If no area tags have been configured add area tags as needed For more inform...

Page 494: ...sis A string 1 to 254 characters long The domain password to be used for transmission of level 2 LSPs domain authentication domain authentication Synopsis send only validate Default send only The authentication option to be used with the domain password on SNP PDUs Default is send only 4 Add one or more Network Entity Titles NETs For more information refer to Section 13 6 11 Managing Network Entit...

Page 495: ...and WAN HDLC ETH interfaces CONTENTS Section 13 6 6 1 Viewing a List of Interfaces Section 13 6 6 2 Configuring an Interface Section 13 6 6 1 Viewing a List of Interfaces To view a list of interfaces for dynamic IS IS routes type show running config routing isis interface If interfaces have been configured a table or list similar to the following example appears ruggedcom show running config routi...

Page 496: ...vel 2 backbone can have neighbors on different areas Level 1 2 can have neighbors on any areas Default is level 1 2 point to point Synopsis true false Default false Enable or disable point to point network communication passive Synopsis true false Default true Whether an interface is active or passive Passive interfaces do not send packets to other routers and are not part of an IS IS area circuit...

Page 497: ...ew LSP causes other routers in the area to recalculate routes it is recommended to increase the interval to decrease flooding during periods of network instability so as to reduce the load on other routers in the area CONTENTS Section 13 6 7 1 Viewing a List of LSP Generation Intervals Section 13 6 7 2 Adding an LSP Generation Interval Section 13 6 7 3 Deleting an LSP Generation Interval Section 1...

Page 498: ...erface by typing no routing isis area name lsp gen interval is type level 1 2 level 1 only level 2 only interval seconds Where name is the unique name for a routing process that belongs to a specific router level is the IS type seconds is the minimum interval in seconds ranging from 1 to 120 The default value is 30 3 Type commit and press Enter to save the changes or type revert and press Enter to...

Page 499: ... Adding an SPF Calculation Interval To add an SPF calculation interval to an IS IS area do the following 1 Make sure the CLI is in Configuration mode 2 Add a new interval by typing routing isis area name spf interval is type level 1 2 level 1 only level 2 only interval seconds Where name is the unique name for a routing process that belongs to a specific router level is the IS type seconds is the ...

Page 500: ...IS IS network NOTE For information about configuring the refresh interval for an LSP refer to Section 13 6 10 Managing LSP Refresh Intervals CONTENTS Section 13 6 9 1 Viewing a List of LSP Lifetime Intervals Section 13 6 9 2 Adding an LSP Lifetime Interval Section 13 6 9 3 Deleting an LSP Lifetime Interval Section 13 6 9 1 Viewing a List of LSP Lifetime Intervals To view a list of LSP lifetime int...

Page 501: ...nges or type revert and press Enter to abort Section 13 6 9 3 Deleting an LSP Lifetime Interval To delete an LSP lifetime interval for an IS IS area do the following 1 Make sure the CLI is in Configuration mode 2 Delete the LDP interface by typing no routing isis area name max lsp lifetime is type level 1 2 level 1 only level 2 only interval seconds Where name is the unique name for a routing proc...

Page 502: ...igured a table or list similar to the following example appears ruggedcom show running config routing isis area Area_1 lsp refresh interval tab ISTYPE INTERVAL level 1 only 60 If no intervals have been configured add intervals as needed For more information refer to Section 13 6 10 2 Adding an LSP Refresh Interval Section 13 6 10 2 Adding an LSP Refresh Interval To add an LSP refresh interval to a...

Page 503: ... NETs Network Entity Titles NETs define the area address and system ID for the router Traffic received from another router that shares the same area address and system ID will be forwarded to this router RUGGEDCOM ROX II supports IS IS multi homing which allows for multiple NETs to be defined for a single router and increases the list of possible traffic sources Each NET has a hexadecimal value wh...

Page 504: ...o the following example appears ruggedcom show running config routing isis area Area_1 net tab NET TITLE 49 0001 1921 6800 1001 00 If no NETs have been configured add NETs as needed For more information refer to Section 13 6 11 2 Adding a NET Section 13 6 11 2 Adding a NET To add a Network Entity Title NET for an IS IS area do the following 1 Make sure the CLI is in Configuration mode 2 Add the NE...

Page 505: ...ining a metric for the source routing protocol As each routing protocol calculates routes differently care must be taken to define a metric that is understood by the protocol There are two types of metrics internal and external Both types can be assigned a value between 0 and 63 However to prevent external metrics from competing with internal metrics 64 is automatically added to any external metri...

Page 506: ...ansmitting packets over the IS IS route Options include bgp connected kernel ospf rip and static 3 Configure the following parameter s as required Parameter Description is type is type Synopsis level 1 only level 2 only level 1 2 IS type of the IS IS information specified as level 1 only level 2 only or level 1 2 If not provided uses IS type from area metric type metric type Synopsis internal exte...

Page 507: ... interface may exchange routes A neighbor is a specific router specified by its IP address to exchange routes with For point to point links i e T1 E1 links neighbor entries must be used to add other routers to exchange routes with The maximum number of hops between two points on a RIP network is 15 placing a limit on network size Link failures will eventually be noticed when using RIP although it ...

Page 508: ...ynopsis An 8 bit signed integer between 1 and 2 Set the RIP version to accept for reads and send The version can be either 1 or 2 Disabling RIPv1 by specifying version 2 is STRONGLY encouraged 3 Configure prefix lists For more information refer to Section 13 7 3 3 Adding a Prefix List 4 Configure a network For more information refer to Section 13 7 4 1 Configuring a Network 5 Configure the prefix ...

Page 509: ...is route comes from tag Synopsis A string Tag time Synopsis A string The route update time To view the status of the RIP interfaces configured on the device type show routing status rip interface If RIP interfaces have been configured a table or list similar to the following example appears ruggedcom show routing status rip interface tab NEXT NAME NETWORK TYPE SUB TYPE HOP METRIC FROM TAG TIME swi...

Page 510: ...13 7 3 1 Viewing a List of Prefix Lists Section 13 7 3 2 Viewing a List of Prefix Entries Section 13 7 3 3 Adding a Prefix List Section 13 7 3 4 Adding a Prefix Entry Section 13 7 3 5 Deleting a Prefix List Section 13 7 3 6 Deleting a Prefix Entry Section 13 7 3 1 Viewing a List of Prefix Lists To view a list of prefix lists for dynamic RIP routes type show running config routing rip filter prefix...

Page 511: ...ation refer to Section 13 7 3 4 Adding a Prefix Entry Section 13 7 3 3 Adding a Prefix List To add a prefix list for dynamic RIP routes do the following 1 Make sure the CLI is in Configuration mode 2 Add the list by typing routing rip filter prefix list name Where name is the name of the prefix list 3 Configure the following parameter s as required Parameter Description description description Syn...

Page 512: ...be matched ge ge Synopsis An 8 bit unsigned integer between 1 and 32 The minimum prefix length to be matched 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 7 3 5 Deleting a Prefix List To delete a prefix list for dynamic RIP routes do the following 1 Make sure the CLI is in Configuration mode NOTE Deleting a prefix list removes all associate pr...

Page 513: ... Neighbor NOTE RIP v1 does not send subnet mask information in its updates Any networks defined are restricted to the classic i e Class A B and C networks NOTE If neighbors are specified but no networks are specified the router will receive routing information from its neighbors but will not advertise any routes to them For more information about neighbors refer to Section 13 7 7 Managing Neighbor...

Page 514: ...which to filter routing updates and interface is the name of the interface 3 Configure the following parameter s as required Parameter Description event event Synopsis A string Selects an event to track The distribute prefix list is applied only when the tracked event is in the UP state This parameter is mandatory apply when apply when Synopsis up down Default up Applies the distribute prefix list...

Page 515: ...bnet address and prefix for the network 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 7 5 3 Deleting a Network IP Address To delete an IP address from a RIP network do the following 1 Make sure the CLI is in Configuration mode 2 Delete the IP address by typing no routing rip network ip address Where address is the IP subnet address and prefix ...

Page 516: ...re information refer to Section 13 7 7 2 Adding a Neighbor Section 13 7 6 2 Adding a Network Interface To add an interface for a RIP network do the following 1 Make sure the CLI is in Configuration mode 2 Add the neighbor by typing routing rip network interface name Where name is the name of the interface 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Sec...

Page 517: ...xample appears ruggedcom show running config routing rip network neighbor routing rip network neighbor 192 168 33 2 If no neighbors have been configured add neighbors as needed For more information refer to Section 13 7 7 2 Adding a Neighbor Section 13 7 7 2 Adding a Neighbor To add a neighbor for a RIP network do the following 1 Make sure the CLI is in Configuration mode 2 Add the neighbor by typ...

Page 518: ...paths for dynamic RIP routes type show running config routing rip distribute prefix list If distribution paths have been configured a table or list similar to the following example appears ruggedcom show running config routing rip distribute prefix list routing rip distribute prefix list out prefix list list permit lan 22 If no prefix list distribution paths have been configured add distribution p...

Page 519: ...no routing rip distribute prefix list direction interface Where direction is the direction incoming or outgoing in which to filter routing updates interface is the name of the interface This parameter is optional 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 7 9 Managing Key Chains and Keys Key chains are collections of keys or shared secrets ...

Page 520: ...nfigured add key chains as needed For more information refer to Section 13 7 9 3 Adding a Key Chain Section 13 7 9 2 Viewing a List of Keys To view a list of keys in a key chain type show running config routing rip rip key chain name key Where name is the name of the key chain If keys have been configured a table or list similar to the following example appears ruggedcom show running config routin...

Page 521: ...me is the time period in which the key is accepted by the device The send lifetime is the time period in which they key can be sent to other devices This is referred to as hitless authentication key rollover a method for seamlessly updating authentication keys without having to reset network sessions To add a key to a key chain do the following 1 Make sure the CLI is in Configuration mode 2 Add th...

Page 522: ...ete a key chain for dynamic RIP routes do the following 1 Make sure the CLI is in Configuration mode 2 Delete the key chain by typing no routing rip key chain name Where name is the name of the key chain 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 7 9 6 Deleting a Key To delete a key from a key chain do the following 1 Make sure the CLI is i...

Page 523: ...ning config routing rip redistribute If metrics have been configured a table or list similar to the following example appears ruggedcom show running config routing rip redistribute routing rip redistribute bgp no metric If no redistribution metrics have been configured add metrics as needed For more information refer to Section 13 7 10 2 Adding a Redistribution Metric Section 13 7 10 2 Adding a Re...

Page 524: ...erface A table or list similar to the following example appears ruggedcom show running config routing rip interface tab KEY RECEIVE SEND SPLIT IFNAME MODE CHAIN STRING PASSIVE VERSION VERSION HORIZON dummy0 yes fe cm 1 yes switch 0001 yes Section 13 7 11 2 Configuring a Routing Interface To configure a routing interface for a RIP network do the following NOTE OSPF regards router interfaces as eith...

Page 525: ... 2 packets will be sent split horizon split horizon Synopsis yes no poisoned reverse Default yes A split horizon mode mode Synopsis md5 rfc md5 old ripd text none The authentication mode key chain key chain Synopsis A string The authentication key chain string string Synopsis A string 1 to 16 characters long The authentication string 5 Type commit and press Enter to save the changes or type revert...

Page 526: ...P Routes Section 13 8 13 Resetting a BGP Session Section 13 8 1 Configuring BGP To configure dynamic routing with BGP do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to routing bgp and configure the following parameter s as required Parameter Description enabled Enables BGP as id as id Synopsis A 32 bit unsigned integer between 1 and 65535 Autonomous System ID always compa...

Page 527: ...pe revert and press Enter to abort NOTE Following a change in the routing policy due to a configuration change the BGP session must be reset for the new policy to take effect 11 Reset the BGP session For more information refer to Section 13 8 13 Resetting a BGP Session Section 13 8 2 Managing Route Maps Route maps are sequential statements used to filter routes that meet the defined criteria If a ...

Page 528: ...ion refer to Section 13 8 5 3 Adding an Autonomous System Path Filter Section 13 8 2 2 Viewing a List of Route Map Filter Entries To view a list of entries for a route map filter for either BGP type show running config routing bgp filter route map tag entry Where tag is the tag for the route map filter If entries have been configured a table or list similar to the following example appears ruggedc...

Page 529: ...number Where tag is the tag for the route map filter number is the sequence number for the entry 3 Configure the following parameter s as required Parameter Description action action Synopsis deny permit Default permit Action call call Synopsis A string Jump to another route map after match set on match goto on match goto Synopsis A string Go to this entry on match 4 Configure the match rules for ...

Page 530: ... changes or type revert and press Enter to abort Section 13 8 2 7 Configuring Match Rules To configure match rules for a route map filter entry do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to routing bgp filter route map tag entry number match where tag is the tag for the route map filter and number is the sequence number for the entry 3 Configure the following paramete...

Page 531: ...meter is not supported and any value is ignored by the system weight weight Synopsis A 32 bit unsigned integer Weight 4 Add pre pended and or excluded autonomous system paths For more information refer to Section 13 8 3 3 Adding a Prepended Autonomous System Path Filter and or Section 13 8 3 4 Adding an Excluded Autonomous System Path filter 5 Type commit and press Enter to save the changes or typ...

Page 532: ...For more information refer to Section 13 8 3 3 Adding a Prepended Autonomous System Path Filter Section 13 8 3 2 Viewing a List of Excluded Autonomous System Paths To view a list of excluded autonomous system path filters configured for a BGP route map entry type show running config routing bgp filter route map name entry number set as path exclude Where name is the name of the route map number is...

Page 533: ...I is in Configuration mode 2 Add the path by typing routing bgp filter route map name entry number set as path exclude path Where name is the name of the route map number is the entry number path is the number for the autonomous system path 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 8 3 5 Deleting a Prepended Autonomous System Path Filter T...

Page 534: ...ies Neighbors can be associated with prefix lists which allow the BGP daemon to filter incoming or outgoing routes based on the allow and deny entries in the prefix list CONTENTS Section 13 8 4 1 Viewing a List of Prefix Lists Section 13 8 4 2 Viewing a List of Prefix Entries Section 13 8 4 3 Adding a Prefix List Section 13 8 4 4 Adding a Prefix Entry Section 13 8 4 5 Deleting a Prefix List Sectio...

Page 535: ...EQ ACTION SUBNET LE GE 5 permit 192 168 40 0 24 32 6 deny 192 168 5 21 32 If no entries have been configured add entries as needed For more information refer to Section 13 8 4 4 Adding a Prefix Entry Section 13 8 4 3 Adding a Prefix List To add a prefix list for dynamic BGP routes do the following 1 Make sure the CLI is in Configuration mode 2 Add the list by typing routing bgp filter prefix list ...

Page 536: ...work xxx xxx xxx xxx xx This parameter is mandatory le le Synopsis An 8 bit unsigned integer between 1 and 32 The maximum prefix length to match ipaddress within subnet ge ge Synopsis An 8 bit unsigned integer between 1 and 32 The minimum prefix length to match ipaddress within subnet 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 8 4 5 Deletin...

Page 537: ...ction 13 8 5 1 Viewing a List of Autonomous System Paths Section 13 8 5 2 Viewing a List of Autonomous System Path Entries Section 13 8 5 3 Adding an Autonomous System Path Filter Section 13 8 5 4 Adding an Autonomous System Path Filter Entry Section 13 8 5 5 Deleting an Autonomous System Path Section 13 8 5 6 Deleting an Autonomous System Path Filter Entry Section 13 8 5 1 Viewing a List of Auton...

Page 538: ...th Filter To add an autonomous system path filter for dynamic BGP routes do the following 1 Make sure the CLI is in Configuration mode 2 Add the new filter by typing routing bgp filter as path name Where name is the name of the autonomous system path filter 3 Add one or more entries For more information refer to Section 13 8 5 4 Adding an Autonomous System Path Filter Entry 4 Type commit and press...

Page 539: ...ath name Where name is the name of the autonomous system path filter 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 8 5 6 Deleting an Autonomous System Path Filter Entry To delete an entry for an autonomous system path filter do the following 1 Make sure the CLI is in Configuration mode 2 Delete the filter key by typing no routing bgp filter as...

Page 540: ...ewing a List of Neighbors To view a list of neighbors configured for a BGP network type show running config routing bgp neighbor If neighbors have been configured a table or list similar to the following example appears ruggedcom show running config routing bgp neighbor routing bgp neighbor 192 168 123 3 remote as 100 no ebgp multihop no maximum prefix no next hop self no password no route map in ...

Page 541: ...ks maximum prefix maximum prefix Synopsis A 32 bit unsigned integer between 1 and 4294967295 The maximum prefix number accepted from this peer next hop self Disables the next hop calculation for this neighbor password password Synopsis A string 1 to 1024 characters long Password update source update source Synopsis A string 7 to 15 characters long Source IP address of routing updates disable conne...

Page 542: ...ereby advertising the network to a router s BGP peers when the tracked target is unavailable To track a command for a BGP neighbor do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to routing dynamic bgp neighbor address where address is the IP subnet address and prefix for the neighbor 3 Configure the following parameter s as required Parameter Description event event Synop...

Page 543: ...4 of the 192 168 0 0 16 range it is more efficient to advertise the one Class B network specification 192 168 0 0 16 to its BGP neighbors NOTE If neighbors are specified but no networks are specified the router will receive routing information from its neighbors but will not advertise any routes to them For more information about neighbors refer to Section 13 8 6 Managing Neighbors CONTENTS Sectio...

Page 544: ...d on the event tracker s state The apply when parameter determines when the command is activated For example if the apply when parameter is set to down the network command becomes active thereby advertising the network to a router s BGP peers when the tracked target is unavailable To track a command for a BGP network do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to routi...

Page 545: ...ion 13 8 8 1 Viewing a List of Aggregate Addresses To view a list of aggregate addresses for dynamic BGP routes type show running config routing bgp aggregate address If addresses have been configured a table or list similar to the following example appears ruggedcom show running config routing bgp aggregate address routing bgp aggregate address 11 11 0 0 16 options summary only If no aggregate ad...

Page 546: ...e revert and press Enter to abort Section 13 8 9 Managing Aggregate Address Options This section describes how to set the as set and summary only options for BGP aggregate addresses CONTENTS Section 13 8 9 1 Viewing a List of Aggregate Address Options Section 13 8 9 2 Adding an Aggregate Address Option Section 13 8 9 3 Deleting an Aggregate Address Option Section 13 8 9 1 Viewing a List of Aggrega...

Page 547: ...ate address address options summary only as set Where address is the subnet address and prefix for the aggregate address 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 8 10 Managing Redistribution Metrics Redistribution metrics redistribute routing information from other routing protocols static routes or routes handled by the kernel Routes for...

Page 548: ...buted routes 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 8 10 3 Deleting a Redistribution Metric To delete a redistribution metric for dynamic BGP routes do the following 1 Make sure the CLI is in Configuration mode 2 Delete the metric by typing no routing bgp redistribute rip ospf connected static kernel 3 Type commit and press Enter to sav...

Page 549: ...identifier However in internal BGP iBGP each router shares the same AS numeric identifier so all routes received by a router would be dropped One method for solving this problem is to have each iBGP router establish neighborship with its peers but that would result in a significant number of BGP sessions and unnecessary traffic on large networks The formula for determining the number of BGP sessio...

Page 550: ...GP Topology 1 Fully Meshed iBGP Peers Non Clients 2 Route Reflector 3 Cluster Clients Combining Clusters for Scalability Multiple clusters can be linked together via their route reflectors to form a full mesh topology of internal peers In this configuration routes advertised to a route reflector are not only re advertised to its clients but also with the other route reflectors who in turn advertis...

Page 551: ...ally meshed by combining them in a cluster of their own RR1 RR3 RR4 RR2 Figure 27 Multiple Clusters Partially Meshed Redundant Route Reflectors To avoid a single point of failure in the BGP network each cluster should be served by more than one route reflector to provide redundancy in case of failure In this arrangement each route reflectors are configured to have the same BGP neighbors as clients...

Page 552: ...f the device For more information refer to Section 13 8 11 3 Configuring BGP Neighbors as Clients 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 8 11 3 Configuring BGP Neighbors as Clients When the device is configured to be a route reflector BGP neighbors can then be configured to be clients of the reflector BGP Neighbors To configure a BGP ne...

Page 553: ...family to be a client of the device do the following 1 Make sure a VPNv4 address family is defined For more information refer to Section 13 11 9 2 Adding a Neighbor 2 Configure the desired BGP neighbor in the VPNv4 address family to be a client of the route reflector by typing routing bgp address family vpnv4 address route reflector client enabled Where address is the IP address of the BGP neighbo...

Page 554: ... to Section 13 8 11 2 Configuring the Device as a Route Reflector 2 For each router that advertises and forwards routes to the route reflector define a BGP neighbor Make sure each belongs to the same AS For more information refer to Section 13 8 6 2 Adding a Neighbor 3 For each BGP neighbor that belongs to the route reflector s cluster enable the neighbor as a route reflector client For more infor...

Page 555: ...pology three route reflectors RR1 RR2 and RR3 are internal peers of one another RR3 RR2 RR1 R1 Figure 30 Linked Clusters When an external BGP eBGP router R1 advertises routes to RR1 RR1 readvertises the routes to RR2 RR3 and its clients RR2 and RR3 then readvertise the routes again to their clients Configuration To configure this topology do the following 1 Configure the clusters for RR1 RR2 RR3 F...

Page 556: ... remote as 100 route reflector client enabled neighbor 172 30 140 30 Client remote as 100 route reflector client enabled RR2 172 30 110 20 routing bgp enabled as id 100 route reflector cluster id 10 11 12 13 neighbor 172 30 110 10 RR1 remote as 100 no route reflector client enabled neighbor 172 30 110 30 RR3 remote as 100 no route reflector client enabled neighbor 172 30 150 10 Client remote as 10...

Page 557: ...logy a route reflector RR1 forms a cluster with two other route reflectors RR2 and RR3 RR2 and RR3 are also part of their own individual clusters each of which consists of three clients RR2 C1 C2 C3 RR3 C4 C5 C6 RR1 R1 Figure 31 Hierarchical Clusters Topology When an external BGP eBGP router R1 advertises routes to RR1 RR1 readvertises the routes to RR2 and RR3 RR2 and RR3 then readvertise the rou...

Page 558: ... id 10 11 12 13 neighbor 172 30 140 10 RR1 remote as 100 no route reflector client enabled neighbor 172 30 150 10 Client remote as 100 route reflector client enabled neighbor 172 30 150 20 Client remote as 100 route reflector client enabled neighbor 172 30 150 30 Client remote as 100 route reflector client enabled RR3 172 30 140 30 routing bgp enabled as id 100 route reflector enabled route reflec...

Page 559: ...ion from R2 via its VRF interface 1 1 2 1 It then readvertises the information to its client R1 R2 receives BGP routing information from R3 an external BGP eBGP router Configuration To configure this topology do the following 1 Configure RR a Configure a VRF definition for VRF1 with a route distinguisher of 100 1 For more information refer to Section 13 11 5 2 Adding a VRF Definition b Define a ro...

Page 560: ...s Family h Define a redistribution metric for IPv4 family of type connected For more information refer to Section 13 11 11 2 Adding a Redistribution 2 Configure R1 a Enable BGP and configure the following parameters Parameter Value Autonomous System ID 100 Router ID 5 5 5 1 For more information refer to Section 13 8 1 Configuring BGP b Define the following BGP neighbor Parameter Value Neighbor IP ...

Page 561: ... Value Autonomous System ID 101 Router ID 5 5 5 3 For more information refer to Section 13 8 1 Configuring BGP b Define the following BGP neighbor Parameter Value Neighbor IP Address 1 1 3 1 Autonomous System ID 101 For more information refer to Section 13 8 6 2 Adding a Neighbor c Define a redistribution metric for BGP of type connected For more information refer to Section 13 8 10 2 Adding a Red...

Page 562: ...nnected R3 Configuration routing bgp enabled as id 100 router id 5 5 5 3 neighbor 1 1 3 1 remote as 100 redistribute connected Section 13 8 11 8 Example Route Reflection with VPNv4 Clients BGP route reflection can be used to advertise VPNv4 routes between Provider Edge PE devices inside a provider network This specific application is complicated by the fact that VPNv4 routes to the Customer Edge C...

Page 563: ...ference Synopsis A string Local preference weight Synopsis A 32 bit signed integer Weight as path Synopsis A string Path origin Synopsis A string Origin To view the status of the dynamic BGP neighbor configured on the device type show routing status bgp neighbor If BGP neighbors have been configured a table or list similar to the following example appears ruggedcom show routing status bgp neighbor...

Page 564: ...fix received Synopsis A string Number of prefixes networks received from this neighbor Parameter Description network Synopsis A string Network next hop Synopsis A string Next hop address selected Synopsis true false Selected next hop for this route internal Synopsis true false Internal route metric Synopsis A 32 bit signed integer Metric value local preference Synopsis A string Local preference we...

Page 565: ...s continue to run while running both inbound and outbound actions soft inbound The existing peering sessions continue to run while generating inbound updates from all neighbors soft outbound The existing peering sessions continue to run while sending outbound updates to all neighbors 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Resetting a BGP Session f...

Page 566: ...outes Area numbers are assigned to each area All routers in the area are known as Area routers If traffic must flow between two areas a router with links in each area is selected to be an Area Border router and serves as a gateway NOTE The router id parameter defines the ID of the router By default this is the highest IP assigned to the router It is recommended to configure this value manually to ...

Page 567: ...the area Once a designated router is picked all routing state changes are sent to the designated router which then sends the resulting changes to all the routers The election is decided based on the priority assigned to the interface of each router The highest priority wins If the priority is tied the highest router id wins Section 13 9 2 Configuring OSPF To configure dynamic routing using the Ope...

Page 568: ...e information refer to Section 13 9 8 2 Adding a Redistribution Metric 7 Configure interfaces For more information refer to Section 13 9 9 2 Configuring a Routing Interface 8 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 9 3 Viewing the Status of Dynamic OSPF Routes To view the status of the dynamic OSPF routes configured on the device type show...

Page 569: ...string Address interface Synopsis A string Interface priority Synopsis A string Priority state Synopsis A string State dead time Synopsis A string Dead Time To view the status of the dynamic OSPF database configured on the device type show routing status ospf database If an OSPF neighbor have been configured a table or list similar to the following example appears ruggedcom show routing status osp...

Page 570: ...rmation about configuring OSPF refer to Section 13 9 2 Configuring OSPF Section 13 9 4 Managing Prefix Lists and Entries Neighbors can be associated with prefix lists which allow the OSPF daemon to filter incoming or outgoing routes based on the allow and deny entries in the prefix list CONTENTS Section 13 9 4 1 Viewing a List of Prefix Lists Section 13 9 4 2 Viewing a List of Prefix Entries Secti...

Page 571: ...ix List Section 13 9 4 2 Viewing a List of Prefix Entries To view a list of entries for dynamic OSPF OSPF or OSPF prefix lists type For Standard OSPF Routes routing ospf filter prefix list name entry For VRF Routes via OSPF routing ospf vrf vrf filter prefix list name entry Where vrf is the name of the chosen VRF name is the name of the prefix list If entries have been configured a table or list s...

Page 572: ...nges or type revert and press Enter to abort Section 13 9 4 4 Adding a Prefix Entry To add an entry for a dynamic OSPF prefix list do the following 1 Make sure the CLI is in Configuration mode 2 Add the entry by typing For Standard OSPF Routes routing ospf filter prefix list name entry number For VRF Routes via OSPF routing ospf vrf vrf filter prefix list name entry number Where vrf is the name of...

Page 573: ...pf filter prefix list name For VRF Routes via OSPF no routing ospf vrf vrf filter prefix list name Where vrf is the name of the chosen VRF name is the name of the prefix list 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 9 4 6 Deleting a Prefix Entry To delete an entry for a dynamic OSPF prefix list do the following 1 Make sure the CLI is in C...

Page 574: ...ection 13 9 5 1 Viewing a List of Areas Section 13 9 5 2 Adding an Area Section 13 9 5 3 Deleting an Area Section 13 9 5 1 Viewing a List of Areas To view a list of areas configured for dynamic OSPF routes type For Standard OSPF Routes show running config routing ospf area For VRF Routes via OSPF show running config routing ospf vrf vrf area Where vrf is the name of the chosen VRF If areas have be...

Page 575: ...t in the router LSA originated for the area and uses it for shortcutting Other ABRs in the area must also report the new bit However if the ABR does not have an active backbone connection it uses the area unconditionally for shortcutting and sets the new bit in the router LSA originated for the area Disable The ABR does not use this area for shortcutting or set the new bit S bit in the router LSA ...

Page 576: ...s Section 13 9 6 2 Viewing a List of Route Map Filter Entries Section 13 9 6 3 Adding a Route Map Filter Section 13 9 6 4 Adding a Route Map Filter Entry Section 13 9 6 5 Deleting a Route Map Filter Section 13 9 6 6 Deleting a Route Map Filter Entry Section 13 9 6 7 Configuring Match Rules Section 13 9 6 1 Viewing a List of Route Map Filters To view a list of route map filters for either dynamic O...

Page 577: ...IX PREFIX PREFIX LOCAL NEXT ORIGINATOR SEQ ACTION CALL GOTO PATH LIST LIST LIST METRIC PEER ORIGIN AS IP PREFERENCE OPERATION VALUE HOP ORIGIN ID WEIGHT AS 10 permit If no filters have been configured add filters as needed For more information refer to Section 13 9 6 4 Adding a Route Map Filter Entry Section 13 9 6 3 Adding a Route Map Filter To add a route map filter for dynamic OSPF routes do th...

Page 578: ...ion action Synopsis deny permit Default permit Action call call Synopsis A string Jump to another route map after match set on match goto on match goto Synopsis A string Go to this entry on match Parameter Description metric metric Synopsis A 32 bit unsigned integer Metric value metric type metric type Synopsis An 8 bit signed integer between 1 and 2 External route type 4 Configure the match rules...

Page 579: ... For VRF Routes via OSPF no routing ospf vrf vrf filter route map tag entry number Where vrf is the name of the chosen VRF tag is the tag for the route map filter number is the sequence number for the entry 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 9 6 7 Configuring Match Rules To configure match rules for a route map filter entry do the f...

Page 580: ...rom the routing table NOTE For more information about route map filters refer to Section 13 9 6 Managing Route Maps CONTENTS Section 13 9 7 1 Viewing List of Incoming Route Filters Section 13 9 7 2 Adding an Incoming Route Filter Section 13 9 7 3 Deleting an Incoming Route Filter Section 13 9 7 1 Viewing List of Incoming Route Filters To view a list of route filters configured for incoming adverti...

Page 581: ... incoming route filter route map For VRF Routes via OSPF routing ospf vrf vrf incoming route filter route map Where vrf is the name of the chosen VRF route map is the name of the route map 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 9 7 3 Deleting an Incoming Route Filter To delete a route filter configured for incoming advertised routes do ...

Page 582: ...OSPF routes type For Standard OSPF Routes routing ospf redistribute For VRF Routes via OSPF routing ospf vrf vrf redistribute Where vrf is the name of the chosen VRF If metrics have been configured a table or list similar to the following example appears ruggedcom show running config routing ospf redistribute routing ospf redistribute bgp no metric type no metric If no redistribution metrics have ...

Page 583: ...nges or type revert and press Enter to abort Section 13 9 8 3 Deleting a Redistribution Metric To delete a redistribution metric for dynamic OSPF routes do the following 1 Make sure the CLI is in Configuration mode 2 Delete the metric by typing For Standard OSPF Routes no routing ospf redistribute bgp rip connected static kernel For VRF Routes via OSPF no routing ospf vrf vrf redistribute bgp rip ...

Page 584: ... cm 1 40 10 1 true 5 1 switch 0001 40 10 1 true 5 1 Section 13 9 9 2 Configuring a Routing Interface To configure a routing interface for an OSPF network do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to either For Standard OSPF Routes routing dynamic ospf interface name For VRF Routes via OSPF routing dynamic ospf vrf vrf interface name Where vrf is the chosen VRF name i...

Page 585: ...s of their interface links NOTE The link cost determines which route to use when multiple links can reach a given destination By default OSPF assigns the same cost to all links unless it is provided with extra information about the links Each interface is assumed to be 10 Mbit unless otherwise specified by the auto cost bandwidth parameter set for the interface For more information about the auto ...

Page 586: ...n one second 5 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 9 10 Managing Message Digest Keys Message digest keys use the MD5 algorithm to authenticate OSPF neighbors and prevent unauthorized routers from joining the OSPF network By enabling authentication and configuring a shared key on all the routers only routers which have the same authenti...

Page 587: ...ospf interface switch 0001 message digest key 1 md5 RUGGEDCOM If no message digest keys have been configured add keys as needed For more information refer to Section 13 9 10 2 Adding a Message Digest Key Section 13 9 10 2 Adding a Message Digest Key To add a message digest key to an OSPF routing interface do the following 1 Make sure the CLI is in Configuration mode 2 Add the key by typing For Sta...

Page 588: ...ocol MPLS makes forwarding decisions based on labels where the labels are mapped to destination IP networks MPLS traffic flows are connection oriented as they operate on pre configured LSPs Label Switch Paths built based on the dynamic Label Distribution Protocol LDP or through static label bindings CONTENTS Section 13 10 1 Viewing the Status of IP Binding Section 13 10 2 Viewing the Status of the...

Page 589: ...g The remote label Section 13 10 2 Viewing the Status of the Forwarding Table To view the status of the forwarding table on the device type show mpls status forwarding table A table or list similar to the following example appears ruggedcom show mpls status forwarding table LOCAL OUTGOING OUTGOING LABEL LABEL PREFIX INTERFACE NEXT HOP UPTIME 17 Pop 1 1 1 1 32 switch 0010 192 168 10 1 01 04 31 18 P...

Page 590: ...ls enable Disable no mpls enable 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 10 4 Managing the MPLS Interfaces This section describes how to manage the MPLS interfaces CONTENTS Section 13 10 4 1 Viewing the Status of MPLS Interfaces Section 13 10 4 2 Viewing a List of MPLS Interfaces Section 13 10 4 3 Enabling Disabling an MPLS Interface Sec...

Page 591: ...ng config mpls interface mpls If interfaces have been configured a table or list similar to the following example appears ruggedcom show running config mpls interface mpls tab IFNAME ENABLED fe cm 1 false switch 0001 false switch 0010 true switch 0020 false Where IFNAME is the name of the interface ENABLED refers to the status of the MPLS operation on the interface If no MPLS interfaces have been ...

Page 592: ...Adding a Static Label Section 13 10 5 4 Deleting a Static Label Section 13 10 5 1 Viewing the Status of Static Label Binding To view the status of all configured static label binding type show mpls status static binding If static label binding has been configured a table similar to the following example appears ruggedcom show mpls status static binding IN OUT IP ADDRESS LABEL LABEL NEXTHOP 192 168...

Page 593: ... information about adding static labels refer to Section 13 10 5 3 Adding a Static Label Section 13 10 5 3 Adding a Static Label To add a static label do the following 1 Make sure the CLI is in Configuration mode 2 Add a static label by typing mpls static mpls binding ipv4 ipv6 dest address address Where address is the destination address and prefix 3 Configure the following parameter s as require...

Page 594: ...er to save the changes or type revert and press Enter to abort Section 13 10 6 Managing Static Cross Connects Configure MPLS static cross connects when the device is the core MPLS router Cross connects build Label Switch Paths LSPs when neighboring routers do not deploy the Label Distribution Protocol LDP The entry for static cross connects is added to the Label Forwarding Information Base LFIB An...

Page 595: ...ng a Static Cross Connect Section 13 10 6 2 Viewing a List of Static Cross Connects To view a list of configured static cross connects type show running config mpls static mpls crossconnects If static cross connects have been configured a table or list similar to the following example appears ruggedcom show running config mpls static mpls crossconnect tab OUT OUT LABEL INTERFACE NEXT HOP LABEL 20 ...

Page 596: ...l Where in label is the incoming label 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 10 7 Managing LDP LDP Label Distribution Protocol defined by RFC 5036 http tools ietf org html rfc5036 is a protocol that enables an MPLS capable router to exchange MPLS label information The labels are distributed in both directions so that an LSP Label Switc...

Page 597: ...e following example appears ruggedcom show mpls ldp status binding LOCAL NEXT REMOTE PREFIX LABEL HOP LABEL IN USE 1 1 1 1 17 2 2 2 2 imp null in use 1 1 1 1 17 6 6 6 6 17 2 2 2 2 18 2 2 2 2 imp null in use 2 2 2 2 18 6 6 6 6 18 3 3 3 3 imp null 4 4 4 4 imp null 5 5 5 5 19 2 2 2 2 19 5 5 5 5 19 6 6 6 6 imp null in use This table or list provides the following information Parameter Description pref...

Page 598: ...Synopsis A string LDP discovery peer IP address state Synopsis A string The LDP discovery interface state For more information about configuring LDP discovery interfaces refer to Section 13 10 7 9 Enabling Disabling an LDP Interface Section 13 10 7 3 Viewing the Status of the LDP Neighbor Local Node Information To view the status of the local node s for the LDP neighbor on the device type show mpl...

Page 599: ...ion Synopsis A string The TCP connection of the LDP neighbor connection state Synopsis A string The state of the LDP neighbor connection uptime Synopsis A string The up time of the LDP neighbor connection This table provides the following information Parameter Description peer id Synopsis A string The peer ID of the LDP neighbor connection tcp connection Synopsis A string The TCP connection of the...

Page 600: ...y state peer hello holdtime Synopsis A string The peer hello holdtime of the LDP neighbor discovery agreed hello holdtime Synopsis A string The agreed upon hello holdtime shorter holdtime of local peer of the LDP neighbor discovery peer session holdtime Synopsis A string The peer session holdtime of the LDP neighbor discovery Section 13 10 7 6 Configuring LDP To configure the LDP do the following ...

Page 601: ...rval Synopsis A 32 bit unsigned integer Default 5 The time in seconds between the sending of consecutive Hello messages holdtime holdtime Synopsis A 32 bit unsigned integer Default 15 The time in seconds that a discovered LDP neighbor is remembered without receipt of an LDP Hello message from the neighbor Section 13 10 7 8 Viewing a List of LDP Interfaces To view a list of LDP interfaces type show...

Page 602: ... providers to route different types of traffic emanating from the same router Each routing instance is completely isolated and has its own set of interfaces Any traffic sent on those interfaces is considered to be part of that VRF only An MPLS label can be applied as well to traffic traversing the tunnel to improve security This is considered full VRF as compared to VRF Lite first introduced by Ci...

Page 603: ...IP VPNs to provide a greater level of security than VRF Lite RUGGEDCOM ROX II supports both VRF and VRF Lite simultaneously Use of full VRF interfaces and VRF Lite interfaces can be mixed Section 13 11 1 2 Advantages and Disadvantages of Using VRF The advantages and disadvantages of using VRF include the following Advantages Create multiple isolated network pipes for various data streams Provide i...

Page 604: ...24 fe 1 3 not set not set false 7730176 120784 0 0 9423076 120810 0 0 0 1 1 1 1 32 This table or list provides the following information Parameter Description name Synopsis A string 1 to 15 characters long The name of the interface admin state Synopsis not set up down testing unknown dormant notPresent lowerLayerDown The port s administrative status This parameter is mandatory state Synopsis not s...

Page 605: ...ions detected on the port This parameter is mandatory Section 13 11 3 Configuring VRF To configure Virtual Routing and Forwarding VRF do the following IMPORTANT BGP routing must be enabled before VRF is configured Full VRF Configuration 1 Make sure BGP is enabled and configure the Autonomous System ID for the Border Gateway Protocol BGP For more information refer to Section 13 8 1 Configuring BGP ...

Page 606: ...on 13 9 2 Configuring OSPF 5 Configure one or more VRF instances for OSPF For more information refer to Section 13 9 2 Configuring OSPF 6 Configure an IPv4 address family for each VRF instance For more information refer to Section 13 11 10 2 Adding an IPv4 Address Family 7 Configure one or more static VRF routes For more information refer to Section 13 11 13 2 Adding a Static VRF Route 8 Verify th...

Page 607: ...ition can also be associated with one or more route targets CONTENTS Section 13 11 5 1 Viewing a List of VRF Definitions Section 13 11 5 2 Adding a VRF Definition Section 13 11 5 3 Deleting a VRF Definition Section 13 11 5 1 Viewing a List of VRF Definitions To view a list of VRF definitions type show running config global vrf If definitions have been configured a table or list similar to the foll...

Page 608: ...e route targets For more information refer to Section 13 11 6 2 Adding a Route Target 5 Configure a routable interface for the VRF instance For more information refer to Section 13 11 4 Configuring a VRF Interface 6 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 11 5 3 Deleting a VRF Definition To delete a VRF definition do the following 1 Make s...

Page 609: ...s ruggedcom show running config global vrf definition vrf1 route target global vrf definition vrf1 route target export 200 1 route target import 200 2 route target both 100 2 If no VRF definitions have been configured add definitions as needed For more information refer to Section 13 11 5 2 Adding a VRF Definition Section 13 11 6 2 Adding a Route Target To add a route target do the following 1 Mak...

Page 610: ...13 11 7 Managing VRF Instances and OSPF OSPF can be configured for one or more VRF definitions This is done by by enabling OSPF for a VRF instance and then configuring the required OSPF parameters OSPF can be run on any physical or switched interface as well as VRF Lite interfaces IPv4 and full VRF interfaces IP VPN using MPLS CONTENTS Section 13 11 7 1 Viewing a List of VRF Instances Section 13 1...

Page 611: ...ording to bandwidth 1 4294967 Mbps compatible rfc1583 Enables the compatibility with the obsolete RFC1583 OSPF the current is RFC2178 default information originate Advertises the default route default metric default metric Synopsis A 32 bit unsigned integer between 0 and 16777214 The default metric of redistribute routes distance distance Synopsis A 32 bit unsigned integer between 1 and 255 The ad...

Page 612: ...the VRF instance For more information refer to Section 13 9 6 3 Adding a Route Map Filter 6 Configure redistribution metrics for the VRF instance For more information refer to Section 13 9 8 2 Adding a Redistribution Metric 7 Configure interfaces for the VRF instance For more information refer to Section 13 9 9 2 Configuring a Routing Interface 8 Type commit and press Enter to save the changes or ...

Page 613: ...to the following example appears ruggedcom show running config routing bgp address family vpnv4 tab routing bgp address family vpnv4 neighbor SEND IP COMMUNITY 1 2 6 2 both Section 13 11 8 2 Adding an IP VPN Tunnel To add a new IP VPN tunnel for VRF do the following 1 Make sure the CLI is in Configuration mode 2 Add the neighbor by typing routing bgp address family vpnv4 neighbor address Where add...

Page 614: ...er routers with which to exchange routes One or more neighbors must be specified in order for VRF Lite to operate CONTENTS Section 13 11 9 1 Viewing a List of Neighbors Section 13 11 9 2 Adding a Neighbor Section 13 11 9 3 Deleting a Neighbor Section 13 11 9 1 Viewing a List of Neighbors To view a list of configured VPNv4 neighbors type show running config routing bgp address family vpnv4 neighbor...

Page 615: ... do the following 1 Make sure the CLI is in Configuration mode 2 Delete the network by typing no routing bgp address family vpnv4 neighbor address Where address is the IP address of the neighbor 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 11 10 Managing IPv4 Address Families IPv4 address families are configured when deploying VRF Lite Addres...

Page 616: ...p If no IPv4 address families have been configured add them as needed For more information refer to Section 13 11 10 2 Adding an IPv4 Address Family Section 13 11 10 2 Adding an IPv4 Address Family To add an IPv4 address family do the following 1 Make sure the CLI is in Configuration mode 2 Add the IPv4 address family by typing routing bgp address family ipv4 vrf vrf Where vrf is the name of the a...

Page 617: ...c routing protocol is supported For each VRF instance one or more redistributions can be defined A redistribution defines the source of the routing information a metric and optional a pre defined routing map The metric is used for route decision making within the Autonomous System AS Care must be taken to define a metric that is understood by the OSPF routing protocol CONTENTS Section 13 11 11 1 V...

Page 618: ...etween 0 and 4294967295 The metric for redistributed routes route map route map Synopsis A string The route map name 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 11 11 3 Deleting a Redistribution To delete a redistribution defined for an IPv4 address family do the following 1 Make sure the CLI is in Configuration mode 2 Delete the redistribut...

Page 619: ...ng config routing bgp address family ipv4 vrf VRF1 neighbor routing bgp address family ipv4 vrf VRF1 neighbor 192 168 12 30 remote as 1 no ebgp multihop no maximum prefix no next hop self no password no disable connected check no soft reconfiguration no weight no route map in no route map out If no neighbors have been configured add neighbors as needed For more information refer to Section 13 11 1...

Page 620: ...onnected check Disables connection verification when establishing an eBGP peering session with a single hop peer that uses a loopback interface soft reconfiguration Per neighbor soft reconfiguration weight weight Synopsis A 16 bit unsigned integer The default weight for routes from this neighbor 4 Configure the route map settings by configuring the following parameter s Parameter Description in in...

Page 621: ... advertising the network to a router s RIP peers when the tracked target is unavailable To track a command for an IPv4 address family do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to routing dynamic bgp address family ipv4 vrf neighbor address distribute prefix list In out where vrf is the chosen VRF instance and address is the IP address of the neighbor 3 Configure the ...

Page 622: ... 13 11 13 2 Adding a Static VRF Route Section 13 11 13 3 Configuring a Black Hole Connection for a Static VRF Route Section 13 11 13 4 Deleting a Static VRF Route Section 13 11 13 1 Viewing a List of Static VRF Routes To view a list of routable Ethernet ports type show running config routing vrf vrf ipv4 Where vrf is the chosen VRF instance If routes have been configured a table or list similar to...

Page 623: ...sary add gateways for the static route For more information refer to Section 13 11 14 2 Adding a Gateway for a Static VRF Route 6 If necessary add interfaces for the static route For more information refer to Section 13 11 15 2 Adding a Gateway for a Static VRF Route 7 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 11 13 3 Configuring a Black Hol...

Page 624: ...oute Section 13 11 14 1 Viewing a List of Gateways for Static VRF Routes To view a list of gateway addresses assigned to an IPv4 static route type show running config routing vrf vrf ipv4 route subnet via Where vrf is the chosen VRF instance subnet is the subnet network prefix of the static route If gateway addresses have been configured a table or list similar to the following example appears rug...

Page 625: ...to a static VRF route do the following 1 Make sure the CLI is in Configuration mode 2 Delete the gateway address by typing no routing vrf vrf ipv4 route subnet via gateway Where vrf is the chosen VRF instance subnet is the subnet network prefix of the static route gateway is the gateway address for the static route 3 Type commit and press Enter to save the changes or type revert and press Enter to...

Page 626: ...F route do the following 1 Make sure the CLI is in Configuration mode 2 Add the gateway address by typing routing vrf vrf ipv4 route subnet dev interface Where vrf is the chosen VRF instance subnet is the subnet network prefix of the static route interface is the name of the interface for the static route 3 Configure the following parameter s as required Parameter Description distance distance Syn...

Page 627: ...c Route Section 13 12 4 Deleting a Static Route Section 13 12 5 Configuring a Black Hole Connection for an IPv4 Static Route Section 13 12 6 Managing Gateways for Static Routes Section 13 12 7 Managing Interfaces for Static Routes Section 13 12 1 Viewing a List of Static Routes To view a list of routable Ethernet ports type show running config routing protocol Where protocol is either IPv4 or IPv6...

Page 628: ...route can be hardware accelerated this option will be available For a static unicast route to be accelerated the ingress and egress interfaces must be switched 4 Optional Configure the route as a black hole route For more information refer to Section 13 12 5 Configuring a Black Hole Connection for an IPv4 Static Route 5 Optional If the static route is not a black hole route configure either the in...

Page 629: ...c route 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 12 5 Configuring a Black Hole Connection for an IPv4 Static Route To configure a black hole connection for an IPV4 static route do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to routing ipv4 subnet blackhole where subnet is the subnet network prefix of the static r...

Page 630: ...eter s as required Parameter Description gw gw Synopsis A string 6 to 40 characters long The gateway for the static route This parameter is mandatory distance distance Synopsis A 32 bit unsigned integer between 1 and 255 The distance for the static route 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 12 6 2 Viewing a List of Gateways for IPv4 S...

Page 631: ...3 12 6 4 Deleting a Gateway for an IPv4 Static Route To delete a gateway for an IPv4 static route do the following 1 Make sure the CLI is in Configuration mode 2 Delete the gateway address by typing no routing ipv4 route subnet via gateway Where subnet is the subnet network prefix of the static route gateway is the gateway address for the static route 3 Type commit and press Enter to save the chan...

Page 632: ...unsigned integer between 1 and 255 The distance for the static route 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 12 7 2 Viewing a List of Interfaces for IPv4 Static Routes To view a list of interfaces assigned to an IPv4 static route type show running config routing ipv4 route subnet dev Where subnet is the subnet network prefix of the stati...

Page 633: ...n interface for an IPv4 static route do the following 1 Make sure the CLI is in Configuration mode 2 Delete the gateway address by typing no routing ipv4 route subnet dev interface Where subnet is the subnet network prefix of the static route interface is the name of the interface for the static route 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section...

Page 634: ...while the destination IP address is always a multicast address e g 225 2 100 1 CONTENTS Section 13 13 2 1 Viewing a List of Static Multicast Groups Section 13 13 2 2 Adding a Static Multicast Group Section 13 13 2 3 Deleting a Static Multicast Group Section 13 13 2 1 Viewing a List of Static Multicast Groups To view a list of static multicast groups type show running config routing multicast stati...

Page 635: ...ction 13 13 3 2 Adding an Out Interface 5 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 13 13 2 3 Deleting a Static Multicast Group To delete a static multicast group do the following 1 Make sure the CLI is in Configuration mode 2 Delete the multicast group by typing no routing multicast static mcast groups description Where description is the name...

Page 636: ...13 13 3 2 Adding an Out Interface To add an out interface do the following 1 Make sure the CLI is in Configuration mode 2 Add the out interface by typing routing multicast static mcast groups group out interface ifname Where group is the name of the multicast group ifname is a string of up to 15 characters used to name the out interface 3 Type commit and press Enter to save the changes or type rev...

Page 637: ...re subscribers for a given multicast flow Note that the shared tree is on a per group basis This means that the shared tree for one group could be different than the shared tree for another on the same network depending on the distribution of the multicast traffic subscribers Shortest Path Tree The shortest path tree SPT is a traffic distribution tree which begins at the source of the multicast tr...

Page 638: ...ree has been established the RP may choose to to send a Join message to the source declaring that it only wants traffic for a group e g group G from the source e g source S The DR for the source then starts sending the traffic in multicast form instead of unicast Without encapsulation there is little performance overhead other than what is normal for the traffic when routing in general The RP will...

Page 639: ... 0 24 DR NO NBR 5 192 168 12 1 192 168 12 0 24 PIM 192 168 12 2 6 192 168 14 1 192 168 14 0 24 PIM 192 168 14 4 rp ID PREFIX PRIORITY HOLDTIME 3 3 3 3 225 0 0 1 32 1 105 225 0 0 2 32 1 105 Parameter Description index Synopsis A 32 bit unsigned integer Virtual interface index local address Synopsis A string 1 to 16 characters long Local address subnet Synopsis A string 1 to 20 characters long Subne...

Page 640: ...t elections to determine upstream routers default metric default metric Synopsis A 16 bit unsigned integer equaling 1 or higher Default 1024 Default metric value Metric is the cost of sending data through interface broken cisco checksum If your RP is a cisco and shows many PIM_REGISTER checksum errors from this router setting this option will help 4 Type commit and press Enter to save the changes ...

Page 641: ...save the changes or type revert and press Enter to abort Section 13 14 7 Managing PIM SM Interfaces PIM SM requires at least one interface on which to receive or transmit advertisements The interface must be non passive and be assigned an IP address CONTENTS Section 13 14 7 1 Viewing a List of PIM SM Interfaces Section 13 14 7 2 Enabling Disabling a PIM SM Interface Section 13 14 7 1 Viewing a Lis...

Page 642: ... PIM SM by typing no interface ifname passive Where ifname is the name of the interface passive determines whether the interface is passive default or active no passive NOTE A maximum of 30 non passive interfaces can be active for PIM SM 3 Make sure the chosen interface is assigned an IP address For more information refer to Section 7 1 Managing IP Addresses for Routable Interfaces 4 For VLAN inte...

Page 643: ... routing multicast dynamic pim sm rp address tab ADDRESS GROUP PRIORITY 172 30 145 254 225 0 2 6 8 192 168 0 10 225 0 0 1 8 If no addresses have been configured add addresses as needed For more information refer to Section 13 14 8 2 Adding a Static RP Address Section 13 14 8 2 Adding a Static RP Address To add a static RP address do the following 1 Make sure the CLI is in Configuration mode 2 Add ...

Page 644: ... 2 Adding a Multicast Group Prefix Section 13 14 9 3 Deleting a Multicast Group Prefix Section 13 14 9 1 Viewing a List of Multicast Group Prefixes To view a list of multicast group prefixes type show running config routing multicast dynamic pim sm group prefix If prefixes have been configured a table or list similar to the following example appears ruggedcom show running config routing multicast ...

Page 645: ...changes or type revert and press Enter to abort Section 13 14 9 3 Deleting a Multicast Group Prefix To delete a multicast group prefix do the following 1 Make sure the CLI is in Configuration mode 2 Delete the multicast group prefix by typing no routing multicast dynamic pim sm group prefix prefix Where prefix is the chosen prefix 3 Type commit and press Enter to save the changes or type revert an...

Page 646: ...Chapter 13 Unicast and Multicast Routing RUGGEDCOM ROX II CLI User Guide 600 Deleting a Multicast Group Prefix ...

Page 647: ...end traffic through the gateway VRRP eliminates a single point of failure associated with statically routed networks by providing automatic failover using alternate routers The RUGGEDCOM ROX II VRRP daemon keepalived is an RFC 5798 http tools ietf org html rfc5798 version 2 and version 3 compliant implementation of VRRP NOTE RFC 5798 defines the standard for VRRP version 3 on IPv4 and IPv6 Only IP...

Page 648: ...protocol Even when available these approaches are not always practical due to administrative and operation overhead VRRP solves the problem by allowing the establishment of a virtual router group composed of a number of routers that provide one gateway IP VRRP uses an election protocol to dynamically assign responsibility for the gateway to one of the routers in the group This router is called the...

Page 649: ...es inoperative or if its w1ppp link fails it will relinquish control of gateway IP 1 1 1 253 to router 2 In a similar fashion host 2 can use the VRID 11 gateway address of 1 1 1 252 which will normally be supplied by router 2 1 1 1 200 1 1 1 201 w1ppp w2ppp 3 2 4 6 4 5 1 Figure 33 VRRP Example 1 Network 2 Remote Router 1 3 Remote Router 2 4 Switch 5 Host 1 6 Host 2 In this example the remote route...

Page 650: ...4 Switch 5 Host 1 6 Host 2 In this example the remote routers are configured as follows Remote Router 1 Remote Router 2 VRID_20 Gateway IP 192 168 2 10 VRID_20 Priority 100 VRID_21 Gateway IP 192 168 3 10 VRID_21 Priority 100 VRID_20 Gateway IP 192 168 2 10 VRID_20 Priority 50 VRID_21 Gateway IP 192 168 3 10 VRID_21 Priority 50 Other VRRP parameters are the Advertisement Interval and Gratuitous AR...

Page 651: ...mple when the master router R1 fails the firewall connection and NAT states are initialized automatically for the backup router R2 The backup router then becomes the new VRRP master R2 R1 3 2 6 2 1 4 5 Figure 35 Connection Synchronization Example 1 Host A 2 Switch 3 Primary VRRP Firewall and Router R1 4 Backup VRRP Firewall and Router R2 5 Dedicated Links 6 Host B Section 14 1 2 Viewing the Status...

Page 652: ...e VRRP by typing Enabling VRRP services vrrp enabled Disabling VRRP no services vrrp enabled 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 1 4 Managing VRRP Trackers VRRP trackers monitor the state condition of a route When the route is unavailable VRRP will lower its priority or transition it to a fault state NOTE The decision to increase or ...

Page 653: ...ection 14 1 4 2 Adding a VRRP Tracker To add a VRRP tracker do the following 1 Make sure the CLI is in Configuration mode 2 Add the tracker by typing services vrrp trackers name Where name is the name of the VRRP tracker 3 Configure the following parameter s as required Parameter Description type type Synopsis route Default route The type of condition for the tracker to check network network Synop...

Page 654: ...nging the router priority 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 1 4 3 Deleting a VRRP Tracker To delete a VRRP tracker do the following 1 Make sure the CLI is in Configuration mode 2 Delete the tracker by typing no services vrrp trackers name Where name is the name of the VRRP tracker 3 Type commit and press Enter to save the changes o...

Page 655: ...group 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 1 5 3 Deleting a VRRP Group To delete a VRRP group do the following 1 Make sure the CLI is in Configuration mode 2 Delete the group by typing no services vrrp group name Where name is the name of the VRRP group 3 Type commit and press Enter to save the changes or type revert and press Enter t...

Page 656: ...o VRRP instances have been configured add instances as needed For more information refer to Section 14 1 6 2 Adding a VRRP Instance Section 14 1 6 2 Adding a VRRP Instance To add a VRRP instance do the following 1 Make sure the CLI is in Configuration mode 2 Make sure a VRRP group has been configured For more information refer to Section 14 1 5 2 Adding a VRRP Group 3 Add the instance by typing se...

Page 657: ...cond must be multiple of 10 garp delay garp delay Synopsis An 8 bit unsigned integer between 1 and 255 Default 5 Gratuitous ARP delay in seconds Sets the delay after the router changes state state before a second set of gratuitous ARPs are sent nopreempt When enabled a lower priority router maintains its role as master even if this router has a higher priority preempt delay preempt delay Synopsis ...

Page 658: ...lable the router will relinquish control of the gateway IP address to another VRRP Router CONTENTS Section 14 1 7 1 Viewing a List of VRRP Monitors Section 14 1 7 2 Adding a VRRP Monitor Section 14 1 7 3 Deleting a VRRP Monitor Section 14 1 7 1 Viewing a List of VRRP Monitors To view a list of VRRP monitors type show running config services vrrp instance name monitor Where name is the name of the ...

Page 659: ...itive the priority increases by this amount when the interface is up When not set the state changes to the fault state when the interface falls 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 1 7 3 Deleting a VRRP Monitor To delete a VRRP monitor do the following 1 Make sure the CLI is in Configuration mode 2 Delete the monitor by typing no serv...

Page 660: ... script do the following 1 Make sure the CLI is in Configuration mode 2 Add the track script by typing services vrrp instance name track script tracker Where name is the name of the VRRP instance tracker is the name of the tracker to use to monitor the VRRP instance 3 Configure the following parameter s as required Parameter Description weight weight Synopsis A 32 bit signed integer between 254 an...

Page 661: ...resses Section 14 1 9 2 Adding a Virtual IP Address Section 14 1 9 3 Deleting a Virtual IP Address Section 14 1 9 1 Viewing a List of Virtual IP Addresses To view a list of virtual IP addresses type show running config services vrrp instance name vrip Where name is the name of the VRRP instance If addresses have been configured a table or list similar to the following example appears ruggedcom sho...

Page 662: ...ress is the virtual IP address and netmask 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 1 10 Managing Connection Synchronization This section describes how to configure connection synchronization between two VRRP enabled routers CONTENTS Section 14 1 10 1 Configuring Connection Synchronization Section 14 1 10 2 Enabling Disabling Connection S...

Page 663: ...Enable the configuration synchronization service For more information refer to Section 14 1 10 2 Enabling Disabling Connection Synchronization Once the configuration is complete verify the status of the service on both devices For more information refer to Section 14 1 10 7 Viewing the Status of Each Dedicated Link Section 14 1 10 2 Enabling Disabling Connection Synchronization To enable or disabl...

Page 664: ...link ip ip Synopsis A string 7 to 15 characters long or a string 6 to 40 characters long The IPv4 or IPv6 address of the dedicated link interface mcast ip mcast ip Synopsis A string 7 to 15 characters long or a string 7 to 39 characters long Default 225 0 0 50 The destination IPv4 or IPv6 multicast address of the dedicated link group group Synopsis A 16 bit unsigned integer between 1 and 65535 Def...

Page 665: ...re link is the name of the default dedicated link 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 1 10 7 Viewing the Status of Each Dedicated Link To view the status of all dedicated links do the following 1 Make sure the CLI is in Configuration mode 2 To view the status of all dedicated links type the following show services conn sync status A ...

Page 666: ...teger The number of errors received on conn sync dedicated link Section 14 2 Managing Link Failover Protection Link failover provides an easily configurable means of raising a backup link upon the failure of a designated main link The main and backup links can only be Ethernet Link failover can back up to multiple remote locations managing multiple main to backup link relationships Link failover c...

Page 667: ...val 60 var log syslog Jan 25 09 46 51 R1 RX1512 linkd 4183 ping_retry_count 3 var log syslog Jan 25 09 46 51 R1 RX1512 linkd 4183 backup_interface fe 1 1 var log syslog Jan 25 09 46 51 R1 RX1512 linkd 4183 backup gateway 192 168 1 2 var log syslog Jan 25 09 46 51 R1 RX1512 linkd 4183 ondemand yes var log syslog Jan 25 09 46 51 R1 RX1512 linkd 4183 distance 1 var log syslog Jan 25 09 46 51 R1 RX151...

Page 668: ...nging the target using the main interface time of last state change Synopsis A string The time of the last state change link backup state Synopsis A string The backup link state backup interface in use Synopsis A string The name of the backup interface that is being used Section 14 2 3 Managing Link Failover Parameters This section describes how to manage parameter settings for link failover CONTE...

Page 669: ...lt PVID VLAN 1 switch 0001 1 Make sure the CLI is in Configuration mode 2 Add the parameter by typing services link failover interface Where interface is the name of the interface 3 Configure the following parameter s as required Parameter Description enabled Enables this link backup ping timeout ping timeout Synopsis A 32 bit signed integer between 1 and 65536 Default 2 The time interval in secon...

Page 670: ...e name of the interface 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 2 4 Managing Link Failover Backup Interfaces A backup interface is the interface to which link failover switches when the main interface is determined to be down You can add up to three backup interfaces to each link failover configuration CONTENTS Section 14 2 4 1 Viewing a...

Page 671: ...the secondary backup interface 3 Configure the following parameter s as required NOTE Do not configure the backup gateway parameter for Point to Point P2P links NOTE The on demand parameter is set at the interface itself Parameter Description priority priority Synopsis third second first Default first The priority which is applied to the backup interface when switching transfer default route The t...

Page 672: ...over Ping Targets A link failover ping target is an IP address that link failover pings to determine if the main link is down The address can be a dedicated host or a dummy address on a router Up to three link failover ping targets can be added to each link failover configuration CONTENTS Section 14 2 5 1 Viewing a List of Link Failover Ping Targets Section 14 2 5 2 Adding a Link Failover Ping Tar...

Page 673: ...the CLI is in Configuration mode 2 Add the ping target by typing services link failover interface target address Where interface is the name of the interface address is the IP address of the target host to verify the main path 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 2 5 3 Deleting a Link Failover Ping target To delete a link failover pin...

Page 674: ...re the CLI is in Configuration mode 2 Start the test by typing services link failover interface start test start test delay delay test duration duration Where interface is the name of the interface delay is the time in seconds to wait before running the test duration is the maximum time in minutes to run the test before restoring service to the main trunk Section 14 2 7 Canceling a Link Failover T...

Page 675: ...nt to Point and Multipoint Links Section 14 3 1 4 Path and Port Costs Section 14 3 1 5 Bridge Diameter Section 14 3 1 6 eRSTP Section 14 3 1 7 Fast Root Failover Section 14 3 1 1 RSTP States and Roles RSTP bridges have roles to play either root or designated One bridge the Root Bridge is the logical center of the network All other bridges in the network are Designated bridges RSTP also assigns eac...

Page 676: ...nt it is connected to All bridges on the same LAN segment listen to each other s messages and agree on which bridge is the Designated Bridge The ports of other bridges on the segment must become either Root Alternate or Backup ports 3 2 1 C 1 2 1 2 3 3 D 4 2 2 1 3 4 5 6 3 Figure 36 Bridge and Port Roles 1 Root Bridge 2 Designated Bridge 3 Designated Port 4 Root Port 5 Alternate Port 6 Backup Port ...

Page 677: ...on about the point to point state of the link simply by examining the half duplex status namely The port attaches only to a single partner but through a half duplex link The port attaches to a shared media hub through a full duplex link The shared media link attaches to more than one RSTP enabled bridge In such cases the user may configure the bridge to override the half duplex determination mecha...

Page 678: ...on 14 3 1 5 Bridge Diameter The bridge diameter is the maximum number of bridges between any two possible points of attachment of end stations to the network The bridge diameter reflects the realization that topology information requires time to propagate hop by hop through a network If configuration messages take too long to propagate end to end through the network the result will be an unstable ...

Page 679: ... RUGGEDCOM switches with the exception of the root switch All RUGGEDCOM switches in the network must use the same Fast Root Failover algorithm Two Fast Root Failover algorithms are available Robust Guarantees a deterministic root failover time but requires support from all switches in the network including the root switch Relaxed Ensures a deterministic root failover time in most network configura...

Page 680: ... in Structured Wiring Configurations RSTP may be used to construct structured wiring systems where connectivity is maintained in the event of link failures For example a single link failure of any link between A and N in Figure 37 would leave all the ports of bridges 555 through 888 connected to the network 3 777 4 2 1 4 3 444 5 6 2 1 3 1 222 4 2 3 2 111 4 1 4 3 333 5 6 2 1 3 888 4 2 1 I G 3 666 4...

Page 681: ... bridge and then tune each bridge s priority to correspond to its distance from the root bridge 5 Identify desired steady state topology Identify the desired steady state topology taking into account link speeds offered traffic and QOS Examine of the effects of breaking selected links taking into account network loading and the quality of alternate links 6 Decide upon a port cost calculation strat...

Page 682: ... These bridges should not be used if network fail over recovery times are to be minimized 3 Identify edge ports Ports that connect to host computers IEDs and controllers may be set to edge ports in order to guarantee rapid transitioning to forwarding as well as to reduce the number of topology change notifications in the network 4 Choose the root bridge The root bridge can be selected to equalize ...

Page 683: ...ple Port Redundancy Section 14 3 3 MSTP Operation The Multiple Spanning Tree MST algorithm and protocol provide greater control and flexibility than RSTP and legacy STP MSTP Multiple Spanning Tree Protocol is an extension of RSTP whereby multiple spanning trees may be maintained on the same bridged network Data traffic is allocated to one or several spanning trees by mapping one or more VLANs to d...

Page 684: ...aintains separate hop counters for spanning tree information exchanged at the MST region boundary versus information propagated inside the region For information received at the MST region boundary the R STP Message Age is incremented only once Inside the region a separate Remaining Hop Count is maintained one for each spanning tree instance The external Message Age parameter is referred to the R ...

Page 685: ...te also that it is possible for the CIST Regional Root to be the CIST Root MSTI Regional Root The root bridge for an MSTI within an MSTP region A root bridge is independently elected for each MSTI in an MSTP region Port Roles Each port on an MSTP bridge may have more than one CIST role depending on the number and topology of spanning tree instances defined on the port Role Description CIST Port Ro...

Page 686: ...be used to balance the data traffic load among sets of VLANs enabling more complete utilization of a bridged network that has multiple redundant interconnections between bridges A bridged network controlled by a single spanning tree will block redundant links by design to avoid harmful loops However when using MSTP any given link may have a different blocking state for MSTI as maintained by MSTP A...

Page 687: ...que bridge priority For more information refer to Section 14 3 6 3 Adding a Multiple Spanning Tree Instance 3 Create static VLANs and map them to the MSTIs For more information refer to Section 8 5 5 2 Adding a Static VLAN 4 Configure individual MSTI for each switched Ethernet port and or Ethernet trunk interface that will transmit receive MST BPDU Bridge Protocol Data Unit traffic For more inform...

Page 688: ...idered unlimited forward delay forward delay Synopsis A 32 bit unsigned integer between 4 and 30 Default 15 The amount of time a bridge spends learning MAC addresses on a rising port before beginning to forward traffic Lower values allow the port to reach the forwarding state more quickly but at the expense of flooding unlearned addresses to all ports max hops max hops Synopsis A 32 bit unsigned i...

Page 689: ...witch failure may result in excessive connectivity recovery time in a mesh network On Fast Root Failover is enabled and the most robust algorithm is used which restores network connectivity quickly in case of root bridge failure in a mesh network On with standard root Fast Root Failover is enabled but a relaxed algorithm is used allowing the use of a standard switch in the root role dot1w interop ...

Page 690: ...auto RSTP uses a peer to peer protocol that provides for rapid transitioning on point to point links This protocol is automatically turned off in situations where multiple STP bridges communicate over a shared non point to point LAN The bridge will automatically take point to point to be true when the link is found to be operating in full duplex mode The point to point parameter allows this behavi...

Page 691: ...s MSTI For more information refer to Section 14 3 6 3 Adding a Multiple Spanning Tree Instance 5 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 3 6 Managing Multiple Spanning Tree Instances Globally MSTP Multiple Spanning Tree Protocol as defined by the IEEE 802 1 standard maps multiple VLANs to a single Spanning Tree instance otherwise referred ...

Page 692: ...ter Description instance id Synopsis A 32 bit signed integer between 1 and 16 The bridge identifier of this bridge status Synopsis none designatedBridge notDesignatedForAnyLAN rootBridge The spanning tree status of the bridge The status may be root or designated This field may show text saying not designated for any LAN if the bridge is not the designated bridge for any of its ports This parameter...

Page 693: ...igh or rapidly increasing counts signal network problems This parameter is mandatory Section 14 3 6 2 Viewing a List of Multiple Spanning Tree Instances To view a list of Multiple Spanning Tree Instances MSTIs type show running config switch spanning tree mstp instance If instances have been configured a table or list similar to the following example appears ruggedcom show running config switch sp...

Page 694: ...f traffic flows in normal and abnormal conditions 4 Map one or more static VLANs and map them to the MSTI For more information refer to Section 8 5 5 2 Adding a Static VLAN 5 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 14 3 6 4 Deleting a Multiple Spanning Tree Instance To delete a Multiple Spanning Tree Instance MSTI do the following 1 Make sure...

Page 695: ...able provides the following information Parameter Description instance id Synopsis A 32 bit signed integer between 1 and 16 The Multiple Spanning Tree Protocol MSTP Instance ID slot Synopsis sm lm1 lm2 lm3 lm4 lm5 lm6 swport eth serport celport wlanport trnk The slot of the module that contains this port port Synopsis A 32 bit signed integer between 1 and 16 The port number as seen on the front pl...

Page 696: ...instance of Multiple Spanning Tree Protocol MSTP this is an external root path cost which is the cost of the path from the Internal Spanning Tree IST root i e regional root bridge to the Common Spanning Tree CST root i e network global root bridge This parameter is mandatory desig bridge priority Synopsis A 32 bit signed integer The bridge identifier of this bridge This parameter is mandatory desi...

Page 697: ...ng Tree Instance To add a Multiple Spanning Tree Instance MSTI for a switched Ethernet port or an Ethernet trunk interface do the following NOTE RUGGEDCOM ROX II supports up to 16 MSTIs per port interface 1 Make sure the CLI is in Configuration mode IMPORTANT Since each MSTI acts as an independent RSTP instance its configuration is similar to that of RSTP However until one or more VLANs are mapped...

Page 698: ...RSTP parameter configuration Setting the cost manually provides the ability to preferentially select specific ports to carry traffic over others Leave this field set to auto to use the standard RSTP port costs as negotiated 20 000 for 1Gbps 200 000 for 100 Mbps links and 2 000 000 for 10 Mbps links For MSTP this parameter applies to both external and internal path costs 4 Map one or more static VL...

Page 699: ...tatus Synopsis none designatedBridge notDesignatedForAnyLAN rootBridge The spanning tree status of the bridge The status may be root or designated This field may show text saying not designated for any LAN if the bridge is not the designated bridge for any of its ports This parameter is mandatory bridge priority Synopsis A 32 bit signed integer The bridge identifier of this bridge This parameter i...

Page 700: ... Spanning Tree IST root i e regional root bridge to the Common Spanning Tree CST root i e network global root bridge This parameter is mandatory regional root path cost Synopsis A 32 bit unsigned integer For the Common and Internal Spanning Tree CIST instance of the Multiple Spanning Tree Protocol MSTP this is the cost of the path to the Internal Spanning Tree IST root i e regional root bridge Thi...

Page 701: ... 0 This table or list provides the following information Parameter Description slot Synopsis sm lm1 lm2 lm3 lm4 lm5 lm6 swport eth serport celport wlanport trnk The slot of the module that contains this port port Synopsis A 32 bit signed integer between 1 and 16 The port number as seen on the front plate silkscreen of the module stp state Synopsis disabled blocking listening learning forwarding li...

Page 702: ...aximum of 65535 This parameter is mandatory desg bridge priority Synopsis A 32 bit signed integer between 0 and 65535 Provided on the root ports of the designated bridges the bridge identifier of the bridge this port is connected to This parameter is mandatory desg bridge mac Synopsis A string 17 characters long Provided on the root ports of the designated bridges the bridge identifier of the brid...

Page 703: ...ailability IMPORTANT RNA functions are only available for RUGGEDCOM MX5000 and MX5000RE devices equipped with a PRP module CONTENTS Section 14 4 1 Understanding RNA Section 14 4 2 Configuring RNA Section 14 4 3 Viewing the Proxy Nodes Table Section 14 4 4 Viewing the Nodes Table Section 14 4 5 Viewing Statistics Collected for RNA Ports Section 14 4 6 Clearing Statistics Collected for RNA Ports Sec...

Page 704: ...d to LAN A and and a network port connected to LAN B DANs duplicate each received data packet and assign them both a Redundancy Check Trailer RCT before sending them simultaneously to their destination nodes An RCT contains a sequence number that helps the destination node identify which packets are duplicates Destination nodes remove the RCT from the first packet they receive and then consume the...

Page 705: ...nfigurable Entries in both the node and proxy node tables will age out if a supervision or non PRP frame is not received within 60 seconds of the last received frame Section 14 4 1 3 PRP Requirements Before deploying the device on a PRP aware redundancy network note the following requirements Redundancy Check Trailer RCT sequence numbers expand each Ethernet frame by 6 octets Make sure the redunda...

Page 706: ...le type show switch rna proxy node table A table similar to the following appears ruggedcom show switch rna proxy node table tab LRE INTERFACE STATS LRE PROXY LRE PROXY NODE INDEX NODE INDEX MAC ADDRESS 129 1892881004 00 0a dc ee b9 80 129 2063258065 00 0a dc ee b9 81 This table displays the following information about each node Parameter Description lreInterfaceStatsIndex Synopsis A 32 bit unsign...

Page 707: ...string Time in TimeTicks 1 100s since the last frame from this remote LRE was received over LAN A Initialized with a value of 0 upon node registration in the node table lreTimeLastSeenB Synopsis A string Time in TimeTicks 1 100s since the last frame from this remote LRE was received over LAN B Initialized with a value of 0 upon node registration in the node table lreRemNodeType Synopsis DAN type a...

Page 708: ...a porta portb Where slot is the slot where the chosen PRP module resides port is the chosen port on the PRP module ruggedcom show interfaces switch lm4 1 rna porta rna porta rx count 30311 rx tagged count 28410 rx duplicated count 0 rx wrong lan count 0 rx error count 0 Section 14 4 6 Clearing Statistics Collected for RNA Ports Statistics collected for each RNA port can be cleared individually To ...

Page 709: ...asic networking capabilities and configuration It can simplify the troubleshooting of complex networks and can be used by Network Management Systems NMS to obtain and monitor detailed information about a network s topology LLDP data are made available via SNMP through support of LLDP MIB LLDP allows a networked device to discover its neighbors across connected network links using a standard mechan...

Page 710: ...he Link Layer Discovery Protocol LLDP do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to switch net discovery lldp and configure the following parameter s as required Parameter Description enabled Synopsis true false Default true Enables the Link Layer Discovery Protocol LLDP Note that LLDP is enabled on a port when LLDP is enabled globally and along with enabling per port...

Page 711: ...dp global statistics global statistics inserts 21 deletes 20 drops 0 ageouts 8 last change time 3D14m19s This table or list displays the following information Parameter Description inserts Synopsis A 32 bit unsigned integer between 0 and 4294967295 The number of times an entry was inserted into the LLDP Neighbor Information Table This parameter is mandatory deletes Synopsis A 32 bit unsigned integ...

Page 712: ...sis A string 17 characters long local chassis id This parameter is mandatory local system name Synopsis A string 1 to 255 characters long local system name This parameter is mandatory local system desc Synopsis A string 1 to 255 characters long local system desc This parameter is mandatory local system caps Synopsis other repeater bridge wlanAccessPoint router telephone docsisCableDevice stationOn...

Page 713: ...mation received from a remote Link Layer Discovery Protocol LLDP agent system desc Synopsis A string 1 to 255 characters long The system descriptor information received from a remote Link Layer Discovery Protocol LLDP agent port desc Synopsis A string 1 to 255 characters long The port description information received from a remote Link Layer Discovery Protocol LLDP agent man address Synopsis A str...

Page 714: ...ace subtype received from a remote Link Layer Discovery Protocol LLDP agent last update Synopsis A string The duration of time between power on and when this information was received Section 15 1 4 Viewing Statistics for LLDP Ports To view statistics for LLDP ports type show switch net discovery lldp port lldp stats A table or list similar to the following appears ruggedcom show switch net discove...

Page 715: ...the times that a neighbor s information has been deleted from the Link Layer Discovery Protocol LLDP remote system MIB because the txinfoTTL timer has expired This parameter is mandatory tlvs drop Synopsis A 32 bit unsigned integer between 0 and 4294967295 A counter of all TLVs discarded This parameter is mandatory tlvs unknown Synopsis A 32 bit unsigned integer between 0 and 4294967295 A counter ...

Page 716: ...tions its users can receive a group also defines the security model and security level for its users CONTENTS Section 15 2 1 MIB Files and SNMP Traps Section 15 2 2 Enabling and Configuring SNMP Sessions Section 15 2 3 Viewing Statistics for SNMP Section 15 2 4 Discovering SNMP Engine IDs Section 15 2 5 Managing SNMP Communities Section 15 2 6 Managing SNMP Target Addresses Section 15 2 7 Managing...

Page 717: ...astChangeTime changes It can be utilized by a Network Management System NMS to trigger LLDP remote systems table maintenance polls Note that transmission of lldpRemTablesChange notifications are throttled by the agent as specified by the lldpNotificationInterval object linkUp A linkUp trap signifies that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of i...

Page 718: ...Listen IP and Source IP for Traps parameters Parameter Description enabled Synopsis true false Default false Provides the ability to configure SNMP features on the device listen ip listen ip Synopsis A string Default 0 0 0 0 The IP Address the SNMP agent will listen on for SNMP requests port port Synopsis A 16 bit unsigned integer between 0 and 65535 Default 161 The port the SNMP agent will listen...

Page 719: ...nd press Enter to save the changes or type revert and press Enter to abort Section 15 2 3 Viewing Statistics for SNMP To view the statistics collected for SNMP type show admin snmp statistics If statistics are available a table or list similar to the following example appears ruggedcom show admin snmp statistics statistics unsupported sec levels 1 not in time windows 1 unknown user names 1 unknown...

Page 720: ...d integer The total number of packets received by the SNMP engine which were dropped because they could not be decrypted This parameter is mandatory Section 15 2 4 Discovering SNMP Engine IDs To discover an ID of a remote SNMP protocol engine do the following 1 At the prompt type the following command admin snmp snmp discover 2 When prompted type the IP address of the remote SNMP protocol engine r...

Page 721: ...hem as needed For more information refer to Section 15 2 5 2 Adding an SNMP Community Section 15 2 5 2 Adding an SNMP Community To add an SNMP community do the following 1 Make sure the CLI is in Configuration mode 2 Add the SNMP community by typing admin snmp snmp community name Where name is the name of the community 3 Configure the following parameter s as required Parameter Description user na...

Page 722: ...ample appears ruggedcom show running config admin snmp snmp target address tab TARGET TRAP SECURITY USER SECURITY TARGET NAME ENABLED ADDRESS PORT MODEL NAME LEVEL 127 0 0 1 v1 true 127 0 0 1 162 v1 oper noAuthNoPriv 127 0 0 1 v2 true 127 0 0 1 162 v2c oper noAuthNoPriv 127 0 0 1 v3 guest true 127 0 0 1 162 v3 admin noAuthNoPriv 127 0 0 1 v3 inform true 127 0 0 1 162 v3 admin authPriv 127 0 0 1 v3...

Page 723: ...l authPriv Communication with authentication and privacy authNoPriv Communication with authentication and without privacy noAuthnoPriv Communication without authentication and privacy control community control community Synopsis A string 1 to 32 characters long Restricts incoming SNMP requests from the IPv4 or IPv6 address associated with this community tag list tag list Synopsis snmpv1_trap snmpv...

Page 724: ...SNMP users CONTENTS Section 15 2 7 1 Viewing a List of SNMP Users Section 15 2 7 2 Adding an SNMP User Section 15 2 7 3 Deleting an SNMP User Section 15 2 7 1 Viewing a List of SNMP Users To view a list of SNMP users configured on the device type show running config admin snmp snmp user If users have been configured a table or list similar to the following example appears ruggedcom show running co...

Page 725: ...equired Parameter Description auth protocol auth protocol Synopsis none md5 sha1 Default none The authentication protocol providing data integrity and authentication for SNMP exchanges between the user and the SNMP engine auth key auth key Synopsis A string The authentication passphrase The passphrase must be 8 characters long at minimum privacy protocol privacy protocol Synopsis none des3cbc aesc...

Page 726: ... Section 15 2 8 1 Viewing a List of SNMP Security Models To view a list of SNMP security models configured on the device type show running config admin snmp snmp security to group If target addresses have been configured a table or list similar to the following example appears ruggedcom show running config admin snmp snmp security to group tab SECURITY USER MODEL NAME GROUP v1 oper all rights v1 g...

Page 727: ...ke sure the CLI is in Configuration mode 2 Delete the SNMP security model by typing no admin snmp snmp security to group model name Where model is the security model name is the name of the associated user profile 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 15 2 9 Managing SNMP Group Access This section describes how to manage access for SNMP g...

Page 728: ...ons include any v1 v2c or v3 level is the security level for the group Options include authPriv Communication with authentication and privacy authNoPriv Communication with authentication and without privacy noAuthnoPriv Communication without authentication and privacy 3 Configure the following parameter s as required Parameter Description read view name read view name Synopsis no view v1 mib restr...

Page 729: ...pload change and delete the configuration data on network devices RUGGEDCOM ROX II devices also support the ability to collect data and perform direct actions on the device such as rebooting the device clearing statistics and restarting services NOTE For more information about NETCONF and its use refer to the NETCONF Reference Guide for RUGGEDCOM ROX II v2 12 CONTENTS Section 15 3 1 Enabling and C...

Page 730: ...s and default port number This is the default configuration port represents an IPv6 address followed by a colon and port number For example fe80 5eff 35ff 16000 If using the default address do not specify another listen address with the same port max sessions max sessions Synopsis a 32 bit unsigned integer Default 10 The maximum number of concurrent NETCONF sessions idle timeout idle timeout Synop...

Page 731: ...number of NETCONF sessions started towards the NETCONF peer inSessions inBadHellos The number of correctly started NETCONF sessions This parameter is mandatory dropped sessions Synopsis A 32 bit unsigned integer The total number of NETCONF sessions dropped inSessions inBadHellos The number of correctly started NETCONF sessions This parameter is mandatory in rpcs Synopsis A 32 bit unsigned integer ...

Page 732: ...Chapter 15 Network Discovery and Management RUGGEDCOM ROX II CLI User Guide 686 Viewing NETCONF Statistics ...

Page 733: ...Mbps port onto a 10 Mbps port may result in an improperly mirrored stream Frames will be dropped if the full duplex rate of frames on the source port exceeds the transmission speed of the target port Since both transmitted and received frames on the source port are mirrored to the target port frames will be discarded if the sum traffic exceeds the target port s transmission rate This problem reach...

Page 734: ...ress and ingress source ports For more information refer to Section 16 1 2 2 Adding an Egress Source Port and Section 16 1 3 2 Adding an Ingress Source Port 5 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 1 2 Managing Egress Source Ports This section describes how to configure and manage egress source ports for port mirroring CONTENTS Section 16...

Page 735: ...ype commit and press Enter to save the changes or type revert and press Enter to abort Section 16 1 2 3 Deleting an Egress Source Port To delete an egress source port for port mirroring do the following 1 Make sure the CLI is in Configuration mode 2 Delete the address by typing no switch port mirroring egress src slot port Where slot is the name of the module location port is the port number or a ...

Page 736: ...Source Port To add an ingress source port for port mirroring do the following 1 Make sure the CLI is in Configuration mode 2 Add the ingress source port by typing switch port mirroring ingress src slot port Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module 3 Type commit and press Enter to save the changes or type r...

Page 737: ...e for Ethernet traffic on any line module when Layer 3 hardware acceleration is enabled It is intended to be used only on WAN interfaces CONTENTS Section 16 2 1 Enabling and Configuring Traffic Control Section 16 2 2 Managing Traffic Control Interfaces Section 16 2 3 Managing Traffic Control Priorities Section 16 2 4 Managing Traffic Control Classes Section 16 2 5 Managing Traffic Control Devices ...

Page 738: ...number protocol packet length and more The two modes cannot be accessed simultaneously Only the mode that is currently configured can be accessed To enable and configure traffic control do the following 1 Make sure the CLI is in Configuration mode 2 Configure the following parameter s as required Parameter Description enabled Enables disables traffic control TC for the current firewall configurati...

Page 739: ... of Traffic Control Interfaces To view a list of traffic control interfaces type show running config qos traffic control basic configuration tcinterfaces If interfaces have been configured a table or list similar to the following example appears ruggedcom show running config qos traffic control basic configuration tcinterfaces qos traffic control basic configuration tcinterfaces te1 2 1c01ppp type...

Page 740: ...he given rate received packets are dropped randomly When unspecified maximum speed is assumed Specify only the number here The unit kilobits megabits is specified in the in unit in unit in unit Synopsis none kilobits megabits Default none The unit for inbandwidth per second outbandwidth outbandwidth Synopsis A 16 bit unsigned integer The outgoing bandwidth for this interface Specify only the numbe...

Page 741: ...affic Control Priorities To view a list of traffic control priorities type show running config qos traffic control basic configuration tcpriorities If priorities have been configured a table or list similar to the following example appears ruggedcom show running config qos traffic control basic configuration tcpriorities qos traffic control basic configuration tcpriorities high band high protocol ...

Page 742: ... includes mmc 0x02 mt 0x08 mmc mt 0x0a mr mt 0x0c mmc mr mt 0x0e protocol protocol Synopsis tcp udp icmp all or a string choice A targeted protocol port port Synopsis A string choice Source port can be specified only if protocol is TCP UDP DCCP SCTP or UDPlite address address Synopsis A string choice The source address This can be specified only if the protocol port and interface are not defined i...

Page 743: ...trol class must be added for each network interface NOTE Type of Service ToS is defined by the Internet Engineering Task Force IETF For more information about ToS refer to RFC 1349 http tools ietf org html rfc1349 CONTENTS Section 16 2 4 1 Viewing a List of Traffic Control Classes Section 16 2 4 2 Adding a Traffic Control Class Section 16 2 4 3 Deleting a Traffic Control Class Section 16 2 4 1 Vie...

Page 744: ...its own unique mark This parameter is mandatory min bandwidth min bandwidth Synopsis A string The minimum bandwidth this class should have when the traffic load rises This can be either a numeric value or a calculated expression based on the bandwidth of the interface A fixed numerical value must only be a number its unit is specified in Minbw unit A calculated expression is based on a fraction of...

Page 745: ...revert and press Enter to abort Section 16 2 4 3 Deleting a Traffic Control Class To delete a traffic control class do the following 1 Make sure the CLI is in Configuration mode 2 Delete the traffic control class by typing no qos traffic control advanced configuration tcclasses name Where name is the name of the traffic control class entry 3 Type commit and press Enter to save the changes or type ...

Page 746: ...ontrol Device To add a new traffic control device do the following 1 Make sure the CLI is in Configuration mode 2 Add the traffic control device by typing qos traffic control advanced configuration tcdevices name Where name is the name of the interface to which traffic shaping will apply Lowercase alphanumerical as well as and characters are allowed 3 Configure the following parameter s as require...

Page 747: ...Device To delete a traffic control device do the following 1 Make sure the CLI is in Configuration mode 2 Delete the traffic control device by typing no qos traffic control advanced configuration tcdevices name Where name is the name of the interface to which traffic shaping will apply 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 2 6 Managing...

Page 748: ... 2 Adding a Traffic Control Rule Section 16 2 6 2 Adding a Traffic Control Rule To add a new traffic control rule do the following 1 Make sure the CLI is in Configuration mode 2 Add the traffic control rule by typing qos traffic control advanced configuration tcrule name Where name is the name of the traffic control rule entry 3 Configure the following parameter s as required Parameter Description...

Page 749: ...esser or equal to 65 65 In between 64 and 768 64 768 tos tos Synopsis minimize delay maximize throughput maximize reliability minimize cost normal service or a string Optional Type of Service A pre defined ToS value or a numerical value The numerical value is hexadecimal Ex 0x38 description description Synopsis A string A description for this configuration item 4 Type commit and press Enter to sav...

Page 750: ...in option preroute or default In this case the actual destination address is 192 168 3 101 but it will be translated to 192 168 3 33 by DNAT Another example of a traffic control rule is Destination IP 192 168 3 33 Chain option postrouting Forward Mark the connection in the FORWARD chain This is the default chain option and it can be used for normal IP traffic without any address or port translatio...

Page 751: ...ration mode 2 Configure the Save option by typing qos traffic control advanced configuration tcrules name mark choice save Where name is the name of the traffic control rule 3 Configure the following parameter s Parameter Description value mask value mask Synopsis A string Mask to process the mark with op chain op chain Synopsis forward prerouting Default forward A chain in which the operation wil...

Page 752: ...sis forward prerouting Default forward A chain in which the operation will take place 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Configuring a DSCP Mark 1 Make sure the CLI is in Configuration mode 2 Select the DSCP Marking option by typing qos traffic control advanced configuration tcrules name mark choice dscpmarking Where name is the name of the tr...

Page 753: ...the priority queues according to the traffic control rules specified for the marked rule In addition traffic control can assign the same priority or a different priority value when a frame needs to be egressed with a VLAN tag through a traffic control interface QoS maps can be configured for VLAN connections on routable Ethernet ports and virtual switches CONTENTS Section 16 2 7 1 Viewing a List o...

Page 754: ...16 2 7 2 Adding a QoS Map To add a QoS map for a VLAN connection do the following 1 Make sure the CLI is in Configuration mode 2 Add the QoS map by typing For Switched Ethernet Ports switch vlans all vlans id qosmap priority Where id is the ID given to the VLAN priority is the priority assigned to the QoS map For Routable Only Ethernet Ports interface eth slot port vlan id qosmap priority Where sl...

Page 755: ...nection by typing For Switched Ethernet Ports no switch vlans all vlans id qosmap priority Where id is the ID given to the VLAN priority is the priority assigned to the QoS map For Routable Ethernet Ports no interface eth slot port vlan id qosmap priority Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module id is the ...

Page 756: ...y is the priority assigned to the QoS map For Routable Only Ethernet Ports show running config interface eth slot port vlan id qosmap priority egress Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module id is the ID given to the VLAN priority is the priority assigned to the QoS map For Virtual Switches show running co...

Page 757: ...rts interface eth slot port vlan id qosmap priority egress mark Where slot is the name of the module location port is the port number or a list of ports if aggregated in a port trunk for the module id is the ID given to the VLAN priority is the priority assigned to the QoS map mark is the value of the egress mark For Virtual Switches interface virtualswitch id vlan vlan id qosmap priority egress m...

Page 758: ...the module location port is the port number or a list of ports if aggregated in a port trunk for the module id is the ID given to the VLAN priority is the priority assigned to the QoS map mark is the value of the egress mark 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 2 9 Viewing QoS Statistics RUGGEDCOM ROX II provides statistics for traffi...

Page 759: ...his class droppedpackets Synopsis A string The number of packets that were dropped in this class rate Synopsis A string Based on a 10 second average average Synopsis A string Based on a 10 second average Section 16 3 Managing Classes of Service Classes of Service CoS provides the ability to expedite the transmission of certain frames and port traffic over others The CoS of a frame can be set to No...

Page 760: ...s collected into one of the priority queues according to the assigned CoS CoS weighting selects the degree of preferential treatment that is attached to different priority queues The ratio of the number of higher CoS to lower CoS frames transmitted can be configured If desired the user can configure lower CoS frames to be transmitted only after all higher CoS frames have been serviced CONTENTS Sec...

Page 761: ...ies type show running config switch class of service priority to cos If entries have been configured a table or list similar to the following example appears ruggedcom show running config switch class of service priority to cos tab PRIORITY COS 0 normal 1 normal 2 normal 3 medium 4 medium 5 medium 6 high 7 high If no entries have been configured add entries as needed For more information refer to ...

Page 762: ...y to cos priority Where priority is the value of the IEEE 802 1p priority 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 3 3 Managing DSCP to CoS Mapping Assigning CoS to different values of the Differentiated Services Code Point DSCP field in the IP header of received packets is done by defining DSCP to CoS mapping table entries CONTENTS Secti...

Page 763: ...iption cos cos Synopsis N A normal medium high crit Default normal The Class of Service CoS assigned to the received frames with the specified DSCP 4 Configure the CoS parameters on select switched Ethernet ports and or trunk interfaces as needed For more information refer to Section 8 1 2 Configuring a Switched Ethernet Port and or Section 8 2 2 Adding an Ethernet Trunk Interface 5 Type commit an...

Page 764: ...NetFlow Interfaces Section 16 4 8 Managing NetFlow Collectors Section 16 4 9 Viewing the Status of NetFlow Section 16 4 10 Example Exporting Flows to Multiple Collectors Section 16 4 1 Understanding NetFlow Data Export NetFlow is a traffic analysis tool developed by Cisco that allows network operators to characterize traffic flows across their networks It provides information that allows operators...

Page 765: ...for TCP and UDP Type of Service ToS Each flow record is exported using the User Datagram Protocol UDP which requires each packet to include the IP address of the target NetFlow collector and its designated UDP port A flow record is considered ready to export when either of the following conditions are met The flow has been inactive e g no new packets for a specific period of time The flow has been...

Page 766: ...ection 16 4 4 Setting the NetFlow Engine ID 5 Optional Set the maximum number of active flows tracked by the device This can help improve performance in some scenarios For more information refer to Section 16 4 5 Controlling the NetFlow Cache 6 Optional Control how RUGGEDCOM ROX II manages active and inactive flows For more information refer to Section 16 4 6 Controlling Active Inactive Flows 7 De...

Page 767: ...ollowing 1 Make sure the CLI is in Configuration mode 2 Configure the maximum number of active flows tracked by NetFlow by typing services netflow maxflows number Where number is the number of active flows The default value is 16384 but the value can be set anywhere between 0 and 65535 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 4 6 Controll...

Page 768: ...UGGEDCOM ROX II does not support Netflow data collection on hardware accelerated interfaces CONTENTS Section 16 4 7 1 Viewing a List of NetFlow Interfaces Section 16 4 7 2 Adding a NetFlow Interface Section 16 4 7 3 Deleting a NetFlow Interface Section 16 4 7 1 Viewing a List of NetFlow Interfaces To view a list of interfaces configured to monitor traffic for NetFlow type show running config servi...

Page 769: ...e the CLI is in Configuration mode 2 Delete the interface by typing no services netflow interface interface Where interface is the desired interface 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 4 8 Managing NetFlow Collectors RUGGEDCOM ROX II can be configured to forward flows to up to four NetFlow collectors CONTENTS Section 16 4 8 1 Viewing...

Page 770: ...ort is the UDP port used by the NetFlow Collector to receive messages 3 Optional Enable the collector so RUGGEDCOM ROX II can forward NetFlow packets to it For more information refer to Section 16 4 8 3 Enabling Disabling a NetFlow Collector 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 4 8 3 Enabling Disabling a NetFlow Collector To enable or...

Page 771: ...d by the NetFlow Collector to receive messages 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 16 4 9 Viewing the Status of NetFlow To view the status of NetFlow type show services netflow status For example ruggedcom show services netflow status status flow status active flows 2 rate status bits sec 19311176 pkts sec 2399 bits sec min 19009225 pkt...

Page 772: ...ion fe 1 1 50 1 1 1 30 fe 1 2 192 168 0 2 24 fe cm 1 172 30 150 1 19 172 30 142 224 172 30 142 124 1 2 3 4 4 3 Figure 42 Topology Exporting Data to Multiple Collectors 1 NetFlow Exporter RUGGEDCOM ROX II 2 WAN 3 LAN 4 NetFlow Collector Configuration To configure RUGGEDCOM ROX II to export NetFlow packets to two NetFlow collectors do the following 1 Make sure Layer 3 switching is disabled by settin...

Page 773: ...o Multiple Collectors 727 6 Verify the NetFlow collectors are receiving flows from the device Final Configuration Example services netflow enabled engine id 10 timeouts active timeout 1800 timeouts inactive timeout 15 collector 172 30 142 124 2 enabled collector 172 30 142 224 1 enabled interface fe 1 1 ...

Page 774: ...Chapter 16 Traffic Control and Classification RUGGEDCOM ROX II CLI User Guide 728 Example Exporting Flows to Multiple Collectors ...

Page 775: ...onfigure the system time and date For more information refer to Section 17 2 Configuring the System Time and Date 2 Configure the system time zone For more information refer to Section 17 3 Configuring the System Time Zone 3 Configure the local time settings For more information refer to Section 17 4 Configuring the Local Time Settings 4 If multicast addresses will be configured for the NTP server...

Page 776: ...ere time date is the date time in the format YYYY MM DD HH MM SS 3 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 17 3 Configuring the System Time Zone To configure the system time zone do the following 1 Make sure the CLI is in Configuration mode 2 Set the system time zone by typing NOTE The Etc GMT time zones conform to the POSIX style and have th...

Page 777: ...th IPv4 and IPv6 addresses Parameter Description enabled Synopsis true false Default false Enables NTP service bind interface bind interface Synopsis A string Sets the IP address for the selected interface as the source IP address for outgoing NTP messages Make sure an IP address is first assigned to the selected interface The dummy0 interface should be used unless required otherwise 3 Type commit...

Page 778: ...illiseconds to communicate with the reference clock offset Synopsis A string 1 to 32 characters long The offset in milliseconds between our time and that of the reference clock jitter Synopsis A string 1 to 32 characters long The observed jitter in milliseconds A character before an address is referred to as a tally code Tally codes indicate the fate of the peer in the clock selection process The ...

Page 779: ...eter Description address Synopsis A string 1 to 40 characters long The IP address of the reference clock state Synopsis A string 1 to 32 characters long The state of the clock reference id Synopsis A string 1 to 40 characters long The identification of the reference clock stratum Synopsis A string 1 to 32 characters long The stratum number of the reference clock address type Synopsis A string 1 to...

Page 780: ...ing a Server Key CONTENTS Section 17 8 1 Viewing a List of NTP Servers Section 17 8 2 Monitoring Subscribers Section 17 8 3 Adding an NTP Server Section 17 8 4 Deleting an NTP Server Section 17 8 5 Managing Server Keys Section 17 8 6 Managing Server Restrictions Section 17 8 1 Viewing a List of NTP Servers To view a list of NTP servers configured on the device type show running config services ntp...

Page 781: ...92 168 2 1 123 1 4 4 nomodify nopeer noquery notrap 837 837 192 168 2 4 123 1 4 4 nomodify nopeer noquery notrap 834 834 192 168 2 10 123 1 4 4 nomodify nopeer noquery notrap 830 830 192 168 3 3 123 1 1 4 nomodify nopeer noquery notrap 823 823 192 168 3 7 123 1 1 4 nomodify nopeer noquery notrap 816 816 192 168 3 9 123 1 1 4 nomodify nopeer noquery notrap 813 813 The table list provides the follow...

Page 782: ...when contact is lost with the hosts in the NTP servers menu minpoll minpoll Synopsis An 8 bit unsigned integer between 4 and 17 Default 6 The minimum poll interval for NTP messages in seconds as a power of two maxpoll maxpoll Synopsis An 8 bit unsigned integer between 4 and 17 Default 10 The maximum poll interval for NTP messages in seconds as a power of two iburst When the server is unreachable a...

Page 783: ...imestamps When using authentication both the local and remote servers must share the same key and key identifier Packets sent to and received from the server peer include authentication fields encrypted using the key CONTENTS Section 17 8 5 1 Viewing a List of Server Keys Section 17 8 5 2 Adding a Server Key Section 17 8 5 3 Deleting a Server Key Section 17 8 5 1 Viewing a List of Server Keys To v...

Page 784: ...hentication procedures require that both the local and remote servers share the same key and key identifier 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 17 8 5 3 Deleting a Server Key To delete a server key do the following 1 Make sure the CLI is in Configuration mode 2 Delete the chosen key by typing no services ntp key id Where id is the ID as...

Page 785: ...used to match the address A value of 255 255 255 255 indicates the address is treated as the address of an individual host 3 Configure the following parameter s as required CAUTION Security hazard risk of unauthorized access and or exploitation It is recommended to restrict queries via ntpdc and ntpq unless the queries come from a localhost or to disable this feature entirely if not required This ...

Page 786: ...t and press Enter to abort Section 17 8 6 3 Deleting a Server Restriction To delete an NTP server restriction do the following 1 Make sure the CLI is in Configuration mode 2 Delete the restriction by typing no services ntp restrict address mask Where address is the IP address to match The address can be a host or network IP address or a valid host DNS name mask is the mask used to match the addres...

Page 787: ...ter to abort Section 17 9 2 Enabling and Configuring NTP Broadcast Clients The NTP broadcast client enables the NTP server to receive advertisements from other NTP servers and send advertisements of its own To enable and configure the NTP broadcast client do the following 1 Make sure the CLI is in Configuration mode 2 Navigate to services time ntp 3 Configure the following parameters as required P...

Page 788: ...tion refer to Section 17 9 3 2 Adding a Broadcast Multicast Address Section 17 9 3 2 Adding a Broadcast Multicast Address To add a broadcast multicast address for an NTP server do the following IMPORTANT It is strongly recommended to enable NTP authentication unless all hosts on the network are trusted 1 Make sure a server key has been configured with the broadcast multicast setting to enable NTP ...

Page 789: ...other than 4 ttl ttl Synopsis An 8 bit unsigned integer between 1 and 127 Default 1 Time to live 5 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 17 9 3 3 Deleting a Broadcast Multicast Address To delete a broadcast multicast address for an NTP server do the following 1 Make sure the CLI is in Configuration mode 2 Delete the restriction by typing no...

Page 790: ...Chapter 17 Time Services RUGGEDCOM ROX II CLI User Guide 744 Deleting a Broadcast Multicast Address ...

Page 791: ...ore information about setting up an upgrade server refer to Section 4 12 2 Setting Up an Upgrade Server CONTENTS Section 18 1 Viewing a List of Installed Applications Section 18 2 Installing an Application Section 18 3 Upgrading an Application Section 18 4 Uninstalling an Application Section 18 5 Managing Application Repositories Section 18 1 Viewing a List of Installed Applications To view a list...

Page 792: ... typing admin software upgrade apps upgrade app app name name Where name is the name of the application to upgrade as it appears in the repository configuration To upgrade more than one application use a comma separated list Section 18 4 Uninstalling an Application To uninstall an application do the following 1 Make sure the CLI is in Configuration mode 2 Install the application by typing admin so...

Page 793: ... rs2 If no repositories have been configured add repositories as needed For more information refer to Section 18 5 3 Adding a Repository Section 18 5 2 Checking the Repository Connection To check the connection with a repository type admin software upgrade apps check repository connection app name name Where name is the name of the repository as it appears in the repository configuration To check ...

Page 794: ...version Synopsis A string 1 to 64 characters long The version of the app you are installing or upgrading 4 Type commit and press Enter to save the changes or type revert and press Enter to abort Section 18 5 4 Deleting a Repository To delete an application repository do the following 1 Make sure the CLI is in Configuration mode 2 Add the repository by typing no admin software upgrade apps reposito...

Page 795: ... Section 19 5 VLANs Section 19 1 Feature Keys The following describes common problems related to feature keys Problem Solution A file based feature key does not match the hardware Each file based feature key is licensed to a particular device When transferring a feature key from one device to another such as when configuring a backup unit to replace a malfunctioning device the device will detect a...

Page 796: ... the router included in the Router Ports list To determine whether the multicast stream is being delivered to the router view the statistics collected for switched Ethernet ports For more information refer to Section 8 1 3 Viewing Switched Ethernet Port Statistics Verify the traffic count transmitted to the router is the same as the traffic count received from the multicasting source The video str...

Page 797: ... possible cause of intermittent operation is that of an auto negotiation mismatch If one end of the link is fixed to full duplex mode and the peer auto negotiates the auto negotiating end will fall back to half duplex operation At lower traffic the volumes the link may display few if any errors As the traffic volume rises the fixed negotiation side will begin to experience dropped packets while th...

Page 798: ...ew port is brought up the root moves on to that port instead of the port it should move to or stay on Is it possible that the port cost is incorrectly programmed or that auto negotiation derives an undesired value Inspect the port and path costs with each port active as root An IED controller does not work with the device Certain low CPU bandwidth controllers have been found to behave less than pe...

Reviews:

No comments

Related manuals for RUGGEDCOM ROX II

Baracoda All in One Printer Communication Protocol Manual preview
All in One Printer
Brand: Baracoda Pages: 42
D-Link DSL-2640BT Installation Manual preview
DSL-2640BT
Brand: D-Link Pages: 12
dbx 902 Manual preview
902
Brand: dbx Pages: 8
3Com EtherLink 3C509B Quick Manual preview
EtherLink 3C509B
Brand: 3Com Pages: 8
3Com 3CRWB6096 Quick Start Manual preview
3CRWB6096
Brand: 3Com Pages: 8
Abus TVVR36500 User Manual preview
TVVR36500
Brand: Abus Pages: 60
Watchguard Firebox SOHO 6 Wireless Instructions Manual preview
Firebox SOHO 6 Wireless
Brand: Watchguard Pages: 8
YASKAWA SI-EP3/V Installation Manual preview
SI-EP3/V
Brand: YASKAWA Pages: 68
Lorex LNR100 SERIES Instruction Manual preview
LNR100 SERIES
Brand: Lorex Pages: 186
MiLAN E-MCC-1600 Install Manual preview
E-MCC-1600
Brand: MiLAN Pages: 1
Symantec PacketShaper PS-S200 Quick Start Manual preview
PacketShaper PS-S200
Brand: Symantec Pages: 2
Buffalo LinkStation Mini User Manual preview
LinkStation Mini
Brand: Buffalo Pages: 71
ZyXEL Communications P-335U Specifications preview
P-335U
Brand: ZyXEL Communications Pages: 2
Planet ADE-3110 User Manual preview
ADE-3110
Brand: Planet Pages: 66
Sharedband Power Router 2 Configuration Manual preview
Power Router 2
Brand: Sharedband Pages: 3
Ubiquiti EdgeRouter X ER-X-SFP Quick Start Manual preview
EdgeRouter X ER-X-SFP
Brand: Ubiquiti Pages: 20
NCR VOYIX 7772-K141 Kit Instructions preview
VOYIX 7772-K141
Brand: NCR Pages: 10
Acconeer XE132 Getting Started Manual preview
XE132
Brand: Acconeer Pages: 13

Brands by name

Popular brands

Load more brands