
INS_RL1000GW_REV–     15 Jul 2016     PAGE 186

INSTALLATION AND OPERATION MANUAL 

RL1000GW

TECH SUPPORT: 1.888.678.9427

Application Aware Firewall

The integrated SCADA protocol firewall provides network-based, distributed security.

The firewall is “application-aware”, meaning that it inspects the contents of the data 
packets of selected SCADA protocols according to the rules set by the user.

Using the firewall, the router becomes a distributed Intrusion Prevention System (IPS) 
performing detailed service-aware inspection.

» Supported protocols: Modbus TCP, IEC 104, DNP3

The service-aware firewall checks each packet in detail, including:

» Protocol validity – Checks that the packet structure and all its control fields comply with the 
standard and that the session flow follows the expected logic (e.g. the session is initiated by the 
master, each response matches a request, the session setup sequence is correct, etc.).

» Application logic – For each pair of source and destination devices, verifies that only the allowed 
communication is performed, by checking the function code and the command parameters 
against the operator-defined values.

Firewall Service Flow

In order for a protocol flow to be inspected by the firewall, the following steps are performed by the 
ComNet NMS (iSIM):

» A designated service VLAN is created and the ports are tagged.

» ACLs are placed on the relevant access ports and network ports to redirect the traffic flow to the 
service VLAN and to the firewall process. The ACLs allow traffic between service members 
only, and permit only traffic of the TCP/UDP type corresponding to the service protocol 
selected by the user. Other ports are blocked by default.

» The ACLs also validate the packet direction and block messages that violate the proper 
session flow.

» A file holding the list of allowed messages is created from the user configuration and is downloaded 
to the router. The file holds the specific addressing properties of the target device under the 
relevant SCADA protocol (for example, the Common Address of ASDU in IEC 104), so packet 
inspection is done not only on the IP header but also on the payload itself.

» Service packets are inspected against this file.

» A packet originating from and destined to a service member is directed to the firewall 
process for in-depth inspection of the payload before it is allowed to pass to the network.
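As an added example (not ComNet's firewall code and not a description of its implementation), the following Python inspector models, for Modbus TCP, the two checks described under the application-aware firewall and the allowed-messages file of the service flow: it validates the MBAP header and the PDU field layout, enforces master-initiated sessions by matching every response to an outstanding request on transaction id and function code, and permits a request only when a rule for that source/destination pair, unit id, function code and register range exists. The rule fields, IP addresses and frames are constructed for the example; the rule layout is an assumption about what such an allowed-messages list would carry, not the router's actual file format.

```python
"""Added example: application-aware Modbus TCP inspection (educational model,
not ComNet's firewall code). Protocol validity = MBAP header, PDU field layout and
request/response pairing; application logic = per source/destination pair, unit id,
function code and register range, checked against a constructed allow-list."""
import struct
from dataclasses import dataclass

# Standard Modbus function codes modelled by this example.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class Rule:
    """One allowed message. Assumed fields, not the router's file format."""
    src: str            # master (client) IP
    dst: str            # slave (server) IP
    unit_id: int
    function_code: int
    addr_lo: int        # permitted register address range, inclusive
    addr_hi: int


# Constructed allow-list standing in for the downloaded allowed-messages file.
ALLOWED = [
    Rule("10.0.0.10", "10.0.0.20", 1, READ_HOLDING_REGISTERS, 0, 99),
    Rule("10.0.0.10", "10.0.0.20", 1, WRITE_SINGLE_REGISTER, 40, 49),
]


def parse_mbap(packet: bytes):
    """Validate the 7-byte MBAP header; return (transaction id, unit id, function code, pdu)."""
    if len(packet) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", packet[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(packet) - 6:      # the length field covers unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size {len(packet)}")
    return tid, unit, packet[7], packet[8:]


def request_span(fc: int, pdu: bytes):
    """Check a request PDU's field layout and return the (first, last) register address
    it touches; None for function codes this example does not model."""
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        if len(pdu) != 4:
            raise ValueError(f"FC{fc} PDU must be 4 bytes")
        addr, second = struct.unpack("!HH", pdu)
        if fc == WRITE_SINGLE_REGISTER:
            return addr, addr                       # second field is the value
        if not 1 <= second <= 125:                  # spec limit for an FC3 quantity
            raise ValueError(f"FC3 quantity {second} outside 1..125")
        return addr, addr + second - 1
    if fc == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 5:
            raise ValueError("FC16 PDU too short")
        addr, qty, count = struct.unpack("!HHB", pdu[:5])
        if not 1 <= qty <= 123 or count != 2 * qty or len(pdu) != 5 + count:
            raise ValueError("FC16 quantity / byte count mismatch")
        return addr, addr + qty - 1
    return None


class ModbusInspector:
    """Stateful inspection: outstanding permitted requests are remembered so that
    only a response matching one of them is let through (master-initiated sessions)."""

    def __init__(self, rules):
        self.rules = rules
        self.masters = {r.src for r in rules}
        self.pending = {}   # (master, slave, unit, tid) -> request function code

    def inspect(self, src: str, dst: str, packet: bytes) -> str:
        """Return "permit" or "deny: <reason>". Frames from a known master are requests;
        anything else is treated as a response and must match an outstanding request."""
        try:
            tid, unit, fc, pdu = parse_mbap(packet)
            span = request_span(fc, pdu) if src in self.masters else None
        except ValueError as e:
            return f"deny: protocol validity ({e})"
        if src in self.masters:
            return self._request(src, dst, unit, tid, fc, span)
        expected = self.pending.pop((dst, src, unit, tid), None)
        if expected is None:
            return "deny: protocol validity (response without a matching request)"
        if fc & 0x7F != expected:                   # exception replies set the high bit
            return f"deny: protocol validity (response fc {fc} does not match request fc {expected})"
        return "permit"

    def _request(self, src, dst, unit, tid, fc, span):
        if span is None:
            return f"deny: function code {fc} is not modelled, so no rule can permit it"
        first, last = span
        for r in self.rules:
            if ((r.src, r.dst, r.unit_id, r.function_code) == (src, dst, unit, fc)
                    and r.addr_lo <= first and last <= r.addr_hi):
                self.pending[(src, dst, unit, tid)] = fc
                return "permit"
        return f"deny: no rule for {src}->{dst} unit {unit} fc {fc} registers {first}-{last}"


def frame(tid: int, unit: int, fc: int, pdu: bytes) -> bytes:
    """Build a well-formed Modbus TCP frame (constructed test input)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 2, unit) + bytes([fc]) + pdu


def demo():
    """Constructed traffic between master 10.0.0.10 and slave 10.0.0.20."""
    fw, m, s = ModbusInspector(ALLOWED), "10.0.0.10", "10.0.0.20"
    return [
        fw.inspect(m, s, frame(1, 1, READ_HOLDING_REGISTERS, struct.pack("!HH", 0, 10))),   # permit
        fw.inspect(s, m, frame(1, 1, READ_HOLDING_REGISTERS, bytes([20]) + b"\0" * 20)),    # permit
        fw.inspect(m, s, frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack("!HH", 45, 7))),   # permit
        fw.inspect(m, s, frame(3, 1, WRITE_SINGLE_REGISTER, struct.pack("!HH", 200, 7))),  # deny: range
        fw.inspect(m, s, frame(4, 1, WRITE_MULTIPLE_REGISTERS,
                               struct.pack("!HHB", 40, 2, 4) + b"\0" * 4)),                 # deny: no rule
        fw.inspect(s, m, frame(99, 1, READ_HOLDING_REGISTERS, bytes([2, 0, 0]))),         # deny: unsolicited
        fw.inspect(m, s, b"\x00\x05\x00\x00\x00\x06\x01\x03\x00\x00"),                      # deny: bad length
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the module prints one verdict per constructed frame. The design point is that the two checks are deliberately separate: a frame failing protocol validity is rejected before any rule lookup, and a request that is structurally valid but not covered by a rule is rejected without ever being recorded as pending, so the slave's reply to it is also dropped.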


Страница 145: ...he VPN network are not static for example a cellular spoke retrieving dynamic IP from the ISP over its PPP interface the Main mode of IKE is not applicable Pre shared key When used in main mode the PS...

Страница 146: ...s used over a cellular link the IKE mode to be used is Aggressive The PSK may be of IP format or fqdn Settings structure Authentication method PSK X 509 Diffie Hellman key exchange group a k a OAKLY g...

Страница 147: ...future The VPN GRE IPSEC sessions can negotiate new keys for every communication and if a key is compromised only the specific session it protected will be revealed The PFS uses as well the D H group...

Страница 148: ...Log level log level Dead Peer Discovery delay dpd delay max failure dpd maxfail max retires dpd retry flush Security Association flush sa proto id type id type soft timer soft lifetime Phase 1 Authent...

Страница 149: ...address prefix Destination address dst address prefix Source protocol port src port Destination protocol port src port Protocol protocol Preshared Keys Key key Own PSK id id Partner PSK id id Partner...

Страница 150: ...p6144 pfs group none modp768 modp1024 modp1536 modp2048 modp3072 modp4096 modp6144 modp8192 dpd delay 5 0 120 dpd maxfail 5 2 20 dpd retry 5 1 20 log level error warning notify info debug debug2 my id...

Страница 151: ...1000GW_REV 15 Jul 2016 PAGE 151 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 show log grep num of lines global defs policy preshared rsa signature file sa proto ah esp ipsec...

Страница 152: ...used dh group Diffie Hellman key exchange Group Relates to phase 1 determines the strength of the key used in the key exchange process The higher the group number the stronger the key and security in...

Страница 153: ...lt ip interface Address this option is not supported in current version fqdn the units own preshared id will be in a domain name format For example spoke radiflow com default none ike phase1 mode Inte...

Страница 154: ...1 99 hard lifetime 100 rsa sig name The name set by the user for the signature Policy create Configure the policy to determine the type of traffic to encrypt src ip A B C D form Ip address of the pack...

Страница 155: ...INS_RL1000GW_REV 15 Jul 2016 PAGE 155 INSTALLATION AND OPERATION MANUAL RL1000GW TECH SUPPORT 1 888 678 9427 IPSec defaults...

Страница 156: ...connection to site The RL1000GW supports options for GPRS UMTS modem or LTE A modem provides a key solution for connectivity to remote sites The modem support dual SIM card for redundancy and backup b...

Страница 157: ...1 888 678 9427 FREQUENCY BANDS LTE 2600 7 N Y FREQUENCY BANDS LTE 900 8 N Y FREQUENCY BANDS LTE 700 13 Y N FREQUENCY BANDS LTE 700 17 Y N FREQUENCY BANDS LTE 800 20 N Y FREQUENCY BANDS LTE 1900 25 Y...

Страница 158: ...e spoke the important availability also when retrieving private IP from the ISP Interface Name At various applications the addressing of configuration to the cellular interface will be done using its...

Страница 159: ...2 NAT VPN Application Once Holding an IP address retrieved from the ISP at its PPP interface and with a VPN configured the Spoke will initiate NHRP request for registration towards the Hub The Hub mu...

Страница 160: ...ividually configured and enabled disabled Dependent on configuration and availability the status of a SIM may be one of the following at the modem Unknown SIM is either Not available at the slot Cellu...

Страница 161: ...cellular wan show 2 SIM 1 is connected following the modem enable and the SIM properties configured SIM 2 is configured an in READY state cellular enable cellular wan update admin status enable apn na...

Страница 162: ...the ISP a reload can be trigger to the router A configuration parameter retry threshold reload is available to be set between 0 disabled and 30 whereas values 1 30 represents the number of consecutive...

Страница 163: ...rtt threshold 5000msec 1 000 20 000 interval 60sec 1 1440 request size 100bytes 64 1500 remove dest ip address ip address name show config show status modem power_down power up send command at cgsn ge...

Страница 164: ...igger to a watchdog is one of these 2 conditions to be met Create update name name of the test text dest ip address ip address of a reachable routable host Format aa bb cc dd rtt threshold round trip...

Страница 165: ...ttempts to establish Connected status of the cellular modem Configuration which was not committed will not be saved after the reload Settings show Show show configured interval time Wan update Sim slo...

Страница 166: ...The modem has a led indicator for each SIM slot to represent the SIM cad state Modem admin state SIM admin state SIM Operation state LED disable N A N A OFF enable disable N A OFF enable Ready ON enab...

Страница 167: ...000GW TECH SUPPORT 1 888 678 9427 Example for retrieving the IMEI Below is an example of retrieving the IMEI identifier of the modem RL1000GW cellular disable cellular modem power up Completed OK cell...

Страница 168: ...ample of 2 SIM cards and their permissible state status cellular wan update admin status enable apn name internetg sim slot 1 operator name cellcom user name guest password guest cellular wan update a...

Страница 169: ...rator can decide if any action is required Digital output channels are not supported at current version Connection terminal are as shown in below figure Technical data At digital Inputs please connect...

Страница 170: ...in no shutdown shutdown set name clear show Discrete IO Channels Commands Command Description Discrete in Shutdown disable the input channels no shutdown enable the input channels Set name Set a name...

Страница 171: ...he spoke and Hub will establish connection over the shared link At below examples see vlan 20 subnet 172 18 20 x 2 Both will be set with a common mGRE tunnel each holding an mGRE interfaces See 10 10...

Страница 172: ...n the VPN from default vlan 1 config terminal no spanning tree vlan 1 no ports fastethernet 0 1 0 8 gigabitethernet 0 3 untagged fastethernet 0 1 0 8 exit 3 Assign the user and network vlans and set P...

Страница 173: ...0 0 0 192 168 10 201 1 end commit 6 Assign ACE IP interface which will route user traffic application connect router interface create address prefix 192 168 10 201 24 vlan 10 purpose general 7 Assign...

Страница 174: ...outer interface create address prefix 192 168 40 201 24 physical interface eth1 description UNI purpose general admin status enable 2 Assign IP interface towards the WAN router router interface create...

Страница 175: ...mp update my id RTU1 radiflow com ipsec preshared create id HUB radiflow com key secretkey ipsec preshared create id RTU1 radiflow com key secretkey ipsec isakmp update id type fqdn ipsec policy creat...

Страница 176: ...er 4 As the hub is located behind a NAT router a default gateway should be assigned at the ACE interface 172 18 212 100 5 As this is layer 3 service the users behind the spoke and hub are in different...

Страница 177: ...cription UNI purpose application host admin status enable 2 Setting the cellular modem cellular settings update default route yes 3 Wan update menu SIM card configuration slot 1 cellular wan update si...

Страница 178: ...the tunnel remote end router static enable configure terminal ip route 192 168 10 0 24 10 10 10 10 write memory exit exit commit 8 IPSec configuration RL1000GW ipsec isakmp update my id RTU1 radiflow...

Страница 179: ...1 255 255 255 0 no shut exit ip route 0 0 0 0 0 0 0 0 192 168 10 10 1 end 2 Create an IP interface ETH 20 in the subnet of the router router interface create address prefix 172 18 212 230 24 vlan 20...

Страница 180: ...10 20 router static enable configure terminal ip route 192 168 40 0 24 10 10 10 20 ip route 0 0 0 0 0 172 18 212 100 write exit exit 7 IPSec configuration RL1000GW application connect ipsec isakmp up...

Страница 181: ...FE16R hub Show vlan router interface show 2 Make sure both the IP of the hub and the one of the spoke are each accessible from the internet using a PC connected to the internet send ping commands ping...

Страница 182: ...00GW vpn gre nhrp map show status Tunnel Protocol Changes Oper Last Name address prefix Status change sec ago mgre1 10 10 10 10 24 1 up 1151 RL1000GW ipsec show sa 46 210 228 96 4500 80 74 102 38 4500...

Страница 183: ...bc e106edb4 40103b21 95609c4a 2dcedbe5 4ac0a5d2 b6762651 A hmac md5 5719c1c7 a42a25b5 b9a3bb2a d391f8da seq 0x00000000 replay 4 flags 0x00000000 state mature created May 18 13 09 36 2014 current May 1...

Страница 184: ...rial local end point create port 1 service id 1 application terminal server commit 2 Create the terminal server service terminal server admin status enable terminal server tcp service create service i...

Страница 185: ...rial tunnel position master serial remote end point create remote address 192 168 40 10 service id 2 position slave exit write startup cfg Spoke 1 Create the serial port and transparent serial tunneli...

Страница 186: ...according to the operator defined values Firewall Service flow In order for a protocol flow to be inspected by the firewall the following is achieved by the ComNet NMS iSIM A designated service vlan...

Страница 187: ...RL1000GW variants support the firewall as an option Configuration The firewall configuration consists of two parts 1 Access lists at the ports filtering L3 L4 traffic and directing the designated SCA...

Страница 188: ...104 traffic to the firewall RL1000GW ip access list extended RL1000GW ip access list extended create acl num 1101 acl name SCADA redirect fw RL1000GW ip access list extended permit tcp acl num 1101 r...

Страница 189: ...acl num 1102 interface eth1 direction in priority 10 completed ok 5 Create the firewall rules file Done only with EMS 6 Download and activate the firewall rules file firewall profile import tftp remo...

Страница 190: ...sabled Packets are not inspected Enabled packets are inspected and blocked in case of violation Violations are logged Simulate packets are inspected but are not blocked in case of violations Violation...

Page 192: ...RIVE DANBURY CT 06810 USA T 203 796 5300 F 203 796 5303 TECH SUPPORT 1 888 678 9427 INFO COMNET NET 8 TURNBERRY PARK ROAD GILDERSOME MORLEY LEEDS UK LS27 7LE T 44 0 113 307 6400 F 44 0 113 253 7462 IN...
