Digi IX20 Скачать руководство пользователя страница 266 | Manualshive

Страница: 266 / 726

Digi IX20 Скачать руководство пользователя страница 266

Virtual Private Networks (VPN)

IPsec

IX20 User Guide

266

Aggressive mode is usually used when one or both of the devices have a dynamic external IP
address.

Phase 2

In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each
direction. Once the phase 2 negotiation is complete, the IPsec tunnel should be fully functional.

IPsec and IKE renegotiation

To reduce the chances of an IPsec tunnel being compromised, the IPsec SAs and IKE SA are
renegotiated at a regular interval. This results in different encryption keys being used in the IPsec
tunnel.

Authentication

Client authenticaton

XAUTH (extended authentication) pre-shared key authentication mode provides additional security by
using client authentication credentials in addition to the standard pre-shared key. The IX20 device can
be configured to authenticate with the remote peer as an XAUTH client.

RSA Signatures

With RSA signatures authentication, the IX20 device uses a private RSA key to authenticate with a
remote peer that is using a corresponding public key.

Certificate-based Authentication

X.509 certificate-based authentication makes use of private keys on both the server and client which
are secured and never shared. Both the server and client have a certificate which is generated with
their respective private key and signed by a Certificate Authority (CA).

The IX20 implementation of IPsec can be configured to use X.509 certificate-based authentication
using the private keys and certificates, along with a root CA certificate from the signing authority and,
if available, a Certificate Revocation List (CRL).

Configure an IPsec tunnel

Configuring an IPsec tunnel with a remote device involves configuring the following items:

Required configuration items

n

IPsec tunnel configuration items:

l

The mode: either tunnel or transport.

l

Enable the IPsec tunnel.

The IPsec tunnel is enabled by default.

l

The firewall zone of the IPsec tunnel.

l

The authentication type and pre-shared key or other applicable keys and certificates.

l

The local endpoint type and ID values, and the remote endpoint host and ID values.

«
...
264
265
266
267
268
...
»

Содержание IX20

Страница 1: ...IX20 User Guide ...

Страница 2: ...pport l Support for remote proxy server for Digi Remote Manager l Watchdog support for connection to Digi Remote Manager l Locally authenticate CLI option added to Digi Remote Manager configuration to control whether a user is required to provide device level authentication when accessing the console of the device through Digi Remote Manager l Added a randomized two minute delay window for uploadi...

Страница 3: ...points are uploaded as health metrics to Digi Remote Manager l Added the ability to select Digi aView as the cloud service n Added the ability to duplicate firmware to copy the active firmware to the secondary firmware partition n Moved the update firmware CLI command to system firmware update n Added new Authoritative option under TACACS RADIUS and LDAP user authentication methods to prevent fall...

Страница 4: ...ks and copyright Digi Digi International and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide All other trademarks mentioned in this document are the property of their respective owners 2020 Digi International Inc All rights reserved Disclaimers Information in this document is subject to change without notice and does not represent a commitme...

Страница 5: ...to reproduce Contact Digi technical support Digi offers multiple technical support plans and service packages Contact us at 1 952 912 3444 or visit us at www digi com support Feedback To provide feedback on this document email your comments to techcomm digi com Include the document title and part number IX20 User Guide 90002381 C in the subject line of your email IX20 User Guide 5 ...

Страница 6: ...ew 21 IX20 LEDs 22 Power 23 INT 23 Wi Fi Service IX20W model only 23 SIM1 23 SIM2 23 LTE 24 Signal quality indicators 24 Ethernet Link and Activity 25 Signal quality bars explained 25 IX20 power supply requirements 26 Digi IX20 serial connector pinout 26 Configuration for extreme thermal conditions 27 Hardware setup Install SIM cards in the Plug in LTE modem 31 Tips for improving cellular signal s...

Страница 7: ...reless Wide Area Networks WWANs 49 Configure WAN WWAN priority and default route metrics 49 WAN WWAN failover 52 Configure SureLink active recovery to detect WAN WWAN failures 53 Configure the device to reboot when a failure is detected 60 Disable SureLink 66 Example Use a ping test for WAN failover from Ethernet to cellular 70 Using Ethernet devices in a WAN 73 Using cellular modems in a Wireless...

Страница 8: ...g 207 Configure a static route 208 Delete a static route 211 Policy based routing 213 Configure a routing policy 213 Example Dual WAN policy based routing 221 Example Route traffic to a specific WAN interface based on the client MAC address 224 Routing services 229 Configure routing services 230 Show the routing table 233 Dynamic DNS 234 Configure dynamic DNS 234 Virtual Router Redundancy Protocol...

Страница 9: ...rk Management Protocol SNMP 389 Download MIBs 394 Configure the Modbus gateway 394 Configure gateway servers 396 Configure clients 398 System time 409 Configure the system time 409 Network Time Protocol 412 Configure the device as an NTP server 412 Configure a multicast route 417 Ethernet network bonding 420 Enable service discovery mDNS 423 Use the iPerf service 426 Example performance test using...

Страница 10: ... use a TACACS server 504 Remote Authentication Dial In User Service RADIUS 510 RADIUS user configuration 511 RADIUS server failover and fallback to local configuration 511 Configure your IX20 device to use a RADIUS server 512 LDAP 517 LDAP user configuration 518 LDAP server failover and fallback to local configuration 519 Configure your IX20 device to use an LDAP server 519 Disable shell access 52...

Страница 11: ...display top data usage information 603 Use intelliFlow to display data usage by host over time 605 Configure NetFlow Probe 606 Central management Digi Remote Manager support 612 Configure Digi Remote Manager 612 Collect device health data and set the sample interval 618 Log into Digi Remote Manager 621 Use Digi Remote Manager to view and manage your device 623 Add a device to Digi Remote Manager 6...

Страница 12: ... IX20 regulatory and safety statements RF exposure statement 665 Federal Communication FCC Part 15 Class B 665 Radio Frequency Interference RFI FCC 15 105 665 European Community CE Mark Declaration of Conformity DoC 666 CE mark Europe 666 Maximum transmit power for radio frequencies 668 Innovation Science and Economic Development Canada IC certifications 668 RoHS compliance statement 669 Safety st...

Страница 13: ...ion mode 684 Enter configuration commands in configuration mode 684 Save changes and exit configuration mode 684 Exit configuration mode without saving changes 685 Configuration actions 685 Display command line help in configuration mode 686 Move within the configuration schema 688 Manage elements in lists 689 The revert command 691 Enter strings in configuration commands 693 Example Create a new ...

Страница 14: ...i Remote Manager l Added the ability to select Digi aView as the cloud service n Added the ability to duplicate firmware to copy the active firmware to the secondary firmware partition n Moved the update firmware CLI command to system firmware update n Added new Authoritative option under TACACS RADIUS and LDAP user authentication methods to prevent falling back to additional authentication method...

Страница 15: ...iving SMS messages in a custom python script n MQTT client support via Paho Python module n Added a random unprivileged port for performing ntp time syncs if standard port 123 fails n Scripting enhancements l Added a Status Scripts page in the web UI and show scripts command to the Admin CLI to view custom scripts and applications configured in the device along with their status Added the system s...

Страница 16: ...r code and scan the installation QR code on the label 4 Follow the prompts to complete your IX20 registration If you need to sign up for a Digi Remote Manager account 1 Click here to create a new account You ll receive an email with login instructions 2 On your smartphone or tablet download the Digi Remote Manager mobile app from the App Store iPhone or Google Play Android 3 Open the Digi Remote M...

Страница 17: ...he power input n Digi 1002 CM unit n CM unit cover plate n Antennas Two cellular antenna are included For the Wi Fi enabled IX20W device a Wi Fi antenna is also included n Power supply and adapters n Ethernet cable n Insert cards n Digi IX20 label Printed copy of the product label on the bottom of your device You can affix this label to the top or side of the device such that you can access the la...

Страница 18: ...For optionally mounting the IX20 to a DIN rail Laptop or personal computer Use an Ethernet cable to connect your IX20 to a laptop or PC SIM card s If you intend to configure cellular WWAN access at this time acquire SIM cards as needed Note the carrier network APN Access Point Name and SIM pin if any for each card Smart phone or tablet Optional Use a smart phone or table to to automatically regist...

Страница 19: ...tach spare label included with the CORE modem to the device 6 Attach antenna s 7 If you intend to configure Ethernet WAN access at this time use an Ethernet cable to connect the IX20 s WAN ETH1 port to a hub with access to the Internet 8 Use an Ethernet cable to connect the IX20 ETH2 port to your PC Step 4 Power up a Connect DC power Note If you need help understanding power requirements see IX20 ...

Страница 20: ...printed on the bottom label of the device or the printed label included in the package When you first log into the WebUI or the command line you must change the password for the admin user See Change the default password for the admin user for instructions Additionally for Wi Fi enabled models when you first log into the WebUI or the command line you will be required the change the SSID and pre sh...

Страница 21: ...0 100 BaseT Ethernet ports for high speed connectivity For a detailed list of IX20 hardware specifications see https www digi com products networking cellular routers industrial digi ix20 specifications IX20 accessories When accessories are purchased with the IX20 device the following are provided n Cellular antennas n Wi Fi antennas for the IX20W device only n Power supply n Ethernet cable n DIN ...

Страница 22: ...SE button one time will reset the device configurations to the factory default It will not remove any automatically generated certificates and keys 2 Full device reset After the device reboots from the first button press press the ERASE button again before the device is connected to the internet to also remove generated certificates keys 3 Firmware reversion Press and hold the ERASE button and the...

Страница 23: ...he WAN ETH1 Ethernet port is connecting Solid green The WAN ETH1 Ethernet port is connected and has activity Wi Fi Service IX20W model only Off No Wi Fi access points or Wi Fi clients are enabled Solid green Wi Fi access points or Wi Fi clients are enabled SIM1 Indicates that SIM1 is in use Off SIM1 not in use Solid green SIM1 is in use SIM2 Indicates that SIM2 is in use ...

Страница 24: ... to a device on its ETH2 port Flashing white ETH2 port connection established and in the process of connecting to the cellular network Solid blue Connected to the 4G LTE and also has a ETH2 connection Flashing green Connected to 2G or 3G and is in the process of connecting to any device on its ETH2 port or nothing is connected to the port Alternating Red yellow or orange Upgrading firmware WARNING...

Страница 25: ...explained The signal status bars for the Digi IX20 measure more than simply signal strength The value reported by the 4G LTE signal bars is calculated using an algorithm that takes into consideration the Reference Signals Received Power RSRP the Signal to noise ratio SNR and the Received Signal Strength Indication RSSI to provide an accurate indicator of the quality of the signal that the device i...

Страница 26: ... then reported as the signal strength bars IX20 power supply requirements IX20 is intended to be powered by a certified power supply with output rated at either 12 VDC 0 75 A or 24 VDC 0 375 A minimum n Use the included power supply part number 24000154 n If you are providing the DC power source with a non Digi power supply you must use a certified LPS power supply rated at either 12 VDC 0 75 A or...

Страница 27: ...n the following temperate ranges n IX20W Wi Fi enabled version 20C to 70C 40F to 158F n IX20 non Wi Fi version 40C to 70C 4F to 158F However in extreme temperature conditions up to 70C 158F you must add a Quality of Service QOS rule that limits the upload speed of the modem to 1 Mpbs For less extreme temperatures a modem upload speed of up to 10 Mpbs is acceptable WebUI 1 Log into the IX20 WebUI a...

Страница 28: ...nd line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a binding config add firewall qos end config firewall qos 2 4 Set the interface to the modem interface config fi...

Страница 29: ...ig firewall qos 2 policy 0 add rule end config firewall qos 2 policy 0 rule 0 The default settings for the policy and rule are sufficient 8 Save the configuration and apply the change config firewall qos 2 policy 0 rule 09 save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from...

Страница 30: ...Hardware setup This chapter contains the following topics Install SIM cards in the Plug in LTE modem 31 Connect data cables 32 Mount the IX20 device 32 IX20 User Guide 30 ...

Страница 31: ... in an environment with high vibration levels SIM card contact fretting may cause unexpected SIM card failures To protect the SIM cards Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards 3 On the IX20 back panel remove the CORE modem cover by loosening the cover plate thumb screw and removing the cover plate 4 With the an...

Страница 32: ...o service try the following things to improve signal strength n Move the device to another location n Try connecting a different set of antennas if available n Purchase a Digi Antenna Extender Kit Antenna Extender Kit 1m Connect data cables The IX20 provides two types of data ports n Ethernet RJ 45 Use a Cat 5e or Cat 6 Ethernet cable n Serial 9 pin RS 232 Use a serial cable with a 9 pin RS 232 co...

Страница 33: ...unting tabs Attach to DIN rail with clip The DIN rail clip is an optional accessory included when the IX20 is purchased with accessories 1 Attach the DIN rail clip to the bottom of the device with the screws provided 2 Set the IX20 device onto a DIN rail and gently press until the clip snaps into the rail ...

Страница 34: ...ed 2 Attach the IX20 device to the bracket with the screws provided 3 Set the bracket with the clip onto a DIN rail and gently press until the clip snaps into the rail WARNING If being installed above head height on a wall or ceiling ensure the device is fitted securely to avoid the risk of personal injury Digi recommends that this device be by an accredited contractor ...

Страница 35: ...38 Reset default SSID and pre shared key for the preconfigured Wi Fi access point 40 Configuration methods 42 Using Digi Remote Manager 42 Access Digi Remote Manager 42 Using the web interface 43 Using the command line 45 Access the command line interface 45 Log in to the command line interface 45 Exit the command line interface 46 IX20 User Guide 35 ...

Страница 36: ... Click Device Management to display a list of your devices 3 Locate and select your device as described in Use Digi Remote Manager to view and manage your device 4 Click Configure The following tables list important factory default settings for the IX20 Default interface configuration Interface type Preconfigured interfaces Devices Default configuration Wide Area Network WAN n ETH1 n Ethernet ETH1...

Страница 37: ...N n Firewall zone Setup n IP address 192 168 210 1 24 n Default Link local IP n Bridge LAN n Firewall zone Setup n IP address 169 254 100 100 16 Wi Fi available with IX20W models only n Wi Fi access point Digi AP n Wi Fi radio n Enabled n SSID Digi IX20W serial_number n Encryption WAP2 Personal PSK n Pre shared key The unique password printed on the bottom label of the device Bridges Wi Fi model o...

Страница 38: ...and on the loose label included in the package When you first log into the WebUI or the command line you will be required to change the password for the admin user prior to being able to save any configuration changes If you erase the device configuration or reset the device to factory defaults the password for the admin user will revert to the original factory assigned default password Additional...

Страница 39: ...ration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set a new password for the admin user The password must be at least ten characters ...

Страница 40: ...nt For the Wi Fi enabled IX20W device by default the SSID and pre shared key for the preconfigured Wi Fi access point are n Enabled n SSID Digi IX20W serial_number n Encryption WAP2 Personal PSK n Pre shared key The unique password printed on the bottom label of the device When you first log into the WebUI or the command line or after erasing the configuration you will be required to change the SS...

Страница 41: ...a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set a new SSID for the digi_ap access point config network wifi ap digi_ap ssid new_ssid config 4 Set a new pre shared key config network wifi ap digi_ap encryp...

Страница 42: ...e your IX20 device Web based instructions in this guide are applicable to both the Remote Manager and the local web interface n Command line A robust command line allows you to perform all configuration and management tasks from within a command shell Both the Remote Manager and the local web interface also have the option to open a terminal emulator for executing commands on your IX20 device See ...

Страница 43: ... label packaged with your device After logging in the local web admin dashboard is displayed The dashboard shows the current state of the device Dashboard area Description Network activity Summarizes network statistics the total number of bytes sent and received over all configured bridges and Ethernet devices Digi Remote Manager Displays the device connection status for Digi Remote Manager the am...

Страница 44: ...Configuration and management Using the web interface IX20 User Guide 44 Log out of the web interface n On the main menu click your user name Click Log out ...

Страница 45: ...ommand line your device must be configured to allow access and you must log in as a user who has been configured for the appropriate access For further information about configuring access to these services see n Serial Configure the serial port n WebUI Configure the web administration service n SSH Configure SSH access n Telnet Configure telnet access Log in to the command line interface Command ...

Страница 46: ...he IX20 command line You will now be connected to the Admin CLI Connecting now exit to disconnect from Admin CLI See Command line interface for detailed instructions on using the command line interface Exit the command line interface Command line 1 At the command prompt type exit exit 2 Depending on the device configuration you may be presented with another menu for example Access selection menu a...

Страница 47: ...unications interfaces These interfaces can be bridged in a Local Area Network LAN or assigned to a Wide Area Network WAN This chapter contains the following topics Wide Area Networks WANs 48 Local Area Networks LANs 108 Bridging 137 IX20 User Guide 47 ...

Страница 48: ...ink enabled for IPv4 You can modify configuration settings for the existing WAN and WWANs and you can create new WANs and WWANs This section contains the following topics Wide Area Networks WANs and Wireless Wide Area Networks WWANs 49 Configure WAN WWAN priority and default route metrics 49 WAN WWAN failover 52 Configure SureLink active recovery to detect WAN WWAN failures 53 Configure the device...

Страница 49: ...e as configured in the WAN s IPv4 and IPv6 metric settings Assigning priority to WANs By default the IX20 device s WAN ETH1 is configured with the lowest metric 1 and is therefor the highest priority WAN By default the Wireless WAN Modem is configured with a metric of 3 which means it has a lower priority than ETH1 You can assign priority to WANs based on the behavior you want to implement for pri...

Страница 50: ... Guide 50 3 Set the metrics for Modem a Click Network Interfaces Modem IPv4 b For Metric type 1 c Click IPv6 d For Metric type 1 4 Set the metrics for ETH1 a Click Network Interfaces ETH1 IPv4 b For Metric type 2 c Click IPv6 d For Metric type 2 ...

Страница 51: ...to the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the metrics for Modem a Set the IPv4 metric for Modem to 1 For example config network interface modem ipv4 metric 1 config b Set...

Страница 52: ... There are two ways to detect WAN or WWAN failure active detection and passive detection n Active detection uses Digi SureLinkTM technology to send probe tests to a target host or to test the status of the interface The WAN WWAN is considered to be down if there are no responses for a configured amount of time See Configure SureLink active recovery to detect WAN WWAN failures for more information ...

Страница 53: ...s n Enable SureLink SureLink can be enabled for both IPv4 and IPv6 configurations By default SureLink is enabled for IPv4 for the preconfigured WAN ETH1 and WWAN Modem It is disabled for IPv6 n The type of probe test to be performed either l Ping Requires the hostname or IP address of the host to be pinged l DNS query You can perform a DNS query to a named DNS server or to the DNS servers configur...

Страница 54: ...be configured for both IPv4 and IPv6 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Create a new WAN or WWAN or select an existing one n To create a new WAN or WWAN see Configure a Wide Area Network WAN or Configure a Wireless Wide Area Net...

Страница 55: ... s For example to set Down time to ten minutes enter 10m or 600s The default is 60 seconds l Initial connection time The amount of time to wait for an initial connection to the interface before this test is considered to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Initial connection time to ten minutes ent...

Страница 56: ...ions are for IPv4 to configure IPv6 active recovery replace ipv4 in the command line with ipv6 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new WAN or WWAN or e...

Страница 57: ...t 0 n dns Tests connectivity by sending a DNS query to the specified DNS server l Specify the DNS server Allowed value is the IP address of the DNS server config network interface my_wan ipv4 surelink target 0 dns_ server ip_address config network interface my_wan ipv4 surelink target 0 n dns_configured Tests connectivity by sending a DNS query to the DNS servers configured for this interface n ht...

Страница 58: ... minutes or seconds and takes the format number w d h m s For example to set interface_timeout to ten minutes enter either 10m or 600s config network interface my_wan ipv4 surelink target 0 interface_timeout 600s config network interface my_wan ipv4 surelink target 0 The default is 60 seconds Optional Repeat to add additional test targets 7 Optional active recovery configuration parameters a Move ...

Страница 59: ... ipv4 surelink success_condition value config network interface my_wan ipv4 surelink Where value is either one or all f Set the number of probe attempts before the WAN is considered to have failed config network interface my_wan ipv4 surelink attempts num config network interface my_wan ipv4 surelink The default is 3 g Set the amount of time that the device should wait for a response to a probe at...

Страница 60: ...performed either l Ping Requires the hostname or IP address of the host to be pinged l DNS query You can perform a DNS query to a named DNS server or to the DNS servers configured for the WAN l HTTP or HTTPS test Requires the URL of the host to be tested l Interface status Determines if the interface has an IP address assigned to it that the physical link is up and that a route is present to send ...

Страница 61: ...or the preconfigured WAN ETH1 and WWAN Modem It is disabled for IPv6 7 Enable Reboot device Note If both the Restart interface and Reboot device parameters are enabled the Reboot device parameter takes precedence 8 Click to expand Test targets 9 For Add Test Target click 10 Select the Test type n Ping test Tests connectivity by sending an ICMP echo request to the hostname or IP address specified i...

Страница 62: ...arameters a Change the Interval between connectivity tests Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s The default is 15 minutes b If more than one test target is configured for Success condition determine whether the interface should fail over based on the failure of one of t...

Страница 63: ...rk interface my_wan 4 Enable SureLink SureLink can be enabled for both IPv4 and IPv6 configurations By default SureLink is enabled for IPv4 for the preconfigured WAN eth1 and WWAN modemwwan2 It is disabled for IPv6 config network interface my_wan ipv4 surelink enable true config network interface my_wan 5 Set the device to reboot when the interface is considered to have failed config network inter...

Страница 64: ...RL l Specify the url config network interface my_wan ipv4 surelink target 0 http_url value config network interface my_wan ipv4 surelink target 0 where value uses the format http s hostname path n interface_up The interface is considered to be down based on the interfaces down time and the amount of time an initial connection to the interface takes before this test is considered to have failed l O...

Страница 65: ...vity tests config network interface my_wan ipv4 surelink interval value config network interface my_wan ipv4 surelink where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interval to ten minutes enter either 10m or 600s config network interface my_wan ipv4 surelink interval 600s config network interface my_wan ipv4 surelink The d...

Страница 66: ...nterface my_wan ipv4 surelink save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Disable SureLink If your device uses a private APN with no Internet access or your device has a restricted wired WAN connection that doesn t allow DNS resolution follow this proced...

Страница 67: ... to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Change to the WAN or WWAN s node in the configuration schema For example to disable SureLink for the Modem interface config network interface modem config network interface modem 4 Disable SureLink config network interface modem ipv4 surelink enable false config network interface modem 5 Save the...

Страница 68: ...to it that the physical link is up and that a route is present to send traffic out of the network interface WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Select the appropriate WAN or WWAN on which SureLink should be disabled 5 After...

Страница 69: ...cess selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Change to the WAN or WWAN s node in the configuration schema For example to disable SureLink for the Modem interface config network interface modem config network interface modem 4 Determine the index number of the target config network interface modem show ipv4 sure...

Страница 70: ...as the primary WAN while the cellular Modem interface serves as the backup WAN In this example configuration SureLink is used over for the ETH1 interface to send a probe packet of size 256 bytes to the IP host 43 66 93 111 every 10 seconds If there are three consecutive failed responses the IX20 device brings the ETH1 interface down and starts using the Modem interface It continues to regularly te...

Страница 71: ...expand Test targets d Delete the existing test targets Click the menu icon next to each target and select Delete e For Add Test Target click f For Test type select Ping test g For Ping host type 43 66 93 111 h For Ping payload size type 256 4 Repeat the above step for Modem to enable SureLink on that interface 5 Click Apply to save the configuration and apply the change ...

Страница 72: ...ig network interface eth1 del ipv4 surelink target 1 config network interface eth1 c Add a test target config add network interface eth1 ipv4 surelink target end config network interface eth1 ipv4 surelink target 0 d Set the probe type to ping config network interface eth1 ipv4 surelink target 0 test ping config network interface eth1 ipv4 surelink target 0 e Set the packet size to 256 bytes confi...

Страница 73: ...n these Ethernet devices to a WAN Using cellular modems in a Wireless WAN WWAN The IX20 supports one cellular modem named Modem which is included in a preconfigured Wireless WAN also named Modem The cellular modem can have only one active interface at any one time For example Modem can have either SIM1 or SIM2 up at one time Typically you configure SIM1 of the cellular modem as the primary cellula...

Страница 74: ...ests only an IPv4 address n IPv6 Requests only an IPv6 address The default is Automatic 6 Optional Authentication method For Authentication method select one of the following n None No authentication is required n Automatic The device will attempt to connect using CHAP first and then PAP n CHAP Uses the Challenge Handshake Authentication Profile CHAP to authenticate n PAP Uses the Password Authent...

Страница 75: ...LI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config network interface modem modem apn 0 apn value config where value is the APN for the SIM card 4 Optional To add additional APNs a Use the add command to add a new APN entry For example config add network interface modem modem apn end config network interface modem modem apn 1 b Set the ...

Страница 76: ...ssword required to authenticate config network interface modem modem apn 0 username name config network interface modem modem apn 0 password pwd config The default is none 7 Optional To configure the device to bypass its preconfigured APN list and only use the configured APNs config network interface modem modem apn_lock true config 8 Save the configuration and apply the change config save Configu...

Страница 77: ...dem SIM Status APN Signal Strength modem 1 ready connected 1234 Good 84 dBm n To view detailed status and statistics use the show modem name name command show modem name modem modem Telit LM940 IMEI 781154796325698 Manufacturer Telit Model LM940 FW Version 24 01 541_ATT Revision 24 01 541 Status State connected APN 1234 Signal Strength Good 85 dBm Bars 2 5 Access Mode 4G Temperature 34C IP address...

Страница 78: ...modem named modem with PUK code 12345678 and set the new SIM PIN to 1234 modem puk unlock 12345678 1234 modem 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Note If the SIM remains in a locked state after using the unlock command contact your cellular carrier Signal strength for 4G ...

Страница 79: ... CLI prompt type modem at interactive and press Enter Type n if you do not want exclusive access This allows you to send AT commands to the device while still allowing the device to connect disconnect and or reconnect to the cellular network 3 At the Admin CLI prompt use the modem command to begin an interactive AT command session modem at interactive Do you want exclusive access to the modem y n ...

Страница 80: ... through the private connection n Separation of untrusted Internet traffic from trusted internal network traffic n Secure connection to internal customer network without using a VPN n Separate billing structures for public and private traffic n Site to site networking without the overhead of tunneling for each device In the following example configuration all traffic on LAN1 is routed through the ...

Страница 81: ...terfaces type 2 4 Create the WWAN interfaces In this example we will create two interfaces named WWAN_Public and WWAN_Private a Click Network Interfaces b For Add Interface type WWAN_Public and click c For Interface type select Modem d For Zone select External e For Device select Modem f Optional Configure the public APN If the public APN is not configured the IX20 will attempt to determine the AP...

Страница 82: ... External j For Device select Modem This should be the same modem selected for the WWAN_Public WWAN k Enable APN list only l Click to expand APN list APN m For APN type the private APN provided to you by your cellular carrier 5 Create the routing policies For example to route all traffic from LAN1 through the public APN and LAN2 through the private APN ...

Страница 83: ...Interface select LAN1 f Configure the destination address i Click to expand Destination address ii For Type select Interface iii For Interface select Interface WWAN_Public g Click the to add another route policy h For Label enter Route through private APN i For Interface select Interface WWAN_Private j Configure the source address i Click to expand Source address ii For Type select Interface iii F...

Страница 84: ...ter configuration mode config config 3 Set the maximum number of interfaces for the modem config network modem modem max_intfs 2 config 4 Create the WWAN interfaces a Create the WWANPublic interface config add network interface WWANPublic config network interface WWANPublic b Set the interface type to modem config network interface WWANPublic type modem config network interface WWANPublic c Set th...

Страница 85: ...vice modem config network interface WWANPrivate i Enable APN list only config network interface WWANPrivate apn_lock true config network interface WWANPrivate j Set the private APN config network interface WWANPublic modem apn private_apn config network interface WWANPublic 5 Create the routing policies For example to route all traffic from LAN1 through the public APN and LAN2 through the private ...

Страница 86: ...licy 0 interface network interface WWANPublic config network route policy 0 f Use to periods to move back one level in the configuration config nnetwork route policy 0 config nnetwork route policy g Add a new routing policy config network route policy add end config network route policy 1 h Set the label that will be used to identify this route policy config network route policy 1 label Route thro...

Страница 87: ...y 1 dst type interface config network route policy 1 ii Set the interface to WWANPrivate config network route policy 1 interface network interface WWANPrivate config network route policy 1 6 Save the configuration and apply the change config network route policy 1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access s...

Страница 88: ...rvers for this interface l Whether to include the IX20 device s hostname in DHCP requests l SureLink active recovery configuration See Configure SureLink active recovery to detect WAN WWAN failures for further information n IPv6 configuration l The metric for IPv6 routes associated with the WAN l The relative weight for IPv6 routes associated with the WAN l The IPv6 management priority of the WAN ...

Страница 89: ...k n To edit an existing WAN click to expand the WAN The Interface configuration window is displayed New WANs are enabled by default To disable click Enable 5 For Interface type leave at the default setting of Ethernet 6 For Zone select External 7 For Device select an Ethernet device a Wi Fi client or a bridge See Bridging for more information about bridging 8 Configure IPv4 settings a Click to exp...

Страница 90: ...en be configured to register the device s hostname and IP address with an associated DNS server n See RFC4702 for further information about DHCP server support for the Client FQDN option n See Configure system information for information about setting the IX20 device s system name d See Configure SureLink active recovery to detect WAN WWAN failures for information about configuring Active recovery...

Страница 91: ... See Configure system information for information about setting the IX20 device s system name 10 Optional Click to expand MAC address blacklist Incoming packets will be dropped from any devices whose MAC addresses is included in the MAC address blacklist a Click to expand MAC address blacklist b For Add MAC address click c Type the MAC address 11 Optional Click to expand MAC address whitelist If t...

Страница 92: ...bridge See Bridging for more information about bridging a Enter device to view available devices and the proper syntax config network interface my_wan device Device The network device used by this network interface Format network device eth1 network device eth2 network device loopback network bridge lan network wireless ap digi_ap Current value config network interface my_wan device b Set the devi...

Страница 93: ...interface my_wan iv Set the MTU config network interface my_wan ipv4 mtu num config network interface my_wan v Configure how to use DNS config network interface my_wan ipv4 use_dns value config network interface my_wan where value is one of n always DNS will always be used for this WAN when multiple interfaces have the same DNS server the interface with the lowest metric will be used for DNS reque...

Страница 94: ...6 support are sufficient You can view the default IPv6 settings by using the question mark config network interface my_wan ipv6 IPv6 Parameters Current Value dhcp_hostname false DHCP Hostname enable true Enable metric 0 Metric mgmt 0 Management priority mtu 1500 MTU type dhcpv6 Type use_dns always Use DNS weight 10 Weight Additional Configuration connection_monitor Active recovery config network i...

Страница 95: ...PN configuration n The custom gateway netmask n IPv4 configuration l The metric for IPv4 routes associated with the WAN l The relative weight for IPv4 routes associated with the WAN l The IPv4 management priority of the WAN The active interface with the highest management priority will have its address reported as the preferred contact address for central management and direct device access l The ...

Страница 96: ...WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Create the WWAN or select an existing WWAN n To create a new WWAN for Add interface type a name for the WWAN and click n To edit an existing WWAN click to expand the WWAN New WWANs are enabled by default To disabl...

Страница 97: ...s selected for Match ICCID type the unique SIM card ICCID that must be in active for this WWAN to be used b Type the PIN for the SIM Leave blank if no PIN is required c Type the Phone number for the SIM for SMS connections Normally this should be left blank It is only necessary to complete this field if the SIM does not have a phone number or if the phone number is incorrect d Roaming is enabled b...

Страница 98: ...0 Optional To configure the IP address of a custom gateway or a custom netmask a Click Custom gateway to expand b Click Enable c For Gateway Netmask enter the IP address and netmask of the custom gateway To override only the gateway netmask but not the gateway IP address use all zeros for the IP address For example 0 0 0 0 32 will use the network provided gateway but with a 32 netmask 11 Optional ...

Страница 99: ...ing Active recovery 2 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new WWAN or edit an e...

Страница 100: ...configuration items a Set theSIM matching criteria to determine when this WWAN should be used config network interface my_wwan modem match value config network interface my_wwan Where value is one of n any n carrier Set the cellular carrier must be in active for this WWAN to be used i Use to determine available carriers config network interface my_wwan modem carrier Match SIM carrier The SIM carri...

Страница 101: ...ace my_wwan modem plmn_id PLMN_ID config network interface my_wwan n sim_slot Set which SIM slot must be in active for this WWAN to be used config network interface my_wwan modem sim_slot value config network interface my_wwan where value is either 1 or 2 b Set the PIN for the SIM Leave blank if no PIN is required config network interface my_wwan modem pin value config network interface my_wwan c ...

Страница 102: ...imes that the device should attempt to connect to the active SIM before failing over to the next available SIM config network interface my_wwan modem sim_failover_retries num config network interface my_wwan The default setting is 5 ii Configure how SIM failover will function if automatic SIM switching is unavailable config network interface my_wwan modem sim_failover_alt value config network inte...

Страница 103: ...wwan b Set the metric config network interface my_wwan ipv4 metric num config network interface my_wwan See Configure WAN WWAN priority and default route metrics for further information about metrics c Set the relative weight for default routes associated with this interface For multiple active interfaces with the same metric the weight is used to load balance traffic to the interfaces config netw...

Страница 104: ...t the management priority This determines which interface will have priority for central management activity The interface with the highest number will be used config network interface my_wwan ipv6 mgmt num config network interface my_wwan f Set the MTU config network interface my_wwan ipv6 mtu num config network interface my_wwan g See Configure SureLink active recovery to detect WAN WWAN failure...

Страница 105: ... up fd00 2704 1 48 loopback IPv4 up 127 0 0 1 8 modem IPv4 up 10 200 1 101 30 modem IPv6 down 3 Enter show network interface name at the Admin CLI prompt to display additional information about a specific WAN For example to display information about ETH1 enter show network interface eth1 show network interface eth1 wan1 Interface Status Device eth1 Zone external IPv4 Status up IPv4 Type dhcp IPv4 ...

Страница 106: ...m You cannot delete the preconfigured WAN ETH1 or the preconfigured WWAN Modem WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click the menu icon next to the name of the WAN or WWAN to be deleted and select Delete 5 Click Apply to sav...

Страница 107: ...g to enter configuration mode config config 3 Use the del command to delete the WAN or WWAN For example to delete a WWAN named my_ wwan config del network interface my_wwan 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect f...

Страница 108: ... DHCP server enabled n LAN priority Metric 5 n Loopback n Ethernet Loopback n Firewall zone Loopback n IP address 127 0 0 1 8 n Default IP n Bridge LAN n Firewall zone Setup n IP address 192 168 210 1 24 n Default Link local IP n Bridge LAN n Firewall zone Setup n IP address 169 254 100 100 16 You can modify configuration settings for ETH2 and you can create new LANs This section contains the foll...

Страница 109: ... LAN n The IPv4 address and subnet mask for the LAN While it is not strictly necessary for a LAN to have an IP address if you want to send traffic from other networks to the LAN you must configure an IP address Note By default ETH2 is set to an IP address of 192 168 2 1 and uses the IP subnet of 192 168 2 0 24 If the WAN ETH1 Ethernet device is being used by a WAN with the same IP subnet you shoul...

Страница 110: ...ion Unit MTU of the LAN l The IPv6 prefix length and ID l IPv6 DHCP server configuration See DHCP servers for more information n MAC address blacklist and whitelist To create a new LAN or edit an existing LAN WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click...

Страница 111: ...utes associated with this interface For multiple active interfaces with the same metric Weight is used to load balance traffic to the interfaces iii Set the Management priority This determines which interface will have priority for central management activity The interface with the highest number will be used iv Set the MTU e Enable the DHCP server i Click to expand DHCP server ii Click Enable See...

Страница 112: ...al Click to expand MAC address whitelist If there whitelist entries are specified incoming packets will only be accepted from the listed MAC addresses a Click to expand MAC address whitelist b For Add MAC address click c Type the MAC address 13 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending ...

Страница 113: ...evice for the LAN config network interface my_lan device device config network interface my_lan 6 Configure IPv4 settings n IPv4 support is enabled by default To disable config network interface my_lan ipv4 enable false config network interface my_lan n The LAN is configured by default to use a static IP address for its IPv4 configuration To configure the LAN to be a DHCP client rather than using ...

Страница 114: ... config network interface my_lan iv Set the MTU config network interface my_lan ipv4 mtu num config network interface my_lan c Enable the DHCP server config network interface my_lan ipv4 dhcp_server enable true See DHCP servers for information about configuring the DHCP server 7 Optional Configure IPv6 settings a Enable IPv6 support config network interface my_lan ipv6 enable true config network i...

Страница 115: ...ce my_lan d Modify any of the remaining default settings as appropriate For example to change the minimum length of the prefix config network interface my_lan ipv6 prefix_length 60 config network interface my_lan If the minimum length is not available then a longer prefix will be used See Configure WAN WWAN priority and default route metrics for further information about metrics 8 Save the configu...

Страница 116: ...aultlinklocal IPv4 up 169 254 100 100 16 eth1 IPv4 up 10 10 10 10 24 eth1 IPv6 up fe00 2404 240 f4ff fe80 120 64 eth2 IPv4 up 192 168 2 1 24 eth2 IPv6 up fd00 2704 1 48 loopback IPv4 up 127 0 0 1 8 modem IPv4 up 10 200 1 101 30 modem IPv6 down 3 Enter show network interface name at the Admin CLI prompt to display additional information about a specific LAN For example to display information about ...

Страница 117: ...lete a LAN Follow this procedure to delete any LANs that have been added to the system You cannot delete the preconfigured LAN LAN1 WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click the menu icon next to the name of the LAN to be d...

Страница 118: ...ocal network Addresses are assigned from a specified pool of IP addresses For a local network the device uses the DHCP server that has the IP address pool in the same IP subnet as the local network When a host receives an IP configuration the configuration is valid for a particular amount of time known as the lease time After this lease time expires the configuration must be renewed The host renew...

Страница 119: ...ck to expand an existing LAN or create a new LAN See Configure a LAN 5 Click to expand IPv4 DHCP server 6 Enable the DHCP server 7 Optional For Lease time type the amount of time that a DHCP lease is valid Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Lease time to ten minutes enter 10m or 600s The default is 12 hours 8...

Страница 120: ...er and Primary and Secondary WINS server select either n None No server is broadcast n Automatic Broadcasts the IX20 device s server n Custom Allows you to identify the IP address of the server f For Bootfile name type the relative path and file name of the bootfile on the TFTP server g For TFTP server name type the IP address or host name of the TFTP server 10 See Configure DHCP options for infor...

Страница 121: ...ainder of the IP address will be based on the LAN s static IP address as defined in the address parameter config network interface my_lan ipv4 dhcp_server lease_start num config Allowed values are between 1 and 254 and the default is 100 6 Optional Set the highest IP address that the DHCP server will assign to a client config network interface my_lan ipv4 dhcp_server lease_end num config Allowed v...

Страница 122: ...dress or host name of the primary and secondary DNS the primary and secondary NTP server and the primary and secondary WINS servers config network interface my_lan ipv4 dhcp_server advanced primary_dns value config network interface my_lan ipv4 dhcp_server advanced secondary_ dns value config network interface my_lan ipv4 dhcp_server advanced primary_ntp value config network interface my_lan ipv4 ...

Страница 123: ...rk interface my_lan ipv4 dhcp_server advanced static_lease 0 save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Map static IP addresses to hosts You can configure the DHCP server to assign static IP addresses to specific hosts Required configuration items n IP ...

Страница 124: ...This does not have to be the device s actual hostname 10 Repeat for each additional DHCP static lease 11 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line typ...

Страница 125: ...label for this static lease config network interface my_lan ipv4 dhcp_server advanced static_lease 0 name label config network interface my_lan ipv4 dhcp_server advanced static_lease 0 7 Save the configuration and apply the change config network interface my_lan ipv4 dhcp_server advanced static_lease 0 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuratio...

Страница 126: ...46 24 0E D9 no name 1 ip 192 168 2 11 mac E3 C1 1F 65 C3 0E no name config 4 Type cancel to exit configuration mode config cancel 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete static IP mapping entries To delete a static IP entry WebUI 1 Log into the IX20 WebUI as a user wit...

Страница 127: ... Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Show the static lease configuration For example to show the static leases for a lan named my_lan config show network interfac...

Страница 128: ...ou can configure DHCP servers running on your IX20 device to send certain specified DHCP options to DHCP clients You can also set the user class which enables you to specify which specific DHCP clients will receive the option You can also force the command to be sent to the clients DHCP options can be set on a per LAN basis or can be set for all LANs A total of 32 DHCP options can be configured Re...

Страница 129: ...type select the data type that the option uses If the incorrect data type is selected the device will send the value as a string 12 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CL...

Страница 130: ...ption 0 7 Optional Set a label for this custom option config network interface my_lan ipv4 dhcp_server advanced custom_option 0 name label config network interface my_lan ipv4 dhcp_server advanced custom_option 0 8 Optional To force the DHCP option to always be sent to the client even if the client does not ask for it config network interface my_lan ipv4 dhcp_server advanced custom_option 0 force ...

Страница 131: ...CP relay server and an IP address range are specified DHCP relay is used and the specified IP address range is ignored Multiple DHCP relay servers can be provided for each LAN If multiple relay servers are provided DHCP requests are forwarded to all servers without waiting for a response Clients will typically use the IP address from the first DHCP response received Configuring DHCP relay involves...

Страница 132: ... Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a DHCP relay server to an existing LAN For example to add a server to a LAN named my_ lan config add netwo...

Страница 133: ... my_lan ipv4 dhcp_relay 1 dhcp_server enable false config network interface my_lan ipv4 dhcp_relay 1 6 Save the configuration and apply the change config network interface lan1 ipv4 dhcp_relay 1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show DHCP server...

Страница 134: ...tual LANs VLANs allow splitting a single physical LAN into separate Virtual LANs This is useful for security reasons and also helps to reduce broadcast traffic on the LAN Required configuration items n Device to be assigned to the VLAN n The VLAN ID The TCP header uses the VLAN ID to identify the destination VLAN for the packet To create a VLAN WebUI 1 Log into the IX20 WebUI as a user with full A...

Страница 135: ... enter configuration mode config config 3 Add the VLAN config add network vlan name config 4 Set the device to be used by the VLAN a View a list of available devices config network vlan vlan1 device Device The Ethernet device to use for this virtual LAN Format network device eth1 network device eth2 network device loopback network vlan vlan1 network bridge lan network wireless ap digi_ap Current v...

Страница 136: ... Save the configuration and apply the change config network vlan vlan1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 137: ...owing preconfigured bridges Interface type Preconfigured interfaces Devices Default configuration Bridges Wi Fi model only n Bridge LAN n Ethernet ETH2 n Wi Fi access point Digi AP n Enabled n Used by the ETH1 interface You can modify configuration settings for the existing bridge and you can create new bridges This section contains the following topics Edit the preconfigured ETH2 bridge 138 Confi...

Страница 138: ...WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Bridges LAN 4 The LAN bridge is enabled by default To disable uncheck Enable 5 Modify the list of devices that are a part of the bridge By default the LAN bridge includes the following devices n Ethernet ETH2 n Wi Fi access po...

Страница 139: ... is 2 seconds 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 The LAN bridge is enabled by default...

Страница 140: ...a show network bridge lan1 device command after each device is deleted to determine the new index numbering b Add devices to the bridge i Determine available devices config network bridge my_bridge interface lan device Device The network device used by this network interface Format network device eth1 network device eth2 network device loopback network bridge lan network wireless ap digi_ap Defaul...

Страница 141: ...tion saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a bridge Required configuration items n A name for the bridge Bridges are enabled by default n Devices to be included in the bridge Additional configuration items n Enable Spanning Tree Protocol STP To create a brid...

Страница 142: ...licts a Click STP b Click Enable c For Forwarding delay enter the number of seconds that the device will spend in each of the listening and learning states before the bridge begins forwarding data The default is 2 seconds 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device config...

Страница 143: ...lan network wireless ap digi_ap Default value network bridge lan Current value network bridge lan config network bridge my_bridge b Add the appropriate device For example to add the Digi AP Wi Fi access point config network bridge my_bridge add device end network wireless ap digi_ap config 6 Optional Enable Spanning Tree Protocol STP STP is used when using multiple LANs on the same device to preve...

Страница 144: ...7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 145: ...evice s serial port The default serial port configuration is n Enabled n Serial mode Remote n Label None n Baud rate 9600 n Data bits 8 n Parity None n Stop bits 1 n Flow control None Configure the serial port By default the IX20 serial port is configured as follows n Enabled n Serial mode Remote n Label None n Baud rate 9600 n Data bits 8 n Parity None n Stop bits 1 n Flow control None To change ...

Страница 146: ...is enabled by default To disable toggle off Enable 4 For Mode one of the following n Login Allows the user to log into the device through the serial port n Remote access Allows for remote access to another device that is connected to the serial port n Application Provides access to the serial device from Python applications See Use Python to access serial ports for information about creating Pytho...

Страница 147: ...al If Remote Access is selected for Mode a Click to expand Service Settings All service settings are disabled by default Click available options to toggle them to enabled and set the IP ports as appropriate b Click to expand Session Settings c Enable Exclusive access to limit access to the serial port to a single active session d For Escape sequence type the characters used to start an escape sequ...

Страница 148: ...I 2 At the command line type config to enter configuration mode config config 3 The serial port is enabled by default To disable config serial port1 enable false config 4 Set the mode config serial port1 mode mode config where mode is either n login Allows the user to log into the device through the serial port n remote Allows for remote access to another device that is connected to the serial por...

Страница 149: ...by the device to which you want to connect config serial port1 stopbits bits config e Set the type of flow control used by the device to which you want to connect config serial port1 flow type config Allowed values are n none n rts cts n xon xoff The default is none 7 If mode is set to remote a Set the characters used to start an escape sequence config serial port1 escape string config If no chara...

Страница 150: ...ue config f Optional Enable monitoring of DCD Data Carrier Detect changes on this port config serial port1 monitor dcd true config g Configure TCP access to this port i Set the connection type config serial USB_port service tcp conn_type value config serial USB_port where value is one of i tcp The TCP connection is unencrypted ii tls The TCP connection uses Transport Layer Security TLS encryption ...

Страница 151: ...or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the tcp port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config serial USB_port add service tcp acl interface end value config serial USB_port Where value is an interface...

Страница 152: ...y dynamic_routes edge external internal ipsec loopback setup config serial USB_port Repeat this step to list additional firewall zones v Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial USB_port service tcp mdns enable true config serial USB_port h Configure telnet access to this port CAUTION This connection is not authe...

Страница 153: ...ial USB_port Where value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the telnet port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config serial USB_port add service telnet acl interface ...

Страница 154: ...ts Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config serial USB_port Repeat this step to list additional firewall zones iv Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial USB_port service telnet mdns enable true config serial USB_port i Configure ssh access to this port i Ena...

Страница 155: ...or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the ssh port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config serial USB_port add service ssh acl interface end value config serial USB_port Where value is an interface...

Страница 156: ...s Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config serial USB_port Repeat this step to list additional firewall zones iv Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial USB_port service ssh mdns enable true config serial USB_port 8 Configure TCP access to this port CAUTION T...

Страница 157: ... value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the tcp port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add serial port1 service tcp acl interface end value config Where valu...

Страница 158: ... Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Repeat this step to list additional firewall zones d Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial port1 service tcp mdns enable true config 9 Configure telnet access to this port CAUTION This connection is not authenticate...

Страница 159: ...e value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the telnet port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add serial port1 service telnet acl interface end value config Whe...

Страница 160: ...l lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Repeat this step to list additional firewall zones d Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial port1 service telnet mdns enable true config 10 Configure ssh access to this port a Enable ssh access config serial p...

Страница 161: ...DR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the ssh port Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add serial port1 service ssh acl interface end value config Where value is an interface defined on your device Display a list of available interface...

Страница 162: ... to list additional firewall zones d Optional Enable mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server config serial port1 service ssh mdns enable true config 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selec...

Страница 163: ...ration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show serial command show serial Label Port Enable Mode Baudrate Serial 1 port1 true login 9600 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 164: ...ol 169 Configure the Wi Fi radio s transmit power 170 Configure a Wi Fi access point with no security 172 Configure a Wi Fi access point with personal security 177 Configure a Wi Fi access point with enterprise security 182 Isolate Wi Fi clients 189 Show Wi Fi access point status and statistics 196 Configure a Wi Fi client and add client networks 197 Show Wi Fi client status and statistics 204 IX2...

Страница 165: ...ss point enabled The default SSID for the access points is Digi IX20W serial_number The password for the default access point is the unique password as found on the device s label Prior to saving any configuration changes to the device you will need to configure the access point to change the default SSID and password See Reset default SSID and pre shared key for the preconfigured Wi Fi access poi...

Страница 166: ...e 802 11b g n Channel Automatic Channel width 20 40 MHz Beacon interval 100 n Access point Default setting Name Digi AP Enabled or disabled Enabled SSID Digi IX20W serial_number SSID broadcast Enabled Encyrption WAP2 Personal PSK Pre shared key The unique password printed on the bottom label of the device Group rekey interval 10 minutes n Client mode connections none ...

Страница 167: ...ing the following steps Note For the 2 4 GHz band only channels 1 to 11 are supported channels 12 13 and 14 are not supported For the 5 0 GHz band only non Dynamic Frequency Selection DFS channels are supported WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Cli...

Страница 168: ...onfiguration mode config config 3 Set the channel for the radio a Determine the band for the radio config network wifi radio phy0 band 2400mhz config b Set the channel for the Wi Fi radio config network wifi radio phy0 2400mhz channel value config where value is n For 2 4 GHz l 1 through 11 l auto n For 5 GHz l 36 l 40 l 44 l 48 l auto 4 Save the configuration and apply the change config save Conf...

Страница 169: ... band WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network WiFi 4 For Frequency band select either 2 4 GHz or 5 GHz 5 For Access point mode select the appropriate mode Only modes appropriate for the selected band are displayed 6 Click Apply to save the ...

Страница 170: ...If the Wi Fi radio has a band of 2400mhz config network wifi radio phy0 2400mhz mode value config where value is one of b bg bgn g gn or n n If the Wi Fi radio has a band of 5000mhz config network wifi radio phy0 5000mhz mode value config where value is one of ac acn or n 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on yo...

Страница 171: ...ork WiFi 4 For Tx power percentage type or select the appropriate percentage for the Wi Fi radio s transmit power 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the comma...

Страница 172: ...nd uses no security or encryption By default the IX20 device comes with one preconfigured access point Digi AP You cannot delete default access points but you can modify them or you can create your own access points Required configuration items n Enable the Wi Fi access point n Select a Wi Fi radio for the access point n The Service Set Identifier SSID for the access point n Configure security for...

Страница 173: ...4 Create a new access point or modify an existing access point n To create a new access point for Add WiFi access point type a name for the access point and click n To modify an existing access point click to expand the access point The Wi Fi access point configuration window is displayed 5 Enable the access point New access points are enabled by default The default preconfigured access points are...

Страница 174: ...es in noisy environments To disable group rekeys set to 0 This will allow any client that has previously connected see all broadcast traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 11 Assign the Wi Fi access point to a LAN interface or to a bridge See Configure a LAN and Configure a bridge for more information The access point must be assigned to an act...

Страница 175: ..._AP where value is any number of days hours minutes or seconds and takes the format number d h m s For example to set group rekey interval to ten minutes enter either 10m or 600s config network wireless ap new_AP encryption group_rekey 600s config network wireless ap new_AP Increasing the time between rekeys can improve connectivity issues in noisy environments To disable group rekeys set to 0 Thi...

Страница 176: ...none config network wifi ap digi_ap encryption type none config 7 Optional Determine whether to prevent clients that are connected to this access point from communicating with each other config network wifi ap digi_ap isolate_client true config See Isolate Wi Fi clients for information about how to prevent clients connected to different access points from communicating with each other 8 Optional S...

Страница 177: ...modes allow a Wi Fi access point to authenticate clients by using a preshared key that the client enters when connecting to the access point By default the IX20 device comes with one preconfigured access point Digi AP You cannot delete default access points but you can modify them or you can create your own access points Required configuration items n Enable the Wi Fi access point n Select a Wi Fi...

Страница 178: ...oint or modify an existing access point n To create a new access point for Add WiFi access point type a name for the access point and click n To modify an existing access point click to expand the access point The Wi Fi access point configuration window is displayed 5 Enable the access point New access points are enabled by default The default preconfigured access points are disabled by default 6 ...

Страница 179: ...or example to set Group rekey interval to ten minutes enter 10m or 600s Increasing the time between rekeys can improve connectivity issues in noisy environments To disable group rekeys set to 0 This will allow any client that has previously connected see all broadcast traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 12 Assign the Wi Fi access point to a ...

Страница 180: ...changing the group key The group key is shared by all in clients of the access point and after a client has disconnected it will be able to use the group key to decrypt broadcast packets until the key is changed config network wifi ap new_AP encryption group_rekey value config network wifi ap new_AP where value is any number of days hours minutes or seconds and takes the format number d h m s For ...

Страница 181: ...s config network wifi ap Additional Configuration digi_ap Digi AP config 4 Set the SSID for the appropriate access point config network wifi ap digi_ap ssid my_SSID config 5 SSID broadcasting is enabled by default for the preconfigured access points If SSID broadcasting is disabled config network wifi ap digi_ap ssid_broadcast true config 6 Set the security for the access point to psk or psk2 conf...

Страница 182: ...k until the Wi Fi radio is restarted The default is 10 minutes 5 Assign the Wi Fi access point to a LAN interface or to a bridge See Configure a LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CL...

Страница 183: ... for more information Additional configuration items n Determine whether to broadcast the access point s SSID n Determine whether to isolate clients connected to this access point so that they cannot communicate with each other n The server port for one or more RADIUS server n The amount of time to wait before changing the group key To configure a Wi Fi access point with WPA2 enterprise security W...

Страница 184: ...adcast the SSID 8 Optional Enable Isolate clients to prevent clients that are connected to this access point from communicating with each other See Isolate Wi Fi clients for information about how to prevent clients connected to different access points from communicating with each other 9 For Encryption select WPA2 Enterprise 10 Configure one or more RADIUS servers a Click to expand RADIUS server l...

Страница 185: ... traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 12 Assign the Wi Fi access point to a LAN interface or to a bridge See Configure a LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 13 Click Apply to save the configuration and apply the change Command line Con...

Страница 186: ...work wifi ap new_AP encryption radius_servers 0 key secret_ key config network wifi ap new_AP c Optional Set the RADIUS server s port The default is 1812 config network wifi ap new_AP encryption radius_servers 0 port port config network wifi ap new_AP d Optional Add and configure additional radius servers i Add a server config network wifi ap new_AP add encryption radius_servers end config network...

Страница 187: ...e See Configure a LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the de...

Страница 188: ...r config network wifi ap digi_ap encryption key_wpa2 secret_key config 10 Optional Set the RADIUS server s port The default is 1812 config network wifi ap digi_ap encryption port_wpa2 port config 11 Optional Set the amount of time to wait before changing the group key The group key is shared by all in clients of the access point and after a client has disconnected it will be able to use the group ...

Страница 189: ...n menu Type quit to disconnect from the device Isolate Wi Fi clients Client isolation prevents wireless clients connected to the IX20 device from communicating with other clients There are two mechanisms for client isolation configuration n Isolate clients connected to the same access point n Isolate clients connected to different access points This section provides instructions for both mechanism...

Страница 190: ...ify an existing access point See Configure a Wi Fi access point with no security Configure a Wi Fi access point with personal security or Configure a Wi Fi access point with enterprise security 4 Optional Set the client isolation config network wifi ap digi_ap isolate_client true config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI ...

Страница 191: ...nt named new_AP a Click Network WiFi Access points b For Add WiFi access point type a name for the access point and click c For SSID type the SSID Up to 32 characters are allowed d Select the appropriate type of Encryption and complete the encryption related fields as appropriate See Configure a Wi Fi access point with no security Configure a Wi Fi access point with personal security or Configure ...

Страница 192: ...v For Source zone select Internal vi For Destination zone select LAN2_isolation_zone e Rearrange the firewall filters Firewall filters are applied in the order that they are listed As a result in order to drop traffic from the Internal zone to the LAN2_isolation_zone this filter must be listed prior to the Allow all outgoing traffic filter which allows the Internal zone to have access to any zone ...

Страница 193: ...th full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Configure a new access point a Create a new access point config add network wifi ap new_AP config network wifi ap new_AP New access points are enabled by default b Set t...

Страница 194: ...Return to the root config prompt by typing three periods config firewall zone LAN2_isolation_zone config ii Add the new packet filter config add firewall filter end config firewall filter 1 iii Set the label for the filter config firewall filter 1 label Allow LAN2_isolation_zone to External config firewall filter 1 iv Set the source zone to LAN2_isolation_zone config firewall filter 1 src_zone LAN...

Страница 195: ...ig firewall filter 0 v Set the filter to drop traffic between the zones config firewall filter 0 action drop config firewall filter 0 5 Create a new LAN By default the IX20 device comes with one preconfigured LAN which includes the default access point We will use that LAN for the default access point and create a new LAN for the second access point a Return to the root config prompt by typing thr...

Страница 196: ... Wi Fi access point status and statistics You can show summary status for all Wi Fi access points and detailed status and statistics for individual Wi Fi access points WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the main menu click Status 3 Under Connections click Wi Fi Access Points Command line Show summary of Wi Fi access points To show the status and statistics for Wi Fi a...

Страница 197: ... Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show wifi ap name name show wifi ap name my_AP Enabled true Status up SSID my_AP Security none Channel Channel Width Radio wifi BSSID 01 41 D1 14 36 37 Client Signal RX TX Uptime cc c0 78 34 d5 a2 68 260997 279481 801 Configure a ...

Страница 198: ...that have the same SSID as their signal strength varies n Additional access points that client will attempt to use If connection to one access point fails the device will attempt to connect to the next access point in the list To configure a Wi Fi client WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration...

Страница 199: ...B that is used to determine the scanning frequency The allowed value is an integer between 113 and 0 The Scan threshold works with the Short interval and Long interval options to determine how often the device should scan for available access points n If the signal strength from the access point to which the client is currently connected is below the Scan threshold it will use the Short interval t...

Страница 200: ...e menu icon next to the channel and select Delete h To add a channel click Add Scan frequency and select the appropriate channel 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI...

Страница 201: ...ncryption n wpa2 WPA2 enterprise encryption c If the type of encryption is set to n psk or psk2 set the password that the client will use to connect to the access point config network wifi client new_client ssid 0 encryption key_ psk2 password config network wifi client new_client n wpa2 i Set the username that the client will use to connect to the access point config network wifi client new_clien...

Страница 202: ..._long_interval are set to the same value bgscan_strength is ignored For example the default configuration has both bgscan_short_interval and bgscan_long_interval set to 1 second which means that the device will scan for access points once per second regardless of the value of bgscan_strength c Set the number of seconds to wait between scans for access points when the signal strength from the acces...

Страница 203: ...g network wifi client new_client g To add a frequency i Use the with an existing index number to determine the allowed values for frequencies config network wifi client new_client background_scanning scan_ freq 1 Scan frequency Enable this frequency in the background scan Format 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 Current value 2437 ii Add the appropriate frequency For example t...

Страница 204: ...ne as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show wifi client show wifi client Client Enabled SSID Status Sig MAC my_client true my_SSID up 43 91 fe 86 d1 0e 81 3 To view information about both active and inactive clients include the all parameter show wifi ...

Страница 205: ...ide 205 2 At the Admin CLI prompt type show wifi cleint name name show wifi client name my_client Client my_client Enabled true SSID my_SSID Status up Signal 43 MAC 91 fe 86 d1 0e 81 Channel 48 Radio wifi1 TX Power 23 Link Quality 67 70 BSSID 6D B9 DD BD EE C4 ...

Страница 206: ...Routing This chapter contains the following topics IP routing 207 Show the routing table 233 Dynamic DNS 234 Virtual Router Redundancy Protocol VRRP 239 IX20 User Guide 206 ...

Страница 207: ...ay or interface 3 If it cannot find a route for the destination it uses a default route 4 If there are two or more routes to a destination the device uses the route with the longest mask 5 If there are two or more routes to a destination with the same mask the device uses the route with the lowest metric This section contains the following topics Configure a static route 208 Delete a static route ...

Страница 208: ...e IPv4 address of the gateway used to reach the destination n The metric for the route When multiple routes are available to reach the same destination the route with the lowest metric is used n The Maximum Transmission Units MTU of network packets using this route To configure a static route WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under C...

Страница 209: ...et to blank if the destination can be accessed without a gateway 9 Optional For Metric type the metric for the route When multiple routes are available to reach the same destination the route with the lowest metric is used 10 Optional For MTU type the Maximum Transmission Units MTU of network packets using this route 11 Click Apply to save the configuration and apply the change Command line 1 Log ...

Страница 210: ...vailable interfaces config network route static 0 interface Interface The network interface to use to reach the destination Format network interface defaultip network interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback Current value config network route static 0 interface b Set the interface For example config network route static 0 interface network...

Страница 211: ...Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a static route WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Routes Static routes 4 Click the menu ...

Страница 212: ...show network route static 0 dst 10 0 0 1 enable true no gateway interface network interface lan1 label new_static_route metric 0 mtu 0 1 dst 192 168 5 1 enable true gateway 192 168 5 1 interface network interface lan2 label new_static_route_1 metric 0 mtu 0 config 4 Use the index number to delete the static route config del network route static 0 config 5 Save the configuration and apply the chang...

Страница 213: ...are processed sequentially as a result if a packet matches an earlier policy it will be routed using that policy s rules It will not be processed by any subsequent rules Configure a routing policy Required configuration items n The packet matching parameters It can any combination of the following l Source interface l Source address This can be a firewall zone an interface a single IPv4 IPv6 addre...

Страница 214: ...rop packets that match the policy when the gateway interface is disconnected rather than forwarded through other interfaces 8 For IP version select Any IPv4 or IPv6 9 For Protocol select Any TCP UDP or ICMP n If TCP or UDP is selected for Protocol type the port numbers of the Source port and Destination port or set to any to match for any port n If ICMP is selected for Protocol type the ICMP type ...

Страница 215: ...ss to the selected interface s network address n IPv4 address Matches the destination IP address to the specified IP address or network Use the format IPv4_address netmask or use any to match any IPv4 address n IPv6 address Matches the destination IP address to the specified IP address or network Use the format IPv6_address prefix_length or use any to match any IPv6 address n Domain Matches the de...

Страница 216: ... satisfy the matching criteria will be routed through this interface If the interface has a gateway then it will be used as the next hop Format network interface defaultip network interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback Current value config network route policy 0 interface b Set the interface For example config network route policy 0 inte...

Страница 217: ...y port as the destination port n upd Source and destination ports are matched a Set the source port config network route policy 0 src_port value config network route policy 0 where value is the port number or the keyword any to match any port as the source port b Set the destination port config network route policy 0 dst_port value config network route policy 0 where value is the port number or th...

Страница 218: ...cy 0 src zone external config network route policy 0 See Firewall configuration for more information about firewall zones n interface Matches the source IP address to the selected interface s network address Set the interface a Use the to determine available interfaces config network route policy 0 src interface Interface The network interface Format network interface defaultip network interface d...

Страница 219: ...mat IPv6_address prefix_length or any to match any IPv6 address n mac Matches the source MAC address to the specified MAC address Set the MAC address to be matched config network route policy 0 src mac MAC_address config network route policy 0 10 Set the destination address type config network route policy 0 dst type value config network route policy 0 where value is one of n zone Matches the dest...

Страница 220: ...or example config network route policy 0 dst interface network interface eth1 config network route policy 0 n address Matches the destination IPv4 address to the specified IP address or network Set the address that will be matched config network route policy 0 dst address value config network route policy 0 where value uses the format IPv4_address netmask or any to match any IPv4 address n address...

Страница 221: ...uit to disconnect from the device Example Dual WAN policy based routing This example routes traffic to a specific IP address to go through the cellular WWAN interface while all other traffic uses the Ethernet WAN interface WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is dis...

Страница 222: ...ick to expand Destination address b For Type select IPv4 address c For IPv4 address type the IP address that will be the destination for outgoing traffic routed through the WWAN interface In the above example this is 241 236 162 59 9 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your dev...

Страница 223: ...y 0 src type zone config network route policy 0 ii Set the zone to internal config network route policy 0 src zone internal config network route policy 0 e Configure the destination address i Set the destination to use an IPv4 address config network route policy 0 dst type address config network route policy 0 ii Set the IP address that will be the destination for outgoing traffic routed through t...

Страница 224: ...ll data from a certain client device through a cellular WAN based on the device s MAC address while all other client devices are routed through the Ethernet WAN WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed ...

Страница 225: ...d Zone type EthernetWAN and click ii Enable Source NAT 4 Configure the WAN interfaces to use the new zones a Configure the cellular WAN interface i Click Network Interfaces Modem ii For Zone select CellularWAN b Configure the Ethernet WAN interface i Click Network Interfaces ETH1 ii For Zone select EthernetWAN 5 Configure the policy based route for traffic from the client device that will be sent ...

Страница 226: ... zone i Click to expand Destination address ii For Type select Zone iii For Zone select CellularWAN 6 Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface a Click Firewall Packet filtering b Click the to add a new packet filtering rule c For Label type Reject LAN traffic to cellular WAN d For Action select Drop e For Source zone select Internal f For Dest...

Страница 227: ...e CellularWAN ii Enable Source NAT on the new zone config firewall zone CellularWAN src_nat true config firewall zone CellularWAN b Create second firewall zone named EthernetWAN with Source NAT enabled i Type to move back one node in the configuration config firewall zone CellularWAN config firewall zone ii Create the firewall zone config firewall zone add EthernetWAN config firewall zone Ethernet...

Страница 228: ...IP phone config network route policy 0 c Set the interface config network route policy 0 interface network interface modem config network route policy 0 d Configure the source as the MAC address of the VoIP phone i Set the source type to mac config network route policy 0 src type mac config network route policy 0 ii Set the MAC address to the MAC address of the VoIP phone config network route poli...

Страница 229: ... config firewall filter 2 d Set the source zone to internal config firewall filter 2 src_zone internal config firewall filter 2 e Set the destination zone to CellularWAN config firewall filter 2 dst_zone CellularWAN config firewall filter 2 7 Save the configuration and apply the change config firewall filter 2 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device conf...

Страница 230: ...ocol BGP service supports BGP 4 RFC1771 Babel The IPv4 and IPv6 Babel service IS IS The IPv4 and IPv6 Intermediate System to Intermediate System IS IS service Configure routing services Required configuration items n Enable routing services n Enable and configure the types of routing services that will be used WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu cl...

Страница 231: ...y the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable routing services config network route service enable true config 4 Configure routing servic...

Страница 232: ...e routing service For example use the to view the available parameters for the RIP service config network route service rip Parameters Current Value ecmp false Allow ECMP enable true Enable Additional Configuration interface Interfaces neighbour Neighbours redis Route redistribution timer Timers config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exi...

Страница 233: ...Load Balance to view IPv4 load balancing 5 Click IPv6 Load Balance to view IPv6 load balancing Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show route show route Destination Gateway Source Metric Interface default 1...

Страница 234: ... selection menu Type quit to disconnect from the device Dynamic DNS The Domain Name System DNS uses name servers to provide a mapping between computer readable IP addresses and human readable hostnames This allows users to access websites and personal networks with easy to remember URLs Unfortunately IP addresses change frequently invalidating these mappings when they do Dynamic DNS has become the...

Страница 235: ...should be used to update the IP address with the Dynamic DNS provider n The amount of time to wait to check if the interface s IP address needs to be updated n The amount of time to wait to force an update of the interface s IP address n The amount of time to wait for an IP address update to succeed before retrying the update n The number of times to retry a failed IP address update WebUI 1 Log in...

Страница 236: ...d values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Check interval to ten minutes enter 10m or 600s 11 Optional For Forced update interval type the amount of time to wait to force an update of the interface s IP address Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For exa...

Страница 237: ...bled by default To disable config network ddns new_ddns_instance enable false config network ddns new_ddns_instance 4 Set the interface for the Dynamic DNS instance a Use the to determine available interfaces config network ddns new_ddns_instance interface Interface The network interface from which to obtain the IP address to register with the dynamic DNS service Format defaultip defaultlinklocal ...

Страница 238: ... to the interface s IP address config network ddns new_ddns_instance domain domain_name config network ddns new_ddns_instance 8 Set the username to authenticate with the Dynamic DNS provider config network ddns new_ddns_instance username name config network ddns new_ddns_instance 9 Set the password to authenticate with the Dynamic DNS provider config network ddns new_ddns_instance password pwd con...

Страница 239: ...e is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set retry_interval to ten minutes enter either 10m or 600s config network ddns new_ddns_instance retry_interval 600s config network ddns new_ddns_instance The default is 60s 13 Optional Set the number of times to retry a failed IP address update config network ddns new_ddns_instance retry_co...

Страница 240: ...anged by adjusting the VRRP priority of the IX20 device connected to the failing link This provides failover capabilities based on the status of connections behind the router in addition to the basic VRRP device failover For IX20 devices SureLink is used to probe network connections VRRP can be configured to probe a specified IP address by either sending an ICMP echo request ping or attempting to ...

Страница 241: ...is configured to 50 by default 8 For Priority type the priority for this router in the group The router with the highest priority will be used as the master router If the master router fails then the IP address of the virtual router is mapped to the backup device with the next highest priority If this device s actual IP address is being used as the virtual IP address of the VRRP pool then the prio...

Страница 242: ...nding on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a VRRP instance For example config add network vrrp VRRP_test config network vrrp VRRP_test 4 Enable the VRRP instance config network vrrp VRRP_test enable true config network vrrp VRRP_test 5 Set ...

Страница 243: ...used as the virtual IP address of the VRRP pool then the priority of this device should be set to 255 Allowed values are from 1 and 255 and it is configured to 100 by default config network vrrp VRRP_test priority int config network vrrp VRRP_test 8 Optional Set a password that will be used to authenticate this VRRP router with VRRP peers If the password length exceeds 8 characters it will be trun...

Страница 244: ...s are being monitored on the same device the VRRP priority will be adjusted only if all WAN interfaces fail SureLink tests l The amount that the VRRP priority will be modified when SureLink determines that the VRRP interface is not functioning correctly l Configure the VRRP interface s DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses n Backup devices onl...

Страница 245: ...RRP master This parameter allows a backup VRRP device to monitor the master device and increase its priority when the master device is failing SureLink tests This can allow a device functioning as a backup device to promote itself to master 9 For Priority modifier type or select the amount that the device s priority should be decreased due to SureLink connectivity failure and increased when SureLi...

Страница 246: ... c For backup devices for Default Gateway type the IP address of the VRRP interface on the master device d Configure the VRRP interface s DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses i Click to expand DHCP Server Advanced settings ii For Gateway select Custom iii For Custom gateway enter the IP address of one of the virtual IPs used by this VRRP inst...

Страница 247: ...e test target For example to configure SureLink to verify internet connectivity on the LAN by pinging my devicecloud com i For Test Type select Ping test ii For Ping host type my devicecloud com 11 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be present...

Страница 248: ...ween 1 and 254 The default is 10 Along with the priority settings for devices in this VRRP pool the amount entered here should be large enough to automatically demote a master device when SureLink connectivity fails For example if the VRRP master device has a priority of 100 and the backup device has a priority of 80 then weight should be set to an amount greater than 20 so that if SureLink fails ...

Страница 249: ... gateway 192 168 3 1 config c For backup devices enable and configure SureLink on the VRRP interface i Determine the VRRP interface Generally this should be a LAN interface VRRP will then monitor the LAN using SureLink to determine if the interface has network connectivity and promote a backup to master if SureLink fails config show network vrrp VRRP_test interface network interface eth2 config ii...

Страница 250: ...eth2 ipv4 surelink target 0 n dns Tests connectivity by sending a DNS query to the specified DNS server l Specify the DNS server Allowed value is the IP address of the DNS server config network interface eth2 ipv4 surelinktarget 0 dns_ server ip_address config network interface eth2 ipv4 surelinktarget 0 n dns_configured Tests connectivity by sending a DNS query to the DNS servers configured for t...

Страница 251: ...is considered to have failed config network interface eth2 ipv4 surelink target 0 interface_timeout value config network interface eth2 ipv4 surelink target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_timeout to ten minutes enter either 10m or 600s config network interface eth2 ipv4 surelink target 0 interfac...

Страница 252: ...figure device one master device WebUI Task 1 Configure VRRP on device one 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network VRRP ...

Страница 253: ...ce ETH2 7 For Router ID leave at the default setting of 50 8 For Priority leave at the default setting of 100 9 Click to expand Virtual IP addresses 10 Click to add a virtual IP address 11 For Virtual IP type 192 168 3 3 Task 2 Configure VRRP on device one 1 Click to expand VRRP 2 Click Enable 3 Click to expand Monitor interfaces 4 Click to add an interface for monitoring 5 Select Interface Modem ...

Страница 254: ...art leave at the default of 100 3 For Lease range end type 199 4 Click to expand Advanced settings 5 For Gateway select Custom 6 For Custom gateway enter 192 168 3 3 7 Click Apply to save the configuration and apply the change Command line Task 1 Configure VRRP on device one 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be p...

Страница 255: ...ure VRRP on device one 1 Enable VRRP config network vrrp VRRP_test vrrp_plus enable true config network vrrp VRRP_test 2 Add the interface to monitor config network vrrp VRRP_test add vrrp_plus monitor_interface end network interface modem config network vrrp VRRP_test 3 Set the amount that the device s priority should be decreased or increased due to SureLink connectivity failure or success to 30...

Страница 256: ...ace eth2 ipv4 dhcp_server advanced gateway custom config 3 Set the custom gateway to 192 168 3 3 config network interface eth2 ipv4 dhcp_server advanced gateway_custom 192 168 3 3 config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit t...

Страница 257: ...ce configuration is displayed 5 Click Enable 6 For Interface select Interface ETH2 7 For Router ID leave at the default setting of 50 8 For Priority type 80 9 Click to expand Virtual IP addresses 10 Click to add a virtual IP address 11 For Virtual IP type 192 168 3 3 Task 2 Configure VRRP on device two 1 Click to expand VRRP 2 Click Enable 3 Click to expand Monitor interfaces ...

Страница 258: ... 168 3 2 24 3 For Default gateway type the IP address of the VRRP interface on the master device configured above in Task 3 step 2 192 168 3 1 Task 4 Configure SureLink for ETH2 on device two 1 Click Network Interfaces ETH2 IPv4 SureLink 2 Click Enable 3 For Interval type 15s 4 Click to expand Test targets Test target 5 For Test Type select Ping test 6 For Ping host type my devicecloud com Task 5 ...

Страница 259: ...presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create the VRRP instance config add network vrrp VRRP_test config network vrrp VRRP_test 4 Enable the VRRP instance config network vrrp VRRP_test enable true config network vrrp VRRP_test 5 Set the VRRP interface to ETH2 config network vrrp VRRP_t...

Страница 260: ...reased due to SureLink connectivity failure or success to 30 config network vrrp VRRP_test network vrrp VRRP_test vrrp_plus weight 30 config network vrrp VRRP_test Task 3 Configure the IP address for the VRRP interface ETH2 on device two 1 Type to return to the root of the config prompt config network vrrp VRRP_test config 2 Set the IP address for ETH2 config network interface eth2 ipv4 address 19...

Страница 261: ...rompt config network interface eth2 ipv4 surelink target 0 config 2 Set the start and end addresses of the DHCP pool to use to assign DHCP addresses to clients a Set the start address to 200 config network interface eth2 ipv4 dhcp_server lease_start 200 config b Set the end address to 250 config network interface eth2 ipv4 dhcp_server lease_end 250 config 3 Set the DHCP server gateway type to cust...

Страница 262: ...access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Status VRRP The Virtual Router Redundancy Protocol window is displayed Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin ...

Страница 263: ... VRRP instance at the Admin CLI prompt type show vrrp name name show vrrp name VRRP_test VRRP_test VRRP Status Enabled True Status Up Interface lan IPv4 Virtual IP address es 10 10 10 1 100 100 100 1 Current State Master Current Priority 100 Last Transition Tue Jan 1 00 00 39 2019 Became Master 1 Released Master 0 Adverts Sent 71 Adverts Received 4 Priority Zero Sent 0 Priority zero Received 0 ...

Страница 264: ...sed to securely connect two private networks together so that devices can connect from one network to the other using secure channels This chapter contains the following topics IPsec 265 OpenVPN 298 Generic Routing Encapsulation GRE 329 NEMO 349 IX20 User Guide 264 ...

Страница 265: ...imitations when using an authentication header because the IP addresses in the IP header cannot be translated for example with Network Address Translation NAT as it would invalidate the authentication hash value Internet Key Exchange IKE settings IKE is a key management protocol that allows IPsec to negotiate the security associations SAs that are used to create the secure IPsec tunnel Both IKEv1 ...

Страница 266: ...ce uses a private RSA key to authenticate with a remote peer that is using a corresponding public key Certificate based Authentication X 509 certificate based authentication makes use of private keys on both the server and client which are secured and never shared Both the server and client have a certificate which is generated with their respective private key and signed by a Certificate Authorit...

Страница 267: ...ng used n If using IPsec failover identify the primary tunnel during configuration of the backup tunnel n The Network Address Translation NAT keep alive time n The protocol either Encapsulating Security Payload ESP or Authentication Header AH n The management priority for the IPsec tunnel interface The active interface with the highest management priority will have its address reported as the pref...

Страница 268: ...sec 4 Optional Change the NAT keep alive time Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set NAT keep alive time to ten minutes enter 10m or 600s The default is 40 seconds 5 Click to expand Tunnels 6 For Add IPsec tunnel type a name for the tunnel and click The new IPsec tunnel configuration is displayed ...

Страница 269: ...ll not fail over to a backup tunnel leave this option blank 9 Optional Enable Force UDP encapsulation to force the tunnel to use UDP encapsulation even when it does not detect that NAT is being used 10 For Zone select the firewall zone for the IPsec tunnel Generally this should be left at the default of IPsec 11 Select the Mode either n Tunnel The entire IP packet is encrypted and or authenticated...

Страница 270: ...e the Private key passphrase that is used to decrypt the private key Leave blank if the private key is not encrypted iii For Certificate paste the local X 509 certificate in PEM format iv For Peer verification select either l Peer certificate For Peer certificate paste the peer s X 509 certificate in PEM format l Certificate Authority For Certificate Authority chain paste the Certificate Authority...

Страница 271: ...il The ID will be interpreted as an RFC822 email address For RFC822 ID value type the ID in internet email address format n FQDN The ID will be interpreted as FQDN Fully Qualified Domain Name and sent as an ID_FQDN IKE identity For FQDN ID value type the ID as an FQDN n KeyID The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity For KEYID ID value type the key ID 18 Click to...

Страница 272: ..._ID IKE identity For KEYID ID value type the key ID 19 Click to expand Policies Policies define the network traffic that will be encapsulated by this tunnel a Click to create a new policy The new policy configuration is displayed b Click to expand Local network c For Type select one of the following n Address The address of a local network interface For Address select the appropriate interface n N...

Страница 273: ...set Phase 1 lifetime to ten minutes enter 10m or 600s f For Phase 2 lifetime enter the amount of time that the IKE security association expires after a successful negotiation and must be rekeyed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Phase 2 lifetime to ten minutes enter 10m or 600s g For Lifetime margin enter a ...

Страница 274: ... tunnel is idle c For Timeout type the number of seconds to wait for a response from a dead peer packet before assuming the tunnel has failed 22 Optional Click to expand NAT to create a list of destination networks that require source NAT a Click next to Add NAT destination b For Destination network type the IPv4 address and optional netmask of a destination network that requires source NAT You ca...

Страница 275: ...referred tunnel has failed It will continue to operate until the preferred tunnel returns to full operation status Format primary_ipsec_tunnel Optional yes Current value config vpn ipsec tunnel ipsec_example ipsec_failover b Set the primary IPsec tunnel config vpn ipsec tunnel ipsec_example ipsec_failover primary_ipsec_ tunnel config vpn ipsec tunnel ipsec_example 5 Optional Set the tunnel to use ...

Страница 276: ...authenticated The IP header is unencrypted The default is tunnel 8 Set the protocol config vpn ipsec tunnel ipsec_example type protocol config vpn ipsec tunnel ipsec_example where protocol is either n esp Encapsulating Security Payload Provides encryption as well as authentication and integrity n ah Authentication Header Provides authentication and integrity only The default is esp 9 Optional Set ...

Страница 277: ... the peer s public RSA key in PEM format config vpn ipsec tunnel ipsec_example auth peer_public_key key config vpn ipsec tunnel ipsec_example n x509 Uses private key and X 509 certificates to authenticate with the remote peer a For the private_key parameter paste the device s private RSA key in PEM format config vpn ipsec tunnel ipsec_example auth private_key key config vpn ipsec tunnel ipsec_exam...

Страница 278: ...auth_client enable true config vpn ipsec tunnel ipsec_example b Set the XAUTH client username config vpn ipsec tunnel ipsec_example xauth_client username name config vpn ipsec tunnel ipsec_example c Set the XAUTH client password config vpn ipsec tunnel ipsec_example xauth_client password pwd config vpn ipsec tunnel ipsec_example 12 Optional Enable MODECFG client functionality MODECFG client functi...

Страница 279: ...ipv4_id id config vpn ipsec tunnel ipsec_example n ipv6 The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR IKE identity Set an IPv6 formatted ID This can be a fully qualified domain name or an IPv6 address config vpn ipsec tunnel ipsec_example local id ipv6_id id config vpn ipsec tunnel ipsec_example n rfc822 The ID will be interpreted as an RFC822 email address Set the ID i...

Страница 280: ...unnel ipsec_example remote id raw_id id config vpn ipsec tunnel ipsec_example n any Any ID will be accepted n ipv4 The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR IKE identity Set an IPv4 formatted ID This can be a fully qualified domain name or an IPv4 address config vpn ipsec tunnel ipsec_example remote id ipv4_id id config vpn ipsec tunnel ipsec_example n ipv6 The ID w...

Страница 281: ...To disable config vpn ipsec tunnel ipsec_example ike initiate false config vpn ipsec tunnel ipsec_example c Set the IKE phase 1 mode config vpn ipsec tunnel ipsec_example ike mode value config vpn ipsec tunnel ipsec_example where value is either aggressive or main d Padding of IKE packets is enabled by default and should normally not be disabled except for compatibility purposes To disable config ...

Страница 282: ... takes the format number w d h m s For example to set lifetime_margin to ten minutes enter either 10m or 600s config vpn ipsec tunnel ipsec_example ike lifetime_margin 600s config vpn ipsec tunnel ipsec_example The default is nine minutes h Configure the types of encryption hash and Diffie Hellman group to use during phase 1 i Add a phase 1 proposal config vpn ipsec tunnel ipsec_example add ike ph...

Страница 283: ...fie Hellman group for the additional proposal iii Repeat to add more phase 1 proposals i Configure the types of encryption hash and Diffie Hellman group to use during phase 2 i Move back two levels in the schema config vpn ipsec tunnel ipsec_example ike phase1_proposal 0 config vpn ipsec tunnel ipsec_example ike ii Add a phase 2 proposal config vpn ipsec tunnel ipsec_example ike add ike phase2_pro...

Страница 284: ... for the additional proposal iii Repeat to add more phase 2 proposals 16 Optional Configure dead peer detection Dead peer detection is enabled by default Dead peer detection uses periodic IKE transmissions to the remote endpoint to detect whether tunnel communications have failed allowing the tunnel to be automatically restarted when failure occurs a Change to the root of the configuration schema ...

Страница 285: ...e root of the configuration schema config vpn ipsec tunnel ipsec_example nat 0 config b Add a policy config add vpn ipsec tunnel ipsec_example policy end config vpn ipsec tunnel ipsec_example policy 0 c Set the type of local network policy config vpn ipsec tunnel ipsec_example policy 0 local type value config vpn ipsec tunnel ipsec_example policy 0 where value is one of n address The address of a ...

Страница 286: ... interface For example config vpn ipsec tunnel ipsec_example policy 0 local network eth1 config vpn ipsec tunnel ipsec_example policy 0 n custom A user defined network Set the custom network config vpn ipsec tunnel ipsec_example policy 0 local custom value config vpn ipsec tunnel ipsec_example policy 0 where value is the IPv4 address and optional netmask The keyword any can also be used n request ...

Страница 287: ... and takes the format number w d h m s For example to set keep_alive to ten minutes enter either 10m or 600s config vpn ipsec advanced keep_alive 600s config The default is 40 seconds 20 Save the configuration and apply the change config save Configuration saved 21 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to...

Страница 288: ...tunnel WebUI 1 Configure the primary IPsec tunnel See Configure an IPsec tunnel for instructions 2 Create a backup IPsec tunnel See Configure an IPsec tunnel for instructions 3 During configuration of the backup IPsec tunnel identify the primary IPsec tunnel in the Preferred tunnel parameter 4 Click Apply to save the configuration and apply the change Command line 1 Configure the primary IPsec tun...

Страница 289: ...onnections to determine if the connection has failed and take remedial action You can also configure the IPsec tunnel to fail over to a backup tunnel See Configure IPsec failover for further information Required configuration items n A valid IPsec configuration See Configure an IPsec tunnel for configuration instructions n Enable IPsec active recovery n The behavior of the IX20 device upon IPsec f...

Страница 290: ... or select an existing one n To create a new IPsec tunnel see Configure an IPsec tunnel n To edit an existing IPsec tunnel click to expand the appropriate tunnel 5 After creating or selecting the IPsec tunnel click Active recovery 6 Enable active recovery 7 For Restart interface enable to configure the device to restart the interface when its connection is considered to have failed This is useful ...

Страница 291: ...of time that the device should wait for a response to a probe attempt before considering it to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Response timeout to ten minutes enter 10m or 600s The default is 15 seconds 13 Add a test target a Click to expand Test targets b For Add Test target click c Select the...

Страница 292: ...onsidered to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Initial connection time to ten minutes enter 10m or 600s The default is 60 seconds 14 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your d...

Страница 293: ...sec_example where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interval to ten minutes enter either 10m or 600s config vpn ipsec tunnel ipsec_example connection_monitor interval 600s config vpn ipsec tunnel ipsec_example The default is 15 minutes 8 Determine whether the interface should fail over based on the failure of one of ...

Страница 294: ...y sending an ICMP echo request to a specified hostname or IP address l Specify the hostname or IP address by using ping_host or ping_host6 config vpn ipsec tunnel ipsec_example connection_monitor target 0 ping_host host config vpn ipsec tunnel ipsec_example connection_monitor target 0 l Optional Set the size in bytes of the ping packet by using ping_size or ping_ size6 config vpn ipsec tunnel ipse...

Страница 295: ...example connection_monitor target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either 10m or 600s config ipsec tunnel ipsec_example connection_monitor target 0 interface_down_time 600s config ipsec tunnel ipsec_example connection_monitor target 0 The default is 60 seconds l Optio...

Страница 296: ...age appears 3 To view configuration details about an IPsec tunnel click the configuration icon in the upper right of the tunnel s status pane Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 To display details about all configured IPsec tunnels typ...

Страница 297: ...Private Networks VPN IPsec IX20 User Guide 297 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 298: ...ubnet from the OpenVPN server and other OpenVPN clients OpenVPN clients use Network Address Translation NAT to route traffic from devices connected on its LAN interfaces to the OpenVPN server The manner in which the IP subnets are defined depends on the OpenVPN topology in use The IX20 device supports two types of OpenVPN topology OpenVPN Topology Subnet definition method net30 Each OpenVPN client...

Страница 299: ...rd interface configuration for example a standard DHCP server configuration l TAP Device only An alternate form of OpenVPN bridging mode in which the device rather than OpenVPN controls the interface configuration If this method is is the OpenVPN server must be included as a device in either an interface or a bridge n The firewall zone to be used by the OpenVPN server n The IP network and subnet m...

Страница 300: ...es that the OpenVPN server will provide to clients n The TCP UDP port to use By default the IX20 device uses port 1194 n Access control list configuration to restrict access to the OpenVPN server through the firewall n Additional OpenVPN parameters WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The C...

Страница 301: ...server will use when providing IP addresses to clients The default is from 80 to 99 7 Optional Set the VPN port that the OpenVPN server will use The default is 1194 8 For Server managed certificates determine the method of certificate management If enabled the server will manage certificates If not enabled certificates must be created externally and added to the server 9 If Server managed certific...

Страница 302: ...v6 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the service type d Click again to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device a Click...

Страница 303: ...d Also known as routing mode Each OpenVPN client is assigned a different IP subnet from the OpenVPN server and other OpenVPN clients OpenVPN clients use Network Address Translation NAT to route traffic from devices connected on its LAN interfaces to the OpenVPN server n TAP OpenVPN managed Also know as bridging mode A more advanced implementation of OpenVPN The IX20 device creates an OpenVPN inter...

Страница 304: ...e routes match a destination the route with the lowest metric will be used config vpn openvpn server name metric value config vpn openvpn server name where value is an interger between 0 and 65535 The default is 0 d Optional Set the range of IP addresses that the OpenVPN server will use when providing IP addresses to clients i Set the first address in the range limit config vpn openvpn server name...

Страница 305: ...uthentication type config vpn openvpn server name authentication value config vpn openvpn server name where value is one of n cert Uses only certificates for client authentication Each client requires a public and private key n passwd Uses a username and password for client authentication You must create an OpenVPN authentication group and user See Configure an OpenVPN Authentication Group and Use...

Страница 306: ...r example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the service type Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config vpn openvpn server name add acl address6 end value config vpn openvpn server name Where value can be l A single IP address or host name l A network designation in CIDR notation for e...

Страница 307: ...config vpn openvpn server name firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config vpn openvpn server name Repeat this step to list additional firewall zones 9 Optional Set additional OpenVPN parameters a Enable the use of ...

Страница 308: ... from the device Configure an OpenVPN Authentication Group and User If username and password authentication is used for the OpenVPN server you must create an OpenVPN authentication group and user See Configure an OpenVPN server for information about configuring an OpenVPN server to use username and password authentication See IX20 user authentication for more information about creating authenticat...

Страница 309: ...group for example OpenVPN_Group and click The new authentication group configuration is displayed c Click OpenVPN access to enable OpenVPN access rights for users of this group d Click to expand the OpenVPN node e Click to add a tunnel f For Tunnel select an OpenVPN tunnel to which users of this group will have access g Repeat to add additional OpenVPN tunnels ...

Страница 310: ...word for the user This password is used for local authentication of the user You can also configure the user to use RADIUS or TACACS authentication by configuring authentication methods See User authentication methods for information d Click to expand the Groups node e Click to add a group to the user f Select a Group with OpenVPN access enabled 5 Click Apply to save the configuration and apply th...

Страница 311: ...for users of this group config auth group OpenVPN_Group acl openvpn enable true 5 Add an OpenVPN tunnel to which users of this group will have access a Determine available tunnels config auth group OpenVPN_Group vpn openvpn server Servers A list of openvpn servers Additional Configuration OpenVPN_server1 OpenVPN server config auth group OpenVPN_Group b Add a tunnel config auth group OpenVPN_Group ...

Страница 312: ...for the OpenVPN client n The login credentials for the OpenVPN client if configured on the OpenVPN server See Configure active recovery for OpenVPN for information about OpenVPN active recovery WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN OpenVPN Cl...

Страница 313: ... be used 9 Optional For Username and Password type the login credentials as configured on the OpenVPN server 10 For OVPN file paste the content of the client ovpn file 11 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection...

Страница 314: ...e used config vpn openvpn client name metric value config vpn openvpn client name where value is an interger between 0 and 65535 The default is 0 6 Optional Set the login credentials as configured on the OpenVPN server config vpn openvpn client name username value config vpn openvpn client name password value config vpn openvpn client name 7 Paste the content of the client ovpn file into the value...

Страница 315: ...A certificate usually in a ca crt file l The Public key for example client crt l The Private key for example client key Additional configuration items n The route metric for the OpenVPN client n The login credentials for the OpenVPN client if configured on the OpenVPN server n Additional OpenVPN parameters See Configure active recovery for OpenVPN for information about OpenVPN active recovery WebU...

Страница 316: ... client 9 Optional Select the Metric for the OpenVPN client If multiple active routes match a destination the route with the lowest metric will be used 10 Optional For Username and Password type the login credentials as configured on the OpenVPN server 11 For VPN server IP type the IP address of the OpenVPN server 12 Optional Set the VPN port used by the OpenVPN server The default is 1194 13 Paste...

Страница 317: ...t the command line type config to enter configuration mode config config 3 At the config prompt type config add vpn openvpn client name config vpn openvpn client name where name is the name of the OpenVPN server The OpenVPN client is enabled by default To disable the client type config vpn openvpn client name enable false config vpn openvpn client name 4 The default behavior is to use an OVPN file...

Страница 318: ...gured on the OpenVPN server config vpn openvpn client name username value config vpn openvpn client name password value config vpn openvpn client name 9 Set the IP address of the OpenVPN server config vpn openvpn client name server ip_address config vpn openvpn client name 10 Optional Set the port used by the OpenVPN server config vpn openvpn client name port port config vpn openvpn client name Th...

Страница 319: ...figuration saved 16 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure active recovery for OpenVPN You can configure the IX20 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action Required configuration items n A ...

Страница 320: ...in access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN OpenVPN Clients 4 Create a new OpenVPN client or select an existing one n To create a new OpenVPN client see Configure an OpenVPN client by using an ovpn file or Configure an OpenVPN client without using an ovpn file n To edit an existing OpenVPN client click...

Страница 321: ...il over based on the failure of one of the test targets or all of the test targets 11 For Attempts type the number of probe attempts before the WAN is considered to have failed 12 For Response timeout type the amount of time that the device should wait for a response to a probe attempt before considering it to have failed Allowed values are any number of weeks days hours minutes or seconds and tak...

Страница 322: ...to the interface before this test is considered to have failed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Initial connection time to ten minutes enter 10m or 600s The default is 60 seconds 14 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full A...

Страница 323: ...ection_monitor interval value config vpn openvpn client openvpn_client1 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interval to ten minutes enter either 10m or 600s config vpn openvpn client openvpn_client1 connection_monitor interval 600s config vpn openvpn client openvpn_client1 The default is 15 minutes 8 Determine wh...

Страница 324: ...itor target 0 test value config vpn openvpn client openvpn_client1 connection_monitor target 0 where value is one of n ping IPv4 or ping6 IPv6 Tests connectivity by sending an ICMP echo request to a specified hostname or IP address l Specify the hostname or IP address by using ping_host or ping_host6 config vpn openvpn client openvpn_client1 connection_monitor target 0 ping_host host config vpn op...

Страница 325: ...rface can be down before this test is considered to have failed config vpn openvpn client openvpn_client1 connection_monitor target 0 interface_down_time value config vpn openvpn client openvpn_client1 connection_monitor target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either ...

Страница 326: ...eb interface or the command line WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu select Status OpenVPN Servers The OpenVPN Servers page appears 3 To view configuration details about an OpenVPN server click the configuration icon in the upper right of the OpenVPN server s status pane Command line 1 Log into the IX20 command line as a user with Admin access Depending on you...

Страница 327: ... Admin access 2 On the menu select Status OpenVPN Clients The OpenVPN Clients page appears 3 To view configuration details about an OpenVPN client click the configuration icon in the upper right of the OpenVPN client s status pane Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type ...

Страница 328: ...rivate Networks VPN OpenVPN IX20 User Guide 328 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 329: ...RE tunnel Configuring a GRE tunnel involves the following items Required configuration items n A GRE loopback endpoint interface n GRE tunnel configuration l Enable the GRE tunnel The GRE tunnels are enabled by default l The local endpoint interface l The IP address of the remote device peer Additional configuration items n A GRE key n Enable the device to respond to keepalive packets Task One Cre...

Страница 330: ...ending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the GRE endpoint interface For example to add an interface named gre_endpoint config add network interface gre_interface config network interface gre_interface 4 Set the interface zone to internal...

Страница 331: ...ration window is displayed 3 Click VPN IP Tunnels 4 For Add IP tunnel type a name for the GRE tunnel and click 5 Enable the tunnel New tunnels are enabled by default To disable or to enable if it has been disabled click Enable 6 For Local endpoint select the GRE endpoint interface created in Task One 7 For Remote endpoint type the IP address of the GRE endpoint on the remote peer 8 Optional For Ke...

Страница 332: ...tunnel gre_example 4 Set the local endpoint to the GRE endpoint interface created in Task One for example config vpn iptunnel gre_example local network interface gre_endpoint config vpn iptunnel gre_example 5 Set the IP address of the GRE endpoint on the remote peer config vpn iptunnel gre_example remote ip_address config vpn iptunnel gre_example 6 Optional Set a key that will be inserted in GRE p...

Страница 333: ...ulation GRE IX20 User Guide 333 config vpn iptunnel gre_example save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 334: ...iew information about currently configured GRE tunnels WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click Status IP tunnels The IP Tunnelspage appears 3 To view configuration details about a GRE tunnel click the configuration icon in the upper right of the tunnel s status pane ...

Страница 335: ... 0 2 32 2 Create an IPsec endpoint interface named ipsec_endpoint1 a Zone set to Internal b Device set to Ethernet Loopback c IPv4 Address set to the IP address of the local GRE tunnel 172 30 0 1 32 3 Create a GRE tunnel named gre_tunnel1 a Local endpoint set to the IPsec endpoint interface Interface ipsec_endpoint1 b Remote endpoint set to the IP address of the GRE tunnel on IX20 2 172 30 0 2 4 C...

Страница 336: ...dress of the GRE tunnel on IX20 1 172 30 0 1 4 Create an interface named gre_interface2 and add it to the GRE tunnel a Zone set to Internal b Device set to IP tunnel gre_tunnel2 c IPv4 Address set to a virtual IP address on the GRE tunnel 172 31 1 1 30 Configuration procedures Configure the IX20 1 device Task one Create an IPsec tunnel WebUI 1 Log into the IX20 WebUI as a user with full Admin acce...

Страница 337: ...stom network 13 For Address type the IP address and subnet of the local GRE tunnel 172 30 0 1 32 14 For Remote network type the IP address and subnet of the remote GRE tunnel 172 30 0 2 32 15 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented wit...

Страница 338: ..._gre1 policy 0 7 Set the local network policy type to custom config vpn ipsec tunnel ipsec_gre1 policy 0 local type custom config vpn ipsec tunnel ipsec_gre1 policy 0 8 Set the local network address to the IP address and subnet of the local GRE tunnel 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre1 policy 0 local custom 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre1 policy 0 9 Set the remote ne...

Страница 339: ...ernet loopback 5 Click to expand IPv4 6 For Address type the IP address of the local GRE tunnel 172 30 0 1 32 7 Click Apply to save the configuration and apply the change Command line 1 At the command line type config to enter configuration mode config config 2 Add an interface named ipsec_endpoint1 config add network interface ipsec_endpoint1 config network interface ipsec_endpoint1 ...

Страница 340: ...GRE tunnel 172 30 0 1 32 config network interface ipsec_endpoint1 ipv4 address 172 30 0 1 32 config network interface ipsec_endpoint1 6 Save the configuration and apply the change config vpn ipsec tunnel ipsec_endpoint1 policy 0 save Configuration saved Task three Create a GRE tunnel WebUI 1 Click VPN IP Tunnels 2 For Add IP Tunnel type gre_tunnel1 and click 3 For Local endpoint select the IPsec e...

Страница 341: ... local network interface ipsec_endpoint1 config vpn iptunnel gre_tunnel1 4 Set the remote endpoint to the IP address of the GRE tunnel on IX20 2 172 30 0 2 config vpn iptunnel gre_tunnel1 remote 172 30 0 2 config vpn iptunnel gre_tunnel1 5 Save the configuration and apply the change config vpn iptunnel gre_tunnel1 save Configuration saved Task four Create an interface for the GRE tunnel device Web...

Страница 342: ...ace gre_interface1 3 Set the zone to internal config network interface gre_interface1 zone internal config network interface gre_interface1 4 Set the device to the GRE tunnel created in Task three vpn iptunnel gre_tunnel1 config network interface gre_interface1 device vpn iptunnel gre_tunnel1 config network interface gre_interface1 5 Set 172 31 0 1 30 as the virtual IP address on the GRE tunnel co...

Страница 343: ...l WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN IPsec Tunnels 4 For Add IPsec Tunnel type ipsec_gre2 and click 5 Click to expand Authentication 6 For Pre shared key type the same pre shared key that was configured for the IX20 1 testkey 7 Click to ex...

Страница 344: ...h full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add an IPsec tunnel named ipsec_gre2 config add vpn ipsec tunnel ipsec_gre2 config vpn ipsec tunnel ipsec_gre2 4 Set the pre shared key to the same pre shared key that wa...

Страница 345: ... ipsec tunnel ipsec_gre2 policy 0 local custom 172 30 0 2 32 config vpn ipsec tunnel ipsec_gre2 policy 0 9 Set the remote network address to the IP address and subnet of the remote GRE tunnel 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre2 policy 0 remote network 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre2 policy 0 10 Save the configuration and apply the change config vpn ipsec tunnel ipsec_...

Страница 346: ...c_endpoint2 3 Set the zone to internal config network interface ipsec_endpoint2 zone internal config network interface ipsec_endpoint2 4 Set the device to network device loopback config network interface ipsec_endpoint2 device network device loopback config network interface ipsec_endpoint2 5 Set the IPv4 address to the IP address of the local GRE tunnel 172 30 0 2 32 config network interface ipse...

Страница 347: ...pply the change Command line 1 At the command line type config to enter configuration mode config config 2 Add a GRE tunnel named gre_tunnel2 config add vpn iptunnel gre_tunnel2 config vpn iptunnel gre_tunnel2 3 Set the local endpoint to the IPsec endpoint interface created in Task two network interface ipsec_endpoint2 config vpn iptunnel gre_tunnel2 local network interface ipsec_endpoint2 config ...

Страница 348: ...r Create an interface for the GRE tunnel device WebUI 1 Click Network Interfaces 2 For Add Interface type gre_interface2 and click 3 For Zone select Internal 4 For Device select the GRE tunnel created in Task three IP tunnel gre_tunnel2 5 Click to expand IPv4 6 For Address type 172 31 1 1 30 for a virtual IP address on the GRE tunnel 7 Click Apply to save the configuration and apply the change ...

Страница 349: ...e2 ipv4 address 172 31 1 1 30 config network interface gre_interface2 6 Save the configuration and apply the change config network interface gre_interface2 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device NEMO Network Mobility NEMO is a mobile networking techn...

Страница 350: ...ion lifetime This is provided by your cellular carrier n The local network interfaces that will be advertised on NEMO Additional configuration items n The home agent Software Parameter Index SPI n Path MTU discovery Path MTU discovery is enabled by default If it is disabled identify the MTU n Care of address the local network interface that is used to communicate with the peer l If set to Interfac...

Страница 351: ...he default setting of 256 unless your service provider indicates a different value 9 For Home agent registration lifetime in seconds type the number of seconds number of seconds until the authorization key expires This is provided by your cellular carrier 10 For MTU discovery leave enabled to determine the maximum transmission unit MTU size If disabled for MTU type the MTU size The default MTU siz...

Страница 352: ...Local Area Network LAN c Optional Repeat for additional interfaces 14 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mod...

Страница 353: ...vpn nemo nemo_example If disabled set the MTU size The default MTU size for LANs on the IX20 device is 1500 The MTU size of the NEMO tunnel will be smaller to take into account the required headers config vpn nemo nemo_example mtu integer config vpn nemo nemo_example Allowed values are any integer between 68 and 1476 9 Set the Security Parameter Index SPI value which is used in the authentication ...

Страница 354: ...k interface as the default route n interface If interface is used set the interface i Use the to determine available interfaces config vpn nemo nemo_example coaddress interface Interface Use the IP address of this network interface as this node s Care of Address Format defaultip defaultlinklocal eth1 eth2 loopback Current value config vpn nemo nemo_example coaddress interface ii Set the interface ...

Страница 355: ...faultlinklocal eth1 eth2 loopback Current value config vpn nemo nemo_example tun_local interface ii Set the interface For example config vpn nemo nemo_example tun_local interface eth1 config vpn nemo nemo_example The default is defaultroute 13 Configure one or more local networks to use as a virtual NEMO network interface Generally this will be a Local Area Network LAN a Add a local network to use...

Страница 356: ...configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 To display details about all configured NEMO tunnel type the following at the prompt show nemo NEMO Enable Status Address Agent CoAddress demo false test true up 1 2 3 4 4 3 2 1 10 10 10 1 3 To display details about a specific tunnel show nemo name test test NEMO Status Enabled true Status up Home...

Страница 357: ...Private Networks VPN NEMO IX20 User Guide 357 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 358: ...authentication 375 Configure telnet access 378 Configure DNS 383 Simple Network Management Protocol SNMP 389 Configure the Modbus gateway 394 System time 409 Configure the system time 409 Network Time Protocol 412 Configure the device as an NTP server 412 Configure a multicast route 417 Ethernet network bonding 420 Enable service discovery mDNS 423 Use the iPerf service 426 IX20 User Guide 358 ...

Страница 359: ...inistration or SSH service See Firewall configuration for information on zones n See Set the idle timeout for IX20 users for information about setting the inactivity timeout for the web administration and SSH services To allow web administration or SSH for the External firewall zone Add the External firewall zone to the web administration service WebUI 1 Log into the IX20 WebUI as a user with full...

Страница 360: ...guration mode config config 3 Add the external zone to the web administration service config add service web_admin acl zone end external config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Add the Extern...

Страница 361: ...te access for web administration and SSH IX20 User Guide 361 3 Click Configuration Services SSH Access Control List Zones 4 For Add Zone click 5 Select External 6 Click Apply to save the configuration and apply the change ...

Страница 362: ...ce by using the WebUI a browser based interface By default the web administration service is enabled and uses the standard HTTPS port 443 The default access control for the service uses the Internal firewall zone which means that only devices connected to the IX20 s LAN can access the WebUI If this configuration is sufficient for your needs no further configuration is required See Allow remote acc...

Страница 363: ...nfiguration The Configuration window is displayed 3 Click Services Web administration 4 Click Enable 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type ...

Страница 364: ...ick System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Web administration 4 Optional For Port enter the port number for the service Normally this should not be changed 5 Click Access control list to configure access control n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Addres...

Страница 365: ...n to allow access through additional firewall zones 6 Multicast DNS mDNS is enabled by default mDNS is a protocol that resolves host names in small networks that do not have a DNS server To disable mDNS or enable it if it has been disabled click Enable mDNS 7 For SSL certificate if you have your own signed SSL certificate type the certificate and private key in PEM format If SSL certificate is bla...

Страница 366: ...No limit to IPv4 addresses that can access the web administratrion service Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add service web_admin acl address6 end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addr...

Страница 367: ...play a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Repeat this step to list additional firewall zones 4 Optional If you have your own s...

Страница 368: ...o connect to the HTTPS session by using encryption protocols older than TLS 1 2 in addition to TLS 1 2 and later protocols This option is disabled by default which means that only TLS 1 2 and later encryption protocols are allowed with HTTPS connections To enable legacy encryption protocols config service web_admin legacy_encryption true config 8 Optional Disable legacy port redirection Legacy por...

Страница 369: ...cess n Configure access control for the SSH service Additional configuration items n Port to use for communications with the SSH service n Multicast DNS mDNS support n A private key to use for communications with the SSH service See Set the idle timeout for IX20 users for information about setting the inactivity timeout for the SSH service Enable or disable the SSH service The SSH service is enabl...

Страница 370: ...able or disable the SSH service n To enable the service config service ssh enable true config n To disable the sevice config service ssh enable false config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device C...

Страница 371: ...etworks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s SSH service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the SSH service d Click again to list additional IP addresses or networks n To limit acc...

Страница 372: ...ration mode config config 3 Configure access control n To limit access to specified IPv4 addresses and networks config add service ssh acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the SSH service Repeat this step to list additional IP addresses ...

Страница 373: ... n To limit access based on firewall zones config add service ssh acl zone end value Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configu...

Страница 374: ...nable the mDNS protocol config service ssh mdns enable true config n To disable the mDNS protocl config service ssh mdns enable false config 6 Optional Set the port number for this service The default setting of 22 normally should not be changed config service ssh port 24 config 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Dependin...

Страница 375: ... Linux host an SSH key pair is usually created automatically in the user s ssh directory The private and public keys are named id_rsa and id_rsa pub If you need to generate an SSH key pair you can use the ssh keygen application For example the following entry generates an RSA key pair in the user s ssh directory ssh keygen t rsa f ssh id_rsa The private key file is named id_rsa and the public key ...

Страница 376: ...when creating a new user See User authentication for information about creating a new user These instructions assume an existing user named temp_user 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configura...

Страница 377: ... Guide 377 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 378: ...elnet service Additional configuration items n Port to use for communications with the telnet service n Multicast DNS mDNS support See Set the idle timeout for IX20 users for information about setting the inactivity timeout for the telnet service Enable the telnet service The telnet service is disabled by default To enable the service WebUI 1 Log into the IX20 WebUI as a user with full Admin acces...

Страница 379: ... to enter configuration mode config config 3 Enable the telnet service config service telnet enable true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure the service WebUI 1 Log into the IX2...

Страница 380: ...d networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s telnet service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the telnet service d Click again to list additional IP addresses or networks n To ...

Страница 381: ...net acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the telnet service Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add service telnet acl address6 end value config W...

Страница 382: ...alue Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external internal ipsec loopback setup config Rep...

Страница 383: ... caches the results This server is used within the device and cannot be disabled Use the access control list to restrict external access to this server Required configuration items n Configure access control for the DNS service Additional configuration items n Whether the device should cache negative responses n Whether the device should always perform DNS queries to all available DNS servers n Wh...

Страница 384: ...ick c For Address enter the IPv6 address or network that can access the device s DNS service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the DNS service d Click again to list additional IP addresses or networks n To limit access to hosts connected through a specified interfac...

Страница 385: ...ervers b For Add Server click c Optional Enter a label for the DNS server d For DNS server enter the IP address of the DNS server e Domain restricts the device s use of this DNS server based on the domain If no domain are listed then all queries may be sent to this server 10 Optional To add host names and their IP addresses that the device s DNS server will resolve a Click Additional DNS hostnames...

Страница 386: ...list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add service dns acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Def...

Страница 387: ...ice dns cache_negative_responses false config 5 Optional Query all servers By default the device s DNS server queries all available DNS servers Disabling this option may improve performance on networks with transient DNS results when one or more DNS servers may have positive results To disable config service dns query_all_servers false config 6 Optional Rebind protection By default rebind protecti...

Страница 388: ... d Optional Set a label for this DNS server config service dns server 0 label label config service dns server 0 9 Optional Add host names and their IP addresses that the device s DNS server will resolve a Add a host config add service dns host end config service dns host 0 b Set the IP address of the host config service dns host 0 address ip addr config service dns host 0 c Set the host name confi...

Страница 389: ... device to receive SNMP packets you must configure the SNMP access control list to allow the device to receive the packets See Configure Simple Network Management Protocol SNMP Configure Simple Network Management Protocol SNMP Required configuration items n Enable SNMP n Firewall configuration using access control to allow remote connections to the SNMP agent n The user name and password used to c...

Страница 390: ... b For Add Address click c For Address enter the IPv6 address or network that can access the device s SNMP agent Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the SNMP agent d Click again to list additional IP addresses or networks n To limit access to hosts connected through a...

Страница 391: ...tion and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the SNMP agent config service snmp enable true config 4 Configure access contr...

Страница 392: ... interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service snmp acl zone end value Where value is a firewa...

Страница 393: ... port config 8 Optional Configure Multicast DNS mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server For the SNMP agent mDNS is disabled by default To enable config service snmp mdns enable true config 9 Optional Set the authentication type Allowed values are MD5 or SHA The default is MD5 config service snmp auth_type SHA config 10 Optional Set the priva...

Страница 394: ...onfigure Simple Network Management Protocol SNMP for information about enabling and configuring SNMP support on the IX20 device 3 On the main menu click Status Under Services click SNMP The SNMP page is displayed 4 Click Download Configure the Modbus gateway Your IX20 supports the ability to function as a Modbus gateway to provide serial to Ethernet connectivity to Programmable Logic Controllers P...

Страница 395: ...determine if messages should be forwarded to a destination device Additional configuration items n Server configuration l The packet mode l The maximum time between bytes in a packet l If the connection type is set to socket o The port to use o The inactivity timeout o Access control list l If the connection type is set to serial o Whether to use half duplex two wire mode n Client configuration l ...

Страница 396: ...tion click Device Configuration The Configuration window is displayed 3 Click Services Modbus Gateway 4 Click Enable to enable the gateway 5 Click Debug to allow verbose logging in the system log Configure gateway servers 1 Click to expand Gateway Servers 2 For Add Modbus server type a name for the server and click The new Modbus gateway server configuration is displayed ...

Страница 397: ... second and take the format number ms s For example to set Packet idle gap to 20 milliseconds enter 20ms 7 If Connection type is set to Socket for Inactivity timeout type the amount of time to wait before disconnecting the socket when it has become inactive Allowed values are any number of minutes or seconds up to a maximum of 15 minutes and take the format number m s For example to set Inactivity...

Страница 398: ...t access to hosts connected through a specified interface on the IX20 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface from the dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Fire...

Страница 399: ...onnection type is set to Socket for Inactivity timeout type the amount of time to wait before disconnecting the socket when it has become inactive Allowed values are any number of minutes or seconds up to a maximum of 15 minutes and take the format number m s For example to set Inactivity timeout to ten minutes enter 10m or 600s 8 Optional If Connection type is set to Serial click Half duplex to e...

Страница 400: ... forwarded to a destination device If the Modbus address in the message matches one or more of the filters the message is forwarded If it does not match the filters the message is not forwarded 13 For Address or address range type a Modbus address or range of addresses Allowed values are 1 through 255 or a hyphen separated range For example to have this client filter for incoming messages that con...

Страница 401: ...k Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the Modbus gateway config service modbus_gateway ...

Страница 402: ...t mode config service modbus_gateway server test_modbus_server socket packet_mode value config service modbus_gateway server test_modbus_server where value is either rtu or raw The default is rtu iv Set the maximum allowable time between bytes in a packet config service modbus_gateway server test_modbus_server socket idle_gap value config service modbus_gateway server test_modbus_server where valu...

Страница 403: ...ver ii Set the packet mode config service modbus_gateway server test_modbus_server serial packet_mode value config service modbus_gateway server test_modbus_server where value is either rtu or ascii The default is rtu iii Set the maximum allowable time between bytes in a packet config service modbus_gateway server test_modbus_server serial idle_gap value config service modbus_gateway server test_m...

Страница 404: ...nection type config service modbus_gateway client test_modbus_client connection_ type type config service modbus_gateway client test_modbus_client where type is either socket or serial The default is socket n If connection_type is set to socket i Set the IP protocol config service modbus_gateway client test_modbus_client socket protocol value config service modbus_gateway client test_modbus_client...

Страница 405: ...any number of minutes or seconds up to a maximum of 15 minutes and takes the format number m s For example to set inactivity_timeout to ten minutes enter either 10m or 600s config service modbus_gateway client test_modbus_client inactivity_timeout 600s config service modbus_gateway client test_modbus_client vi Set the hostname or IP address of the remote host on which the Modbus server is running ...

Страница 406: ...able half duplex two wire mode config service modbus_gateway client test_modbus_client serial half_duplex true config service modbus_gateway client test_modbus_client d Optional Enable the gateway to send broadcast messages to this client config service modbus_gateway client test_modbus_client broadcast true config service modbus_gateway client test_modbus_client e Set the maximum time to wait for...

Страница 407: ...es handled by this client should always be forwarded to a specific device use fixed_server_address to set the device s Modbus address config service modbus_gateway client test_modbus_client fixed_server_ address value config service modbus_gateway client test_modbus_client Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on t...

Страница 408: ..._address set to 10 This will configure the gateway to deliver all messages that have the Modbus server address address of 20 to the device with address 10 i Repeat the above instructions for additional clients 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access sel...

Страница 409: ...figure the system time for details about changing the default configuration The IX20 device can also be configured to use Network Time Protocol NTP In this configuration the device serves as an NTP server providing NTP services to downstream devices See Network Time Protocol for more information about NTP server support Configure the system time This procedure is optional The IX20 device s default...

Страница 410: ...NTP servers If multiple servers are included servers are tried in the order listed until one succeeds Note This list is synchronized with the list of servers included with NTP server configuration and changes made to one will be reflected in the other See Configure the device as an NTP server for more information about NTP server configuration 6 Click Apply to save the configuration and apply the ...

Страница 411: ...cecloud com config del service ntp server 0 n To add the NTP server to the beginning of the list use the index value of 0 to indicate that it should be added as the first server config add service ntp server 0 time server com config n To add the NTP server to the end of the list use the index keyword end config add service ntp server end time server com config n To add the NTP server in another lo...

Страница 412: ...TP server is required Additional NTP servers can be configured If multiple servers are configured a number of time samples are obtained from each of the servers and a subset of the NTP clock filter and selection algorithms are applied to select the best of these See Configure the device as an NTP server for information about configuring your device as an NTP server Configure the device as an NTP s...

Страница 413: ...addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s NTP service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the NTP service d Click again to list additional IP addresses or networks...

Страница 414: ... with the list of servers included with NTP client configuration and changes made to one will be reflected in the other See Configure the system time for more information about NTP client configuration 7 Optional Configure the system time zone The default is UTC a Click System Time b Select the Timezone for the location of your IX20 device 8 Click Apply to save the configuration and apply the chan...

Страница 415: ...bout NTP client configuration 5 Optional Configure the access control list to limit downstream access to the IX20 device s NTP service n To limit access to specified IPv4 addresses and networks config add service ntp acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses...

Страница 416: ...m config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service ntp acl zone end value Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filt...

Страница 417: ...ts actions that occur at a specific time of day Format Africa Abidjan Africa Accra Africa Addis_Ababa config 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a multicast route Multicast routing all...

Страница 418: ...s 10 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the multicast route For example to add a ro...

Страница 419: ...k interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback Current value config service multicast test src_interface b Set the interface For example config service multicast test src_interface network interface eth1 config service multicast test 8 Set the destination interface that the IX20 device will use to send mutlicast packets config service multicas...

Страница 420: ...twork bonding The IX20 device supports bonding mode for the Ethernet network This allows you to configure the device so that Ethernet ports share one IP address When both ports are being used they act as one Ethernet network port Required configuration items n Enable Ethernet bonding n The mode either l Active backup Provides fault tolerance l Round robin Provides load balancing as well as fault t...

Страница 421: ... Alternates between bonded devices to provide load balancing as well as fault tolerance 6 Click to expand Devices 7 Add Ethernet devices a For Add device click b For Device select an Ethernet device to participate in the bond pool c Repeat for each appropriate Ethernet device 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with f...

Страница 422: ...hosen This mode provides for fault tolerance n round robin Alternates between bonded devices to provide load balancing as well as fault tolerance 5 Add Ethernet devices a Use the to determine available devices config network bond name network device Additional Configuration eth1 eth2 loopback config network bond name b Add a device config network bond name add device network device eth1 config net...

Страница 423: ...IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s mDNS service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the mDNS service d Click again to list additional IP addresses or networks n To limit access to spec...

Страница 424: ...ck Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the mDNS service config service mdns enable true...

Страница 425: ...nfig Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem config Repeat this step to list additional interfaces n To limit access based o...

Страница 426: ...can handle This is useful when diagnosing network speed issues to determine for example whether a cellular connection is providing expected throughput The IX20 implementation of iPerf3 supports testing with both TCP and UDP Note Using iPerf clients that are at a version earlier than iPerf3 to connect to the IX20 device s iPerf3 server may result in unpredictable results As a result Digi recommends...

Страница 427: ...iate port number for the iPerf server listening port 6 Optional Click to expand Access control list to restrict access to the iPerf server n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network...

Страница 428: ...opdown See Firewall configuration for information about firewall zones d Click again to allow access through additional firewall zones 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Adm...

Страница 429: ...this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the IX20 device config add service iperf acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuratio...

Страница 430: ...talled enter the following command iperf3 c device_ip where device_ip is the IP address of the IX20 device For example iperf3 c 192 168 2 1 Connecting to host 192 168 2 1 port 5201 4 local 192 168 3 100 port 54934 connected to 192 168 1 1 port 5201 ID Interval Transfer Bandwidth Retr Cwnd 4 0 00 1 00 sec 26 7 MBytes 224 Mbits sec 8 2 68 MBytes 4 1 00 2 00 sec 28 4 MBytes 238 Mbits sec 29 1 39 MByt...

Страница 431: ...Services Use the iPerf service IX20 User Guide 431 ID Interval Transfer Bandwidth Retr 4 0 00 10 00 sec 315 MBytes 264 Mbits sec 37 sender 4 0 00 10 00 sec 313 MBytes 262 Mbits sec receiver iperf Done ...

Страница 432: ...ice system restarts at specific intervals or at a specified time This chapter contains the following topics Configure applications to run automatically 433 Run a Python application at the shell prompt 439 Start an interactive Python session 441 Digidevice module 443 Use Python to access serial ports 464 Use the Paho MQTT python library 465 Stop a script that is currently running 468 Show script in...

Страница 433: ... At a specified interval l During system maintenance Additional configuration items n A label used to identify the application n The action to take if the Python application finishes The actions that can be taken are l None l Restart the script l Reboot the device n The arguments for the Python application n Whether to write the application output and errors to the system log n The memory availabl...

Страница 434: ... n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the IX20 device n local path is the location on the IX20 device where the copied file will be placed For example To upload a Python application from a remote host with an IP address of 1...

Страница 435: ... with care WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks Custom scripts 4 For Add Script click The schedule script configuration window is displayed Scheduled scripts are enabled by default To disable click Enable to toggle off 5 O...

Страница 436: ...f Set Time is selected specify the time that the script should run in Run time using the format HH MM n During system maintenance The script will run during the system maintenance time window 7 For Commands enter the commands that will execute the script If the script begins with then the script will be invoked in the location specified by the path for the script command Otherwise the default shel...

Страница 437: ...le script 0 label value config system schedule script 0 where value is any string if spaces are used enclose value within double quotes 5 Set the mode that will be used to run the script config system schedule script 0 when mode config system schedule script 0 where mode is one of the following n boot The script will run once each time the device boots l If boot is selected set the action that wil...

Страница 438: ...et set the time that the script should run using the format HH MM config system schedule script 0 run_time HH MM config system schedule script 0 n maintenance_time The script will run during the system maintenance time window 6 Set the commands that will execute the script config system schedule script 0 commands filename config system schedule script 0 where filename is the path and filename of t...

Страница 439: ...running on config system schedule script 0 sandbox true config system schedule script 0 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Run a Python application at the shell prompt Python applications can...

Страница 440: ...presented with an Access selection menu Type admin to access the Admin CLI b At the command line use the scp command to upload the Python application script to the IX20 device scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path i...

Страница 441: ...teractive Python session Use the python command without specifying any parameters to start an interactive Python session The Python session operates interactively using REPL Read Evaluate Print Loop to allow you to write Python code on the command line Note The Python interactive session is not available from the Admin CLI You must access the device shell in order to run Python applications from t...

Страница 442: ...442 NAME digidevice Digi device python extensions DESCRIPTION This module includes various extensions that allow Python to interact with additional features offered by the device 4 Use Ctrl D to exit the Python session You can also exit the session using exit or quit ...

Страница 443: ...vice module This section contains the following topics Use digidevice cli to execute CLI commands 444 Use digidevice datapoint to upload custom datapoints to Digi Remote Manager 445 Use digidevice config for device configuration 447 Use Python to respond to Digi Remote Manager SCI requests 449 Use digidevice runtime to access the runtime database 458 Use Python to upload the device name to Digi Re...

Страница 444: ...nteractive Python session python Python 3 6 10 default Jan 31 2020 08 45 19 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Execute a CLI command using the cli execute command function For example to print the system status and statistics to stdout using the show system command response cli execute show system p...

Страница 445: ...lp copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Use the help command with cli execute help cli execute Help on function execute in module digidevice cli execute command timeout 5 Execute a CLI command with the timeout specified returning the results 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit ...

Страница 446: ... digidevice import datapoint import time 4 Upload the datapoints to Remote Manager datapoint upload Velocity 69 units mph datapoint upload Temperature 24 geo_location 54 409469 1 718836 129 datapoint upload Emergency_Door closed timestamp time time 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Once the datapoints have been uploaded to Remote Manager they ...

Страница 447: ...sion You can also exit the session using exit or quit Use digidevice config for device configuration Use the config Python module to access and modify the device configuration Read the device configuration Use the get method to read the device configuration 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access select...

Страница 448: ...o the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no parameters to enter an interactive Python session python Python 3 6 10 default Jan 31 2020 08 45 19 GCC 8 3 0 on linux Type help copyright credits or license for more ...

Страница 449: ...config Help on module acl config in acl NAME acl config Python interface to ACL configuration libconfig 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Use Python to respond to Digi Remote Manager SCI requests The device_request Python module allows you to interact with Digi Remote Manager by using Remote Manager s Server Command Interface SCI a web service...

Страница 450: ...handler Note Leave the interactive Python session active while completing task two below Once you have completed task two exit the interactive session by using Ctrl D You can also exit the session using exit or quit Task two Create and send an SCI request from Digi Remote Manager The second step in using the device_request module is to create an SCI request that Remote Manager will forward to the ...

Страница 451: ...er you will receive a response similar to the following sci_reply version 1 0 data_service device id 00000000 00000000 0000FFFF A83CF6A3 requests device_request target_name myTarget status 0 OK device_ request requests device data_service sci_request Example Use digidevice cli with digidevice device_request In this example we will use the digidevice cli module in conjunction with the digidevice de...

Страница 452: ...e request in Remote Manager to query both devices See Configure applications to run automatically for information about uploading Python applications to your device You can also create the script on the device by using the vi command when logged in with shell access 3 For both devices a Configure the device to automatically run the showsystem py application on reboot and to restart the application...

Страница 453: ...tem py ix Click Apply to save the configuration and apply the change Command line i Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI ii At the command line type config to enter configuration mode config config iii Add an application entry config add sys...

Страница 454: ...plication config system schedule script 0 commands python etc config scripts showsystem py config system schedule script 0 viii Save the configuration and apply the change config save Configuration saved b Run the showsystem py application You can run the application by either rebooting the device or by running it from the shell prompt n To reboot the device i From the WebUI i From the main menu c...

Страница 455: ...FFF A83CF6A3 device id 00000000 00000000 0000FFFF 485740BC targets requests device_request target_name myTarget my payload string device_request requests data_service sci_request 7 For the device_request element replace the value of target_name with showSystem This matches the target parameter of the device_request register function in the showsystem py application device_request target_name showS...

Страница 456: ...00000000 00000000 0000FFFF 485740BC requests device_request target_name showSystem status 0 Model Digi IX20 Serial Number IX20 000023 Hostname IX20 MAC 00 40 D0 26 79 1C Hardware Version 50001959 01 A Firmware Version 20 8 22 32 Bootloader Version 1 Firmware Build Date Fri 28 Aug 2020 9 25 12 Schema Version 461 Timezone UTC Current Time Fri 28 Aug 2020 9 25 12 CPU 1 1 Uptime 4 day 13 hours 43 minu...

Страница 457: ...n 3 Import the device_request submodule from digidevice import device_request 4 Use the help command with device_request help device_request Help on module digidevice device_request in digidevice NAME digidevice device_request APIs for registering device request handlers You can also use the help command with available device_request functions n Use the help command with device_request register he...

Страница 458: ...redits or license for more information 3 Import the runt submodule from digidevice import runt 4 Use start method to open the runtime database runt start 5 Display available keys in the runtime database print runt keys advanced drm firmware location manufacture metrics mm network pam serial system print runt keys system boot_count chassis cpu_temp cpu_usage disk load_avg local_time mac mcu model r...

Страница 459: ...abase runt stop 8 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for using Python to access the runtime database Get help for reading and modifying the device runtime database by accessing help for digidevice runt 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selec...

Страница 460: ...ice based on the device name changing the name of the device may cause Remote Manager to automatically push a profile onto the device Together these two features allow you to swap one device for another by using the name submodule to change the device name while guaranteeing that the new device will have the same configuration as the previous one Note Because causing a profile to be automatically ...

Страница 461: ...5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for upload the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Managerby accessing help for digidevice name 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type s...

Страница 462: ...Manager or Digi aView by using the digidevice sms module To use a script to send or receive SMS messages you must also enable the ability to schedule SMS scripting Enable the ability to schedule SMS scripting WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click...

Страница 463: ...guration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device See Configure applications to run automatically for more information about scheduling scripts Example digidevice sms code The following example code receives an SMS message and sends a response usr bin python3 6 import os...

Страница 464: ...g a serial port in Application mode To use Python to access serial ports 1 Log into the IX20 command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 Determine the path to the serial port ls dev serial by id by path by usb port1 3 At the shell prompt use the python command with no para...

Страница 465: ...rics from runt Reporting DHCP clients Firmware update feature simple implementation read TODO in cmd_fwupdate import sys import time import paho mqtt client as mqtt import json from acl import runt config from http import HTTPStatus import urllib request import tempfile import os from digidevice import cli POLL_TIME 60 def cmd_reboot params print Rebooting unit try cli execute reboot 10 except pri...

Страница 466: ... def send_cmd_reply client cmd_path cid cmd status if not status or not cid return if cmd_path startswith PREFIX_CMD path cmd_path len PREFIX_CMD else print Invalid command path cannot send reply format cmd_path return reply cmd cmd status status client publish PREFIX_RSP path cid json dumps reply separators def on_connect client userdata flags rc print Connected to MQTT server client subscribe PR...

Страница 467: ...TED send_cmd_reply client msg topic cid cmd status def publish_dhcp_leases leases try with open etc config dhcp leases r as f for line in f elems line split if len elems 5 continue leases append mac elems 1 ip elems 2 host elems 3 if leases client publish PREFIX_EVENT leases json dumps leases separators except print Failed to open DHCP leases file def publish_system avg1 avg5 avg15 runt get system...

Страница 468: ...o MQTT server sys exit 1 while True publish_dhcp_leases publish_system time sleep POLL_TIME Stop a script that is currently running You can stop a script that is currently running by using the system script stop name command Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin ...

Страница 469: ...tatus and statistics about location information from either the WebUI or the command line WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 At the Status page click Scripts The Scripts page displays Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the ...

Страница 470: ...d_mgmt_intf_update pri runt get network mgmt log default if pri pri then default_net runt dump network route default grep m 1 o interface_ cut f2 d _ tr d if n default_net then default_intf runt get network interface default_net device runt set network mgmt log intf default_intf fi log runt log network mgmt log ...

Страница 471: ...ation IX20 User Guide 471 accns_log network_mgmt log type mgmt log fi 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 472: ...ication methods 473 Authentication groups 480 Local users 490 Terminal Access Controller Access Control System Plus TACACS 502 Remote Authentication Dial In User Service RADIUS 510 LDAP 517 Disable shell access 524 Set the idle timeout for IX20 users 525 Example user configuration 528 IX20 User Guide 472 ...

Страница 473: ...ocal users Groups Associates access permissions for a group You can modify the released groups and create additional groups as needed for your site A user can be assigned to more than one group n admin Provides the logged in user with administrative and shell access n serial Provides the logged in user with access to serial ports Users Defines local users for the IX20 n admin Belongs to both the a...

Страница 474: ...tion Dial In User Service RADIUS for information about configuring RADIUS authentication n TACACS Users authenticated by using a remote TACACS server for authentication See Terminal Access Controller Access Control System Plus TACACS for information about configuring TACACS authentication n LDAP Users authenticated by using a remote LDAP server for authentication See LDAP for information about con...

Страница 475: ...nu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Methods 4 For Add Method click 5 Select the appropriate authentication type for the new method from the Method drop down Note Authentication methods are attempted in the order they are listed until the first successful authentication result is returned See Rearrange the posit...

Страница 476: ...d the new authentication method to the appropriate location in the list n To determine the current list of authentication methods a Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI b At the command line type config to enter configuration mode config con...

Страница 477: ... rearrange existing methods See Rearrange the position of authentication methods for information about how to reorder the authentication methods 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete an aut...

Страница 478: ...g 3 Use the show auth method command to determine the index number of the authentication method to be deleted config show auth method 0 local 1 radius 2 tacacs config 4 Delete the appropriate authentication method config del auth method n Where n is index number of the authentication method to be deleted For example to delete the TACACS authentication method as displayed by the example show comman...

Страница 479: ...he following configuration has Local users as the first method and RADIUS as the second To reorder these so that RADIUS is first and Local users is second 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click to expand the first Method 4 In the Method drop down select...

Страница 480: ... display current configuration config show auth method 0 local 1 radius config 4 Use the move command to rearrange the methods config move auth method 1 0 config 5 Use the show command again to verify the change config show auth method 0 radius 1 local config 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device con...

Страница 481: ...with Serial access have the ability to log into the IX20 device by using the serial console Preconfigured authentication groups The IX20 device has two preconfigured authentication groups n The admin group is configured by default to have full Admin access and Shell access Shell access is not available if the Allow shell parameter has been disabled See Disable shell access for more information abo...

Страница 482: ...o expand its configuration node 5 Click the box next to the following options as appropriate to enable or disable access rights for each n Admin access For groups assigned Admin access you can also determine whether the Access level should be Full access or Read only access l Full access provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI l R...

Страница 483: ...e Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable or disable access rights for the group For example n Admin access l To set the access level for Admin access of the admin group config auth group admin acl admin level value config where value is either o full provides users of this group with the ability to manage the IX20 device by using the WebUI or...

Страница 484: ...le true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Add an authentication group Required configuration items n The access rights to be assigned to users that are assigned to this group Additional...

Страница 485: ...he following options as appropriate to enable or disable access rights for each n Admin access For groups assigned Admin access you can also determine whether the Access level should be Full access or Read only access where value is either l Full access full provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI l Read only access read only prov...

Страница 486: ...Optional Enable users that belong to this group to query the device for Nagios monitoring by checking the box next to Nagios access 9 Optional Enable users that belong to this group to access the Bluetooth scanning service by checking the box next to Bluetooth scanner access 10 Optional Enable users that belong to this group to access the Wi Fi scanning service by checking the box next to Wi Fi sc...

Страница 487: ...cess config auth group test acl shell enable true config Shell access is not available if the Allow shell parameter has been disabled See Disable shell access for more information about the Allow shell parameter n Serial access config auth group test acl serial enable true config 5 Optional Configure captive portal access a Return to the config prompt by typing three periods config auth group test...

Страница 488: ... Fi scanning service config auth group group test acl wifi_scanner enable true config 9 Save the configuration and apply the change config save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete an authentication group By default the IX20 device has two preco...

Страница 489: ...ghts Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth group groupname 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your devi...

Страница 490: ... the device and is the most critical security feature for the device If you reset the device to factory defaults you must log in using the default user and password and you should immediately change the password to a custom password Before deploying or mounting the IX20 device record the default password so you have the information available when you need it even if you cannot physically access th...

Страница 491: ... Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 Click the username to expand the user s configuration node 5 For Password enter the new password The password must be at least ten characters long and must contain at least one uppercase letter one lowercase letter one number and one special character You can also change the password for the active user by c...

Страница 492: ...one uppercase letter one lowercase letter one number and one special character 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a local user Required configuration items n A username n A password T...

Страница 493: ...n over SSH telnet and the serial console l The verification type for two factor authentication Either time based or counter based l The security key l Whether to allow passcode reuse time based verification only l The passcode refresh interval time based verification only l The valid code window size l The login limit l The login limit period l One time use eight digit emergency scratch codes To c...

Страница 494: ...ick to toggle off Enable a For Lockout tries type the number of unsuccessful login attempts before the user is locked out of the device The default is 5 b For Lockout duration type the amount of time that the user is locked out after the number of unsuccessful login attempts defined in Lockout tries Allowed values are any number of minutes or seconds and take the format number m s For example to s...

Страница 495: ...me password n Counter based HOTP HMAC based One Time Password HOTP uses a counter to validate a one time password d Generate a Secret key i Click next to the field label and select Generate secret key ii To display the QR code for the secret key click next to the field label and select Show secret key QR code iii Copy the secret key or scan or copy the QR code for use with an application or mobile...

Страница 496: ...codes that may be used once at any time To add a scratch code i Click Scratch codes ii For Add Code click iii For Code enter the scratch code The code must be eight digits with a minimum of 10000000 iv Click again to add additional scratch codes 10 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depend...

Страница 497: ...and takes the format number m s For example to set duration to ten minutes enter either 10m or 600s config auth user new_user lockout duration 600s config auth user new_user The minimum value is 1 second and the maximum is 15 minutes The default is 15 minutes 6 Add groups for the user Groups define user access rights See Authentication groups for information about configuring groups a Add a group ...

Страница 498: ...gure two factor authentication for SSH telnet and serial console login a Change to the user s two factor authentication node config auth user new_user 2fa config auth user new_user 2fa b Enable two factor authentication for this user config auth user new_user 2fa enable true config auth user new_user 2fa c Configure the verification type Allowed values are n totp Time based One Time Password TOTP ...

Страница 499: ...ry when the clocks used by the server and client are not synchronized config auth user new_user 2fa window_size 3 config auth user new_user 2fa h Configure the login limit This represents the number of times that the user is allowed to attempt to log in during the Login limit period Set to 0 to allow an unlimited number of login attempts during the Login limit period config auth user new_user 2fa ...

Страница 500: ...atch codes use the add end code command again 9 Save the configuration and apply the change config auth user new 2fa scratch_code save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a local user To delete a user from your IX20 WebUI 1 Log into the IX20 We...

Страница 501: ...g on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth user username 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuratio...

Страница 502: ...nd connection parameters to a TACACS server over TCP The TACACS server then authenticates the TACACS client requests and sends back a response message to the device When you are using TACACS authentication you can have both local users and TACACS users able to log in to the device To use TACACS authentication you must set up a TACACS server that is accessible by the IX20 device prior to configurat...

Страница 503: ... sudo gedit etc tacacs tac_plus conf 2 Add users to the file using the following format This example will create two users one with admin and serial access and one with only serial access user user1 name User1 for IX20 pap cleartext password1 service system groupname admin serial user user2 name User2 for IX20 pap cleartext password2 service system groupname serial The groupname attribute is optio...

Страница 504: ...ocally if the TACACS server is unavailable or if the user is not defined on the TACACS server then you should list the TACACS authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the TACACS servers are unavailable and the IX20 device falls back to local authentication only users defined locally on ...

Страница 505: ...file for example key testing123 e Optional Click again to add additional TACACS servers 5 Optional Enable Authoritative to prevent other authentication methods from being used if TACACS authentication fails Other authentication methods will only be used if the TACACS server is unavailable 6 Optional For Group attribute type the name of the attribute used in the TACACS server s configuration to ide...

Страница 506: ... 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Optional Prevent other authentication methods from being used if TACACS authentication fails Other authentication methods w...

Страница 507: ...ure TCP connection to the LDAP server on port 389 then sends a request to upgrade the connection to a secure TLS connection This is the preferred method for LDAP The default is off 7 If tls is set to on or start_tls configure whether to verify the server certificate config auth ldap verify_server_cert value config where value is either n true Verifies the server certificate with a known Certificat...

Страница 508: ...3 to 60 The default value is 3 13 Add an TACACS server a Add the server config add auth tacacs server end config auth tacacs server 0 b Enter the TACACS server s IP address or hostname config auth tacacs server 0 hostname hostname ip address config auth tacacs server 0 c Optional Change the default port setting to the appropriate port config auth tacacs server 0 port port config auth tacacs server...

Страница 509: ...uide 509 config add auth method end tacacs config 15 Save the configuration and apply the change config save Configuration saved 16 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 510: ...erver over UDP The RADIUS server then authenticates the RADIUS client requests and sends back a response message to the device When you are using RADIUS authentication you can have both local users and RADIUS users able to log in to the device To use RADIUS authentication you must set up a RADIUS server that is accessible by the IX20 device prior to configuration The process of setting up a RADIUS...

Страница 511: ...ely if the user is also configured as a local user on the IX20 device and the RADIUS server authenticates the user but does not return any groups the local configuration determines the list of groups See Authentication groups for more information about authentication groups The Unix FTP Group Names attribute can contain one group or multiple groups in a comma separated list 3 Save and close the fi...

Страница 512: ... This section describes how to configure a IX20 device to use a RADIUS server for authentication and authorization Required configuration items n Define the RADIUS server IP address or domain name n Define the RADIUS server shared secret n Add RADIUS as an authentication method for your IX20 device Additional configuration items n Whether other user authentication methods should be used in additio...

Страница 513: ...RADIUS server to respond Allowed value is any integer from 3 to 60 The default value is 3 f Optional Click again to add additional RADIUS servers 5 Optional Enable Authoritative to prevent other authentication methods from being used if RADIUS authentication fails Other authentication methods will only be used if the RADIUS server is unavailable 6 Optional Click RADIUS debug to enable additional d...

Страница 514: ...the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Optional Prevent other authentication methods from being used if RADIUS authentication fails Other authentication methods will only be ...

Страница 515: ...on or start_tls configure whether to verify the server certificate config auth ldap verify_server_cert value config where value is either n true Verifies the server certificate with a known Certificate Authority n false Does not verify the certificate Use this option if the server is using a self signed certificate The default is true 8 Set the distinguished name DN that is used to bind to the LDA...

Страница 516: ...config auth radius server 0 hostname hostname ip address config auth radius server 0 c Optional Change the default port setting to the appropriate port config auth radius server 0 port port config auth radius server 0 d Enter the RADIUS server s shared secret This is configured in the secret parameter of the RADIUS server s client conf file For example config auth radius server 0 secret testing123...

Страница 517: ...ion and authorization management for users who connect to the device With LDAP support the IX20 device acts as an LDAP client which sends user credentials and connection parameters to an LDAP server The LDAP server then authenticates the LDAP client requests and sends back a response message to the device When you are using LDAP authentication you can have both local users and LDAP users able to l...

Страница 518: ...ng the following format dn uid john dc example dc com objectClass inetOrgPerson cn John Smith sn Smith uid john userPassword password ou admin serial n The value of uid and userPassword must correspond to the username and password used to log into the IX20 device n The ou attribute is optional If used the value must correspond to authentication groups configured on your IX20 Alternatively if the u...

Страница 519: ... server then you should list the LDAP authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the LDAP servers are unavailable and the IX20 device falls back to local authentication only users defined locally on the device are able to log in LDAP users cannot log in until the LDAP servers are brought ...

Страница 520: ...ange the default Port setting to the appropriate port Normally this should be left at the default setting of port 389 d Optional Click again to add additional LDAP servers 5 Optional Enable Authoritative to prevent other authentication methods from being used if LDAP authentication fails Other authentication methods will only be used if the LDAP server is unavailable 6 For TLS connection select th...

Страница 521: ...ns 10 For User search base type the distinguished name DN on the server to search for users This can be the root of the directory tree for example dc example dc com or a sub tree for example ou People dc example dc com 11 Optional For Group attribute type the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to See LDAP user conf...

Страница 522: ...n port 636 n start_tls Makes a non secure TCP connection to the LDAP server on port 389 then sends a request to upgrade the connection to a secure TLS connection This is the preferred method for LDAP The default is off 5 If tls is set to on or start_tls configure whether to verify the server certificate config auth ldap verify_server_cert value config where value is either n true Verifies the serv...

Страница 523: ...P server to respond config auth ldap timeout value config where value is any integer from 3 to 60 The default value is 3 11 Add an LDAP server a Add the server config add auth ldap server end config auth ldap server 0 b Enter the LDAP server s IP address or hostname config auth ldap server 0 hostname hostname ip address config auth ldap server 0 c Optional Change the default port setting to the ap...

Страница 524: ... shell access To prohibit access to the shell prompt for all authentication groups disable the Allow shell parameter This does not prevent access to the Admin CLI Note If shell access is disabled re enabling it will erase the device s configuration and perform a factory reset WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration clic...

Страница 525: ...er configuration mode config config 3 Set the allow_shell parameter to false config auth allow_shell false Note If shell access is disabled re enabling it will erase the device s configuration and perform a factory reset 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an...

Страница 526: ...that the active session can be idle before the user is automatically logged out Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Idle timeout to ten minutes enter 10m or 600s 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights De...

Страница 527: ...umber of weeks days hours minutes or seconds and takes the format number w d h m s For example to set idle_timeout to ten minutes enter either 10m or 600s config auth idle_timeout 600s config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type q...

Страница 528: ...r rights who is authenticated locally on the device WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 In Add User enter a name for the user and click The user configuration window is displayed 5 Enter a Password for the user ...

Страница 529: ... i Click Authentication Methods ii Verify that Local users is one of the methods listed in the list If not i For Add Method click ii For Method select Local users 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu ...

Страница 530: ...dmin config auth user adminuser 8 Save the configuration and apply the change config auth user adminuser save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Example 2 RADIUS TACACS and local authentication for one user Goal To create a user with administrator rig...

Страница 531: ... configuration IX20 User Guide 531 This example uses a FreeRadius 3 0 server running on ubuntu and a TACACS server running on ubuntu Server configuration may vary depending on the platforms or type of servers used in your environment ...

Страница 532: ... Group Names parameter c Save and close the users file 2 Configure a user on the TACACS server a On the ubuntu machine hosting the TACACS server open the etc tacacs tac_plus conf file sudo gedit etc tacacs tac_plus conf b Add a TACACS user to the tac_plus conf file user admin1 name Admin1 for TX64 pap cleartext password1 service system groupname admin In this example n The user s username is admin...

Страница 533: ...s b For Method select RADIUS c For Add Method click to add a new method d For the new method select TACACS e Click to add another new method f For the new method select Local users 6 Create the local user a Click Authentication Users b In Add User type admin1 and click c For password type password1 d Assign the user to the admin group i Click Groups ii For Add Group click ...

Страница 534: ...untu machine hosting the FreeRadius server open the etc freeradius 3 0 users file sudo gedit etc freeradius 3 0 users b Add a RADIUS user to the users file admin1 Cleartext Password password1 Unix FTP Group Names admin In this example n The user s username is admin1 n The user s password is password1 n The authentication group on the IX20 device admin is identified in the Unix FTP Group Names para...

Страница 535: ...LI 4 At the command line type config to enter configuration mode config config 5 Configure the authentication methods a Determine the current authentication method configuration config show auth method 0 local config This output indicates that on this example system only local authentication is configured b Add RADIUS authentication to the beginning of the list config add auth method 0 radius conf...

Страница 536: ... admin1 config add auth user admin1 config auth user admin1 b Assign a password to the user config auth user adminuser password password1 config auth user adminuser c Assign the user to the admin group config auth user adminuser add group end admin config auth user adminuser 8 Save the configuration and apply the change config auth user adminuser save Configuration saved 9 Type exit to exit the Ad...

Страница 537: ...his chapter contains the following topics Firewall configuration 538 Port forwarding rules 543 Packet filtering 551 Configure custom firewall rules 558 Configure Quality of Service options 560 IX20 User Guide 537 ...

Страница 538: ...way l Setup Used for interfaces involved in the initial setup of the device By default the firewall will only allow this zone to access administration services l IPsec The default zone for IPsec tunnels l Dynamic routes Used for routes learned using routing services n Port forwarding A list of rules that allow network connections to the IX20 to be forwarded to other servers by translating the dest...

Страница 539: ...ply the change See Configure the firewall zone for a network interface for information about how to configure network interfaces to use a zone Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter con...

Страница 540: ...e network interfaces to use a zone Configure the firewall zone for a network interface Firewall zones allow you to group network interfaces for the purpose of packet filtering and access control There are several preconfigured firewall zones and you can create custom zones as well The firewall zone that a network interfaces uses is selected during interface configuration This example procedure use...

Страница 541: ...config to enter configuration mode config config 3 At the config prompt type config network interface eth2 zone my_zone config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Command line 1 Log into the IX2...

Страница 542: ...ing on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a custom firewall zone You cannot delete preconfigured firewall zones To delete a custom firewall zone WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration wi...

Страница 543: ...ction menu Type quit to disconnect from the device Port forwarding rules Most computers are protected by a firewall that prevents users on a public network from accessing servers on the private network To allow a computer on the Internet to connect to a specific server on a private network set up one or more port forwarding rules Port forwarding rules provide mapping instructions that direct incom...

Страница 544: ...r IP address or firewall zone that are authorized to leverage this forwarding rule To configure a port forwarding rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Port forwarding 4 For Add port forward click The port forwarding rule configurat...

Страница 545: ...e forwarded 11 For To port type the port number of the port on the server to which traffic should be forwarded 12 Optional Click Access control list to create a white list of devices that are authorized to leverage this forwarding rule based on either the IP address or firewall zone n To white list IP addresses a Click Addresses b For Add Address enter an IP address and click c Repeat for each add...

Страница 546: ...o determine available interfaces config firewall dnat 0 interface Interface Network connections will only be forwarded if their destination address matches the IP address of this network interface Format defaultip defaultlinklocal eth1 eth2 loopback Current value config firewall dnat 0 interface b Set the interface For example config firewall dnat 0 interface eth1 config firewall dnat 0 5 Set the ...

Страница 547: ...tions must use for their traffic to be forwarded config firewall dnat 0 to_port port config firewall dnat 0 10 Optional To create a white list of devices that are authorized to leverage this forwarding rule based on either the IP address or firewall zone change to the acl node config firewall dnat 0 acl config firewall dnat 0 acl n To white list an IP address l For IPv4 addresses config firewall d...

Страница 548: ...1 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a port forwarding rule To delete a port forwarding rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click Sy...

Страница 549: ...ith full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the port forwarding rule you want to delete config show firewall dnat 0 acl no address no zone enable true interface ip_version ipv4 label...

Страница 550: ... bd63 bb12 9a6f 5569 4b53 c29a to_port 10003 config 4 To delete the rule use the index number with the del command For example config del firewall dnat 1 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 551: ...figuration items n The action that the packet filtering rule will perform either Accept Reject or Drop n The source firewall zone Packets originating from interfaces on this zone will be monitored by this rule n The destination firewall zone Packets destined for interfaces on this zone will be accepted rejected or dropped by this rule Additional configuration requirements n A label for the rule n ...

Страница 552: ...n Reject Blocks matching network connections and sends an ICMP error if appropriate n Drop Blocks matching network connections and does not send a reply 6 Select the IP version 7 Select the Protocol 8 For Source zone select the firewall zone that will be monitored by this rule for incoming connections from network interfaces that are a member of this zone See Firewall configuration for more inform...

Страница 553: ...x number of the appropriate packet filtering rule config show firewall filter 0 action accept dst_zone any enable true ip_version any label Allow all outgoing traffic protocol any src_zone internal 1 action drop dst_zone internal enable true ip_version any label myfilter protocol any src_zone external config b Select the appropriate rule by using its index number config firewall filter 1 config fi...

Страница 554: ...ons from network interfaces that are a member of this zone See Firewall configuration for more information about firewall zones config firewall filter 1 src_zone my_zone config firewall filter 1 6 Set the destination firewall zone Packets destined for network interfaces that are members of this zone will either be accepted rejected or dropped by this rule See Firewall configuration for more inform...

Страница 555: ...election menu Type quit to disconnect from the device Enable or disable a packet filtering rule To enable or disable a packet filtering rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Packet filtering 4 Click the appropriate packet filtering ...

Страница 556: ...f the appropriate port forwarding rule config show firewall filter 0 action accept dst_zone any enable true ip_version any label Allow all outgoing traffic protocol any src_zone internal 1 action drop dst_zone internal enable true ip_version any label My packet filter protocol any src_zone external config 4 To enable a packet filtering rule use the index number with the enable true command For exa...

Страница 557: ...lete a packet filtering rule WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Packet filtering 4 Click the menu icon next to the appropriate packet filtering rule and select Delete 5 Click Apply to save the configuration and apply the change Comman...

Страница 558: ...rsion any label My packet filter protocol any src_zone external config 4 To delete the rule use the index number with the del command For example config del firewall filter 1 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect...

Страница 559: ...o override all preconfigured firewall behavior and rely solely on the custom firewall rules 6 For Rules type the shell command that will execute the custom firewall rules script 7 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access ...

Страница 560: ...nage the traffic performance of various services such as Voice over IP VoIP cloud computing traffic shaping traffic prioritizing and bandwidth allocation When configuring QOS you can only control the queue for outgoing packets on each interface egress packets not what is received on the interface packet ingress A QoS binding contains the policies and rules that apply to packets exiting the IX20 de...

Страница 561: ...ropriate for your network 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable one of the precon...

Страница 562: ...ue config firewall qos 0 interface b Set the interface For example config firewall qos 0 interface network interface eth1 config 5 Examine the remaining default settings and modify as appropriate for your network 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access ...

Страница 563: ... only match traffic that is being sent out on this interface 8 Optional For Interface bandwidth Mbit set the maximum egress bandwidth of the interface in megabits allocated to this binding Typically this should be 95 of the available bandwidth Allowed value is any integer between 1 and 1000 9 Create a policy for the binding At least one policy is required for each binding Each policy can contain u...

Страница 564: ...of packets A lower latency means that the packets will be scheduled more quickly for transmission f Select Default to identify this policy as a fall back policy The fall back policy will be used for traffic that is not matched by any other policy If there is no default policy associated with this binding packets that do not match any policy rules will be dropped g If Default is disabled you must c...

Страница 565: ...ddress will be matched ix Click to expand Destination address and select the Type n Any Traffic destined for anywhere will be matched n Interface Only traffic destined for the selected Interface will be matched n IPv4 address Only traffic destined for the IP address typed in IPv4 address will be matched Use the format IPv4_address netmask or use any to match any IPv4 address n IPv6 address Only tr...

Страница 566: ...ck Current value config firewall qos 2 interface b Set the interface For example config firewall qos 2 interface network interface eth1 config firewall qos 2 6 Optional Set the maximum egress bandwidth of the interface in megabits allocated to this binding config firewall qos 2 bandwidth int config firewall qos 2 where int is an integer between 1 and 1000 Typically this should be 95 of the availab...

Страница 567: ...he maximum delay before the transmission of packets A lower number means that the packets will be scheduled more quickly for transmission config firewall qos 2 policy 0 latency int config firewall qos 2 policy 0 where int is any integer 1 or greater The default is 100 f To identify this policy as a fall back policy config firewall qos 2 policy 0 default true config firewall qos 2 policy 0 The fall...

Страница 568: ...traffic matching criteria config firewall qos 2 policy 0 rule 0 srcport value config firewall qos 2 policy 0 rule 0 where value is the IP port number a range of port numbers using the format IP_port IP_port or any vii Set the destination port to define a destination matching criteria config firewall qos 2 policy 0 rule 0 dstport value config firewall qos 2 policy 0 rule 0 where value is the IP por...

Страница 569: ...sk or any to match any IPv4 address n address6 Only traffic from the IP address typed in IPv6 address will be matched Set the address that will be matched config network qos 2 policy 0 rule 0 src address6 value config network qos 2 policy 0 rule 0 where value uses the format IPv6_address prefix_length or any to match any IPv6 address n mac Only traffic from the MAC address typed in MAC address wil...

Страница 570: ...in IPv4 address will be matched Set the address that will be matched config network qos 2 policy 0 rule 0 src address value config network qos 2 policy 0 rule 0 where value uses the format IPv4_address netmask or any to match any IPv4 address n address6 Only traffic destined for the IP address typed in IPv6 address will be matched Set the address that will be matched config network qos 2 policy 0 ...

Страница 571: ...view device status 572 Configure system information 573 Update system firmware 575 Update cellular module firmware 579 Reboot your IX20 device 580 Reset the device to factory defaults 582 Configuration files 586 Schedule system maintenance tasks 591 IX20 User Guide 571 ...

Страница 572: ... system information use the show system command n Show basic system information 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Enter show system at the prompt show system Model Digi IX20 Serial Number IX20 000065 SKU IX20 Hostname IX20 MAC DF DD E2 AE 21 18 H...

Страница 573: ...ersion 715 Timezone UTC Current Time Fri 28 Aug 2020 9 25 12 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Temperature 40C Disk Load Average 0 09 0 10 0 08 RAM Usage 127 843MB 1880 421MB 6 Disk etc config Usage 18 421MB 4546 371MB 0 Disk opt Usage 4523 46MB 549 304MB 822 Disk overlay Usage MB MB Disk tmp Usage 0 007MB 256 0MB 0 Disk var Usage 1 765MB 256 0MB 1 Configure system i...

Страница 574: ...t the command prompt 5 For Contact type the name of a contact for the device 6 For Location type the location of the device 7 For Banner type a banner message that will be displayed when users log into terminal services on the device 8 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your d...

Страница 575: ...iguration you may be presented with an Access selection menu Type quit to disconnect from the device Update system firmware The IX20 operating system firmware images consist of a single file with the following naming convention platform version bin For example IX20 20 8 22 32 bin Manage firmware updates using Digi Remote Manager If you have a network of many devices you can use Digi Remote Manager...

Страница 576: ... select the appropriate version of the device firmware 5 Click Update Firmware Update firmware from a local file 1 Download the IX20 operating system firmware from the Digi Support FTP site to your local machine 2 Log into the IX20 WebUI as a user with Admin access 3 On the main menu click System Under Administration click Firmware Update 4 Click Choose file 5 Browse to the location of the firmwar...

Страница 577: ...ion on the IX20 device where the copied file will be placed For example scp host 192 168 4 1 user admin remote home admin bin IX20 20 8 22 32 bin local etc config to local admin 192 168 4 1 s password adminpwd IX20 20 8 22 32 bin 100 36MB 11 1MB s 00 03 4 Verify that the firmware file has been successfully uploaded to the device ls etc config rw r r 1 root root 37511229 May 16 20 10 IX20 20 8 22 3...

Страница 578: ...ce n A copy of the firmware that was in use prior to your most recent firmware update When the device reboots it will attempt to use the current firmware version If the current firmware version fails to load after three consecutive attempts it is marked as invalid and the device will use the previous firmware version stored in the alternate memory bank If the device consistently looses power durin...

Страница 579: ...Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository or by uploading firmware from your local storage onto the device WebUI This operation is available from the WebUI only There is no equivalent functionality at the CLI 1 Optional Download the appropriate modem firmware from the Digi repository to your local machine 2 Log into the ...

Страница 580: ...immediately or schedule a reboot for a specific time every day Note You may want to save your configuration settings to a file before rebooting See Save configuration to a file Reboot your device immediately WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 From the main menu click System 3 Click Reboot 4 Click Reboot to confirm that you want to reboot the device Command line 1 Log int...

Страница 581: ...at the device should reboot using the format HH MM The device will reboot at this time every day If a value is set for Reboot time but the device is unable to synchronize its time with an NTP server the device will reboot after it has been up for 24 hours See System time for information about configuring NTP servers 5 Click Apply to save the configuration and apply the change Command line 1 Log in...

Страница 582: ...nfiguring NTP servers 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Reset the device to factory defaults Resetting the device to factory defaults performs the following actions n Clears all configuration ...

Страница 583: ...password printed on the bottom label of the device or the printed label included in the package When you first log into the WebUI or the command line you must change the password for the admin user See Change the default password for the admin user for instructions Additionally for Wi Fi enabled models when you first log into the WebUI or the command line you will be required the change the SSID a...

Страница 584: ...nstructions Additionally for Wi Fi enabled models when you first log into the WebUI or the command line you will be required the change the SSID and pre shared key password for the preconfigured Wi Fi access point See Reset default SSID and pre shared key for the preconfigured Wi Fi access point for instructions c Reset the default password for the admin account See Change the default password for...

Страница 585: ...ccess point See Reset default SSID and pre shared key for the preconfigured Wi Fi access point for instructions c Reset the default password for the admin account See Change the default password for the admin user for further information Reset the device with the revert command You can reset the device to the default configuration without removing scripts keys and logfiles by using the revert comm...

Страница 586: ...ation the changes are not automatically saved You must explicitly save configuration changes which also applies the changes If you do not save configuration changes the system discards the changes WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Make any necessar...

Страница 587: ... to a file You can save your IX20 device s configuration to a file and use this file to restore the configuration either to the same device or to similar devices WebUI This procedure creates a binary archive file containing the device s configuration certificates and keys and other information 1 Log into the IX20 WebUI as a user with Admin access 2 On the main menu click System Under Configuration...

Страница 588: ...iguration certificates and keys and other information l cli config Creates a text file containing only the configuration changes For example system backup etc config type archive 3 Optional Use scp to copy the file from your device to another host scp host hostname or ip user username remote remote path local local path to remote where n hostname or ip is the hostname or ip address of the remote h...

Страница 589: ...The configuration will be restored and the device will be rebooted Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 If the configuration backup is on a remote host use scp to copy the file from the host to your device scp host hostname or ip user u...

Страница 590: ...bin local etc config to local 3 Enter the following system restore path passphrase passphrase where n path is the location of configuration backup file on the IX20 s filesystem local path in the previous step n passphrase optional is the passphrase to restore the configuration backup if a passphrase was used when the backup was created For example system restore etc config ...

Страница 591: ...tion items n Custom scripts that should be run as part of the configuration check WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks System maintenance 4 For Start time type the time of day that the maintenance window should start using...

Страница 592: ...Frequency select either Daily or Weekly for the frequency that the maintenance tasks should be run 7 Optional Click to enable Modem firmware update to instruct the system to look for any updated modem firmware during the maintenance window If updated firmware is found it will then be installed Modem firmware update looks for updated firmware both on the local device and over the network using eith...

Страница 593: ...f Set Time is selected specify the time that the script should run in Run time using the format HH MM n During system maintenance The script will run during the system maintenance time window e For Commands enter the commands that will execute the script If the script begins with then the script will be invoked in the location specified by the path for the script command Otherwise the default shel...

Страница 594: ...t time specified in the start time n If the duration length is set to 24 hours the start time is effectively obsolete and the maintenance tasks will be scheduled to run at any time Setting the duration length to 24 hours can potentially overstress the device and should be used with caution n If the duration length is set to any value other than to 0 or 24 hours the maintenance tasks will run at a ...

Страница 595: ...dule custom scripts a Add a script config add system schedule script end config system schedule script 0 Scheduled scripts are enabled by default To disable config system schedule script 0 enable false config system schedule script 0 b Optional Provide a label for the script config system schedule script 0 label value config system schedule script 0 where value is any string if spaces are used enc...

Страница 596: ...ript will be started at every interval regardless of whether the script is still running from a previous interval n set_time Runs the script at a specified time of the day l If set_time is set set the time that the script should run using the format HH MM config system schedule script 0 run_time HH MM config system schedule script 0 n maintenance_time The script will run during the system maintena...

Страница 597: ...ript only once at the specified time config system schedule script 0 once true config system schedule script 0 If once is enabled rebooting the device will cause the script to run again The only way to re run the script is to n Remove the script from the device and add it again n Make a change to the script n Disable once h Sandbox is enabled by default This option protects the script from acciden...

Страница 598: ...Monitoring This chapter contains the following topics intelliFlow 599 Configure NetFlow Probe 606 IX20 User Guide 598 ...

Страница 599: ...ta usage by service n Host data usage over time intelliFlow charts are dymanic at any point you can click inside the chart to drill down to view more granular information and menu options allow you to change various aspects of the information being displayed Note When intelliFlow is enabled it adds an estimated 50MB of data usage for the device by reporting the metrics to Digi Remote Manager Enabl...

Страница 600: ... IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable IntelliFlow config monitoring intelliflow enable true 4 Set the firewall zone Internal clients that are being monitored by IntelliF...

Страница 601: ...routes edge external internal ipsec loopback setup Default value internal Current value internal config b Set the zone to be used by IntelliFlow config monitoring intelliflow zone my_zone 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit ...

Страница 602: ... into the IX20 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow The System Utilisation chart is displayed n Display more granular information 1 Click and drag over an area in the chart to zoom into that area and provide more granular information 2 Release to display the selected portion of the cha...

Страница 603: ...Select the time period to be displayed n Save or print the chart 1 Click the menu icon 2 To save the chart to your local filesystem select Export to PNG 3 To print the chart select Print chart Use intelliFlow to display top data usage information With intelliFlow you can display top data usage information based on the following n Top data usage by host n Top data usage by server n Top data usage b...

Страница 604: ... the Top Data Usage by Server chart click Top Data Usage by Server n To display the Top Data Usage by Service chart click Top Data Usage by Service 5 Change the type of chart that is used to display the data a Click the menu icon b Select the type of chart 6 Change the number of top users displayed You can display the top five top ten or top twenty data users ...

Страница 605: ...Use intelliFlow to display data usage by host over time To generate a chart displaying a host s data usage over time WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow 4 Click Host Data Usage Over Time n Display more granular information a Click and drag over an area in the...

Страница 606: ...d configuration items n Enable NetFlow n The IP address of a NetFlow collector Additional configuration items n The NetFlow version n Enable flow sampling and select the flow sampling technique n The number of flows from which the flow sampler can sample n The number of seconds that a flow is inactive before it is exported to the NetFlow collectors n The number of seconds that a flow is active bef...

Страница 607: ...tFlow v9 Supports IPv4 and IPv6 n NetFlow v10 IPFIX Supports both IPv4 and IPv6 and includes IP Flow Information Export IPFIX The default is NetFlow v10 IPFIX 6 Enable Flow sampler by selecting a sampling technique Flow sampling can reduce flow processing and transmission overhead by providing a representative subset of all flows Available options are n None No flow sampling method is used Each fl...

Страница 608: ...imultaneously Allowed value is any number between 0 and 2000000 The default is 2000000 11 Add collectors a Click to expand Collectors b For Add Collector click c Optional Type a Label for the collector d For Address type the IP address of the collector e Optional For Port enter the port number used by the collector The default is 2055 Repeat to add additional collectors 12 Click Apply to save the ...

Страница 609: ... is the value of the flow sample population 5 If you are using a flow sampler set the number of flows for the sampler config monitoring netflow sampler_population value config where value is any number between 2 and 16383 The default is 100 6 Set the number of seconds that a flow can be inactive before sent to a collector config monitoring netflow inactive_timeout value config where value is any i...

Страница 610: ...ig monitoring netflow collector 0 d Optional Set a label for the collector config monitoring netflow collector 0 label This is a collector config monitoring netflow collector 0 Repeat to add additional collectors 10 Save the configuration and apply the change config monitoring netflow collector 0 save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you...

Страница 611: ...ealth data and set the sample interval 618 Log into Digi Remote Manager 621 Use Digi Remote Manager to view and manage your device 623 Add a device to Digi Remote Manager 624 View Digi Remote Manager connection status 624 Use the Digi Remote Manager mobile app 625 Configure multiple devices using profiles 626 Learn more 626 IX20 User Guide 611 ...

Страница 612: ...ut Digi Remote Manager go to www digi com products cloud digi remote manager To learn more about Remote Manager features and functions see the Digi Remote Manager User Guide Configure Digi Remote Manager By default your IX20 device is configured to use central management using Digi Remote Manager Additional configuration options These additional configuration settings are not typically configured ...

Страница 613: ...Central management Configure Digi Remote Manager IX20 User Guide 613 ...

Страница 614: ...y interval to ten minutes enter 10m or 600s 8 Optional For Keep alive interval type the amount of time that the IX20 device should wait between sending keep alive messages to remote cloud services when using a non cellular interface The default is 60 seconds Allowed values are any number of hours minutes or seconds and take the format number h m s For example to set Keep alive interval to ten minu...

Страница 615: ...ion is disabled The default is disabled 13 Optional Enable Locally authenticate CLI to require a login and password to authenticate the user from the remote cloud services CLI If disabled no login prompt will be presented and the user will be logged in as admin The default is disabled 14 Optional Configure the IX20 device to communicate with remote cloud services by using SMS a Click to expand Sho...

Страница 616: ... ten seconds The default is 30 seconds config cloud drm retry_interval value where value is any number of hours minutes or seconds and takes the format number h m s For example to set the retry interval to ten minutes enter either 10m or 600s config cloud drm retry_interval 600s config 7 Optional Set the amount of time that the IX20 device should wait between sending keep alive messages to the Dig...

Страница 617: ... to wait before restarting the connection to the remote cloud services once the connection is down where value is any number of hours minutes or seconds and takes the format number h m s For example to set restart_timeout to ten minutes enter either 10m or 600s config cloud drm restart_timeout 600s config The minimum value is 30 minutes and the maximum is 48 hours If not set this option is disable...

Страница 618: ...e cloud services by using an HTTP proxy server a Enable the use of an HTTP proxy server config cloud drm proxy enable true config b Set the hostname of the proxy server config cloud drm proxy host hostname config c Optional Set the port number on the proxy server that the device should connect to The default is 2138 config cloud drm proxy port integer config 14 Save the configuration and apply the...

Страница 619: ...min access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Monitoring Device Health Device health data upload is enabled by default To disable click to toggle off Enable Device Health samples upload 4 For Health sample interval select the interval between health sample uploads 5 Only report changed values to Digi Remote...

Страница 620: ... to 60 minutes by default To change config monitoring devicehealth interval value config where value is one of 1 5 15 30 or 60 and represents the number of minutes between uploads of health sample data 5 By default the device will only report health metrics values to Digi Remote Manager that have changed health metrics were last uploaded This is useful to reduce the bandwidth used to report health...

Страница 621: ...parameter set its value to false For example to turn off all reporting for the serial port config monitoring devicehealth tuning all serial rx bytes enabled false config monitoring devicehealth tuning all serial tx bytes enabled false config 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may...

Страница 622: ...r IX20 User Guide 622 1 If you have not already done so click here to sign up for a Digi Remote Manager account 2 Check your email for Digi Remote Manager login instructions 3 Go to remotemanager digi com 4 Log into your Digi Remote Manager account ...

Страница 623: ...o view and manage your device 1 If you have not already done so connect to your Digi Remote Manager account 2 Click Device Management to display a list of your devices 3 Use the Search bar to locate the device you want to manage 4 Select the device and click Properties to view general information for the device 5 Click the More menu to perform a task ...

Страница 624: ...your account and it appears in the Device Management view View Digi Remote Manager connection status To view the current Digi Remote Manager configuration WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 The dashboard includes a Digi Remote Manager status pane Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration y...

Страница 625: ...let you can use the Digi Remote Manager mobile app to automatically provision a new devices and monitor devices in your account To download the mobile app n For iPhone go to the App Store n For Android phones go to Google Play To sign up for a new Digi Remote Manager account using the mobile app 1 From the menu click Log in or Sign Up 2 Click Sign up to create a new account 3 You ll receive an ema...

Страница 626: ...IX20 device in your Digi Remote Manager account 3 In Digi Remote Manager create a profile based on the configured IX20 4 Apply the profile to the IX20 devices you need to configure Digi Remote Manager provides multiple methods for applying profiles to registered devices You can also include site specific settings with a profile to override settings on a device by device basis Learn more n For info...

Страница 627: ...he IX20 local file system 628 Display directory contents 628 Create a directory 629 Display file contents 630 Copy a file or directory 630 Move or rename a file or directory 631 Delete a file or directory 632 Upload and download files 633 IX20 User Guide 627 ...

Страница 628: ...across reboots but are deleted if a factory reset of the system is performed See Reset the device to factory defaults for more information Display directory contents To display directory contents by using the WebUI or the Admin CLI WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page appears 3 Highlight a...

Страница 629: ...ing the name of the directory For example 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mkdir path dir_name For example to create a directory named temp in etc config mkdir etc config temp 3 Verify that the directory was created ...

Страница 630: ...gr6ewr1yerHtXQdbafsatGswKg0YUm schema version 461 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Copy a file or directory This procedure is not available through the WebUI To copy a file or directory by using the Admin CLI use the cp command specifying the existing path and filename...

Страница 631: ...ripts to final py 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mv etc config scripts test py etc config scripts final py 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Acces...

Страница 632: ...t py in etc config scripts 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type rm etc config scripts test py rm remove etc config scripts test py yes 3 Type exit to exit the Admin CLI Depending on your device configuration you may be p...

Страница 633: ...using the WebUI or from the command line by using the scp Secure Copy command or by using a utility such as SSH File Transfer Protocol SFTP or an SFTP application like FileZilla Upload and download files by using the WebUI Upload files 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page appears 3 Highlight the...

Страница 634: ...s follows scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the IX20 device n local path is the location on the IX20 device where the copied file wi...

Страница 635: ... config support report 0040D0133536 20 08 28 9 25 12 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local etc config support report 00 40 D0 13 35 36 20 08 28 9 25 12 bin to remote admin 192 168 4 1 s password adminpwd support report 0040D0133536 20 08 28 9 25 12 bin Upload and download files using SFTP ...

Страница 636: ...File system Upload and download files IX20 User Guide 636 sftp ahmed 192 168 2 1 Password Connected to 192 168 2 1 sftp get test py Fetching test py to test py test py 100 254 0 3KB s 00 00 sftp exit ...

Страница 637: ...638 View system event logs 639 Configure syslog servers 644 Configure options for the event and system logs 646 Analyze network traffic 651 Use the ping command to troubleshoot network connections 663 Use the traceroute command to diagnose IP routing problems 663 IX20 User Guide 637 ...

Страница 638: ...ccess selection menu Type admin to access the Admin CLI 2 Use the system support report command to generate the report system support report etc config Saving support report to etc config support report 0040D0133536 20 08 28 9 25 12 bin Support report saved 3 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local etc config support ...

Страница 639: ...t configuring the information displayed in event and system logs View System Logs WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the main menu click System Logs The system log displays 3 Limit the display in the system log by using the Find search tool 4 Use filters to configure the types of information displayed in the system logs ...

Страница 640: ...Diagnostics View system event logs IX20 User Guide 640 5 Click to download the system log ...

Страница 641: ... the most recent ten lines show log number 10 Timestamp Message Nov 26 21 54 34 IX20 netifd Interface interface_wan is setting up now Nov 26 21 54 35 IX20 firewalld 621 reloading status 4 Optional Use the show log filter value command to limit the number of lines that are displayed Allowed values are critical warning info and debug For example to limit the event list to only info messages show log...

Страница 642: ...er or scroll down to Events 4 Click Events to expand the event viewer 5 Limit the display in the event log by using the Find search tool 6 Click to download the event log Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use show event at the Admin ...

Страница 643: ...1 type ethernet rx 11332435 tx 5038762 Nov 26 21 42 35 status system local_time Thu 08 Aug 2019 21 42 35 0000 uptime 3 hours 0 minutes 48 seconds 4 Optional Use the show event table value command to limit the number of lines that are displayed Allowed values are error info and status For example to limit the event list to only info messages show event table info Timestamp Type Category Message Nov...

Страница 644: ...logs WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Log 4 Add and configure a remote syslog server a Click to expand Server list b For Add Server click The log server configuration window is displayed ...

Страница 645: ...n with the syslog server Available options are TCP and UPD The default is UPD 5 Click Apply to save the configuration and apply the change Command line 1 Log into the IX20 command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configu...

Страница 646: ...The default is 514 5 Set the IP protocol to use for communication with the syslog server config system log remote 0 protocol value config system log remote 0 where value is either tcp or udp The default is udp 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access sel...

Страница 647: ...or example to set Heartbeat interval to ten minutes enter 10m or 600s To disable the Heartbeat interval enter 0s 5 Optional To disable event categories or to enable them if they have been disabled a Click to expand Event Categories b Click an event category to expand c Depending on the event category you can enable or disable informational events status events and error events Some categories also...

Страница 648: ...new value The heartbeat interval determines the amount of time to wait before sending a heartbeat event if no other events have been sent config system log heartbeat_interval value config where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set the heartbeat interval to ten minutes enter either 10m or 600s config system log heartbeat...

Страница 649: ...control restart Restart serial Serial sms SMS commands speed Speed stat Network statistics user User wireless WiFi wol Wake On LAN config system log event b Depending on the event category you can enable or disable informational events status events and error events Some categories also allow you to set the status interval which is the time interval between periodic status events For example to co...

Страница 650: ...config where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set the status interval to ten minutes enter either 10m or 600s config system log event dhcpserver status_interval 600s config 6 Optional See Configure syslog servers for information about configuring remote syslog servers to which log messages will be sent 7 Save the config...

Страница 651: ... more detailed analysis you can download the captured data traffic from the device and view it using a third party application Note Data traffic is captured to RAM and the captured data is lost when the device reboots unless you save the data to a file See Save captured data traffic to a file This section contains the following topics Configure packet capture for the network analyzer 652 Example f...

Страница 652: ...ecified event or at a particular time l The events or time that will trigger the analyzer to run using this capture configuration l The amount of time that the analyzer session will run l The frequency with which captured events will be saved To configure a packet capture configuration WebUI 1 Log into the IX20 WebUI as a user with full Admin access rights 2 On the menu click System Under Configur...

Страница 653: ...figuration change is saved l If Interval is selected in Interval type the interval Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s n Set time Runs the capture filter at a specified time of the day l If Set Time is selected specify the time that the capture filter should run in Run...

Страница 654: ...use the space bar autocomplete feature config network analyzer name add device end space network device eth1 network device eth2 network device loopback network bridge lan network interface defaultip network interface defaultlinklocal network interface eth1 network interface eth2 network interface loopback network interface modem config network analyzer name add interface end network Repeat to add...

Страница 655: ...config network analyzer name n set_time Runs the script at a specified time of the day If set_time is set set the time that the script should run using the format HH MM config network analyzer name run_time HH MM config network analyzer name n maintenance_time The script will run during the system maintenance time window c Set the amount of time that the scheduled analyzer session will run config ...

Страница 656: ...l for detailed information about BPF syntax Example IPv4 capture filters n Capture traffic to and from IP host 192 168 1 1 ip host 192 168 1 1 n Capture traffic from IP host 192 168 1 1 ip src host 192 168 1 1 n Capture traffic to IP host 192 168 1 1 ip dst host 192 168 1 1 n Capture traffic for a particular IP protocol ip proto protocol where protocol is a number in the range of 1 to 255 or one o...

Страница 657: ...ring Additional analyzer commands allow you to n Stop capturing packets n Save captured data traffic to a file n Clear captured data Required configuration items n A configured packet capture See Configure packet capture for the network analyzer for packet capture configuration information To start packet capture from the command line Command line 1 Log into the IX20 command line as a user with Ad...

Страница 658: ...ection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer stop name capture_filter where capture_filter is the name of a packet capture configuration See Configure packet capture for the network analyzer for more information To determine available packet capture configurations use the analyzer stop name name Name of the capture filter to use Format test_c...

Страница 659: ...d on interface eth1 00 40 ff 80 01 20 b4 b6 86 21 b5 73 08 00 45 00 s E 00 28 3d 36 40 00 80 06 14 bc 0a 0a 4a 82 0a 0a 6 J 4a 48 cd ae 00 16 a4 4b ff 5f ee 1f d8 23 50 10 JH K _ P 08 02 c7 40 00 00 00 00 00 00 00 00 Ethernet Header Destination MAC Addr 00 40 D0 13 35 36 Source MAC Addr fb 03 53 05 11 2f Ethernet Type IP 0x0800 IP Header IP Version 4 Header Length 20 bytes ToS 0x00 Total Length 40...

Страница 660: ...a file use the analyzer save command Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer save filename filename name capture_filter where n filename is the name of the file that the captured data wil...

Страница 661: ...cure copy file command WebUI 1 Log into the IX20 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page appears 3 Highlight the analyzer directory and click to open the directory 4 Select the saved analyzer report you want to download and click download Command line 1 Log into the IX20 command line as a user with Admin access Depend...

Страница 662: ...10 2 s password eth0 pcpng 100 11KB 851 3KB s 00 00 Clear captured data To clear captured data traffic in RAM use the analyzer clear command Command line 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer clear ...

Страница 663: ...tion you may be presented with an Access selection menu Type quit to disconnect from the device Stop ping commands To stop pings when the number of pings to send the count parameter has been set to a high value enter Ctrl C Use the traceroute command to diagnose IP routing problems Use the traceroute command to diagnose IP routing problems This command traces the route to a remote IP host and disp...

Страница 664: ...ting hops were required to reach the host 1 Log into the IX20 command line as a user with Admin access Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt use the traceroute command to view IP routing information traceroute 8 8 8 8 traceroute to 8 8 8 8 8 8 8 8 30 hops max 52 byte packets 1 192 168 8...

Страница 665: ...turning the equipment off and on the user is encouraged to correct the interference by one or more of the following measures n Reorient or relocate the receiving antenna n Increase the separation between the equipment and the receiver n Connect the equipment into an outlet that is on a circuit different from the receiver n Consult the dealer or an experienced radio TV technician for help Labeling ...

Страница 666: ...o a product the manufacturer must ensure compliance of the final product with articles 3 1a and 3 1b of the RE Directive Radio Equipment Directive A Declaration of Conformity must be issued for each of these standards and kept on file as described in the RE Directive Radio Equipment Directive Furthermore the manufacturer must maintain a copy of the product name user manual documentation and ensure...

Страница 667: ...regulatory and safety statements European Community CE Mark Declaration of Conformity DoC IX20 User Guide 667 account of the nature of the apparatus n The CE marking must be affixed visibly legibly and indelibly ...

Страница 668: ...nds Maximum transmit power 13 overlapping channels at 22 MHz or 40 MHz wide spaced at 5 MHz Centered at 2 412 MHz to 2 472 MHz 651 784 mW 165 overlapping channels at 22 MHz or 40 MHz or 80 MHz wide spaced at 5 MHz Centered at 5180 MHz to 5825 MHz 351 295 mW Innovation Science and Economic Development Canada IC certifications This digital apparatus does not exceed the Class B limits for radio noise...

Страница 669: ...ement n Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Use only the accessories attachments and power supplies provided by the manufacturer connecting non approved antennas or power supplies may damage the router cause interference or create an electric shock hazard and will void the warranty n Do not...

Страница 670: ...ter in areas where guidelines posted in sensitive areas instruct users to switch off mobile phones Medical equipment may be sensitive to RF energy The operation of cardiac pacemakers other implanted medical equipment and hearing aids can be affected by interference from cellular terminals such as the wireless routers when places close to the device If in doubt about potential danger contact the ph...

Страница 671: ...uct MUST NOT be mixed with other commercial waste for disposal Check with the terms and conditions of your supplier for disposal information Digi International Ltd WEEE Registration number WEE HF1515VU DigiIX20 Certifications International EMC Electromagnetic Compatibility and safety standards This product complies with the requirements of the following Electromagnetic Compatibility standards Ther...

Страница 672: ... the web interface 674 Display help for commands and parameters 675 Auto complete commands and parameters 676 Available commands 678 Use the scp command 679 Display status and statistics using the show command 680 Device configuration using the command line interface 681 Execute configuration commands at the root Admin CLI prompt 682 Configuration mode 684 Command line reference 696 IX20 User Guid...

Страница 673: ...Configure the web administration service n SSH Configure SSH access n Telnet Configure telnet access Log in to the command line interface Command line 1 Connect to the IX20 device by using a serial connection SSH or telnet or the Terminal in the WebUI or the Console in the Digi Remote Manager See Access the command line interface for more information n For serial connections the default configurat...

Страница 674: ...xit exit 2 Depending on the device configuration you may be presented with another menu for example Access selection menu a Admin CLI s Shell q Quit Select access or quit admin Type q or quit to exit Execute a command from the web interface 1 Log into the IX20 WebUI as a user with Admin access 2 At the main menu click Terminal The device console appears IX20 login 3 Log into the IX20 command line ...

Страница 675: ...ne Ctrl E Move cursor to end of line Ctrl W Delete word under cursor until start of line or Ctrl R If the current input is invalid then characters will be deleted until a prefix for a valid command is found Ctrl left Jump cursor left until start of line or Ctrl right Jump cursor right until start of line or The question mark command When executed from the root command prompt displays available com...

Страница 676: ...rial Show serial statistics system Show system statistics version Show firmware version show Use the Tab key or the space bar to display abbreviated help When executed from the root command prompt pressing the Tab key or the space bar displays an abbreviated list of available commands Similar behavior is available with any command name config network interface space defaultip defaultlinklocal lan ...

Страница 677: ...etes the parameter as interface l system b Tab auto completes the parameter as backup n Parameter values where the value is one of an enumeration or an on off type for example config serial port1 enable t Tab auto completes to config serial port1 enable true Auto complete does not function for n Parameter values that are string types n Integer values n File names n Select parameters passed to comm...

Страница 678: ... for information about the help command ls Lists the contents of a directory mkdir Creates a directory modem Executes modem commands more Displays the contents of a file mv Moves a file or directory ping Pings a remote host using Internet Control Message Protocol ICMP Echo Request messages reboot Reboots the IX20 device rm Removes a file scp Uses the secure copy protocol SCP to transfer files betw...

Страница 679: ...e is being copied to a remote host from the IX20 device o The path and filename of the file on the IX20 device that will be copied to the remote host o The location on the remote host where the file will be copied Copy a file from a remote host to the IX20 device To copy a file from a remote host to the IX20 device use the scp command as follows scp host hostname or ip user username remote remote ...

Страница 680: ...port report 0040D0133536 20 08 28 9 25 12 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local etc config support report 00 40 D0 13 35 36 20 08 28 9 25 12 bin to remote admin 192 168 4 1 s password adminpwd support report 0040D0133536 20 08 28 9 25 12 bin Display status and statistics using the show com...

Страница 681: ...urrent Time Fri 28 Aug 2020 9 25 12 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Temperature 40C show network The show network command displays status and statistics for network interfaces show network Interface Proto Status Address defaultip IPv4 up 192 168 210 1 24 defaultlinklocal IPv4 up 169 254 100 100 16 lan IPv4 up 192 168 2 1 lan IPv6 up 0 0 0 0 0 ffff c0a8 301 loopback...

Страница 682: ...able false The IX20 device s ssh service is now disabled Note When the config command is executed at the root prompt certain configuration actions that are available in configuration mode cannot be performed This includes validating configuration changes canceling and reverting configuration changes and performing actions on elements in lists See Configuration mode for information about using conf...

Страница 683: ...trol snmp SNMP ssh SSH telnet Telnet web_admin Web administration config service 3 Next display help for the config service ssh command config service ssh SSH An SSH server for managing the device Parameters Current Value enable true Enable key private Private key port 22 Port Additional Configuration acl Access control list mdns config service ssh 4 Lastly display the allowed values and other inf...

Страница 684: ...ple to disable the ssh service by entering the full command string at the config prompt config service ssh enable false config n Execute commands by moving through the configuration schema For example to disable the ssh service by moving through the configuration and then executing the enable false command 1 At the config prompt enter service to move to the service node config service config servi...

Страница 685: ...e configuration changes and to manage items and elements in lists The commands can be listed by entering a question mark at the config prompt The following actions are available Configuration actions Description cancel Discards unsaved configuration changes and exits configuration mode save Saves configuration changes and exits configuration mode validate Validates configuration changes revert Rev...

Страница 686: ... cloud Central management firewall Firewall monitoring Monitoring network Network serial Serial service Services system System vpn VPN config 2 You can then display help for the additional configuration commands For example to display help for the config service command use one of the following methods n At the config prompt enter service config service n At the config prompt a Enter service to mo...

Страница 687: ...ter service to move to the service node config service config service b Enter ssh to move to the ssh node config service ssh config service ssh c Enter to display help for the ssh node config service ssh Either of these methods will display the following information config service ssh SSH An SSH server for managing the device Parameters Current Value enable true Enable key private Private key port...

Страница 688: ...ay the following information config service ssh enable Enable Enable the service Format true false yes no 1 0 Default value true Current value true config service ssh enable Move within the configuration schema You can perform configuration tasks at the CLI by moving within the configuration n Move forward one node in the configuration by entering the name of an Additional Configuration option 1 A...

Страница 689: ...guration by entering three periods config service ssh acl zone config Manage elements in lists While in configuration mode you can use the add del and move action commands to manage elements in a list When working with lists these actions require an index number to identify the list item that will be acted on Add elements to a list When used with parameters that contains lists of elements the add ...

Страница 690: ...h user new user group config 2 Use the end keyword to add the admin group to the user s configuration config add auth user new user group end admin config 3 Use the show command again to verify that the admin group has been added to the user s configuration config show auth user new user group 0 admin config Delete elements from a list When used with parameters that contains lists of elements the ...

Страница 691: ... verify the change config show auth method 0 tacacs 1 local 2 radius config The revert command The revert command is used to revert changes to the IX20 device s configuration and restore default configuration settings The behavior of the revert command varies depending on where in the configuration hierarchy the command is executed and whether the optional path parameter is used After executing th...

Страница 692: ...bset of configuration changes to the default settings n Enter the revert command with the path parameter For example to revert all changes to the authentication methods configuration 1 Enter the revert command with the path set to auth method config revert auth method config 2 Save the configuration and apply the change config save Configuration saved 3 Type exit to exit the Admin CLI Depending on...

Страница 693: ...device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Enter strings in configuration commands For string parameters if the string value contains a space the value must be enclosed in quotation marks For example to assign a descriptive name for the device using the system command enter config system description Digi IX20 Example Create a new...

Страница 694: ...he auth node config auth config auth b Enter user to move to the user node config auth user config auth user c Create a new user with the username user1 config auth user add user1 config auth user user1 4 Configure a password for the user config auth user user1 password pwd1 config auth user user1 5 List available authentication groups config auth user user1 show group admin acl admin enable true ...

Страница 695: ...l enable false config auth user user1 6 Add the user to the admin group config auth user user1 add group end admin config auth user user1 7 Save the configuration and apply the change config auth user user1 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Страница 696: ...eference IX20 User Guide 696 Command line reference analyzer 697 cp 698 help 699 ls 700 mkdir 701 modem 702 modem puk status imei STRING name STRING 705 more 707 mv 708 ping 709 reboot 710 rm 711 scp 712 show 713 system 722 traceroute 724 ...

Страница 697: ...red traffic to a file Parameters filename The filename to save captured traffic to The file will be saved to the device s etc config analyzer directory Syntax STRING name Name of the capture filter to use Syntax STRING analyzer start name STRING Start a capture session of packets on this devices interfaces Parameters name Name of the capture filter to use Syntax STRING analyzer stop name STRING St...

Страница 698: ...STINATION Copy a file or directory Parameters source The source file or directory to copy Syntax STRING destination The destination path to copy the source file or directory to Syntax STRING force Do not ask to overwrite the destination file if it exists Syntax BOOLEAN Default False Optional True ...

Страница 699: ...Command line interface Command line reference IX20 User Guide 699 help Show CLI editing and navigation commands Parameters None ...

Страница 700: ...e 700 ls Directory listing command ls show hidden PATH List a directory Parameters path List files and directories under this path Syntax STRING show hidden Show hidden files and directories Hidden filenames begin with Syntax BOOLEAN Default False Optional True ...

Страница 701: ...Command line interface Command line reference IX20 User Guide 701 mkdir mkdir PATH Create a directory Parent directories are created as needed Parameters path The directory path to create Syntax STRING ...

Страница 702: ...ame of the modem to execute this CLI command on Syntax STRING Optional True modem at interactive imei STRING name STRING Start an AT command session on the modem s AT serial port Parameters imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True modem pin PIN commands pin ...

Страница 703: ...Disable the PIN lock on the SIM card that is active in the modem Warning Attempting to use an incorrect PIN code may PUK lock the SIM Parameters pin The SIM s PIN code Syntax STRING imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True pin enable imei STRING name STRING ...

Страница 704: ...e PUK locked when there are no remaining retries Parameters imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True pin unlock imei STRING name STRING PIN Temporarily unlock the SIM card with a PIN code Set the PIN field in the modem interface s configuration to unlock the...

Страница 705: ...number of PUK unlock attempts remaining imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True puk unlock imei STRING name STRING PUK NEW PIN Unlock the SIM with a PUK code from the SIM provider Parameters puk The SIM s PUK code Syntax STRING new pin The PIN code to chang...

Страница 706: ... CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True modem sim slot imei STRING name STRING SLOT Show or change the modem s active SIM slot This applies only to modems with multiple SIM slots Parameters slot The SIM slot to change to Syntax 1 2 show imei The IMEI of the modem to execute this CLI command on Synt...

Страница 707: ...Command line interface Command line reference IX20 User Guide 707 more path The file to view Syntax STRING ...

Страница 708: ...ry mv force SOURCE DESTINATION Parameters source The source file or directory to move Syntax STRING destination The destination path to move the source file or directory to Syntax STRING force Do not ask to overwrite the destination file if it exists Syntax BOOLEAN Default False Optional True ...

Страница 709: ...ax BOOLEAN Default False Optional True count The number of ICMP ping requests to send before terminating Syntax INT Minimum 1 Default 100 interface The network interface to send ping packets from when the host is reachable over a default route If not specified the system s primary default route will be used Syntax STRING Optional True ipv6 If a hostname is defined as the value of the host paramete...

Страница 710: ...Command line interface Command line reference IX20 User Guide 710 reboot Reboot the system Parameters None ...

Страница 711: ...mmand line reference IX20 User Guide 711 rm Remove a file or directory rm force PATH Parameters path The path to remove Syntax STRING force Force the file to be removed without asking Syntax BOOLEAN Default False Optional True ...

Страница 712: ...TRING local The file to copy to or from on the local device Syntax STRING port The SSH port to use to connect to the remote host Syntax INT Maximum 65535 Minimum 1 Default 22 remote The file to copy to or from on the remote host Syntax STRING to Copy the file from the local device to the remote host or from the remote host to the local device Syntax remote local user The username to use when conne...

Страница 713: ...IPV6 will be displayed Parameters ipv4 Display IPv4 routes If no IP version is specififed IPv4 and IPV6 will be displayed Syntax BOOLEAN Default False Optional True ipv6 Display IPv6 routes If no IP version is specififed IPv4 and IPV6 will be displayed Syntax BOOLEAN Default False Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True sho...

Страница 714: ...ncise more detail Syntax BOOLEAN Default False Optional True show event number INTEGER table STRING Show event list high level Parameters number Number of lines to retrieve from log Syntax INT Minimum 1 Default 20 table Type of event log to be displayed status error info Syntax status error info Optional True show hotspot ip STRING name STRING Show hotspot statistics Parameters ip IP address of a ...

Страница 715: ... STRING Optional True verbose Display status of one or all tunnels in plain text Syntax BOOLEAN Default False Optional True show location Show location information Parameters None show log filter STRING number INTEGER Show system log low level Parameters filter Filters for type of log message displayed critical warning info debug Note filters from the number of messages retrieved not the whole log...

Страница 716: ...se Optional True show modem verbose imei STRING name STRING Show modem status and statistics Parameters imei The IMEI of the modem to execute this CLI command on Syntax STRING Optional True name The configured name of the modem to execute this CLI command on Syntax STRING Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True show nemo na...

Страница 717: ...k interface Syntax STRING Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True show openvpn Show OpenVPN status and statistics openvpn client all name STRING Show OpenVPN client status statistics Parameters all Display all clients including disabled clients Syntax BOOLEAN Default False Optional True name Display more details and config ...

Страница 718: ... Syntax STRING Optional True show route ipv4 ipv6 verbose Show IP routing information Parameters ipv4 Display IPv4 routes Syntax BOOLEAN Default False Optional True ipv6 Display IPv6 routes Syntax BOOLEAN Default False Optional True verbose Display more information less concise more detail Syntax BOOLEAN Default False Optional True show scripts Show scheduled system scripts Parameters None show se...

Страница 719: ...rbose Display more information disk usage etc Syntax BOOLEAN Default False Optional True show usb Show USB information Parameters None show version verbose Show firmware version Parameters verbose Display more information build date Syntax BOOLEAN Default False Optional True show vrrp all verbose name STRING Show VRRP status and statistics Parameters all Display all VRRP instances including disabl...

Страница 720: ...None show show wifi Show Wi Fi status and statistics wifi ap all name STRING Display details for Wi Fi access points Parameters all Display all Wi Fi access points including disabled Wi Fi access points Syntax BOOLEAN Default False Optional True name Display more details for a specific Wi Fi access point Syntax STRING Optional True wifi client all name STRING Display details for Wi Fi client mode ...

Страница 721: ...e IX20 User Guide 721 name Display more details for a specific Wi Fi client mode connection Syntax STRING Optional True show wifi scanner Show Wi Fi scanner information wifi scanner log Show output log for the last update interval Parameters None ...

Страница 722: ... and dynamic DHCP lease information CLI configuration backups are a list of CLI commands used to build the device s configuration Syntax cli config archive Default archive system disable cryptography Erase the device s configuration and reboot into a limited mode with no cryptography available The device s shell will be accessible over Telnet port 23 at IP address 192 168 210 1 To return the devic...

Страница 723: ...archive or CLI commands file Parameters path The path to the backup file Syntax STRING passphrase Decrypt the archive with a passphrase Syntax STRING Optional True system script stop SCRIPT Stop an active running script Scripts scheduled to run again will still run again disable a script to prevent it from running again Parameters script Script to stop Syntax STRING system support report PATH Save...

Страница 724: ...h to trace the route packets for Syntax STRING bypass Bypass the normal routing tables and send directly to a host on an attached network Syntax BOOLEAN Default False Optional True debug Enable socket level debugging Syntax BOOLEAN Default False Optional True dontfragment Do not fragment probe packets Syntax BOOLEAN Default False Optional True first_ttl Specifies with what TTL to start Syntax INT ...

Страница 725: ... Syntax BOOLEAN Default False Optional True max_ttl Specifies the maximum number of hops max time to live value traceroute will probe Syntax INT Minimum 1 Default 30 nomap Do not try to map IP addresses to host names when displaying them Syntax BOOLEAN Default False Optional True nqueries Sets the number of probe packets per hop A value of 1 indicated Syntax INT Minimum 1 Default 3 packetlen Total...

Страница 726: ... Note that you must select the address of one of the interfaces By default the address of the outgoing interface is used Syntax STRING Optional True tos For IPv4 set the Type of Service ToS and Precedence value Useful values are 16 low delay and 8 high throughput Note that in order to use some TOS precedence values you have to be super user For IPv6 set the Traffic Control value A value of 1 speci...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды