MAGNUM DX FAMILY OF ROUTERS
Secure Web Management for the Magnum DX family of Routers

MNS-DX Version 3.0.4

Administrator's Guide

Preface

This guide describes how to set up and use the Magnum DX family of routers, and gives some simple guidelines that will be useful when configuring and operating them. If you need further information or data sheets on the GarrettCom Magnum DX family of routers, refer to the GarrettCom web link:

http://www.garrettcom.com/routers.htm

Any feedback or comments can be sent to the GarrettCom address shown below.

GarrettCom Inc.
47823 Westinghouse Drive
Fremont, CA 94539-7437
Phone (510) 438-9071 • (510) 438-9072
Email – Tech support – [email protected]
Email – Sales – [email protected]
WWW – http://www.garrettcom.com/


Trademarks

GarrettCom Inc. reserves the right to change specifications, performance characteristics and/or model offerings without notice. GarrettCom, Magnum, S-Ring, MNS-DX, MNS-6K, Link-Loss-Learn, Converter Switch, Convenient Switch and Personal Switch are trademarks and Personal Hub is a registered trademark of GarrettCom, Inc.

NEBS is a registered trademark of Telcordia Technologies.

UL is a registered trademark of Underwriters Laboratories.

Ethernet is a trademark of Xerox Corporation.

Rights

Except as set forth in the Software License Agreement, GarrettCom makes no representation that software programs and practices described herein will not infringe on existing or future patent rights, copyrights, trademarks, trade secrets or other proprietary rights of third parties, and GarrettCom makes no warranties of any kind, either express or implied, and expressly disclaims any such warranties, including but not limited to any implied warranties of merchantability or fitness for a particular purpose and any warranties of non-infringement.

The descriptions contained herein do not imply the granting of licenses to use, sell, license or otherwise transfer GarrettCom products described herein. GarrettCom disclaims responsibility for errors which may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.

Copyright

Copyright 2010 by GarrettCom. Printed in the US. All rights reserved.

This manual may not be reproduced or disclosed in whole or in part by any means without the written consent of GarrettCom. DynaStar is a trademark of GarrettCom. All other trademarks mentioned in this document are the property of their respective owners.

This document has been prepared to assist users of equipment manufactured by GarrettCom, and changes are made periodically to the information in this manual. Such changes are reflected in updates or are published in Software Release Notes. If you have recently upgraded your software, carefully note those areas where new commands or procedures have been added. The material contained in this manual is supplied without any warranty of any kind. GarrettCom therefore assumes no responsibility and shall incur no liability arising from the supplying or use of this document or the material contained in it.

Copyright © 2010 GarrettCom, Inc. All rights reserved. Printed in the United States of America.

Paper Version Part Number: 4-62-2117-00_Rev AF

CD Part Number: 3-01-2117-00

PK-07162010


Table of Contents

1 – Conventions Followed ...... 28
Flow of the guide ...... 29
Other Documentation ...... 31
2 – Getting Started ...... 32
Before starting ...... 32
Console connection for CLI ...... 33
Console setup ...... 34
Console screen ...... 34
Logging in for the first time ...... 35
Setting the IP parameters ...... 35
Console connection - DX40 ...... 37
Web browser ...... 39
Administration menus ...... 43
User management ...... 43
Authentication ...... 44
Authentication: Policies ...... 44
Adding Users ...... 46
Creating Common Users among DX devices ...... 49
Deleting User ...... 52
Modify Password ...... 52
Suspending a User ...... 53
Locked Out User ...... 53
User sessions ...... 54
Policies ...... 55
Active Logins ...... 55
Login Banner ...... 56
Other Administrative Tasks ...... 56
System Information ...... 57
System Status ...... 57
...... 58
Time Zone and DST ...... 58
Time and Date ...... 60
Time Persistence ...... 61
Adding License Keys ...... 61
Example – adding MNS-DX-SECURE license keys ...... 62
Exiting ...... 64
3 – IP Address and System Information ...... 65
IP Addressing ...... 65
Setting the IP address ...... 65
Switching ports ...... 66
Enabling Ports ...... 67
Switching and Routing ports ...... 69
Enabling Ethernet Ports ...... 69
DHCP address ...... 73
DHCP and bootp ...... 73
Using SSH and ...... 75
SSH port forwarding ...... 77
Network time (SNTP) ...... 79
Upgrading MNS-DX ...... 82
Saving and loading configuration ...... 87
Erasing configuration ...... 88
Saving changes ...... 89
4 – Configuring Ethernet ...... 90
Assumptions ...... 90
Setting up Ethernet Ports ...... 90
Settings ...... 90
Status ...... 93
Summary Statistics ...... 94
Extended Statistics ...... 94
5 – Port Mirroring and Rate Limits ...... 98
Port Monitoring and Mirroring ...... 98
Port mirroring ...... 98
Rate Limits ...... 100
6 – Bridge Groups ...... 102
Bridging or Switching vs Routing ...... 102
Switch Ports ...... 102
MAC address aging ...... 102
Setting Switch Ports ...... 103
Static MACs ...... 103
Cache Entries ...... 105
7 – Rapid Spanning Tree Protocol (RSTP) ...... 106
RSTP Features and Operations ...... 106
RSTP Setup ...... 107
BPDUs ...... 107
Bridge Roles ...... 108
Port Roles ...... 108
Edge Ports and Point-to-Point Links ...... 108
Port States ...... 108
RSTP Normal Operation ...... 109
Design Considerations ...... 109
Configuring RSTP – Bridge Settings ...... 109
RSTP – Port Settings ...... 110
RSTP – Bridge Status ...... 112
RSTP – Port Status ...... 112
8 – VLAN ...... 113
Why VLANs? ...... 113
Configuring VLANs ...... 114
VLANs – Design considerations ...... 114
Adding VLANs ...... 114
Importance of Tagging ...... 116
Importance of Filtering ...... 116
Enabling VLANs ...... 117
VLANs and IP Addresses ...... 117
VLANs and Serial Ports ...... 120
9 – DHCP ...... 121
Modes of Operation ...... 122
Technical Details ...... 123
DHCP Discovery ...... 123
DHCP Offers ...... 124
DHCP Request ...... 124
DHCP Acknowledgement ...... 124
DHCP Information ...... 125
DHCP Release ...... 125
Client Configuration ...... 125
DHCP Server Configuration ...... 125
Design Consideration ...... 125
Define Networks ...... 126
Static Addresses ...... 126
Dynamic Addresses or DHCP Pools ...... 127
Managing Leases ...... 128
10 – Serial Connectivity ...... 129
Serial IO technologies ...... 129
Serial Protocol Backgrounder ...... 129
Serial IO and Ethernet ...... 130
Terminal Services ...... 130
Serial Ports and Security ...... 130
Serial Ports and VLANs ...... 130
Terminal Server ...... 131
Terminal Server Operations ...... 132
Passive Mode Channels ...... 132
Active Mode Channels ...... 132
Mixed Mode Channels ...... 133
Session Type ...... 133
Configuring Terminal Services ...... 134
Step 1 – Profiles ...... 134
Step 2 – Associate ports to profiles ...... 137
Step 3 – Setting TCP/IP parameters for Serial ports ...... 138
Troubleshooting Terminal Services ...... 140
Port Status ...... 141
Port Statistics ...... 141
Channel Status ...... 142
Connecting SCADA devices ...... 143
11 – Secure Serial Connectivity or Serial SSL ...... 147
Configuring Secure Serial Connectivity ...... 148
Troubleshooting Secure Serial Connectivity ...... 149
12 – Modbus ...... 152
Modbus overview ...... 152
Modbus on MNS-DX ...... 154
Serial and TCP variants ...... 155
Exception Handling ...... 156
TCP Connection Handling ...... 156
Configuring Modbus ...... 157
Configuring Local Masters ...... 157
Configuring Local Slaves ...... 159
Configuring Remote Slaves ...... 160
Modbus active connections ...... 161
13 – Wide Area Network (WAN) ...... 163
DDS Circuits ...... 163
Configuring DDS ...... 163
DDS Port Status ...... 164
Configuring T1/E1 ...... 166
T1/E1 Port Status ...... 167
Configuring Frame Relay ...... 170
Frame Relay Background ...... 170
LMI Protocol ...... 171
LMI Fragmentation Size ...... 171
LMI Types ...... 171
LMI Modes ...... 172
Configuring Frame Relay ...... 172
Frame Relay Applications ...... 173
Configuring DLCI ...... 173
Configuring EEK ...... 176
EEK Status ...... 177
Configuring DLCI based IP Routing ...... 178
Serial Tunnel Over Frame Relay ...... 181
Mapping Serial Ports to DLCI ...... 181
14 – Point to Point Protocol (PPP) ...... 184
PPP Overview ...... 184
Configuring PPP ...... 185
PPP Profiles ...... 185
PPP Connections ...... 186
PPP Status ...... 187
PPP Statistics ...... 188
15 – Quality of Service (QoS) ...... 190
QoS Concepts ...... 190
DiffServ and QoS ...... 192
DiffServ Marking ...... 193
DiffServ Processing ...... 193
WAN ports ...... 193
Configuring QoS ...... 195
DiffServ Configuration ...... 195
802.1p configuration ...... 196
Ethernet Port configuration ...... 197
IP Flow configuration ...... 197
16 – RIP Routing ...... 200
Routing Concepts ...... 200
Routing Information Protocol (RIP) ...... 200
RIP – a brief history ...... 201
RIP technical overview ...... 201
RIP Version 1 ...... 202
RIP Version 2 ...... 202
Configuring RIP ...... 202
Setting IP address ...... 202
Setting Static Routes ...... 203
Setting RIP Parameters ...... 204
Validating Routing Setup ...... 206
17 – OSPF Routing ...... 208
Open Shortest Path First (OSPF) ...... 208
OSPF Backgrounder ...... 208
OSPF Neighbor relationships ...... 209
OSPF Area types ...... 210
OSPF Backbone area ...... 210
OSPF Stub Area ...... 211
OSPF Not-So-Stubby Area ...... 211
Proprietary Extensions ...... 211
Configuring OSPF ...... 211
Setting IP Address ...... 211
Setting Static Routes ...... 212
Setting OSPF global parameters ...... 213
OSPF Area Settings ...... 214
OSPF Interface Settings ...... 215
OSPF Interface Profiles ...... 217
OSPF Area Aggregates ...... 218
OSPF Neighbor Status ...... 218
Validating Routing Setup ...... 219
18 – BGP Routing ...... 221
Border Gateway Protocol (BGP) ...... 221
BGP Backgrounder ...... 221
Configuring BGP ...... 222
Setting IP Address ...... 222
Setting Static Routes ...... 223
Setting BGP Global Parameters ...... 224
Setting BGP Peer Settings ...... 224
Setting BGP Filters ...... 225
Setting BGP Profiles ...... 226
Checking BGP Status ...... 227
Checking BGP RIB ...... 229
Checking BGP Statistics ...... 229
Validating routing setup ...... 230
19 – VRRP ...... 233
Configuring VRRP ...... 234
VRRP Status ...... 235
20 – NAT and PAT ...... 237
NAT Background ...... 237
Port Address Translation (PAT) ...... 238
NAT/PAT and Security ...... 238
Configuring NAT and PAT ...... 238
Configuring NAT ...... 238
Configuring Port Forwarding ...... 239
Configuring Static Port Forwarding ...... 240
21 – Security Certificates ...... 243
Security Certificates ...... 243
Certificate Backgrounder ...... 243
RSA and Public Key Cryptography ...... 244
Digital Signatures ...... 244
X.509 Certificates ...... 244
Certificate Authority ...... 244
MNS-DX Certificate Files ...... 245
MNS-DX Local Certificates ...... 245
MNS-DX CA Certificates ...... 247
22 – Other Security Considerations ...... 249
Ethernet Port Security ...... 249
Address Locking ...... 249
Link Locking ...... 250
Configuring Ethernet Security ...... 250
Serial Port Security ...... 251
MNS-DX Web Server ...... 251
MNS-DX CLI Access ...... 253
RADIUS Authentication ...... 253
Configuring RADIUS ...... 254
Syslog ...... 256
Configuring Syslog ...... 257
23 – Firewall ...... 259
Firewall on MNS-DX ...... 259
Traffic Selectors ...... 259
Allowing Inbound Connections ...... 260
Allowing Outbound Connections ...... 261
Session Logging ...... 262
Configuring Firewall ...... 264
Global Settings ...... 264
IP Interfaces ...... 265
Interface Groups ...... 266
Configuring Inbound Connections ...... 267
Configuring Outbound Connections ...... 267
24 – VPN ...... 269
VPN Backgrounder ...... 269
VPN – Brief History ...... 269
Key Management ...... 271
Peer Authentication ...... 271
Packet Integrity and Confidentiality ...... 271
Profiles ...... 271
Tunnels ...... 272
IKE ...... 272
Key Lifetimes ...... 272
VPN Example ...... 273
MNS-DX Stack ...... 274
IP Interface IN ...... 275
FW IN ...... 276
NAT IN ...... 276
IPSEC IN ...... 276
IP FWD ...... 276
IPSEC OUT ...... 277
NAT OUT ...... 277
FW OUT ...... 277
IP Interface OUT ...... 277
Firewall and VPN ...... 278
IKE ...... 278
ESP ...... 278
IP ...... 278
NAT and VPN ...... 280
IKE ...... 280
ESP ...... 280
NAT Bypass ...... 280
No Bypass ...... 281
Bypass Example ...... 281
No Bypass Example ...... 282
Configuring VPN ...... 284
Global Settings ...... 285
VPN Profiles ...... 285
IPSec Authentication ...... 287
VPN Tunnels ...... 288
VPN Status ...... 290
VPN Details ...... 290
RFC compliance ...... 291
25 – Monitoring events ...... 293
Alarms, Events and Logs ...... 293
Events ...... 294
Event Categories ...... 295
Event Descriptions ...... 296
List of defined event IDs and their default values ...... 300
Logging ...... 302
Configuring Events ...... 303
Configuring Logs ...... 304
Viewing Log Files ...... 305
Alarms ...... 305
26 – SNMP ...... 307
SNMP Concepts ...... 307
SNMP Standards ...... 309
SNMP on MNS-DX ...... 310
Configuring SNMP – Global Settings ...... 311
Configuring SNMP – Management Stations ...... 313
Configuring SNMP – Trap Receivers ...... 314
Configuring SNMP Users ...... 315
SNMP Statistics ...... 316
27 – Wizards ...... 321
Router Setup Wizard ...... 321
Step 1 – Router Configuration Wizard ...... 322
Step 2 – Router Configuration Wizard ...... 323
Step 3 – Router Configuration Wizard ...... 324
Step 3A – Router Configuration Wizard ...... 324
Step 4 – Router Configuration Wizard ...... 325
Step 5 – Router Configuration Wizard ...... 325
Certificate Creation Wizard ...... 326
Step 1 – Certificate Creation Wizard ...... 327
Step 2 – Certificate Creation Wizard ...... 327
Certificate Request for CA ...... 329
APPENDIX 1 – CLI Commands ...... 332
APPENDIX 2 – Browser Certificates ...... 414
Certificates ...... 414
Using Mozilla Firefox (ver 3.x) ...... 415
Using Internet Explorer (ver 7.x or IE 8.x) ...... 420
Using Other Browsers ...... 420
APPENDIX 3 – Port and Type Reference ...... 421
Well Known TCP/UDP Network Ports ...... 421
ICMP Types ...... 424
APPENDIX 4 – Glossary ...... 425
APPENDIX 5 – Generating self-signed certificates ...... 431
Step 1: Generate an RSA key and a certificate request for your CA ...... 431
Step 2: Generate a self-signed CA certificate from the request ...... 432
Step 3: Create the CA's Key ...... 432
Step 4: Create an RSA key and a certificate request for your system ...... 432
Step 5: Create the system's certificate and have it signed by the CA ...... 433
Step 6: Create the System Key File ...... 433
APPENDIX 6 – Third Party Licenses ...... 435
GNU LESSER GENERAL PUBLIC LICENSE ...... 435
Preamble ...... 435
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION ...... 437
NO WARRANTY ...... 441
END OF TERMS AND CONDITIONS ...... 442
How to Apply These Terms to Your New Libraries ...... 442
Index ...... 443

List of Figures

FIGURE 1 – HyperTerminal screen showing the serial settings; inset are the PuTTY settings for serial connectivity ...... 34
FIGURE 2 – Prompt showing the login via the console port ...... 35
FIGURE 3 – On the console, after logging in, enter the IP menu to set up the IP address ...... 36
FIGURE 4 – MNS-DX has built-in command help. In the above example, use the "?" key to get help. The "?" key shows all the relevant commands for the IP command sub-menu. We next want to use the "set" command to set the IP address. To see how it is used, type "set ?" and the choices are shown. The obvious choice for setting the address is the "set address" option ...... 36
FIGURE 5 – Using the "?" help feature of MNS-DX, the above example shows how the administrator can get assistance at each step. Here the administrator types in the appropriate values for the command until no mandatory options remain. The optional arguments for the command line are shown in "[" and "]". Once the address is set, the help feature is used in the same way to determine whether the address is set properly. Make sure you "save" the settings after setup ...... 37
FIGURE 6 – On power up, if the space key is held down, the menu appears on serial port S1 ...... 38
FIGURE 7 – Setting the IP address on DX40 ...... 38
FIGURE 8 – Security certificate – click "Yes" to proceed ...... 39
FIGURE 9 – Login screen – Before the login screen is shown, a security banner is displayed. Click on "Continue" to get to the login screen, as shown below. This banner is shown if the MNS-DX-SECURE license key is installed. This banner can be disabled if needed ...... 40
FIGURE 10 – Login with the proper user name and password. For first-time use, enter manager as the Login ID and manager as the Password ...... 40
FIGURE 11 – After a successful login, the initial screen displaying the device ports is shown. This screen is called the Virtual Front Panel ...... 41
FIGURE 12 – Welcome screen (using the DX900 router). Note the different information provided in the different areas of the screen. The menus are used to configure settings on the router ...... 42
FIGURE 13 – Administration Menus. At any time, if the "+" symbol on a menu is clicked, the menus associated with that function are exposed ...... 43
FIGURE 14 – The Authentication menu allows for authentication of users. This includes adding users and setting policies for user passwords and authentication. Finally, it also allows adding users in bulk under the "Files" sub-menu ...... 43
FIGURE 15 – The Authentication: Policies menu enables the administrator to set various time, event, and password limitations to enforce authentication ...... 44
FIGURE 16 – Adding users – select the Accounts option ...... 46
FIGURE 17 – Adding a user with the login name "administrator". Once the fields are filled out, click on Apply Settings ...... 48
FIGURE 18 – Once the user is added, the user appears in the Existing User Accounts table ...... 48
FIGURE 19 – Adding different types of users ...... 49
FIGURE 20 – Importing users or exporting users ...... 49
FIGURE 21 – Exporting users ...... 50
FIGURE 22 – Descriptor for the user files. Note that the version reflects the MNS-DX version. In this example, a file from version 2.0.1 is displayed ...... 50
FIGURE 23 – XML file for all the users ...... 51
FIGURE 24 – Deleting users – select the "Delete" check box and then click on "Apply Settings" ...... 52
FIGURE 25 – Modifying passwords ...... 52
FIGURE 26 – Suspending a user. After selecting "No" in the "Suspended?" column and applying the change, the user is no longer suspended ...... 53
FIGURE 27 – Locked Out user. The column "Locked Out?" shows that the user has been locked out. To unlock the user, change the "Yes" to a "No" and then click on "Apply Settings" ...... 53
FIGURE 28 – Viewing Logs. A history of logs is kept. Here we view the current or Active log ...... 54
FIGURE 29 – The log file shows the repeated unsuccessful login attempts on user administrator. After the 5th invalid attempt the account was suspended ...... 54
FIGURE 30 – Setting up user Session policies. In this example, if the user is idle for more than one hour, the session is ended automatically. Whether the user sees the welcome banner or not is also set here (Login Banner option) ...... 55
FIGURE 31 – Displaying all the active sessions ...... 55
FIGURE 32 – To force a user off the system, select the user under the "Delete" column and click "Apply Settings" as shown below ...... 56
FIGURE 33 – Customizing the Login Banner. Type over the existing text and click Submit when done. It is a good idea to log out and log in again to ensure that the banner text appears properly ...... 56
FIGURE 34 – Updating the System Information via Administration > System > Information as shown above. Once the proper information is entered, click on Apply Settings ...... 57
FIGURE 35 – Status of the device ...... 58
FIGURE 36 – Updating Time Zone and DST information ...... 59
FIGURE 37 – Specifying Time Zone and Daylight Saving Time ...... 60
FIGURE 37 – Updating Time and Date – enter the time (24 hour) and date as MM//YYYY and click on Apply Settings ...... 60
FIGURE 38 – Time Persistence ...... 61
FIGURE 39 – Icons depicting the necessary functionality in this Manual ...... 62
FIGURE 40 – Adding the MNS-DX-SECURE License key. The feature key is covered in this example ...... 62
FIGURE 41 – After the upgrade, the license keys are displayed on the Virtual Front Panel ...... 63
FIGURE 42 – License keys are displayed on the Virtual Front Panel ...... 63
FIGURE 43 – Logout ...... 64
FIGURE 44 – The DX router Ethernet ports can be set up as a switch group, allowing the DX to participate in a switched network. The IP address of the device is for accessing the management interface ...... 66
FIGURE 45 – Enabling Ethernet Ports ...... 67
FIGURE 46 – Setting all Ethernet ports to the same Bridge group, i.e. ensuring that the ports are switch ports. Note: the ports can be mixed and matched as switched and routed ports as needed ...... 67
FIGURE 47 – Set the IP address as needed. If necessary, change the IP address to match the IP address schema of the switched network. If the IP address is changed, make sure the browser points to the new IP address to manage the DX device ...... 68
FIGURE 48 – Click on Other Options to ignore Link information on the interface ...... 68
FIGURE 49 – Set the Ignore Link option to "Yes" so that link information is ignored when updating the status, etc. ...... 68
FIGURE 50 – In the above example, the DX device is routing between LAN1, LAN2 and the WAN, and is also participating in the switched network on the two ports. The firewall is also enabled on the device as shown, filtering traffic from the WAN port ...... 69
FIGURE 51 – Enabling Ethernet Ports ...... 70
FIGURE 52 – Two ports are set as Bridged ports (E3 and E4), while the others are non-bridged, i.e. routed ports ...... 70
FIGURE 53 – Set the IP address as needed for the different interfaces ...... 71
FIGURE 54 – Click on Other Options to ignore Link information on the interface ...... 71
FIGURE 55 – Set the Ignore Link option to "Yes" so that link information is ignored when updating the status, etc. ...... 71
FIGURE 56 – Once the Links are ignored, the status of the interface is changed ...... 72
FIGURE 57 – Enable routing on the device. More details on routing are covered in a separate chapter ...... 72
FIGURE 58 – Specify the interfaces for routing, as well as whether the routing interfaces are passive, i.e. only listen for updates ...... 73
FIGURE 59 – Setting an interface for a DHCP address ...... 74
FIGURE 60 – Once the IP address is acquired, the address is displayed and the status of the port changes to "Up". The Virtual Front Panel (not shown) will also change to reflect the port now being active or "Up" ...... 74
FIGURE 61 – Enabling or disabling telnet is done in the CLI mode. The default, SSH only, is currently set for the CLI mode. From the drop-down, telnet can be enabled ...... 77
FIGURE 62 – Example of port forwarding. In this example, the DX router connects to the 6K switch. Since the connection is tunneled, traffic is sent securely over the connection to the DX router; from the DX to the 6K switch the connection is unencrypted ...... 78
FIGURE 63 – Enable SSH Port forwarding ...... 79
FIGURE 67 – SNTP parameters – set the global settings. See the table below for the different options ...... 80
FIGURE 68 – Adding or deleting SNTP Servers ...... 81
FIGURE 69 – Checking the status of the SNTP services ...... 82
FIGURE 70 – Software update process state diagram. Note that if the upgrade is unsatisfactory for whatever reason, the user can fall back to the older version ...... 83
FIGURE 71 – Upgrading MNS-DX. Note – on this screen, the 3.0 software was loaded. To do that, simply choose the MNS-DX file and click on Upload. Once the upload is done, reboot the router. Once the software is loaded, the old version can be deleted, or the router can fall back to the old version ...... 84
FIGURE 72 – List the location and file name for the new image and click on "Upload" to load the new image ...... 84
FIGURE 74 – After the file is uploaded, a message is shown that MNS-DX is ready for upgrade. Click on Upgrade or Fallback ...... 85
FIGURE 75 – On Fallback the State "Fallback" is displayed. The user is presented with the choice to delete the new image. Retry takes you back to the choice of whether the image should be upgraded or fallen back (previous figure) ...... 85
FIGURE 76 – On successful upgrade, the router is rebooted and the new image is now the active image. After login, click on Finalize to use the new image ...... 86
FIGURE 77 – After successful upgrade, the State changes to "Upgraded". Delete the older version before loading a subsequent release of MNS-DX ...... 86
FIGURE 78 – Multiple configuration files are stored on the MNS-DX routers. One of them is current. The other is associated with the fallback. To view the files, click on the file name ...... 87
FIGURE 79 – Config file. To save a config file, highlight the text and copy that information into a text file. These files can be archived for tracking and history purposes ...... 88
FIGURE 80 – Resetting the configuration values to factory default ...... 89
FIGURE 81 – If the "Save" icon is orange, configuration changes have been made on the switch ...... 89
FIGURE 84 – Configuring Ethernet parameters ...... 91
FIGURE 85 – Setting Ethernet Speed settings. Default is auto-negotiate. In some situations, it may be necessary to set the port to a fixed speed. Supported speeds vary depending on the port and technology. For example, with 100Mbps fiber ports only 100Mbps is supported, as fiber ports cannot auto-negotiate ...... 91
FIGURE 86 – Setting Ethernet Flow control – this controls the amount of ingress and egress traffic that can be sent, based on flow control information. Default setting is disabled ...... 91
FIGURE 87 – Administrative status. This turns an Ethernet port on or off. Admin status enabled allows traffic flow on the port. Disabled turns the Ethernet port off ...... 92
FIGURE 88 – Status Summary screen ...... 94
FIGURE 89 – Summary Statistics – shows the octets, bytes and errors sent and received on a specific port ...... 94
FIGURE 90 – Extended Statistics – shows the octets, bytes and errors sent and received on a specific port ...... 95
FIGURE 91 – Editing and enabling port mirroring. Default value is "None", i.e. port mirroring is disabled ...... 99
FIGURE 92 – In this setup, all traffic from port E1 is mirrored to Port E2 ...... 99
FIGURE 93 – Setting the port Rate Limits ...... 100
FIGURE 94 – Types of incoming or ingress traffic on which rate limits can be set ...... 100
FIGURE 95 – The incoming traffic can be limited to the set values shown above ...... 101
FIGURE 96 – The outgoing traffic can be limited to the set values shown above ...... 101
FIGURE 97 – Setting the MAC address aging interval ...... 103
FIGURE 98 – Setting the Bridge group. In this example, ports E3 and E4 form the bridge group, i.e. the two ports are switch ports. Ports E1 and E2 are routed ports ...... 103
FIGURE 99 – Setting a static MAC address associated with the port ...... 104
FIGURE 100 – Enter the MAC address associated with the port and click on "Apply Settings" as shown ...... 104
FIGURE 101 – Once the MAC address is assigned, it appears on the Static MACs screen as shown above. To delete a static MAC address, check the "Delete" box and click on "Apply Settings" ...... 105
FIGURE 102 – Viewing the MAC addresses and the ports associated with them. Note the Static entry added in the previous section ...... 105
FIGURE 103 – Port Roles in RSTP ...... 107
FIGURE 104 – Setting the RSTP parameters for all ports ...... 110
FIGURE 105 – RSTP Port Settings ...... 111
FIGURE 106 – Operational status of the RSTP Bridge. Note that all the information discussed in earlier sections is displayed on this screen ...... 112
FIGURE 107 – Port status. The specific information on the state of the ports is displayed on this screen ...... 112
FIGURE 108 – VLANs as two separate broadcast domains. The top part of the figure shows two "traditional" Ethernet segments. Up to 16 VLANs can be defined per router. Traffic between VLANs is routed using MNS-DX ...... 113
FIGURE 109 – Assigning VLANs. To add a VLAN, specify the VLAN ID number (VID) and a logical name for it. VLAN 1 is the default VLAN and is always present on all MNS-DX devices ...... 115
FIGURE 110 – Setting Port E1 as a trunk port. In the above example, the native VLAN for the trunk will be 10 and VLANs 35 and 40 will be prohibited on this port ...... 115
FIGURE 111 – Port E3 is designated to be on VLAN 40. All traffic will be tagged with VID 40 as shown above. The port is an Access port, i.e. only packets with the VID of 40 are allowed to pass through the port ...... 116
FIGURE 112 – Enabling VLANs. This menu is available as Ethernet > VLANs > Global Settings. After enabling, click on "Apply Settings" ...... 117
FIGURE 113 – After VLANs are added and enabled, each VLAN can have a unique IP address schema ...... 117
FIGURE 114 – Click on Other Options to ignore the fact that there may be no devices on the VLAN, which would show the VLAN as down even though the VLAN services are running ...... 118
FIGURE 115 – Ignoring the link shows whether the VLAN services are functioning, irrespective of whether there are devices on the VLAN ...... 119
FIGURE 116 – Ignoring link shows the port status to be up ...... 119
FIGURE 117 – DHCP Operation ...... 123
FIGURE 118 – Accessing DHCP Services. Define the networks as well as relevant information such as the IP address of the Gateway, DNS servers and DNS suffix as shown above ...... 126
FIGURE 119 – Assigning Static addresses. In the above example, the device with the MAC address 00:00:80:21:35:54 will always be assigned the IP address 10.1.5.10/24 ...... 127
FIGURE 120 – Assigning DHCP Pools or Dynamic Addresses ...... 127
FIGURE 121 – Managing IP addresses. In the above figure no IP addresses have been assigned ...... 128
FIGURE 122 – Terminal Server vs local Serial connection ...... 131
FIGURE 123 – Terminal Server ...... 134
FIGURE 124 – Setting Profiles for the serial ports ...... 135
FIGURE 125 – Associating Profiles with Serial Ports ...... 137
FIGURE 126 – Associate the IP address and port number, along with other parameters, for terminal services to function properly ...... 138
FIGURE 127 – Signals associated with serial ports after the ports are configured using the Serial Ports Settings menu ...... 141
FIGURE 128 – Statistics for the serial ports ...... 142
FIGURE 129 – Channel Status shows the status of active TCP/IP connections on the serial ports ...... 143
FIGURE 130 – Example network for connecting multiple SCADA Devices ...... 144
FIGURE 131 – Setting up the DX800 where the SCADA Master is located. Note the call connection directions are set to Out, allowing the SCADA Master to initiate the connections ...... 145
FIGURE 132 – Setup of the remote DX routers. Note the serial ports' call direction is set to "In", allowing incoming connection requests. The TCP port number (socket number) matches the port number (socket number) of the serial ports on the DX device connected to the SCADA Master ...... 145
FIGURE 133 – Setting up specific ports for secure connectivity. The screen above is captured from a DX1000 device to show ports 1 and 6 configured for secure serial connectivity ...... 148
FIGURE 134 – Modbus Communications stack ...... 153
FIGURE 135 – Interconnecting different Modbus devices ...... 153
FIGURE 136 – Modbus networks can be built out using the Magnum family of products, including the Magnum 6K family of switches and Magnum DX routers ...... 154
FIGURE 137 – Sample Modbus network using Magnum DX routers ...... 155
FIGURE 138 – Format of a Modbus ASCII packet ...... 155
FIGURE 139 – Format of a Modbus RTU packet ...... 156
FIGURE 140 – Format of a Modbus TCP packet ...... 156
FIGURE 141 – Configuring Modbus Local Masters ...... 158
FIGURE 142 – Configuring Modbus local slaves ...... 159
FIGURE 143 – Configuring Modbus remote slaves ...... 160
FIGURE 144 – Viewing active Modbus connections ...... 161
FIGURE 145 – Configuration screen for DDS circuit for WAN port ...... 163
FIGURE 146 – Port Status of WAN port ...... 164
FIGURE 147 – Configuring T1/E1 ports ...... 166
FIGURE 148 – Port Status of WAN port ...... 168
FIGURE 149 – OSI Layers and respective functions of T1/E1, DDS, Frame Relay and Frame Relay applications ...... 171
FIGURE 150 – Configuring Frame Relay ...... 172
FIGURE 151 – Defining DLCI for Frame Relay Network ...... 173
FIGURE 152 – DLCI status screen ...... 175
FIGURE 153 – Properly configured DLCI network status ...... 176
FIGURE 154 – EEK settings ...... 177
FIGURE 155 – EEK status ...... 177
FIGURE 156 – Setting the IP addresses on the DLCIs defined earlier ...... 178
FIGURE 157 – Check to see if the IP segment defined for the DLCI appears in the routing table entries ...... 178
FIGURE 158 – Adding default gateway information for the router or for each IP segment ...... 179
FIGURE 159 – Setting the RIP settings ...... 180
FIGURE 160 – Define the interfaces on which the RIP protocol is active ...... 180
FIGURE 161 – Verify that the routing table is populated properly. Note the RIP-discovered routes are shown as "RIP" under the Protocol column. "Local" entries are local interfaces on the device – these could be VLANs, DLCIs or local interfaces. "Management" entries are static addresses on the router ...... 181
FIGURE 162 – Adding "Channels", or mapping a DLCI setting to the Serial port, allowing asynchronous traffic to tunnel through the Frame Relay circuit ...... 182
FIGURE 163 – Check the status to see if the mapping of serial ports to DLCI is working properly ...... 183
FIGURE 164 – Setting up PPP Profiles ...... 185
FIGURE 165 – Setting up PPP Connections ...... 187
FIGURE 166 – Checking PPP status ...... 188
FIGURE 167 – Checking PPP statistics ...... 188
FIGURE 168 – Block diagram showing the interaction of QoS and DiffServ prioritization ...... 192
FIGURE 169 – ToS and DSCP ...... 192
FIGURE 170 – WAN QoS flow ...... 194
FIGURE 171 – Configuring DiffServ settings ...... 195
FIGURE 172 – Configuring 802.1p settings ...... 196
FIGURE 173 – Configuring Ethernet Port priority settings ...... 197
FIGURE 174 – Configuring priority for IP traffic flows ...... 198
FIGURE 175 – Setting IP addresses on the different interfaces ...... 203
FIGURE 176 – Setting static routes, including the default route ...... 203
FIGURE 177 – Setting RIP parameters ...... 204
FIGURE 178 – Setting RIP interfaces ...... 206
FIGURE 179 – Routing Table entries ......
207 FIGURE 180 – Setting IP addresses on the different interfaces ...... 212 FIGURE 181 – Setting static route including default route ...... 212 FIGURE 182 – Setting OSPF global parameters ...... 213

23

FIGURE 183 – Setting OSPF area settings ...... 215 FIGURE 184 – Setting OSPF interface settings ...... 216 FIGURE 185 – Defining OSPF interface profiles ...... 217 FIGURE 186 – OSPF Area Aggregates ...... 218 FIGURE 187 – OSPF Neighbor Status ...... 219 FIGURE 188 – Routing Table entries ...... 219 FIGURE 189 – Setting IP addresses on the different interfaces ...... 223 FIGURE 190 – Setting static route including default route ...... 223 FIGURE 191 – Setting BGP global settings, including enabling or disabling BGP ...... 224 FIGURE 192 – Setting BGP Peer Settings ...... 225 FIGURE 193 – Setting BGP Filters ...... 226 FIGURE 194 – Setting BGP Profiles ...... 227 FIGURE 195 – Checking the status of BGP setup ...... 228 FIGURE 196 – Checking the BGP RIB ...... 229 FIGURE 197 – Checking the BGP Statistics ...... 230 FIGURE 198 – Routing Table entries ...... 231 FIGURE 199 – VRRP services require two routers to provide redundancy. One router is always the primary default router...... 233 FIGURE 200 – When the primary or Master device fails, the secondary devices takes over ...... 234 FIGURE 201 – Configuring VRRP ...... 234 FIGURE 202 – Status of VRRP ...... 235 FIGURE 203 – Setting up NAT global parameters. The public interface has been changed from default to E2...... 239 FIGURE 204 – Setting up PAT or mapping socket numbers ...... 240 FIGURE 205 – Setting up static NAPT or mapping Network Addresses and Protocol Translations ...... 241 FIGURE 206 – Managing certificates on Magnum DX devices. Using this menu additional certificates can be loaded, viewed or deleted ...... 245 FIGURE 207 – A portion of the WEB_Cert.pem signature file ...... 246 FIGURE 208 – A portion of the WEB_Cert.pem signature file ...... 247 FIGURE 209 – A portion of the WEB_Cert.pem signature file ...... 248 FIGURE 210 – Ethernet port security ...... 250 FIGURE 211 – If an Ethernet port is locked out, it can be unlocked by changing the “Locked?” field from a “Yes” to a “No” ...... 251

24

FIGURE 212 – Configuring Web services for MNS-DX ...... 252 FIGURE 213 – Configuring CLI access ...... 253 FIGURE 214 – Configuring CLI access ...... 254 FIGURE 215 – Defining the RADIUS servers ...... 255 FIGURE 216 – Defining the Syslog settings ...... 257 FIGURE 217 – Defining the Syslog collectors ...... 258 FIGURE 218 – Firewall network example for inbound traffic...... 260 FIGURE 219 – Firewall configuration to map the inbound traffic example ...... 261 FIGURE 220 – Firewall network example for outbound traffic...... 262 FIGURE 221 – Firewall configuration to map the outbound traffic example ...... 262 FIGURE 222 – Firewall Global Settings ...... 264 FIGURE 223 – Enabling or disabling Firewall services on a specific interface ...... 266 FIGURE 224 – Group definitions for Firewall ...... 266 FIGURE 225 – Configure inbound connections...... 267 FIGURE 226 – Configure outbound connections ...... 268 FIGURE 227 – VPN example ...... 270 FIGURE 228 – Site-to-Site VPN ...... 270 FIGURE 229 – Format of a tunneled IP packet using Encapsulated Security Payload (ESP) ...... 271 FIGURE 230 – VPN Example ...... 273 FIGURE 231 – Tunnels settings for router DX1 in the example. Note the destination gateway should correspond to the public IP address of router DX2...... 274 FIGURE 232 – Tunnels settings for router DX2 in the example. Note the destination gateway should correspond to the public IP address of router DX1...... 274 FIGURE 233 – MNS-DX network stack. The stack is used to explain packet processing flow and how it impacts VPN, firewall and NAT interactions...... 275 FIGURE 234 – Firewall and VPN Network example ...... 278 FIGURE 235 – Defining Firewall rules ...... 279 FIGURE 236 – Firewall rules settings ...... 279 FIGURE 237 – Firewall rules settings with the “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” set to “Yes” ...... 280 FIGURE 238 – Defining NAT rules ...... 282 FIGURE 239 – Defining VPN Tunnels ...... 
282 FIGURE 240 – Defining VPN with no bypass option ...... 283

25

FIGURE 241 – Defining NAT rules to allow port 80 traffic ...... 283 FIGURE 242 – Defining VPN tunnel for the example ...... 284 FIGURE 243 – Defining NAT rules to allow port 80 traffic ...... 284 FIGURE 244 – VPN Global Settings ...... 285 FIGURE 245 – VPN Profiles ...... 286 FIGURE 246 – VPN Authentication ...... 288 FIGURE 247 – VPN Tunnels ...... 289 FIGURE 248 – VPN Status ...... 290 FIGURE 249 – VPN Details ...... 291 FIGURE 250 – Events Specifications menu. Only a partial screen capture is shown ...... 304 FIGURE 251 – Log file settings ...... 304 FIGURE 252 – Log files. To view the file, click on the file name ...... 305 FIGURE 253 – Enabling the Alarms and defining the relay closure time ...... 305 FIGURE 254 – Setting the individual trap actions ...... 306 FIGURE 255 – Setting the SNMP global settings ...... 312 FIGURE 256 – Adding Management Stations for SNMP ...... 314 FIGURE 257 – Adding Management Stations for SNMP ...... 315 FIGURE 258 – Defining SNMP users ...... 315 FIGURE 259 – Viewing SNMP Statistics ...... 317 FIGURE 260 – Accessing the Router Setup Wizard. Note – after this wizard all the existing setup and configuration is destroyed. Remember to save the configuration before using this wizard ...... 322 FIGURE 261 – Step 1 of the Router setup wizard. Here the choice is made on the choice of what the Ethernet ports will function as – a switch port group or a router port...... 323 FIGURE 262 – Step 2 of the Router setup wizard. Enter in a valid IP address for the default interface...... 324 FIGURE 263 – Step 3 of the Router setup wizard. Determine if the routing is enabled or not in this step...... 324 FIGURE 264 – Step 3A of the Router setup wizard. Determine if the router should be the Default Gateway or not...... 325 FIGURE 265 – Step 4 of the Router setup wizard. Determine if the firewall services should be started or not ...... 325 FIGURE 266 – Step 4 of the Router setup wizard. 
Determine if the firewall services should be started or not ...... 326 FIGURE 267 – Certificate creation wizard ...... 326

26

FIGURE 268 – Step 1 of self signed certificate wizard. Depending on the key size, the generation of the certificate may take a few minutes ...... 327 FIGURE 269 – Step 2 of self signed certificate wizard. Here the created certificate can be viewed, saved to a file or deleted...... 328 FIGURE 270 – A self signed certificate generated by Certificate Creation Wizard ...... 329 FIGURE 271 – Saving the certificate using the browser built in functionality ...... 329 FIGURE 272 – Certificate which can be sent to the certificate authority. Copy an paste the encrypted information in a file or email message. At this stage, the request becomes a pending message...... 330 FIGURE 273 – On finding a mismatch between the certificate and the accesses site, Mozilla Firefox pops the window. Note – the site was accessed using the IP address. Typically, sites accessed by their IP address will trigger this mismatch ...... 415 FIGURE 274 – Mozilla Firefox tries to warn the user again about the dangers of sites with improper certificates. This window may be different depending on the version of the browser you are using ...... 416 FIGURE 275 – Firefox forces you to get the certificate before it lets you access the site ...... 417 FIGURE 276 – Here, you can view the certificate, permanently make an exception and confirm the exception. The locations to do those are identified in this figure ...... 418 FIGURE 277 – Self signed certificate from GarrettCom Inc for MNS-6K switch. A similar certificate is available on MNS-DX ...... 419 FIGURE 278 – Using IE 7or IE 8 ...... 420

27

Chapter 1

1 – Conventions Followed

Conventions followed in the manual…

To best use this document, please review some of the conventions followed in the manual, including screen captures, interactions and commands with the router.

Box shows interaction with the router command line or screen captures from the router or computer for clarity

Commands typed by a user will be shown in a different color and this font.

Router prompt – shown in Bold font, with a “#” or “>” at the end. For the document we will use MagnumDX# as the prompt.

Related Topics – Related topics show that GarrettCom strongly recommends reading about those topics. You may choose to skip those if you already have prior detailed knowledge of those subjects.

Tool box – Necessary software and hardware components needed (or recommended to have) as a prerequisite. These include serial ports on a computer, serial cables, a computer with a browser, TFTP or FTP software, serial terminal emulation software etc.

Caution or take notice – Things to watch out for in case of problems or potential problems. This is also used to draw attention to a special issue, capability or fact.

28 MAGNUM DX ROUTERS – MNS- DX ADMINISTRATOR GUIDE

Terminology – Whenever the word PC is used it implies a UNIX, Linux, Windows or any other operating system based work station, computer, personal computer, laptop, notebook or any other computing device. Most of the manual uses Windows XP or Windows 7 based examples. While effort has been made to indicate other Operating System interactions, it is best to use a Windows-XP based machine when in doubt.

Supported MNS-DX Version – The documentation reflects features of MNS-DX version 3.0 or higher. If your router is not at the current version, GarrettCom Inc. recommends upgrading to the current version. Please refer to the GarrettCom Web site for information on upgrading the MNS-DX software on Magnum DX family of routers or contact GarrettCom Inc. on how to go about updating the software.

Product Family – this manual is for all the Magnum DX family of routers.

Flow of the guide

The manual is designed to guide the user through a sequence of events. Chapter 1 is a guide to this manual.

Chapter 2 covers the basic setup required by the Magnum DX family of routers. Chapter 2 is perhaps the most critical chapter in terms of what needs to be done by the network administrator once the DX device is received. Adding license keys to unlock features in MNS-DX is also covered in this chapter.

Chapter 3 focuses on operational issues of the DX router. This includes time synchronization, IP Addressing, DHCP setup, erasing and saving configuration.

Chapter 4 focuses on setting up the Ethernet ports. All ports on the Magnum DX device are disabled by default - except one port. This chapter also covers those issues.

Chapter 5 builds on the previous chapter and discusses Port Mirroring and rate limits for Ethernet.

Chapter 6 talks about how the Ethernet ports can be configured. In the Magnum DX devices, the Ethernet ports can be set up as switch ports or routed ports. Other issues such as Static MACs, ARP cache etc. are also discussed in this chapter.

Chapter 7 shows how RSTP can be used with ports setup as Bridge Groups.

Chapter 8 discusses VLANs and inter-VLAN routing.

Chapter 9 configures DHCP server to service DHCP requests from the various IP routable networks setup.


Chapter 10 provides a lot of useful information for Serial connectivity. Serial ports are available with Magnum DX devices. Examples of how terminal services can be used, along with some troubleshooting tips, are also covered in this chapter.

Chapter 11 builds on Chapter 10 and shows how secure serial connectivity can be established using MNS-DX.

Chapter 12 discusses Modbus protocols on Serial ports as well as Ethernet ports.

Chapter 13 discusses Wide Area Networking and how the different interfaces can be configured for WAN connectivity.

Chapter 14 configures PPP.

Chapter 15 discusses QoS.

Chapters 16 through 18 focus on Routing.

Chapter 16 discusses RIP.

Chapter 17 discusses OSPF.

Chapter 18 focuses on BGP.

Chapter 19 shows how redundancy can be introduced in routing using VRRP.

Chapter 20 starts to introduce concepts on security with NAT and PAT.

Chapter 21 talks about Security Certificates.

Chapter 22 talks about other security considerations such as Address Locking, RADIUS and more.

Chapter 23 shows how Firewall services can be used to secure traffic flow.

Chapter 24 discusses how VPNs can be configured. This chapter includes several examples and also has a state diagram of MNS-DX stack to show the interaction of different modules (MNS-DX applications) on setup.

Chapter 25 discusses Events and notifications from MNS-DX and how they can be sent to various places.

Chapter 26 discusses SNMP and how SNMP can be configured and used.


Chapter 27 shows how some wizards included with MNS-DX can be used to ease configuration.

There are several appendices included as well.

If you find an error or have a helpful tip on the layout or informational content of this or any other GarrettCom manual, please feel free to contact us via email with any problems or helpful information. All enquiries will be responded to with a correction or whatever resolution is required. Please send all comments to [email protected] or phone a support engineer at 510-438-9071.

Other Documentation

The DX installation guides can be found on their respective web pages. For example, the DX940 installation guide can be found at the www.garrettcom.com web site. Once on the web site navigate to Product and then to the router of choice - in this example, DX940. The URL in the example is http://www.garrettcom.com/dx940.htm - on that web page click on the URLs to download the necessary documents needed.


Chapter 2

2 – Getting Started

First few simple steps …

This section explains how the GarrettCom Magnum DX family of routers can be set up using the console port on the router. Some of the functionality includes setting up the IP address of the router, securing the router with a user name and password, and more.

Before starting

Before you begin, it is recommended that you acquire the software and necessary hardware listed below.

1) Make sure you are using the latest version of MNS-DX.
2) Make sure you know the IP address or the logical name of the router and can ping the router. If you do not know the IP address or cannot ping the router, please follow the steps listed below in the section on Console connection.
3) Make sure you have a browser that supports secure socket connections.
4) Should you need to configure the router using the Command Line Interface (CLI), it may be necessary to use the serial connection. To use the serial port, follow the guidelines below.

• A new router from GarrettCom will have a static IP address of 192.168.1.2 with a netmask of 255.255.255.0
• Ethernet interface E2 is active for DX40 routers, E4 is active for DX800 and DX900, E6 for DX940 routers and E5 is active for DX1000 routers. All other interfaces are disabled (except the console port).

Once a router is assigned a static IP address, a browser can be used to configure the router. Type in the URL https://192.168.1.2 to start using SWM (Secure Web Management). If a different IP address is used, please use that IP address accordingly.


Console connection for CLI

This section can be used to set the IP address initially for the router. The Command Line Interface (or CLI) is used to set as well as reset the IP address if needed.

The connection to the console is accessed through the serial port available as a DB-9 RS232 connector on the router, marked as “console” on the Magnum DX family of routers. This interface provides access to the commands the router can interpret and is called the Command Line Interface (or CLI). This interface can be accessed by attaching a VT100 compatible terminal or a PC running a terminal emulation program (such as TeraTerm, HyperTerminal or PuTTY).

For using the serial port, make sure you have the following:
1) A male-female null modem cable. This cable should be included with most DX family routers purchased.
2) Serial port – if your PC does not have a serial port, you may want to invest in a USB to serial converter. This is again available from LANstore or from GarrettCom Inc. Alternately a USB to serial cable can also be used. This cable is also available from LANstore or GarrettCom Inc.
3) A PC (or a workstation/computer) with a terminal emulation program such as HyperTerminal (included with Windows) or PuTTY, TeraTerm Pro, minicom or other equivalent software.
4) Enough disk space to store and retrieve the configuration files as well as copy software files from GarrettCom. We recommend at least 15MB of disk space for this purpose.
5) For access security – decide on a manager level account name and password.
6) IP address, netmask, default gateway for the router being configured.

You can use the CLI to configure the IP address for the router. Once the IP address is assigned, you can start using the Secure Web Management (SWM) on the GarrettCom Magnum DX family of routers.

Once the router is configured with an IP address, Command Line Interface (or CLI) is also accessible using ssh.

The Command Line Interface (CLI) enables local or remote unit installation and maintenance. The Magnum DX family of routers provides a set of system commands which allow effective monitoring, configuration and debugging of the devices on the network.


Console setup

Connect the console port on the router to the serial port on the computer using the serial cable listed above. The settings for the HyperTerminal software emulating a VT100 are shown in Figure 1 below. Make sure the serial parameters are set as shown (bps = 38400, data bits = 8, parity = none, stop bits = 1, flow control = none).

FIGURE 1 - HyperTerminal screen showing the serial settings; inlaid are the PuTTY settings for serial connectivity

Console screen

Once the console cable is connected to the PC and the terminal emulation software configured, MNS-DX should provide a login prompt.


FIGURE 2 - Prompt showing the login via the console port

When the CLI prompts are shown, they will be shown as MagnumDX, as this manual was documented on a Magnum DX900 router.

Logging in for the first time

For the first time, use the default user name and passwords assigned by GarrettCom for the Magnum DX routers. They are:

Username – manager
Password – manager

We recommend you login as manager for the first time to set up the IP address as well as change user passwords or create new users.

Setting the IP parameters

The IP parameters can be set up from the web interface as well as the console interface. If the web interface is used, please make sure to point the browser to the new IP address once the address has been changed.

To setup the router, the new IP address and other relevant TCP/IP parameters have to be specified. Using the console interface is shown below.


FIGURE 3 – On the console, after logging in, enter the IP menu to setup the IP address

FIGURE 4 – MNS-DX has help commands built in. In the above example, use the "?" key to get help. The "?" key shows all the relevant commands for the IP command sub menu. We next want to use the "set" command to set the IP address. To go about using it, use "set ?" and it shows the choices. The obvious choice to set the address is to use the "set address" option


FIGURE 5 – Using the "?" help feature of MNS-DX, the above example shows how the administrator can get assistance each step of the way. Here the administrator types in the appropriate values for the command until no more mandatory options are needed. The optional arguments for the command line are shown in "[" and "]". Once the address is set, the help feature is used in the same way to determine if the address is set properly. Make sure you "save" the settings after setup

Console connection - DX40

Magnum DX40 does not have a dedicated console port. The serial port S1 doubles as a console port and serial port. To access the CLI on a DX40 follow the steps below:
1) Connect a serial port on your PC and port S1 on the DX40 with a serial cable
2) Start up a terminal emulator (HyperTerminal, PuTTY or other) configured as described above
3) Power up the DX40. If power to the DX40 is on, turn it off (that is, unplug the power cord) and restore power (plug the power cord back in)
4) As soon as the connection is made on the terminal emulator, hold down the space bar on your keyboard until the MNS-DX boot menu appears
5) To set the IP address, use the proper option shown on the menu. In this case it is "2"
6) To boot with the console port on serial port S1, use "c" and then Enter
a. The device reboots with S1 set to a console port.
b. On a reboot, the console port S1 is reset back to function as a serial port.


c. If any changes are made to the configuration using S1 as a serial port, do not forget to save the changes. All changes will be lost when the device reboots.

FIGURE 6 – On power up, if the space key is held down, the menu appears on serial port S1

FIGURE 7 – Setting the IP address on DX40


Web browser

In the web browser, enter the URL https:// followed by the IP address of the router.

Make sure you use HTTPS (secure HTTP) in the URL to ensure secure connectivity

If the IP address of the router is set to 192.168.5.254, the URL would be

https://192.168.5.254

Note - the default IP address is 192.168.1.2

If your site uses name services, you can use a name instead of the IP address. Please make sure that the name is resolved to the IP address assigned to the router.

FIGURE 8 – Security certificate – click “yes” to proceed

The secure site (in this case the router) issues a certificate check. Once you click “Yes” on the security certificate, the browser will prompt you to login.


For further information on Browser certificates, please refer to the appendix in this manual titled Browser Certificates.

FIGURE 9 – Login screen – Before the login screen is shown, a security banner is displayed. Click on "Continue" to get to the login screen, as shown below. This banner is shown if the MNS-DX-SECURE license key is installed. This banner can be disabled if needed.

For the first time, login with the name “manager” and password “manager”

FIGURE 10 – Login with the proper user name and password. For the first time use manager as Login ID and manager as the Password


Ports shown in red are not active

FIGURE 11 – After a successful login the initial screen displaying the device ports is shown. This screen is called the Virtual Front Panel

After a successful login, the welcome screen is shown. Note the information provided on the welcome screen.


Callouts in Figure 12: Menus or Navigation Area; Uptime and MNS-DX version (includes Licenses); IP + user + system (if set)

FIGURE 12 – Welcome screen (using the DX900 router). Note the different information provided on the screen and different areas. The menus are used to configure settings on the router

The menus and the operations will be consistent across the different routers in the Magnum DX family of routers. The welcome screen represents a snapshot of the operating state of the router as well as what the administrator would see if s/he were to be physically present in front of the router.

In the figure above, ports shown in red are not active. The status of the LEDs is also reflected appropriately.

The ports are labeled as follows:

W1 (and / or W2) - indicates the WAN ports. Not all models have WAN ports on them.
E1, E2, E3, E4 - indicates the Ethernet ports. DX1000 has E1 through E5 as Ethernet ports. DX40 has only two Ethernet ports. DX940 has Ethernet ports E3 through E6 as 10/100 ports and optionally E1 and E2 as 10/100/1000 ports.
S1, S2, S3, S4 - Serial IO ports. DX1000 has 12 serial ports. DX40 has only two serial ports. DX800, DX900 and DX940 have four serial ports. On DX940 the serial ports are optional.
Console - shows the console port.
Alarm - shows the alarm port for external alarm triggers.

The rest of the chapter steps through the Administration menus.


Administration menus

The administration menus provide functions needed for proper administration of the system. This includes setting up the system parameters such as system name, location, time and time synchronization. Other administration functions include software upgrades, falling back to a previous version, and system reboot. A synopsis of the menus is shown below.

FIGURE 13 - Administration Menus. At any time, if the "+" symbol on the menus is clicked, the menus associated with that function are exposed

Moving forward, only the relevant portion of the screen will be shown for the router as displayed above.

User management

To manage users, the Authentication menu is used.

FIGURE 14 - Authentication menu allows for authentication of users. This includes adding users, setting policies for user passwords and authentication. Finally, it also allows adding users in bulk under the "Files" sub-menu


Authentication

Authentication is the process whereby the system confirms that a prospective user is the person he or she claims to be.

The authentication screens enable you to set system-wide security policies, add or delete user accounts, and maintain user account information.

Authentication: Policies

The Authentication Policies enable the administrator to set various time, event, and password limitations to enforce authentication.

FIGURE 15 - Authentication: Policies menu enables the administrator to set various time, event, and password limitations to enforce authentication

The table below lists the functions of each of the menus, the default values, and also lists a recommended value.


Table 1 - List of Administration : Authentication : Policies Menu Field Values

Bad login attempts before lockout – The number of consecutive failed login attempts before a user is locked out. A user is locked out by setting the Locked Out? field in the user's account to “Yes”.
Default value = 5
Valid range = 1 - 5
Recommendation - based on the security policies of the organization, it is recommended to set the value to either 3 or 5.

Lockout Time – The amount of time a user account spends in the suspended state after being locked out. This parameter takes one of the following values: 5 minutes (default), 30 minutes or 1 hour.
Recommendation - based on the security policies of the organization, it is recommended to set the value to at least 5 minutes.

Enforce Secure Passwords – Setting this value to 'Yes' forces secure passwords which have to comply with the following standards:
• Length of 8 characters minimum
• Must consist of at least 2 of the 3 character types*: Alphabetic, Numeric, Printable Special characters
Default value = No
*Spaces are not allowed in any password, regardless of this setting
Recommendation - unless the device is in a lab, enforcing strong passwords is recommended.

Password Ageing (Days) – Newly created accounts that are not part of the administration group can have their passwords expire by setting this value to the number of days a password is valid before a change is required. Once the number of days is exceeded, users are forced to change the password on the next login. Valid settings for this option are: None, 30 Days, 60 Days, 90 Days.
Default value = None (which implies passwords are not aged)
Recommendation - a good security policy ages passwords at least once every 90 days. Along with ageing, secure passwords are enforced.

Inactive User Expiration (Days) – Newly created accounts that are not part of the administration group can be set to expire when they have been inactive (that is, no logins) for a number of days exceeding the value specified here. A setting of 0 (default) disables this feature; otherwise the number of days of inactivity before being locked out ranges from 1 to 255. Once the value is set, existing accounts will start the user expiration on the login attempt after this change is made.
Recommendation - a good security policy expires unused accounts. Unused accounts minimally should expire every 60-90 days.
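The rules in Table 1 can be checked offline before accounts are created. The following is an added example, not GarrettCom's code: it encodes the valid ranges of each policy field and tests candidate passwords and account dates against them. The function names are this example's own, and "printable special" is taken to mean ASCII punctuation, which is an assumption.

```python
"""Added example (not GarrettCom's code): a checker that mirrors the
Administration : Authentication : Policies rules from Table 1, so a
chosen policy can be tested against candidate passwords and accounts
before users are created.  Function names are this example's own;
only the rules and ranges come from the table."""
from datetime import date
import string

LOCKOUT_TIMES_MINUTES = (5, 30, 60)        # 5 minutes (default), 30 minutes, 1 hour
PASSWORD_AGEING_DAYS = (None, 30, 60, 90)  # None = passwords are not aged (default)


def policy_problems(bad_attempts, lockout_minutes, ageing_days, inactive_days):
    """Return the policy fields whose value is outside the range Table 1 allows."""
    problems = []
    if not 1 <= bad_attempts <= 5:
        problems.append("bad login attempts before lockout: valid range 1 - 5")
    if lockout_minutes not in LOCKOUT_TIMES_MINUTES:
        problems.append("lockout time must be 5, 30 or 60 minutes")
    if ageing_days not in PASSWORD_AGEING_DAYS:
        problems.append("password ageing must be None, 30, 60 or 90 days")
    if not 0 <= inactive_days <= 255:
        problems.append("inactive user expiration: 0 (off) or 1 - 255 days")
    return problems


def password_problems(password, enforce_secure=True):
    """Return the rules a candidate password breaks (empty list = accepted).

    The no-spaces rule applies regardless of 'Enforce Secure Passwords';
    the 8-character and character-class rules apply only when it is 'Yes'.
    The 6-character minimum is the Password field minimum from Table 2.
    'Printable special' is taken here to mean ASCII punctuation (assumption)."""
    problems = []
    if " " in password:
        problems.append("spaces are not allowed in any password")
    if len(password) < 6:
        problems.append("below the 6-character field minimum")
    if not enforce_secure:
        return problems
    if len(password) < 8:
        problems.append("secure passwords need at least 8 characters")
    classes = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < 2:
        problems.append("need 2 of 3 types: alphabetic, numeric, printable special")
    return problems


def must_change_password(last_changed, today, ageing_days, is_admin=False):
    """Password ageing: applies only to accounts outside the administration group."""
    if is_admin or ageing_days is None:
        return False
    return (today - last_changed).days > ageing_days


def account_expired(last_login, today, inactive_days, is_admin=False):
    """Inactive user expiration: 0 disables it; administration accounts are exempt."""
    if is_admin or inactive_days == 0:
        return False
    return (today - last_login).days > inactive_days


if __name__ == "__main__":
    print(policy_problems(3, 5, 90, 60) or "policy values accepted")
    # The factory default password does not meet the secure-password rules.
    for candidate in ("manager", "manager1", "Magnum-DX900", "bad pass"):
        print(candidate, "->", password_problems(candidate) or "accepted")
```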


Adding Users

To add a user, use the Authentication : Accounts menu as shown below. This screen enables an administrator to add or delete users, perform maintenance tasks such as unlocking an account, and more.

FIGURE 16 - Adding users - select the accounts option

There is one default account setup for MNS-DX with the login name "manager". As stated earlier, the default password is "manager".

Make sure to change the default password on the manager account

The table below lists all the menu items.


Table 2 - List of Administration : Authentication : Accounts Menu Field Values

Login Name – The name associated with this account. It must be entered along with the password in order to access the system’s user interface. Each login name on a given DX device must be a unique name of up to 40 printable characters.

Group Name – Use the drop-down list to assign this user to one of three privilege levels. The privilege levels are:
• Admin: Members of this group may perform all functions including managing software, user accounts, and configuration files
• Read-Write: Members of this group may perform all configuration functions with the exception of software, user account, and configuration file management
• Read-Only: Members of this group are like Read-Write except they cannot change any parameters.

Suspended? – This flag determines whether or not a user is allowed to log in to the system. The suspended flag may be set or cleared at any time by an administrator.

Locked Out? – This flag also determines whether or not a user is allowed to log in to the system. The “Locked Out?” flag is set and cleared by the system based on the failed login attempts policy. This flag may also be manually cleared by an administrator. Unlike the “Suspended?” flag, it is not stored in non-volatile memory and therefore its state does not persist across resets.

Password – The password associated with this account. To create or change an account’s password enter the new password here. Characters in the password are masked out and echoed back as the bullet character. The field length minimum is 6 alphanumeric characters.

Re-Type Password – Confirm the initial password entry by re-typing it in this field.

Administrative Notes – This field contains arbitrary text up to 31 printable ASCII characters.

Delete – Set the Delete checkbox in a row and click Apply Settings to delete that account.

In the example below, we add a user with the login name administrator.


FIGURE 17 – Adding a user with the login name "administrator". Once the fields are filled out, click on Apply settings

The necessary fields are filled out as shown in the figure above. On proper completion, the screen will look as shown below.

FIGURE 18 – Once the user is added, the user appears in the Existing User Accounts table

We add additional users as shown below.


FIGURE 19 – Adding different types of users

Creating Common Users among DX devices

Once users are created on a DX device, the user information can be saved. The saved information can be uploaded into another DX device, allowing bulk loading of users across different devices. To do that, select the Administration : Authentication : Files menu as shown below.

FIGURE 20 – Importing users or exporting users

In the prior section, we added different users. Once the users are added, the "users.xml" file is updated. This XML file can be created manually or saved from the device. To save it, click on the hyperlink users.xml as shown below.


FIGURE 21 – Exporting users

The screen below shows the XML file descriptor for adding users. The figure calls out the following parts of each user entry:

• Start of the field to describe the user
• User number 1 or userid #
• Login name
• Group or capabilities associated with the login name
• Whether the account has been suspended
• Encrypted password. This field can be copied once an account has been added
• Descriptor - max 31 characters

FIGURE 22 – Descriptor for the user files. Note the version would reflect the MNS-DX version. In this example, a file from version 2.0.1 is displayed

For the user ids created in the previous section the XML file would look as follows:


FIGURE 23 – XML file for all the users

This XML file can be copied and restored on another DX device to import all the users.
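Before a users.xml file is imported on another device it is worth checking it against the account rules from Table 2. The script below is an added example, not code from this guide or from GarrettCom: it parses a constructed users.xml and reports entries that break the rules (duplicate login names, login names over 40 printable characters, an unknown group, notes over 31 characters) and warns when the factory default "manager" account is still active. The element names (users, user, id, login, group, suspended, password, notes) are assumptions chosen to mirror the callouts in Figure 22; the real file may use different names, so adjust the tag names to match an export from your own device.

```python
"""Audit an exported MNS-DX users.xml before importing it elsewhere.

Added example, not from the guide. Element names are assumed (see lead-in);
the limits come from Table 2 of the guide.
"""
import xml.etree.ElementTree as ET

VALID_GROUPS = {"Admin", "Read-Write", "Read-Only"}
MAX_LOGIN = 40   # login name: up to 40 printable characters
MAX_NOTES = 31   # administrative notes: up to 31 printable ASCII characters
DEFAULT_LOGIN = "manager"  # factory default account named in the guide

# Constructed sample file; hashes are placeholders, not real password data.
SAMPLE_USERS_XML = """<?xml version="1.0"?>
<users version="3.0.4">
  <user><id>1</id><login>manager</login><group>Admin</group>
        <suspended>No</suspended><password>HASH-PLACEHOLDER-1</password>
        <notes>factory default account</notes></user>
  <user><id>2</id><login>administrator</login><group>Admin</group>
        <suspended>No</suspended><password>HASH-PLACEHOLDER-2</password>
        <notes>site admin</notes></user>
  <user><id>3</id><login>operator</login><group>Read-Write</group>
        <suspended>No</suspended><password>HASH-PLACEHOLDER-3</password>
        <notes></notes></user>
  <user><id>4</id><login>viewer</login><group>Read-Only</group>
        <suspended>Yes</suspended><password>HASH-PLACEHOLDER-4</password>
        <notes>on leave</notes></user>
  <user><id>5</id><login>operator</login><group>Superuser</group>
        <suspended>No</suspended><password>HASH-PLACEHOLDER-5</password>
        <notes>this note is longer than thirty-one chars</notes></user>
</users>
"""


def audit_users(xml_text):
    """Return a list of (user id, finding) tuples for rule violations."""
    root = ET.fromstring(xml_text)
    findings = []
    seen_logins = {}
    for u in root.findall("user"):
        uid = (u.findtext("id") or "?").strip()
        login = (u.findtext("login") or "").strip()
        group = (u.findtext("group") or "").strip()
        notes = (u.findtext("notes") or "").strip()
        suspended = (u.findtext("suspended") or "No").strip().lower() == "yes"

        if not login or len(login) > MAX_LOGIN or not login.isprintable():
            findings.append((uid, "login must be 1-40 printable characters"))
        if login in seen_logins:
            findings.append((uid, f"duplicate login {login!r} (also id {seen_logins[login]})"))
        else:
            seen_logins[login] = uid
        if group not in VALID_GROUPS:
            findings.append((uid, f"unknown group {group!r}"))
        if len(notes) > MAX_NOTES:
            findings.append((uid, f"notes exceed {MAX_NOTES} characters"))
        if login == DEFAULT_LOGIN and not suspended:
            findings.append((uid, "factory default account is active: confirm its password was changed"))
    return findings


if __name__ == "__main__":
    for uid, finding in audit_users(SAMPLE_USERS_XML):
        print(f"user id {uid}: {finding}")
```

Run it against a real export by replacing SAMPLE_USERS_XML with the file contents; the password hashes are never interpreted, only carried through, so the file can be audited without exposing credentials.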


Deleting Users

To delete a user, check the users to be deleted and click Apply Settings as shown below.

FIGURE 24 – Deleting users - select the "Delete" check box and then click on "Apply Settings"

Modify Password

In the figure below, select the user whose password needs to be changed and simply type in the new password. Once the password is entered, click Apply Settings to update the password.

FIGURE 25 – Modifying passwords


Suspending a User

Sometimes it may be necessary to suspend a user due to absence or other reasons. This can be done as shown below.

FIGURE 26 - Suspending a user. After clicking "No" in the "Suspended?" column, the suspended user is no longer suspended

Locked Out User

Repeated failed attempts to log in to an account will lock the user out. The duration of the lockout is determined by the Authentication Policies, as discussed earlier. When a user is locked out, a drop-down box appears in the Locked Out? column as shown below.

FIGURE 27 - Locked Out user. The column "Locked Out?" shows the user has been locked out. To unlock the user, change the "Yes" to a "No" and then click on "Apply Settings"

To unlock the user, change the locked out field from Yes to No and click on Apply Settings.


Note - once a locked out user is detected, it is advised to see who was trying to log in and with what kind of password. That information is available in the log files. To view the log files, select the menu as shown below.

FIGURE 28 - Viewing Logs. A history of logs is kept. Here we view the current or Active log

FIGURE 29 - The log file shows the repeated unsuccessful login attempts on user administrator. After the 5th invalid attempt the account was suspended
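Reviewing the Active log by hand works for one device, but the same check can be scripted when logs from several DX routers are collected centrally. The following is an added example, not code from this guide or from the device: it scans constructed log lines for runs of failed logins against one account and reports the accounts that reached the lockout threshold, together with the source addresses involved. The line format ("YYYY-MM-DD HH:MM:SS AUTH login failed user=... src=...") is an assumption made for the example; the real MNS-DX log format is not reproduced in the guide, so the regular expression must be adapted to it. The threshold of five attempts matches Figure 29; the ten minute window and the rule that a successful login resets the count are assumptions of the example, not the device's policy.

```python
"""Flag accounts that hit the failed-login lockout threshold in a log.

Added example, not from the guide. The log line format is constructed for
illustration; adapt LINE_RE to the real MNS-DX log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed, not the device's real format).
SAMPLE_LOG = """\
2011-04-01 09:12:03 AUTH login ok user=manager src=192.168.1.10
2011-04-01 09:15:41 AUTH login failed user=administrator src=192.168.1.50
2011-04-01 09:15:48 AUTH login failed user=administrator src=192.168.1.50
2011-04-01 09:15:55 AUTH login failed user=administrator src=192.168.1.50
2011-04-01 09:16:02 AUTH login failed user=administrator src=192.168.1.50
2011-04-01 09:16:09 AUTH login failed user=administrator src=192.168.1.50
2011-04-01 09:16:20 AUTH account locked user=administrator
2011-04-01 09:30:00 AUTH login failed user=operator src=192.168.1.77
2011-04-01 09:31:00 AUTH login ok user=operator src=192.168.1.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) AUTH login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_events(text):
    """Turn matching log lines into dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_lockout_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: summary} for users with >= threshold failures inside
    `window`. A successful login clears the streak (assumption of this
    example). The summary lists the distinct source addresses seen."""
    streaks = defaultdict(list)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "ok":
            streaks[user] = []
            continue
        # keep only failures that are still inside the window
        streak = [f for f in streaks[user] if ev["ts"] - f["ts"] <= window]
        streak.append(ev)
        streaks[user] = streak
        if len(streak) >= threshold:
            flagged[user] = {
                "failures": len(streak),
                "sources": sorted({f["src"] for f in streak}),
                "first": streak[0]["ts"],
                "last": streak[-1]["ts"],
            }
    return flagged


if __name__ == "__main__":
    for user, info in find_lockout_candidates(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{user}: {info['failures']} failures from {info['sources']} "
              f"between {info['first']} and {info['last']}")
```

The source address list is the useful part for the administrator: a single address hammering one account looks different from a user who has simply forgotten a password, and it is the detail the note above asks you to look for before clearing the Locked Out? flag.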

User sessions

Once the users are set up, it is necessary to set up user session policies (for example, when to log out a user who has been idle for some time), to see who is actively logged in, and to change the login banner if needed. This section covers these topics.


Policies

Session policies include logging a user out if the user has been idle for more than the specified time. The policy as to whether the user sees the login banner or not when they access the DX router can also be set up here, by accessing Administration → Sessions → Policies.

FIGURE 30 - Setting up user Session policies. In this example, if the user is idle for more than one hour, the session is ended automatically. Also the policy of whether the user sees the welcome banner or not is set here (Login Banner option)

Active Logins

At other times it may be necessary to see all the users who are currently active on the device, i.e. users who are actively logged in to the device. This can be viewed as shown below.

FIGURE 31 - Displaying all the active sessions

To force a user off, select a user in the "Delete" column and click on "Apply Settings" as shown below.


FIGURE 32 - To force a user off the system, select the user under the "Delete" column and click "Apply Settings"

After the above action, the user "administrator" is forced off.

Login Banner

It may be necessary to customize the login banner. This feature is available if the MNS-DX-SECURE license key is installed. To customize the banner, use the Administration → Sessions → Login Banner menu as shown below.

FIGURE 33 - Customizing Login Banner. Type over the existing text and click Submit when done. It is a good idea to log out and log in again to ensure that the banner text appears properly

Other Administrative Tasks

There are several other administrative tasks the network administrator should perform. Some of them should be done at initial setup time; others at a later date, for example, when an MNS-DX update is needed.


System Information

System Information allows the Administrator to define the following fields. Access the System Information menus using Administration → System → Information as shown below.

FIGURE 34 – Updating the System Information via Administration → System → Information as shown above. Once the proper information is entered, click on Apply Settings

In the menu above:
• System Name - logical name associated with the router.
• System Location - where the router resides.
• System Contact - person who should be contacted for issues related to the device.

System Status

System Status provides different resource utilization information. To access the System Status, use Administration → System Status as shown below.


FIGURE 35 – Status of the device

In the above menu:

• System CPU Utilization - The percentage of system CPU currently in use.
• System Memory Utilization - The percentage of dynamic system memory currently in use.
• Ethernet-CPU Buffer Utilization - The software maintains a fixed size queue of buffers for received Ethernet frames. This parameter is the percentage of these buffers currently holding a received frame that has not yet been processed by the IP stack or other network application.
• Ethernet-CPU Rx Drops - The number of Ethernet frames that were dropped due to queue overflow.
• WAN-CPU Buffer Utilization - The software maintains a fixed size queue of buffers for received WAN frames. This parameter is the percentage of these buffers currently holding a received frame that has not yet been processed by the IP stack or other network application.


System Time

It is important to update the system time. This time information is used for many purposes, including time stamping log information. The steps involved in keeping the time accurate are to first set the time zone with any DST adjustments as needed, then set the time. Once the time is set, synchronize the time using SNTP.

Time Zone and DST

To set the Time Zone and DST rules, click on Administration → Time Zone and DST. In the menu, Standard Time = UTC +number or -number sets the UTC offset for the timezone. Daylight Savings Time (DST) can be enabled or disabled, depending on whether the DST time rules are followed or not. The DST rules can be customized to include the start date and end date. If desired, predefined rules (e.g. rules for the USA) are included.

Once the settings are entered, click on Apply Settings and then Save to make the changes permanent.

FIGURE 36 – Updating Time Zone and DST information

The Time Zone offset is specified and if the country uses Daylight Savings time, the rules for well known countries are built into MNS-DX. If the rules change or if the rules are not available, the start and stop dates can be specified. The options for the Time Zone are specified in the Table below.

Table 3 - List of Administration : Time : Time Zone and DST (Field Name: Field Value)

Standard Time=UTC: Your offset from the UTC. Value is in hours:minutes. Range is from -12:59 to 12:59. Example: Eastern (US) Standard UTC Offset = -5; Daylight Saving Offset = -4.

Daylight Saving Time: If enabled, use the following fields to specify the period of the year during which daylight saving time will be in effect, either by specifying the beginning and end date and time or by selecting a pre-defined national DST rule, which will automatically supply the beginning and ending values. System time will be automatically adjusted according to the specified dates. If disabled, standard time will be used throughout the year.

Starts the first...: Specify the day, date, and time when DST begins.

Ends the first...: Specify the day, date, and time when DST ends.

Copy DST rule of: Select a pre-defined national DST rule from the drop-down list. This will automatically supply the beginning and ending values.

FIGURE 37 – Specifying Time Zone and Daylight Savings time. The figure calls out the Time Zone Offset, the Enable/Disable DST option, and the option to copy the DST rules of well known countries; the Start / Stop dates are modified accordingly

Once the Time Zone (and DST options) are set, it is important to set the time and then to decide whether the setting will be remembered on the internal clock or whether the time will be reset every time. This is the Persistence option on the Time menu.

Time and Date

To update the time and date information use Administration → Time → Time and Date as shown below.

FIGURE 38 – Updating Time and Date - enter in the time (24 hour format) and date as MM/DD/YYYY and click on Apply Settings


Time is specified in 24 hour clock and Date is specified in mm/dd/yyyy format.

Time Persistence

Time Persistence is used to support systems that do not have a clock with battery backup. When the power to these systems is cycled, the clock may come up in an undefined state. With persistence enabled the clock is set to the last known good time and date. This time and date clearly will not be correct but is likely to be close enough to the actual time and date, enabling the system to continue operating without difficulty.

This feature is useful in an environment where a DX router keeps its time and date current via an NTP server that it accesses through a VPN tunnel that uses certificates for authentication. If the power to the DX device is cycled and the time and date were to come up in an undefined state, it is likely that the VPN authentication would fail because the system's time and date would not match the validity dates on the VPN peer certificate. The system would then not be able to access the NTP server and would be permanently cut off from the network. However, if the time and date were set to some time and date from the recent past, the VPN authentication would succeed, the tunnel would be established, and the DX device would be able to resynchronize its time with the NTP server.

FIGURE 39 – Time Persistence

DX40 does not support a battery backup for the Real Time Clock.

Adding License Keys

Software features can be added to MNS-DX by adding license keys. The license keys available are as follows:
• MNS-DX-SECURE – adds security features to MNS-DX. These include features such as login banner, Firewall, RADIUS, VPN and more.
• MNS-DX-ADVAR – adds advanced routing features such as BGP and OSPF.


Throughout the manual the features activated by the appropriate license keys are shown with the appropriate icons.

FIGURE 40 – Icons depicting the necessary functionality in this Manual

Example – adding MNS-DX-SECURE license keys

To add the license keys, use the Administration → Software Features menu as shown below.

FIGURE 41 – Adding the MNS-DX-SECURE License key. The feature key is covered in this example

In the above menu, under "Add License Key", the "Module" name can be SECURE or ADVAR for the MNS-DX-SECURE and MNS-DX-ADVAR license keys respectively. After the feature key is added, the router needs to be rebooted. After the reboot, the feature key is active and the Virtual Panel shows the added feature.


FIGURE 42 – After the upgrade, the license keys are displayed on the Virtual Front Panel

After adding both the SECURE and ADVAR license keys, the front panel will look as shown below.

FIGURE 43 – License keys are displayed on the Virtual Front Panel

Note - License keys are retained when "return to factory defaults" is executed via the boot menu.


Exiting

To exit or log out, click on the "Logout" button.

FIGURE 44 – Logout


Chapter 3

3 – IP Address and System Information

Few simple steps to follow…

This section explains how the DX devices can be set up as switch ports or routed ports and can be changed as needed.

IP Addressing

It is assumed that the user has familiarity with IP addresses, classes of IP addresses and related netmask schemas (e.g. Class A, Class B and Class C addressing).

Setting the IP address

The default IP address of the device is 192.168.1.2 with a netmask of 255.255.255.0 - this allows the device to connect easily to any other device on the 192.168.1.x network. It is also important to note that only one interface of the device is active at a given time. For the different products, the following ports are active:

Device: Port Number
• DX40: Ethernet Port E2
• DX800, DX900: Ethernet Port E4
• DX940: Ethernet Port E6
• DX1000: Ethernet Port E5

Once connected, the device can be managed and configured using one of the following options:

• Use the web interface to manage the DX router.
• Use ssh to access the CLI.
• Use any SNMP Network Management software to manage the device.


To set the IP address using CLI, please refer to the section in Chapter 2 – Getting Started.

The DX Ethernet ports can be used as all switch ports (or belonging to the same switch group or a bridge group) or each port acting as a routed port, with a unique IP address.

If all ports are used as a switch group, the DX acts as a router routing packets between the default interface's IP address and the switch ports on the DX device. The default IP address is used for management of the DX device only, and in this case the routing functions are between the WAN ports and the switch ports of the DX. If there are no WAN ports, the DX acts as a switch device participating as a Layer 2 switch.

FIGURE 45 - The DX router Ethernet ports can be set up as a switch group allowing the DX to participate in a switched network. The IP address of the device is for accessing the management interface.

Switching ports

The example below shows how the DX Ethernet ports can be set up as switch ports or ports belonging to the same Bridge group.


Enabling Ethernet Ports

To enable Ethernet ports, set the Admin Status of the ports under the Ethernet → Ports → Settings menu to "Enabled" as shown below.

FIGURE 46 - Enabling Ethernet Ports

After the ports are active, make sure all the ports are in the same bridge group (usually determined by the VLAN the port belongs to; in this example there is only one VLAN, VLAN 1, the default VLAN. VLANs are discussed later in the chapter on VLANs). This is done by using the menu Ethernet → Bridge → Port Settings as shown.

FIGURE 47 - Setting all Ethernet ports to the same Bridge group i.e. ensuring that the ports are switch ports. Note: the ports can be mixed and matched as switched and routed ports as needed

Finally - ensure that the IP address is set as needed.


FIGURE 48 - Set the IP address as needed. If necessary, change the IP address to match the IP address schema of the switched network. If the IP address is changed, please make sure the browser points to the new IP address to manage the DX device

Many devices do not update the information unless there are other devices connected to the network or the Link status is up. To ignore that, click on Other Options as shown below.

FIGURE 49 - Click on Other Options to ignore Link information on the interface

FIGURE 50 - On the Ignore Link option, set that to "Yes" to ignore the link information to update the status etc.

Ignore Link, shown above, should be used with caution. In most situations Link Status is important. VLANs are shown to be down unless there is a member on the VLAN, which is only reflected if Ignore Link is set to "No".


Finally, do not forget to save the changes.

Switching and Routing ports

The example below shows how the DX Ethernet ports can be set up as switch ports as well as routing ports. In this example, two routed ports corresponding to LAN1 and LAN2 are set up on E1 and E2. The switching ports are E3 and E4. The default IP address setup is used by the switching ports to access the device for management.

FIGURE 51 - In the above example, the DX device is routing between LAN1, LAN2, WAN and also participating on the switch network on the two ports. Firewall is also enabled on the device as shown, filtering traffic from the WAN port

To set up switch ports and routed ports, make sure the Ethernet ports are enabled. Next, set up ports E1 and E2 as routed ports. Finally, enable routing (RIP-II) on all ports.

Enabling Ethernet Ports

To enable Ethernet ports, set the Admin Status of the ports under the Ethernet → Ports → Settings menu to "Enabled" as shown below.


FIGURE 52 - Enabling Ethernet Ports

After the ports are active, make sure all the ports are in the same bridge group. This is done by using the menu Ethernet → Bridge → Port Settings as shown.

FIGURE 53 - Two ports are set as Bridged ports (E3 and E4), while the others are non-bridged i.e. routed ports

Apply settings after each change so that the changes take effect.

Finally - ensure that the IP address is set as needed.


FIGURE 54 - Set the IP address as needed for the different interfaces

Many devices do not update the information unless there are other devices connected to the network or the link status is up. To ignore that, click on Other Options as shown below.

FIGURE 55 - Click on Other Options to ignore Link information on the interface

FIGURE 56 - On the Ignore Link option, set that to "Yes" to ignore the link information to update the status etc.

After the Link is ignored, even though there is nothing plugged into E1 and E2, the interfaces will show as being up as the link is ignored, as shown below. Again, as stated earlier, the "Ignore Link" function should be used with caution - usually for debugging purposes. It is recommended by GarrettCom to leave "Ignore Link" set to "No" - which is the default setting.

FIGURE 57 - Once the Links are ignored, the status of the interface is changed

Click on Apply Settings for the changes to take effect.

FIGURE 58 - Enable routing on the device. More details on routing are covered in a separate chapter


FIGURE 59 - Specify the interface for routing as well as if the routing interfaces are passive i.e. listen for route updates

As always, click on Apply Settings for the changes to take effect. Finally, do not forget to save the changes. In the example above, E1, corresponding to LAN 1, will have the IP address 192.168.15.254 / 24, LAN 2 will have the IP address 10.1.1.254 / 24, and the switch ports will be E3 and E4. The router can be accessed with any of the IP addresses as long as the segment and the router for the segment are updated on the network.

DHCP address

Besides manually assigning an IP address, the IP address of an interface on an MNS-DX device can be set automatically. The two most common procedures for this are DHCP and bootp.

MNS-DX has a DHCP client as well as DHCP server capabilities.

DHCP client assumes that there is a DHCP server available to assign it an IP address.

DHCP and bootp

DHCP is commonly used for setting up addresses for computers, users and other user devices on the network. bootp is the older cousin of DHCP and is used for setting up IP addresses of networking devices such as switches, routers, VoIP phones and more. Both of them can work independently of each other and are widely used in the industry. It is best to check with your network administrator regarding what protocol to use and what the related parameters are. DHCP and bootp require their respective services on the network. DHCP and bootp can automatically assign an IP address. It is assumed that the reader knows how to set up the necessary bootp parameters (usually specified on Linux/UNIX systems in /etc/bootptab; see Note 1). DHCP today replaces bootp on most systems.

MNS-DX can be configured so that one of its ports obtains its address via DHCP, i.e. MNS-DX uses the DHCP client to acquire the IP address information from the DHCP server. The example below shows how this can be set. The interface E2 is configured to obtain its address via DHCP. Note that once the address is acquired, it is displayed on the screen.

FIGURE 60 - Setting an interface for DHCP address

FIGURE 61 - Once the IP address is acquired, the address is displayed and the status of the port changes to “Up”. The Virtual Front Panel (not shown) will also change to reflect the port now being active or “Up”

Note – the DHCP client can be setup for one interface only.

Note 1 – on Windows systems, the location of the file will vary depending on which software is being used.


The DHCP client updates the IP address, netmask, DNS servers and domain name. Like all DHCP clients it also keeps track of lease and expiry of lease, and renews the lease when the lease expires.

Using SSH and Telnet

Telnet and SSH are protocols (applications) commonly used to access the CLI interface of the router.

Telnet, rlogin, rcp and rsh have a number of security weaknesses: all communications are in clear text and no machine authentication takes place. These commands are open to eavesdropping and TCP/IP address spoofing. Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses public/private key RSA authentication to check the identity of communicating peer machines and encrypts all data exchanged. The goal of SSH was to replace the earlier rlogin, Telnet and rsh protocols, which did not provide strong authentication or guarantee confidentiality.

In 1995, Tatu Ylönen, a researcher at Helsinki University of Technology, Finland, designed the first version of the protocol (now called SSH-1). In 1996, a revised version of the protocol, SSH-2, was designed, incompatible with SSH-1. SSH-2 features both security and feature improvements over SSH-1. Better security, for example, comes through Diffie-Hellman key exchange and strong integrity checking via MACs. New features of SSH-2 include the ability to run any number of shell sessions over a single SSH connection. Since SSH-1 has inherent design flaws which make it vulnerable to, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1. While most modern servers and clients support SSH-2, some organizations still use software with no support for SSH-2, and thus SSH-1 cannot always be avoided.

In all versions of SSH, it is important to verify unknown public keys before accepting them as valid. Accepting an attacker's public key as a valid public key has the effect of disclosing the transmitted password and allowing man-in-the-middle attacks.
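What "verify unknown public keys" means in practice is comparing the key the server presents with a fingerprint obtained out of band (for example, noted down from the device's own CLI or console before the first remote login) rather than accepting whatever the first connection shows. The script below is an added example, not code from this guide or from MNS-DX: it builds the wire-format blob that OpenSSH stores in a known_hosts line, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and checks a known_hosts entry against an expected host and fingerprint using a constant-time comparison. The key bytes are a constructed pattern, not a real DX host key, and the host address 192.168.1.2 is simply the device's default management address from Chapter 3.

```python
"""Pin and verify an SSH host key fingerprint (OpenSSH SHA256 format).

Added example, not from the guide. Key material below is constructed.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Wire-format public key blob as stored (base64) in known_hosts."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def parse_blob_type(blob: bytes) -> str:
    """The first SSH string in any public key blob is the key type name."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256:<base64 without padding>, the format ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line: str):
    """Parse a plain (unhashed, no-marker) known_hosts line."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if parse_blob_type(blob) != keytype:
        raise ValueError("key type field does not match blob contents")
    return host, keytype, blob


def host_key_trusted(known_hosts_line: str, expected_host: str,
                     expected_fingerprint: str) -> bool:
    """True only if the entry is for expected_host and its fingerprint matches
    the one obtained out of band. compare_digest avoids timing differences."""
    host, _keytype, blob = parse_known_hosts_line(known_hosts_line)
    return host == expected_host and hmac.compare_digest(
        fingerprint_sha256(blob), expected_fingerprint)


# Constructed key material: 32 bytes of a fixed pattern, NOT a real key.
CONSTRUCTED_KEY = bytes(range(32))
CONSTRUCTED_BLOB = build_ed25519_blob(CONSTRUCTED_KEY)
CONSTRUCTED_LINE = ("192.168.1.2 ssh-ed25519 "
                    + base64.b64encode(CONSTRUCTED_BLOB).decode("ascii"))

if __name__ == "__main__":
    expected = fingerprint_sha256(CONSTRUCTED_BLOB)  # what you would have written down
    print("pinned fingerprint:", expected)
    print("trusted:", host_key_trusted(CONSTRUCTED_LINE, "192.168.1.2", expected))
```

To use this with a real device, paste the line the client recorded in known_hosts and the fingerprint you obtained out of band; if the function returns False, the key on the wire is not the one you expected and the session should not be used until the difference is explained.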

SSH is most commonly used:
• With an SSH client that supports terminal protocols, for remote administration of the SSH server computer via a terminal (character-mode) console; it can be used as an alternative to a terminal on a headless server.
• In combination with SFTP, as a secure alternative to FTP which can be set up more easily on a small scale without a public key infrastructure and X.509 certificates.

While there are other uses for SSH, the most common uses are described above and are relevant to this manual.

SSH uses port 22 as its default port. Note – telnet uses port 23 as its default port.


The SSH-2 protocol has a clean internal architecture (defined in RFC 4251) with well-separated layers. These are:

• The transport layer (RFC 4253). This layer handles initial key exchange and server authentication and sets up encryption, compression, and integrity verification. It exposes to the upper layer an interface for sending and receiving plaintext packets of up to 32,768 bytes each (more can be allowed by the implementation). The transport layer also arranges for key re-exchange, usually after 1 GB of data has been transferred or after 1 hour has passed, whichever is sooner.

• The user authentication layer (RFC 4252). This layer handles client authentication and provides a number of authentication methods. Authentication is client-driven, a fact commonly misunderstood by users; when one is prompted for a password, it may be the SSH client prompting, not the server. The server merely responds to the client's authentication requests. Widely used user authentication methods include the following:
  o "password": a method for straightforward password authentication, including a facility allowing a password to be changed. This method is not implemented by all programs.
  o "publickey": a method for public key-based authentication, usually supporting at least DSA or RSA keypairs, with other implementations also supporting X.509 certificates.
  o "keyboard-interactive" (RFC 4256): a versatile method where the server sends one or more prompts to enter information and the client displays them and sends back responses keyed-in by the user. Used to provide one-time password authentication such as S/Key or SecurID. Used by some OpenSSH configurations when PAM is the underlying host authentication provider to effectively provide password authentication, sometimes leading to an inability to log in with a client that supports just the plain "password" authentication method. This method is not supported.
  o GSSAPI authentication methods, which provide an extensible scheme to perform SSH authentication using external mechanisms such as Kerberos 5 or NTLM, providing single sign-on capability to SSH sessions. These methods are usually implemented by commercial SSH implementations for use in organizations, though OpenSSH does have a working GSSAPI implementation. This method is not supported.

• The connection layer (RFC 4254). This layer defines the concept of channels, channel requests and global requests over which SSH services are provided. A single SSH connection can host multiple channels simultaneously, each transferring data in both directions. Channel requests are used to relay out-of-band channel specific data, such as the changed size of a terminal window or the exit code of a server-side process. The SSH client requests a server-side port to be forwarded using a global request. Standard channel types include:
  o "shell" for terminal shells, SFTP and exec requests (including SCP transfers).
  o "direct-tcpip" for client-to-server forwarded connections.
  o "forwarded-tcpip" for server-to-client forwarded connections.

SSH is enabled on MNS-DX by default. To enable connection via telnet, enable telnet for the CLI mode.

FIGURE 62 – Enabling or disabling telnet is done in the CLI mode. The default, SSH only, is currently set for the CLI mode. From the drop down, telnet can be enabled

SSH sessions cannot originate from the DX device to another device. A maximum of eight SSH sessions can be active at the same time.

If an ssh key is required or if a key needs to be regenerated, use "ssh keygen" from the CLI interface.

SSH port forwarding

SSH port forwarding requires the MNS-DX-SECURE license key.

SSH port forwarding is a standard SSH feature that takes advantage of the general purpose secure channel established between an SSH client and an SSH server.

In addition to a standard shell session, SSH can also establish any number of TCP connections over the secure tunnel between the client and the server. SSH port forwarding allows the client and server to establish a secure tunnel that can pass data from TCP connections.


On the client side, the SSH client process establishes a secure tunnel with the SSH server and also spawns a new process that listens for TCP connections on a port specified by the client.

When an application makes a connection to this TCP port, a new session is established over the SSH tunnel. On the server side, a new TCP connection is established to a destination of the client's choice. Data sent to the client-side TCP connection is passed all the way through to the server-side TCP connection and vice versa.

FIGURE 63 – Example of port forwarding. In this example, the DX router connects to the 6K switch. The connection is tunneled, so it is sent securely over the SSH connection to the DX router; from the DX to the 6K switch the connection is not encrypted.

SSH Port Forwarding is disabled by default on MNS-DX. To enable this feature, go to the Security → CLI menu.

A client establishing a port forwarding connection must authenticate to the SSH server in the same way as if it were establishing a typical SSH connection to the DX CLI. This means that the username and password of a user account on the DX must be used. Only admin and read-write users are allowed to establish port forwarding connections.

Here is an example using the OpenSSH command line client to forward connections to a remote server running at 192.168.2.100:

ssh -N -L 11021:192.168.2.100:10201 manager@192.168.1.99

The -N option suppresses the execution of the normal SSH shell process (in our case, the creation of a DX CLI session).

The -L option specifies, in order:
1) the local TCP port
2) the remote server address
3) the remote server port


The final argument is the normal username@host string. In this case, we are connecting to the SSH server at 192.168.1.99 and authenticating as the user "manager".

When an application makes a TCP connection to the client at port 11021, it is as if that application made a connection to the remote server. The operation of SSH port forwarding is transparent to the application. In reality, the application's data is being sent encrypted between the SSH client and the SSH server.

It is possible for the client to specify the SSH server address as the remote address. This allows connections to be forwarded to a local DX service such as the terminal server.

In MNS-DX, this capability can be disabled or enabled as shown below.

FIGURE 64 – Enable SSH Port forwarding

The maximum number of SSH port forwarding sessions is 256.

Network time (SNTP Client)

Many networks synchronize the time using a network time server. The network time server provides time to the different machines using the Simple Network Time Protocol (SNTP).


Time synchronization is also needed to ensure that VPN connectivity and reconnects are successful. To configure SNTP client services, the following needs to be done:
1) Define the clock or time synchronization source. Common ones are time.nist.gov as well as time sources maintained by ntp.org. For North America, the one commonly used is north-america.pool.ntp.org. Internal clock sources can be used as well. Make a list of the IP addresses of these clock sources.
2) Define the polling interval, i.e. how often time should be synchronized. Normally this is done once every few hours, or once a minute for critical resources.
3) Define the interface on which the SNTP queries should be sent out. If not sure, use "Any" as the interface.

Configure the SNTP parameters using the Administration → SNTP menu.

FIGURE 65 – SNTP parameters – set the global settings. See table below for different options


Table 4 - List of Administration : SNTP : Global Settings

Field Name – Field Value

Mode – Indicates if and how the SNTP client should be used to set the system's time and date information. This parameter takes one of the following values:
Active – system time and date information is taken from a configured SNTP server.
Passive – system time and date information is retrieved from SNTP information that is broadcast periodically from an SNTP server.
Disabled – SNTP will not be used to acquire the current time.

Polling Interval – The frequency in seconds at which the SNTP server will be accessed to obtain the correct time when Active mode is selected. Default value = 60 (poll once per minute). Valid range = 15 – 86400.

Local IP – Available options are:
Any – Packets will use any available Ethernet interface address.
Specific IP address – Packets will use the source address selected from a drop-down list. This may be necessary for conformity with VPN or NAT configurations.

FIGURE 66 – Adding or deleting SNTP Servers

In the example above, two SNTP servers were added to the device. Finally, after the servers are added, it is a good idea to verify that the services are working properly.


FIGURE 67 – Checking the status of the SNTP services
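To check a candidate time source from an administration host before adding it on the SNTP server screen, and to see what the Mode, Polling Interval and Local IP settings of Table 4 correspond to on the wire, here is an added Python example; it is not part of this guide or of MNS-DX. It builds the 48-byte SNTPv4 request, parses the server reply (rejecting a stratum-0 or unsynchronised answer, which a client should not trust) and converts the NTP timestamp from the 1900 epoch. query_sntp() sends over UDP port 123 and can bind to a chosen local address, like the Local IP setting; make_sample_response() is a constructed reply used only so the parser can be exercised offline.

```python
import socket
import struct
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
SNTP_PORT = 123
POLL_MIN, POLL_MAX = 15, 86400  # valid Polling Interval range from Table 4


def build_sntp_request() -> bytes:
    """48-byte SNTPv4 client request: LI=0, VN=4, Mode=3 (client). First byte is 0x23."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return bytes([first_byte]) + bytes(47)


def ntp_timestamp_to_unix(seconds: int, fraction: int) -> float:
    return seconds - NTP_UNIX_OFFSET + fraction / 2 ** 32


def parse_sntp_response(data: bytes) -> dict:
    """Decode the header fields and the Transmit Timestamp (bytes 40-47) of a server reply."""
    if len(data) < 48:
        raise ValueError("SNTP reply too short: %d bytes" % len(data))
    leap = data[0] >> 6
    version = (data[0] >> 3) & 0x7
    mode = data[0] & 0x7
    stratum = data[1]
    if mode not in (4, 5):  # 4 = unicast server reply (Active mode), 5 = broadcast (Passive mode)
        raise ValueError("unexpected SNTP mode %d" % mode)
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server, do not use")
    if leap == 3:
        raise ValueError("leap indicator 3: server clock not synchronised")
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {"version": version, "mode": mode, "stratum": stratum,
            "transmit_time": ntp_timestamp_to_unix(tx_sec, tx_frac)}


def is_valid_reply(data: bytes) -> bool:
    try:
        parse_sntp_response(data)
        return True
    except ValueError:
        return False


def validate_polling_interval(seconds: int) -> bool:
    return POLL_MIN <= seconds <= POLL_MAX


def query_sntp(server: str, local_ip: str = None, timeout: float = 2.0) -> dict:
    """Send one request; binding to local_ip emulates the 'Specific IP address' Local IP setting."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if local_ip:
            sock.bind((local_ip, 0))
        sock.sendto(build_sntp_request(), (server, SNTP_PORT))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    result = parse_sntp_response(data)
    result["offset_seconds"] = result["transmit_time"] - time.time()
    return result


def make_sample_response(unix_time: int, stratum: int = 2) -> bytes:
    """Constructed server reply (VN=4, Mode=4) carrying the given transmit time; for offline tests."""
    header = bytes([(4 << 3) | 4, stratum]) + bytes(38)
    transmit = struct.pack("!II", unix_time + NTP_UNIX_OFFSET, 0)
    return header + transmit


if __name__ == "__main__":
    print(parse_sntp_response(make_sample_response(1700000000)))
```

A reply whose offset_seconds is large tells you the router's clock (or the chosen server) is off; a timeout with a reachable host usually means UDP port 123 is blocked on the path, which is the firewall check the text asks for.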

If your site has internet connectivity, there are a number of SNTP servers available on the Internet [2]. A quick search on the Internet will yield information about these servers. You should use the IP address of these servers (or add their IP address information in the host table; refer to the host table section of this user guide). Please make sure that the server can be reached by using the ping command. Also make sure the firewall allows port 123 to communicate with the time servers specified.

Upgrading MNS-DX

MNS-DX software can be updated when needed. Please refer to the release notes for a specific release regarding changes and bug fixes for the release. GarrettCom recommends using the latest release of MNS-DX.

MNS-DX 3.x and beyond uses license keys to unlock features available in MNS-DX-SECURE and MNS-DX-ADVAR. Make sure these codes are available. Also make sure the configuration is backed up before the upgrade process.

Before the software is updated, it is recommended to save the configuration as well as have any of the security codes used to upgrade MNS-DX available.

MNS-DX allows the version to be upgraded. If the upgrade is not satisfactory, or for any reason causes other compatibility or networking issues, MNS-DX can easily fall back to the previous version. If the upgrade is successful, the user can finalize the upgrade, causing the router to boot from that version of the software whenever possible. This is explained below.

[2] The most commonly used is the NIST time server time.nist.gov.


FIGURE 68 – Software update process state diagram. Note that if the upgrade is unsatisfactory for whatever reason, the user can fall back to the older version

The upgrade states are summarized in the table below.

Table 5 – Software upgrade states

State – Action

Ready to Upgrade – Upgrade. This button is hidden if the previous version is still present. If the previous version of MNS-DX is not deleted, please use the Finalize button or the Fallback button. This button requires that a new version of the MNS-DX file is loaded first.

Upgrade OK? – This is a decision point whether to continue use of the new version or fall back to the older version.

New Version in use – Delete the old version and continue using the current version.

Fallback – Delete the new version and fall back to the old version. The system will reboot automatically in about a minute.

This update process is shown below.


FIGURE 69 – Upgrading MNS-DX. Note – on this screen, the 3.0 software was loaded. To do that, simply choose the MNS-DX file and click on Upload. Once the upload is done, reboot the router. Once the software is loaded, the old version can be deleted, or the router can fall back to the old version

Once ready for the upgrade, click “Choose” to select the file and then “Upload” to load the file. If needed, the file name can be entered in the text box provided as well. This is shown below.

FIGURE 70 – List the location and file name for the new image and click on “Upload” to load the new image

After the image is copied, the choice is presented as to whether the MNS-DX image should be upgraded. Note also that the message "Ready to Upgrade" is displayed. See below.


FIGURE 71 – After the file is uploaded, the message is shown that MNS-DX is ready for upgrade. Click on Upgrade or Fallback

If the decision is to fall back, click on "Fallback". The user can choose whether to delete the new image as shown below.

FIGURE 72 – On Fallback the State "Fallback" is displayed. The user is presented with the choice to delete the new image. Retry takes you back to the choice of whether the image should be upgraded or fallen back (previous figure)


On choosing Upgrade, the router is rebooted and the new image is installed as shown below. Provide sufficient time for the image to be loaded and all services to be initialized. Once that is completed, the new image is ready for use. If the router is restarted or powered off during the upgrade process, MNS-DX aborts the upgrade process and falls back to the previous known-good image.

FIGURE 73 – On successful upgrade, the router is rebooted and the new image is now the active image. After login, click on Finalize to use the new image

Once the image is finalized, the Software upgrade screen is as shown below. Please delete the older version to upgrade to the next subsequent release of MNS-DX.

FIGURE 74 – After successful upgrade, the State changes to "Upgraded". Please delete the older version to load a subsequent release of MNS-DX


Saving and loading configuration

All software configuration is kept in XML format. XML files are text based and can be viewed easily by most browsers. From the XML file view, the information can be copied into a text editor and changed.

To view configuration files, click on the Administration → Configuration → Files menu as shown below.

FIGURE 75 – Multiple configuration files are stored on the MNS-DX routers. One of them is current. The other is associated with the fallback. To view the files, click on the file name

To save a config file, right click on the browser and use "Save Link As" function. Most browsers allow download of content from a web page. In this case, the same technique can be used to save the content of the config file.

To view the config file, simply click on the file name.

Once the file is displayed, the XML format of the config file is shown and this can be copied into a text file for saving or for editing. This is another way to save the config file. Make sure the whole file is selected and copied across.


FIGURE 76 – Config file. To save a config file, highlight the text and copy/paste that information in a text file. These files can be archived for tracking and history purposes.
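Because the saved configuration is XML text, archived copies can be compared mechanically rather than by eye. The following is an added Python example, not part of this guide or of MNS-DX; the element and attribute names in the two constructed sample files are assumptions made for the example, not the real MNS-DX schema. It flattens each file to path/value pairs, reports what changed between two archived copies (a toggle such as SSH port forwarding going from disabled to enabled shows up immediately) and computes a fingerprint that ignores whitespace-only edits, so two archives with the same settings hash identically.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configurations. The schema is assumed for this example only.
CONFIG_V1 = """
<config>
  <system><hostname>dx-router-1</hostname></system>
  <sntp mode="active" polling="60">
    <server>192.0.2.10</server>
    <server>192.0.2.11</server>
  </sntp>
  <ssh portforwarding="disabled"/>
</config>
"""

CONFIG_V2 = """
<config>
  <system><hostname>dx-router-1</hostname></system>
  <sntp mode="active" polling="300">
    <server>192.0.2.10</server>
  </sntp>
  <ssh portforwarding="enabled"/>
</config>
"""


def flatten(xml_text: str) -> dict:
    """Map every element path (with a sibling index) and attribute to its text value."""
    root = ET.fromstring(xml_text)
    out = {}

    def walk(elem, path):
        text = (elem.text or "").strip()
        if text:
            out[path] = text
        for name, value in sorted(elem.attrib.items()):
            out[path + "@" + name] = value
        counts = {}
        for child in elem:
            idx = counts.get(child.tag, 0)
            counts[child.tag] = idx + 1
            walk(child, "%s/%s[%d]" % (path, child.tag, idx))

    walk(root, "/" + root.tag)
    return out


def config_diff(old_xml: str, new_xml: str) -> list:
    """Return (path, old_value, new_value) triples; None marks a value absent on that side."""
    old, new = flatten(old_xml), flatten(new_xml)
    changes = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            changes.append((key, old.get(key), new.get(key)))
    return changes


def config_fingerprint(xml_text: str) -> str:
    """SHA-256 over the flattened, sorted view, so indentation changes do not alter it."""
    flat = flatten(xml_text)
    canonical = "\n".join("%s=%s" % (k, flat[k]) for k in sorted(flat))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for path, old, new in config_diff(CONFIG_V1, CONFIG_V2):
        print("%s: %r -> %r" % (path, old, new))
    print("v1", config_fingerprint(CONFIG_V1)[:16], "v2", config_fingerprint(CONFIG_V2)[:16])
```

Run this against the copy you archived before a change and the copy saved afterwards; keeping the fingerprint with each archive makes it easy to tell which saved file is actually in use on the router.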

Erasing configuration

The active configuration file can be reset to factory default values. This is done by selecting the Administration → Configuration → Defaults menu as shown below.


FIGURE 77 – Resetting the configuration values to factory default.

With the configuration reset, connectivity may be lost. You may have to reset the IP address of the devices as shown earlier.

Saving changes

Any change to the configuration changes the color of the "Save" icon to orange as shown below.

FIGURE 78 – If the "Save" icon is orange - there have been configuration changes made on the switch

Clicking on the Save button will save the configuration. It is a good idea to save as frequently as possible.


Chapter 4

4 – Configuring Ethernet

Use Ethernet ports...

This chapter explains how to set up the Ethernet ports. Ethernet ports can be set up as routed ports or switched ports. For switch ports, the RSTP configuration can be set up as well. Finally, VLANs can be set up for use on the Ethernet ports. RSTP and VLANs will be covered in separate chapters.

Assumptions

It is assumed here that the user is familiar with IP addressing schemes and has other supplemental material on RSTP as well as VLANs. This user guide assumes the user is familiar with these concepts.

Setting up Ethernet Ports

There are several settings to be configured for the Ethernet ports. These are explained below. Enabling Ethernet ports and setting their parameters such as speed etc. can be done using the Ethernet → Ports → Settings menu as shown below.


FIGURE 79 – Configuring Ethernet parameters

FIGURE 80 – Setting Ethernet Speed settings. Default is auto negotiate. In some situations, it may be necessary to set the port to a fixed speed setting. Supported speeds will vary depending on the port and technology. For example with 100Mbps fiber ports, only 100Mbps speeds will be supported as fiber ports cannot auto negotiate

FIGURE 81 – Setting Ethernet Flow control – this allows control of the amount of ingress and egress packets which can be sent based on flow control information. Default setting is disabled


FIGURE 82 – Administrative status. This turns an Ethernet port on or off. Admin status enabled allows traffic flow on the port. Disabled turns the Ethernet port off

The above settings are described in the table below.

Table 6 – Software upgrade states

Name – Value

Port ID – Physical port identifying information.

Port Name – User configurable name. The name is restricted to 16 printable characters. The default name is Ethernet-nn, where nn corresponds to the port number.


Media Type – Enables you to force a speed and duplex setting on an Ethernet port or set the port to auto-negotiate mode. Only speed/duplex settings appropriate for the particular interface type are allowed. These are:
Auto (10/100BaseTX) (default for 10/100T)
10T Half (10/100BaseTX)
10T Full (10/100BaseTX)
100TX Half (10/100BaseTX)
100TX Full (10/100BaseTX)
100FX Full (100BaseFX) (default for 100FX)
1000TX Half (10/100/1000BaseTX)
1000TX Full (10/100/1000BaseTX)
1000FX Full (1000BaseFX) (default for Gb fiber modules)

Flow Control – This parameter applies to full duplex ports only. Flow control is optionally implemented using the 802.3x specification for PAUSE packets. When congested, the switch will send PAUSE packets to attached devices to request temporary suspension of transmission of further frames. The following values may be selected: Enabled, Disabled. Default value = Disabled.

FEFI – When selected, this feature will send an alarm signal to the far end transmitter of an optical port if the near-end receiver detects loss of signal. Also, if an alarm signal is received from a far-end transmitter, the near-end port will report its link status as down (even though it is receiving a good optical signal). The intent is to report a full duplex optical link as down even when a signal failure (for example, a fiber cut) occurs in only one direction. This is useful for automatic link recovery procedures. This parameter is ignored for copper ports.

Admin Status – Enables you to set the activity status of the port. A setting of Disabled completely turns off the port's transmit and receive functions. By factory default all ports except the last Ethernet port (E2 on the DX40, E4 on the DX800, DX 900 and DX940 and E5 on DX1000) are disabled.

Status

The Status menu displays the status of the Ethernet ports, including those which are up or down. The Status screen also displays a quick summary of the different Ethernet port settings as shown below.


FIGURE 83 – Status Summary screen

Summary Statistics

Summary statistics shows the number of transmitted and received packets, octets (bytes) and errors. These counters can be zeroed out for measurements. The screen can also be refreshed to show the most current information.

FIGURE 84 – Summary Statistics – shows the packets, octets (bytes) and errors transmitted and received on a specific port

Extended Statistics

Extended statistics shows the extended or detailed statistics of the Ethernet ports, as shown below.


FIGURE 85 – Extended Statistics – shows the detailed transmit and receive counters for a specific port

The fields are summarized in the table below.


Table 7 – Extended Statistics

Name – Value

Tx Unicast – The total number of good packets transmitted that were directed to a unicast address.

Tx Multicast – The total number of packets transmitted that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

Tx Pause – Total number of PAUSE frames transmitted. This is used with Flow Control.

Tx 64 Octets – The total number of packets transmitted that were exactly 64 octets in length (excluding framing bits but including FCS octets).

Tx 65 to 127 – The total number of packets transmitted that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 128 to 255 – The total number of packets transmitted that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 256 to 511 – The total number of packets transmitted that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 511 to 1023 – The total number of packets transmitted that were between 511 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 1023 to Max – The total number of packets transmitted that were between 1023 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).

CRC Errors – The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.

Alignment Errors – The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad FCS with a non-integral number of octets.

Undersized – The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.

Oversized – The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.

Fragments – The total number of packets received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Jabbers – The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Filtered – The total number of valid frames received that are not forwarded to a destination port.

Discards – The total number of valid frames that were discarded due to lack of buffer space.

Collisions – The total number of collisions on this Ethernet segment.

Excessive – The total number of frames not transmitted because the frame experienced too many transmission attempts and was discarded.

Single – The total number of successfully transmitted frames that experienced exactly one collision.

Multiple – The total number of successfully transmitted frames that experienced more than one collision.

Late – The total number of times a collision is detected later than 512 bit-times into the transmission of a frame.

Deferred – The total number of successfully transmitted frames that are delayed because the medium was busy during the first attempt.
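The counters in Table 7 are most useful when compared between two readings rather than looked at once. The following added Python example (not from this guide or from MNS-DX) takes two constructed counter snapshots in the shape of the Summary and Extended Statistics screens, computes per-port deltas while allowing for a counter having been zeroed in between, and flags the conditions the table's definitions point at: a high ratio of receive errors (CRC, alignment, undersized, fragments, jabbers) to received packets, any late collisions, and discards for lack of buffer space. Port names, values and thresholds are assumptions made for the example.

```python
# Constructed counter snapshots; port names and values are made up for this example.
SNAPSHOT_T0 = {
    "E1": {"rx_packets": 100_000, "crc_errors": 2, "alignment_errors": 0, "undersized": 0,
           "fragments": 0, "jabbers": 0, "late_collisions": 0, "discards": 0},
    "E2": {"rx_packets": 50_000, "crc_errors": 0, "alignment_errors": 0, "undersized": 0,
           "fragments": 0, "jabbers": 0, "late_collisions": 0, "discards": 0},
    "E3": {"rx_packets": 900_000, "crc_errors": 5, "alignment_errors": 0, "undersized": 0,
           "fragments": 0, "jabbers": 0, "late_collisions": 0, "discards": 0},
}
SNAPSHOT_T1 = {
    "E1": {"rx_packets": 500_000, "crc_errors": 3, "alignment_errors": 0, "undersized": 0,
           "fragments": 0, "jabbers": 0, "late_collisions": 0, "discards": 0},
    "E2": {"rx_packets": 60_000, "crc_errors": 900, "alignment_errors": 300, "undersized": 0,
           "fragments": 0, "jabbers": 0, "late_collisions": 40, "discards": 12},
    # E3's counters were zeroed ("Clear") between the two readings
    "E3": {"rx_packets": 1_000, "crc_errors": 0, "alignment_errors": 0, "undersized": 0,
           "fragments": 0, "jabbers": 0, "late_collisions": 0, "discards": 0},
}

# Receive-side error counters from Table 7 that count against received packets.
RX_ERROR_COUNTERS = ("crc_errors", "alignment_errors", "undersized", "fragments", "jabbers")


def counter_deltas(before, after):
    """Per-port difference of each counter. A counter that is lower than before is
    taken to have been zeroed, so its current value is the delta."""
    result = {}
    for port, now in after.items():
        prev = before.get(port, {})
        result[port] = {name: (value if value < prev.get(name, 0) else value - prev.get(name, 0))
                        for name, value in now.items()}
    return result


def assess_port(delta, max_error_ratio=1e-4):
    """Human-readable findings for one port's counter deltas (thresholds are assumptions)."""
    findings = []
    rx = delta.get("rx_packets", 0)
    errors = sum(delta.get(name, 0) for name in RX_ERROR_COUNTERS)
    if rx and errors / rx > max_error_ratio:
        findings.append("receive error ratio %.2e exceeds %.0e: check cabling, optics or duplex setting"
                        % (errors / rx, max_error_ratio))
    if delta.get("late_collisions", 0):
        findings.append("%d late collisions: duplex mismatch or over-length segment"
                        % delta["late_collisions"])
    if delta.get("discards", 0):
        findings.append("%d frames discarded for lack of buffer space: port is congested"
                        % delta["discards"])
    return findings


def assess_all(before, after, **kwargs):
    return {port: assess_port(delta, **kwargs)
            for port, delta in counter_deltas(before, after).items()}


if __name__ == "__main__":
    for port, findings in sorted(assess_all(SNAPSHOT_T0, SNAPSHOT_T1).items()):
        print(port, findings or ["ok"])
```

Taking the two readings a fixed interval apart (or zeroing the counters first, as the Summary Statistics screen allows) turns the error ratio into a rate that can be trended; a port whose ratio jumps after a cabling change is the usual first sign of a duplex or media mismatch.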


Chapter 5

5 – Port Mirroring and Rate Limits

Setup the ports for network monitoring….

The previous chapter explained how the individual characteristics of a port on the GarrettCom Magnum DX routers are set up. To monitor a specific port, the traffic on that port can be mirrored to another port and viewed by protocol analyzers. This is useful for diagnostics and other purposes.

Port Monitoring and Mirroring

An Ethernet switch sends traffic from one port to another port. Unlike a switch, a hub or shared network device "broadcasts" the traffic on each and every port. Capturing traffic for protocol analysis or intrusion analysis can be impossible on a switch unless all the traffic from a specific port is "reflected" on another port, typically a monitoring port. This process, when traffic from one port is reflected to another port, is called port mirroring. The monitoring port is also called a "sniffing" port. Port monitoring becomes critical for troubleshooting as well as for intrusion detection.

Port mirroring

Monitoring a specific port can be done by port mirroring. Mirroring traffic from one port to another port allows analysis of the traffic on that port. To enable port mirroring as well as to set up the ports to be "sniffed", use Ethernet → Ports → Mirroring as shown below.


FIGURE 86 – Editing and enabling port mirroring. Default value is “None” i.e. port mirroring is disabled

FIGURE 87 – In this setup, all traffic from port E1 is reflected on Port E2

DX40 does not support port mirroring. The mirrored port shows both incoming as well as outgoing traffic.


Rate Limits

Rate limits are set to prevent network congestion due to excessive traffic or to prevent traffic bursts which may cause network disruption. The rate limit feature limits the ingress and egress throughput on a port. On ingress, various classes of packets can be limited. The user may choose to limit only broadcast packets, broadcast and multicast packets, all flooded packets (which includes unicast packets with destinations not found in the station cache), or all packets. On egress, all packet types are limited. Rate limits are configured from pre-defined values as shown below.

FIGURE 88 – Setting the port Rate Limits

FIGURE 89 – Types of incoming or ingress traffic on which rate limits can be set


FIGURE 90 – The incoming traffic can be limited to the set values shown above

FIGURE 91 – The outgoing traffic can be limited to the set values shown above

Once these limits are set, click on “Apply Settings” and then “Save” to save the changes.


Chapter 6

6 – Bridge Groups

Switching or Routing?

The previous chapter explained how the individual characteristics of a port on the GarrettCom Magnum DX routers are set up. For many network designs, not all Ethernet ports on the Magnum DX device need to be routed ports. Sometimes, switch ports may be needed to participate, for example, in an RSTP network for resiliency and quick recovery from faults on the network.

Bridging or Switching vs Routing

An Ethernet switch, like a bridge, sends traffic from one port to another port based on MAC address information. A hub or a shared network device "broadcasts" or replicates the traffic on each and every port. A router needs protocol specific information for the device to function. For example, a switch can send an Ethernet XNS packet from one port to another without any issues. A router will not be able to "route" an XNS packet from one router port to another unless there is specific knowledge of the XNS protocol built into the router. Further, not all protocols are routable. For example, one of the older protocols such as LAT (from DEC, now part of Compaq/HP) was a non-routable protocol. In this case the router had to behave as a switch, i.e. switch the packet from one port to another based on the MAC address information. In order to optimize use of the network, it is important to mix and match ports on a device as switch ports or routed ports.

Switch Ports

Switch ports need to learn MAC addresses for the switch ports to work correctly. In addition, all switch ports have a common IP address which addresses this group of ports. This section describes how these can be managed.

MAC address aging

MAC addresses need to be refreshed as per a predefined interval for the switch ports to function properly. This is done using the Ethernet → Bridge → Global Settings menu. This screen displays the aging interval applied to MAC addresses learned by the bridge and enables you to edit that setting, as shown below.


FIGURE 92 – Setting the MAC address aging interval

Setting Switch Ports

The Bridge group can be set using the Ethernet → Bridge → Port Settings menu as shown below.

FIGURE 93 – Setting the Bridge group. In this example, ports E3 and E4 form the bridge group, i.e. the two ports are switch ports. The ports E1 and E2 are routed ports

Static MACs

A MAC address can be assigned to a specific port instead of being learned. Once the static MAC address is assigned, it is also not aged as per the Global Settings described above. This is done using the Ethernet → Bridge → Static MACs menu as shown below.


FIGURE 94 – Setting a static MAC address associated with the port

FIGURE 95 – Enter the MAC address associated with the port and click on “Apply Settings” as shown


FIGURE 96 – Once the MAC address is assigned, it appears on the Static MACs screen as shown above. To delete a static MAC address, check the "Delete" box and click on “Apply Settings”

Cache Entries

The MAC entries can be viewed by using the Ethernet → Bridge → Station Cache menu as shown below.

FIGURE 97 – Viewing the MAC addresses and the ports associated with them. Note the static entry added in the previous section

To purge MAC entries, click on "Purge Dynamic Entries" – only dynamic entries are purged. Static entries have to be deleted as described earlier. After all the changes, do not forget to save the changes.
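The three screens above (aging interval, static MACs, station cache with "Purge Dynamic Entries") describe one data structure with two kinds of entries. The following added Python example, not part of this guide or of MNS-DX, models that station cache so the rules can be seen together: learned entries carry a last-seen time and expire after the aging interval, static entries are never aged, never rewritten by learning and only removed by an explicit delete, and a purge removes dynamic entries only. As an addition beyond the text, learn() also reports when a known MAC appears on a different port, which is the observation a defender wants from a switch when a host (or a device impersonating its address) moves. The behaviour of learning against a static entry is an assumption made for the example.

```python
class StationCache:
    """Bridge station cache: dynamic entries age out, static entries do not.
    Timestamps are plain seconds so the model runs without a real clock."""

    def __init__(self, aging_seconds=300):
        self.aging_seconds = aging_seconds
        self._entries = {}  # mac -> (port, last_seen); last_seen is None for static entries

    def add_static(self, mac, port):
        self._entries[mac.lower()] = (port, None)

    def delete_static(self, mac):
        """Static entries go away only explicitly (the 'Delete' box on the Static MACs screen)."""
        mac = mac.lower()
        if mac in self._entries and self._entries[mac][1] is None:
            del self._entries[mac]
            return True
        return False

    def learn(self, mac, port, now):
        """Record a source MAC seen on a port. Returns the port the MAC was previously known
        on if that differs (a MAC move), otherwise None. Static entries are not rewritten."""
        mac = mac.lower()
        entry = self._entries.get(mac)
        if entry is not None and entry[1] is None:
            return entry[0] if entry[0] != port else None
        self._entries[mac] = (port, now)
        if entry is not None and entry[0] != port:
            return entry[0]
        return None

    def lookup(self, mac, now):
        """Port for a MAC, or None if unknown or past the aging interval."""
        entry = self._entries.get(mac.lower())
        if entry is None:
            return None
        port, last_seen = entry
        if last_seen is not None and now - last_seen > self.aging_seconds:
            return None
        return port

    def age_out(self, now):
        """Sweep expired dynamic entries; returns how many were removed."""
        expired = [m for m, (_, seen) in self._entries.items()
                   if seen is not None and now - seen > self.aging_seconds]
        for m in expired:
            del self._entries[m]
        return len(expired)

    def purge_dynamic(self):
        """'Purge Dynamic Entries': remove every learned entry, keep static ones."""
        dynamic = [m for m, (_, seen) in self._entries.items() if seen is not None]
        for m in dynamic:
            del self._entries[m]
        return len(dynamic)

    def entries(self):
        return sorted((m, p, "static" if seen is None else "dynamic")
                      for m, (p, seen) in self._entries.items())


if __name__ == "__main__":
    cache = StationCache(aging_seconds=300)
    cache.add_static("00:11:22:33:44:55", "E3")
    cache.learn("aa:bb:cc:dd:ee:01", "E4", now=0)
    print(cache.entries())
```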


Chapter 7

7 – Rapid Spanning Tree Protocol (RSTP)

Create and manage alternate paths to the network

Rapid Spanning Tree Protocol is designed to avoid loops in an Ethernet network and to recover from faults in the network quickly, providing resiliency. An Ethernet network using switches and routers can have redundant paths; however, this may cause loops. To prevent the loops, MNS-DX software uses Rapid Spanning Tree Protocol or RSTP. STP, a predecessor of RSTP, is defined by the IEEE 802.1d protocol and is a standard of IEEE. Rapid Spanning Tree Protocol (RSTP) is defined by IEEE 802.1w and, like STP, is designed to avoid loops in an Ethernet network. IEEE standard IEEE 802.1D-2004 provides extensions to RSTP, incorporates all of the functions of RSTP and obsoletes STP.

RSTP Features and Operations

When the Ethernet ports are configured as a Bridge group, it uses the IEEE 802.1D-2004 Rapid Spanning Tree Protocol (RSTP). When RSTP is enabled, it ensures that only one path at a time is active between any two nodes on the network. In networks where more than one physical path exists between two nodes, RSTP ensures that only a single path is active by blocking all redundant paths. Enabling RSTP is necessary to avoid loops and duplicate messages. This duplication leads to a "broadcast storm" or other erratic behavior that can bring down the network.

The Magnum DX family of routers uses single-instance RSTP. This means a single spanning tree is created to make sure there are no network loops associated with any of the connections in the network. VLANs and single-instance RSTP cannot usually be used safely together because VLAN trunking configurations may create multiple virtual topologies that RSTP is unaware of.

The RSTP implementation on MNS-DX automatically senses port type and defines port cost and priority for each type. The MNS-DX software allows an administrator to adjust the cost, priority, mode for each port as well as the global RSTP parameter values for the switched ports on the router.


While allowing only one active path through a network at any time, RSTP retains any redundant physical path to serve as a backup (blocked) path in case the existing active path fails. Thus, if an active path fails, RSTP automatically activates (unblocks) an available backup to serve as the new active path for as long as the original active path is down.

RSTP Setup

When first configured with RSTP, the bridges in a system exchange messages with one another to elect a root bridge and to discover the shortest path from each bridge to the root bridge. The ports that enable the shortest paths are put into forwarding mode. All other ports are assigned backup or alternate roles. When a stable tree has been established and traffic is being transmitted, the system is said to have achieved convergence.

FIGURE 98 – Port Roles in RSTP

BPDUs

The messages exchanged by the bridges are special data frames called Bridge Protocol Data Units (BPDUs). The BPDUs contain identifying information and information about the root path cost. The best path from a bridge to the root has the lowest path cost. (The measurement takes into account the bandwidth on intervening segments.) When the spanning tree is being calculated, the bridges exchange configuration BPDUs. Other types of BPDUs are exchanged during normal operation.


Bridge Roles

Each configured spanning tree has a single root bridge. All other bridges active in the system are designated bridges. For each segment, the connected bridge that provides the shortest path to the root bridge is that segment's designated bridge.

Port Roles

After convergence each port in the tree is assigned one of four roles:

1. Root: Each bridge (except the root bridge) has a single root port. This is the port with the lowest root path cost (the best way to the root). All traffic to and from the root bridge passes through the root port of the designated bridge.

2. Designated: Each bridge has at least one designated port. If only one port is connected to the segment, it is the designated port. If more than one port is connected to the segment, then the port with the best priority value in its ID is the designated port for the segment. Any port on the root bridge that is connected to a segment is a designated port. All traffic to and from a specific segment passes through the designated port of the designated bridge.

3. Backup: A port on a designated bridge that is connected to the same segment as the designated port on that bridge. In the event of failure in the designated port the backup port would become the designated port. A backup port is blocked (inactive).

4. Alternate: A port that connects to a different segment than the root port on the same bridge. An alternate port provides an alternate path to the root that is inferior to the path provided by the root port. In the event of failure in the root port, the alternate port would become the root port. An alternate port is blocked (inactive).

Edge Ports and Point-to-Point Links

There are two other ways of classifying ports that can enable a quick transfer to the forwarding state and thus faster convergence:

1. Edge Port – This is a port that connects directly to an end station. Since it connects to a single host it is incapable of forming loops, so it may be safely placed in a forwarding state without going through the listening and learning stages.

2. Point-to-Point Links – When a port connects directly to another switch it can safely be placed in forwarding mode.

Port States

The MNS-DX implementation of RSTP supports four operational states for a port:

1. Blocking – The port does not transmit or receive data frames, but the port does continue to receive BPDUs.

2. Listening – The port can send and receive BPDUs, but it is not learning MAC addresses or forwarding data frames.

3. Learning – The port is receiving BPDUs and is learning MAC addresses, but it is not forwarding data frames.

4. Forwarding – The port is sending and receiving all packets.

Once the RSTP network is functioning, all traffic is by definition handled by the ports in the forwarding state.

RSTP Normal Operation

After initial configuration, RSTP functions by circulating BPDUs through the system. When these BPDUs indicate a change in the topology, such as failure of a link or the addition of a new node, the system is reconfigured.

System maintenance is carried out through the information carried by the BPDUs exchanged among the bridges. Overall operation is managed under the constraints of:

• Hello Time – The amount of time between the transmission of configuration BPDUs on any port. Valid range = 1-10 seconds. Default value = 2 seconds. A connection is considered to be lost if hellos are not received three consecutive times (by default this is six seconds).

• Forward Delay – Controls how long the bridge waits after any state or topology change before forwarding the information to the network. Valid range = 4-30 seconds. Default value = 15 seconds.

• Maximum Age – The length of time a configuration BPDU remains valid before it is discarded.

Design Considerations

The RSTP protocol can make network decisions automatically. In fact, in the absence of manual intervention, the protocol will completely configure the network; however, you may want to specify the settings for some or all of your bridges and ports. For instance, you may want to ensure that a particular bridge is the root bridge or that a certain port on a bridge is the designated port.

Note that you should use the Port: Settings screen to ensure that ports connecting to end stations are specified as edge ports, and that ports that connect to other bridges using RSTP are specified as Point ports (also known as Point-to-Point ports).

Configuring RSTP – Bridge Settings

To configure RSTP, click on the Ethernet → RSTP menu options. The bridge settings are available via Ethernet → RSTP → Bridge Settings and are listed below:

109 MAGNUM DX – MNS- DX ADMINISTRATOR GUIDE

FIGURE 99 – Setting the RSTP parameters for all ports

The fields in the menu above are:

• Mode – Any bridge active in the system must have the Disabled/Enabled value set to Enabled. The default value is Disabled.
• Priority – The default priority value is 32768 (valid range 0-65535); numerically lower values indicate higher priority. If a specific device is to be the root bridge, set its priority lower than that of any other bridge in the system. An alternate root bridge can be explicitly designated to take over if the original root bridge fails by giving it a priority value only slightly higher than that of the root bridge. When more than one bridge connects to the same LAN, you can determine which becomes the designated bridge by setting its priority low.
• Hello Time – The default Hello Time is 2 seconds (valid range 1-10 seconds). The manually configured Hello Time applies to the root bridge; designated bridges use the Hello Time learned from BPDUs sent by the root bridge. A smaller Hello Time gives quicker detection of topology changes but increases BPDU traffic on the system.
• Forward Delay – The default Forward Delay is 15 seconds (valid range 4-30 seconds). A shorter Forward Delay may give quicker adaptation to topology changes. Designated bridges use the Forward Delay learned from BPDUs sent by the root bridge.
• Maximum Age – The default Maximum Age is 20 seconds (valid range 6-40 seconds). In a network that includes slow links it can be useful to set a higher Maximum Age.
• Cost Style – Specifies whether 16-bit (STP-style) or 32-bit (RSTP-style) path cost values are used.

RSTP – Port Settings

The RSTP port settings are available via Ethernet → RSTP → Port Settings and are listed below:


FIGURE 100 – RSTP Port Settings

The values for the port settings are as follows:

• Port ID – Uniquely identifies an Ethernet interface.
• Mode – The mode the switch will use on this port for RSTP operation. This parameter can take one of the following values:
  - Legacy – The port uses STP only.
  - Auto – The port automatically determines the correct mode based on received BPDUs. This is the default setting.
  - Edge – The port uses RSTP and is connected to an end system where no loops are possible.
  - Point – The port uses RSTP and is connected to another switch (that runs RSTP) over a point-to-point link where loops may be possible.
  - None – Disable RSTP on this port.
• Priority – RSTP selects the root, designated and backup ports from among redundant ports on a bridge based on the port ID and the priority setting. To force the selection of a specific port as the root port, give it a low priority value. Default value = 128. Valid range = 0-240. Numerically lower values indicate higher priority.
• Auto Path Cost? – Specifies whether the path cost is set automatically. If "Yes", the path cost is set automatically based on link speed and the "Cost Style" setting in Ethernet → RSTP → Bridge Settings (discussed in the previous section). If "No", the path cost used is the value specified in the "Path Cost" field (below).
• Path Cost – Specify a path cost value in the range 1-200000000. Default value = 10.
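The root election, automatic path cost and timer rules described under Bridge Settings and Port Settings above, as an added worked example; this is not MNS-DX code and not taken from the guide. It assumes that bridge IDs compare as (priority, MAC address) with the numerically lowest winning, that the two Cost Styles use the IEEE 802.1D 16-bit and 32-bit default path-cost tables, and that the configured timers must satisfy the IEEE 802.1D relationship 2*(Forward Delay - 1) >= Maximum Age >= 2*(Hello Time + 1). The bridge names, MAC addresses and link speeds are constructed.

```python
"""Added example (not MNS-DX code): RSTP root election, auto path cost and
timer sanity checks for a small bridged topology.

Assumptions (mine, not the guide's): bridge IDs compare as (priority, MAC),
lowest wins; path costs follow the IEEE 802.1D 16-bit and 32-bit tables; the
timer relationship is the one IEEE 802.1D imposes on configured values.
"""
import heapq

# Default path costs per link speed (Mbps): 16-bit STP-style, 32-bit RSTP-style.
PATH_COST_16 = {10: 100, 100: 19, 1000: 4, 10000: 2}
PATH_COST_32 = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000}


def auto_path_cost(link_mbps, cost_style="32-bit"):
    """Cost the bridge would pick with 'Auto Path Cost? = Yes'."""
    table = PATH_COST_32 if cost_style == "32-bit" else PATH_COST_16
    return table[link_mbps]


def bridge_id(priority, mac):
    """Bridge identifier as a comparable tuple; the lower one wins the election."""
    if not 0 <= priority <= 65535:
        raise ValueError("priority out of range 0-65535")
    return (priority, mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the root bridge."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def root_path_costs(bridges, links, cost_style="32-bit"):
    """Shortest-path (Dijkstra) root path cost from the elected root over
    links given as (bridge_a, bridge_b, link_mbps). Returns {bridge: cost}."""
    root = elect_root(bridges)
    adj = {n: [] for n in bridges}
    for a, b, mbps in links:
        cost = auto_path_cost(mbps, cost_style)
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist.get(n, float("inf")):
            continue
        for nxt, c in adj[n]:
            if d + c < dist.get(nxt, float("inf")):
                dist[nxt] = d + c
                heapq.heappush(heap, (d + c, nxt))
    return dist


def validate_timers(hello=2, forward_delay=15, max_age=20):
    """Check the per-field ranges the guide lists plus the IEEE 802.1D
    relationship 2*(forward_delay - 1) >= max_age >= 2*(hello + 1).
    Returns a list of problems; empty means the set is consistent."""
    problems = []
    if not 1 <= hello <= 10:
        problems.append("hello time outside 1-10 s")
    if not 4 <= forward_delay <= 30:
        problems.append("forward delay outside 4-30 s")
    if not 6 <= max_age <= 40:
        problems.append("max age outside 6-40 s")
    if max_age < 2 * (hello + 1):
        problems.append("max age must be >= 2*(hello+1)")
    if max_age > 2 * (forward_delay - 1):
        problems.append("max age must be <= 2*(forward_delay-1)")
    return problems


# Constructed topology: DX1 is meant to be root, DX2 the standby root
# (priority one step above), DX3 left at the default priority.
BRIDGES = {
    "DX1": (4096, "00:20:06:00:00:01"),
    "DX2": (8192, "00:20:06:00:00:02"),
    "DX3": (32768, "00:20:06:00:00:03"),
}
LINKS = [("DX1", "DX2", 1000), ("DX2", "DX3", 100), ("DX1", "DX3", 10)]

if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    print("root path costs:", root_path_costs(BRIDGES, LINKS))
    print("timer problems:", validate_timers(2, 4, 20))
```

Two things the table of ranges alone does not show: DX3 reaches the root through DX2 (cost 220000) rather than over its direct 10 Mbps link (cost 2000000), and validate_timers(2, 4, 20) reports a problem even though each value is inside the range the guide lists, because the three timers constrain each other.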


RSTP – Bridge Status

The RSTP bridge status can be queried via Ethernet → RSTP → Bridge Status and is shown below:

FIGURE 101 – Operational status of the RSTP bridge. Note that all the information discussed in the earlier sections is displayed on this screen

RSTP – Port Status

The RSTP port status can be queried via Ethernet → RSTP → Port Status and is shown below:

FIGURE 102 – Port status. The specific information on the state of the ports is displayed on this screen

Finally, after configuring RSTP, please click on the save button to save the changes.


Chapter 8

8 – VLAN

Create separate network segments (broadcast domains)

Short for virtual LAN, a VLAN creates separate broadcast domains or network segments that can span multiple Magnum DX routers and Magnum 6K switches. A VLAN is a group of ports designated by the device as belonging to the same broadcast domain. The IEEE 802.1Q specification establishes a standard method for inserting VLAN membership information into Ethernet frames.

Why VLANs?

VLANs provide the capability of having two (or more) Ethernet segments co-existing on common hardware. The reason for creating multiple segments is to isolate broadcast domains. VLANs can isolate groups of users, or divide up traffic for security, bandwidth management, etc. VLANs need not be in one physical location; they can be spread across geography or topology, and VLAN membership information can be propagated across multiple Ethernet switches and routers.

FIGURE 103 – VLAN as two separate broadcast domains. The top part of the figure shows two "traditional" Ethernet segments. Up to 16 VLANs can be defined per router. Traffic between VLANs is routed by MNS-DX

A group of network users (ports) assigned to a VLAN forms a broadcast domain. Packets are forwarded only among ports that are designated for the same VLAN. Cross-domain broadcast traffic in the router is eliminated, and bandwidth is saved by not allowing packets to flood out on all ports.

Configuring VLANs

MNS-DX supports tagged VLANs as per the IEEE 802.1Q specification. Up to 16 VLANs can be configured on MNS-DX. Each VLAN is associated with a VLAN ID (VID) and a logical name. VIDs are in the range 1 through 4094 (the value 4095 is reserved), subject to the following limitations:
• VID 1 is the default VLAN.
• VID 0 is defined as the null VID, which is used in priority-tagged frames.

VLANs – Design considerations

It is possible to lock yourself out of the network when VLANs are enabled. To prevent that from happening, plan the VLAN strategy for the network before enabling VLANs. The general steps for using VLANs are:

1) Plan your VLAN strategy and create a map of the logical topology that will result from configuring VLANs. Include consideration for the interaction between VLANs across devices on the network.
2) Configure at least one VLAN in addition to the default VLAN.
3) Assign the desired ports to the VLANs.
4) Decide on a trunking strategy, including how VLAN information will be propagated from one switch to another and which VLANs will be propagated.
5) Check that routing between the VLANs is working by pinging stations on different VLANs.

Once this is planned, add the necessary VLANs. After the VLANs are added, enable them; VLANs are off by default. If there are issues and you are locked out, power cycle the router (this only helps if the VLAN configuration has not yet been saved) or log in via the console port and disable the VLANs.

Adding VLANs

To define the VLANs, click on the Ethernet → VLANs → VIDs menu item as shown below.


FIGURE 104 – Assigning VLANs. For adding VLANs, specify the VLAN ID number (VID) and a logical name with it. VLAN 1 is the default VLAN and is always present on all MNS-DX devices

To delete a specific VLAN, click on the check box in the delete column and click on “Apply Settings”.

Once the VLANs are defined, it is important to assign the port function to each port. For example, Ethernet port E1 will be tagged and will be a trunk port. On that trunk port specific VLANs (35 and 40 in the figure below) will be prohibited; all other VLANs will pass through. Also for port E1, the native (untagged) VLAN traffic will be on VLAN 10. This is done by selecting Ethernet → VLANs → Port Settings as shown below.

FIGURE 105 – Setting Port E1 as a trunk port. In the above example, the native VLAN for the trunk will be 10 and VLANs 35 and 40 will be prohibited on this port


FIGURE 106 – Port E3 is designated to be on VLAN 40. All traffic will be tagged with VID 40 as shown above. The port is an Access port i.e. only packets with the VID of 40 are allowed to pass through the port

Importance of Tagging

Tagging defines what VLAN information is propagated through the port. Tagging is set as shown above and explained below.

Tagged Field Set to No

When a port has its "Tagged?" field set to "No", the port does not forward VLAN tag information. The port will:
• Admit all untagged or priority-tagged frames and mark them with the port's PVID.
• Admit tagged frames if and only if the tagged VID matches the port's PVID. All other tagged frames are dropped.
• Strip all tag information (including the VID and priority fields) from the frame before transmission.

Tagged Field Set to Yes

When a port has its "Tagged?" field set to "Yes", the port will:
• Admit untagged or priority-tagged frames and mark them with the port's PVID.
• Admit tagged frames if and only if the tagged VID matches the port's PVID or one of the VLANs assigned to that port. All other tagged frames are dropped.
• Transmit all frames with an appropriate VLAN tag.

Importance of Filtering

An Ethernet port can be designated a "Trunk" port or an "Access" port. By default a trunk port is a member of all VLANs; it may optionally prohibit traffic from a list of VLANs, as shown above. An access port only passes traffic associated with its native VLAN. By controlling access to different VLANs on different devices, network "zones" can be created so that users are isolated on their part of the network, which enhances the overall security of the network. Because a trunk admits every VLAN it has not been told to prohibit, the prohibit list should name every VLAN the device on the far side of the trunk has no business carrying; otherwise that device can inject tagged frames into zones it should not reach. Remember also that untagged frames arriving on a trunk land in its native VLAN (PVID), so the native VLAN should not be one of the protected zones.
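The admission and transmission rules from the two "Tagged?" cases and the trunk/access distinction above, applied to raw Ethernet frames, as an added worked example; this is not MNS-DX code and not taken from the guide. It assumes the only VLAN TPID is 0x8100, that a trunk port's membership is "all VIDs except a prohibit list" and an access port's membership is its PVID only, and the port names, PVIDs, MAC addresses and frames below are constructed to mirror the figures (E1 trunk with native VLAN 10 and VLANs 35 and 40 prohibited, E3 access port on VLAN 40).

```python
"""Added example (not MNS-DX code): 802.1Q ingress classification and egress
tagging following the "Tagged?" and trunk/access rules described above.

Assumptions (mine, not the guide's): TPID 0x8100 only; trunk = all VIDs except
a prohibit list; access = PVID only; sample ports and frames are constructed.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100


@dataclass
class PortConfig:
    name: str
    pvid: int
    tagged: bool                       # the "Tagged?" field
    trunk: bool = False                # trunk (all VLANs) vs access (PVID only)
    prohibited: frozenset = field(default_factory=frozenset)

    def member_of(self, vid):
        return vid not in self.prohibited if self.trunk else vid == self.pvid


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None when the frame
    carries no 802.1Q tag and 0 when it is priority-tagged (null VID)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def ingress(port, frame):
    """Admission rule: return the VID the frame is classified into, or None
    if the port drops it."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:            # untagged / priority-tagged -> PVID
        return port.pvid
    if vid == port.pvid:                    # tagged with the PVID: always admitted
        return vid
    if port.tagged and port.member_of(vid):  # Tagged?=Yes and assigned VLAN
        return vid
    return None


def egress(port, frame, vid):
    """Transmit a frame classified into `vid`: a Tagged?=Yes port emits it
    tagged, a Tagged?=No port strips VID and priority bits; non-members drop."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    if not port.member_of(vid):
        return None
    return build_frame(dst, src, ethertype, payload, vid=vid if port.tagged else None)


def forward(in_port, out_port, frame):
    """Ingress on one port, egress on another; None means the frame was dropped."""
    vid = ingress(in_port, frame)
    return None if vid is None else egress(out_port, frame, vid)


# Constructed ports mirroring the guide's figures.
E1 = PortConfig("E1", pvid=10, tagged=True, trunk=True, prohibited=frozenset({35, 40}))
E3 = PortConfig("E3", pvid=40, tagged=False)
E4 = PortConfig("E4", pvid=20, tagged=False)       # another access port, VLAN 20

MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
UNTAGGED = build_frame(MAC_B, MAC_A, 0x0800, b"ping")
TAG20 = build_frame(MAC_B, MAC_A, 0x0800, b"ping", vid=20)
TAG40 = build_frame(MAC_B, MAC_A, 0x0800, b"ping", vid=40)

if __name__ == "__main__":
    print("E3 -> E1:", forward(E3, E1, UNTAGGED))    # None: VLAN 40 prohibited on the trunk
    print("E1 -> E4:", forward(E1, E4, TAG20).hex())  # tag stripped on the access port
    print("E3 tag 20:", ingress(E3, TAG20))           # None: access port, wrong VID
```

The constructed frames show the zoning effect: a host on E3 (VLAN 40) cannot reach the trunk because E1 prohibits VLAN 40, and a frame tagged 20 arriving on the access port E3 is dropped rather than being re-homed into VLAN 40.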


Enabling VLANs

To enable VLANs, select the menu Ethernet → VLANs → Global Settings and change the drop-down box to Enabled. Then click on Apply Settings as shown below.

FIGURE 107 – Enabling VLANs. This menu is available as Ethernet → VLANs → Global Settings. After enabling, click on "Apply Settings"

VLANs and IP Addresses

After VLANs are enabled, each VLAN appears as an interface, and each VLAN segment can have its own unique IP address. The DHCP server built into MNS-DX, for example, can assign IP addresses not only on the physical interfaces but also on each of the VLAN interfaces defined; this is covered in the DHCP Server chapter. The VLAN interfaces are accessed using the Routing → IP-Address menu as shown below.

FIGURE 108 – After VLANs are added and enabled, each VLAN can have a unique IP address schema


Notice that in the above image capture the VLAN interfaces appear to be down. They appear down because no devices are plugged into the network. In some cases this is the desired behaviour, since it reflects the true state of the network. In other cases it is confusing that VLANs which were just enabled show as down. To have the interface reported up whether or not there are devices on the VLAN, click on "Other Options" as shown below.

FIGURE 109 – Click on Other Options to have the interface reported up even when no devices are present on the VLAN, i.e. to show that the VLAN services are running

Ignore Link should be used with caution and only in special cases (e.g. debugging VLANs). Enable the "Ignore Link?" option as shown below.


FIGURE 110 – Ignoring the link shows whether the VLAN services are functioning, irrespective of whether there are devices on the VLAN

After this the port or VLAN interface status changes to up.

FIGURE 111 – Ignoring link shows the port status to be up


The interface will always appear to be down if no IP address is defined for it.

Ignore Link should be used with caution, and only for debugging or network troubleshooting.

VLANs and Serial Ports This section describes the concept of Serial VLANs, a network design in which SCADA traffic is segregated from other network traffic by placing it on a separate VLAN.

Magnum DX products offer the capability of segregating serial traffic from other network traffic using VLANs. Because the terminal server application encapsulates serial traffic in IP packets, serial ports cannot be assigned directly to a VLAN. Instead, IP addresses are assigned to VLANs (creating virtual IP interfaces) and serial ports are in turn associated with local and/or remote IP addresses.

Serial IP packets transmitted by Magnum DX will include an 802.1Q VLAN tag if the following two conditions are met:
1. To reach the remote host, the IP packet must be sent over a virtual (VLAN) IP interface.
2. The physical transmission port selected (chosen based on VLAN assignments and MAC learning) is configured for VLAN tagging.

Finally – do not forget to save the changes after the configuration is completed.


Chapter 9

9 – DHCP Server

IP Access to other devices on the network….

This section explains how DHCP services can be provided for devices on IPv4 networks. MNS-DX can provide DHCP services. Network administrators use Dynamic Host Configuration Protocol (DHCP) servers to administer IP addresses and other configuration information for IP devices on the network. This automation provides better control, allows better utilization of IP addresses and reduces the maintenance burden. With DHCP, addresses that are no longer in use can be reused.

The DHCP client uses the DHCP protocol to obtain an IP address and other parameters such as the default gateway, subnet mask, and IP addresses of DNS servers from a DHCP server. The DHCP protocol provides a framework for passing configuration information to hosts on a TCP/IP network and is defined by several RFCs. DHCP was a natural evolution from the Bootstrap Protocol (BOOTP), adding the expiration of IP addresses (a lease), automatic allocation, reuse of network addresses and additional configuration options. DHCP captures the behavior of BOOTP relay agents, and DHCP participants can interoperate with BOOTP participants. The DHCP server ensures that all IP addresses it hands out are unique[3], i.e. no IP address is assigned to a second client while the first client's assignment is valid (its lease has not expired).

DHCP emerged as a standard protocol in October 1993. DHCP evolved from the older BOOTP protocol, in which IP address assignments were given for an infinite time. As networks evolved, BOOTP faced a restriction regarding the additional information needed to support different options for proper operation of network devices. Because DHCP is backward compatible, very few networks continue to use only BOOTP. RFC 2131 (March 1997) provides the most commonly implemented DHCP definition. This implementation is widely used and has proven to be interoperable across multiple vendor platforms and operating systems. There are other definitions of the protocol, such as RFC 3315 (July 2003), which describes DHCPv6 (DHCP in an IPv6 environment). Newer RFCs such as RFC 3396 and RFC 4391 enhance the capabilities of DHCP; some of these options are not widely implemented.

[3] To keep IP address assignments unique, network administrators must ensure no manual IP addresses are set within the pool and that there is only one DHCP server on the network (or on a VLAN).


As described earlier, the Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, default gateway, DNS servers, and other IP parameters. When a DHCP configured machine boots up or regains connectivity after a power outage or network outage, the DHCP client sends a query requesting necessary information from a DHCP server. The DHCP server listens for such requests and responds back to the client providing information such as the default gateway, the domain name, the DNS servers, other servers such as time servers, extent of the lease, and more. The query is typically initiated immediately after booting up and must be completed before the client can initiate IP-based communication with other hosts. The DHCP server replies to the client with an IP address, subnet mask, default gateway, and other requested information such as DNS server, etc.

Modes of Operation

DHCP provides three modes for allocating IP addresses (RFC 2131 calls them dynamic, manual and automatic allocation). The best-known mode is dynamic allocation, in which the client is given a "lease" on an IP address for a period of time. Depending on the stability of the network, this could range from hours (a wireless network at an airport or guest access in an office) to months (desktops in a lab or an office). At any time before the lease expires, the DHCP client can request renewal of the lease on its current IP address. A properly functioning client uses the renewal mechanism to keep the same IP address throughout its connection to a single network, which matters for the correct functioning of higher-layer protocols and applications. However, if the lease actually expires, the client must negotiate a new IP address from the server's pool. As part of that negotiation it can request its expired IP address, but there is no guarantee that it will get the same one. Many ISPs today provide Internet connectivity to the home over DSL or cable modems using DHCP to better utilize their IP space; the DSL router or cable modem follows the same principles to allocate and reuse IP addresses.

The second mode for allocation of IP addresses is a reservation (often called a DHCP reservation; RFC 2131 calls it manual allocation), in which the address is "permanently" assigned to a client. In this mode an IP address is reserved based on the MAC address of the device. When the lease expires, the same IP address is allocated back to the client as long as the MAC address matches. This guarantees the same IP address even after a power outage or a reboot[4]. The network administrator needs to change the MAC address in the reservation to reallocate the IP address to a different device. This reservation method is widely used to allocate IP addresses within a specific zone or subnet. Note that the MAC address is the only thing the server checks and any device can present any MAC address, so a reservation is an addressing convenience, not an authentication of the device.

The third mode is what RFC 2131 calls automatic allocation, in which the server assigns a permanent address (an infinite lease) from its pool the first time a client asks, without an administrator reserving it in advance. It is rarely used, because an address handed permanently to an unknown device cannot be planned for or reclaimed. Most administrators prefer a reservation, or a static IP address allocated from a range kept out of the DHCP pool, for devices that must keep a fixed address.

[4] This is true as long as the DHCP server is accessible and responds to the query.


Allocating specific IP address for specific networks or VLANs also aids in securing the network.

Technical Details

Since DHCP evolved from BOOTP, it uses the same two IANA-assigned ports as BOOTP: 67/UDP on the server side and 68/UDP on the client side. For DHCP to function across a firewall (including host firewalls on PCs or end devices), these ports must be allowed.

DHCP operations fall into four basic steps: 1) IP lease request (DHCPDISCOVER), 2) IP lease offer (DHCPOFFER), 3) IP lease selection (DHCPREQUEST) and 4) IP lease acknowledgement (DHCPACK).

These operations are shown in the figure below.

FIGURE 112 – DHCP Operation

DHCP Discovery

The client broadcasts on the physical subnet to find available servers. Network administrators can configure a local router to relay DHCP packets to a DHCP server on a different subnet. The client sends the DHCPDISCOVER in a UDP packet with the broadcast destination 255.255.255.255 (or the subnet broadcast address).


A client can also request its last-known IP address. If the client is still in a network where this IP is valid, the server might grant the request. Otherwise, it depends on whether the server is set up as authoritative or not. An authoritative server will deny the request, making the client ask for a new IP immediately. A non-authoritative server simply ignores the request, leading to an implementation dependent time out for the client to give up on the request and ask for a new IP.

DHCP Offers

When a DHCP server receives an IP lease request from a client, it extends an IP lease offer. This is done by reserving an IP address for the client and sending a DHCPOFFER message across the network to the client. This message contains the client's MAC address, followed by the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer. The server determines the configuration, based on the client's hardware address as specified in the CHADDR field. The server specifies the IP address in the YIADDR field.

DHCP Request

When the client receives an IP lease offer, it must tell all the other DHCP servers that it has accepted an offer. To do this, the client broadcasts a DHCPREQUEST message containing the IP address of the server that made the offer. When the other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the address they had reserved for the client to the pool of addresses they can offer to another computer. Any number of DHCP servers can respond to an IP lease request, but the client can only accept one offer per network interface card.

DHCP Acknowledgement

When the DHCP server receives the DHCPREQUEST message from the client, it initiates the final phase of the configuration process by sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client requested. At this point the TCP/IP configuration process is complete, and the client is expected to configure its network interface with the supplied options.


DHCP Inform

The client sends a DHCPINFORM to the DHCP server either to request more configuration information than the server sent with the original DHCPACK, or to repeat data for a particular application. Such queries do not cause the DHCP server to refresh the lease expiry time in its database.

DHCP Release

The client sends a DHCPRELEASE to the DHCP server to give up its lease, and stops using the IP address. The protocol does not make sending DHCPRELEASE mandatory; releasing the address is up to the client.
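The exchange described from DHCP Discovery through DHCP Release above, together with the reservation mode from Modes of Operation and the uniqueness rule from footnote 3, as an added worked example of the server side; this is not MNS-DX code and not taken from the guide. It models messages as Python objects rather than on-wire packets, takes the current time as a number of seconds supplied by the caller, and mirrors the guide's limits of 16 dynamic ranges and 100 static addresses; the pool, the reservation (00:00:80:21:35:54 to 10.1.5.10, as in Figure 114) and the client MAC addresses are constructed.

```python
"""Added example (not MNS-DX code): a minimal DHCP server state machine for
DISCOVER/OFFER/REQUEST/ACK/NAK/RELEASE with MAC-based reservations, an
authoritative switch, and the rule that an address is never handed to a
second client while the first client's lease is still valid.

Assumptions (mine, not the guide's): messages are dataclasses, not packets;
`now` is seconds supplied by the caller; MAX_* mirror the guide's limits.
"""
import ipaddress
from dataclasses import dataclass, field

# DHCP message type values carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7


@dataclass
class Msg:
    mtype: int
    chaddr: str                     # client hardware (MAC) address
    yiaddr: str = "0.0.0.0"         # "your" address, filled in by the server
    ciaddr: str = "0.0.0.0"         # client's current address (used in RELEASE)
    options: dict = field(default_factory=dict)   # 50 requested IP, 51 lease, 54 server id


@dataclass
class Lease:
    ip: str
    expires: float


class DhcpServer:
    MAX_RANGES, MAX_STATIC = 16, 100

    def __init__(self, server_ip, ranges, static, lease_time=3600, authoritative=True):
        if len(ranges) > self.MAX_RANGES or len(static) > self.MAX_STATIC:
            raise ValueError("exceeds the guide's DHCP server limits")
        self.server_ip, self.lease_time, self.authoritative = server_ip, lease_time, authoritative
        self.static = dict(static)                       # MAC -> reserved IP
        self.pool = [str(ipaddress.ip_address(i)) for lo, hi in ranges
                     for i in range(int(ipaddress.ip_address(lo)),
                                    int(ipaddress.ip_address(hi)) + 1)]
        self.leases = {}                                 # MAC -> Lease
        self.offers = {}                                 # MAC -> IP tentatively reserved

    def holder(self, ip, now):
        """MAC that owns `ip` through a valid lease, a reservation or an
        outstanding offer; None if the address is free."""
        for mac, lease in self.leases.items():
            if lease.ip == ip and lease.expires > now:
                return mac
        for table in (self.static, self.offers):
            for mac, owned in table.items():
                if owned == ip:
                    return mac
        return None

    def pick(self, mac, now):
        """Address to offer: reservation first, then a still-valid lease
        (so a renewing client keeps its address), then the first free pool entry."""
        if mac in self.static:
            return self.static[mac]
        lease = self.leases.get(mac)
        if lease and lease.expires > now:
            return lease.ip
        for ip in self.pool:
            if self.holder(ip, now) in (None, mac):
                return ip
        return None                                      # pool exhausted

    def handle(self, msg, now):
        if msg.mtype == DISCOVER:
            ip = self.pick(msg.chaddr, now)
            if ip is None:
                return None                              # nothing to offer
            self.offers[msg.chaddr] = ip
            return Msg(OFFER, msg.chaddr, yiaddr=ip, options={51: self.lease_time, 54: self.server_ip})
        if msg.mtype == REQUEST:
            if msg.options.get(54, self.server_ip) != self.server_ip:
                self.offers.pop(msg.chaddr, None)        # client chose another server
                return None
            wanted = msg.options.get(50, msg.ciaddr)
            reserved = self.static.get(msg.chaddr)
            allowed = (wanted == reserved) if reserved else (wanted in self.pool)
            if not allowed or self.holder(wanted, now) not in (None, msg.chaddr):
                # Not ours to give, or someone else's valid lease/offer/reservation.
                return Msg(NAK, msg.chaddr) if self.authoritative else None
            self.offers.pop(msg.chaddr, None)
            self.leases[msg.chaddr] = Lease(wanted, now + self.lease_time)
            return Msg(ACK, msg.chaddr, yiaddr=wanted, options={51: self.lease_time, 54: self.server_ip})
        if msg.mtype == RELEASE:
            lease = self.leases.get(msg.chaddr)
            if lease and lease.ip == msg.ciaddr:
                del self.leases[msg.chaddr]              # address goes back to the pool
        return None


def obtain(server, mac, now):
    """Run a full DISCOVER/OFFER/REQUEST/ACK exchange for one client and
    return the leased address, or None if there was no offer or a NAK."""
    offer = server.handle(Msg(DISCOVER, mac), now)
    if offer is None:
        return None
    ack = server.handle(Msg(REQUEST, mac, options={50: offer.yiaddr, 54: offer.options[54]}), now)
    return ack.yiaddr if ack and ack.mtype == ACK else None


def demo_server():
    """Constructed configuration: a two-address pool plus the reservation
    shown in the guide's static-address figure."""
    return DhcpServer("10.1.5.1", ranges=[("10.1.5.100", "10.1.5.101")],
                      static={"00:00:80:21:35:54": "10.1.5.10"})


if __name__ == "__main__":
    srv = demo_server()
    print(obtain(srv, "00:00:80:21:35:54", 0))          # reserved 10.1.5.10
    print(obtain(srv, "aa:bb:cc:00:00:01", 0))          # 10.1.5.100 from the pool
    print(srv.handle(Msg(REQUEST, "aa:bb:cc:00:00:02", options={50: "10.1.5.100"}), 0).mtype)  # 6 = NAK
```

Points worth noticing when running it: a client that requests an address another client still holds gets a DHCPNAK only from an authoritative server (a non-authoritative one stays silent, as the Discovery section describes), a renewal inside the lease period keeps the same address, and a released or expired address becomes free for the next DISCOVER.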

Client Configuration

A DHCP server can provide optional configuration parameters to the client. RFC 2132 defines the DHCP options, and the Internet Assigned Numbers Authority (IANA) maintains the registry of option codes (DHCP and BOOTP PARAMETERS).

DHCP Server Configuration

MNS-DX implements the DHCP server capabilities. In this example, we will define groups to match the VLANs setup in the earlier chapter.

Design Consideration

For setting up DHCP services, follow these simple guidelines:
1. Define the networks which need DHCP services. Typically this will map to the VLAN plan discussed in the chapter on VLANs.
   a. For each network define the gateway, DNS servers and DNS suffix the users should get.
   b. For each network define which device will perform the DHCP services. Ensure there is exactly one DHCP server for that network.
2. For each of the networks, define whether any devices should be static, i.e. a specific device (with a specific MAC address) always gets the same IP address when it makes a DHCP request.
3. For each network, define the pool of IP addresses the server manages: the start address and the end address. Along with the addresses, define the maximum lease time and the default lease time.

Once the planning is done, the DHCP services are added as shown below.

Define Networks

Define the networks or host parameters as shown below.

FIGURE 113 – Accessing DHCP Services. Define the networks as well as relevant information such as IP address of the Gateway, DNS servers and DNS suffix as shown above

Static Addresses

Static addresses are set up as shown below.


FIGURE 114 – Assigning Static addresses. In the above example, the device with the MAC address of 00:00:80:21:35:54 will always be assigned the IP address of 10.1.5.10/24

Dynamic Addresses or DHCP Pools

Dynamic addresses are set up as shown below.

FIGURE 115 – Assigning DHCP Pools or Dynamic Addresses


Managing Leases

Once IP addresses are leased, it may be necessary to view the associations between MAC addresses and IP addresses, and occasionally to delete a lease. To view the leases, click on Routing → DHCP Server → Leases as shown below.

FIGURE 116 – Managing IP addresses. In the above figure no IP addresses have been assigned.

To delete a lease, select the Delete box and click on “Apply Settings”. Once the IP address is deleted, it is put back in the DHCP pool.

A maximum of 16 dynamic address ranges can be defined for the DHCP server. A maximum of 100 static addresses can be defined for the DHCP server. The total number of reserved addresses (both static and dynamic) cannot exceed 100.


Chapter 10

10 – Serial Connectivity

Connecting many different types of devices….

This chapter explains how the serial ports available on the Magnum DX devices can be configured and used. Even today, many devices offer a serial port for connectivity. This serial port could be used for sending data from a sensor or an RTU. In other cases, the serial port is used as a console port for switches, card readers etc. Serial ports require local access and are limited by cable length or access distance. Using the serial to TCP/IP gateway capabilities, these limits are overcome.

Serial IO technologies

It is assumed here that the user is familiar with the concepts of RS-232 and RS-485, for example DTE and DCE devices and what the different devices are. Cable-level troubleshooting and building cables so that serial IO data can be sent across are not covered in this chapter.

Serial Protocol Backgrounder

There are many techniques for passing serial binary data between two or more digital systems. A number of popular methods based on standards published by the EIA/TIA (with ITU-T counterparts) are commonly referred to as "serial" protocols. Two of the most popular of these interfaces are EIA-232 (also known as RS-232) and EIA-485 (also known as RS-485).

Interfaces that support RS-232 (or some subset of the standard) are ubiquitous and found on nearly all personal computers. They also appear on many embedded computing devices, where they are used to carry streaming data or provide access to a user console. An RS-232 link provides full-duplex data and asymmetric control. One device on the link is defined as the DTE (Data Terminal Equipment) and the other device is defined as the DCE (Data Communications Equipment). Traditionally, a DTE was a computer system and a DCE was a communications device such as a modem. Handshaking signals provide for flow control as well as valid link detection. Data rates typically range from 150 bps to 115 kbps over distances up to 10 meters.

Interfaces that support RS-485 are often used in industrial networking with protocols such as Modbus; RS-485 has a number of advantages over RS-232. RS-485 can be configured as a 4-wire, full-duplex channel or a 2-wire, half-duplex channel. It may also be operated in point-to-point or multi-point topologies (RS-232 only supports point-to-point). Because the standard uses differential signaling over twisted pair, it can run over long distances, up to a kilometer. Maximum theoretical data transmission speeds are also higher than RS-232, up to 30 Mbps over short distances.

Serial IO and Ethernet

Serial data transfer standards like RS-232 and RS-485 are generally insufficient for implementing modern digital communication networks. In the past, these networks have been constructed using a number of available technologies, but industrial applications are increasingly shifting toward running the Internet Protocol (IP) over Ethernet-based technologies. This enables the deployment of highly interoperable, reliable, and secure high-speed networks at low cost.

Terminal Services

A Terminal Server, such as the Magnum DX1000TS, allows data to pass between a standard serial protocol link and an IP-based network. The Terminal Server functionality implemented in the family of Magnum DX routers provides a service that encapsulates asynchronous serial data in a TCP/IP packet or stream. The capabilities and services offered by the terminal services make the Magnum DX router suitable for situations where serial data needs to be captured or viewed over a TCP/IP network. This includes Modbus-based serial devices, console ports on remote devices, RTUs, sensors etc. All of these can be accessed by users over a TCP/IP network using the Magnum DX devices.

Serial Ports and Security

Most terminal servers do not bother with security; they depend on the network manager to ensure the TCP/IP network is secure. However, sensitive data, especially data from sensors in critical facilities such as water treatment plants, power stations, nuclear plants etc., could flow over a public network, and in many situations it must be transferred securely. MNS-DX provides SSL encryption capabilities to transfer data securely over TCP/IP networks. Note that SSL protects only the TCP/IP leg: the serial cable between the router and the device still carries cleartext, so both ends of it need physical protection, and a console port exposed through the terminal server should be treated as remote administrative access to that device.

Serial Ports and VLANs

As discussed earlier, VLANs separate traffic. Network managers use VLANs not only to manage traffic congestion but also to manage traffic flow, i.e. which portions of the network can access specific devices. This is done using access rules in firewalls or other filtering rules that allow traffic to flow, or block it, from one network to another. Serial ports can be associated with a specific interface as well as a specific VLAN. Using this feature, network managers can manage and control traffic flow from serial devices without having to worry about the specifics of the serial devices. The serial device is treated as a device on the VLAN segment. By controlling the access policies to the VLANs, the security access rules are automatically enforced on the serial devices as well.


Terminal Server

A Terminal Server is a device or software application that can pass data between a standard serial protocol link and an Ethernet-based network. Terminal servers offer many advantages over a locally accessed serial connection, including:

• The distance between the computer system and the end device is increased significantly. The effective maximum range of an RS-232 link is about 10 meters. With a terminal server, the computer system connects to the device over a network and the effective maximum range is limited only by the latency requirements of the communicating end systems.
• Multiple computer systems can communicate with a single RS-232 device. This would be impossible using just an RS-232 link because it only operates in point-to-point topologies. The terminal server performs a multiplexing function that passes data from multiple endpoints over the single RS-232 link.
• Connections between relatively large numbers of communicating end systems are supported over a common cabling infrastructure. Without a terminal server, limitations imposed by the RS-232/485 standards would likely require many dedicated lines between end systems.

FIGURE 117 – Terminal Server vs local Serial connection


Terminal Server Operations

The Magnum DX offers a terminal server function that transports serial characters over a TCP/IP network. A flexible set of connection options allows the user to configure each serial port for a different mode of operation. The terminal server functionality is organized into serial communication channels that may be added to or deleted from the system. Each channel is associated with a particular serial port and operates either in passive or active mode.

Passive Mode Channels

When a terminal server channel operates in passive (server) mode, it waits for incoming TCP connection requests. When a request is received it is accepted if the following criteria are met:

• The serial port operational state is UP.
• The maximum number of incoming connections will not be exceeded.

After a connection request is accepted, the TCP connection becomes active and serial data may be transmitted and received on the channel. A terminal server channel operates in passive mode if the “Call Direction” parameter is set to “In”. The following configuration parameters also affect the operation of the port in passive mode:

• Local IP – the IP address at which the server listens for connections. If the system has only a single assigned IP address, this parameter defaults to the system IP address and cannot be changed. If the system has multiple assigned IP addresses, this parameter can be set to any of those addresses. In this case, the software will only accept connections destined for the configured IP address. The port will not be reachable using other IP addresses, even if they are assigned to the system.
• Local TCP – the TCP port at which the server listens for connections. The TCP port may be in the range 1000 to 65535. It is invalid to assign the same TCP port to multiple terminal server serial ports.
• Maximum Connections – the maximum number of incoming connections that will be accepted for the terminal server serial port. Up to 5 simultaneous incoming connections are supported per serial port.

Active Mode Channels

When a terminal server port operates in active (client) mode, it actively attempts to connect to a specified remote host whenever the serial port operational state is UP. After an outgoing connection request is accepted by the remote host, the TCP connection becomes active and serial data may be transmitted and received on the channel. A terminal server port operates in active mode if the “Call Direction” parameter is set to “Out”.


The following configuration parameters also affect the operation of the port in active mode:

• Local IP – the IP address to which the channel binds before making an outgoing connection. This is the address used in a transmitted packet's source address IP header field.
• Local TCP – the TCP port to which the channel binds before making an outgoing connection. The TCP port may be in the range 1000 to 65535. This is the port number used in a transmitted packet's source port TCP header field. It is invalid to assign the same TCP port to multiple terminal server channels. When a channel is configured in active mode, it is also valid to assign a value of '0' for the Local TCP port. This tells the system that it can select any unused port number as the local TCP port for this connection.
• Remote IP – the IP address to which the terminal server attempts to connect.
• Remote TCP – the TCP port to which the terminal server attempts to connect.
• Retry Time – when a connection attempt fails (for any reason), this is the minimum amount of time the terminal server will wait before retrying the attempt.

Mixed Mode Channels

When a terminal server port is configured to operate in a mixed mode, it simultaneously acts as both a passive server and an active client. This is accomplished by adding an "In" channel as well as at least one "Out" channel that uses the port. In general, this mode should be used with care. If both sides of a connection are configured in mixed mode, redundant TCP connections can result.

Session Type

Sessions can be defined as “Raw” or as Telnet sessions. Telnet sessions use the Telnet protocol for communicating. The Telnet session is available for situations which need a Telnet connection to establish the serial connectivity (usually called a reverse Telnet session). By default, MNS-DX enables “Raw” sessions. The figure below shows a typical terminal server connection.


FIGURE 118 – Terminal Server

When using terminal services, please ensure that the proper serial cable is used. Sometimes a gender changer or null modem connectors may be needed for proper connectivity. When connecting to devices such as Magnum 6K switches, make sure the parameter “Ignore DSS” is set to “Yes”.

Configuring Terminal Services

To configure terminal services, the following three steps need to be followed:

1. Define the Profiles associated with the different types of serial devices. Each serial device uses different baud rates, start-stop bits, flow control etc. These characteristics are defined in the profile of the serial devices.
2. Associate the serial port on the MNS-DX device with the profile defined.
3. Set up the TCP/IP parameters – this defines the IP address and socket numbers to use for each of the serial ports to send and receive the serial data over the TCP/IP network.

Step 1 - Profiles

Profiles determine the serial IO characteristics of a group of serial devices. All MNS-DX devices ship with a profile of “Default.” The profile menu is accessed using the Serial → Ports → Profiles menu as shown below.


FIGURE 119 – Setting Profiles for the serial ports

Table 8 – Profile Parameters

Name – Value

Profile Name – User defined name for the Profile. New Profiles are defined in the “Add New Profile” menu. Profiles which are defined are accessed in the “Existing Profiles” menu. Once added, Profiles are available via a drop down menu item in the “Existing Profiles” menu.

Interface Standard – The physical interface standard used by the port. This parameter may take one of the following values:
• RS232 (RTS always asserted)
• RS232 Half (RTS asserted only when transmitting)
• RS485 2-wire (half duplex operation)
• RS485 4-wire (full duplex operation)
Default value = RS232

Speed – The baud rate of the port. This parameter may take one of the listed values: 300, 600, 1200, 2400, 4800, 9600, 19200, 28800, 33600, 38400, 57600, 115200, 230400.
Default value = 9600

Data Bits – The total number of bits in a character. This parameter may be 7 bits or 8 bits.
Default value = 8


Stop Bits – The duration of the MARK condition on the line after character transmission is complete. This parameter may take one of the following values:
• 1
• 1.5
• 2
Default value = 1

Parity – The parity bit allows error detection. This parameter may take one of the following values:
• None
• Odd
• Even
Default value = None

Ignore DSS – This parameter takes one of the following values:
• No – The Oper State of the port is UP if the DSR or DCD handshake signal is on and the Admin State is ENABLED.
• Yes – The Oper State of the port is UP if the Admin State is ENABLED.
Default value = No
Note – when using terminal services to access console ports on the Magnum 6K switches or other switches, ensure that the value is changed to “Yes”.

Flow Control – The type of flow control implemented. This parameter may take one of the following values:
• None
• XON/XOFF – Software flow control. The unit will stop transmitting if an XOFF (19) character (CTL-S) is detected in the received stream and will start when an XON (17) character (CTL-Q) is detected.
• RTS/CTS – Hardware flow control. The unit will stop transmitting if CTS is de-asserted.
Default value = None

Packet Character (Pkt Char) – This parameter defines a special character in the data stream that forces an end of packet event. This parameter may take any value from 0 to 255. If this parameter is set to “None”, the end of packet event will not occur based on a received character.
Default value = None

Packet Time (Pkt Time) ms – This parameter defines a value in milliseconds. If an additional character is not received before the timer expires, an end of packet event occurs. The value 0 disables the end of packet event timer.
Default value = 200
Valid range = 10 – 1000 ms


Maximum Packet Size (Max Pkt Size) bytes – This parameter defines a maximum packet size. When the number of received characters reaches this maximum, an end of packet event occurs.
Default value = 1024
Valid range = 32 - 1024. (Note that this means no packet will hold more than 1024 serial characters. The actual packet size will be larger than this when network headers and encryption overhead are taken into account.)

Turnaround Time (T/A Time) ms – This parameter defines a turnaround time for the serial port. The turnaround time is an enforced minimum delay between received network packets that are sent out the serial port. The purpose of the minimum delay is to give legacy RTUs a chance to recover from the previous packet reception.
Default value = 0 (off)
Valid range = 0 - 1000 ms

Delete – Checking the box in the delete column allows defined profiles to be deleted. Click on “Apply Settings” after the box is selected to delete the profile.
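The three end-of-packet events (Pkt Char, Pkt Time, Max Pkt Size) and the Turnaround Time delay from Table 8, modelled as an added Python example; this is not GarrettCom code, and the timing model (each character tagged with its arrival time in ms, sample streams constructed inline) is an assumption made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Profile:
    """The three end-of-packet parameters from Table 8, validated to the stated ranges."""
    pkt_char: Optional[int] = None   # Pkt Char: 0-255, or None for "None"
    pkt_time_ms: int = 200           # Pkt Time: 0 disables the timer, else 10-1000 ms
    max_pkt_size: int = 1024         # Max Pkt Size: 32-1024 serial characters

    def __post_init__(self):
        if self.pkt_char is not None and not 0 <= self.pkt_char <= 255:
            raise ValueError("Pkt Char must be 0-255 or None")
        if self.pkt_time_ms != 0 and not 10 <= self.pkt_time_ms <= 1000:
            raise ValueError("Pkt Time must be 0 (off) or 10-1000 ms")
        if not 32 <= self.max_pkt_size <= 1024:
            raise ValueError("Max Pkt Size must be 32-1024")


class Packetizer:
    """Buffers received serial characters and cuts a packet on each end-of-packet event.

    Modelling assumption: every character is fed with its arrival time in ms, and the
    inter-character timer fires when the gap before a character exceeds Pkt Time.
    """

    def __init__(self, profile: Profile):
        self.p = profile
        self.buf = bytearray()
        self.last_rx_ms: Optional[int] = None

    def _timer_expired(self, now_ms: int) -> bool:
        return (bool(self.buf) and self.p.pkt_time_ms != 0
                and self.last_rx_ms is not None
                and now_ms - self.last_rx_ms > self.p.pkt_time_ms)

    def feed(self, ch: int, now_ms: int) -> List[Tuple[str, bytes]]:
        """Feed one received character; return the packets it caused as (reason, data)."""
        out = []
        if self._timer_expired(now_ms):                 # Pkt Time event
            out.append(("pkt_time", bytes(self.buf)))
            self.buf.clear()
        self.buf.append(ch)
        self.last_rx_ms = now_ms
        if self.p.pkt_char is not None and ch == self.p.pkt_char:   # Pkt Char event
            out.append(("pkt_char", bytes(self.buf)))
            self.buf.clear()
        elif len(self.buf) >= self.p.max_pkt_size:      # Max Pkt Size event
            out.append(("max_pkt_size", bytes(self.buf)))
            self.buf.clear()
        return out

    def idle(self, now_ms: int) -> List[Tuple[str, bytes]]:
        """Line went quiet: emit the buffer if Pkt Time expired (nothing when the timer is off)."""
        if self._timer_expired(now_ms):
            pkt = bytes(self.buf)
            self.buf.clear()
            return [("pkt_time", pkt)]
        return []


def timed(data: bytes, start_ms: int, gap_ms: int = 1) -> List[Tuple[int, int]]:
    """Constructed-input helper: characters arriving gap_ms apart, starting at start_ms."""
    return [(start_ms + i * gap_ms, b) for i, b in enumerate(data)]


def packetize(profile: Profile, stream: List[Tuple[int, int]]) -> List[Tuple[str, bytes]]:
    """Run a whole timed character stream through the packetizer, then let the line go idle."""
    pz = Packetizer(profile)
    packets = []
    for ms, ch in stream:
        packets.extend(pz.feed(ch, ms))
    if stream:
        packets.extend(pz.idle(stream[-1][0] + profile.pkt_time_ms + 1))
    return packets


def turnaround_schedule(arrivals_ms: List[int], ta_time_ms: int) -> List[int]:
    """Turnaround Time: earliest time each received network packet may go out the serial port."""
    sent, last = [], None
    for t in arrivals_ms:
        t = t if last is None else max(t, last + ta_time_ms)
        sent.append(t)
        last = t
    return sent


if __name__ == "__main__":
    # Constructed sample: an 8-byte Modbus RTU request, a 300 ms gap, then a 5-byte reply.
    rtu = Profile(pkt_char=None, pkt_time_ms=200, max_pkt_size=1024)
    stream = timed(b"\x01\x03\x00\x00\x00\x0a\xc5\xcd", 0) + timed(b"\x01\x03\x14\xaa\xbb", 400)
    for reason, pkt in packetize(rtu, stream):
        print(reason, pkt.hex())
    # Console profile: newline (10) as Pkt Char cuts each line into its own packet.
    console = Profile(pkt_char=10, pkt_time_ms=200, max_pkt_size=1024)
    for reason, pkt in packetize(console, timed(b"login:\nabc", 0)):
        print(reason, pkt)
    print(turnaround_schedule([0, 5, 300], 100))   # [0, 100, 300]
```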

Once the Profiles are defined, the next step is to associate the serial ports with the profiles.

Step 2 – Associate ports to profiles

Associating a profile with the serial port sets the baud rate and other serial parameters for the port. The same menu also allows the serial port to be enabled or disabled. The ports to profiles association can be done using the Serial → Ports → Settings menu as shown below.

FIGURE 120 – Associating Profiles with Serial Ports


The menu options are:

Port ID – Defines the physical serial port number.
Port Name – Allows the user to associate a logical port name with the serial port.
Profile – Associates the profile with the serial port.
Admin Status – Defines whether the port is enabled or disabled.

After the ports are enabled and the necessary profiles associated with the ports, the next step is to associate the IP parameters to the serial port.

Step 3 – Setting TCP/IP parameters for Serial ports

The next step is to verify that the Terminal Server screen settings are set properly. The Terminal Server screen associates the IP address and port number with the serial port, along with other parameters as shown below.

FIGURE 121 – Associate the IP address and port number, along with other parameters for terminal services to function properly


Table 9 – Terminal Server parameters

Name – Value

Port ID – Defines the serial port number. S1 = Serial port 1, S2 = Serial port 2 etc.

Call Direction – The direction in which the TCP connection will be established. This parameter takes one of the following values:
• In – The port acts like a passive TCP server, listening at the configured Local TCP port.
• Out – The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
You can add multiple "Out" channels to a single serial port; however, you can have only a single "In" channel assigned to a serial port. You cannot assign two channels the same Local Address and Local Port. This is done using the “Add New Channel” menu at the top of the Existing Channels menu.
Default value = In

Session Type – This parameter takes one of the following values:
• Raw – Provides a transparent pipe for serial data.
• Telnet – Enables basic Telnet negotiation and control character processing ( and BINARY modes supported).
Default value = Raw

Priority (DiffServ) – Each IP packet generated on this port will be assigned a DiffServ Code Point (DSCP) based on the priority set by the user. The priorities are:
• Default – Best Effort Service (DSCP 0). This is normal queuing.
• Expedited – Expedited Forwarding (DSCP 0x2E) (RFC 2598). This will also result in data from this port having a higher priority on WAN ports.

Local IP – The local IP address upon which the server listens for connections when the direction is set to “In”. These addresses are set by defining the IP address to VLANs or to interfaces defined. The default value of “Any” provides the most flexible configuration, i.e. connections on any IP address defined for the router.
Default value = Any

Local TCP – The TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network. This parameter may be set to any value between 1000 and 65535. Note: No two rows in the table may have the same Local IP and Local TCP combination, as the serial port is uniquely identified by the IP address + port combination. For “Out” ports, there can be multiple Out ports defined, as mentioned earlier. Yet each port should have a unique IP address (can be Any if needed) and port number association.
Default values start at 10201 and increment by one for each serial port.


Remote IP – The remote IP address that the client attempts to connect to when the direction is set to “Out”. This parameter may be set to any IP address or 0.0.0.0.
Default value = 0.0.0.0 (Any)

Remote TCP – The remote TCP port to which the client attempts to connect. This parameter may be set to any value between 0 and 65535.
Default value = 0 (any port)

Maximum Connections – The maximum number of incoming TCP connections to accept for this serial port. This parameter may be set to a value ranging from 1 to 16.
Default value = 5

Retry Time – The number of seconds the client waits for a connection to succeed before timing out and retrying.
Default value = 30

Delete – Checking the box in the delete column deletes the profile when the settings are applied using the “Apply Settings” button.

Thus in summary, to enable terminal services, follow the steps listed below:

• Define the Profile.
• Set the profile associated with the port.
• Set the TCP/IP parameters for the serial port.

Troubleshooting Terminal Services

As mentioned in the previous section, the terminal server is set up using the following three steps:

• Define the Profile.
• Set the profile associated with the port.
• Set the TCP/IP parameters for the serial port.

After each step, it may be necessary to confirm that the settings were set properly. This is done by reviewing the status screen associated with each setting. For the Profiles, the Profiles definition screen provides the list of all profiles defined. There is no separate screen to review status of the profiles. Each of the profiles can be edited if needed by using the drop down menus defined for each of the profiles.

Before you start, it is always a good idea to ensure the remote device is reachable. To test that, a simple “ping” test can assure there is end-to-end connectivity. After the end-to-end connectivity is established, follow the steps below.


Port Status

Port Status provides the signal status on each of the serial ports as shown below.

FIGURE 122 – Signals associated with serial ports after the ports are configured using the Serial Ports Settings menu

The screen provides information as follows:

Port ID – Serial port number
DCD – The current state of the Data Carrier Detect signal
CTS – The current state of the Clear to Send signal
DSR – The current state of the Data Set Ready signal
Oper State – The actual status of the port; it reflects the operational state of the port.
• If the Admin Status is set to Disabled, the Oper Status will always be Disabled.
• If the Admin Status is set to Enabled and the port is ready to send and receive data, the Oper Status will be Up.
• If the Admin Status is set to Enabled and the port is not ready to send and receive data, the Oper Status will be Down.

Port Statistics

After the signals on the serial ports are verified, verify whether the serial ports are “seeing” traffic, i.e. is there traffic being sent and received by each of the serial ports and are there errors noticed on those ports. This is done by using the Serial Ports Statistics settings as shown below.


FIGURE 123 – Statistics for the serial ports

The screen provides information as follows:

Port ID – Serial port number
Tx Chars – Number of characters transmitted (since the last restart or clear)
Rx Chars – Number of characters received (since the last restart or clear)
Breaks – The number of times a break was detected in the middle of receiving a character. A break is detected when an all-zero character with no stop bit is received.
Parity Errors – The number of times the calculated parity of a character did not match the configured parity mode. (Note: the character will be dropped.)
Framing Errors – The number of times a character without a valid stop bit was detected
Overruns – The number of times a received character was dropped because it could not be buffered

Channel Status

Finally, at this stage, we have verified that the Profiles are set and that the serial ports are enabled as well as sending and receiving traffic. Next, it is important to verify that the TCP/IP parameters are set properly. Sometimes, while the serial ports may be showing traffic on the port, the TCP/IP parameters may preclude communications, as there may be firewall or other filtering elements preventing traffic from propagating through the network. This is shown below:


FIGURE 124 – Channel Status shows the status of active TCP/IP connections on the serial ports

The screen provides information as follows:

Port ID – Serial port number
Call Direction – Refer to Table “Terminal Server Parameters” as shown above
Local IP – Refer to Table “Terminal Server Parameters” as shown above
Remote IP – Refer to Table “Terminal Server Parameters” as shown above

Connecting SCADA devices

SCADA devices are typically connected locally using a serial cable. When the SCADA master needs to connect to several devices over longer distances, Magnum DX routers can be deployed to connect to these devices. This section shows how this can be done.

Three GarrettCom Magnum DX devices are used to connect three serial devices over a TCP/IP network. One of the serial devices is a SCADA master and the other two are slaves. The DX800 (connected to the master) is configured to make one active connection to each of the DX40s (each connected to one slave device). This example network is shown below.


FIGURE 125 – Example network for connecting multiple SCADA Devices

The serial Master shown in the example is a DX800 router. Any of the Magnum DX devices can be used. To configure the device shown with the IP address 192.168.1.2, the following should be kept in mind:

1) Configure the serial ports as shown in the section “Configuring Terminal Services”. Follow both Step 1 and Step 2 in that section to configure the serial ports.
2) Configure the IP addresses to match the network shown in the picture above. Here are the few details to pay attention to:
   a. On the DX800 shown above with the IP address 192.168.1.2, the direction of the serial connection is set to “Out”. The remote IP addresses are set to 192.168.1.3 and 192.168.1.4 respectively.
   b. On the DX40 shown above with the IP address 192.168.1.3, the direction of the serial connection is set to “In” with the remote IP set to 192.168.1.2 or any (0.0.0.0 – which is the one shown below).
   c. The same settings are applied to the other remote devices. On the DX40 shown above with the IP address 192.168.1.4, the direction of the serial connection is set to “In” with the remote IP set to 192.168.1.2 or any (0.0.0.0 – which is the one shown below).

This is shown in the screen captures below.


FIGURE 126 – Setting up the DX800 where the SCADA Master is. Note the call connection directions are set to Out – allowing the SCADA Master to initiate the connections

FIGURE 127 – Setup of the remote DX routers. Note the serial ports call direction is set to “In” allowing incoming connection requests. The TCP port number (socket number) matches the port number (socket number) of the serial ports on the DX device connected to the SCADA Master


For troubleshooting the connections and the services, follow the guidelines shown in the section “Troubleshooting Terminal Services”.

Finally do not forget to save the configuration once the changes are made.


Chapter 11 – Secure Serial Connectivity or Serial SSL

Secure connectivity to critical infrastructure devices ….

This chapter builds on the previous chapter and shows how serial data can be transmitted securely. Many critical infrastructure monitoring devices, such as SCADA devices at power utilities and power sub stations, nuclear plants, water treatment plants etc., require that all data sent over the network is securely transmitted. This is done using the secure serial connectivity options available in MNS-DX.

To use the capabilities described in this chapter, MNS-DX-SECURE is required. MNS-DX can be upgraded to MNS-DX-SECURE by adding a license key.

MNS-DX supports the ability to carry serial data over authenticated, encrypted TCP connections using the SSL protocol (SSLv3 or TLSv1). RSA public key cryptography and X.509 certificates are used to verify the authenticity of a connecting entity. Once a connection has been established, any of a number of encryption algorithms may be employed including DES, 3DES, AES (128 or 256 bit), or RC-4 (128 bit). Either MD5 or SHA-1 may be used for generating message authentication codes.

SSL is a cryptographic protocol that creates a secure data transfer session over a standard TCP connection. It provides both authentication and privacy and supports a large number of cryptographic algorithms.

When an SSL connection is first established, a handshake protocol is executed. The handshake accomplishes the following:

• negotiates connection parameters.
• optionally authenticates the peer.
• determines a shared master secret.

If the handshake succeeds, data transferred over the connection is now encrypted using the negotiated encryption algorithm and the shared master secret.

Each terminal server connection on a Magnum DX product may be authenticated and encrypted using SSL. MNS-DX supports SSLv3 and TLSv1. SSLv2 has many known issues and vulnerabilities and is not supported by MNS-DX.


Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols to protect traffic on the Internet. SSL and non-SSL access to the web server is always available. The system is shipped with a default web server key and certificate. We recommend that you generate and install a new key file. You can do this by uploading the file to the keys screen and then selecting the new key on the web server configuration screen. No reboot is necessary for the change to take effect. MNS-DX supports RSA public key encryption and X.509 certificates.

Configuring Secure Serial Connectivity

Set up the ports for serial connectivity as described in the section “Configuring Terminal Services”. After the ports are configured, set the specific ports needed for security. Not all ports need to be configured for security. Specific ports can be configured as needed for secure serial connectivity. This configuration is done using the Security → Serial/SSL menu as shown below. In the screen capture below, the screen capture from a DX1000 device is shown to accentuate the fact that any port can be configured for security as needed.

FIGURE 128 – Setting up specific ports for secure connectivity. The screen above is captured from a DX1000 device to show ports 1 and 6 are configured for secure serial connectivity

In the figure above, the respective fields are described below:

Port Id – Serial port number

Enable Security – “Yes” enables SSL security on the port. “No” disables SSL security. Default is “No”.

Allowed Ciphers – This parameter specifies the cipher suites to be allowed on a port. One of the following options can be selected:
• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA

In addition, the following groups, which are combinations of the standard cipher suites, may be specified:
• ANY - any supported cipher suite
• ANY_STRONG - any supported cipher suite with at least 128 bit keys
• ANY_STRONG_SSL - any strong cipher suite that uses SSLv3
• ANY_STRONG_TLS - any strong cipher suite that uses TLSv1
• ANY_AES - any cipher suite that uses AES

Require Authentication – If this option is set to "Yes", the connected SSL peer must provide a valid and trusted certificate or the SSL handshake will fail.

Local Certificate – The name of an X.509 local certificate to use during the SSL handshake / negotiation.

Troubleshooting Secure Serial Connectivity

Once the security settings are set, it is a good idea to test the connectivity. If the connectivity fails, unset or disable the SSL security and test for connectivity. If the connectivity still fails, use the steps described in Troubleshooting Terminal Services to troubleshoot serial connectivity.

Once the serial connectivity is established, enable secure SSL on the port. Then test for connectivity. If the connectivity fails, there could be several issues which may need debugging. See table below for possible causes and resolution.


Table 10 – Secure SSL troubleshooting (Note – 192.168.1.2 is the remote unit in this table)

Symptom: Connection is not made and no events appear in the event log.
Possible Problem: The local DX unit is not attempting to connect out, or the serial ports may be disabled.
Potential Resolution: Verify that the serial port is enabled and in the UP operational state. A connection will not be attempted from a serial port that is DOWN or DISABLED. Note: Enabling a serial port and setting “Ignore DSS” to TRUE will force a serial port into the UP state.

Symptom: Event: "Serial port S1 reports that the host at 192.168.1.2 is unreachable"; Event: "Serial port S1 reports that the host at 192.168.1.2 is down"; Event: "Serial port S1 reports that the connection to the host at 192.168.1.2 (10201) was refused"
Possible Problem: The local DX unit attempted to connect to the remote unit but it was unreachable, or the TCP port is not open or is blocked by some device.
Potential Resolution: Verify that the remote unit is reachable by logging into the Command Line Interface (CLI) and using the ping command. Verify that the specified port is open / available on the remote unit by using a PC to telnet to the port. If the connection is refused, your remote unit is probably not configured properly. Ensure the remote unit is set to accept telnet connections. Verify that the operational state of the remote serial port is UP. A connection will not be accepted on a port that is in the DOWN or DISABLED state.

Symptom: Event: "Serial port S1 experienced a problem (unsupported protocol) while connecting to the remote host at 192.168.1.2 (10210)"
Possible Problem: The SSL handshake could not complete because the peer is attempting to use a protocol that MNS-DX does not support.
Potential Resolution: Check your configuration. Make sure that both sides of the connection allow compatible cipher suites.

Symptom: Event: "Serial port S1 experienced a problem (no shared cipher) while connecting to the host at 192.168.1.2 (10201)"
Possible Problem: The SSL handshake could not complete because no shared cipher was available.
Potential Resolution: Check your configuration. Make sure that both sides of the connection allow compatible cipher suites.


Symptom: Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (certificate has expired)"; Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (certificate is not yet valid)"
Possible Problem: The SSL handshake failed during certificate verification because the current day and time are not within the peer certificate's valid date range.
Potential Resolution: Make sure your system's time and date are set properly. Check the certificate on the other system and make sure it has appropriate "notBefore" and "notAfter" dates.

Symptom: Event: "Serial port S1 received a notification (sslv3 alert certificate expired) from the host at 192.168.1.2 (10201)"
Possible Problem: The SSL handshake failed during certificate verification because your certificate has expired.
Potential Resolution: Make sure the other system’s time and date are set properly. Check your key file and make sure that the enclosed certificate file has appropriate “notBefore” and “notAfter” dates.

Symptom: Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (self signed certificate in certificate chain)"
Possible Problem: The SSL handshake failed during certificate verification because an untrusted self-signed certificate was found in the chain.
Potential Resolution: Make sure that you have installed the peer’s root CA certificate and have marked it as trusted.

Symptom: Event: “SSL: Message from peer on channel SX (tlsv1 alert unknown ca).”
Possible Problem: The SSL handshake failed during certificate verification because you presented an un-trusted self-signed certificate in your certificate chain.
Potential Resolution: Make sure that you are presenting a valid certificate chain (that is, each certificate in a valid chain is signed by the next certificate in the chain, except for the final certificate, which is a self-signed root CA certificate). Make sure that the other system has installed your CA’s certificate and marked it as trusted.
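An added Python example (not GarrettCom code) that ties the Allowed Ciphers groups from the Serial/SSL screen to the handshake failures in Table 10: it expands a group such as ANY_STRONG to the ten listed suites, predicts whether two sides' settings share a cipher, and applies the "notBefore"/"notAfter" date check. The mapping of "unsupported protocol" to an SSLv3-only side meeting a TLSv1-only side, the key-length table in key_bits, and the certificate dates are assumptions of this model.

```python
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# The ten cipher suites listed on the Serial/SSL screen, in page order.
SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
]


def key_bits(suite: str) -> int:
    """Symmetric key length implied by the suite name (assumption: single DES = 56 bits)."""
    if "_3DES_" in suite:
        return 168
    if "_DES_" in suite:
        return 56
    for tag, bits in (("RC4_128", 128), ("AES_128", 128), ("AES_256", 256)):
        if tag in suite:
            return bits
    raise ValueError(f"unknown suite {suite}")


def expand(allowed: str) -> List[str]:
    """Expand one Allowed Ciphers selection (a single suite or a group) to concrete suites."""
    if allowed in SUITES:
        return [allowed]
    strong = [s for s in SUITES if key_bits(s) >= 128]          # "at least 128 bit keys"
    groups = {
        "ANY": list(SUITES),
        "ANY_STRONG": strong,
        "ANY_STRONG_SSL": [s for s in strong if s.startswith("SSL_")],  # SSLv3 suites
        "ANY_STRONG_TLS": [s for s in strong if s.startswith("TLS_")],  # TLSv1 suites
        "ANY_AES": [s for s in SUITES if "_AES_" in s],
    }
    if allowed not in groups:
        raise ValueError(f"unknown Allowed Ciphers value {allowed}")
    return groups[allowed]


def negotiate(local_allowed: str, remote_allowed: str) -> Tuple[Optional[str], str]:
    """Predict the handshake outcome for the two sides' Allowed Ciphers settings.

    Returns (suite, "ok") on success, otherwise (None, reason) with the reason text
    used in the Table 10 events. Assumption: "unsupported protocol" when the sides
    share no protocol version (SSLv3 vs TLSv1) at all, "no shared cipher" when the
    versions overlap but no suite does.
    """
    local, remote = expand(local_allowed), expand(remote_allowed)
    shared = [s for s in local if s in remote]
    if shared:
        return shared[0], "ok"

    def versions(suites: List[str]) -> set:
        return {s.split("_", 1)[0] for s in suites}     # "SSL" or "TLS" prefix

    if not versions(local) & versions(remote):
        return None, "unsupported protocol"
    return None, "no shared cipher"


def certificate_window(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """The certificate date checks from Table 10: returns the event reason text or "ok"."""
    if now < not_before:
        return "certificate is not yet valid"
    if now > not_after:
        return "certificate has expired"
    return "ok"


if __name__ == "__main__":
    print(expand("ANY_STRONG"))
    print(negotiate("ANY_AES", "ANY_STRONG"))                    # AES suite, ok
    print(negotiate("ANY_AES", "ANY_STRONG_SSL"))                # unsupported protocol
    print(negotiate("TLS_RSA_WITH_DES_CBC_SHA", "ANY_STRONG"))   # no shared cipher
    # Constructed certificate dates, checked against a fixed "now" so the run is reproducible.
    nb = datetime(2010, 1, 1, tzinfo=timezone.utc)
    na = datetime(2011, 1, 1, tzinfo=timezone.utc)
    print(certificate_window(nb, na, datetime(2012, 6, 1, tzinfo=timezone.utc)))
```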

Finally, after all the configuration is completed, please save the work.


Chapter 12 – Modbus

Connecting Industrial Devices via Modbus

There are several features built into the Magnum DX family of routers with MNS-DX for Modbus connectivity. Unlike most devices which provide a view into Modbus memory settings and how the values change, a Magnum DX router provides full gateway functionality between TCP/IP networks and Modbus devices, allowing Modbus devices to operate over TCP/IP networks.

Modbus overview

Modbus is an application-layer messaging protocol, positioned at level 7 of the OSI model, which provides client/server communication between devices connected on different types of buses or networks. PLC controllers can communicate with each other and with other devices over a variety of networks. The common language used by most PLC controllers is the Modbus protocol. This Modbus protocol defines a message structure that controllers will recognize and use, regardless of the type of networks over which they communicate. It describes the process a controller uses to request access to another device, how it will respond to requests from the other devices, and how errors will be detected and reported. It establishes a common format for the layout and contents of message fields. Modbus is a request/reply protocol and offers services specified by function codes. Modbus function codes are elements of Modbus request/reply PDUs. The Modbus protocol thus operates at layer 7 of the OSI 7 layer stack. Additional information on Modbus can be found at http://www.modbus.org and other related sites.

Modbus is an application layer messaging protocol for client/server communication between devices connected on different types of buses or networks. It is currently implemented using:

• TCP/IP over Ethernet. This implementation is found on Magnum 6K Switches as well as in Magnum DX routers.
• Asynchronous serial transmission over a variety of media (wire: EIA/TIA-232-E, EIA-422, EIA/TIA-485-A; fiber, radio, etc.). This implementation is found on the Magnum DX routers on the serial interfaces.

FIGURE 129 - Modbus Communications stack

The Modbus protocol allows communications between all different types of devices. An example of this, using the Magnum product family, is shown below.

FIGURE 130 - Interconnecting different Modbus devices

Architecturally, the above can be simplified as follows.


FIGURE 131 - Modbus networks can be built out using Magnum family of products, including Magnum 6K family of switches and Magnum DX routers

RFC 1122 - Requirements for Internet Hosts -- Communication Layers - defines how Modbus packets can be carried over a TCP/IP transport and how PLC controllers and devices can communicate over a TCP/IP network. As per this RFC, Modbus communications take place on TCP port 502. Please make sure the network security devices do not block port 502. If port 502 is blocked, which is the normal case with many firewalls and other security devices, communications between two Modbus devices over a TCP/IP network will not succeed. If the PLC devices using Modbus are on the same LAN segment, and a firewall is not traversed, then this is not an issue.

Modbus on MNS-DX

Magnum DX supports client (master) and server (slave) modes of operation for the Modbus/TCP protocol as per the March 29, 1999 (Release 1.0) Open Modbus/TCP Specification written by Andy Swales of Schneider Electric.


FIGURE 132 – Sample Modbus network using Magnum DX routers

Modbus devices (masters and slaves) are connected to Magnum DX industrial routers at the edge of the network. In addition, Modbus/TCP clients and servers may be connected directly to the IP network over an Ethernet link. The Modbus serial devices are connected to the DX units via RS-232 and/or RS-485 single or multi-drop interfaces. The serial Modbus masters initiate requests to the slaves. These requests are encapsulated and forwarded by the Modbus / TCP client software to the appropriate Modbus/TCP server. At the server, the request is de-encapsulated, analyzed, and sent over the appropriate serial port to the serial Modbus slave. When the slave device responds, the response is encapsulated and sent back to the Modbus / TCP client that in turn de-encapsulates and forwards the response to the Modbus master. Device tables are kept on each DX that describe the locally connected Modbus serial devices as well as how to reach each remote device.

Serial and TCP variants

For serial data, both the Modbus ASCII and the Modbus RTU protocol variants are supported. Modbus ASCII uses ASCII message encoding with a longitudinal redundancy check (LRC). Each message begins with a ':' character and ends with a CRLF character sequence.

FIGURE 133 – Format of Modbus ASCII packet

Modbus RTU uses binary message encoding with a cyclic redundancy check (CRC). Each message begins with a silent interval of at least 3.5 character times and ends with a similar silent interval. This is shown in the figure below.


FIGURE 134 – Format of a Modbus RTU packet

The Modbus/TCP format strips the message framing and LRC/CRC from the normal Modbus packet and prepends a Modbus/TCP header consisting of a 2-byte Transaction ID (set by the client and echoed by the server), a 2-byte Protocol ID (always 0), and a 2-byte length. The device-address byte (now referred to as the unit identifier) and the function byte are preserved and are followed by a variable amount of data. This information is then delivered as the payload of a TCP/IP packet. The Modbus LRC/CRC is not included because it is redundant with the CRC provided by the link layer (that is, Ethernet).

FIGURE 135 – Format of a TCP Modbus packet
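The framing conversion described above, worked through in code. This is an added example and not MNS-DX code: it builds and checks Modbus RTU (CRC-16) and Modbus ASCII (LRC) frames, and converts between them and the Modbus/TCP form with its Transaction ID, Protocol ID and length header. The sample request (unit 1, function 0x03, read 10 holding registers from address 0) is constructed for the example; the silent intervals of RTU are wire timing and are not represented as bytes.

```python
from __future__ import annotations
import struct

# Constructed sample request (not from the guide): unit 1, function 0x03,
# read 10 holding registers starting at address 0.
SAMPLE_UNIT = 1
SAMPLE_PDU = bytes([0x03, 0x00, 0x00, 0x00, 0x0A])


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS (reflected poly 0xA001, init 0xFFFF) used by RTU framing."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def modbus_lrc(data: bytes) -> int:
    """LRC used by ASCII framing: two's complement of the byte sum, modulo 256."""
    return (-sum(data)) & 0xFF


def build_rtu(unit: int, pdu: bytes) -> bytes:
    """RTU frame = address + PDU + CRC, CRC sent low byte first."""
    body = bytes([unit]) + pdu
    return body + struct.pack("<H", modbus_crc16(body))


def parse_rtu(frame: bytes) -> tuple[int, bytes]:
    """Verify the CRC and split an RTU frame into (unit, pdu)."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if modbus_crc16(body) != crc:
        raise ValueError("RTU CRC mismatch")
    return body[0], body[1:]


def build_ascii(unit: int, pdu: bytes) -> bytes:
    """ASCII frame = ':' + hex(address + PDU + LRC) + CR LF."""
    body = bytes([unit]) + pdu
    return b":" + (body + bytes([modbus_lrc(body)])).hex().upper().encode("ascii") + b"\r\n"


def parse_ascii(frame: bytes) -> tuple[int, bytes]:
    """Check the ':' and CRLF delimiters and the LRC, return (unit, pdu)."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("ASCII frame delimiters missing")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, lrc = raw[:-1], raw[-1]
    if modbus_lrc(body) != lrc:
        raise ValueError("ASCII LRC mismatch")
    return body[0], body[1:]


def build_tcp(transaction_id: int, unit: int, pdu: bytes) -> bytes:
    """Modbus/TCP = Transaction ID, Protocol ID (0), length, unit id, PDU.
    The length field counts everything after itself: unit id plus PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit) + pdu


def parse_tcp(frame: bytes) -> tuple[int, int, bytes]:
    """Validate the Modbus/TCP header and return (transaction_id, unit, pdu)."""
    if len(frame) < 8:
        raise ValueError("Modbus/TCP frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("unexpected protocol id")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return tid, unit, frame[7:]


def serial_to_tcp(frame: bytes, variant: str, transaction_id: int) -> bytes:
    """Client side of the gateway: strip serial framing and checksum, keep the
    address and function bytes, prepend the Modbus/TCP header."""
    unit, pdu = parse_rtu(frame) if variant == "RTU" else parse_ascii(frame)
    return build_tcp(transaction_id, unit, pdu)


def tcp_to_serial(frame: bytes, variant: str) -> bytes:
    """Server side of the gateway: re-add serial framing and checksum."""
    _tid, unit, pdu = parse_tcp(frame)
    return build_rtu(unit, pdu) if variant == "RTU" else build_ascii(unit, pdu)


if __name__ == "__main__":
    rtu = build_rtu(SAMPLE_UNIT, SAMPLE_PDU)
    print("RTU       :", rtu.hex(" "))
    print("ASCII     :", build_ascii(SAMPLE_UNIT, SAMPLE_PDU))
    print("Modbus/TCP:", serial_to_tcp(rtu, "RTU", 1).hex(" "))
```

A frame whose CRC or LRC does not match is rejected before anything is forwarded, which is the only integrity check the serial side has; on the TCP side the length field is checked against the actual frame size so a truncated or padded message is not passed to the slave.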

Exception Handling

The Modbus/TCP client and server on Magnum DX can optionally generate and forward Modbus exception codes when certain communication or configuration failures occur. Specifically, the client will generate a GATEWAY PATH UNAVAILABLE exception message (exception code 0x0A) and pass it back to the master device if a remote address has not been configured for the destination device. The server will generate a similar message if a local device entry has not been configured for the destination device address. The message is sent to the client, which then forwards the exception to the Modbus master device.

In addition the server will generate a GATEWAY TARGET DEVICE FAILED TO RESPOND exception message (exception code 0x0B) when the destination device does not respond to a request within a user-configured interval. This message is sent to the client, which then forwards the exception to the Modbus master device.

TCP Connection Handling

When the Modbus/TCP client software receives a request from an attached serial Modbus master, it analyzes the packet and determines the destination device address. It checks to see if it already has an open TCP connection for the destination. If not, the client attempts to open a new TCP connection to the appropriate Modbus/TCP server. Once a connection is established the request message is sent and the client waits for a response. After the response is received it is forwarded back to the master.

After the transaction is complete, the TCP connection remains open in anticipation of a subsequent request. If another request is not made within the user-configured idle time the TCP connection is closed and will be re-opened when a new request is received. The client may also be configured so that it immediately makes a connection for a configured device and keeps that connection open indefinitely. This mode eliminates the latency associated with making the TCP connection for the initial request.

If a response is not received the Modbus/TCP client will time out after a user-configured interval. After a timeout, the TCP connection is closed to eliminate the possibility of receiving an unexpected late response. In addition the GATEWAY TARGET DEVICE FAILED TO RESPOND (exception code 0x0B) exception message is sent to the Modbus Master, which can then make the decision regarding whether or not to retry. If the client is configured to hold connections open indefinitely a new connection will be established with the remote server immediately following the timeout; otherwise, the client waits for the next Modbus request before re-opening the connection. The Modbus/TCP server process always listens for connections on TCP port 502.

TCP connection handling performed by Magnum DX complies with the implementation guidelines spelled out in Appendix A of the Open Modbus/TCP Specification.
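The client-side behaviour described in the Exception Handling and TCP Connection Handling sections, modelled as an added example (not the MNS-DX implementation): a device table maps unit addresses to remote servers, an unknown address yields exception 0x0A, a timeout yields exception 0x0B and closes the connection, an Idle Time of 0 means connect at start-up and reconnect immediately after a timeout, and the "Forward Gateway Exceptions" option decides whether an exception reaches the master. The TCP socket is replaced by a transport callback, the two remote IP addresses and the Response Time in seconds are constructed assumptions, and the echoed response is a minimal stand-in for a real slave's reply.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

GATEWAY_PATH_UNAVAILABLE = 0x0A          # no remote entry for the destination address
GATEWAY_TARGET_DEVICE_FAILED = 0x0B      # no reply within the configured Response Time


def exception_pdu(function: int, code: int) -> bytes:
    """Modbus exception response: function code with bit 7 set, then the exception code."""
    return bytes([function | 0x80, code])


@dataclass
class RemoteSlave:
    ip: str
    idle_time: float = 10.0        # seconds; 0 = connect at start-up and keep open
    response_time: float = 1.0     # seconds to wait for the remote server (assumed unit)


# Stand-in for the TCP connection: (ip, unit, pdu, timeout) -> response pdu,
# or raise TimeoutError when the remote does not answer in time.
Transport = Callable[[str, int, bytes, float], bytes]


class ModbusTcpClient:
    """Gateway client side: one serial master's requests forwarded to remote servers."""

    def __init__(self, remotes: dict[int, RemoteSlave], transport: Transport,
                 clock: Callable[[], float], forward_gateway_exceptions: bool = True):
        self.remotes = remotes
        self.transport = transport
        self.clock = clock
        self.forward = forward_gateway_exceptions
        self.open_connections: dict[int, float] = {}   # unit -> time of last use
        self.log: list[str] = []
        for unit, remote in remotes.items():
            if remote.idle_time == 0:                  # keep-open devices connect now
                self._open(unit)

    def _open(self, unit: int) -> None:
        self.open_connections[unit] = self.clock()
        self.log.append(f"open unit={unit} ip={self.remotes[unit].ip}")

    def _close(self, unit: int) -> None:
        self.open_connections.pop(unit, None)
        self.log.append(f"close unit={unit}")

    def expire_idle(self) -> list[int]:
        """Tear down connections idle longer than their Idle Time; return the units closed."""
        now = self.clock()
        closed = [u for u, last in self.open_connections.items()
                  if self.remotes[u].idle_time > 0 and now - last > self.remotes[u].idle_time]
        for unit in closed:
            self._close(unit)
        return closed

    def request(self, unit: int, pdu: bytes) -> bytes | None:
        """Forward one request from the serial master and return what goes back to it
        (None when an exception was generated but forwarding to the master is off)."""
        function = pdu[0]
        remote = self.remotes.get(unit)
        if remote is None:
            return self._to_master(exception_pdu(function, GATEWAY_PATH_UNAVAILABLE))
        if unit not in self.open_connections:
            self._open(unit)
        try:
            response = self.transport(remote.ip, unit, pdu, remote.response_time)
        except TimeoutError:
            # Close so a late reply can never be mistaken for the answer to a later
            # request; reconnect at once only for keep-open (Idle Time 0) devices.
            self._close(unit)
            if remote.idle_time == 0:
                self._open(unit)
            return self._to_master(exception_pdu(function, GATEWAY_TARGET_DEVICE_FAILED))
        self.open_connections[unit] = self.clock()
        return response

    def _to_master(self, pdu: bytes) -> bytes | None:
        return pdu if self.forward else None


def fake_transport(ip: str, unit: int, pdu: bytes, timeout: float) -> bytes:
    """Constructed remote servers: 192.0.2.10 answers, 192.0.2.20 never does."""
    if ip == "192.0.2.20":
        raise TimeoutError(f"no reply from {ip} within {timeout}s")
    # Minimal response to function 0x03: byte count 2, one register value 0x002A.
    return bytes([pdu[0], 0x02, 0x00, 0x2A])


def demo() -> list[bytes | None]:
    """Run the three situations the guide describes and return the master's view."""
    now = [0.0]
    client = ModbusTcpClient(
        {1: RemoteSlave("192.0.2.10", idle_time=10),
         2: RemoteSlave("192.0.2.20", idle_time=0, response_time=0.5)},
        fake_transport, clock=lambda: now[0])
    read = bytes([0x03, 0x00, 0x00, 0x00, 0x01])
    results = [client.request(1, read),   # normal response
               client.request(2, read),   # timeout -> exception 0x0B, reconnected
               client.request(9, read)]   # no remote entry -> exception 0x0A
    now[0] = 30.0
    client.expire_idle()                  # unit 1 idle > 10 s closes, unit 2 stays open
    return results


if __name__ == "__main__":
    for reply in demo():
        print(reply.hex() if reply else None)
```

Closing the connection on timeout is the detail worth noticing: with the Transaction ID echoed by the server, a stale reply on a reused connection could otherwise be matched to the wrong request, so the gateway gives up the connection rather than trust whatever arrives late.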

Configuring Modbus

To configure the Modbus network, define the Local Masters, Local Slaves and Remote Slaves. Make sure all the remote Magnum DX devices are reachable before configuring the Modbus network.

Configuring Local Masters

The Serial → Modbus → Local Masters screen configures the local serial Modbus masters that act as Modbus/TCP clients. Use this menu to define the directly connected Modbus master devices.


FIGURE 136 – Configuring Modbus Local Masters

The fields are defined as follows:

Port ID – Serial port number.
Protocol Variant – Specify a serial transmission mode. Valid options are:
• RTU – Messages are binary encoded with CRC and begin with a silent interval of 3.5 character times.
• ASCII – Messages are ASCII encoded with LRC and begin with a ':' character and end with a CRLF sequence.
Default value = RTU
Priority (DiffServ) – Each IP packet generated by this device will be assigned a DiffServ Code Point (DSCP) based on the priority set by the user. The factory-supplied priority profiles are:
• Default – Best Effort Service (DSCP 0). This is normal queuing.
• Expedited – Expedited Forwarding (DSCP 0x2E) (RFC 2598). This will also result in data from this port having a higher priority on WAN ports.
Custom priority profiles can be set using the DiffServ menus defined in the QoS chapter.
Forward Gateway Exceptions – Specify whether or not the attached master understands Modbus exception messages. In some cases Modbus devices do not support the exception function codes and will be confused by them if received. This option allows you to disable exception forwarding to the master device.
Delete – Click on the check box in the Delete column and then “Apply Settings” to delete the selection.


Configuring Local Slaves

The Serial → Modbus → Local Slaves screen configures the local serial Modbus slaves that will be accessible via the Modbus/TCP server. Use this screen to define the directly connected Modbus slave devices.

FIGURE 137 – Configuring Modbus local slaves

The fields are defined as follows:

Port ID – Serial port number.
Device Address – Modbus/TCP unique unit identifier assigned to the device. Valid range = 1 – 247.
Protocol Variant – Specify a serial transmission mode. Valid options are:
• RTU – Messages are binary encoded with CRC and begin with a silent interval of 3.5 character times.
• ASCII – Messages are ASCII encoded with LRC and begin with a ':' character and end with a CRLF sequence.
Default value = RTU
Priority (DiffServ) – Each IP packet generated by this device will be assigned a DiffServ Code Point (DSCP) based on the priority set by the user. The factory-supplied priority profiles are:
• Default – Best Effort Service (DSCP 0). This is normal queuing.
• Expedited – Expedited Forwarding (DSCP 0x2E) (RFC 2598). This will also result in data from this port having a higher priority on WAN ports.
Custom priority profiles can be set using the DiffServ menus defined in the QoS chapter.
Response Timer – The amount of time to wait for a response from this device before giving up and sending back a Modbus exception message. Valid range = 10 – 10000.
Forward Gateway Exceptions – Specify whether or not the attached master understands Modbus exception messages. In some cases Modbus devices do not support the exception function codes and will be confused by them if received. This option allows you to disable exception forwarding to the master device.
Delete – Click on the check box in the Delete column and then “Apply Settings” to delete the selection.

Configuring Remote Slaves

The Serial → Modbus → Remote Slaves screen configures the forwarding table used to map Modbus slave device addresses to remote IP addresses. Use this screen to add a mapping between a Modbus device address and the IP address of a remote Modbus/TCP server.

FIGURE 138 – Configuring Modbus remote slaves

The fields are defined as follows:

Port ID – Serial port number.
Remote IP Address – IP address of the remote DX device.
Idle Time (sec) – The TCP connection for this device is torn down if the idle time (time between messages) exceeds the value specified here. This parameter allows multiple successive requests to the same remote device to re-use a single TCP connection, thereby reducing latency. As a special case, if this value is set to 0, a TCP connection is immediately made to the remote (that is, the client does not wait for a request) and it is always kept open. This special mode eliminates the connection latency associated with the initial Modbus request. Default value = 10. Valid range = 1 – 604800.
Response Time – The client will wait this amount of time before giving up on a request. If the client times out, it closes down the current TCP connection for the remote device. Default value = 1000. Valid range = 10 – 10000.
Delete – Click on the check box in the Delete column and then “Apply Settings” to delete the selection.

Modbus active connections

The Serial → Modbus → Connections screen displays all the active Modbus connections. To clear the statistics or counters, click on “Clear Counters”. To terminate a connection, delete the connection as described below.

FIGURE 139 – Viewing active Modbus connections

The items displayed are:

Connection Mode – Indicates whether this connection was established in client or server mode.
Local Address – The IP address of the local Modbus/TCP client/server.
Local Port – The TCP port of the local Modbus/TCP client/server.
Remote Address – The IP address of the remote Modbus/TCP client/server.
Remote Port – The TCP port of the remote Modbus/TCP client/server.
Requests – The number of requests generated (if client) or number of requests received (if server).
Responses – The number of responses received (if client) or number of responses generated (if server).
Tx Octets – The total number of octets (bytes) transmitted on this connection.
Rx Octets – The total number of octets received on this connection.
Delete – Click on the check box in the Delete column and then “Apply Settings” to delete the selection.

Finally, do not forget to Save the changes made.


Chapter 13

13 – Wide Area Network (WAN)

Connecting TCP/IP networks over large distances

There are several options available in the Magnum DX family of routers for WAN connectivity. These include T1/E1 as well as DDS circuits. These circuits can be configured for Frame Relay as well.

DDS Circuits

A T1 circuit is a dedicated line that consists of 24 channels that can run at 56Kbps or 64Kbps for a total of up to 1.544Mbps. Most of us today are familiar with a T1 circuit (or an E1 circuit). A DDS circuit is a dedicated line that consists of only one channel that can run at either 56Kbps or 64Kbps. The term DDS is an acronym for either the transport method, Digital Data System, or the name of the AT&T service itself, Dataphone Digital Service. In either case, it describes a North American digital transmission method that was initially deployed in the mid-1970s. Up until 1984, when T1 facilities were tariffed, 56 Kbps DDS facilities were about the fastest digital systems commercially available. DDS facilities typically include rates of 2.4, 4.8, 9.6 and 56 Kbps.

Configuring DDS

If your DX device is supplied with a DDS interface the Wide Area Network → Port Settings screen will appear as shown below.

FIGURE 140 – Configuration screen for DDS circuit for WAN port


The screen enables you to give a name to the WAN port circuit. This could be the actual circuit number, for example DDS-147658A12, or simply a name that is easy to remember, such as WAN1. Other options include the circuit speed (normally 56K), clock source (usually Received), and the option to administratively enable the port.

The menu options are as follows:

Port ID – Determines the physical port being configured.
Port Name – The logical name assigned to the physical port defined by Port ID. The name can be a maximum of 16 characters long. By default the field is left blank.
Speed – The clocking rate. By default this is 56Kbps. 64Kbps is supported only if the clocking is provided externally.
Clock – Source of clocking. Default is set to “Received”, i.e. external clocking. For internal clocking, use “Local” as the setting.
Admin Status – By default the setting is “Disabled”, i.e. all transmit and receive functions are turned off. “Enabled” enables all transmit and receive functions.

Some options are available for use if the DDS circuit is part of a TDM network operated by the user rather than a "Carrier" leased circuit, or if the circuit is just a bare copper connection not terminated by any other equipment. When operating over a dedicated point-to-point link one unit is nominated as the "clock source" or "Local" and the other end "clock receive" or "Received". It does not matter which end is which, so long as one is "Local" and the other "Received".

DDS Port Status

After the DDS parameters are set, it is a good idea to check the status of the connection and see if there is any traffic flowing on the circuit. This is done using the Wide Area Network → Port Status screen as shown below.

FIGURE 141 – Port Status of WAN port

The fields are common, irrespective of the type of circuit (DDS or T1/E1) being configured. These are shown in the table below.


Table 11 – WAN Port Status

Name – Value
Port ID – Status of the physical port
Line State – Possible values for DDS:
• OK – The line has link and is functioning properly
• Rx Inactive – The receiver is inactive (possibly because it is being reset)
• Loss of Sig – The signal has been lost or the signal has dropped more than 6dB
• Excess BPVs – Excessive occurrence of invalid Bipolar Violation events
• Data Idle – Receiving Data Mode Idle
• Cm Idle – Receiving Control Mode Idle
• Out of Service – Receiving Out of Service code
• Out of Frame – An error has been reported in the framing pattern
• DSU Loopback – The line is in local DSU loopback. (Looping back what this interface is trying to transmit. Diagnostic only.)
• CSU Loopback – The line is in CSU loopback. (Looping back what is on the wire. Diagnostic only.)
Possible values for T1/E1:
• OK – The line has link and is functioning properly
• Carrier Loss – No signal received
• Blue Alarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm
• Loss of Sync – The line is not synchronized to the received data stream
• Yellow Alarm – Also known as a Remote Alarm Indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations
• Red Alarm – The incoming signal is corrupted (wrong frame type or errors in framing)
• Loop Up – The line is looping back received data
LMI State – Possible values for the Local Management Interface (LMI) state are:
• Disabled – The LMI has been disabled
• Down – The LMI is enabled but is down
• Up – The LMI has successfully established communication with its peer
• Suspend – The LMI has been suspended due to sequence number mismatches
• Resume – The LMI is resuming after being suspended. This is a transient state
Rx Packets – Number of packets received
Rx Octets – Number of bytes (octets) received
Tx Packets – Number of packets transmitted
Tx Octets – Number of bytes (octets) transmitted


Configuring T1/E1

If your DX device is supplied with a T1/E1 interface the Wide Area Network → Port Settings screen will appear as shown below.

FIGURE 142 – Configuring T1/E1 ports

The fields are as follows:

Port ID – Determines the physical port being configured.
Port Name – The logical name assigned to the physical port defined by Port ID. The name can be a maximum of 16 characters long. By default the field is left blank.
Timeslot Bandwidth – The data rate. By default this is 56Kbps. 64Kbps is also supported, usually used with E1 circuits.
Clock – Source of clocking. Default is set to “Received”, i.e. external clocking. For internal clocking, use “Local” as the setting. On most T1/E1 circuits, this has to be set depending on what the carrier provides. For a private line, one side is set to Received and the other to Local.
Admin Status – By default the setting is “Disabled”, i.e. all transmit and receive functions are turned off. “Enabled” enables all transmit and receive functions.
Mode – By default, this is set to T1, i.e. the WAN port will understand T1 framing sequences. For E1 circuits, set this to E1.
Time Slots – Specifies the time slots to use with the T1 or E1 circuit. For specific channels, use single slot numbers separated by commas or a range separated by a hyphen. Example: 1, 3, 5-8
Frame Types – Determines the frame type for this port. For T1 mode the following values may be selected:
• ESF – Extended Super Framing format, consisting of 24 consecutive 193 bit frames.
• D4 – A framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.
Default value = ESF
For E1 mode the following values may be selected:
• FAS – Frame Alignment Signaling.
• CAS – Channel Associated Signaling. A method that “robs” some bits of each frame to transmit synchronization information.
Line Codes – Determines the line code for this port. For T1 mode the following values may be selected:
• AMI – Alternate Mark Inversion line coding.
• B8ZS – Bipolar With 8 Zero Substitution line coding.
Default value = B8ZS
For E1 mode the following values may be selected:
• AMI – Alternate Mark Inversion line coding.
• HDB3 – High Density Bipolar 3 line coding.
Line Build Out – Compensates for the loss based on distance from the device to the first repeater in the circuit. A longer distance from the device to the repeater requires that the signal strength on the circuit be boosted to compensate for loss over that distance. This information is provided in decibels or in feet. Contact your service provider for details. Possible choices are:
• 0 to 133 – distance from 0 ft to 133 ft
• 133 to 266 – distance from 133+ ft to 266 ft
• 266 to 399 – distance from 266+ ft to 399 ft
• 399 to 533 – distance from 399+ ft to 533 ft
• 533 to 655 – distance from 533+ ft to 655 ft
• -7.5dB – a signal loss of 7.5dB
• -15dB – a signal loss of 15dB
• -22.5dB – a signal loss of 22.5dB

For T1/E1 circuits, the Frame Types and Line Codes are normally specified by the carrier.

T1/E1 Port Status

After the T1/E1 parameters are set, it is a good idea to check the status of the connection and see if there is any traffic flowing on the circuit. This is done using the WAN → Port Status screen as shown below.


FIGURE 143 – Port Status of WAN port

Most of the fields are common, irrespective of the type of circuit – DDS or T1/E1 being configured. These are shown in the table below.


Table 12 – WAN Port Status

Name – Value
Port ID – Status of the physical port
Line State – Possible values for DDS:
• OK – The line has link and is functioning properly
• Rx Inactive – The receiver is inactive (possibly because it is being reset)
• Loss of Sig – The signal has been lost or the signal has dropped more than 6dB
• Excess BPVs – Excessive occurrence of invalid Bipolar Violation events
• Data Idle – Receiving Data Mode Idle
• Cm Idle – Receiving Control Mode Idle
• Out of Service – Receiving Out of Service code
• Out of Frame – An error has been reported in the framing pattern
• DSU Loopback – The line is in local DSU loopback. (Looping back what this interface is trying to transmit. Diagnostic only.)
• CSU Loopback – The line is in CSU loopback. (Looping back what is on the wire. Diagnostic only.)
Possible values for T1/E1:
• OK – The line has link and is functioning properly
• Carrier Loss – No signal received
• Blue Alarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm
• Loss of Sync – The line is not synchronized to the received data stream
• Yellow Alarm – Also known as a Remote Alarm Indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations
• Red Alarm – The incoming signal is corrupted (wrong frame type or errors in framing)
• Loop Up – The line is looping back received data
LMI State – Possible values for the Local Management Interface (LMI) state are:
• Disabled – The LMI has been disabled
• Down – The LMI is enabled but is down
• Up – The LMI has successfully established communication with its peer
• Suspend – The LMI has been suspended due to sequence number mismatches
• Resume – The LMI is resuming after being suspended. This is a transient state
Rx Packets – Number of packets received
Rx Octets – Number of bytes (octets) received
Tx Packets – Number of packets transmitted
Tx Octets – Number of bytes (octets) transmitted
LMI Rx – The number of LMI packets received on this interface since the counter was reset or the device started
LMI Tx – The number of LMI packets transmitted on this interface since the counter was reset or the device started
TxDrops – The number of packets that could not be transmitted out of this interface due to resource limitations since the counter was last reset
CRCs – The number of packets received that had a CRC mismatch since the counter was last reset
Short – The number of short frames (frames smaller than 6 bytes) received since the counter was last reset
Long – The number of long frame errors (a frame over 1600 bytes) received since the counter was last reset
No Buffer – The number of times the interface ran out of buffers since the counter was last reset
Bad Address – The number of packets received that were destined for a non-configured DLCI since the counter was last reset

Configuring Frame Relay

Frame Relay can be provisioned on any MNS-DX device.

Frame Relay Background

Many DX products provide WAN port support. In provisioning a new WAN circuit it is helpful to make reference to the OSI 7 layer model. The sections that follow will guide you through the Frame Relay provisioning by configuring your DX device from the bottom up with respect to the OSI model:
• The Physical Layer – The software will automatically detect whether you have a DDS or a T1/E1 connection. You complete the physical layer configuration with the Wide Area Network → Port Settings menus as shown earlier in this chapter.
• The Data Link Layer – Use the Frame Relay Configuration screen, discussed in this section.
• Network, Transport, and other layers of the OSI model are addressed by configuring the respective functions such as routing.
This is shown in the figure below.


FIGURE 144 – OSI Layers and respective functions of T1/E1, DDS, Frame Relay and Frame Relay applications

LMI Protocol

Provisioning at the Frame Relay (OSI Data Link) layer is only required if you want to employ the Frame Relay standard Link Management Protocol (LMI) as part of the overall application or if you want to use end-to-end fragmentation. The Local Management Interface (LMI protocol) provides minimal management visibility into a Frame Relay connection between the DX device with a WAN port and the other end of a local connection. It adds a "ping" type function across the local connection, that is, an LMI status of "Up" confirms a local connection, and it also provides local information about available Frame Relay PVC circuits (DLCIs).

LMI Fragmentation Size

The Frame Relay standard supports data fragmentation so that circuits that share this Frame Relay interface can have more consistent end-to-end response times. This is especially important when you have applications that have different message sizes. The type of fragmentation configurable in the Wide Area Network → Frame Relay screen is the end-to-end fragmentation defined in FRF.12. The fragmentation size applies to all configured IP DLCIs (RFC 1490), but not to non-IP DLCIs (used for serial over Frame Relay). Supported fragment sizes range from 8 to 1600 bytes. The default is no fragmentation.

LMI Types

For historical reasons the "standardization" of this protocol has resulted in three variants or "Types." In North America the original version (designated "LMI") is the most common, although the ANSI standard is also used. The CCITT type is the more frequently used outside North America. You must know the specific LMI type in use for a specific application and select it from the dropdown menu in the LMI column of the Wide Area Network → Frame Relay menus. Carrier-provided Frame Relay services typically require use of the LMI protocol.


LMI Modes

The second part of the LMI protocol configuration is the specification of a Mode. The mode specification describes which peer-to-peer side of the protocol the DX device should use. The end point of the Frame Relay network is usually defined as the "User." In most cases this will be the DX device, but in configurations employing a private network or bare copper circuit the DX device may be designated "Network." As a rule of thumb: in a system using a carrier-provided Frame Relay service the DX should be selected as "User", and over a dedicated private wire system with two DX devices directly connected back-to-back select one end as "User" and the other end as "Network". The Network-to-Network (NNI) option will not be employed in any configuration considered in this document.

Configuring Frame Relay

To configure Frame Relay options, use the menus defined by Wide Area Network → Frame Relay as shown below.

FIGURE 145 – Configuring Frame Relay

The fields are as follows:

Port ID – Determines the physical port being configured.
Fragmentation Size – The maximum number of bytes in a Frame Relay fragment. The default, 1600, is the maximum transmission unit (MTU) setting, plus Frame Relay overhead, for the DLCI IP interfaces. Clearing this field turns off end-to-end fragmentation. If fragmentation is not enabled, the transmission of large IP packets on one Permanent Virtual Circuit (PVC) can obstruct traffic for other PVCs on the same line and significantly increase latency. MNS-DX supports end-to-end fragmentation only; that is, fragmentation is done at the packet’s point of origin on the PVC and reassembly is done at the packet’s termination point on the PVC, regardless of the number of links intervening.
LMI Type – Specify the Local Management Interface (LMI) type. The values may be selected from None, LMI, CCITT, ANSI. Default value = None. Note: many Cisco routers use the default setting of CCITT for LMI type when configured for Frame Relay services.
LMI Mode – Specify the Local Management Interface (LMI) mode. The values may be selected from User, Network, NNI (Network to Network Interface). Default value = User.

After Frame Relay is configured, it is a good idea to check the WAN Port Status as described earlier. The next step is to provision the Frame Relay applications.

Frame Relay Applications

Two commonly used applications over Frame Relay are:
1) IP applications (mainly routing).
2) Serial Tunnel over Frame Relay, where a serial port is dedicated to sending traffic over the Frame Relay network.

Configuring DLCI

To configure routing over Frame Relay networks, first specify the Data Link Connection Identifier (DLCI) settings. Once the DLCI settings are defined, define the IP address and routing parameters. To configure DLCI, use the Wide Area Network → DLCI Settings menu as shown below.

FIGURE 146 – Defining DLCI for Frame Relay Network


Add a new entry by specifying a DLCI in the range 1-1022 (this would normally match the circuit number given to you by a Service Provider or defined within your organization) and mark the IP box "Yes" for IP applications. Specify a CIR value.

A Committed Information Rate (CIR) is a "Leaky Bucket" mechanism that controls how much of the overall WAN bandwidth this DLCI is allowed to use. The CIR is expressed in bits per second. This is useful in making sure one or more DLCIs cannot starve other DLCIs sharing the same WAN interface. If this parameter is left blank then the CIR is defined as the bandwidth of the WAN port physical settings.
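The "leaky bucket" behind the CIR, as an added example rather than the MNS-DX implementation: tokens are bits credited at the CIR, a frame is admitted only if the bucket holds enough bits for it, and a blank CIR falls back to the port rate as the text says. The bucket depth (one second's worth of CIR) and the sample burst of 1600-byte frames (1600 being the guide's default fragmentation size) are constructed assumptions for the example.

```python
from __future__ import annotations
from typing import Callable


class DlciShaper:
    """Leaky-bucket policer for one DLCI: the bucket holds bits, refilled at the CIR.

    Assumption (not stated in the guide): the bucket holds at most one second's
    worth of CIR, so a DLCI can burst up to CIR bits before it is held back."""

    def __init__(self, cir_bps: float, clock: Callable[[], float]):
        self.cir_bps = cir_bps
        self.clock = clock
        self.tokens = cir_bps          # start with a full bucket
        self.last = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.cir_bps, self.tokens + (now - self.last) * self.cir_bps)
        self.last = now

    def admit(self, frame_bytes: int) -> bool:
        """True if the frame fits within the CIR right now, False if it must wait."""
        self._refill()
        bits = frame_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def effective_cir(port_bps: float, configured_cir: float | None) -> float:
    """A blank CIR field (None here) means the DLCI may use the whole port rate."""
    return port_bps if configured_cir is None else configured_cir


def simulate(cir_bps: float, arrivals: list[tuple[float, int]]) -> list[bool]:
    """Replay constructed (time_seconds, frame_bytes) arrivals through one shaper
    and return the admit decision for each frame."""
    now = [arrivals[0][0] if arrivals else 0.0]
    shaper = DlciShaper(cir_bps, clock=lambda: now[0])
    decisions = []
    for t, size in arrivals:
        now[0] = t
        decisions.append(shaper.admit(size))
    return decisions


if __name__ == "__main__":
    # Constructed burst on a 64 kbit/s CIR: six 1600-byte frames at t=0,
    # then three more half a second later.
    burst = [(0.0, 1600)] * 6 + [(0.5, 1600)] * 3
    print(simulate(effective_cir(1_544_000, 64_000), burst))
```

The sixth frame of the burst is held back because five 1600-byte frames already consumed the 64,000 bits the bucket held; half a second later only 32,000 bits have been credited, enough for two more frames. That is how one busy DLCI is kept from starving the others on the same WAN port.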

In the screen above, the menu items are as follows:

Port ID – Port identifier to indicate which port is being used.
DLCI – A number to uniquely identify the Data Link Connection Identifier. Valid range is from 1 to 1022.
CIR – Committed Information Rate in bits per second. If no value is specified, the bit rate is the bit rate of the port.
IP – Indicates whether or not this DLCI will carry IP traffic. If the DLCI carries IP traffic, it becomes an IP interface and must be assigned an IP address. Select “Yes” to make the DLCI an IP interface (RFC 1490). The IP address can be configured using the Routing → IP Address menus. Select “No” to specify that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI. Configure the port with the Serial Frame Relay menu.
EEK – A DLCI can be placed in one of five EEK modes:
• None – EEK is disabled.
• Bidirectional – The device sends EEK requests and also responds to received EEK requests.
• Request – The device only sends EEK requests. It does not respond to received EEK requests. Note: if one side is set to Request, the other end must be set to Reply.
• Reply – The device only replies to received EEK requests. It does not send EEK requests. Note: if one side is set to Reply, the other end must be set to Request.
• Passive-Reply – The device only responds to received EEK requests. It does not set any timers or keep track of any events.

As soon as the DLCI settings are defined, the next step is to check the DLCI status and then set the IP routing information for the DLCIs defined. The status is checked by going to the Wide Area Network  DLCI Status screen as shown below.

174 MAGNUM DX – MNS- DX ADMINISTRATOR GUIDE

FIGURE 147 – DLCI status screen

In the above screen,

Port ID  Port identifier to indicate which port is being used.
DLCI  A number to uniquely identify the Data Link Connection Identifier. Valid range is from 1 to 1022.
State  Shows the DLCI state as “Active” or “Passive”. In addition, the EEK state can be timed out (EEK TO) as shown above. A time out could happen due to a bad or dirty circuit (a circuit with errors) or a Frame Fragmentation size that is too large (set under the WAN  Frame Relay menu).
Rx Packets  Received packets.
Rx Octets  Received bytes or octets.
Tx Packets  Transmitted packets.
Tx Octets  Transmitted bytes or octets.
Tx Drops  Number of packets which could not be transmitted.

A properly configured DLCI network looks as follows:


FIGURE 148 – Properly configured DLCI network status

Configuring EEK

EEK implements a keep-alive mechanism that uses a simple request and response model. Either side or both sides can be configured to send EEK requests. When an EEK request is received, an EEK response is sent.

EEK settings are defined by the end-to-end keep alive parameters used in a circuit. Since EEK is a poll based mechanism (much like SNMP), the following information has to be defined:
1. Request Timer – The number of seconds to wait before sending the next EEK request.
2. Receive Timer – The number of seconds to wait for an EEK request before adding a receive error event to the EEK window.
3. Window – The size of a sliding window containing the total number of EEK events that will be examined to determine if an end-to-end path is up or down.
4. Errors – The number of error events in the EEK window that cause the path to be marked as down.
5. Successes – The number of consecutive successful events required to mark the path as up.
This is done using the WAN  EEK Settings menus as shown below.
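The following Python is an added example (not GarrettCom code) of how the five parameters above combine into an up/down decision, so that the trade-off between detection time and false alarms can be reasoned about before choosing values. The decision rules are taken literally from the parameter descriptions; starting in the down state and clearing the window when the path is marked up again are assumptions of the example, and the reply timeline is constructed:

```python
from collections import deque


class EekMonitor:
    """Sliding-window path monitor driven by the five EEK parameters.
    Down when 'errors' error events are present in the window; up again after
    'successes' consecutive successful events (window cleared on that transition)."""

    def __init__(self, request_timer, receive_timer, window, errors, successes):
        self.request_timer = request_timer      # seconds between EEK requests
        self.receive_timer = receive_timer      # seconds to wait for the reply
        self.window = deque(maxlen=window)      # sliding window of recent events
        self.errors = errors
        self.successes = successes
        self.consec_ok = 0
        self.up = False                         # assumed: path is down until proven up

    def record(self, ok):
        """Add one event (True = success, False = error) and return the path state."""
        self.window.append(ok)
        self.consec_ok = self.consec_ok + 1 if ok else 0
        if self.up and self.window.count(False) >= self.errors:
            self.up = False
        elif not self.up and self.consec_ok >= self.successes:
            self.up = True
            self.window.clear()
        return self.up


def poll(monitor, reply_delays):
    """One EEK request per request_timer. reply_delays holds the seconds until each
    reply arrived, or None if it never did; a reply later than receive_timer counts
    as a receive error event. Returns the path state after every event."""
    return [monitor.record(delay is not None and delay <= monitor.receive_timer)
            for delay in reply_delays]


def seconds_to_detect_down(states, request_timer):
    """Time from the path first being up to it first being marked down."""
    if True not in states:
        return None
    first_up = states.index(True)
    try:
        first_down = states.index(False, first_up)
    except ValueError:
        return None
    return (first_down - first_up) * request_timer


# Constructed timeline: three good replies, a lost reply, a late reply, another
# lost reply, then three good replies.
SAMPLE_DELAYS = [1, 1, 1, None, 9, None, 1, 1, 1]
```

With request timer 10 s, receive timer 5 s, window 5, errors 3 and successes 3, the path comes up after the third good reply, is marked down 30 seconds after the first lost reply, and needs three clean polls to recover; a smaller Errors value shortens detection but turns a single dirty-circuit error into a flap.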


FIGURE 149 – EEK settings

EEK Status

Once EEK is configured, its status is displayed under WAN  EEK Status as shown below.

FIGURE 150 – EEK status

In the above screen,

Port ID  Port identifier to indicate which port is being used.
DLCI  A number to uniquely identify the Data Link Connection Identifier (DLCI) defined earlier.
State  Shows the EEK state as up or down.
Total Send Events  Number of send requests.
Total Receive Events  Number of events received. Note: if the number of sent events is not the same as the number received, the poll back from the last event has not been received yet. The window timeout has to occur before the event counter is updated.
Send Error Event  Number of sent events which were in error.
Receive Error Event  Number of received events which were in error.
Consec Send Successes  Consecutive send events which were successfully sent.
Consec Receive Successes  Consecutive receive events which were successfully received.

Configuring DLCI based IP Routing

To configure routing on the DLCI interfaces defined earlier, use the Routing  IP Address menu to configure the IP addresses. Note – only the DLCIs defined with IP = “Yes” will appear on this screen.

FIGURE 151 – Setting the IP addresses on DLCIs defined earlier

Once the IP addresses are defined, use the Routing  Table screen to check if the IP subnet was added to the routing table entries of the DX device.

FIGURE 152 – Check to see if the IP segment defined for the DLCI appears in the routing table entries


The final step is to define the default gateway (next hop default gateway) information for the router and turn on the routing protocol (usually RIP).

To define a Static Route entry, use the Routing  Static Routes screen to define a default gateway. A default gateway is a static route where the route destination is defined as 0.0.0.0 and Mask 0.0.0.0, representing any IP address. The next hop is the IP address at the other end of the Frame Relay connection, for example 100.1.1.1 in the example above (not the local IP address, 100.1.1.2). Instead of defining a catch-all next hop gateway, specific entries for each IP segment can be added. With MNS-DX the user can specify as many specific entries as required in the Add Static Route form, applying settings after each entry. Check the Routing  Table screen to confirm that each new route is present. Static entries are shown as Management under the Protocol column. Dynamic entries are added as Local entries.
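To make concrete why a specific static entry takes precedence over the 0.0.0.0/0 catch-all, here is an added Python example (not the DX routing code) of a longest-prefix-match table labelled the way the Routing  Table screen labels its Protocol column. The 100.1.1.1 and 100.1.1.2 addresses are the ones from the guide's example; the /24 mask on that link and the 192.168.5.0/24 segment are constructed for the example:

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match table. Each entry carries the Protocol label
    the DX shows: Local (interface subnet), Management (static), RIP (learned)."""

    def __init__(self):
        self.entries = []

    def add(self, destination, mask, next_hop, protocol):
        net = ipaddress.IPv4Network(f"{destination}/{mask}", strict=False)
        self.entries.append((net, next_hop, protocol))

    def lookup(self, address):
        """Return (network, next_hop, protocol) of the most specific matching entry."""
        addr = ipaddress.IPv4Address(address)
        best = None
        for net, next_hop, protocol in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, protocol)   # more specific entry beats the catch-all
        return best


def example_table():
    """Table as it would look after the steps above (constructed values)."""
    t = RoutingTable()
    t.add("100.1.1.0", "255.255.255.0", None, "Local")                # the DLCI's own subnet
    t.add("0.0.0.0", "0.0.0.0", "100.1.1.1", "Management")            # default gateway: remote end
    t.add("192.168.5.0", "255.255.255.0", "100.1.1.1", "Management")  # one specific IP segment
    return t
```

A destination inside 192.168.5.0/24 is resolved by the /24 entry even though the default route also matches it, while anything not covered by a more specific entry falls through to the 0.0.0.0 route; an address on the link's own subnet is forwarded directly (Local) with no next hop.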

FIGURE 153 – Adding default gateway information for the router or for each IP segment

Finally, enable RIP on the DLCI interfaces. This is done using Routing  RIP  Global Settings menu.

RIP protocol has several MNS-DX settings, including:
• RIP – RIP version 1.
• RIP-II – RIP version 2 with subnet broadcast (uses the subnet broadcast address).
• RIP-II multi – RIP version 2 with multicast.
• RIP-II Local – RIP version 2 with local broadcast (uses the local broadcast address; sometimes this is needed for compatibility with older devices).

RIP is disabled by default.


FIGURE 154 – Setting the RIP settings

This screen also allows you to advertise or not advertise the presence of a default gateway within the RIP message and to change the generic RIP timers. After the Global Settings are defined, it is important to define the interfaces on which the RIP protocol is active. This is also covered in more detail in the chapter on RIP. To set the routing interfaces using RIP, use Routing  RIP  Interface Settings as shown below.

FIGURE 155 – Define the interfaces on which the RIP protocol is active

After enabling RIP, ensure that the routing information is populated. This may take a few minutes in some cases. To check the routing table entries use the menu Routing  Table as shown below.


FIGURE 156 – Verify the routing table is populated properly

Note that the RIP discovered routes are shown as “RIP” under the Protocol column. The “Local” entries are local interfaces on the device – these could be VLANs, DLCIs or local interfaces. “Management” entries are static routes on the router. After this configuration, devices should be able to access the IP services over a Frame Relay network. Do not forget to save the changes made.

Serial Tunnel Over Frame Relay

Using Frame Relay, one can map a serial port to allow asynchronous data streams from the local serial ports and encapsulate, or "tunnel," the stream through a Frame Relay (WAN) connection without the IP application.

To accomplish this, follow the two steps listed below:
1) Define the DLCI interfaces. This is described earlier in the section “Configuring DLCI”.
2) Map the serial port to the DLCI defined.

Mapping Serial Ports to DLCI

After configuring the DLCIs, the next step is to map these new DLCIs directly to serial ports using the Add New Channel form of the Serial  Frame Relay  Channel Settings screen as shown below. At least one non-IP DLCI must be defined for this setup.


FIGURE 157 – Adding “Channels” or mapping a DLCI setting to the serial port, allowing asynchronous traffic to tunnel through the Frame Relay circuit

To add a new channel:

1) Match a Serial Port ID with the appropriate DLCI Circuit ID.

2) Select Default or Expedited priority. The priority specification controls the queuing of frames from this port on this channel at the WAN port. Selections are:
a. Default – Frames from this channel are handled by the low priority queue at the WAN port. They will be forwarded only when there are no frames in the high priority queue.
b. Expedited – Frames from this channel are handled by the high priority queue at the WAN port. They will be forwarded before any frames in the low priority queue.

3) Set Payload Offset to Yes or No. This option formats Frame Relay messages with or without a 3-byte offset between the Frame Relay header and the data bytes. Choices are:
“Yes” – Include the 3-byte offset between the header and the data portion of the message.
“No” – Begin the data portion of each Frame Relay message immediately after the 2-byte Frame Relay header.
To interoperate with GarrettCom Dynastar DS products this value should be set to Yes.

Click on “Apply Settings” when done. After the channels are added, ensure that the Channel Status screen is checked for proper operation as shown below.


FIGURE 158 – Check the status to see if the mapping of serial ports to DLCIs is working properly

The items displayed are:
Port ID  Port identifier to indicate which port is being used.
Circuit ID  Circuits defined in the DLCI screen.
Tx Octets  Transmitted bytes or octets.
Rx Octets  Received bytes or octets.
Tx Drops  Number of packets which could not be transmitted.
Rx Drops  Number of packets which could not be received.

Finally after making the changes, save the settings.


Chapter 14

14 – Point to Point Protocol (PPP)

Point-to-point connections

Backup connections are established using asynchronous dial up modems. Asynchronous dial up modems provide the capability to connect to serial ports. Serial ports on the Magnum DX routers can leverage this with PPP to create a point-to-point connection.

PPP Overview

PPP stands for Point-to-Point Protocol, a data link protocol commonly used to establish a direct connection between two networking nodes. It can provide authentication, encryption, and compression. PPP is commonly used to act as a data link layer protocol for connection over synchronous and asynchronous circuits. PPP is used over many types of physical networks including serial cable, phone line, trunk line, cellular telephone, specialized radio links, or fiber optic links such as SONET. Most Internet service providers (ISPs) use PPP for customer dial-up access to the Internet.

Link Control Protocol (LCP) is an integral part of PPP. LCP provides automatic configuration of the interfaces at each end (such as setting datagram size, escaped characters, and magic numbers) and for selecting optional authentication. The LCP protocol runs on top of PPP and therefore a basic PPP connection has to be established before LCP is able to configure it.

PPP provides the following features:
Authentication – Peer routers exchange authentication messages. Two authentication choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Authentication is explained in the next section.
Compression – Increases the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. The protocol decompresses the frame at its destination.
Error detection – Identifies fault conditions. The Quality and Magic Number options help ensure a reliable, loop-free data link. The Magic Number field helps in detecting links that are in a looped-back condition. Until the Magic-Number Configuration Option has been successfully negotiated, the Magic-Number must be transmitted as zero. Magic numbers are generated randomly at each end of the connection.


Configuring PPP

The current DX implementation of PPP only supports passive operation as a remote access server. PPP clients can authenticate and connect to the DX over a phone line or serial link, but it is not possible at this time to connect a DX to another router over a PPP link.

To configure PPP the following steps need to be followed:
1) Define the Profiles, i.e. the attributes associated with each connection.
2) Associate the Profiles with the Serial ports. This associates the Profile attributes with the serial port or, in the case of DDS circuits, with a WAN port.
3) Check the connectivity and the statistics to ensure the connection is working properly.

PPP Profiles

A profile is a group of PPP parameters that can be applied to multiple PPP connections. There must always be at least one profile. An initial Default profile is supplied with the system’s factory defaults.

FIGURE 159 – Setting up PPP Profiles

The items shown in the screen above are:
Name  A name associated with the PPP profile. The name can be a maximum of 32 characters.
LCP Echo Interval (sec)  The frequency in seconds of LCP (Link Control Protocol) keep alive exchanges. More frequent exchanges reduce the time to detect a down link but use more bandwidth. Default value = 30 seconds. Valid range = 3 – 36000 seconds.
Authentication Type  Specify the type of authentication. Possible values are:
• None – Do not authenticate the client.
• CHAP – MD5 protected challenge/response.
• PAP – Username and password sent in the clear.
• CH/PAP – PAP or CHAP depending on the client’s preference.
Default value = CHAP.
Assign IP to client  If checked, the PPP process will use the Internet Protocol Control Protocol (IPCP) to assign an IP address to the remote PPP client. Default value = checked.
Use Hayes Modem  If checked, the serial port will attempt to initialize using the Hayes modem command set and answer incoming dial-in calls. Default value = checked.
Compress TCP Headers  If checked, PPP will attempt to negotiate Van Jacobson TCP header compression with the remote client. Default value = checked.
Modem Init String  A string of up to 31 printable characters. While the modem is in the "listening" state, this string is periodically sent to the modem over the serial port. Consult your modem documentation for the initialization string for the modem attached to the serial port.
Delete  Delete the profile settings by checking the box and clicking “Apply Settings” after that.

PPP Connections

A PPP Connection associates a serial port with the profile and allows definition of the username and password used to authenticate PPP connection requests.


FIGURE 160 – Setting up PPP Connections

The items shown in the screen above are:
Port ID  The serial port associated with the connection (and the profile). In the case of a DDS circuit, the WAN interface can also be used besides the serial ports.
Profile  The profile associated with the serial port.
Username  Specify a PAP or CHAP username. A device attempting a PAP or CHAP PPP connection to the DX on this port must use the username defined here.
Password  Specify a PAP or CHAP password. A device attempting a PAP or CHAP PPP connection to the DX on this port must use the password defined here.
Delete  Delete the connection settings by checking the box and clicking “Apply Settings” after that.

PPP Status

PPP Status shows the status of the PPP connections.


FIGURE 161 – Checking PPP status

The items shown in the screen above are:
Port ID  The serial port associated with the connection (and the profile).
Oper Status  The operational state of the connection. Possible values are:
• Down – The PPP connection has not yet been established.
• Up – The PPP connection has been established.
Modem Status  The status of the modem. Possible values are:
• Not Present – The user indicated that there is no modem connected to the serial port, or the modem initialization failed.
• Listening – The modem was successfully initialized.
• Answering – The modem is currently answering a call.
• Connected – The modem has successfully connected to the remote modem.
Uptime  Shows the uptime of the connection.
Disconnect  Force disconnect of the current session by checking the box and clicking “Apply Settings” after that.

PPP Statistics

PPP Statistics shows the PPP performance statistics.

FIGURE 162 – Checking PPP statistics

The items shown in the screen above are:
Port ID  The serial port associated with the connection.
Tx Frames  Number of frames transmitted since last reset or restart.
Tx Octets  Number of octets (bytes) transmitted since last reset or restart.
Rx Frames  Number of frames received since last reset or restart.
Rx Octets  Number of octets (bytes) received since last reset or restart.
Connect Count  The number of connections made to this PPP connection.
Auth Failures  The number of connections which failed due to an authentication problem.

Finally after making the changes, save the settings.


Chapter 15

15 – Quality of Service (QoS)

Prioritize traffic in a network

Quality of Service (QoS) refers to the capability of a network to provide different priorities to different types of traffic. Not all traffic in the network has the same priority. Being able to differentiate different types of traffic and allowing this traffic to accelerate through the network improves the overall performance of the network. It also provides the necessary quality of service demanded by different users and devices. The primary goal of QoS is to provide priority including dedicated bandwidth.

QoS Concepts

The Magnum DX routers support QoS as per the IEEE 802.1p and IEEE 802.1q standards. QoS is important in network environments where there are time-critical applications, such as voice transmission or video conferencing, which can be adversely affected by packet transfer delays or other latency in a network.

Most switches today implement buffers to queue incoming packets as well as outgoing packets. In a typical queue mechanism, the packet which comes in first leaves first (FIFO) and all the packets are serviced accordingly. Imagine if each packet had a priority assigned to it. If a packet with a higher priority were to arrive in a queue, the packet would be given precedence and moved to the front of the queue, going out as soon as possible. The packet thus preempts the queue, and this method is called preemptive queuing.

IEEE 802.1p defines and uses eight levels of priorities. The eight levels of priority are enumerated 0 to 7, with 0 the lowest priority and 7 the highest.

Magnum DX family of routers (except the Magnum DX40) supports four distinct priority queues for each Ethernet port. Note that the DX40 does NOT support priority queues. When a packet is received it is assigned one of four internal priority levels. It is then copied to some number of output ports (according to the switch's bridging rules) and placed in the queue that matches its priority level. The queuing discipline is implemented in hardware and is a fixed weighted fair queuing algorithm that services a certain number of packets from each queue and then moves on to the next queue. The weighting is 8-4-2-1, meaning that up to 8 priority-1 packets are sent, followed by up to 4 priority-2 packets, followed by up to 2 priority-3 packets, followed by a single priority-4 packet. In this way, low priority packets still have a chance (albeit at a lower rate) to egress the port when there is a heavy stream of higher priority traffic.
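The following Python is an added example (not the DX hardware scheduler) of the 8-4-2-1 weighted fair queuing pass described above, alongside a strict-priority scheduler for contrast, so the "low priority still egresses" property can be checked on a constructed load. Queues are passed highest-priority first; the numeric queue labels used elsewhere in this chapter are deliberately not used, so that ordering is the example's own convention:

```python
from collections import deque

WEIGHTS = (8, 4, 2, 1)   # packets served per pass, highest-priority queue first


def wfq_egress(queues):
    """queues: four lists, highest priority first. Returns the transmit order produced
    by serving up to WEIGHTS[i] packets from queue i before moving to the next."""
    if len(queues) != len(WEIGHTS):
        raise ValueError("expected one queue per weight")
    qs = [deque(q) for q in queues]
    order = []
    while any(qs):
        for q, weight in zip(qs, WEIGHTS):
            for _ in range(weight):          # take up to 'weight' packets, then move on
                if not q:
                    break
                order.append(q.popleft())
    return order


def strict_priority_egress(queues):
    """Contrast case: a saturated high queue starves every lower queue."""
    qs = [deque(q) for q in queues]
    order = []
    while any(qs):
        for q in qs:
            if q:
                order.append(q.popleft())
                break
    return order


def first_slot(order, tag):
    """Position at which the first packet carrying 'tag' leaves the port."""
    return order.index(tag) if tag in order else None


# Constructed load: a heavy stream in the top queue, nothing in the middle two,
# three packets waiting in the bottom queue.
SAMPLE_QUEUES = [["H"] * 10, [], [], ["L"] * 3]
```

Under 8-4-2-1 the first low-priority packet leaves in slot 8, after eight high-priority packets, and with all four queues saturated each pass of fifteen packets splits 8/4/2/1; under strict priority the low queue does not move until the high stream is exhausted.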

When tagged packets enter an Ethernet port, the Magnum DX device responds by placing the packet into one of the four queues, and depending on the precedence levels the queue could be rearranged to meet the QoS requirements.

The block diagram below depicts the QoS model used by Magnum DX products. Each block represents a process or function that operates on a packet. The behavior of some blocks is defined through user configuration, represented by text in an attached box with dashed lines.

[Block diagram (see the FIGURE 163 caption below), recovered from the extracted text. Blocks: DX Network Stack; DX Applications; Ethernet Rx-n; Classification; Priority Queue Controller with 8-4-2-1 Weighted Fair Queues (queues 4, 3, 2, 1); Ethernet Tx-n; DiffServ Tagging (optional); Map DiffServ Tag to 802.1p Tag (optional); Use DiffServ Tag to assign priority Q. Configuration annotations:
• Choose a DSCP to be applied to specific packet types or flows on the “QoS : IP Flows” page.
• Choose a default priority Q for each port on the “QoS : Ethernet Port” page. This priority is used when the packet contains no tag or when port-based priority is configured.
• Choose an 802.1p priority Tag value to apply to the Ethernet frame based on the packet’s DiffServ Tag on the “QoS : DiffServ” page.
• Choose a priority assignment method for each port on the “QoS : Ethernet Port” page: Use Default Priority (port-based priority), Use 802.1p Tag, Use DiffServ Tag, Prefer 802.1p Tag, Prefer DiffServ Tag.
• Define the mappings between tags and priority queues: 802.1p to priority queue (on the “QoS : 802.1p” page); DiffServ to priority queue (on the “QoS : DiffServ” page).]


FIGURE 163 – Block diagram showing the interaction of QoS and DiffServ prioritization

DiffServ and QoS

QoS refers to the level of preferential treatment a packet receives when it is being sent through a network. QoS allows time sensitive packets, such as voice and video, to be given priority over time insensitive packets such as data. Differentiated Services (DiffServ or DS) are a set of technologies defined by the IETF (Internet Engineering Task Force) to provide quality of service for traffic on IP networks.

DiffServ is designed for use at the edge of an Enterprise where corporate traffic enters the service provider environment. DiffServ is a layer-3 protocol and requires no specific layer-2 capability, allowing it to be used in the LAN, MAN, and WAN. DiffServ works by tagging each packet (at the originating device or an intermediate switch) for the requested level of service it requires across the network.

[Figure: packet layout DMAC | SMAC | Type | IP Header (ToS, Protocol) | Data | FCS; the ToS byte is shown as the Diffserv Code Points (DSCP) bits followed by Unused bits.]

FIGURE 164 – ToS and DSCP

DiffServ inserts a 6-bit DiffServ code point (DSCP) in the Type of Service (ToS) field of the IP header, as shown in the picture above. Information in the DSCP allows nodes to determine the Per Hop Behavior (PHB), which is an observable forwarding behavior for each packet. Per hop behaviors are defined according to:
• Resources required (e.g., bandwidth, buffer size)
• Priority (based on application or business requirements)
• Traffic characteristics (e.g., delay, jitter, packet loss)

Nodes implement PHBs through buffer management and packet scheduling mechanisms. This hop-by-hop allocation of resources is the basis by which DiffServ provides quality of service for different types of communications traffic.


DiffServ Marking

DiffServ markings may be applied to any packet that is generated by the DX (for example, terminal server traffic, routed traffic, etc.). This is accomplished through the use of configurable rules that map DiffServ code-points to particular packet types or flows. When an IP packet is sent from the stack (either due to IP forwarding or because the packet was sourced by the DX management process) it is compared with the configured filters. If a match is found, the code-point associated with that filter is applied to the packet. This code-point overrides any code-point that was applied by an application (for example, the DiffServ marking applied by the terminal server process).

DiffServ Processing

The system can optionally be configured to assign packets to priority queues based on their DiffServ marking. If a received packet has an unknown marking (i.e. one that is not explicitly configured and mapped to a priority), the packet is treated as if it were marked as Best Effort. The mapping of DiffServ markings to priority queues is configurable by the user. Packets generated by the DX are always assigned a priority based on their DiffServ marking. When an IP packet is generated by the DX, the DiffServ marking may optionally be used to map to an Ethernet priority. The mapping between DiffServ code-points and priorities is configurable by the user.

All Ethernet frames processed by the switch may optionally be assigned to a priority queue based on the frame's priority. Whether or not the priority is used for mapping, and the mapping of priorities to queues, is configurable by the user.

WAN ports

8-4-2-1 Weighted Fair Queuing (WFQ) is also implemented on each WAN port, and packets are classified based on their DiffServ marking (if IP over Frame Relay) or the configured channel priority (if Serial over Frame Relay) as shown in the figure below.


[WAN QoS block diagram (see the FIGURE 165 caption below), recovered from the extracted text. Blocks: DX Network Stack; DX Applications; Serial-to-Frame Application; DiffServ Tagging (optional); Queue Controller with 8-4-2-1 Weighted Fair Queues (queues 4, 3, 2, 1); WAN Tx-n; Use DiffServ Tag to assign priority Q. Configuration annotations:
• Choose a DSCP to be applied to specific packet types or flows on the “QoS : IP Flows” page.
• Choose a channel priority on the “Serial : Frame Relay : Channel Settings” page.]

FIGURE 165 – WAN QoS flow

WAN QoS is controlled by the combination of Differentiated Services (DiffServ - RFC 2474) information in IP packets being forwarded out of a frame relay port and the settings of the fragment size for the port and the CIR of the DLCI. The DiffServ value may be configured directly for a Terminal Server connection to any configured DiffServ code point. Factory default code points include Default ("Best Effort" forwarding) as well as Expedited Forwarding (EF), as per RFC 2598, which requires a Per Hop forwarding Behavior (PHB) that yields low-loss, low-latency, low-jitter, and assured bandwidth (given by the CIR). Packets marked EF will be queued for forwarding out the WAN port ahead of default packets. Also, large packets are fragmented according to the settings of the port. This ensures that EF packets do not have to wait for an entire large packet with some lower priority DiffServ value to finish transmission when it started before the EF packet was queued; they must wait only for a fragment of the other packet to be sent. Note that the network must be designed so that only EF packets will be forwarded on any DLCI where any EF packet is forwarded, since the fragmentation standard does not permit interleaving of fragments from different packets over the same DLCI.

Not all packets received on a port have high priority. IGMP and BPDU packets have high priority by default.


Configuring QoS

To configure QoS, use the QoS menus on MNS-DX. As with any network configuration, proper planning of the priority settings and traffic flows is important.

DiffServ Configuration

The configuration for DiffServ queues on MNS-DX is 8-4-2-1 weighted. The priority mapping applies to all IP packets transmitted by the system (regardless of whether they were generated by the DX, routed, or bridged). If a received packet has a DSCP marking that is not defined in this table the packet is treated as if its marking is Best Effort. The table is pre-configured with two profiles (one for Best Effort and one for Expedited per-hop behavior). Diffserv supplies QoS at layer 3 by using the IP type of service (TOS) header field.

To set the Diffserv settings, use the QoS  Diffserv menus as shown below.

FIGURE 166 – Configuring Diffserv settings

In the menu above, the fields are:
Name  A user-assigned name for a specific code point.
Code Point  The value of a 6-bit DiffServ Code Point. Valid values are 0-63. The higher the value, the higher the priority.
Priority  The queuing priority of a packet tagged with this DSCP. (The higher the priority value, the more urgent the priority.)


802.1p Marking  When an IP packet is generated by the DX it is assigned a DSCP (by default, Best Effort 0x00 is used). The packet may optionally be assigned an 802.1p priority based on the DSCP as specified by this field. This field can take the value 0-7 or the special value “None”, meaning that no mapping between DSCP and 802.1p priority is implemented and thus no 802.1p marking is made. This field has no effect when the IP packet being processed is not sent as an Ethernet frame. Note: the mapping is performed only for packets generated by the DX. Bridged packets retain whatever markings they had when they were received.
Delete  Delete the entry by checking the box and clicking “Apply Settings” after that.

802.1p configuration

The 802.1p standard supplies QoS at layer 2 by using the 3-bit user_priority header field. The 802.1p standard defines eight classes of service. The QoS  802.1p menus configure Ethernet frames marked with a specific 802.1p priority into the four available priority queues as shown below.

FIGURE 167 – Configuring 802.1p settings

In the menu above, the fields are:

Ingress 802.1p Tag  Tag value associated with the Ethernet packet.
Priority  The queuing priority assignments. The priority is assigned as follows:
• Priority 1 – 802.1p 0 and 1 (Lowest).
• Priority 2 – 802.1p 2 and 3.
• Priority 3 – 802.1p 4 and 5.
• Priority 4 – 802.1p 6 and 7 (Highest).


Ethernet Port configuration

This screen chooses how an Ethernet port assigns a priority to an incoming frame. It maps a Port ID to a default priority from one of the four available switch priority queues, and it also lets you specify whether incoming packets will be assigned that default priority or another priority, depending on the presence or absence of DiffServ or 802.1p information.

FIGURE 168 – Configuring Ethernet Port priority settings

In the menu above, the fields are:

Port ID  The physical Ethernet Port number.
Priority Assignment Rule  A rule for assigning the priority of packets that are received by the specified port:
• Default – Always use the Default Priority for the port (the default rule).
• DiffServ – Use the DSCP if it is present, otherwise use the Default Priority.
• 802.1p – Use the 802.1p tag if it is present, otherwise use the Default Priority.
Default Priority  The Default Priority for a port. See above for when the default priority is used. Default value = 3.
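The DSCP field layout, the 802.1p-to-queue table, the unknown-DSCP-is-Best-Effort rule and the per-port Priority Assignment Rule from the sections above fit together in one ingress classifier. The following Python is an added example of that classification (not the DX switch logic): it parses the 802.1Q tag and the IPv4 ToS byte from a raw frame and applies the port rule. The 802.1p table is the one printed above; the queue numbers given to the two factory DiffServ profiles (Best Effort and EF, code point 46) are assumptions, and the test frames are constructed:

```python
import struct

# From the QoS : 802.1p table: 802.1p 0/1 -> queue 1 (lowest) ... 6/7 -> queue 4 (highest)
DOT1P_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}

# QoS : DiffServ table. The guide ships Best Effort and Expedited Forwarding
# profiles; the queue numbers assigned to them here are this example's assumption.
BEST_EFFORT = 0x00
DSCP_TO_QUEUE = {BEST_EFFORT: 1, 0x2E: 4}   # 0x2E = EF code point 46


def parse_priority_fields(frame: bytes):
    """Return (pcp, dscp); each is None when its header is absent from the frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, pcp = 14, None
    if ethertype == 0x8100:                                  # 802.1Q tag present
        (tci,) = struct.unpack("!H", frame[14:16])
        pcp = tci >> 13                                      # top 3 bits = user_priority
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    dscp = None
    if ethertype == 0x0800 and len(frame) >= offset + 20:   # IPv4 header follows
        dscp = frame[offset + 1] >> 2                        # DSCP = top 6 bits of ToS byte
    return pcp, dscp


def assign_queue(frame: bytes, rule: str, default_priority: int = 3) -> int:
    """Apply the port's Priority Assignment Rule: "Default", "DiffServ" or "802.1p"."""
    pcp, dscp = parse_priority_fields(frame)
    if rule == "802.1p" and pcp is not None:
        return DOT1P_TO_QUEUE[pcp]
    if rule == "DiffServ" and dscp is not None:
        # an unknown code point is treated as Best Effort, as the guide states
        return DSCP_TO_QUEUE.get(dscp, DSCP_TO_QUEUE[BEST_EFFORT])
    return default_priority                                  # "Default", or header absent


def build_frame(pcp=None, dscp=None) -> bytes:
    """Construct a minimal test frame (constructed MACs, VLAN 10, zeroed IPv4 fields)."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is not None:
        frame += struct.pack("!HH", 0x8100, (pcp << 13) | 10)
    if dscp is None:
        return frame + struct.pack("!H", 0x0806) + bytes(28)        # ARP body, no ToS byte
    ip_header = bytes([0x45, dscp << 2]) + struct.pack("!H", 40) + bytes(16)
    return frame + struct.pack("!H", 0x0800) + ip_header + bytes(20)
```

Note what the DiffServ and 802.1p rules imply for trust: the port honours whatever marking arrives, so any host on that segment can put its own traffic into the highest queue simply by tagging it; the Default (port-based) rule is the one to use on ports whose attached devices are not trusted to mark honestly.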

IP Flow configuration

To assign differing priorities to different types of IP traffic, use IP flows to configure the priorities. A unique flow is defined by its source address, its destination address, and its protocol type. When a packet is sent by the DX, its header fields are checked against the defined flows. If a match is found, the specified DiffServ marking is applied. This marking overrides any markings created by specific applications such as the terminal server. The configuration menu is shown below and is accessed by QoS  IP Flows.


FIGURE 169 – Configuring priority for IP traffic flows

This screen defines Source  Destination traffic flows by IP address and protocol type, together with the prioritization associated with the traffic. A blank field acts as a wildcard, so all traffic matches that field.

The menus associated are:
Source Address  The source address of IP packets in the flow. If this field is blank it acts as a wildcard, that is, any source address is accepted.
Source Mask  Netmask to define the IP address range for the Source Address. If this field is blank and the source address field is not blank, then only one source address matches the flow.
Destination Address  The destination address of IP packets in the flow. If this field is blank it acts as a wildcard, that is, any destination address is accepted.
Destination Mask  Netmask to define the IP address range for the Destination Address. If this field is blank and the destination address field is not blank, then only one destination address matches the flow.
Protocol/  This parameter takes one of the following values, which determine the meaning of the TCP or UDP Ports or ICMP Types field:
• TCP/dest. – TCP destination ports in the flow.
• TCP/source – TCP source ports in the flow.
• UDP/dest. – UDP destination ports in the flow.
• UDP/source – UDP source ports in the flow.
• ICMP/type – ICMP types in the flow.
• IPsec-ESP – IPsec ESP packets (IP protocol 50) in the flow.
• IPsec-AH – IPsec AH packets (IP protocol 51) in the flow.
• OSPF – OSPF traffic in the flow (requires MNS-DX-ADVAR).
• VRRP – VRRP traffic in the flow.

198 MAGNUM DX – MNS- DX ADMINISTRATOR GUIDE

TCP or UDP Ports or ICMP Types  The port numbers or traffic flow types. If left blank the port number is ignored. DiffServ  The DiffServ code point defined earlier. Delete  Delete the connection settings by checking the box and “Apply Settings” after that.

Finally do not forget to save the configuration after the changes have been made.
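The following is an added example, not MNS-DX code, showing how a flow table of the kind entered in the QoS > IP Flows menu classifies packets. The field names follow the menu; the Packet class, the protocol-number table and the sample flows are constructed for the example. One assumption is made that the guide does not state: when more than one flow matches, the first one wins.

```python
"""Flow classification as done by an IP Flow table (QoS > IP Flows).

Added example, not MNS-DX code. Field names follow the menu; the Packet
class, the protocol-number table and the sample flows are constructed here.
Assumption: the first matching flow wins (the guide does not state the
tie-break rule)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IP protocol numbers behind each Protocol menu value
PROTO_NUM = {'TCP/dest': 6, 'TCP/source': 6, 'UDP/dest': 17, 'UDP/source': 17,
             'ICMP/type': 1, 'IPsec-ESP': 50, 'IPsec-AH': 51, 'OSPF': 89, 'VRRP': 112}


@dataclass
class Flow:
    src_addr: Optional[str] = None      # blank = any source
    src_mask: Optional[str] = None      # blank with src_addr set = that one host
    dst_addr: Optional[str] = None      # blank = any destination
    dst_mask: Optional[str] = None
    proto: Optional[str] = None         # a PROTO_NUM key, or blank = any protocol
    ports: Tuple[int, ...] = ()         # ports or ICMP types; blank = ignored
    dscp: int = 0                       # DiffServ code point to apply


@dataclass
class Packet:
    src: str
    dst: str
    ip_proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    dscp: int = 0                       # marking the packet already carries


def addr_matches(addr, mask, value):
    if addr is None:
        return True                                     # wildcard
    net = ipaddress.IPv4Network((addr, mask or '255.255.255.255'), strict=False)
    return ipaddress.IPv4Address(value) in net


def proto_matches(flow, pkt):
    if flow.proto is None:
        return True
    if pkt.ip_proto != PROTO_NUM[flow.proto]:
        return False
    if not flow.ports:
        return True                                     # port field blank = ignored
    if flow.proto.endswith('/dest'):
        return pkt.dport in flow.ports
    if flow.proto.endswith('/source'):
        return pkt.sport in flow.ports
    if flow.proto == 'ICMP/type':
        return pkt.icmp_type in flow.ports
    return True                                         # ESP/AH/OSPF/VRRP have no ports


def classify(flows, pkt):
    """Return the DSCP the DX would send the packet with: the first matching
    flow's code point, else the marking the packet already had."""
    for flow in flows:
        if (addr_matches(flow.src_addr, flow.src_mask, pkt.src)
                and addr_matches(flow.dst_addr, flow.dst_mask, pkt.dst)
                and proto_matches(flow, pkt)):
            return flow.dscp
    return pkt.dscp


# Constructed flow table: Modbus/TCP to the PLC subnet gets EF (46), all
# traffic from one host gets AF31 (26), OSPF gets CS6 (48); everything else
# keeps the marking it arrived with.
FLOWS = [
    Flow(dst_addr='10.1.1.0', dst_mask='255.255.255.0', proto='TCP/dest', ports=(502,), dscp=46),
    Flow(src_addr='10.2.2.7', dscp=26),
    Flow(proto='OSPF', dscp=48),
]
```

Note that a flow with a blank Source Mask but a set Source Address matches a single host, while a flow with both blank matches everything; when writing the table, put the most specific flows first.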


Chapter 16

16 – RIP Routing

Routing traffic in a network

Routing is a critical service in a TCP/IP network. Routing is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network, electronic data networks such as the Internet, and transportation networks. Routing is a Layer 3 function in the seven layer OSI model.

Routing Concepts
The Magnum DX routers support several routing protocols. The Routing Information Protocol (RIP), described in the next section, is a distance-vector interior gateway protocol (IGP) suited to small and medium networks. Open Shortest Path First (OSPF), a link-state IGP included in MNS-DX-ADVAR, is usually deployed to overcome the limitations of RIP, and many large organizations use OSPF instead of RIP. Border Gateway Protocol (BGP) is commonly used by ISPs as well as large organizations to manage routing across their wide area network links. BGP is also included in MNS-DX-ADVAR.

Routing Information Protocol (RIP) The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. As such it is classified as an interior gateway protocol (IGP). It uses the distance-vector routing algorithm. It was first defined in RFC 1058 (1988). The protocol has since been extended several times, resulting in RIP Version 2 (RFC 2453). Both versions are still in use today.


RIP – a brief history
The Bellman-Ford routing algorithm was the basis for RIP and was first deployed in 1967 as the initial routing algorithm of the ARPANET.

The earliest version of the specific protocol that became RIP was the Gateway Information Protocol, part of the PARC Universal Packet internetworking protocol suite, developed at Xerox PARC. A later version, named the Routing Information Protocol, was part of Xerox Network Systems (XNS) and included in the XNS protocol suites.

A version of RIP which supported the Internet Protocol (IP) was later included in the Berkeley Software Distribution (BSD) of the Unix operating system. It was known as the routing daemon (routed). Many other variants and modifications appeared in the various implementations of Unix and Linux; RFC 1058 unified them under a single standard.

RIP technical overview
RIP is a distance-vector routing protocol which uses hop count as its routing metric. A distance-vector protocol requires that a router inform its neighbors of its routes periodically and, in some cases, as soon as a change in the topology is detected. RIP bounds the count-to-infinity problem caused by routing loops by limiting the number of hops allowed in a path from source to destination: the maximum hop count is 15, which also limits the size of the networks RIP can support. A hop count of 16 is treated as an infinite distance and is used to flush inaccessible, inoperable or otherwise undesirable routes from the route tables.

RIP implements split horizon, route poisoning and hold-down mechanisms to prevent incorrect routing information from being propagated; these are its main stability features. The RIP-MTI algorithm can also be used to cope with the count-to-infinity problem; with it, every possible loop can be detected with very little computation.

Originally each RIP router was designed to transmit full updates every 30 seconds. In the early deployments, routing tables were small enough that the traffic was not significant. However, as networks grew in size, it became evident there could be a massive traffic burst every 30 seconds, even if the routers had been initialized at random times. It was thought that, as a result of random initialization, the routing updates would spread out in time, but this was not true in practice. Sally Floyd and Van Jacobson showed in 1994 that without slight randomization of the update timer, the timers synchronized over time. In most large environments RIP interoperates with other distance-vector protocols such as EIGRP, or with link-state protocols such as OSPF or IS-IS. RIP is easy to use and configure, is still included in most Linux systems, and is relatively well understood. RIP uses UDP as its transport protocol and is assigned the reserved port number 520.
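The distance-vector behaviour described above, as an added example that is not MNS-DX code: the hop-count rule with 16 as infinity, split horizon with poisoned reverse when building an update, and the expire/flush timers that the Global Settings screen later exposes as Expire Time (180 s) and Flush Time (120 s). Time is an integer passed in by the caller so the example runs offline; the prefixes and neighbor names are constructed.

```python
"""Distance-vector route maintenance as RIP does it.

Added example, not MNS-DX code. Shows the hop-count rule with 16 as
infinity, split horizon with poisoned reverse, and the Expire/Flush timers
described under Setting RIP Parameters (defaults 180 s and 120 s). Time is
an integer supplied by the caller so the example runs offline; prefixes and
neighbor names are constructed."""
INFINITY = 16


class RipRoute:
    def __init__(self, next_hop, metric, now):
        self.next_hop = next_hop
        self.metric = metric
        self.last_update = now
        self.expired_at = None          # set when the expire timer fires


class RipTable:
    def __init__(self, expire=180, flush=120):
        self.routes = {}                # prefix -> RipRoute
        self.expire = expire
        self.flush = flush

    def receive(self, neighbor, entries, now):
        """Process an update: entries = {prefix: metric as advertised}.
        Nothing here checks who sent the update; with RIPv1 (no
        authentication) any host on the segment can feed this function."""
        for prefix, advertised in entries.items():
            metric = min(advertised + 1, INFINITY)      # one more hop to get there
            cur = self.routes.get(prefix)
            if cur is None:
                if metric < INFINITY:
                    self.routes[prefix] = RipRoute(neighbor, metric, now)
            elif cur.next_hop == neighbor:
                # our current next hop speaks: accept even a worse metric
                cur.metric = metric
                cur.last_update = now
                cur.expired_at = None if metric < INFINITY else now
            elif metric < cur.metric:
                self.routes[prefix] = RipRoute(neighbor, metric, now)

    def tick(self, now):
        """Run the timers. An expired route is kept (and advertised as
        unreachable) for the flush time, then deleted."""
        for prefix, r in list(self.routes.items()):
            if r.expired_at is None and now - r.last_update >= self.expire:
                r.metric = INFINITY
                r.expired_at = now
            elif r.expired_at is not None and now - r.expired_at >= self.flush:
                del self.routes[prefix]

    def advertise(self, to_neighbor, connected):
        """Update sent to one neighbor: connected subnets at metric 1, learned
        routes at their metric, and routes learned FROM that neighbor poisoned
        to 16 (split horizon with poisoned reverse)."""
        update = {prefix: 1 for prefix in connected}
        for prefix, r in self.routes.items():
            update[prefix] = INFINITY if r.next_hop == to_neighbor else r.metric
        return update
```

The point to take from receive() is that the table believes every update it hears. That is acceptable on a closed segment, and is why the interface Passive setting and RIPv2 authentication matter on any segment that carries other hosts.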


RIP Version 1
The original specification of RIP is defined in RFC 1058. Its periodic routing updates do not carry subnet information, so it lacks support for variable length subnet masks (VLSM). This makes it impossible to have different-sized subnets inside the same network class; all subnets in a network class must be the same size. There is also no router authentication of any kind, so any host on an attached segment can send updates that the router will accept and thereby inject bogus routes; RIPv1 should only be run on segments where every host is trusted. RIP version 1 supports at most 15 hops (metrics 1-15). If a destination is more than 15 hops away its metric becomes 16, the distance is considered infinite, and the route is removed from the route tables.

RIP Version 2
Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and standardized in 1998. It includes the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility the hop count limit of 15 remained. RIPv2 has facilities to fully interoperate with RIP version 1, and a compatibility switch allows fine-grained interoperability adjustments. To avoid unnecessary load on hosts that do not participate in routing, RIPv2 multicasts the entire routing table to all adjacent routers at the address 224.0.0.9, whereas RIPv1 uses broadcast. Unicast addressing is still allowed for special applications. MD5 authentication for RIP was introduced in 1997 (RFC 2082); the basic RIPv2 specification (RFC 1723) only provided a cleartext password. RIPv2 is Internet Standard STD-56. Route tags were also added in RIP version 2; they allow internal routes to be distinguished from external routes redistributed from an EGP.

Configuring RIP
To configure RIP, do the following:
1) Determine the interfaces which need to participate in routing. This includes WAN interfaces, LAN interfaces as well as VLAN interfaces. Set the IP addresses for these interfaces.
2) Determine which interfaces need to actively send routes to other routers and which should be passive listeners for updates. This depends on the network architecture.
3) Add static routes, e.g. the default gateway: usually the router on the outside which can resolve routing issues.
4) Configure the RIP options.
5) Validate that the routing setup is working properly by viewing the routing tables.

Setting IP address
Setting the IP addresses of the interfaces is described earlier, in the sections on WAN and Frame Relay, Configuring the Magnum DX device, and VLANs.

For clarity, the menu where the IP addresses are defined on the interfaces is repeated below. The VLAN and DLCI interfaces are also shown.


FIGURE 170 – Setting IP addresses on the different interfaces

Setting Static Routes
Static routes let a router reach subnets that no routing protocol advertises (subnets “hidden” from general view), and define a default route, i.e. a router of last resort: when no route to a destination network is known, the packet is sent to this router. In the example below the default route is defined with the destination IP address 0.0.0.0 (any) and netmask 0.0.0.0. To configure it use the Routing > Static Routes menu.

FIGURE 171 – Setting static route including default route


Once the static routes are defined, verify that the next-hop routers can be reached using the ping utility.

Setting RIP Parameters
To set the RIP parameters, use Routing > RIP > Global Settings. This is shown below.

FIGURE 172 – Setting RIP parameters
The different parameters available are:
Mode – This parameter can take one of the following values:
• Disabled.
• RIP – RIP version 1.
• RIP-II – RIP version 2 with subnet broadcast (uses the subnet broadcast address).
• RIP-II multi – RIP version 2 with multicast.
• RIP-II local – RIP version 2 with local broadcast (uses the local broadcast address 255.255.255.255; this is sometimes needed for compatibility with older devices).
Default value = Disabled.
RIP-1 Compatible – You can specify one of two values for this parameter:
• No – RIP routes with CIDR masks will be propagated and learned as per RIP-2.
• Yes – enforces the restrictions necessary for RIP-1 and RIP-2 routers to operate correctly in the same network, as described in section 3.2 of RFC 1058 and section 3.3 of RFC 1723. Routes to portions of a logical network (including host routes) will be limited to routers within that network. Updates sent outside that network will only include a single entry representing the entire network; that entry subsumes all subnets and host-specific routes. If supernets are used, the entry will advertise the largest class-based portion of the supernet reachable through the connected interface.
Default (and recommended) value = No.
Gateway – If this parameter is set to Yes the router advertises itself as a default gateway. Default value = No.
Import OSPF Routes – Specify whether or not OSPF routes are redistributed by this router into the RIP network.
• No – OSPF routes are not redistributed into the RIP network by this router.
• Yes – OSPF routes are redistributed into the RIP network by this router.
Default value = No.
Default OSPF Route Metric – A fixed hop count used for all OSPF routes imported into the RIP routing domain. Default value = 1. Valid range = 1 - 15.
Import BGP Routes – Specify whether or not BGP routes are redistributed by this router into the RIP network.
• No – BGP routes are not redistributed into the RIP network by this router.
• Yes – BGP routes are redistributed into the RIP network by this router.
Default value = No.
Default BGP Route Metric – A fixed hop count used for all BGP routes imported into the RIP routing domain. Default value = 1. Valid range = 1 - 15.
Expire Time (secs) – The number of seconds that may pass without an update before a route is invalidated. An invalidated route is not used, but it is not deleted immediately; it is retained for the length of time specified by the Flush Time parameter. If confirmation of the route arrives before the flush timer expires, the route is marked valid again. Valid range = 1 - 600 seconds. Default value = 180 seconds.
Flush Time (secs) – The number of additional seconds to wait after a route expires before that route is deleted entirely from the routing table. Valid range = 1 - 600 seconds. Default value = 120 seconds.
Administrative Distance – Administrative distance is the measure used to select the best path when two or more routing protocols offer a route to the same destination. It expresses how trustworthy a routing protocol is considered: each protocol is ranked from most to least believable by an administrative distance value, and the lower number is preferred. For example, an OSPF route with an administrative distance of 110 is chosen over a RIP route with an administrative distance of 120. RIP has a default value of 120 (the same as the default in MNS-DX). An administrative distance of 255 marks a route as untrusted; such a route is ignored and deleted.


Once the global parameters are set, the next step is to set up which interfaces participate in RIP routing and whether they are passive, i.e. listen for routing updates only, or active, i.e. exchange routing information with other routers.

FIGURE 173 – Setting RIP interfaces
The different parameters available are:
IP Interfaces – Lists all interfaces with an IP addressable subnet. This includes VLANs, Ethernet interfaces, WAN circuits etc.
Enabled? – Sets whether the interface participates in RIP routing.
Passive? – Sets whether the interface only listens for route information. “Yes” sets a listen-only mode: updates are accepted but none are sent. “No” means the interface both sends and receives routing information. When in doubt leave Passive set to “Yes” (the default). Note that a passive interface still accepts whatever routes it hears; on an interface facing a network you do not control, leave RIP disabled on that interface rather than merely passive.

Validating Routing Setup
Once the routing parameters are set up, make sure the routing function is working properly by reviewing the routing tables in the MNS-DX device. To view the routing table entries, use the menu Routing > Table as shown below.


FIGURE 174 – Routing Table entries
The information provided by the table is as follows:
Route Destination – The destination IP address for this IP route. Note: the route destination 127.0.0.1 is the localhost address, that is, the loopback interface of the DX device currently being used. It is included in the routing table for internal purposes.
Route Mask – Along with Route Destination determines the subnet being routed.
Next Hop – The IP address of the next-hop router for this destination.
Administrative Distance – The administrative distance of the protocol the route was learned from. A distance of “0” indicates the destination is local to the router.
Metric – Hop count or cost used as a metric. Its meaning depends on the protocol: for RIP the metric is the number of hops to the destination; for OSPF and BGP it is an administratively configured cost to the destination.
Age – Age of the route in seconds.
Type – Specifies the source of the route. This may take the following values:
• BGP – A route learned by the BGP routing protocol.
• Management – A static route.
• Local – A route to a directly connected subnet.
• OSPF – A route learned by the OSPF routing protocol.
• RIP – A route learned by the RIP routing protocol.
• VPN – A route to a private network associated with a VPN tunnel.
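How the entries in a table like this are chosen for a given destination, as an added example that is not MNS-DX code: longest prefix match first, then, when several protocols offer the same prefix, the lowest administrative distance, then the lowest metric. The administrative distances for Local (0), OSPF (110) and RIP (120) are the ones stated in this guide; the value used here for Management (static) routes, 1, is an assumption, and all sample routes are constructed.

```python
"""Route selection as seen in the Routing > Table screen.

Added example, not MNS-DX code. A destination is matched by longest prefix;
when several protocols offer the same prefix the lowest administrative
distance wins and the metric breaks ties. AD values for Local (0), OSPF (110)
and RIP (120) are the ones the guide gives; the value for Management (static)
routes, 1, is an assumption, and all sample routes are constructed."""
import ipaddress

DEFAULT_AD = {'Local': 0, 'Management': 1, 'OSPF': 110, 'RIP': 120}


class Route:
    def __init__(self, dest, mask, next_hop, rtype, metric=0, ad=None):
        self.network = ipaddress.IPv4Network((dest, mask))
        self.next_hop = next_hop
        self.type = rtype
        self.metric = metric
        self.ad = DEFAULT_AD[rtype] if ad is None else ad


def build_table(candidates):
    """Install one route per prefix: lowest AD, then lowest metric.
    AD 255 marks an untrusted route and is never installed."""
    best = {}
    for r in candidates:
        if r.ad >= 255:
            continue
        cur = best.get(r.network)
        if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
            best[r.network] = r
    # longest prefix first so lookup() can stop at the first hit
    return sorted(best.values(), key=lambda r: r.network.prefixlen, reverse=True)


def lookup(table, dst):
    """Longest-prefix match. 0.0.0.0/0, the router of last resort set under
    Static Routes, matches anything nothing more specific covers."""
    addr = ipaddress.IPv4Address(dst)
    for r in table:
        if addr in r.network:
            return r
    return None


# Constructed candidates: the same /16 offered by RIP and OSPF, a more
# specific /24 from RIP, an untrusted (AD 255) route and a default route.
CANDIDATES = [
    Route('10.1.1.0', '255.255.255.0', '0.0.0.0', 'Local'),
    Route('10.2.0.0', '255.255.0.0', '10.1.1.2', 'RIP', metric=3),
    Route('10.2.0.0', '255.255.0.0', '10.1.1.3', 'OSPF', metric=20),
    Route('10.2.5.0', '255.255.255.0', '10.1.1.4', 'RIP', metric=1),
    Route('10.7.0.0', '255.255.0.0', '10.1.1.9', 'RIP', metric=2, ad=255),
    Route('0.0.0.0', '0.0.0.0', '10.1.1.1', 'Management'),
]
TABLE = build_table(CANDIDATES)
```

Two consequences worth checking in your own table: a more specific RIP route beats a less specific OSPF route regardless of administrative distance, and a RIP route with a lower hop count still loses to an OSPF route for the same prefix because the comparison is on administrative distance first.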

Finally, after all configuration is complete, do not forget to save the settings.


Chapter 17

17 – OSPF Routing

Routing traffic in a large network using OSPF

Open Shortest Path First (OSPF) is one of the most widely used protocols for routing TCP/IP traffic. Routing, as discussed earlier, is a critical service in a TCP/IP network: the process of selecting paths in a network along which to send traffic. Unlike RIP, OSPF is a link-state routing protocol. OSPF requires MNS-DX-ADVAR.

Open Shortest Path First (OSPF) Open Shortest Path First (OSPF) is a dynamic routing protocol for use in Internet Protocol (IP) networks. Specifically, it is a link-state routing protocol and falls into the group of interior gateway protocols, operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4.

OSPF Backgrounder
OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain (autonomous system). It gathers link state information from the available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet layer, which makes routing decisions based solely on the destination IP address found in IP datagrams. OSPF was designed to support variable-length subnet masking (VLSM) and Classless Inter-Domain Routing (CIDR) addressing models.

OSPF detects changes in the topology, such as link failures very quickly and converges on a new loop-free routing structure within seconds. It computes the shortest path tree for each route using a method based on Dijkstra's algorithm, a shortest path first algorithm.

The link-state information is maintained on each router as a link-state database (LSDB) which is a tree-image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF routers.


The OSPF routing policies to construct a route table are governed by link cost factors (external metrics) associated with each routing interface. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit-less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.
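The shortest-path computation described above, as an added example that is not MNS-DX code. The link-state database is a constructed dictionary, router to {neighbor: cost of the outgoing interface}, i.e. the per-interface Metric that is configured later under OSPF Interface Settings. spf() is Dijkstra's algorithm; it keeps every equal-cost first hop, which is where the load balancing between equal-cost routes comes from. Costs are assumed positive.

```python
"""Shortest-path-first computation over a link-state database.

Added example, not MNS-DX code. LSDB is a constructed dictionary:
router -> {neighbor: Metric of the outgoing interface}, i.e. the per-interface
cost set under OSPF Interface Settings. Costs are assumed positive.
spf() is Dijkstra's algorithm and keeps every equal-cost first hop, which is
where load balancing between equal-cost routes happens."""
import heapq


def spf(lsdb, root):
    """Return {router: (cost, [first hops])} for every router reachable from root."""
    dist = {root: 0}
    first_hops = {root: []}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                                # stale heap entry
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            via = [v] if u == root else first_hops[u]
            if nd < dist.get(v, float('inf')):
                dist[v] = nd
                first_hops[v] = list(via)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                for h in via:                       # equal-cost path: keep both
                    if h not in first_hops[v]:
                        first_hops[v].append(h)
    return {r: (dist[r], sorted(first_hops[r])) for r in dist}


def link(lsdb, a, b, cost_ab, cost_ba=None):
    """Add an adjacency. Cost belongs to the outgoing interface, so the two
    directions may differ (cost_ba defaults to cost_ab)."""
    lsdb.setdefault(a, {})[b] = cost_ab
    lsdb.setdefault(b, {})[a] = cost_ab if cost_ba is None else cost_ba


# Constructed topology: two equal-cost paths R1-R2-R4 and R1-R3-R4 (20),
# a direct but slower WAN link R1-R4 (30), and R5 behind R4.
LSDB = {}
link(LSDB, 'R1', 'R2', 10)
link(LSDB, 'R1', 'R3', 10)
link(LSDB, 'R2', 'R4', 10)
link(LSDB, 'R3', 'R4', 10)
link(LSDB, 'R1', 'R4', 30)
link(LSDB, 'R4', 'R5', 5)
```

Because the cost is a property of the sending interface, a link can be cheap in one direction and expensive in the other; when a path looks wrong in one direction only, compare the Metric on both ends of the link.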

An OSPF network may be structured, or subdivided, into routing areas to simplify administration, and optimize traffic and resource utilization. Areas are identified by 32-bit numbers, expressed either simply in decimal, or often in octet-based dot-decimal notation, familiar from IPv4 address notation.

By convention, area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The identifications of other areas may be chosen at will, often, administrators select the IP address of a main router in an area as the area's identification. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as area border router (ABR). An ABR maintains separate link state databases for each area it serves and maintains summarized routes for all areas in the network.

OSPF does not use a TCP/IP transport protocol (UDP or TCP) but is encapsulated directly in IP datagrams with protocol number 89. This is in contrast to other routing protocols such as the Routing Information Protocol (RIP) or the Border Gateway Protocol (BGP). OSPF handles its own error detection and correction functions.

OSPF uses multicast addressing for route flooding on a broadcast network link. For non- broadcast networks special provisions for configuration facilitate neighbor discovery. OSPF multicast IP packets never traverse IP routers; they never travel more than one hop. OSPF reserves the multicast addresses 224.0.0.5 for IPv4 or FF02::5 for IPv6 (all SPF/link state routers, also known as AllSPFRouters) and 224.0.0.6 for IPv4 or FF02::6 for IPv6 (all Designated Routers, AllDRouters), as specified in RFC 2328 and RFC 5340.

For routing multicast IP traffic, OSPF supports the Multicast Open Shortest Path First protocol (MOSPF) as defined in RFC 1584. Neither Cisco nor Juniper Networks include MOSPF in their OSPF implementations. PIM (Protocol Independent Multicast) in conjunction with OSPF or other IGPs, (Interior Gateway Protocol), is widely deployed.

The OSPF protocol, when running on IPv4, can operate securely between routers by authenticating every protocol packet, either with a cleartext password or with a keyed MD5 digest, so that only trusted routers participate in routing.

OSPF Neighbor relationships
Routers in the same broadcast domain, or at each end of a point-to-point link, form adjacencies once they have detected each other. Detection happens when a router sees its own Router ID listed in a neighbor's OSPF Hello packet; the relationship is then in the two-way state, the most basic neighbor relationship. The routers on an Ethernet or frame relay network elect a designated router (DR) and a backup designated router (BDR), which act as a hub to reduce traffic between routers. OSPF uses both unicast and multicast to send Hello packets and link state updates.

As a link state routing protocol, OSPF establishes and maintains neighbor relationships in order to exchange routing updates with other routers. The neighbor relationship table is called an adjacency database in OSPF. Provided that OSPF is configured correctly, OSPF forms neighbor relationships only with the routers directly connected to it. In order to form a neighbor relationship between two routers, the interfaces used to form the relationship must be in the same area. An interface can only belong to a single area.

OSPF Area types An OSPF domain is divided into areas that are labeled with 32-bit area identifiers. The area identifiers are commonly, but not always, written in the dot-decimal notation of an IPv4 address. However, they are not IP addresses and may duplicate, without conflict, any IPv4 address. While most OSPF implementations will right-justify an area number written in a format other than dotted decimal format (e.g., area 1), it is wise to always use dotted-decimal formats. Most implementations expand area 1 to the area identifier 0.0.0.1, but some have been known to expand it as 1.0.0.0.

Areas are logical groupings of hosts and networks, including their routers having interfaces connected to any of the included networks. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Thus, the topology of an area is unknown outside of the area. This reduces the amount of routing traffic between parts of an autonomous system.

OSPF defines several area types. These are listed below. Some vendors also implement extensions to OSPF area types.

OSPF Backbone area The backbone area (also known as area 0 or area 0.0.0.0) forms the core of an OSPF network. All other areas are connected to it, and inter-area routing happens via routers connected to the backbone area and to their own associated areas. It is the logical and physical structure for the 'OSPF domain' and is attached to all nonzero areas in the OSPF domain.

The backbone area is responsible for distributing routing information between area routers. The backbone must be contiguous, but it does not need to be physically contiguous; backbone connectivity can be established and maintained through the configuration of virtual links.

All OSPF areas must connect to the backbone area. This connection, however, can be through a virtual link. For example, assume area 0.0.0.1 has a physical connection to area 0.0.0.0. Further assume that area 0.0.0.2 has no direct connection to the backbone, but this area does have a connection to area 0.0.0.1. Area 0.0.0.2 can use a virtual link through the transit area 0.0.0.1 to reach the backbone. To be a transit area, an area has to have the transit attribute, so it cannot be stubby in any way.

OSPF Stub Area A stub area is an area which does not receive route advertisements external to the autonomous system (AS) and routing from within the area is based entirely on a default route. This reduces the size of the routing databases for the area's internal routers.

Modifications to the basic concept of stub areas exist in the not-so-stubby area (NSSA).

OSPF Not-So-Stubby Area A not-so-stubby area (NSSA) is a type of stub area that can import autonomous system external routes and send them to other areas, but still cannot receive AS external routes from other areas. NSSA is an extension of the stub area feature that allows the injection of external routes in a limited fashion into the stub area.

Proprietary Extensions
Several vendors (Cisco, Juniper, Huawei, Quagga) implement extensions to stub and NSSA areas. Although not covered by any RFC, networks come to depend on them for proper operation, which locks the user into that vendor's proprietary extensions.

Configuring OSPF
To configure OSPF, do the following:
1) Determine the interfaces which need to participate in routing. This includes WAN interfaces, LAN interfaces as well as VLAN interfaces. Set the IP addresses for these interfaces.
2) Determine which interfaces need to actively exchange routing information with other routers and which should only listen. This depends on the network architecture.
3) Add static routes, e.g. the default gateway: usually the router on the outside which can resolve routing issues.
4) Configure the OSPF options (global settings, areas, interfaces and interface profiles).
5) Validate that the routing setup is working properly by viewing the routing tables.

Setting IP Address
Setting the IP addresses of the interfaces is described earlier, in the sections on WAN and Frame Relay, Configuring the Magnum DX device, and VLANs.


For clarity, the menu where the IP addresses are defined on the interfaces is repeated below. The VLAN and DLCI interfaces are also shown.

FIGURE 175 – Setting IP addresses on the different interfaces

Setting Static Routes
Static routes let a router reach subnets that no routing protocol advertises (subnets “hidden” from general view), and define a default route, i.e. a router of last resort: when no route to a destination network is known, the packet is sent to this router. In the example below the default route is defined with the destination IP address 0.0.0.0 (any) and netmask 0.0.0.0. To configure it use the Routing > Static Routes menu.

FIGURE 176 – Setting static route including default route


Once the static routes are defined, verify that the next-hop routers can be reached using the ping utility.

Setting OSPF global parameters
To set the OSPF parameters, use Routing > OSPF > Global Settings. This is shown below.

FIGURE 177 – Setting OSPF global parameters
The different parameters available are:
Enabled? – This parameter can take one of the following values:
• No – default value – OSPF is not enabled.
• Yes – when set (with “Apply Settings”) enables OSPF on the router.
Router ID – A 32-bit integer that is unique within the OSPF Autonomous System (AS). It is written in standard dotted decimal notation but it is not an IP address; however, it is standard practice to use one of the router’s IP addresses for the Router ID value to guarantee uniqueness.
AS Border Router – Specifies whether or not this router sits at the border between two autonomous systems. Note: the router must be configured as an AS Border Router in order to import RIP or static routes into OSPF, because RIP and static routes are treated as external routes.
Import BGP Routes – Specify whether or not BGP routes are redistributed by this router into the OSPF network.
• No – BGP routes are not redistributed into the OSPF network by this router.
• Yes – BGP routes are redistributed into the OSPF network by this router.
Default value = No.
Default BGP Route Metric – A fixed metric used for all BGP routes imported into the OSPF routing domain. Default value = 1. Valid range = 1 - 15.
Import RIP Routes – Specify whether or not RIP routes are redistributed by this router into the OSPF network.
• No – RIP routes are not redistributed into the OSPF network by this router.
• Yes – RIP routes are redistributed into the OSPF network by this router.
Default value = No.
Default RIP Route Metric – A fixed metric used for all RIP routes imported into the OSPF routing domain. Default value = 20.
Import Static Routes – Specify whether or not static routes are redistributed by this router into the OSPF network.
• No – static routes are not redistributed into the OSPF network by this router.
• Yes – static routes are redistributed into the OSPF network by this router.
Default value = No.
Default Static Route Metric – A fixed metric used for all static routes imported into the OSPF routing domain. Default value = 20.
Administrative Distance – Administrative distance is the measure used to select the best path when two or more routing protocols offer a route to the same destination. It expresses how trustworthy a routing protocol is considered: each protocol is ranked from most to least believable by an administrative distance value, and the lower number is preferred. OSPF has a default value of 110 (the same as the default in MNS-DX).

OSPF Area Settings
Once the global settings are defined, the next step is to define the area settings for OSPF. This is done using Routing > OSPF > Area Settings as shown below.


FIGURE 178 – Setting OSPF area settings

The parameters are as follows:
Area ID – A 32-bit integer (in dotted decimal notation) that uniquely identifies an area.
Import AS – Indicates how routers in this area import information about networks outside of the area:
• External – Import routing information for all networks, including those outside the AS (a normal area).
• No External – Import routing information only for networks within the AS (a stub area).
• Not So Stubby Area – External routing information is allowed to flow from the NSSA toward the backbone but not in the other direction.
Summary? – Whether or not routers in this area receive summary Link State Advertisements (LSAs) for networks outside of this area.
Delete – Delete the area entry by checking the box and clicking “Apply Settings”.

OSPF Interface Settings
Interface settings determine which interfaces participate in the OSPF network and how. This is shown below.


FIGURE 179 – Setting OSPF interface settings

The different parameters available are:
IP Interfaces – Lists all interfaces with an IP addressable subnet. This includes VLANs, Ethernet interfaces, WAN circuits etc.
Enabled? – Sets whether the interface participates in OSPF routing.
Passive? – Sets whether the interface only listens for route information. “Yes” sets a listen-only mode. “No” means the interface will exchange routing information. When in doubt leave Passive set to “Yes” (the default).
Area ID – The area to which this interface belongs.
Type – The media type of the interface. Possible types are:
• Broadcast – a broadcast medium such as an Ethernet LAN.
• NBMA – non-broadcast multiple access.
• Point to Point – a point-to-point line such as a frame relay link or a full duplex Ethernet link with only two endpoints.
• Point to Multipoint – multiple point-to-point links.
Metric – An integer in the range 0-65535 that indicates the relative cost of passing traffic over this interface. It is used by the shortest path algorithm to select optimal routes.
Router Priority – An integer in the range 0-255 that specifies a priority for this router. This value is used in electing a designated router on a broadcast network. The greater the value the higher the priority, and the greater the likelihood that this router will be elected the designated router.
Profile – The profile to apply to this interface. Each profile contains a set of OSPF configuration parameters.

OSPF Interface Profiles
Interface profiles are groups of settings which can be applied to OSPF interfaces. They are defined under Routing > OSPF > Interface Profiles as shown below.

FIGURE 180 – Defining OSPF interface profiles

The different parameters available are: Profile Name  A unique name associated with the Profile. This name can be up to 16 characters long. Transit Delay  Estimated number of seconds it takes to transmit a link state update packet over this interface. Retrans. Interval  Estimated number of seconds between link state advertisement retransmissions for adjacencies belonging to this interface. Hello Interval  Specify the frequency (in seconds) with which hello packets will be sent from the interface. Valid range = 1 – 65535 Dead Interval  The number of seconds that must elapse with no receipt of hello packets from a neighbor before OSPF concludes that neighbor is unavailable. Authentication Type  Specify a type of authorization to be used with neighbors. • None – No authorization is performed between neighbors. • Simple – An authorization key is sent in the clear. • MD5 – An authorization key is used along with MD5 to sign OSPF packets. Receiving routers check the signature to verify authorization.


Authentication Key  The authorization secret shared between neighboring routers. The secret is an alphanumeric string of 1-16 characters. Authentication Key ID  An integer in the range 1-255 that uniquely identifies this authorization key. Delete  Delete the connection settings by checking the box and “Apply Settings” after that.

OSPF Area Aggregates
With area aggregates, subnet addresses within an OSPF area can be aggregated and represented by a single address. This can significantly reduce the size of routing tables and link-state databases. This is done using Routing > OSPF > Area Aggregates, as shown below.

FIGURE 181 – OSPF Area Aggregates

The different parameters available are:

Area ID – The OSPF Area identifier. This is usually set by the network architect.
Net and Mask – The Net and Mask combination shows the subnet schema associated with the Area ID.
Effect – Indicates whether the information is advertised outside of the Area or not.
Delete – Delete the connection settings by checking the box and clicking “Apply Settings” after that.

OSPF Neighbor Status
This is an information-only screen showing the OSPF neighbors found by the router. It can be accessed using Routing > OSPF > Neighbor Status, as shown below.


FIGURE 182 – OSPF Neighbor Status

Validating Routing Setup
Once the routing parameters are set up, make sure the routing function is working properly. This is done by reviewing the routing tables in the MNS-DX device. To view the routing table entries, use the menu Routing > Table, as shown below.

FIGURE 183 – Routing Table entries

The information provided by the table is as follows:

Route Destination  The destination IP address for this IP route. Note: the Route Destination 127.0.0.1 is the localhost address; that is, the loopback interface for the DX device currently being used. It is included in the routing table for internal purposes. Route Mask  Along with Route Destination determines the subnet being routed. Next Hop  The IP address of the destination in the next hop.


Administrative Distance  Determines whether the connection distance. A distance of “0” indicates the interface is local to the router. Metric  hop count used as a metric. Metric has a different meaning depending on the Protocol. For RIP the metric is the number of hops to the destination. For OSPF and BGP, the metric is an administratively configured cost to the destination. Age  Age of the route in seconds. Type  Specifies the source of the route. This may take the following values: • BGP – A route learned by the BGP routing protocol. • Management – A static route. • Local – A route to a directly connected subnet. • OSPF – A route learned by the OSPF routing protocol. • RIP – A route learned by the RIP routing protocol. • VPN – A route to a private network associated with a VPN tunnel.

Finally, after all configuration is complete, do not forget to save the settings.


Chapter 18

18 – BGP Routing

Core routing protocol for the Internet

Border Gateway Protocol or BGP is one of the widely used protocols for routing TCP/IP traffic in large organizations as well as on the Internet. Routing, as discussed earlier, is a critical service in a TCP/IP network. Routing is the process of selecting paths in a network along which to send network traffic. Unlike RIP, BGP is a link state routing protocol. BGP requires MNS-DX-ADVAR capabilities.

Border Gateway Protocol (BGP)
The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based on path, network policies and/or rule sets.

BGP Backgrounder
BGP was created to replace the Exterior Gateway Protocol (EGP) routing protocol to allow fully decentralized routing in order to allow the removal of the NSFNet Internet backbone network. This allowed the Internet to become a truly decentralized system. Since 1994, version four of BGP has been in use on the Internet. All previous versions are now obsolete. The major enhancement in version 4 was support of Classless Inter-Domain Routing and use of route aggregation to decrease the size of routing tables. Since January 2006, version 4 is defined in RFC 4271, which obsoletes RFC 1771 version 4. The RFC 4271 version corrected a number of errors, clarified ambiguities, and also brought the RFC much closer to industry practices.

Most Internet users do not use BGP directly. However, since most Internet service providers must use BGP to establish routing between one another (especially if they are multi-homed), it is one of the most important protocols of the Internet. Very large private IP networks use BGP internally. An example would be the joining of a number of large Open Shortest Path First (OSPF) networks where OSPF by itself would not scale to size. Another reason to use BGP is multi-homing a network for better redundancy, either to multiple access points of a single ISP (as per RFC 1998) or to multiple ISPs. BGP neighbors, or peers, are established by manual configuration between routers to create a TCP session on port 179. A BGP speaker will periodically send 19-byte keep-alive messages to maintain the connection (every 60 seconds by default). Among routing protocols, BGP is unique in using TCP as its transport protocol.

When BGP is running inside an autonomous system (AS), it is referred to as Internal BGP (IBGP or iBGP or Interior Border Gateway Protocol). When it runs between autonomous systems, it is called External BGP (EBGP or eBGP or Exterior Border Gateway Protocol). Routers on the boundary of one AS, exchanging information with another AS, are called border or edge routers. IBGP routes have an administrative distance of 200, which is less preferred than either external BGP or any interior routing protocol.

Configuring BGP
To configure BGP, ensure the following:
1) Determine the interfaces which need to participate in routing. This includes WAN interfaces, LAN interfaces as well as VLAN interfaces. Set the IP addresses for these interfaces.
2) Determine which interfaces need to actively broadcast routes to other routers or be passive listeners for broadcast updates. This will depend on the network architecture.
3) Add static routes, e.g. a default gateway – usually the router on the outside which can resolve routing issues.
4) Configure the BGP options.
5) Validate that the routing setup is working properly by viewing the routing tables.

Setting IP Address
Setting the IP address is described in the earlier sections on WAN and Frame Relay, Configuring the Magnum DX device, and VLANs.

For clarity, the menu where the IP addresses are defined on the interfaces is repeated below. The VLAN and DLCI interfaces are also shown.


FIGURE 184 – Setting IP addresses on the different interfaces

Setting Static Routes
Static routes allow routers to work in networks where subnets are “hidden” from general view, and they also define a default route or router of last resort, i.e. when a route to a network is unknown, the packet is sent to this router to resolve the routing. In the example below, the router of last resort is defined by the IP address 0.0.0.0 (any) and netmask 0.0.0.0. To configure it, use the Routing > Static Routes menu.

FIGURE 185 – Setting static route including default route

Once the static routes are defined, it is a good idea to check whether the routers can be reached by use of the ping utility.


Setting BGP Global Parameters
To set the BGP parameters, use Routing > BGP > Global Settings, as shown below.

FIGURE 186 – Setting BGP global settings, including enabling or disabling BGP

The different parameters available are:

BGP Mode  This parameter can take one of the following values: • Disabled – default value – BGP is not enabled. • Enabled – when set (with “Apply Settings”) enables BGP on router. AS Number  An identifying number for this AS. This will be included in the router’s BGP Hello packet. Valid range = 0 – 65535. Router ID  The IP address of the router you are configuring for BGP. eBGP Admin Distance  The priority assigned to eBGP messages. This is usually set to 20 and should be changed only to match the network architecture. iBGP Admin Distance  The priority assigned to iBGP messages. This is usually set to 200 and should be changed only to match the network architecture.

Setting BGP Peer Settings
To set the BGP Peer Settings, use Routing > BGP > Peer Settings, as shown below.


FIGURE 187 – Setting BGP Peer Settings

The different parameters available are:

BGP Name  A user-supplied BGP reference name of up to 15 characters. Peer IP Address  The IP address of the router to which BGP traffic will be sent. If no value is specified a value of 0 is used to signify that the system will accept whatever value the remote end supplies. Local IP Address  The IP address of the router being configured. Peer AS  An identifying number for the AS of the peer. This will be included in the router’s BGP Hello packet. Valid range = 0 - 65535 Local AS  An identifying number for a local AS to override the AS specified in the Routing: BGP: Global Settings screen. The router will use this AS value only for this connection. This will be included in the router’s BGP Hello packet. Valid range = 0 - 65535. Hold Timer (sec)  Specify the frequency (in seconds) with which this router will send Keep Alive packets to its peers. Profile  The name of the profile used by the peer. Input Filter  Filter parameters for input. See next section on BGP Filters. Output Filter  Filter parameters for output. See next section on BGP Filters. MD5 Password  Authentication password. Delete  Delete the connection settings by checking the box and “Apply Settings” after that.

Setting BGP Filters
To set the BGP Filters, use Routing > BGP > Filters, as shown below.


FIGURE 188 – Setting BGP Filters

The different parameters available are:

Filter Name  A user-supplied BGP reference name of up to 15 characters. Filter Order  The order in which the filter is applied. Source ASN (0=Any) The source Autonomous System Network number. 0 indicate any ASN. IP Address Start  Start of the IP address. IP Address End  End IP address. This IP address range can span multiple address ranges if needed. Action  Determine the accept or reject action i.e. allow the information to flow through or be discarded. Delete  Delete the connection settings by checking the box and “Apply Settings” after that.

Setting BGP Profiles
To set the BGP Profiles, use Routing > BGP > Profiles, as shown below.


FIGURE 189 – Setting BGP Profiles

The different parameters available are:

Profile Name  A user-supplied BGP profile name of up to 15 characters. Default Router  If “Yes” specifies that the router using this profile is the default router. Redist Static  If “Yes” include static route information from this router in BGP Update messages. Redist RIP  If “Yes” include RIP route information from this router in BGP Update messages. Redist OSPF  If “Yes” include OSPF route information from this router in BGP Update messages. Redist BGP  If “Yes” include BGP route information from this router in BGP Update messages. Weight  A priority value in the range 0 - 4294967295. Private AS  If “Yes” private AS numbers are redistributed. Local Pref  A priority value assigned to a route that is local to this AS. Default value = 100 Valid range = 0 – 4294967295 TCP Passive  If “Yes” this router will not initiate a TCP connection but will wait for one to be initiated by a peer. Delete  Delete the connection settings by checking the box and “Apply Settings” after that.

Checking BGP Status
To check the BGP status, use Routing > BGP > Status, as shown below.


FIGURE 190 – Checking the status of BGP setup

The different parameters available are:

Neighbor  The IP address of the neighbor configured to exchange BGP data. If the Packets Sent and Packets received number is greater than zero, the neighbor is exchanging information with the device. Version  The BGP version running on this connection. AS#  The AS number of the router whose IP address is displayed under Neighbor in this row of the table. BGP State  The state of the connection with this neighbor. Possible values are: • Established – can exchange UPDATE and KEEPALIVE messages with its peer. • Active – trying to acquire a peer by listening for, and accepting, a TCP connection. • Idle – passively waiting to receive. • Connect – waiting for the TCP connection to be completed. • OpenSent – connection has sent an OPEN message and is waiting for an OPEN message from its peer. • OpenConfirm – connection has sent an OPEN message, has received an OPEN message, and is waiting for a KEEPALIVE message. Nets Rcvd  The number of subnets received from this peer. Pkts Sent  Count of the number of HELLO, KEEPALIVE, NOTIFICATION, and UPDATE packets sent by this neighbor since BGP Open was initiated. Pkts Rcvd  Count of the number of HELLO, KEEPALIVE, NOTIFICATION, and UPDATE packets received by this neighbor since BGP Open was initiated. Session  The TCP session status. Possible values are: • Idle • Listening • Connecting • Connect Reset  Use the dropdown list to specify the type of reset. Possible values are: • None

228 MAGNUM DX – MNS- DX ADMINISTRATOR GUIDE

• Soft Reset- send a BGP route refresh message. • Hard Reset - reset TCP connection.

Checking BGP RIB
To check the BGP Routing Information Base (RIB), use Routing > BGP > RIB, as shown below.

FIGURE 191 – Checking the BGP RIB

The different parameters available are:

Prefix  An IP address prefix to be followed by a specified number of bits. Bits The number of bits used in the prefix. Source Peer #  The IP address of source peer. Source AS #  The AS number of the source peer. Number Hops  The number of AS hops between peer and this system. Weight  A priority value for the peer specified by “Prefix.” Origin  The origin attribute of the Network Layer Reachability Information (NLRI): • 0 – IGP, interior to the originating AS. • 1 – BGP, learned via the EGP protocol. • 2 – Other, learned by some other means. Local Pref  A priority specification distributed among internal peers only. eBGP / iBGP  Whether prefix came through an iBGP or an eBGP connection.

Checking BGP Statistics
To check the BGP Statistics, use Routing > BGP > Statistics, as shown below.


FIGURE 192 – Checking the BGP Statistics

The different parameters available are:

Prefix  Address of BGP peer. Sent: Hellos  The number of BGP Hello messages sent from the address listed under “Prefix.” Keep Alives  The number of BGP Keepalive messages sent from the address listed under “Prefix.” Updates  The number of BGP Update messages sent from the address listed under “Prefix.” Route Refresh  The number of BGP Route Refresh messages sent from the address listed under “Prefix.” Notifies  The number of BGP Notification messages sent from the address listed under “Prefix.” Received: Hellos  The number of BGP Hello messages received from the address listed under “Prefix.” Keep Alives  The number of BGP Keepalive messages received from the address listed under “Prefix.” Updates  The number of BGP Update messages received from the address listed under “Prefix.” Route Refresh  The number of BGP Route Refresh messages received from the address listed under “Prefix.” Notifies  The number of BGP Notification messages received from the address listed under “Prefix.”

Validating routing setup
Once the routing parameters are set up, make sure the routing function is working properly. This is done by reviewing the routing tables in the MNS-DX device. To view the routing table entries, use the menu Routing > Table, as shown below.


FIGURE 193 – Routing Table entries

The information provided by the table is as follows:

Route Destination  The destination IP address for this IP route. Note: the Route Destination 127.0.0.1 is the localhost address; that is, the loopback interface for the DX device currently being used. It is included in the routing table for internal purposes. Route Mask  Along with Route Destination determines the subnet being routed Next Hop  The IP address of the destination in the next hop Administrative Distance  Determines whether the connection distance. A distance of “0” indicates the interface is local to the router. Metric  hop count used as a metric. Metric has a different meaning depending on the Protocol. For RIP the metric is the number of hops to the destination. For OSPF and BGP, the metric is an administratively configured cost to the destination. Age  Age of the route in seconds Type  Specifies the source of the route. This may take the following values: • BGP – A route learned by the BGP routing protocol. • Management – A static route. • Local – A route to a directly connected subnet. • OSPF – A route learned by the OSPF routing protocol. • RIP – A route learned by the RIP routing protocol. • VPN – A route to a private network associated with a VPN tunnel.


Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 19

19 – VRRP

Default route backed up by redundant routers

Default routes are defined in most computers as the means to provide connectivity in a TCP/IP network. In many networks, the designated default router is usually a single device connected to other parts of the network. In some situations the default router can also be a Layer 3 switch.

Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the static default routed environment. This is explained below.

FIGURE 194 – VRRP services require two routers to provide redundancy. One router is always the primary default router.

The virtual router is a group of two or more physical routers sharing certain identifying information on the same network. One of these routers is configured with the IP address that will be used as the VRIP. This router is the “owner” of the VRIP and will serve the master role so long as it is operational. When the primary router fails for whatever reason, the secondary router takes over, as shown below. The devices that are included in a virtual router communicate with one another with a frequency specified by the value of the advertising interval.


FIGURE 195 – When the primary or Master device fails, the secondary device takes over

When a device serving the master role has not been heard from for a length of time that exceeds three times the advertising interval, that device is presumed to be non-functioning and priority values are used to elect a new master router from the remaining members of the virtual router.

The Virtual Router Redundancy Protocol (VRRP) is specified in RFC 2338.

Configuring VRRP
To configure the VRRP settings, use the Routing > VRRP > Groups settings, as shown below.

FIGURE 196 – Configuring VRRP

In the screen above:


VRID  Virtual Router ID is a unique number associated with a router. The valid range is from 1 to 255. VRIP  Virtual Router’s IP address. This is the IP address associated with the virtual router. For the “Master” or the main router, the VRIP should be the same as the IP address of the routed interface (physical interface or a VLAN interface). Priority  This is the relative priority associated with the routers. The higher the number, the higher the priority. The Master router has the priority of 255. The backup router has the priority of 100. The Master router over writes whatever priority value that was assigned in the configuration menu. Adver Interval  The advertisement interval in seconds. This determines how often the Master router will send VRRP advertisements. Default value is 1. Valid range is 1- 60. Preemption  If this flag is set to yes, this router will take the master role over from another router that has a lower priority. Default value = yes. Delete  Delete the connection settings by checking the box and “Apply Settings” after that.

VRRP Status
To check the status of VRRP, use the Routing > VRRP > Status menu.

FIGURE 197 – Status of VRRP

In the VRRP configuration example, we had set VRID 1 with the same IP address as the IP address on the physical interface E3. VRID 2 was another router on the network. Note that when we check the status, the Priority has changed to 255, indicating the router is a Master. The other router has the priority of 100, indicating it is the backup router.

Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 20

20 – NAT and PAT

Modifying network addresses….

Modifying network addresses is one method commonly used by networking devices to map local IP addresses to one assigned IP address. This method is known as Network Address Translation or NAT. A similar technique is further extended when protocol ports are mapped to other ports or sockets. This is called Protocol Address Translation or PAT. Both NAT and PAT are looked at in more detail in this chapter.

NAT Background
In the late 1990’s it became clear that the IPv4 address space could be exhausted unless a better method was found to manage the IP addresses assigned. RFC 1918 defines IP addresses which can be used by anyone for their own private use. This method is called IP address allocation for private networks. The Internet Assigned Numbers Authority (IANA) has reserved three blocks of the IP address schema for private network use. This is defined in RFC 1918.

As more and more individuals and businesses connected to the network, it became imperative to map the private network IP addresses to IANA-assigned IP addresses, usually assigned by an ISP. This translation method was done in a managed or stateful manner and is defined in RFC 1631. Even within a private network, NAT is used extensively to map IP addresses behind a routed or a firewalled segment to IP addresses used within the corporate or business environment. These IP addresses are usually controlled and assigned by the Information Technology (IT) group within the company.

In summary, Network Address Translation allows a single device, such as a Magnum DX router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers or IP addresses.

NAT in common parlance is also called IP masquerading.


Protocol Address Translation (PAT)
PAT is a subset of NAT, and is closely related to the concept of NAT. PAT is also commonly known as NAT overload. In PAT, both the sender's private IP and port number are modified; the PAT device chooses the port numbers which will be seen by hosts on the public network.

Using PAT could introduce additional complexity in configuring the firewall. Since the inside addresses are all disguised behind one publicly-accessible address, it is impossible for outside machines to initiate a connection to a particular inside machine without special configuration on the firewall to forward connections to a particular port. This has a considerable impact upon applications such as VOIP, videoconferencing, and other peer-to-peer applications – e.g. to initiate an inbound call.

NAT/PAT and Security
Since the Magnum DX router maps the internal IP addresses to an externally available one, the internal addresses are usually not well known and are not directly reachable from the public network, which makes them less prone to targeted attacks.

Configuring NAT and PAT
For configuring NAT and PAT, it is recommended to plan out the following steps:
1) Determine the “Public” interface as described earlier.
2) Determine if outside access to inside servers is required. Map those protocol address translations by adding NAT port forwarding rules.
3) Test the settings.

Configuring NAT
To configure NAT, access the menus under Routing > NAT > Global Settings. This is shown below.


FIGURE 198 – Setting up NAT global parameters. The public interface has been changed from default to E2.

In the screen above:

Dynamic NAPT  Allows the NAT services to be enabled or disabled. The choices are: • Disabled – No dynamic NAT functionality is enabled. Static translations will still be applied if they are configured. • Enabled – Dynamic NAT functionality is enabled. IP address masquerading occurs for all TCP/UDP sessions initiated to a host on the public network. Selecting Enabled in the Routing: NAT: Global Settings screen is all that is necessary to support IP masquerading in sessions initiated on the private network. No sessions are allowed to be initiated from the public network to a private host unless a specific port forwarding rule has been defined. Default value = Disabled.

Public Interface  This selects the “Public” interface. Other interfaces are considered private. Configuring Port Forwarding It may be necessary to map traffic originating from the public network to be mapped to another port (socket number) as it traverses the device to the private network.

To map the port number, determine what type of traffic is involved (i.e. traffic originating from hosts on specific socket numbers, e.g. web traffic on port 80) and what port number it should be mapped to.
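The following Python is an added example, not MNS-DX code, of the behaviour described for Dynamic NAPT and port forwarding: sessions started on the private side are masqueraded behind the public address on a port the device chooses, replies to those sessions are translated back, a packet arriving at a public port that matches a port forwarding rule is sent to the private server, and every other packet arriving from the public side is discarded. The public address, the private hosts, the port range the device allocates from and the forwarding rule are constructed sample values.

```python
import itertools
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass
class NaptRouter:
    public_ip: str                                                  # address on the "Public" interface
    # port forwarding rules: (protocol, public port) -> (private address, private port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # dynamic NAPT table: (protocol, public port) -> (private ip, private port, remote ip, remote port)
    sessions: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    # assumed for the demo: public ports handed out sequentially from 40000
    next_port: Any = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source to the public address and a chosen port,
        reusing the mapping if this flow is already in the table."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), known in self.sessions.items():
            if proto == pkt.proto and known == flow:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = next(self.next_port)
        self.sessions[(pkt.proto, pub_port)] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: pass replies to known sessions and port-forwarded services;
        return None (drop) for anything else."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.sessions:
            priv_ip, priv_port, remote_ip, remote_port = self.sessions[key]
            if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None          # not the peer of the session that opened this port
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)
        if key in self.port_forwards:
            priv_ip, priv_port = self.port_forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)
        return None                  # no session and no rule: unsolicited public traffic is discarded


# Constructed sample device: public address 203.0.113.10 on E2, one web server published on port 80.
SAMPLE_ROUTER = NaptRouter("203.0.113.10", port_forwards={("TCP", 80): ("192.168.1.20", 8080)})
```

The check that a reply comes from the same remote address and port that the private host contacted is what makes the table a session table rather than a plain port map; without it, any public host could reach a private host simply by guessing an allocated port.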


FIGURE 199 – Setting up PAT or mapping socket numbers

Private Address – The address of a server reachable from one of the router's private interfaces.
Protocol – The protocol (TCP or UDP or both) to forward.
Private TCP or UDP Port – The port or socket number on which the service is accessible on the private server.
Public TCP or UDP Port – The port or socket number on which the server is accessible by hosts on the public network.
Delete – Delete the connection settings by checking the box and clicking “Apply Settings” after that.

Configuring Static Port Forwarding
Static translations do not affect NAT settings. Static port translations cannot be used with a public interface. To map the IP address and port numbers, use Routing > NAT > Static Translations, as shown below.


FIGURE 200 – Setting up static NAPT or mapping Network Addresses and Protocol Translations

Again, it is important to note that static translations cannot be used on the NAT public interface. They can only be used on other interfaces.

The various items displayed on the Routing > NAT > Static Translations menu are:

Interface  The interface on which the translation occurs. Translation Type  The type of translation which takes place. Possible values are: • NAT – Translate the address only. • NAPT - TCP – Network Address Protocol Translation for TCP traffic i.e. translate the address and TCP port. • NAPT - UDP – Network Address Protocol Translation for UDP traffic i.e. translate the address and UDP port. Original Address  The IP address from which the traffic was received from private network. Original Port  The port number or socket number used by the traffic on the private network. Translated Address  If a match occurs to the Original Address and Original Port number as discussed above, the original address is replaced with the translated address. Reply packets have the reverse translation applied automatically when they are sent back out the interface. Translated Port  If a match occurs to the Original Address and Original Port number as discussed above, the original port number is replaced with the translated port number. Reply packets have the reverse translation applied automatically when they are sent back out the interface. Delete  Delete the connection settings by checking the box and “Apply Settings” after that.


Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 21

21 – Security Certificates

Security is a process…

Security is a process backed up by secure products. MNS-DX offers many security options. These options are explored in this chapter. Not all options require the MNS-DX-SECURE license key. Features which are enabled with the MNS-DX-SECURE license key will be indicated as such.

Security Certificates
An X.509 certificate is an electronic document in Privacy Enhanced Mail (PEM) format used to publish a public key. A certificate file consists of an RSA private key and a matching X.509 certificate.

Certificate Backgrounder
In cryptography, two keys are needed to validate the encrypted message. One of the keys is publicly known and is called a public key. The other key is privately held and is called a private key. A public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind together a public key with an organization (name, address etc.) or identity. The binding and validation of the public certificate (whether the certificate is real or faked) can be used to verify that a public key belongs to that organization or individual.

In a typical public key infrastructure (PKI) scheme, this authentication and issuance is done by certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self- signed certificate) or other users ("endorsements"). In either case, the information or signatures on a certificate are endorsements by the certificate signer that the identity information and the public key belong together.

For certificates to work, the signing authority (self or a CA) and recognized encryption methods need to be agreed upon. MNS-DX supports RSA public key encryption and X.509 certificates. RSA is a widely used algorithm for public key encryption. X.509 is an International Telecommunication Union Telecommunication Standardization Sector (ITU-T) standard for public key infrastructure (PKI). MNS-DX uses keys and certificates encoded using the Privacy Enhanced Mail (PEM) format. These files conventionally use the .pem extension. A PEM file containing both a valid X.509 certificate chain and a valid RSA private key is treated as a certificate file. It is critical to be able to generate certificates easily and to manage the generated certificates, i.e. mapping devices to the certificates in use.

Certificates are temporal in nature i.e. they expire after the designated date.

RSA and Public Cryptography
RSA public key cryptography is the most popular of the so-called asymmetric cryptography algorithms. Unlike symmetric cryptography, which uses a single key for encryption and decryption operations, asymmetric cryptography uses a pair of keys. One of the keys is published and well-known while the other is private and is known only to its owner. Information encrypted by the public key can only be decrypted by the private key and vice versa. This special property is what allows us to use asymmetric cryptography as a way of creating digital signatures.

Digital Signatures
Digital signatures provide a way of verifying that an electronic document was generated by a certain entity. Digital signatures protect electronic documents against tampering and forgery. Digital signatures may be created using RSA public key cryptography. The basic technique involves creating a message digest of a plaintext document and then encrypting the result with the author’s private key. The original plain text document and the digested/encrypted version (the signature) are passed to a recipient who then decrypts the signature using the author’s public key and compares the result to the message digest of the original plaintext document. If there is a match, the signature is valid. SSL authentication involves validating the digital signature on an electronic document known as an X.509 certificate.

X.509 Certificates
An X.509 certificate is an electronic document used to publish a public key. It generally contains additional information that describes the certificate owner’s name, organization, and contact information. The certificate is digitally signed by a trusted third party to prove its authenticity. Certificates may be chained, with each certificate in the chain holding the RSA public key of the entity that signed the previous certificate. In this way, a “chain of trust” is established from the entity being authenticated to a mutually trusted third party known as a Certificate Authority.

Certificate Authority
A Certificate Authority (CA) is usually a well-known, trusted entity that issues signed certificates for entities that wish to distribute their RSA public key. Think of a CA as the equivalent of a notary public for the Internet.

244 MAGNUM DX – MNS- DX ADMINISTRATOR GUIDE

A CA has its own RSA public and private key pair that it uses to sign X.509 certificates. It publishes its public key in a root X.509 certificate that is self-signed. This means that there is no way to digitally verify the authenticity of a root CA certificate. You must choose which root CA certificates to trust. Often, root CA certificates are distributed “out-of-band” or bundled with software that uses SSL.

MNS-DX Certificate Files

MNS-DX does not come with any bundled or pre-installed root CA certificates. A CA file needs to be generated or acquired. These certificate files then need to be installed on each unit. A self-signed certificate is one that is generated by the user, and therefore its authenticity cannot be verified by an independent external agency. MNS-DX only understands X.509 certificates that are encoded in the Privacy Enhanced Mail (PEM) format. This is an ASCII text format that is easy to cut and paste into files or email messages. A self-signed certificate can be generated as described in Appendix 5: Generating Self Signed Certificates, or by using the Certificate Wizard in MNS-DX.
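The sign, verify and chain-of-trust steps described above, worked through in Python as an added example (this is not MNS-DX or GarrettCom code). It uses a deliberately tiny textbook RSA built from Mersenne primes and a truncated SHA-256 digest so that it runs with the standard library alone; the key sizes, the certificate fields, the names “Example Root CA” and “dx-router.example” and the document being signed are all constructed for illustration and are neither secure nor real. The `verify_chain` function makes the point of the paragraph above explicit: a root’s self-signature is checked, but the chain is only valid if that root was also placed in the trust store by the administrator.

```python
"""Toy RSA signing and a two-level certificate chain (educational only).

Added example, not MNS-DX code. The moduli are small Mersenne-prime products
and the digest is truncated, so this is NOT a secure RSA implementation; it
only illustrates the sign/verify and chain-of-trust steps.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

E = 65537  # public exponent


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int = E


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Build an RSA key pair from two primes (toy sizes, constructed inputs)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent: E * d == 1 (mod phi)
    return PublicKey(n), PrivateKey(n, d)


def digest_int(data: bytes, n: int) -> int:
    """Message digest as an integer below the modulus (truncated on purpose: toy)."""
    h = hashlib.sha256(data).digest()
    return int.from_bytes(h[:16], "big") % n


def sign(priv: PrivateKey, data: bytes) -> int:
    """'Encrypt' the digest with the private key: sig = H(m)^d mod n."""
    return pow(digest_int(data, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    """'Decrypt' the signature with the public key and compare digests."""
    return pow(sig, pub.e, pub.n) == digest_int(data, pub.n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: PublicKey
    signature: int

    def tbs(self) -> bytes:
        """The 'to-be-signed' part: every field except the signature."""
        return f"{self.subject}|{self.issuer}|{self.pubkey.n}|{self.pubkey.e}".encode()


def issue(subject: str, subject_pub: PublicKey, issuer: str, issuer_priv: PrivateKey) -> Cert:
    """The issuer signs the subject's public key and names with its private key."""
    unsigned = Cert(subject, issuer, subject_pub, 0)
    return Cert(subject, issuer, subject_pub, sign(issuer_priv, unsigned.tbs()))


def verify_chain(chain: List[Cert], trusted_roots: Dict[str, PublicKey]) -> bool:
    """chain[0] is the end entity, chain[-1] the root. Each cert must verify under the
    next cert's key, and the root must be in the trust store: a self-signature alone
    proves nothing, the administrator has to have chosen to trust that root."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not verify(issuer.pubkey, cert.tbs(), cert.signature):
            return False
    root = chain[-1]
    anchor = trusted_roots.get(root.subject)
    return anchor is not None and anchor == root.pubkey and verify(anchor, root.tbs(), root.signature)


# Constructed toy keys (Mersenne primes; far too small for real use).
ROOT_PUB, ROOT_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
WEB_PUB, WEB_PRIV = make_keypair(2**31 - 1, 2**107 - 1)
ROOT_CERT = issue("Example Root CA", ROOT_PUB, "Example Root CA", ROOT_PRIV)   # self-signed root
WEB_CERT = issue("dx-router.example", WEB_PUB, "Example Root CA", ROOT_PRIV)   # issued by the CA


def demo() -> dict:
    """Sign a constructed document, detect tampering, and validate the chain."""
    trusted = {"Example Root CA": ROOT_PUB}         # the administrator's trust store
    doc = b"serial configuration export"            # constructed document
    sig = sign(WEB_PRIV, doc)
    return {
        "doc_ok": verify(WEB_PUB, doc, sig),
        "tampered_ok": verify(WEB_PUB, doc + b"!", sig),
        "chain_ok": verify_chain([WEB_CERT, ROOT_CERT], trusted),
        "untrusted_root": verify_chain([WEB_CERT, ROOT_CERT], {}),
    }


if __name__ == "__main__":
    print(demo())
```

The `untrusted_root` result is the case the paragraph above warns about: the same chain, with a perfectly valid self-signature on the root, is rejected when nobody has installed that root as trusted.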

MNS-DX Local Certificates

MNS-DX can manage and install locally generated certificates. To upload X.509 certificates in the PEM format, or to view or delete certificates, use the Security → Certificates → Local menu as shown below.

FIGURE 201 – Managing certificates on Magnum DX devices. Using this menu additional certificates can be loaded, viewed or deleted

The menu box allows the user to choose a certificate file on the local computer. Once the file or certificate is located using the “Choose” button, it is uploaded to MNS-DX using the “Upload” button. Once all the certificates are uploaded, the list of certificates is shown on the “Existing Local Certificates” menu. Certificates can be deleted by selecting the “Delete” check box and then clicking on “Apply Settings”.


Local certificates can be created using the Certificate Creation Wizard described in the Wizards chapter. Appendix 5 also shows how a certificate can be created on a Linux system.

All MNS-DX devices come with a WEB_CERT.pem certificate. To view a certificate, click on the hyperlink linking the certificate name. A portion of the WEB_CERT.pem certificate is shown below.

FIGURE 202 – A portion of the WEB_Cert.pem signature file


MNS-DX CA Certificates

MNS-DX can install and manage CA certificates. To upload X.509 certificates in the PEM format, or to view or delete certificates, use the Security → Certificates → CAs menu as shown below.

CAs are not contained in the system's configuration file. They are part of the non-volatile system state; therefore, the installed keys will not change if a new configuration file is selected or the system configuration is reset to default values.

CA certificates can be created using the Certificate Creation Wizard, described in the Wizards chapter later in this manual.

FIGURE 203 – A portion of the WEB_Cert.pem signature file

The menu box allows the user to choose a certificate file on the local computer. Once the file or certificate is located using the “Choose” button, it is uploaded to MNS-DX using the “Upload” button. Once all the certificates are uploaded, the list of certificates is shown on the “Existing Local Certificates” menu. Certificates can be deleted by selecting the “Delete” check box and then clicking on “Apply Settings”. To indicate whether or not the certificate is a trusted CA certificate, click on the “Trusted” box and then click on “Apply Settings”.

If the certificates uploaded are not valid certificates, MNS-DX prints an error message as shown below.


FIGURE 204 – A portion of the WEB_Cert.pem signature file

Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 22

22 – Other Security Considerations

Security is a process…

Security is a process backed up by secure capabilities. Each layer has to be secured to create an overall secure environment. Items which require MNS-DX-SECURE are indicated as such next to each topic.

Ethernet Port Security

MNS-DX-SECURE offers the ability to disable Ethernet ports upon access by an unauthorized station. Each port may be placed in either of two different security modes: address locking or link locking.

Address Locking

In address locking mode a port detects an unauthorized station by comparing the source MAC address in the frames that it receives to a list of authorized MACs. If the source MAC is not in the authorized list the port is locked out, which effectively disables the port by electrically isolating its PHY. Once a port is locked out it will not be re-enabled until it is explicitly unlocked by an administrator. Lock-outs persist across resets.

When static MAC addresses have been configured on a port by an administrator those addresses are treated as the list of authorized MACs. If no static MAC addresses are configured, the port will "learn" the source address of the first frame it receives and treat that MAC address as the single authorized MAC for the port. Learned authorized MACs persist across resets. If a static MAC is configured after a port has learned an authorized MAC, the learned MAC is forgotten and the configured static MACs are treated as the list of authorized MACs. If all static MACs are removed from a port, the port will learn a new authorized MAC.


Link Locking

In link locking mode a port is locked out if it loses link. Note that if a port is configured for link locking while it is down it is not automatically locked out. It waits for the link to go up and then down before locking out.
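The lock-out rules just described, encoded as a small state machine so that their edge cases can be exercised. This is an added example written in Python for this guide, not MNS-DX code or a description of its internal implementation; the port names, MAC addresses and sequence of events are constructed. It covers both modes: learning the first source MAC, locking on a foreign MAC, persistence of the lock-out across a reset, static MACs replacing a learned MAC and re-arming learning when they are removed, and link locking that fires only on an UP-to-DOWN transition.

```python
"""Model of the MNS-DX-SECURE Ethernet port lock-out rules (added example, not MNS-DX code)."""
from typing import List, Optional, Set


class SecurePort:
    def __init__(self, name: str, mode: str = "None"):
        if mode not in ("None", "Address", "Link"):
            raise ValueError("Security Type must be None, Address or Link")
        self.name = name
        self.mode = mode
        self.static_macs: Set[str] = set()
        self.learned_mac: Optional[str] = None   # the single learned authorized MAC
        self.locked_out = False                  # persists across resets
        self.link_up = False

    @property
    def authorized_macs(self) -> Set[str]:
        """Configured static MACs win; otherwise the one learned MAC, if any."""
        if self.static_macs:
            return set(self.static_macs)
        return {self.learned_mac} if self.learned_mac else set()

    def set_static_macs(self, macs: Set[str]) -> None:
        """Administrator configures static MACs; configuring any forgets the learned MAC.
        Clearing them all re-arms learning for the next frame."""
        self.static_macs = {m.lower() for m in macs}
        if self.static_macs:
            self.learned_mac = None

    def receive_frame(self, src_mac: str) -> bool:
        """True if the frame is accepted, False if the port is (now) locked out."""
        src = src_mac.lower()
        if self.locked_out:
            return False                # PHY isolated: nothing passes
        if self.mode != "Address":
            return True
        if not self.authorized_macs:
            self.learned_mac = src      # first frame teaches the authorized MAC
            return True
        if src in self.authorized_macs:
            return True
        self.locked_out = True          # unauthorized station: disable the port
        return False

    def link_change(self, up: bool) -> None:
        """Link locking fires only on an UP -> DOWN transition seen while armed."""
        if self.mode == "Link" and self.link_up and not up:
            self.locked_out = True
        self.link_up = up

    def reset(self) -> None:
        """Device reset: lock-outs and learned MACs persist; link state does not."""
        self.link_up = False

    def admin_unlock(self) -> None:
        """The only way back: the administrator changes 'Locked out?' from Yes to No."""
        self.locked_out = False


def address_lock_scenario() -> List[bool]:
    """Constructed sequence on an address-locking port; one result per step."""
    p = SecurePort("E3", "Address")
    r = []
    r.append(p.receive_frame("00:11:22:33:44:55"))   # learned as the authorized MAC
    r.append(p.receive_frame("00:11:22:33:44:55"))   # same station: accepted
    r.append(p.receive_frame("66:77:88:99:aa:bb"))   # foreign station: lock-out
    p.reset()
    r.append(p.locked_out)                           # still locked after the reset
    p.admin_unlock()
    p.set_static_macs({"66:77:88:99:AA:BB"})         # static MAC replaces the learned one
    r.append(p.learned_mac is None)
    r.append(p.receive_frame("66:77:88:99:aa:bb"))   # now authorized (case-insensitive)
    p.set_static_macs(set())                         # statics removed: learn again
    r.append(p.receive_frame("de:ad:be:ef:00:01"))   # new learned MAC
    return r


def link_lock_scenario() -> List[bool]:
    """Port configured for link locking while already down: locks only after up then down."""
    p = SecurePort("E4", "Link")
    r = []
    p.link_change(False)
    r.append(p.locked_out)   # configured while down: not locked
    p.link_change(True)
    r.append(p.locked_out)   # link came up: still not locked
    p.link_change(False)
    r.append(p.locked_out)   # UP -> DOWN: locked out
    return r
```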

Configuring Ethernet Security

Security → Ethernet Port configures the Ethernet Security as shown below.

FIGURE 205 – Ethernet port security

The various items displayed on the Security → Ethernet Port menu are:

Port – Ethernet port number being configured.

Security Type – What type of security is needed. Possible values are:
• None – (default).
• Address – This port will be locked out if a frame is received with a Source Address other than one of the authorized MACs for this port, either a configured static MAC or a learned authorized MAC. (A learned authorized MAC is the first dynamic MAC address learned on the port after address-based port security is enabled for the port.) A port that is locked out is effectively disabled.
• Link – This port will be locked out the next time the operational state of the link changes from UP to DOWN. A port that is locked out is effectively disabled.

Locked out? – Indicates whether the port has been disabled by the port security settings. Possible values are:
No – Port is not locked out.


Yes – Port is locked out and is disabled. If the port is locked out, change the “Yes” to a “No” (as shown below) and click on “Apply Settings”.

FIGURE 206 – If an Ethernet port is locked out, it can be unlocked by changing the “Locked?” field from a “Yes” to a “No”

Serial Port Security

MNS-DX-SECURE offers the ability to carry serial data over authenticated, encrypted TCP connections using the SSL protocol (SSLv3 or TLSv1). This is covered in more detail in the section titled “Secure Serial Connectivity”.

MNS-DX Web Server

MNS-DX offers the ability to secure access to the configuration menus or the web services. For example, administrators can choose whether only secure HTTPS access is permitted or whether unsecured HTTP access is also allowed. Over unsecured HTTP, any user login names or passwords are transmitted in clear text.

To access the menus to configure the web services, use Security → Web Server as shown below.


FIGURE 207 – Configuring Web services for MNS-DX

The various items displayed on the Security → Web Server menu are:

Mode – Indicates if the MNS-DX web services will accept non-secure HTTP requests. Possible values are:
• Allow HTTP – The server accepts requests on port 80 (http://) or on port 443 (https://).
• SSL Only – The server allows connections on port 443 only (https://). Any requests made on port 80 are automatically redirected to the secure port 443 connection. This is also the factory default setting for MNS-DX.

Cipher – Specify the type of encryption to support on the server. This parameter takes the following values:
• ANY (RC4, 3DES, AES128, or AES256).
• RC4 (factory default).
• 3DES.
• AES128.
• AES256.

Local Certificate – This is the certificate used by the web server when running over SSL (that is, when a browser accesses the server through the https:// URL and/or on port 443). When this parameter is set to Default, a default certificate is presented to a browser during an SSL handshake. The default certificate is self-signed and valid until the year 2038. It is highly recommended that users install or generate their own local certificate for use with the web server. If valid local certificates are installed on the system you can select one of these files via the dropdown. Once the “Apply Settings” button is pressed the web server is restarted and will begin using the certificate present in the new file.


MNS-DX CLI Access

MNS-DX offers the ability to secure access to the CLI settings from the network. By default only SSH is allowed. If both telnet and SSH are needed, this can be changed using the Security → CLI menu and changing the CLI Mode settings as shown below.

FIGURE 208 – Configuring CLI access

SSH Port Forwarding is covered earlier in this manual.

RADIUS Authentication

MNS-DX-SECURE offers the ability to authenticate administrators configuring Magnum DX routers using the RADIUS protocol. Note that this capability only controls access to configure the Magnum devices; it does not authenticate user access to the network using RADIUS supplicant schemes.

The IEEE 802.1x standard, Port Based Network Access Control, defines a mechanism for port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing devices attached to LAN ports that have point-to-point connection characteristics. It also prevents access to that port in cases where the authentication and authorization fails. Although 802.1x is mostly used in wireless networks, this protocol is also implemented in LANs.


Remote Authentication Dial-In User Service or RADIUS is a server that has traditionally been used by many Internet Service Providers (ISPs) as well as enterprises to authenticate dial-in users. Today, many businesses use a RADIUS server for authenticating users connecting to a network. For example, if a user connects a PC to the network, whether the PC should be allowed access or not raises the same issues as whether or not a dial-in user should be allowed access into the network. A user has to provide a user name and password for authenticated access. A RADIUS server is well suited for controlling access into a network by managing, on the RADIUS server, the users who can access the network.

MNS-DX-SECURE uses RADIUS to authenticate users accessing the MNS-DX web services.

Configuring RADIUS

To configure RADIUS use the Security → RADIUS menus.

In the Security → RADIUS → Global Settings menu, set the global settings as shown below.

FIGURE 209 – Configuring CLI access

The various items displayed on the Security → RADIUS → Global Settings menu are:

Local IP – Indicates the IP address or interface to use to access the RADIUS services.
• Any – Packets will use any or their actual egress interface address as a source address.
• Specific IP Address – Packets will use the specified interface to access the RADIUS service. This may be needed for accessing services over VPN or NAT connectivity.

Authentication Port – The UDP port used to communicate to the RADIUS server. Default port is 1812. Valid range is 0-65535.


Challenge Type – The authentication method used with the RADIUS server.
• PAP – Username and password are sent in the clear (default setting).
• CHAP – Uses a challenge and an MD5 hash.

User Authentication Control – Determines whether the system uses the local user database or the RADIUS server.
• Local Database – Use the local user database (default).
• RADIUS – Use a defined RADIUS server.

Default Privilege Level – Determines the default privilege level assigned to the user when a RADIUS server cannot provide the vendor-specific attributes associated with privileges. Allowed values are:
• No Access (default).
• Read-Only.
• Read-Write.
• Administrator.

Local Fallback – Indicates whether the local user database can be used in case the RADIUS server is not accessible. Default is “Yes”. “No” will only allow user access via RADIUS authentication.

To define the RADIUS servers, use the Security → RADIUS → Servers settings as shown below.

FIGURE 210 – Defining the RADIUS servers

A maximum of three servers can be defined. At least one server should be the primary server. The other servers have to be secondary servers. The various items displayed are:

IP Address – IP address of the RADIUS server.

Authentication Port – The UDP port used to communicate to the RADIUS server. Default port is 1812. Accounting servers use port 1813. Use of the legacy port 1645 is not recommended as it conflicts with other services (e.g. Datametrics services). Valid range is 0-65535.

Request Retry Limit – The number of times the client (in this case MNS-DX-SECURE) will retry a request in the event a server is not responding or is slow to respond.

Request Timeout – The time in seconds the client will wait for each retry attempt.

Shared Secret – The plain text shared secret used to communicate with the RADIUS server.

Re-Type Shared Secret – Repeat the shared secret.

Role – Defines the order in which servers are accessed. If the primary is down, the system attempts to contact the secondary server.

Delete – Delete the connection settings by checking the box and then clicking “Apply Settings”.
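What the Challenge Type setting above changes on the wire, as an added Python example (not MNS-DX code and not a RADIUS client; it models only the credential handling). With PAP the request carries the password value itself. With CHAP the client sends a one-octet identifier and a 16-byte MD5 response computed over the identifier, the password and the server’s challenge (RFC 1994, carried in the RADIUS CHAP-Password attribute per RFC 2865 section 5.3), and the server recomputes the response from its stored copy of the password. The user name, password and challenge bytes are constructed; a real challenge is random for every request. The example also shows the operational consequence for the defender: CHAP keeps the password off the wire but requires the RADIUS server to hold the password in recoverable form, so the server’s user store needs protecting.

```python
"""PAP versus CHAP credential handling for RADIUS administrator logins.

Added example, not MNS-DX code. Models what each Challenge Type places in
the Access-Request and how a server checks a CHAP response:
    CHAP-Response = MD5(ident || password || challenge)   (RFC 1994)
    CHAP-Password attribute = ident (1 octet) || response (16 octets)   (RFC 2865 §5.3)
"""
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """16-byte CHAP response as carried in the RADIUS CHAP-Password attribute."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def client_pap(username: str, password: bytes) -> dict:
    """PAP: the request carries the password value itself."""
    return {"User-Name": username, "User-Password": password}


def client_chap(username: str, password: bytes, challenge: bytes, ident: int) -> dict:
    """CHAP: the request carries ident + response and the challenge, never the password."""
    return {
        "User-Name": username,
        "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge),
        "CHAP-Challenge": challenge,
    }


def server_verify_chap(request: dict, user_db: dict) -> bool:
    """Server side: recompute the response from the stored password and compare
    in constant time. Note the server needs the password itself, not a hash of it."""
    stored = user_db.get(request.get("User-Name"))
    attr = request.get("CHAP-Password", b"")
    if stored is None or len(attr) != 17:
        return False
    ident, response = attr[0], attr[1:]
    expected = chap_response(ident, stored, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, response)


def password_visible_on_wire(request: dict, password: bytes) -> bool:
    """Would a capture of this request contain the password bytes verbatim?"""
    return any(password in v for v in request.values() if isinstance(v, bytes))


def demo() -> dict:
    user_db = {"netadmin": b"constructed-example-secret"}    # server's user store (constructed)
    pw = user_db["netadmin"]
    # Constructed challenges; a real server draws a fresh random challenge per request.
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    other_challenge = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    good = client_chap("netadmin", pw, challenge, ident=1)
    bad = client_chap("netadmin", b"wrong-password", challenge, ident=1)
    replayed = {**good, "CHAP-Challenge": other_challenge}   # old response, new challenge
    return {
        "pap_leaks_password": password_visible_on_wire(client_pap("netadmin", pw), pw),
        "chap_leaks_password": password_visible_on_wire(good, pw),
        "chap_valid": server_verify_chap(good, user_db),
        "chap_wrong_password": server_verify_chap(bad, user_db),
        "chap_replay_rejected": not server_verify_chap(replayed, user_db),
    }


if __name__ == "__main__":
    print(demo())
```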

Syslog

Logs are available on MNS-DX as well as MNS-DX-SECURE. Syslog functionality is a feature of MNS-DX-SECURE.

All events occurring on the Magnum DX routers are logged. These logs are in compliance with the definitions of RFC 3164, though not all the nuances of syslog are implemented as specified by the RFC. As to what is done with each individual message, to quote the RFC, it will depend on individual companies’ policies.

“An administrator may want to have all messages stored locally as well as to have all messages of a high severity forwarded to another device. They may find it appropriate to also have messages from a particular facility sent to some or all of the users of the device and displayed on the system console.

However the administrator decides to configure the disposition of the event messages, the process of having them sent to a syslog collector generally consists of deciding which facility messages and which severity levels will be forwarded, and then defining the remote receiver. For example, an administrator may want all messages that are generated by the mail facility to be forwarded to one particular event message collector. Then the administrator may want to have all kernel generated messages sent to a different syslog receiver while, at the same time, having the critically severe messages from the kernel also sent to a third receiver. It may also be appropriate to have those messages displayed on the system console as well as being mailed to some appropriate people, while at the same time, being sent to a file on the local disk of the device. Conversely, it may be appropriate to have messages from a locally defined process only displayed on the console but not saved or forwarded from the device. In any event, the rules for this will have to be generated on the device. Since the administrators will then know which types of messages will be received on the collectors, they should then make appropriate rules on those syslog servers as well.” – RFC 3164

In MNS-DX each event type has the following attributes associated with it:
• Severity level (0-7)
• Remote Logging Mode: Disabled, Syslog
• Local Logging Mode: Disabled, Volatile, Persistent
• Local Target Log

Event severity levels match the levels defined for Syslog as shown:
0 – emergencies
1 – alerts
2 – critical
3 – errors
4 – warnings
5 – notifications
6 – information
7 – debugging

If Remote Logging is enabled for a particular event type, when that event is generated it will be sent to all configured Syslog collectors.

The events are defined under the Events → Specifications menu, and the syslog severity levels can be changed in those menus.
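How the event attributes listed above turn into a message on the wire, as an added example in Python (not MNS-DX code). It builds RFC 3164 messages with the PRI field, which is facility × 8 + severity, applies each event type’s Remote Logging Mode and Local Logging Mode, fans a remote-enabled event out to every configured collector (capped at four, the limit stated in the Collectors settings), and shows a collector decoding PRI back into facility and severity so that it can keep only urgent messages, as the RFC passage quoted above suggests. The facility value local0 (16), the event names PORT_LOCKOUT, CONFIG_SAVED and DEBUG_TRACE, the hostname and the collector addresses are assumptions constructed for the example; the guide does not state which facility MNS-DX uses.

```python
"""RFC 3164 message construction and severity routing (added example, not MNS-DX code).

Models the per-event attributes from the guide: a severity level 0-7, a Remote
Logging Mode (Disabled | Syslog) and a Local Logging Mode (Disabled | Volatile |
Persistent), and shows how the PRI field <facility*8 + severity> is formed and decoded.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "information", "debugging"]
LOCAL0 = 16   # facility used for router events here: an assumption, not from the guide
MAX_COLLECTORS = 4


def encode_pri(facility: int, severity: int) -> str:
    """PRI part of an RFC 3164 message, e.g. facility 16 + severity 2 -> '<130>'."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>"


def decode_pri(msg: str) -> Tuple[int, int]:
    """Split the PRI back into (facility, severity); rejects malformed or out-of-range PRI."""
    m = re.match(r"^<(\d{1,3})>", msg)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8


@dataclass
class EventSpec:
    severity: int
    remote: str = "Disabled"        # Disabled | Syslog
    local: str = "Disabled"         # Disabled | Volatile | Persistent
    local_target: str = "events.log"


@dataclass
class SyslogRouter:
    hostname: str
    collectors: List[str] = field(default_factory=list)
    specs: Dict[str, EventSpec] = field(default_factory=dict)
    local_logs: Dict[str, List[str]] = field(default_factory=dict)

    def add_collector(self, ip: str) -> None:
        if len(self.collectors) >= MAX_COLLECTORS:
            raise ValueError("a maximum of four collectors can be defined")
        self.collectors.append(ip)

    def emit(self, event_type: str, timestamp: str, text: str) -> List[Tuple[str, str]]:
        """Write the local log per Local Logging Mode and return the (collector, message)
        pairs that Remote Logging would send; an event with remote Disabled sends nothing."""
        spec = self.specs[event_type]
        msg = f"{encode_pri(LOCAL0, spec.severity)}{timestamp} {self.hostname} {event_type}: {text}"
        if spec.local != "Disabled":
            self.local_logs.setdefault(spec.local_target, []).append(msg)
        if spec.remote != "Syslog":
            return []
        return [(collector, msg) for collector in self.collectors]


def collector_filter(messages: List[Tuple[str, str]], max_severity: int) -> List[str]:
    """Collector-side rule: keep messages whose severity is numerically <= max_severity
    (i.e. at least that urgent), the kind of per-severity rule RFC 3164 describes."""
    return [msg for _, msg in messages if decode_pri(msg)[1] <= max_severity]


def demo() -> dict:
    r = SyslogRouter("dx-router")
    r.add_collector("192.0.2.10")    # constructed collector addresses
    r.add_collector("192.0.2.11")
    # Constructed event types; severities follow the 0-7 table in the guide.
    r.specs["PORT_LOCKOUT"] = EventSpec(severity=2, remote="Syslog", local="Persistent")
    r.specs["CONFIG_SAVED"] = EventSpec(severity=6, remote="Syslog", local="Volatile")
    r.specs["DEBUG_TRACE"] = EventSpec(severity=7, remote="Disabled", local="Disabled")
    sent: List[Tuple[str, str]] = []
    sent += r.emit("PORT_LOCKOUT", "Jan  5 10:15:32", "port E3 locked out (address)")
    sent += r.emit("CONFIG_SAVED", "Jan  5 10:16:01", "configuration saved")
    sent += r.emit("DEBUG_TRACE", "Jan  5 10:16:02", "internal trace")
    facility, severity = decode_pri(sent[0][1])
    return {
        "sent": len(sent),                                  # 2 events x 2 collectors
        "pri_lockout": sent[0][1][:5],                      # "<130>"
        "errors_or_worse": len(collector_filter(sent, 3)),
        "local_lines": len(r.local_logs["events.log"]),
        "decoded": (facility, severity),
        "severity_name": SEVERITY_NAMES[severity],
    }


if __name__ == "__main__":
    print(demo())
```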

Configuring Syslog

To configure Events use the Security → Syslog menus.

In the Events → Syslog → Global Settings menu, set the global settings as shown below.

FIGURE 211 – Defining the Syslog settings

The various items displayed are:


Mode – Can be “Enabled” or “Disabled”, indicating whether Syslog services are running or not. By default, Syslog services are disabled.

Local IP – Indicates the IP address or interface to use to reach the Syslog collectors.
• Any – Packets will use any or their actual egress interface address as a source address.
• Specific IP Address – Packets will use the specified interface to reach the Syslog collectors. This may be needed for accessing services over VPN or NAT connectivity.

To define the Syslog collectors, use the Events → Syslog → Collectors menu as shown below.

FIGURE 212 – Defining the Syslog collectors

In the “Add Collector” menu:

Collector IP – Set the IP address of the Syslog server. A maximum of four syslog servers can be defined.

In the “Existing Collectors” menu, the defined Syslog servers are listed.

Delete – Delete the connection settings by checking the box and then clicking “Apply Settings”.

Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 23

23 – Firewall

A technology barrier to keep unwanted traffic out

A firewall is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially internal secure networks or intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Firewall on MNS-DX

The default state of the MNS-DX Firewall is that packet filtering is disabled for each IP interface. The user may enable packet filtering on any or all of the configured IP interfaces. After packet filtering is enabled on an interface, the default behavior of the firewall on that interface is:
• REJECT all inbound IP packets
• PERMIT all outbound IP packets

The firewall can then be further configured to permit selected TCP, UDP, and ICMP traffic to flow through specific firewalled interfaces. Permitted traffic flows may be selected based on source IP address, destination IP address, protocol type, and port numbers. The rules for selecting permitted traffic flows are split into Inbound Connection Rules and Outbound Connection Rules.

Traffic Selectors

When specifying an Inbound or Outbound Connection Rule, traffic selectors must be chosen. The specific selectors are as follows:
• Source IP Address
• Source Mask
• Destination IP Address
• Destination Mask
• Protocol/direction
• TCP or UDP Ports or ICMP Types

At a minimum, a Protocol/direction must be chosen. For TCP, UDP, and ICMP protocols, at least one TCP/UDP port or ICMP type must also be specified. Ports and types are specified as comma-delimited ranges (e.g. “22-25,80,443”). For stateless IP protocols like IPsec, OSPF, and VRRP the port/type field is not applicable. Some limited wildcarding of the address information is supported. Subnets and super-nets can be specified using appropriate IP address and mask combinations. Host addresses can be defined by either leaving the mask field blank or setting it to 255.255.255.255. If both the address and mask fields are left blank, the rule will match any IP address.

Allowing Inbound Connections

By definition, an inbound connection (or session) is initiated from “outside” the firewall. In other words, the initial packet for the session is received by the firewalled interface. In the case of TCP, this packet would be a SYN. In the case of UDP or ICMP, the packet will often be some sort of request message, e.g. an SNMP query or a ping. This sort of traffic can be permitted to pass through the firewalled interface by defining an Inbound Connection Rule. The traffic selectors in the rule should match the values expected in the initial received packet (i.e. the first packet in the selected flow). For example, suppose you have the following network:

FIGURE 213 – Firewall network example for inbound traffic

The DX is acting as a firewall between the outside network (“192.168.1.0/24”) attached to the routed port E1 and the inside network (“192.168.2.0/24”) attached to the Default IP interface (VLAN 1). In this scenario, since E1 is the outside interface, that is where the firewall should be enabled by the user. Once the firewall is enabled on E1, all packets from the host at 192.168.1.10 will be rejected and the Client is unable to access the Server.


Now suppose we would like to allow HTTP access from the Client to the Server. We would set up an Incoming Connection rule for interface E1 specifying this permitted traffic flow as follows:

FIGURE 214 – Firewall configuration to map the inbound traffic example

This rule permits HTTP connections initiated by the client at 192.168.1.10 to the server at 192.168.2.20.

Allowing Outbound Connections

By definition, an outbound connection (or session) is initiated from “inside” the firewall. In other words, the initial packet for the session is transmitted out a firewalled interface. In the case of TCP, this packet would be a SYN. In the case of UDP or ICMP, the packet will often be some sort of request message, e.g. an SNMP query or a ping. By default, all packets are allowed to pass out of a firewalled interface but the return traffic will be rejected after it is received at the firewalled interface. Return traffic can be allowed, thus permitting outbound connection initiation, by defining an Outbound Connection Rule. The traffic selectors in the rule should match the values expected in the initial packet transmitted out the firewalled interface (i.e. the first packet of the selected flow).

For example, suppose you have the following network:


FIGURE 215 – Firewall network example for outbound traffic

The DX is acting as a firewall between the outside network (“192.168.1.0/24”) attached to the routed port E1 and the inside network (“192.168.2.0/24”) attached to the Default IP interface (VLAN 1). In this scenario, since E1 is the outside interface, that is where the firewall should be enabled by the user. Once the firewall is enabled on E1, the Client on the inside network can send packets out onto the “outside” network, but any response packets will be rejected after they are received on E1. Now suppose we would like to allow HTTP access from the Client to the Server. We would set up an Outgoing Connection rule for interface E1 specifying this permitted traffic flow as follows:

FIGURE 216 – Firewall configuration to map the outbound traffic example

This rule permits HTTP connections initiated by the client at 192.168.2.20 to the server at 192.168.1.10.
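The selector and rule semantics described in this chapter, modelled in Python as an added example (not MNS-DX code; the guide does not describe the firewall’s implementation at this level). It implements the rules from Traffic Selectors (blank address and mask match any host, a blank mask means a single host, ports and types are comma-delimited ranges such as “22-25,80,443”) and the stateful behaviour of the two scenarios above: on an interface with packet filtering enabled, inbound first packets are rejected unless an Inbound Connection Rule matches, outbound packets always pass, and replies to an outbound flow are admitted only when an Outbound Connection Rule matched that flow’s first packet. `inbound_example` and `outbound_example` reproduce the 192.168.1.0/24 and 192.168.2.0/24 scenarios from the figures; the client port numbers are constructed.

```python
"""Model of the MNS-DX firewall traffic selectors and connection rules.

Added example, not MNS-DX code. Selector semantics: blank address+mask = any
host, blank mask = single host, comma-delimited port ranges. Stateful rules:
inbound REJECT unless an Inbound rule matches the first packet; outbound
PERMIT always, with replies admitted only for flows an Outbound rule matched.
"""
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple


def parse_ports(spec: str) -> Set[int]:
    """'22-25,80,443' -> {22, 23, 24, 25, 80, 443}; rejects malformed ranges."""
    ports: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def addr_matches(addr: str, rule_addr: str, rule_mask: str) -> bool:
    """Both blank -> any address; blank mask -> exact host; else subnet/supernet match."""
    if not rule_addr and not rule_mask:
        return True
    net = ipaddress.IPv4Network((rule_addr, rule_mask or "255.255.255.255"), strict=False)
    return ipaddress.IPv4Address(addr) in net


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # TCP | UDP | ICMP
    sport: int
    dport: int    # destination port, or ICMP type


@dataclass(frozen=True)
class Rule:
    direction: str    # "Inbound" or "Outbound", relative to the firewalled interface
    proto: str
    ports: str        # comma-delimited ranges of TCP/UDP ports or ICMP types
    src: str = ""
    src_mask: str = ""
    dst: str = ""
    dst_mask: str = ""

    def matches_first_packet(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and p.dport in parse_ports(self.ports)
                and addr_matches(p.src, self.src, self.src_mask)
                and addr_matches(p.dst, self.dst, self.dst_mask))


FlowKey = Tuple[str, str, int, int, str]


class FirewalledInterface:
    """Packet filtering on one interface: REJECT inbound, PERMIT outbound, plus rules."""

    def __init__(self, name: str, rules: Tuple[Rule, ...]):
        self.name = name
        self.rules = rules
        self.flows: Set[FlowKey] = set()   # flows whose first packet a rule permitted

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.dst, p.src, p.dport, p.sport, p.proto)

    def outbound(self, p: Packet) -> str:
        """A packet leaving through the interface is always permitted; an Outbound
        rule additionally records the flow so that its replies are let back in."""
        if any(r.direction == "Outbound" and r.matches_first_packet(p) for r in self.rules):
            self.flows.add(self._key(p))
        return "PERMIT"

    def inbound(self, p: Packet) -> str:
        """A packet received on the interface."""
        if self._reverse(p) in self.flows or self._key(p) in self.flows:
            return "PERMIT"    # reply to, or later packet of, a permitted flow
        for r in self.rules:
            if r.direction == "Inbound" and r.matches_first_packet(p):
                self.flows.add(self._key(p))
                return "PERMIT"
        return "REJECT"


def inbound_example() -> Tuple[str, str, str]:
    """Guide scenario: outside client 192.168.1.10 -> inside server 192.168.2.20, HTTP only."""
    rule = Rule("Inbound", "TCP", "80", "192.168.1.10", "", "192.168.2.20", "")
    e1 = FirewalledInterface("E1", (rule,))
    http = Packet("192.168.1.10", "192.168.2.20", "TCP", 51000, 80)
    ssh = Packet("192.168.1.10", "192.168.2.20", "TCP", 51001, 22)      # port not in rule
    other = Packet("192.168.1.11", "192.168.2.20", "TCP", 51002, 80)    # host not in rule
    return e1.inbound(http), e1.inbound(ssh), e1.inbound(other)


def outbound_example() -> Tuple[str, str, str]:
    """Guide scenario: inside client 192.168.2.20 -> outside server 192.168.1.10, HTTP."""
    rule = Rule("Outbound", "TCP", "80", "192.168.2.20", "", "192.168.1.10", "")
    e1 = FirewalledInterface("E1", (rule,))
    request = Packet("192.168.2.20", "192.168.1.10", "TCP", 40000, 80)
    reply = Packet("192.168.1.10", "192.168.2.20", "TCP", 80, 40000)        # recorded flow
    unsolicited = Packet("192.168.1.10", "192.168.2.20", "TCP", 80, 40001)  # no such flow
    return e1.outbound(request), e1.inbound(reply), e1.inbound(unsolicited)
```

The flow table here is unbounded; the real firewall caps it (Maximum Connections and the per-protocol timeouts described under Global Settings), which is why the guide warns about keeping the TCP timeout small on busy LANs.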

Session Logging

Each Incoming and Outgoing Connection rule has the option to be logged. When a valid connection is permitted by a rule with logging enabled, connection state events are generated and sent to configured loggers (e.g. log file, syslog). In the examples below Source Packet is designated SP and Destination Packet is designated DP. Source address is S.S.S.S and destination address is D.D.D.D (IPv4 addressing schema). The specific events are:

If the TCP handshake for a permitted connection is started but never finished:
TCP S.S.S.S (SP) → D.D.D.D (DP), Session started.

If the TCP handshake for a permitted connection is started and completed:
TCP S.S.S.S (SP) → D.D.D.D (DP), Session established.

If activity was detected on the connection during the TCP timeout interval, an update is generated:
TCP Update S.S.S.S (SP) → D.D.D.D (DP), X packets.

If activity was not detected on the connection during the TCP timeout interval, the current TCP flow state for the connection is silently discarded.

If the TCP connection is explicitly closed by one side or the other:
TCP S.S.S.S (SP) → D.D.D.D (DP), Session closed.

If the first packet of a permitted UDP session is detected:
UDP Start S.S.S.S (SP) → D.D.D.D (DP), Session started.

If activity was detected on the UDP flow during the UDP timeout interval, an update is generated:
UDP Update S.S.S.S (SP) → D.D.D.D (DP), X packets.

If activity was not detected on the session during the UDP timeout interval, the current UDP flow state for the session is silently discarded.

If the first packet of a permitted ICMP flow is detected:
ICMP Start S.S.S.S (T) → D.D.D.D, Session started.

If activity was detected on the ICMP flow during the ICMP timeout interval, an update is generated:
ICMP Update S.S.S.S (T) → D.D.D.D, X packets.

If activity was not detected on the session during the ICMP timeout interval, the current ICMP flow state for the session is silently discarded.

Logging of packet rejections can be globally enabled or disabled. When enabled, the following events are generated.

When the first packet belonging to a particular TCP flow is rejected:
TCP Denied S.S.S.S (SP) → D.D.D.D (DP), First packet.

When subsequent packets in the same TCP flow are rejected:
TCP Denied S.S.S.S (SP) → D.D.D.D (DP), number of packets in number of seconds.

When the first packet belonging to a particular UDP flow is rejected:
UDP Denied S.S.S.S (SP) → D.D.D.D (DP), First packet.

When subsequent packets in the same UDP flow are rejected:
UDP Denied S.S.S.S (SP) → D.D.D.D (DP), number of packets in number of seconds.

When the first packet belonging to a particular ICMP flow is rejected:
ICMP Denied S.S.S.S (T) → D.D.D.D, First packet.

When subsequent packets in the same ICMP flow are rejected:
ICMP Denied S.S.S.S (T) → D.D.D.D, number of packets in number of seconds.


The maximum number of denied flows that can be tracked at one time is configurable by the user (there is also a hard maximum dictated by system resources). When the denied flow cache is full:
Warning: Maximum denied flows (with a number) are being tracked.

The maximum number of permitted flows that can be tracked at one time is configurable by the user (there is also a hard maximum dictated by system resources). When the permitted flow cache is full:
Warning: Maximum permitted flows (with a number) are being tracked.

Configuring Firewall

The default state of the MNS-DX Firewall is that packet filtering is disabled for each IP interface. The user may enable packet filtering on any or all of the configured IP interfaces. Further, groups can be defined for the interfaces, enabling easier configuration.

Global Settings

Global settings allow the administrator to set parameters that affect the overall operation of the Firewall. These include timeouts and other operational parameters. To access global settings, use the Security → Firewall → Global Settings menu.

FIGURE 217 – Firewall Global Settings

In the menu above:

Maximum Connections – Defines the maximum number of connections the firewall will track. Valid range is from 10 to 200. Default is set at 100 connections.

TCP Timeout (sec) – Defines the maximum TCP session timeout. The longer the timeout, the longer the firewall will wait for hung or incomplete sessions, making the network appear sluggish in some cases. It is recommended to keep this timer relatively small (1-2 minutes), especially if the traffic is on a LAN. Valid range is from 2 to 86400 seconds. Default is set at 120 seconds.

UDP Timeout (sec) – Same as TCP timeout but for UDP traffic. Default is set at 10 seconds. Valid range is from 2 to 86400 seconds.

ICMP Timeout (sec) – Same as TCP timeout but for ICMP traffic. Default is set at 5 seconds. Valid range is from 2 to 86400 seconds.

Maximum Tracked Rejects – Defines the maximum number of rejects tracked by the firewall. Valid range is from 10 to 200. Default is set at 100 connections.

Tracked Reject Timeout (sec) – Timeout for a reject which is tracked. Default is set at 120 seconds. Valid range is from 2 to 86400 seconds.

Log Rejects? – “Yes” logs all the rejects. “No” ignores the rejects and does not log them.

IP Interfaces

The IP Interfaces menu enables or disables firewall services on specific interfaces. To configure this, the menu is accessed using the Security → IP Interfaces menu as shown below.


FIGURE 218 – Enabling or disabling Firewall services on a specific interface

In the menu above:

IP Interface – Defines the interface over which packets can be routed or packets can flow. This can be physical interfaces, WAN interfaces, Frame Relay DLCI settings or VLAN interfaces as shown above.

Firewall Status – Shows whether the firewall services are enabled or disabled on the interface.

Group – Logical grouping name for the interfaces.

Interface Groups

Defines a logical map between IP interfaces and Firewall services. To access this menu use Security → Firewall → Interface Groups as shown below.

FIGURE 219 – Group definitions for Firewall

In the Add Group menu, simply add the group name. Then in the Security → Firewall → Interface Groups menu, assign the interface to the group name defined, as shown in the figure above. Once that is done, the Security → Firewall → Interface Groups menu is updated to reflect the logical interface groups as shown above. To delete a group, first remove the group association from all interfaces using the Security → Firewall → IP Interfaces menu. Once that is done, check the delete box and delete the groups as needed by clicking on the “Apply Settings” button.

Configuring Inbound Connections

To configure inbound connections use the Security → Firewall → Inbound Connections menu as shown below.

FIGURE 220 – Configure inbound connections

New connections are defined in the Add Allowed Connection menu. The Allowed Connections menu shows the connections which have been added. For more details on this, refer to the section on Allowing Inbound Connections earlier in this chapter.

Configuring Outbound Connections

To configure outbound connections use the Security → Firewall → Outbound Connections menu as shown below.


FIGURE 221 – Configure outbound connections

New connections are defined in the Add Allowed Connection menu. The Allowed Connections menu shows the connections which have been added. For more details on this, refer to the section on Allowing Outbound Connections earlier in this chapter.

Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 24

24 – VPN

Secure connections over a public network

Virtual Private Network or VPN provides a secure connection, or tunnel, over a public or a private network. VPNs are used to send sensitive data over an unsecure network, where the information could be compromised because other users may have access to it unless it is encrypted. All traffic is still transmitted over the unsecure network, but with a VPN all of it is encrypted. A VPN not only encrypts the data, it also ensures that the site it is connecting to (and connected from) is valid, i.e. authenticated.

VPN aims to avoid an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same, secure capabilities, but at a much lower cost.

VPN functionality requires the MNS-DX-SECURE license key.

VPN Backgrounder

VPN technology evolved in the late 1990’s as Internet connectivity increased and businesses adopted email and other communications over the Internet.

VPN - Brief History

Until the end of the 1990s computers were connected through leased lines and/or dial-up phone lines. These leased lines were either too slow or too expensive to use. As Internet connectivity became easily available, usually at a lower cost through ISPs and new technologies such as cable modems, DSL etc., a lower cost alternative was sought to access corporate facilities over a secure connection. VPN technologies made that possible.

MNS-DX supports the creation of Virtual Private Networks (VPN) over a public network infrastructure using IPsec tunnels. Through the configuration of a security policy, an authenticated, encrypted tunnel can be established between two devices over a public IP network as shown in the figure below.


FIGURE 222 – VPN example

Devices at Remote Site A can communicate securely with devices at Remote Site B by forwarding their traffic through the DX routers. This connection is also called a site-to-site VPN (as opposed to a remote access VPN). A remote access VPN allows a remote user, say from a hotel room, to access the resources over a secure connection. Remote access VPN usually needs a VPN client on the end user device to establish the connection.

Tunnels may be established to multiple endpoints. For example, in the figure below, hosts at Remote Site A can communicate securely with hosts at both site B and C.

FIGURE 223 – Site-to-Site VPN

There are many issues to consider when setting up VPNs. These are listed below.


Key Management

MNS-DX supports the automatic generation of shared encryption keys using the IKEv1 protocol specified in RFC 2409. Diffie-Hellman (DH) Groups 1, 2, 5, and 14 are supported. Perfect forward secrecy (PFS), which is the use of a DH exchange during Phase 2, is always enabled in MNS-DX.

Peer Authentication

Peer authentication is achieved through the use of administratively configured pre-shared keys (PSK) or X.509 certificates. If the PSKs configured on each end of the tunnel do not match, the tunnel will not be established. If the authenticity of an X.509 certificate sent by a DX to its peer cannot be verified, the tunnel will not be established.

Packet Integrity and Confidentiality

MNS-DX uses the Encapsulating Security Payload (ESP) protocol (RFC 2406) in tunnel mode to implement secure VPN functionality. Transport mode is not supported.

When an IP packet is forwarded through a tunnel, it is encapsulated in a new packet having the structure shown in the figure below. ESP encrypts and authenticates the entire content (header and payload) of the original IP packet, but it does not afford any protection to the new, outer IP header.

FIGURE 224 – Format of a tunneled IP packet using Encapsulated Security Payload (ESP)
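The layout of Figure 224, and the point that the ICV protects everything except the outer IP header, can be reproduced with the following added example. It is example code written for this guide, not GarrettCom or MNS-DX code: it builds a tunnel-mode ESP packet with HMAC-SHA-1-96 integrity and, so that the layout stays readable, NULL encryption (RFC 2410), which MNS-DX itself does not offer since it always encrypts. The addresses, payload, SPI and authentication key are constructed values; in a real tunnel the key comes from IKE.

```python
"""Constructed model of the tunnel-mode ESP packet layout in Figure 224
(RFC 2406): outer IPv4 header | ESP header (SPI, sequence) | original IP
packet | ESP trailer (padding, pad length, next header) | ICV.
Added example, not GarrettCom code. NULL encryption (RFC 2410) is used so
the layout stays readable; MNS-DX itself always encrypts. The addresses,
payload and authentication key below are constructed for the example."""
import hmac
import hashlib
import struct

IPPROTO_ESP = 50        # ESP's IP protocol number
NEXT_HEADER_IPIP = 4    # tunnel mode: the ESP payload is a complete IPv4 packet
ICV_LEN = 12            # HMAC-SHA-1-96 keeps the first 96 bits of the MAC (RFC 2404)
AUTH_KEY = b"constructed-demo-auth-key"   # constructed; real keys are derived by IKE


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left at zero)."""
    def ip(a): return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, ip(src), ip(dst))


def esp_trailer(payload_len: int, align: int = 4) -> bytes:
    """Padding (1,2,3,... per RFC 2406) so payload + pad + 2 trailer bytes is a multiple of `align`."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])


def esp_encapsulate(inner: bytes, spi: int, seq: int, outer_src: str, outer_dst: str) -> bytes:
    """Wrap an original IP packet in tunnel-mode ESP. The ICV covers the ESP
    header, the original packet and the trailer, but NOT the outer IP header."""
    body = struct.pack("!II", spi, seq) + inner + esp_trailer(len(inner))
    icv = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_ESP, 20 + len(body) + ICV_LEN)
    return outer + body + icv


def esp_verify(packet: bytes):
    """Check the ICV of a received ESP packet; return (spi, seq, inner) or None on failure."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len = body[-2]
    return spi, seq, body[8:len(body) - 2 - pad_len]


# Constructed original packet: a TCP segment from a substation host to an operations-center host.
INNER = ipv4_header("192.168.1.20", "192.168.2.20", 6, 20 + 16) + b"GET / HTTP/1.0\r\n"


def demo_packet() -> bytes:
    # Outer addresses stand in for the two DX public interfaces (constructed values).
    return esp_encapsulate(INNER, spi=0x1000, seq=1, outer_src="203.0.113.1", outer_dst="203.0.113.2")


def outer_tamper_detected() -> bool:
    """Flipping a bit in the outer destination address: the ESP ICV does not notice."""
    pkt = bytearray(demo_packet())
    pkt[19] ^= 0x01
    return esp_verify(bytes(pkt)) is None


def inner_tamper_detected() -> bool:
    """Flipping a bit inside the tunneled packet: the ICV check fails."""
    pkt = bytearray(demo_packet())
    pkt[20 + 8 + 16] ^= 0x01          # byte 16 of the inner header (its source address)
    return esp_verify(bytes(pkt)) is None
```

The constructed packet is 80 bytes: 20 bytes of outer header, 8 bytes of ESP header, the 36-byte original packet, a 4-byte trailer (two pad bytes, pad length, next header) and the 12-byte ICV. Modifying the outer header leaves verification untouched, which is exactly why the outer header must be covered by other means (in MNS-DX, the firewall rules on the public interface), while any change to the tunneled packet is rejected.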

Profiles

As defined in RFC 2401, MNS-DX VPN uses a security policy database (SPD) to configure IPsec tunnels. MNS-DX simplifies the management of the SPD by implementing the concept of a profile. Each profile is a labeled set of options that specify cryptography and security protocol parameters such as encryption and hash algorithms, key lifetimes, and the strength of DH key exchanges. These profiles can then be assigned to new tunnels as they are created. The software ships with a single default profile that is likely to match common customer applications.


Supported encryption algorithms include DES, 3DES, AES128, AES256, and BlowFish.

Supported hash algorithms include MD5, SHA-1, SHA-256, and SHA-512.

Security association lifetimes (Phase 1 and Phase 2) can range from 120 seconds to 24 hours.

Tunnels

An IPsec tunnel in MNS-DX is configured by defining a source IP address (or subnet), a destination IP address (or subnet), a gateway IP address, a profile, and an authentication method. This tunnel specification is added to the underlying SPD as a new IPsec policy.

The source and destination IP addresses may be specified as an exact host address or as a subnet. When a non-IPsec packet is received, its source and destination IP addresses are matched against the source and destination IP addresses configured for the tunnel. If a match occurs, the software checks whether an appropriate tunnel (i.e. security association) already exists. If not, IKE is used to establish the tunnel. Once a tunnel exists, the packet is encapsulated according to the parameters in the assigned profile and sent to the gateway address found in the matching entry. When an IPsec packet is received, if it belongs to a valid tunnel, the packet is de-encapsulated and sent to its next hop as determined by the device’s routing table.

IKE

In IPsec, each tunnel is defined by a set of security associations (SA). Each SA defines a secure, unidirectional communication channel between two entities. The SAs are established via a two-phase process defined by the IKE protocol. During Phase 1 (in MNS-DX, this is always a Main Mode exchange; Aggressive Mode is not supported), the entities establish an initial secure channel. This exchange includes an authentication step that uses either PSK or X.509 certificates. The encrypted, authenticated Phase 1 channel is then used for communication during Phase 2 (in MNS-DX, this is a Quick Mode exchange), where the entities establish the keys that are actually used to encrypt the traffic that flows through the tunnel.

Key Lifetimes

MNS-DX allows the user to set the lifetime of Phase 1 (IKE) keys as well as Phase 2 (ESP) keys. When the lifetime expires, the peers are forced to perform a new Phase 1 or Phase 2 exchange to refresh the keying material generated in that phase. In MNS-DX, the configurable lifetime is the “hard” lifetime. When this timer expires, the security association is deleted. For Phase 2 security associations, there is also the concept of a “soft” lifetime. This is the amount of time a Phase 2 security association will exist before an attempt is made to refresh the tunnel by regenerating its keys (i.e. “rekeying”). The “soft” lifetime is chosen automatically by the software in order to guarantee that a new Phase 2 SA is available when the old one reaches the end of its “hard” life. Phase 1 security associations do not have a “soft” lifetime. They are simply deleted when their lifetime expires and are re-created on demand when a Phase 2 negotiation is required.
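The outbound tunnel lookup described under Tunnels, together with the hard and soft lifetime behaviour described under Key Lifetimes, can be modelled as follows. This is an added example written for this guide, not GarrettCom code: the SPD entry fields mirror the tunnel menu, but the soft-lifetime rule (rekey at 90% of the hard lifetime), the gateway address and the timestamps are assumptions, and the IKE exchange is only counted, not performed.

```python
"""Constructed model of the MNS-DX outbound tunnel lookup: match a packet
against the SPD, establish a Phase 2 SA (a counted, simulated IKE Quick Mode
exchange) when none exists, rekey at an automatically chosen "soft" point and
re-create the SA on demand after its "hard" lifetime. Added example, not
GarrettCom code; the soft margin, gateway and timestamps are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SOFT_MARGIN_FRACTION = 0.9   # assumption: rekey when 90% of the hard lifetime has elapsed


@dataclass(frozen=True)
class TunnelEntry:
    """One SPD entry: traffic selectors, gateway, profile name and hard Phase 2 lifetime."""
    src_net: str
    dst_net: str
    gateway: str
    profile: str
    esp_lifetime: int            # "hard" Phase 2 lifetime in seconds

    def selects(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net))


@dataclass
class SecurityAssociation:
    tunnel: TunnelEntry
    created: float
    hard_expiry: float           # SA is deleted at this time
    soft_expiry: float           # a replacement SA is negotiated at this time


class OutboundIPsec:
    def __init__(self, spd):
        self.spd = list(spd)
        self.sas: Dict[TunnelEntry, SecurityAssociation] = {}
        self.ike_exchanges = 0   # number of simulated Phase 2 negotiations

    def _establish(self, entry: TunnelEntry, now: float) -> SecurityAssociation:
        self.ike_exchanges += 1
        sa = SecurityAssociation(entry, now, now + entry.esp_lifetime,
                                 now + entry.esp_lifetime * SOFT_MARGIN_FRACTION)
        self.sas[entry] = sa
        return sa

    def handle(self, src: str, dst: str, now: float) -> Optional[str]:
        """Action for a non-IPsec packet: None (route normally) or the ESP gateway to use."""
        for entry in self.spd:
            if not entry.selects(src, dst):
                continue
            sa = self.sas.get(entry)
            if sa is None or now >= sa.hard_expiry:
                sa = self._establish(entry, now)      # no SA, or hard lifetime over: create on demand
            elif now >= sa.soft_expiry:
                sa = self._establish(entry, now)      # soft lifetime over: rekey before the hard expiry
            return f"ESP to {entry.gateway} via profile {entry.profile}"
        return None                                   # no selector matched: plain forwarding


def lifetime_demo() -> Tuple[int, int, int, int]:
    """IKE exchange count after the first packet, a packet before the soft expiry,
    a packet after the soft expiry, and a packet after the (new) SA's hard expiry."""
    # Selectors follow the DX-1 side of the VPN example; the gateway is a constructed value.
    ipsec = OutboundIPsec([TunnelEntry("192.168.1.0/24", "192.168.2.0/24",
                                       "203.0.113.2", "default", 3600)])
    ipsec.handle("192.168.1.20", "192.168.2.20", now=0)       # first packet: SA negotiated
    first = ipsec.ike_exchanges
    ipsec.handle("192.168.1.20", "192.168.2.20", now=3000)    # before soft expiry (3240 s)
    before_soft = ipsec.ike_exchanges
    ipsec.handle("192.168.1.20", "192.168.2.20", now=3300)    # past soft expiry: rekey
    after_soft = ipsec.ike_exchanges
    ipsec.handle("192.168.1.20", "192.168.2.20", now=7000)    # past new SA's hard expiry (6900 s)
    after_hard = ipsec.ike_exchanges
    return first, before_soft, after_soft, after_hard
```

Running `lifetime_demo()` gives (1, 1, 2, 3): one negotiation on the first matching packet, none while the SA is within its soft lifetime, one rekey after the soft point, and one fresh negotiation once the replacement SA has itself reached its hard lifetime. A packet whose addresses match no SPD entry returns None and is forwarded unencrypted, which is the behaviour to keep in mind when checking that the tunnel's selectors really cover the traffic that must be protected.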


VPN Example

In this example, one site is a customer’s operations center while the other site is a remote substation where SCADA devices are connected to a number of DX routers. One DX acts as a security gateway as shown in the figure below.

FIGURE 225 – VPN Example

Assume that DX-1 and DX-2 have been configured with two IP interfaces. DX-1 acts as a security gateway for the Substation while DX-2 acts as a security gateway for the Operations Center. Substation nodes are configured to use 192.168.1.1 as their default gateway. Operations Center nodes are configured to use 192.168.2.1 as their default gateway.

On the “Security  VPN  Tunnels” menu on DX-1, the entry would be added as shown below. Note that in this example the default authentication and encryption methods are used.


FIGURE 226 – Tunnels settings for router DX1 in the example. Note the destination gateway should correspond to the public IP address of router DX2.

Similarly, on the “Security  VPN  Tunnels” menu on DX-2, the entry would be added as shown below. Note that in this example the default authentication and encryption methods are used.

FIGURE 227 – Tunnels settings for router DX2 in the example. Note the destination gateway should correspond to the public IP address of router DX1.

More examples on VPNs follow.

MNS-DX Stack

This section describes the MNS-DX Network Stack in terms of the flow diagram in the figure below:


[Figure 228 diagram: the MNS-DX APPS block sits above the stack. Input path: packet received from network -> IP Interface IN -> FW IN (packet discarded unless explicitly permitted by rule or by state) -> NAT IN (port forwarding, static translations, and allowed responses) -> IP FWD. Non-ESP packets go straight to IP FWD; ESP packets go to IPsec IN, from which the decrypted packet either bypasses to IP FWD or, with no bypass, is re-injected at the input stages. Output path: IP FWD -> IPsec OUT -> NAT OUT (source address masquerading and static translations) -> FW OUT (outgoing connection tracking) -> IP Interface OUT -> packet sent to network.]

FIGURE 228 – MNS-DX network stack. The stack is used to explain packet processing flow and how it impacts VPN, firewall and NAT interactions.

IP Interface IN

By the time a packet reaches the IP IFC IN stage, the packet has been received from the network and has been mapped to a particular configured IP interface. Possible IP interfaces are:
• The “Default” interface: When VLANs are disabled, this is the single IP interface associated with all layer 2 bridged Ethernet ports. When VLANs are enabled, this is the IP interface associated with VLAN 1 (i.e. the default VLAN).
• An unbridged port (“routed”) interface: Ethernet ports may be isolated (i.e. conceptually removed from the rest of the layer 2 bridge functionality) by making them “unbridged” or “routed”. When a port is configured in this way, it becomes its own IP interface.
• A frame relay DLCI interface: If a frame relay DLCI is configured to run RFC 1490 encapsulation, that circuit is associated with its own IP interface.
• A PPP interface: If a PPP connection is configured, it is associated with its own IP interface.


FW IN

This is the DX Firewall Input stage. When a packet is received on a firewalled interface, that packet is discarded unless it is explicitly permitted by rule or by connection state. A permitted packet may be part of a permitted and tracked Inbound or Outbound Connection. There are also a number of permitted packet types that are not a part of a tracked connection or session. These types include IPsec ESP, IPsec AH, OSPF, and VRRP. While these packets are not part of a tracked connection, they are nevertheless configured as rules in the Inbound Connection table.

NAT IN

This is the DX NAT Input stage. This stage performs a number of possible translations:

• Port Forwarding: If a packet header matches a configured Port Forwarding rule, the destination address and port are translated.
• Static Translations: If a packet header matches a configured Static Translation rule, the destination address and port are translated.
• Reversing Source Address Masquerading: When dynamic NAPT is enabled on an interface, packets sent from that interface have their source address and port translated in order to hide the internal addressing scheme. Return packets must have this translation reversed.

IPSEC IN

This is the DX IPsec Input stage. If an ESP tunneled packet is received, it is eventually passed to this stage for IPsec processing. Once the packet is decrypted there is a choice. The original, inner packet can be re-inserted into the stack flow, causing the firewall and NAT stages to be re-executed on the original packet, or it can be bypassed directly to the IP FWD stage. The decision to bypass is user-configurable (“Bypass FW/NAT?”) when specifying the VPN tunnel.

IP FWD

This is the IP FWD stage. This is the point at which forwarding decisions are made in the IP stack. A packet may be sent to a waiting DX application process or it may be passed to a different IP interface for transmission. Packets sent by DX application processes are also first passed to this stage to determine the appropriate output interface based on a routing table lookup.


IPSEC OUT

This is the DX IPsec Output stage. Packets that match the traffic selectors for a configured VPN tunnel are encrypted and encapsulated in an ESP packet. The resultant ESP packets are then re-inserted into the IP FWD stage. Packets that do not match VPN traffic selectors are passed through to the next stage.

Since ESP packets never match VPN traffic selectors, they are simply passed through to the next stage.

NAT OUT

This is the DX NAT Output stage. This stage performs a number of possible translations:

• Reverse Port Forwarding: If an incoming packet had its destination address and port translated by a port forwarding rule, the reverse process must be applied to the return packets, which means their source address and port are translated in order to hide the internal addressing scheme.
• Reverse Static Translations: This performs the reverse of the incoming static translation. That is, if a rule is matched, the source address and port are translated in order to hide the internal addressing scheme.
• Source Address Masquerading: When dynamic NAPT is enabled on an interface, this stage translates the packet’s source address and port in order to hide the internal addressing scheme.

Since ESP packets are always sourced from the DX public interface, no NAT output processing is ever applied to VPN packets.

FW OUT

This is the DX Firewall Output stage. This stage tracks configured Outgoing Connections. Packets for permitted connections tracked by this stage are allowed by the FW IN stage.

Since ESP packets cannot be tracked by the Stateful Firewall, no Firewall output processing is ever applied to VPN packets.

IP Interface OUT

This is the IP interface upon which the packet is ultimately sent.


Firewall and VPN

In this scenario (shown in the image below), the DX Stateful Firewall is used to keep intruders out of the private substation LAN while allowing legitimate access via an encrypted VPN tunnel.

FIGURE 229 – Firewall and VPN Network example

IKE

MNS-DX IPsec uses the Internet Key Exchange (IKE) protocol to set up security associations. This protocol runs over UDP on port 500. If IKE is to run over a firewalled interface, a specific permit rule must be defined for it in the firewall’s Inbound Connection table. This rule can be as general or specific as required by the network application being implemented (e.g. the rule might only allow IKE sessions from specific IP addresses), but it must specify the UDP protocol with a destination port of 500.

ESP

MNS-DX IPsec uses tunnel-mode ESP for encrypting data packets. ESP is a special IP protocol with protocol number 50. An Inbound Connection rule is required that permits ESP packets to flow through the firewalled interface. Again, this rule can be as general or specific (with respect to IP addressing) as desired as long as it specifies the ESP protocol type.

IP

After ESP packets are decrypted, the original tunneled IP packet may be passed directly to the IP forwarding stage or optionally re-injected into the IP stack and passed back through the FW IN stage. If the “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” is set to “Yes” in the VPN tunnel configuration, the original inner packet is forwarded directly. However, if it is set to “No”, the original inner packet flow must be explicitly covered in the firewall rules. You may use an Incoming or Outgoing Connection rule (whichever is more applicable) to specify that the original inner IP packet flow is to be permitted to pass through the firewalled interface. Setting “Bypass FW/NAT?” to “Yes” effectively allows all VPN tunneled traffic to pass through the firewall.

Suppose you have the following network.

[Figure 230 diagram: a host at 192.168.3.3/24 behind a Security Appliance at 192.168.2.3/24; the DX with interface E1 at 192.168.2.2/24 and interface Default at 192.168.1.2/24; a Server at 192.168.1.20/24 behind the Default interface.]

FIGURE 230 – Defining Firewall rules

The DX interface E1 is firewalled. In addition, a VPN is running between the DX and a FW / VPN Concentrator at a central site. HTTP requests generated by hosts on the 192.168.3.0 network destined for the 192.168.1.0 network should be encrypted and passed through the tunnel.

If “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” is set to “No”, the following firewall rules are required to allow all of the IPsec related traffic to pass.

FIGURE 231 – Firewall rules settings


If “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” is set to “Yes”, only the first two rules are required:

FIGURE 232 – Firewall rules settings with the “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” set to “Yes”

NAT and VPN

In this scenario, the DX Dynamic NAPT is enabled on the public interface. This keeps intruders out of the private substation LAN while allowing legitimate access via an encrypted VPN tunnel. Dynamic NAPT should be used when connecting the DX to the Internet or in any other situation where the private LAN addresses must be hidden from the rest of the network.

IKE

The operation of IKE is unaffected by the NAT. This is because all IKE traffic is sent and received on the dynamic NAPT public interface. The dynamic NAPT only affects traffic that passes between the public interface and a private interface.

ESP

The operation of ESP is unaffected by the NAT for the same reason that IKE traffic is unaffected. In tunnel-mode ESP, the packets do not pass between the public interface and a private interface. Instead, they terminate at the public interface, are decrypted and de-encapsulated, and then the original packet is re-injected into the stack at the NAT IN stage.

NAT Bypass

It is recommended that you always set the “Bypass FW/NAT?” option to “Yes” in your VPN tunnel configuration when using Dynamic NAPT. This will allow traffic flowing through the VPN tunnel to be automatically forwarded to your local private LAN.


Configurations that use Dynamic NAPT and VPN without setting “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” to “Yes” are possible but are very rarely the desired configuration. The next section describes how to use Dynamic NAPT and VPN with “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” set to “No.”

No Bypass

Address translations are only performed on the original packets. The rules for translations apply directly to the original inner packet traffic just as if the VPN did not exist. This has two important consequences when defining your port forwarding rules and VPN tunnel specifications when “Security  VPN  Tunnels” menu item “Bypass FW/NAT?” is set to “No”:

• When packets leave the IPsec tunnel, the unencrypted original inner packet will be processed by the NAT. This means that a port forwarding rule must be defined to allow that packet to be translated and passed to the private network, just as you would normally do if you were only using NAT.

• The addressing scheme used on the private network (i.e. the network “behind” the NAT) is still hidden by the DX NAT functionality. Hosts at the “outside”, e.g. at the remote VPN location, must still address their packets to the DX NAPT public interface address. In addition, due to Source Address Masquerading, packets received by outside hosts via the VPN tunnel will appear as if they were sent directly from the NAPT public interface. Therefore, the VPN tunnel must terminate at the DX public interface rather than the private LAN sitting behind the DX.

Bypass Example

In this example, the private network at 192.168.1.0 is hidden behind the DX NAT. Interface E1 is configured as the NAPT public interface. Interface Default is considered to be the private interface. Connections can be made out of the private network to anywhere on the public network. In addition, port forwarding rules can be configured to allow specific connections to be made through the NAT from the public to the private network. Finally, packets between hosts on the 192.168.3.0 network and the server on the private network (192.168.1.0) are tunneled via IPsec.


[Figure 233 diagram: a host at 192.168.3.3/24 behind a Security Appliance at 192.168.2.3/24; the DX with interface E1 at 192.168.2.2/24 and interface Default at 192.168.1.2/24; a Server at 192.168.1.20/24 behind the Default interface.]

FIGURE 233 – Defining NAT rules

To implement this scenario, simply enable Dynamic NAPT on interface E1 and create a VPN tunnel on the DX with the following specification:

FIGURE 234 – Defining VPN Tunnels

No Bypass Example

This example is similar to the “Bypass” case. The major difference here is where the VPN tunnel terminates (i.e. the “destination address” of the tunnel) and the port forwarding rules that are required to open access to servers behind the DX.


[Figure 235 diagram: a host at 192.168.3.3/24 behind a Security Appliance at 192.168.2.3/24; the DX with interface E1 at 192.168.2.2/24 and interface Default at 192.168.1.2/24; a Server at 192.168.1.20/24 behind the Default interface.]

FIGURE 235 – Defining VPN with no bypass option

First, we want to allow HTTP packets to pass through the NAT to the server at 192.168.1.20. To do this we choose a public port for our HTTP access. Since 80 is already used for DX management, we choose a new port, e.g. 10080. We then create a port forwarding rule that maps all public accesses to port 10080 to the server at 192.168.1.20, port 80, as shown below.

FIGURE 236 – Defining NAT rules to allow port 80 traffic

Next, we create a VPN tunnel on the DX with the following specification:


FIGURE 237 – Defining VPN tunnel for the example

Once these two rules (port forwarding and VPN) have been configured, all client access from the 192.168.3.0 network to 192.168.2.2 (port 10080) will be sent encrypted through the tunnel, translated at the DX, and then passed unencrypted to the server at 192.168.1.20 (port 80).

Note that this setup would allow other outside hosts to access the server via the port forwarding process at 192.168.2.2 (port 10080). This access could be denied by enabling the firewall on E1 and specifying the appropriate rules to only allow VPN access coming from the 192.168.3.0 network. An example set of firewall rules to accomplish this is as follows:

FIGURE 238 – Defining NAT rules to allow port 80 traffic
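Both the firewall-and-VPN case above (Figures 230 to 232: which Inbound Connection rules are needed with “Bypass FW/NAT?” set to “No” versus “Yes”) and this no-bypass NAT example (Figures 235 to 238: the 10080-to-80 port-forward and the source-restricted firewall rule) can be traced with the following added model of the input stages FW IN, NAT IN, IPsec IN and IP FWD. It is example code written for this guide, not GarrettCom or MNS-DX code; the rule and packet fields, the appliance and outside addresses, and the simplified rule matching (no connection tracking, no static translations) are assumptions chosen to mirror the menus in the text.

```python
"""Constructed model of the MNS-DX input path described in this chapter:
FW IN -> NAT IN -> IPsec IN ("Bypass FW/NAT?" yes/no) -> IP FWD.
Added example, not GarrettCom code; rule fields, addresses and the
simplified matching are assumptions that mirror the menus in the text."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ESP, UDP, TCP = 50, 17, 6      # IP protocol numbers; ESP is protocol 50 (RFC 2406)
IKE_PORT = 500                 # IKE runs over UDP/500 (RFC 2409)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0
    inner: Optional["Packet"] = None   # for ESP packets: the tunneled original packet


@dataclass
class Rule:
    """One Inbound Connection rule: protocol plus optional address/port limits."""
    proto: int
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None        # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class PortForward:                     # NAT IN rule: public ip:port -> private ip:port
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int


@dataclass
class DX:
    fw_rules: List[Rule]
    port_forwards: List[PortForward]
    bypass_fw_nat: bool                # the tunnel's "Bypass FW/NAT?" setting
    trace: List[str] = field(default_factory=list)

    def fw_in(self, p: Packet) -> bool:
        ok = any(r.matches(p) for r in self.fw_rules)
        self.trace.append(f"FW IN {'permit' if ok else 'DISCARD'} proto={p.proto} {p.src}->{p.dst}:{p.dport}")
        return ok

    def nat_in(self, p: Packet) -> Packet:
        for f in self.port_forwards:
            if p.proto == TCP and p.dst == f.public_ip and p.dport == f.public_port:
                self.trace.append(f"NAT IN {p.dst}:{p.dport} -> {f.private_ip}:{f.private_port}")
                return Packet(p.src, f.private_ip, p.proto, f.private_port)
        return p

    def receive(self, p: Packet) -> Optional[Packet]:
        """Run one packet through the input stages; return what reaches IP FWD, or None."""
        self.trace = []
        if not self.fw_in(p):
            return None
        p = self.nat_in(p)
        if p.proto == ESP:
            p = p.inner                              # IPSEC IN: decrypt and de-encapsulate
            self.trace.append(f"IPSEC IN decrypted {p.src}->{p.dst}:{p.dport}")
            if self.bypass_fw_nat:
                self.trace.append("IPSEC IN bypass -> IP FWD")
            else:
                self.trace.append("IPSEC IN re-inject at FW IN")
                if not self.fw_in(p):
                    return None
                p = self.nat_in(p)
        self.trace.append(f"IP FWD {p.src}->{p.dst}:{p.dport}")
        return p


# Constructed addresses following the chapter's diagrams: remote host 192.168.3.3 behind the
# security appliance (192.168.2.3), DX public interface E1 = 192.168.2.2, server 192.168.1.20.
IKE_RULE = Rule(UDP, dport=IKE_PORT)
ESP_RULE = Rule(ESP)
INNER_HTTP_RULE = Rule(TCP, "192.168.3.0/24", "192.168.2.2/32", 10080)
HTTP_FORWARD = PortForward("192.168.2.2", 10080, "192.168.1.20", 80)


def esp_from_remote(inner: Packet) -> Packet:
    return Packet("192.168.2.3", "192.168.2.2", ESP, inner=inner)


def no_bypass_example() -> Optional[Packet]:
    """Bypass=No: the inner packet needs its own firewall rule and the port-forward."""
    dx = DX([IKE_RULE, ESP_RULE, INNER_HTTP_RULE], [HTTP_FORWARD], bypass_fw_nat=False)
    return dx.receive(esp_from_remote(Packet("192.168.3.3", "192.168.2.2", TCP, 10080)))


def no_bypass_missing_rule_example() -> Optional[Packet]:
    """Bypass=No with only the IKE and ESP rules: the decrypted packet is discarded."""
    dx = DX([IKE_RULE, ESP_RULE], [HTTP_FORWARD], bypass_fw_nat=False)
    return dx.receive(esp_from_remote(Packet("192.168.3.3", "192.168.2.2", TCP, 10080)))


def bypass_example() -> Optional[Packet]:
    """Bypass=Yes: only the IKE and ESP rules are needed; the tunnel addresses the server."""
    dx = DX([IKE_RULE, ESP_RULE], [], bypass_fw_nat=True)
    return dx.receive(esp_from_remote(Packet("192.168.3.3", "192.168.1.20", TCP, 80)))


def outsider_direct_example() -> Optional[Packet]:
    """An unencrypted outside host (constructed address) hitting the forwarded port is blocked."""
    dx = DX([IKE_RULE, ESP_RULE, INNER_HTTP_RULE], [HTTP_FORWARD], bypass_fw_nat=False)
    return dx.receive(Packet("198.51.100.7", "192.168.2.2", TCP, 10080))
```

In the no-bypass case the decrypted packet is addressed to the DX public interface (192.168.2.2, port 10080), passes the source-restricted rule, and is translated to 192.168.1.20 port 80 before forwarding; drop the inner rule and the same packet is discarded at the second FW IN pass. With bypass set to Yes the tunnel is addressed to the server directly and neither the inner rule nor the port-forward is consulted. The `trace` list on each `DX` instance records the stage decisions, which is the quickest way to see why a given packet was dropped when checking a real configuration against this model.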

Configuring VPN

The various menus for configuring VPN are discussed below. To access the VPN menus, select Security  VPN.


Global Settings

Configuring global settings is done using the Security  VPN  Global Settings menu as shown below.

FIGURE 239 – VPN Global Settings

In the menu above:

Send Initial Contact  Specifies whether MNS-DX sends an IKE initial contact message. “Yes” sets the system up to send an initial contact message when it initiates an IKE handshake with a peer for the first time, e.g. after a reboot. “No” suppresses the initial contact message; this setting works best with most peer types. Default – “No”.
Automatic VPN Routes  Adds routes to the routing table once the VPN tunnel is established. If “No” is selected, static routes may have to be added to allow routing to function properly. Default – “Yes”.
Administrative Distance  Sets administrative timeouts and other parameters. It is recommended to leave the value at the default of 10.

VPN Profiles

Once the global settings are defined, it is necessary to define profiles which can be used in setting up encryption methods, time outs etc. This is done using Security  VPN  Profiles as shown below.


FIGURE 240 – VPN Profiles

In the menu above:

Name  Defines a logical name for the Profile.
IKE Encryption  Encryption algorithm to use for Phase 1 and Phase 2 exchanges. Possible values are:
• AES – AES encryption with a 128 bit key.
• AES256 – AES encryption with a 256 bit key.
• 3DES – Triple DES encryption with a 192 bit key (default).
• DES – Data Encryption Standard (DES) with a 56 bit key.
• BLOWFISH – Blowfish encryption with a 448 bit key.
IKE Hash  The hash algorithm to use for Phase 1 and Phase 2 exchanges. Possible values are:
• MD5 – Message Digest algorithm 5 – see RFC 1321.
• SHA – Secure Hash Algorithm (SHA-1) – 160 bit hash function.
• SHA256 – SHA-256, which uses 32 bit words.
• SHA512 – SHA-512, which uses 64 bit words.
IKE Lifetime (sec)  The lifetime for the keys exchanged in Phase 1. Default value is 28800 seconds (8 hours). Valid range is 90-64800 seconds (1.5 minutes to 18 hours).
ESP Encryption  The encryption algorithm to use for encrypting tunneled IP traffic. Possible values are:
• AES – AES encryption with a 128 bit key.
• AES256 – AES encryption with a 256 bit key.
• 3DES – Triple DES encryption with a 192 bit key (default).
• DES – Data Encryption Standard (DES) with a 56 bit key.
• BLOWFISH – Blowfish encryption with a 448 bit key.
ESP Hash  The hash algorithm used to authenticate tunneled IP traffic. Possible values are:
• MD5 – Message Digest algorithm 5 – see RFC 1321.
• SHA – Secure Hash Algorithm (SHA-1) – 160 bit hash function.
• SHA256 – SHA-256, which uses 32 bit words.
• SHA512 – SHA-512, which uses 64 bit words.
ESP Lifetime (sec)  The lifetime for the keys exchanged in Phase 2. Default value is 3600 seconds (1 hour). Valid range is 90-64800 seconds (1.5 minutes to 18 hours).
DH Group  The size of the Diffie-Hellman modulus:
• 1 = 768 bits.
• 2 = 1024 bits.
• 5 = 1536 bits.
• 14 = 2048 bits.
DPD Poll Time (sec)  The time to wait before the device sends out a Dead Peer Detection (DPD) message. Default value is 30 seconds. Valid range is 0 - 600 seconds. A poll time of 0 disables DPD.
Delete  Delete the profile settings by checking the box and clicking “Apply Settings”.

IPSec Authentication

To set IPSec authentication methods, use the Security  VPN  Authentication menu as shown below.


FIGURE 241 – VPN Authentication

In the menu above:

Name  Defines a logical name for the authentication profile. Valid names are 1-15 characters long.
Type  The authentication type. The choices are:
• PSK – pre-shared keys (a password is required for this). PSK is the default setting.
• Certificate – RSA keys with X.509 certificate.
Preshared Key  The authentication password string to use when the authentication method is PSK. The key can be up to 16 characters long. All characters typed in are masked and are not shown after the key has been added.
Preshared Key Verify  Verify the key by typing it in again.
Local Certificate  Specify the local certificate to use for authentication.
Delete  Delete the authentication settings by checking the box and clicking “Apply Settings”.

VPN Tunnels

A tunnel establishes encrypted communication between a source IP address (or range of addresses) and a destination IP address (or range of addresses). To set VPN tunnels, use the Security  VPN  Tunnels menu as shown below.


FIGURE 242 – VPN Tunnels

In the menu above:

ID  Identifier number. This is usually the sequence in which the tunnel information was entered.
Source Address and Source Mask  Define the source network, i.e. the network from which the traffic originates.
Destination Address and Destination Mask  Define the destination network.
Profile  The profile defined earlier. See VPN Profiles above.
Authentication  The authentication profile created earlier. See IPSec Authentication above.
Bypass FW NAT  Defines whether the firewall and NAT input stages are bypassed for packets emerging from the tunnel. See the examples earlier in this chapter for details on how this is used.
• "No". Packet forwarding from the tunnel works as it did in previous releases. That is, once a packet is decrypted and de-encapsulated, it is passed completely through the stack again. Thus, NAT and firewall rules are applied to the packet as if it had actually been received on an external IP interface. This means that the NAT and firewall must be configured to deal appropriately with the decrypted packet as it emerges from the IPsec tunnel.
• "Yes". This is a newer forwarding behavior that allows the decrypted and de-encapsulated packet to simply continue its processing in the IP stack. The packet is NOT passed back through the stack and therefore bypasses the normal NAT and firewall input processing. This effectively allows the router to filter unwanted packets coming from the public network while implicitly allowing all traffic that was sent through the tunnel.
Delete  Delete the tunnel settings by checking the box and clicking “Apply Settings”.


VPN Status

When a packet that needs to be tunneled is received, IKE negotiates and sets up the required IPsec parameters. To check the status of the VPN, use the “Security  VPN  Status” menu as shown below.

FIGURE 243 – VPN Status

In the menu above:

Source Address and Source Mask  Define the source network, i.e. the network from which the tunnel originates.
Status  Shows the status of the VPN tunnel.
Time Remaining  Time remaining after which the connection is torn down.
Restart  Restart the connection by checking the box and clicking “Apply Settings”.

VPN Details

When a packet that needs to be tunneled is received, IKE negotiates and sets up the required IPsec parameters. To check the details of the VPN, use the “Security  VPN  Status” menu as shown below.


FIGURE 244 – VPN Details

In the menu above:

Source Address  Defines the source network, i.e. the network from which the tunnel originates.
Destination Address  Defines the destination network for the source network.
Inbound SPI and Outbound SPI  Show the inbound and outbound Security Parameter Index (SPI).
Time Remaining  Time remaining after which the connection is torn down.
Inbound Packets and Outbound Packets  Show the count of inbound and outbound packets (received and sent).

RFC compliance

GarrettCom’s implementation of secure VPNs using IPsec provides full implementations of all of the RFCs and supporting code for every feature that is released into the product. The RFCs are listed below.

• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2403/RFC 4303, The Use of HMAC-MD5-96 within ESP and AH
• RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH
• RFC 2405/RFC 4305, The ESP DES-CBC Cipher Algorithm With Explicit IV
• RFC 2406/RFC 4305, IP Encapsulating Security Payload (ESP)
• RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP
• RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
• RFC 2409, The Internet Key Exchange (IKE)
• RFC 2451, The ESP CBC-Mode Cipher Algorithms
• RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
• RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec

Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 25

25 – Monitoring events

Monitoring events of interest….

Monitoring events on a device is important to verify that the device is functioning properly, that no errors are occurring, which users are logging in to view the configuration, and so on.

Event logs can be centralized using Syslog, as discussed earlier in the section on Syslog. Some of the Syslog information is repeated here for clarity. Events can also be viewed by looking at the event log file. The files are stored locally and can be displayed. This is discussed in the section on the locked out user, which was used as an example to see why log files are important and how the logs can be viewed.

Alarms and their definition as well as SNMP have not been discussed in the manual so far. Traps, events and logs will be covered in this chapter. SNMP will be covered in a separate chapter.

Alarms, Events and Logs

All Magnum DX routers, except the DX40, have an alarm port. The alarm port is a DB9 connector with three pins:

1. Common (C)
2. Normally Open (NO)
3. Normally Closed (NC)

These pins are wired by the customer depending on whether their downstream alarm system expects normally open or normally closed operation. Software toggles the alarm port from the normal state to the abnormal state in order to raise an alarm. The following system events can be configured to cause a momentary toggling of the relay state on the unit’s alarm port:

1) Cold Start
2) Warm Start
3) Link Up
4) Link Down
5) Authentication Failure
6) STP/RSTP Reconfigured

The momentary alarm can be enabled or disabled for each event. The amount of time the contact remains open is configurable by the user. Alarm contact parameters can be set by the user via the web interface or the command line interface.

Events

Each event type generated by the system has a unique identifier that consists of an event category and an event number within that category. When an Event ID is displayed to or referenced by a user, it has the form X-Y, where X is the event category and Y is the event number within the category. Each event type has the following attributes associated with it:

• Severity level (0-7)
• Remote Logging Mode: Disabled, Syslog
• Local Logging Mode: Disabled, Volatile, Persistent
• Local Target Log

Event severity levels match the levels defined for Syslog, as shown:

• 0 – emergencies
• 1 – alerts
• 2 – critical
• 3 – errors
• 4 – warnings
• 5 – notifications
• 6 – information
• 7 – debugging

If Remote Logging is enabled for a particular event type, when that event is generated it will be sent to all configured Syslog collectors. If Local Logging is set to Volatile or Persistent, when that event is generated it will be written to the active log file (in RAM) for the configured Target Log. If Local Logging is set to Persistent, when generated, that particular event will additionally be written to a temporary RAM log buffer associated with the Target Log. If at any time the current log file is closed so that a new log file can be opened, the temporary log buffer is written to a new file in flash memory. Files written in this way will have their status marked as “Saved” and will survive system reboots and power-cycles. As an example, when a “warm start” event is logged by the Syslogger, the text will have the following form:


<2>Jun 13 10:20:34 2010 90.0.0.1 %WARM_START-1-2: Warm start, software version: 3.0.1, config: 'config0.xml'

When the same event is logged to a file, the IP address is omitted:

<2>Jun 13 10:21:24 2010 %WARM_START-1-2: Warm start, software version: 3.1.1, config: 'config0.xml'
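As an added example (not code from this guide or from GarrettCom), the Python below parses event lines in the two forms shown above, Syslog-forwarded with a source IP and file-logged without one, and picks out the authentication events a security team would want forwarded first. The regular expression, the category-number map (taken from the order of the Event Categories list later in this chapter) and the sample lines are assumptions and constructed inputs; the sample lines reuse the example texts from the event description table. Because the INVALID_PASSWORD example text carries the rejected password in clear, the redaction step strips it before the line is passed on.

```python
"""Parse and triage MNS-DX style event lines (added example, not GarrettCom code)."""
import re
from datetime import datetime
from typing import Optional

# Line layout as shown in the guide:
#   <PRI>Mon DD HH:MM:SS YYYY [source-ip] %EVENT_TAG-X-Y: descriptive text
# The source IP is present when the event goes to a Syslog collector and is
# omitted when the event is written to a local log file.
EVENT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:(?P<host>\d{1,3}(?:\.\d{1,3}){3}) )?"
    r"%(?P<tag>[A-Z0-9_]+)-(?P<cat>\d+)-(?P<num>\d+): "
    r"(?P<msg>.*)$"
)

# Category numbers follow the order of the "Event Categories" list in this
# chapter (the X of an event ID X-Y); categories 20-22 are not in that list.
CATEGORIES = {
    1: "SYSTEM", 2: "POWER SUPPLY", 3: "LOG MANAGEMENT", 4: "SOFTWARE MANAGEMENT",
    5: "CONFIGURATION MANAGEMENT", 6: "AUTHENTICATION", 7: "SESSIONS",
    8: "PHYSICAL LINK", 9: "IP INTERFACE", 10: "PORT SECURITY", 11: "FIREWALL",
    12: "TERMINAL SERVER", 13: "RSTP", 14: "OSPF", 15: "BGP", 16: "VRRP",
    17: "PPP", 18: "VPN", 19: "CERTIFICATE MANAGEMENT",
}

# The INVALID_PASSWORD example text (event 6-9) includes the rejected password;
# strip it before the line is forwarded or stored anywhere else.
PASSWORD_RE = re.compile(r"(invalid password )['‘][^'’]*['’]")


def parse_event(line: str) -> Optional[dict]:
    """Return the fields of one event line, or None if the line is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "severity": pri % 8,      # low three bits of PRI: the 0-7 severity level
        "facility": pri // 8,     # 0 on the guide's samples, so PRI equals the severity
        "timestamp": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
        "host": m.group("host"),  # None for lines read from a local log file
        "tag": m.group("tag"),
        "event_id": f"{m.group('cat')}-{m.group('num')}",
        "category": CATEGORIES.get(int(m.group("cat")), "UNKNOWN"),
        "message": m.group("msg"),
    }


def redact_secrets(message: str) -> str:
    """Replace a logged password value with a fixed marker."""
    return PASSWORD_RE.sub(r"\1'<redacted>'", message)


def security_alerts(lines, max_severity: int = 1) -> list:
    """Authentication events (category 6) at or above the given urgency.

    With the default severities in this chapter, max_severity=1 selects
    INVALID_USERNAME (6-8), INVALID_PASSWORD (6-9) and HACKING_ATTEMPT (6-10).
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["category"] == "AUTHENTICATION" and ev["severity"] <= max_severity:
            alerts.append((ev["event_id"], ev["tag"], ev["host"], redact_secrets(ev["message"])))
    return alerts


# Constructed sample: the two warm-start lines from the guide plus lines built
# from the example texts in the event description table.
SAMPLE_LINES = [
    "<2>Jun 13 10:20:34 2010 90.0.0.1 %WARM_START-1-2: Warm start, software version: 3.0.1, config: 'config0.xml'",
    "<2>Jun 13 10:21:24 2010 %WARM_START-1-2: Warm start, software version: 3.1.1, config: 'config0.xml'",
    "<1>Jun 13 10:25:01 2010 90.0.0.1 %INVALID_USERNAME-6-8: Login attempt via SSH with invalid username 'trythisuser'.",
    "<1>Jun 13 10:25:09 2010 90.0.0.1 %INVALID_PASSWORD-6-9: Login attempt via TELNET with username 'someuser' and invalid password 'password123'.",
    "<1>Jun 13 10:29:40 2010 90.0.0.1 %HACKING_ATTEMPT-6-10: Possible hacking attempt, 20 failed login attempts in 5 minutes.",
    "<2>Jun 13 10:31:12 2010 90.0.0.1 %LOGOUT-7-2: User 'manager' logged out via HTTPS (192.168.1.42).",
    "this line is not a device event",
]

if __name__ == "__main__":
    for event_id, tag, host, text in security_alerts(SAMPLE_LINES):
        print(f"{host} {event_id} {tag}: {text}")
```

The parser keys on the %TAG-X-Y token rather than on the free text, so a collector rule can match on the stable event ID (for example 6-10) even if the descriptive text changes between software versions.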

Event Categories

The event categories are listed below, in the order of their category numbers (the X in an event ID X-Y):

1. SYSTEM
2. POWER SUPPLY
3. LOG MANAGEMENT
4. SOFTWARE MANAGEMENT
5. CONFIGURATION MANAGEMENT
6. AUTHENTICATION
7. SESSIONS
8. PHYSICAL LINK
9. IP INTERFACE
10. PORT SECURITY
11. FIREWALL
12. TERMINAL SERVER
13. RSTP
14. OSPF
15. BGP
16. VRRP
17. PPP
18. VPN
19. CERTIFICATE MANAGEMENT

The event descriptions follow.


Event Descriptions

The table below lists each event ID with its event tag and an example of its descriptive text.

EVENT_ID  EVENT_TAG             EXAMPLE DESCRIPTIVE TEXT
1-1       COLD_BOOT             Cold start, software version: 2.1.0, config: 'config0.xml'
1-2       WARM_BOOT             Warm start, software version: 2.1.0, config: 'config0.xml'
2-1       PS_DOWN               Power Supply PS1 is down.
2-2       PS_UP                 Power Supply PS2 is up.
3-1       LOG_CREATE            Log file 'Default-20090819-154502.log' was created.
3-2       LOG_DELETE            Log file 'Default-20090819-154502.log' was deleted by user 'manager'.
3-3       LOG_AUTO_DELETE       Log file 'Default-20090819-154502.log' was automatically deleted.
4-1       SOFTWARE_UPLOAD       Software image version 2.1.0 uploaded by user 'manager'.
4-2       SOFTWARE_FINALIZED    Upgrade finalized by user 'manager', current version: 2.1.0, fallback: 2.0.1
5-1       CONFIG_SWITCH         Config switched to 'config1.xml' by user 'manager'.
5-2       CONFIG_UPLOAD         Config 'config10.xml' uploaded by user 'manager'.
5-3       CONFIG_DELETE         Config 'config10.xml' was deleted by user 'manager'.
5-4       CONFIG_AUTO_DELETE    Config 'config15.xml' was automatically deleted.
5-5       CONFIG_SAVE           Config 'config20.xml' was saved by user 'manager'.
5-6       CONFIG_CHANGE         Current config table 'Ethernet/PortSettingsTable' was changed by user 'manager'.
5-7       CONFIG_RESTORE        Config was restored to defaults by user 'manager'.
6-1       PASSWORD_CHANGE       Password was changed for user 'maint1'.
6-2       USER_DELETE           User 'maint1' was deleted.
6-3       MAX_USERS             Maximum number of users reached.
6-4       NEW_USER              New user 'tech' was created.
6-5       USER_SUSPENDED        User 'tech' was suspended.
6-6       SUSPENSION_LAPSED     Suspension timeout has elapsed for user 'tech'.
6-7       PASSWORD_EXPIRED      User 'maint1' password expired.
6-8       INVALID_USERNAME      Login attempt via SSH with invalid username 'trythisuser'.
6-9       INVALID_PASSWORD      Login attempt via TELNET with username 'someuser' and invalid password 'password123'.
6-10      HACKING_ATTEMPT       Possible hacking attempt, 20 failed login attempts in 5 minutes.
7-2       LOGOUT                User 'manager' logged out via HTTPS (192.168.1.42).
7-3       IDLED_OUT             User 'manager' idled out via HTTPS.
7-4       CONSOLE_DISCONNECT    User 'manager' disconnected from CONSOLE and was logged out.
8-1       ETHERNET_DOWN         Ethernet port E2 is down.
8-2       ETHERNET_UP           Ethernet port E2 is up.
8-3       SERIAL_DOWN           Serial port S3 is down.
8-4       SERIAL_UP             Serial port S3 is up.
8-5       WAN_DOWN              WAN port W1 is down.
8-6       WAN_UP                WAN port W2 is up.
9-1       INTERFACE_DOWN        IP interface Default is down.
9-2       INTERFACE_UP          IP interface E3 is up.
10-1      PORT_LOCKED           Ethernet port E4 has been locked out by port security.
11-1      MAX_PERMIT_FLOWS      Warning – Maximum permitted flows (100) are being tracked.
11-2      MAX_DENIED_FLOWS      Warning – Maximum denied flows (100) are being tracked.
11-3      TCP_START             TCP () → (), Session started.
11-4      TCP_ESTAB             TCP () → (), Session established.
11-5      TCP_UPDATE            TCP () → (), update (number of packets).
11-6      TCP_END               TCP () → (), Session closed.
11-7      TCP_DENIED            TCP denied () → (), TCP for first packet
11-8      TCP_DENIED_UPDATE     TCP Denied () → (), # of packets in # seconds interval.
11-9      UDP_START             UDP () → () Session started.
11-10     UDP_UPDATE            UDP () → (), # of packets.
11-11     UDP_DENIED            UDP Denied () → (), First packet.
11-12     UDP_DENIED_UPDATE     UDP Denied () → (), # of packets in # seconds.
11-13     ICMP_START            ICMP () → (), Session started
11-14     ICMP_UPDATE           ICMP () → (), # of packets.
11-15     ICMP_DENIED           ICMP Denied () → (), First packet.
11-16     ICMP_DENIED_UPDATE    ICMP Denied () → (), 16 packets in 60 seconds.
12-2      TS_HOST_DOWN          Serial port S1 reports that the host at is down.
12-3      TS_CONN_REFUSED       Serial port S1 reports that the connection to the host at () was refused.
12-4      TS_LOST_CONNECTION    Serial port S1 lost connection with host at ().
12-5      TS_NO_SSL             Serial port S1 reports that the host at () did not respond to the SSL handshake.
12-6      TS_SSL_NOTICE         Serial port S1 received a notification () from the host at ().
12-7      TS_SSL_PROBLEM        Serial port S1 experienced a problem () while connecting to the host at ().
12-8      TS_SSL_CERT_INVALID   Serial port S1 reports that the certificate presented by the host at () was invalid.
13-1      RSTP_NON_EDGE_DOWN    RSTP link down on non-edge port.
13-2      RSTP_SENT_TCN         RSTP sent topology change notice.
14-1      OSPF_NBR_2WAY         OSPF neighbor transitioned to 2WAY.
14-2      OSPF_NBR_FULL         OSPF neighbor transitioned to FULL.
14-3      OSPF_NBR_DOWN         OSPF neighbor transitioned to DOWN.
15-1      BGP_PEER_ESTAB        BGP setting state to ESTAB for .
15-2      BGP_KA_TIMEOUT        BGP keepalive timeout disconnect for .
16-1      VRRP_MASTER           VRRP 2 transitioned to MASTER.
16-2      VRRP_BACKUP           VRRP 2 transitioned to BACKUP.
17-1      PPP_HANGUP            PPP PPP-S2 is hanging up.
17-2      PPP_CONNECT           PPP PPP-S2 has connected.
17-3      PPP_SPEED_CHANGE      PPP PPP-S2 changing serial speed to 1200.
18-1      VPN_PHASE_1_SUCCESS   VPN Src: Dst: IKE Phase I Success.
18-2      VPN_PHASE_2_SUCCESS   VPN Src: Dst: IKE Phase II Success.
18-3      VPN_DEAD_PEER         VPN detected dead peer:
19-1      CERT_CREATE           Certificate 'newcert.pem' was created by user 'manager'.
19-2      CERT_DELETE           Certificate 'newcert.pem' was deleted by user 'manager'.
19-3      CERT_UPLOAD           Certificate 'newcert.pem' was uploaded by user 'manager'.
19-4      CERT_TRUST            Certificate 'mycert.pem' was marked as trusted by user 'manager'.
19-5      CERT_UNTRUST          Certificate 'mycert.pem' was marked as untrusted by user 'manager'.
20-1      DHCPC_TIMEOUT         DHCP Client timed out
20-2      DHCPC_CONFLICT        DHCP client noticed a conflict - reports the conflict
21-1      SFP_NOT_PRESENT       SFP hardware is missing
21-2      SFP_SPEED_MISMATCH    SFP speed cannot handshake or there is a speed mismatch - e.g. a 100Mbps SFP is plugged into a Gbps SFP slot or vice-versa.
21-3      SFP_NO_EEPROM_OC3     Could not read the SFP information from EEPROM
21-4      SFP_OK                SFP is working as expected
22-1      WAN_LOOP_UP           WAN Loop is up
22-2      WAN_LOOP_DOWN         WAN loop is down


Event Defaults

The table below lists the defined event IDs and their default values (volatility: V = volatile, NV = non-volatile).

EVENT_ID  EVENT_TAG             DEFAULT SEVERITY  DEFAULT TARGET LOG  DEFAULT VOLATILITY
1-1       COLD_BOOT             2                 DEFAULT             NV
1-2       WARM_BOOT             2                 DEFAULT             NV
2-1       PS_DOWN               1                 DEFAULT             NV
2-2       PS_UP                 2                 DEFAULT             NV
3-1       LOG_CREATE            5                 DEFAULT             NV
3-2       LOG_DELETE            4                 DEFAULT             NV
3-3       LOG_AUTO_DELETE       4                 DEFAULT             NV
4-1       SOFTWARE_UPLOAD       6                 DEFAULT             NV
4-2       SOFTWARE_FINALIZED    5                 DEFAULT             NV
5-1       CONFIG_SWITCH         4                 DEFAULT             NV
5-2       CONFIG_UPLOAD         6                 DEFAULT             NV
5-3       CONFIG_DELETE         4                 DEFAULT             NV
5-4       CONFIG_AUTO_DELETE    5                 DEFAULT             NV
5-5       CONFIG_SAVE           4                 DEFAULT             NV
5-6       CONFIG_CHANGE         4                 DEFAULT             NV
5-7       CONFIG_RESTORE        4                 DEFAULT             NV
6-1       PASSWORD_CHANGE       4                 SECURITY            NV
6-2       USER_DELETE           2                 SECURITY            NV
6-3       MAX_USERS             3                 SECURITY            NV
6-4       NEW_USER              2                 SECURITY            NV
6-5       USER_SUSPENDED        2                 SECURITY            NV
6-6       SUSPENSION_LAPSED     4                 SECURITY            NV
6-7       PASSWORD_EXPIRED      5                 SECURITY            NV
6-8       INVALID_USERNAME      1                 SECURITY            NV
6-9       INVALID_PASSWORD      1                 SECURITY            NV
6-10      HACKING_ATTEMPT       1                 SECURITY            NV
7-1       LOGIN                 2                 SECURITY            NV
7-2       LOGOUT                2                 SECURITY            NV
7-3       IDLED_OUT             2                 SECURITY            NV
7-4       CONSOLE_DISCONNECT    2                 SECURITY            NV
8-1       ETHERNET_DOWN         2                 DEFAULT             NV
8-2       ETHERNET_UP           2                 DEFAULT             NV
8-3       SERIAL_DOWN           2                 DEFAULT             NV
8-4       SERIAL_UP             2                 DEFAULT             NV
8-5       WAN_DOWN              2                 DEFAULT             NV
8-6       WAN_UP                2                 DEFAULT             NV
9-1       INTERFACE_DOWN        2                 DEFAULT             NV
9-2       INTERFACE_UP          2                 DEFAULT             NV
10-1      PORT_LOCKED           2                 DEFAULT             NV
11-2      MAX_DENIED_FLOWS      2                 FIREWALL            V
11-3      TCP_START             5                 FIREWALL            NV
11-4      TCP_ESTAB             5                 FIREWALL            NV
11-5      TCP_UPDATE            5                 FIREWALL            NV
11-6      TCP_END               5                 FIREWALL            NV
11-7      TCP_DENIED            2                 FIREWALL            V
11-8      TCP_DENIED_UPDATE     2                 FIREWALL            V
11-9      UDP_START             5                 FIREWALL            NV
11-10     UDP_UPDATE            5                 FIREWALL            NV
11-11     UDP_DENIED            2                 FIREWALL            V
11-12     UDP_DENIED_UPDATE     2                 FIREWALL            V
11-13     ICMP_START            5                 FIREWALL            NV
11-14     ICMP_UPDATE           5                 FIREWALL            NV
11-15     ICMP_DENIED           2                 FIREWALL            V
11-16     ICMP_DENIED_UPDATE    2                 FIREWALL            V
12-1      TS_HOST_UNREACH       4                 DEFAULT             NV
12-2      TS_HOST_DOWN          4                 DEFAULT             NV
12-3      TS_CONN_REFUSED       4                 DEFAULT             NV
12-4      TS_LOST_CONNECTION    3                 DEFAULT             NV
12-5      TS_NO_SSL             4                 DEFAULT             NV
12-6      TS_SSL_NOTICE         5                 DEFAULT             NV
12-7      TS_SSL_PROBLEM        3                 DEFAULT             NV
12-8      TS_SSL_CERT_INVALID   3                 DEFAULT             NV
13-1      RSTP_NON_EDGE_DOWN    2                 DEFAULT             NV
13-2      RSTP_SENT_TCN         2                 DEFAULT             NV
14-1      OSPF_NBR_2WAY         5                 DEFAULT             NV
14-2      OSPF_NBR_FULL         5                 DEFAULT             NV
14-3      OSPF_NBR_DOWN         2                 DEFAULT             NV
15-1      BGP_PEER_ESTAB        5                 DEFAULT             NV
15-2      BGP_KA_TIMEOUT        2                 DEFAULT             NV
16-1      VRRP_MASTER           4                 DEFAULT             NV
16-2      VRRP_BACKUP           4                 DEFAULT             NV
17-1      PPP_HANGUP            2                 DEFAULT             NV
17-2      PPP_CONNECT           5                 DEFAULT             NV
17-3      PPP_SPEED_CHANGE      5                 DEFAULT             NV
18-1      VPN_PHASE_1_SUCCESS   5                 DEFAULT             NV
18-2      VPN_PHASE_2_SUCCESS   5                 DEFAULT             NV
18-3      VPN_DEAD_PEER         2                 DEFAULT             NV
19-1      CERT_CREATE           5                 DEFAULT             NV
19-2      CERT_DELETE           4                 DEFAULT             NV
19-3      CERT_UPLOAD           5                 DEFAULT             NV
19-4      CERT_TRUST            4                 DEFAULT             NV
19-5      CERT_UNTRUST          4                 DEFAULT             NV
20-1      DHCPC_TIMEOUT         4                 DEFAULT             NV
20-2      DHCPC_CONFLICT        3                 DEFAULT             NV
21-1      SFP_NOT_PRESENT       4                 DEFAULT             V
21-2      SFP_SPEED_MISMATCH    2                 DEFAULT             V
21-3      SFP_NO_EEPROM_OC3     2                 DEFAULT             V
21-4      SFP_OK                6                 DEFAULT             NV
22-1      WAN_LOOP_UP           4                 DEFAULT             NV
22-2      WAN_LOOP_DOWN         4                 DEFAULT             NV

Logging

The user may configure multiple logs, and different event types may be targeted to different logs. Support for multiple logs allows the user to partition the log space so that an abundance of high frequency / low importance events does not overwhelm (or push out) a few low frequency / high importance events. Events can also be logged according to their function. For example, a separate firewall log can be created to separate those events from general system events. Each log has the following attributes associated with it:

• Create new file: daily, weekly, monthly.
• Max files: maximum number of files to maintain for the log.
• Max file size: a new log file is created once this limit is reached.
• Overwrite old: if set, old log files are deleted to make room for new log files.
• Rate Limit: number of events to log per second; events over the limit are dropped.

All events configured as volatile or non-volatile are logged to files stored in RAM. There is a total of 1 MB reserved to store volatile logs. Log file names follow the convention “--


If the “Create new file” attribute is set to monthly and the last event was logged during the previous month, create a new file. If the “Max file size” for the current file has been reached, create a new file.

The following procedure is followed to manage the “circular” nature of an event log:

  If the maximum number of files exists:
    If the “Overwrite old” attribute is set to no, do not create a new file.
    If the “Overwrite old” attribute is set to yes, delete the oldest file in that log and then create the new file.
  Otherwise, create the new file.

If an event needs to be logged and there is no more room left:

  If the “Overwrite old” attribute is set to no, do not log the event.
  If the “Overwrite old” attribute is set to yes, delete the oldest file in that log and then log the event.

Each log also maintains a temporary buffer where persistent events are stored. When a new log file is created in RAM, the temporary buffer containing all of the persistent events that were logged in the previously active RAM file is written to an identically named log file in the flash file system. When a persistent log file needs to be written to the flash file system and there is no more room left:

  If the “Overwrite old” attribute is set to no, do not log the event.
  If the “Overwrite old” attribute is set to yes, delete the oldest file in that log and then create the new persistent file.
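The rules above are easier to follow in code. The simulation below is an added example, not MNS-DX firmware: it models one log's RAM files, the temporary buffer of persistent events and the flash copies, and applies the Max files, Max file size, Overwrite old and Rate Limit attributes as this section describes them, including the rule that automatic removal of an old file deletes both its RAM and its flash copy. The flash_capacity knob, the file naming and the byte sizes are my assumptions, and the 1 MB RAM budget is represented only by Max files times Max file size.

```python
"""Simulation of the per-log rotation rules in this section (added example, not MNS-DX code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LogFile:
    name: str
    lines: List[str] = field(default_factory=list)

    @property
    def size(self) -> int:
        return sum(len(line) for line in self.lines)


@dataclass
class EventLog:
    name: str = "Default"
    max_files: int = 3          # "Max files"
    max_file_size: int = 1024   # "Max file size", in bytes
    overwrite_old: bool = True  # "Overwrite old"
    rate_limit: int = 100       # "Rate Limit", events per second
    flash_capacity: int = 4096  # assumed knob: bytes of flash reserved for this log
    ram: List[LogFile] = field(default_factory=list)    # active files (RAM)
    flash: List[LogFile] = field(default_factory=list)  # "Saved" files (flash)
    pending: List[str] = field(default_factory=list)    # persistent events of the active file
    dropped: int = 0
    seq: int = 0
    rate_second: int = -1
    rate_count: int = 0

    def _delete_oldest(self) -> None:
        # Automatic removal deletes both the RAM and the flash copy of the file.
        old = self.ram.pop(0)
        self.flash = [f for f in self.flash if f.name != old.name]

    def _flush_persistent(self, name: str) -> None:
        # The temporary buffer becomes an identically named file in flash.
        if not self.pending:
            return
        saved = LogFile(name, list(self.pending))
        self.pending.clear()
        while sum(f.size for f in self.flash) + saved.size > self.flash_capacity:
            if not self.overwrite_old or not self.flash:
                return                 # no room and overwriting is off: not written
            self.flash.pop(0)          # overwriting is on: delete the oldest saved file
        self.flash.append(saved)

    def _open_new_file(self) -> Optional[LogFile]:
        full = len(self.ram) >= self.max_files
        if full and not self.overwrite_old:
            return None                # maximum number of files and overwriting is off
        if self.ram:
            self._flush_persistent(self.ram[-1].name)
        if full:
            self._delete_oldest()      # overwriting is on: make room first
        self.seq += 1
        new = LogFile(f"{self.name}-{self.seq:04d}.log")
        self.ram.append(new)
        return new

    def log(self, text: str, persistent: bool = False, now: float = 0.0) -> bool:
        """Log one event; return False if it was dropped."""
        second = int(now)
        if second != self.rate_second:
            self.rate_second, self.rate_count = second, 0
        if self.rate_count >= self.rate_limit:
            self.dropped += 1          # over the per-second rate limit
            return False
        self.rate_count += 1
        line = text + "\n"
        current = self.ram[-1] if self.ram else None
        if current is None or current.size >= self.max_file_size:
            current = self._open_new_file()   # size limit reached: start a new file
            if current is None:
                self.dropped += 1
                return False
        current.lines.append(line)
        if persistent:
            self.pending.append(line)  # volatile events live only in the RAM file
        return True

    def ram_names(self) -> List[str]:
        return [f.name for f in self.ram]

    def saved_names(self) -> List[str]:
        return [f.name for f in self.flash]


def run_scenario(overwrite_old: bool) -> dict:
    """Five 10-byte events into a log holding two 20-byte files; events 1 and 3 are persistent."""
    log = EventLog(max_files=2, max_file_size=20, overwrite_old=overwrite_old, flash_capacity=100)
    for i in range(1, 6):
        log.log(f"event-{i:03d}", persistent=(i in (1, 3)), now=float(i))
    return {"ram": log.ram_names(), "saved": log.saved_names(), "dropped": log.dropped,
            "saved_lines": [f.lines for f in log.flash]}


def rate_limit_demo() -> List[bool]:
    """Three events inside one second against a limit of two, then one in the next second."""
    log = EventLog(rate_limit=2)
    return [log.log("burst", now=t) for t in (5.0, 5.2, 5.9, 6.0)]


if __name__ == "__main__":
    print(run_scenario(True))
    print(run_scenario(False))
    print(rate_limit_demo())
```

Running the scenario with Overwrite old set shows the consequence a practitioner should plan for: when the oldest file is rotated out, its flash copy goes with it, so events marked persistent are only retained for as long as Max files worth of rotation, and a Syslog collector remains the durable record.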

When an old log file needs to be automatically removed by the system to make room for a new file, both the RAM and flash file system versions of the file are deleted. Log files stored in the flash file system will persist across system reboots and power cycles. When the system starts back up, these files will be available as “Saved” log files. Log files stored in RAM will be lost on a reboot.

Configuring Events

The user may configure events by using the Events menu. Specifications for events are done using Events → Specifications as shown below.


FIGURE 245 – Events Specifications menu. Only a partial screen capture is shown

Note - the severity can be changed to match the severity settings for your network.

Configuring Logs

Logs are configured using the Events → Logs menu. To configure the log files, use the Events → Logs → File Settings menu as shown below.

FIGURE 246 – Log file settings

The log file settings options are explained in detail in the section on Logging in this chapter.

Two default entries are created for MNS-DX – one is labeled “Default” and the other one is labeled “Firewall” for the different Firewall logs.


Viewing Log Files

This is discussed in the section on the locked out user, which was used as an example to see why log files are important and how the logs can be viewed. The screen is repeated here for clarity and continuity.

FIGURE 247 – Log files. To view the file, click on the file name

Alarms

The Alarms menus allow a user to configure the alarm port settings and the actions to take with the software alarm.

To configure the alarm port settings, use the Events → Alarms → Port Settings menu as shown below.

FIGURE 248 – Enabling the Alarms and defining the relay closure time

To configure the individual traps, click on Events → Alarms → Actions as shown below.


FIGURE 249 – Setting the individual trap actions

Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 26

26 – SNMP

Monitoring events using SNMP….

Simple Network Management Protocol, or SNMP, is widely used for managing networks and monitoring devices. Using SNMP managers, the monitoring and reporting of devices can be automated.

SNMP enables management of the network. There are many software packages which provide a graphical interface and a graphical view of the network and its devices. These graphical interfaces and views would not be possible without SNMP. SNMP is the building block for network management.

MNS-DX supports different versions of SNMP.

SNMP Concepts

SNMP provides the protocol to extract the necessary information from a networked device and display the information. The information is defined and stored in a Management Information Base (MIB). The MIB is the “database” of the network management information.

SNMP has evolved over the years (since 1988) using the RFC process. Several RFCs today define the SNMP standards. The most common SNMP standards are SNMP v1 (the original version of SNMP), SNMP v2 and finally SNMP v3.

SNMP is a poll-based mechanism. The SNMP manager polls the managed device for information and displays the retrieved information in text or graphical form. Some definitions related to SNMP are:

Authentication – The process of ensuring message integrity and protection against message replays. It includes both data integrity and data origin authentication.

Authoritative SNMP engine – One of the SNMP copies involved in network communication, designated to be the allowed SNMP engine which protects against message replay, delay, and redirection. The security keys used for authenticating and encrypting SNMPv3 packets are generated as a function of the authoritative SNMP engine's engine ID and user passwords. When an SNMP message expects a response (for example, get exact, get next, set request), the receiver of these messages is authoritative. When an SNMP message does not expect a response, the sender is authoritative.

Community string – A text string used to authenticate messages between a management station and an SNMP v1/v2c engine.

Data integrity – A condition or state of data in which a message packet has not been altered or destroyed in an unauthorized manner.

Data origin authentication – The ability to verify the identity of a user on whose behalf the message is supposedly sent. This ability protects users against both message capture and replay by a different SNMP engine, and against packets received or sent to a particular user that uses an incorrect password or security level.

Encryption – A method of hiding data from an unauthorized user by scrambling the contents of an SNMP packet.

Group – A set of users belonging to a particular security model. A group defines the access rights for all the users belonging to it. Access rights define what SNMP objects can be read, written to, or created. In addition, the group defines what notifications a user is allowed to receive.

Notification host – An SNMP entity to which notifications (traps and informs) are to be sent.

Notify view – A view name (not to exceed 64 characters) for each group that defines the list of notifications that can be sent to each user in the group.

Privacy – An encrypted state of the contents of an SNMP packet where they are prevented from being disclosed on a network. Encryption is performed with an algorithm called CBC-DES (DES-56).

Read view – A view name (not to exceed 64 characters) for each group that defines the list of object identifiers (OIDs) that are accessible for reading by users belonging to the group.

Security level – The type of security processing performed on each SNMP packet. The three levels are noauth, auth, and priv. noauth authenticates a packet by a string match of the user name. auth authenticates a packet using either the HMAC-MD5 or the HMAC-SHA algorithm. priv authenticates a packet using either the HMAC-MD5 or the HMAC-SHA algorithm and encrypts the packet using the CBC-DES (DES-56) algorithm.

Security model – The security strategy used by the SNMP agent.

Simple Network Management Protocol (SNMP) – A network management protocol that provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.


Simple Network Management Protocol Version 2c (SNMPv2c) – The second version of SNMP, it supports centralized and distributed network management strategies, and includes improvements in the Structure of Management Information (SMI), protocol operations, management architecture, and security.

SNMP engine – A copy of SNMP that can either reside on the local or remote device.

SNMP group – A collection of SNMP users that belong to a common SNMP list that defines an access policy, in which object identification numbers (OIDs) are both read-accessible and write-accessible. Users belonging to a particular SNMP group inherit all of the attributes defined by the group.

SNMP user – A person for which an SNMP management operation is performed. The user is the person on a remote SNMP engine who receives the information.

SNMP view – A mapping between SNMP objects and the access rights available for those objects. An object can have different access rights in each view. Access rights indicate whether the object is accessible by either a community string or a user.

Write view – A view name (not to exceed 64 characters) for each group that defines the list of object identifiers (OIDs) that are able to be created or modified by users of the group.

SNMP Standards

There are several RFCs defining SNMP. MNS-DX supports the following RFCs and standards.

SNMPv1 standards:
• Security via configuration of SNMP communities.
• Event reporting via SNMP.
• Managing the switch with an SNMP network management tool. Supported standard MIBs include:
  o SNMP MIB-II (RFC 1213)
  o Bridge MIB (RFC 1493) (ifGeneralGroup, ifRcvAddressGroup, ifStackGroup)
• Version 1 traps (Warm Start, Cold Start, Link Up, Link Down, Authentication Failure, Rising Alarm, Falling Alarm)

SNMPv2 standards are described in RFC 1901 through RFC 1908. SNMPv3 standards are described in RFC 2271 through RFC 2275. Some of these are described below.

• RFC 1901, Introduction to Community-Based SNMPv2. SNMPv2 Working Group.
• RFC 1902, Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group.
• RFC 1903, Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group.
• RFC 1904, Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group.
• RFC 1905, Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group.
• RFC 1906, Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2).
• RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group.
• RFC 1908, Coexistence between Version 1 and Version 2 of the Internet-standard Network Management Framework. SNMPv2 Working Group.
• RFC 2104, Keyed Hashing for Message Authentication.
• RFC 2271, An Architecture for Describing SNMP Management Frameworks.
• RFC 2272, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP).
• RFC 2273, SNMPv3 Applications.
• RFC 2274, User-Based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3).
• RFC 2275, View-Based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP).

SNMP on MNS-DX

MNS-DX supports SNMP v1, v2c, and v3. The intent of SNMPv3 support is to provide a secure (authenticated and encrypted) channel for managing the device using common SNMP-based tools. Therefore, SNMPv3 support is limited to the User-based Security Model (USM) as defined in RFC 2574. The more complicated View-based Access Control Model (VACM) defined in RFC 2575 is not supported at this time.

SNMP can be disabled or enabled for MNS-DX. By default SNMP is disabled. When SNMP is enabled, MNS-DX starts the SNMP services and the SNMP agent will accept SNMP v1 or v2c PDUs, or accepts SNMP v3 PDUs. When configured for v1/v2c operation, access to the MIB is controlled via community string. When configured for v3 operation, access to the MIB is controlled on a per-user basis. The total number of user accounts is limited to a maximum of 32. Each user account can be configured to require authentication and/or data encryption. User authentication can be configured to use either the SHA-1 or the MD5 hash algorithm. Data encryption options are limited to DES. For simplicity, each user account is assigned a single password that is used to create both the "authKey" and the "encryptKey" as defined in RFC 2574. The SNMP v3 agent implementation also includes a configurable engine ID, a nonvolatile boot count, and a counter that indicates the number of seconds since the last boot. These variables are used to provide some level of protection against message delay and message replay attacks.

MNS-DX supports the following MIBs:

• MIB-II
• TARGET-MIB
• SNMP-NOTIFICATION-MIB
• SNMP-USER-BASED-SM-MIB
• DX ENTERPRISE MIB

All MIBs are read-only.

MNS-DX supports the following standard SNMP traps:

• LINK UP
• LINK DOWN
• WARM START
• COLD START

SNMP is an administrative task and is available under the Administration menu.

Configuring SNMP – Global Settings

The SNMP menus are available under Administrator → SNMP. To configure SNMP on MNS-DX, the following steps are recommended:

1) Set up the global parameters: enable SNMP, set the community strings, and finally select the management interface over which SNMP traffic can flow.
2) After the global parameters are defined, define the management stations, trap receivers and users who can access SNMP.
3) Save the settings.

To configure the global parameters, use the menus available at Administrator → SNMP → Global Settings as shown below.


FIGURE 250 – Setting the SNMP global settings

In the menu above:

Source Address → Enable or disable the SNMP agent. The values can be:
• Disabled – the agent does not respond to queries. This is the default value.
• V1/V2 Enabled – the agent only responds to v1 or v2c PDUs.
• V3 Enabled – the agent only responds to v3 PDUs.
Local IP → Defines the management interface for SNMP traffic. The values can be:
• Any – SNMP traffic can flow on any routing interface, including VLANs, Ethernet ports and DLCI interfaces. This is the default setting.
• Specific IP address – most networks designate a management VLAN or a management interface. This interface can be picked from the list.
Write Access → Allows the agent to change values in the MIB, or disables that capability. The values can be:
• Disabled – the agent does not allow write access to the MIB. This is the default setting.
• Enabled – the agent allows write access to the MIB.
Traps → Enable or disable the sending of traps to configured trap stations. Traps are event notifications sent by the agent to a trap station.
• Disabled – the agent does not send traps to the defined trap stations. This is the default setting.
• Enabled – the agent sends traps to the defined trap stations. Note – if no trap station is defined, no traps are sent.
Read Community String → An arbitrary text string of up to 15 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for reading. The default community string is “public”. For security reasons, it is recommended to change this community string.
Write Community String → An arbitrary text string of up to 15 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for writing. The default community string is “private”. For security reasons, it is recommended to change this community string.
Engine ID → A unique identifier assigned to this SNMP agent. This string can be modified to suit your network needs. The engine ID is a string of at most 50 characters. The default engine ID is a 12-byte string: a unique value combining the enterprise ID followed by a MAC address, an IP address or plain text. The default engine ID for an MNS-DX device is laid out as follows:
• The first four octets contain the Enterprise ID (39cd).
• The fifth octet is a format identifier, which is 03 for MAC address.
• Octets six to eleven contain the MAC address.
• The remainder (up to the twelfth octet) is filled with zeroes.
Engine Boots → The number of times the system has booted since the current engine ID was set.
Engine Time (sec) → The number of seconds elapsed since the engine ID was changed or the system booted, whichever occurred most recently.
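The engine ID layout above and the single-password key derivation described under “SNMP on MNS-DX” can be checked with the added Python below; it is not GarrettCom code. It builds the 12-octet default engine ID from a MAC address and derives the localized authentication key and the DES key/pre-IV the way RFC 2574 (and its successor RFC 3414) describe: the password is repeated to 1 MiB and hashed, then bound to the engine ID. The assumption that the four enterprise octets are encoded as 80 00 39 cd (RFC 3411 style, high bit set), the function names and the sample MAC are mine; the “maplesyrup” test vector is the one published in RFC 3414.

```python
"""Default engine ID layout and USM key derivation (added example, not GarrettCom code)."""
import hashlib

ENTERPRISE_ID = 0x39CD  # enterprise number printed in the guide's engine ID description


def default_engine_id(mac: bytes) -> bytes:
    """Build the 12-octet default engine ID as the guide lays it out.

    Assumption: the four enterprise octets use the RFC 3411 encoding (high bit
    set, enterprise number in the remaining 31 bits), i.e. 80 00 39 cd.
    """
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    enterprise = (0x80000000 | ENTERPRISE_ID).to_bytes(4, "big")
    return enterprise + b"\x03" + mac + b"\x00"  # 4 + 1 + 6 + 1 zero octet = 12


def parse_engine_id(engine_id: bytes) -> dict:
    """Split an engine ID built by default_engine_id back into its fields."""
    if len(engine_id) != 12 or engine_id[4] != 0x03:
        raise ValueError("not a 12-octet MAC-format engine ID")
    return {
        "enterprise": int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF,
        "format": engine_id[4],
        "mac": engine_id[5:11],
    }


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1 MiB (Ku)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || engineID || Ku), binding the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, auth: str = "md5") -> dict:
    """Derive authKey and the DES key/pre-IV from the single account password.

    auth is "md5" or "sha" (the two hash choices the guide lists). As in
    RFC 3414 section 8.1.1.1, DES uses the first 8 octets of the localized key
    as the key and the next 8 as the pre-IV, so only 16 octets of a SHA-1 key
    are used for privacy.
    """
    hash_name = {"md5": "md5", "sha": "sha1"}[auth]
    ku = password_to_key(password.encode(), hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    return {"authKey": kul, "desKey": kul[:8], "preIV": kul[8:16]}


if __name__ == "__main__":
    # Constructed sample MAC; the engine ID is what the guide's default layout yields.
    eid = default_engine_id(bytes.fromhex("001122334455"))
    print("engine ID:", eid.hex())
    for mode in ("md5", "sha"):
        keys = usm_keys("maplesyrup", eid, auth=mode)
        print(mode, "authKey:", keys["authKey"].hex(), "desKey:", keys["desKey"].hex())
```

Because the localized keys depend on the engine ID, changing the Engine ID field in this menu silently invalidates every v3 user's keys on the manager side; regenerate the manager's configuration whenever it is changed, and keep Engine Boots and Engine Time in mind when a manager reports time-window failures after a reboot.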

Configuring SNMP – Management Stations

The management stations authorized to poll MNS-DX for SNMP parameters are set using the Administration → SNMP → Management Stations menu as shown below.


FIGURE 251 – Adding Management Stations for SNMP

A maximum of four management stations can be added as shown above. To enter a management station, enter the IP address in the “Add Station” menu and click on “Apply Settings.” To delete a station, check the delete box in the “Existing Stations” menu and click on “Apply Settings”.

Configuring SNMP – Trap Receivers

The trap receivers or trap stations authorized to receive traps generated by MNS-DX are set using the Administration → SNMP → Trap Stations menu as shown below.


FIGURE 252 – Adding Management Stations for SNMP

A maximum of four trap stations can be added. To add a trap station, enter its IP address and a name (usually a logical name or DNS name) in the “Add Trap Station” menu and click “Apply Settings”. To delete a station, check its delete box in the “Existing Trap Stations” menu and click “Apply Settings”.

Configuring SNMP Users

To define authorized users for SNMP within MNS-DX, use the Administration → SNMP → Users menu as shown below.

FIGURE 253 – Defining SNMP users


In the menu above:

User Name – Define a user name. User names are a maximum of 16 characters.
Security Mode – Define the authentication and encryption method for the user. The allowed methods are:
• None – no encryption or authentication. This is the default.
• MD5 – MD5 authentication. No encryption.
• SHA – SHA authentication. No encryption.
• MD5-DES – MD5 authentication with DES encryption.
• SHA-DES – SHA authentication with DES encryption.
Auth Password – Password for authentication. The password should be between 8 and 40 characters long.
Retype Password – Retype the Auth Password for validation.
Privacy Password – Password for privacy, i.e. the encryption keys. The password should be between 8 and 40 characters long.
Retype Password – Retype the Privacy Password for validation.
Delete – Delete the user by checking the box and then clicking “Apply Settings”.
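The field rules above (16-character user name, five security modes, 8-to-40-character passwords with a retype) and the security-level rule given under SNMP Statistics (noauth/nopriv, auth/nopriv and auth/priv are accepted, noauth/priv is rejected) can be checked before a user entry is submitted. The Python below is an added example, not MNS-DX code; the level ranking in can_serve_level follows the SNMPv3 User-based Security Model, in which a user holding both authentication and privacy keys can also be used at a lower level, and is an assumption about this agent.

```python
# Security modes offered by the Users page, mapped to (authentication, privacy)
SECURITY_MODES = {
    "None":    (None, None),
    "MD5":     ("MD5", None),
    "SHA":     ("SHA", None),
    "MD5-DES": ("MD5", "DES"),
    "SHA-DES": ("SHA", "DES"),
}

# Levels the agent accepts, in increasing order of protection; noauth/priv is
# rejected by MNS-DX (see "Invalid Messages" under SNMP Statistics).
LEVEL_RANK = {"noauth/nopriv": 0, "auth/nopriv": 1, "auth/priv": 2}

MAX_NAME = 16
MIN_PASSWORD, MAX_PASSWORD = 8, 40


def security_level(mode):
    """Highest SNMPv3 security level a user in this mode provides."""
    auth, priv = SECURITY_MODES[mode]
    if priv:
        return "auth/priv"
    if auth:
        return "auth/nopriv"
    return "noauth/nopriv"


def validate_snmp_user(name, mode, auth_password="", auth_retype="",
                       priv_password="", priv_retype=""):
    """Return a list of problems; an empty list means the entry is acceptable."""
    errors = []
    if not 1 <= len(name) <= MAX_NAME:
        errors.append("user name must be 1 to 16 characters")
    if mode not in SECURITY_MODES:
        errors.append("unknown security mode")
        return errors
    auth, priv = SECURITY_MODES[mode]
    if auth:
        if not MIN_PASSWORD <= len(auth_password) <= MAX_PASSWORD:
            errors.append("auth password must be 8 to 40 characters")
        if auth_password != auth_retype:
            errors.append("auth password and retype do not match")
    if priv:
        if not MIN_PASSWORD <= len(priv_password) <= MAX_PASSWORD:
            errors.append("privacy password must be 8 to 40 characters")
        if priv_password != priv_retype:
            errors.append("privacy password and retype do not match")
    return errors


def can_serve_level(mode, requested_level):
    """Can a user configured with `mode` be used at `requested_level`?

    Assumption (USM semantics): a user may be used at any level up to the
    one its keys support; noauth/priv is not a valid level at all."""
    if requested_level not in LEVEL_RANK:
        return False
    return LEVEL_RANK[requested_level] <= LEVEL_RANK[security_level(mode)]
```

A manager that polls with auth/priv will only succeed against users created in an MD5-DES or SHA-DES mode; a "None" user answers unauthenticated requests, which is why the mode, not just the passwords, decides what a user exposes.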

SNMP Statistics

To view the SNMP traffic information, view the SNMP statistics at Administration → SNMP → Statistics as shown below.


FIGURE 254 – Viewing SNMP Statistics

In the above menu:

In Packets – The total number of messages delivered to the SNMP protocol entity from the transport service.
Bad Versions – The total number of SNMP messages which were delivered to the SNMP protocol entity and were for an unsupported SNMP version.
In Bad Community Names – The total number of SNMP messages delivered to the SNMP protocol entity which used an SNMP community name not known to the entity.
In Bad Community Uses – The total number of SNMP messages delivered to the SNMP protocol entity which represented an SNMP operation not allowed by the SNMP community named in the message.
In ASN Parse Errors – The total number of Abstract Syntax Notation One (ASN.1) or Basic Encoding Rules (BER) errors encountered by the SNMP protocol entity when decoding received SNMP messages.
Enable Auth Traps – Indicates whether the SNMP agent process is permitted to generate authentication-failure traps. The value of this object overrides any configuration information; thus, it provides a means whereby all authentication-failure traps may be disabled.
Out Packets – The total number of SNMP messages which were passed from the SNMP protocol entity to the transport service.
In Bad Types – The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “badType”.
In Too Bigs – The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “tooBig”.
Out Too Bigs – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig”.
In No Such Names – The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “noSuchName”.
Out No Such Names – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “noSuchName”.
In Bad Values – The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “badValue”.
Out Bad Values – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “badValue”.
In Read Onlys – The total number of valid SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “readOnly”.
Out Read Onlys – The total number of valid SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “readOnly”.
In Gen Errors – The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “genErr”.
Out Gen Errors – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “genErr”.
In Get Requests – The total number of SNMP Get-Request PDUs which have been accepted and processed by the SNMP protocol entity.
Out Get Requests – The total number of SNMP Get-Request PDUs which have been generated by the SNMP protocol entity.
In Get Nexts – The total number of SNMP Get-Next PDUs which have been accepted and processed by the SNMP protocol entity.
Out Get Nexts – The total number of SNMP Get-Next PDUs which have been generated by the SNMP protocol entity.
In Set Requests – The total number of SNMP Set-Request PDUs which have been accepted and processed by the SNMP protocol entity.
Out Set Requests – The total number of SNMP Set-Request PDUs which have been generated by the SNMP protocol entity.
In Get Responses – The total number of SNMP Get-Response PDUs which have been accepted and processed by the SNMP protocol entity.
Out Get Responses – The total number of SNMP Get-Response PDUs which have been generated by the SNMP protocol entity.
In Traps – The total number of SNMP Trap PDUs which have been accepted and processed by the SNMP protocol entity.
Out Traps – The total number of SNMP Trap PDUs which have been generated by the SNMP protocol entity.
In Total Req Vars – The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
In Total Set Vars – The total number of MIB objects which have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
Silent Drops – The total number of GetRequest PDUs, GetNextRequest PDUs, GetBulkRequest PDUs, SetRequest PDUs, and InformRequest PDUs delivered to the SNMP entity which were silently dropped because the size of a reply containing an alternate Response PDU with an empty variable-bindings field was greater than either a local constraint or the maximum message size associated with the originator of the request.
Proxy Drops – The total number of GetRequest PDUs, GetNextRequest PDUs, GetBulkRequest PDUs, SetRequest PDUs, and InformRequest PDUs delivered to the SNMP entity which were silently dropped because the transmission of the (possibly translated) message to a proxy target failed in a manner (other than a time-out) such that no Response PDU could be returned.
Unknown Security Models – The total number of packets received by the SNMP engine which were dropped because they referenced a securityModel that was not known to or supported by the SNMP engine.
Invalid Messages – The total number of packets received by the SNMP engine which were dropped because there were invalid or inconsistent components in the SNMP message, for example noauth / priv. MNS-DX allows noauth / nopriv, auth / nopriv, and auth / priv but does not allow noauth / priv.
Unknown Contexts – The total number of packets received by the SNMP engine which were dropped because the context contained in the message was unknown.
Unavailable Contexts – The total number of packets received by the SNMP engine which were dropped because the context contained in the message was unavailable.
Unknown PDU Handlers – The total number of packets received by the SNMP engine which were dropped because the PDU contained in the packet could not be passed to an application responsible for handling the PDU-Type, for example because no SNMP application had registered for the proper combination of the contextEngineID and the PDU-Type.
Unsupported Security Levels – The total number of packets received by the SNMP engine which were dropped because they requested a securityLevel that was unknown to the SNMP engine or otherwise unavailable.
Not In Time Windows – The total number of packets received by the SNMP engine which were dropped because they appeared outside of the authoritative SNMP engine's window.
Unknown Usernames – The total number of packets received by the SNMP engine which were dropped because they referenced a user that was not known to the SNMP engine.
Unknown Engine IDs – The total number of packets received by the SNMP engine which were dropped because they referenced an snmpEngineID that was not known to the SNMP engine.
Wrong Digests – The total number of packets received by the SNMP engine which were dropped because they did not contain the expected message digest value.
Decryption Errors – The total number of packets received by the SNMP engine which were dropped because they could not be decrypted.
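Several of the counters above (bad community names and uses, unknown user names, wrong digests, decryption errors, unsupported security levels, time-window failures, unknown engine IDs) only move when something is sending requests the agent rejects. As an added example that is not part of the guide, the Python below reads two snapshots of those counters (constructed here as simple name: value lines, since the real values sit in the web page table) and reports which authentication-related counters increased between polls, so that a burst of bad community strings or wrong digests stands out. Counter32 wrap-around is handled as SNMP defines it; the counter names are the ones printed in the guide, and the alert threshold is an assumption.

```python
import re

# Counters from Administration → SNMP → Statistics that indicate rejected
# (unauthenticated or mis-keyed) requests. Names as printed in the guide.
AUTH_FAILURE_COUNTERS = (
    "In Bad Community Names",
    "In Bad Community Uses",
    "Unknown Usernames",
    "Wrong Digests",
    "Decryption Errors",
    "Unsupported Security Levels",
    "Not In Time Windows",
    "Unknown Engine IDs",
)
COUNTER32_MODULUS = 2 ** 32

# Two constructed snapshots of the statistics page, one per poll.
SNAPSHOT_T0 = """\
In Packets: 1000
In Bad Community Names: 2
In Bad Community Uses: 0
Wrong Digests: 0
Decryption Errors: 1
Out Packets: 990
"""
SNAPSHOT_T1 = """\
In Packets: 1300
In Bad Community Names: 14
In Bad Community Uses: 0
Wrong Digests: 3
Decryption Errors: 1
Out Packets: 1270
"""


def parse_statistics(text):
    """Turn 'Name: value' lines into {name: int}; other lines are ignored."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_delta(previous, current):
    """Difference between two Counter32 readings, allowing for wrap-around."""
    return (current - previous) % COUNTER32_MODULUS


def auth_failure_deltas(previous, current):
    """Increase of each authentication-failure counter between two polls."""
    deltas = {}
    for name in AUTH_FAILURE_COUNTERS:
        d = counter_delta(previous.get(name, 0), current.get(name, 0))
        if d:
            deltas[name] = d
    return deltas


def flag_probing(deltas, threshold):
    """Names of counters whose increase since the last poll reached threshold."""
    return [name for name, d in deltas.items() if d >= threshold]
```

With Enable Auth Traps on, the same events also arrive as authentication-failure traps at the configured trap stations; the polled counters are the fallback when traps are off or no trap station is defined.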

Finally, after all the configuration is completed, do not forget to save the settings.


Chapter 27

27 – Wizards

Step by step configuration

Wizards are self-documenting processes that guide you through the steps to accomplish a configuration goal. A series of questions and answers steps you through the goal. There are two wizards in MNS-DX. The Router Setup wizard steps through the initial setup of a router: it sets up the Ethernet interfaces, assigns a default IP address, sets up RIP routing and finally enables the firewall.

The Certificate Creation wizard creates a certificate request which can be submitted to a CA for a valid certificate, which can then be uploaded. The Certificate Creation wizard can also create a self-signed certificate.

Router Setup Wizard

To use the Router Setup Wizard, use the Wizards → Router Setup menu as shown below.


FIGURE 255 – Accessing the Router Setup Wizard.

Note – after this wizard completes, all existing setup and configuration is destroyed. This wizard assumes a “green field” deployment, i.e. all existing configuration is destroyed after the wizard is completed. Remember to save the configuration before using this wizard. To start the wizard, click “Start” above. This starts the wizard and shows the first step in the configuration process.

Step 1 – Router Configuration Wizard

Step one of the wizard is to set the ports as bridged (switched) ports or routed ports. The wizard identifies the type of device and displays the proper ports to be configured as switch ports or routed ports, as shown below. The choice is made via a drop-down box:

• No Bridging, IP forwarding only – This port is set up as a routed port

• Bridging and IP forwarding – This port is set up as part of a bridge group

See the screen image below for an example. Click “Next” to move on to the next step.


FIGURE 256 – Step 1 of the Router setup wizard. Here the choice is made as to how each Ethernet port will function – as part of a switch port group or as a router port

Step 2 – Router Configuration Wizard

Step two of the wizard is to set the IP address. The IP address is set for the “default” interface of the router only. Enter a valid IP address and a netmask as shown below.


FIGURE 257 – Step 2 of the Router setup wizard. Enter in a valid IP address for the default interface.

Step 3 – Router Configuration Wizard

Step three of the wizard is to enable routing. It is a good idea to leave routing disabled here and enable it after the necessary interfaces have been defined properly. This is discussed in more detail in the chapters on the routing protocols (RIP, OSPF and BGP). This is shown below. Click “Next” to move to the next step.

FIGURE 258 – Step 3 of the Router setup wizard. Determine if the routing is enabled or not in this step.

Step 3A – Router Configuration Wizard

Step three of the wizard continues the setup for routing. At this stage, the question is whether the device should be the default gateway. It is a good idea not to enable this function here and to enable it only after the necessary interfaces have been defined properly. This is discussed in more detail in the chapters on the routing protocols (RIP, OSPF and BGP). This is shown below. Click “Next” to move to the next step.


FIGURE 259 – Step 3A of the Router setup wizard. Determine if the router should be the Default Gateway or not.

Step 4 – Router Configuration Wizard

Step four of the wizard is related to firewall settings. At this stage, the question is whether the firewall settings are enabled or not. Again, it is a good idea not to enable firewall settings at this stage. Firewall settings can be enabled at a later time. This is discussed in more detail in the chapter on Firewalls.

FIGURE 260 – Step 4 of the Router setup wizard. Determine if the firewall services should be started or not

Step 5 – Router Configuration Wizard

At the final step the wizard asks if the configuration is correct. Once you click yes, the configuration is applied to the router.


FIGURE 261 – Step 4 of the Router setup wizard. Determine if the firewall services should be started or not

After the configuration is applied, bear in mind that the prior configuration is erased. If the IP address has changed, you may need to redirect the browser to the new IP address.

Certificate Creation Wizard

Certificates play an important role in security. It is sometimes necessary to create a self-signed certificate, or to create a certificate request which a CA can sign and issue. Both capabilities are available in the certificate creation wizard as shown below.

FIGURE 262 – Certificate creation wizard


In this example, we will create a self-signed certificate. The process for a CA-signed certificate is similar and involves an interaction with the CA. Keys which are pending and not yet enrolled can be viewed or deleted using this wizard as well.

Step 1 – Certificate Creation Wizard

The wizard asks for organizational details as well as the key size (768 bits or 1024 bits) and the hash algorithm used in the signature (SHA or MD5). In the fields, the example for the GarrettCom North Andover office in the state of MA (USA) is shown below.

FIGURE 263 – Step 1 of self signed certificate wizard. Depending on the key size, the generation of the certificate may take a few minutes

Click “Next” to generate the certificate. This may take a few minutes. There is no indicator that the router is busy and working; do not keep clicking “Next”.

Step 2 – Certificate Creation Wizard

Once the certificate is created, it can be viewed, saved or deleted. This is shown below.


FIGURE 264 – Step 2 of self signed certificate wizard. Here the created certificate can be viewed, saved to a file or deleted.

To view the certificate, click on the URL as shown above. The certificate will look as shown below.

To delete the certificate, check the delete box and click “Apply Settings”.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            95:4b:d1:93:39:5c:37:09
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=MA, L=North Andover, O=GarrettCom Inc, OU=Information Technology Security, CN=GarrettCom
        Validity
            Not Before: Jul  4 04:31:06 2010 GMT
            Not After : Dec 31 04:31:05 2010 GMT
        Subject: C=US, ST=MA, L=North Andover, O=GarrettCom Inc, OU=Information Technology Security, CN=GarrettCom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (768 bit)
                Modulus (768 bit):
                    00:be:d8:fe:0b:20:3f:30:2a:86:61:d5:a8:ca:5f:
                    0e:f8:b1:d6:bd:bb:0e:9d:f4:e5:af:7c:49:7c:2a:
                    16:67:45:6c:24:46:69:5d:8d:85:30:53:0b:39:48:
                    98:18:d9:20:52:97:1f:a4:b6:9a:41:9e:c6:90:9c:
                    d0:33:80:92:fe:4a:ef:0e:b7:78:63:20:e9:a8:b9:
                    a7:e8:bc:53:f9:ae:5f:5c:8e:46:af:9f:c5:4b:12:
                    e4:c4:79:4a:60:3a:67
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        ad:53:ad:bc:f1:83:6d:d6:b7:f6:11:e2:d4:0f:4d:90:29:b5:
        de:5c:f7:09:b9:86:97:55:09:bd:4e:b9:4c:7b:a9:d2:a5:f2:
        50:41:e1:10:2c:7b:54:25:88:0d:e0:2c:8b:7c:50:d9:80:9a:
        83:c8:82:2b:cd:b3:23:92:36:1e:a4:8a:19:5f:e8:3e:8a:bc:
        fd:44:8f:0f:a5:91:88:d4:3f:13:5f:4e:f0:00:7d:3f:38:a6:
        fc:7f:4e:fd:8e:b3


-----BEGIN CERTIFICATE-----
MIICTTCCAdegAwIBAgIJAJVL0ZM5XDcJMA0GCSqGSIb3DQEBBAUAMIGKMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExFjAUBgNVBAcTDU5vcnRoIEFuZG92ZXIxFzAV
BgNVBAoTDkdhcnJldHRDb20gSW5jMSgwJgYDVQQLEx9JbmZvcm1hdGlvbiBUZWNo
bm9sb2d5IFNlY3VyaXR5MRMwEQYDVQQDEwpHYXJyZXR0Q29tMB4XDTEwMDcwNDA0
MzEwNloXDTEwMTIzMTA0MzEwNVowgYoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJN
QTEWMBQGA1UEBxMNTm9ydGggQW5kb3ZlcjEXMBUGA1UEChMOR2FycmV0dENvbSBJ
bmMxKDAmBgNVBAsTH0luZm9ybWF0aW9uIFRlY2hub2xvZ3kgU2VjdXJpdHkxEzAR
BgNVBAMTCkdhcnJldHRDb20wfDANBgkqhkiG9w0BAQEFAANrADBoAmEAvtj+CyA/
MCqGYdWoyl8O+LHWvbsOnfTlr3xJfCoWZ0VsJEZpXY2FMFMLOUiYGNkgUpcfpLaa
QZ7GkJzQM4CS/krvDrd4YyDpqLmn6LxT+a5fXI5Gr5/FSxLkxHlKYDpnAgMBAAEw
DQYJKoZIhvcNAQEEBQADYQCtU6288YNt1rf2EeLUD02QKbXeXPcJuYaXVQm9TrlM
e6nSpfJQQeEQLHtUJYgN4CyLfFDZgJqDyIIrzbMjkjYepIoZX+g+irz9RI8PpZGI
1D8TX07wAH0/OKb8f079jrM=
-----END CERTIFICATE-----

FIGURE 265 – A self-signed certificate generated by the Certificate Creation Wizard

To save the certificate, use the function within your browser to save the content of the link, as shown below. The browser used in this example was Mozilla Firefox version 3.6.6.

FIGURE 266 – Saving the certificate using the browser built in functionality

Certificate Request for CA

After filling out the necessary details for generating a certificate, the certificate request is generated and can be copied and sent to the CA, as shown below.


FIGURE 267 – Certificate request which can be sent to the certificate authority. Copy and paste the encoded request into a file or email message. At this stage, the request becomes a pending request.




Appendix 1

APPENDIX 1 – CLI Commands

Keyboard Navigation in CLI

Key – Function
? – Enter the question mark character at the MagnumDX# prompt or a MagnumDX(basic_command)# prompt to view a list of available options.
Esc – While monitoring is in progress, press the Escape key to abort the Protocol Monitor.
Enter – During monitoring the Enter key is a Pause/Resume toggle. Press the Enter key to pause monitoring; press again to resume monitoring.
Up Arrow / Down Arrow – The CLI program keeps a record of the commands you have entered. Use the Up Arrow key to move back in this command history and select a command you have previously issued. After you have moved back in the command history you can move forward toward the most recently issued command using the Down Arrow key.

CLI Global commands – take no parameters and can be entered from any prompt in CLI

Command – Description
exit – When you are in a basic command mode, such as MagnumDX(firewall)#, the exit command returns you to the main CLI prompt, MagnumDX#.
help (or ?) – Display options available in the current mode.
logout – Log out of the system and display the Login prompt.
reboot – Reboot and restart the system.
revert – Undo changes since last save.
save – Save current configuration.
service – Customer service access.

332 CLI COMMANDS

whoami – Show current user information.

Basic and Specific Commands: Type a ? at the MagnumDX# prompt to see a list of global and basic commands and a brief description of each:

alarm – alarm management
auth – authentication and authorization
bgp – border gateway protocol
bridge – ethernet bridge management
cert – x.509 certificates
config – configuration file management
dhcp – dynamic host configuration protocol
ethernet – ethernet port management
firewall – ip filtering services
fr – frame relay management
ip – internet protocol management
log – event log management
modbus – modbus/tcp
monitor – traffic monitoring and analysis
nat – network address translation
ospf – open shortest path first
password – password maintenance
ping – ping
ppp – point-to-point protocol
qos – quality of service
radius – remote access dial-in user service
rip – routing information protocol
rstp – rapid spanning tree protocol
s2f – serial-to-frame encapsulation
serial – serial ports
session – user sessions
snmp – simple network management protocol
sntp – simple network time protocol
ssh – secure shell management
sw – software upgrade
syslog – syslog
system – system information
terminal – terminal settings
time – time and date
ts – terminal server
vlan – virtual local area networking
vpn – virtual private network
vrrp – virtual router redundancy protocol
wan – wide area networking
web – embedded web server
exit – exit intermediate mode (global)
help – help system (global)


logout – log off this system (global)
reboot – reset the system (global)
revert – undo changes since last save (global)
save – save current configuration (global)
service – customer service access (global)
whoami – show current user info (global)

CLI "alarm" command - alarm management

Command: set
Synopsis: set action | port param...
Description: Configure alarm parameters for your DX device. The available parameters are:
• action event select – Where event is the specification of an event that will trigger an alarm and select specifies whether to trigger an alarm (momentary) or take no action (disabled). Possible values for event are:
  -cold – A cold start event is detected.
  -warm – A warm start event is detected.
  -linkup – A link up event is detected.
  -linkdown – A link down event is detected.
  -authfail – An authentication failure event is detected.
  -rstp – An RSTP/STP reconfiguration event is detected.
• port mode|relay-closure n – Configure the alarm port. Possible values are:
  -mode enabled|disabled – Enable or disable the alarm port.
  -relay-closure n – Specify the number of seconds the relay is kept in the abnormal state for momentary alarm actions. The default value is 3 and the valid range is 1 - 10.

Command: show
Synopsis: show action | port
Description: Display information about alarm configuration. Possible values are:
• action – Display the momentary/disabled selection for each programmable alarm.
• port – Display the enabled state and closure time for the alarm port.


CLI auth command - authentication management

Command: add user
Synop: add user parameter
Description: Create a new user, where the parameters are:
• name loginname – A login name of up to 40 printable characters.
• group privilegelevel – One of three privilege levels. (See the edit user command below for details.)
• notes textstring – Optional arbitrary text of up to 31 printable ASCII characters.
After you have fully specified a new user the system will prompt for a password and a password confirmation.

Command: delete user
Synopsis: delete user UserID
Description: Delete an existing user specified by UserID.

Command: edit
Synopsis: edit password | user UserID
Description: Change the password or edit the user information of the user specified by UserID. Note: UserID is not the loginname. It is the integer associated with a user, which can be obtained by viewing the results of the show user command. When changing the password enter edit password UserID and press Return. The CLI interface will display a prompt at which you can enter the new password. After you press Return a second prompt is presented at which you must repeat the password. To edit user information follow the edit user UserID command with one of these parameters:
• name loginname – A unique name of up to 40 printable characters.
• group privilegelevel – One of three privilege levels:
  -admin – Members of this group may perform all functions including managing software, user accounts, and configuration files.
  -read-write – Members of this group may perform all configuration functions with the exception of software, user account, and configuration file management.
  -read-only – Members of this group are like Read-Write except they cannot change any parameters.
• suspend y|n – Specify user suspension state with one of two parameters:
  -y – This user is permitted to log on to the system.
  -n – This user is not permitted to log on to the system.
• notes textstring – Arbitrary text of up to 31 printable ASCII characters.

Command: set
Synopsis: set parameters
Description: Where parameters can be any of the following:
• expire – Newly created accounts that are not part of the administration group can be set to expire when they have been inactive (that is, no logins) for a number of days exceeding the value specified here. A setting of 0 (default) disables this feature; otherwise the duration of inactivity before being locked out ranges from 1 to 255 days.
• lockout n – Where n is the amount of time (in minutes) a user account spends in the suspended state after being locked out. This parameter takes one of the following values:
  -5 (default)
  -30
  -60
• login-attempts n – Where n is the number of consecutive failed login attempts before a user is locked out. The default value is 5 and the valid range is 1 - 5.
• password-aging n – Where n is the duration of the password until replacement. Newly created accounts that are not part of the administration group can optionally expire passwords by setting this value to the number of days a password is valid before a change is required. Accounts that log in prior to the expiration date may change the password to reset the counter. Accounts that exceed this setting without a password change will be forced to change the password prior to accessing any other configuration screens. Valid settings (in days) for this option are:
  -None (default)
  -30
  -60
  -90
• secure-enforce y|n – Setting this value to y forces password changes to comply with the following standards:
  -Length of 8 characters minimum
  -Must consist of at least 2 of the 3 character types: alphabetic, numeric, printable special characters
  -Default value = No

Command: show
Synopsis: show parameters
Description: Where parameters can be:
• file – Prints the contents of the current user definition file to the screen.
• policies – Display the current values that are controlled by the auth set command.
• user – Display the current values that are controlled by the auth user command.

Command: unlock user
Synopsis: unlock user UserID
Description: Enable user UserID, who has been locked out, to regain access to the system. (A list of configured UserID values can be viewed by executing the show user command.)

Command: write
Synopsis: write XMLtext
Description: Enter a user definition file in correct XML format (see Section 3.2.5.3). This command enables the pasting of valid user definition files from other sources.
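The secure-enforce, login-attempts, lockout and password-aging parameters above describe a policy that can be modelled and tested locally before it is set on a fleet of routers. As an added example, not MNS-DX code, the Python below checks a candidate password against the secure-enforce rule (8 characters minimum, at least two of alphabetic, numeric and printable special characters), tracks consecutive failed logins and applies the lockout period, and evaluates password age. Timestamps are passed as ISO 8601 strings; the class name and the choice to report the failure that reaches the threshold as "locked" are assumptions about how the device behaves.

```python
import string
from datetime import datetime, timedelta

# Defaults from the auth set parameters described above
DEFAULT_LOGIN_ATTEMPTS = 5
DEFAULT_LOCKOUT_MINUTES = 5


def password_meets_secure_enforce(password):
    """secure-enforce y: at least 8 characters and at least two of the three
    character types (alphabetic, numeric, printable special)."""
    if len(password) < 8:
        return False
    types_present = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    return types_present >= 2


def password_expired(last_changed_iso, now_iso, aging_days):
    """password-aging: None disables ageing; otherwise a change is required
    once the password is older than aging_days."""
    if aging_days is None:
        return False
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age > timedelta(days=aging_days)


class LoginGuard:
    """Models login-attempts and lockout: after `login_attempts` consecutive
    failures the account is suspended for `lockout_minutes`. Hypothetical
    name; the failure that reaches the threshold is reported as 'locked'."""

    def __init__(self, login_attempts=DEFAULT_LOGIN_ATTEMPTS,
                 lockout_minutes=DEFAULT_LOCKOUT_MINUTES):
        self.login_attempts = login_attempts
        self.lockout = timedelta(minutes=lockout_minutes)
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> datetime when the suspension ends

    def attempt(self, user, credentials_ok, now_iso):
        """Returns 'ok', 'failed' or 'locked' for one login attempt."""
        now = datetime.fromisoformat(now_iso)
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"
            del self.locked_until[user]   # suspension has elapsed
        if credentials_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.login_attempts:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
            return "locked"
        return "failed"

    def unlock(self, user):
        """Equivalent of auth unlock user: clear the suspension immediately."""
        self.locked_until.pop(user, None)
        self.failures[user] = 0
```

Because the lockout counter is per account, an operator reviewing auth show policies can pair these values with the authfail alarm action: a lockout on an administrative account combined with an authentication-failure alarm is the signal that someone is guessing credentials rather than mistyping them.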


CLI bgp command - Border Gateway Protocol management

Command: add
Synopsis: add peer | profile params...
Description: Add a BGP peer or a BGP profile. To add a BGP peer follow the add peer command with the following required parameters:
• name – A user-supplied BGP reference name of up to 15 characters.
• x.x.x.x – The IP address of the router to which BGP traffic will be sent.
• y.y.y.y – The IP address of the router you are configuring for BGP.
• as_number – The Autonomous System (AS) number of the peer, in a range of 1 - 65535. If no value is specified a value of 0 is used to signify that the system will accept whatever value the remote end supplies.
And any of the following optional parameters:
• local-as n – An Autonomous System (AS) number of the local system, in a range of 1 - 65535. Specify an AS value here to override the value specified with the bgp set as-number command (below).
• hold-timer secs – The frequency (in seconds) with which this router will send Keepalive packets to its peers.
• profile profname – The name of the profile used by this peer.
To add a BGP profile follow the add profile command with one or more of the following parameters:
• profname – Supply a name for the profile in up to 15 characters. This is the only required parameter. You may enter only add profile profname and accept defaults for all other values.
• default-router y|n – If y, specifies that the router using this profile is the default router.
• redistribute-static y|n – If y, include static route information from this router in BGP Update messages.
• redistribute-rip y|n – If y, include RIP route information from this router in BGP Update messages.
• redistribute-bgp y|n – If y, include BGP route information from this router in BGP Update messages.
• weight – A priority value in the range 0 - 4294967295.
• private-as y|n – If y, private AS numbers are redistributed.
• local-pref – A priority value assigned to a route that is local to this AS. The default value is 100. The valid range is 0 - 4294967295.
• tcp-passive y|n – If y, this router will not initiate a TCP connection but will wait for one to be initiated by a peer.

Command: delete
Synopsis: delete peer | profile name
Description: Delete a configured BGP peer or BGP profile:
• delete peer peername – Delete the BGP peer specified by peername.
• delete profile profname – Delete the BGP profile specified by profname.

Command: edit
Synopsis: edit peer | profile params...
Description: Change a value or values of a configured BGP peer or BGP profile:
• edit peer peername key newval – Where peername is the name of a configured BGP peer, key is a keyword for one of the parameters configurable with the bgp add peer command (see above), and newval is the new value for key.
• edit profile profname key newval – Where profname is the name of a configured BGP profile, key is a keyword for one of the parameters configurable with the bgp add profile command (see above), and newval is the new value for key.

Command: reset
Synopsis: reset neighbor x.x.x.x
Description: Reset a BGP neighbor, where x.x.x.x is the neighbor's IP address. Enter this command with no further parameter to produce the default soft reset. Enter reset neighbor x.x.x.x hard to produce a hard reset.

Command: set
Synopsis: set param...
Description: Configure global BGP parameters, where param can be:
• as-number n – The Autonomous System (AS) number for this DX in a range of 1 - 65535.
• mode enabled|disabled – Enable or disable BGP on this DX.
• router-id x.x.x.x – The IP address of the router you are configuring for BGP.

Command: show
Synopsis: show param
Description: Display information about BGP configuration, where param can be:
• peer – Display BGP peer configurations.
• profile – Display BGP profile configurations.
• rib – Display the contents of the Routing Information Base (RIB).
• settings – Display the global BGP parameters configured with the set command.
• statistics – Display BGP performance statistics for configured peers.
• status – Display BGP neighbor status.


CLI bridge command - control devices to be included or excluded from the bridge

Command: add
Synopsis: add mac x.x.x.x.x.x
Description: Add the device specified by the MAC address x.x.x.x.x.x at the port specified by Ex.

Command: delete
Synopsis: delete mac x.x.x.x.x.x
Description: Delete the device specified by the MAC address x.x.x.x.x.x.

Command: exclude
Synopsis: exclude port Ex
Description: Port Ex is specified as not bridged; that is, the port does not participate in the Ethernet bridge. If a packet is sent to the router's MAC address, the packet may be forwarded at Layer 3 if a route to the packet's destination is known.

Command: flush
Synopsis: flush cache
Description: Delete the contents of the bridge station cache.

Command: include
Synopsis: include port Ex
Description: Port Ex is specified as bridged; that is, the port participates in the Ethernet bridge and frames may be forwarded between this port and other bridged ports at Layer 2.

Command: set
Synopsis: set age n
Description: Set the aging interval to the number of seconds specified by n. Entries (MAC addresses) learned by the bridge are deleted from the cache after they have been in the cache for the specified aging interval without another packet arriving with the same source address. The default value is 300 seconds (5 minutes) and the valid range is 15 seconds - 1,800 seconds (30 minutes).

Command: show
Synopsis: show param
Description: Display bridge information, where param can be:
• addresses – Display the contents of the station cache.
• port – Display the bridged/not bridged status of each Ethernet port.
• settings – Display the configured aging interval.


CLI cert command - X.509 certificate creation and management

Command: create
Synopsis: create
Description: This command starts the self-documenting Certificate Creation Wizard.

Command: delete
Synopsis: delete filename
Description: Delete the certificate file specified by filename.

Command: dump
Synopsis: dump filename
Description: Print the contents of filename to the screen.

Command: show
Synopsis: show local | cas
Description: Display the names of either local certificates or of certificate authorities (cas).

Command: trust
Synopsis: trust filename
Description: Designate the ca specified by filename as trusted.

Command: untrust
Synopsis: untrust filename
Description: Remove the trusted designation from the ca specified by filename.

Command: write
Synopsis: write ca | trusted filename
Description: Specify a filename and designate it either local or ca. The system responds with the following message:
  Enter PEM encoded X.509 certificate and private key. Use two blank lines to finish.
This command provides a convenient means to paste and save the contents of a certificate.
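Because write accepts whatever is pasted until two blank lines, a truncated paste or a CA paste that accidentally includes a private key is saved as-is. The following Python checker is an added example for this guide, not part of MNS-DX; it reads input the way the prompt does, splits the PEM blocks, confirms each decodes to DER, and checks that a local paste carries one certificate plus one private key while a ca paste carries a certificate only. The sample payloads are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)


def read_until_two_blank_lines(lines):
    """Collect pasted lines the way the write prompt does: stop at two consecutive blank lines."""
    kept, blank_run = [], 0
    for line in lines:
        if line.strip():
            blank_run = 0
        else:
            blank_run += 1
            if blank_run == 2:
                break
        kept.append(line)
    return "\n".join(kept)


def parse_pem_blocks(text):
    """Return (label, DER bytes) per PEM block; reject bad base64 or a payload that is not DER."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        try:
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        if not der or der[0] != 0x30:  # X.509 certificates and PKCS#1/PKCS#8 keys are DER SEQUENCEs
            raise ValueError(f"{label}: decoded body is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_paste(text, kind):
    """'local' needs one certificate plus one private key; 'ca' needs one certificate and no key."""
    labels = [label for label, _ in parse_pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if certs != 1:
        problems.append(f"expected 1 CERTIFICATE block, found {certs}")
    want_keys = 1 if kind == "local" else 0
    if keys != want_keys:
        problems.append(f"expected {want_keys} private key block(s), found {keys}")
    return problems


# Constructed stand-ins: "MAMCAQE=" is DER for SEQUENCE { INTEGER 1 }, not a real certificate or key.
SAMPLE_LOCAL_PASTE = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----


ignored: this line comes after the two blank lines"""

SAMPLE_CA_PASTE = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""
```

Run check_paste on the text before entering it at the prompt; a CA file that carries a private key, or a local file without one, is the mistake this catches.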


CLI config command - system configuration

Command: delete
Synopsis: delete filename
Description: Delete the configuration file specified by filename.

Command: dump
Synopsis: dump filename
Description: Display the entire contents of the configuration file filename to the screen.

Command: restore
Synopsis: restore
Description: Restore system defaults. Note: Default values do not necessarily mean "factory default" values. While most parameters will take on their factory defaults, the following exceptions apply:
• System IP Address and Mask – Set to the IP address/mask configured in the boot menu.
• Default Gateway – Set to the default gateway configured in the boot menu.

Command: revert
Synopsis: revert
Description: Make the system's current settings those of the saved configuration file.

Command: save
Synopsis: save
Description: Save the system's current settings.

Command: saveas
Synopsis: saveas filename
Description: Save the system's current settings to a configuration file specified by filename.

Command: show
Synopsis: show
Description: Display the names, versions, and status of configuration files.

Command: switch
Synopsis: switch filename
Description: Switch from the current configuration file to the configuration file specified by filename.

Command: write
Synopsis: write filename
Description: Create a new configuration file named filename. After entering write filename and pressing Return you are prompted to enter an XML configuration. Enter a valid configuration and press Return twice to write the new configuration file to disk.


CLI dhcp command - DHCP (Dynamic Host Configuration Protocol) management

Command: add
Synopsis: add params...
Description: Add an address, range of addresses for allocation, or a host parameters group, where params are:
• dynamic-address-range rangeparams – Specify a range of IP addresses that can be dynamically allocated to DHCP clients, where rangeparams are:
  -startIPaddress – The start of a range of IP addresses available for dynamic allocation.
  -endIPaddress – The end of a range of IP addresses available for dynamic allocation.
  -netmask – The subnet mask that applies to the address range delimited by startIPaddress and endIPaddress.
  -max-lease n (optional) – The maximum allowable lease duration for a dynamically allocated address. If a DHCP client requests a duration longer than the default, the server offers the maximum length lease as configured by this parameter. The valid range is 0-65535 days.
  -default-lease n (optional) – If a client does not request a specific lease duration, the default lease time is assigned. The valid range is 0-65535 days.
  -param-group groupname (optional) – The name of a previously defined host parameter group.
• param-group groupname groupparams – Add the host parameters group specified by groupname, where the optional groupparams are:
  -gateway gateIP – The address of the default gateway router to be used by the DHCP client.
  -primary-dns primdnsIP – The address of the primary DNS server to be used by the DHCP client.
  -secondary-dns secdnsIP – The address of the secondary DNS server to be used by the DHCP client.
  -domain domainsfx – A domain name suffix of up to 32 characters that will be appended to any local names by the DHCP client before making a DNS query.
• static-address IPaddress staticparams – Add the static address specified by IPaddress, where staticparams are:
  -netmask – A network mask to apply to IPaddress.
  -macaddress – The MAC address of the device at IPaddress.
  -param-group groupname (optional) – The name of a host parameters group to which this static address belongs.

Command: delete
Synopsis: delete param...
Description: Delete previously configured DHCP values, where param can be:
• dynamic-address-range rangeID – The range of allocatable addresses specified by rangeID. rangeID is a system-supplied ID displayed with the show dynamic-address-ranges command.
• param-group groupname – The host parameters group specified by groupname.
• static-address IPaddress – A configured static IP address.

Command: edit
Synopsis: edit param...
Description: Edit any of the configurable DHCP values. View these parameters with the show command (below) and see the add command (above) for details. param can be:
• dynamic-address-range rangeID params – Where rangeID is a range of allocatable addresses. params can be any of the following configurable values:
  -start-address IPaddress
  -end-address IPaddress
  -mask netmask
  -max-lease n
  -default-lease n
  -param-group groupname
• param-group groupname params – Where groupname is a host parameters group and params can be:
  -gateway gateIP
  -primary-dns primdnsIP
  -secondary-dns secdnsIP
  -domain domainsfx
• static-address IPaddress params – Where IPaddress is a configured IP address and params can be:
  -mask netmask
  -mac macaddress
  -param-group groupname

Command: show
Synopsis: show param...
Description: Display DHCP configuration, where param can be:
• dynamic-address-range – Ranges of IP addresses that can be dynamically allocated to DHCP clients.
• lease – The IP address, MAC address and expiration time of allocated leases.
• param-group – Configured host parameter groups.
• static-address – Configured static IP addresses.
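The interaction between the add parameters above is easiest to see in code: the lease a client is offered depends on max-lease and default-lease, the options it receives come from the param-group bound to its static entry or its range, and a static address that falls inside a dynamic range is a configuration error worth catching before the server hands the address out twice. The following Python model is an added example written for this guide, not MNS-DX code; the addresses, MACs and group are constructed sample values, the overlap check and the static-before-range lookup order are assumptions, and a request longer than max-lease is clamped to max-lease (one reading of the max-lease text above).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LEASE_DAYS_MAX = 65535  # valid range for -max-lease and -default-lease


@dataclass
class ParamGroup:
    """Host parameters group: the options handed to clients (gateway, DNS, domain suffix)."""
    name: str
    gateway: Optional[str] = None
    primary_dns: Optional[str] = None
    secondary_dns: Optional[str] = None
    domain: Optional[str] = None

    def __post_init__(self):
        if self.domain is not None and len(self.domain) > 32:
            raise ValueError("domain suffix is limited to 32 characters")


@dataclass
class DynamicRange:
    start: str
    end: str
    netmask: str
    max_lease: Optional[int] = None      # days
    default_lease: Optional[int] = None  # days
    param_group: Optional[str] = None

    def __post_init__(self):
        for v in (self.max_lease, self.default_lease):
            if v is not None and not 0 <= v <= LEASE_DAYS_MAX:
                raise ValueError(f"lease must be 0-{LEASE_DAYS_MAX} days, got {v}")
        net = ipaddress.IPv4Network(f"{self.start}/{self.netmask}", strict=False)
        first, last = ipaddress.IPv4Address(self.start), ipaddress.IPv4Address(self.end)
        # Assumed check: both ends of the range must lie inside the subnet the netmask describes.
        if last < first or last not in net:
            raise ValueError("end address must be >= start and inside the netmask")

    def contains(self, addr):
        a = ipaddress.IPv4Address(addr)
        return ipaddress.IPv4Address(self.start) <= a <= ipaddress.IPv4Address(self.end)


@dataclass
class StaticAddress:
    address: str
    netmask: str
    mac: str
    param_group: Optional[str] = None


def offered_lease_days(rng, requested=None):
    """No request -> default-lease; a request longer than max-lease is clamped to max-lease."""
    if requested is None:
        return rng.default_lease
    if rng.max_lease is not None and requested > rng.max_lease:
        return rng.max_lease
    return requested


def static_inside_dynamic(ranges, statics):
    """Static addresses that also sit in a dynamic range (the server could allocate them twice)."""
    return [s.address for s in statics if any(r.contains(s.address) for r in ranges)]


def options_for(client_ip, ranges, statics, groups):
    """Resolve the param-group for an address: its static entry first, then the range it falls in."""
    name = next((s.param_group for s in statics if s.address == client_ip), None)
    if name is None:
        name = next((r.param_group for r in ranges if r.contains(client_ip)), None)
    return groups.get(name) if name else None


# Constructed sample configuration, not taken from a real device.
GROUPS = {"office": ParamGroup("office", gateway="192.0.2.1", primary_dns="192.0.2.53", domain="example.test")}
RANGES = [DynamicRange("192.0.2.100", "192.0.2.199", "255.255.255.0",
                       max_lease=7, default_lease=1, param_group="office")]
STATICS = [StaticAddress("192.0.2.150", "255.255.255.0", "00:20:61:54:3A:CD"),
           StaticAddress("192.0.2.10", "255.255.255.0", "00:20:61:00:00:01", param_group="office")]
```

With this configuration static_inside_dynamic reports 192.0.2.150, the kind of overlap that is invisible in the separate show outputs for static-address and dynamic-address-range.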


CLI ethernet command - monitor Ethernet ports

Command: clear
Synopsis: clear statistics portnum
Description: Clear the statistics for the port specified by portnum.

Command: set
Synopsis: set params...
Description: Set one or more Ethernet properties, where params can be:
• mirror spnum tpnum – Forward incoming and outgoing packets from the source port, spnum, to the target port, tpnum, for monitoring and/or analysis.
• port portnum portparams – Where portnum is the ID of a port in the format E1, E2..., and portparams can be:
  -admin enabled|disabled – Enable or disable the port.
  -fefi enabled|disabled – Enable or disable far end fault indication (FEFI).
  -flow enabled|disabled – Enable or disable flow control.
  -media – Specify the media type from among the following options:
    auto – autonegotiate (10/100BaseTX) (default for 10/100T)
    10half – (10/100BaseTX)
    10full – (10/100BaseTX)
    100half – (10/100BaseTX)
    100full – (10/100BaseTX)
• name – Supply a name for the port in up to 15 printable characters.
• rate-limit Ex type dir lim – Limit the traffic rate on port Ex by specifying the type of traffic, type, the direction of the traffic, dir, and a maximum rate, lim, where type can be:
  -ingress-type traf – where traf can be: broadcast, multicast, flooded, all
  -egress-type traf – where traf can be any of the values specified above for ingress-type
  and dir can be: ingress-rate, egress-rate
  and lim can be: unlimited, 128K, 256K, 1M, 2M, 4M, 8M
• security Ex – Specify a type of security for port Ex. The allowable types are:
  -None – (default)
  -Address – This port will be locked out if a frame is received with an unauthorized source address.
  -Link – This port will be locked out the next time the link goes from UP to DOWN.

Command: show
Synopsis: show params...
Description: Display the current Ethernet settings, where params can be:
• mirror Ex – Display any mirroring assignment on port Ex.
• port Ex – Display the properties controlled by the set port command (above) on port Ex.
• rate-limit Ex – Display the properties controlled by the set rate-limit command (above) on port Ex.
• security Ex – Display the properties controlled by the set security command (above) on port Ex.
• statistics Ex – Display extended statistics for port Ex.
• status Ex – Display status information for port Ex.

Command: unlock
Synopsis: unlock port portnum
Description: Unlock a port, where portnum is the ID of a port in the format E1, E2, etc.
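The two lock-out types differ in what triggers them: Address security reacts to a frame from an unknown source, Link security to the next UP-to-DOWN transition, and in both cases the port stays locked until an administrator runs unlock. The following Python state machine is an added example for this guide, not GarrettCom code; it assumes the authorized set for Address security is the list of MACs statically configured for the port (the guide does not say where that list comes from), and the MAC addresses are constructed.

```python
SECURITY_TYPES = ("None", "Address", "Link")
RATE_LIMITS = ("unlimited", "128K", "256K", "1M", "2M", "4M", "8M")
TRAFFIC_TYPES = ("broadcast", "multicast", "flooded", "all")


class SecuredPort:
    """Lock-out behaviour of the Address and Link security types, plus unlock."""

    def __init__(self, port_id, security="None", authorized_macs=()):
        if security not in SECURITY_TYPES:
            raise ValueError(f"security must be one of {SECURITY_TYPES}")
        self.port_id = port_id
        self.security = security
        # Assumption: the authorized set is the statically configured station list for the port.
        self.authorized = {m.lower() for m in authorized_macs}
        self.link_up = True
        self.locked = False
        self.events = []  # what an operator would expect to find in the event log

    def receive(self, src_mac):
        """True if the frame is accepted; Address security locks the port on an unknown source."""
        if self.locked:
            return False
        if self.security == "Address" and src_mac.lower() not in self.authorized:
            self.locked = True
            self.events.append(f"{self.port_id}: locked, unauthorized source address {src_mac}")
            return False
        return True

    def link_change(self, up):
        """Link security locks the port the next time the link goes from UP to DOWN."""
        if self.security == "Link" and self.link_up and not up:
            self.locked = True
            self.events.append(f"{self.port_id}: locked, link went down")
        self.link_up = up

    def unlock(self):
        """Equivalent of 'ethernet unlock port Ex'; nothing else clears the lock."""
        self.locked = False
        self.events.append(f"{self.port_id}: unlocked by administrator")


def rate_limit_args(port_id, traffic, direction, limit):
    """Validate the values listed for 'set rate-limit Ex type dir lim'."""
    if traffic not in TRAFFIC_TYPES or direction not in ("ingress-rate", "egress-rate") or limit not in RATE_LIMITS:
        raise ValueError("unsupported rate-limit argument")
    return {"port": port_id, "type": traffic, "dir": direction, "lim": limit}


def demo():
    # Constructed MACs; E1 uses Address security, E2 uses Link security.
    e1 = SecuredPort("E1", "Address", authorized_macs=["00:20:61:54:3A:CD"])
    e2 = SecuredPort("E2", "Link")
    accepted = [e1.receive("00:20:61:54:3a:cd"),   # authorized: accepted
                e1.receive("00:20:61:ff:ff:ff"),   # unknown source: port locks
                e1.receive("00:20:61:54:3a:cd")]   # authorized, but the port is now locked
    e2.link_change(up=False)   # UP -> DOWN locks E2
    e2.link_change(up=True)    # coming back up does not unlock it
    still_locked = e2.locked
    e2.unlock()
    return accepted, still_locked, e2.locked
```

Note the third receive: once locked, even the authorized station is cut off, so an Address-secured access port needs the lock event in the log and a procedure for the unlock.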


CLI license command – add features to MNS-DX

Command: add
Synopsis: license add
Description: This command adds features to upgrade MNS-DX to MNS-DX-SECURE and MNS-DX-ADVAR. MNS-DX-ADVAR adds BGP and OSPF protocols. MNS-DX-SECURE adds many security features.

Command: show
Synopsis: license show
Description: This command displays the feature keys.


CLI firewall command - monitor firewall

Command: add
Synopsis: add inbound param | add outbound param | add group groupname
Description: Add a filter, a stateful filter, or a group to the system. The param arguments to the add inbound command specify the types of information to be included.
• interface interface_ID – Specify an IP interface (or group of interfaces) to which to apply the filter.
• src-address ipaddress – Specify the source address of allowed IP packets.
• src-mask netmask – The source network mask of allowed IP packets.
• dst-addr ipaddress – Specify the destination address of allowed IP packets.
• dst-mask netmask – The destination network mask of allowed IP packets.
• protocol protospec – Specify a protocol type and direction, where protospec can be:
  -icmp – allowed ICMP types
  -tcpdst – allowed TCP destination ports
  -tcpsrc – allowed TCP source ports
  -udpdst – allowed UDP destination ports
  -udpsrc – allowed UDP source ports
  -esp – allow IPsec ESP packets (IP protocol 50)
  -ah – allow IPsec AH packets (IP protocol 51)
  -ospf – allow OSPF packets (IP protocol 89)
  -vrrp – allow VRRP packets (IP protocol 112)
• ports portlist – The list of allowed logical protocol port numbers. These are dependent on the value of the protocol parameter, for instance 80 and 443 for HTTP and HTTPS.
The groupname argument to the add group command is a user-supplied group name of up to 15 printable characters.
The param arguments to the add outbound command specify the types of information to be included.
• interface interface_ID – Specify an IP interface (or group of interfaces) to which to apply the filter.
• src-address ipaddress – Specify the source address of allowed IP packets.
• src-mask netmask – The source network mask of allowed IP packets.
• dst-addr ipaddress – Specify the destination address of allowed IP packets.
• dst-mask netmask – The destination network mask of allowed IP packets.
• protocol protospec – Specify a protocol type and direction, where protospec can be:
  -icmp – allowed ICMP types
  -tcpdst – allowed TCP destination ports
  -tcpsrc – allowed TCP source ports
  -udpdst – allowed UDP destination ports
  -udpsrc – allowed UDP source ports
• ports portlist – The list of allowed logical protocol port numbers. These are dependent on the value of the protocol parameter, for instance 80 and 443 for HTTP and HTTPS.
• logging y|n – If y is selected, matching TCP connections will be written to the event log.

Command: delete
Synopsis: delete inbound ID | delete outbound ID | delete group group-name
Description: Delete the inbound or outbound rules identified by ID or the group identified by group-name.

Command: edit
Synopsis: edit inbound | outbound ID key newval
Description: Edit the inbound rule identified by filter ID, or the outbound rule identified by outbound ID. Any of the values described under the add command (above) can be modified in an existing filter, where:
• key – Is the keyword for a parameter, such as protocol or logging.
• newval – Is the new value for the parameter specified by key.
Note: A given ID can be learned by using the show all filters command. The filter ID is necessarily displayed in the CLI. This value is not used in the graphical interface, but the system will assign a filter ID to a filter created in the graphical interface.

Command: set
Synopsis: set icmp-timeout value | set interface param | set log-rejects value | set max-connections value | set max-rejects value | set reject-timeout value | set tcp-timeout value | set udp-timeout value
Description: For each of the commands the value can be as shown below:
• icmp-timeout – value in seconds; valid range 2 to 86400 seconds.
• interface – the first parameter to specify is the routing interface. This can be any of the physical interfaces, DLCIs or VLANs defined. The second parameter is optional and can be status [enabled|disabled] or the group the interface belongs to [none | group-name].
• log-rejects – whether rejects are logged or not. Value can be [y|n].
• max-connections – value between 10 and 200.
• max-rejects – value between 10 and 200.
• reject-timeout – value in seconds; valid range 2 to 86400 seconds.
• tcp-timeout – value in seconds; valid range 2 to 86400 seconds.
• udp-timeout – value in seconds; valid range 2 to 86400 seconds.

Command: show
Synopsis: show param...
Description: Where the possible values for param are:
• inbound ID – The inbound command with no argument displays all configured filters. With the ID spec supplied it displays only the rule identified by ID.
• group – Display information on all groups.
• interface ID – The interface command with no argument displays all configured interfaces. With the ID spec supplied it displays only the interface identified by ID.
• outbound ID – The outbound command with no argument displays all configured rules. With the ID spec supplied it displays only the outbound filter identified by ID.
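Every filter above describes allowed packets, and the ports list is interpreted through the protocol keyword (ICMP types for icmp, destination or source ports for the tcp/udp variants, nothing for esp, ah, ospf and vrrp). The following Python evaluator is an added example for this guide, not the MNS-DX implementation; it assumes first-match semantics and default-deny for anything no rule allows, and the rule set and packets are constructed samples using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IP_PROTO = {"esp": 50, "ah": 51, "ospf": 89, "vrrp": 112}  # protocol numbers given in the guide


@dataclass
class Rule:
    rule_id: int
    interface: str
    src_address: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: str = "any"          # icmp | tcpdst | tcpsrc | udpdst | udpsrc | esp | ah | ospf | vrrp
    ports: Tuple[int, ...] = ()    # ICMP types for icmp, port numbers for the tcp/udp variants
    logging: bool = False


@dataclass
class Packet:
    interface: str
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp", or an IP protocol number as a string
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


def _in_net(addr, net, mask):
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


def rule_matches(rule, pkt):
    if rule.interface != pkt.interface:
        return False
    if not _in_net(pkt.src, rule.src_address, rule.src_mask) or not _in_net(pkt.dst, rule.dst_addr, rule.dst_mask):
        return False
    p = rule.protocol
    if p == "any":
        return True
    if p == "icmp":
        return pkt.proto == "icmp" and (not rule.ports or pkt.icmp_type in rule.ports)
    if p in ("tcpdst", "tcpsrc", "udpdst", "udpsrc"):
        if pkt.proto != p[:3]:
            return False
        port = pkt.dport if p.endswith("dst") else pkt.sport
        return port in rule.ports
    if p in IP_PROTO:
        return pkt.proto == str(IP_PROTO[p])
    raise ValueError(f"unknown protospec {p}")


def evaluate(rules, pkt):
    """First matching rule allows the packet; nothing matching is rejected (assumed default-deny).
    Returns (allowed, log line or None); logging applies to matching TCP connections only."""
    for rule in rules:
        if rule_matches(rule, pkt):
            log = None
            if rule.logging and pkt.proto == "tcp":
                log = f"rule {rule.rule_id}: allowed tcp {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} on {pkt.interface}"
            return True, log
    return False, f"rejected {pkt.proto} {pkt.src} -> {pkt.dst} on {pkt.interface}"


# Constructed policy: web and echo-request into 10.0.0.0/24 via E1, OSPF only from one peer.
RULES = [
    Rule(1, "E1", dst_addr="10.0.0.0", dst_mask="255.255.255.0", protocol="tcpdst", ports=(80, 443), logging=True),
    Rule(2, "E1", dst_addr="10.0.0.0", dst_mask="255.255.255.0", protocol="icmp", ports=(8,)),
    Rule(3, "E1", src_address="192.0.2.1", src_mask="255.255.255.255", protocol="ospf"),
]


def demo():
    https = Packet("E1", "192.0.2.10", "10.0.0.5", "tcp", sport=51000, dport=443)
    ssh = Packet("E1", "192.0.2.10", "10.0.0.5", "tcp", sport=51001, dport=22)
    ping = Packet("E1", "192.0.2.10", "10.0.0.5", "icmp", icmp_type=8)
    ospf = Packet("E1", "192.0.2.1", "224.0.0.5", "89")
    return [evaluate(RULES, p)[0] for p in (https, ssh, ping, ospf)]
```

Rule 3 shows why the src-mask matters for the protocol-only keywords: without the host mask, any source on E1 could inject OSPF packets.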


CLI fr command - Frame Relay configuration and monitoring

Command: add dlci
Synopsis: add dlci param...
Description: Add a DLCI (Data Link Connection Identifier) to the specified port. The required parameters are:
• portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
• dlciID – Where dlciID is the Data Link Connection Identifier in a range 16-1022.
Optional parameters are:
• cir cirvalue – Where cirvalue is the Committed Information Rate in bits per second. The valid range is 1-2097152. If no value is specified the bit rate of the port is the CIR.
• ip y | n – Specify y to make the DLCI an IP interface (RFC 1490). Specify n to direct that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI. The default value is y.

Command: delete dlci
Synopsis: delete dlci param...
Description: Delete the specified DLCI. The required parameters are:
• portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
• dlciID – Where dlciID is the Data Link Connection Identifier of an existing DLCI associated with the port specified in portID.

Command: edit dlci
Synopsis: edit dlci param...
Description: Modify existing DLCI settings. Required parameters are:
• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
• id dlciID – Where dlciID is the Data Link Connection Identifier of an existing DLCI associated with the port specified in portID.
Optional parameters are:
• cir cirvalue – Where cirvalue is the Committed Information Rate in bits per second. The valid range is 1-2097152. If no value is specified the bit rate of the port is the CIR.
• ip y | n – Specify y to make the DLCI an IP interface (RFC 1490). Specify n to direct that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI.

Command: set port
Synopsis: set port param...
Description: Configure DLCI settings for the specified port. The required parameter is:
• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
Optional parameters are:
• frag fragvalue – Where fragvalue is an integer in the range 8-1600 that represents the maximum bytes in a frame relay fragment. The default, 1600, is the maximum transmission unit (MTU) setting, plus frame relay overhead, for the DLCI IP interfaces.
• lmitype type – Where type is the LMI (Local Management Interface) type and may take one of the following values:
  -none
  -lmi
  -ccitt
  -ansi
• lmimode mode – Where mode may take one of the following values:
  -network
  -user
  -nni

Command: set eek
Synopsis: set eek port param | set eek parameters...
Description: Configure EEK settings for the WAN port or the DLCIs configured. Options are:
• W1 – configure EEK on WAN port #1 (in this example)
• request-timer <1-255> – change the request timer value from 1-255 seconds
• receive-timer <1-255> – change the receive timer value from 1-255 seconds
• window <1-32> – change the number of events which define an EEK events window
• errors <1-32> – change the number of error events
• successes <1-32> – change the number of success events

Command: show
Synopsis: show dlci params | show port params
Description: Display information about Frame Relay settings or status. The params to follow show dlci can be:
• settings ID – The dlci settings command with no argument displays all DLCIs. The ID parameter may specify a WAN port or a circuit identifier to display information on a specified DLCI.
• status ID – The dlci status command with no argument displays the status of all DLCIs. The ID spec may specify a WAN port or a circuit identifier to display status on a specified DLCI.
The params to follow show port can be:
• settings ID – Display information configured with the fr set port command. The port settings command used with no argument displays information on all WAN ports. The ID parameter identifies a specific WAN port.
• statistics ID – Display performance information for the WAN port specified by ID.

Command: show
Synopsis: show eek params...
Description: Displays EEK settings or status. Parameters are:
• settings – display the EEK settings. Use "fr set eek" to adjust the settings.
• status – displays the EEK status.


CLI ip command - IP address management

Command: add
Synopsis: add route parameters
Description: Possible parameters are:
• route parameters – to add a static IP route, where parameters can be:
  -IPaddress – A valid destination IP address.
  -subnetmask – A valid route mask.
  -nexthop – A valid IP address for the next hop on this route. The "Next Hop" must be reachable via an attached LAN.

Command: clear address
Synopsis: clear address interface
Description: Clear the address and netmask specifications for the interface identified by interface.

Command: delete
Synopsis: delete route destinationnw
Description: Delete a static route, where destinationnw is the IP address of the destination network to be deleted.

Command: flush arp
Synopsis: flush arp
Description: Clear the ARP table. This forces the software to re-execute an ARP for all hosts.

Command: set
Synopsis: set param...
Description: Set a variety of IP management values. The available parameters are:
• address interface ipaddress netmask remoteIP – Assign a valid IP address, a network mask and the IP address of a remote host to the specified interface.
• option y|n – Select y to ignore this interface when advertising routes. Select n to treat this interface normally with respect to RIP.
• system interface – Specify an interface to serve as the default (or system) interface.

Command: show
Synopsis: show param...
Description: Display specified information. The available parameters are:
• addresses – Display information about all configured IP addresses.
• arp – Display the ARP table.
• options – Display option selection for each interface.
• routes – Display the contents of the routing table.
• static routes – Display configured static routes.
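The rule that the next hop must be reachable via an attached LAN, and the requirement for a valid route mask, are the two checks an operator most often trips over when adding static routes. The following Python table is an added example for this guide, not the MNS-DX routing code; it assumes longest-prefix matching between connected networks and static routes, and the interfaces, routes and lookups use constructed documentation addresses.

```python
import ipaddress


class IpTable:
    """Interface addresses plus static routes, with the next-hop reachability rule from the guide."""

    def __init__(self):
        self.interfaces = {}     # interface name -> IPv4Interface
        self.static_routes = []  # (IPv4Network, next hop, interface it is reached through)

    def set_address(self, interface, ipaddr, netmask):
        """ip set address interface ipaddress netmask (remoteIP omitted in this model)."""
        self.interfaces[interface] = ipaddress.IPv4Interface(f"{ipaddr}/{netmask}")

    def add_route(self, dest, subnetmask, nexthop):
        """ip add route: reject a next hop not on an attached LAN, and a mask that leaves host bits set."""
        nh = ipaddress.IPv4Address(nexthop)
        via = next((name for name, ifc in self.interfaces.items() if nh in ifc.network), None)
        if via is None:
            raise ValueError(f"next hop {nexthop} is not reachable via an attached LAN")
        net = ipaddress.IPv4Network(f"{dest}/{subnetmask}", strict=True)  # strict: a valid route mask
        self.static_routes.append((net, nh, via))
        return via

    def delete_route(self, destinationnw):
        """ip delete route destinationnw: remove routes whose destination network address matches."""
        target = ipaddress.IPv4Address(destinationnw)
        before = len(self.static_routes)
        self.static_routes = [r for r in self.static_routes if r[0].network_address != target]
        return before - len(self.static_routes)

    def lookup(self, dest):
        """Longest-prefix match over connected networks and static routes (assumed forwarding behaviour)."""
        d = ipaddress.IPv4Address(dest)
        candidates = [(ifc.network, None, name) for name, ifc in self.interfaces.items() if d in ifc.network]
        candidates += [(net, nh, via) for net, nh, via in self.static_routes if d in net]
        if not candidates:
            return None
        net, nh, via = max(candidates, key=lambda c: c[0].prefixlen)
        return (str(net), None if nh is None else str(nh), via)


def demo():
    # Constructed addresses from the documentation ranges.
    t = IpTable()
    t.set_address("E1", "192.0.2.5", "255.255.255.0")
    t.set_address("E2", "10.0.0.1", "255.255.255.0")
    t.add_route("198.51.100.0", "255.255.255.0", "192.0.2.1")
    try:
        t.add_route("203.0.113.0", "255.255.255.0", "172.16.0.1")  # next hop on no attached LAN
        rejected = False
    except ValueError:
        rejected = True
    return t.lookup("198.51.100.7"), t.lookup("10.0.0.9"), t.lookup("8.8.8.8"), rejected
```

The lookup for 8.8.8.8 returns None because no default route was added; on the device that traffic is dropped until a 0.0.0.0 route with a reachable next hop exists.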


CLI log command - event log management

Command: delete
Synopsis: delete filename
Description: Delete the log file specified by filename.

Command: dump
Synopsis: dump filename
Description: Display the contents of the log file specified by filename.

Command: set
Synopsis: set param
Description: Configure global logging settings, where param can be:
• mode enabled|disabled – Specify whether or not to record events in the system log.
• create freq – Specify the frequency with which to create new log files. Options are daily, weekly and monthly.
• files n – Specify the maximum number of log files to be preserved at any one time, where n is an integer in the range of 1-100. The default value is 14.
• size n – Specify the maximum size, in KB, of any log file, where n is an integer in the range of 1-128. The default value is 32KB.
• overwrite y|n – Indicates whether or not old log files should be deleted when the maximum number of log files is reached and a new log file must be created. If you do not specify the deletion of old files, no new log files will be created after the Max Log Files value is reached.

Command: show
Synopsis: show
Description: List the filenames, sizes, and status of available log files.
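The overwrite setting decides which failure mode you get once the file ceiling is reached: with y the oldest file is lost, with n new events are lost, which matters for a device whose log is the only record of firewall rejects. The following Python simulation is an added example for this guide, not the MNS-DX logger; the file naming, the period bucketing and the assumption that a file rolls to a new one when it would exceed size are mine, and the event text and dates are constructed.

```python
class LogPolicy:
    """The global settings of 'log set' with the ranges given in the guide."""

    def __init__(self, mode="enabled", create="daily", files=14, size=32, overwrite="n"):
        if mode not in ("enabled", "disabled") or create not in ("daily", "weekly", "monthly"):
            raise ValueError("mode must be enabled|disabled, create must be daily|weekly|monthly")
        if not 1 <= files <= 100 or not 1 <= size <= 128 or overwrite not in ("y", "n"):
            raise ValueError("files 1-100, size 1-128 KB, overwrite y|n")
        self.mode, self.create, self.files, self.size_kb = mode, create, files, size
        self.overwrite = overwrite == "y"


class LogStore:
    """Simulates file creation, the file-count ceiling and the overwrite decision."""

    def __init__(self, policy):
        self.policy = policy
        self.files = []      # [name, bytes used], oldest first
        self.deleted = []    # names removed to make room (overwrite y)
        self.dropped = 0     # events lost because no log file could be created (overwrite n)
        self.period = None   # daily/weekly/monthly bucket of the current file
        self.seq = 0

    def _open_file(self, period):
        if len(self.files) >= self.policy.files:
            if not self.policy.overwrite:
                return False   # ceiling reached and deletion not allowed: no new file
            self.deleted.append(self.files.pop(0)[0])
        self.seq += 1
        self.files.append([f"log-{period}-{self.seq}", 0])
        self.period = period
        return True

    def record(self, period, event):
        """period is the create-frequency bucket the event falls in; a new bucket opens a new file."""
        if self.policy.mode != "enabled":
            return False
        size = len(event.encode()) + 1
        need_new = (not self.files or period != self.period
                    or self.files[-1][1] + size > self.policy.size_kb * 1024)  # assumed: full file rolls over
        if need_new and not self._open_file(period):
            self.dropped += 1
            return False
        self.files[-1][1] += size
        return True


def demo(overwrite):
    """Three daily periods against a two-file ceiling, with overwrite y or n."""
    store = LogStore(LogPolicy(files=2, overwrite=overwrite))
    event = "firewall: rejected tcp 192.0.2.10 -> 10.0.0.5:22"   # constructed event text
    results = [store.record(day, event) for day in ("2010-01-01", "2010-01-02", "2010-01-03")]
    return results, [name for name, _ in store.files], store.deleted
```

Whichever value is chosen, pair it with a size and files count that cover the interval between log collections, and forward events off the device where that is possible.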


CLI modbus command - Modbus management

Command: add
Synopsis: add param...
Description: Where param specifies a Modbus device. param can be:
• local-slave lslaveparams – Where lslaveparams can be:
  -port Sn – Where Sn is S1, S2, etc., a unique identifier for the serial port to which the device is connected.
  -device n – Where n, the Modbus/TCP unit identifier assigned to the device, is an integer in the range 1-247.
  -variant rtu|ascii – Specify an RTU or an ASCII transmission mode. The default is RTU.
  -priority default|expedited – Specify the default or expedited priority. (Use the qos show profiles command to display configured priority profiles.)
  -response n – Where n is an integer in the range 10-10000 specifying the amount of time in msec to wait for a response from this device before giving up and sending back a Modbus exception message.
  -exceptions y|n – Specify whether or not to send Modbus/TCP exception codes.
• master mastparams – Where mastparams can be:
  -port Sn – Where Sn is S1, S2, etc., a unique identifier for the serial port to which the device is connected.
  -variant rtu|ascii – Specify an RTU or an ASCII transmission mode. The default is RTU.
  -priority DSprofile – Specify the DiffServ priority. (Use the qos show profiles command to display configured priority profiles.)
  -exceptions y|n – Specify whether or not to send Modbus/TCP exception codes.
• remote-slave rslaveparams – Where rslaveparams can be:
  -device n – Where n, the Modbus/TCP unit identifier assigned to the device, is an integer in the range 1-247.
  -address IPaddress – The IP address of the remote Modbus/TCP server.
  -idle n (optional) – Where n is an integer specifying the number of seconds (in a range of 1-604800) of idle time that can elapse before the TCP connection for this device is torn down. The default value is 10.
  -response n (optional) – Where n is an integer specifying the number of milliseconds (in a range of 10-10000) that the client will wait before giving up on a request. If the client times out, it closes down the current TCP connection for the remote device. The default value is 1000.

Command: delete
Synopsis: delete param...
Description: Where param can be:
• local-slave device n – Where n specifies the device number of the local slave.
• master Sn – Where Sn specifies the port to which the master is attached.
• remote-slave device n – Where n specifies the device number of the remote slave.

Command: edit
Synopsis: edit dev key val
Description: Edit any of the values that can be configured with the add command, where:
• dev – is the device (local-slave, master, remote-slave), followed by the port designation.
• key – is the name of the parameter to be edited (variant, priority, etc.).
• val – is the new value of the parameter.

Command: show
Synopsis: show param...
Description: Display Modbus information, where param can be:
• connection – Display statistics for configured Modbus connections.
• local-slave – Display local slave device configuration.
• master – Display master device configuration.
• remote-slave – Display remote slave device configuration.
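The -device value is the unit identifier in the Modbus/TCP MBAP header, and it is the only thing the gateway has to decide whether a request goes to a serial port (local-slave), to another Modbus/TCP server (remote-slave), or nowhere. The following Python router is an added example written for this guide, not the MNS-DX Modbus code; it parses the MBAP header, applies the ranges listed above, and builds the exception responses (gateway path unavailable, 0x0A, and gateway target device failed to respond, 0x0B, both standard Modbus exception codes) that -exceptions y|n controls. The request bytes are constructed.

```python
import re
import struct

# Standard Modbus exception codes used by gateways (Modbus Application Protocol specification).
GATEWAY_PATH_UNAVAILABLE = 0x0A
GATEWAY_TARGET_FAILED_TO_RESPOND = 0x0B


def _check(cond, msg):
    if not cond:
        raise ValueError(msg)


class ModbusGateway:
    """Maps Modbus/TCP unit identifiers to the local-slave and remote-slave entries of the guide."""

    def __init__(self, send_exceptions=True):
        self.local = {}    # unit id -> (serial port, variant, response ms)
        self.remote = {}   # unit id -> (ip address, idle s, response ms)
        self.send_exceptions = send_exceptions  # the -exceptions y|n setting

    def add_local_slave(self, port, device, variant="rtu", response=1000):
        _check(re.fullmatch(r"S\d+", port), "port must be S1, S2, ...")
        _check(1 <= device <= 247, "device must be 1-247")
        _check(variant in ("rtu", "ascii"), "variant must be rtu|ascii")
        _check(10 <= response <= 10000, "response must be 10-10000 ms")
        _check(device not in self.local and device not in self.remote, "unit id already in use")
        self.local[device] = (port, variant, response)

    def add_remote_slave(self, device, address, idle=10, response=1000):
        _check(1 <= device <= 247, "device must be 1-247")
        _check(1 <= idle <= 604800, "idle must be 1-604800 s")
        _check(10 <= response <= 10000, "response must be 10-10000 ms")
        _check(device not in self.local and device not in self.remote, "unit id already in use")
        self.remote[device] = (address, idle, response)

    def exception(self, tid, unit, function, code):
        """Build a Modbus/TCP exception ADU, or None when exception codes are switched off."""
        if not self.send_exceptions:
            return None
        pdu = bytes([function | 0x80, code])
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

    def route(self, adu):
        """Parse the MBAP header and decide where the PDU goes."""
        _check(len(adu) >= 8, "ADU too short")
        tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
        pdu = adu[7:]
        _check(proto == 0 and len(pdu) == length - 1, "malformed MBAP header")
        if unit in self.local:
            return ("serial", self.local[unit][0], pdu)
        if unit in self.remote:
            return ("tcp", self.remote[unit][0], pdu)
        return ("exception", self.exception(tid, unit, pdu[0], GATEWAY_PATH_UNAVAILABLE))

    def on_timeout(self, tid, unit, function):
        """The -response timer expired without an answer from the device."""
        return self.exception(tid, unit, function, GATEWAY_TARGET_FAILED_TO_RESPOND)


# Constructed request: transaction 1, unit 17, Read Holding Registers (0x03), address 0, count 1.
READ_HOLDING_UNIT17 = bytes.fromhex("0001 0000 0006 11 03 0000 0001")


def demo():
    gw = ModbusGateway()
    gw.add_local_slave("S1", 17)
    gw.add_remote_slave(20, "192.0.2.40")
    unknown_unit = bytes.fromhex("0002 0000 0006 05 03 0000 0001")
    return gw.route(READ_HOLDING_UNIT17), gw.route(unknown_unit), gw.on_timeout(1, 17, 0x03)
```

The length check in route matters on a gateway: a header whose length field disagrees with the bytes actually received is rejected rather than forwarded to the serial side.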

Protocol Monitor command - configuring and operating Protocol Monitor

Command: filter
Synopsis: filter [no] param...
Description: The param arguments to the filter command specify the types of information to be included. Only one filter may be configured on a single command line. In addition, only a single filter of each type may be specified.
• dlci circID – Display packets that have the matching DLCI circuit ID in the header. circID is a unique identifier for the DLCI. In most cases, the identifier includes the WAN port and the DLCI on that port, for example, W1-DLCI 104.
• dstip ipaddr – Display packets that have the matching destination IP address in the IP header. The IP address is specified in standard dotted notation, for example, 192.168.1.1.
• dstmac macaddr – Display packets that have the matching destination MAC address in the Ethernet header. The MAC address is specified as hex octets separated by colons, for example, 00:20:61:54:3A:CD.
• dstport portnum – Display packets that have the matching destination port in the TCP or UDP header. The port is specified as an integer between 1 and 65535.
• ip ipaddr – Display packets that have the matching IP address in either the source or the destination address field of the IP header.
• mac macaddr – Display packets that have the matching MAC address in either the source or the destination address field of the Ethernet header.
• port portnum – Display packets that have the matching port number as either the destination or the source port in the TCP or UDP header.
• srcip ipaddr – Display packets that have the matching source IP address in the IP header.
• srcmac macaddr – Display packets that have the matching source MAC address in the Ethernet header.
• srcport portnum – Display packets that have the matching source port in the TCP or UDP header.
• protocol icmp | tcp | udp – Display packets that have the matching protocol specified in the IP header.
To cancel a previously specified filtering option, precede the specification with no. For example:
  MagnumDX(monitor)# filter no dstip

Command: set
Synopsis: set property param
Description: Where the possible values for property are:
• display param – Specify a type of information to be displayed from among the following possible values of param:
  -ethernet – The Ethernet header is parsed into fields and the payload is displayed as a raw hex dump.
  -ip – The Ethernet header is ignored and the IP header is parsed into fields. The payload is displayed as a raw hex dump.
  -ipfull – The Ethernet header is ignored and the IP header is parsed into fields. In addition, an attempt is made to parse additional fields in the payload based on its type.
  -raw – No analysis is performed. The entire packet is displayed as a raw hex dump.
  -tcp – The Ethernet header is ignored and part of the IP header is parsed into fields. In addition, TCP fields such as sequence number, acknowledgement number, and window size are displayed.
• format hex | ascii – In terse mode the ascii option causes the packet payload to be dumped in ASCII. This is especially useful for textual protocols such as HTTP.
• framenum enabled | disabled – When this property is enabled, sequence numbers are applied to each packet.
• lines n – Limits the total number of payload lines displayed for a packet. If set to zero, the entire packet is displayed. n can be an integer value from 0 to 10.
• mode terse | verbose – Verbose mode changes the display formatting so that more white-space is used. Payloads are also automatically dumped in both hex and ASCII format. In some cases it may make the monitor output more readable at the expense of more transmitted characters per packet.
• timestamp none | diff | rel – Apply a timestamp to each packet. When diff (differential) is specified, the timestamp on the current packet corresponds to how much time elapsed between this packet and the packet before it. When rel (relative) is specified, the timestamp on the current packet corresponds to how much time has elapsed since the monitor was first started.

Command: show
Synopsis: show
Description: Display the current monitor configuration for the port being monitored. This command prints all of the configured formatting options as well as any configured filters for the port.

Command: start
Synopsis: start
Description: Begin monitoring. Once the command has been issued, packets will be displayed. You can pause the display by pressing the Enter key. You can abort the monitor and return to the CLI by pressing the ESC key.


CLI nat command - Network Address Translation management

Command: add
Synopsis: add param
Description: Add a port forwarding rule or a static translation, where param can be:
• port-forwarding pfparams – where pfparams can be:
  -IPaddress – The address of a server reachable from one of the router's private interfaces.
  -tcp|udp – The protocol to forward.
  -privportn – An integer in the range 1-65535 that specifies the port at which the service is accessible on the private server.
  -pubportn – An integer in the range 1-65535 that specifies the port at which the server is accessible by hosts on the public network using the address of the router's public interface.
• static-translation stparams – where stparams can be:
  -type typeparam – The type of translation. The possible values are:
    nat – Translate the address only.
    tcp – Translate the address and TCP port.
    udp – Translate the address and UDP port.
  -interfaceID – The interface upon which the translation occurs.
  -origIPaddress – The original destination address of a packet received on this interface.
  -original-port portn – Where portn is an integer in the range 1-65535 that specifies the original destination port of a packet received on this interface (ignored for NAT translation type).
  -transIPaddress – If a match occurs this is the address that is substituted for the original address. Reply packets have the reverse translation applied automatically when they are sent back out the interface.
  -translated-port portn – If a match occurs this is the port that is substituted for the original port (ignored for NAT translation type). Reply packets have the reverse translation applied automatically when they are sent back out the interface. The valid range is 1-65535.

Command: delete
Synopsis: delete param
Description: Delete a port forwarding rule or a static translation, where param can be:
• port-forwarding ruleID_n – Where ruleID_n is the system-supplied identifying number. (Use show port-forwarding to display the Rule ID.)
• static-translation ruleID_n – Where ruleID_n is the system-supplied identifying number. (Use show static-translation to display the Rule ID.)

Command: edit
Synopsis: edit param
Description: Edit a value or values in a configured port forwarding rule or a static translation. port-forwarding | static-translation ruleID_n param newvalue – Where:
• ruleID_n is the system-supplied identifying number. (Use show port-forwarding | static-translation to display the Rule ID.)
• param is the name of the configured parameter to be edited. Valid names for port-forwarding are: private-address, protocol, private-port, public-port. Valid names for static-translation are: type, interface, original-address, original-port, translated-address, translated-port.
• newvalue is the value to replace the previously configured value.

Command: set
Synopsis: set param
Description: Enable NAT and specify a public interface, where param can be:
• dynamic-napt enabled | disabled – Enable or disable Network Address and Port Translation.
• public-interface IFname – Where IFname specifies the public interface where the translation will take place.

Command: show
Synopsis: show param
Description: Display information about any of the three possible configured values for param:
• port-forwarding
• settings
• static-translation
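The two rule kinds above rewrite the destination of a received packet, and the sentence "reply packets have the reverse translation applied automatically" is what makes the exchange work: the server's reply must leave with the original address and port restored or the client will discard it. The following Python model of a port-forwarding rule and a static translation, with the forward and reverse steps, is an added example for this guide, not the MNS-DX NAT code; it assumes port-forwarding applies to packets addressed to the public interface's own address, and the interface names and addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class StaticTranslation:
    interface: str
    type: str                              # nat | tcp | udp
    original_address: str
    translated_address: str
    original_port: Optional[int] = None    # ignored for type nat
    translated_port: Optional[int] = None  # ignored for type nat

    def __post_init__(self):
        if self.type not in ("nat", "tcp", "udp"):
            raise ValueError("type must be nat|tcp|udp")
        for p in (self.original_port, self.translated_port):
            if self.type != "nat" and not (p and 1 <= p <= 65535):
                raise ValueError("tcp/udp translations need ports in 1-65535")


@dataclass
class PortForwarding:
    private_address: str
    protocol: str        # tcp | udp
    private_port: int
    public_port: int


class Nat:
    def __init__(self, public_interface, public_address):
        self.public_interface = public_interface
        self.public_address = public_address  # assumed: the address of the router's public interface
        self.static = []
        self.forwards = []

    def inbound(self, interface, pkt):
        """Apply the first matching static translation or port-forwarding rule to a received packet.
        Returns the (possibly rewritten) packet and the reverse mapping to apply to replies."""
        for rule in self.static:
            if rule.interface != interface or pkt.dst != rule.original_address:
                continue
            if rule.type == "nat":
                new = replace(pkt, dst=rule.translated_address)
            elif pkt.proto == rule.type and pkt.dport == rule.original_port:
                new = replace(pkt, dst=rule.translated_address, dport=rule.translated_port)
            else:
                continue
            return new, (new.dst, new.dport, pkt.dst, pkt.dport)
        if interface == self.public_interface and pkt.dst == self.public_address:
            for fwd in self.forwards:
                if pkt.proto == fwd.protocol and pkt.dport == fwd.public_port:
                    new = replace(pkt, dst=fwd.private_address, dport=fwd.private_port)
                    return new, (new.dst, new.dport, pkt.dst, pkt.dport)
        return pkt, None

    @staticmethod
    def reply(pkt, reverse):
        """Reverse translation for replies: the server's address/port become the original ones again."""
        if reverse is None:
            return pkt
        trans_addr, trans_port, orig_addr, orig_port = reverse
        if pkt.src == trans_addr and pkt.sport == trans_port:
            return replace(pkt, src=orig_addr, sport=orig_port)
        return pkt


def demo():
    # Constructed topology: public interface W1 at 203.0.113.2, web servers 10.0.0.5 and 10.0.0.9 behind it.
    nat = Nat("W1", "203.0.113.2")
    nat.forwards.append(PortForwarding("10.0.0.5", "tcp", 8080, 80))
    nat.static.append(StaticTranslation("W1", "tcp", "203.0.113.9", "10.0.0.9", 443, 8443))
    client = Packet("tcp", "198.51.100.7", "203.0.113.2", sport=40000, dport=80)
    fwd, rev = nat.inbound("W1", client)
    answer = Packet("tcp", fwd.dst, fwd.src, sport=fwd.dport, dport=fwd.sport)
    back = nat.reply(answer, rev)
    stat, _ = nat.inbound("W1", Packet("tcp", "198.51.100.7", "203.0.113.9", sport=40001, dport=443))
    return (fwd.dst, fwd.dport), (back.src, back.sport), (stat.dst, stat.dport)
```

Each forwarding rule is an open path from the public network to a private host, so the firewall inbound filters for the public interface should allow only the forwarded protocol and port.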

Some of the ospf commands are shown below.


CLI ospf add command - Open Shortest Path First management

Command: ospf add aggregate
Synopsis: ospf add aggregate IDspec parameters
Description: Aggregate subnet addresses within an OSPF area to be represented with a single address, where IDspec is the OSPF area the address aggregate is to be found within and parameters can be:
-net – The IP address of the net or subnet indicated by the range.
-mask – The subnet mask that pertains to the net or subnet.
-effect advertise|do-not-advertise – Indicates whether or not the aggregate is advertised outside the area.

Example: ospf add aggregate 0.0.0.5 192.168.1.2 255.255.255.0 effect advertise

Command: ospf add area
Synopsis: ospf add areaID parameters
Description: Add an OSPF area, where areaID is a 32-bit integer (in dotted decimal notation) that uniquely identifies an area and parameters can be any of the following:
• import-as – Indicates how routers in this area import information about networks outside of the area. import-as must be modified with one of the following three parameters:
  -external – Import routing information for all networks, including those outside the AS.
  -no-external – Import routing information for all networks within the AS.
  -nssa – (Not So Stubby Area) External routing information is allowed to flow from the NSSA toward the backbone but not in the other direction.
• summary – Whether or not routers in this area receive summary Link State Advertisements (LSAs) for networks outside of this area. summary must be modified with one of the following two parameters:
  -y – Routers in this area will receive summary LSAs.
  -n – Routers in this area will not receive summary LSAs.

Example: ospf add 0.0.0.4 import-as nssa

Command: ospf add profile
Synopsis: ospf add profilename parameters
Description: Add an OSPF profile, where profilename is a name for this profile. The name is a user-supplied alphanumeric string of 1-16 characters and parameters can be any of the following:
• transit-delay transdelayvalue – Where transdelayvalue is the estimated number of seconds it takes to transmit a link state update packet over this interface. The valid range is 1-4294967295.
• retrans-interval retransintervalue – Where retransintervalue is the estimated number of seconds between link state advertisement retransmissions for adjacencies belonging to this interface. The valid range is 1-4294967295.
• hello-interval hellointervalue – Specify (in seconds) the frequency with which hello packets will be sent from the interface. hellointervalue is an integer in the range 1-4294967295.
• dead-interval deadintervalue – The number of seconds that must elapse with no receipt of hello packets from a neighbor before OSPF concludes that that neighbor is unavailable. deadintervalue is an integer in the range 1-4294967295.
• auth-type authtypevalue – Specify the type of authentication to be used with neighbors. Possible values for authtypevalue are:
-None – No authentication is performed between neighbors.
-Simple – An authentication key is sent in the clear.
-MD5 – An authentication key is used along with MD5 to sign OSPF packets. Receiving routers check the signature to authenticate the packet.
• key keyvalue – The authentication secret shared between neighboring routers where keyvalue is an alphanumeric string of 1-16 characters.
• id keyid – An authentication key ID where keyid is an integer in the range 1-255 that uniquely identifies this authentication key.

Example: ospf add station1 transit-delay 5 retrans-interval 10 hello-interval 120 auth-type MD5 key ffl3 id 33
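What the MD5 choice in auth-type actually does to a packet is worth seeing in code. The following is an added example written for this guide, not GarrettCom code, implementing RFC 2328 Appendix D cryptographic authentication as the DX would have to apply it for a profile with key ffl3 and id 33: the key never goes on the wire, a 16-byte digest of packet plus zero-padded key is appended, and the sequence number in the header lets the receiver reject replays. The router ID, area and hello body are constructed sample values.

```python
"""Added example, not GarrettCom code: what 'auth-type MD5' with 'key' and
'id' does to an OSPF packet, following RFC 2328 Appendix D.  The key never
appears on the wire; a 16-byte digest of packet+key is appended, and a
sequence number in the header gives replay protection.  Router IDs, area
and the hello body below are constructed sample data."""
import hashlib
import hmac
import struct

AUTH_MD5 = 2          # AuType value for cryptographic authentication
HDR = "!BBH4s4sHH8s"  # version, type, length, router id, area id, cksum, autype, auth


def ospf_header(pkt_type, router_id, area_id, auth_type, auth_field, body):
    """Version-2 OSPF header; checksum is left 0 for MD5 packets (RFC 2328 D.4.3)."""
    return struct.pack(HDR, 2, pkt_type, 24 + len(body), router_id, area_id,
                       0, auth_type, auth_field) + body


def padded_key(key):
    """The 1-16 character key is zero-padded to the 16 bytes MD5 authentication uses."""
    return key.encode().ljust(16, b"\x00")[:16]


def md5_sign(pkt_type, router_id, area_id, body, key, key_id, seq):
    """Sender: auth field = 0, key id, auth data length (16), sequence number;
    digest = MD5(packet || key) appended after the packet (not counted in length)."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_header(pkt_type, router_id, area_id, AUTH_MD5, auth_field, body)
    return pkt + hashlib.md5(pkt + padded_key(key)).digest()


def md5_verify(wire, keys, last_seq):
    """Receiver: keys maps key id -> key string (one per configured profile id).
    Returns (accepted, sequence to remember).  Rejects unknown key ids, a
    sequence number lower than the last accepted one, and a bad digest."""
    if len(wire) < 24 + 16:
        return False, last_seq
    version, _, length, _, _, _, auth_type, auth_field = struct.unpack(HDR, wire[:24])
    if version != 2 or auth_type != AUTH_MD5 or length + 16 != len(wire):
        return False, last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth_field)
    if auth_len != 16 or key_id not in keys or seq < last_seq:
        return False, last_seq
    expected = hashlib.md5(wire[:length] + padded_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, last_seq
    return True, seq


def key_visible(wire, key):
    """True if the configured key appears in the clear anywhere in the packet."""
    return key.encode() in wire


if __name__ == "__main__":
    hello = b"\xff\xff\xff\x00\x00\x0a\x00\x01\x00\x00\x00\x28"  # constructed hello body
    wire = md5_sign(1, b"\x01\x01\x01\x01", b"\x00\x00\x00\x05", hello, "ffl3", 33, 100)
    print(md5_verify(wire, {33: "ffl3"}, 0), key_visible(wire, "ffl3"))
```

With Simple authentication the same 8-byte header field would carry the key itself, which is why the guide describes it as sent in the clear; md5_verify also shows that a neighbor configured with a different key or key id, or a replayed packet with an older sequence number, is dropped before any routing state is touched.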

CLI ospf delete command

Command: ospf delete
Synopsis: ospf delete aggregate|area|profile
Description: Delete specified OSPF configurations:
• aggregate IDspec net mask – Delete the specified OSPF aggregate.
• area areaID – Delete the OSPF area specified by areaID.
• profile profilename – Delete the OSPF profile specified by profilename.

Example: ospf delete aggregate 0.0.1.1 192.168.2.0 255.255.255.0

CLI ospf edit command

Command: ospf edit aggregate
Synopsis: ospf edit aggregate area-id net mask effect advertise | do-not-advertise
Description: Toggle the advertise/do not advertise attribute of a configured OSPF aggregate, where:
• area-id net mask – Together identify a configured OSPF aggregate. (See the ospf add aggregate command, above, for details.)
• effect advertise | do-not-advertise – Indicates whether or not the aggregate is advertised outside the area.

Example: ospf edit aggregate 0.0.0.0 2.3.4.0 255.255.255.0 effect advertise

Command: ospf edit area
Synopsis: ospf edit area area-id parameters
Description: Edit the configured OSPF area configuration specified by area-id, where parameters can be:
• import-as external|no-external|nssa – See the ospf add area command, above, for details.
• summary y|n – See the ospf add area command, above, for details.

Example: ospf edit area 0.0.2.2 summary n

Command: ospf edit profile
Synopsis: ospf edit profile profile-name parameters
Description: Edit the configured OSPF profile configuration specified by profile-name, where parameters can be any of the following (see the ospf add profile command, above, for details):
• transit-delay
• retrans-interval
• hello-interval
• dead-interval
• auth-type
• key
• id

Example: ospf edit profile Profile1 auth-type md5

CLI ospf set command

Command: ospf set as-border-router
Synopsis: ospf set as-border-router yes|no
Description: Specifies whether or not this router sits at the border between two autonomous systems. as-border-router must be modified with one of the following two parameters:
• yes – This router is located at the border between two autonomous systems.
• no – This router is not located at the border between two autonomous systems.

Example: ospf set as-border-router yes

Command: ospf set enabled
Synopsis: ospf set enabled yes|no
Description: Specifies whether or not the unit should use OSPF as its routing protocol. enabled must be modified with one of the following two parameters:
• yes – OSPF is enabled on this unit.
• no – OSPF is not enabled on this unit.

Example: ospf set enabled yes

Command: ospf set import-rip-routes
Synopsis: ospf set import-rip-routes yes|no
Description: Specify whether or not RIP routes are redistributed by this router into the OSPF network. import-rip-routes must be modified with one of the following two parameters:
• yes – RIP routes are redistributed into the OSPF network by this router.
• no – RIP routes are not redistributed into the OSPF network by this router.

Example: ospf set import-rip-routes yes

Command: ospf set import-static-routes
Synopsis: ospf set import-static-routes yes|no
Description: Specify whether or not static routes are redistributed by this router into the OSPF network. import-static-routes must be modified with one of the following two parameters:
• yes – Static routes are redistributed into the OSPF network by this router.
• no – Static routes are not redistributed into the OSPF network by this router.

Example: ospf set import-static-routes yes

Command: ospf set interface
Synopsis: ospf set interface parameters
Description: Where parameters can be any of the following:
• enabled – Specify whether or not to enable OSPF on this interface. enabled must be modified with one of the following two parameters:
-Yes – This interface is included in the OSPF protocol.
-No – OSPF does not run on this interface and OSPF will not advertise this subnet.
• area areaID – The OSPF area to which this interface belongs.
• priority priorityvalue – An integer in the range 0-255 that specifies a priority for this router. This value is used in electing a designated router on a broadcast network. The greater the value the higher the priority and the greater the likelihood that this router will be elected the designated router.
• profile profilename – Specify a profile to apply to this interface. Each profile contains a set of OSPF configuration parameters. Profiles are defined with the ospf add profile command and can be viewed with the show ospf profile command.
• type typespec – The media type of the interface. Possible types are: broadcast, nbma, point-to-point, point-to-multipoint.
• metric n – Where n is an integer in the range 0-66335 that indicates the relative cost of passing traffic over this interface.

Example: ospf set import-static-routes y

Command: ospf set rip-route-metric
Synopsis: ospf set rip-route-metric n
Description: Specify a specific OSPF cost metric that will be used for all RIP routes imported into the OSPF routing domain. The default value is 20 and the valid range is 0-16777214.

Example: ospf set rip-route-metric 100

Command: ospf set router-id
Synopsis: ospf set router-id X.X.X.X
Description: Where X.X.X.X is a 32-bit integer that is unique within the OSPF Autonomous System (AS). It is written in standard dotted decimal notation.

Example: ospf set router-id 1.1.1.1

Command: ospf set static-route-metric
Synopsis: ospf set static-route-metric n
Description: Specify a specific OSPF cost metric that will be used for all static routes imported into the OSPF routing domain. The default value is 20 and the valid range is 0-16777214.

Example: ospf set static-route-metric 1000

CLI ip show ospf command

Command: show ospf
Synopsis: show ospf [parameters]
Description: show ospf (without parameters) displays basic OSPF configuration information. parameters can be any of the following:
• aggregate – Displays information about configured OSPF aggregates.
• area – Displays information about configured OSPF areas.
• interface – Displays information about configured OSPF interfaces.
• neighbor – Displays information about OSPF neighbors.
• profile – Displays information about configured OSPF profiles.
• settings – Displays information about OSPF global settings.

Example: ip show ospf interfaces

CLI password command - password management

Command: change
Synopsis: change
Description: Change the current password to a new password. After you enter the change command and press Return you are asked to respond to three prompts. (Note that for security reasons your input is not visible on the screen):
• Old Password: – Enter the current password.
• New Password: – Enter the new password.
• Retype Password: – Repeat the new password.
After these three steps are completed the new password is in effect.

CLI ping command - ping

Command: ping
Synopsis: ping ipaddress
Description: Test the accessibility of another device at ipaddress.

CLI ppp command - Point-to-Point management

Command: add
Synopsis: add params...
Description: Add PPP configurations, where params can be:
• connection connspecs – Add a PPP connection, where connspecs can be:
-Sx – A serial port identifier (S1, S2, etc.).
-profile profname – The name of a PPP profile to use on this connection.
-username namespec – Specify a PAP or CHAP username of up to 32 characters. A device attempting a PAP or CHAP PPP connection to the DX on this port must use the username defined here.
• profile profspecs – Add a PPP profile, where profspecs can be:
-profname – A user-supplied name of up to 16 characters for this profile.
-lcp-echo-interval secs – Where secs is the frequency in seconds of LCP (Link Control Protocol) keep-alive exchanges. The default value is 30 and the valid range is 3-3600.
-authentication-type authspec – Specify an authentication type where authspec can be one of: none, chap, pap, chpap.
-assign-ip y|n – If y the PPP process will use the Internet Protocol Control Protocol (IPCP) to assign an IP address to the remote PPP client.
-use-modem y|n – If y the serial port will attempt to initialize a connected Hayes Modem and answer incoming dial-in calls.
-tcp-compression y|n – If y PPP will attempt to negotiate Van Jacobson TCP header compression with the remote client.

Command: delete
Synopsis: delete connection Sx | profile profname
Description: Delete the PPP connection specified by Sx or the PPP profile specified by profname.

Command: edit
Synopsis: edit params...
Description: Edit configured PPP values, where params can be:
• connection Sx key val – Where Sx is the port number of a PPP connection, key is a keyword for a value, such as profile, and val is the new value.
• profile profname key val – Where profname is the name of a PPP profile, key is a keyword for a value, such as assign-ip, and val is the new value.
See the ppp add command (above) for details of keywords and values.

Command: restart
Synopsis: restart connection Sx
Description: Restart the PPP connection on the port specified by Sx.

Command: show
Synopsis: show param
Description: Display PPP configuration information, where param can be:
• connection – Display information about configured PPP connections.
• profile – Display information about configured PPP profiles.
• statistics – Display PPP performance statistics.
• status – Display information about the status of configured PPP connections.

CLI qos command - Quality of Service management

Command: add
Synopsis: add params...
Description: Add QoS management configurations, where params can be:
• flow flowparams – Where flowparams can be:
-diffserv diffservprofile – Where diffservprofile specifies a diffserv profile to associate with this flow. If no diffserv profile is specified on the command line the first profile in the diffserv profiles table will be used. (Use the show profile command to view the diffserv profile table.)
-src-address IPaddress (optional) – The source address of IP packets in the flow. If no source address is specified this value is a wildcard, that is, any source address is accepted.
-src-mask mask (optional) – The source network mask. This field allows a flow to be described in terms of an entire subnet. If no source mask is specified and the source address field is specified then only one source address matches the flow.
-dst-addr address (optional) – The destination address of IP packets in the flow. If no destination address is specified this value is a wildcard, that is, any destination address is accepted.
-dst-mask mask (optional) – The destination network mask. This field allows a flow to be described in terms of an entire subnet. If no destination mask is specified and the destination address field is specified then only one destination address matches the flow.
-protocol prottype (optional) – prottype can be one of seven values which determine the meaning of the TCP or UDP Ports or ICMP Types:
ah – IPsec AH packets (IP protocol 51) in the flow
esp – IPsec ESP packets (IP protocol 50) in the flow
icmp – ICMP types in the flow
tcpdst – TCP destination ports in the flow
tcpsrc – TCP source ports in the flow
udpdst – UDP destination ports in the flow
udpsrc – UDP source ports in the flow
-ports portlist – A list of virtual port numbers or ICMP types in the flow. List port numbers in ascending order, separated by commas. For a partial list of Well Known Port numbers see Section B.1, “Well Known TCP/UDP Network Ports”. For a list of ICMP types see Section B.2, “ICMP Types”.
• profile name – A user-assigned name of up to 40 printable characters.
-code c – Where c is the value of a 6-bit DiffServ Code Point (DSCP). Valid values are 0-63.
-priority p – Where p is the queuing priority of a packet tagged with the DSCP specified with code c. (The higher the priority value the more urgent the priority.) The valid range is 1-4.
-tag t – When an IP packet is generated by the DX it is assigned a DSCP (by default, Best Effort 0x00 is used). The packet may optionally be assigned a priority based on the DSCP as specified by this field. The tag value t can be 0-7 or the special value “None,” meaning that no mapping between DSCP and priority is implemented and thus no marking is made. This field has no effect when the IP packet being processed is not an Ethernet frame. Note: The mapping is performed only for packets generated by the DX. Bridged packets retain whatever markings they had when they were received.

Command: delete
Synopsis: delete params
Description: Delete a configured flow or profile, where params can be:
• flow flowID – Delete the flow specified by flowID. (Use the show all flows command to display flow IDs.)
• profile name – Delete the profile specified by name. (Use the show profiles command to display profile names.)

Command: edit
Synopsis: edit params...
Description: Edit parameters of configured flows or profiles, where params can be:
• flow flowID param editvalue – Where,
-flowID is the ID of the flow to be edited
-param is one of the configurable flow parameters. (See the add command above for details.)
-editvalue is the new value for this parameter.
• profile name param editvalue – Where,
-name is the name of the profile to be edited
-param is one of the configurable profile parameters. (See the add command above for details.)
-editvalue is the new value for this parameter.

Command: set
Synopsis: set param...
Description: Determine how an Ethernet port assigns a priority to an incoming frame. It maps a Port ID to a default priority from one of the four available switch priority queues. It also allows you to specify whether incoming packets will be assigned that default priority or another priority, depending on the presence or absence of DiffServ or 802.1p information. The parameters are:
• port En params – Where En specifies an Ethernet port (E1, E2, etc.) and params can be:
-rule rulespec – Where rulespec is a rule for assigning the priority of packets that are received by the specified port. rulespec may be any of the following:
Default – Always use the Default Priority for the port (default).
DiffServ – Use the DSCP if it is present, otherwise use the Default Priority.
802p – Use the 802.1p tag if it is present, otherwise use the Default Priority.
-priority – The Default Priority for port En. See above for when the default priority is used. The valid range is 1-4, a higher value representing a higher priority. The default value is 3.
• tag int1 priority int2 – Assign a priority where int1 is an 802.1p tag in the range 1-7 and int2 is a switch priority queue value in the range 1-4. The 802.1p value specified by int1 will be equated with the priority queue value specified by int2.

Command: show
Synopsis: show param
Description: Display information about QoS configuration, where param can be:
• flow
• flow flowID
• port
• profile
• tag
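The port rule, the DSCP profiles and the 802.1p tag table interact, and the rule decides which of the two markings is even consulted. The following added example, written for this guide rather than taken from the DX firmware, parses a raw Ethernet frame for its 802.1Q priority code point and IPv4 DSCP and then applies the Default / DiffServ / 802p rule to pick one of the four queues. It assumes, where the guide does not say, that a DSCP with no matching profile or a tag with no entry in the tag table falls back to the port's default priority; the frames and tables are constructed sample data.

```python
"""Added example, not the DX firmware: classify an incoming Ethernet frame
into one of the four switch priority queues using the per-port rule
(Default, DiffServ, 802p).  Assumption not stated in the guide: a DSCP or
802.1p tag with no configured mapping falls back to the port default.
Frames below are constructed sample data."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return (pcp, dscp); each is None when the field is absent.
    pcp is the 802.1Q priority code point, dscp the upper 6 bits of the IPv4 ToS."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, pcp = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13                       # 3-bit priority code point, 0-7
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        dscp = frame[offset + 1] >> 2         # 6-bit DiffServ Code Point
    return pcp, dscp


def assign_queue(frame, port, dscp_profiles, tag_map):
    """port: {'rule': 'Default'|'DiffServ'|'802p', 'priority': 1-4} (qos set port).
    dscp_profiles: {dscp code: queue 1-4}, as built with qos add profile.
    tag_map: {802.1p tag 1-7: queue 1-4}, as built with qos set tag."""
    pcp, dscp = parse_frame(frame)
    default = port["priority"]
    if port["rule"] == "DiffServ" and dscp is not None:
        return dscp_profiles.get(dscp, default)   # assumption: unmapped -> default
    if port["rule"] == "802p" and pcp is not None:
        return tag_map.get(pcp, default)          # assumption: unmapped -> default
    return default


def build_frame(vlan_pcp=None, dscp=None):
    """Construct a minimal frame: optional 802.1Q tag, then either an IPv4 header
    carrying the given DSCP or a non-IP payload."""
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"          # dst, src (constructed)
    if vlan_pcp is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, (vlan_pcp << 13) | 10)  # VLAN 10
    if dscp is not None:
        ip = bytearray(20)
        ip[0], ip[1] = 0x45, dscp << 2
        frame += struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip)
    else:
        frame += struct.pack("!H", 0x88B5) + b"\x00" * 20          # local experimental ethertype
    return frame


if __name__ == "__main__":
    port = {"rule": "DiffServ", "priority": 3}
    print(assign_queue(build_frame(vlan_pcp=5, dscp=46), port, {46: 4}, {5: 4}))
```

Because a DiffServ port never looks at the 802.1p tag and an 802p port never looks at the DSCP, a frame can carry a high marking in one field and still land in the default queue; when auditing a QoS policy, check which rule each ingress port uses before trusting the marking a host sets.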

CLI radius command - Remote Authentication Dial-In User Service management

Command: add
Synopsis: add server IPaddress params...
Description: Add a RADIUS server to query specified by IPaddress, and where params can be:
• port p – The UDP port used to send requests, where p is an integer in the range 0-65535. Authentication servers use UDP port 1812. Accounting servers use port 1813. It is not recommended to use the legacy port 1645 where it conflicts with the “Datametrics” service. The default value is 1812.
• retries r – The number of times the client will retry a request in the event a server is not responding or is slow to respond. r is one of the following integers: 1, 3, 5, 10. The default value is 3.
• timeout t – The time in seconds the client will wait for each retry attempt. t is one of the following integers: 1, 2, 3, 4, 5, 10, 15, 20, 30. The default value is 3.
• role primary|secondary – This parameter defines the order in which servers are accessed. If the primary is down, the system attempts to contact the secondary server. The default value is primary.

Command: delete
Synopsis: delete server IPaddress
Description: Delete the configured RADIUS server specified by IPaddress.

Command: edit
Synopsis: edit params...
Description: Edit the specified RADIUS parameter, where params can be:
• secret IPaddress – Where IPaddress is the IP address of a configured RADIUS server. After you enter Return the system will prompt for the new secret text string.
• server IPaddress radiusparams – Where IPaddress is the IP address of a configured RADIUS server and radiusparams can be any of the following (see the add command, above, for details):
-port
-retries
-timeout
-role

Command: set
Synopsis: set params...
Description: Specify global settings for your RADIUS service, where params can be:
• auth-control cont – This parameter determines whether the system uses its own local user database or a RADIUS server for authentication. cont can take the following values:
-local – Use the local user database (default).
-radius – Use a configured RADIUS server.
• auth-port portn – Where portn is an integer in the range 0-65535. This is the UDP port used to communicate to the RADIUS server that is configured for authentication. The default value of portn is 1812.
• challenge prot – Where prot is the protocol to be used when validating user credentials. It can take the following values:
-PAP – Username/password sent in the clear (default).
-CHAP – Uses challenge and MD5 hash.
• default-level lvl – This parameter determines the default privilege level assigned to a user when a RADIUS server does not provide vendor-specific attributes. It can take the following values:
-noaccess (default)
-readonly
-readwrite
-admin
• local-address LocalIP – Available options for LocalIP are:
-Any – Packets will use their actual egress interface address as a source address.
-x.x.x.x – Packets will use the source address specified by x.x.x.x. This may be necessary for conformity with VPN or NAT configurations.

Command: show
Synopsis: show servers | settings
Description: Display information about:
• Configured RADIUS servers. This option displays the parameters configured with the add command.
• Configured global parameters. This option displays the parameters configured with the set command.
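Two pieces of the RADIUS exchange do the security work behind the challenge setting and the per-server secret: the CHAP response (RFC 1994), which lets the user prove the password without transmitting it, and the Response Authenticator (RFC 2865), which lets the DX reject an Access-Accept that was not produced by a server holding the shared secret. The following added example, written for this guide and not GarrettCom code, runs both sides of that exchange; users, passwords, the shared secret and packet identifiers are constructed sample values.

```python
"""Added example, not GarrettCom code: the two checks behind 'radius set
challenge CHAP' and the per-server shared secret, per RFC 1994 and RFC 2865.
With CHAP the client sends MD5(id || password || challenge) instead of the
password; the NAS then trusts an Access-Accept only if its Response
Authenticator was computed with the shared secret.  Users, passwords and the
secret below are constructed sample data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RFC 2865 attribute types


def chap_response(ident, password, challenge):
    """Client side of CHAP (RFC 1994 section 4.1)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def attr(atype, value):
    """One attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    out = {}
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        out[atype] = data[2:alen]
        data = data[alen:]
    return out


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, Authenticator, Attributes (RFC 2865 section 3)."""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_access_request(ident, username, password, chap_id, challenge, request_auth):
    """NAS side: the request carries the CHAP response, never the password."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge))
             + attr(CHAP_CHALLENGE, challenge))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, user_db, secret):
    """Server side: recompute the response from the stored password, sign the reply."""
    _, ident, length, request_auth = struct.unpack("!BBH16s", request[:20])
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    chap_id, given = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    expected = chap_response(chap_id, user_db.get(user, ""), attrs[CHAP_CHALLENGE])
    ok = user in user_db and hmac.compare_digest(given, expected)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")


def nas_verify_reply(reply, ident, request_auth, secret):
    """NAS side: an Accept counts only if identifier and authenticator check out."""
    code, reply_ident, length, resp_auth = struct.unpack("!BBH16s", reply[:20])
    expected = response_authenticator(code, reply_ident, reply[20:length], request_auth, secret)
    return reply_ident == ident and hmac.compare_digest(resp_auth, expected) and code == ACCESS_ACCEPT


def authenticate(username, password, user_db, nas_secret, server_secret):
    """Full exchange; True only on an Access-Accept the NAS can verify."""
    challenge, request_auth, ident = os.urandom(16), os.urandom(16), 7
    request = build_access_request(ident, username, password, 1, challenge, request_auth)
    reply = server_handle(request, user_db, server_secret)
    return nas_verify_reply(reply, ident, request_auth, nas_secret)
```

The last test case in the exchange is the one that matters operationally: a reply signed with a different secret is discarded even though it says Accept, which is why the secret set with radius edit secret must match on both ends and must not be shared with hosts other than the configured server.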

CLI rip command - Routing Information Protocol management

Command: set
Synopsis: set param...
Description: Set a range of RIP values, where param can be:
• compatible y|n – If y RIP will assume classful addressing in order to be compatible with RIP-1 routers. If n RIP routes with CIDR masks will be propagated and learned as per RIP-2.
• expire nsec – Where nsec is the number of seconds between updates before a route is invalidated. (The route is temporarily invalidated but is not deleted until expiration of the flush timer. See below.) Valid range = 1 to 600 seconds. Default value = 180.
• flush nsec – Where nsec is the number of additional seconds to wait after a route expires (as specified with the expire parameter, see above) before that route is deleted entirely from the routing table. Valid range = 1 to 600 seconds. Default value = 120.
• gateway y|n – If this parameter is set to y the router advertises itself as a default gateway.
• import-ospf-routes y|n – If set to y OSPF routes are redistributed into the RIP network by this router.
• interface name enabled|disabled – Enable or disable the interface specified by name.
• mode disabled|v1|v2|v2multi|v2local – Specify a RIP mode.
• ospf-route-metric hops – Where hops is a fixed hop count that will be used for all OSPF routes imported into the RIP routing domain.

Command: show
Synopsis: show interface | settings
Description: Display the names and status of configured interfaces or show RIP global settings.
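The expire and flush timers are easiest to reason about as a small state machine. The following added example, written for this guide and not GarrettCom code, models a RIP route table with the documented defaults (180 and 120 seconds): each received update refreshes a route, a route with no update for expire seconds is marked unreachable but kept, and flush seconds later it is removed. Prefixes and timestamps are constructed sample data.

```python
"""Added example, not GarrettCom code: a model of the RIP expire and flush
timers.  Each update refreshes a route; `expire` seconds without one
invalidates it (kept in the table, metric set to unreachable); `flush`
further seconds and it is removed.  Prefixes and times are constructed."""

RIP_INFINITY = 16   # RIP metric meaning "unreachable"


class RipRouteTable:
    def __init__(self, expire=180, flush=120):
        # Defaults and 1-600 second ranges as documented for rip set.
        if not (1 <= expire <= 600 and 1 <= flush <= 600):
            raise ValueError("expire and flush must be 1 to 600 seconds")
        self.expire, self.flush = expire, flush
        self.routes = {}   # prefix -> {"metric", "last_update", "invalid_at"}

    def update(self, prefix, metric, now):
        """A RIP update for `prefix` was received at time `now` (seconds)."""
        self.routes[prefix] = {"metric": metric, "last_update": now, "invalid_at": None}

    def run_timers(self, now):
        """Apply expire, then flush; returns (invalidated, deleted) prefix lists."""
        invalidated, deleted = [], []
        for prefix, r in list(self.routes.items()):
            if r["invalid_at"] is None:
                if now - r["last_update"] >= self.expire:
                    r["invalid_at"], r["metric"] = now, RIP_INFINITY
                    invalidated.append(prefix)
            elif now - r["invalid_at"] >= self.flush:
                del self.routes[prefix]
                deleted.append(prefix)
        return invalidated, deleted

    def usable(self):
        """Prefixes that still forward traffic."""
        return sorted(p for p, r in self.routes.items() if r["metric"] < RIP_INFINITY)


if __name__ == "__main__":
    table = RipRouteTable()
    table.update("10.1.0.0/16", 2, 0)
    for t in (100, 180, 300):
        print(t, table.run_timers(t), table.usable())
```

The gap between invalidation and deletion is what lets the router advertise the dead route with metric 16 so neighbors withdraw it too; setting flush very low shortens that window, setting expire very high means a silent neighbor keeps attracting traffic for that long.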

CLI rstp command - Rapid Spanning Tree Protocol functionality

Command: set
Synopsis: set bridge | port_params...
Description: Specify RSTP settings for a bridge or port, where portnum is an Ethernet port designated E1, E2, etc. The available bridge parameters are:
• age n – Specify the maximum age of STP information before discard in a range of 6 - 40 seconds.
• cstyle 16-bit | 32-bit – Specify 16-bit (STP) cost style or 32-bit (RSTP) cost style.
• delay n – Specify a delay (in seconds) before forwarding state or topology change information. n is an integer in the range of 4 - 30.
• hello n – Specify the interval (in seconds) between transmissions of configuration BPDUs. n is an integer in the range of 1 - 10.
• mode enabled | disabled – Enable or disable RSTP on this bridge.
• priority n – Specify a priority value for this bridge in the range of 0 (highest priority) to 61440.
The available port parameters are:
• mode spec – Where spec specifies one of the following modes:
-auto – The port automatically determines the correct mode based on received BPDUs.
-edge – For an RSTP-enabled port connected to an end system.
-legacy – For a port that uses STP only.
-point – For an RSTP-enabled port connected to another switch.
-none – Disable RSTP on this port.
• priority – A priority value in the range 0-240. Numerically lower values indicate higher priorities.
• auto-cost y|n – If y path cost will be determined automatically. If n the path cost used will be the value specified with the cost parameter (below). The default value is y.
• cost – Optionally specify a path cost value in the range 1 - 200000000.

Command: show
Synopsis: show param...
Description: Display information about the settings or status of the bridge or ports. The available parameters are:
• bridge settings – Display information about bridge RSTP settings.
• bridge status – Display information about bridge RSTP status.
• port settings – Display information about the RSTP settings of all ports.
• port status – Display information about the RSTP status of all ports.

CLI s2f command - serial Frame Relay traffic management

Command: add
Synopsis: add channel params
Description: Add a channel where the required parameters are:
• Sx – A serial port designation in the form S1, S2, etc.
• Wx – A WAN port designation - W1 or W2.
• dlcinum – A Data Link Connection Identifier (DLCI) in the range 1-1022.
And where the optional parameters are:
• priority default|expedited – Select a priority queue (high or low) at the WAN port for processing on this channel:
-default – Use the low priority queue.
-expedited – Use the high priority queue.
• offset y|n – Specify whether or not to use a payload offset:
-If y is selected include the 3-byte offset between the header and the data portion of the message. (Required to interoperate with the GarrettCom DS product line.)
-If n is selected begin the data portion of each Frame Relay message immediately after the 2-byte Frame Relay header.

Command: delete
Synopsis: delete channel params
Description: Delete the channel defined by the following 2 values:
• Wx – A WAN port designation.
• dlcinum – A DLCI number.

Command: edit
Synopsis: edit channel Wx dlci params
Description: Edit values in the channel defined by Wx, a WAN port designation, and dlci, a DLCI number. Possible params are:
• priority default|expedited
• offset y|n
See the add channel command (above) for details.

Command: show
Synopsis: show channel params
Description: Display information about serial to Frame Relay configuration, where params can be:
• connection – Display performance statistics about configured s2f connections.
• settings – Display the values that have been set with the add channel command (above).

CLI serial command - manage serial ports

Command: add
Synopsis: add profile profname params
Description: Add a serial port profile named profname (a user-supplied string of up to 32 characters), where params can be:
• interface IFtype – Specify an interface type where valid values for IFtype are rs232, rs232half, rs4852wire, rs4854wire.
• speed rate – Specify a baud rate where valid values for rate are 300, 600, 1200, 2400, 4800, 9600, 19200, 28800, 33600, 38400, 57600, 1152K, 230K.
• data 7|8 – Select 7 or 8 bits/character. The default value is 8.
• stop 1|1point5|2 – Specify stop bits. The default value is 1.
• parity none|even|odd – Specify parity. The default value is none.
• ignore-dss y|n – Specify whether or not to ignore DSS.
-y – The Oper State of the port is UP if the Admin State is ENABLED.
-n – The Oper State of the port is UP if the DSR or DCD handshake signal is on and the Admin State is ENABLED.
• flowcontrol contype – Specify the type of flow control where valid values for contype are none, xonxoff (software flow control), and rtscts (hardware flow control). The default value is none.
• pktchar char – Where char is either none or a character that will force packetization. The default value is none.
• pkttime timer – Where timer defines a timeout value in milliseconds. If an additional character is not received before the timer expires, a packetization event occurs. The special value 0 disables the packetization timer. The default value is 200 and the valid range is 10-1000.
• pktsize maxsize – Where maxsize defines a maximum packet size. The default value is 1024 and the valid range is 32-1024.
• tatime turnt – Where turnt defines a turnaround time, an enforced minimum delay between received network packets that are sent out the serial port. The default value is 0 (off) and the valid range (in milliseconds) is 0-1000.

Command: clear
Synopsis: clear statistics Sx
Description: Clear the performance statistics for the port designated by Sx.

Command: delete
Synopsis: delete profile name
Description: Delete the profile specified by name.

Command: edit
Synopsis: edit profile name key newval
Description: Edit the configured profile specified by name, where key is a keyword for one of the parameters configurable with the add profile command, such as speed, data, etc., and newval is the new value for that parameter.

Command: set
Synopsis: set port Sx | ssl Sx params
Description: Administer port settings or Secure Socket Layer (SSL) functionality, where Sx designates a serial port.
• port Sx params – Where params can be:
-name string – Where string is a user-supplied name of up to 32 characters.
-admin enabled|disabled – Enable or disable the port.
-profile name – Where name is the name of a configured profile.
• ssl Sx params – Where params can be:
-enabled y|n – Specify y to enable SSL.
-cipher spec – Specify a cipher (see Section 3.10.3, “Serial/SSL” for details).
-auth y|n – Specify y to require authentication.
-cert name – Where name is the name of a local certificate.

Command: show
Synopsis: show param
Description: Display information about serial port configuration, where param can be:
• port Sx – Display configuration information about the port designated by Sx.
• profile name – Display configuration information about the profile designated by name.
• ssl – Display SSL configuration for all ports.
• statistics Sx – Display performance statistics for the port designated by Sx.
• status Sx – Display status for the port designated by Sx.
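The three packetization parameters in a serial profile (pktchar, pkttime, pktsize) decide where the byte stream from the port is cut into network packets, and the interplay is easy to get wrong when tuning a polled protocol. The following added example, written for this guide and not GarrettCom code, models those rules: bytes arrive with a millisecond timestamp, and a packet is cut on the packetization character, on reaching pktsize bytes, or when pkttime milliseconds pass with no further character (pkttime 0 disables the timer, as documented). The input bytes and timestamps are constructed sample data.

```python
"""Added example, not GarrettCom code: a model of the three packetization
settings in a serial profile (pktchar, pkttime, pktsize).  Bytes from the port
are fed in with a millisecond timestamp; a packet is cut when the packetization
character arrives, when pktsize bytes have accumulated, or when pkttime
milliseconds pass with no further character.  Input below is constructed."""


class SerialPacketizer:
    def __init__(self, pktchar=None, pkttime=200, pktsize=1024):
        # Ranges and defaults as documented for the serial add profile command.
        if pktchar is not None and len(pktchar) != 1:
            raise ValueError("pktchar must be a single byte or None")
        if pkttime != 0 and not 10 <= pkttime <= 1000:
            raise ValueError("pkttime must be 0 (off) or 10-1000 ms")
        if not 32 <= pktsize <= 1024:
            raise ValueError("pktsize must be 32-1024")
        self.pktchar, self.pkttime, self.pktsize = pktchar, pkttime, pktsize
        self.buf = bytearray()
        self.last_rx = None          # time of the most recent byte
        self.packets = []            # (payload, reason) ready for the network

    def _timer_expired(self, now):
        return self.pkttime != 0 and self.last_rx is not None and now - self.last_rx > self.pkttime

    def _cut(self, reason):
        if self.buf:
            self.packets.append((bytes(self.buf), reason))
            self.buf.clear()

    def receive(self, data, now):
        """Bytes that arrived together at time `now` (milliseconds)."""
        if self._timer_expired(now):  # the idle gap before this burst ended a packet
            self._cut("timeout")
        for b in data:
            self.buf.append(b)
            self.last_rx = now
            if self.pktchar is not None and b == self.pktchar[0]:
                self._cut("pktchar")
            elif len(self.buf) >= self.pktsize:
                self._cut("size")

    def poll(self, now):
        """Called periodically with no data; cuts a packet once the timer runs out."""
        if self._timer_expired(now):
            self._cut("timeout")

    def drain(self):
        """Hand completed packets to the caller and clear the queue."""
        out, self.packets = self.packets, []
        return out


if __name__ == "__main__":
    p = SerialPacketizer(pktchar=b"\r", pkttime=200, pktsize=32)
    p.receive(b"ATZ\r", 0)
    p.receive(b"abc", 100)
    p.poll(400)
    print(p.drain())
```

The reason tag on each packet is the useful diagnostic: a protocol that is being split mid-message will show "timeout" or "size" cuts where "pktchar" was expected, which points at pkttime being shorter than the device's inter-character gap or pktsize being smaller than its longest frame.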

CLI session command - session management

Command: delete
Synopsis: delete sessionID
Description: Delete the session specified by sessionID.

Command: set
Synopsis: set timeout dur
Description: Specify the amount of time a user session may be idle before it is automatically deleted by the system. Possible values for dur are none, 5min, 30min, 1hour, 24hours.

Command: show
Synopsis: show active|policies
Description: Display information on active sessions or display the timeout setting.

CLI snmp command - Simple Network Management Protocol

Command: add
Synopsis: add params...
Description: Where params can be:
• station IPaddress – Where IPaddress is the IP address of a management station that is allowed to query the SNMP agent.
• trap-station IPaddress – Where IPaddress is the IP address of the trap station. You can specify up to 4 trap stations. A trap station is a destination to which SNMP traps are sent.
• user name modespec – Where name is the user name, in up to 40 printable characters, and modespec is one of the following:
-none – No authentication or encryption
-md5 – MD-5 authentication, no encryption
-sha – SHA-1 authentication, no encryption
-md5-des – MD-5 authentication, DES encryption
-sha-des – SHA-1 authentication, DES encryption
Note: After you have supplied name and modespec and entered Return the system will prompt you for the following two passwords:
• Authentication password authpwd – Where authpwd is a string to be used for generating the authentication keys. Allowed password length is 8 to 40 characters.
• Privacy password privpwd – Where privpwd is a string to be used for generating the encryption keys. Allowed password length is 8 to 40 characters.

Command: delete
Synopsis: delete param
Description: Delete a configured station, trap station, or user, where param can be:
• station IPaddress – Where IPaddress is the IP address of a configured management station.
• trap-station IPaddress – Where IPaddress is the IP address of a configured trap station.
• user ID – Where ID is the system-supplied ID of a configured user. (Use the snmp show users command to view user IDs.)

Command: edit
Synopsis: edit param
Description: Edit a configured trap station or user value, where params can be:
• auth-password userID – Edit the authentication password of the user identified by userID.
• priv-password userID – Edit the privacy password of the user identified by userID.
• trap-station IPaddress securname – Where IPaddress is the IP address of a configured trap station and securname is a new community or v3 security name for that trap station.
• user ID key newval – Where ID is the system-supplied ID of a configured user and the key newval combination can be:
-name username – A new user name value.
-mode securmode – A new security mode value.

Command: set
Synopsis: set params...
Description: Configure global SNMP parameters where params can be:
• engine-id id – Where id is a unique identifier assigned to this SNMP agent. You can configure an engine ID that is a string 32 characters long. If you do not configure an engine ID a 12-byte string will be assigned as the default ID. The default ID is a unique value combining the enterprise ID followed by MAC address or IP Address or plain text. The default engine ID for a MNS-DX device is as follows:
-The first four octets contain the Enterprise ID (39cd).
-The fifth octet is a format identifier, which is 03 for MAC address.
-Octets six to eleven contain the MAC address.
-The remainder (up to the twelfth octet) is filled by zeroes.
• local-address addr – Where addr can be:
-any
-a configured IP address
• mode modeval – Enable or disable the SNMP agent, where modeval can be:
-disabled – agent does not respond to queries (default).
-v1v2 – agent only responds to v1 or v2c PDUs.
-v3 – agent only responds to v3 PDUs.
• read-comm commstring – Where commstring is an arbitrary text string of up to 16 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for reading.
• traps disabled|enabled – Enable or disable the sending of traps to configured trap stations. Traps are event notifications sent by the agent to a trap station.
• write-access disabled|enabled – Enable or disable write access to the MIB.
• write-comm commstring – Where commstring is an arbitrary text string of up to 16 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for writing.

Command: show
Synopsis: show param
Description: Display information about SNMP configuration, where param can be:
• settings
• station
• statistics
• trap-station
• user
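The authentication and privacy passwords entered for an snmp user are not used directly; SNMPv3 turns them into keys that are bound to the agent's engine ID, which is why the engine-id setting and the user passwords belong together. The following added example, written for this guide and not GarrettCom code, implements the RFC 3414 password-to-key algorithm and key localization for the md5 and sha modes, and builds a default engine ID in the 12-octet layout described above. The enterprise value and MAC address passed in are constructed sample data, and the RFC 3414 test vector (password maplesyrup, engine ID 000000000000000000000002) is used to check the result.

```python
"""Added example, not GarrettCom code: how the authentication and privacy
passwords entered with 'snmp add user' become per-engine keys (RFC 3414
Appendix A.2 password-to-key plus key localization).  The engine ID builder
follows the default layout described in the guide; the enterprise value and
MAC address used with it are constructed sample data."""
import hashlib

ONE_MEBIBYTE = 1048576


def default_engine_id(enterprise_id, mac):
    """Layout described for MNS-DX: 4 octets enterprise ID, format octet 03
    (MAC address), 6 MAC octets, zero-padded to 12 octets."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    eid = enterprise_id.to_bytes(4, "big") + b"\x03" + mac
    return eid.ljust(12, b"\x00")


def password_to_key(password, engine_id, algo):
    """RFC 3414 A.2: hash the password stretched to 1 MiB to get Ku, then
    localize it as Kul = H(Ku || engineID || Ku).  algo is 'md5' (user mode
    md5 or md5-des) or 'sha' (user mode sha or sha-des)."""
    if not 8 <= len(password) <= 40:
        raise ValueError("password must be 8 to 40 characters")   # limit stated in the guide
    h = {"md5": hashlib.md5, "sha": hashlib.sha1}[algo]
    pw = password.encode()
    stretched = (pw * (ONE_MEBIBYTE // len(pw) + 1))[:ONE_MEBIBYTE]
    ku = h(stretched).digest()
    return h(ku + engine_id + ku).digest()


def user_keys(auth_password, priv_password, engine_id, mode):
    """Keys derived for one snmp user according to its mode
    (none, md5, sha, md5-des, sha-des)."""
    if mode == "none":
        return {}
    algo = mode.split("-")[0]
    keys = {"auth": password_to_key(auth_password, engine_id, algo)}
    if mode.endswith("-des"):
        # DES privacy uses a 16-octet localized key (RFC 3414 section 8); a SHA
        # localized key is 20 octets, so it is truncated.
        keys["priv"] = password_to_key(priv_password, engine_id, algo)[:16]
    return keys


if __name__ == "__main__":
    eid = default_engine_id(0x39CD, bytes.fromhex("001122334455"))   # constructed
    print(eid.hex(), user_keys("maplesyrup", "maplesyrup", eid, "sha-des"))
```

Two consequences follow directly from the localization step: the same password yields a different key on every engine, so a captured key from one DX is not usable against another, and changing engine-id after users exist invalidates every localized key managers have cached, so it is a setting to fix before adding users rather than after.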


CLI sntp command - Simple Network Time Protocol management

add server IPaddress
  Add the SNTP server specified by IPaddress. Up to 3 servers may be added. If a server is down, the software will try the next configured server when retrieving the current time and date.

delete server IPaddress
  Delete the configured SNTP server specified by IPaddress.

set params...
  Configure global SNTP settings, where params can be:
  • local-address localIP – Where localIP can be:
    -any – Packets will use their actual egress interface address as a source address.
    -specific IP address – Packets will use the source address selected from a list of eligible addresses. This may be necessary for conformity with VPN or NAT configurations. To see available addresses use the set ? command.
  • mode modeval – Indicates if and how the SNTP client should be used to set the system's time and date information. modeval takes one of the following values:
    -disable – SNTP will not be used to acquire the current time.
    -active – System time and date information is taken from a configured SNTP server.
    -passive – System time and date information is retrieved from SNTP information that is broadcast periodically from an SNTP server.
  • polling-interval p – Where p is an integer in the range 15-86400 that specifies the frequency in seconds at which the SNTP server will be accessed to obtain the correct time in active mode. The default value is 60.

show server | settings
  Display information about configured SNTP servers or settings.

CLI ssh command - Secure Shell functionality

keygen
  Generate a Digital Signature Algorithm (DSA) key. This must be done once to start the SSH server.

set mode sec | pfmode able
  You can use the set command to specify the security mode of the command line interface or to enable or disable SSH port forwarding. The available commands are:
  • mode sec – Where sec can be:
    -telnet – Allow port 23 (telnet) and port 22 (SSH) connections.
    -sshonly – Allow only SSH connections. If a client attempts a telnet connection the server will send a message indicating that telnet access is not allowed and then shut down the connection.
  • pfmode able – Where able can be:
    -Enable – Allow SSH port forwarding from a client to this server.
    -Disable – Do not allow SSH port forwarding from a client to this server.

show
  Show current SSH server setting and state:
  • CLI Mode – Possible values are Allow Telnet and SSH Only.
  • SSH Server State – Possible values are No Key and Running. No Key is seen only when no Digital Signature Algorithm (DSA) key has been generated for the SSH server with the ssh keygen command or when a complete reformat of the DX flash has eliminated a previously generated key.
  • SSH Port Forwarding – Possible values are Enabled and Disabled.


CLI sw command - software upgrade management

sw fallback
  When the sw show command displays an Upgrade State of READY TO UPGRADE or UPGRADING, entering the sw fallback command cancels the upgrade.

sw finalize
  When the sw show command displays an Upgrade State of UPGRADING, entering the sw finalize command approves the upgrade to the software version marked Current.

sw retry
  When the sw show command displays an Upgrade State of FALLBACK, enter sw retry to attempt the upgrade process again (move to the READY TO UPGRADE state).

sw show
  Display current and previous software versions and upgrade state.

sw upgrade
  When the sw show command displays an Upgrade State of READY TO UPGRADE, entering the sw upgrade command reboots the system and loads the new software image.


CLI syslog command - syslog management

add collector IPaddr
  Where IPaddr is the IP address of a server to which syslog messages will be sent.

delete collector IPaddr
  Delete the syslog collector specified by IPaddr.

set param...
  Configure global syslog settings, where param can be:
  • local-address localIP – Where localIP can be:
    -any – Packets will use their actual egress interface address as a source address.
    -specific IP address – Packets will use the source address selected from a list of eligible addresses. This may be necessary for conformity with VPN or NAT configurations. To see available addresses use the set ? command.
  • mode modeval – Where modeval indicates whether or not events should be sent as syslog messages. The available modeval values are:
    -enabled – Send a syslog message for each event.
    -disabled – Do not send syslog messages (default).

show collector | settings
  Display information about configured syslog collectors or settings.


CLI system command - basic system information management

set name | location | contact
  The available parameters are:
  • name sysname – Where sysname is a name of up to 256 characters for the system under configuration.
  • location placename – Where placename is a name of up to 256 characters of the place where the system under configuration is located.
  • contact identinfo – Where identinfo is a name or contact information for a person responsible for management of the system under configuration, in up to 256 characters.

show info | status
  Display basic system information:
  • info – Displays identity information.
  • status – Displays system memory and performance information.


CLI terminal command - terminal settings

set lines | paging
  Control the display of the CLI terminal. Available parameters are:
  • lines n – Where n is a number in the range of 1-100. This is the maximum number of lines to display in the terminal window on execution of a CLI command. The default value is 24.
  • paging y|n – Control scrolling in the CLI terminal window:
    -If y is specified, output will display one "page" at a time; that is, the scrolling of information will pause at the number of lines specified by the lines parameter and resume after a key is pressed.
    -If n is specified, output will scroll to the screen without pausing until command output is complete.

show
  Show lines and paging settings.


CLI time command - time and date management

set params...
  Set the date and time and optional variables, where params can be:
  • clock hms – Where hms is the current time of day in the 24-hour HH:MM:SS format.
  • date mdy – Where mdy is the current date in the format mm/dd/yyyy.
  • dst dstparams – Set Daylight Saving Time, where dstparams can be:
    -country cntryname – Use the daylight saving rule of the country specified by cntryname. (Use the set dst ? command to display available country names.)
    -custom-rule descr – Where descr is a description of a custom daylight saving time rule built on the following parameters:
      sf – where sf is either day (meaning any day of the week) or a three-letter abbreviation for the name of a day of the week to begin dst.
      sm – where sm is a three-letter abbreviation for the name of a month.
      sd – where sd is an integer in the range of 1-31 specifying "on or after this date."
      st – where st is a starting time expressed as hour and minute in the format HH:MM.
      ef – where ef is either day (meaning any day of the week) or a three-letter abbreviation for the name of a day of the week to end dst.
      em – where em is a three-letter abbreviation for the name of a month.
      ed – where ed is an integer in the range of 1-31 specifying "on or after this date."
      et – where et is an ending time expressed as hour and minute in the format HH:MM.
    -mode disabled|enabled – Enable to enforce daylight saving time by one of the methods above. Disable to use standard time throughout the year.
  • persistence disabled|enabled – The persistence feature supports systems such as DX40 that do not have a clock with battery backup. When the power to these systems is cycled, the clock may come up in an undefined state. With persistence enabled the clock is set to the last known good time and date.
  • utc-offset hm – Where hm is your offset from Universal Coordinated Time (UTC). The value is in HH:MM format. The range is from -12:59 to +12:59.

show
  Display configured time and date settings.
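The custom-rule parameters above (sf sm sd st ef em ed et) define each transition as the first named weekday on or after a date in a month. An added Python example, not GarrettCom code, that parses such a rule string, resolves both transitions for a year, and decides whether a given timestamp is inside DST; it also handles a rule whose end falls before its start in the calendar year (southern-hemisphere style), and rejects a date that does not exist in the named month. The rule strings in it are constructed for illustration, not taken from the manual.

```python
"""Evaluate a time set dst custom-rule description for a given year.
Added example, not GarrettCom code."""
import datetime as dt
import re

DOW = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MON = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], 1)}


def _parse_time(text: str) -> dt.time:
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", text)
    if not m or not (0 <= int(m.group(1)) <= 23 and 0 <= int(m.group(2)) <= 59):
        raise ValueError(f"bad HH:MM value {text!r}")
    return dt.time(int(m.group(1)), int(m.group(2)))


def parse_custom_rule(descr: str) -> dict:
    """descr is 'sf sm sd st ef em ed et' as listed in the manual."""
    parts = descr.lower().split()
    if len(parts) != 8:
        raise ValueError("custom-rule needs exactly sf sm sd st ef em ed et")

    def one(dow, mon, day, hhmm):
        if dow != "day" and dow not in DOW:
            raise ValueError(f"bad day name {dow!r}")
        if mon not in MON:
            raise ValueError(f"bad month name {mon!r}")
        if not 1 <= int(day) <= 31:
            raise ValueError(f"day {day} outside 1-31")
        return {"dow": dow, "month": MON[mon], "day": int(day), "time": _parse_time(hhmm)}

    return {"start": one(*parts[:4]), "end": one(*parts[4:])}


def _transition(spec: dict, year: int) -> dt.datetime:
    """First calendar day on or after spec['day'] in spec['month'] that
    falls on spec['dow'] ('day' means the date itself)."""
    d = dt.date(year, spec["month"], spec["day"])  # raises for e.g. feb 30
    if spec["dow"] != "day":
        while d.weekday() != DOW[spec["dow"]]:
            d += dt.timedelta(days=1)
            if d.month != spec["month"]:
                raise ValueError("no such weekday on or after that date in the month")
    return dt.datetime.combine(d, spec["time"])


def dst_bounds(rule: dict, year: int):
    return _transition(rule["start"], year), _transition(rule["end"], year)


def is_dst(rule: dict, when: dt.datetime) -> bool:
    start, end = dst_bounds(rule, when.year)
    if start < end:                    # DST lies inside the calendar year
        return start <= when < end
    return when >= start or when < end  # DST spans the new year


def is_dst_at(rule: dict, iso_timestamp: str) -> bool:
    return is_dst(rule, dt.datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # Constructed rule: second Sunday of March to first Sunday of November.
    rule = parse_custom_rule("sun mar 8 02:00 sun nov 1 02:00")
    print(dst_bounds(rule, 2024), is_dst_at(rule, "2024-07-04T12:00"))
```

Resolving the rule for the current year before committing it, and comparing the result with the log timestamps the device emits, is an easy way to confirm that syslog and SNTP records line up with the collector's clock.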


CLI ts command - terminal server configuration

add channel Sx params
  Add a channel at the serial port designated by Sx, where params can be:
  • direction in|out – Specify call direction:
    -In – The port acts like a passive TCP server, listening at the configured Local TCP port.
    -Out – The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
  • session-type raw|telnet – Specify a session type:
    -Raw – Provides a transparent pipe for serial data.
    -Telnet – Enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
  • priority diffserv-profile – Specify a diffserv profile.
  • local-address any|X.X.X.X – Specify the local IP address upon which the server listens for connections when the direction is set to "In". The default value of any provides the most flexible configuration; however, if you have configured filtering or pattern matching parameters elsewhere to expect a specific IP address, you can specify that address here.
  • local-tcp n – The local TCP port upon which the server listens.
  • remote-address X.X.X.X – Specify the remote IP address that the client attempts to connect to.
  • remote-tcp n – Specify the remote TCP port to which the client attempts to connect.
  • max-conn maxn – Specify the maximum number of incoming TCP connections to accept for this serial port, where maxn is an integer in the range 1-16. The default value is 5.
  • retry-time secs – Where secs is the number of seconds the client waits for a connection to succeed before timing out and retrying. The valid range is 1-90. The default value is 30.

delete channel chanID
  Delete the channel specified by chanID.

edit channel Sx key val
  Edit the parameters of the channel at serial port Sx, where key is a keyword for a terminal server channel parameter, such as direction or max-conn, and val is the new value for that parameter. See the ts add channel command (above) for details.

show param
  Display information about terminal server configuration, where param can be:
  • channel chanID
  • connection
  • status chanID


CLI vlan command - view and manage VLANs

add n vlan_name
  Add a VLAN with VID n (a number in the range 1-4094) and the name vlan_name (up to 24 printable characters).

delete n
  Delete the VLAN identified by VID n.

edit n name new_name
  Change the name of the VLAN identified by n to the name specified in new_name (up to 24 printable characters).

set param...
  Enable or disable VLAN functionality and/or configure a port, where param can be:
  • mode enable | disable – Enable or disable VLAN awareness on the switch.
  • port Ex portparams – Set VLAN properties on the Ethernet port identified by Ex, where portparams can be:
    -mode access | trunk – An access port is typically connected to an end station and supports a single VLAN. A trunk port is typically connected to another switch and by default supports all configured VLANs.
    -pvid n – Where n is the ID number of the native VLAN assigned to this port.
    -tagged y|n – If y, the port ensures that a VLAN tag is present in a frame before transmission. If n, the port strips all VLAN tags before transmitting frames.
    -prohibit list – Where list is a list of VLANs to prohibit from a trunk port. Enter the VID numbers of prohibited VLANs separated by commas. A continuous range of VIDs can be indicated by a dash. For example: 4, 6-8, 12, 15.

show param
  Display information about VLAN configuration, where param can be:
  • mode – Whether VLAN awareness is enabled or disabled on the switch.
  • port Ex – VLAN settings of the port identified by Ex.
  • vid n – Settings of the VLAN identified by VID n.


CLI vpn command - Virtual Private Network management

add params...
  Where params can be:
  • cert authmethod xxcert.pem – Select a local X.509 certificate as an authentication method, where authmethod is the name of an authentication method in up to 32 characters and xxcert.pem is a valid X.509 certificate.
  • profile profname profparams – Create a VPN profile with the name profname. Configure it by specifying the following profparams or omitting them to accept the defaults:
    -ike-enc des|3des|aes – Specify an encryption algorithm to use for Phase 1 and Phase 2 exchanges. The default value is 3des.
    -ike-hash md5|sha – Specify a hashing algorithm to use for Phase 1 and Phase 2 exchanges. The default value is sha.
    -ike-lifetime n – Specify a lifetime (n) in the range 90-64800 seconds for the keys exchanged in Phase 1 negotiations. The default value is 21600.
    -esp-enc des|3des|aes – Specify an encryption algorithm to use for encrypting tunneled IP traffic. The default value is 3des.
    -esp-hash md5|sha – Specify a hashing algorithm to use for authenticating tunneled IP traffic. The default value is sha.
    -esp-lifetime n – Specify a lifetime (n) in the range 90-64800 seconds for the keys exchanged in Phase 2 negotiations before re-keying is required. The default value is 21600.
    -dhgroup 1|2 – The size of the Diffie-Hellman modulus:
      -1 – 768 bits
      -2 – 1024 bits (default)
    -dpd-poll-time polln – Where polln is the length of time in seconds for this device to wait before sending a Dead Peer Detection (DPD) message. DPD messages are sent only when a device has not exchanged IPSec traffic with a peer for the prescribed interval. The default value is 30 seconds. The valid range is 0-600. A dpd-poll-time value of 0 is an instruction not to use DPD.
  • psk authname – Select a pre-shared key as an authentication method, where authname is the name of an authentication method in up to 32 characters. Enter Return after authname and the system will prompt for the key.
  • tunnel defins – Define a VPN tunnel, where defins is comprised of the following required parameters:
    -sIPaddr – where sIPaddr is a source IP address on this device or on the subnet supported by this device.
    -smask – where smask is a subnet mask to apply to the source IP address.
    -dIPaddr – where dIPaddr is a destination IP address.
    -dmask – where dmask is a subnet mask to apply to the destination IP address.
    -gIPaddr – where gIPaddr is the IP address of the gateway router to be used to access the destination address.
    And the following optional parameters:
    -profile profname – where profname is the security profile to bind to this tunnel. (Use the show profiles command to view configured profiles.)
    -authentication authmethod – where authmethod is the authentication method to use for this tunnel. (Use the show authentication command to view configured authentication methods. Use the add cert name or add psk name commands to configure authentication methods.)

delete params...
  Delete configured VPN values, where params can be:
  • cert authmethodname – Where authmethodname is the name of an authentication method.
  • profile profname – Where profname is the name of a configured VPN profile.
  • psk authmethodname – Where authmethodname is the name of an authentication method.
  • tunnel tunnelID – Where tunnelID is the system-supplied ID of a configured tunnel.

edit params...
  Change a configured value in a VPN profile or tunnel definition, where params can be:
  • profile profname param newvalue – Where profname is the name of a configured VPN profile, param is a parameter in the profile description, and newvalue is the new value for param. See the add profile command, above, for details.
  • tunnel tunnelID param newvalue – Where tunnelID is the system-supplied ID of a VPN tunnel, param is a parameter in the tunnel definition, and newvalue is the new value for param. See the add tunnel command, above, for details.

restart tunnel tID
  Cause the tunnel specified by tID to be renegotiated (starting with Phase 1).

set send-initial-contact y|n
  Specify whether or not this system will initiate contact:
  • y – The system will send an initial contact informational message when it initiates an IKE handshake with a peer for the first time (for example, after a reboot).
  • n – The system will not send an initial contact message. This option works with most peer types. The default value is n.

show authentication | details | profiles | settings | status | tunnels
  Display information about the specified VPN configuration feature.

trace
  Display diagnostic information about operating VPNs.


CLI vrrp command - Virtual Router Redundancy Protocol management

add router params...
  Add a VRRP group. The required parameters are:
  • n – Where n is an integer in the range 1-255 to serve as an ID for this virtual router.
  • IPaddress – The virtual router IP address. If this address matches the IP address assigned to a local interface, this router is considered to be the "owner" of that IP and is always the Master if it is available. Otherwise, the router is considered a backup.
  The optional parameters (that is, if these parameters are not specified default values will be used) are:
  • priority pval – Where pval is an integer in the range 1-254 specifying the configured relative priority of backup routers (that is, routers that do not "own" the virtual router IP). The router with the highest priority will take over if the master fails. The default value is 255 if master and 100 if backup.
  • adver-interval advval – Where advval is an integer in the range 1-60 specifying the frequency in seconds with which the master will send VRRP advertisements. The default value is 1.
  • preemption y|n – If this flag is set to y, this router will take the master role over from another router that has a lower priority. The default value is y.

delete router IDn
  Delete the VRRP group specified by IDn.

edit router IDn key val
  Edit one or more of the configured values of the VRRP group specified by IDn, where key is a keyword for a VRRP parameter, such as priority or preemption, and val is the new value for that parameter. See the vrrp add router command (above) for details.

show groups | status
  Display information about VRRP group configurations or about group status.
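The owner, priority and preemption rules stated for vrrp add router determine which router holds the master role after a failure or a recovery. An added Python example, not GarrettCom code, that applies those rules to a set of routers and validates the parameter ranges before doing so; the router names and addresses are constructed, and the tie-break on equal priority (the router with the higher interface address wins, as RFC 3768 specifies) is an assumption, since the manual does not say how ties are resolved.

```python
"""VRRP master selection following the vrrp add router rules.
Added example, not GarrettCom code."""
from dataclasses import dataclass
import ipaddress

OWNER_PRIORITY = 255   # the owner of the virtual IP always advertises 255


@dataclass(frozen=True)
class VrrpRouter:
    name: str
    interface_ip: str
    virtual_ip: str
    priority: int = 100        # manual default for a backup
    preemption: bool = True    # manual default is y
    adver_interval: int = 1    # manual default is 1 second

    @property
    def is_owner(self) -> bool:
        # owner: the virtual IP matches the address of a local interface
        return self.interface_ip == self.virtual_ip

    @property
    def effective_priority(self) -> int:
        return OWNER_PRIORITY if self.is_owner else self.priority

    def validate(self) -> None:
        if not 1 <= self.adver_interval <= 60:
            raise ValueError(f"{self.name}: adver-interval must be 1-60")
        if not self.is_owner and not 1 <= self.priority <= 254:
            raise ValueError(f"{self.name}: backup priority must be 1-254")


def _rank(router: VrrpRouter):
    # assumption: ties broken by the higher interface address (RFC 3768)
    return (router.effective_priority, int(ipaddress.ip_address(router.interface_ip)))


def elect_master(available, current=None):
    """Return the router that holds the master role, given the routers that
    are currently up and the router (if any) that holds the role now."""
    if not available:
        return None
    for router in available:
        router.validate()
    best = max(available, key=_rank)
    if current is None or current not in available:
        return best                  # no master to displace: highest rank wins
    if best.is_owner:
        return best                  # the owner is always master when available
    if best.preemption and _rank(best) > _rank(current):
        return best                  # preemption y: take over from a lower priority
    return current                   # otherwise the incumbent keeps the role


if __name__ == "__main__":
    # Constructed group: 192.0.2.1 is the virtual IP and also router A's own address.
    a = VrrpRouter("A", "192.0.2.1", "192.0.2.1")
    b = VrrpRouter("B", "192.0.2.2", "192.0.2.1", priority=200)
    c = VrrpRouter("C", "192.0.2.3", "192.0.2.1", priority=100)
    print(elect_master([a, b, c]).name, elect_master([b, c]).name,
          elect_master([b, c], current=c).name)
```

Running the election over the intended group before deployment shows whether a backup with preemption n can strand the group on a low-priority router after a failover, which is the usual surprise when preemption is switched off for stability.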


CLI wan command - Wide Area Network port management

set port Wx param...
  Configure parameters on the WAN port specified by Wx, where param can be:
  The possible parameters for either a DDS or T1/E1 connection are:
  • admin enabled | disabled – Specify the administrative status of this port.
  • bandwidth 56k | 64k – Specify a connection speed of either 56k (typical for carrier-supplied connections) or 64k (available for private networks and all E1 circuits).
  • clock local | received – Specify the source of the data clock. (The default value is received.)
  • name portname – Where portname is a user-supplied name of up to 15 printable characters for this WAN port.
  Possible parameters for T1/E1 connections only are:
  • code codespec – Where codespec specifies the line code for this port:
    -for T1: ami or b8zs (default).
    -for E1: ami or hdb3.
  • frame frtype – Where frtype specifies the frame type for this port:
    -for T1: esf (default) or d4.
    -for E1: fas or cas.
  • mode t1|e1 – Specify whether this connection is T1 or E1.
  • timeslots slotlist – Specify which available time slots are used by this port. Separate single slot numbers with commas and specify a range of slots with a hyphen. For example: 1,3,5-6.

show port Wx | status Wy
  Display information about the configuration of the WAN port specified by Wx or the status of the WAN port specified by Wy.
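The comma-and-dash list syntax is shared by the prohibit parameter of vlan set port and the timeslots parameter above. An added Python parser and formatter for that syntax, not GarrettCom code: it expands a list into sorted slot or VID numbers, rejects reversed or out-of-range elements, and compresses a number set back into the shortest list form. The VID range comes from the vlan add command; the T1 and E1 slot counts are general facts about those circuits, not values stated in this manual.

```python
"""Parser and formatter for the 'a, b-c, d' lists used by vlan set port
prohibit and wan set port timeslots. Added example, not GarrettCom code."""
import re

VLAN_ID_RANGE = (1, 4094)   # VID range stated in the vlan add command
T1_TIMESLOTS = (1, 24)      # general T1 fact: 24 DS0 channels
E1_TIMESLOTS = (1, 31)      # general E1 fact: slot 0 carries framing

_ELEMENT = re.compile(r"(\d+)(?:-(\d+))?")


def parse_id_list(text: str, lo: int, hi: int) -> list:
    """Expand '4, 6-8, 12, 15' into sorted unique integers within lo..hi."""
    ids = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in {text!r}")
        m = _ELEMENT.fullmatch(item)
        if not m:
            raise ValueError(f"bad element {item!r}")
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        if first > last:
            raise ValueError(f"reversed range {item!r}")
        if first < lo or last > hi:
            raise ValueError(f"{item!r} is outside {lo}-{hi}")
        ids.update(range(first, last + 1))
    return sorted(ids)


def format_id_list(ids) -> str:
    """Inverse of parse_id_list: collapse consecutive runs into 'a-b'."""
    ids = sorted(set(ids))
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def parse_prohibit_list(text: str) -> list:
    return parse_id_list(text, *VLAN_ID_RANGE)


def parse_timeslots(mode: str, text: str) -> list:
    """Validate a timeslots list against the slot range for t1 or e1 mode."""
    ranges = {"t1": T1_TIMESLOTS, "e1": E1_TIMESLOTS}
    if mode.lower() not in ranges:
        raise ValueError(f"mode must be t1 or e1, not {mode!r}")
    return parse_id_list(text, *ranges[mode.lower()])


if __name__ == "__main__":
    print(parse_prohibit_list("4, 6-8, 12, 15"))   # the manual's own example
    print(parse_timeslots("t1", "1,3,5-6"))
    print(format_id_list([4, 6, 7, 8, 12, 15]))
```

Normalising a prohibit list with format_id_list before diffing two port configurations avoids false differences that come only from spacing or from writing the same set as separate numbers rather than a range.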


CLI web command - configure security settings on the embedded web server

set cert certname | cipher ciphval | mode http|ssl
  Configure security settings on the system's embedded web server:
  • cert certname – Where certname is the name of the certificate used by the web server when running over SSL (that is, when a browser accesses the server through the https:// URL and/or on port 443).
  • cipher ciphval – Where ciphval specifies the type of encryption to support on the server. This parameter takes the following values:
    -any (3des, aes128, aes256, or rc4) (factory default)
    -3des
    -aes128
    -aes256
    -rc4
  • mode http|ssl – Indicates if the server accepts non-secure HTTP requests. This parameter takes the following values:
    -http – The server accepts requests on port 80 (http://) or on port 443 (https://) (default).
    -ssl – The server will only allow connections over SSL. Any requests sent to port 80 (http://) will be redirected to the https:// URL.

show
  Display the current security setting of the embedded web server.
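An added Python check, not GarrettCom code, that applies the value sets, ranges and defaults listed for vpn add profile and for web set to a proposed configuration and reports the weaker choices among the options the device offers (des with its 56-bit key, md5, the 768-bit Diffie-Hellman group, dpd-poll-time 0, rc4 or any as the web cipher, and mode http). The profile and certificate names in it are constructed.

```python
"""Consistency and hardening checks for vpn add profile and web set values.
Added example, not GarrettCom code."""

# Defaults, permitted values and ranges exactly as listed in the manual.
VPN_DEFAULTS = {"ike-enc": "3des", "ike-hash": "sha", "ike-lifetime": 21600,
                "esp-enc": "3des", "esp-hash": "sha", "esp-lifetime": 21600,
                "dhgroup": 2, "dpd-poll-time": 30}
VPN_CHOICES = {"ike-enc": {"des", "3des", "aes"}, "esp-enc": {"des", "3des", "aes"},
               "ike-hash": {"md5", "sha"}, "esp-hash": {"md5", "sha"},
               "dhgroup": {1, 2}}
VPN_RANGES = {"ike-lifetime": (90, 64800), "esp-lifetime": (90, 64800),
              "dpd-poll-time": (0, 600)}
WEB_CIPHERS = {"any", "3des", "aes128", "aes256", "rc4"}
WEB_MODES = {"http", "ssl"}


def build_profile(overrides: dict) -> dict:
    """Merge profparams onto the defaults, rejecting anything the CLI would."""
    profile = dict(VPN_DEFAULTS)
    for key, value in overrides.items():
        if key not in profile:
            raise ValueError(f"unknown profparam {key!r}")
        if key in VPN_CHOICES and value not in VPN_CHOICES[key]:
            raise ValueError(f"{key}: {value!r} not in {sorted(map(str, VPN_CHOICES[key]))}")
        if key in VPN_RANGES:
            lo, hi = VPN_RANGES[key]
            if not (isinstance(value, int) and lo <= value <= hi):
                raise ValueError(f"{key}: {value!r} outside {lo}-{hi}")
        profile[key] = value
    return profile


def audit_profile(name: str, profile: dict) -> list:
    """Return findings for the weaker of the choices the manual offers."""
    findings = []
    for key in ("ike-enc", "esp-enc"):
        if profile[key] == "des":
            findings.append(f"{name}: {key}=des uses a 56-bit key; use aes")
        elif profile[key] == "3des":
            findings.append(f"{name}: {key}=3des (default); aes is the stronger option offered")
    for key in ("ike-hash", "esp-hash"):
        if profile[key] == "md5":
            findings.append(f"{name}: {key}=md5; use sha")
    if profile["dhgroup"] == 1:
        findings.append(f"{name}: dhgroup 1 is a 768-bit modulus; use dhgroup 2")
    if profile["dpd-poll-time"] == 0:
        findings.append(f"{name}: dpd-poll-time 0 disables Dead Peer Detection, "
                        "so a failed peer is never detected")
    return findings


def audit_web(cert: str, cipher: str, mode: str) -> list:
    """Findings for the web set parameters cert, cipher and mode."""
    if cipher not in WEB_CIPHERS:
        raise ValueError(f"cipher must be one of {sorted(WEB_CIPHERS)}")
    if mode not in WEB_MODES:
        raise ValueError("mode must be http or ssl")
    findings = []
    if mode == "http":
        findings.append("mode http: logins can be sent in clear on port 80; set mode ssl")
    if cipher in {"any", "rc4"}:
        findings.append(f"cipher {cipher}: rc4 is negotiable; restrict to aes256 or aes128")
    if not cert:
        findings.append("no certificate name set; SSL needs a cert certname")
    return findings


if __name__ == "__main__":
    # Constructed names: "site-a" profile, "dxcert" certificate.
    weak = build_profile({"ike-enc": "des", "ike-hash": "md5", "dhgroup": 1})
    print(*audit_profile("site-a", weak), sep="\n")
    print(*audit_web("dxcert", "any", "http"), sep="\n")
```

Run the checks against the values shown by vpn show profiles and web show before and after a change; an empty findings list is the expected state for a device facing an untrusted network.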



APPENDIX 2 – Browser Certificates

You shouldn't overestimate the I.Q. of crooks — NYT: Stuart A. Baker, General Counsel for the NSA

There is no security on this earth. Only opportunity. – Douglas MacArthur

Certificates

Certificates are a means of authenticating the validity of sites, servers or other devices that users connect to for services. These include web servers, servers, data services and more. Normally, users encounter certificates when they sign on to web services.

One of the common methods of compromising security is to create phishing sites. A phishing site looks like the real web site and extracts information from a valid user, which then compromises the security of that user (typically by impersonating the individual to access information, money or other services under a faked identity). This is commonly used to compromise security (hence the quotes at the beginning of this appendix).

Many devices as well as web sites today use secure methods to communicate via the web. Once secure web communication is required, the browser looks at the certificate and matches the URL information to the certificate information. If the information does not match, the browser flags the site as possibly compromised.

Certificates allow a user accessing a web site to verify that they are in fact on the proper web site. To support that, Certificate Authorities validate the authenticity of the site and issue a public certificate. This process usually costs money and time for validation.

Many devices use self signed certificates. A self signed certificate allows a vendor to insert a "signature" identifying its device and other parameters. Many times, the user accessing the device will find that the address of the device they are accessing and the self signed certificate do not match. The browser will typically catch that and warn the user about accessing the site. The sections below describe how to use the browsers with GarrettCom self signed certificates.
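The comparison the browser makes, as an added Python example that is not GarrettCom code: the certificate dictionaries are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and the names and addresses in them are made up. It shows why reaching a device by IP address trips the warning (a certificate whose only name is a commonName such as "MNS-DX" has no IP Address entry to compare against) and what a certificate needs to carry for the same access to pass.

```python
"""Match the address a browser was given against the names in a certificate.
Added example, not GarrettCom code; certificates below are constructed."""
import ipaddress

# A device certificate with only a commonName, the typical self-signed shape.
SELF_SIGNED_CERT = {"subject": ((("commonName", "MNS-DX"),),)}

# A certificate that names the device by DNS wildcard and by IP address.
SAN_CERT = {
    "subject": ((("commonName", "router.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("IP Address", "192.0.2.10")),
}


def _san(cert: dict, kind: str) -> list:
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _common_name(cert: dict):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a single leading wildcard label ('*.example.net')."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # the wildcard stands for exactly one label, so label counts must agree
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_cert_name(cert: dict, host: str):
    """Return (matched, reason) for the host string typed into the browser."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        listed = _san(cert, "IP Address")
        if any(ipaddress.ip_address(v) == ip for v in listed):
            return True, f"IP {host} is listed in subjectAltName"
        return False, (f"accessed by IP address {host}, but the certificate "
                       f"lists {listed or 'no IP addresses'}")
    dns_names = _san(cert, "DNS")
    if dns_names:  # when DNS SANs exist, commonName is ignored
        if any(_dns_match(p, host) for p in dns_names):
            return True, f"{host} matches a DNS subjectAltName"
        return False, f"{host} matches none of {dns_names}"
    cn = _common_name(cert)
    if cn and _dns_match(cn, host):
        return True, "matched commonName (no subjectAltName present)"
    return False, f"commonName {cn!r} does not match {host}"


if __name__ == "__main__":
    for cert, host in ((SELF_SIGNED_CERT, "192.0.2.10"), (SELF_SIGNED_CERT, "mns-dx"),
                       (SAN_CERT, "router.example.net"), (SAN_CERT, "192.0.2.10")):
        print(host, check_cert_name(cert, host))
```

When an exception is added in the browser, it is this comparison that is being bypassed for that one certificate; a certificate issued with the device's management address in its subjectAltName removes the need for the exception altogether.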


Using Mozilla Firefox (ver. 3.x)

Mozilla Firefox version 3.x makes the user validate the certificate before it allows the user to proceed to the site when the address (URL) does not match the information in the self signed certificate.

FIGURE 268 – On finding a mismatch between the certificate and the accessed site, Mozilla Firefox pops up this window. Note that the site was accessed using the IP address. Typically, sites accessed by their IP address will trigger this mismatch.

Make sure you click on the URL pointed to in the figure above.


FIGURE 269 – Mozilla Firefox warns the user again about the dangers of sites with improper certificates. This window may differ depending on the version of the browser you are using.

Once the “Add Exception” button is displayed, make sure you click on it.


FIGURE 270 – Firefox requires you to get the certificate before it lets you access the site.

Notice that the browser points out that valid sites such as banks, online web stores, government sites, secure sites etc. will not ask you to do this. Since the GarrettCom MNS-DX is a "site" authenticated by a self signed certificate, it is appropriate to proceed with this step and click on "Get Certificate" as shown above.


FIGURE 271 – Here you can view the certificate, make the exception permanent and confirm the exception. The locations for each are identified in this figure.

The self signed certificate from GarrettCom is shown in the next figure.


FIGURE 272 – Self signed certificate from GarrettCom Inc for an MNS-6K switch. A similar certificate is present on MNS-DX.

Once accepted, the user does not need to go through these steps again.


Using Internet Explorer (ver 7.x or IE 8.x)

Internet Explorer version 7.x as well as IE 8.x provides a warning when the certificate does not match. There is no mechanism to create a permanent exception in IE 7 or IE 8.

When the exception is pointed out by IE 7 or IE 8, click on Continue as shown below.

FIGURE 273 – Using IE 7 or IE 8

Using Other Browsers

There are many other widely used browsers, such as Opera and Safari. These browsers have similar mechanisms built in to inspect the certificate and create an exception. Please refer to their respective documentation for help.


APPENDIX 3 – Port and Type Reference

Well Known TCP/UDP Network Ports

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are members of the Internet protocol suite. They enable the transmission of data among networked computers by directing traffic to ports associated with specific functions.

TCP is a connection-oriented protocol; that is, it creates an identified connection from client to server for the transmission of data. TCP provides a very reliable interface to a specified port. UDP is a simpler message-based connectionless protocol; that is, UDP simply sends a packet of data to a specified address and port. UDP does not provide the reliability of TCP but it can deliver data with less overhead.

Network port numbers are assigned to specific uses by the Internet Assigned Numbers Authority (IANA). Port numbers 0-1023 are called Well Known Ports and have standard uses, such as port 80 for HTTP traffic. Port numbers 1024-49151 are reserved for Registered Ports, and port numbers 49152-65535 are the dynamic ports, which can be put to any use. (These are the ports called "Public" in Section 3.8.9.3, "NAT: Static Translations".) Comprehensive lists of the conventional uses of all Well Known and Registered ports are available on the internet and in publications. Table B-1 is a partial list of official Well Known ports.


Well Known Ports

Port            Description
0/TCP,UDP       Reserved
1/TCP,UDP       TCPMUX (TCP port service multiplexer)
5/TCP,UDP       RJE (Remote Job Entry)
7/TCP,UDP       ECHO protocol
9/TCP,UDP       DISCARD protocol
13/TCP,UDP      DAYTIME protocol
17/TCP,UDP      QOTD (Quote of the Day) protocol
18/TCP,UDP      Message Send Protocol
19/TCP,UDP      CHARGEN (Character Generator) protocol
20/TCP,UDP      FTP - data port
21/TCP,UDP      FTP - control (command) port
22/TCP,UDP      SSH (Secure Shell)
23/TCP,UDP      Telnet protocol
25/TCP,UDP      SMTP
37/TCP,UDP      TIME protocol
38/TCP,UDP      Route Access Protocol
39/TCP,UDP      Resource Location Protocol
41/TCP,UDP      Graphics
42/TCP,UDP      Host Name Server
43/TCP          WHOIS protocol
49/TCP,UDP      TACACS Login Host protocol
53/TCP,UDP      DNS (Domain Name System)
67/UDP          BOOTP (BootStrap Protocol) server; also used by DHCP (Dynamic Host Configuration Protocol)
68/UDP          BOOTP client; also used by DHCP
69/UDP          TFTP (Trivial File Transfer Protocol)
70/TCP          Gopher protocol
79/TCP          Finger protocol
80/TCP          HTTP (HyperText Transfer Protocol)
88/TCP          Kerberos - authenticating agent
110/TCP         POP3 (Post Office Protocol version 3)
113/TCP         ident
118/TCP,UDP     SQL Services
119/TCP         NNTP (Network News Transfer Protocol)
123/UDP         NTP (Network Time Protocol)
135/TCP,UDP     EPMAP / Microsoft RPC Locator Service
137/TCP,UDP     NetBIOS Name Service
138/TCP,UDP     NetBIOS Datagram Service
139/TCP,UDP     NetBIOS Session Service
143/TCP,UDP     IMAP4 (Internet Message Access Protocol 4)
156/TCP,UDP     SQL Service
161/TCP,UDP     SNMP (Simple Network Management Protocol)
162/TCP,UDP     SNMPTRAP
179/TCP         BGP (Border Gateway Protocol)
194/TCP         IRC (Internet Relay Chat)
213/TCP,UDP     IPX
369/TCP,UDP     Rpc2portmap
371/TCP,UDP     ClearCase albd
389/TCP,UDP     LDAP (Lightweight Directory Access Protocol)
401/TCP,UDP     UPS Uninterruptible Power Supply
427/TCP,UDP     SLP (Service Location Protocol)
443/TCP,UDP     HTTPS - HTTP Protocol over TLS/SSL (encrypted transmission)
445/TCP         Microsoft-DS (Active Directory, Windows shares, Sasser worm, Agobot, Zobot worm)
445/UDP         Microsoft-DS SMB file sharing
464/TCP,UDP     Kerberos Change/Set password
500/TCP,UDP     ISAKMP, IKE - Internet Key Exchange
514/UDP         syslog protocol
520/UDP         Routing - RIP
524/TCP,UDP     NCP (NetWare Core Protocol)
530/TCP,UDP     RPC
540/TCP         UUCP (Unix-to-Unix Copy Protocol)
542/TCP,UDP     commerce (Commerce Applications)
554/TCP,UDP     RTSP (Real Time Streaming Protocol)
563/TCP,UDP     NNTP protocol over TLS/SSL (NNTPS)
587/TCP         email message submission (SMTP) (RFC 2476)
591/TCP         FileMaker 6.0 Web Sharing (HTTP Alternate, see port 80)
593/TCP,UDP     HTTP RPC Ep Map
636/TCP,UDP     LDAP over SSL (encrypted transmission)
691/TCP         MS Exchange Routing
873/TCP         File synchronization protocol
989/TCP,UDP     FTP Protocol (data) over TLS/SSL
990/TCP,UDP     FTP Protocol (control) over TLS/SSL
992/TCP,UDP     Telnet protocol over TLS/SSL
993/TCP         IMAP4 over SSL (encrypted transmission)
995/TCP         POP3 over SSL (encrypted transmission)


ICMP Types

The Internet Control Message Protocol (ICMP) is a core protocol of the Internet protocol suite. It is mainly used to send error messages. Unlike TCP and UDP, ICMP is usually not used directly by network applications (with the exception of the ping application).

ICMP Types

Type      Description
0         Echo Reply
1         Unassigned
2         Unassigned
3         Destination Unreachable
4         Source Quench
5         Redirect
6         Alternate Host Address
7         Unassigned
8         Echo
9         Router Advertisement
10        Router Selection
11        Time Exceeded
12        Parameter Problem
13        Timestamp
14        Timestamp Reply
15        Information Request
16        Information Reply
17        Address Mask Request
18        Address Mask Reply
19        Reserved (for Security)
20-29     Reserved (for Robustness Experiment)
30
31        Datagram Conversion Error
32        Mobile Host Redirect
33        IPv6 Where-Are-You
34        IPv6 I-Am-Here
35        Mobile Registration Request
36        Mobile Registration Reply
37        Domain Name Request
38        Domain Name Reply
39        SKIP
40        Photuris
41-255    Reserved


APPENDIX 4 – Glossary

This glossary contains brief explanations of acronyms and terms used in the manual.

3DES: Triple Data Encryption Standard (DES). A more secure version of the DES standard in which data is encrypted three times.
802.1p: An IEEE standard that provides Quality of Service (QoS) at the layer 2 level.
AES: Advanced Encryption Standard. A NIST-standard cryptographic cipher that uses a block length of 128 bits and key lengths of 128, 192 or 256 bits.
ANSI: American National Standards Institute.
ARP: Address Resolution Protocol. Enables discovery of a device's MAC address when only its IP address is known.
AS: Autonomous System. A set of routers under a single technical administration with an apparently coherent interior routing plan.
ASCII: American Standard Code for Information Interchange.
BGP: Border Gateway Protocol. A protocol for routing traffic between autonomous systems (AS).
BPV: Bipolar violation.
BPDU: Bridge Protocol Data Units. Message units that carry the Spanning Tree Protocol information.
CBT: Core Based Trees. One of the communications protocols of the Internet Protocol Suite. Builds and maintains a shared delivery tree for a multicast group.
CCITT: Comité consultatif international téléphonique et télégraphique. An institution to coordinate telecommunication standards. Although the CCITT acronym is still widely used, the institution has been known since 1992 as the ITU Telecommunication Standardization Sector (ITU-T).
CHAP: Challenge-Handshake Authentication Protocol. A method of authentication of remote clients used by Point to Point Protocol (PPP) servers and based on a shared secret.
CIDR: Classless Inter-Domain Routing. A CIDR address is written with a forward slash preceding a suffix indicating the number of bits in the prefix length, such as 192.168.0.0/16.
CIR: Committed Information Rate. A guaranteed data rate negotiated with a carrier.
CFX: Configuration XML File.
CRC: Cyclic Redundancy Check. A method of detecting errors in transmitted data.
CTS: Clear-to-Send. On an RS-232 interface, a DCE's signal granting a DTE permission to transmit.
DCD: Data Carrier Detect. On an RS-232 interface, a DCE's signal that a connection has been established.
DCE: Data Communications Equipment. Typically a communication device such as a modem. In an RS-232 link a DCE communicates with a DTE.
DDS: Digital Data Service. A private line digital service from carriers other than AT&T.
DES: Data Encryption Standard (DES). A NIST-standard cryptographic cipher that uses a 56-bit key.
DHCP: Dynamic Host Configuration Protocol.
DiffServ: DIFFerentiated SERVices. A type of Quality of Service (QoS) functionality.
DLCI: Data Link Connection Identifier. An identifying number for a private or switched virtual circuit in a frame relay network.
DPD: Dead Peer Detection. A method of determining that an IKE peer (that is, a networked server) is inoperative.
DSA: Digital Signature Algorithm. A United States Federal Government standard for verifying digital signatures.
DSCP: Differentiated Services Code Point. A value in the DiffServ portion of an IP packet header used for classification purposes.
DSR/DTR: Data Set Ready/Data Terminal Ready. RS-232 handshake signals sent from the modem to the terminal (DSR) or from the terminal to the modem (DTR) indicating readiness to accept data.
DTE: Data Terminal Equipment. Typically a computer system. In an RS-232 link a DTE communicates with a DCE.
DTR: See DSR/DTR.
E1: See T1/E1.
EGP: Exterior Gateway Protocol. An internet routing protocol.
ESP: Encapsulation Security Payload. An IPSec header extension for supporting security services.
FCS: Frame Check Sequence. Extra characters added to a Frame for error detection and correction.
FEFI: Far End Fault Indication. A feature of optical ports that detects an unresponsive link and shuts down transmission from the port.
GGP: Gateway to Gateway Protocol. One of the communications protocols of the Internet Protocol Suite. Used mainly for routing datagrams.
HMI: Human Machine Interface. The device that enables a person to monitor and control a machine. Typically the HMI is a computer.
HTTP: HyperText Transfer Protocol.
ICMP: The Internet Control Message Protocol. One of the communications protocols of the Internet Protocol Suite. Chiefly used to convey error messages.
IDRP: Inter-Domain Routing Protocol.
IED: A microprocessor-based device that controls power system equipment such as circuit breakers and voltage regulators.
IEEE: Institute of Electrical and Electronics Engineers.
IGP: Interior Gateway Protocols. A set of routing protocols used within a system.
IGMP: Internet Group Management Protocol. One of the communications protocols of the Internet Protocol Suite. Used to manage membership in multicast groups.
IKE: Internet Key Exchange. The protocol used to set up a Security Association in the IPsec protocol suite.
IP: Internet Protocol.
IPCP: Internet Protocol Control Protocol. Responsible for configuring, enabling, and disabling the IP protocol modules on both ends of a Point-to-Point link.
IPIP: IP in IP encapsulation. One of the communications protocols of the Internet Protocol Suite. Encloses an inner IP header with an outer header for tunneling.
ISO-IP: ISO Internetworking Protocol. A network layer protocol in an OSI network.
ITU-T: See CCITT.
LAN: A computer network covering a small geographic area, like a home, office, or group of buildings. Compare to WAN.
LCP: Link Control Protocol. A part of the Point-to-Point Protocol by which communicating devices exchange LCP packets to determine standards of transmission.
LMI: Local Management Interface. A signaling standard used between routers and frame relay switches.
LRC: Longitudinal Redundancy Check. A method of detecting errors in transmitted data.
LSA: Link State Advertisement. An OSPF data structure that describes a portion of an OSPF network.
LSC: Last Schema Change.
MAC: Media Access Control. A MAC address is a unique identifier attached to most forms of networking equipment.
MD5: Message-Digest algorithm 5. A common cryptographic hash function.
MIB: Management Information Base. A database used by SNMP to manage devices such as switches and routers in a network.
Modbus: A communications protocol using master/slave architecture. A commonly available means of connecting industrial electronic devices.
NAPT: See NAT.
NAT: Network Address Port Translation. A method of using a single public IP address to provide internet access to multiple private IP addresses.
NNI: Network to Network Interface.
NSSA: Not So Stubby Area. An OSPF area with a limited ability to import external routes and transmit them to the OSPF backbone.
OSPF: Open Shortest Path First. A routing protocol to determine the best path for traffic over a TCP/IP network.
PAP: Password Authentication Protocol. An authentication protocol using unencrypted ASCII passwords over a network.
Path Cost: A Spanning Tree parameter that measures how close bridges are to one another. It takes into account the bandwidth of the links between bridges.
PEM: Privacy Enhanced Mail File format. A standard for secure e-mail on the Internet.
PFS: Perfect Forward Secrecy. A property of public key cryptography whereby the compromise of one key does not lead to the compromise of any other keys.
PoE: Power over Ethernet. A technology for delivering power (along with data) to remote devices over the twisted pair cabling of an Ethernet network.
PPP: Point-to-Point Protocol. A data link protocol to establish a direct connection between two networking nodes, commonly used for
PVC: A point-to-point connection that is established before its first use and maintained regardless of the level of activity.
PVID: Port VID. A user configurable parameter that associates a native VLAN with a port. Each port is assigned exactly one PVID. By default, each port is assigned PVID 1.
QoS: Quality of Service. Technology and techniques, such as prioritization, to ensure the predictable handling of specified kinds of traffic.
RADIUS: Remote Authentication Dial-In User Service. An AAA (authentication, authorization and accounting) protocol using a challenge/response method for authentication.
RC4: A stream cipher commonly used with SSL and in wireless networks.
RIB: Routing Information Base. A database on a BGP router that accumulates information about routes to reachable destinations.
RIP: Routing Information Protocol. An Interior Gateway Protocol (IGP) routing protocol used on internal networks. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.
RS-232: A popular standard for passing serial binary data point-to-point between digital systems. Also known as EIA-232. Compare to RS-485.
RS-485: A standard for passing serial data in point-to-point or multipoint configurations among digital data systems. Also known as EIA-485. Less common but more versatile than RS-232.
RSA: Rivest-Shamir-Adleman key. A two-part key. The private key is kept by the owner; the public key is published.
RSTP: Rapid Spanning Tree Protocol. RSTP is a protocol that prevents loops in bridged LAN environments. It also provides for fast recovery from link failures. This product supports RSTP as specified in IEEE 802.1D (2004).
RSVP: Resource reSerVation Protocol. One of the communications protocols of the Internet Protocol Suite. Used to support Quality of Service (QoS) flows.
RTS/CTS: Request to Send/Clear to Send. RS-232 flow control signals sent by transmitting stations (RTS) and receiving stations (CTS).
RTU: Remote Terminal Unit. A device that collects data from data acquisition equipment and sends it to the main system over a network.
SA: Security Association. In IPSec an SA defines a secure, unidirectional communication channel between two entities.
SADB: Security Association Database. An IPSec database containing security information specific to particular connections. Compare to SPD.
SCADA: Supervisory Control And Data Acquisition. A process control application that collects data from networked devices.
SFP: Small Form-factor Pluggable Transceiver. A full-duplex serial interface converter that converts electrical signals to optical signals to run over fiber.
SHA-1: Secure Hash Algorithm 1. A common cryptographic hash function.
SNMP: Simple Network Management Protocol. A network monitoring and control protocol.
SNTP: Simple Network Time Protocol.
SONET: Synchronous Optical Networking. A multiplexing protocol for use over optical fiber.
SPD: Security Policies Database. An IPSec database containing security policies general to the device. Compare to SADB.
SPI: Security Parameters Index. A value added to the header in IPSec tunneling that identifies a session and its encryption properties.
SSH: Secure SHell. A network protocol using public key cryptography to provide secure remote login.
SSL: Secure Socket Layer. A cryptographic protocol that creates a secure data transfer session over a standard TCP connection.
Station Cache: A database maintained by the Ethernet bridge that tracks MAC addresses of stations on the network and the ports associated with them.
Syslog: A protocol for sending event messages over an IP network to remote servers called "event message collectors."
T1/E1: T1 is a widely-used T-carrier telecommunications standard capable of transmitting 1.544 Mbits/second. The T1 designation is used in North America. The analogous system outside of North America is called E1.
TCP: Transmission Control Protocol.
TLS: Transport Layer Security.
UDP: User Datagram Protocol. One of the communications protocols of the Internet Protocol Suite. Replaces TCP when a reliable delivery is not required.
URL: Uniform Resource Locator.
VID: VLAN Identifier.
VLAN: Virtual Local Area Network. A logical subgroup within a local area network that is created with software rather than by physically manipulating cables.
VRRP: Virtual Router Redundancy Protocol. A protocol for specifying a backup router to be used in case of failure of a master router.
WAN: Wide Area Network. A computer network that crosses metropolitan, regional, or national boundaries. Compare to LAN.
WFQ: Weighted Fair Queueing. A packet scheduling technique that enables several data flows to use the same link.
X.509: An X.509 certificate is a message that contains an entity's credentials. Information such as the entity's name, organization, and contact information are included.
XML: eXtensible Markup Language.
XON/XOFF: A software flow control protocol in which a receiver sends an XOFF character to a transmitter to signal that it is unable to receive data and an XON character to signal that it is able to receive data.


APPENDIX 5 – Generating self signed certificates

MNS-DX does not come with any bundled or pre-installed root CA certificates. A CA file needs to be generated or acquired. These certificate files then need to be installed on each unit. A self-signed certificate is one that is generated by the user, and therefore its authenticity cannot be verified by an independent external agency. MNS-DX only understands X.509 certificates that are encoded in the Privacy Enhanced Mail (PEM) format. This is an ASCII text format that is easy to cut and paste into files or email messages. The example in this Appendix uses the OpenSSL command line tool, which is freely available software that runs under Linux, Mac OS X, and Cygwin on Windows. For more information on OpenSSL, see the following reference: Viega, John; Messier, Matt; Chandra, Pravir. Network Security with OpenSSL. O'Reilly Media Inc., ISBN 0-596-00270-X. The steps to generate the certificate and the CA are listed below. The example below is for a Linux system using the openssl command.

Step 1: Generate an RSA key and a certificate request for your CA

$ openssl req -newkey rsa:1024 -nodes -sha1 -keyout cakey.pem -out careq.pem

Generating a 1024 bit RSA private key
......++++++
......++++++
(Here the computer is working to generate the key pair…)

writing new private key to 'cakey.pem'

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value. If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:US


State or Province Name (full name) [Some-State]:MA

Locality Name (eg, city) [ ]:North Andover

Organization Name (eg, company) [Internet Widgits Pty Ltd]: GarrettCom, Inc.

Organizational Unit Name (eg, section) [ ]:Technical Services

Common Name (eg, YOUR name) [ ]:Support

Email Address [ ]:[email protected]

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password [ ]:

An optional company name [ ]:

$

Step 2: Generate a self-signed CA certificate from the request

$ openssl x509 -req -in careq.pem -sha1 -signkey cakey.pem -out cacert.pem

Signature ok

subject=/C=US/ST=MA/L=North Andover/O=GarrettCom, Inc./OU=Technical Services/CN=Support/[email protected]

Getting Private key

$

Step 3: Create the CA's Key File (the CA certificate followed by the CA private key)

$ cat cacert.pem cakey.pem > ca.pem

Step 4: Create an RSA key and a certificate request for your system

$ openssl req -newkey rsa:1024 -nodes -sha1 -keyout syskey.pem -out sysreq.pem

Generating a 1024 bit RSA private key
.++++++
......++++++


writing new private key to 'syskey.pem'

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank. For some fields there will be a default value. If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:MA

Locality Name (eg, city) [ ]:North Andover

Organization Name (eg, company) [Internet Widgits Pty Ltd]:GarrettCom, Inc.

Organizational Unit Name (eg, section) [ ]:Network Planning

Common Name (eg, YOUR name) [ ]:Planner

Email Address [ ]:[email protected]

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password [ ]:

An optional company name [ ]:

$

Step 5: Create the system's certificate and have it signed by the CA

$ openssl x509 -req -in sysreq.pem -sha1 -CA ca.pem -CAkey ca.pem -CAcreateserial -out syscert.pem

Signature ok

subject=/C=US/ST=MA/L=North Andover/O=GarrettCom, Inc./OU=Network Planning/CN=Planner/[email protected]

Getting CA Private Key

$

Step 6: Create the System Key File

$ cat syscert.pem syskey.pem cacert.pem > sys.pem


At this stage the sys.pem file is ready for installation in MNS-DX.
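The six steps above, run end to end as an added shell example (not GarrettCom's script): it issues the same openssl commands non-interactively in a scratch directory and then verifies the result before sys.pem is installed on a unit. It assumes openssl is on PATH, uses constructed placeholder subject names, and substitutes 2048-bit RSA, SHA-256 and explicit CA/server certificate extensions for the manual's 1024-bit keys and SHA-1, which current OpenSSL releases reject when verifying a chain.

```shell
#!/bin/sh
# Added example, not GarrettCom's script: runs steps 1 to 6 of this appendix
# non-interactively in a scratch directory and checks the result before it is
# loaded onto a unit. Assumptions: openssl is on PATH; the subject names are
# constructed placeholders; 2048-bit RSA, SHA-256 and explicit CA/server
# extensions replace the manual's 1024-bit RSA and SHA-1, which current
# OpenSSL releases reject when verifying a chain.
set -eu

# Minimal OpenSSL config so the script does not depend on the system's
# openssl.cnf. The DN itself is passed to openssl req with -subj.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sys_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Produce cacert.pem, cakey.pem, ca.pem, syscert.pem, syskey.pem and sys.pem
# in directory $1, following the appendix step by step (runs in a subshell so
# the cd does not leak to the caller).
build_sys_pem() (
  mkdir -p "$1" && cd "$1"
  write_openssl_cnf openssl.cnf
  ca_subj="/C=US/ST=MA/L=North Andover/O=Example CA/OU=Technical Services/CN=Example Root CA"
  sys_subj="/C=US/ST=MA/L=North Andover/O=Example Co/OU=Network Planning/CN=dx-router-1"

  # Step 1: RSA key and certificate request for the CA (-subj answers the prompts)
  openssl req -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout cakey.pem -out careq.pem -subj "$ca_subj"
  # Step 2: self-signed CA certificate from the request, marked as a CA
  openssl x509 -req -in careq.pem -sha256 -signkey cakey.pem -days 3650 \
    -extfile openssl.cnf -extensions ca_ext -out cacert.pem
  # Step 3: the CA key file is the CA certificate followed by its private key
  cat cacert.pem cakey.pem > ca.pem
  # Step 4: RSA key and certificate request for the system
  openssl req -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout syskey.pem -out sysreq.pem -subj "$sys_subj"
  # Step 5: system certificate signed by the CA; as in the manual, both the
  # CA certificate and the CA key are read out of ca.pem
  openssl x509 -req -in sysreq.pem -sha256 -CA ca.pem -CAkey ca.pem \
    -CAcreateserial -days 825 -extfile openssl.cnf -extensions sys_ext \
    -out syscert.pem
  # Step 6: the system key file is system cert, system key, then CA cert
  cat syscert.pem syskey.pem cacert.pem > sys.pem
)

# Checks worth running before installing sys.pem: the system certificate
# chains to the CA, the private key matches the certificate, and the bundle
# holds exactly two certificates and one private key. Returns 0 on success.
verify_sys_pem() {
  d=$1
  openssl verify -CAfile "$d/cacert.pem" "$d/syscert.pem" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$d/syscert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$d/syskey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$d/sys.pem")" -eq 2 ] || return 1
  [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$d/sys.pem")" -eq 1 ] || return 1
}

# Usage: sh make_sys_pem.sh <output-dir>
if [ "$#" -eq 1 ]; then
  build_sys_pem "$1" && verify_sys_pem "$1" && echo "$1/sys.pem is ready for installation"
fi
```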



APPENDIX 6 – Third Party Licenses

This appendix contains the texts of required licenses for third party software.

GNU LESSER GENERAL PUBLIC LICENSE

Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.


We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) The modified work must itself be a software library.

b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.

c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.

d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.


However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.

c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.


d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.

e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.

b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS.

How to Apply These Terms to Your New Libraries

If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License).

To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

One line to give the library's name and an idea of what it does. Copyright (C) year name of author

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

442 INDEX

Index

3DES, 147, 149, 252, 272, 286, 425 Bypass, 276, 278, 279, 280, 281, 282, 289 802.1d, 106 CA, i, 151, 243, 244, 245, 247, 321, 326, 327, 329, 431, 432, 433 802.1p, 190, 196, 197, 378, 425 CAS, 167 802.1Q, 113 CCITT, 171, 172, 425, 427 Adding Users, 46 Certificate, 149, 243, 244, 245, 246, 247, address locking, 249 252, 288, 299, 321, 326, 327, 328, Address Resolution Protocol, 425 329, 330, 342, 414, 417 AES, 147, 149, 286, 425 certificate authority. See CA AES128, 252, 272 certificates, 61 AES256, 252, 272, 286 CHAP, 184, 186, 187, 255, 374, 381, 425 AMI, 167 CIR, 174, 194, 353, 425 Area Aggregates, 218 CLI, 32, 33, 35, 37, 65, 66, 75, 77, 78, 150, Area Settings, 214 253, 254, 332, 334, 335, 338, 341, 342, 343, 344, 347, 349, 350, 351, AS, 208, 211, 213, 215, 221, 222, 224, 225, 353, 356, 357, 358, 362, 363, 366, 227, 228, 229, 338, 339, 366, 371, 368, 369, 372, 373, 374, 376, 380, 425, 441, 442 383, 384, 386, 388, 391, 392, 395, ASCII, 47, 155, 158, 159, 245, 313, 335, 396, 397, 398, 399, 400, 401, 403, 358, 361, 393, 425, 428, 431 405, 407, 410, 411, 412 ASN.1, 317 community string, 308 authentication, 425, 428 config file, 87, 88 Authentication, 44, 307 CRC, 96, 155, 156, 158, 159, 170, 426 B8ZS, 167 cryptography, 428 BER, 317 D4, 166 BGP, 30, 61, 200, 205, 207, 209, 213, 214, DCE, 129, 426 220, 221, 222, 224, 225, 226, 227, DDS, 163, 164, 165, 168, 169, 170, 171, 228, 229, 230, 231, 295, 298, 301, 185, 187, 411, 426 324, 338, 339, 340, 349, 423, 425, 428 default user, 35 BlowFish, 272 default user name, 35 bootp, 73 Deleting User, 52 BOOTP, 121 DES, 147, 149, 272, 286, 287, 291, 308, 310, 316, 392, 425, 426 Bridge, 425 DH, 271, 287


DHCP, 73, 121, 122, 123, 124, 125, 426 GSSAPI, 76 Differentiated Services. See Diffserv HDB3, 167 Diffie-Hellman, 75, 271, 287, 407 help, 332 DiffServ, 139, 158, 159, 160, 192, 193, 194, Helsinki University of Technology, 75 195, 197, 358, 376, 378, 426 HTTP, 426 digital signatures, 426 ICMP, 198, 199, 259, 260, 261, 263, 265, Digital signatures, 244 297, 298, 301, 350, 376, 424, 426 DLCI, 170, 172, 173, 174, 175, 176, 177, IEEE, 106, 113, 190 178, 179, 181, 182, 183, 194, 202, IEEE 802.1p, 190 212, 222, 266, 275, 312, 353, 354, 355, 360, 386, 426 IEEE 802.1q, 190 DPD, 426 IETF, 192 DS. See Diffserv IGMP, 30, 194, 414, 421, 425, 431, 435 DSA, 76 IKE, 272, 278, 280, 285, 286, 290, 291, 298, 409, 423, 426, 427 DSCP, 139, 158, 159, 160, 192, 195, 196, 197, 376, 378, 426 Importing users, 49 DST, 58 IP addresses, 427 DTE, 129, 426 IP parameters, 35 EEK, 174, 175, 176, 177, 354, 355 IPsec, 198, 260, 269, 271, 272, 276, 277, 278, 279, 281, 289, 290, 291, 292, EIA-232, 129, 428 350, 376, 427 EIA-485, 129, 428 IPv6, 90 Encryption, 425, 426 ISAKMP, 291, 423 ESF, 166 ISP, 254 ESP, 198, 271, 272, 276, 277, 278, 280, Kerberos, 76 286, 287, 291, 350, 376, 426 LAN, 427 Ethernet segments, 113 LCP, 184, 186, 374, 427 Exporting users, 50 link locking, 249, 250 Fallback, 83, 85, 255 LMI, 165, 169, 170, 171, 172, 173, 354, 427 FAS, 166 Local Certificates, 245, 247 FIFO, 190 Locked Out, 53 Frame, 426 lockout, 53 frame relay, 426, 427 Login Banner, 55, 56 Frame Relay, 163, 170, 171, 172, 173, 174, 175, 179, 181, 182, 193, 202, 211, logout, 64 222, 266, 353, 355, 386 LRC, 155, 156, 158, 159, 427 Gateway, 425, 426, 427 MAC address, 427


Management Information Base. See MIB PIM, 209 MD5, 147, 148, 149, 186, 202, 217, 225, PKI, 243, 244 255, 272, 286, 287, 291, 308, 310, Port, 98 316, 327, 367, 381, 427 port mirroring, 98, 99 MIB, 307, 427 port VLANs, 114 Mirroring, 98 PPP, 30, 184, 185, 186, 187, 188, 189, 275, MNS-DX-ADVAR, 62, 82, 198, 200, 208, 221, 295, 298, 301, 374, 375, 425, 428 349 priority, 190 MNS-DX-SECURE, 40, 56, 61, 62, 82, 147, 243, 249, 251, 253, 254, 256, 269, PSK, 271, 272, 288 349 public keys, 75 Modbus, 30, 129, 130, 152, 153, 154, 155, QoS, 190, 191, 192, 425, 426 156, 157, 158, 159, 160, 161, 358, 427 RADIUS, 30, 61, 253, 254, 255, 256, 258, 380, 381, 428 Modify Password, 52 Rate limits, 100 NAPT, 239, 241, 276, 277, 280, 281, 282, 427 RC-4, 147 NAT, 30, 81, 237, 238, 239, 240, 241, 254, rcp, 75 258, 275, 276, 277, 278, 279, 280, RFC 1058, 200, 201, 202, 204 281, 282, 283, 284, 289, 363, 364, 381, 395, 398, 421, 427 RFC 1122, 154 Neighbor Status, 218, 219 RFC 1213, 309 netmask, 32, 33, 65, 203, 212, 223, 323, RFC 1321, 286, 287 344, 345, 350, 356 RFC 1490, 171, 174, 275, 353 NTLM, 76 RFC 1493, 309 NTP, 61 RFC 1631, 237 OpenSSH, 76 RFC 1723, 204 OSI, 152, 170, 171, 200, 427 RFC 1771, 221 OSPF, 61, 198, 200, 201, 205, 207, 208, RFC 1901, 309 209, 210, 211, 213, 214, 215, 216, 217, 218, 219, 220, 221, 227, 231, RFC 1902, 309 260, 276, 295, 298, 301, 324, 349, RFC 1903, 309 350, 366, 367, 368, 369, 370, 371, 372, 383, 427 RFC 1904, 310 PAM, 76 RFC 1905, 310 PAP, 184, 186, 187, 255, 374, 381, 428 RFC 1906, 310 PAT, 30, 237, 238, 240 RFC 1907, 310 PEM, 428 RFC 1908, 309, 310 PHB, 192, 194 RFC 1918, 237


RFC 2104, 310 RFC 4305, 291 RFC 2131, 121 RFC 4391, 121 RFC 2132, 125 RFC 4868, 292 RFC 2271, 309, 310 RIP, 69, 179, 180, 181, 200, 201, 202, 204, 205, 206, 207, 208, 209, 213, 214, RFC 2272, 310 220, 221, 227, 231, 321, 324, 338, RFC 2273, 310 356, 370, 371, 383, 423, 428 RFC 2274, 310 rlogin, 75 RFC 2275, 309, 310 RS-232, 129, 130, 131, 155, 426, 428 RFC 2328, 208, 209 RS-485, 129, 130, 155, 428 RFC 2338, 234 RSA, 75, 76, 147, 148, 149, 243, 244, 245, RFC 2401, 271, 291 288, 328, 428, 431, 432 RFC 2403, 291 rsh, 75 RFC 2404, 291 RSTP, 29, 90, 102, 106, 107, 108, 109, 110, 111, 112, 294, 295, 298, 301, 334, RFC 2405, 291 384, 385, 428 RFC 2406, 271, 291 RTSP, 106 RFC 2407, 291 RTU, 129, 155, 156, 158, 159, 358, 429 RFC 2408, 291 SCADA, 120, 143, 144, 145, 147, 273, 429 RFC 2409, 271, 291 Secure Shell. See SSH RFC 2451, 291 security certificate, 39 RFC 2453, 200 set, 34, 35, 66 RFC 2474, 194 SFTP, 77 RFC 2598, 139, 158, 160, 194 SHA, 147, 148, 149, 272, 286, 287, 291, RFC 3164, 256 292, 310, 316, 327, 392, 429 RFC 3315, 121 SHA-1, 147, 272, 291, 310, 392, 429 RFC 3396, 121 SHA256, 286, 287 RFC 3706, 291 SHA-256, 272 RFC 4251, 76 SHA-256, 292 RFC 4252, 76 SHA512, 286, 287 RFC 4253, 76 SHA-512, 272 RFC 4254, 76 SHA-512, 292 RFC 4256, 76 show, 28 RFC 4271, 221 SNMP, 30, 65, 176, 260, 261, 293, 307, 308, 309, 310, 311, 312, 313, 314, 315, RFC 4303, 291 316, 317, 318, 319, 320, 392, 393, 394, 423, 427, 429


SNMP engine, 309 227, 228, 229, 233, 239, 240, 241, 251, 259, 260, 261, 263, 264, 265, SNMP group, 309 297, 301, 338, 350, 358, 360, 361, SNMP user, 309 363, 374, 376, 403, 421, 422, 423, SNMPv2c, 309 424, 427, 429 SNTP, 58, 79, 80, 82 telnet, 75, 77, 133, 150, 253, 396, 403 SONET, 184, 429 Telnet, 75 SPD, 271, 272, 429 Time, 58 S-Ring, i, 190 Time Persistence, 61 SSH, 75, 76, 77, 78, 79, 253, 296, 396, 422, Time Zone, 58 429 ToS, 192 SSH client, 75 TOS, 195 SSH-1, 75 UDP, 123, 198, 199, 209, 239, 240, 241, SSH-2, 75 254, 255, 259, 260, 261, 263, 265, 278, 297, 301, 350, 360, 363, 376, SSL, 130, 147, 148, 149, 150, 151, 244, 245, 380, 381, 421, 422, 423, 424, 429 251, 252, 298, 301, 389, 412, 423, 428, 429 USM, 310 Static Routes, 179, 203, 212, 214, 223 VACM, 310 status, 57 variable length subnet masks. See VLSM STP, 106, 107 Virtual Front Panel, 41 suspend, 53 virtual LAN, 113 Syslog, 256, 257, 258, 293, 294, 398, 429 VLAN, 113, 114 system, 426, 427 VLANs, 29, 67, 68, 90, 106, 113, 114, 115, 116, 117, 118, 120, 123, 125, 130, System Contact, 57 139, 181, 202, 206, 211, 216, 222, System Information, 57 275, 312, 405 System Location, 57 VLSM, 202, 208 System Name, 57 VPN, 61, 80, 81, 207, 220, 231, 254, 258, 269, 270, 271, 273, 274, 275, 276, System Status, 57 277, 278, 279, 280, 281, 282, 283, system time, 58 284, 285, 286, 287, 288, 289, 290, 291, 295, 298, 301, 381, 395, 398, T1/E1, 163, 164, 165, 166, 167, 168, 169, 407, 409 170, 171, 411, 426, 429 VPN authentication, 61 Tatu Ylönen, 75 VPN tunnel, 61 TCP, 35, 77, 78, 79, 121, 124, 129, 130, 132, 133, 134, 138, 139, 140, 142, VRRP, 30, 198, 233, 234, 235, 260, 276, 143, 145, 147, 150, 152, 154, 155, 295, 298, 301, 350, 410, 429 156, 157, 159, 160, 161, 163, 186, WAN, 30, 42, 66, 69, 139, 158, 160, 163, 198, 199, 200, 208, 209, 221, 222, 164, 165, 166, 167, 168, 169, 170,


171, 173, 174, 175, 176, 177, 181, Write view, 309 182, 185, 187, 192, 193, 194, 202, X.509, 75, 76, 147, 148, 149, 243, 244, 245, 206, 211, 216, 222, 266, 297, 300, 271, 272, 288, 342, 407, 430, 431 353, 354, 355, 360, 386, 411, 427, 430 XML, 50, 51, 87, 337, 343, 426, 430 Weighted Fair Queuing. See WFQ XML file, 50 WFQ, 193, 430
