Magnum Network Software – DX Administrator’s Guide
Version 2.0

GarrettCom, Inc.
25 Commerce Way #1
North Andover, MA 01845
Phone: 978.688.8807
Fax: 978.688.8771
$25.00 USD

Declarations

DOCUMENT NOTICE

Copyright
Copyright 2009 by GarrettCom. Printed in the US. All rights reserved. This manual may not be reproduced or disclosed in whole or in part by any means without the written consent of GarrettCom. DynaStar is a trademark of GarrettCom. All other trademarks mentioned in this document are the property of their respective owners.

This document has been prepared to assist users of equipment manufactured by GarrettCom, and changes are made periodically to the information in this manual. Such changes are reflected in updates or are published in Software Release Notes. If you have recently upgraded your software, carefully note those areas where new commands or procedures have been added. The material contained in this manual is supplied without any warranty of any kind. GarrettCom therefore assumes no responsibility and shall incur no liability arising from the supplying or use of this document or the material contained in it.

Rights
Except as set forth in the Software License Agreement, GarrettCom makes no representation that software programs and practices described herein will not infringe on existing or future patent rights, copyrights, trademarks, trade secrets or other proprietary rights of third parties, and GarrettCom makes no warranties of any kind, either express or implied, and expressly disclaims any such warranties, including but not limited to any implied warranties of merchantability or fitness for a particular purpose and any warranties of noninfringement. The descriptions contained herein do not imply the granting of licenses to make, use, sell, license or otherwise transfer GarrettCom products described herein.

GarrettCom disclaims responsibility for errors which may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.

Part Number Information
Paper Version Part Number: 3-01-2117-00 Rev. AE
CD Part Number: 3-01-2115-00

Magnum Network Software - DX Administrator’s Guide i

Revision History
Release Date | Document Revision | Software Release | Change Note
October, 2006 | 01 | 1.1 | New product release, Hardware and Software.
January, 2007 | 02 | 1.2 | New product release, Hardware and Software.
February, 2007 | AA | 1.2 | New product release, Hardware and Software.
June, 2007 | AB | 1.3 | Added support for Modbus, WAN, VPN, NAT, SSH. New chapter structure.
September, 2007 | AC | 1.3.4 | Added support for WAN port functionality.
April, 2008 | AD | 1.4 | Added virtual front panel and support for OSPF, port rate limiting, stateful firewall, proprietary enterprise MIB, sftp, sw CLI command.
February, 2009 | AE | 2.0 | Added official DX1000 support, full CLI support, PPP and Hayes modem control, alarm contact port, VRRP, BGP, IPsec DPD, SSH port forwarding, configurable default metrics for routes imported into OSPF, configurable default hop count for routes imported into RIP, global enable/disable for Modbus, ability to dump a subsection of the XML config via the CLI, ability for monitor to filter on both the source and dest header info, added IKE lifetime to VPN tunnel profile.

WARRANTY
GarrettCom warrants equipment manufactured by it to be free from defects in materials and workmanship for a period of one (1) year from date of shipment. If within the warranty period the purchaser discovers such item was not as warranted above and promptly notifies GarrettCom in writing, GarrettCom shall repair or replace the items at the company's option.

This warranty shall not apply to: (a) equipment not manufactured by GarrettCom; (b) equipment which shall have been repaired or altered by anyone other than GarrettCom; (c) equipment which shall have been subjected to negligence, accident, or damage by circumstances beyond GarrettCom's control, or to improper operation, maintenance or storage, or to other than normal use or service. With respect to equipment sold but not manufactured by GarrettCom, the warranty obligation of GarrettCom shall, in all aspects, conform and be limited to the warranty actually extended to GarrettCom by its supplier. The foregoing warranties do not cover reimbursement for labor, transportation, removal, installation, or other expenses that may be incurred in connection with repair or replacement.

THE FOREGOING WARRANTIES ARE EXCLUSIVE AND IN LIEU OF ALL OTHER EXPRESS AND IMPLIED WARRANTIES EXCEPT WARRANTIES OF TITLE, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

LIMITATION OF LIABILITY
Anything to the contrary herein contained notwithstanding, GarrettCom, ITS CONTRACTORS AND SUPPLIERS OF ANY TIER, SHALL NOT BE LIABLE IN CONTRACT, IN TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY) OR OTHERWISE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES WHATSOEVER. The remedies of the purchaser set forth herein are exclusive where so stated, and the total cumulative liability of GarrettCom, its contractors and suppliers of any tier, with respect to this contract or anything done in connection therewith, such as the use of any product covered by or furnished under the contract, whether in contract, in tort (including negligence or strict liability) or otherwise, shall not exceed the price of the product or part on which such liability is based.

Unless otherwise agreed to in writing by an authorized official of GarrettCom, products sold hereunder are not intended for use in or in connection with a nuclear facility or activity. If so used, GarrettCom disclaims all liability for nuclear damage, injury or contamination, and purchaser shall indemnify GarrettCom against any such liability, whether as a result of breach of contract, warranty, tort (including negligence) or otherwise.

PATENTS
As to equipment proposed and furnished by GarrettCom, GarrettCom shall defend any suit or proceeding brought against purchaser so far as based on a claim that said equipment constitutes an infringement of any patent of the United States, if notified promptly in writing and given authority, information, and assistance at GarrettCom's expense for the defense of the claim. In the event of a final award of costs and damages from such a suit, GarrettCom shall pay such award. In the event the use of said equipment by purchaser is enjoined in such a suit, GarrettCom shall, at its own expense and at its sole option, either (a) procure for purchaser the right to continue using the equipment, (b) modify said equipment to render it non-infringing, (c) replace said equipment with non-infringing equipment, or (d) refund the purchase price (less depreciation) and transportation and installation costs of said equipment. GarrettCom will not be responsible for any compromise or settlement made without its written consent. The foregoing states the entire liability of GarrettCom for patent infringement, and in no event shall GarrettCom be liable if the infringement charge is based on the use of GarrettCom equipment for a purpose other than that for which it was sold by GarrettCom. As to any equipment furnished by GarrettCom to purchaser and manufactured in accordance with designs proposed by purchaser, purchaser shall indemnify GarrettCom against any award made against GarrettCom for patent, trademark, or copyright infringement.

RETURN OF EQUIPMENT
No equipment may be returned without purchaser first obtaining GarrettCom's written Return Material Authorization (RMA). An RMA can be obtained by contacting Sales at 978.688-8807. Equipment accepted for credit, not involving a GarrettCom error, shall be subject to all the terms of the original purchase contract and to a service charge. Returned equipment must be of current manufacture, unused, and in reasonable condition, securely packed to reach GarrettCom without damage, shipped F.O.B. GarrettCom facility with transportation charges paid, and labeled with the Return Material Authorization (RMA) number. Any cost incurred by GarrettCom to put equipment in first class condition will be charged to purchaser.

COMPLIANCE NOTICES

FCC Part 15
This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his/her own expense. In order to maintain compliance with FCC regulations, shielded cables must be used for electrical I/O with this equipment. Operation with non-approved equipment or unshielded cables may result in interference to radio and television reception. Changes or modifications could void the user’s authority to operate the equipment. The user is cautioned not to change or modify this product.

IC CS03 (Industry Canada)
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the interference-causing equipment standard entitled “Digital Apparatus”, ICES-003 of the Department of Communications. (French version: This digital apparatus complies with the radio noise limits applicable to Class A digital apparatus prescribed in the interference-causing equipment standard “Digital Apparatus”, NMB-003, issued by the Minister of Communications.)

EN55022
Warning: This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

SAFETY
WARNING: Service to this unit can be made only by factory authorized personnel. Failure to observe this caution can result in malfunction of the unit as well as electrocution of personnel.

Avertissement (French version): This device may only be inspected or repaired by an employee authorized by the manufacturer. If this instruction is not followed, there is a risk of failure and electrocution.

Vorsicht (German version): This device may only be serviced by the factory's authorized service personnel. Failure to observe this instruction can lead to malfunction of the device and endanger personnel through electric shock.

Table 2-1. Industry Canada Warnings (Avis d’Industrie Canada)

Notice:
Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. The customer should be aware that compliance with the above conditions may not prevent degradation of service in some situations.
Repairs to certified equipment should be coordinated by a representative designated by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment. Users should ensure for their own protection that the electrical ground connections of the power utility, telephone lines, and internal metallic water pipe system, if present, are connected together. This precaution may be particularly important in rural areas.

Avis (French version):
Before installing this equipment, the user must ensure that it is permitted to connect it to the facilities of the local telecommunications company. The equipment must also be installed using an accepted method of connection. The subscriber must not forget that compliance with the conditions set out above may not prevent degradation of service in some situations.
Repairs to certified equipment must be coordinated by a representative designated by the supplier. The telecommunications company may ask the user to disconnect a device following repairs or modifications made by the user, or because of malfunction. For their own protection, the user must ensure that all grounding wires of the electrical power source, the telephone lines and the metal water pipes, if any, are connected together. This precaution is particularly important in rural areas.

Service Personnel Warning
The DX series devices may be AC or DC powered. Remove all power connections at the circuit panel before removing the unit.
The installation of this product must comply with all applicable codes and practices specified by the country, city, and operating company in which it is installed.

Grounding
All units requiring grounding use a grounding wire with a minimum size of 14 AWG and a maximum length of five feet. The DX40 is equipped with an external grounding screw (6-32 pan head). The grounding screw should be torqued to 10 inch-pounds (1.1 Nm). The DX800 and DX900 are equipped with an external grounding bolt (#10/32 UNF-2B). The ground lug bolt should be torqued to 32 inch-pounds (3.6 Nm).

CONTACTING GARRETTCOM UTILITY NETWORKS
By Mail: GarrettCom Utility Networks, 25 Commerce Way #1, North Andover, MA 01845
Telephone: 978.688-8807
Fax: 978.688-8771
Website: www.garrettcom.com
Email: [email protected]
Customer support representatives are available during normal business hours, 8 am to 5 pm EST.

TABLE OF CONTENTS

Preface
About This Manual ... xv
Conventions ... xvi
Related Documents ... xvi
Web Access ... xvi
Your Comments ... xvi

CHAPTER 1: OVERVIEW
1.1 Features and Benefits ... 1
1.1.1 Magnum DX40 Industrial Router ... 1
1.1.2 Magnum DX800 Industrial Router ... 1
1.1.3 Magnum DX900 Industrial Router ... 1
1.1.4 Magnum DX1000 Industrial Router ... 2
1.1.5 GarrettCom-hardened ... 2
1.1.6 Features Summary ... 2
1.2 Applications/Topologies – Magnum DX800 ... 8
1.2.1 Integrated Substation Network ... 8
1.2.2 Standalone Local Communications Platform ... 9
1.2.3 Remote Network Concentration ... 10
1.2.4 Distributed Local Network using Ethernet ... 11
1.2.5 Distributed Regional Fiber-optic Network ... 12
1.3 Applications/Topologies – Magnum DX900 ... 13
1.4 Applications/Topologies – Magnum DX40 ... 13
1.4.1 Linking WAN and Remote Site ... 14
1.4.2 Fiber-based Extension of WAN to Serial Devices ... 14
1.4.3 Daisy Chain Topology ... 15
1.4.4 Paired Point-to-Point ... 15

CHAPTER 2: GETTING STARTED
2.1 Hardware Installation ... 17
2.2 Software Management ... 17
2.2.1 Configuring a New IP Address ... 17
2.3 The Administrator Interface Overview ... 19
2.3.1 Navigation Tree ... 21

CHAPTER 3: SYSTEM ADMINISTRATION
3.1 Virtual Front Panel ... 27
3.2 Administration Tasks ... 28
3.2.1 System ... 28
3.2.1.1 System Information ... 28
3.2.1.2 System Status ... 29
3.2.2 Time ... 30
3.2.2.1 Time: Time and Date ... 30
3.2.2.2 Time: Zone and DST ... 31
3.2.2.3 Time: Persistence ... 33
3.2.3 SNTP ... 34
3.2.3.1 SNTP: Global Settings ... 34
3.2.3.2 SNTP: Servers ... 35
3.2.4 SNMP ... 37
3.2.4.1 SNMP: Global Settings ... 37
3.2.4.2 SNMP: Management Stations ... 39
3.2.4.3 SNMP: Trap Stations ... 40
3.2.4.4 SNMP: Users ... 41
3.2.4.5 SNMP: Statistics ... 43
3.2.5 Authentication ... 47
3.2.5.1 Authentication: Policies ... 47
3.2.5.2 Authentication: Accounts ... 50
3.2.5.3 Authentication: Files ... 52
3.2.6 Sessions ... 53
3.2.6.1 Sessions: Policies ... 53
3.2.6.2 Sessions: Active Logins ... 53
3.2.7 Change Password ... 54
3.2.8 Software Upgrade ... 55
3.2.8.1 Software Upgrade States ... 55
3.2.9 Configuration ... 60
3.2.9.1 Configuration: Files ... 60
3.2.9.2 Configuration: Defaults ... 61
3.2.10 System Reboot ... 62
3.3 Events Tasks ... 63
3.3.1 Logs ... 63
3.3.1.1 Logs: Global Settings ... 67
3.3.1.2 Logs: Files ... 69
3.3.2 Syslog ... 70
3.3.2.1 Syslog: Global Settings ... 70
3.3.2.2 Syslog: Collectors ... 71
3.3.3 Alarms ... 72
3.3.3.1 Alarms: Port Settings ... 72
3.3.3.2 Alarms: Actions ... 73
3.4 Ethernet Tasks ... 74
3.4.1 Ports ... 74
3.4.1.1 Ports: Settings ... 74
3.4.1.2 Ports: Status ... 76
3.4.1.3 Ports: Summary Statistics ... 77
3.4.1.4 Ports: Extended Statistics ... 78
3.4.1.5 Ports: Mirroring ... 81
3.4.1.6 Ports: Rate Limits ... 82
3.4.2 Bridge ... 84
3.4.2.1 Bridge: Global Settings ... 85
3.4.2.2 Bridge: Port Settings ... 86
3.4.2.3 Bridge: Static MACs ... 87
3.4.2.4 Bridge: Station Cache ... 88
3.4.3 RSTP ... 90
3.4.3.1 RSTP: Bridge Settings ... 90
3.4.3.2 RSTP: Port Settings ... 91
3.4.3.3 RSTP: Bridge Status ... 93
3.4.3.4 RSTP: Port Status ... 94
3.4.4 VLAN ... 96
3.4.4.1 VLAN: Global Settings ... 96
3.4.4.2 VLAN: VIDs ... 97
3.4.4.3 VLAN: Port Settings ... 98
3.5 Serial Tasks ... 100
3.5.1 Ports ... 100
3.5.1.1 Ports: Profiles ... 100
3.5.1.2 Ports: Settings ... 104
3.5.1.3 Ports: Status ... 105
3.5.1.4 Ports: Statistics ... 106
3.5.2 Terminal Server ... 108
3.5.2.1 Terminal Server: Channel Settings ... 108
3.5.2.2 Terminal Server: Channel Status ... 110
3.5.2.3 Terminal Server: Connections ... 112
3.5.3 Frame Relay ... 113
3.5.3.1 Frame Relay: Channel Settings ... 113
3.5.3.2 Frame Relay: Connections ... 115
3.5.4 Modbus ... 116
3.5.4.1 Modbus: Local Masters ... 116
3.5.4.2 Modbus: Local Slaves ... 117
3.5.4.3 Modbus: Remote Slaves ... 119
3.5.4.4 Modbus: Connections ... 120
3.6 WAN Tasks ... 121
3.6.1 Port Settings (DDS) ... 121
3.6.2 Port Settings (T1/E1) ... 122
3.6.3 Port Status ... 124
3.6.4 Frame Relay ... 126
3.6.5 DLCI Settings ... 128
3.6.6 DLCI Status ... 129
3.7 PPP Tasks ... 130
3.7.1 Profiles ... 130
3.7.2 Connections ... 132
3.7.3 Status ... 133
3.7.4 Statistics ... 134
3.8 Routing Tasks ... 135
3.8.1 IP Addresses ... 135
3.8.1.1 The Other Options Link ... 136
3.8.2 Static Routes ... 137
3.8.2.1 Specifying a Default Gateway ... 138
3.8.3 Table ... 139
3.8.4 ARP Table ... 140
3.8.5 RIP ... 141
3.8.5.1 RIP: Global Settings ... 141
3.8.5.2 RIP: Interface Settings ... 143
3.8.6 OSPF ... 144
3.8.6.1 OSPF: Global Settings ... 144
3.8.6.2 OSPF: Area Settings ... 146
3.8.6.3 OSPF: Interface Settings ... 147
3.8.6.4 OSPF: Interface Profiles ... 148
3.8.6.5 OSPF: Area Aggregates ... 149
3.8.6.6 OSPF: Neighbor Status ... 150
3.8.7 BGP ... 151
3.8.7.1 BGP: Global Settings ... 152
3.8.7.2 BGP: Peer Settings ... 153
3.8.7.3 BGP: Profiles ... 154
3.8.7.4 BGP: Status ... 155
3.8.7.5 BGP: RIB ... 157
3.8.7.6 BGP: Statistics ... 158
3.8.8 VRRP ... 159
3.8.8.1 VRRP: Groups ... 159
3.8.8.2 VRRP: Status ... 160
3.8.9 NAT ... 161
3.8.9.1 NAT: Global Settings ... 162
3.8.9.2 NAT: Port Forwarding ... 163
3.8.9.3 NAT: Static Translations ... 164
3.8.10 DHCP Server ... 166
3.8.10.1 DHCP Server: Host Parameters ... 166
3.8.10.2 DHCP Server: Static Addresses ... 167
3.8.10.3 DHCP Server: Dynamic Addresses ... 168
3.8.10.4 DHCP Server: Leases ... 169
3.9 QoS Tasks ... 171
3.9.1 DiffServ ... 171
3.9.2 802.1p ... 173
3.9.3 Ethernet Port ... 174
3.9.4 IP Flows ... 175
3.10 Security Tasks ... 177
3.10.1 Certificates ... 177
3.10.1.1 Certificates: Local ... 177
3.10.1.2 Certificates: CAs
................................................................................................178 3.10.2 Ethernet Port ...................................................................................................................179 3.10.3 Serial/SSL .......................................................................................................................181 3.10.4 Web Server .....................................................................................................................183 3.10.5 CLI ..................................................................................................................................184 3.10.6 Firewall ............................................................................................................................186 3.10.6.1IP Interface Groups in General ..........................................................................186 3.10.6.2Firewall: IP Interfaces ........................................................................................186 3.10.6.3Firewall: Interface Groups ..................................................................................187 3.10.6.4Firewall: IP Filters ..............................................................................................188 3.10.6.5Firewall: Stateful IP Filters .................................................................................190 3.10.7 Radius .............................................................................................................................191 3.10.7.1RADIUS: Global Settings ...................................................................................192 3.10.7.2RADIUS: Servers ...............................................................................................193 3.10.8 VPN .................................................................................................................................194 3.10.8.1VPN: Global Settings 
.........................................................................................195 3.10.8.2VPN: Profiles ......................................................................................................196 3.10.8.3VPN: Authentication ...........................................................................................198 3.10.8.4VPN: Tunnels .....................................................................................................199 3.10.8.5VPN: Status .......................................................................................................200 3.10.8.6VPN: Details .......................................................................................................201 3.11 Wizards ..........................................................................................................................................203 3.11.1 The Router Setup Wizard ...............................................................................................203 3.11.2 The Certificate Creation Wizard ......................................................................................203 Magnum Network Software - DX Administrator’s Guide x CONTENTS CHAPTER 4: THE CLI AND PROTOCOL MONITOR 4.1 CLI Access .................................................................................................................................... 205 4.1.1 MNS-DX support for SFTP ............................................................................................. 206 4.2 CLI Functionality ............................................................................................................................ 208 4.2.1 Keyboard Navigation in the CLI ...................................................................................... 208 4.2.2 Global Commands .......................................................................................................... 
209 4.2.3 Basic and Specific Commands ....................................................................................... 209 4.2.3.1 Obtaining Help on CLI Commands .................................................................... 212 4.2.3.2 The alarm Command ......................................................................................... 213 4.2.3.3 The auth Command ........................................................................................... 214 4.2.3.4 The bgp Command ............................................................................................ 218 4.2.3.5 The bridge Command ........................................................................................ 221 4.2.3.6 The cert Command ............................................................................................ 222 4.2.3.7 The config Command ........................................................................................ 223 4.2.3.8 The dhcp Command .......................................................................................... 224 4.2.3.9 The ethernet Command ..................................................................................... 227 4.2.3.10The firewall Command ....................................................................................... 230 4.2.3.11The fr Command ................................................................................................ 233 4.2.3.12The ip Command ............................................................................................... 236 4.2.3.13The log Command ............................................................................................. 238 4.2.3.14The modbus Command ..................................................................................... 239 4.2.3.15The monitor Command ...................................................................................... 
241 4.2.3.16Protocol Monitor Output Example ...................................................................... 245 4.2.3.17The nat Command ............................................................................................. 246 4.2.3.18The ospf Command ........................................................................................... 249 4.2.3.19The password Command .................................................................................. 256 4.2.3.20The ping Command ........................................................................................... 256 4.2.3.21The ppp Command ............................................................................................ 257 4.2.3.22The qos Command ............................................................................................ 259 4.2.3.23The radius Command ........................................................................................ 263 4.2.3.24The rip Command .............................................................................................. 266 4.2.3.25The rstp Command ............................................................................................ 268 4.2.3.26The s2f Command ............................................................................................. 270 4.2.3.27The serial Command ......................................................................................... 272 4.2.3.28The session Command ...................................................................................... 274 4.2.3.29The snmp Command ......................................................................................... 275 4.2.3.30The sntp Command ........................................................................................... 278 4.2.3.31The ssh Command ............................................................................................ 
280 4.2.3.32The sw Command ............................................................................................. 281 4.2.3.33The syslog Command ........................................................................................ 286 4.2.3.34The system Command ...................................................................................... 287 4.2.3.35The terminal Command ..................................................................................... 288 4.2.3.36The time Command ........................................................................................... 289 4.2.3.37The ts Command ............................................................................................... 291 4.2.3.38The vlan Command ........................................................................................... 293 4.2.3.39The vpn Command ............................................................................................ 295 4.2.3.40The vrrp Command ............................................................................................ 298 4.2.3.41The wan Command ........................................................................................... 299 4.2.3.42The web Command ........................................................................................... 
301 Magnum Network Software - DX Administrator’s Guide xi CONTENTS CHAPTER 5: OPERATIONAL GUIDE 5.1 Frame Relay ..................................................................................................................................303 5.1.1 Wide Area Network Ports ................................................................................................303 5.1.2 Data Link Channel Identifiers ..........................................................................................303 5.2 Quality of Service ...........................................................................................................................304 5.2.1 QoS Model ......................................................................................................................304 5.2.1.1 Priority Queues ..................................................................................................305 5.2.1.2 DiffServ Marking ................................................................................................306 5.2.1.3 DiffServ Processing ...........................................................................................306 5.2.1.4 WAN ports ..........................................................................................................306 5.3 IP Addressing and Routing ............................................................................................................308 5.3.1 Default Configuration ......................................................................................................308 5.3.2 Router Interfaces ............................................................................................................308 5.3.3 VLAN Interfaces ..............................................................................................................308 5.3.4 IP Address Table ............................................................................................................308 5.3.5 Routing Table 
..................................................................................................................309 5.3.6 Routing Services .............................................................................................................309 5.4 DHCP Server .................................................................................................................................309 5.5 SNMP ............................................................................................................................................309 5.5.1 Supported Versions and Features ..................................................................................310 5.6 RSTP .............................................................................................................................................310 5.6.1 RSTP Setup ....................................................................................................................311 5.6.1.1 BPDUs ...............................................................................................................312 5.6.1.2 Bridge Roles ......................................................................................................312 5.6.1.3 Port Roles ..........................................................................................................312 5.6.1.4 Edge Ports and Point-to-Point Links ..................................................................313 5.6.1.5 Port States .........................................................................................................313 5.6.2 RSTP Normal Operation .................................................................................................313 5.6.3 Design Considerations ....................................................................................................314 5.6.3.1 Configuring Bridge Settings ...............................................................................314 5.6.3.2 Configuring 
Port Settings ...................................................................................315 5.7 VLAN .............................................................................................................................................315 5.7.1 Adding VLANs .................................................................................................................315 5.7.1.1 VLAN IDs ...........................................................................................................315 5.7.2 Configuring Ports for VLAN Membership ........................................................................316 5.7.2.1 Port VLAN IDs ....................................................................................................316 5.7.2.2 Tagging ..............................................................................................................316 5.7.2.3 Filtering ..............................................................................................................316 5.7.2.4 Frame Classification and Forwarding ................................................................317 5.7.3 VLANs and Serial Ports ..................................................................................................318 5.7.3.1 Example Scenario ..............................................................................................318 5.8 Security ..........................................................................................................................................320 5.8.1 Ethernet Port Security .....................................................................................................320 5.8.1.1 Address Locking ................................................................................................321 5.8.1.2 Link Locking .......................................................................................................321 5.8.2 Serial Port Security 
.........................................................................................................321 5.8.2.1 Serial Data Over SSL .........................................................................................321 5.8.2.2 MNS-DX SSL Version Support ..........................................................................322 5.8.2.3 Secure Web Server using HTTP over SSL (https://) ..........................................322 5.8.3 Keys and Certificates ......................................................................................................322 5.8.3.1 RSA Public Key Cryptography ...........................................................................323 Magnum Network Software - DX Administrator’s Guide xii CONTENTS 5.8.4 5.8.5 5.8.6 5.8.7 5.9 5.8.3.2 Digital Signatures .............................................................................................. 323 5.8.3.3 X.509 Certificates .............................................................................................. 323 5.8.3.4 Certificate Authority ........................................................................................... 323 5.8.3.5 MNS-DX Certificate Files ................................................................................... 324 5.8.3.6 MNS-DX Key Files ............................................................................................. 324 5.8.3.7 Key Exchange ................................................................................................... 326 5.8.3.8 Peer Authentication ........................................................................................... 326 5.8.3.9 Certificate and Key File Generation ................................................................... 326 5.8.3.10Certificate and Key File Installation ................................................................... 
328 IP Firewall ....................................................................................................................... 329 5.8.4.1 IP Filters ............................................................................................................ 329 5.8.4.2 Stateful Firewall ................................................................................................. 330 5.8.4.3 Filter Rules ........................................................................................................ 332 Network Address Translation ......................................................................................... 332 5.8.5.1 IP Masquerading ............................................................................................... 333 5.8.5.2 Port Forwarding ................................................................................................. 333 5.8.5.3 Static Translations ............................................................................................. 333 5.8.5.4 Firewall/NAT Interaction .................................................................................... 334 RADIUS Support ............................................................................................................ 335 DX-Series Cipher Support .............................................................................................. 335 VPN ............................................................................................................................................... 336 5.9.1 Key Management ........................................................................................................... 337 5.9.2 Peer Authentication ........................................................................................................ 337 5.9.3 Packet Integrity and Confidentiality ................................................................................ 
337 5.9.4 Profiles ........................................................................................................................... 338 5.9.5 Tunnels ........................................................................................................................... 338 5.9.6 IKE .................................................................................................................................. 338 5.9.6.1 Tunnel Lifetimes ................................................................................................ 339 5.9.7 Configuring a VPN .......................................................................................................... 339 5.10 SSH ............................................................................................................................................... 340 5.11 Modbus .......................................................................................................................................... 340 5.11.1 Network Topologies ........................................................................................................ 340 5.11.2 Serial Protocol Variants .................................................................................................. 341 5.11.3 Network Protocol ............................................................................................................ 342 5.11.4 Exception Handling ......................................................................................................... 342 5.11.5 TCP Connection Handling .............................................................................................. 343 5.12 User Account Management ........................................................................................................... 344 5.12.1 User Groups ................................................................................................................... 
344 Appendix A:Terminal Server Application Notes A.1 What is a Terminal Server? ........................................................................................................... 345 A.1.1 Serial Protocol Standards ............................................................................................... 345 A.1.2 Networking Standards .................................................................................................... 345 A.2 Bridging the Gap between Serial and Network Communication ................................................... 346 A.3 Terminal Server Operation ............................................................................................................ 347 A.3.1 Passive Mode Channels ................................................................................................. 347 A.3.2 Active Mode Channels .................................................................................................... 348 A.3.3 Mixed Mode .................................................................................................................... 348 A.3.4 Session Type .................................................................................................................. 348 A.4 Application #1: Device Console Access ........................................................................................ 
349 Magnum Network Software - DX Administrator’s Guide xiii CONTENTS A.5 Application #2: Serial-over-TCP/IP Tunnel ...................................................................................351 A.6 Application #3: Multipoint SCADA .................................................................................................353 A.7 Using MNS-DX Secure Serial Ports ...............................................................................................355 A.8 Application #4: Serial-over-Secure-TCP Tunnel ............................................................................355 A.9 Troubleshooting Terminal Server SSL Connections ......................................................................358 Appendix B:Port and Type Reference B.1 Well Known TCP/UDP Network Ports ............................................................................................361 B.2 ICMP Types ...................................................................................................................................364 Appendix C:Frame Relay Provisioning C.1 Introduction ....................................................................................................................................367 C.2 DDS Interface Configuration ..........................................................................................................368 C.3 T1/E1 Interface Configuration ........................................................................................................371 C.4 Frame Relay Configuration ............................................................................................................373 C.4.1 The LMI Protocol .............................................................................................................374 C.4.1.1 Fragmentation Size.............................................................................................374 C.4.1.2 LMI Types 
...........................................................................................................374 C.4.1.3 LMI Modes ..........................................................................................................374 C.5 Provisioning Frame Relay Applications. ........................................................................................376 C.5.1 IP Applications ................................................................................................................376 C.5.1.1 DLCI configuration ..............................................................................................376 C.5.1.2 Configuring IP Router-Related Items ..................................................................378 C.5.2 Serial Tunnel over FR (Direct to Frame) Applications ....................................................381 C.5.2.1 Define Additional DLCIs......................................................................................381 C.5.2.2 Map DLCI Circuits to Serial Ports .......................................................................382 Appendix D:Third Party Licenses D.1 GNU LESSER GENERAL PUBLIC LICENSE ...............................................................................385 Glossary .................................................................................................................................................391 Index ..........................................................................................................................................................399 Magnum Network Software - DX Administrator’s Guide xiv Preface ABOUT THIS MANUAL This manual provides the Administrator with instructions on how to use the Magnum Network Software – DX (MNS-DX) to configure, manage, and monitor the Magnum DX family of products.This manual contains: a basic description of the MNS-DX, the basics of using the DXOS and the hierarchical menu structure, and instructions for configuring the 
MNS-DX for specific applications.

The chapters and appendices are presented as follows:

Chapter 1, “Overview” - This chapter describes the specific features of the MNS-DX.

Chapter 2, “Getting Started” - This chapter describes the initial setup of MNS-DX, explains its user interface, and provides an annotated and hyperlinked map of user-accessible screens.

Chapter 3, “System Administration” - This chapter provides a detailed field-by-field guide to the screens of the user interface.

Chapter 4, “The CLI and Protocol Monitor” - This chapter describes the protocol monitor and command line configuration functionality.

Chapter 5, “Operational Guide” - This chapter provides detailed information on a number of DX features to broaden understanding and suggest some guidelines for making configuration decisions.

Appendix A, “Terminal Server Application Notes” - This appendix provides a detailed explanation of how to implement terminal server functionality on a DX.

Appendix B, “Port and Type Reference” - This appendix provides a table of well known TCP/UDP network ports and a table of ICMP types.

Appendix C, “Frame Relay Provisioning” - This appendix provides a detailed explanation of how to configure a DX for Frame Relay support.

Appendix D, “Third Party Licenses” - This appendix contains the legally-required text of licenses for third party software.

Glossary - A list of acronyms and other technical terms used in this manual.

CONVENTIONS

Graphically distinctive alerts labeled either “Note” or “Caution” (illustrated below) are interspersed throughout this manual. These alerts call your attention to useful information related to the text immediately following the alert. Notes provide supplemental information or provide a point of emphasis. Cautions warn you of the risk of poor system performance or of system failure.

NOTE: Notes provide you with helpful information about an upcoming step or action.
If you do not use the information contained in a Note there is no risk of harm to the system, but using the information will improve performance and/or increase your understanding.

CAUTION: A caution warns you that you should take some action to avoid poor system performance or system failure.

RELATED DOCUMENTS

• Magnum DX40 Industrial Router Installation Guide
• Magnum DX800 Industrial Router Installation Guide
• Magnum DX900 Industrial Router Installation Guide
• Magnum Network Software–DX Software Release Notes

WEB ACCESS

All of the MNS-DX manuals are also available in .pdf format on the GarrettCom website, www.garrettcomun.com.

YOUR COMMENTS

If you find an error or have a helpful tip on the layout or informational content of this or any other GarrettCom manual, please feel free to contact us via email with any problems or helpful information. All enquiries will be responded to with a correction or whatever resolution is required. Please make all comments to [email protected] or phone a support engineer at 978.688-8807.

Chapter 1 Overview

1.1 Features and Benefits

MNS-DX is the operating system that supports the DX series of networking devices, which provide secure multiprotocol networking in compact, rugged packages purpose-built for power utility substations and other harsh environments. Cyber-security protection is assured by encrypted per-connection SSL and IPsec VPN capabilities, IP Firewall, and port security features. The series includes the Magnum DX40 Industrial Router and the Magnum DX800, DX900, and DX1000 Industrial Routers.

1.1.1 Magnum DX40 Industrial Router

The DX40's dual-serial, dual-Ethernet configuration supports several flexible configurations. In addition to serving as an IP router it provides resilient dual fiber-based extension from a core Ethernet network to serial devices distributed across a large facility. It serves as a multiprotocol concentration and access point for a fiber-based Ethernet wide area network connection to a small site. Encrypted per-connection SSL and IPsec VPN capabilities, along with other IP Firewall and port security features, assure that cyber-security protection will extend cost effectively all the way to end point devices and throughout small facilities.

1.1.2 Magnum DX800 Industrial Router

The DX800 combines the capabilities of an Ethernet Switch, an Async-to-TCP/IP Terminal Server and an IP Router in a single integrated device. Dual fiber Ethernet connectivity coupled with Rapid Spanning Tree and IP routing capabilities ensure resilient backbone communications. The DX800 provides full perimeter protection with IP Firewall and IPsec VPN features when used as an edge router/terminal server at remote critical facilities. Per-session encrypted SSL capabilities permit fine-grained security extended to end-point connections when the device is used as a distributed terminal server in larger installations.

1.1.3 Magnum DX900 Industrial Router

The DX900 Industrial Router provides most of the functionality of the DX800 Industrial Router. In addition it enables remote network connectivity to substations, transportation systems and other remote industrial sites using Digital WAN services such as DDS, T1/E1, frame relay, TDM, IP and MPLS-based VPN services.

1.1.4 Magnum DX1000 Industrial Router

The DX1000 Industrial Router provides most of the functionality of the DX800 and the DX900 and also provides 12 serial and 5 Ethernet ports. It is available in two variations:
• The DX1000-TS, for terminal server applications not requiring WAN ports or true routing capacity.
• The DX1000-IR, which provides the option of two WAN ports and supports such routing services as RIP, RIP-II, OSPF, BGP, and VRRP.
1.1.5 GarrettCom-hardened

The DX family of devices are multi-function, multi-protocol networking platforms that are purpose-built for distributed industrial automation applications such as Supervisory Control and Data Acquisition (SCADA) systems. They support a wide range of communications interfaces used by industrial devices, enabling multiple generations of remote devices and support systems to be consolidated onto a single integrated network infrastructure.

The DX devices also operate effectively in extremely harsh environmental conditions such as those within power utility substations, pumping stations, treatment plants, transportation systems, pipelines and wind farms. This robustness is primarily due to extended-range specifications in areas such as electromagnetic interference, temperature, and electrical surges. Most other networking products will fail when facing these conditions.

DX series devices have been rigorously tested to extreme industrial specifications for temperature, electrical surge protection and immunity. They are packaged in steel or steel and aluminum cases with no fans or moving parts and have been subjected to manufacturing test and control processes that include temperature cycling and prolonged product burn-in to ensure reliability delivered to the field. Physical product reliability is complemented by advanced network resiliency features that enable redundant and dual-routed network designs that protect network availability despite facility/element failures.

1.1.6 Features Summary

Table 1-1 summarizes the hardware features of the DX series of products.

Table 1-1. Hardware Features Summary

Connectivity
  DX40
  • 2 Ethernet ports
    — 2 100FX multi/single mode SFP, OR
    — 1 100FX multi/single mode SFP and 1 10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX
  • 2 programmable RS232/485 serial ports
  DX800
  • 4 Ethernet ports
    — 2 100FX multi/single mode SFP
    — 2 10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX
  • 4 programmable RS232/485 serial ports
  DX900
  • 1 DDS or T1/E1 WAN port
  • 4 Ethernet ports (10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX)
  • 4 programmable RS232/485 serial ports
  DX1000-TS
  • 5 Ethernet ports (10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX)
  • 12 programmable RS232/485 serial ports
  DX1000-IR
  • 2 DDS or T1/E1 WAN ports (optional)
  • 5 Ethernet ports
    — 5 10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX, OR
    — 3 10/100 BaseT, RJ45 and 2 100FX multi/single mode SFP
  • 12 programmable RS232/485 serial ports

Power Options
  • High (90-250 VAC or VDC)
  • Low (24-48 VDC)

Mounting Options
  • Panel
  • DIN-rail
  • 19” rack (DX800, DX900, DX1000)

Compliance
  • IEEE 1613/IEC 61850-3 requirements for power utility substations
  • EN55022A, FCC Part 15A emissions standards
  • NERC / CIP Cyber-security mandates

Table 1-2 summarizes the features of the MNS-DX.

Table 1-2. Software Features Summary

Serial Port Management
  • Up to 8 serial profiles
  • Serial data statistics
  • RS-232 (Full/Half) & RS-485 (Full/Half) supported via software selection
  • Data rates from 300 baud to 230 kbps
  • 7 or 8 data bits
  • 1, 1.5, or 2 stop bits
  • Even, Odd, or No Parity
  • Hardware and Software (XON/XOFF) Flow Control
  • Packetization options
    — Forward on specific character, idle time, or packet size
    — Turnaround timer

Terminal Server
  • Active, passive, and mixed connection modes
  • Telnet and raw TCP sessions
  • Multiple incoming and outgoing connections per serial port

WAN Port Management
  • DDS: 56 kbps
  • T1/E1: 1.544 Mbps / 2.048 Mbps G.703
  • Full rate and fractional (N*56/64 kbps)
  • Integral CSU/DSU
  • Frame relay, IP
  • Local Management Interface (LMI) type: LMI, CCIT, ANSI, or None
  • LMI mode: User or Net
  • End-to-End fragmentation

Ethernet Port Management
  • Supported media types include 10/100BaseTX and 100FX
  • 10, 100, or Auto speed selections for 10/100BaseTX Auto-Negotiation and Auto-MDIX
  • Half or full duplex operation for 10/100BaseTX
  • Ethernet frame statistics
  • Port Rate Limiting based on packet type (broadcast, multicast, flood, all)
  • Port Mirroring

Ethernet Switching
  • Maximum Station Cache capacity of 1,024 random MAC addresses
  • Up to 64 static MAC addresses
  • Purge Dynamic Cache Entries
  • 802.1D-compliant Learning Bridge

IP Routing
  • Supports distinct IP addresses for each physical and virtual switch interface
  • Up to 64 Static IP Routes
  • RIP/RIP2
  • OSPFv2
  • BGP
  • VRRP

Rapid Spanning Tree Protocol (RSTP)
  • STP
  • RSTP

VLANs
  • Up to 16 different VLANs
  • Tagged and untagged operation
  • VLAN security (tag-based filtering)
  • Optional egress tag stripping

QoS
  • Flexible flow-based DiffServ marking for all routed packets
  • Configurable mapping of DiffServ marking to priority tag for all routed packets
  • 4-Level priority queueing for Ethernet switching on DX800, 900, and 1000 based on IEEE tag, IP DiffServ marking, or ingress port
  • 4-Level priority queueing for WAN ports on DX900 and 1000 based on DiffServ marking

Security
  • Secure Web Server using HTTP over SSL (https://)
  • SSH security (with port forwarding support) on the command line interface
  • User authentication via RADIUS
  • Authenticated and encrypted terminal server connections over SSL
  • RSA public key and X.509 certificate management and generation
  • Web-based upload of new keys and certificates
  • Supports a number of SSL and TLS cipher suites that include support for RSA public keys, 3DES/AES/RC4 encryption, and MD5/SHA1 hashing
  • Firewall filters IP packets per-interface based on source IP, destination IP, IP protocol, and TCP/UDP port and/or ICMP message type
  • Stateful Firewall automatically opens holes in the firewall to allow ICMP, UDP, and TCP reply packets
  • TCP connections allowed by the Stateful Firewall can be optionally logged (to local file system and/or Syslog)

IPsec VPNs
  • Supports IKE negotiation on all interfaces
  • Diffie-Hellman Groups 1 & 2
  • Peer authentication with pre-shared key (PSK) or RSA/X.509 certificates
  • ESP tunnel-mode encapsulation using 3DES, AES, MD5, and/or SHA-1
  • Up to 32 tunnels can be established DX-to-DX, subnet-to-subnet, or DX-to-subnet
  • Dead Peer Detection (DPD) at configurable interval

Embedded Web Server (HTTP/HTTPS)
  • Primary User Interface
  • Compatible with standard web browsers (such as Internet Explorer or Firefox)

User Account Management
  • Configurable security policies
  • Up to 16 user accounts
  • Stored passwords are hashed using MD5

Configuration File Management
  • XML Configuration Files
  • Web-based Upload/Download
  • Multiple configurations stored in Flash File System

Software Image Management
  • Software upgrade with revert capability
  • Web-based upload of new software images

Time and Date Management
  • Real-time clock support
  • Active or passive-mode SNTP client
  • Time offsets, time zone and Daylight Saving Time support
  • Up to 3 SNTP servers can be specified for redundancy

Event Logging
  • Flexible logging options
  • Log files stored in flash file system
  • SYSLOG capability
  • Up to 5 remote collectors may be specified

SNMP v1/v2c/v3 Agent
  • Supports User-based Security Model (USM) when v3 is enabled
  • MIB-II and SNMPv2 Traps
  • Up to 4 remote management/trap destinations may be specified
  • Proprietary Enterprise MIB

Modbus/TCP
  • Modbus/TCP to Modbus/RTU or Modbus/ASCII encapsulation
  • Support for multiple masters and slaves
  • Maps Modbus device addresses to configurable remote IP addresses
  • Enables multi-master access to slaves on a single bus by serializing Modbus requests at the server, a capability not possible in normal serial Modbus

Network Address and Port Translation (NAT)
  • Maps public (outside) IP addresses and ports to private (inside) IP addresses and ports
  • Manual configuration of address/port translations going from the public to a private interface
  • Dynamic translations going from a private to the public interface
  • Static translation rules can be specified on any interface

Dynamic Host Configuration Protocol (DHCP) Server
  • Manual and dynamic address allocation
  • Up to 100 reserved addresses may be specified
  • Each address range or manual address may be assigned distinct host parameters such as default gateway, DNS server, and DNS suffix

Protocol Monitor
  • Sniffs ingress and egress packets on any port
  • Filter by MAC address, IP address, TCP port, or protocol
  • Displays frame addresses, ports, protocol identifier, and data payload

1.2 Applications/Topologies – Magnum DX800

The DX800 combines the capabilities of an Ethernet switch, an Async-to-TCP/IP terminal server and
an IP router in a single integrated device. This feature set, depicted in Figure 1-1, enables several important applications, each building on the ability to combine serial- and Ethernet-based industrial devices on a common communications network.

[Figure 1-1. Device Consolidation in a DX800. Figure labels: Wide Area Ethernet Network; Core Ethernet; Router/Firewall; Ethernet Switch; Terminal Server; Ethernet IEDs; Serial IEDs.]

1.2.1 Integrated Substation Network

The Integrated Substation Network (depicted in Figure 1-2) is GarrettCom’s vision of an Ethernet-based infrastructure interconnecting substations and central operations systems, providing a communications solution for power utility substations encompassing both serial- and Ethernet-based devices. Numerous Intelligent Electronic Devices (IEDs) such as relays, sensors, meters and Remote Terminal Units (RTUs), as well as surveillance cameras, VOIP phones and other devices are connected in a substation Local Area Network (LAN); serial protocol devices are connected via GarrettCom routers or terminal servers, and various Ethernet devices are directly connected to DX Series devices. The substation LAN connects to a GarrettCom Wide Area Network (WAN) router to transmit data to central operations systems and centers for processing and storage.

[Figure 1-2. Integrated Substation Network. Figure labels: SCADA / EMS; RTU Management & Provisioning; PBX GW; Host Site; Video Monitoring; Wide Area Network; substation sites each with Video, VOIP, HMI, RTUs and Alarms.]

1.2.2 Standalone Local Communications Platform

The DX800 provides a complete, local communications network within an industrial location, as depicted in Figure 1-3. The DX800 consolidates connections from a variety of industrial devices having differing communications interfaces, including async serial connections at connection rates of 300 bps to 230.4 Kbps and IP-oriented Ethernet connections at 10 or 100 Mbps. This interface capability covers most RTUs, PLCs, Intelligent Electrical Devices (IEDs), industrial servers and other devices with digital data connectivity. An operator may use a Human Machine Interface (HMI) application to locally connect to all the devices within the site from a common connection point. The DX800 provides Ethernet switching of IP sessions directly among Ethernet-connected devices. TCP/IP based applications, such as the HMI, may also connect directly to serial devices, with the DX800 providing async-to-TCP/IP terminal services.

[Figure 1-3. DX800 Standalone Local Communications Platform Topology. Figure labels: Hardened Industrial Site; Ethernet Devices (HMI) on ports E1, E2 ... En; Serial Devices (Relay, PLC) on ports S1, S2, S3 ... Sn.]

1.2.3 Remote Network Concentration

When combined with a wide-area network access device, the DX800 provides an integrated point of interconnection of a number of devices in a remote industrial site. There are several wide area network options. Figure 1-4 depicts a wide area network and a wireless network. Since the DX800 provides an integrated IP Router capability, remote networks do not require a separate IP router device. The DX800 connects to a centralized system over a routed IP network, accessed using only a physical layer interface device such as a wireless modem or other WAN device.

[Figure 1-4. Remote Network Concentration. Figure labels: Digital Wireless Connection; Hardened Industrial Site; Central Systems and Centers; Wide Area Network; Ethernet Devices (HMI) on ports E2 ... En; Serial Devices (Relay, PLC) on ports S1, S2, S3 ... Sn.]

1.2.4 Distributed Local Network using Ethernet

In addition to stand-alone deployments, multiple DX800s can form a distributed network within an industrial site using an Ethernet backbone. Typically the Ethernet backbone network is a resilient self-healing ring configuration. More complex configurations may combine multiple DX800s with larger scale Ethernet switching systems (such as GarrettCom's Ethernet Switch System - ESS) and/or with wide-area network gateways (such as GarrettCom's Industrial Frame Router - IFR).

Figure 1-5 depicts an industrial site with multiple DX800s, each collecting a mix of serial and Ethernet traffic types. The backbone of this network is a resilient Ethernet ring. Rapid Spanning Tree Protocol (RSTP) and tag-based Virtual Local Area Networks (VLANs) combine to provide high-reliability, application-specific security and performance management capabilities that enable multiple diverse applications to effectively share a common network infrastructure. In this example, a GarrettCom Industrial Frame Router provides IP-over-frame relay network access and an integrated DDS or T1 CSU/DSU for interconnecting to carrier-provided wide area network services.

[Figure 1-5. Distributed Local Network using Ethernet. Figure labels: several DX800s on a ring, each with Eth and Ser connections; IFR; Wide Area Network.]

1.2.5 Distributed Regional Fiber-optic Network

The optional extended-range fiber-optic network interfaces of the DX800 enable interconnection of a number of distributed industrial sites. The ring configurations and multi-application security and performance features described above for intra-site Ethernet connectivity all extend over inter-site single mode fiber-optic links at 100 Mbps. Figure 1-6 shows several sites interconnected on a resilient Ethernet ring using standalone DX800s connected to a GarrettCom Industrial Frame Router, such as a DS2000IFR.

[Figure 1-6. Distributed Regional Fiber-optic Network. Figure labels: several DX800s on a ring, each with Eth and Ser connections; IFR; Wide Area Network.]

1.3 Applications/Topologies – Magnum DX900

The DX900 provides all of the connectivity of the DX800, with the exception of the fiber optic ports option. In addition the DX900’s WAN port supports IP or Frame Relay traffic over a DDS or T1/E1 connection. Figure 1-7 depicts DX900s in support of a typical Frame Relay application.

[Figure 1-7. Typical Frame Relay Network Topology. Figure labels: two Distributed Industrial Sites and a Management Site, each with Eth and Ser connections, joined by DDS (or T1/E1) links to a Frame Relay Network.]

1.4 Applications/Topologies – Magnum DX40

The DX40 provides a rugged and secure solution for extending fiber-based connectivity to remote devices in harsh environments such as power utility substations. The DX40's dual-serial, dual-Ethernet configuration supports several flexible configurations.

1.4.1 Linking WAN and Remote Site

The DX40 serves as a multi-protocol concentration and access point for a fiber-based Ethernet wide area network connection to a small site.

[Figure 1-8. Fiber-based extension of WAN to Serial Devices. Figure labels: IP/Ethernet WAN; Ser IED (serial IEDs); Ethernet IED / HMI.]

1.4.2 Fiber-based Extension of WAN to Serial Devices.

The DX40 provides resilient dual fiber-based extension from a core Ethernet network to serial devices distributed across a large facility.

[Figure 1-9. Fiber-based Extension of WAN to Serial Devices. Figure labels: IFR; Wide Area Network; Ser (serial devices) on each DX40.]
1.4.3 Daisy Chain Topology

The DX40 is readily adaptable to an Ethernet “bus” (daisy chain, dead end) configuration suitable for wind farm or pipeline applications.

[Figure 1-10. Daisy Chain. Figure labels: Ethernet Core; chained DX40s each serving Ser (serial) devices.]

1.4.4 Paired Point-to-Point

The DX40 can also be used as a Dymec Links replacement in situations where it is necessary to use fiber optics because of extended distances or because of the need to provide electrical isolation. As a links replacement the DX40 has additional advantages, including full management capabilities and security features.

[Figure 1-11. Point-to-Point.]

Chapter 2 Getting Started

2.1 Hardware Installation

Make power, ground, Ethernet, and serial connections to your DX device according to the instructions provided in your Installation Guide. Note that complete configuration is done through the web interface operating over an Ethernet connection between your local terminal and one of the Ethernet ports on the DX device. The configuration screens are listed in Section 2.3.1. The interface is documented in detail in Chapter 3, “System Administration”.

Many configuration tasks can also be carried out with the command line interface (CLI) operating over a serial or Ethernet connection. The CLI is documented in Chapter 4, “The CLI and Protocol Monitor”.

2.2 Software Management

MNS-DX is implemented by an easily upgradeable software image and by configuration files. Software images can be maintained and upgraded with the Administration: Software Upgrade screen (see Section 3.2.8, “Software Upgrade”), which loads an executable software image into non-volatile memory. Configuration files can be maintained and upgraded with the Administration: Configuration: Files screen (see Section 3.2.9, “Configuration”).

The DX device comes with a factory-supplied software image and configuration file. After you have completed the hardware installation you need only replace the default IP address with another that places your PC and the DX device on the same subnet. You can then access the DX’s supervisory software and begin to configure your system.

2.2.1 Configuring a New IP Address

Your DX is delivered with the default IP address 192.168.1.2. You must change this address to one that is valid on your network. Before you can reach the DX with your internet browser to make that change, however, you must first change the IP address of the PC network card that communicates with the device to an address in the 192.168.1.x network. The following example uses a fictional network card at IP address 223.223.223.2 and specifies a new address of 223.223.223.1 for the DX. Replace these values with the actual address of your network card and your preferred address for the DX.

1. Using your PC system software, change the IP address of your PC’s network card from 223.223.223.2 to 192.168.1.3.
2. With your internet browser go to HTTP://192.168.1.2. The Magnum DX Web Management Logon screen will appear.
[Figure 2-1. Logon Screen]
3. Login with username manager, password manager.
4. In the Navigation Area of the browser screen click on Routing: IP Addresses.
5. In the Default Address field replace 192.168.1.2 with 223.223.223.1.
6. Click Apply Settings.
7. Using your PC system software, reset your PC’s Ethernet card to 223.223.223.2.
8. With your internet browser go to HTTP://223.223.223.1. The Magnum DX Web Management Logon screen will appear. You are now communicating with the DX on your own network.
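The procedure above depends on two address facts: during steps 1 to 6 the PC must sit in the DX’s factory-default 192.168.1.x network, and the address entered in step 5 must be a usable host address on the PC’s own subnet, or step 8 will fail. The following Python script is an added example (not code from the GarrettCom guide) that works out that address plan and rejects an unusable target address. It assumes a /24 mask for the default network (the guide says only “192.168.1.x”) and takes the PC’s prefix length as a parameter; the names plan_readdress, DX_DEFAULT_ADDRESS and DX_DEFAULT_PREFIXLEN are the example’s own.

```python
import ipaddress

# Factory-default management address stated in the guide.
DX_DEFAULT_ADDRESS = "192.168.1.2"
# ASSUMPTION: the guide only says "the 192.168.1.x network"; a /24 mask is assumed.
DX_DEFAULT_PREFIXLEN = 24


def plan_readdress(pc_ip, pc_prefixlen, new_dx_ip):
    """Work out the addresses needed to move a factory-default DX onto the PC's subnet.

    pc_ip / pc_prefixlen : the PC's normal address and mask on the target network
    new_dx_ip            : the address the DX should end up with (step 5)

    Returns a dict describing each step of the procedure; raises ValueError if
    the requested DX address is not a usable host address on the PC's network.
    """
    pc_addr = ipaddress.ip_address(pc_ip)
    pc_net = ipaddress.ip_interface(f"{pc_ip}/{pc_prefixlen}").network
    dx_default = ipaddress.ip_address(DX_DEFAULT_ADDRESS)
    dx_net = ipaddress.ip_interface(
        f"{DX_DEFAULT_ADDRESS}/{DX_DEFAULT_PREFIXLEN}").network
    new_dx = ipaddress.ip_address(new_dx_ip)

    # Step 8 only works if the new address is reachable from the PC afterwards,
    # so it must be a host address on the PC's network and not the PC's own.
    if new_dx not in pc_net:
        raise ValueError(f"{new_dx} is not on the PC's network {pc_net}")
    if new_dx in (pc_net.network_address, pc_net.broadcast_address):
        raise ValueError(f"{new_dx} is the network or broadcast address of {pc_net}")
    if new_dx == pc_addr:
        raise ValueError(f"{new_dx} is already used by the PC")

    # Step 1: pick a temporary PC address in the DX's default network. The guide's
    # example uses the host just above the DX default (192.168.1.3); do the same.
    temp_pc = next(h for h in dx_net.hosts() if h > dx_default)

    return {
        "pc_already_on_default_net": pc_addr in dx_net,  # step 1 can be skipped
        "temp_pc_ip": str(temp_pc),                       # step 1
        "default_dx_url": f"HTTP://{dx_default}",         # step 2
        "new_dx_ip": str(new_dx),                         # step 5
        "final_pc_ip": str(pc_addr),                      # step 7
        "new_dx_url": f"HTTP://{new_dx}",                 # step 8
    }


if __name__ == "__main__":
    # The guide's own fictional values: PC at 223.223.223.2, DX to become 223.223.223.1.
    for key, value in plan_readdress("223.223.223.2", 24, "223.223.223.1").items():
        print(f"{key:>26}: {value}")
```

Run with the guide’s values it reports 192.168.1.3 as the temporary PC address and HTTP://223.223.223.1 as the final management URL. The factory credentials used in step 3 are the same on every new unit; the menu tree in Section 2.3.1 lists the Change Password screen for replacing them once the device is reachable on your own network.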
2.3 The Administrator Interface Overview

The MNS-DX Administrator Interface enables you to view and edit system parameters through your web browser. Figure 2-2 is an illustration of a typical administrator screen. Table 2-1 explains the functionality of the areas marked in the illustration.

[Figure 2-2. MNS-DX Administrator Interface. Marked areas: Interaction Area; Navigation Area; Global Area.]

Table 2-1. The Administrator Interface

Navigation Area - The Navigation area contains a menu tree that can be expanded or collapsed to show all of the available interaction screens. Clicking on a leaf of the menu tree brings up the corresponding screen in the Interaction area.

Interaction Area - The Interaction area contains an HTML form where you can configure some aspect of the system. This area can also be used to display read-only information such as port statistics or event logs.

Global Area - The Global area contains controls that have a global effect on the current session.
• Click the Revert button to undo any unsaved changes to the system's configuration.
• Click the Save button to save the current system configuration in the active configuration file.
• Click the Save As button to save the current system configuration in a new configuration file.
• Click the Logout button to end the current session.
This area also displays text identifying the user name of the current user, the user-configurable system name of the node being managed, and the IP address of the node.

The screen displayed at start-up is the “System Information” screen (see Figure 3-2).

NOTE: The descriptions of the visual display of the MNS-DX Administrator employ the terms “screen,” “form,” “table,” and “button.” These terms have the following meanings.
• Screen – the whole meaningful content of your browser, not including browser tool bars, status bars, and the like.
• Form – a portion of the screen whose primary purpose is to enable the entering of user-supplied information. A form contains fields that you can fill with keyboard input, by selecting from drop-down menus, or by browsing to select a file on your local system. A form may also contain some read-only information.
• Table – a portion of the screen whose primary purpose is to provide the user with information, such as lists of addresses, installed configurations, status reports, etc. A table may or may not contain editable fields. A table often includes a checkbox to enable you to delete the contents of a row in the table.
• Buttons – labeled, clickable areas of the screen. Clicking a button performs the action described in its label. Most screens include buttons labeled Apply Settings, to save any changes you have made, and Reset Settings, to undo any changes you have made that have not yet been applied.

2.3.1 Navigation Tree

The menu tree supported in this release is as follows:

Table 2-2. Menu Tree

Virtual Front Panel - An animated view of the device’s ports and LEDs. This is the initial screen displayed when you start MNS-DX.

Administration Tasks
System
  System Information - View and edit identifying information.
  System Status - View memory and buffer utilization and queue overflow.
Time
  Time: Time and Date - Set the system’s time and date.
  Time: Zone and DST - Specify standard time and daylight savings time for your system.
  Time: Persistence - On reset use the last known good time and date (for device clocks without battery backup).
SNTP
  SNTP: Global Settings - Configure mode and frequency of time synchronization.
  SNTP: Servers - Designate servers that will provide the correct time.
SNMP
  SNMP: Global Settings - Configure network management (enable SNMP agent, control MIB access).
  SNMP: Management Stations - Specify address(es) of station(s) to query SNMP agents.
  SNMP: Trap Stations - Specify address(es) of station(s) to receive SNMP traps.
  SNMP: Users - Manage user security provisions.
  SNMP: Statistics - Monitor 43 measures of SNMP performance.
Authentication
  Authentication: Policies - Set number of failed logins before lockout and duration of lockout.
  Authentication: Accounts - Maintain user accounts (names, passwords, etc.).
  Authentication: Files - Upload new user definitions.
Sessions
  Sessions: Policies - Set the length of time a login session can be idle before it is automatically terminated.
  Sessions: Active Logins - View IDs and uptime of active login sessions.
Change Password - Change current user’s password.
Software Upgrade - Install a newer version of software.
Configuration
  Configuration: Files - View and manage available configuration files.
  Configuration: Defaults - Restore the system’s default configuration.
System Reboot - Shut down and restart the system.

Events Tasks
Logs
  Logs: Global Settings - Enable logging of events and control logfile number and size.
  Logs: Files - Displays hyperlinks to available log files.
Syslog
  Syslog: Global Settings - Enable/disable syslog protocol functionality.
  Syslog: Collectors - Specify IP addresses of syslog event collectors.
Alarms
  Alarms: Port Settings - Enable alarms and specify a relay closure time.
  Alarms: Actions - Specify events that will trigger alarms.

Ethernet Tasks
Ports
  Ports: Settings - Enable and disable Ethernet ports and set and view configurations (media type, flow control, FEFI).
  Ports: Status - Check capabilities and operational status of each Ethernet port.
  Ports: Summary Statistics - View basic performance statistics for each Ethernet port.
  Ports: Extended Statistics - View detailed performance statistics for each Ethernet port.
  Ports: Mirroring - Forward packets from one port on a DX800 to another for analysis.
  Ports: Rate Limits - Specify limits on the throughput of certain types of packets.
Bridge
  Bridge: Global Settings - View or set the aging interval for learned MAC addresses.
  Bridge: Port Settings - Specify whether a port is routed or is part of the bridge.
  Bridge: Static MACs - Add or remove static MAC addresses in the bridge MAC address table.
  Bridge: Station Cache - View a table of MAC addresses and the ports that access them.
RSTP
  RSTP: Bridge Settings - Configure RSTP settings for the bridge.
  RSTP: Port Settings - Associate specific Ethernet ports with RSTP values (mode, priority).
  RSTP: Bridge Status - View RSTP counters and status for the bridge.
  RSTP: Port Status - View RSTP counters and status for specific Ethernet ports.
VLAN
  VLAN: Global Settings - Enable/disable VLAN functionality.
  VLAN: VIDs - Assign VLAN IDs and view properties (tagged/untagged) of existing VIDs.
  VLAN: Port Settings - Assign ports to VLANs and set properties (mode, tagged/untagged).

Serial Tasks
Ports
  Ports: Profiles - Create a profile (10 attributes) for later assignment to a serial port.
  Ports: Settings - Enable and disable serial ports and assign profiles.
  Ports: Status - Check the status of a serial port.
  Ports: Statistics - Monitor the performance of a serial port.
Terminal Server
  Terminal Server: Channel Settings - Add or remove terminal server channels.
  Terminal Server: Channel Status - View the status of configured terminal server channels.
  Terminal Server: Connections - Check status of currently active TCP/IP connections.
Frame Relay
  Frame Relay: Channel Settings - Configure "direct-to-frame" serial channels.
  Frame Relay: Connections - View the status of the current frame relay connections carrying serial traffic.
Modbus
  Modbus: Local Masters - Configure a Modbus local master.
  Modbus: Local Slaves - Configure a Modbus local slave.
  Modbus: Remote Slaves - Configure a Modbus remote slave.
  Modbus: Connections - Monitor Modbus connections.

WAN Tasks (for those devices with WAN ports)
Port Settings (DDS) - Configure the system's WAN ports to support a DDS connection.
Port Settings (T1/E1) - Configure the system's WAN ports to support a T1 or E1 connection.
Port Status - View the current status of each WAN port in the system.
Frame Relay - Configure the frame relay function of the system's WAN ports.
DLCI Settings - Add and delete DLCIs.
DLCI Status - View the status of existing DLCIs.

PPP Tasks
Profiles - Configure a PPP profile to apply to a PPP connection.
Connections - Define a PPP connection (port ID, profile, authentication).
Status - View the status of PPP ports.
Statistics - View performance statistics for PPP connections.

Routing Tasks
IP Addresses - Configure IP addresses for VLANs and routed ports.
Static Routes - Specify new and view existing static IP routes.
Table - View the routing table.
ARP Table - View and flush the Address Resolution Protocol (ARP) table.
RIP
  RIP: Global Settings - Enable RIP and specify version and certain parameters.
  RIP: Interface Settings - Specify whether the RIP interface is not bridged (routed).
OSPF
  OSPF: Global Settings - Configure OSPF global settings (enabling, router spec., etc.).
  OSPF: Area Settings - Define OSPF areas.
  OSPF: Interface Settings - Configure OSPF on specific interfaces.
  OSPF: Interface Profiles - Configure profiles that can apply OSPF parameters to interfaces.
  OSPF: Neighbor Status - View the status of OSPF neighbors.
BGP
  BGP: Global Settings - Enable BGP and provide identifying information.
  BGP: Peer Settings - Specify settings for communication with a BGP peer.
  BGP: Profiles - Configure a BGP profile to apply to a BGP connection.
  BGP: Status - View the status of BGP configurations.
  BGP: RIB - View the Routing Information Base (RIB).
  BGP: Statistics - View performance statistics for BGP connections.
VRRP
  VRRP: Groups - Define a router's membership in a Virtual Router Redundancy Protocol (VRRP) group.
  VRRP: Status - Display this router's VRRP status.
NAT
  NAT: Global Settings - Enable dynamic Network Address Translation (NAT) on the public IP interface.
  NAT: Port Forwarding - Create a rule to forward specified traffic from a public to a private port.
  NAT: Static Translations - Manage the static network address and port translations.
DHCP Server
  DHCP Server: Host Parameters - Configure and assign groups of host parameters.
  DHCP Server: Static Addresses - Manually configure IP addresses for particular DHCP clients.
  DHCP Server: Dynamic Addresses - Configure ranges of addresses for dynamic assignment.
  DHCP Server: Leases - View the status of DHCP leases.

QoS Tasks
DiffServ - Configure DiffServ Code Point (DSCP) priorities.
802.1p - Assign Ethernet frames to priority queues based on markings.
Ethernet Port - Assign a priority rule to a specific Ethernet port.
IP Flows - Associate specific IP packet flows with DiffServ markings.

Security Tasks
Certificates
  Certificates: Local - Upload X.509 certificates.
  Certificates: CAs - Upload and mark as trusted Certificate Authorities (CAs).
Ethernet Port - Configure conditions for a security lockout on an Ethernet port.
Serial/SSL - Configure Secure Sockets Layer for a serial port.
Web Server - Configure HTTP or SSL preference and SSL key.
CLI - Configure SSH security on the command line interface.
Firewall
  Firewall: IP Interfaces - Assign IP interfaces to groups and enable IP filtering on an interface.
  Firewall: Interface Groups - Configure interface groups for filtering.
  Firewall: IP Filters - Specify filtering criteria.
  Firewall: Stateful IP Filters - Specify a filter that automatically accommodates responses.
RADIUS
  RADIUS: Global Settings - Configure remote authentication.
  RADIUS: Servers - Configure authentication servers.
VPN
  VPN: Global Settings - Specify an IP address for IKE transactions.
  VPN: Profiles - Name and configure a set of encryption properties for a VPN tunnel.
  VPN: Authentication - Configure IPsec authentication methods.
  VPN: Tunnels - Link two IP addresses and assign a profile to create a VPN tunnel.
  VPN: Status - View the status of existing VPN security associations.
  VPN: Details - View tunnel error history.

Wizards
The Router Setup Wizard - Automate configuration of routing features.
The Certificate Creation Wizard - Automate the creation of RSA keys and certificates.

Chapter 3 System Administration

This chapter describes the specific functionality of the MNS-DX supervisory software. For an overview of the interface features see Section 2.3, "The Administrator Interface Overview". For a list of all the available screens organized by function see Section 2.3.1, "Navigation Tree".

3.1 Virtual Front Panel

The Virtual Front Panel is displayed when you first log on to MNS-DX. This screen provides an animated, pseudo-real-time view of the device's ports and LEDs. The status of the ports and LEDs is updated once per second.

Figure 3-1. Virtual Front Panel

The table located beneath the graphical depiction of the front panel provides a summary of information related to identifying the device (name, location, address) as well as the current uptime. These fields are read-only. To modify any of the user-configurable parameters, go to the appropriate editable screen; for instance, to change the system IP address go to the IP Addresses screen, described in Section 3.8.1.

3.2 Administration Tasks

The following subsections describe the tasks that you can perform using the screens of the Administration branch.

3.2.1 System

You can view identifying information about your system in the System Information screen and monitor system status in the System Status screen.

3.2.1.1 System Information

This screen enables you to view and edit information that identifies the system under management.

Figure 3-2. Administration: System: Information

Table 3-1 describes the information that can be entered in the fields of the System: Information screen. Each field can contain up to 256 printable ASCII characters.

Table 3-1. Administration: System: Information

System Name: Configurable MIB-II system name of up to 256 printable characters.
System Location: Configurable MIB-II system location of up to 256 printable characters.
System Contact: Configurable MIB-II system contact of up to 256 printable characters.
System Description: The system model number and current software version.
Upgrade State: The current software upgrade state. (See Section 3.2.8 for an explanation of upgrade states.)
IP Address: The system IP address. This may be changed from the IP Addresses screen, described in Section 3.8.1.
MAC Address: The System MAC Address. This address is defined at the factory. You cannot change this address. All packets sourced from the management and terminal server functions use this MAC address as the Ethernet Source Address (SA). The system will also respond to ARP requests using this MAC address. In certain cases, an Ethernet port may be assigned its own Port MAC Address. This MAC address is calculated by taking the System MAC Address, adding the port number to the least significant octet, and performing any necessary carries into the more significant octets. For example, if the System MAC Address is "00:20:61:5A:92:FE" then port E4's MAC address would be "00:20:61:5A:93:02". A Port MAC Address is used when an Ethernet port is configured as a routed port. In addition, a Port MAC Address is used as the Ethernet SA when sending BPDUs.
Free Space (KB): Number of KB free in the non-volatile file system.
Uptime: The time elapsed since the last system boot.

3.2.1.2 System Status

This screen enables you to view system status information.

Figure 3-3. Administration: System: Status (DX40/DX800)

Table 3-2 describes the fields displayed in the System: Status screen.

Table 3-2. Administration: System: Status

System Memory Utilization: The percentage of dynamic system memory currently in use.
Ethernet-CPU Buffer Utilization: The software maintains a fixed-size queue of buffers for received Ethernet frames. This parameter is the percentage of these buffers currently holding a received frame that has not yet been processed by the IP stack or other network application.
Ethernet-CPU Rx Drops: The number of Ethernet frames that were dropped due to queue overflow.
WAN-CPU Buffer Utilization: (For systems with WAN ports only) The software maintains a fixed-size queue of buffers for received WAN frames. This parameter is the percentage of these buffers currently holding a received frame that has not yet been processed by the IP stack or other network application.
WAN-CPU Rx Drops: (For systems with WAN ports only) The number of WAN frames that were dropped due to queue overflow.

3.2.2 Time

The following screens enable you to configure and preserve accurate time on your system.

3.2.2.1 Time: Time and Date

This screen enables you to configure the system time and date.

Figure 3-4. Administration: Time: Time and Date

Table 3-3 specifies the values that can be entered in the Time and Date screen.

Table 3-3. Administration: Time: Time and Date

Time: The current time of day in the 24-hour hh:mm:ss format.
Date: The current date in the format mm/dd/yyyy.

Note the following features of the time and date functionality:
  • When the system is first powered up, the time and date are undefined.
  • The DX40 has an onboard real-time clock (RTC) with ride-through (capacitor backup) capability. The RTC may preserve the current time and date for up to 4 minutes under certain conditions. If the time and date persistence feature is enabled (see Section 3.2.2.3), the time and date will be set to the last saved time and date when the system power is cycled.
  • The DX800, DX900, and DX1000 also have an onboard RTC with full battery backup. The RTC will preserve the current time and date for the life of the battery.
  • If SNTP is enabled and a server is reachable, the system time and date will be refreshed from the server upon power up.

3.2.2.2 Time: Zone and DST

This screen enables you to specify the standard time for your location as an offset from Coordinated Universal Time (UTC) and to specify the part of the year during which Daylight Saving Time (DST) will be in effect.

Figure 3-5. Administration: Time: Zone and DST

Table 3-4 describes the parameters you can view and edit in the Time: Zone and DST screen.

Table 3-4. Administration: Time: Zone and DST

Standard Time=UTC: Your offset from UTC. The value is in hours:minutes. The range is from -12:59 to 12:59. Examples of UTC offsets:
    Zone          Standard   Daylight Saving
    Eastern (US)  -5         -4
    Pacific (US)  -8         -7
    UK             0         +1
Daylight Saving Time: If enabled, use the following fields to specify the period of the year during which daylight saving time will be in effect, either by specifying the date and time of its beginning and end or by selecting a pre-defined national DST rule, which will automatically supply the beginning and ending values. System time will be automatically adjusted according to the specified dates. If disabled, standard time will be used throughout the year.
Starts the first...: Specify the day, date, and time when DST begins.
Ends the first...: Specify the day, date, and time when DST ends.
Copy DST rule of: Select a pre-defined national DST rule from the drop-down list. This will automatically supply the beginning and ending values.

3.2.2.3 Time: Persistence

This screen enables you to set the time and date persistence feature (similar to the "Save Time Interval" feature offered by other manufacturers). This is used to support systems such as the DX40 that do not have a clock with battery backup. When the power to these systems is cycled, the clock may come up in an undefined state. With persistence enabled, the clock is set to the last known good time and date. This time and date clearly will not be correct, but it is likely to be close enough to the actual time and date that the system will be able to continue operating without difficulty.
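The Port MAC Address rule given for the MAC Address field of Table 3-1 (Section 3.2.1.1) is plain arithmetic, so the addresses a device will use as Ethernet SA for routed ports and BPDUs can be computed in advance. The Python below is an added example, not GarrettCom code and not taken from the MNS-DX firmware: it derives a Port MAC Address from a System MAC Address and a port number with the octet carries the table describes, lists the derived addresses for a device, and filters a list of observed source addresses down to those that neither the System MAC Address nor any derived Port MAC Address accounts for. That last check is what a reviewer of a LAN capture wants when deciding whether a BPDU or routed-port frame really came from this device. The function names and the sample capture are this example's own; the worked address pair is the guide's.

```python
# Added example: Port MAC Address derivation as described for the MAC Address
# field of Table 3-1 (System MAC Address + port number, with octet carries).
# Not GarrettCom code; function names and sample data are this example's own.

MAC_BITS = 48


def parse_mac(mac: str) -> int:
    """Parse 'XX:XX:XX:XX:XX:XX' into a 48-bit integer; reject anything else."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(len(o) == 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int.from_bytes(bytes(int(o, 16) for o in octets), "big")


def format_mac(value: int) -> str:
    """Render a 48-bit integer as upper-case colon-separated hex, as the guide does."""
    return ":".join(f"{b:02X}" for b in value.to_bytes(6, "big"))


def port_mac_address(system_mac: str, port_number: int) -> str:
    """Derive the Port MAC Address: add the port number to the least significant
    octet and let carries propagate into the more significant octets. Treating
    the address as one 48-bit integer gives exactly that arithmetic."""
    if port_number < 1:
        raise ValueError("port numbers start at 1 (E1, E2, ...)")
    value = parse_mac(system_mac) + port_number
    if value >= 1 << MAC_BITS:
        raise OverflowError("carry out of the 48-bit address space")
    return format_mac(value)


def expected_port_macs(system_mac: str, port_count: int) -> dict:
    """Map port label (E1..En) to the Port MAC Address the device would use as
    Ethernet SA for a routed port or when it sends BPDUs."""
    return {f"E{n}": port_mac_address(system_mac, n) for n in range(1, port_count + 1)}


def unexpected_sources(system_mac: str, port_count: int, observed_sas) -> list:
    """Return observed source addresses that are neither the System MAC Address
    nor one of its derived Port MAC Addresses. Input is any iterable of MAC
    strings (e.g. the SA column of a capture); output is sorted and normalised."""
    allowed = {format_mac(parse_mac(system_mac))}
    allowed.update(expected_port_macs(system_mac, port_count).values())
    return sorted({format_mac(parse_mac(sa)) for sa in observed_sas} - allowed)


if __name__ == "__main__":
    # The guide's own example: System MAC 00:20:61:5A:92:FE, port E4 -> 00:20:61:5A:93:02
    print(port_mac_address("00:20:61:5A:92:FE", 4))
    # Constructed capture: two SAs this 8-port device accounts for and one it does not
    print(unexpected_sources("00:20:61:5A:92:FE", 8,
                             ["00:20:61:5a:93:02", "00:20:61:5A:92:FE", "00:20:61:5A:93:10"]))
```

Because the derivation is a 48-bit addition, a System MAC Address whose low octets are near 0xFF carries cleanly into the OUI portion; the overflow check only fires at the very top of the address space.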
This feature is useful in an environment where a DX40 keeps its time and date current via an NTP server that it accesses through a VPN tunnel that uses certificates for authentication. If the power to the DX40 is cycled and the time and date were to come up in an undefined state, it is likely that the VPN authentication would fail because the system's time and date would not fall within the validity dates on the VPN peer certificate. The system would then not be able to access the NTP server and would be permanently cut off from the network. However, if the time and date were set to some time and date from the recent past, the VPN authentication would succeed, the tunnel would be established, and the DX40 would be able to resynchronize its time with the NTP server.

Figure 3-6. Administration: Time: Persistence

Table 3-5 specifies the parameter that you can set in the Time: Persistence screen.

Table 3-5. Administration: Time: Persistence

Mode: Set to Enabled to use the persistence feature.

3.2.3 SNTP

The SNTP (Simple Network Time Protocol) screens enable you to maintain the correct time on your system by specifying and configuring SNTP servers.

3.2.3.1 SNTP: Global Settings

This screen enables you to configure Simple Network Time Protocol (SNTP) functionality to obtain the correct time from an SNTP server.

Figure 3-7. Administration: SNTP: Global Settings

Table 3-6 specifies the values that can be entered in the fields of the SNTP: Global Settings screen to set up the SNTP client.

Table 3-6. Administration: SNTP: Global Settings

Mode: Indicates if and how the SNTP client should be used to set the system's time and date information. This parameter takes one of the following values:
  • Active – system time and date information is taken from a configured SNTP server. (SNTP servers are added and deleted with the SNTP: Servers screen.)
  • Passive – system time and date information is retrieved from SNTP information that is broadcast periodically from an SNTP server.
  • Disabled – SNTP will not be used to acquire the current time.
Polling Interval: The frequency in seconds at which the SNTP server will be accessed to obtain the correct time when Active mode is selected. Default value = 60 (poll once per minute). Valid range = 15 - 86400.
Local IP: Available options are:
  • Any – Packets will use their actual egress interface address as a source address.
  • Specific IP address – Packets will use the source address selected from a drop-down list. This may be necessary for conformity with VPN or NAT configurations.

If multiple SNTP servers are configured, the device will attempt to query the first SNTP server address. If the query is successful, it will acquire the time from that SNTP server. If the query is unsuccessful it will try the second configured server. If that is unsuccessful it will try the third. At the next polling interval, the device will again attempt to query the first SNTP server, followed by the second if necessary, then the third if necessary.

3.2.3.2 SNTP: Servers

This screen allows you to add and delete SNTP servers.

Figure 3-8. Administration: SNTP: Servers

Table 3-7 describes the fields of the SNTP: Servers screen.

Table 3-7. Administration: SNTP: Servers

Add Server Form
Server IP: Enter the IP address of an SNTP server to be accessed. Click Apply Settings to add this server to the Existing SNTP Servers table. Up to 3 servers may be added. If a server is down, the software will try the next configured server when retrieving the current time and date.
Existing Servers Table
Server IP: Lists the IP addresses of any SNTP servers already configured.
Delete: Set the Delete checkbox in a row and click Apply Settings to delete that server.

3.2.4 SNMP

The SNMP (Simple Network Management Protocol) screens enable you to specify up to four SNMP management stations and to maintain and view information in the system's MIB (Management Information Base). For more information see Section 5.5, "SNMP".

3.2.4.1 SNMP: Global Settings

The SNMP: Global Settings screen enables you to set up the system's SNMP V1/V2 or V3 agent.

Figure 3-9. Administration: SNMP: Global Settings

Table 3-8 describes the parameters you can view and configure in the SNMP: Global Settings screen.

Table 3-8. Administration: SNMP: Global Settings

Mode: Enable or disable the SNMP agent.
  • Disabled – agent does not respond to queries.
  • V1/V2 Enabled – agent only responds to v1 or v2c PDUs.
  • V3 Enabled – agent only responds to v3 PDUs.
  Default value = Disabled
Local IP: Available options are:
  • Any – Packets will use their actual egress interface address as a source address.
  • Specific IP address – Packets will use the source address selected from a drop-down list. This may be necessary for conformity with VPN or NAT configurations.
Write Access: Enable or disable write access to the MIB.
  • Disabled – agent does not allow write access to the MIB.
  • Enabled – agent allows write access to the MIB.
  Default value = Disabled
Traps: Enable or disable the sending of traps to configured trap stations. Traps are event notifications sent by the agent to a trap station.
  • Disabled – agent does not send traps to the configured trap stations.
  • Enabled – agent sends traps to the configured trap stations.
  Default value = Disabled
Read Community String: An arbitrary text string of up to 15 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for reading.
Write Community String: An arbitrary text string of up to 15 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for writing.
Engine ID: A unique identifier assigned to this SNMP agent. You can configure an engine ID that is a string 50 characters long. If you do not configure an engine ID, a 12-byte string will be assigned as the default ID. The default ID is a unique value combining the enterprise ID followed by the MAC address, IP address, or plain text. The default engine ID for an MNS-DX device is as follows:
  • The first four octets contain the Enterprise ID (39cd).
  • The fifth octet is a format identifier, which is 03 for MAC address.
  • Octets six to eleven contain the MAC address.
  • The remainder (up to the twelfth octet) is filled with zeroes.
Engine Boots: The number of times the system has booted since the current engine ID was set.
Engine Time (secs): The number of seconds elapsed since the engine ID was changed or the system booted, whichever occurred most recently.

3.2.4.2 SNMP: Management Stations

The SNMP: Management Stations screen enables you to add and delete SNMP management stations.

Figure 3-10. Administration: SNMP: Management Stations

Table 3-9 describes the parameters you can view and configure in the SNMP: Management Stations screen.

Table 3-9. Administration: SNMP: Management Stations

Add Station Form
IP Address: Enter the IP address of a management station that is allowed to query the SNMP agent. Click Apply Settings to add this address to the Existing Stations table. You can specify up to four management stations.
Existing Stations Table
IP Address: This table lists the IP addresses of management stations that have been configured in the system.
Delete: Set the Delete checkbox in a row and click Apply Settings to delete that management station.

3.2.4.3 SNMP: Trap Stations

This screen enables you to add trap stations (up to a total of 4) and to view and edit the parameters of existing trap stations. A trap station is a destination to which SNMP traps are sent.

Figure 3-11. Administration: SNMP: Trap Stations

Table 3-10 describes the parameters you can view and edit in the SNMP: Trap Stations screen.

Table 3-10. Administration: SNMP: Trap Stations

IP Address: The Internet Protocol address of the trap station. You can specify up to 4 trap stations.
Security Name: The content of this field depends on which version (v2 or v3) is enabled:
  • When the agent is enabled for v2 mode, this is the trap community string for the trap destination.
  • When the agent is enabled for v3 mode, this is the name of an SNMP user. The trap will be sent with the security mode and auth/priv passwords of that user.
Delete: Set the Delete checkbox in a row and click Apply Settings to delete that trap station.

3.2.4.4 SNMP: Users

This screen enables you to view and edit SNMP security provisions for individual users.

Figure 3-12. Administration: SNMP: Users

Table 3-11 specifies the parameters you can view and edit in the SNMP: Users screen.

Table 3-11. Administration: SNMP: Users

User Name: A unique security name of up to 32 printable characters for an SNMP user.
Security Mode: The level of security that the user is allowed. There are five types of security:
  • None – No authentication or encryption
  • MD5 – MD5 authentication, no encryption
  • SHA – SHA-1 authentication, no encryption
  • MD5-DES – MD5 authentication, DES encryption
  • SHA-DES – SHA-1 authentication, DES encryption
Auth Password: Enter a password to be used for generating the authentication keys. Allowed password length is 8 to 40 characters.
Retype Password: Re-type the authentication password to confirm it.
Privacy Password: Enter a password to be used for generating the encryption keys. Allowed password length is 8 to 40 characters.
Retype Password: Re-type the privacy password to confirm it.
Delete: Set the Delete checkbox in a row and click Apply Settings to delete that user.

3.2.4.5 SNMP: Statistics

This screen enables you to view detailed SNMP performance statistics.

Figure 3-13. Administration: SNMP: Statistics

Table 3-12 describes the values you can view in the SNMP: Statistics screen.

Table 3-12. Administration: SNMP: Statistics

In Packets: The total number of messages delivered to the SNMP protocol entity from the transport service.
Bad Versions: The total number of SNMP messages which were delivered to the SNMP protocol entity and were for an unsupported SNMP version.
In Bad Community Names: The total number of SNMP messages delivered to the SNMP protocol entity which used an SNMP community name not known to the entity.
In Bad Community Uses: The total number of SNMP messages delivered to the SNMP protocol entity which represented an SNMP operation not allowed by the SNMP community named in the message.
In ASN Parse Errors: The total number of Abstract Syntax Notation One (ASN.1) or Basic Encoding Rules (BER) errors encountered by the SNMP protocol entity when decoding received SNMP messages.
Enable Auth Traps: Indicates whether the SNMP agent process is permitted to generate authentication-failure traps. The value of this object overrides any configuration information; thus, it provides a means whereby all authentication-failure traps may be disabled.
Out Packets: The total number of SNMP messages which were passed from the SNMP protocol entity to the transport service.
In Bad Types: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is "badType".
In Too Bigs: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is "tooBig".
Out Too Bigs: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is "tooBig".
In No Such Names: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is "noSuchName".
Out No Such Names: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is "noSuchName".
In Bad Values: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is "badValue".
Out Bad Values: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is "badValue".
In Read Onlys: The total number of valid SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is "readOnly".
Out Read Onlys: The total number of valid SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is "readOnly".
In Gen Errors: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is "genErr".
Out Gen Errors: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is "genErr".
In Get Requests: The total number of SNMP Get-Request PDUs which have been accepted and processed by the SNMP protocol entity.
Out Get Requests: The total number of SNMP Get-Request PDUs which have been generated by the SNMP protocol entity.
In Get Nexts: The total number of SNMP Get-Next PDUs which have been accepted and processed by the SNMP protocol entity.
Out Get Nexts: The total number of SNMP Get-Next PDUs which have been generated by the SNMP protocol entity.
In Set Requests: The total number of SNMP Set-Request PDUs which have been accepted and processed by the SNMP protocol entity.
Out Set Requests: The total number of SNMP Set-Request PDUs which have been generated by the SNMP protocol entity.
In Get Responses: The total number of SNMP Get-Response PDUs which have been accepted and processed by the SNMP protocol entity.
Out Get Responses: The total number of SNMP Get-Response PDUs which have been generated by the SNMP protocol entity.
In Traps: The total number of SNMP Trap PDUs which have been accepted and processed by the SNMP protocol entity.
Out Traps: The total number of SNMP Trap PDUs which have been generated by the SNMP protocol entity.
In Total Req Vars: The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
In Total Set Vars: The total number of MIB objects which have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
Silent Drops: The total number of GetRequest PDUs, GetNextRequest PDUs, GetBulkRequest PDUs, SetRequest PDUs, and InformRequest PDUs delivered to the SNMP entity which were silently dropped because the size of a reply containing an alternate Response PDU with an empty variable-bindings field was greater than either a local constraint or the maximum message size associated with the originator of the request.
Proxy Drops: The total number of GetRequest PDUs, GetNextRequest PDUs, GetBulkRequest PDUs, SetRequest PDUs, and InformRequest PDUs delivered to the SNMP entity which were silently dropped because the transmission of the (possibly translated) message to a proxy target failed in a manner (other than a time-out) such that no Response PDU could be returned.
Unknown Security Models: The total number of packets received by the SNMP engine which were dropped because they referenced a securityModel that was not known to or supported by the SNMP engine.
Invalid Messages: The total number of packets received by the SNMP engine which were dropped because there were invalid or inconsistent components in the SNMP message, for example, noauth/priv. MNS-DX allows noauth/nopriv, auth/nopriv, and auth/priv but does not allow noauth/priv.
Unknown Contexts: The total number of packets received by the SNMP engine which were dropped because the context contained in the message was unknown.
Unavailable Contexts: The total number of packets received by the SNMP engine which were dropped because the context contained in the message was unavailable.
Unknown PDU Handlers: The total number of packets received by the SNMP engine which were dropped because the PDU contained in the packet could not be passed to an application responsible for handling the pduType, for example, no SNMP application had registered for the proper combination of the contextEngineID and the pduType.
Unsupported Security Levels: The total number of packets received by the SNMP engine which were dropped because they requested a securityLevel that was unknown to the SNMP engine or otherwise unavailable.
Not In Time Windows: The total number of packets received by the SNMP engine which were dropped because they appeared outside of the authoritative SNMP engine's window.
Unknown Usernames: The total number of packets received by the SNMP engine which were dropped because they referenced a user that was not known to the SNMP engine.
Unknown Engine IDs: The total number of packets received by the SNMP engine which were dropped because they referenced an snmpEngineID that was not known to the SNMP engine.
Wrong Digests: The total number of packets received by the SNMP engine which were dropped because they didn't contain the expected message digest value.
Decryption Errors: The total number of packets received by the SNMP engine which were dropped because they could not be decrypted.

3.2.5 Authentication

Authentication is the process whereby the system confirms that a prospective user is the person he or she claims to be. The authentication screens enable you to set system-wide security policies, to add or delete user accounts, and to maintain user account information.
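The Engine ID field of Table 3-8 spells out the default SNMPv3 engine ID layout, and the Unknown Engine IDs and Not In Time Windows counters of Table 3-12 are the ones that increment when a manager presents an engine ID, or engineBoots/engineTime values, that the agent does not recognise. The Python below is an added example, not GarrettCom code: it builds the default 12-byte engine ID exactly as Table 3-8 describes it (Enterprise ID 39cd, format octet 03, the MAC address, zero padding), decodes an engine ID back into those fields, and reports engine IDs shared by more than one device, since a configuration cloned between units with a hand-set engine ID defeats the per-engine boots/time window that those two counters report on. RFC 3411 sets the most significant bit of the first octet for the enterprise-number formats; the guide does not say whether MNS-DX does, so that is an optional flag that defaults to the layout as printed. The function names and the fleet listing are this example's own.

```python
# Added example: the default SNMPv3 engine ID layout from Table 3-8, a decoder,
# and a fleet-wide duplicate check. Not GarrettCom code; names are this example's own.

ENTERPRISE_ID_MNS_DX = 0x39CD    # "39cd" as quoted in Table 3-8
FORMAT_MAC_ADDRESS = 0x03        # fifth-octet format identifier for a MAC address
DEFAULT_ENGINE_ID_LEN = 12       # Table 3-8: 12-byte default, zero-padded
RFC3411_FORMAT_BIT = 0x80000000  # RFC 3411 sets this bit for enterprise-number formats
MAX_ENGINE_ID_LEN = 32           # SnmpEngineID upper bound from RFC 3411


def default_engine_id(mac: str, enterprise_id: int = ENTERPRISE_ID_MNS_DX,
                      set_format_bit: bool = False) -> bytes:
    """Build the default engine ID: 4 octets of enterprise ID, format octet 03,
    6 octets of MAC, zero padding to 12 octets. set_format_bit=True applies the
    RFC 3411 convention; whether MNS-DX does so is not stated (assumption)."""
    raw_mac = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw_mac) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    if not 0 <= enterprise_id < 1 << 31:
        raise ValueError("enterprise ID must fit in 31 bits")
    head = enterprise_id | (RFC3411_FORMAT_BIT if set_format_bit else 0)
    eid = head.to_bytes(4, "big") + bytes([FORMAT_MAC_ADDRESS]) + raw_mac
    return eid.ljust(DEFAULT_ENGINE_ID_LEN, b"\x00")


def decode_engine_id(eid: bytes) -> dict:
    """Split an engine ID in the Table 3-8 layout back into its fields.
    Raises ValueError for lengths or format octets that layout cannot produce."""
    if not 11 <= len(eid) <= MAX_ENGINE_ID_LEN:   # 11 = enterprise + format + MAC
        raise ValueError(f"engine ID length {len(eid)} out of range")
    head = int.from_bytes(eid[:4], "big")
    fmt = eid[4]
    if fmt != FORMAT_MAC_ADDRESS:
        raise ValueError(f"format octet {fmt:#04x} is not the MAC-address format")
    return {
        "enterprise_id": head & 0x7FFFFFFF,
        "rfc3411_format_bit": bool(head & RFC3411_FORMAT_BIT),
        "format": fmt,
        "mac": ":".join(f"{b:02X}" for b in eid[5:11]),
        "padding_ok": all(b == 0 for b in eid[11:]),
    }


def duplicate_engine_ids(agents: dict) -> dict:
    """agents maps a device name to its engine ID (bytes). Returns the engine IDs
    (hex) used by more than one device, with the devices sharing each. Engine IDs
    must be unique per agent: two agents answering under one ID give a manager
    inconsistent engineBoots/engineTime values, and its requests then land in the
    Not In Time Windows counter on the agent that did not set them."""
    seen = {}
    for name, eid in agents.items():
        seen.setdefault(eid, []).append(name)
    return {eid.hex(): sorted(names) for eid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    eid = default_engine_id("00:20:61:5A:92:FE")
    print(eid.hex())                 # 000039cd030020615a92fe00
    print(decode_engine_id(eid))
    # Constructed fleet: two units left with the same hand-set engine ID by a cloned config
    fleet = {"dx-site-a": default_engine_id("00:20:61:5A:92:FE"),
             "dx-site-b": default_engine_id("00:20:61:5A:92:FE"),
             "dx-site-c": default_engine_id("00:20:61:5A:A0:10")}
    print(duplicate_engine_ids(fleet))
```

When the engine ID is left at its default the MAC address keeps it unique per unit; the duplicate check matters for fleets where engine IDs were configured by hand or copied along with a configuration file.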
3.2.5.1 Authentication: Policies

The Authentication: Policies form enables you to set various time, event, and password limitations to enforce authentication.

Figure 3-14. Administration: Authentication: Policies

Table 3-13 describes the parameters you can configure when setting authentication security policies.

Note: Violations of security settings, such as failed login attempts or inactive user expiration, result in a "lock out" state. Only administrators may clear this state.

Table 3-13. Administration: Authentication: Policies

Bad login attempts before lockout: The number of consecutive failed login attempts before a user is locked out. A user is locked out by setting the Locked Out? field in the user's account to "Yes".
Default value = 5
Valid range = 1 - 5

Lockout Time: The amount of time a user account spends in the suspended state after being locked out. This parameter takes one of the following values:
• 5 minutes (default)
• 30 minutes
• 1 hour

Enforce Secure Passwords: Setting this value to 'Yes' forces password changes to comply with the following standards:
• Length of 8 characters minimum
• Must consist of at least 2 of the 3 character types*: alphabetic, numeric, printable special characters
Default value = No
*Spaces are not allowed in any password, regardless of this setting.

Password Ageing (Days): Newly created accounts that are not part of the administration group can optionally expire passwords by setting this value to the number of days a password is valid before a change is required. Accounts that attempt to log in prior to the expiration date may change the password to reset the counter.
Accounts that exceed this setting without a password change will be forced to change the password prior to accessing any other configuration screens. Valid settings for this option are:
• None
• 30 Days
• 60 Days
• 90 Days
Default value = None
Existing accounts will start the password ageing on the login attempt after this change is made.

Inactive User Expiration (Days): Newly created accounts that are not part of the administration group can be set to expire when they have been inactive (that is, no logins) for a number of days exceeding the value specified here. A setting of 0 (default) disables this feature; otherwise the number of days of inactivity before being locked out ranges from 1 to 255. Existing accounts will start the user expiration on the login attempt after this change is made.

3.2.5.2 Authentication: Accounts

The Authentication: Accounts screen enables an administrator to add and delete users and to maintain certain account information.

Figure 3-15. Administration: Authentication: Accounts

By factory default there is a single administrator account with the login name "manager" and password "manager". The Authentication: Accounts screen is available only to the administrator. Table 3-14 describes the parameters you can configure when creating a new account or editing an existing account.

Table 3-14. Administration: Authentication: Accounts

User ID: A unique ID for a user. This read-only value is assigned by the system.

Login Name: The name associated with this account. It must be entered along with the password in order to access the system's user interface. Note that each login name on a given DX device must be a unique name of up to 40 printable characters.
Group Name: Use the drop-down list to assign this user to one of three privilege levels. The privilege levels are:
• Admin: Members of this group may perform all functions including managing software, user accounts, and configuration files.
• Read-Write: Members of this group may perform all configuration functions with the exception of software, user account, and configuration file management.
• Read-Only: Members of this group are like Read-Write except they cannot change any parameters.

Suspended?: This flag determines whether or not a user is allowed to log in to the system. The suspended flag may be set or cleared at any time by an administrator.

Locked Out?: This flag also determines whether or not a user is allowed to log in to the system. The "Locked Out?" flag is set and cleared by the system based on the failed login attempts policy. This flag may also be manually cleared by an administrator. Unlike the "Suspended?" flag, it is not stored in non-volatile memory and therefore its state does not persist across resets.

Password: The password associated with this account. To create or change an account's password enter the new password here. Characters in the password are always echoed back as the bullet character (•). The field length minimum is 6 alphanumeric characters.

Re-Type Password: Confirm the initial password entry by re-typing it in this field.

Administrative Notes: This field contains arbitrary text up to 31 printable ASCII characters.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that account.

3.2.5.3 Authentication: Files

The Authentication: Files screen enables you to upload new user definition files. User definition files are .xml files that contain such information as user name, group membership, suspension status, etc.
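The lockout, password-strength and ageing rules of Table 3-13, together with the Account Lockout, Lockout Ended and Expired Account events that Section 3.3.1 lists for them, are easiest to check as a small model. The following Python program is an added illustration and is not part of MNS-DX or this guide: the class and function names are invented, the device's actual timing and message wording may differ, and the account, passwords and clock values are constructed for the example.

```python
"""Model of the Authentication: Policies rules (Table 3-13) and the lockout and expiry
events of Table 3-23. Added illustration, not MNS-DX code: names are invented."""
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

SPECIALS = set(string.punctuation)   # assumed meaning of "printable special characters"
LOCKOUT_MINUTES = {"5 minutes": 5, "30 minutes": 30, "1 hour": 60}
AGEING_DAYS = {"None": None, "30 Days": 30, "60 Days": 60, "90 Days": 90}

@dataclass
class Policy:
    bad_logins_before_lockout: int = 5     # valid range 1 - 5
    lockout_time: str = "5 minutes"
    enforce_secure_passwords: bool = False
    password_ageing: str = "None"
    inactive_user_expiration: int = 0      # 0 disables, otherwise 1 - 255 days

    def __post_init__(self):
        if not (1 <= self.bad_logins_before_lockout <= 5 and 0 <= self.inactive_user_expiration <= 255
                and self.lockout_time in LOCKOUT_MINUTES and self.password_ageing in AGEING_DAYS):
            raise ValueError("value outside the choices offered by the Policies form")

def password_problems(policy: Policy, pw: str) -> list:
    """Reasons a new password is rejected; an empty list means it is accepted."""
    problems = []
    if " " in pw:                          # never allowed, regardless of the policy
        problems.append("contains a space")
    if len(pw) < 6:                        # field minimum of Tables 3-14 and 3-18
        problems.append("shorter than 6 characters")
    if policy.enforce_secure_passwords:
        if len(pw) < 8:
            problems.append("shorter than 8 characters")
        kinds = [any(c.isalpha() for c in pw), any(c.isdigit() for c in pw), any(c in SPECIALS for c in pw)]
        if sum(kinds) < 2:
            problems.append("fewer than 2 of the 3 character types")
    return problems

@dataclass
class Account:
    login: str
    group: str = "Read-Write"              # Admin, Read-Write or Read-Only
    suspended: bool = False                # set by an administrator; persists across resets
    locked_out: bool = False               # set by the system; not stored in non-volatile memory
    consecutive_failures: int = 0
    lockout_until: Optional[datetime] = None
    password_set: Optional[datetime] = None
    last_login: Optional[datetime] = None
    events: list = field(default_factory=list)   # messages in the wording of Table 3-23

def attempt_login(policy: Policy, acct: Account, password_ok: bool, now: datetime) -> bool:
    """Apply the lockout and inactivity rules to one login attempt; True if it succeeds."""
    if acct.locked_out and acct.lockout_until and now >= acct.lockout_until:    # Lockout Ended
        acct.locked_out, acct.consecutive_failures = False, 0
        acct.events.append(f"Suspension timeout has elapsed for user {acct.login}.")
    if acct.suspended or acct.locked_out:
        return False
    idle_limit = policy.inactive_user_expiration                                # non-admin accounts only
    if idle_limit and acct.group != "Admin" and acct.last_login and (now - acct.last_login).days > idle_limit:
        acct.locked_out = True                                                  # Expired Account
        acct.events.append(f"User {acct.login} expired.")
        return False
    if not password_ok:
        acct.consecutive_failures += 1
        acct.events.append(f"User {acct.login} failed to authenticate.")
        if acct.consecutive_failures >= policy.bad_logins_before_lockout:       # Account Lockout
            acct.locked_out = True
            acct.lockout_until = now + timedelta(minutes=LOCKOUT_MINUTES[policy.lockout_time])
            acct.events.append(f"Account {acct.login} has been locked out for bad logins.")
        return False
    acct.consecutive_failures, acct.last_login = 0, now
    acct.events.append(f"User {acct.login} logged in.")
    return True

def password_change_required(policy: Policy, acct: Account, now: datetime) -> bool:
    """Password Ageing: a non-admin account past the window must change its password first."""
    limit = AGEING_DAYS[policy.password_ageing]
    if limit is None or acct.group == "Admin" or acct.password_set is None:
        return False
    return (now - acct.password_set).days > limit

def demo() -> dict:
    """Walk one constructed account through the policy and report what happened."""
    pol = Policy(bad_logins_before_lockout=3, enforce_secure_passwords=True)
    t0 = datetime(2007, 1, 22, 8, 0, 0)                                        # constructed clock
    acct = Account(login="operator", password_set=t0)
    failed = [attempt_login(pol, acct, False, t0 + timedelta(seconds=i)) for i in range(3)]
    return {
        "failed": failed,
        "locked_out_at_4min": not attempt_login(pol, acct, True, t0 + timedelta(minutes=4)),
        "login_after_timer": attempt_login(pol, acct, True, t0 + timedelta(minutes=6)),
        "weak_pw": password_problems(pol, "letters"),
        "ok_pw": password_problems(pol, "Relay-Closure7"),
        "ageing_due": password_change_required(Policy(password_ageing="30 Days"), acct, t0 + timedelta(days=31)),
        "events": acct.events,
    }
```

Running demo() shows three consecutive bad passwords locking the constructed account, a correct password four minutes later still being refused, and the attempt after the 5-minute Lockout Time succeeding with the Lockout Ended message logged first; password_problems() is the check Enforce Secure Passwords applies to a new password, with the no-spaces rule enforced whether or not the policy is on.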
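The four upload conditions listed in Table 3-15 can be checked before a user definition file is uploaded. The following Python validator is an added illustration, not MNS-DX code: only the UserAccountTable and UserAccountEntry tag names come from this guide; the child tags LoginName, GroupName and Suspended, the 16-user limit and the two sample files are assumptions constructed for the example.

```python
"""Validator for an MNS-DX user definition (.xml) upload, following the conditions
listed for the Authentication: Files screen (Table 3-15).
Added illustration, not MNS-DX code. Only the UserAccountTable and UserAccountEntry
tag names come from the guide; LoginName, GroupName, Suspended and MAX_USERS are assumed."""
import xml.etree.ElementTree as ET
from collections import Counter

MAX_USERS = 16   # assumed; the guide only says "the maximum number of supported users"
GROUPS = {"Admin", "Read-Write", "Read-Only"}


def validate_user_file(xml_text: str, max_users: int = MAX_USERS) -> list:
    """Return the reasons the upload would fail; an empty list means it is accepted."""
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"invalid XML: {exc}"]

    # Condition 1a: exactly one UserAccountTable (the root element may be it).
    tables = ([root] if root.tag == "UserAccountTable" else []) + root.findall(".//UserAccountTable")
    if len(tables) != 1:
        return [f"expected one UserAccountTable, found {len(tables)}"]

    entries = tables[0].findall("UserAccountEntry")
    logins, admins_available = [], 0
    for i, entry in enumerate(entries, 1):
        # Condition 1b: only one instance per tag inside each UserAccountEntry.
        dup = [tag for tag, n in Counter(child.tag for child in entry).items() if n > 1]
        if dup:
            errors.append(f"entry {i}: duplicate tag(s) {sorted(dup)}")
        login = (entry.findtext("LoginName") or "").strip()
        group = (entry.findtext("GroupName") or "").strip()
        suspended = (entry.findtext("Suspended") or "No").strip().lower() == "yes"
        if not login or len(login) > 40 or not login.isprintable():   # Login Name rule of Table 3-14
            errors.append(f"entry {i}: login must be 1-40 printable characters")
        if group not in GROUPS:
            errors.append(f"entry {i}: unknown group {group!r}")
        logins.append(login)
        if group == "Admin" and not suspended:
            admins_available += 1

    # Condition 1c: each login appears once.
    for login, n in Counter(logins).items():
        if n > 1:
            errors.append(f"login {login!r} appears {n} times")
    # Condition 2: not more users than the device supports.
    if len(entries) > max_users:
        errors.append(f"{len(entries)} users exceeds the limit of {max_users}")
    # Condition 3 needs no check: a file with no users is valid and the default account is created.
    # Condition 4: with at least one account, one of them must be an unsuspended administrator.
    if entries and admins_available == 0:
        errors.append("no unsuspended Admin account in the file")
    return errors


# Constructed sample uploads (not taken from the guide).
GOOD_FILE = """<UserAccountTable>
  <UserAccountEntry><LoginName>manager</LoginName><GroupName>Admin</GroupName><Suspended>No</Suspended></UserAccountEntry>
  <UserAccountEntry><LoginName>operator</LoginName><GroupName>Read-Only</GroupName><Suspended>No</Suspended></UserAccountEntry>
</UserAccountTable>"""

BAD_FILE = """<UserAccountTable>
  <UserAccountEntry><LoginName>manager</LoginName><GroupName>Admin</GroupName><Suspended>Yes</Suspended></UserAccountEntry>
  <UserAccountEntry><LoginName>manager</LoginName><LoginName>dup</LoginName><GroupName>Read-Write</GroupName></UserAccountEntry>
</UserAccountTable>"""
```

validate_user_file(BAD_FILE) reports the duplicated LoginName tag, the login name that appears twice, and the absence of an unsuspended Admin account, which is the case that would otherwise leave the device with no usable administrator after the upload; an empty UserAccountTable is accepted, as condition 3 says.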
You can examine the contents of a user definition file by clicking on the hyperlinked .xml file name and viewing it in your browser. The Upload feature of this screen enables you to import user definition files from other systems.

Figure 3-16. Administration: Authentication: Files

Table 3-15. Administration: Authentication: Files

Browse: To install a new user definition file:
1. Browse to a file on your local system, or enter the full path name of a user definition file.
2. Click Upload.
Uploading a new file will be successful if the following conditions are met:
1. The uploaded file contains valid XML formatting consisting of:
• Only one instance of the UserAccountTable tag
• Only one instance per tag in each UserAccountEntry
• Only one instance of each login
2. The number of users contained in the file does not exceed the maximum number of supported users.
3. Files containing no users are valid; the default login account will be created.
4. If more than 0 accounts are specified, at least one account in the new configuration file is an unsuspended administrator.

3.2.6 Sessions

The sessions screens enable you to set login session policies and to monitor active logins.

3.2.6.1 Sessions: Policies

This screen enables you to configure the maximum idle time for a session.

Figure 3-17. Administration: Sessions: Policies

Table 3-16 describes the parameter you can configure in the Sessions: Policies screen.

Table 3-16. Administration: Sessions: Policies

Maximum Idle Time: The amount of time a user session may be idle before it is automatically deleted by the system. Possible values are:
• None (Sessions never time out)
• 5 minutes
• 30 minutes
• 1 hour
• 24 hours

3.2.6.2 Sessions: Active Logins

This screen enables you to view the active login sessions on the device.

Figure 3-18. Administration: Sessions: Active Logins
Table 3-17 describes the information displayed in the Sessions: Active Logins screen.

Table 3-17. Administration: Sessions: Active Logins

Session: A unique identifier for a session.
Username: The username that is logged in to the session described in this table row.
Client Host: The IP address of the remote client.
Login Time: The time at which the user logged in to the system.
Last Activity: The last time the user was active in the session.
Delete: Set the Delete checkbox in a row and click Apply Settings to disconnect that active session.

Note: the last saved administrator account is always preserved.

3.2.7 Change Password

This screen enables you to change your password. The administrator can also change any user's password from the Authentication: Accounts screen, described in Section 3.2.5.2.

Figure 3-19. Administration: Change Password

Table 3-18 describes the parameters you can configure in the Change Password screen.

Table 3-18. Administration: Change Password

Old Password: Enter the old password.
Password: Enter the new password here. Characters in the password are always echoed back as the bullet character (•). The field length minimum is 6 alphanumeric characters.
Re-Type Password: Confirm the initial password entry by re-typing it in this field.

3.2.8 Software Upgrade

The Administration: Software Upgrade screen enables you to perform software upgrades or to return to a previous software image. The upgrade will be done via the protocol you first used in connecting to the interface, either HTTP or HTTPS. Use the following procedure to install a software upgrade:
1. Browse to a file on your local system, or enter the full path name of a configuration file and click Upload. When the new configuration file is successfully uploaded it will appear in the "Existing Images" window as "New" and a "Ready to Upgrade" message will appear.
2. Click the Upgrade button. The system will reboot.
3. Reconnect your browser to the system and return immediately to the Administration: Software Upgrade window. Click the Finalize button.

TIP: Remember that a successful upgrade requires the clicking of three buttons: Upload, Upgrade, and after a reboot, Finalize. Because some time passes while the system reboots and you reconnect your browser it is easy to overlook the third step. Don't Forget to Finalize!

3.2.8.1 Software Upgrade States

Figure 3-20 and Table 3-19 describe the entire software upgrade finite state machine.

Figure 3-20. Software Upgrade State Machine

Table 3-19. Upgrade States and User Actions

New Software: User copies a valid software image.
Reboot: User reboots the system.
Upgrade: User clicks Upgrade button.
Finalize: User clicks Finalize button, approving upgrade.
Fallback: User clicks the Fallback button. Next system reboot loads the Fallback image.
Retry: User clicks the Retry button.

Figure 3-21 depicts an Administration: Software Upgrade window after a successful upgrade.

Figure 3-21. Administration: Software Upgrade

Table 3-20 describes the parameters you can view and configure in the Software Upgrade screen.

Table 3-20. Administration: Software Upgrade

Install Form

File: To install a new software image:
1. Browse to a file on your local system, or enter the full path name of a configuration file.
2. Click Upload.
The system checks to make sure that the uploaded software is valid for this hardware and that it appears to be a good image (not corrupt). If it is valid, then:
1. The filename is added to the Existing Images Table and is given the designation "new" in the Use column.
2. The status reported in the Software Upgrade process state table is changed to "READY TO UPGRADE."

Existing Images Table

Filename: This table displays either one or two filenames. If the value displayed in the Software Upgrade process state table is "INITIAL" then this is the initial software installation and only one filename is displayed. In all other cases two filenames are displayed.
Version: The version number of the software described in this table row.
Use: The values displayed in the Use column depend on the state of the system. (See Table 3-21.)

Software Upgrade Table

State: This field reports the state of the upgrade process. (See Table 3-21.)
Button: The buttons displayed below the State field enable you to initiate a change in the state of the software upgrade. The number and purpose of the buttons displayed depends on the state of the software.

Table 3-21 describes the options available to you depending on the State and Use of the software images.

Table 3-21. Software Upgrade States (State: Button)

INITIAL: none
READY TO UPGRADE: Upgrade. Click this button to reboot the system and load the new image. (Note that an upgrade by any means other than clicking the Upgrade button in this screen will also result in the loading of the new image.)
UPGRADING: Finalize. Click this button to approve the upgrade. (Note that if the system reboots for any reason while in the UPGRADING state it will fall back to the previous image.)
UPGRADED: Fallback. Click this button to reboot with the previous image.
FALLBACK: Retry. Click this button to attempt the upgrade process again (move to the READY TO UPGRADE state).

The system will automatically reboot during the transition from UPGRADING to FALLBACK and the transition from READY TO UPGRADE to UPGRADING because a new software image needs to be loaded in order to complete these transitions.

3.2.9 Configuration

The Configuration: Files and the Configuration: Defaults screens enable you to make system-wide changes by installing a new system configuration file or by returning to factory defaults.

3.2.9.1 Configuration: Files

This screen enables you to install and manage configuration files. When the system is shipped from the factory, it contains a single current configuration file with factory default values called "config0.xml". Subsequent configuration files will contain the administrator's saved settings.

Figure 3-22. Administration: Configuration: Files

Table 3-22 describes the tasks you can perform in the Configuration Files screen.

Table 3-22. Administration: Configuration: Files

Install Form

File: To install a configuration file:
1. Browse to a file on your local system, or enter the full path name of a configuration file.
2. Click Upload.
Browse: Browse to select a configuration file on your local system.
Upload: Click this button to make the file specified in the File: field the "Current" configuration file. If the configuration is valid the system is reconfigured according to the contents of the file.

Configurations Table

Filename: This column lists all configuration files present in the system.
Version: This value identifies the software version that was running when the system wrote this configuration file.
Fallback: "Yes" identifies the Fallback configuration file. This file is used to save a copy of the configuration during initialization when the software upgrade state is UPGRADING. The "Fallback" file is designated "Current" when you tell the system to go to the FALLBACK state of software upgrade.
Current: The selected radio button identifies the current configuration file. This is the file to which the current configuration data is written when you save it. This is also the file used for configuration when the software starts up.
Delete: Set the Delete checkbox in a row in the Configurations table and click Apply Settings to delete that configuration file.

You may encounter error messages when creating or saving configuration files if the uploaded file:
• Specifies a version beyond the current software version.
• Specifies a model other than the current system.
• Contains syntactically invalid XML code.
• Has the same name as an existing file on the system.

3.2.9.2 Configuration: Defaults

This screen enables you to restore the system configuration to default values.

NOTE: Default values do not necessarily mean "factory default" values. While most parameters will take on their factory defaults, the following exceptions apply:
• System IP Address and Mask – Set to the IP address/mask configured in the boot menu.
• Default Gateway – Set to the default gateway configured in the boot menu.

Figure 3-23. Administration: Configuration: Defaults

Click the Restore button to restore system defaults.

3.2.10 System Reboot

This Reboot screen enables you to shut down and restart the system.

Figure 3-24. Administration: System Reboot

Click the Reboot button to reset the system.
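The software upgrade state machine of Section 3.2.8.1 (Figure 3-20, Tables 3-19 and 3-21) can be written out as a transition table, which makes the point of the TIP in Section 3.2.8 explicit: an image that is never finalized is discarded at the next reboot. The following Python model is an added illustration, not MNS-DX code. The states, events and buttons are taken from the tables; because Figure 3-20 is not reproduced in the text, the transitions marked as assumed (New Software arriving in the UPGRADED or FALLBACK state, and a reboot outside the UPGRADING state leaving the state unchanged) are the editor's reading of the tables' notes, and the version strings are constructed.

```python
"""Software upgrade finite state machine of Section 3.2.8.1 (Tables 3-19 and 3-21).
Added illustration, not MNS-DX code. States, events and buttons come from the tables;
Figure 3-20 itself is not in the text, so the transitions below are an assumption
consistent with the tables' notes (Reboot while UPGRADING falls back, Retry returns to
READY TO UPGRADE, Upgrade and Fallback reboot into a different image)."""

# (state, event) -> next state
TRANSITIONS = {
    ("INITIAL", "New Software"): "READY TO UPGRADE",
    ("UPGRADED", "New Software"): "READY TO UPGRADE",   # assumed: a new image restarts the cycle
    ("FALLBACK", "New Software"): "READY TO UPGRADE",   # assumed
    ("READY TO UPGRADE", "Upgrade"): "UPGRADING",
    ("UPGRADING", "Finalize"): "UPGRADED",
    ("UPGRADING", "Reboot"): "FALLBACK",                 # Table 3-21 note: any reboot falls back
    ("UPGRADED", "Fallback"): "FALLBACK",
    ("FALLBACK", "Retry"): "READY TO UPGRADE",
}
# Buttons shown below the State field in each state (Table 3-21).
BUTTONS = {
    "INITIAL": (),
    "READY TO UPGRADE": ("Upgrade",),
    "UPGRADING": ("Finalize",),
    "UPGRADED": ("Fallback",),
    "FALLBACK": ("Retry",),
}


class UpgradeProcess:
    def __init__(self, running="1.0"):     # constructed version strings
        self.state = "INITIAL"
        self.running = running             # image the system is booted from
        self.previous = None               # image a fallback would load
        self.new_image = None              # image uploaded but not yet booted
        self.reboots = 0

    def buttons(self):
        return BUTTONS[self.state]

    def handle(self, event, version=None):
        """Apply one Table 3-19 event; raise if it is not available in the current state."""
        if event == "Reboot" and self.state != "UPGRADING":   # assumed: only UPGRADING is reboot-sensitive
            self.reboots += 1
            return self.state
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{event!r} is not available in state {self.state}")
        if event == "New Software":
            self.new_image = version
        elif event == "Upgrade":                       # reboot and load the new image
            self.previous, self.running = self.running, self.new_image
            self.reboots += 1
        elif event in ("Reboot", "Fallback"):          # reboot and load the previous image
            self.running, self.previous = self.previous, self.running
            self.reboots += 1
        self.state = TRANSITIONS[key]
        return self.state


def walkthrough(finalize: bool) -> dict:
    """The three-button procedure of Section 3.2.8, with or without the Finalize click."""
    p = UpgradeProcess()
    trace = [p.handle("New Software", version="2.0"), p.handle("Upgrade")]
    trace.append(p.handle("Finalize") if finalize else p.handle("Reboot"))
    return {"trace": trace, "running": p.running, "buttons": p.buttons(), "reboots": p.reboots}
```

walkthrough(True) ends in UPGRADED running the new image with only the Fallback button offered; walkthrough(False), where the operator reconnects and reboots instead of clicking Finalize, ends in FALLBACK running the old image with only Retry offered, which is the situation the TIP warns about.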
3.3 Events Tasks

Events are a specified set of actions or attempted actions that are recorded in log files or sent to a visual display to enable a system administrator to monitor system activity. MNS-DX specifies a set of events (see Table 3-23) that are recorded in log files on the management server. These log files are configured with the Logs: Global Settings screen described in Section 3.3.1.1, and user access to these log files is provided by the Logs: Files screen, described in Section 3.3.1.2. MNS-DX also supports the syslog protocol for collecting event information and delivering it to a remote device. For more on syslog see Section 3.3.2.

3.3.1 Logs

The following system events are logged by MNS-DX in the log files on the management server described in Section 3.3.1.2:

Table 3-23. Logged Events (Event: "logged message", followed by its description)

Login: "User loginname logged in." A user with login name loginname logged into the system through the web interface.
Logout: "User loginname logged out." A user with login name loginname logged out of the system through the web interface.
Maximum Users: "Maximum number of users reached." The maximum number of user accounts has already been reached and an administrator has tried to add an additional user to the system.
New Account: "New user loginname created in group groupname." An administrator created a new user named loginname and assigned that user to permission group groupname.
Password Change: "Password for user loginname has been changed." A user's password was changed. This may be due to the user updating the password or to an administrator setting a new password for the user in the Authentication: Accounts screen.
Failed Login: "User loginname failed to authenticate." Someone attempted to log in to the system using the user name loginname, but the login was rejected due to a bad password.
When the consecutive number of failed logins equals the number set in the Authentication: Policies screen the Account Lockout event is launched (see below).

Account Lockout: "Account loginname has been locked out for bad logins." A user account, with login name loginname, was suspended because the user entered a password incorrectly too many times in a row.
Lockout Ended: "Suspension timeout has elapsed for user loginname." A user who had been automatically suspended by the system for bad logins has been moved out of the locked out state by the system because the lockout timer (set in the Authentication: Policies screen) expired.
Suspension Cleared: "Account lockout cleared for user loginname (UID nn)." An administrator manually moved an account out of the suspended state.
Account Deleted: "User loginname (UID uid) was deleted." A user account was deleted by an administrator.
Expired Account: "User loginname expired." A user account expired due to inactivity (that is, no logins over a specified time period).
Suspended Account: "User loginname was suspended." A user was suspended by an administrator.
Hacking Attempt: "Possible hacking attempt: n failed login attempts in m minutes." A number of unsuccessful logins have occurred within some time interval. This pattern is recognized by the system and logged as a warning to administrators.
Ethernet Link Up: "Ethernet port Ex is up." Link was detected on Ethernet port Ex.
Serial Link Up: "Serial port Sx is up." Link was detected on Serial port Sx.
Ethernet Link Down: "Ethernet port Ex is down." Link was lost on Ethernet port Ex. This could be because the link was physically lost or because the port was administratively disabled.
Serial Link Down: "Serial port Sx is down." Link was lost on Serial port Sx.
This could be because the RS-232 handshake signals are off or because the port was administratively disabled.
Unable to Connect: "Could not connect to remote host ipaddr (tcpport) on channel Sx." The terminal server channel for Serial port Sx is configured to call out to a remote host at IP address ipaddr and TCP port tcpport, but that host is either unreachable or actively refused the connection.
Host Unreachable: "Serial port Sx reports that the host at ipaddr is unreachable." The terminal server channel for Serial port Sx is configured to call out to a remote host at IP address ipaddr but the system has no route to the destination address.
Connection Refused: "Serial port Sx reports that the connection to the host at ipaddr (tcpport) was refused." The terminal server channel for Serial port Sx is configured to call out to a remote host at IP address ipaddr and TCP port tcpport, but the host actively refused the connection.
Lost Connection: "Lost connection with host ipaddr (tcpport) on channel Sx." The terminal server channel for Serial port Sx was connected but the system lost contact with the remote host. The remote host may have actively torn down the connection or the connection may have been flagged as dead due to lack of response to TCP keep-alive messages.
Handshake Failed: "Serial port Sx reports that the host at ipaddr (tcpport) did not respond to the SSL handshake." The terminal server channel for Serial port Sx is configured for SSL security. During the authentication phase of the SSL handshake, the peer did not respond. This is likely because the connection was made to a non-SSL enabled host. See the SSL troubleshooting section (Section A.9) for more information.
Handshake Problem: "Serial port Sx experienced a problem (problemdescription) while connecting to the host at ipaddr (tcpport)."
The terminal server channel for Serial port Sx is configured for SSL security. During the authentication phase of the SSL handshake, a problem occurred and the handshake did not complete. Possible problems include:
• unknown protocol
• no shared cipher
Certificate Problem: "Serial port Sx reports that the certificate presented by the host at ipaddr (tcpport) was invalid (problemdescription)." The terminal server channel for Serial port Sx is configured for SSL security. During the authentication phase of the SSL handshake, the peer certificate could not be validated. Possible reasons include:
• certificate expired
• certificate is not yet valid
• self signed certificate in certificate chain
See the SSL troubleshooting section (Section A.9) for more information.
SSL Alert Message: "Serial port Sx received a notification (notification) from the host at ipaddr (tcpport)." The terminal server channel for Serial port Sx is configured for SSL security. During the SSL handshake the peer detected a problem and sent an alert message. Possible alerts include:
• certificate expired
• certificate is not yet valid
• unknown ca
See the SSL troubleshooting section (Section A.9) for more information.
RADIUS Server Unreachable: "Unable to contact any of the configured RADIUS servers." The system is configured to contact a RADIUS server to perform user authentication but none of the configured servers are reachable over the network.
Boot Complete: "Warm start." The system rebooted.
SPD Packet Discard: "Packet(s) discarded for not matching SPD rules." Check the source and destination IP address setup and tunnel state at both ends.
IKE Packet Discard: "Packet(s) discarded due to tunnel Phase II incomplete." This state is usually temporary as the tunnel transitions to Phase II.
IKE Phase I Fail: Phase I negotiation failed, most likely due to parameter mismatching of authentication or Diffie-Hellman information.
IKE Phase I Success: IKE Phase 1 negotiation completed successfully.
IKE Phase II Fail: Phase II negotiation failed.
VPN Up: IKE Phase 2 negotiation completed successfully and the tunnel is carrying traffic.
Sequence Number Overflow: IPsec sequence numbers have exceeded the boundary. This event is informational and should cause the tunnel to re-key.
Soft Life Time Expired: The soft life time for the tunnel has expired. The tunnel will re-key the next time a packet is received that must go through the tunnel. This is part of the normal operation of the tunnel.
Hard Life Time Expired: The hard life time for the tunnel has expired. The tunnel state will be deleted and must be re-negotiated.

3.3.1.1 Logs: Global Settings

This screen enables you to specify the frequency of creation, the number, and the size of log files.

Figure 3-25. Events: Logs: Global Settings

Table 3-24 specifies the valid values for fields of the Logs: Global Settings form.

Table 3-24. Events: Logs: Global Settings

Mode: The available values are:
• Enabled – record events in the system log.
• Disabled – do not record events in the system log.
Default value = disabled

Create New Log File: Indicates how often a new log file should be started, regardless of the size of the current file. This parameter takes one of the following values:
• Daily: start a new log file at the beginning of each day (default).
• Weekly: start a new log file at the beginning of each week.
• Monthly: start a new log file at the beginning of each month.
When logging begins, a new file is created with the name "YYYYMMDDHHMMSS.log".

Max Log Files: Specify the maximum number of log files to be preserved at any one time.
Default value = 14
Valid range = 1 - 100

Max Log File Size (KB): Specify the maximum size, in KB, of any log file. If the current log file becomes full, a new log file is created. Default value = 32KB.

Delete Old Files: Indicates whether or not old log files should be deleted when the maximum number of log files is reached and a new log file must be created. If you do not specify the deletion of old files no new log files will be created after the Max Log Files value is reached. Default value = Yes.

Use the Create New Log File, Max Log Files, Max Log File Size, and Delete Old Files parameters to structure your view of the history of events on the system. The total amount of available space on the system is now displayed on the System Information screen. Choose the values for these parameters based on the size of your system, the number of users, and the level of activity. This will take some experimentation. If, for instance, you want to create daily log files so that all the events for one 24-hour period will be included in a single file, it would be wise to specify a high Max Log File Size value at first, then observe the actual file size produced by routine operations and adjust the specification accordingly. Your observation of daily performance can be used as a basis for specifying the parameters appropriate to longer intervals; that is, a weekly log file ought to have a Max Log File Size about seven times gre
ater than that of a correctly-sized daily log file. When choosing the amount of space to allocate for logs keep in mind that space should be allowed for system files to grow (for example, software images, configuration files, PEM files, internal system files, etc.). We suggest allocating a maximum of 2 MB for logs.
Note that if you do not set Delete Old Files to Yes (the default), MNS-DX will stop creating log files when the Max Log Files value is reached.

3.3.1.2 Logs: Files

This screen enables you to view a particular log by clicking on its hyperlinked file name. This will open the log file in the text editor configured for the .log suffix on your system. You can also delete a log file by checking the appropriate Delete box and pressing the Apply Settings button.

Figure 3-26. Events: Logs: Files

Table 3-25 explains how to use the fields in the Logs: Files table.

Table 3-25. Events: Logs: Files

Filename: The names and sizes of log files available for viewing. The log file that is currently active for writing is also flagged under the Status column. Click a hyperlinked file name to display a plain text version of the log file.
Delete: Set the Delete checkbox in a row and click Apply Settings to delete that log file.

Log files are written as ASCII text in syslog format. For example:

<6>Jan 22 08:18:35 2007 192.168.1.2 Ethernet port E2 is down.
<6>Jan 22 08:18:40 2007 192.168.1.2 Ethernet port E4 is up.
<6>Jan 22 08:18:54 2007 192.168.1.2 Ethernet port E2 is up.
<6>Jan 22 08:34:23 2007 192.168.1.2 User 'manager' logged in.
<6>Jan 22 09:38:58 2007 192.168.1.2 User 'manager' idled out.

3.3.2 Syslog

Syslog is a protocol for sending event messages over an IP network to remote servers called "event message collectors." The syslog protocol is defined in RFC 3164. You enable syslog functionality with the Syslog: Global Settings screen, described in Section 3.3.2.1. You specify the IP addresses of the remote devices that will serve as syslog collectors in the Syslog: Collectors screen, described in Section 3.3.2.2.
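The log format shown in Section 3.3.1.2 follows the RFC 3164 line layout referred to above, with the year inserted after the time. The following Python program is an added illustration, not MNS-DX code: it parses lines in that format and applies the same kind of check as the Hacking Attempt event of Table 3-23 (n failed login attempts in m minutes) to a log read from a file or from a collector. The sample lines are constructed in the guide's format, the failed-login message is assumed to quote the login name the way the 'manager' sample lines do, the severity value 4 on those lines is constructed, and the threshold and window are parameters because the guide does not state the device's values.

```python
"""Parser for the MNS-DX log line format of Section 3.3.1.2 (syslog-style lines with a
year after the time), plus a sliding-window detector for the burst of failed logins that
Table 3-23 reports as "Possible hacking attempt: n failed login attempts in m minutes".
Added illustration, not MNS-DX code. The sample lines are constructed in the guide's
format; the quoted login name in the failed-login message, the severity 4 on those lines,
and the threshold and window values are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                            # PRI = facility * 8 + severity
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "   # e.g. Jan 22 08:18:35 2007
    r"(?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"^User '(?P<user>[^']+)' failed to authenticate\.$")   # assumed wording

# Constructed sample log in the guide's format (not taken from the guide).
SAMPLE_LOG = """<6>Jan 22 08:18:35 2007 192.168.1.2 Ethernet port E2 is down.
<6>Jan 22 08:18:40 2007 192.168.1.2 Ethernet port E4 is up.
<6>Jan 22 08:34:23 2007 192.168.1.2 User 'manager' logged in.
<4>Jan 22 09:40:01 2007 192.168.1.2 User 'manager' failed to authenticate.
<4>Jan 22 09:40:09 2007 192.168.1.2 User 'manager' failed to authenticate.
<4>Jan 22 09:40:20 2007 192.168.1.2 User 'manager' failed to authenticate.
<4>Jan 22 10:15:00 2007 192.168.1.2 User 'operator' failed to authenticate.
<6>Jan 22 10:15:30 2007 192.168.1.2 User 'operator' logged in."""


def parse_line(line: str) -> dict:
    """Split one log line into facility, severity, timestamp, host and message."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not in MNS-DX log format: {line!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"),
            "host": m["host"], "msg": m["msg"]}


def detect_bursts(lines, threshold=3, window_minutes=5):
    """Return (login, failures, time) for each run of `threshold` failed logins by one
    login name inside `window_minutes`; one alert per burst."""
    recent = defaultdict(deque)          # login name -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        fm = FAILED_RE.match(rec["msg"])
        if not fm:
            continue
        user, t = fm["user"], rec["time"]
        window = recent[user]
        window.append(t)
        while (t - window[0]).total_seconds() > window_minutes * 60:   # drop failures that are too old
            window.popleft()
        if len(window) >= threshold:
            alerts.append((user, len(window), t))
            window.clear()
    return alerts
```

With the defaults, detect_bursts(SAMPLE_LOG.splitlines()) raises one alert for 'manager' at 09:40:20 (three failures inside 19 seconds) and none for 'operator', whose single failure is followed by a successful login; the same function can be pointed at the files described in Table 3-25 or at the stream a collector writes, and the log format check in parse_line rejects lines that are not in the device's format instead of silently skipping them.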
If syslog functionality is enabled, MNS-DX will deliver notification of syslog events to the specified collector(s). How that information is stored and displayed on the collector is a function of the software running on the collector. There are many freely available software products to manage this task.

3.3.2.1 Syslog: Global Settings

This screen enables you to enable syslog functionality.

Figure 3-27. Events: Syslog: Global Settings

Table 3-26 describes the parameters you can configure in the Syslog: Global Settings screen.

Table 3-26. Events: Syslog: Global Settings

Mode: Indicates whether or not events should be sent as Syslog messages. The available values are:
• Enabled – Send a syslog message for each event.
• Disabled – Do not send syslog messages (default).

Local IP: Available options are:
• Any – Packets will use their actual egress interface address as a source address.
• Specific IP address – Packets will use the source address selected from a drop-down list. This may be necessary for conformity with VPN or NAT configurations.

3.3.2.2 Syslog: Collectors

This screen enables you to specify the IP addresses of up to five syslog collectors.

Figure 3-28. Events: Syslog: Collectors

Table 3-27 describes the parameters you can edit in the Syslog: Collectors screen.

Table 3-27. Events: Syslog: Collectors

Add Collector Form
Collector IP: The IP address of a server to which syslog messages will be sent.

Existing Collector Table
Collector IP: This column lists the addresses of existing configured collectors. The maximum number of collectors is 5. By default no collectors are configured.
Delete: Set the Delete checkbox in a row and click Apply Settings to delete that collector.
3.3.3 Alarms
MNS-DX can toggle the alarm port from the normal state to a momentarily abnormal state in order to raise an alarm when certain system events are encountered.
3.3.3.1 Alarms: Port Settings
This screen enables you to enable or disable alarms on your DX device.
Figure 3-29. Events: Alarms: Port Settings
Table 3-28 describes the parameters you can view and edit in the Events: Alarms: Port Settings screen.
Table 3-28. Events: Alarms: Port Settings
Mode: Specify whether or not the alarm relay state is toggled. There are two possible values:
• Enabled – Set relay state based on configured alarm actions.
• Disabled – Keep relay in normal state at all times.
Default value = Disabled
Relay Closure Time (sec): The number of seconds the relay is kept in the abnormal state for momentary alarm actions.
Default value = 3
Valid range = 1 - 10
3.3.3.2 Alarms: Actions
This screen enables you to configure alarms on your DX device. There are six events which can be set to activate an alarm. There are two options for each of these:
• Disabled – Take no action.
• Momentary – Put the relay into the abnormal state for the relay closure time specified in the Alarms: Port Settings screen and then back to the normal state.
Figure 3-30. Events: Alarms: Actions
Table 3-29 describes the parameters you can view and edit in the Events: Alarms: Actions screen.
Table 3-29. Events: Alarms: Actions
Cold Start: Select Disabled or Momentary when a Cold Start event is detected.
Warm Start: Select Disabled or Momentary when a Warm Start event is detected.
Link Up: Select Disabled or Momentary when a Link Up event is detected.
Link Down: Select Disabled or Momentary when a Link Down event is detected.
Authentication Failure: Select Disabled or Momentary when an Authentication Failure event is detected.
RSTP/STP Reconfiguration: Select Disabled or Momentary when an RSTP/STP Reconfiguration event is detected.
3.4 Ethernet Tasks
The following subsections describe the tasks that you can perform using the screens of the Ethernet Switching branch.
3.4.1 Ports
The Ports screens enable you to configure Ethernet ports and to view port status and statistics.
3.4.1.1 Ports: Settings
This screen enables you to configure the system’s Ethernet ports.
Figure 3-31. Ethernet: Ports: Settings
Table 3-30 describes the fields you can view and edit in the Ports: Settings form.
Table 3-30. Ethernet: Ports: Settings
Port ID: Uniquely identifies a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.
Port Name: A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is “Ethernet-X” by factory default.
Media Type: Enables you to force a speed and duplex setting on an Ethernet port or set the port to auto-negotiate mode. Only speed/duplex settings appropriate for the particular interface type are allowed:
• Auto (10/100BaseTX) (default for 10/100T)
• 10T Half (10/100BaseTX)
• 10T Full (10/100BaseTX)
• 100TX Half (10/100BaseTX)
• 100TX Full (10/100BaseTX)
• 100FX Full (100BaseFX) (default for 100FX)
Flow Control: This parameter applies to full duplex ports only. Flow control is optionally implemented using the 802.3x specification for PAUSE packets. When congested, the switch will send PAUSE packets to attached devices to request temporary suspension of transmission of further frames. The following values may be selected:
• Enabled
• Disabled
Default value = Disabled
FEFI: When selected, this feature will send an alarm signal to the far-end transmitter of an optical port if the near-end receiver detects loss of signal. Also, if an alarm signal is received from a far-end transmitter, the near-end port will report its link status as down (even though it is receiving a good optical signal). The intent is to report a full duplex optical link as down even when a signal failure (for example, a fiber cut) occurs in only one direction. This is useful for automatic link recovery procedures. This parameter is ignored for copper ports.
Admin Status: Enables you to set the activity status of the port. A setting of Disabled completely turns off the port’s transmit and receive functions. By factory default all ports except the last Ethernet port (E2 on the DX40, E4 on the DX800) are disabled. The following values may be selected:
• Enabled
• Disabled
3.4.1.2 Ports: Status
This screen enables you to quickly determine the capabilities and current status of each Ethernet port in the system.
Figure 3-32. Ethernet: Ports: Status
Table 3-31 describes the information displayed in the fields of the Ports: Status screen.
Table 3-31. Ethernet: Ports: Status
Port ID: Uniquely identifies a logical Ethernet port that corresponds to a physical, labeled interface on the exterior of the product chassis.
Interface Type: A read-only field that indicates what interface is physically installed for the port specified in the Port ID column. This parameter is based on the product model and can be one of the following:
• 10/100BaseT
• 100BaseFX
Speed: A read-only field that indicates the actual speed of the communication channel. If you selected a particular Media Type in the Ports: Settings screen (Section 3.4.1.1), the displayed speed will match that selection. If you selected “Auto” this field will display the actual negotiated speed. This parameter may take one of the following values:
• 10
• 100
Duplex: A read-only field that indicates the actual duplex of the communication channel. If you selected a particular Media Type in the Ports: Settings screen (Section 3.4.1.1), the displayed duplex value will match that selection. If you selected “Auto” this field will display the actual negotiated duplex value. This parameter may take one of the following values:
• Half
• Full
Oper Status: A read-only field that indicates the current operational status of the port. This parameter may take one of the following values:
• Up – the port is enabled and a link is detected.
• Down – the port is enabled but there is no link.
• Disabled – the port is administratively disabled.
3.4.1.3 Ports: Summary Statistics
This screen displays basic counters for each Ethernet port in the system. All of the statistics for a port are grouped into a table. You can reload the statistics by clicking the Refresh button. The Summary Statistics screen is illustrated in Figure 3-33.
Figure 3-33. Ethernet: Ports: Summary Statistics
Table 3-32 describes the parameters viewable in the Ports: Summary Statistics screen.
Table 3-32. Ethernet: Ports: Summary Statistics
Port ID: Uniquely identifies an Ethernet interface.
Rx Packets: The total number of packets, including bad packets, broadcast packets, and multicast packets, received.
Rx Octets: The total number of octets of data, including those in bad packets, received on the network, excluding framing bits but including Frame Check Sequence (FCS) octets.
Tx Packets: The total number of packets, including broadcast packets and multicast packets, transmitted.
Tx Octets: The total number of octets of data transmitted on the network, excluding framing bits but including FCS octets.
CRC Errors: The total number of packets received that had a length, excluding framing bits but including FCS octets, of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.
All Errors: The total number of errors detected.
3.4.1.4 Ports: Extended Statistics
The Ports: Extended Statistics screen displays a detailed set of counters for each Ethernet port in the system. Statistics for each port are contained in separate tables. Scroll down to see the statistics for all ports. The statistics may be re-loaded by clicking the Refresh button.
Figure 3-34. Ethernet: Ports: Extended Statistics
Table 3-33 describes the parameters viewable in both the Main and the Ports: Extended Statistics screens.
Table 3-33. Ethernet: Ports: Extended Statistics
Rx Octets: The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).
Rx Packets: The total number of packets (including bad packets, broadcast packets, and multicast packets) received.
Rx Broadcast: The total number of good packets received that were directed to the broadcast address. Note that this number does not include packets directed to a multicast address.
Rx Unicast: The total number of good packets received that were directed to a unicast address.
Rx Multicast: The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.
Rx Pause: Total number of PAUSE frames received.
Rx 64 Octets: The total number of packets (including bad packets) received that were exactly 64 octets in length (excluding framing bits but including FCS octets).
Rx 65 to 127: The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
Rx 128 to 255: The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
Rx 256 to 511: The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
Rx 511 to 1023: The total number of packets (including bad packets) received that were between 511 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
Rx 1023 to Max: The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
Tx Octets: The total number of octets of data transmitted on the network (excluding framing bits but including FCS octets).
Tx Packets: The total number of packets (including broadcast packets and multicast packets) transmitted.
Tx Broadcast: The total number of packets transmitted that were directed to the broadcast address. Note that this number does not include packets directed to a multicast address.
Tx Unicast: The total number of good packets transmitted that were directed to a unicast address.
Tx Multicast: The total number of packets transmitted that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.
Tx Pause: Total number of PAUSE frames transmitted.
Tx 64 Octets: The total number of packets transmitted that were exactly 64 octets in length (excluding framing bits but including FCS octets).
Tx 65 to 127: The total number of packets transmitted that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
Tx 128 to 255: The total number of packets transmitted that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
Tx 256 to 511: The total number of packets transmitted that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
Tx 511 to 1023: The total number of packets transmitted that were between 511 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
Tx 1023 to Max: The total number of packets transmitted that were between 1023 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
CRC Errors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.
Alignment Errors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad FCS with a non-integral number of octets.
Undersized: The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
Oversized: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
Fragments: The total number of packets received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Jabbers: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Filtered: The total number of valid frames received that are not forwarded to a destination port.
Discards: The total number of valid frames that were discarded due to lack of buffer space.
Collisions: The total number of collisions on this Ethernet segment.
Excessive: The total number of frames not transmitted because the frame experienced too many transmission attempts and was discarded.
Single: The total number of successfully transmitted frames that experienced exactly one collision.
Multiple: The total number of successfully transmitted frames that experienced more than one collision.
Late: The total number of times a collision is detected later than 512 bit-times into the transmission of a frame.
Deferred: The total number of successfully transmitted frames that are delayed because the medium was busy during the first attempt.
3.4.1.5 Ports: Mirroring
This screen enables you to configure Ethernet port mirrors.
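The counter definitions of Table 3-33 above, as an added example that is not GarrettCom code: a classifier that maps one received frame (length in octets, FCS validity, octet alignment, destination type) onto the Rx counters it increments, run over a constructed set of frames so that each error class appears once. Frame fields and function names are assumptions; the row the guide labels 511 to 1023 is treated as the RMON 512 to 1023 bucket (RFC 2819) so that no length falls into two buckets.

```python
"""Map received Ethernet frames onto the Rx counters defined in Table 3-33.
Added example, not GarrettCom code.  Lengths are in octets, excluding framing
bits and including the FCS, exactly as the table measures them."""
from collections import Counter

MIN_FRAME, MAX_FRAME = 64, 1518

# Size buckets count bad packets too.  The guide labels the fifth row
# "511 to 1023"; the RMON etherStats counters these mirror (RFC 2819) start
# that bucket at 512, which is used here so no length lands in two buckets.
SIZE_BUCKETS = [
    (64, 64, "Rx 64 Octets"),
    (65, 127, "Rx 65 to 127"),
    (128, 255, "Rx 128 to 255"),
    (256, 511, "Rx 256 to 511"),
    (512, 1023, "Rx 511 to 1023"),
    (1024, 1518, "Rx 1023 to Max"),
]
ADDRESS_COUNTER = {"unicast": "Rx Unicast", "multicast": "Rx Multicast",
                   "broadcast": "Rx Broadcast"}


def classify_rx(frame):
    """Return the names of every Rx counter that one received frame increments.

    frame keys (assumed representation): len (octets), fcs_ok (bool),
    integral (bool, default True: frame ended on an octet boundary),
    dst ('unicast' | 'multicast' | 'broadcast'), pause (bool, default False)."""
    length, good = frame["len"], frame["fcs_ok"]
    hit = ["Rx Packets"]                          # counts bad packets as well
    if good:
        # Address counters count good packets only; broadcast and multicast
        # are kept apart, as the table notes.
        hit.append(ADDRESS_COUNTER[frame["dst"]])
        if frame.get("pause", False):
            hit.append("Rx Pause")
    for lo, hi, name in SIZE_BUCKETS:
        if lo <= length <= hi:
            hit.append(name)
            break
    if length < MIN_FRAME:
        hit.append("Undersized" if good else "Fragments")
    elif length > MAX_FRAME:
        hit.append("Oversized" if good else "Jabbers")
    elif not good:
        hit.append("CRC Errors" if frame.get("integral", True) else "Alignment Errors")
    return hit


def accumulate(frames):
    """Run a set of frames through classify_rx and return the counter table.
    Rx Octets sums the lengths of good and bad frames alike."""
    counters = Counter()
    for f in frames:
        counters.update(classify_rx(f))
        counters["Rx Octets"] += f["len"]
    return counters


# Constructed frames (not a capture from a DX device), one per interesting case.
SAMPLE_FRAMES = [
    {"len": 64, "fcs_ok": True, "dst": "broadcast"},                     # minimum-size broadcast
    {"len": 1518, "fcs_ok": True, "dst": "unicast"},                     # maximum-size unicast
    {"len": 64, "fcs_ok": True, "dst": "multicast", "pause": True},      # 802.3x PAUSE frame
    {"len": 60, "fcs_ok": True, "dst": "unicast"},                       # runt, good FCS
    {"len": 60, "fcs_ok": False, "dst": "unicast"},                      # runt, bad FCS
    {"len": 700, "fcs_ok": False, "dst": "unicast"},                     # CRC error
    {"len": 700, "fcs_ok": False, "integral": False, "dst": "unicast"},  # alignment error
    {"len": 1600, "fcs_ok": True, "dst": "unicast"},                     # oversized
    {"len": 1600, "fcs_ok": False, "dst": "unicast"},                    # jabber
]

if __name__ == "__main__":
    for name, count in sorted(accumulate(SAMPLE_FRAMES).items()):
        print(f"{name:18s} {count}")
```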
Port mirroring forwards a copy of each incoming and each outgoing packet from one port of a DX device to another port on the device, where the traffic can be monitored and/or analyzed.
NOTE: Port mirroring is not supported on the DX40.
Figure 3-35. Ethernet: Ports: Mirroring
Table 3-34 describes the parameters that can be viewed and edited in the Ports: Mirroring screen.
Table 3-34. Ethernet: Ports: Mirroring
Port ID: Uniquely identifies a logical Ethernet port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.
Copy to: Uniquely identifies the logical Ethernet port to which packets ingressing and egressing on this port will be copied. The default is "None," indicating that packets for the port are not copied to any other port.
3.4.1.6 Ports: Rate Limits
This feature limits the ingress and egress throughput on a port. On ingress, various classes of packets can be limited. The user may choose to limit only broadcast packets, broadcast and multicast packets, all flooded packets (which includes unicast packets with destinations not found in the station cache), or all packets. On egress, all packet types are limited. Rate limits are configured as pre-defined values.
NOTE: Port rate limiting is not supported on the DX40.
This screen enables you to view and edit the parameters that control port rate limits.
Figure 3-36. Ethernet: Ports: Rate Limits
Table 3-35 describes the parameters available in the Ethernet: Ports: Rate Limits screen.
Table 3-35. Ethernet: Ports: Rate Limits
Port ID: Uniquely identifies a logical Ethernet port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.
Ingress Limit Type: Specifies the type of packets that will be limited. This parameter can take one of four values:
• Broadcast – broadcast frames only.
• Multicast – multicast plus broadcast frames.
• Flooded – broadcast, multicast, and any frame for which the destination address has not been learned by the bridge.
• All – every received frame.
Ingress Rate (bps): Specifies the maximum bit rate for the packets of the selected type. This parameter can take one of eight values:
• Unlimited – No restrictions on the incoming bit rate.
• 128K
• 256K
• 512K
• 1M
• 2M
• 4M
• 8M
Egress Rate (bps): Specifies the transmit rate for a port. This setting applies to all packets egressing the port. This parameter can take one of eight values:
• Unlimited – No restrictions on the egress bit rate.
• 128K
• 256K
• 512K
• 1M
• 2M
• 4M
• 8M
3.4.2 Bridge
The Bridge screens enable you to configure and monitor Media Access Control (MAC) addresses. There are two types of MAC addresses maintained by the bridge in its station cache:
1. Static – This is a MAC address that you enter and specify as entry type “Configured” in the Bridge: Static MACs screen, described in Section 3.4.2.3.
2. Dynamic – This is an address that is added to the station cache when the bridge detects a new address from a packet’s source address field. The bridge stores this address along with the ID of the port on which it was received. A learned address is maintained in the station cache so long as it remains active in the system, a condition that is determined by the “aging interval.” For details see the Bridge: Global Settings screen, described in Section 3.4.2.1, and the Bridge: Station Cache screen, described in Section 3.4.2.4.
3. Learned – This is a static address that is learned by the bridge when address-based Ethernet port security is enabled for a port. Once a static address has been learned for a secure port, the port will be disabled if frames sourced from any other MAC address are received. See the Ethernet Port screen, described in Section 3.10.2, for more information.
3.4.2.1 Bridge: Global Settings
This screen displays the aging interval applied to MAC addresses learned by the bridge and enables you to edit that setting.
Figure 3-37. Ethernet: Bridge: Global Settings
Table 3-36 describes the parameter you can configure in the Ethernet: Bridge: Global Settings screen.
Table 3-36. Ethernet: Bridge: Global Settings
Aging Interval: Entries (MAC addresses) learned by the bridge are deleted from the cache after they have been in the cache for the specified aging interval without another packet arriving with the same source address.
Default value = 300 seconds (5 minutes)
Valid range = 15 seconds - 1,800 seconds (30 minutes)
3.4.2.2 Bridge: Port Settings
The Bridge: Port Settings screen allows the user to choose whether an Ethernet port is part of the bridge or if packets may only be forwarded in software by the IP stack (that is, the port is "routed").
Figure 3-38. Ethernet: Bridge: Port Settings
Table 3-37 describes the parameters you can configure in the Ethernet: Bridge: Port Settings screen.
Table 3-37. Ethernet: Bridge: Port Settings
Port: Uniquely identifies an Ethernet interface.
Bridged?: Indicates whether or not this port participates in the Ethernet bridge function or if packets on this port are only forwarded by the IP stack's routing function:
• Yes – The port participates in the Ethernet bridge and frames may be forwarded between this port and other bridged ports at Layer 2. If a packet was sent to the router's MAC address, the packet may also be forwarded at Layer 3 if a route to the packet's destination is known.
• No – The port does not participate in the Ethernet bridge. If a packet is sent to the router's MAC address, the packet may be forwarded at Layer 3 if a route to the packet's destination is known.
Default value = Yes
3.4.2.3 Bridge: Static MACs
The bridge station cache is a database that stores information about MAC addresses and their associated ports. This screen enables you to add the MAC addresses of stations to this cache or to remove them from the cache. By factory default the static MAC address table is empty.
Figure 3-39. Ethernet: Bridge: Static MACs
Table 3-38 describes the uses of the fields of the Bridge: Static MACs screen.
Table 3-38. Ethernet: Bridge: Static MACs
Add Static MAC Address Form
Static Source Address: Specify the static MAC address of a station to add it to the bridge station cache. MAC addresses are entered in their hexadecimal representation. Each octet must be separated by a colon or a hyphen (for example, 01-02-03-04-05-06 or 01:02:03:04:05:06).
Source Port: Select a “Source Port” designation from the drop-down menu.
Existing Static MAC Addresses Table
Static Source Address: Lists the static MAC addresses already recognized in the system.
Source Port: Lists the source ports associated with static MAC addresses.
Delete: Set the Delete checkbox in a row and click the Apply Settings button to delete the entry from the table and from the station cache.
3.4.2.4 Bridge: Station Cache
This screen enables you to view the station cache. The station cache is a database maintained by the Ethernet bridge that tracks MAC addresses of stations on the network and the ports associated with them. This form displays a snapshot of the contents of the Ethernet bridge station cache. The cache can contain up to 1,024 entries. The only administrative action available on this screen is provided by the Purge Dynamic Entries button. You might want to purge these learned addresses if you make changes to the network that are completed before the configured aging interval. In such a case the cache record of a port/station relationship could be incorrect from the time you complete your changes until the old information ages out with the expiration of the aging interval.
Figure 3-40. Ethernet: Bridge: Station Cache
Table 3-39 describes the uses of the fields and buttons in the Bridge: Station Cache screen.
Table 3-39. Ethernet: Bridge: Station Cache
Source Address: IP address of a station known to be active in the system. An Ethernet packet that has a destination address that matches an entry in the table is forwarded out the interface shown in the Source Port column in the same row.
Source Port: Identifies the port associated with the address in the Source Address column.
Entry Type: There are three entry types:
• Static – Entries that are set by the user. These are not removed automatically.
• Dynamic – Entries that are learned by the bridge. These are removed automatically from the cache if they are not refreshed in the "aging interval." (The aging interval is specified in the Bridge: Global Settings screen, described in Section 3.4.2.1.)
• Learned – A static address that is learned by the bridge when address-based Ethernet port security is enabled for a port. Once a static address has been learned for a secure port, the port will be disabled if frames sourced from any other MAC address are received. See the Ethernet Port screen, described in Section 3.10.2, for more information.
3.4.3 RSTP
The RSTP screens enable you to configure Rapid Spanning Tree Protocol (RSTP). For more on RSTP see Section 5.6, “RSTP”.
3.4.3.1 RSTP: Bridge Settings
This screen enables you to configure bridge-specific Rapid Spanning Tree Protocol (RSTP) settings.
Figure 3-41. Ethernet: RSTP: Bridge Settings
Table 3-40 describes the bridge parameters you can view and configure in the RSTP: Bridge Settings form.
Table 3-40. Ethernet: RSTP: Bridge Settings
Protocol: Select whether or not to run the Spanning Tree Protocol. This parameter can take one of the following values:
• Enabled
• Disabled
Default value = Disabled
Priority: Used by the IEEE 802.1d spanning tree algorithm to determine the root of the interconnected network. Bridge priority provides a means of assigning relative priority to each bridge within the set of bridges in the bridged LAN.
Default value = 32768
Valid range = 0 - 65535
Numerically lower values indicate higher priorities.
Hello Time: The amount of time between the transmission of configuration BPDUs on any port.
Default value = 2 seconds
Valid range = 1 - 10 seconds
Forward Delay: Controls how long the bridge waits after any state or topology change before forwarding the information to the network.
Default value = 15 seconds
Valid range = 4 - 30 seconds
Maximum Age: Specifies the age of STP information learned from the network on any port before it is discarded.
Default value = 20 seconds
Valid range = 6 - 40 seconds
Cost Style: Specifies whether 16-bit (STP-style) or 32-bit (RSTP-style) path cost values are used. This parameter can take one of the following values:
• 32-bit
• 16-bit
Default value = 16-bit
3.4.3.2 RSTP: Port Settings
The RSTP: Port Settings screen enables you to configure port-specific Rapid Spanning Tree Protocol (RSTP) parameters.
Figure 3-42. Ethernet: RSTP: Port Settings
Table 3-41 describes the port parameters you can view and configure in the RSTP: Port Settings form.
Table 3-41. Ethernet: RSTP: Port Settings
Port ID: Uniquely identifies an Ethernet interface.
Mode: The mode the switch will use on this port for RSTP operation. This parameter can take one of the following values:
• Legacy – The port uses STP only.
• Auto – The port automatically determines the correct mode based on received BPDUs.
• Edge – The port uses RSTP and is connected to an end system where no loops are possible.
• Point – The port uses RSTP and is connected to another switch (that runs RSTP) over a point-to-point link where loops may be possible.
• None – Disable RSTP on this port.
Default value = Auto
Priority: The priority part of the port identifier.
Default value = 128
Valid range = 0 - 240
Numerically lower values indicate higher priorities.
Auto Path Cost?: Specify whether or not path cost will be set automatically.
• If “Yes” is specified the path cost will be set automatically based on link speed and the “Cost Style” setting specified in the RSTP: Bridge Settings form.
• If “No” is specified the path cost used will be the value specified in the “Path Cost” field (below).
Path Cost: Specify a path cost value in the range 1 - 200000000.
3.4.3.3 RSTP: Bridge Status
The RSTP: Bridge Status screen enables you to view bridge-specific RSTP counters and status.
Figure 3-43. Ethernet: RSTP: Bridge Status
Table 3-42 describes the bridge status and counters you can view in the RSTP: Bridge Status table.
Table 3-42. Ethernet: RSTP: Bridge Status
Bridge Status: This parameter can take one of the following values:
• Root
• Designated
• Not Designated
Bridge ID: The bridge identifier, which consists of the bridge priority and the bridge address.
Root ID: The bridge identifier of the root.
Root Port: The Ethernet port that provides connectivity towards the root bridge for this network.
Root Path Cost: The total cost of the path to the root bridge. This is the summation of the costs of each link in the path to the root.
Configured Hello Time: The locally configured Hello Time.
Learned Hello Time: The actual Hello Time provided by the root bridge through configuration BPDUs. The learned Hello Time is used in all designated bridges.
Configured Forward Delay: The locally configured Forward Delay.
Learned Forward Delay: The actual Forward Delay provided by the root bridge through configuration BPDUs. The learned Forward Delay is used in all designated bridges.
Configured Maximum Age: The locally configured Maximum Age.
Learned Maximum Age: The actual Maximum Age provided by the root bridge through configuration BPDUs. The learned Maximum Age is used in all designated bridges.
Topology Changes: The total number of topology changes that have been detected by this bridge since the last time statistics were cleared, or since the device was powered on (whichever event is more recent).
3.4.3.4 RSTP: Port Status
The RSTP: Port Status screen enables you to view port-specific RSTP counters and status.
Figure 3-44. Ethernet: RSTP: Port Status
Table 3-43 describes the port status and counters you can view in the RSTP: Port Status table.
Table 3-43. Ethernet: RSTP: Port Status
Port ID: Unique port identifier.
State: This parameter can take one of the following values:
• Disabled
• Blocking
• Forwarding
• Learning
• Listening
For an explanation of port states see Section 5.6.1.5.
Role: This parameter can take one of the following values:
• Root
• Designated
• Backup
• Alternate
For an explanation of port roles see Section 5.6.1.3.
Cost: The cost metric associated with this port. This is automatically determined based on the speed of the interface and the configured cost style (32-bit or 16-bit).
Rx CFGs: The number of STP configuration BPDUs received on this port.
Rx TCNs: The number of STP TCNs (Topology Change Notifications) received on this port.
Rx RSTPs: The number of RSTP BPDUs received on this port.
Tx BPDUs: The number of BPDUs (STP or RSTP) transmitted on this port.
3.4.4 VLAN
VLAN (Virtual Local Area Network) configuration is a technique for segmenting ports on an Ethernet switch into logical groupings.
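The station cache behaviour described in Sections 3.4.2.1 and 3.4.2.4 (aging interval, static entries, and address-based port security with Learned entries), as an added example that is not GarrettCom code: a model of the cache that learns, ages and purges Dynamic entries, keeps Static bindings fixed, and disables a secure port the moment a second source address appears on it. Class and method names, the handling of a full cache, and the sample MAC addresses are assumptions.

```python
"""Bridge station cache model: dynamic learning with an aging interval,
static entries, and address-based port security ("Learned" entries).
Added example, not GarrettCom code."""
import re

DEFAULT_AGING_S = 300          # guide default (5 minutes)
AGING_RANGE_S = (15, 1800)     # guide's valid range
CACHE_CAPACITY = 1024          # guide: the cache holds up to 1,024 entries

# Six hex octets separated consistently by ':' or '-', as the Static MACs screen accepts.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def norm_mac(mac):
    """Validate a colon- or hyphen-separated MAC and return the lower-case colon form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


class StationCache:
    """Entry types follow Table 3-39: Static (set by the user), Dynamic
    (learned, aged out) and Learned (bound to a secure port, never aged)."""

    def __init__(self, aging_interval_s=DEFAULT_AGING_S, secure_ports=()):
        lo, hi = AGING_RANGE_S
        if not lo <= aging_interval_s <= hi:
            raise ValueError(f"aging interval must be between {lo} and {hi} s")
        self.aging = aging_interval_s
        self.secure_ports = set(secure_ports)
        self.entries = {}          # mac -> {"port", "type", "seen"}
        self.disabled_ports = set()
        self.alerts = []           # (time, port, offending mac)

    def add_static(self, mac, port):
        self.entries[norm_mac(mac)] = {"port": port, "type": "Static", "seen": None}

    def _secure_owner(self, port):
        for mac, e in self.entries.items():
            if e["port"] == port and e["type"] == "Learned":
                return mac
        return None

    def observe(self, mac, port, now):
        """Learn from one frame's source address seen on `port` at time `now`
        (seconds).  Returns True if the frame is accepted, False if dropped."""
        mac = norm_mac(mac)
        self.expire(now)
        if port in self.disabled_ports:
            return False
        if port in self.secure_ports:
            owner = self._secure_owner(port)
            if owner is None:                       # first station binds the port
                self.entries[mac] = {"port": port, "type": "Learned", "seen": None}
            elif owner != mac:                      # any other source: port disabled
                self.disabled_ports.add(port)
                self.alerts.append((now, port, mac))
                return False
            return True
        e = self.entries.get(mac)
        if e is not None and e["type"] != "Dynamic":
            return True                             # static bindings are not relearned
        if e is None and len(self.entries) >= CACHE_CAPACITY:
            return True   # assumption: cache full, frame forwarded but address not learned
        self.entries[mac] = {"port": port, "type": "Dynamic", "seen": now}
        return True

    def expire(self, now):
        """Drop Dynamic entries not refreshed within the aging interval."""
        stale = [m for m, e in self.entries.items()
                 if e["type"] == "Dynamic" and now - e["seen"] >= self.aging]
        for m in stale:
            del self.entries[m]
        return len(stale)

    def purge_dynamic(self):
        """The Purge Dynamic Entries button: Static and Learned entries stay."""
        self.entries = {m: e for m, e in self.entries.items() if e["type"] != "Dynamic"}

    def lookup(self, mac):
        """Egress port for a destination, or None (flood to all bridged ports)."""
        e = self.entries.get(norm_mac(mac))
        return e["port"] if e else None
```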
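The bridge parameters of Sections 3.4.3.1 to 3.4.3.3, as an added example that is not GarrettCom code: root election by Bridge ID (priority, then address), automatic path cost from link speed and Cost Style, the resulting Root Port and Root Path Cost per bridge, and the timers a designated bridge learns from the root. The per-speed cost values and the timer relation 2*(Forward Delay - 1) >= Max Age >= 2*(Hello Time + 1) come from IEEE 802.1D, not from the guide; the three-switch ring and its MAC addresses are constructed.

```python
"""RSTP root election, automatic path cost and learned timers, following the
parameters of Sections 3.4.3.1 to 3.4.3.3.  Added example, not GarrettCom code."""
import heapq

# Automatic path cost by link speed and Cost Style.  Values are the IEEE
# 802.1D-1998 (16-bit) and 802.1D-2004 (32-bit) recommendations; the guide
# itself does not list them.
AUTO_PATH_COST = {
    "16-bit": {10: 100, 100: 19},
    "32-bit": {10: 2_000_000, 100: 200_000},
}


def auto_path_cost(speed_mbps, cost_style="16-bit"):
    """Path cost the switch would assign when Auto Path Cost? is Yes."""
    return AUTO_PATH_COST[cost_style][speed_mbps]


def bridge_id(priority, mac):
    """Bridge identifier: priority (0-65535, numerically lower wins), then
    the bridge address breaks ties."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must be 0-65535")
    return (priority, mac.lower())


def timers_consistent(hello, forward_delay, max_age):
    """IEEE 802.1D relation between the three bridge timers (not in the guide):
    2*(ForwardDelay - 1) >= MaxAge >= 2*(HelloTime + 1)."""
    return 2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)


def elect(bridges, links, cost_style="16-bit"):
    """bridges: name -> {"priority", "mac", "hello", "fwd", "max_age"}
    links: (bridge_a, port_a, bridge_b, port_b, speed_mbps) tuples.
    Returns, per bridge, what the RSTP: Bridge Status screen would show:
    status, Root ID, Root Port, Root Path Cost and the timers learned from
    the root.  Whether a non-root bridge is designated on any port is not
    modelled; non-root bridges are reported as "Designated"."""
    bid = {b: bridge_id(bridges[b]["priority"], bridges[b]["mac"]) for b in bridges}
    root = min(bid, key=bid.get)
    adj = {b: [] for b in bridges}
    for a, pa, b, pb, speed in links:
        cost = auto_path_cost(speed, cost_style)
        adj[a].append((b, pb, cost))   # b is reached from a through b's port pb
        adj[b].append((a, pa, cost))
    # Shortest path from the root; ties broken by the lower designated bridge ID.
    best = {root: (0, bid[root])}
    root_port = {}
    heap = [(0, bid[root], root)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if d > best[u][0]:
            continue
        for v, port_on_v, cost in adj[u]:
            cand = (d + cost, bid[u])
            if v not in best or cand < best[v]:
                best[v] = cand
                root_port[v] = port_on_v   # v's port facing the root: its Root Port
                heapq.heappush(heap, (cand[0], bid[u], v))
    rt = bridges[root]
    return {
        b: {
            "status": "Root" if b == root else "Designated",
            "root_id": bid[root],
            "root_port": root_port.get(b),
            "root_path_cost": best[b][0] if b in best else None,   # None: no path to root
            "learned_hello": rt["hello"],
            "learned_forward_delay": rt["fwd"],
            "learned_max_age": rt["max_age"],
        }
        for b in bridges
    }


# Constructed three-switch ring; MACs are locally administered placeholders.
BRIDGES = {
    "A": {"priority": 4096, "mac": "02:00:00:00:00:01", "hello": 2, "fwd": 15, "max_age": 20},
    "B": {"priority": 32768, "mac": "02:00:00:00:00:02", "hello": 2, "fwd": 15, "max_age": 20},
    "C": {"priority": 32768, "mac": "02:00:00:00:00:03", "hello": 2, "fwd": 15, "max_age": 20},
}
LINKS = [("A", "E1", "B", "E1", 100), ("B", "E2", "C", "E2", 100), ("C", "E1", "A", "E2", 10)]

if __name__ == "__main__":
    for name, status in elect(BRIDGES, LINKS, "32-bit").items():
        print(name, status)
```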
For a discussion of VLAN configuration see Section 5.7, “VLAN”.

3.4.4.1 VLAN: Global Settings
This screen enables you to enable VLAN functionality on a switch.
Figure 3-45. Ethernet: VLAN: Global Settings
Table 3-44 describes the parameters you can view and configure in the VLANs: Global Settings screen.
Table 3-44. Ethernet: VLANs: Global Settings
Mode: Indicates whether or not the switch is VLAN-aware.
• Enabled – perform Ethernet switching based on VLAN tags and configured port membership.
• Disabled – ignore VLAN tags and port memberships when performing Ethernet switching.
Default value = Disabled

3.4.4.2 VLAN: VIDs
This screen enables you to add and delete up to 16 VLAN IDs (VIDs). It also shows a summary of the VLAN configuration.
Figure 3-46. Ethernet: VLAN: VIDs
Table 3-45 describes the parameters you can view and configure in the VLAN: VIDs screen.
Table 3-45. Ethernet: VLAN: VIDs
Add VLAN Form
VID: A unique numerical identifier assigned to this VLAN. Valid range = 1 - 4094.
VLAN Name: Give this VLAN a meaningful name of up to 23 printable characters.
Existing VLANs Table
VID: A unique numerical identifier assigned to this VLAN. Valid range = 1 - 4094.
VLAN Name: An administratively assigned name. You can modify this name in the Existing VLANs table. The change takes effect when you click Apply Settings.
Tagged Ports: Lists the Ethernet ports that have "Tagged?" set to "Yes" and are members of this VLAN. (The “Tagged?” parameter is set in the VLAN: Port Settings screen. See Section 3.4.4.3.)
Untagged Ports: Lists the Ethernet ports that have "Tagged?" set to "No" and are members of this VLAN. (The “Tagged?” parameter is set in the VLAN: Port Settings screen. See Section 3.4.4.3.)
Delete: Set the Delete checkbox in a row in the Existing VLANs table and click Apply Settings to delete that VLAN. VLAN deletion will fail if that VLAN is referenced by any port. The Default VLAN, 1, cannot be deleted.

3.4.4.3 VLAN: Port Settings
This screen enables you to configure VLAN operation on a per-port basis. The options are simplified and based on common VLAN usage scenarios and network topologies.
Figure 3-47. Ethernet: VLAN: Port Settings
Table 3-46 describes the VLAN parameters you can configure in the Port Settings form.
Table 3-46. Ethernet: VLAN: Port Settings
Port ID: Unique identifier for this port.
PVID: This is the native VLAN assigned to this port. When the port receives an untagged frame, an 802.3ac VLAN tag is added to the frame using the port's PVID. When an access port receives a tagged frame, the frame is discarded unless its VID matches the port's PVID. When a port receives a priority-tagged frame, the tag's VID is set to the port's PVID. Default value = 1.
Mode: This is the port type with respect to VLAN operation.
• An access port is typically connected to an end station and supports a single VLAN. When a port is set to Access mode, the "Prohibited VLANs" field (which only applies to Trunk ports) is disabled.
• A trunk port is typically connected to another switch and by default supports all configured VLANs. When a port is set to Trunk, the "Tagged?" field is automatically set to "Yes" and the "Prohibited VLANs" field is enabled.
Default value = Access
Tagged?: The available options for this field have the following significance:
• No – the port strips all VLAN tags before transmitting frames.
• Yes – the port ensures that a VLAN tag is present in a frame before transmission.
Default value = No
Prohibited VLANs: This is a list of VLANs to prohibit from a Trunk port. By default, this field is blank and the port allows all configured VLANs. By setting the Prohibited VLANs list, the user can filter certain VLANs on the trunk. The Trunk's PVID is not allowed in the Prohibited VLANs list for the port. This field is disabled when the port mode is set to "Access". Enter the VID numbers of prohibited VLANs separated by commas. A continuous range of VIDs can be indicated by a dash. For example: 4, 6-8, 12, 15.

3.5 Serial Tasks
The following subsections describe the tasks that you can perform using the screens of the Serial Tasks branch.
3.5.1 Ports
The Ports screens enable you to configure and monitor serial ports.
3.5.1.1 Ports: Profiles
This screen enables you to add and configure serial port profiles.
The Add New Profile Form enables you to add a new profile to the table of existing profiles. The values shown in Figure 3-48 are the default values presented in this table when the screen loads or re-loads. After setting the appropriate parameters and giving the profile a name, press the Apply Settings button and the profile is added to the Edit Existing Profiles table.
The Edit Existing Profiles table enables you to change one or more of the parameters in a profile. Each profile entry has a checkbox in the “Delete” column. You can delete one or more profiles by checking the appropriate box and pressing the Apply Settings button.
You can make any number of changes to the table; however, none of these changes take effect until the Apply Settings button is pressed. Pressing the Reset Settings button resets all modified fields to the value they had when the screen originally loaded.
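The per-port VLAN rules of Table 3-46 (Section 3.4.4.3 above), modelled as an added example that is not part of the manual or of the Magnum software: it parses a Prohibited VLANs entry such as 4, 6-8, 12, 15, enforces the PVID and 1-4094 constraints, and applies the PVID, Access and Trunk ingress rules to sample frames. The Port and Frame classes, the function names, and the dropping of VIDs that are not configured on a trunk are assumptions of the example.

```python
"""Added example (not GarrettCom code): a model of the per-port VLAN rules in
Table 3-46 and of the Prohibited VLANs list syntax ("4, 6-8, 12, 15").
Field names follow the manual; Port, Frame, the function names and the
treatment of VIDs that are not configured on the switch are this example's
own assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set

VID_MIN, VID_MAX = 1, 4094  # valid VID range (Table 3-45)


def parse_prohibited_vlans(text: str, pvid: int) -> Set[int]:
    """Parse a Prohibited VLANs entry: VIDs separated by commas, a dash for
    a continuous range. Rejects VIDs outside 1-4094 and the port's own
    PVID, which the manual says is not allowed in the list."""
    vids: Set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:                      # blank field: nothing prohibited
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item!r}")
            vids.update(range(lo, hi + 1))
        else:
            vids.add(int(item))
    bad = [v for v in vids if not VID_MIN <= v <= VID_MAX]
    if bad:
        raise ValueError(f"VID(s) {bad} outside {VID_MIN}-{VID_MAX}")
    if pvid in vids:
        raise ValueError(f"PVID {pvid} may not be prohibited on its own port")
    return vids


def prohibited_list_is_valid(text: str, pvid: int) -> bool:
    """True if the screen would accept this Prohibited VLANs entry."""
    try:
        parse_prohibited_vlans(text, pvid)
        return True
    except ValueError:
        return False


@dataclass
class Port:
    port_id: str
    pvid: int = 1                 # native VLAN, default 1
    mode: str = "Access"          # "Access" or "Trunk"
    tagged: bool = False          # the "Tagged?" field
    prohibited: Set[int] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.mode == "Trunk":
            self.tagged = True        # Trunk forces Tagged? = Yes
        else:
            self.prohibited = set()   # field is disabled on Access ports


@dataclass
class Frame:
    vid: Optional[int]  # None = untagged, 0 = priority-tagged, else tagged


def ingress_vid(port: Port, frame: Frame, configured: Set[int]) -> Optional[int]:
    """VID the switch will forward the frame on, or None if it is discarded."""
    if frame.vid is None or frame.vid == 0:
        return port.pvid          # untagged / priority-tagged: tag with PVID
    if port.mode == "Access":     # access port: only its own VLAN
        return frame.vid if frame.vid == port.pvid else None
    # Trunk: all configured VLANs except the prohibited ones. Dropping a VID
    # that is not configured at all is this example's assumption.
    if frame.vid not in configured or frame.vid in port.prohibited:
        return None
    return frame.vid


def egress_vid(port: Port, vid: int) -> Optional[int]:
    """Tag carried on transmit: stripped when Tagged? = No, kept otherwise."""
    return vid if port.tagged else None
```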
To supply the correct values for each of the parameters in the Profiles screen you need to know the specifications of the device with which each port will be communicating. This information can usually be found in the installation documentation of the communicating device.
Systems are shipped from the factory with a single default profile called “Default”.
Figure 3-48. Serial: Ports: Profiles
Table 3-47 describes the parameters in the Ports: Profiles screen.
Table 3-47. Serial: Ports: Profiles
Profile Name: A user-assigned name for this profile. When you assign a profile to a port (in the Ports: Settings screen, described in Section 3.5.1.2), you select this name in the “Profile” drop-down box.
Interface Standard: The physical interface standard used by the port. This parameter may take one of the following values:
• RS232 (RTS always asserted)
• RS232 Half (RTS asserted only when transmitting)
• RS485 2-wire (half duplex operation)
• RS485 4-wire (full duplex operation)
Default value = RS232
Speed: The baud rate of the port. This parameter may take one of the following values:
• 300
• 600
• 1200
• 2400
• 4800
• 9600
• 19200
• 28800
• 33600
• 38400
• 57600
• 115200
• 230400
Default value = 9600
Data Bits: The total number of bits in a character. This parameter may take one of the following values:
• 7
• 8
Default value = 8
Stop Bits: The duration of the MARK condition on the line after character transmission is complete.
This parameter may take one of the following values:
• 1
• 1.5
• 2
Default value = 1
Parity: This parameter may take one of the following values:
• None
• Odd
• Even
Default value = None
Ignore DSS: This parameter takes one of the following values:
• No – The Oper State of the port is UP if the DSR or DCD handshake signal is on and the Admin State is ENABLED.
• Yes – The Oper State of the port is UP if the Admin State is ENABLED.
Default value = No
Flow Control: The type of flow control implemented. This parameter may take one of the following values:
• None
• XON/XOFF – Software flow control. The unit stops transmitting if an XOFF (19) character (CTL-S) is detected in the received stream and starts again when an XON (17) character (CTL-Q) is detected.
• RTS/CTS – Hardware flow control. The unit stops transmitting if CTS is de-asserted.
Default value = None
Pkt Char: This parameter defines a special character in the data stream that forces a packetization event. This parameter may take any value from 0 to 255. If this parameter is set to the label “None”, packetization will not occur based on a received character. Default value = None
Pkt Time (ms): This parameter defines a timeout value in milliseconds. If an additional character is not received before the timer expires, a packetization event occurs. The special value 0 disables the packetization timer. Default value = 200. Valid range = 10 – 1000 msec
Max Pkt Size (bytes): This parameter defines a maximum packet size. When the number of received characters reaches this maximum, a packetization event occurs. Default value = 1024. Valid range = 32 - 1024. (Note that this means no packet will hold more than 1024 serial characters. The actual packet size will be larger than this when network headers and encryption overhead are taken into account.)
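The three packetization settings just described (Pkt Char, Pkt Time and Max Pkt Size), as an added example that is not GarrettCom code: it runs a constructed stream of timestamped serial characters through the rules and shows which network packets result, including the case where the timer is off and data stays buffered until Max Pkt Size is reached. The Profile and Packetizer classes, the method names, the sample stream, and keeping the Pkt Char byte inside its packet are assumptions of the example; the field meanings and valid ranges are the manual's.

```python
"""Added example (not GarrettCom code): a model of the three packetization
settings in the Ports: Profiles table (Pkt Char, Pkt Time, Max Pkt Size),
showing how a stream of received serial characters is cut into network
packets. The Profile and Packetizer classes, the method names, the sample
stream and the choice to keep the Pkt Char byte inside its packet are this
example's own; the field meanings and valid ranges are the manual's."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Profile:
    pkt_char: Optional[int] = None   # 0-255, or None for the label "None"
    pkt_time_ms: int = 200           # 10-1000 ms, or 0 to disable the timer
    max_pkt_size: int = 1024         # 32-1024 serial characters per packet

    def validate(self) -> None:
        """Enforce the valid ranges stated in Table 3-47."""
        if self.pkt_char is not None and not 0 <= self.pkt_char <= 255:
            raise ValueError("Pkt Char must be 0-255 or None")
        if self.pkt_time_ms != 0 and not 10 <= self.pkt_time_ms <= 1000:
            raise ValueError("Pkt Time must be 0 (off) or 10-1000 ms")
        if not 32 <= self.max_pkt_size <= 1024:
            raise ValueError("Max Pkt Size must be 32-1024 bytes")


def profile_is_valid(profile: Profile) -> bool:
    """True if the screen would accept these profile values."""
    try:
        profile.validate()
        return True
    except ValueError:
        return False


class Packetizer:
    """Receives one character at a time and releases packets per the profile."""

    def __init__(self, profile: Profile) -> None:
        profile.validate()
        self.p = profile
        self.buf = bytearray()
        self.last_rx_ms: Optional[int] = None

    def _timer_expired(self, now_ms: int) -> bool:
        return (self.p.pkt_time_ms != 0 and len(self.buf) > 0
                and self.last_rx_ms is not None
                and now_ms - self.last_rx_ms > self.p.pkt_time_ms)

    def _cut(self) -> bytes:
        pkt = bytes(self.buf)
        self.buf.clear()
        return pkt

    def feed(self, t_ms: int, ch: int) -> List[bytes]:
        """Character ch received at t_ms; returns the packets it releases."""
        out: List[bytes] = []
        if self._timer_expired(t_ms):      # idle gap > Pkt Time: the buffer
            out.append(self._cut())        # already went out at expiry
        self.last_rx_ms = t_ms
        self.buf.append(ch)
        if self.p.pkt_char is not None and ch == self.p.pkt_char:
            out.append(self._cut())        # Pkt Char forces a packet
        elif len(self.buf) >= self.p.max_pkt_size:
            out.append(self._cut())        # Max Pkt Size reached
        return out

    def expire(self, now_ms: int) -> Optional[bytes]:
        """Models the timer firing when no further character arrives."""
        return self._cut() if self._timer_expired(now_ms) else None


def packetize(profile: Profile, stream: List[Tuple[int, int]],
              end_ms: int) -> List[bytes]:
    """Run a whole (time_ms, byte) stream through the profile's rules."""
    pz = Packetizer(profile)
    packets: List[bytes] = []
    for t, ch in stream:
        packets.extend(pz.feed(t, ch))
    tail = pz.expire(end_ms)
    if tail is not None:
        packets.append(tail)
    return packets


# Constructed sample: a 6-byte binary poll at 1 ms spacing, a 494 ms pause,
# then a CR-terminated text command.
SAMPLE_STREAM = (
    [(i, b) for i, b in enumerate(b"\x01\x03\x00\x00\x00\x0a")]
    + [(500 + i, b) for i, b in enumerate(b"STATUS?\r")]
)
```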
T/A Time (ms): This parameter defines a turnaround time for the serial port. The turnaround time is an enforced minimum delay between received network packets that are sent out the serial port. The purpose of the minimum delay is to give legacy RTUs a chance to recover from the previous packet reception. Default value = 0 (off). Valid range = 0 - 1000 msec
Delete: Set the Delete checkbox in a row in the Edit Existing Profiles table and click Apply Settings to delete that profile.

3.5.1.2 Ports: Settings
This form enables you to set high-level configuration parameters for a serial port. Most of the low-level serial port configuration is contained in the profile which is selected for each port. (For more on profiles see Ports: Profiles, explained in Section 3.5.1.1.)
Figure 3-49. Serial: Ports: Settings
Table 3-48 describes the values in the fields of the Ports: Settings screen.
Table 3-48. Serial: Ports: Settings
Port ID: This value uniquely identifies a Serial interface.
Port Name: A user-assigned name for this port of up to 15 printable characters.
Profile: The serial profile assigned to this port. The assigned profile defines all of the communication parameters associated with this serial port. The default value is the default factory profile “Default”. (Profiles are set in the Ports: Profiles screen. See Section 3.5.1.1.)
Admin Status: The desired status of the port. This parameter is used to enable or disable the port. This parameter can take the following values:
• Enabled – Port is UP
• Disabled – Port is DOWN
Default value = Disabled
Note: The actual status of the port is reported in the Oper Status column of the Ports: Status screen, explained in Section 3.5.1.3.

3.5.1.3 Ports: Status
This screen displays the current state of the Control Signals for each Serial port in the system.
Figure 3-50. Serial: Ports: Status
Table 3-49 describes the parameters displayed in the Ports: Status screen.
Table 3-49. Serial: Ports: Status
Port ID: Uniquely identifies a Serial interface.
DCD: The current state of the Data Carrier Detect signal.
CTS: The current state of the Clear-to-Send signal.
DSR: The current state of the Data-Set-Ready signal.
Oper Status: The actual status of the port. This is a read-only parameter.
• If the Admin Status is set to Disabled, the Oper Status will always be Disabled.
• If the Admin Status is set to Enabled and the port is ready to send and receive data, the Oper Status will be Up.
• If the Admin Status is set to Enabled and the port is not ready to send and receive data, the Oper Status will be Down.
Note: The desired status of the port is set in the Admin Status column of the Ports: Settings screen, explained in Section 3.5.1.2.

3.5.1.4 Ports: Statistics
This screen displays counters for each Serial port in the system.
Figure 3-51. Serial: Ports: Statistics
The statistics for each port are grouped into separate rows. The “Last cleared” text under each table tells you when the counting of the displayed statistics began. All totals displayed are since the “Last cleared” date and time.
Table 3-50 describes the parameters displayed in the Ports: Statistics tables.
Table 3-50. Serial: Ports: Statistics
Port ID: Uniquely identifies a Serial interface.
Tx Char: The number of characters transmitted on this port.
Rx Char: The number of characters received on this port.
Breaks: The number of times a break was detected in the middle of receiving a character. A break is detected when an all-zero character with no stop bit is received.
Parity Errors: The number of times the calculated parity of a character did not match the configured parity mode. (Note: the character will be dropped.)
Framing Errors: The number of times a character without a valid stop bit was detected.
Overruns: The number of times a received character was dropped because it could not be buffered.
Ports: Statistics Screen Controls
The Ports: Statistics screen includes the following controls for viewing, clearing, and updating statistics:
• Refresh Button – Click this button to update the statistics.
• Clear Counters Button – Click this button to zero out all counters. Counting will begin again and the “Last cleared” date and time will be refreshed.
• Port ID hyperlink – The port ID in the leftmost column is a hyperlink. Click on the hyperlink to open the statistics for that port in a separate window.

3.5.2 Terminal Server
The screens described in the following subsections enable you to configure and view your TCP/IP connections.
3.5.2.1 Terminal Server: Channel Settings
This screen enables you to configure the terminal server channel settings. For more on terminal server applications see Appendix A, “Terminal Server Application Notes”.
Figure 3-52. Serial: Terminal Server: Channel Settings
The Add New Channel form is used to add new Terminal Server channels.
The Existing Channels table enables you to modify parameters for channels that have already been added to the system. Each channel has the capability to make a single outgoing connection and accept multiple incoming connections. By default, a single channel exists for each serial port.
Table 3-51 describes the parameters in the Terminal Server: Channel Settings screen.
Table 3-51. Serial: Terminal Server: Channel Settings
Port ID: A unique identifier for the serial port being configured.
Call Direction: The direction in which the TCP connection will be established. This parameter takes one of the following values:
• In – The port acts like a passive TCP server, listening at the configured Local TCP port.
• Out – The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
You can add multiple "Out" channels to a single serial port; however, you can have only a single "In" channel assigned to a serial port. You cannot assign two channels the same Local Address and Local Port.
Default value = In
Session Type: This parameter takes one of the following values:
• Raw – Provides a transparent pipe for serial data.
• Telnet – Enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
Default value = Raw
Priority (DiffServ): Each IP packet generated on this port will be assigned a DiffServ Code Point (DSCP) based on the priority set by the user. The priorities are:
• Default – Best Effort Service (DSCP 0). This is normal queuing.
• Expedited – Expedited Forwarding (DSCP 0x2E) (RFC 2598). This will also result in data from this port having a higher priority on WAN ports.
Local IP: The local IP address upon which the server listens for connections when the direction is set to “In”. The default value of “Any” provides the most flexible configuration; however, if you have configured filtering or pattern matching parameters elsewhere to expect a specific IP address, you can specify that address here. Default value = Any
Local TCP: The local TCP port upon which the server listens for connections. This parameter may be set to any value between 1000 and 65535. Note: No two rows in the table may have the same Local IP and Local TCP combination.
Remote IP: The remote IP address that the client attempts to connect to when the direction is set to “Out”. This parameter may be set to any IP address. Default value = 0.0.0.0
Remote TCP: The remote TCP port to which the client attempts to connect. This parameter may be set to any value between 0 and 65535. Default value = 0
Maximum Connections: The maximum number of incoming TCP connections to accept for this serial port. This parameter may be set to a value ranging from 1 to 16. Default value = 5
Retry Time: The number of seconds the client waits for a connection to succeed before timing out and retrying. Default value = 30
Delete: Set the Delete checkbox in a row in the Existing Channels table and click Apply Settings to delete that channel.

3.5.2.2 Terminal Server: Channel Status
This screen enables you to view the current status of each Terminal Server Channel.
Figure 3-53. Serial: Terminal Server: Channel Status
The Terminal Server: Channel Status screen is similar to the Terminal Server: Channel Settings screen, described in Section 3.5.2.1; however, it displ
ays two types of information not included in the Channel Settings screen: the state of each channel and the number of established connections.
These two fields are explained in Table 3-52. For explanations of the other fields in the Channel Status screen see the description of the Terminal Server: Channel Settings screen.
Table 3-52. Serial: Terminal Server: Channel Status
State: The state of the channel. This field may display one of the following values:
• Inactive – The channel is disabled because the associated serial port is disabled or down.
• Listening – The channel is acting as a passive server and is waiting for incoming connection requests.
• Refusing – The channel is acting as a passive server and is actively refusing new connections because it has reached the maximum number of connections for the channel.
• Waiting – The channel is acting as an active client and is waiting for the re-try timer to expire. After the timer expires the channel will attempt again to establish the configured connection.
• Connecting – The channel is acting as an active client, has issued a connection request to the configured remote host, and is waiting for a response.
• Connected – The channel is acting as an active client and a connection has been established.
• Handshaking – The channel is associated with a secure serial port and is currently attempting an SSL handshake with the remote host.
Connections: The number of connections that have been established on this channel. For a client this is always 0 or 1. For a server it can be 0 up to the maximum number of connections allowed for that channel.

3.5.2.3 Terminal Server: Connections
The Terminal Server: Connections screen displays the status of the current TCP/IP connections carrying serial traffic. The values displayed are a subset of the values that can be configured in the Terminal Server: Channel Settings screen, explained in Section 3.5.2.1, but the Terminal Server: Connections screen is a read-only display of active TCP/IP connections.
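The channel rules of Table 3-51 and the State values of Table 3-52 (Sections 3.5.2.1 and 3.5.2.2 above), as an added example that is not the manual's or GarrettCom's code: it checks a constructed channel table for the one-In-channel-per-port and unique Local IP/Local TCP rules and the stated value ranges, flags Raw listeners bound to Any for review, and derives the State a channel would show from its configuration and runtime facts. The Channel and Runtime classes, the function names, the review heuristic and the sample rows (with 192.0.2.10 as a documentation address) are assumptions of the example.

```python
"""Added example (not GarrettCom code): checks a Terminal Server channel table
against the rules of Table 3-51 and derives the State shown in Table 3-52.
The Channel and Runtime classes, the function names, the exposure heuristic
and the sample rows are this example's own; the rules, value ranges and state
names are the manual's."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Channel:
    port_id: str
    direction: str = "In"        # Call Direction: "In" or "Out"
    local_ip: str = "Any"        # Local IP (In channels)
    local_tcp: int = 1000        # Local TCP, 1000-65535
    remote_ip: str = "0.0.0.0"   # Remote IP (Out channels)
    remote_tcp: int = 0          # Remote TCP, 0-65535
    max_connections: int = 5     # Maximum Connections, 1-16
    session_type: str = "Raw"    # "Raw" or "Telnet"


def check_channels(channels: List[Channel]) -> List[str]:
    """Return one line per violated rule from Table 3-51 (empty list = OK)."""
    problems: List[str] = []
    in_ports: Set[str] = set()
    listeners: Set[Tuple[str, int]] = set()
    for c in channels:
        tag = f"{c.port_id}/{c.direction}"
        if c.direction not in ("In", "Out"):
            problems.append(f"{tag}: Call Direction must be In or Out")
            continue
        if not 1000 <= c.local_tcp <= 65535:
            problems.append(f"{tag}: Local TCP {c.local_tcp} outside 1000-65535")
        if not 0 <= c.remote_tcp <= 65535:
            problems.append(f"{tag}: Remote TCP {c.remote_tcp} outside 0-65535")
        if not 1 <= c.max_connections <= 16:
            problems.append(f"{tag}: Maximum Connections outside 1-16")
        key = (c.local_ip, c.local_tcp)   # no two rows may share this pair
        if key in listeners:
            problems.append(f"{tag}: duplicate Local IP/Local TCP {key}")
        listeners.add(key)
        if c.direction == "In":           # only one In channel per port
            if c.port_id in in_ports:
                problems.append(f"{tag}: a second In channel on this port")
            in_ports.add(c.port_id)
    return problems


def review_exposure(channels: List[Channel]) -> List[str]:
    """Review notes (this example's heuristic, not a manual rule): a Raw In
    channel bound to Local IP Any is a transparent serial pipe reachable on
    every local address, so it deserves an explicit decision."""
    return [f"{c.port_id}: Raw listener on Any:{c.local_tcp}"
            for c in channels
            if c.direction == "In" and c.local_ip == "Any"
            and c.session_type == "Raw"]


@dataclass
class Runtime:
    port_up: bool                    # serial port enabled and Oper Status Up
    connections: int = 0             # established connections on the channel
    ssl_handshake: bool = False      # secure port, SSL handshake in progress
    connect_pending: bool = False    # client request sent, no reply yet


def channel_state(c: Channel, rt: Runtime) -> str:
    """Map configuration plus runtime facts to a Table 3-52 State value."""
    if not rt.port_up:
        return "Inactive"
    if rt.ssl_handshake:
        return "Handshaking"
    if c.direction == "In":
        return "Refusing" if rt.connections >= c.max_connections else "Listening"
    if rt.connections >= 1:          # a client holds at most one connection
        return "Connected"
    return "Connecting" if rt.connect_pending else "Waiting"


# Constructed sample table: two valid rows plus two rule violations.
SAMPLE_CHANNELS = [
    Channel("S1", "In", local_tcp=2001),
    Channel("S1", "Out", remote_ip="192.0.2.10", remote_tcp=2001),
    Channel("S1", "In", local_tcp=2002),                       # second In on S1
    Channel("S2", "In", local_tcp=2001, max_connections=20),   # dup pair, >16
]
```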
Figure 3-54. Serial: Terminal Server: Connections
Table 3-53 describes the parameters displayed in the Terminal Server: Connections screen.
Table 3-53. Serial: Terminal Server: Connections
Port ID: A unique identifier for this serial port.
Connection Type: Indicates whether or not the connection is encrypted and, if so, which cipher is being used.
Session Type: This parameter can take one of the following values:
• Raw – Provides a transparent pipe for serial data.
• Telnet – Enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
Default value = Raw
Local IP: The local IP address upon which the server listens for connections when the direction is set to “In”.
Local TCP: The local TCP port upon which the server listens for connections.
Remote IP: The remote IP address that the client attempts to connect to when the direction is set to “Out”.
Remote TCP: The remote TCP port to which the client attempts to connect.

3.5.3 Frame Relay
Frame Relay is a data transmission protocol used in Wide Area Networks. DX devices that include a WAN port support this protocol. Use the following screens to configure and monitor Frame Relay. For more information see Section 5.1, “Frame Relay”.
3.5.3.1 Frame Relay: Channel Settings
This screen enables you to configure "direct-to-frame" serial channels.
Figure 3-55. Serial: Frame Relay: Channel Settings
WARNING: This screen is available only on devices equipped with a WAN port. If a non-IP DLCI channel has not been configured in the WAN: “DLCI Settings” screen, explained in Section 3.6.5, the Frame Relay: Channel Settings screen will display the message: To add a channel, at least one non-IP DLCI must be defined.
To display an editable Frame Relay: Channel Settings screen, go to the WAN: DLCI Settings screen and add a DLCI, specifying “No” in the IP column, then return to the Frame Relay: Channel Settings screen.
Table 3-54 describes the parameters available in the Serial: Frame Relay: Channel Settings screen.
Table 3-54. Serial: Frame Relay: Channel Settings
Port ID: A unique identifier for the serial port associated with this channel.
Circuit ID: A unique identifier for the DLCI to which the serial port is connected. In most cases, the identifier includes the WAN port and the DLCI on that port. You can select any identifier that has previously been configured.
Priority: The priority specification controls the queueing of frames from this port on this channel at the WAN port. Selections are:
• Default – Frames from this channel are handled by the low priority queue at the WAN port. They will be forwarded only when there are no frames in the high priority queue.
• Expedited – Frames from this channel are handled by the high priority queue at the WAN port. They will be forwarded before any frames in the low priority queue.
Payload Offset: Format Frame Relay messages with or without a 3-byte offset between the Frame Relay header and the data bytes. Selections are:
• Yes – Include the 3-byte offset between the header and the data portion of the message.
• No – Begin the data portion of each Frame Relay message immediately after the 2-byte Frame Relay header.
To interoperate with GarrettCom DynaStar DS products this value should be set to Yes.
Delete: Set the Delete checkbox in a row in the Existing Routing Table Entries table and click Apply Settings to delete that channel.
Magnum Network Software - DX Administrator’s Guide 114 CHAPTER 3 - System Administration Serial Tasks 3.5.3.2 Frame Relay: Connections This screen enables you to view the status of the current frame relay connections carrying serial traffic. 100344 338320 Figure 3-56. Serial: Frame Relay: Connections Table 3-55 describes the values you can view in the Serial: Frame Relay: Connections screen. Table 3-55. Serial: Frame Relay: Connections Field Name Field Value Port ID: A unique identifier for the serial port associated with this channel. Circuit ID: A unique identifier for the DLCI to which the serial port is connected. In most cases, the identifier includes the WAN port and the DLCI on that port. TxOctets: The number of serial characters transmitted over the frame relay for the given port RxOctets: The number of serial characters received over the frame relay for the given port. TxDrops: The number of frames to be transmitted on the DLCI that were dropped because they could not be buffered at the WAN port. RxDrops: The number of frames received on the DLCI that were dropped because they could not be buffered at the serial port. Magnum Network Software - DX Administrator’s Guide 115 CHAPTER 3 - System Administration Serial Tasks 3.5.4 Modbus Modbus is a protocol, based on a master/slave architecture, for communication with industrial electronic devices. Use the following screens to configure and monitor Modbus masters and slaves. For more information see Section 5.11, “Modbus”. 3.5.4.1 Modbus: Local Masters The Modbus: Local Masters screen enables you to configure local serial Modbus Masters that will act as Modbus/TCP clients. Use this screen to define the directly connected Modbus Master devices. Figure 3-57. Serial: Modbus: Local Masters Table 3-56 specifies the parameters you can edit in the Serial: Modbus: Local Masters screen. Table 3-56. 
Serial: Modbus: Local Masters Field Name Field Value Port ID: A unique identifier for the serial port to which the device is connected. Protocol Variant: Specify a serial transmission mode. Valid options are: • RTU – Messages are binary encoded with CRC and begin with a silent interval of 3.5 character times. • ASCII – messages are ASCII encoded with LRC and begin with a ':' character and end with a CRLF sequence. Default value = RTU Magnum Network Software - DX Administrator’s Guide 116 CHAPTER 3 - System Administration Serial Tasks Table 3-56. Serial: Modbus: Local Masters Field Name Priority (DiffServ): Field Value Each IP packet generated by this device will be assigned a DiffServ Code Point (DSCP) based on the priority set by the user. The factory-supplied priority profiles are: • Default – Best Effort Service (DSCP 0). This is normal queuing. • Expedited – Expedited Forwarding (DSCP 0x2E) (RFC2598). This will also result in data from this port having a higher priority on WAN ports. You can also create custom priority profiles with the DiffServ screen. Forward Gateway Exceptions: Specify whether or not the attached master understands Modbus exception messages. In some cases Modbus devices do not support the exception function codes and will be confused by them if received. This option allows you to disable exception forwarding to the master device. Set the Delete checkbox in a row in the Existing Devices table and click Apply Delete: Settings to delete that local master. 3.5.4.2 Modbus: Local Slaves The Modbus: Local Slaves screen enables you to configure local serial Modbus slaves that will be accessible via the Modbus/TCP server. Use this screen to define the directly connected Modbus devices. Figure 3-58. Serial: Modbus: Local Slaves Magnum Network Software - DX Administrator’s Guide 117 CHAPTER 3 - System Administration Serial Tasks Table 3-57 specifies the parameters you can view and edit in the Serial: Modbus: Local Slaves screen. Table 3-57. 
Serial: Modbus: Local Slaves Field Name Field Value Port ID: A unique identifier for the serial port to which the device is connected. Device Address: Modbus/TCP unit identifier assigned to the device. Valid range = 1 - 247 Protocol Variant: Specify a serial transmission mode. Valid options are: • RTU – Messages are binary encoded with CRC and begin with a silent interval of 3.5 character times. • ASCII – messages are ASCII encoded with LRC and begin with a ':' character and end with a CRLF sequence. Default value = RTU Priority (DiffServ): Each IP packet generated by this device will be assigned a DiffServ Code Point (DSCP) based on the priority set by the user. The factory-supplied priority profiles are: • Default – Best Effort Service (DSCP 0). This is normal queuing. • Expedited – Expedited Forwarding (DSCP 0x2E) (RFC2598). This will also result in data from this port having a higher priority on WAN ports. You can also create custom priority profiles with the DiffServ screen. Response Timer (msec): The amount of time to wait for a response from this device before giving up and sending back a Modbus exception message. Valid range = 10 - 10000 Send Gateway Exceptions: Specify whether or not to send exception codes. Possible values are: • Yes – Send Modbus/TCP exception codes when an error occurs (for example, timeout). • No – Remain silent when an error occurs. Delete: Set the Delete checkbox in a row in the Existing Devices table and click Apply Settings to delete that local slave. Magnum Network Software - DX Administrator’s Guide 118 CHAPTER 3 - System Administration Serial Tasks 3.5.4.3 Modbus: Remote Slaves The Modbus: Remote Slaves screen enables you to configure the forwarding table used to map Modbus slave device addresses to remote IP addresses. Use this screen to add a mapping between a Modbus device address and the IP address of a remote Modbus/ TCP server. Figure 3-59. 
Serial: Modbus: Remote Slaves Use this screen is used to add a mapping between a Modbus device address and the IP address of a remote Modbus/TCP server. Table 3-58 specifies the parameters you can view and edit in the Serial: Modbus: Remote Slaves screen. Table 3-58. Serial: Modbus: Remote Slaves Field Name Device Address: Field Value Modbus/TCP unit identifier assigned to the remote device. Valid range = 1 - 247 Remote IP Address: The IP address of the remote Modbus/TCP server. Magnum Network Software - DX Administrator’s Guide 119 CHAPTER 3 - System Administration Serial Tasks Table 3-58. Serial: Modbus: Remote Slaves Field Name Field Value The TCP connection for this device is torn down if the idle time (time between messages) exceeds the value specified here. This parameter allows multiple successive requests to the same remote device to re-use a single TCP connection, thereby reducing latency. As a special case, if this value is set to 0, a TCP connection is immediately made to the remote (that is, the client does not wait for a request) and it is always kept open. This special mode eliminates the connection latency associated with the initial Modbus request. Idle Time (secs): Default value = 10 Valid range = 1 - 604800 The client will wait this amount of time before giving up on a request. If the client times out, it closes down the current TCP connection for the remote device. Response Time (msecs): Default value = 1000 Valid range = 10 - 10000 Set the Delete checkbox in a row in the Existing Devices table and click Apply Settings to delete that remote slave. Delete: 3.5.4.4 Modbus: Connections This table contains all of the active Modbus/TCP connections in the system and the traffic statistics associated with each connection. You can also use this screen to manually disconnect any TCP connection by selecting the appropriate Delete checkbox and pressing the Apply Settings button. Figure 3-60. 
Figure 3-60. Serial: Modbus: Connections

Table 3-59 describes the values you can view in the Serial: Modbus: Connections screen.

Table 3-59. Serial: Modbus: Connections

Connection Mode: Indicates whether this connection was established in client or server mode.

Local Address: The IP address of the local Modbus/TCP client/server.

Local Port: The TCP port of the local Modbus/TCP client/server.

Remote Address: The IP address of the remote Modbus/TCP client/server.

Remote Port: The TCP port of the remote Modbus/TCP client/server.

Requests: The number of requests generated (if client) or number of requests received (if server).

Responses: The number of responses received (if client) or number of responses generated (if server).

Tx Octets: The total number of octets transmitted on this connection.

Rx Octets: The total number of octets received on this connection.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that connection.

3.6 WAN Tasks

Some DX devices include a Wide Area Network (WAN) port which supports either Digital Data Service (DDS) or T1/E1. Use the following screens to configure WAN port parameters.

3.6.1 Port Settings (DDS)

This screen enables you to configure the WAN ports on a system supporting DDS.

Figure 3-61. WAN: Port Settings (DDS)

Table 3-60 describes the parameters you can set in the WAN: Port Settings (DDS) screen.

Table 3-60. Wide Area Network: Port Settings (DDS)

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Port Name: A user-configurable name for the port.
This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.

Speed: Specify the usable data rate of the interface. The following values may be selected:
• 56k
• 64k
Default value = 56k

Clock: Specify the source for the data clock. The following values may be selected:
• Local
• Received
Default value = Received

Admin Status: Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:
• Disabled
• Enabled
Default value = Disabled

3.6.2 Port Settings (T1/E1)

This screen enables you to configure the WAN ports on a system supporting T1/E1.

Figure 3-62. WAN: Port Settings (T1/E1)

Table 3-61 describes the parameters you can set in the WAN: Port Settings (T1/E1) screen.

Table 3-61. Wide Area Network: Port Settings (T1/E1)

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Port Name: A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.

Timeslot Bandwidth: Specify the usable data rate of the interface. The following values may be selected:
• 56k
• 64k
Default value = 56k

Clock: Specify the source for the data clock. The following values may be selected:
• Local
• Received
Default value = Received

Admin Status: Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:
• Disabled
• Enabled
Default value = Disabled

Mode: The mode for this port.
The following values may be selected:
• T1
• E1
Default value = T1

Time Slots: Specify which available time slots are used by this port. Separate single slot numbers with commas and specify a range of slots with a hyphen. For example: 1,3, 5-6.

Frame Types: The frame type for this port. For T1 mode the following values may be selected:
• ESF – Extended Super Framing format, consisting of 24 consecutive 193 bit frames.
• D4 – A framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.
Default value = ESF
For E1 mode the following values may be selected:
• FAS – Frame Alignment Signaling.
• CAS – Channel Associated Signaling. A method that “robs” some bits of each frame to transmit synchronization information.

Line Codes: The line code for this port. For T1 mode the following values may be selected:
• AMI – Alternate Mark Inversion line coding.
• B8ZS – Bipolar With 8 Zero Substitution line coding.
Default value = B8ZS
For E1 mode the following values may be selected:
• AMI – Alternate Mark Inversion line coding.
• HDB3 – High Density Bipolar 3 line coding.

3.6.3 Port Status

This screen enables you to view the current status of each WAN port in the system.

Figure 3-63. WAN: Port Status

Table 3-62 describes the values you can view in the WAN: Port Status screen.

Table 3-62. Wide Area Network: Port Status

Line State: Possible values for DDS:
• OK – The line has link and is functioning properly.
• Rx Inactive – The receiver is inactive (possibly because it is being reset).
• Loss of Sig – The signal has been lost or the signal has dropped more than 6dB.
• Excess BPVs – Excessive occurrence of invalid Bipolar Violation events.
• Data Idle – Receiving Data Mode Idle.
• Cm Idle – Receiving Control Mode Idle.
• Out of Service – Receiving Out of Service code.
• Out of Frame – An error has been reported in the framing pattern.
• DSU Loopback – The line is in local DSU loopback. (Looping back what this interface is trying to transmit. Diagnostic only.)
• CSU Loopback – The line is in CSU loopback. (Looping back what is on the wire. Diagnostic only.)
Possible values for T1/E1:
• OK – The line has link and is functioning properly.
• Carrier Loss – No carrier signal detected.
• Blue Alarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm. This indicates a total absence of an incoming signal due to a disruption in the communications path.
• Loss of Sync – The line is not synchronized to the received data stream.
• Yellow Alarm – Also known as a Remote Alarm Indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations.
• Red Alarm – The incoming signal is corrupted (wrong frame type or errors in framing).
• Loop Up – The line is looping back received data.

LMI State: Possible values for the Local Management Interface (LMI) state are:
• Disabled – The LMI has been disabled.
• Down – The LMI is enabled but is down.
• Up – The LMI has successfully established communication with its peer.
• Suspend – The LMI has been suspended due to sequence number mismatches.
• Resume – The LMI is resuming after being suspended. This is a transient state.

Rx Packets: The number of packets received on this interface since the counter was last reset.

Tx Packets: The number of packets transmitted on this interface since the counter was last reset.
Rx Octets: The number of bytes received on this interface since the counter was last reset.

Tx Octets: The number of bytes transmitted on this interface since the counter was last reset.

LMI Rx: The number of LMI packets received on this interface since the counter was last reset.

LMI Tx: The number of LMI packets transmitted from this interface since the counter was last reset.

TxDrops: The number of packets that could not be transmitted out this interface due to resource limitations since the counter was last reset.

CRCs: The number of packets received that had a CRC mismatch since the counter was last reset.

Short: The number of short frames (frames smaller than 6 bytes) received since the counter was last reset.

Long: The number of long frame (a frame over 1600 bytes) errors received since the counter was last reset.

No Buffer: The number of times the interface ran out of buffers since the counter was last reset.

Bad address: The number of packets received that were destined for an unconfigured DLCI since the counter was last reset.

3.6.4 Frame Relay

This screen enables you to configure the frame relay function of the system's WAN ports.

Figure 3-64. WAN: Frame Relay

Table 3-63 describes the parameters you can view and edit in the WAN: Frame Relay screen.

Table 3-63. Wide Area Network: Frame Relay

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

Fragmentation Size: The maximum bytes in a frame relay fragment. The default, 1600, is the maximum transmission unit (MTU) setting, plus frame relay overhead, for the DLCI IP interfaces. Clearing this field turns off end-to-end fragmentation.
If fragmentation is not enabled, the transmission of large IP packets on one Permanent Virtual Circuit (PVC) can obstruct traffic for other PVCs on the same line and significantly increase latency. MNS-DX supports end-to-end fragmentation only; that is, fragmentation is done at the packet’s point of origin on the PVC and reassembly is done at the packet’s termination point on the PVC, regardless of the number of links intervening.
Default value = 1600
Valid range = 8 - 1600

LMI Type: Specify the Local Management Interface (LMI) type. The following values may be selected:
• None
• LMI
• CCITT
• ANSI
Default value = None

LMI Mode: Specify the Local Management Interface (LMI) mode. The following values may be selected:
• User
• Network
• NNI
Default value = User

3.6.5 DLCI Settings

This screen enables you to add and delete DLCIs. Existing DLCIs are IP interfaces and must have IP addresses assigned to them in order for IP traffic to be forwarded over them.

Figure 3-65. WAN: DLCI Settings

Table 3-64 describes the parameters you can view and edit in the WAN: DLCI Settings screen.

Table 3-64. Wide Area Network: DLCI Settings

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

DLCI: Data Link Connection Identifier. Valid range = 1 - 1022.

CIR: The Committed Information Rate in bits per second. It may be cleared or it may take a value of 1 or greater. If no value is specified the bit rate of the port is the CIR. Valid range = 1 - 2097152.

IP: Indicates whether or not this DLCI will carry IP traffic. If the DLCI carries IP traffic, it becomes an IP interface and must be assigned an IP address.
Select “Yes” to make the DLCI an IP interface (RFC 1490). The IP can be configured using the Routing: IP Addresses screen. Select “No” to specify that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI. Configure the port with the Serial: Frame Relay screen.

Delete: Set the Delete checkbox in a row in the Existing Routing Table Entries table and click Apply Settings to delete that DLCI.

3.6.6 DLCI Status

This screen enables you to view DLCI status.

Figure 3-66. WAN: DLCI Status

Table 3-65 describes the values you can view in the WAN: DLCI Status screen.

Table 3-65. Wide Area Network: DLCI Status

Port ID: The physical port this DLCI is configured on.

DLCI: The DLCI number (16 - 991).

State: The DLCI state: active or inactive.

Rx Packets: The number of packets received on this interface.

Rx Octets: The number of bytes received on this interface.

Tx Packets: The number of packets transmitted on this interface.

Tx Octets: The number of bytes transmitted on this interface.

TxDrops: The number of packets that could not be transmitted out this DLCI because of resource limitations.

3.7 PPP Tasks

PPP stands for Point-to-Point Protocol, a data link protocol commonly used to establish a direct connection between two networking nodes. It can provide authentication, encryption, and compression. PPP is commonly used to act as a data link layer protocol for connection over synchronous and asynchronous circuits. PPP is used over many types of physical networks including serial cable, phone line, trunk line, cellular telephone, specialized radio links, or fiber optic links such as SONET. Most Internet service providers (ISPs) use PPP for customer dial-up access to the Internet.

NOTE: The current DX implementation of PPP only supports passive operation as a remote access server.
PPP clients can authenticate and connect to the DX over a phone line or serial link, but it is not possible at this time to connect a DX to another router over a PPP link.

3.7.1 Profiles

This screen enables you to configure a PPP profile. A profile is a group of PPP parameters that can be applied to multiple PPP connections. There must always be at least one profile. An initial Default profile is supplied with the system’s factory defaults. These default parameters support a Crossbow™ PPP connection over a Hayes-compatible modem.

Figure 3-67. PPP: Profiles

Table 3-66 describes the parameters you can view and edit in the PPP: Profiles screen.

Table 3-66. PPP: Profiles

Name: A user-selected name for this PPP profile.

LCP Echo Interval (secs.): The frequency in seconds of LCP (Link Control Protocol) keepalive exchanges. More frequent exchanges reduce the time to detect a down link but use more bandwidth.
Default value = 30
Valid range = 3 - 36000

Authentication Type: Specify the type of authentication. Possible values are:
• None – Do not authenticate the client.
• CHAP – MD5 protected challenge/response.
• PAP – Username and password sent in the clear.
• CH/PAP – PAP or CHAP depending on the client’s preference.
Default value = CHAP

Assign IP to Client: If checked, the PPP process will use the Internet Protocol Control Protocol (IPCP) to assign an IP address to the remote PPP client.
Default value = checked

Use Hayes Modem: If checked, the serial port will attempt to initialize a connected Hayes modem and answer incoming dial-in calls.
Default value = checked

Compress TCP Headers: If checked, PPP will attempt to negotiate Van Jacobson TCP header compression with the remote client.
Default value = checked

Modem Init String: A string of up to 31 printable characters.
While the modem is in the "listening" state, this string is periodically sent to the modem over the serial port. Consult your modem documentation for the initialization string for your modem.

Delete: Set the Delete checkbox in a row in the Existing Profiles table and click Apply Settings to delete that profile.

3.7.2 Connections

This screen enables you to view and edit PPP connections.

Figure 3-68. PPP: Connections

Table 3-67 describes the parameters you can view and edit in the PPP: Connections screen.

Table 3-67. PPP: Connections

Port ID: The serial port for this PPP connection.

Profile: The profile for this PPP connection.

Username: Specify a PAP or CHAP username. A device attempting a PAP or CHAP PPP connection to the DX on this port must use the username defined here.

Password: Specify a PAP or CHAP password. A device attempting a PAP or CHAP PPP connection to the DX on this port must use the password defined here.

Delete: Set the Delete checkbox in a row in the Existing Connections table and click Apply Settings to delete that connection.

3.7.3 Status

This screen enables you to view the status of PPP ports.

Figure 3-69. PPP: Status

Table 3-68 describes the parameters you can view in the PPP: Status screen.

Table 3-68. PPP: Status

Port ID: The physical port associated with this connection.

Oper Status: The operational state of the connection. Possible values are:
• Down – The PPP connection has not yet been established.
• Up – The PPP connection has been established.

Modem Status: The status of the modem. Possible values are:
• Not Present – The user indicated that there is no modem connected to the serial port or the modem initialization failed.
• Listening – The modem was successfully initialized.
• Answering – The modem is currently answering a call.
• Connected – The modem has successfully connected to the remote modem.

Uptime: Total time the current connection has been active.

Disconnect: Checking this box forces the PPP connection to disconnect.

3.7.4 Statistics

This screen enables you to view performance statistics for PPP ports.

Figure 3-70. PPP: Statistics

Table 3-69 describes the parameters you can view in the PPP: Statistics screen.

Table 3-69. PPP: Statistics

Port ID: The physical port associated with this connection.

Tx Frames: The number of transmitted PPP frames.

Tx Octets: The number of transmitted PPP octets.

Rx Frames: The number of received PPP frames.

Rx Octets: The number of received PPP octets.

Connect Count: The number of connections made for this PPP instance.

Auth Failures: The number of connections that failed due to an authentication problem.

3.8 Routing Tasks

The following subsections describe the tasks that you can perform using the screens of the Routing branch. For a discussion of routing see Section 5.3, “IP Addressing and Routing”.

3.8.1 IP Addresses

This screen enables you to configure system IP addresses.

Figure 3-71. Routing: Addresses

By factory default, the IP address 192.168.1.2 and subnet mask 255.255.255.0 are assigned to the Default interface. See Section 2.2.1 for instructions on how to change this default IP address to one that is compatible with your network.

Table 3-70 describes the parameters in the IP Addresses screen.
Table 3-70. Routing: IP Addresses

Interface: This field may be set to one of the following values depending on the available IP interfaces:
• Default (When VLANs are enabled, the IP address assigned to the Default Interface is also assigned to the default VLAN (System/VID 1).)
• VID x. The VID of a configured VLAN.
• IDs of Ethernet ports that are configured as routed ports. (See the Routing: Bridge: Port Settings screen, explained in Section 3.4.2.2.)

Address: A valid IP address.

Subnet Mask: A valid Subnet Mask value. If this field is left blank the inferred network mask of the given Interface Address is used for the added entry.

Remote Address: The IP that is assigned to a PPP client after it connects.

System: Specifies that this interface is the System interface. The System interface must have an IP address assigned. Although your DX device can be used in some applications that do not require the designation of a System interface, bear in mind that the following protocols do depend on the presence of a System IP address for their proper functioning:
• SNTP
• SNMP
• Syslog
• RADIUS

Status: Specifies whether this interface is Up or Down. For any interface to be Up it must have an IP address assigned.
• If the interface is an unbridged port the Status field will correspond with the Oper Status field of the Ethernet: Ports: Status screen (Section 3.4.1.2); that is, the port is Up if it is enabled and a link is detected.
• If the interface is a VLAN the port is Up if any port on that VLAN is up and VLANs are enabled.

3.8.1.1 The Other Options Link

The Routing: IP Addresses screen includes a hyperlink to “Other Options.” This is a hyperlink to a subordinate screen which enables you to instruct the system to ignore a configured interface.
Figure 3-72. Routing: IP Addresses: Other Options screen

Table 3-71 describes the parameters you can view and edit in the Routing: IP Addresses: Other Options screen.

Table 3-71. Routing: IP Addresses: Other Options

Interface: The name of a configured IP interface.

Ignore Link?: You can specify one of two values for this parameter:
• No – Interface status changes according to the link status of the physical ports associated with this interface.
• Yes – Ignore the link status on this interface. The interface state will always be treated as UP.
Default value = No

3.8.2 Static Routes

This screen enables you to add a new Static IP Route and to view and modify the existing routing table entries.

Figure 3-73. Routing: Static Routes

Table 3-72 describes the fields available for viewing and modification in the Static Routes screen.

Table 3-72. Routing: Static Routes

Route Destination: A valid destination IP address. New destinations added must be different from any existing route since the displayed existing routes are the routing table, which is indexed by “Route Destination.”
Default value = 0.0.0.0

Route Mask: A valid route mask.
Default value = 0.0.0.0

Next Hop: A valid IP address for the next hop on this route. The “Next Hop” must be reachable via an attached LAN.

Delete: Set the Delete checkbox in a row in the Existing Routing Table Entries table and click Apply Settings to delete that entry.

3.8.2.1 Specifying a Default Gateway

To use the Routing: Routes screen to specify a default gateway: add a static IP route with a Route Destination value of 0.0.0.0, a Route Mask value of 0.0.0.0 (the default value in each case), and a Next Hop value that matches the IP address of the router to use as the default gateway.
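How the blank-mask inference of Table 3-70, the "Next Hop must be reachable via an attached LAN" rule of Table 3-72 and the 0.0.0.0/0.0.0.0 default gateway of this section combine in one routing table, as an added Python example; this is not GarrettCom code. It assumes the inferred mask is the classful one (the guide says only "inferred network mask"), uses constructed addresses, and goes slightly beyond the text by showing longest-prefix selection, which is why the all-zero route catches only traffic no more specific route matches.

```python
"""Static routes with a default gateway, as an added illustration.

Not GarrettCom code. Classful mask inference is an assumption; all
addresses are constructed sample values.
"""
import ipaddress
from typing import List, Optional, Tuple


def inferred_mask(address: str) -> str:
    """Classful (A/B/C) mask from the first octet (assumed fallback for a blank Subnet Mask)."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


class RoutingTable:
    """Routes are (network, next hop, protocol); next hop None = directly connected."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[str], str]] = []

    def add_interface(self, address: str, mask: Optional[str] = None) -> None:
        """A configured IP interface yields a Local route to its subnet."""
        net = ipaddress.ip_network(f"{address}/{mask or inferred_mask(address)}", strict=False)
        self.routes.append((net, None, "Local"))

    def add_static(self, destination: str, mask: str, next_hop: str) -> None:
        """A static route shows up with Protocol = Management in Table 3-73."""
        net = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        # The table is indexed by Route Destination: no duplicate destinations.
        if any(existing == net for existing, _, _ in self.routes):
            raise ValueError(f"route to {net} already exists")
        # The Next Hop must be reachable via an attached LAN (a Local route).
        if not any(ipaddress.ip_address(next_hop) in existing
                   for existing, _, proto in self.routes if proto == "Local"):
            raise ValueError(f"next hop {next_hop} is not on an attached LAN")
        self.routes.append((net, next_hop, "Management"))

    def lookup(self, destination: str) -> Optional[Tuple[str, Optional[str], str]]:
        """Longest-prefix match: 0.0.0.0/0 wins only when nothing more specific matches."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, next_hop, proto in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, proto)
        if best is None:
            return None
        return str(best[0]), best[1], best[2]


if __name__ == "__main__":
    table = RoutingTable()
    table.add_interface("192.168.1.2")               # blank mask: inferred /24
    table.add_static("0.0.0.0", "0.0.0.0", "192.168.1.100")   # default gateway
    table.add_static("10.20.0.0", "255.255.0.0", "192.168.1.254")
    for host in ("192.168.1.50", "10.20.3.4", "8.8.8.8"):
        print(host, "->", table.lookup(host))
```

The two `ValueError` paths are the cases the screen itself rejects: a second route to an existing destination, and a next hop that is not on any attached subnet (such a route could never be used, since the router has no interface on which to send to that hop).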
Figure 3-74 depicts an example specifying IP address 192.168.1.100 as the default gateway.

Figure 3-74. Specifying a Default Gateway

3.8.3 Table

This screen enables you to view the routing table.

Figure 3-75. Routing: Table

Press the Refresh button to get an updated list of routes. Table 3-73 describes the fields displayed in the Routing: Table screen.

Table 3-73. Routing: Table

Route Destination: The destination IP address for this IP route. (Note: the Route Destination 127.0.0.1 is the localhost address; that is, the loopback interface for the computer currently being used. It is included in the routing table for internal purposes.)

Route Mask: The subnet mask for this IP route.

Next Hop: The IP address for the next hop on this IP route.

Protocol: Specifies the source of the route. This may take the following values:
• BGP – A route learned by the BGP routing protocol.
• Management – A static route.
• Local – A route to a directly connected subnet.
• OSPF – A route learned by the OSPF routing protocol.
• RIP – A route learned by the RIP routing protocol.
• VPN – A route to a private network associated with a VPN tunnel.

Metric: Metric has a different meaning depending on the Protocol. For RIP the metric is the number of hops to the destination. For OSPF and BGP, the metric is an administratively configured cost to the destination.

Age: The number of seconds since this route was last learned (or refreshed).

3.8.4 ARP Table

This screen enables you to view and flush the Address Resolution Protocol (ARP) table.

Figure 3-76. Routing: ARP Table

Press the Refresh button to get an updated list of ARP entries. Press the Flush button to clear the table; this forces the software to re-execute an ARP for all hosts.
Table 3-74 describes the fields displayed in the Routing: ARP Table screen.

Table 3-74. Routing: ARP Table

IP Address: The IP address associated with the MAC address in this row.

MAC Address: The MAC address associated with the IP address in this row.

IP Interface: The IP interface upon which the host is connected.

3.8.5 RIP

The Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) routing protocol used on internal networks. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.

3.8.5.1 RIP: Global Settings

This screen enables you to configure Routing Information Protocol (RIP) parameters.

Figure 3-77. Routing: RIP: Global Settings

Table 3-75 describes the parameters you can configure in the RIP form.

Table 3-75. Routing: RIP: Global Settings

Mode: This parameter can take one of the following values:
• Disabled
• RIP – RIP version 1.
• RIP-II – RIP version 2 with subnet broadcast (uses the subnet broadcast address).
• RIP-II multi – RIP version 2 with multicast.
• RIP-II local – RIP version 2 with local broadcast (uses the local broadcast address, 255.255.255.255. This is sometimes needed for compatibility with older devices.)
Default value = Disabled

RIP-1 Compatible: You can specify one of two values for this parameter:
• No – RIP routes with CIDR masks will be propagated and learned as per RIP-2.
• Yes – Enforces the restrictions necessary for RIP-1 and RIP-2 routers to operate correctly in the same network as described in section 3.2 of RFC 1058 and section 3.3 of RFC 1723. Routes to portions of a logical network (including host routes) will be limited to routers within that network.
Updates sent outside that network will only include a single entry representing the entire network. That entry will subsume all subnets and host-specific routes. If supernets are used, the entry will advertise the largest class-based portion of the supernet reachable through the connected interface.
Default (and recommended) value = No

Gateway: If this parameter is set to Yes the router advertises itself as a default gateway.
Default value = No

Import OSPF Routes: Specify whether or not OSPF routes are redistributed by this router into the RIP network.
• No – OSPF routes are not redistributed into the RIP network by this router.
• Yes – OSPF routes are redistributed into the RIP network by this router.
Default value = No

Default OSPF Route Metric: Select a fixed hop count that will be used for all OSPF routes imported into the RIP routing domain.
Default value = 1
Valid range = 1 - 15

Expire Time: This parameter tells RIP the number of seconds between updates before a route is invalidated. An invalidated route is not used, but it is not deleted immediately. It is retained for the length of time you specify with the Flush Time parameter. If confirmation arrives before the route flush timer expires, the route is re-marked as valid.
Valid range = 1 - 600 seconds
Default value = 180

Flush Time: This parameter tells RIP the number of additional seconds to wait after a route expires before that route is deleted entirely from the routing table.
Valid range = 1 - 600 seconds
Default value = 120

3.8.5.2 RIP: Interface Settings

This screen enables you to view and edit RIP interface settings.
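The Expire Time and Flush Time behaviour described in Table 3-75 above (a route is invalidated and stops being used after Expire Time, is held for a further Flush Time, and is re-marked valid if an update arrives in that window), as an added Python simulation; this is not GarrettCom code. It uses the guide's default timer values, constructed routes, and the standard RIP convention that a metric of 16 withdraws a route, which the table itself does not state.

```python
"""RIP route ageing with Expire Time and Flush Time (added illustration).

Not GarrettCom code. Timer defaults are the guide's (180 s / 120 s); the
metric-16 withdrawal rule is standard RIP; routes are constructed.
"""
from typing import Dict, List, Optional

EXPIRE_TIME = 180   # seconds without an update before a route is invalidated
FLUSH_TIME = 120    # additional seconds an invalidated route is retained
RIP_INFINITY = 16   # 16 hops means unreachable (RIP's 15-hop limit)


class RipRoute:
    def __init__(self, destination: str, next_hop: str, metric: int, now: float) -> None:
        self.destination = destination
        self.next_hop = next_hop
        self.metric = metric
        self.last_update = now

    def state(self, now: float) -> str:
        """valid -> invalidated (held, unused) -> flushed, driven by the two timers."""
        age = now - self.last_update
        if age < EXPIRE_TIME:
            return "valid"
        if age < EXPIRE_TIME + FLUSH_TIME:
            return "invalidated"
        return "flushed"


class RipTable:
    def __init__(self) -> None:
        self.routes: Dict[str, RipRoute] = {}

    def update(self, destination: str, next_hop: str, metric: int, now: float) -> None:
        """Process one RIP update. A refresh that arrives before the flush timer
        expires re-marks an invalidated route as valid; metric 16 withdraws it."""
        if metric >= RIP_INFINITY:
            self.routes.pop(destination, None)
            return
        current = self.routes.get(destination)
        if (current is None or current.state(now) != "valid"
                or current.next_hop == next_hop or metric < current.metric):
            self.routes[destination] = RipRoute(destination, next_hop, metric, now)

    def purge(self, now: float) -> List[str]:
        """Delete routes whose flush timer has run out; returns what was removed."""
        gone = [d for d, r in self.routes.items() if r.state(now) == "flushed"]
        for destination in gone:
            del self.routes[destination]
        return gone

    def usable(self, now: float) -> Dict[str, str]:
        """destination -> next hop for routes still valid for forwarding."""
        return {d: r.next_hop for d, r in self.routes.items() if r.state(now) == "valid"}

    def state_of(self, destination: str, now: float) -> Optional[str]:
        route = self.routes.get(destination)
        return route.state(now) if route else None


if __name__ == "__main__":
    table = RipTable()
    table.update("10.1.0.0", "192.0.2.1", 2, now=0)
    for t in (0, 179, 180, 299, 300):
        print(t, table.state_of("10.1.0.0", t))
```

The practical consequence for an operator is the gap between "invalidated" and "flushed": for up to Flush Time seconds the Routing: Table screen still lists a route that forwarding no longer uses, so a stale entry there is not by itself a sign that traffic is still flowing that way.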
Figure 3-78. Routing: RIP: Interface Settings

Table 3-76 describes the parameters you can view and edit in the Routing: RIP: Interface Settings screen.

Table 3-76. Routing: RIP: Interface Settings

IP Interface: The name of an IP interface. The system automatically supplies a list of valid interfaces. You create these interfaces when you create a VLAN with the VLAN: VIDs screen or when you designate a port as “not bridged” (that is, “Routed”) in the Ethernet: Bridge: Port Settings screen.

Enabled?: Indicates whether or not this port is a member of the bridge.
• Yes – The IP interface participates in RIP, which therefore sends and receives routing information on the interface (default).
• No – The IP interface does not participate in RIP. It does not send and receive routing information. This interface is also not advertised in RIP updates sent out other interfaces.

3.8.6 OSPF

Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) that uses link state information to compute the shortest path between networks. The protocol is defined in RFC 2328.

3.8.6.1 OSPF: Global Settings

This screen enables you to view and edit global OSPF functionality on this unit.

Figure 3-79. Routing: OSPF: Global Settings

Table 3-77 describes the parameters you can view and edit in the Routing: OSPF: Global Settings screen.

Table 3-77. Routing: OSPF: Global Settings

Enabled?: Specifies whether or not the unit should use OSPF as its routing protocol.

Router ID: A 32-bit integer that is unique within the OSPF Autonomous System (AS). It is written in standard dotted decimal notation but it is not an IP address; however, it is standard practice to use one of the router’s IP addresses for the Router ID value to guarantee uniqueness.
AS Border Router?: Specifies whether or not this router sits at the border between two autonomous systems. Note: The router must be configured as an AS Border Router in order to import RIP or static routes into OSPF. This is because RIP and static routes are treated as external routes.

Import RIP Routes?: Specify whether or not RIP routes are redistributed by this router into the OSPF network. The AS Border Router parameter must be set to Yes in order to redistribute RIP routes.
• No – RIP routes are not redistributed into the OSPF network by this router.
• Yes – RIP routes are redistributed into the OSPF network by this router.

Default RIP Route Metric: Specify a specific OSPF cost metric that will be used for all RIP routes imported into the OSPF routing domain.
Default value = 20
Valid range = 0 - 16777214

Import Static Routes?: Specify whether or not static routes are redistributed by this router into the OSPF network. The AS Border Router parameter must be set to Yes in order to redistribute static routes.
• No – Static routes are not redistributed into the OSPF network by this router.
• Yes – Static routes are redistributed into the OSPF network by this router.

Default Static Route Metric: Specify a specific OSPF cost metric that will be used for all static routes imported into the OSPF routing domain.
Default value = 20
Valid range = 0 - 16777214

3.8.6.2 OSPF: Area Settings

This screen enables you to view and edit the OSPF area settings.

Figure 3-80. Routing: OSPF: Area Settings

Table 3-78 describes the parameters you can view and edit in the Routing: OSPF: Area Settings screen.

Table 3-78. Routing: OSPF: Area Settings

Area ID: A 32-bit integer (in dotted decimal notation) that uniquely identifies an area.

Import AS: Indicates how routers in this area import information about networks outside of the area.
• External – Import routing information for all networks, including those outside the AS.
• No External – Import routing information only for networks within the AS (a stub area).
• Not So Stubby Area – External routing information is allowed to flow from the NSSA toward the backbone but not in the other direction.
Summary: Whether or not routers in this area receive summary Link State Advertisements (LSAs) for networks outside of this area.
Delete: Set the Delete checkbox in a row in the Existing Areas table and click Apply Settings to delete that entry.

3.8.6.3 OSPF: Interface Settings
This screen enables you to view and edit OSPF interface settings.
Figure 3-81. Routing: OSPF: Interface Settings
Table 3-79 describes the parameters you can view and edit in the Routing: OSPF: Interface Settings screen.

Table 3-79. Routing: OSPF: Interface Settings
IP Interface: The unique identifier of an IP interface defined by the router.
Enabled?: Enable OSPF on this interface:
• Yes – This interface is included in the OSPF protocol.
• No – OSPF does not run on this interface and OSPF will not advertise this subnet.
Area ID: The OSPF area to which this interface belongs.
Type: The media type of the interface. Possible types are:
• Broadcast – a broadcast medium such as an Ethernet LAN.
• NBMA – non-broadcast multiple access.
• Point to Point – a point-to-point line such as a frame relay link or a full duplex Ethernet link with only two endpoints.
• Point to Multipoint – multiple point-to-point links.
Metric: An integer in the range 0-65535 that indicates the relative cost of passing traffic over this interface. This is used by the shortest-path algorithm to select optimal routes.
Router Priority: An integer in the range 0-255 that specifies a priority for this router. This value is used in electing a designated router on a broadcast network.
The greater the value, the higher the priority and the greater the likelihood that this router will be elected the designated router. A value of 0 makes the router ineligible.
Profile: Specify a profile to apply to this interface. Each profile contains a set of OSPF configuration parameters. Profiles are defined in the “OSPF: Interface Profiles” screen, explained in Section 3.8.6.4.

3.8.6.4 OSPF: Interface Profiles
This screen enables you to view and edit OSPF Interface Profiles. These profiles specify a set of configuration parameters that can be applied to OSPF interfaces.
Figure 3-82. Routing: OSPF: Interface Profiles
Table 3-80 describes the parameters you can view and edit in the Routing: OSPF: Interface Profiles screen.

Table 3-80. Routing: OSPF: Interface Profiles
Profile Name: A name for this profile. The name is a user-supplied alphanumeric string of 1-16 characters.
Transit Delay: Estimated number of seconds it takes to transmit a link state update packet over this interface. Valid range = virtually unlimited.
Retrans. Interval: Estimated number of seconds between link state advertisement retransmissions for adjacencies belonging to this interface. Valid range = virtually unlimited.
Hello Interval: Specify the frequency (in seconds) with which hello packets will be sent from the interface. Valid range = 1 - 65535.
Dead Interval: The number of seconds that must elapse with no receipt of hello packets from a neighbor before OSPF concludes that neighbor is unavailable. Valid range = virtually unlimited. Neighbors on a segment form an adjacency only if their Hello Interval, Dead Interval and authentication settings match, so apply the same profile to both ends of a link; RFC 2328 suggests a Dead Interval of four times the Hello Interval.
Authorization Type: Specify the type of authentication to be used with neighbors (the screen labels this “Authorization”; RFC 2328 calls it authentication).
• None – No authentication is performed between neighbors. Any host on the segment can form an adjacency and inject routes.
• Simple – The key is sent in the clear in every OSPF packet. Anyone who can capture traffic on the segment can read it, so Simple only guards against accidental adjacencies, not against an attacker.
• MD5 – The key is never transmitted. Instead it is combined with each OSPF packet to compute an MD5 message digest (RFC 2328, Appendix D) that is appended to the packet. Receiving routers recompute the digest with their own copy of the key and reject packets whose digest does not match, and a per-packet sequence number limits replay. This is a keyed hash, not a digital signature, and MD5 is the only algorithm this screen offers.
Authorization Key: The secret shared between neighboring routers. The secret is an alphanumeric string of 1-16 characters.
Authorization Key ID: An integer in the range 1-255 that uniquely identifies this key. For MD5 the ID travels in the packet header, so neighbors must agree on both the ID and the key.
Delete: Set the Delete checkbox in a row in the Existing Profiles table and click Apply Settings to delete that profile.

3.8.6.5 OSPF: Area Aggregates
Subnet addresses within an OSPF area can be aggregated and represented with a single address. This can significantly reduce the size of routing tables and link-state databases. This screen enables you to view and edit OSPF area aggregate parameters.
Figure 3-83. Routing: OSPF: Area Aggregates
Table 3-81 describes the parameters you can view and configure in the Routing: OSPF: Area Aggregates screen.

Table 3-81. Routing: OSPF: Area Aggregates
Area ID: The OSPF area within which the address aggregate is found.
Net: The IP address of the net or subnet indicated by the range.
Mask: The subnet mask that pertains to the net or subnet.
Effect: Indicates whether or not the aggregate is advertised outside the area.
Delete: Set the Delete checkbox in a row in the Existing Area Aggregates table and click Apply Settings to delete that entry.

3.8.6.6 OSPF: Neighbor Status
This screen enables you to view the status of OSPF neighbors.
Figure 3-84. Routing: OSPF: Neighbor Status
Table 3-82 describes the parameters you can view in the Routing: OSPF: Neighbor Status screen.

Table 3-82. Routing: OSPF: Neighbor Status
IP Address: The IP address of the neighbor’s interface used to communicate with this router.
Router ID: The unique OSPF router ID of the neighbor.
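The difference between the Simple and MD5 authentication types of Section 3.8.6.4 is easiest to see on the wire. The following is an added example, not GarrettCom code: it builds an OSPF hello with each authentication type following the packet layout of RFC 2328 (header in Appendix A.3.1, cryptographic authentication in Appendix D) and shows that the Simple key is readable in a capture while the MD5 variant carries only a keyed digest, a key ID and a sequence number. The router ID, area, key and hello body are constructed sample values.

```python
"""OSPF packet authentication: Simple (cleartext key) versus MD5 (keyed digest).
Added example, not GarrettCom code. Layout per RFC 2328; sample values below."""
import hashlib
import hmac
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2
HDR = "!BBH4s4sHH"   # version, type, length, router id, area id, checksum, autype
HDR_LEN = 24         # 16-byte fixed header + 8-byte authentication field
DIGEST_LEN = 16      # MD5 digest length and padded key block length

# Constructed sample data: a hello from router 10.0.0.1 in area 0.0.0.0
# (mask /24, hello 10 s, options, priority 1, dead 40 s, DR, BDR).
ROUTER_ID = bytes([10, 0, 0, 1])
AREA_ID = bytes([0, 0, 0, 0])
HELLO_BODY = bytes([255, 255, 255, 0]) + struct.pack("!HBBIII", 10, 2, 1, 40, 0, 0)


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used with Null and Simple auth."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_simple(body: bytes, key: bytes) -> bytes:
    """Simple authentication: the (at most 8-byte) key is copied into the header."""
    length = HDR_LEN + len(body)
    fixed = struct.pack(HDR, 2, 1, length, ROUTER_ID, AREA_ID, 0, AUTH_SIMPLE)
    csum = _checksum(fixed + body)          # checksum excludes the auth field
    fixed = struct.pack(HDR, 2, 1, length, ROUTER_ID, AREA_ID, csum, AUTH_SIMPLE)
    return fixed + key.ljust(8, b"\x00")[:8] + body


def build_md5(body: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """Cryptographic authentication: the auth field carries key ID, digest length
    and sequence number; MD5(packet || key padded to 16 bytes) is appended after
    the packet and is not counted in the length field. Checksum is zero."""
    length = HDR_LEN + len(body)
    fixed = struct.pack(HDR, 2, 1, length, ROUTER_ID, AREA_ID, 0, AUTH_MD5)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = fixed + auth + body
    return packet + hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def verify_md5(wire: bytes, keys: dict, last_seq: int):
    """Receiver-side check. keys maps key ID -> key. Returns (accepted, reason, seq)."""
    if len(wire) < HDR_LEN:
        return False, "short packet", last_seq
    _, _, length, _, _, _, autype = struct.unpack(HDR, wire[:16])
    if autype != AUTH_MD5:
        return False, "autype mismatch", last_seq
    _, key_id, dlen, seq = struct.unpack("!HBBI", wire[16:24])
    if dlen != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
        return False, "bad digest length", last_seq
    if key_id not in keys:
        return False, "unknown key id", last_seq
    if seq < last_seq:  # RFC 2328 accepts seq >= last, so an equal value replays
        return False, "replayed sequence number", last_seq
    expected = hashlib.md5(wire[:length] + keys[key_id].ljust(DIGEST_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch", last_seq
    return True, "ok", seq


def key_visible_on_wire(wire: bytes, key: bytes) -> bool:
    """True if a packet capture of this packet reveals the shared key."""
    return key in wire


if __name__ == "__main__":
    key = b"ospfpass"
    print("simple leaks key:", key_visible_on_wire(build_simple(HELLO_BODY, key), key))
    pkt = build_md5(HELLO_BODY, key, 1, 100)
    print("md5 leaks key:", key_visible_on_wire(pkt, key))
    print("verify:", verify_md5(pkt, {1: key}, 0))
    print("replay:", verify_md5(pkt, {1: key}, 101))
```

Two points worth noticing: the sequence check uses "greater than or equal", exactly as RFC 2328 specifies, so a packet captured and replayed before the sender's counter advances is still accepted; and the digest is a MAC computed with a shared key, so any router that holds the key can forge packets for any other. Keys therefore need to be unique per segment, and rotating them is a matter of adding a new Key ID on all neighbors before removing the old one.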
Table 3-82. Routing: OSPF: Neighbor Status (continued)
Priority: The router priority of the neighbor.
State: This field reports the current status of the connection to a neighbor.
• Init – A hello packet has recently been seen from the neighbor.
• Two-Way – Bi-directional communication has been established with the neighbor.
• Exchange – This router is in the process of synchronizing with the neighbor’s link state database.
• Full – Synchronization is complete and the neighbor is considered to be “fully adjacent.”

3.8.7 BGP
Border Gateway Protocol (BGP) is a protocol for routing traffic between autonomous systems (ASs). An autonomous system is a set of routers under a single technical administration, such as the routers in a power utility substation or a set dedicated to some specific purpose within a larger network. BGP is the core routing protocol of the Internet. It runs over a TCP session (port 179). The latest version of BGP is BGP4, defined in RFC 4271; this is the version supported in the DX implementation.
BGP is an Exterior Gateway Protocol (EGP). Within an autonomous system other protocols, such as RIP, OSPF, or IS-IS, are used to communicate routing information; these are Interior Gateway Protocols (IGPs). BGP has an external (inter-AS) mode of operation called eBGP and an internal (intra-AS) mode called iBGP. The DX implementation supports eBGP and partially supports iBGP. All references to BGP in this document refer to communication between ASs; communication between routers within a single AS is handled by whatever IGP you have configured on your system.
A BGP-enabled router (or “speaker”) keeps its neighbor(s) informed of the subnets to which it can provide access by exchanging a stream of messages with them. Because a speaker installs the prefixes its peers advertise, a mis-configured or hostile peer can inject routes; configure each peer’s address and AS number explicitly rather than accepting whatever connects.
3.8.7.1 BGP: Global Settings
This screen enables you to view and edit BGP global settings.
Figure 3-85. Routing: BGP: Global Settings
Table 3-83 describes the parameters you can view and edit in the Routing: BGP: Global Settings screen.

Table 3-83. Routing: BGP: Global Settings
BGP Mode: Enable or Disable BGP capability.
AS Number: An identifying number for this AS. It is carried in the OPEN message this router sends when it brings up a session (the BGP Status and Statistics screens in this guide label that message “Hello”). Valid range = 0 - 65535.
Router ID: The BGP identifier of the router you are configuring, entered as one of its IP addresses.

3.8.7.2 BGP: Peer Settings
This screen enables you to view and edit BGP peer settings.
Figure 3-86. Routing: BGP: Peer Settings
Table 3-84 describes the parameters you can view and edit in the Routing: BGP: Peer Settings screen.

Table 3-84. Routing: BGP: Peer Settings
BGP Name: A user-supplied BGP reference name of up to 15 characters.
Peer IP Address: The IP address of the router to which BGP traffic will be sent. If no value is specified, a value of 0 is used to signify that the system will accept whatever address the remote end supplies. Leaving this at 0 lets any host that can reach TCP port 179 attempt a session, so set it explicitly wherever the peer address is known.
Local IP Address: The IP address of the router you are configuring for BGP.
Peer AS: The AS number expected from the peer. The session is refused if the AS number in the peer’s OPEN message does not match. Valid range = 0 - 65535.
Local AS: An AS number that overrides, for this connection only, the AS specified in the Routing: BGP: Global Settings screen. It is carried in this router’s OPEN message. Valid range = 0 - 65535.
Hold Timer (sec): The hold time this router proposes in its OPEN message: the number of seconds it will wait without receiving a KEEPALIVE or UPDATE from the peer before declaring the session down. Both sides use the smaller of the two proposed values, and KEEPALIVE messages are sent at a fraction of it (RFC 4271 suggests one third), so this setting also determines how often keepalives are sent.
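The OPEN exchange that the AS Number, Router ID, Peer AS and Hold Timer settings above feed into is shown in the following added example, which is not GarrettCom code. It encodes and parses the OPEN message as laid out in RFC 4271 section 4.2, refuses a peer whose AS number differs from the configured Peer AS (the “Bad Peer AS” OPEN error), and negotiates the hold time and keepalive interval the way the standard describes. The AS numbers, identifiers and timers are constructed sample values, and the two speakers are simulated in one process.

```python
"""BGP OPEN exchange and hold-time negotiation (RFC 4271 sections 4.2 and 8).
Added example, not GarrettCom code; all configuration values are constructed."""
import struct

MARKER = b"\xff" * 16    # all-ones marker, RFC 4271 section 4.1
OPEN = 1
MIN_HOLD = 3             # hold time must be 0 or at least 3 seconds


def build_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """Encode an OPEN message: version 4, AS, hold time, identifier, no options."""
    if hold_time != 0 and hold_time < MIN_HOLD:
        raise ValueError("hold time must be 0 or >= 3 seconds")
    ident = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ident, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def parse_open(msg: bytes) -> dict:
    """Decode an OPEN message, raising on the errors a receiver must reject."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("connection not synchronized")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != OPEN or length != len(msg):
        raise ValueError("bad message length or type")
    version, asn, hold, ident, optlen = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported version number")
    if hold in (1, 2):
        raise ValueError("unacceptable hold time")
    return {"as": asn, "hold_time": hold, "router_id": ".".join(map(str, ident))}


def negotiate_timers(local_hold: int, peer_hold: int):
    """Session hold time is the smaller proposal; keepalive is one third of it.
    A hold time of 0 means the session never times out and sends no keepalives."""
    hold = min(local_hold, peer_hold)
    return hold, (hold // 3 if hold else 0)


def open_session(local: dict, peer: dict) -> dict:
    """Simulate both speakers sending OPEN, as configured in Global and Peer
    Settings: as, router_id, hold_time and the expected peer_as of the other side.
    A KEEPALIVE from each side then confirms the OPEN and the session is Established."""
    sent = build_open(local["as"], local["hold_time"], local["router_id"])
    received = parse_open(build_open(peer["as"], peer["hold_time"], peer["router_id"]))
    if received["as"] != local["peer_as"]:
        # NOTIFICATION: OPEN Message Error, subcode 2 (Bad Peer AS); back to Idle.
        return {"state": "Idle", "reason": "Bad Peer AS", "got_as": received["as"]}
    if parse_open(sent)["as"] != peer["peer_as"]:
        return {"state": "Idle", "reason": "rejected by peer: Bad Peer AS"}
    hold, keepalive = negotiate_timers(local["hold_time"], received["hold_time"])
    return {"state": "Established", "peer_router_id": received["router_id"],
            "hold_time": hold, "keepalive_interval": keepalive}


if __name__ == "__main__":
    dx = {"as": 65001, "router_id": "10.0.0.1", "hold_time": 90, "peer_as": 65002}
    upstream = {"as": 65002, "router_id": "10.0.0.2", "hold_time": 180, "peer_as": 65001}
    print(open_session(dx, upstream))
```

Note what the Peer AS check does and does not give you: it stops a session with a peer that announces the wrong AS, but it does not authenticate the peer, since the AS number is a cleartext field anyone can send. The page’s later statistics screen counts these OPEN messages under the label “Hellos”.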
Table 3-84. Routing: BGP: Peer Settings (continued)
Profile: The name of the profile used by this peer.
Delete: Set the Delete checkbox in a row in the Existing Peers table and click Apply Settings to delete that peer.

3.8.7.3 BGP: Profiles
This screen enables you to view and edit BGP profiles.
Figure 3-87. Routing: BGP: Profiles
Table 3-85 describes the parameters you can view and edit in the Routing: BGP: Profiles screen.

Table 3-85. Routing: BGP: Profiles
Profile Name: A user-supplied name of up to 15 characters for this profile.
Default Router: If “Yes,” specifies that the router using this profile is the default router.
Redist Static: If “Yes,” include static route information from this router in BGP Update messages.
Redist RIP: If “Yes,” include RIP route information from this router in BGP Update messages.
Redist BGP: If “Yes,” include BGP route information from this router in BGP Update messages.
Weight: A priority value in the range 0 - 4294967295.
Private AS: If “Yes,” private AS numbers are redistributed.
Local Pref: A priority value assigned to a route that is local to this AS. Default value = 100. Valid range = 0 - 4294967295.
TCP Passive: If “Yes,” this router will not initiate a TCP connection but will wait for one to be initiated by a peer.
Delete: Set the Delete checkbox in a row in the Existing Profiles table and click Apply Settings to delete that profile.

3.8.7.4 BGP: Status
This screen enables you to view BGP status.
Figure 3-88. Routing: BGP: Status
Table 3-86 describes the parameters you can view and edit in the Routing: BGP: Status screen.

Table 3-86.
Routing: BGP: Status
Neighbor: The IP address of a neighbor configured to exchange BGP traffic.
Version: The BGP version running on this connection.
AS #: The AS number of the router whose IP address is displayed under Neighbor in this row of the table.
BGP State: The state of the connection with this neighbor. Possible values are:
• Established – can exchange UPDATE and KEEPALIVE messages with its peer.
• Active – trying to acquire a peer by listening for, and accepting, a TCP connection.
• Idle – the initial state; the router refuses incoming connections and has not yet begun a connection attempt. BGP starts here and returns here after an error.
• Connect – waiting for the TCP connection to be completed.
• OpenSent – connection has sent an OPEN message and is waiting for an OPEN message from its peer.
• OpenConfirm – connection has sent an OPEN message, has received an OPEN message, and is waiting for a KEEPALIVE message.
Nets Rcvd: The number of subnets received from this peer.
Pkts Sent: Count of the HELLO (OPEN), KEEPALIVE, NOTIFICATION, and UPDATE packets sent to this neighbor since BGP Open was initiated.
Pkts Rcvd: Count of the HELLO (OPEN), KEEPALIVE, NOTIFICATION, and UPDATE packets received from this neighbor since BGP Open was initiated.
TCP Session: The TCP session status. Possible values are:
• Idle
• Listening
• Connecting
• Connect
Reset: Use the dropdown list to specify the type of reset. Possible values are:
• None
• Soft Reset – send a BGP route refresh message.
• Hard Reset – reset the TCP connection.

3.8.7.5 BGP: RIB
This screen enables you to view the Routing Information Base (RIB).
Figure 3-89. Routing: BGP: RIB
Table 3-87 describes the information you can view in the Routing: BGP: RIB screen.

Table 3-87.
Routing: BGP: RIB
Prefix: An IP address prefix, qualified by the number of significant bits given under Bits.
Bits: The number of significant bits in the prefix.
Source Peer #: The IP address of the source peer.
Source AS #: The AS number of the source.
Number Hops: Number of AS hops between the source and this system.
Weight: A priority value for the peer from which this prefix was learned.
Origin: The origin attribute of the Network Layer Reachability Information (NLRI):
• 0 – IGP, interior to the originating AS.
• 1 – EGP, learned via the (obsolete) EGP protocol.
• 2 – Incomplete, learned by some other means, for example a redistributed static route.
Local Pref: A priority specification distributed among internal peers only.
eBGP/iBGP: Whether the prefix came through an iBGP or an eBGP connection.

3.8.7.6 BGP: Statistics
This screen enables you to view BGP statistics.
Figure 3-90. Routing: BGP: Statistics
Table 3-88 describes the values you can view in the Routing: BGP: Statistics screen.

Table 3-88. Routing: BGP: Statistics
Prefix: The address of a BGP peer.
Sent:
Hellos: The number of BGP Hello (OPEN) messages sent to the address listed under “Prefix.”
Keepalives: The number of BGP Keepalive messages sent to the address listed under “Prefix.”
Updates: The number of BGP Update messages sent to the address listed under “Prefix.”
Route Refresh: The number of BGP Route Refresh messages sent to the address listed under “Prefix.”
Notifies: The number of BGP Notification messages sent to the address listed under “Prefix.”
Received:
Hellos: The number of BGP Hello (OPEN) messages received from the address listed under “Prefix.”
Keepalives: The number of BGP Keepalive messages received from the address listed under “Prefix.”
Updates: The number of BGP Update messages received from the address listed under “Prefix.”
Route Refresh: The number of BGP Route Refresh messages received from the address listed under “Prefix.”
Notifies: The number of BGP Notification messages received from the address listed under “Prefix.”

3.8.8 VRRP
The Virtual Router Redundancy Protocol (VRRP), described in RFC 3768, is a method of providing a backup router if a primary (or “master”) router should fail. The virtual router is a group of two or more physical routers on the same network that share certain identifying information. One of these routers is configured with the IP address that will be used as the virtual router IP address (VRIP). This router is the “owner” of the VRIP and serves the master role so long as it is operational.
The devices that make up a virtual router communicate with one another at a frequency specified by the advertising interval. When the device serving the master role has not been heard from for longer than three times the advertising interval (plus a small skew time that RFC 3768 derives from the router’s priority, so that higher-priority backups time out first), that device is presumed to be non-functioning and priority values are used to elect a new master from the remaining members of the virtual router. VRRP advertisements carry no authentication in RFC 3768, so any host on the segment that can send to the VRRP multicast address with a higher priority can claim the master role and the VRIP; keep the segment to trusted devices.
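How the Priority, Adver Interval and Preemption parameters of the Groups screen combine into a failover decision is shown in the following added example, which is not GarrettCom code. It uses the timer rules of RFC 3768 section 6.1 (Skew_Time = (256 - Priority) / 256, Master_Down_Interval = 3 × Advertisement_Interval + Skew_Time), the owner rule (the router whose interface address is the VRIP has priority 255 and always preempts), and the tie-break on the higher primary IP address. The routers, priorities and addresses are constructed sample values.

```python
"""VRRP master election and preemption per RFC 3768.
Added example, not GarrettCom code; the router group below is constructed."""
from dataclasses import dataclass
import ipaddress

OWNER_PRIORITY = 255


@dataclass
class VrrpRouter:
    name: str
    address: str          # primary IP of the interface running VRRP
    priority: int         # configured Priority, 1-254 for backups
    owner: bool = False   # True if address == VRIP
    preemption: bool = True

    @property
    def effective_priority(self) -> int:
        """The owner is always 255, whatever value was configured."""
        return OWNER_PRIORITY if self.owner else self.priority


def skew_time(priority: int) -> float:
    return (256 - priority) / 256.0


def master_down_interval(priority: int, adver_interval: float) -> float:
    """Seconds a backup waits without advertisements before starting an election."""
    return 3 * adver_interval + skew_time(priority)


def elect_after_failure(routers, failed_master: str, adver_interval: float):
    """The surviving router with the shortest Master_Down_Interval (highest
    priority; higher IP address on a tie) becomes master. Returns (name, seconds)."""
    survivors = [r for r in routers if r.name != failed_master]
    best = min(survivors, key=lambda r: (master_down_interval(r.effective_priority, adver_interval),
                                         -int(ipaddress.ip_address(r.address))))
    return best.name, master_down_interval(best.effective_priority, adver_interval)


def should_preempt(candidate: VrrpRouter, current_master: VrrpRouter) -> bool:
    """A backup takes over a live master only if preemption is enabled and its
    priority is higher; the owner takes over regardless of the Preemption flag."""
    if candidate.owner:
        return True
    return candidate.preemption and candidate.effective_priority > current_master.effective_priority


def failover_timeline(routers, adver_interval: float, failed: str, returning: str):
    """Master fails, a backup is elected, then the failed router returns."""
    new_master, t = elect_after_failure(routers, failed, adver_interval)
    master = next(r for r in routers if r.name == new_master)
    back = next(r for r in routers if r.name == returning)
    events = [(failed, "failed", 0.0), (new_master, "master", round(t, 6))]
    if should_preempt(back, master):
        events.append((returning, "master (preempted)", None))
    else:
        events.append((returning, "backup", None))
    return events


if __name__ == "__main__":
    group = [
        VrrpRouter("A", "192.168.1.1", 100, owner=True),   # owns VRIP 192.168.1.1
        VrrpRouter("B", "192.168.1.2", 150),
        VrrpRouter("C", "192.168.1.3", 100),
        VrrpRouter("D", "192.168.1.4", 200, preemption=False),
    ]
    for event in failover_timeline(group, 1.0, failed="A", returning="A"):
        print(event)
```

Two behaviours of the screen follow from the code: the owner’s configured priority is ignored (it is 255 whether you enter 100 or 254), and a backup with Preemption set to No never displaces a running master even when its priority is higher, which is what you want when you would rather not flap the VRIP every time a preferred router reboots.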
3.8.8.1 VRRP: Groups
This screen enables you to add new VRRP groups and to edit the parameters of existing groups.
Figure 3-91. Routing: VRRP: Groups
Table 3-89 describes the parameters you can view and edit in the Routing: VRRP: Groups screen.

Table 3-89. Routing: VRRP: Groups
VRID: An integer to serve as an ID for this virtual router. Valid range = 1 - 255.
VRIP: The virtual router IP address. If this address matches the IP address assigned to a local interface, this router is considered to be the “owner” of that IP and is always the Master if it is available. Otherwise, the router is considered a backup.
Priority: The configured relative priority of backup routers (that is, routers that do not “own” the virtual router IP). The backup with the highest priority takes over if the master fails. Default value if owner = 255, if backup = 100. Note that the owner always has priority 255 no matter what priority value a user may specify. Valid range = 1 - 254.
Adver Interval: The advertisement interval in seconds. This determines how often the master sends VRRP advertisements. Default value = 1. Valid range = 1 - 60.
Preemption: If this flag is set to yes, this router takes the master role over from a router that has a lower priority. Default value = yes.
Delete: Set the Delete checkbox in a row in the Existing Groups table and click Apply Settings to delete that entry.

3.8.8.2 VRRP: Status
This screen enables you to view the status of VRRP groups.
Figure 3-92. Routing: VRRP: Status
Table 3-90 describes the values you can view in the Routing: VRRP: Status screen.

Table 3-90. Routing: VRRP: Status
VRID: The ID for this virtual router.
VRIP: The virtual router IP address.
Priority: The actual priority of this router (255 for the owner, which is the Master whenever it is up; otherwise the configured priority).
State: The status of this router as a member of a VRRP group. Possible values are:
• Master – This router is forwarding traffic for its subnet.
• Backup – This router is a backup for the master.
• Initialize – The system cannot determine the status of this router. This could result from specification of an invalid IP address.

3.8.9 NAT
Network Address Translation (NAT) rewrites the addresses of hosts on the private network so that their traffic leaves through the network’s public interface (typically an interface to the Internet) carrying that interface’s single public IP address. This makes it possible for numerous nodes on the private network to be reachable from the public side through the one public IP address. Address translation is done with a Network Address and Port Translation table.
Use the NAT screens to:
1. Enable dynamic NAT on the public interface (the NAT: Global Settings screen explained in Section 3.8.9.1). This enables a host on the private network to initiate communication with destinations outside the network while the private network remains unreachable from outside.
2. Enable Port Forwarding (the NAT: Port Forwarding screen explained in Section 3.8.9.2). This enables sources outside the private network to initiate communication with a chosen host and service on the private network while the rest of the private network remains unreachable from outside.
3. Configure entries in the static translation table (the NAT: Static Translations screen explained in Section 3.8.9.3). This enables communication between a specific host on the private network and a host outside the network using a surrogate address.
The Add Static Translation Form is used for adding to the translation table.
An entry in the table allows a client on the public network to access a server on the private network. When an IP datagram arrives at the public IP interface with a destination IP address of the public interface and a protocol and port matching the protocol and public port of an entry, the destination IP address and port are changed to the private IP address and private port of the entry. On egress, the private source IP address and port are changed to the public IP address and port of the entry matching the source.

3.8.9.1 NAT: Global Settings
Use this screen to enable NAT on the public IP interface.
Figure 3-93. Routing: NAT: Global Settings
Table 3-91 describes the parameters you can view and edit in the Routing: NAT: Global Settings screen.

Table 3-91. Routing: NAT: Global Settings
Mode: This parameter can take one of the following values:
• Disabled – No dynamic NAT functionality is enabled. Static translations will still be applied if they are configured. (See Section 3.8.9.3.)
• Enabled – Dynamic NAT functionality is enabled. IP address masquerading occurs for all TCP/UDP sessions initiated to a host on the public network. Selecting Enabled in the Routing: NAT: Global Settings screen is all that is necessary to support IP masquerading in sessions initiated on the private network. No sessions are allowed to be initiated from the public network to a private host unless a specific port forwarding rule has been defined. (See Section 3.8.9.2.) For more on IP masquerading see Section 5.8.5.1.
Default value = Disabled.
Public Interface: This parameter selects the public IP interface. Other IP interfaces are private.

3.8.9.2 NAT: Port Forwarding
Use this screen to configure NAT port forwarding. Use the Add Forwarding Rule Form to create a port forwarding rule.
The private IP address, protocol, and private port of an entry must be unique in the table. Also, the protocol and public port of an entry must be unique in the table. The Existing Forwarding Rules Form displays the rules the user has configured. The entries may be edited. By factory default, no rules exist. Each rule exposes one service on one private host to the whole public network, so forward only the ports you intend to expose and remove rules when the service is retired.
Figure 3-94. Routing: NAT: Port Forwarding
Table 3-92 describes the parameters you can view and edit in the Routing: NAT: Port Forwarding screen.

Table 3-92. Routing: NAT: Port Forwarding
Private Address: The address of a server reachable from one of the router’s private interfaces.
Protocol: The protocol (TCP or UDP) to forward.
Private TCP or UDP Port: The port at which the service is accessible on the private server. For a brief explanation of network port numbers see Section B.1, “Well Known TCP/UDP Network Ports”.
Public TCP or UDP Port: The port at which the server is accessible by hosts on the public network using the address of the router’s public interface.
Delete: Set the Delete checkbox in a row in the Existing Forwarding Rules table and click Apply Settings to delete that entry.

3.8.9.3 NAT: Static Translations
This screen enables you to manage the Network Address and Port Translations table.
Figure 3-95. Routing: NAT: Static Translations
The combination of private IP address, protocol, and private port of an entry must be unique in the table. Also, the combination of protocol and public port of an entry must be unique in the table. For the Public TCP or UDP Port (the field labeled “Translated Port”) choose a value outside of the “Well Known” or “Registered” port ranges, that is, 49152 or above. (See Appendix B, “Port and Type Reference”.)
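The rules of Sections 3.8.9.1 and 3.8.9.2 (outbound sessions are masqueraded behind the public address, inbound packets are dropped unless a forwarding rule matches, and the two uniqueness constraints on forwarding rules) are implemented in the following added example, which is not GarrettCom code. Static translations of Section 3.8.9.3 follow the same match-then-reverse pattern and are not repeated here. The public address, rules and packets are constructed sample values, and the example’s choice to accept a reply to a masqueraded session only from the host it was sent to is an assumption, not something the page states.

```python
"""Dynamic NAT (masquerading) plus port-forwarding rules.
Added example, not GarrettCom code; addresses, rules and packets are constructed."""


class Nat:
    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self.forward = {}        # (proto, public_port) -> (private_ip, private_port)
        self.private_keys = set()  # (private_ip, proto, private_port) already in use
        self.sessions = {}       # (proto, public_port) -> (private_ip, private_port, remote_ip)
        self.next_port = first_port  # dynamic range, above the registered ports

    def add_forwarding_rule(self, proto: str, public_port: int, private_ip: str, private_port: int):
        """Enforce the two uniqueness rules from the Port Forwarding screen."""
        if (proto, public_port) in self.forward:
            raise ValueError("protocol/public port already forwarded")
        if (private_ip, proto, private_port) in self.private_keys:
            raise ValueError("private address/protocol/port already forwarded")
        self.forward[(proto, public_port)] = (private_ip, private_port)
        self.private_keys.add((private_ip, proto, private_port))

    def outbound(self, pkt: dict) -> dict:
        """Private host opens a session: rewrite source to the public address and
        a fresh public port, remembering the mapping for the reply."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(pkt["proto"], public_port)] = (pkt["src"], pkt["sport"], pkt["dst"])
        return dict(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt: dict):
        """Packet arriving on the public interface. Returns the translated packet,
        or None when it must be dropped (no session and no forwarding rule)."""
        if pkt["dst"] != self.public_ip:
            return None
        key = (pkt["proto"], pkt["dport"])
        if key in self.sessions:
            private_ip, private_port, remote = self.sessions[key]
            if pkt["src"] != remote:   # assumption: only the original peer may reply
                return None
            return dict(pkt, dst=private_ip, dport=private_port)
        if key in self.forward:
            private_ip, private_port = self.forward[key]
            return dict(pkt, dst=private_ip, dport=private_port)
        return None                    # unsolicited: the private network stays hidden


if __name__ == "__main__":
    nat = Nat("203.0.113.1")
    nat.add_forwarding_rule("tcp", 8443, "192.168.1.10", 443)
    out = nat.outbound({"proto": "tcp", "src": "192.168.1.20", "sport": 51000,
                        "dst": "198.51.100.5", "dport": 80})
    print("outbound:", out)
    print("reply:", nat.inbound({"proto": "tcp", "src": "198.51.100.5", "sport": 80,
                                 "dst": "203.0.113.1", "dport": out["sport"]}))
    print("unsolicited ssh:", nat.inbound({"proto": "tcp", "src": "198.51.100.9", "sport": 4000,
                                           "dst": "203.0.113.1", "dport": 22}))
```

The sample run shows the security boundary the page describes: an outbound web request is masqueraded, the reply to it is translated back, an unsolicited connection to port 22 is dropped, and only the explicitly forwarded port 8443 reaches a private host. The example never times out session entries; a real implementation must, or the table grows without bound.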
In the example screen (Figure 3-95) these port numbers are constructed by appending the private port number to the last element of the IP address in the same row.
The Existing Static Translations Form displays the translations that have already been configured. These may be edited. By factory default, no translations exist.
Table 3-93 describes the parameters you can view and edit in the Routing: NAT: Static Translations screen.

Table 3-93. Routing: NAT: Static Translations
Interface: The interface upon which the translation occurs.
Translation Type: The type of translation. The possible values are:
• NAT – Translate the address only.
• NAPT - TCP – Translate the address and TCP port.
• NAPT - UDP – Translate the address and UDP port.
Original Address: The original destination address of a packet received on this interface.
Original Port: The original destination port of a packet received on this interface (ignored for the NAT translation type).
Translated Address: If a match occurs, this is the address that is substituted for the original address. Reply packets have the reverse translation applied automatically when they are sent back out the interface.
Translated Port: If a match occurs, this is the port that is substituted for the original port (ignored for the NAT translation type). Reply packets have the reverse translation applied automatically when they are sent back out the interface.
Delete: Set the Delete checkbox in a row in the Existing Translations table and click Apply Settings to delete that entry.

3.8.10 DHCP Server
The Dynamic Host Configuration Protocol (DHCP) server enables you to reserve up to 16 ranges of addresses that can be allocated temporarily to devices as needed. For more information see Section 5.4, “DHCP Server”.
3.8.10.1 DHCP Server: Host Parameters
This screen enables you to manually configure groups of host parameters that can be assigned to DHCP address entries.
Figure 3-96. Routing: DHCP Server: Host Parameters
Table 3-94 specifies the parameters you can view and edit in the DHCP Server: Host Parameters screen.

Table 3-94. Routing: DHCP Server: Host Parameters
Group Name: Assign a name for this group.
Gateway: The address of the default gateway router to be used by the DHCP client.
Primary DNS: The address of the primary DNS server to be used by the DHCP client.
Secondary DNS: The address of the secondary DNS server to be used by the DHCP client.
DNS Suffix: A domain name suffix that will be appended to any local names by the DHCP client before making a DNS query.
Delete: Set the Delete checkbox in a row in the Existing Host Parameter Groups table and click Apply Settings to delete that entry.

3.8.10.2 DHCP Server: Static Addresses
This screen enables you to manually configure IP addresses for specific DHCP clients.
Figure 3-97. Routing: DHCP Server: Static Addresses
Table 3-95 specifies the parameters you can view and edit in the DHCP Server: Static Addresses screen.

Table 3-95. Routing: DHCP Server: Static Addresses
IP Address: The IP address to allocate to the DHCP client with the MAC address specified in this row. (You can find the MAC address of this device in the System Information screen.)
Subnet Mask: The subnet mask that applies to the specified IP address.
MAC Address: The MAC address of the DHCP client. When a client with this MAC address requests an address, the specified IP address and subnet mask are assigned by the server.
Host Parameters: The name of a host parameter group previously defined on the Routing: DHCP Server: Host Parameters screen. The default selection is the special Default group.
If the Default host parameter group is used, the IP address of the DX will be provided to the client as its default gateway. No DNS servers will be provided.
Delete: Set the Delete checkbox in a row in the Existing Addresses table and click Apply Settings to delete that entry.

3.8.10.3 DHCP Server: Dynamic Addresses
This screen enables you to configure ranges of IP addresses that can be dynamically allocated to DHCP clients.
Figure 3-98. Routing: DHCP Server: Dynamic Addresses
Table 3-96 specifies the parameters you can view and edit in the DHCP Server: Dynamic Addresses screen.

Table 3-96. Routing: DHCP Server: Dynamic Addresses
Start Address: The start of a range of IP addresses available for dynamic allocation.
End Address: The end of a range of IP addresses available for dynamic allocation.
Subnet Mask: The subnet mask that applies to the address range delimited by Start Address and End Address.
Max Lease (mins): The maximum allowable lease duration for a dynamically allocated address. If a DHCP client requests a duration longer than this maximum, the server offers a lease of the maximum length configured by this parameter. Default value = 1440 minutes (1 day).
Default Lease (mins): If a client does not request a specific lease duration, the default lease time is assigned. Default value = 1440 minutes (1 day).
Host Parameters: The name of a host parameter group previously defined on the Routing: DHCP Server: Host Parameters screen. The default selection is the special Default group. If the Default host parameter group is used, the IP address of the DX will be provided to the client as its default gateway. No DNS servers will be provided.
Delete: Set the Delete checkbox in a row in the Existing Address table and click Apply Settings to delete that entry.

3.8.10.4 DHCP Server: Leases
This screen enables you to view the status of current DHCP leases.
Figure 3-99. Routing: DHCP Server: Leases (the example screen shows one lease: IP Address 192.168.1.90, MAC Address 00-0a-95-c0-d1-94, Expires Tue Jul 17 05:28 2007)
Note: Leases are only tracked for dynamically allocated addresses. Even though a DHCP client may show a static address allocation as an infinite (or long-lived) lease, the DHCP server does not treat a static mapping as a lease; rather, it simply assigns the specified static IP address whenever a client with the matching MAC address requests an address. Because the match is on the client’s MAC address alone, a static mapping is not a security control: any host that sets its MAC address to the configured value receives that IP address.
Table 3-97 describes the values you can view in the Routing: DHCP Server: Leases screen.

Table 3-97. Routing: DHCP Server: Leases
IP Address: The IP address allocated to the DHCP client with the specified MAC Address.
MAC Address: The MAC address of the DHCP client that was allocated the specified IP Address.
Expires: The time and date when the lease expires, given in local time. Note: A DHCP server grants a lease of a certain duration expressed as total minutes. The expiration time displayed in the Routing: DHCP Server: Leases screen is a calculated value. For this value to be accurate, the local time of the DX must be synchronized exactly to the local time of your DHCP client; otherwise there may be a discrepancy between the time shown here and the time shown on the client.
Delete: Set the Delete checkbox in a row and click Apply Settings to delete that entry.
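The allocation rules spread across Sections 3.8.10.2 to 3.8.10.4 (static MAC mappings answered first and never recorded as leases, dynamic ranges searched in order, requested durations clamped to Max Lease, Default Lease when nothing is requested, and the expiry shown as a calculated local time) are gathered into the following added example, which is not GarrettCom code. The ranges, MAC addresses and clock value are constructed; the decision to hand a renewing client its previous address is an assumption the page does not state.

```python
"""DHCP server allocation logic as described in Sections 3.8.10.2 to 3.8.10.4.
Added example, not GarrettCom code; ranges, MACs and the clock are constructed."""
from datetime import datetime, timedelta
import ipaddress

MAX_RANGES = 16   # the DX reserves up to 16 dynamic ranges


class DhcpServer:
    def __init__(self, static: dict, ranges: list, max_lease: int = 1440, default_lease: int = 1440):
        """static: MAC -> (ip, mask). ranges: list of (start, end, mask) tuples."""
        if len(ranges) > MAX_RANGES:
            raise ValueError("at most %d dynamic ranges" % MAX_RANGES)
        self.static = {mac.lower(): value for mac, value in static.items()}
        self.static_ips = {ip for ip, _ in self.static.values()}
        self.ranges = ranges
        self.max_lease = max_lease
        self.default_lease = default_lease
        self.leases = {}   # ip -> (mac, expires)

    def lease_minutes(self, requested):
        """Clamp the client's request to Max Lease; use Default Lease if absent."""
        if requested is None:
            return self.default_lease
        return min(requested, self.max_lease)

    def offer(self, mac: str, requested_minutes=None, now: datetime = None):
        """Return (ip, mask, expires). expires is None for a static mapping."""
        mac = mac.lower()
        now = now or datetime.now()
        if mac in self.static:                     # static mapping: no lease tracked
            ip, mask = self.static[mac]
            return ip, mask, None
        # Assumption: a client renewing with the same MAC keeps its address.
        for ip, (owner, expires) in self.leases.items():
            if owner == mac:
                mask = self._mask_for(ip)
                new_exp = now + timedelta(minutes=self.lease_minutes(requested_minutes))
                self.leases[ip] = (mac, new_exp)
                return ip, mask, new_exp
        for start, end, mask in self.ranges:       # ranges are searched in order
            lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
            for n in range(lo, hi + 1):
                ip = str(ipaddress.ip_address(n))
                if ip in self.static_ips:
                    continue                       # never hand out a reserved address
                held = self.leases.get(ip)
                if held and held[1] > now:
                    continue                       # still leased to someone else
                expires = now + timedelta(minutes=self.lease_minutes(requested_minutes))
                self.leases[ip] = (mac, expires)
                return ip, mask, expires
        raise RuntimeError("no free address in any dynamic range")

    def _mask_for(self, ip: str) -> str:
        addr = int(ipaddress.ip_address(ip))
        for start, end, mask in self.ranges:
            if int(ipaddress.ip_address(start)) <= addr <= int(ipaddress.ip_address(end)):
                return mask
        raise KeyError(ip)

    def lease_table(self, now: datetime):
        """Rows as shown on the Leases screen: only unexpired dynamic leases."""
        return sorted((ip, mac, exp.strftime("%a %b %d %H:%M %Y"))
                      for ip, (mac, exp) in self.leases.items() if exp > now)


if __name__ == "__main__":
    server = DhcpServer({"00-0a-95-c0-d1-94": ("192.168.1.90", "255.255.255.0")},
                        [("192.168.1.100", "192.168.1.101", "255.255.255.0")])
    t0 = datetime(2007, 7, 16, 5, 28)
    print(server.offer("00-0a-95-c0-d1-94", now=t0))
    print(server.offer("00-11-22-33-44-55", requested_minutes=9999, now=t0))
    print(server.lease_table(t0))
```

The run reproduces the screen in Figure 3-99: the static client gets 192.168.1.90 with no expiry, the dynamic client that asked for 9999 minutes receives exactly the 1440-minute maximum, and only the dynamic lease appears in the table.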
3.9 QoS Tasks
Quality of Service (QoS) enables you to assign priorities to specified traffic streams so that the more important streams can be assured faster delivery than the less important streams. You can assign up to four priority levels based on DiffServ code points, 802.1p markings, Ethernet port ID, or source or destination IP address. For a complete discussion of QoS see Section 5.2.
The following subsections describe the tasks that you can perform using the screens of the QoS branch.

3.9.1 DiffServ
This screen is used to define DiffServ Code Points (DSCPs) and assign each code point to a priority queue. The priority mapping applies to all IP packets transmitted by the system (regardless of whether they were generated by the DX, routed, or bridged). If a packet is received with a DSCP marking that is not defined in this table, the packet is treated as if its marking were Best Effort. The table is pre-configured with two profiles (one for Best Effort and one for Expedited per-hop behavior). DiffServ supplies QoS at layer 3 by using the IP type of service (TOS) header byte, whose upper six bits now carry the DSCP.
Figure 3-100. QoS: DiffServ
Table 3-98 describes the parameters that can be viewed and edited in the QoS: DiffServ screen.

Table 3-98. QoS: DiffServ
Name: A user-assigned name for a specific code point.
Code Point: The value of a 6-bit DiffServ Code Point. Valid values are 0-63.
Priority: The queuing priority of a packet tagged with this DSCP. (The higher the priority value, the more urgent the priority.)
802.1p Marking: When an IP packet is generated by the DX it is assigned a DSCP (by default, Best Effort 0x00 is used). The packet may optionally be assigned an 802.1p priority based on the DSCP as specified by this field. This field can take the value 0-7 or the special value "None," meaning that no mapping between DSCP and 802.1p priority is implemented and thus no 802.1p marking is made. This field has no effect when the IP packet being processed is not transmitted as an Ethernet frame. Note: The mapping is performed only for packets generated by the DX. Bridged packets retain whatever markings they had when they were received.
Delete: Set the Delete checkbox in a row in the Existing Profiles table and click Apply Settings to delete that entry.

3.9.2 802.1p
The 802.1p standard supplies QoS at layer 2 by using the 3-bit user_priority field carried in the 802.1Q VLAN tag. The standard defines eight classes of service. This screen enables you to map Ethernet frames marked with a specific 802.1p priority into the four available switch priority queues.

Figure 3-101. QoS: 802.1p

Table 3-99 specifies the values you can view and edit in the QoS: 802.1p screen.

Table 3-99. QoS: 802.1p
Ingress 802.1p Tag: The Ethernet (802.1p) priority value, 0-7.
Priority: Priority queue assignment. The defaults are as follows:
• Priority 1 – 802.1p 0 and 1 (Lowest)
• Priority 2 – 802.1p 2 and 3
• Priority 3 – 802.1p 4 and 5
• Priority 4 – 802.1p 6 and 7 (Highest)

3.9.3 Ethernet Port
This screen enables you to choose how an Ethernet port assigns a priority to an incoming frame. It maps a Port ID to a default priority from one of the four available switch priority queues. It also allows you to specify whether incoming packets will be assigned that default priority or another priority, depending on the presence or absence of DiffServ or 802.1p information. Because the DiffServ and 802.1p rules honor whatever marking a frame arrives with, a host on such a port can place its own traffic in the highest queue; on ports that face devices you do not control, the Default rule, which ignores received markings, is the safer choice.

Figure 3-102. QoS: Ethernet Port

Table 3-100 describes the parameters you can view and edit in the QoS: Ethernet Port screen.

Table 3-100. QoS: Ethernet Port
Port ID: Ethernet port ID.
Priority Assignment Rule: A rule for assigning the priority of packets that are received by the specified port:
• Default – always use the Default Priority for the port (the default rule)
• DiffServ – use the DSCP if it is present, otherwise use the Default Priority
• 802.1p – use the 802.1p tag if it is present, otherwise use the Default Priority
Default Priority: The Default Priority for the port. See above for when the default priority is used. Default value = 3

3.9.4 IP Flows
This screen enables you to define IP packet flows and assign DiffServ markings to each flow. A unique flow is defined by its source address, its destination address, and its protocol type. When a packet is sent by the DX, its header fields are checked against the defined flows. If a match is found, the specified DiffServ marking is applied. This marking overrides any markings created by specific applications such as the terminal server.

Figure 3-103. QoS: IP Flows

Table 3-101 describes the parameters contained in an IP packet flow.

Table 3-101. QoS: IP Flows
Source Address: The source address of IP packets in the flow. If this field is blank it acts as a wildcard, that is, any source address is accepted.
Source Mask: The source network mask. This field allows a flow to be described in terms of an entire subnet. If this field is blank and the source address field is not blank then only one source address matches the flow.
Destination Address: The destination address of IP packets in the flow.
If this field is blank it acts as a wildcard, that is, any destination address is accepted.
Destination Mask: The destination network mask. This field allows a flow to be described in terms of an entire subnet. If this field is blank and the destination address field is not blank then only one destination address matches the flow.
Protocol/dir.: This parameter takes one of seven values, which determine the meaning of the TCP or UDP Ports or ICMP Types field:
• TCP/dest. – TCP destination ports in the flow
• TCP/source – TCP source ports in the flow
• UDP/dest. – UDP destination ports in the flow
• UDP/source – UDP source ports in the flow
• ICMP/type – ICMP types in the flow
• IPsec-ESP – IPsec ESP packets (IP protocol 50) in the flow
• IPsec-AH – IPsec AH packets (IP protocol 51) in the flow
TCP or UDP Ports or ICMP Types: A list of port numbers or ICMP types in the flow. List port numbers in ascending order, separated by commas. For a partial list of Well Known Port numbers see Section B.1, "Well Known TCP/UDP Network Ports". For a list of ICMP types see Section B.2, "ICMP Types".
DiffServ: The DiffServ code point to associate with this flow. This is a dropdown box that allows the user to select any code point defined on the DiffServ screen, explained in Section 3.9.1.
Delete: Set the Delete checkbox in a row in the Existing Flows table and click Apply Settings to delete that entry.

3.10 Security Tasks
The following subsections describe the tasks that you can perform using the screens of the Security branch. For a discussion of security issues see Section 5.8, "Security".

3.10.1 Certificates
An X.509 certificate is an electronic document that binds a public key to a name; the DX handles certificates and keys in Privacy Enhanced Mail (PEM) format. A local certificate on the DX consists of an RSA private key and the matching X.509 certificate, either uploaded through the Install form or generated on the device by the Certificate Creation Wizard (see Section 3.11.2). For more on X.509 certificates see Section 5.8.3.3, "X.509 Certificates". The Certificates screens enable you to upload SSL keys and certificates in PEM format to the system and to view and delete installed files. You can assign a certificate file to a serial port or to the embedded web server as part of the procedure for configuring Secure Sockets Layer (SSL). See the Serial/SSL screen described in Section 3.10.3.

3.10.1.1 Certificates: Local
This screen enables you to upload X.509 certificates in PEM format to the system and to view and delete installed certificate files. The system is shipped with no installed certificate files.

NOTE: Local certificates are not contained in the system's configuration file. They are part of the non-volatile system state; therefore, the installed keys will not change if a new configuration file is selected or the system configuration is reset to default values. A backup of the configuration file consequently does not include the keys, and a reset to defaults does not remove them: delete private keys explicitly from this screen before a unit leaves your control.

Figure 3-104. Security: Certificates: Local

Use the Create New Certificate button to start the Certificate Creation Wizard, explained in Section 3.11.2. Table 3-102 describes the fields in the Certificates: Local screen.

Table 3-102. Security: Certificates: Local
Install Form: Browse for a PEM file on your local system and click Upload to copy the file to the system. If the PEM file does not contain a valid RSA private key and matching X.509 certificate, the file is rejected. The private key travels to the DX inside this upload, so perform it over https:// (see the Web Server screen, Section 3.10.4) rather than plain HTTP.
Existing Local Certificates Table
Certificate Name: This table contains an entry for each local certificate. All filenames are hypertext links. Click the link to display the contents of the file.
Delete: Set the Delete checkbox in a row in the Existing Local Certificates table and click Apply Settings to delete that entry.

3.10.1.2 Certificates: CAs
This screen enables you to upload X.509 Certificate Authority (CA) certificates in PEM format to the system, to view and delete installed CA files, and to mark CAs as Trusted. The system is shipped with no installed CAs.

NOTE: CAs are not contained in the system's configuration file. They are part of the non-volatile system state; therefore, the installed CAs will not change if a new configuration file is selected or the system configuration is reset to default values.

Figure 3-105. Security: Certificates: CAs

Table 3-103 describes the fields in the Certificates: CAs screen.

Table 3-103. Security: Certificates: CAs
Install Form: Browse for a PEM file on your local system and click Upload to copy the file to the system. If the PEM file does not contain a valid, self-signed CA certificate, the file is rejected.
Existing CAs Table
Certificate Name: The names of previously installed PEM files that are classified as usable CAs. All filenames are hypertext links. Click the link to display the contents of the file.
Trusted: Indicate whether or not you trust a CA by checking (or unchecking) the appropriate "Trusted" checkbox and clicking the Apply Settings button. Mark as Trusted only the CA that issues the certificates of the peers you expect to accept.
Delete: Set the Delete checkbox in a row in the Existing CAs table and click Apply Settings to delete that entry.

3.10.2 Ethernet Port
This screen enables you to configure Ethernet Port Security settings.

Figure 3-106. Security: Ethernet Port

Table 3-104 describes the fields you can view and modify in the Security: Ethernet Port screen. For more on Ethernet port security see Section 5.8.1.

Table 3-104. Security: Ethernet Port
Port: A unique identifier for the Ethernet port being configured.
Security Type: Indicates what type of security to enable on the port:
• None – (default)
• Address – This port will be locked out if a frame is received with a Source Address other than one of the authorized MACs for this port, either a configured static MAC or a learned authorized MAC. (A learned authorized MAC is the first dynamic MAC address learned on the port after address-based port security is enabled for the port.) A port that is locked out is effectively disabled. Because the first address seen becomes the authorized one, enable Address security only while the intended device is the only one connected to the port, or configure a static MAC for it. A MAC address can be forged, so this guards against a casual substitution of equipment rather than a deliberate attacker.
• Link – This port will be locked out the next time the operational state of the link changes from UP to DOWN. A port that is locked out is effectively disabled.
Locked Out?: Indicates whether or not the port has been disabled by the port security software:
• No – Port is not locked out.
• Yes – Port is locked out and is effectively disabled. The port can be unlocked by changing this field to No and pressing the Apply Settings button.

3.10.3 Serial/SSL
The Serial/SSL screen enables you to enable SSL (Secure Sockets Layer) and to configure the security parameters for a serial port. You can make changes to the table and apply them at once by clicking the Apply Settings button.

Figure 3-107. Security: Serial/SSL

Table 3-105 describes the fields in the Serial/SSL screen.

Table 3-105. Security: Serial/SSL
Port ID: A unique identifier for the serial port being configured.
Enable Security: Enable or disable the use of SSL on this port.
Allowed Ciphers: This parameter specifies the cipher suites to be allowed on a port.
You can select one of the following standard suites:
• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
In addition, the following groups, which are combinations of the standard cipher suites, may be specified:
• ANY – any supported cipher suite
• ANY_STRONG – any supported cipher suite with at least 128 bit keys
• ANY_STRONG_SSL – any strong cipher suite that uses SSLv3
• ANY_STRONG_TLS – any strong cipher suite that uses TLSv1
• ANY_AES – any cipher suite that uses AES
The DES suites use a 56-bit key, and RC4 and SSLv3 are no longer considered safe to use; note that ANY_STRONG still admits the RC4 suites and SSLv3, because key length is its only criterion. Every suite in the list uses RSA key exchange, so none provides forward secrecy. Where the peer supports it, ANY_AES (or one of the TLS AES suites) is the setting to prefer.
Require Authentication?: If this option is set to "Yes", the connected SSL peer must provide a valid and trusted certificate or the SSL handshake will fail. With "No", any host that can reach the port can open an SSL session to the serial device, so set "Yes" wherever the peer can present a certificate.
Local Certificate: The name of an X.509 local certificate to use during the SSL handshake/negotiation.

3.10.4 Web Server
This screen enables you to configure security settings on the system's embedded web server.

Figure 3-108. Security: Web Server

Table 3-106 specifies the values you can view and edit in the Security: Web Server screen.

Table 3-106. Security: Web Server
Mode: Indicates whether the server accepts non-secure HTTP requests. This parameter takes the following values:
• Allow HTTP – The server accepts requests on port 80 (http://) or on port 443 (https://) (default). A login made over port 80 sends the administrator password in the clear.
• SSL Only – The server will only allow connections over SSL. Any requests sent to port 80 (http://) will be redirected to the https:// URL.
Cipher: Specify the type of encryption to support on the server. This parameter takes the following values:
• ANY (RC4, 3DES, AES128, or AES256) (factory default)
• RC4
• 3DES
• AES128
• AES256
Current browsers reject RC4 and are withdrawing 3DES, so AES128 or AES256 is the practical choice.
Local Certificate: This is the certificate used by the web server when running over SSL (that is, when a browser accesses the server through the https:// URL and/or on port 443). When this parameter is set to Default, a default certificate is presented to a browser during an SSL handshake. The default certificate is self-signed and valid until the year 2038; browsers will warn about it, and it gives an administrator no way to tell the genuine DX from another device answering on the same address. It is highly recommended that users install or generate their own local certificate for use with the web server. If valid local certificates are installed on the system you can select one of these files via the dropdown. Once the Apply Settings button is pressed the web server is restarted and will begin using the certificate present in the new file.

3.10.5 CLI
This screen enables you to configure Secure Shell (SSH) security settings on the system's command line interface. Before the SSH server can start, a key must be generated using the ssh keygen command. This can only be done via the CLI. See The ssh Command, explained in Section 4.2.3.31.

NOTE: Typically a key has been generated at the factory, so that your DX device is delivered with SSH enabled; that is, the SSH Server State value is "Running." If the SSH Server State value is "No Key" you must run the keygen command in the CLI. A factory-generated host key is one you did not create; if you want assurance that the private host key has never existed outside your control, regenerate it with ssh keygen and give the new fingerprint to your clients.

Figure 3-109. Security: CLI

Table 3-107 specifies the parameters you can view and edit in the Security: CLI screen.

Table 3-107. Security: CLI
CLI Mode: Specify whether or not the server accepts non-secure telnet connections. This parameter takes the following values:
• Allow Telnet – The server accepts requests on port 23 (Telnet) or on port 22 (SSH).
• SSH Only – The server will only allow connections over SSH.
If a client connects on port 23, that client is sent instructions to use SSH before the connection is dropped. Default value = SSH Only. Telnet carries the login password in the clear, so leave the default in place unless a legacy management host cannot use SSH.
SSH Server State: Indicates the current state of the SSH server process:
• No Key – No Digital Signature Algorithm (DSA) host key has been generated for the SSH server and therefore it cannot be started. To start the server, log in to the CLI and issue the command ssh keygen.
• Running – The SSH server is running normally.
Note: OpenSSH clients from release 7.0 onward disable the ssh-dss host key algorithm by default; such a client must re-enable it explicitly (for example with the HostKeyAlgorithms=+ssh-dss option) to connect to a server that offers only a DSA host key.
SSH Port Forwarding: Port forwarding carries data from a specified port on the SSH client, through the encrypted SSH session, to a port on a host reachable from the SSH server. The DX is the SSH server here; this field enables or disables forwarding through it. The ports themselves are configured on your client. The available options in this screen are:
• Enable – Allow SSH port forwarding from a client through this server.
• Disable – Do not allow SSH port forwarding through this server.
A typical configuration command, executed on the client, would be:
ssh -L 44:192.168.2.5:23 [email protected]
Where:
• 44 is the port on the client (the local port). On a Unix-like client only root can bind a port below 1024; pick a port of 1024 or higher to avoid that.
• 192.168.2.5 specifies the target server.
• 23 is the destination port on the target server.
• [email protected] is the login name and IP address of the shell server, that is, the DX.
See your SSH documentation for more details. With forwarding enabled, any account that can log in to the DX over SSH can reach, through the DX, any host and port the DX itself can reach (in the example, the Telnet port of 192.168.2.5); keep forwarding disabled unless you rely on it.

3.10.6 Firewall
The Firewall: IP Interfaces, Firewall: Interface Groups, and Firewall: IP Filters screens enable you to manage firewall protection by configuring filters that allow only specified types of traffic to pass through an interface and by assigning filters to specific interfaces or groups of interfaces.

3.10.6.1 IP Interface Groups in General
It can be useful to create groups of IP interfaces that share the same filtering requirements. For example, you might want to segregate public and private traffic. If you create a group for all interfaces that need a filter that permits only private traffic, you can then assign as many IP interfaces as you like to that group. You do not have to repetitively assign the same filter to many interfaces, and you can edit and maintain a single filter for many IP interfaces.

To configure a firewall interface group:
1. Create a name for the group with the Firewall: Interface Groups screen.
Note: The order in which you carry out the following two steps is not important.
2. Populate the interface group you have named with the appropriate IP interfaces in the Firewall: IP Interfaces screen.
3. Associate the group with a filter in the Firewall: IP Filters screen.

3.10.6.2 Firewall: IP Interfaces
In the Firewall: IP Interfaces screen you can enable firewall protection for a specific interface and you can assign that interface to a group you created with the Firewall: Interface Groups screen.

Figure 3-110. Security: Firewall: IP Interfaces

Table 3-108 describes the fields you can view and edit in the Firewall: IP Interfaces screen.

Table 3-108. Security: Firewall: IP Interfaces
IP Interface: The name of an IP interface. The system automatically supplies a list of valid interfaces. You create these interfaces when you create a VLAN with the VLAN: VIDs screen or when you designate a port as "not bridged" (that is, "Routed") in the Ethernet: Bridge: Port Settings screen.
Firewall Status: Specify whether the firewall is enabled or disabled for this interface. Filters assigned to the interface or its group take effect only when the firewall is enabled here.
Group: The group of which the IP interface is a member. Group names are created in the Firewall: Interface Groups screen.

3.10.6.3 Firewall: Interface Groups
This screen enables you to create the names of groups.
Once a group has been named, you can control the IP interfaces that are included in it with the Firewall: IP Interfaces screen and the filtering applied to that group with the Firewall: IP Filters screen.

Figure 3-111. Security: Firewall: Interface Groups

Table 3-109 describes the fields that can be viewed and edited in the Firewall: Interface Groups screen.

Table 3-109. Security: Firewall: Interface Groups
Group Name: The name of an interface or group of interfaces to which the filters are applied.
IP Interfaces: The name of an IP interface, if any, that has been associated with this group via the Firewall: IP Interfaces screen.
Delete: Set the Delete checkbox in a row in the Existing Groups table and click Apply Settings to delete that group. A group which has an IP interface assigned to it cannot be deleted in this screen. You must first break the association in the Firewall: IP Interfaces screen, then delete the group name from this screen.

3.10.6.4 Firewall: IP Filters
This screen enables you to configure the filtering criteria to apply to specific interfaces or groups. The filters form an allow list: when a packet entering the IP stack does not match a filter it is dropped. If firewall operation is enabled on an interface and no filter is configured, all packets are rejected. You must configure filters to allow specific traffic through the firewall. If the interface you manage the DX through is among those you enable, add a filter for the management protocol you use (for example TCP destination port 22 or 443) before applying the change, or you will lock yourself out.

Figure 3-112. Security: Firewall: IP Filters

Table 3-110 describes the parameters you can add or modify in the Firewall: IP Filters screen. Note that a source or destination address and a network mask, taken together, specify a network or range of addresses.

Table 3-110. Security: Firewall: IP Filters
Interface or Group: The IP interface or group of interfaces to which the filter is applied. Available interfaces or groups can be viewed and selected from the pull-down menu.
Source Address: The source address of allowed IP packets. If blank then any source address is allowed.
Source Mask: The source network mask of allowed IP packets. If blank and the source address is not blank, then only one source address is allowed.
Destination Address: The destination address of allowed IP packets. If blank then any destination address is allowed.
Destination Mask: The destination network mask of allowed IP packets. If blank and the destination address is not blank then only one destination address is allowed.
Protocol/dir.: This parameter takes one of the following values, which determine the meaning of the TCP or UDP Ports or ICMP Types field:
• TCP/dest. – allowed TCP destination ports
• TCP/source – allowed TCP source ports
• UDP/dest. – allowed UDP destination ports
• UDP/source – allowed UDP source ports
• ICMP/type – allowed ICMP types
• IPsec-ESP – allow IPsec ESP packets (IP protocol 50)
• IPsec-AH – allow IPsec AH packets (IP protocol 51)
• OSPF – allow OSPF packets (IP protocol 89)
• VRRP – allow VRRP packets (IP protocol 112)
A source-port filter (TCP/source or UDP/source) admits any packet whose sender chooses that source port, which a sender can do freely, so prefer destination-port filters.
TCP or UDP Ports or ICMP Types: The list of allowed port numbers or ICMP types, interpreted according to the Protocol/dir parameter, for instance 80 and 443 for HTTP and HTTPS. List port numbers in ascending order, separated by commas. For a partial list of Well Known Port numbers see Section B.1, "Well Known TCP/UDP Network Ports". For a list of ICMP types see Section B.2, "ICMP Types".
Delete: Set the Delete checkbox in a row in the Existing Filters table and click Apply Settings to delete that filter.

3.10.6.5 Firewall: Stateful IP Filters
The stateful firewall provides finer-grained control than a conventional firewall over the packets that are allowed to pass.
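The three tables that share the address, mask, Protocol/dir. and port fields (QoS: IP Flows in Section 3.9.4, the IP Filters above, and the Stateful IP Filters whose behavior this section describes) are modelled by one matcher in the following added example. It is not GarrettCom code and makes no claim about how MNS-DX is implemented internally; the Rule and Firewall classes, the packet dictionaries, and the addresses are this example's own constructions. It shows the wildcard and single-host address rules, the default-deny behavior of an enabled interface with no filters, filters inherited through an interface group, and the return-traffic hole that a stateful match opens for one session only (the hole's timeout is not modelled).

```python
# Added example (not GarrettCom code): one matcher for the three rule tables
# that share the address/mask/protocol/port fields (QoS: IP Flows, Firewall:
# IP Filters, Firewall: Stateful IP Filters). Names are this example's own;
# packets are plain dicts constructed here, not captures from a DX.
import ipaddress

# IP protocol numbers behind the Protocol/dir. values
PROTOCOL_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1, "IPsec-ESP": 50,
                    "IPsec-AH": 51, "OSPF": 89, "VRRP": 112}


def _network(address, mask):
    """Blank address = wildcard (None); address without mask = a single host."""
    if not address:
        return None
    return ipaddress.ip_network("%s/%s" % (address, mask or "255.255.255.255"), strict=False)


class Rule:
    """One row of a flow or filter table."""

    def __init__(self, proto_dir, ports=(), src="", src_mask="", dst="", dst_mask=""):
        proto, _, direction = proto_dir.partition("/")
        if proto not in PROTOCOL_NUMBERS:
            raise ValueError("unknown Protocol/dir. %r" % proto_dir)
        self.proto, self.direction = proto, direction   # direction: 'dest.', 'source', 'type' or ''
        self.ports = frozenset(ports)                   # ports or ICMP types; empty for ESP/AH/OSPF/VRRP
        self.src, self.dst = _network(src, src_mask), _network(dst, dst_mask)

    def matches(self, pkt):
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if pkt["proto"] != PROTOCOL_NUMBERS[self.proto]:
            return False
        if self.proto in ("TCP", "UDP"):
            return pkt["dport" if self.direction == "dest." else "sport"] in self.ports
        if self.proto == "ICMP":
            return pkt["type"] in self.ports
        return True   # ESP, AH, OSPF, VRRP: the protocol number alone decides


def flow_dscp(flows, pkt, app_dscp=0):
    """QoS: IP Flows: the first matching flow's code point overrides the application's mark."""
    for rule, dscp in flows:
        if rule.matches(pkt):
            return dscp
    return app_dscp


class Firewall:
    """Firewall: IP Interfaces / Interface Groups / IP Filters / Stateful IP Filters."""

    def __init__(self):
        self.enabled, self.group_of = set(), {}       # interface -> group name
        self.filters, self.stateful = {}, {}          # interface-or-group -> [Rule]
        self.holes = set()                            # open return paths (no timeout modelled)

    def enable(self, iface, group=None):
        self.enabled.add(iface)
        if group:
            self.group_of[iface] = group

    def add_filter(self, target, rule):
        self.filters.setdefault(target, []).append(rule)

    def add_stateful(self, target, rule):
        self.stateful.setdefault(target, []).append(rule)

    def _rules(self, table, iface):
        # rules on the interface itself plus those on its group, if any
        return table.get(iface, []) + table.get(self.group_of.get(iface), [])

    @staticmethod
    def _session(iface, pkt):
        return (iface, pkt["proto"], pkt["src"], pkt["dst"], pkt.get("sport"), pkt.get("dport"))

    def egress(self, iface, pkt):
        """Outbound packet: a stateful match opens a hole for the reversed 5-tuple."""
        if any(r.matches(pkt) for r in self._rules(self.stateful, iface)):
            back = dict(pkt, src=pkt["dst"], dst=pkt["src"],
                        sport=pkt.get("dport"), dport=pkt.get("sport"))
            self.holes.add(self._session(iface, back))

    def ingress(self, iface, pkt):
        """Inbound packet: True if accepted. With the firewall on, no match means drop."""
        if iface not in self.enabled:
            return True
        if self._session(iface, pkt) in self.holes:
            return True                                # return traffic bypasses the filters
        return any(r.matches(pkt) for r in self._rules(self.filters, iface))
```

Two details are worth noticing when you transfer this to the screens: an enabled interface with an empty rule list drops everything, which is why the management filter must exist before the firewall is enabled on the management interface, and the stateful hole is keyed on the exact reversed addresses and ports, so a reply from a different port or host is still subject to the ordinary filters.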
When a packet that matches a stateful firewall rule egresses an interface, the software automatically opens a hole in the firewall that will allow return packets to bypass filtering. The hole is temporary and is specifically for the traffic flow associated with the packet that matched the stateful rule. For a complete discussion of firewalls see Section 5.8.4. This screen enables you to view and edit the parameters of the Security: Firewall: Stateful IP Filters screen.

Figure 3-113. Security: Firewall: Stateful IP Filters

Table 3-111 describes the parameters you can view and modify in the Security: Firewall: Stateful IP Filters screen.

Table 3-111. Security: Firewall: Stateful IP Filters
Interface or Group: The IP interface or group of interfaces to which the filter is applied. Available interfaces or groups can be viewed and selected from the pull-down menu.
Source Address: The source address of allowed IP packets. If blank then any source address is allowed.
Source Mask: The source network mask of allowed IP packets. If blank and the source address is not blank, then only one source address is allowed.
Destination Address: The destination address of allowed IP packets. If blank then any destination address is allowed.
Destination Mask: The destination network mask of allowed IP packets. If blank and the destination address is not blank then only one destination address is allowed.
Protocol/dir.: This parameter takes one of the following five values, which determine which TCP or UDP Ports or ICMP Types will be matched against outbound packets. Returning inbound traffic will then be allowed for the current session:
• TCP/dest. – TCP destination ports
• TCP/source – TCP source ports
• UDP/dest. – UDP destination ports
• UDP/source – UDP source ports
• ICMP/type – ICMP types
TCP or UDP Ports or ICMP Types: The list of port numbers or ICMP types, interpreted according to the Protocol/dir parameter, for instance 80 and 443 for HTTP and HTTPS. List port numbers in ascending order, separated by commas. For a partial list of Well Known Port numbers see Section B.1, "Well Known TCP/UDP Network Ports". For a list of ICMP types see Section B.2, "ICMP Types".
Log?: If Yes is selected, matching TCP connections will be written to the event log.
Delete: Set the Delete checkbox in a row in the Existing Filters table and click Apply Settings to delete that filter.

3.10.7 RADIUS
The RADIUS screens enable you to add and configure Remote Authentication Dial-In User Service (RADIUS) servers. For more about RADIUS see RADIUS Support, described in Section 5.8.6.

3.10.7.1 RADIUS: Global Settings
The RADIUS: Global Settings screen enables you to configure global RADIUS parameters. For more about RADIUS see RADIUS Support, described in Section 5.8.6.

Figure 3-114. Security: RADIUS: Global Settings

Table 3-112 describes the parameters you can configure in the RADIUS: Global Settings screen.

Table 3-112. Security: RADIUS: Global Settings
Local IP: Available options are:
• Any – Packets will use their actual egress interface address as a source address.
• Specific IP address – Packets will use the source address selected from a drop-down list. This may be necessary for conformity with VPN or NAT configurations; a RADIUS server recognizes a client by the source address of its requests, so this must be the address for which the server holds the shared secret.
Authentication Port: The UDP port used to communicate with the RADIUS server that is configured for authentication. Default value = 1812. Valid range = 0 - 65536 as accepted by the screen; usable UDP port numbers are 1 - 65535.
Challenge Type: The protocol to be used when validating user credentials. It can take the following values:
• PAP – Username and password are sent in the Access-Request essentially in the clear: the password is obfuscated only with an MD5 keystream derived from the shared secret (the RFC 2865 User-Password hiding), not encrypted, so anyone holding the shared secret who captures the request can recover it (default).
• CHAP – Uses a challenge and an MD5 hash, so the password itself does not cross the network; the server must hold the password in clear text to recompute the hash.
User Authentication Control: This parameter determines whether the system uses its own local user database or a RADIUS server for authentication. It can take the following values:
• Local Database – use the local user database (default).
• RADIUS – use a configured RADIUS server.
Default Privilege Level: This parameter determines the default privilege level assigned to a user when a RADIUS server does not provide vendor-specific attributes. It can take the following values:
• No Access (default)
• Read-Only
• Read-Write
• Administrator
Any setting above No Access grants that level to every user the server authenticates without attributes, so leave the default unless that is intended.

3.10.7.2 RADIUS: Servers
The RADIUS: Servers screen enables you to configure multiple redundant RADIUS servers. For more about RADIUS see RADIUS Support, described in Section 5.8.6.

Figure 3-115. Security: RADIUS: Servers

Table 3-113 describes the parameters you can configure in the RADIUS: Servers screen.

Table 3-113. Security: RADIUS: Servers
IP Address: The IP Address of the RADIUS server to query.
UDP Port: The UDP port used to send requests. Authentication servers use UDP port 1812. Accounting servers use port 1813. The legacy port 1645 is not recommended where it conflicts with the "Datametrics" service.
Request Retry Limit: The number of times the client will retry a request in the event a server is not responding or is slow to respond.
Request Timeout: The time in seconds the client will wait for each retry attempt.
Shared Secret: The plain text shared secret used to communicate with the RADIUS server. It is the only thing that authenticates the server's replies to the DX and protects a PAP password in transit, so use a long random value unique to this client.
Re-Type Shared Secret: Repeat exactly the shared secret entered in the previous field.
Role: Defines the order in which servers are accessed.
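What the Shared Secret and the PAP and CHAP challenge types of Tables 3-112 and 3-113 mean on the wire, as an added example based on RFC 2865. This is not GarrettCom code and says nothing about how MNS-DX implements its RADIUS client internally; the secret, Request Authenticator, password and attribute bytes are constructed test values. It shows that PAP's User-Password hiding is reversible by anyone who holds the shared secret, that CHAP sends a hash instead of the password, and that the Response Authenticator computed over the shared secret is the only thing that lets the DX distinguish a genuine Access-Accept from a forged one.

```python
# Added example (not GarrettCom code): what the Shared Secret and Challenge
# Type settings mean on the wire, per RFC 2865. The secret, authenticator and
# password below are constructed test values, not anything from a real DX.
import hashlib
import hmac

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2 User-Password hiding, as used for the PAP challenge type.

    The password is padded to a multiple of 16 bytes and XORed, block by block,
    with MD5(secret + previous block); the first block uses the 16-byte Request
    Authenticator. This is obfuscation keyed only by the shared secret.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: anyone holding the secret and the packet gets the password."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear, prev = clear + bytes(c ^ s for c, s in zip(block, stream)), block
    return clear.rstrip(b"\x00")   # strips the padding (and any trailing NUL in the password)


def chap_password(ident, password, challenge):
    """RFC 2865 5.3 CHAP-Password value: ident || MD5(ident || password || challenge).

    The password never crosses the network, but the server needs it in clear
    text to recompute the hash.
    """
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ident is one byte")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def response_authenticator(code, ident, attributes, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret) over a reply."""
    length = 20 + len(attributes)            # 20-byte header plus attributes
    packet = bytes([code, ident]) + length.to_bytes(2, "big") + request_authenticator + attributes
    return hashlib.md5(packet + secret).digest()


def reply_is_authentic(code, ident, attributes, request_authenticator, secret, received):
    """The shared secret is all that stops a forged Access-Accept from being trusted."""
    expected = response_authenticator(code, ident, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))              # constructed Request Authenticator
    hidden = hide_password(b"hunter2", secret, req_auth)
    print(unhide_password(hidden, secret, req_auth))   # b'hunter2'
```

The practical consequences for the screens above: a shared secret that is short, reused across devices, or sent to the wrong server address exposes every PAP password that crosses that path, and a forged reply is accepted exactly when the forger knows the secret.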
If the primary is down, the system attempts to contact the secondary server.
Delete: Set the Delete checkbox in a row in the Existing Servers table and click Apply Settings to delete that server.

3.10.8 VPN
MNS-DX supports Virtual Private Networks (VPN) by way of IP Security (IPsec). The IPsec implementation supports the following features:
• Diffie-Hellman groups: 1 and 2
• Hashing algorithms: MD5 and SHA-1
• Encryption methods: DES, 3DES and AES
• Maximum supported tunnels: 16
• Event logging: IKE, SPD and SADB
• VPN mode: Tunnel
For more information on VPN see Section 5.9, "VPN". Of the supported options, DES, MD5 and Diffie-Hellman group 1 (768-bit) are no longer considered adequate; configure profiles with AES, SHA and group 2, the strongest this implementation offers, unless a peer cannot negotiate them.

3.10.8.1 VPN: Global Settings
This screen enables you to configure the VPN public network interface.

Figure 3-116. Security: VPN: Global Settings

Table 3-114 specifies the parameter you can view and edit in the VPN: Global Settings screen.

Table 3-114. Security: VPN: Global Settings
Send Initial Contact: Specify whether or not this system sends an IKE initial contact notification:
• Yes – The system will send an initial contact informational message when it initiates an IKE handshake with a peer for the first time (for example, after a reboot), telling the peer to discard any security associations left over from before the restart.
• No – The system will not send an initial contact message. This option works with most peer types.
Default value = No

3.10.8.2 VPN: Profiles
This screen enables you to view and configure VPN profiles for use in establishing tunnels.

Figure 3-117. Security: VPN: Profiles

Table 3-115 specifies the parameters you can view and edit in the VPN: Profiles screen.

Table 3-115. Security: VPN: Profiles
Name: A unique plain-text name to identify this profile.
IKE Encryption: The encryption algorithm to use for Phase 1 and Phase 2 exchanges. Possible values are:
• AES – Advanced Encryption Standard
• 3DES – Triple DES, 192-bit key (168 bits effective)
• DES – Data Encryption Standard, 64-bit key (56 bits effective)
IKE Hash: The hashing algorithm to use for Phase 1 and Phase 2 exchanges. Possible values are:
• SHA – Secure Hash Algorithm (SHA-1)
• MD5 – Message Digest 5
IKE Lifetime (secs): The lifetime for the keys exchanged in Phase 1. Default value = 21600 seconds (6 hours). Valid range = 90 - 64800 seconds (64800 seconds = 18 hours).
ESP Encryption: The encryption algorithm to use for encrypting tunneled IP traffic. Possible values are:
• AES – Advanced Encryption Standard
• 3DES – Triple DES, 192-bit key (168 bits effective)
• DES – Data Encryption Standard, 64-bit key (56 bits effective)
ESP Hash: The hashing algorithm to use for authenticating tunneled IP traffic. Possible values are:
• SHA – Secure Hash Algorithm (SHA-1)
• MD5 – Message Digest 5
ESP Lifetime (secs): The lifetime for the keys exchanged in Phase 2 negotiations before re-keying is required. Default value = 21600 seconds (6 hours). Valid range = 90 - 64800 seconds (64800 seconds = 18 hours).
DH Group: The size of the Diffie-Hellman modulus:
• 1 – 768 bits
• 2 – 1024 bits
DPD Poll Time: The length of time in seconds for this device to wait before sending a Dead Peer Detection (DPD) message. Default value = 30 seconds. Valid range = 0 - 600. A DPD Poll Time value of 0 is an instruction not to use DPD.
Delete: Set the Delete checkbox in a row in the Existing Profiles table and click Apply Settings to delete that profile.

3.10.8.3 VPN: Authentication
This screen enables you to create and modify IPsec authentication methods.

Figure 3-118. Security: VPN: Authentication

Table 3-116 specifies the parameters you can view and edit in the VPN: Authentication screen.

Table 3-116. Security: VPN: Authentication
Name: Specify a unique name for the authentication method in a maximum of 15 printable characters.
Type: The authentication type. It can be one of the following:
• PSK – Pre-Shared Key (password required)
• Certificate – RSA keys with X.509 certificate
Default value = PSK
Preshared Key: The preshared key password string to use when the type is PSK. Characters in the Preshared Key field are always echoed back as bullet characters. Valid range = 1 - 16 characters. The 16-character limit caps the strength of the key, so use the full length, generated at random, rather than a word or phrase; a short or guessable PSK can be brute-forced. Where both peers support it, Certificate authentication avoids the limit altogether. Note: If you have specified Certificate in the Type field you will not be able to enter text in the Preshared Key field.
Preshared Key Verify: Retype Preshared Key for verification.
Local Certificate: Specify an X.509 certificate to use when the Type is Certificate. Note: If you have specified PSK in the Type field the dropdown menu in the Local Certificate field will be inoperative.
Delete: Set the Delete checkbox in a row in the Existing Methods table and click Apply Settings to delete that method.

3.10.8.4 VPN: Tunnels
This screen enables you to specify VPN "tunnels." A tunnel establishes encrypted communication between a source IP address (or range of addresses) and a destination IP address (or range of addresses). In the VPN: Tunnels screen you can create and modify security policies between the source and destination addresses.

Figure 3-119. Security: VPN: Tunnels

Table 3-117 specifies the parameters you can view and edit in the VPN: Tunnels screen. Note that a source or destination address and a network mask, taken together, specify a network or range of addresses.

Table 3-117. Security: VPN: Tunnels
Source Address: A source IP address on this device or on the subnet supported by this device.
Source Mask: A subnet mask to apply to the source IP address.
Destination Address: The destination IP address. Destination Mask: A subnet mask to apply to the destination IP address. Magnum Network Software - DX Administrator’s Guide 199 CHAPTER 3 - System Administration Security Tasks Table 3-117. Security: VPN: Tunnels Field Name Field Value Destination Gateway: The IP address of the gateway router to be used to access the Destination Address. Profile: The security profile to bind to this tunnel. (Profiles are defined in the VPN: Profiles screen, explained in Section 3.10.8.2.) Authentication: The authentication method to use for this tunnel. Authentication methods are defined in the VPN: Authentication screen, explained in Section 3.10.8.3. Valid range = 1 - 16 characters 3.10.8.5 VPN: Status This screen enables you to view the status of existing VPN security associations. Figure 3-120. Security: VPN: Status Table 3-118 describes the parameters you can view in the VPN: Status screen. Table 3-118. Security: VPN: Status Field Name Field Value Source Address: The source IP address for this Security Association (SA). Destination Address: The destination IP address for this SA. Status: The status for this tunnel. Remaining Time Hard: The remaining seconds for the hard life time interval. Note: The “hard lifetime” is the length of time until this tunnel is torn down. The hard lifetime exceeds the soft lifetime and is not configurable. A tunnel can persist under its old SPI for a period of time after its function has been taken over by a re-keyed tunnel with a new SPI. Magnum Network Software - DX Administrator’s Guide 200 CHAPTER 3 - System Administration Security Tasks Table 3-118. Security: VPN: Status Field Name Remaining Time Soft: Field Value The remaining time in seconds for the soft life time interval. Note: The “soft lifetime” is the length of time this tunnel stays in operation with its current key. This is the length of time configured as “ESP Lifetime” in the VPN: Profiles screen. 
If traffic is present in the tunnel at the expiration of the soft lifetime the system will automatically attempt to negotiate a new key and re-establish the tunnel with a new SPI. Checking this box and pressing the Apply Settings button will cause the tunnel to be renegotiated (starting with Phase 1). Restart: 3.10.8.6 VPN: Details This screen enables you to view in detail the state of the tunnels and the errors encountered on them. 2.3.4.100 192.168.1.2 0x12345678 0x98765432 200 120 0 0 0 0 Figure 3-121. Security: VPN: Details Table 3-119 specifies the values displayed in the Security: VPN: Details screen. Table 3-119. Security: VPN: Details Field Name Field Value Source Address: SA Source address. Destination Address: SA Destination address. Source SPI: The source security policy index. Destination SPI: The destination security policy index. Remaining Time Hard: The remaining hard lifetime of the SA. Once this timer expires, the SA is deleted. Remaining Time Soft: The remaining soft lifetime of the SA. This is always 75% of the hard lifetime. Once this timer expires, IKE will attempt to renegotiate a new SA to take this one's place. Inbound Packets: Packets received from the tunnel. Outbound Packets: Packets sent into the tunnel. Magnum Network Software - DX Administrator’s Guide 201 0 CHAPTER 3 - System Administration Security Tasks Table 3-119. Security: VPN: Details Field Name Field Value Decryption Errors: Encapsulation Security Payload decryption errors. Authentication Errors: Phase 1 or phase 2 authentication errors. Sequence Errors: Encapsulation Security Payload sequence errors. Magnum Network Software - DX Administrator’s Guide 202 CHAPTER 3 - System Administration Wizards 3.11 Wizards Wizards are self-documenting processes that guide you through the steps to the accomplishment of a configuration goal. You read and respond to requests for information in a succession of screens. In MNS-DX two processes are automated with wizards. 
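The profile constraints of Table 3-115 and the lifetime relationship stated in the VPN: Status and VPN: Details screens, as an added example that is not GarrettCom code: it validates a profile the way the screen would, flags accepted-but-weak choices, and derives the hard lifetime from the page's "soft is 75% of hard" rule. The data class, field names and the profile values are this example's own assumptions.

```python
"""Added example (not GarrettCom code): check an MNS-DX VPN profile against the
field constraints of Table 3-115 and derive the SA lifetimes from the rule in
Sections 3.10.8.5/3.10.8.6 (soft lifetime = configured ESP Lifetime = 75% of
the hard lifetime). Profile values below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# Value sets and ranges exactly as Table 3-115 lists them.
ENCRYPTION = ("AES", "3DES", "DES")
HASHES = ("SHA", "MD5")
DH_MODULUS_BITS = {1: 768, 2: 1024}     # DH Group -> modulus size in bits
LIFETIME_RANGE = range(90, 64801)        # IKE/ESP Lifetime, seconds
DPD_RANGE = range(0, 601)                # DPD Poll Time, seconds; 0 = no DPD


@dataclass
class VpnProfile:
    """One row of the VPN: Profiles screen. Defaults are the page's defaults
    where it states one, otherwise the stronger of the listed choices."""
    name: str
    ike_encryption: str = "AES"
    ike_hash: str = "SHA"
    ike_lifetime: int = 21600
    esp_encryption: str = "AES"
    esp_hash: str = "SHA"
    esp_lifetime: int = 21600
    dh_group: int = 2
    dpd_poll_time: int = 30


def validate_profile(p: VpnProfile) -> list[str]:
    """Hard errors: values outside what the screen accepts."""
    errors = []
    if not p.name.strip():
        errors.append("Name: a unique plain-text name is required")
    for label, value in (("IKE Encryption", p.ike_encryption),
                         ("ESP Encryption", p.esp_encryption)):
        if value not in ENCRYPTION:
            errors.append(f"{label}: {value!r} is not one of {ENCRYPTION}")
    for label, value in (("IKE Hash", p.ike_hash), ("ESP Hash", p.esp_hash)):
        if value not in HASHES:
            errors.append(f"{label}: {value!r} is not one of {HASHES}")
    for label, value in (("IKE Lifetime", p.ike_lifetime),
                         ("ESP Lifetime", p.esp_lifetime)):
        if value not in LIFETIME_RANGE:
            errors.append(f"{label}: {value} s is outside 90 - 64800 s")
    if p.dh_group not in DH_MODULUS_BITS:
        errors.append(f"DH Group: {p.dh_group} is not 1 or 2")
    if p.dpd_poll_time not in DPD_RANGE:
        errors.append(f"DPD Poll Time: {p.dpd_poll_time} s is outside 0 - 600 s")
    return errors


def weak_settings(p: VpnProfile) -> list[str]:
    """Accepted-but-weak choices a reviewer would flag before deployment:
    64-bit DES, MD5, the 768-bit DH group, and DPD switched off (a dead peer
    is then not detected by polling)."""
    warnings = []
    if p.ike_encryption == "DES":
        warnings.append("IKE Encryption: DES (64 bit) - prefer AES")
    if p.esp_encryption == "DES":
        warnings.append("ESP Encryption: DES (64 bit) - prefer AES")
    if p.ike_hash == "MD5":
        warnings.append("IKE Hash: MD5 - prefer SHA")
    if p.esp_hash == "MD5":
        warnings.append("ESP Hash: MD5 - prefer SHA")
    if p.dh_group == 1:
        warnings.append("DH Group: 1 (768-bit modulus) - prefer group 2")
    if p.dpd_poll_time == 0:
        warnings.append("DPD Poll Time: 0 disables Dead Peer Detection")
    return warnings


def sa_lifetimes(esp_lifetime: int) -> dict[str, int]:
    """Soft lifetime is the configured ESP Lifetime; the Details screen states
    it is always 75% of the (non-configurable) hard lifetime, so
    hard = soft / 0.75. 'overlap' is the longest time the old SPI can persist
    alongside the re-keyed SA before the hard timer deletes it."""
    soft = esp_lifetime
    hard = soft * 4 // 3
    return {"soft": soft, "hard": hard, "overlap": hard - soft}


if __name__ == "__main__":
    legacy = VpnProfile("legacy-site", ike_encryption="DES", ike_hash="MD5",
                        dh_group=1, dpd_poll_time=0)
    print(validate_profile(legacy))   # accepted by the screen
    print(weak_settings(legacy))      # but four choices worth revisiting
    print(sa_lifetimes(21600))        # default ESP Lifetime -> hard 28800 s
```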
3.11.1 The Router Setup Wizard

The Router Setup Wizard enables you to configure the following router features:
1. IP Interfaces
2. Address Assignment
3. Routing Protocol
4. Firewall (management access allowed)

After confirming your selections you can see the results of the wizard-assisted configuration and make any specific changes by using:
1. The Ethernet: Ports: Settings screen, explained in Section 3.4.1.1
2. The Routing: IP Addresses screen, explained in Section 3.8.1
3. The Routing: RIP: Global Settings screen, explained in Section 3.8.5.1
4. The Security: Firewall: IP Interfaces screen, explained in Section 3.10.6.2.

3.11.2 The Certificate Creation Wizard

The Certificate Creation Wizard enables you to create RSA key pairs and matching signed certificates for use with SSL and IPsec. You can:
1. Create a new RSA key pair and a certificate request that can be submitted to your Certificate Authority for signing.
2. Create a new RSA key pair and your own self-signed certificate.

The Certificate Creation wizard automates actions that you can take in the Certificates: Local screen, explained in Section 3.10.1.1, and in the Certificates: CAs screen, explained in Section 3.10.1.2, and that are explained in Section 5.8.3.9, “Certificate and Key File Generation”.

Chapter 4 The CLI and Protocol Monitor

MNS-DX includes a command line interface (CLI) that supports the same command set managed by the GUI documented in Chapter 3, “System Administration”. The CLI is accessed via the unit's serial console.

4.1 CLI Access

You can access the CLI in two ways:

1. Through a serial connection from your PC to a serial port on the GarrettCom device – Use a terminal emulator (such as HyperTerminal or Procomm) configured to the following settings:
• Speed: 38400
• Data bits: 8
• Stop bits: 1
• Parity: None

On the DX800, DX900, and DX1000 – Connect your PC to the Console port on the GarrettCom device by a null modem serial cable. (See your Installation Guide for details.) When the terminal emulator is properly configured the CLI Login prompt will display automatically.

On the DX40 – This device does not have a dedicated Console port. The S1 port does double duty as a console port and as a normal serial port. To access the CLI on a DX40:
i. Connect a serial port on your PC and port S1 on the DX40 with a serial cable.
ii. Start up a terminal emulator configured as described above.
iii. Power up the DX40. If power to the DX40 is on, turn it off (that is, unplug the power cord) and immediately restore power (plug the power cord back in).
iv. As soon as the connection is made on the terminal emulator hold down the space bar on your keyboard until the MNS-DX boot menu appears.
v. Select the "Boot with console port on S1" option by typing "c" and Enter.
vi. The device will reboot and the CLI Login prompt will display. The S1 port is now functioning as a Console port.
Resetting the unit will automatically return serial port S1 to its normal functionality.

2. Over an Ethernet connection to the DX device – This connection can be via telnet or SSH:
• Telnet – On the Windows Start menu select Run, enter cmd in the Open: field and click OK. At the command window prompt enter telnet xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP address of the GarrettCom device. The CLI Login prompt will appear.
• SSH (Secure SHell) – The interface you encounter will vary with the client software you select. Connect to the IP address of the GarrettCom device and log in.
Note: For SSH to operate an SSH key must have been generated. See Section 4.2.3.31.

Login to the CLI using the same username and password you use for the browser-based MNS-DX Administration program. The following example uses the default username and password, but any password changes you make in the MNS-DX Administration: Change Password screen will also apply to the CLI:

    Login: manager
    Password: manager
    MagnumDX# _

4.1.1 MNS-DX support for SFTP

MNS-DX supports the Secure File Transfer Protocol (SFTP) to complement the CLI. An SFTP server on the DX device creates a set of virtual directories that you can use to upgrade software or to check configuration and log files.

NOTE: SFTP works cooperatively with SSH technology. To use SFTP with MNS-DX you must have generated an SSH key. If you have not generated an SSH key do so with the keygen command, which is a member of the ssh command set. (See Section 4.2.3.31, “The ssh Command”.)

The SFTP server implements a virtual file system on the DX device containing the following directory structure:

    /
    logs/
    config/
    swupgrade/

These directories cannot be renamed or deleted and no other directories may be created by any user.

• Logs Directory – The contents of the /logs directory can be displayed by all users. The directory listing contains all of the log file names as they would be displayed by the Events: Logs: Files screen in the browser-based management system. (See Section 3.3.1.2.) The following access limitations apply to the /logs directory:
- Files may be read via the SFTP get command by all users.
- Files may be deleted only by an administrator using the SFTP rm command.
- The put command is always rejected in the /logs directory.
- The rename command is always rejected in the /logs directory.
For more on managing log files through the CLI see Section 4.2.3.13, “The log Command”.

• Config Directory – The contents of the /config directory may be displayed by all users. The directory listing contains all of the config file names as they would be displayed by the Administration: Configuration: Files screen in the browser-based management system. (See Section 3.2.9.1.) The following access limitations apply to the /config directory:
- Files may be read via the SFTP get command by all users.
- Files may be deleted only by an administrator using the SFTP rm command. The Active and Fallback config files cannot be deleted using the rm command.
- Executing the put command in the /config directory has the same effect as if the file had been uploaded through the Administration: Configuration: Files screen in the browser-based management system.
- Executing a put command for a file that already exists will be rejected.
- The rename command is always rejected in the /config directory.
For more on managing configuration files through the CLI see Section 4.2.3.7, “The config Command”.

• Swupgrade Directory – The /swupgrade directory is always empty when displayed by any user.
- Executing the put command in the /swupgrade directory has the same effect as if the file had been uploaded through the Administration: Software Upgrade screen in the browser-based management system. (See Section 3.2.8.)
For more on upgrading software through the CLI see Section 4.2.3.32, “The sw Command”.

4.2 CLI Functionality

In addition to providing protocol monitoring functionality the CLI enables you to carry out from the command line all of the management tasks you can also perform with the graphical interface. The CLI supports three types of commands:

• Global commands – These are commands that can be entered at any prompt in the CLI.
Global commands are described in Section 4.2.2.
• Basic commands – These are commands that give access to a subset of specific commands. Most basic commands, when entered with no parameters, move the CLI into a mode to accept the specific commands. This mode change is signaled by a change in the CLI prompt, for example, from MagnumDX# to MagnumDX(vlan)#. Basic commands are described in Section 4.2.3.9 through Section 4.2.3.42.
• Specific commands – These are the commands that enable you to configure, manage, and monitor your system. They are described in the tables contained in Section 4.2.3.9 through Section 4.2.3.42.

4.2.1 Keyboard Navigation in the CLI

Some keys have special uses in the CLI. Table 4-1 explains how to use these keys.

Table 4-1. Keyboard Navigation

? – Enter the question mark character at the MagnumDX# prompt or a MagnumDX(basic_command)# prompt to view a list of available options.
Esc – While monitoring is in progress press the Escape key to abort the Protocol Monitor.
Enter – During monitoring the Enter key is a Pause/Resume toggle. Press the Enter key to pause monitoring; press again to resume monitoring.
Up Arrow / Down Arrow – The CLI program keeps a record of the commands you have entered. Use the Up Arrow key to move back in this command history and select a command you have previously issued. After you have moved back in the command history you can move forward toward the most recently issued command using the Down Arrow key.

4.2.2 Global Commands

Global commands take no parameters and can be entered from any prompt in the CLI. Table 4-2 describes the CLI global commands.

Table 4-2. CLI Global Commands

exit – When you are in a basic command mode, such as MagnumDX(firewall)#, the exit command returns you to the main CLI prompt - MagnumDX#.
help (or ?) – Display options available in current mode.
logout – Log out of the system and display the Login prompt.
reboot – Shutdown and restart the system.
revert – Undo changes since last save.
save – Save current configuration.
service – Customer service access.
whoami – Show current user information.

4.2.3 Basic and Specific Commands

Type a question mark ("?") at the MagnumDX# prompt to see a list of global and basic commands and a brief description of each:

    alarm – alarm management
    auth – authentication and authorization
    bgp – border gateway protocol
    bridge – ethernet bridge management
    cert – x.509 certificates
    config – configuration file management
    dhcp – dynamic host configuration protocol
    ethernet – ethernet port management
    firewall – ip filtering services
    fr – frame relay management
    ip – internet protocol management
    log – event log management
    modbus – modbus/tcp
    monitor – traffic monitoring and analysis
    nat – network address translation
    ospf – open shortest path first
    password – password maintenance
    ping – ping network utility
    ppp – point-to-point protocol
    qos – quality of service
    radius – remote access dial-in user service
    rip – routing information protocol
    rstp – rapid spanning tree protocol
    s2f – serial-to-frame encapsulation
    serial – serial ports
    session – user sessions
    snmp – simple network management protocol
    sntp – simple network time protocol
    ssh – secure shell management
    sw – software upgrade
    syslog – syslog
    system – system information
    terminal – terminal settings
    time – time and date
    ts – terminal server
    vlan – virtual local area networking
    vpn – virtual private network
    vrrp – virtual router redundancy protocol
    wan – wide area networking
    web – embedded web server
    exit – exit intermediate mode (global)
    help – help system (global)
    logout – log off this system (global)
    reboot – reset the system (global)
    revert – undo changes since last save (global)
    save – save current configuration (global)
    service – customer service access (global)
    whoami – show current user info (global)

Most of the basic commands preface a subset of more specific commands. You can execute any specific command from the MagnumDX# prompt in the following syntax:

    MagnumDX# basic_command specific_command parameters

After execution of such a command you are returned to the MagnumDX# prompt. For example,

    MagnumDX# session set timeout 30min
    MagnumDX#

For most basic commands you have the option to issue the basic command followed by nothing to enter a specialized mode for that basic command that will automatically preface all specific commands with the basic command. For example,

    MagnumDX# session
    MagnumDX(session)# set timeout 30min
    MagnumDX(session)#

While a specialized mode prompt is displayed you can only execute the specific commands proper to that basic command. To move to another basic command prompt you must first return to the main MagnumDX# prompt by typing exit:

    MagnumDX(session)# exit
    MagnumDX#

Then type the name of the other basic command to obtain the specialized prompt for that command.

4.2.3.1 Obtaining Help on CLI Commands

While the CLI is displaying a specialized mode prompt you can type "?" to see a list of the commands specific to that basic command. For example, typing a "?" at the MagnumDX(alarm)# prompt produces the following list of available commands. (The ? character typed following the prompt is not echoed to the screen.)

Figure 4-1. alarm Command Help Example

You can type the "?" character after each successive element in a command line to view the options available. Some of these options will be accompanied with explanatory information. Figure 4-2 is an example of the output obtained by typing "?" after the MagnumDX(alarm)# set action cold command.
Multiple valid options are enclosed in angle brackets (< >). Explanatory information is preceded by a colon (:).

Figure 4-2. Help explanatory information example

The example in Figure 4-2 means that you can follow cold with either the literal string disabled or the literal string momentary. The explanatory information following the colon is not part of the command and must not be entered, so that a complete and valid command would be

    MagnumDX(alarm)# set action cold momentary

Some values specified on the CLI command line must be preceded by a keyword, as illustrated in Figure 4-3 (the figure labels the valid options and the keywords):

Figure 4-3. Help keyword example

The example in Figure 4-3 means that the valid options enclosed in angle brackets must be preceded by a keyword such as gateway, primary-dns, etc., so that a complete and valid command would be

    MagnumDX(dhcp)# add param-group group1 gateway 192.168.2.1

4.2.3.2 The alarm Command

Table 4-3 explains the commands available for alarm management when the MagnumDX(alarm)# prompt is displayed or from the MagnumDX# prompt using an alarm prefix. For example:

    MagnumDX# alarm set action cold momentary

or

    MagnumDX(alarm)# set port mode enabled

Table 4-3. CLI alarm Commands

set (synopsis: set action | port param...) – Configure alarm parameters for your DX device. The available parameters are:
• action event select – Where event is the specification of an event that will trigger an alarm and select specifies whether to trigger an alarm (momentary) or take no action (disabled). Possible values for event are:
  - cold – A cold start event is detected.
  - warm – A warm start event is detected.
  - linkup – A link up event is detected.
  - linkdown – A link down event is detected.
  - authfail – An authentication failure event is detected.
  - rstp – An RSTP/STP reconfiguration event is detected.
• port mode|relay-closure n – Configure the alarm port. Possible values are:
  - mode enabled|disabled – Enable or disable the alarm port.
  - relay-closure n – Specify the number of seconds the relay is kept in the abnormal state for momentary alarm actions. The default value is 3 and the valid range is 1 - 10.

show (synopsis: show action | port) – Display information about alarm configuration. Possible values are:
• action – Display the momentary/disabled selection for each programmable alarm.
• port – Display the enabled state and closure time for the alarm port.

For more information see the description of alarm management in Section 3.3.3, “Alarms”.

4.2.3.3 The auth Command

Table 4-4 explains the commands available for authentication management when the MagnumDX(auth)# prompt is displayed or from the MagnumDX# prompt using an auth prefix. For example:

    MagnumDX# auth add user user1 admin

or

    MagnumDX(auth)# edit user 3 group admin suspend y

Table 4-4. CLI auth Commands

add user (synopsis: add user parameters) – Create a new user where the parameters are:
• name loginname – A login name of up to 40 printable characters.
• group privilegelevel – One of three privilege levels. (See the edit user command below for details.)
• notes textstring – Optional arbitrary text of up to 31 printable ASCII characters.
After you have fully specified a new user the system will prompt for a password and a password confirmation.

delete user (synopsis: delete user UserID) – Delete an existing user specified by UserID.

edit (synopsis: edit password | user UserID) – Change the password or edit the user information of the user specified by UserID.
Note: UserID is not the loginname. It is the integer associated with a user, which can be obtained by viewing the results of the show user command.
When changing the password enter edit password UserID and press Return. The CLI interface will display a prompt at which you can enter the new password. After you enter Return a second prompt is presented at which you must repeat the password.
To edit user information follow the edit user UserID command with one of these parameters:
• name loginname – A unique name of up to 40 printable characters.
• group privilegelevel – One of three privilege levels:
  - admin – Members of this group may perform all functions including managing software, user accounts, and configuration files.
  - read-write – Members of this group may perform all configuration functions with the exception of software, user account, and configuration file management.
  - read-only – Members of this group are like Read-Write except they cannot change any parameters.
• suspend y|n – Specify user suspension state with one of two parameters:
  - y – This user is permitted to log on to the system.
  - n – This user is not permitted to log on to the system.
• notes textstring – Arbitrary text of up to 31 printable ASCII characters.

set (synopsis: set parameters) – Where parameters can be any of the following:
• expire – Newly created accounts that are not part of the administration group can be set to expire when they have been inactive (that is, no logins) for a number of days exceeding the value specified here. A setting of 0 (default) disables this feature, otherwise the duration of inactivity before being locked out ranges from 1 to 255 days.
• lockout n – Where n is the amount of time (in minutes) a user account spends in the suspended state after being locked out. This parameter takes one of the following values:
  - 5 (default)
  - 30
  - 60
• login-attempts n – Where n is the number of consecutive failed login attempts before a user is locked out. The default value is 5 and the valid range is 1 - 5.
• password-aging n – Where n is the duration of the password until replacement. Newly created accounts that are not part of the administration group can optionally expire passwords by setting this value to the number of days a password is valid before a change is required. Accounts that attempt to log in prior to the expiration date may change the password to reset the counter. Accounts that exceed this setting without a password change will be forced to change the password prior to accessing any other configuration screens. Valid settings (in days) for this option are:
  - None (default)
  - 30
  - 60
  - 90
• secure-enforce y|n – Setting this value to y forces password changes to comply with the following standards:
  - Length of 8 characters minimum
  - Must consist of at least 2 of the 3 character types: alphabetic, numeric, printable special characters
  - Default value = No

show (synopsis: show parameters) – Where parameters can be:
• file – Prints the contents of the current user definition file to the screen.
• policies – Display the current values that are controlled by the auth set command.
• user – Display the current values that are controlled by the auth user command.

unlock user (synopsis: unlock user UserID) – Enable user UserID, who has been locked out, to regain access to the system. (A list of configured UserID values can be viewed by executing the show user command.)

write (synopsis: write XMLtext) – Enter a user definition file in correct XML format (see Section 3.2.5.3.) This command enables the pasting of valid user definition files from other sources.
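The account policies that auth set configures (expire, lockout, login-attempts, password-aging, secure-enforce) and the lockout that unlock user clears, as an added example that is not GarrettCom code: the device's own enforcement logic is not published, so this follows the rules exactly as Table 4-4 states them. The data classes, minute-based timestamps and the sample account are this example's own assumptions.

```python
"""Added example (not GarrettCom code): a model of the account policies that
auth set configures (expire, lockout, login-attempts, password-aging,
secure-enforce) and the lockout counter that unlock user clears. The device's
own enforcement code is not published; this follows the rules as Table 4-4
states them. Accounts and timestamps below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
import string

LOCKOUT_MINUTES = (5, 30, 60)            # lockout n
AGING_DAYS = (None, 30, 60, 90)          # password-aging n; None = off
LOGIN_ATTEMPTS = range(1, 6)             # login-attempts n: 1 - 5
EXPIRE_DAYS = range(0, 256)              # expire: 0 disables, else 1 - 255
ADMIN_GROUP = "admin"                    # exempt from expire and aging


@dataclass
class AuthPolicy:
    login_attempts: int = 5
    lockout: int = 5
    password_aging: int | None = None
    secure_enforce: bool = False
    expire: int = 0

    def __post_init__(self) -> None:
        # Reject values the CLI itself would not accept.
        if self.login_attempts not in LOGIN_ATTEMPTS:
            raise ValueError("login-attempts must be 1 - 5")
        if self.lockout not in LOCKOUT_MINUTES:
            raise ValueError("lockout must be 5, 30 or 60 minutes")
        if self.password_aging not in AGING_DAYS:
            raise ValueError("password-aging must be None, 30, 60 or 90 days")
        if self.expire not in EXPIRE_DAYS:
            raise ValueError("expire must be 0 - 255 days")


def password_problems(password: str, policy: AuthPolicy) -> list[str]:
    """secure-enforce y: at least 8 characters and at least 2 of the 3 types
    (alphabetic, numeric, printable special). Empty list means compliant."""
    if not policy.secure_enforce:
        return []
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    types_present = sum((
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))
    if types_present < 2:
        problems.append("fewer than 2 of the 3 character types")
    return problems


def password_change_required(days_since_change: int, group: str,
                             policy: AuthPolicy) -> bool:
    """password-aging applies only to accounts outside the admin group."""
    if group == ADMIN_GROUP or policy.password_aging is None:
        return False
    return days_since_change > policy.password_aging


def account_expired(days_inactive: int, group: str, policy: AuthPolicy) -> bool:
    """expire: non-admin accounts lock after more than n days without a login."""
    if group == ADMIN_GROUP or policy.expire == 0:
        return False
    return days_inactive > policy.expire


@dataclass
class Account:
    name: str
    group: str                       # admin | read-write | read-only
    failed_attempts: int = 0
    locked_until: int | None = None  # minutes since an arbitrary epoch


def record_login(acct: Account, success: bool, now_min: int,
                 policy: AuthPolicy) -> str:
    """Apply one login attempt; returns 'ok', 'denied' or 'locked'."""
    if acct.locked_until is not None and now_min < acct.locked_until:
        return "locked"                  # still serving the lockout interval
    acct.locked_until = None
    if success:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.login_attempts:
        acct.locked_until = now_min + policy.lockout
        acct.failed_attempts = 0
        return "locked"
    return "denied"


def unlock(acct: Account) -> None:
    """What auth unlock user UserID does: clear the lockout immediately."""
    acct.locked_until = None
    acct.failed_attempts = 0
```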
For more information see Section 3.2.5, “Authentication”. Magnum Network Software - DX Administrator’s Guide 217 CHAPTER 4 - The CLI and Protocol Monitor CLI Functionality 4.2.3.4 The bgp Command Table 4-5 explains the commands available for Border Gateway Protocol (BGP) management when the MagnumDX(bgp)# prompt is displayed or from the MagnumDX# prompt using a bgp prefix. For example: MagnumDX# bgp add peer BGP1 192.168.1.3 192.168.1.2 129 local-as 43 or MagnumDX(bgp)# edit profile Profile1 weight 100 Table 4-5. CLI bgp Commands Command add Synopsis add peer | profile params.. Description Add a BGP peer or a BGP profile. To add a BGP peer follow the add following required parameters; peer command with the • name – A user-supplied BGP reference name of up to 15 characters. • x.x.x.x – The IP address of the router to which BGP traffic will be sent. • y.y.y.y – The IP address of the router you are configuring for BGP. • as_number – The Autonomous System (AS) number of the peer, in a range of 1 - 65535. If no value is specified a value of 0 is used to signify that the system will accept whatever value the remote end supplies. and any of the following optional parameters: • local-as n – An Autonomous System (AS) number of • hold-timer secs – The frequency (in seconds) • profile profname – The name of the profile used the local system, in a range of 1 - 65535. Specify an AS value here to override the value specified with the bgp set as-number command (below). with which this router will send Keepalive packets to its peers. by this peer. Magnum Network Software - DX Administrator’s Guide 218 CHAPTER 4 - The CLI and Protocol Monitor CLI Functionality Table 4-5. CLI bgp Commands Command Synopsis Description To add a BGP profile follow the add profile command with one or more of the following commands: add (cont.) • profname – Supply a name for the profile in up to 15 characters. This is the only required parameter. 
You may enter only add profile profname and accept defaults for all other values. delete delete peer | profile name • default-router y|n – If y specifies that the • redistribute-static y|n – If y include static • redistribute-rip y|n – If y include RIP route • redistribute-bgp y|n – If y include BGP route • weight – A priority value in the range 0-4294967295. • private-as y|n – If y private AS numbers are • local-pref – A priority value assigned to a route that • tcp-passive y|n – If y this router will not initiate a router using this profile is the default router. route information from this router in BGP Update messages. information from this router in BGP Update messages. information from this router in BGP Update messages. redistributed. is local to this AS. The default value is 100. The valid range is 0-4294967295. TCP connection but will wait for one to be initiated by a peer. Delete a configured BGP peer or BGP profile: • delete peer peername – Delete the BGP peer specified by peername. • delete profile profname – Delete the BGP profile specified by profname. Magnum Network Software - DX Administrator’s Guide 219 CHAPTER 4 - The CLI and Protocol Monitor CLI Functionality Table 4-5. CLI bgp Commands Command edit reset Synopsis edit peer | profile params... reset neighbor x.x.x.x Description Change a value or values of a configured BGP peer or BGP profile: • edit peer peername key newval – Where peername is the name of a configured BGP peer, key is a keyword for one of the parameters configurable with the bgp add peer command (see above), and newval is the new value for key. • edit peer profname key newval – Where profname is the name of a configured BGP peer, key is a keyword for one of the parameters configurable with the bgp add profile command (see above), and newval is the new value for key. Reset a BGP neighbor, where x.x.x.x is the neighbor’s IP address. Enter this command with no parameter to produce the default soft reset. 
Enter reset neighbor x.x.x.x hard to produce a hard reset. set show set param... show param Configure global BGP parameters, where param can be: • as-number n – The Autonomous System (AS) • mode enabled|disabled – Enable or disable • router-id x.x.x.x – The IP address of the router number for this DX in a range of 1-65535. BGP on this DX. you are configuring for BGP. Display information about BGP configuration, where param can be: • peer – Display BGP peer configurations. • profile – Display BGP profile configurations. • rib – Display BGP peer configurations. • settings – Display the contents of the Routing • statistics – Display BGP performance statistics for • status – Display BGP neighbor status. Information Base (RIB). configured peers. For more information see the description of BGP management in Section 3.8.7, “BGP”. Magnum Network Software - DX Administrator’s Guide 220 CHAPTER 4 - The CLI and Protocol Monitor CLI Functionality 4.2.3.5 The bridge Command Table 4-6 explains the commands available to control devices to be included or excluded from the bridge when the MagnumDX(bridge)# prompt is displayed or from the MagnumDX# prompt using a bridge prefix. For example: MagnumDX# bridge add mac 00:01:60:3E:4A:32 E1 or MagnumDX(bridge)# include port E1 Table 4-6. CLI bridge Commands Command Synopsis Description add add mac x.x.x.x.x.x Ex Add the device specified by the MAC address x.x.x.x.x.x at the port specified by Ex. delete delete mac x.x.x.x.x.x Delete the device specified by the MAC address x.x.x.x.x.x. exclude exclude port Ex Port Ex is specified as not bridged; that is, the port does not participate in the Ethernet bridge. If a packet is sent to the router's MAC address, the packet may be forwarded at Layer 3 if a route to the packet's destination is known. flush flush cache Delete the contents of the bridge station cache. 
Command: include
Synopsis: include port Ex
Description: Port Ex is specified as bridged; that is, the port participates in the Ethernet bridge and frames may be forwarded between this port and other bridged ports at Layer 2.

Command: set
Synopsis: set age n
Description: Set the aging interval to the number of seconds specified by n. Entries (MAC addresses) learned by the bridge are deleted from the cache after they have been in the cache for the specified aging interval without another packet arriving with the same source address. The default value is 300 seconds (5 minutes) and the valid range is 15 seconds - 1,800 seconds (30 minutes).

Command: show
Synopsis: show param
Description: Display bridge information, where param can be:
• addresses – Display the contents of the station cache.
• port – Display the bridged/not bridged status of each Ethernet port.
• settings – Display the configured aging interval.

For more information see the description of station cache monitoring in Section 3.4.2, “Bridge”.

4.2.3.6 The cert Command

Table 4-7 explains the commands available for X.509 Certificate creation and management when the MagnumDX(cert)# prompt is displayed or from the MagnumDX# prompt using a cert prefix. For example:

MagnumDX# cert trust ca_cert.pem

or

MagnumDX(cert)# write ca secure13.pem

Table 4-7. CLI cert Commands

Command: create
Synopsis: create
Description: This command starts the self-documenting Certificate Creation Wizard.

Command: delete
Synopsis: delete filename
Description: Delete the certificate file specified by filename.

Command: dump
Synopsis: dump filename
Description: Print the contents of filename to the screen.

Command: show
Synopsis: show local | cas
Description: Display the names of either local certificates or of certificate authorities (cas).

Command: trust
Synopsis: trust filename
Description: Designate the ca specified by filename as trusted.

Command: untrust
Synopsis: untrust filename
Description: Remove the trusted designation from the ca specified by filename.

Command: write
Synopsis: write ca | trusted filename
Description: Specify a filename and designate it either local or ca.
The system responds with the following message:

Enter PEM encoded X.509 certificate and private key. Use two blank lines to finish.

This command provides a convenient means to paste and save the contents of a certificate.

For more information see the description of certificate management in Section 3.10.1, “Certificates” and the discussion in Section 5.8.3, “Keys and Certificates”.

4.2.3.7 The config Command

Table 4-8 explains the commands available for system configuration when the MagnumDX(config)# prompt is displayed or from the MagnumDX# prompt using a config prefix. For example:

MagnumDX# config delete config5.xml

or

MagnumDX(config)# switch netB_config.xml

Table 4-8. CLI config Commands

Command: delete
Synopsis: delete filename
Description: Delete the configuration file specified by filename.

Command: dump
Synopsis: dump filename
Description: Display the entire contents of the configuration file filename to the screen.

Command: restore
Synopsis: restore
Description: Restore system defaults. Note: Default values do not necessarily mean "factory default" values. While most parameters will take on their factory defaults, the following exceptions apply:
• System IP Address and Mask – Set to the IP address/mask configured in the boot menu.
• Default Gateway – Set to the default gateway configured in the boot menu.

Command: revert
Synopsis: revert
Description: Make the system's current settings those of the saved configuration file.

Command: save
Synopsis: save
Description: Save the system’s current settings.

Command: saveas
Synopsis: saveas filename
Description: Save the system’s current settings to a configuration file specified by filename.

Command: show
Synopsis: show
Description: Display the names, versions, and status of configuration files.

Command: switch
Synopsis: switch filename
Description: Switch from the current configuration file to the configuration file specified by filename.

Command: write
Synopsis: write filename
Description: Create a new configuration file named filename. After entering write filename Return you are prompted to enter an XML configuration.
Enter a valid configuration and press Return twice to write the new configuration file to disk.

For more information see the descriptions of system configuration in Section 3.2.9, “Configuration”.

4.2.3.8 The dhcp Command

Table 4-9 explains the commands available for Dynamic Host Configuration Protocol (DHCP) management when the MagnumDX(dhcp)# prompt is displayed or from the MagnumDX# prompt using a dhcp prefix. For example:

MagnumDX# dhcp add dynamic-address-range 192.168.1.4 192.168.1.50 255.255.255.0 max-lease 1000 default-lease 500 param-group LAN-a

or

MagnumDX(dhcp)# add param-group name LAN-b gateway 192.168.11.1 primary-dns 192.168.2.3 sec-dns 10.1.2.3 domain garrettcom.com

Table 4-9. CLI dhcp Commands

Command: add
Synopsis: add params...
Description: Add an address, range of addresses for allocation, or a host parameters group, where params are:
• dynamic-address-range rangeparams – Specify a range of IP addresses that can be dynamically allocated to DHCP clients, where rangeparams are:
-startIPaddress – The start of a range of IP addresses available for dynamic allocation.
-endIPaddress – The end of a range of IP addresses available for dynamic allocation.
-netmask – The subnet mask that applies to the address range delimited by startIPaddress and endIPaddress.
-max-lease n (optional) – The maximum allowable lease duration for a dynamically allocated address. If a DHCP client requests a duration longer than the default, the server offers the maximum length lease as configured by this parameter. The valid range is 0-65535 days.
-default-lease n (optional) – If a client does not request a specific lease duration, the default lease time is assigned. The valid range is 0-65535 days.
-param-group groupname (optional) – The name of a previously defined host parameter group.
• param-group groupname groupparams – Add the host parameters group specified by groupname, where the optional groupparams are:
-gateway gateIP – The address of the default gateway router to be used by the DHCP client.
-primary-dns primdnsIP – The address of the primary DNS server to be used by the DHCP client.
-secondary-dns secdnsIP – The address of the secondary DNS server to be used by the DHCP client.
-domain domainsfx – A domain name suffix of up to 32 characters that will be appended to any local names by the DHCP client before making a DNS query.
• static-address IPaddress staticparams – Add the static address specified by IPaddress, where staticparams are:
-netmask – A network mask to apply to IPaddress.
-macaddress – The MAC address of the device at IPaddress.
-param-group groupname (optional) – The name of a host parameters group to which this static address belongs.

Command: delete
Synopsis: delete param...
Description: Delete previously configured DHCP values, where param are:
• dynamic-address-range rangeID – The range of allocatable addresses specified by rangeID. rangeID is a system-supplied ID displayed with the show dynamic-address-ranges command.
• param-group groupname – The host parameters group specified by groupname.
• static-address IPaddress – A configured static IP address.

Command: edit
Synopsis: edit param...
Description: Edit any of the configurable DHCP values. View these parameters with the show command (below) and see the add command (above) for details. param can be:
• dynamic-address-range rangeID params – Where rangeID is a range of allocatable addresses.
params can be any of the following configurable values:
-start-address IPaddress
-end-address IPaddress
-mask netmask
-max-lease n
-default-lease n
-param-group groupname
• param-group groupname params – Where groupname is a host parameters group and params can be:
-gateway gateIP
-primary-dns primdnsIP
-secondary-dns secdnsIP
-domain domainsfx
• static-address IPaddress params – Where IPaddress is a configured IP address and params can be:
-mask netmask
-mac macaddress
-param-group groupname

Command: show
Synopsis: show param...
Description: Display DHCP configuration, where param can be:
• dynamic-address-range – Ranges of IP addresses that can be dynamically allocated to DHCP clients.
• lease – The IP address, MAC address and expiration time of allocated leases.
• param-group – Configured host parameter groups.
• static-address – Configured static IP addresses.

For more information see the description of IP address management in Section 3.8.10, “DHCP Server”.

4.2.3.9 The ethernet Command

Table 4-10 explains the commands available for managing and monitoring Ethernet ports when the MagnumDX(ethernet)# prompt is displayed or from the MagnumDX# prompt using an ethernet prefix. For example:

MagnumDX# ethernet set mirror E1 E2

or

MagnumDX(ethernet)# set rate-limit E3 ingress-type all ingress-rate 1M

Table 4-10. CLI ethernet Commands

Command: clear
Synopsis: clear statistics portnum
Description: Clear the statistics for the port specified by portnum.

Command: set
Synopsis: set params...
Description: Set one or more Ethernet properties, where params can be:
• mirror spnum tpnum – Forward incoming and outgoing packets from the source port, spnum, to the target port, tpnum, for monitoring and/or analysis.
• port portnum portparams – Where portnum is the ID of a port in the format E1, E2..., and portparams can be:
-admin enabled|disabled – Enable or disable the port.
-fefi enabled|disabled – Enable or disable far end fault indication (fefi).
-flow enabled|disabled – Enable or disable flow control.
-media – Specify media type from among the following options:
auto – autonegotiate (10/100BaseTX) (default for 10/100T)
10half – (10/100BaseTX)
10full – (10/100BaseTX)
100half – (10/100BaseTX)
100full – (10/100BaseTX)
• name – Supply a name for the port in up to 15 printable characters.
• rate-limit Ex type dir lim – Limit the traffic rate on port Ex by specifying the type of traffic, type, the direction of the traffic, dir, and a maximum rate, lim, where type can be:
-ingress-type traf – where traf can be: broadcast, multicast, flooded, all
-egress-type traf – where traf can be any of the values specified above for ingress-type.
dir can be: ingress-rate, egress-rate
lim can be: unlimited, 128K, 256K, 1M, 2M, 4M, 8M
• security Ex – Specify a type of security for port Ex. The allowable types are:
-None – (default)
-Address – This port will be locked out if a frame is received with an unauthorized source address.
-Link – This port will be locked out the next time the link goes from UP to DOWN.

Command: show
Synopsis: show params...
Description: Display the current Ethernet settings, where params can be:
• mirror Ex – Display any mirroring assignment on port Ex.
• port Ex – Display the properties controlled by the set port command (above) on port Ex.
• rate-limit Ex – Display the properties controlled by the set rate-limit command (above) on port Ex.
• security Ex – Display the properties controlled by the set security command (above) on port Ex.
• statistics Ex – Display extended statistics for port Ex.
• status Ex – Display status information for port Ex.

Command: unlock
Synopsis: unlock port portnum
Description: Unlock a port, where portnum is the ID of a port in the format E1, E2, etc.

For more information see the descriptions of Ethernet functionality in Section 3.4, “Ethernet Tasks”.

4.2.3.10 The firewall Command

Table 4-11 explains the commands available for managing and monitoring the firewall when the MagnumDX(firewall)# prompt is displayed or from the MagnumDX# prompt using a firewall prefix. For example:

MagnumDX# firewall add filter default src-address 192.168.1.0 protocol tcpdst ports 23

or

MagnumDX(firewall)# edit stateful filter 5 logging y

Table 4-11. CLI firewall Commands

Command: add
Synopsis: add filter param | stateful filter param | group groupname
Description: Add a filter, a stateful filter, or a group to the system. The param arguments to the add filter command specify the types of information to be included.
• interface interface_ID – Specify an IP interface (or group of interfaces) to which to apply the filter.
• src-address ipaddress – Specify the source address of allowed IP packets.
• src-mask netmask – The source network mask of allowed IP packets.
• dst-addr ipaddress – Specify the destination address of allowed IP packets.
• dst-mask netmask – The destination network mask of allowed IP packets.
• protocol protospec – Specify a protocol type and direction, where protospec can be:
-icmp – allowed ICMP types
-tcpdst – allowed TCP destination ports
-tcpsrc – allowed TCP source ports
-udpdst – allowed UDP destination ports
-udpsrc – allowed UDP source ports
-esp – allow IPsec ESP packets (IP protocol 50)
-ah – allow IPsec AH packets (IP protocol 51)
-ospf – allow OSPF packets (IP protocol 89)
-vrrp – allow VRRP packets (IP protocol 112)
• ports portlist – The list of allowed logical protocol port numbers. These are dependent on the value of the Protocol/dir parameter, for instance 80 and 443 for HTTP and HTTPS.

The groupname argument to the add group command is a user-supplied group name of up to 15 printable characters.

The param arguments to the add stateful filter command specify the types of information to be included.
• interface interface_ID – Specify an IP interface (or group of interfaces) to which to apply the filter.
• src-address ipaddress – Specify the source address of allowed IP packets.
• src-mask netmask – The source network mask of allowed IP packets.
• dst-addr ipaddress – Specify the destination address of allowed IP packets.
• dst-mask netmask – The destination network mask of allowed IP packets.
• protocol protospec – Specify a protocol type and direction, where protospec can be:
-icmp – allowed ICMP types
-tcpdst – allowed TCP destination ports
-tcpsrc – allowed TCP source ports
-udpdst – allowed UDP destination ports
-udpsrc – allowed UDP source ports
• ports portlist – The list of allowed logical protocol port numbers. These are dependent on the value of the Protocol/dir parameter, for instance 80 and 443 for HTTP and HTTPS.
• logging y|n – If y is selected, matching TCP connections will be written to the event log.

Command: delete
Synopsis: delete filter ID | stateful filter ID | group group-name
Description:
Delete the filter or stateful filter identified by ID or the group identified by group-name.

Command: edit
Synopsis: edit filter ID | stateful filter ID key newval
Description: Edit the filter identified by filter ID, or the stateful filter identified by stateful filter ID. Any of the values described under the add command (above) can be modified in an existing filter, where:
• key – Is the keyword for a parameter, such as protocol or logging.
• newval – Is the new value for the parameter specified by key.
Note: A given ID can be learned by using the show all filters command. The filterID is necessarily displayed in the CLI. This value is not used in the graphical interface but the system will assign a filterID to a filter created in the graphical interface.

Command: set
Synopsis: set interface ID param...
Description: Where ID identifies an interface and where the possible values for param are:
• status enabled | disabled – Enable or disable firewall protection on the interface identified by ID.
• group none | groupname – Assign the interface identified by ID to the group identified by groupname. (groupname may consist of up to 15 printable characters.)

Command: show
Synopsis: show params...
Description: Where the possible values for params are:
• filter ID – The filter command with no argument displays all configured filters. With the ID spec supplied it displays only the filter identified by ID.
• group – Display information on all groups.
• interface ID – The interface command with no argument displays all configured interfaces. With the ID spec supplied it displays only the interface identified by ID.
• stateful filter ID – The stateful filter command with no argument displays all configured stateful filters. With the ID spec supplied it displays only the stateful filter identified by ID.
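The allow-list semantics of Table 4-11 as a constructed Python model (an added example, not GarrettCom code): it parses add filter and add stateful filter command lines into the parameters listed above and evaluates constructed packets against them, so the effect of src-mask, protospec and ports on a given packet can be checked before a rule goes onto a live interface. Default-deny on a protected interface, the host-mask default, and treating a bare token after filter as the interface ID are assumptions, marked as such in the code.

```python
"""Constructed model of Table 4-11's 'firewall add filter' semantics (added example, not GarrettCom
code). Assumed, because the page does not say: a filter lists *allowed* packets and an interface with
protection enabled drops what no filter allows; a missing mask means one host; a bare token after
'filter' is the interface ID, as in the guide's 'filter default ...' example."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
# protospec keyword -> (IP protocol number, packet field that the 'ports' list constrains)
PROTOSPEC: Dict[str, Tuple[int, Optional[str]]] = {
    "icmp": (1, "icmp_type"), "tcpdst": (6, "dst_port"), "tcpsrc": (6, "src_port"),
    "udpdst": (17, "dst_port"), "udpsrc": (17, "src_port"),
    "esp": (50, None), "ah": (51, None), "ospf": (89, None), "vrrp": (112, None)}
STATEFUL_PROTOS = {"icmp", "tcpdst", "tcpsrc", "udpdst", "udpsrc"}  # the stateful list stops at udpsrc
KEYS = {"interface", "src-address", "src-mask", "dst-addr", "dst-mask", "protocol", "ports", "logging"}

@dataclass
class Filter:
    filter_id: int                      # system-assigned ID, as listed by 'show all filters'
    interface: str
    stateful: bool = False
    src_address: Optional[str] = None
    src_mask: str = "255.255.255.255"   # assumed default: a single host
    dst_addr: Optional[str] = None
    dst_mask: str = "255.255.255.255"
    protocol: Optional[str] = None
    ports: Set[int] = field(default_factory=set)  # empty = any port / ICMP type
    logging: bool = False               # stateful filters only

@dataclass
class Packet:
    interface: str
    src: str
    dst: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

def parse_add_filter(line: str, filter_id: int) -> Filter:
    """Parse 'firewall add filter ...' or 'firewall add stateful filter ...' (constructed parser)."""
    tok = shlex.split(line)
    if tok[:3] == ["firewall", "add", "filter"]:
        stateful, rest = False, tok[3:]
    elif tok[:4] == ["firewall", "add", "stateful", "filter"]:
        stateful, rest = True, tok[4:]
    else:
        raise ValueError("expected 'firewall add [stateful] filter ...'")
    if rest and rest[0] not in KEYS:          # bare interface ID, as in the guide's example
        rest = ["interface"] + rest
    f = Filter(filter_id=filter_id, interface="", stateful=stateful)
    for key, val in zip(rest[0::2], rest[1::2]):
        if key == "protocol":
            if val not in PROTOSPEC or (stateful and val not in STATEFUL_PROTOS):
                raise ValueError(f"protocol {val!r} is not valid for this filter type")
            f.protocol = val
        elif key == "ports":
            f.ports = {int(p) for p in val.split(",")}
        elif key == "logging" and stateful:
            f.logging = val == "y"
        elif key in KEYS - {"ports", "logging"}:
            setattr(f, key.replace("-", "_"), val)
        else:
            raise ValueError(f"parameter {key!r} is not valid here")
    if not f.interface:
        raise ValueError("interface is required")
    return f

def _in_net(addr: str, base: Optional[str], mask: str) -> bool:
    return base is None or ipaddress.ip_address(addr) in ipaddress.ip_network(f"{base}/{mask}", strict=False)

def matches(f: Filter, p: Packet) -> bool:
    if f.interface != p.interface:
        return False
    if not (_in_net(p.src, f.src_address, f.src_mask) and _in_net(p.dst, f.dst_addr, f.dst_mask)):
        return False
    if f.protocol is None:                     # no protospec: any protocol between those addresses
        return True
    proto_num, port_field = PROTOSPEC[f.protocol]
    if p.proto != proto_num:
        return False
    return port_field is None or not f.ports or getattr(p, port_field) in f.ports

def evaluate(filters: List[Filter], enabled: Set[str], p: Packet) -> Tuple[str, Optional[int]]:
    if p.interface not in enabled:             # protection disabled on this interface: passes everything
        return "allow", None
    for f in filters:                          # first matching filter wins
        if matches(f, p):
            return "allow", f.filter_id
    return "deny", None

# Constructed filter set for interface 'default' (addresses and IDs are made up).
FILTERS = [
    parse_add_filter("firewall add filter default src-address 192.168.1.0 src-mask 255.255.255.0 "
                     "protocol tcpdst ports 23", 1),
    parse_add_filter("firewall add stateful filter default dst-addr 10.0.0.5 protocol udpdst "
                     "ports 161,162 logging y", 2),
    parse_add_filter("firewall add filter default protocol ospf", 3)]
ENABLED = {"default"}  # as after 'firewall set interface default status enabled'
```

`evaluate` returns the verdict together with the ID of the filter that produced it, which is the value `show all filters` would display for that rule.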
For more information see the descriptions of firewall functionality in Section 3.10.6, “Firewall”.

4.2.3.11 The fr Command

Table 4-12 explains the commands available for Frame Relay configuration and monitoring when the MagnumDX(fr)# prompt is displayed or from the MagnumDX# prompt using an fr prefix. For example:

MagnumDX# fr set port W1 frag 1600 lmitype lmi lmimode user

or

MagnumDX(fr)# add dlci W1 100 cir 1000 ip y

Table 4-12. CLI fr Commands

Command: add dlci
Synopsis: add dlci param...
Description: Add a DLCI (Data Link Connection Identifier) to the specified port. The required parameters are:
• portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
• dlciID – Where dlciID is the Data Link Connection Identifier in a range 16-1022.
Optional parameters are:
• cir cirvalue – Where cirvalue is the Committed Information Rate in bits per second. The valid range is 1-2097152. If no value is specified the bit rate of the port is the CIR.
• ip y | n – Specify y to make the DLCI an IP interface (RFC 1490). Specify n to direct that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI. The default value is y.

Command: delete dlci
Synopsis: delete dlci param...
Description: Delete the specified DLCI. The required parameters are:
• portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
• dlciID – Where dlciID is the Data Link Connection Identifier of an existing DLCI associated with the port specified in portID.

Command: edit dlci
Synopsis: edit dlci param...
Description: Modify existing DLCI settings.
Required parameters are:
• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
• id dlciID – Where dlciID is the Data Link Connection Identifier of an existing DLCI associated with the port specified in portID.
Optional parameters are:
• cir cirvalue – Where cirvalue is the Committed Information Rate in bits per second. The valid range is 1-2097152. If no value is specified the bit rate of the port is the CIR.
• ip y | n – Specify y to make the DLCI an IP interface (RFC 1490). Specify n to direct that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI.

Command: set port
Synopsis: set port param...
Description: Configure DLCI settings for the specified port. The required parameter is:
• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
Optional parameters are:
• frag fragvalue – Where fragvalue is an integer in the range 8-1600 that represents the maximum bytes in a frame relay fragment. The default, 1600, is the maximum transmission unit (MTU) setting, plus frame relay overhead, for the DLCI IP interfaces.
• lmitype type – Where type is the LMI (Local Management Interface) type and may take one of the following values:
-none
-lmi
-ccitt
-ansi
• lmimode mode – Where mode may take one of the following values:
-network
-user
-nni

Command: show
Synopsis: show dlci params | port params
Description: Display information about Frame Relay settings or status. The params to follow show dlci can be:
• settings ID – The dlci settings command with no argument displays all DLCIs. The ID parameter may specify a WAN port or a circuit identifier to display information on a specified DLCI.
• status ID – The dlci status command with no argument displays the status of all DLCIs. The ID spec may specify a WAN port or a circuit identifier to display status on a specified DLCI.
The params to follow show port can be:
• settings ID – Display information configured with the fr set port command. The port settings command used with no argument displays information on all WAN ports. The ID parameter identifies a specific WAN port.
• statistics ID – Display performance information for the WAN port specified by ID.

For more information see the descriptions of Frame Relay configuration and monitoring in Section 3.6.4, “Frame Relay”, Section 3.6.5, “DLCI Settings” and Section 3.6.6, “DLCI Status”.

4.2.3.12 The ip Command

Table 4-13 explains the commands available for IP address management when the MagnumDX(ip)# prompt is displayed or from the MagnumDX# prompt using an ip prefix. For example:

MagnumDX# ip add route 192.168.2.0 255.255.255.0 192.168.1.100

or

MagnumDX(ip)# set address PPP-S1 192.168.3.3 remote 192.168.3.4

Table 4-13. CLI ip Commands

Command: add
Synopsis: add route parameters
Description: Possible parameters are:
• route parameters – Add a static IP route, where parameters can be:
-IPaddress – A valid destination IP address.
-subnetmask – A valid route mask.
-nexthop – A valid IP address for the next hop on this route. The “Next Hop” must be reachable via an attached LAN.

Command: clear address
Synopsis: clear address interface
Description: Clear the address and netmask specifications for the interface identified by interface.

Command: delete
Synopsis: delete route destinationnw
Description: Delete a static route where destinationnw is the IP address of the destination network to be deleted.

Command: flush arp
Synopsis: flush arp
Description: Clear the ARP table. This forces the software to re-execute an ARP for all hosts.

Command: set
Synopsis: set param...
Description:
Set a variety of IP management values. The available parameters are:
• address interface ipaddress netmask remoteIP – Assign a valid IP address, a network mask and the IP address of a remote host to the specified interface.
• option y|n – Select y to ignore this interface when advertising routes. Select n to treat this interface normally with respect to RIP.
• system interface – Specify an interface to serve as the default (or system) interface.

Command: show
Synopsis: show param...
Description: Display specified information. The available parameters are:
• addresses – Display information about all configured IP addresses.
• arp – Display the ARP table.
• options – Display option selection for each interface.
• routes – Display the contents of the routing table.
• static routes – Display configured static routes.

For more information see the description of IP address management in Section 3.8.1, “IP Addresses”.

4.2.3.13 The log Command

Table 4-14 explains the commands available for event log management when the MagnumDX(log)# prompt is displayed or from the MagnumDX# prompt using a log prefix. For example:

MagnumDX# log delete 20080315015451.log

or

MagnumDX(log)# dump 20080307004406.log

Table 4-14. CLI log Commands

Command: delete
Synopsis: delete filename
Description: Delete the log file specified by filename.

Command: dump
Synopsis: dump filename
Description: Display the contents of the log file specified by filename.

Command: set
Synopsis: set param
Description: Configure global logging settings, where param can be:
• mode enabled|disabled – Specify whether or not to record events in the system log.
• create freq – Specify the frequency with which to create new log files. Options are daily, weekly and monthly.
• files n – Specify the maximum number of log files to be preserved at any one time, where n is an integer in the range of 1-100. The default value is 14.
• size n – Specify the maximum size, in KB, of any log file, where n is an integer in the range of 1-128. The default value is 32KB.
• overwrite y|n – Indicates whether or not old log files should be deleted when the maximum number of log files is reached and a new log file must be created. If you do not specify the deletion of old files, no new log files will be created after the Max Log Files value is reached.

Command: show
Synopsis: show
Description: List the filenames, sizes, and status of available log files.

4.2.3.14 The modbus Command

Table 4-15 explains the commands available for Modbus management when the MagnumDX(modbus)# prompt is displayed or from the MagnumDX# prompt using a modbus prefix. For example:

MagnumDX# modbus add remote-slave 100 192.168.1.10 response 1000

or

MagnumDX(modbus)# edit master S3 exceptions n

Table 4-15. CLI modbus Commands

Command: add
Synopsis: add param...
Description: Where param specifies a modbus device. param can be:
• local-slave lslaveparams – Where lslaveparams can be:
-port Sn – Where Sn is s1, s2, etc. A unique identifier for the serial port to which the device is connected.
-device n – Where n, the Modbus/TCP unit identifier assigned to the device, is an integer in the range 1-247.
-variant rtu|ascii – Specify an RTU or an ASCII transmission mode. The default is RTU.
-priority default|expedited – Specify the default or expedited priority. (Use the qos show profiles command to display configured priority profiles.)
-response n – Where n is an integer in the range 10-10000 specifying the amount of time in msec to wait for a response from this device before giving up and sending back a Modbus exception message.
-exceptions y|n – Specify whether or not to send Modbus/TCP exception codes.
• master mastparams – Where mastparams can be:
-port Sn – Where Sn is S1, S2, etc. A unique identifier for the serial port to which the device is connected.
-variant rtu|ascii – Specify an RTU or an ASCII transmission mode. The default is RTU.
-priority DSprofile – Specify the DiffServ priority. (Use the qos show profiles command to display configured priority profiles.)
-exceptions y|n – Specify whether or not to send Modbus/TCP exception codes.
• remote-slave rslaveparams – Where rslaveparams can be:
-device n – Where n, the Modbus/TCP unit identifier assigned to the device, is an integer in the range 1-247.
-address IPaddress – The IP address of the remote Modbus/TCP server.
-idle n (optional) – Where n is an integer specifying the number of seconds (in a range of 1-604800) of idle time that can elapse before the TCP connection for this device is torn down. The default value is 10.
-response n (optional) – Where n is an integer specifying the number of milliseconds (in a range of 10-10000) that the client will wait before giving up on a request. If the client times out, it closes down the current TCP connection for the remote device. The default value is 1000.

Command: delete
Synopsis: delete param...
Description: Where param can be:
• local-slave device n – Where n specifies the device number of the local slave.
• master Sn – Where Sn specifies the port to which the master is attached.
• remote-slave device n – Where n specifies the device number of the remote slave.

Command: edit
Synopsis: edit dev key val
Description: Edit any of the values that can be configured with the add command, where:
• dev – is the device (local-slave, master, remote-slave), followed by the port designation.
• key – is the name of the parameter to be edited (variant, priority, etc.).
• val – is the new value of the parameter.

Command: show
Synopsis: show param...
Description: Display information about all configured IP addresses.
• connection – Display statistics for configured modbus connections.
• local-slave – Display local slave device configuration.
• master – Display master device configuration.
• remote-slave – Display remote slave device configuration.

For more information see the description of Modbus management in Section 3.5.4, “Modbus”.

4.2.3.15 The monitor Command

The monitor command is used to configure monitoring on a per-port basis and also to start the monitoring process. Note that the actual monitoring process can only be active for one port at a time.

The Protocol Monitor

The Protocol Monitor enables you to specify an Ethernet, serial, or WAN port for a detailed view of the data being sent and received. You can customize your real time report as to the protocol to observe, source and destination IP or MAC address or port, and display format.

Starting the Protocol Monitor

Start the protocol monitor by specifying a port to be monitored - in this example Ethernet port 3. Enter the following command at the MagnumDX# prompt:

MagnumDX# monitor e3

This command will result in the display of a monitor mode prompt:

MagnumDX(monitor)#

When the MagnumDX(monitor)# prompt is displayed you can enter any of the commands in the Protocol Monitor command set to control the display of information on Ethernet port 3. After you have configured the display to show the type and format of information you want, you begin the display of information with the start command. While you are in monitor mode you have exclusive access to the monitor feature.

The following example illustrates three configuration commands given in monitor mode followed by the start command.
This produces the Monitor Started message that confirms that monitoring has begun:

MagnumDX(monitor)# filter display ip
MagnumDX(monitor)# filter linenum 4
MagnumDX(monitor)# set mode terse
MagnumDX(monitor)# start
Monitor Started

You can also configure and start the Protocol Monitor from the MagnumDX# prompt by preceding each command with monitor and the ID of the port to be monitored. The example below executes the same commands as the previous example but does so from the basic MagnumDX# prompt rather than the monitor mode (MagnumDX(monitor)#) prompt:

MagnumDX# monitor e3 filter display ip
MagnumDX# monitor e3 filter linenum 4
MagnumDX# monitor e3 set mode terse
MagnumDX# monitor e3 start
Monitor Started

The Protocol Monitor Command Set

Table 4-16 explains the commands available for configuring and operating the Protocol Monitor when the MagnumDX(monitor)# prompt is displayed or from the MagnumDX# prompt using a monitor prefix.

Table 4-16. Protocol Monitor Command Set

Command: filter
Synopsis: filter [no] params...
Description: The param arguments to the filter command specify the types of information to be included. Only one filter may be configured on a single command line. In addition, only a single filter of each type may be specified.
• dlci circID – Display packets that have the matching DLCI circuit ID in the header. circID is a unique identifier for the DLCI. In most cases, the identifier includes the WAN port and the DLCI on that port, for example, W1-DLCI 104.
• dstip ipaddr – Display packets that have the matching destination IP address in the IP header. The IP address is specified in standard dotted notation, for example, 192.168.1.1.
• dstmac macaddr – Display packets that have the matching destination MAC address in the Ethernet header. The MAC address is specified as hex octets separated by colons, for example, 00:20:61:54:3A:CD.
• dstport portnum – Display packets that have the matching destination port in the TCP or UDP header. The port is specified as an integer between 1 and 65535.
• ip ipaddr – Display packets that have the matching IP address in either the source or the destination address field of the IP header.
• mac macaddr – Display packets that have the matching MAC address in either the source or the destination address field of the Ethernet header.
• port portnum – Display packets that have the matching port number as either the destination or the source port in the TCP or UDP header.
• srcip ipaddr – Display packets that have the matching source IP address in the IP header.
• srcmac macaddr – Display packets that have the matching source MAC address in the Ethernet header.
• srcport portnum – Display packets that have the matching source port in the TCP or UDP header.
• protocol icmp | tcp | udp – Display packets that have the matching protocol specified in the IP header.
To cancel a previously specified filtering option precede the specification with no. For example:

MagnumDX(monitor)# filter no dstip

Command: set
Synopsis: set property param
Description: Where the possible values for property are:
• display param – Specify a type of information to be displayed from among the following possible values of param:
-ethernet – The Ethernet header is parsed into fields and the payload is displayed as a raw hex dump.
-ip – The Ethernet header is ignored and the IP header is parsed into fields. The payload is displayed as a raw hex dump.
-ipfull – The Ethernet header is ignored and the IP header is parsed into fields. In addition, an attempt is made to parse additional fields in the payload based on its type.
-raw – No analysis is performed. The entire packet is displayed as a raw hex dump.
-tcp – The Ethernet header is ignored and part of the IP header is parsed into fields. In addition, TCP fields such as sequence number, acknowledgement number, and window size are displayed.
• format hex | ascii – In terse mode the ascii option causes the packet payload to be dumped in ASCII. This is especially useful for textual protocols such as HTTP.
• framenum enabled | disabled – When this property is enabled sequence numbers are applied to each packet.
• lines n – Limits the total number of payload lines displayed for a packet. If set to zero, the entire packet is displayed. n can be an integer value from 0 to 10.
• mode terse | verbose – Verbose mode changes the display formatting so that more white-space is used. Payloads are also automatically dumped in both hex and ASCII format. In some cases it may make the monitor output more readable at the expense of more transmitted characters per packet.
• timestamp diff | none | rel – Apply a timestamp to each packet. When diff (differential) is specified the timestamp on the current packet corresponds to how much time elapsed between this packet and the packet before it. When rel (relative) is specified the timestamp on the current packet corresponds to how much time has elapsed since the monitor was first started.

Command: show
Synopsis: show
Description: Display the current monitor configuration for the port being monitored. This command prints all of the configured formatting options as well as any configured filters for the port.
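The filter and display rules in Table 4-16, modelled in Python as an added example (this is not GarrettCom code and does not run on the DX). It builds one constructed Ethernet/IPv4/TCP frame, parses it into the fields the filters refer to, applies filters with the same matching semantics as the table (ip, mac and port match either direction; the others match one field; all configured filters must match), and renders the payload the way set lines n and set format hex | ascii do. The dlci filter, WAN framing and checksums are not modelled, and all addresses and the HTTP payload are made up for the example.

```python
"""Model of the Protocol Monitor's filter and display stages (added example)."""
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Filters that match either direction; every other filter names one field.
EITHER_WAY = {"ip": ("srcip", "dstip"), "mac": ("srcmac", "dstmac"),
              "port": ("srcport", "dstport")}


def build_sample_frame():
    """Constructed sample: 00:20:61:00:00:aa -> 00:20:61:54:3a:cd,
    192.168.1.1:40123 -> 192.168.2.3:80, carrying a short HTTP request.
    IP and TCP checksums are left at zero (not verified by this model)."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40123, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, bytes([192, 168, 1, 1]),
                     bytes([192, 168, 2, 3]))
    eth = bytes.fromhex("002061543acd") + bytes.fromhex("0020610000aa") + b"\x08\x00"
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Split a frame into the fields the monitor's filters refer to."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fields = {"dstmac": mac(frame[0:6]), "srcmac": mac(frame[6:12]),
              "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if fields["ethertype"] != 0x0800:            # not IPv4: raw payload only
        fields["payload"] = frame[14:]
        return fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    fields.update(srcip=".".join(map(str, ip[12:16])),
                  dstip=".".join(map(str, ip[16:20])),
                  protocol=PROTO_NAMES.get(proto, str(proto)))
    l4 = ip[ihl:]
    if proto in (6, 17):                          # TCP or UDP: ports come first
        fields["srcport"], fields["dstport"] = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8
        fields["payload"] = l4[hdr_len:]
    else:
        fields["payload"] = l4
    return fields


def matches(fields, filters):
    """True if the packet satisfies every configured filter (one per type)."""
    for name, want in filters.items():
        keys = EITHER_WAY.get(name, (name,))
        if name.endswith("port"):
            found = any(fields.get(k) == int(want) for k in keys)
        else:
            found = any(str(fields.get(k, "")).lower() == str(want).lower()
                        for k in keys)
        if not found:
            return False
    return True


def dump_payload(payload, lines=0, fmt="hex"):
    """Render the payload 16 bytes per row; lines=0 shows the whole packet."""
    rows = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        if fmt == "ascii":
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        else:
            text = " ".join(f"{b:02x}" for b in chunk)
        rows.append(f"{off:04x}  {text}")
        if lines and len(rows) >= lines:
            break
    return rows


def render(fields, display="ip", lines=0, fmt="hex"):
    """One packet as the monitor would print it for the chosen display mode."""
    if display == "ethernet":
        head = (f"ETH {fields['srcmac']} -> {fields['dstmac']} "
                f"type 0x{fields['ethertype']:04x}")
    elif display == "tcp" and fields.get("protocol") == "tcp":
        head = (f"TCP {fields['srcip']}:{fields['srcport']} -> "
                f"{fields['dstip']}:{fields['dstport']}")
    else:
        head = (f"IP {fields.get('srcip')} -> {fields.get('dstip')} "
                f"proto {fields.get('protocol')}")
    return [head] + dump_payload(fields["payload"], lines, fmt)


if __name__ == "__main__":
    f = parse_frame(build_sample_frame())
    if matches(f, {"ip": "192.168.2.3", "protocol": "tcp"}):
        print("\n".join(render(f, display="tcp", lines=1, fmt="ascii")))
```

The matches function is the part worth keeping in mind when reading real monitor output: because every configured filter must hold, adding a second filter narrows the view rather than widening it, and the either-direction filters (ip, mac, port) are what you want when tracing a conversation rather than one side of it.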
Table 4-16. Protocol Monitor Command Set (continued)

Command: start
Synopsis: start
Description: Begin monitoring. Once the command has been issued, packets will be displayed. You can pause the display by pressing the Enter key. You can abort the monitor and return to the CLI by pressing the ESC key.

4.2.3.16 Protocol Monitor Output Example

For an Ethernet port with the Protocol Monitor configured as shown in Figure 4-4, sample output is illustrated in Figure 4-5.

Figure 4-4. Protocol Monitor Example Configuration

Figure 4-5. Protocol Monitor Example Output

4.2.3.17 The nat Command

Table 4-17 explains the commands available for Network Address Translation (NAT) management when the MagnumDX(nat)# prompt is displayed or from the MagnumDX# prompt using a nat prefix. For example:

MagnumDX# nat add static-translation tcp E1 192.168.3.3 10020 192.168.2.3 80

or

MagnumDX(nat)# edit port-forwarding 5 private-address 192.168.10.10

Table 4-17. CLI nat Commands

Command: add
Synopsis: add param
Description: Add a port forwarding rule or a static translation, where param can be:
• port-forwarding pfparams – where pfparams can be:
-IPaddress – The address of a server reachable from one of the router's private interfaces.
-tcp|udp – The protocol to forward.
-privportn – An integer in the range 1-65535 that specifies the port at which the service is accessible on the private server.
-pubportn – An integer in the range 1-65535 that specifies the port at which the server is accessible by hosts on the public network using the address of the router's public interface.
• static-translation stparams – where stparams can be:
-type typeparam – The type of translation. The possible values are:
nat – Translate the address only.
tcp – Translate the address and TCP port.
udp – Translate the address and UDP port.
-interfaceID – The interface upon which the translation occurs.
-origIPaddress – The original destination address of a packet received on this interface.
-original-port portn – Where portn is an integer in the range 1-65535 that specifies the original destination port of a packet received on this interface (ignored for the nat translation type).
-transIPaddress – If a match occurs this is the address that is substituted for the original address. Reply packets have the reverse translation applied automatically when they are sent back out the interface.
-translated-port portn – If a match occurs this is the port that is substituted for the original port (ignored for the nat translation type). Reply packets have the reverse translation applied automatically when they are sent back out the interface. The valid range is 1-65535.

Command: delete
Synopsis: delete param
Description: Delete a port forwarding rule or a static translation, where param can be:
• port-forwarding ruleID_n – Where ruleID_n is the system-supplied identifying number. (Use show port-forwarding to display the Rule ID.)
• static-translation ruleID_n – Where ruleID_n is the system-supplied identifying number. (Use show static-translation to display the Rule ID.)

Command: edit
Synopsis: edit param
Description: Edit a value or values in a configured port forwarding rule or a static translation. param takes the form port-forwarding | static-translation ruleID_n param newvalue, where:
• ruleID_n is the system-supplied identifying number. (Use show port-forwarding | static-translation to display the Rule ID.)
• param is the name of the configured parameter to be edited.
Valid names for port-forwarding are: private-address, protocol, private-port, public-port.
Valid names for static-translation are: type, interface, original-address, original-port, translated-address, translated-port.
• newvalue is the value to replace the previously configured value.

Command: set
Synopsis: set param
Description: Enable NAT and specify a public interface, where param can be:
• dynamic-napt enabled | disabled – Enable or disable Network Address and Port Translation.
• public-interface IFname – Where IFname specifies the public interface where the translation will take place.

Command: show
Synopsis: show param
Description: Display information about any of the three possible configured values for param:
• port-forwarding
• settings
• static-translation
For more information see the description of NAT management in Section 3.8.9, “NAT”.

4.2.3.18 The ospf Command

Table 4-18 through Table 4-22 explain the commands available for Open Shortest Path First (OSPF) protocol management when the MagnumDX(ospf)# prompt is displayed or from the MagnumDX# prompt using an ospf prefix. For example:

MagnumDX# ospf add area 0.0.2.2 import-as no-external summary y

or

MagnumDX(ospf)# edit aggregate 0.0.1.1 192.168.2.0 255.255.255.0 effect advertise

The ospf add Commands

Table 4-18. CLI ospf add Commands

Command: ospf add aggregate
Synopsis: ospf add aggregate IDspec parameters
Description: Aggregate subnet addresses within an OSPF area to be represented with a single address, where IDspec is the OSPF area the address aggregate is to be found within and parameters can be:
-net – The IP address of the net or subnet indicated by the range.
-mask – The subnet mask that pertains to the net or subnet.
-effect advertise|do-not-advertise – Indicates whether or not the aggregate is advertised outside the area.
Example: ospf add aggregate 0.0.0.5 192.168.1.0 255.255.255.0 effect advertise

Command: ospf add area
Synopsis: ospf add area areaID parameters
Description: Add an OSPF area, where areaID is a 32-bit integer (in dotted decimal notation) that uniquely identifies an area and parameters can be any of the following:
• import-as – Indicates how routers in this area import information about networks outside of the area. import-as must be modified with one of the following three parameters:
-external – Import routing information for all networks, including those outside the AS.
-no-external – Import routing information only for networks within the AS.
-nssa – (Not So Stubby Area) External routing information is allowed to flow from the NSSA toward the backbone but not in the other direction.
• summary – Whether or not routers in this area receive summary Link State Advertisements (LSAs) for networks outside of this area. summary must be modified with one of the following two parameters:
-y – Routers in this area will receive summary LSAs.
-n – Routers in this area will not receive summary LSAs.
Example: ospf add area 0.0.0.4 import-as nssa

Command: ospf add profile
Synopsis: ospf add profile profilename parameters
Description: Add an OSPF profile, where profilename is a name for this profile. The name is a user-supplied alphanumeric string of 1-16 characters and parameters can be any of the following:
• transit-delay transdelayvalue – Where transdelayvalue is the estimated number of seconds it takes to transmit a link state update packet over this interface. The valid range is 1-4294967295.
• retrans-interval retransintervalue – Where retransintervalue is the estimated number of seconds between link state advertisement retransmissions for adjacencies belonging to this interface. The valid range is 1-4294967295.
• hello-interval hellointervalue – Specify (in seconds) the frequency with which hello packets will be sent from the interface. hellointervalue is an integer in the range 1-4294967295.
• dead-interval deadintervalue – The number of seconds that must elapse with no receipt of hello packets from a neighbor before OSPF concludes that that neighbor is unavailable. deadintervalue is an integer in the range 1-4294967295.
• auth-type authtypevalue – Specify the type of authentication to be used with neighbors. Possible values for authtypevalue are:
-None – No authentication is performed between neighbors.
-Simple – An authentication key is sent in the clear in every OSPF packet, so anyone who can capture traffic on the link can read it.
-MD5 – The shared key is used with MD5 to compute a keyed digest over each OSPF packet. Receiving routers recompute the digest to verify that the packet came from a neighbor holding the same key and was not altered in transit.
• key keyvalue – The authentication secret shared between neighboring routers where keyvalue is an alphanumeric string of 1-16 characters.
• id keyid – A key ID where keyid is an integer in the range 1-255 that uniquely identifies this key. Neighbors must agree on both the ID and the key it names.
Example: ospf add profile station1 transit-delay 5 retrans-interval 10 hello-interval 120 auth-type MD5 key ffl3 id 33

The ospf delete Commands

Table 4-19. CLI ospf delete Commands

Command: ospf delete
Synopsis: ospf delete aggregate|area|profile
Description: Delete specified OSPF configurations:
• aggregate IDspec net mask – Delete the specified OSPF aggregate.
• area areaID – Delete the OSPF area specified by areaID.
• profile profilename – Delete the OSPF profile specified by profilename.
Example: ospf delete aggregate 0.0.1.1 192.168.2.0 255.255.255.0
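What the auth-type, key and id profile parameters actually put on the wire, as an added example in Python (not GarrettCom code). It implements the OSPFv2 cryptographic authentication of RFC 2328 Appendix D, which is what a standards-conforming MD5 setting does: the key ID and a sequence number ride in the 8-byte authentication field, and a 16-byte MD5 digest of the packet followed by the key is appended after the packet. It also shows why Simple is weak by recovering the key from a single Simple-authenticated packet. Assumptions labelled in the code: keys shorter than 16 bytes are zero-padded (the common implementation convention), the OSPF checksum is left at zero, and the Hello body values are made up for the example.

```python
"""OSPFv2 authentication as selected by auth-type / key / id (added example)."""
import hashlib
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HDR_LEN = 24                                    # OSPFv2 header size in bytes


def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ospf_header(ptype, body_len, router_id, area_id, autype, auth_field):
    # version 2, type, length, router ID, area ID, checksum (assumed 0 here), AuType, auth
    return struct.pack("!BBH4s4sHH8s", 2, ptype, HDR_LEN + body_len,
                       ip4(router_id), ip4(area_id), 0, autype, auth_field)


def pad_key(key):
    """Assumption: keys under 16 bytes are zero-padded, as common implementations do."""
    raw = key.encode()
    if not 1 <= len(raw) <= 16:
        raise ValueError("key must be 1-16 characters")
    return raw.ljust(16, b"\0")


def md5_sign(ptype, body, router_id, area_id, key, key_id, seq):
    """Build an OSPF packet carrying an RFC 2328 Appendix D MD5 digest."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # reserved, key ID, digest len, seq
    packet = ospf_header(ptype, len(body), router_id, area_id, AUTH_MD5, auth) + body
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest                            # digest is not counted in length


def md5_verify(packet, keys_by_id, last_seq):
    """Recompute the digest with the key named by the packet's key ID.

    Returns (ok, seq). Rejects unknown key IDs, a wrong digest, and a sequence
    number lower than the last one accepted from this neighbour (replay).
    """
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    if autype != AUTH_MD5 or len(packet) != length + 16:
        return False, None
    key_id, auth_len, seq = struct.unpack("!xxBBI", packet[16:24])
    key = keys_by_id.get(key_id)
    if auth_len != 16 or key is None or seq < last_seq:
        return False, None
    expected = hashlib.md5(packet[:length] + pad_key(key)).digest()
    return hmac.compare_digest(expected, packet[length:]), seq


def simple_auth(ptype, body, router_id, area_id, key):
    """auth-type Simple: the (up to 8-byte) key is copied into the header as is."""
    return ospf_header(ptype, len(body), router_id, area_id, AUTH_SIMPLE,
                       key.encode().ljust(8, b"\0")) + body


def key_from_capture(packet):
    """What a passive listener learns from one Simple-authenticated packet."""
    return packet[16:24].rstrip(b"\0").decode()


# Constructed Hello body: mask, hello interval, options, priority, dead
# interval, DR, BDR. Values are chosen for the example, not taken from the guide.
HELLO_BODY = struct.pack("!4sHBBI4s4s", ip4("255.255.255.0"), 120, 0x02, 1, 480,
                         ip4("0.0.0.0"), ip4("0.0.0.0"))


if __name__ == "__main__":
    pkt = md5_sign(1, HELLO_BODY, "1.1.1.1", "0.0.0.0", key="ffl3", key_id=33, seq=100)
    print("MD5 verify:", md5_verify(pkt, {33: "ffl3"}, last_seq=0))
    leaked = key_from_capture(simple_auth(1, HELLO_BODY, "1.1.1.1", "0.0.0.0", "ffl3"))
    print("Simple auth key visible in capture:", leaked)
```

The sequence-number check is the part of the verification most often omitted when people describe OSPF MD5 as "just a hash": without it a captured Hello can be replayed indefinitely, which is enough to keep a dead adjacency alive or to reinject a stale LSA. Note also that the digest is a keyed hash, not a signature; any router holding the key can produce it, so the key ID only selects which shared key to use, it does not identify the sender.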
The ospf edit Commands

Table 4-20. CLI ospf edit Commands

Command: ospf edit aggregate
Synopsis: ospf edit aggregate area-id net mask effect advertise | do-not-advertise
Description: Toggle the advertise/do-not-advertise attribute of a configured OSPF aggregate, where:
• area-id net mask – Together identify a configured OSPF aggregate. (See the ospf add aggregate command, above, for details.)
• effect advertise | do-not-advertise – Indicates whether or not the aggregate is advertised outside the area.
Example: ospf edit aggregate 0.0.0.0 2.3.4.0 255.255.255.0 effect advertise

Command: ospf edit area
Synopsis: ospf edit area area-id parameters
Description: Edit the configured OSPF area configuration specified by area-id, where parameters can be:
• import-as external|no-external|nssa – See the ospf add area command, above, for details.
• summary y|n – See the ospf add area command, above, for details.
Example: ospf edit area 0.0.2.2 summary n

Command: ospf edit profile
Synopsis: ospf edit profile profile-name parameters
Description: Edit the configured OSPF profile configuration specified by profile-name, where parameters can be any of the following (see the ospf add profile command, above, for details): transit-delay, retrans-interval, hello-interval, dead-interval, auth-type, key, id.
Example: ospf edit profile Profile1 auth-type md5

The ospf set Commands

Table 4-21. CLI ospf set Commands

Command: ospf set as-border-router
Synopsis: ospf set as-border-router yes|no
Description: Specifies whether or not this router sits at the border between two autonomous systems. as-border-router must be modified with one of the following two parameters:
• yes – This router is located at the border between two autonomous systems.
• no – This router is not located at the border between two autonomous systems.
Example: ospf set as-border-router yes

Command: ospf set enabled
Synopsis: ospf set enabled yes|no
Description: Specifies whether or not the unit should use OSPF as its routing protocol. enabled must be modified with one of the following two parameters:
• yes – OSPF is enabled on this unit.
• no – OSPF is not enabled on this unit.
Example: ospf set enabled yes

Command: ospf set import-rip-routes
Synopsis: ospf set import-rip-routes yes|no
Description: Specify whether or not RIP routes are redistributed by this router into the OSPF network. import-rip-routes must be modified with one of the following two parameters:
• yes – RIP routes are redistributed into the OSPF network by this router.
• no – RIP routes are not redistributed into the OSPF network by this router.
Example: ospf set import-rip-routes yes

Command: ospf set import-static-routes
Synopsis: ospf set import-static-routes yes|no
Description: Specify whether or not static routes are redistributed by this router into the OSPF network. import-static-routes must be modified with one of the following two parameters:
• yes – Static routes are redistributed into the OSPF network by this router.
• no – Static routes are not redistributed into the OSPF network by this router.
Example: ospf set import-static-routes yes

Command: ospf set interface
Synopsis: ospf set interface parameters
Description: Where parameters can be any of the following:
• enabled – Specify whether or not to enable OSPF on this interface. enabled must be modified with one of the following two parameters:
-Yes – This interface is included in the OSPF protocol.
-No – OSPF does not run on this interface and OSPF will not advertise this subnet.
• area areaID – The OSPF area to which this interface belongs.
• priority priorityvalue – An integer in the range 0-255 that specifies a priority for this router. This value is used in electing a designated router on a broadcast network. The greater the value the higher the priority and the greater the likelihood that this router will be elected the designated router.
• profile profilename – Specify a profile to apply to this interface. Each profile contains a set of OSPF configuration parameters. Profiles are defined with the ospf add profile (or ospf edit profile) command and can be viewed with the show ospf profile command.
• type typespec – The media type of the interface. Possible types are: broadcast, nbma, point-to-point, point-to-multipoint.
• metric n – Where n is an integer in the range 0-65535 that indicates the relative cost of passing traffic over this interface.

Command: ospf set rip-route-metric
Synopsis: ospf set rip-route-metric n
Description: Specify a specific OSPF cost metric that will be used for all RIP routes imported into the OSPF routing domain. The default value is 20 and the valid range is 0-16777214.
Example: ospf set rip-route-metric 100

Command: ospf set router-id
Synopsis: ospf set router-id X.X.X.X
Description: Where X.X.X.X is a 32-bit integer that is unique within the OSPF Autonomous System (AS). It is written in standard dotted decimal notation.
Example: ospf set router-id 1.1.1.1

Command: ospf set static-route-metric
Synopsis: ospf set static-route-metric n
Description: Specify a specific OSPF cost metric that will be used for all static routes imported into the OSPF routing domain. The default value is 20 and the valid range is 0-16777214.
Example: ospf set static-route-metric 1000

The ospf show Commands

Table 4-22.
CLI ospf show Commands

Command: show ospf
Synopsis: show ospf [parameters]
Description: show ospf (without parameters) displays basic OSPF configuration information. parameters can be any of the following:
• aggregate – Displays information about configured OSPF aggregates.
• area – Displays information about configured OSPF areas.
• interface – Displays information about configured OSPF interfaces.
• neighbor – Displays information about OSPF neighbors.
• profile – Displays information about configured OSPF profiles.
• settings – Displays information about OSPF global settings.
Example: show ospf interface

4.2.3.19 The password Command

Table 4-23 explains the command available for password management when the MagnumDX(password)# prompt is displayed or from the MagnumDX# prompt using a password prefix. For example:

MagnumDX# password change

Table 4-23. CLI password Command

Command: change
Synopsis: change
Description: Change the current password to a new password. After you enter the change command and press Return you are asked to respond to three prompts. (Note that for security reasons your input is not visible on the screen):
• Old Password: – Enter the current password.
• New Password: – Enter the new password.
• Retype Password: – Repeat the new password.
After these three steps are completed the new password is in effect. For more information see the description of the HTML-based Change Password command in Section 3.2.7.

4.2.3.20 The ping Command

Table 4-24 explains the ping command. This command is available from the MagnumDX# prompt. For example:

MagnumDX# ping 192.168.1.2

Table 4-24. CLI ping Command

Command: ping
Synopsis: ping ipaddress
Description: Test the accessibility of another device at ipaddress.
4.2.3.21 The ppp Command

Table 4-25 explains the commands available for Point-to-Point Protocol (PPP) management when the MagnumDX(ppp)# prompt is displayed or from the MagnumDX# prompt using a ppp prefix. For example:

MagnumDX# ppp add profile Profile2 lcp-echo-interval 30

or

MagnumDX(ppp)# edit connection S1 username user1

Table 4-25. CLI ppp Commands

Command: add
Synopsis: add params...
Description: Add PPP configurations, where params can be:
• connection connspecs – Add a PPP connection, where connspecs can be:
-Sx – A serial port identifier (S1, S2, etc.).
-profile profname – The name of a PPP profile to use on this connection.
-username namespec – Specify a PAP or CHAP username of up to 32 characters. A device attempting a PAP or CHAP PPP connection to the DX on this port must use the username defined here.
• profile profspecs – Add a PPP profile, where profspecs can be:
-profname – A user-supplied name of up to 16 characters for this profile.
-lcp-echo-interval secs – Where secs is the frequency in seconds of LCP (Link Control Protocol) keep-alive exchanges. The default value is 30 and the valid range is 3-3600.
-authentication-type authspec – Specify an authentication type where authspec can be one of: none, chap, pap, chpap. With pap the peer's password crosses the serial link in the clear; with chap the peer sends only an MD5 response to a challenge, so prefer chap where the peer supports it.
-assign-ip y|n – If y the PPP process will use the Internet Protocol Control Protocol (IPCP) to assign an IP address to the remote PPP client.
-use-modem y|n – If y the serial port will attempt to initialize a connected Hayes modem and answer incoming dial-in calls.
-tcp-compression y|n – If y PPP will attempt to negotiate Van Jacobson TCP header compression with the remote client.

Command: delete
Synopsis: delete connection Sx | profile profname
Description: Delete the PPP connection specified by Sx or the PPP profile specified by profname.
Table 4-25. CLI ppp Commands (continued)

Command: edit
Synopsis: edit params...
Description: Edit configured PPP values, where params can be:
• connection Sx key val – Where Sx is the port number of a PPP connection, key is a keyword for a value, such as profile, and val is the new value.
• profile profname key val – Where profname is the name of a PPP profile, key is a keyword for a value, such as assign-ip, and val is the new value.
See the ppp add command (above) for details of keywords and values.

Command: restart
Synopsis: restart connection Sx
Description: Restart the PPP connection on the port specified by Sx.

Command: show
Synopsis: show param
Description: Display PPP configuration information, where param can be:
• connection – Display information about configured PPP connections.
• profile – Display information about configured PPP profiles.
• statistics – Display PPP performance statistics.
• status – Display information about the status of PPP connections.
For more information see the description of PPP management in Section 3.7, “PPP Tasks”.

4.2.3.22 The qos Command

Table 4-26 explains the commands available for Quality of Service (QoS) management when the MagnumDX(qos)# prompt is displayed or from the MagnumDX# prompt using a qos prefix. For example:

MagnumDX# qos add profile tester code 44 priority 1 tag 3

or

MagnumDX(qos)# set port E1 rule default priority 2

Table 4-26. CLI qos Commands

Command: add
Synopsis: add params...
Description: Add QoS management configurations, where params can be:
• flow flowparams – Where flowparams can be:
-diffserv diffservprofile – Where diffservprofile specifies a diffserv profile to associate with this flow. If no diffserv profile is specified on the command line the first profile in the diffserv profiles table will be used.
(Use the show profile command to view the diffserv profile table.)
-src-address IPaddress (optional) – The source address of IP packets in the flow. If no source address is specified this value is a wildcard, that is, any source address is accepted.
-src-mask mask (optional) – The source network mask. This field allows a flow to be described in terms of an entire subnet. If no source mask is specified and the source address field is specified then only one source address matches the flow.
-dst-addr address (optional) – The destination address of IP packets in the flow. If no destination address is specified this value is a wildcard, that is, any destination address is accepted.
-dst-mask mask (optional) – The destination network mask. This field allows a flow to be described in terms of an entire subnet. If no destination mask is specified and the destination address field is specified then only one destination address matches the flow.
-protocol prottype (optional) – prottype can be one of seven values which determine the meaning of the TCP or UDP ports or ICMP types given with -ports:
ah – IPsec AH packets (IP protocol 51) in the flow
esp – IPsec ESP packets (IP protocol 50) in the flow
icmp – ICMP types in the flow
tcpdst – TCP destination ports in the flow
tcpsrc – TCP source ports in the flow
udpdst – UDP destination ports in the flow
udpsrc – UDP source ports in the flow
-ports portlist – A list of virtual port numbers or ICMP types in the flow. List port numbers in ascending order, separated by commas. For a partial list of Well Known Port numbers see Section B.1, “Well Known TCP/UDP Network Ports”. For a list of ICMP types see Section B.2, “ICMP Types”.
• profile name profparams – Where name is a user-assigned name of up to 40 printable characters and profparams can be:
-code c – Where c is the value of a 6-bit DiffServ Code Point (DSCP).
Valid values are 0-63.
-priority p – Where p is the queuing priority of a packet tagged with the DSCP specified with code c. (The higher the priority value the more urgent the priority.) The valid range is 1-4.
-tag t – When an IP packet is generated by the DX it is assigned a DSCP (by default, Best Effort 0x00 is used). The packet may optionally be assigned an 802.1p priority tag based on the DSCP as specified by this field. The tag value t can be 0-7 or the special value “None,” meaning that no mapping between DSCP and priority is implemented and thus no marking is made. This field has no effect when the IP packet being processed is not carried in an Ethernet frame.
Note: The mapping is performed only for packets generated by the DX. Bridged packets retain whatever markings they had when they were received.

Command: delete
Synopsis: delete params
Description: Delete a configured flow or profile, where params can be:
• flow flowID – Delete the flow specified by flowID. (Use the show flow command to display flow IDs.)
• profile name – Delete the profile specified by name. (Use the show profile command to display profile names.)

Command: edit
Synopsis: edit params
Description: Edit parameters of configured flows or profiles, where params can be:
• flow flowID param editvalue – Where:
-flowID is the ID of the flow to be edited.
-param is one of the configurable flow parameters. (See the add command above for details.)
-editvalue is the new value for this parameter.
• profile name param editvalue – Where:
-name is the name of the profile to be edited.
-param is one of the configurable profile parameters. (See the add command above for details.)
-editvalue is the new value for this parameter.

Command: set
Synopsis: set param...
Description: Determine how an Ethernet port assigns a priority to an incoming frame. It maps a Port ID to a default priority from one of the four available switch priority queues.
It also allows you to specify whether incoming packets will be assigned that default priority or another priority, depending on the presence or absence of DiffServ or 802.1p information. The parameters are:
• port En params – Where En specifies an Ethernet port (E1, E2, etc.) and params can be:
-rule rulespec – Where rulespec is a rule for assigning the priority of packets that are received by the specified port. rulespec may be any of the following:
Default – Always use the Default Priority for the port (default).
DiffServ – Use the DSCP if it is present, otherwise use the Default Priority.
802p – Use the 802.1p tag if it is present, otherwise use the Default Priority.
The DiffServ and 802p rules trust markings written by whatever is attached to the port, so a host on that port can place its own traffic in the highest queue; use them only on ports facing devices you control and leave untrusted ports at Default.
-priority – The Default Priority for port En. See above for when the default priority is used. The valid range is 1-4, a higher value representing a higher priority. The default value is 3.
• tag int1 priority int2 – Assign a priority where int1 is an 802.1p tag in the range 1-7 and int2 is a switch priority queue value in the range 1-4. The 802.1p value specified by int1 will be equated with the priority queue value specified by int2.

Command: show
Synopsis: show param
Description: Display information about QoS configuration, where param can be:
• flow
• flow flowID
• port
• profile
• tag
For more information see the description of QoS management in Section 3.9, “QoS Tasks”.

4.2.3.23 The radius Command

Table 4-27 explains the commands available for Remote Authentication Dial-In User Service (RADIUS) management when the MagnumDX(radius)# prompt is displayed or from the MagnumDX# prompt using a radius prefix.
For example:

MagnumDX# radius set default-level readonly

or

MagnumDX(radius)# add server 192.168.2.11 port 1812 retries 5 timeout 10 role secondary
Enter secret:
Re-enter secret:

Table 4-27. CLI radius Commands

Command: add
Synopsis: add server IPaddress params...
Description: Add a RADIUS server to query specified by IPaddress, and where params can be:
• port p – The UDP port used to send requests, where p is an integer in the range 0-65535. Authentication servers use UDP port 1812. Accounting servers use port 1813. Use of the legacy port 1645 is not recommended because it conflicts with the “datametrics” service. The default value is 1812.
• retries r – The number of times the client will retry a request in the event a server is not responding or is slow to respond. r is one of the following integers: 1, 3, 5, 10. The default value is 3.
• timeout t – The time in seconds the client will wait for each retry attempt. t is one of the following integers: 1, 2, 3, 4, 5, 10, 15, 20, 30. The default value is 3.
• role primary|secondary – This parameter defines the order in which servers are accessed. If the primary is down, the system attempts to contact the secondary server. The default value is primary.

Command: delete
Synopsis: delete server IPaddress
Description: Delete the configured RADIUS server specified by IPaddress.

Command: edit
Synopsis: edit params...
Description: Edit the specified RADIUS parameter, where params can be:
• secret IPaddress – Where IPaddress is the IP address of a configured RADIUS server. After you enter Return the system will prompt for the new secret text string.
• server IPaddress radiusparams – Where IPaddress is the IP address of a configured RADIUS server and radiusparams can be any of the following (see the add command, above, for details): port, retries, timeout, role.

Command: set
Synopsis: set params...
Specify global settings for your RADIUS service, where params can be:
• auth-control cont – This parameter determines whether the system uses its own local user database or a RADIUS server for authentication. cont can take the following values:
-local – Use the local user database (default).
-radius – Use a configured RADIUS server.
• auth-port portn – Where portn is an integer in the range 0-65535. This is the UDP port used to communicate with the RADIUS server that is configured for authentication. The default value of portn is 1812.
• challenge prot – Where prot is the protocol to be used when validating user credentials. It can take the following values:
-PAP – Username/password sent in the clear (default).
-CHAP – Uses challenge and MD5 hash.
• default-level lvl – This parameter determines the default privilege level assigned to a user when a RADIUS server does not provide vendor-specific attributes. It can take the following values:
-noaccess (default)
-readonly
-readwrite
-admin
• local-address LocalIP – Available options for LocalIP are:
-Any – Packets will use their actual egress interface address as a source address.
-x.x.x.x – Packets will use the source address specified by x.x.x.x. This may be necessary for conformity with VPN or NAT configurations.

show servers | settings
Display information about:
• Configured RADIUS servers. This option displays the parameters configured with the add command.
• Configured global parameters. This option displays the parameters configured with the set command.
For more information see the description of RADIUS management in Section 3.10.7, “Radius”.
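The PAP and CHAP values of the challenge parameter differ in what the DX sends towards the RADIUS server. The following Python is an added example, not GarrettCom code: it models CHAP as RFC 1994 defines it (identifier, password and challenge hashed with MD5) beside what PAP places on the wire. The function names and the sample passwords are the author's.

```python
import hashlib
import hmac
import secrets

# Added example (not GarrettCom code): the difference between the DX
# 'radius set challenge PAP' and 'radius set challenge CHAP' settings,
# modelled on CHAP as specified in RFC 1994. Helper names are the author's.


def pap_on_the_wire(username: str, password: str) -> dict:
    """PAP: the credential forwarded to the RADIUS server is the password itself.
    (RFC 2865 obfuscates User-Password with the shared secret, but anyone who
    holds that secret recovers the cleartext.)"""
    return {"User-Name": username, "User-Password": password}


def chap_challenge(length: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for each login attempt.
    Reusing a challenge would let a captured response be replayed."""
    return secrets.token_bytes(length)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Client side (RFC 1994 section 4.1): MD5(identifier || secret || challenge).
    The password never leaves the client; only this 16-byte digest does."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify(ident: int, stored_password: str, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute from the stored password and compare in constant
    time. Note what this requires: the server must hold the password in
    recoverable form, not as a salted one-way hash."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def chap_login(stored_password: str, supplied_password: str, ident: int = 1) -> bool:
    """One complete challenge/response exchange between the two sides."""
    challenge = chap_challenge()                                   # server -> client
    response = chap_response(ident, supplied_password, challenge)  # client -> server
    return chap_verify(ident, stored_password, challenge, response)
```

Two points follow from the code. CHAP keeps the password away from a passive observer, but the server must store it in recoverable form to recompute the digest, and a recorded challenge/response pair can still be tested offline against password guesses; the setting therefore does not excuse weak credentials or an unprotected path between the DX and the RADIUS server.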
4.2.3.24 The rip Command

Table 4-28 explains the commands available for Routing Information Protocol (RIP) management when the MagnumDX(rip)# prompt is displayed or from the MagnumDX# prompt using a rip prefix. For example:
MagnumDX# rip set compatible y
or
MagnumDX(rip)# set interface default enabled

Table 4-28. CLI rip Commands

set param...
Set a range of RIP values, where param can be:
• compatible y|n – If y, RIP will assume classful addressing in order to be compatible with RIP-1 routers. If n, RIP routes with CIDR masks will be propagated and learned as per RIP-2.
• expire nsec – Where nsec is the number of seconds between updates before a route is invalidated. (The route is temporarily invalidated but is not deleted until expiration of the flush timer. See below.) Valid range = 1 to 600 seconds. Default value = 180.
• flush nsec – Where nsec is the number of additional seconds to wait after a route expires (as specified with the expire parameter, see above) before that route is deleted entirely from the routing table. Valid range = 1 to 600 seconds. Default value = 120.
• gateway y|n – If this parameter is set to y, the router advertises itself as a default gateway.
• import-ospf-routes y|n – If set to y, OSPF routes are redistributed into the RIP network by this router.
• interface name enabled|disabled – Enable or disable the interface specified by name.
• mode disabled|v1|v2|v2multi|v2local – Specify a RIP mode.
• ospf-route-metric hops – Where hops is a fixed hop count that will be used for all OSPF routes imported into the RIP routing domain.
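The expire and flush timers work together: a route that stops being refreshed is first marked invalid and only later deleted. The simulation below is an added example, not GarrettCom code. It uses the page's defaults of 180 and 120 seconds; the metric-16 "unreachable" value advertised for an invalid route is RFC 2453 RIP behaviour that the page does not mention, and the class and method names are the author's.

```python
from dataclasses import dataclass

# Added example (not GarrettCom code): the route lifetime behaviour described
# by the 'rip set expire' and 'rip set flush' parameters, driven by an explicit
# simulated clock. Metric 16 for an expired route comes from RFC 2453, not from
# the page.

EXPIRE_DEFAULT = 180   # seconds without an update before a route is invalidated
FLUSH_DEFAULT = 120    # additional seconds before the invalid route is deleted
RIP_INFINITY = 16      # RFC 2453 "unreachable" metric


@dataclass
class RipRoute:
    prefix: str
    next_hop: str
    metric: int
    last_update: float   # simulated clock, seconds


class RipTable:
    def __init__(self, expire: int = EXPIRE_DEFAULT, flush: int = FLUSH_DEFAULT):
        if not (1 <= expire <= 600 and 1 <= flush <= 600):   # ranges from the page
            raise ValueError("expire and flush must be 1-600 seconds")
        self.expire, self.flush = expire, flush
        self.routes = {}

    def update(self, prefix: str, next_hop: str, metric: int, now: float) -> None:
        """A RIP update for the prefix (re)starts its expire timer."""
        self.routes[prefix] = RipRoute(prefix, next_hop, metric, now)

    def state(self, prefix: str, now: float):
        """'valid', 'invalid' (expired, flush timer running) or None (deleted)."""
        route = self.routes.get(prefix)
        if route is None:
            return None
        age = now - route.last_update
        if age < self.expire:
            return "valid"
        if age < self.expire + self.flush:
            return "invalid"
        return None

    def advertised_metric(self, prefix: str, now: float):
        """What this router tells its neighbours about the prefix right now."""
        s = self.state(prefix, now)
        if s == "valid":
            return self.routes[prefix].metric
        if s == "invalid":
            return RIP_INFINITY    # poisoned until the flush timer removes it
        return None

    def garbage_collect(self, now: float) -> list:
        """Delete routes whose flush timer has run out; return their prefixes."""
        gone = [p for p in self.routes if self.state(p, now) is None]
        for p in gone:
            del self.routes[p]
        return gone
```

With the defaults, a prefix last refreshed at t=0 is valid until t=180, advertised as unreachable from then on, and removed at t=300; any update before t=180 restarts the whole cycle. Shortening expire makes the network react faster to a silent neighbour, at the price of false invalidations when updates are merely delayed.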
show interface | settings
Display the names and status of configured interfaces or show RIP global settings.
For more information see the description of RIP management in Section 3.8.5, “RIP”.

4.2.3.25 The rstp Command

Table 4-29 explains the commands available for managing and monitoring Rapid Spanning Tree Protocol (RSTP) functionality when the MagnumDX(rstp)# prompt is displayed or from the MagnumDX# prompt using an rstp prefix. For example:
MagnumDX# rstp set bridge age 10 cstyle 32-bit
or
MagnumDX(rstp)# set port E1 mode point priority 10 auto-cost n cost 10000

Table 4-29. CLI rstp Commands

set bridge | port portnum params...
Specify RSTP settings for a bridge or port, where portnum is an Ethernet port designated E1, E2, etc. The available bridge parameters are:
• age n – Specify the maximum age of STP information before discard, in a range of 6 - 40 seconds.
• cstyle 16-bit | 32-bit – Specify 16-bit (STP) cost style or 32-bit (RSTP) cost style.
• delay n – Specify a delay (in seconds) before forwarding state or topology change information. n is an integer in the range of 4 - 30.
• hello n – Specify the interval (in seconds) between transmissions of configuration BPDUs. n is an integer in the range of 1 - 10.
• mode enabled | disabled – Enable or disable RSTP on this bridge.
• priority n – Specify a priority value for this bridge in the range of 0 (highest priority) to 61440.
The available port parameters are:
• mode spec – Where spec specifies one of the following modes:
-auto – The port automatically determines the correct mode based on received BPDUs.
-edge – For an RSTP-enabled port connected to an end system.
-legacy – For a port that uses STP only.
-point – For an RSTP-enabled port connected to another switch.
-none – Disable RSTP on this port.
• priority – A priority value in the range 0-240. Numerically lower values indicate higher priorities.
• auto-cost y|n – If y, the path cost will be determined automatically. If n, the path cost used will be the value specified with the cost parameter (below). The default value is y.
• cost – Optionally specify a path cost value in the range 1 - 200000000.

show param...
Display information about the settings or status of the bridge or ports. The available parameters are:
• bridge settings – Display information about bridge RSTP settings.
• bridge status – Display information about bridge RSTP status.
• port settings – Display information about the RSTP settings of all ports.
• port status – Display information about the RSTP status of all ports.
For more information see the description of RSTP functionality in Section 3.4.3, “RSTP” and in Section 5.6, “RSTP”.

4.2.3.26 The s2f Command

Table 4-30 explains the commands available to manage serial to Frame Relay traffic when the MagnumDX(s2f)# prompt is displayed or from the MagnumDX# prompt using an s2f prefix. For example:
MagnumDX# s2f add channel S1 W1 100 priority expedited offset y
or
MagnumDX(s2f)# edit channel W1 100 offset n

Table 4-30. CLI s2f Commands

add channel params
Add a channel where the required parameters are:
• Sx – A serial port designation in the form S1, S2, etc.
• Wx – A WAN port designation - W1 or W2.
• dlcinum – A Data Link Connection Identifier (DLCI) in the range 1-1022.
And where the optional parameters are:
• priority default|expedited – Select a priority queue (high or low) at the WAN port for processing on this channel:
-default – Use the low priority queue.
-expedited – Use the high priority queue.
• offset y|n – Specify whether or not to use a payload offset:
-If y is selected, include the 3-byte offset between the header and the data portion of the message. (Required to interoperate with the GarrettCom DS product line.)
-If n is selected, begin the data portion of each Frame Relay message immediately after the 2-byte Frame Relay header.

delete channel param
Delete the channel defined by the following 2 values:
• Wx – A WAN port designation.
• dlcinum – A DLCI number.

edit channel Wx dlci params
Edit values in the channel defined by Wx, a WAN port designation, and dlci, a DLCI number. Possible params are:
• priority default|expedited
• offset y|n
See the add channel command (above) for details.

show channel params
Display information about serial to Frame Relay configuration, where params can be:
• connection – Display performance statistics about configured s2f connections.
• settings – Display the values that have been set with the add channel command (above).
For more information see the descriptions in Section 3.5.3.1, “Frame Relay: Channel Settings” and Section 3.6.5, “DLCI Settings”.

4.2.3.27 The serial Command

Table 4-31 explains the commands available to manage serial ports when the MagnumDX(serial)# prompt is displayed or from the MagnumDX# prompt using a serial prefix. For example:
MagnumDX# serial add profile Profile3 interface rs4852wire speed 1200
or
MagnumDX(serial)# set port S1 admin enabled profile Profile2

Table 4-31. CLI serial Commands
add profile profname params
Add a serial port profile named profname (a user-supplied string of up to 32 characters), where params can be:
• interface IFtype – Specify an interface type, where valid values for IFtype are rs232, rs232half, rs4852wire, rs4854wire.
• speed rate – Specify a baud rate, where valid values for rate are 300, 600, 1200, 2400, 4800, 9600, 19200, 28800, 33600, 38400, 57600, 1152K, 230K.
• data 7|8 – Select 7 or 8 bits/character. The default value is 8.
• stop 1|1point5|2 – Specify stop bits. The default value is 1.
• parity none|even|odd – Specify parity. The default value is none.
• ignore-dss y|n – Specify whether or not to ignore DSS.
-y – The Oper State of the port is UP if the Admin State is ENABLED.
-n – The Oper State of the port is UP if the DSR or DCD handshake signal is on and the Admin State is ENABLED.
• flowcontrol contype – Specify the type of flow control, where valid values for contype are none, xonxoff (software flow control), and rtscts (hardware flow control). The default value is none.
• pktchar char – Where char is either none or a character that will force packetization. The default value is none.
• pkttime timer – Where timer defines a timeout value in milliseconds. If an additional character is not received before the timer expires, a packetization event occurs. The special value 0 disables the packetization timer. The default value is 200 and the valid range is 10-1000.
• pktsize maxsize – Where maxsize defines a maximum packet size. The default value is 1024 and the valid range is 32-1024.
• tatime turnt – Where turnt defines a turnaround time, an enforced minimum delay between received network packets that are sent out the serial port.
The default value is 0 (off) and the valid range (in milliseconds) is 0-1000.

clear statistics Sx
Clear the performance statistics for the port designated by Sx.

delete profile name
Delete the profile specified by name.

edit profile name key newval
Edit the configured profile specified by name, where key is a keyword for one of the parameters configurable with the add profile command, such as speed, data, etc., and newval is the new value for that parameter.

set port Sx | ssl Sx params
Administer port settings or Secure Socket Layer (SSL) functionality, where Sx designates a serial port.
• port Sx params – Where params can be:
-name string – Where string is a user-supplied name of up to 32 characters.
-admin enabled|disabled – Enable or disable the port.
-profile name – Where name is the name of a configured profile.
• ssl Sx params – Where params can be:
-enabled y|n – Specify y to enable SSL.
-cipher spec – Specify a cipher (see Section 3.10.3, “Serial/SSL” for details).
-auth y|n – Specify y to require authentication.
-cert name – Where name is the name of a local certificate.

show param
Display information about serial port configuration, where param can be:
• port Sx – Display configuration information about the port designated by Sx.
• profile name – Display configuration information about the profile designated by name.
• ssl – Display SSL configuration for all ports.
• statistics Sx – Display performance statistics for the port designated by Sx.
• status Sx – Display status for the port designated by Sx.
For more information see the description of serial port management in Section 3.5.1, “Ports”.
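The pktchar, pkttime and pktsize profile parameters decide where the serial-to-network path cuts an incoming byte stream into packets. The model below is an added example, not GarrettCom code, that reads those three descriptions literally and applies them to a constructed, timestamped byte sequence. The event representation (arrival time in milliseconds, byte value) and the function names are the author's, and what happens when a byte arrives at exactly the expiry instant is an assumption.

```python
# Added example (not GarrettCom code): a model of how the pktchar, pkttime and
# pktsize serial profile parameters split a byte stream into packets, following
# the parameter descriptions on the page. Event format and names are the author's.


def stream(data: bytes, start_ms: int, gap_ms: int) -> list:
    """Constructed input: one (arrival time in ms, byte value) pair per byte."""
    return [(start_ms + i * gap_ms, b) for i, b in enumerate(data)]


def packetize(events, pktchar=None, pkttime=200, pktsize=1024) -> list:
    """Return the packets the port would forward for a timed byte sequence.

    pktchar: byte value that forces a packet, or None (profile value 'none')
    pkttime: idle timeout in ms; 0 disables the timer (page: 10-1000 or 0)
    pktsize: maximum packet size in bytes (page: 32-1024)
    """
    if pkttime != 0 and not 10 <= pkttime <= 1000:
        raise ValueError("pkttime must be 0 or 10-1000 ms")
    if not 32 <= pktsize <= 1024:
        raise ValueError("pktsize must be 32-1024")

    packets, buf, last_t = [], bytearray(), None
    for t, b in events:
        # Timer rule: the idle gap before this byte exceeded pkttime, so the
        # bytes already buffered were sent before it arrived. (Assumption: a
        # byte landing exactly at the expiry instant still counts as in time.)
        if buf and pkttime != 0 and t - last_t > pkttime:
            packets.append(bytes(buf))
            buf.clear()
        buf.append(b)
        last_t = t
        # Packetization character: the packet ends with that byte included.
        if pktchar is not None and b == pktchar:
            packets.append(bytes(buf))
            buf.clear()
        # Size rule: a full buffer goes out without waiting for the timer.
        elif len(buf) >= pktsize:
            packets.append(bytes(buf))
            buf.clear()
    # End of the captured stream: the timer would eventually fire on the rest.
    if buf:
        packets.append(bytes(buf))
    return packets
```

The model makes the trade-off visible: a long pkttime with no pktchar coalesces a protocol message into one packet but adds latency, while a short timer on a slow serial link fragments messages that the receiving application then has to reassemble. With pkttime set to 0 and pktchar none, only pktsize bounds a packet, so a chatty device can hold the buffer open indefinitely.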
4.2.3.28 The session Command

Table 4-32 explains the commands available for session management when the MagnumDX(session)# prompt is displayed or from the MagnumDX# prompt using a session prefix. For example:
MagnumDX# session delete 2
or
MagnumDX(session)# set timeout 30min

Table 4-32. CLI session Commands

delete sessionID
Delete the session specified by sessionID.

set timeout dur
Specify the amount of time a user session may be idle before it is automatically deleted by the system. Possible values for dur are none, 5min, 30min, 1hour, 24hours.

show active|policies
Display information on active sessions or display the timeout setting.
For more information see the description of session management in Section 3.2.6.1, “Sessions: Policies” and Section 3.2.6.2, “Sessions: Active Logins”.

4.2.3.29 The snmp Command

Table 4-33 explains the commands available for Simple Network Management Protocol (SNMP) management when the MagnumDX(snmp)# prompt is displayed or from the MagnumDX# prompt using an snmp prefix. For example:
MagnumDX# snmp add trap-station 192.168.1.120 name public
or
MagnumDX(snmp)# set traps enabled

Table 4-33. CLI snmp Commands

add params...
Where params can be:
• station IPaddress – Where IPaddress is the IP address of a management station that is allowed to query the SNMP agent.
• trap-station IPaddress – Where IPaddress is the IP address of the trap station. You can specify up to 4 trap stations. A trap station is a destination to which SNMP traps are sent.
• user name modespec – Where name is a name for
the trap station in up to 40 printable characters and modespec is one of the following:
-none – No authentication or encryption
-md5 – MD-5 authentication, no encryption
-sha – SHA-1 authentication, no encryption
-md5-des – MD-5 authentication, DES encryption
-sha-des – SHA-1 authentication, DES encryption
Note: After you have supplied name and modespec and entered Return, the system will prompt you for the following two passwords:
• Authentication password authpwd – Where authpwd is a string to be used for generating the authentication keys. Allowed password length is 8 to 40 characters.
• Privacy password privpwd – Where privpwd is a string to be used for generating the encryption keys. Allowed password length is 8 to 40 characters.

delete param
Delete a configured station, trap station, or user, where param can be:
• station IPaddress – Where IPaddress is the IP address of a configured management station.
• trap-station IPaddress – Where IPaddress is the IP address of a configured trap station.
• user ID – Where ID is the system-supplied ID of a configured user. (Use the snmp show users command to view user IDs.)

edit params...
Edit a configured trap station or user value, where params can be:
• auth-password userID – Edit the authentication password of the user identified by userID.
• priv-password userID – Edit the privacy password of the user identified by userID.
• trap-station IPaddress securname – Where IPaddress is the IP address of a configured trap station and securname is a new community or v3 security name for that trap station.
• user ID key newval – Where ID is the system-supplied ID of a configured user and the key newval combination can be:
-name username – A new user name value.
-mode securmode – A new security mode value.
set params...
Configure global SNMP parameters, where params can be:
• engine-id id – Where id is a unique identifier assigned to this SNMP agent. You can configure an engine ID that is a string 32 characters long. If you do not configure an engine ID, a 12-byte string will be assigned as the default ID. The default ID is a unique value combining the enterprise ID followed by MAC address or IP address or plain text. The default engine ID for a MNS-DX device is as follows:
-The first four octets contain the Enterprise ID (39cd).
-The fifth octet is a format identifier, which is 03 for MAC address.
-Octets six to eleven contain the MAC address.
-The remainder (up to the twelfth octet) is filled with zeroes.
• local-address addr – Where addr can be:
-any
-a configured IP address
• mode modeval – Enable or disable the SNMP agent, where modeval can be:
-disabled – agent does not respond to queries (default).
-v1v2 – agent only responds to v1 or v2c PDUs.
-V3 – agent only responds to v3 PDUs.
• read-comm commstring – Where commstring is an arbitrary text string of up to 16 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for reading.
• traps disabled|enabled – Enable or disable the sending of traps to configured trap stations. Traps are event notifications sent by the agent to a trap station.
• write-access disabled|enabled – Enable or disable write access to the MIB.
• write-comm commstring – Where commstring is an arbitrary text string of up to 16 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for writing.
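Two things the engine-id and user descriptions imply but do not spell out: how the twelve default octets are laid out, and why the engine ID has to be unique per agent. The Python below is an added example, not GarrettCom code. It builds the default engine ID exactly as the page lists it (enterprise 39cd, format 03, MAC, zero padding; note that the RFC 3411 SnmpEngineID format additionally sets the top bit of the first octet, which the page does not show) and then derives an SNMPv3 localized key from a user password and an engine ID following RFC 3414, which is why two agents that share an engine ID end up with identical keys for the same password. The function names are the author's; the test vector is the one published in RFC 3414 Appendix A.3.

```python
import hashlib

# Added example (not GarrettCom code). Default engine ID layout as listed on
# the page, plus RFC 3414 password-to-key derivation and key localization to
# show how the engine ID enters every SNMPv3 user's authentication and
# privacy keys. Names are the author's.

ENTERPRISE_ID = 0x39CD   # value the page gives for the first four octets
FORMAT_MAC = 0x03        # fifth octet: "03 for MAC address"
ENGINE_ID_LEN = 12


def default_engine_id(mac: str) -> bytes:
    """Default engine ID as the page describes it for an MNS-DX device."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be six octets")
    eid = ENTERPRISE_ID.to_bytes(4, "big") + bytes([FORMAT_MAC]) + mac_bytes
    return eid.ljust(ENGINE_ID_LEN, b"\x00")   # pad with zeroes to the twelfth octet


def parse_engine_id(eid: bytes) -> dict:
    """Split a default-format engine ID back into its fields."""
    if len(eid) != ENGINE_ID_LEN:
        raise ValueError("expected a 12-octet engine ID")
    return {
        "enterprise": int.from_bytes(eid[:4], "big"),
        "format": eid[4],
        "mac": ":".join(f"{b:02x}" for b in eid[5:11]),
    }


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 octets of the password repeated end to end."""
    if not 8 <= len(password) <= 40:            # length limit stated on the page
        raise ValueError("SNMP password must be 8 to 40 characters")
    pw = password.encode()
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(algo, expanded).digest()


def localized_key(password: str, engine_id: bytes, mode: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually stores.
    mode is one of the DX modespec values md5, sha, md5-des, sha-des."""
    algo = {"md5": "md5", "md5-des": "md5", "sha": "sha1", "sha-des": "sha1"}[mode]
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()
```

Because the MAC address is part of the default engine ID, two DX units with factory defaults get distinct keys even when an operator reuses the same authentication password; a manually configured engine ID that is copied between devices removes that separation, and changing the engine ID on a running agent invalidates every configured user's localized keys on the management station side.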
show param
Display information about SNMP configuration, where param can be:
• settings
• station
• statistics
• trap-station
• user
For more information see the description of SNMP in Section 5.5, “SNMP” and the discussion of the browser-based SNMP management screens in Section 3.2.4, “SNMP”.

4.2.3.30 The sntp Command

Table 4-34 explains the commands available for Simple Network Time Protocol (SNTP) management when the MagnumDX(sntp)# prompt is displayed or from the MagnumDX# prompt using an sntp prefix. For example:
MagnumDX# sntp add server 192.168.1.2
or
MagnumDX(sntp)# set polling-interval 240

Table 4-34. CLI sntp Commands

add server IPaddress
Add the SNTP server specified by IPaddress. Up to 3 servers may be added. If a server is down, the software will try the next configured server when retrieving the current time and date.

delete server IPaddress
Delete the configured SNTP server specified by IPaddress.

set params...
Configure global SNTP settings, where params can be:
• local-address localIP – Where localIP can be:
-any – Packets will use their actual egress interface address as a source address.
-specific IP address – Packets will use the source address selected from a list of eligible addresses. This may be necessary for conformity with VPN or NAT configurations. To see available addresses use the set ? command.
• mode modeval – Indicates if and how the SNTP client should be used to set the system's time and date information.
modeval takes one of the following values:
-disable – SNTP will not be used to acquire the current time.
-active – System time and date information is taken from a configured SNTP server.
-passive – System time and date information is retrieved from SNTP information that is broadcast periodically from an SNTP server.
• polling-interval p – Where p is an integer in the range 15-86400 that specifies the frequency in seconds at which the SNTP server will be accessed to obtain the correct time in active mode. The default value is 60.

show server | settings
Display information about configured SNTP servers or settings.
For more information see the description of SNTP management in Section 3.2.3, “SNTP”.

4.2.3.31 The ssh Command

Table 4-35 explains the commands available for viewing and managing Secure Shell (SSH) functionality when the MagnumDX(ssh)# prompt is displayed or from the MagnumDX# prompt using an ssh prefix. For example:
MagnumDX# ssh set mode sshonly
or
MagnumDX(ssh)# set pfmode enable

Table 4-35. CLI ssh Commands

keygen
Generate a Digital Signature Algorithm (DSA) key. This must be done once to start the SSH server.

set mode sec | pfmode able
You can use the set command to specify the security mode of the command line interface or to enable or disable SSH port forwarding. The available commands are:
• mode sec – Where sec can be:
-telnet – Allow port 23 (telnet) and port 22 (SSH) connections.
-sshonly – Allow only SSH connections. If a client attempts a telnet connection the server will send a message indicating that telnet access is not allowed and then shut down the connection.
• pfmode able – Where able can be:
-Enable – Allow SSH port forwarding from a client to this server.
-Disable – Do not allow SSH port forwarding from a client to this server.
show
Show current SSH server setting and state:
• CLI Mode – Possible values are Allow Telnet and SSH Only.
• SSH Server State – Possible values are No Key and Running. No Key is seen only when no Digital Signature Algorithm (DSA) key has been generated for the SSH server with the ssh keygen command or when a complete reformat of the DX flash has eliminated a previously generated key.
• SSH Port Forwarding – Possible values are Enabled and Disabled.
For more information see the description of CLI security management in Section 3.10.5, “CLI”.

4.2.3.32 The sw Command

The sw command enables you to manage the process of upgrading your MNS-DX software version. It is used in conjunction with the SFTP utility. Many versions of the SFTP (Secure File Transfer Protocol) client and server applications are freely available. Use one of these to access versions of MNS-DX software. When you have obtained a new software image, move a copy of it to the /swupgrade directory with the sftp put command. That file will be displayed, marked as a New version, when you run the sw show command. A detailed example of the upgrade process begins on page 281. (Also see Section 4.1.1, “MNS-DX support for SFTP”.)

Table 4-36 explains the commands available for software upgrade management when the MagnumDX(sw)# prompt is displayed or from the MagnumDX# prompt using an sw prefix. For example:
MagnumDX# sw finalize
or
MagnumDX(sw)# upgrade

Table 4-36. CLI sw Commands

sw fallback
When the sw show command displays an Upgrade State of READY TO UPGRADE or UPGRADING, entering the sw fallback command cancels the upgrade.

sw finalize
When the sw show command displays an Upgrade State of UPGRADING, entering the sw finalize command approves the upgrade to the software version marked Current.
sw retry
When the sw show command displays an Upgrade State of FALLBACK, enter sw retry to attempt the upgrade process again (move to the READY TO UPGRADE state).

sw show
Display current and previous software versions and upgrade state.

sw upgrade
When the sw show command displays an Upgrade State of READY TO UPGRADE, entering the sw upgrade command reboots the system and loads the new software image.
For more information see the description of software upgrade management in Section 3.2.8, “Software Upgrade”.

Example: Software upgrade with the sw command

The following sequence of commands depicts a typical upgrade procedure using the sw command. This example uses freely available client software to manage the process: PuTTY as the SSH client to make an Ethernet connection to the CLI and psftp as an sftp client to make a secure file transfer.

1. Log in to the DX CLI and use the ssh show command to make sure that your SSH server is running (that is, that an SSH key has been generated).

MagnumDX# ssh show
CLI Mode : SSH Only
SSH Server State : Running

Figure 4-6. CLI: ssh show command output

If the ssh show command does not show the result displayed in Figure 4-6, use the ssh keygen command to generate an SSH key.

2. View the current software upgrade state. In the DX CLI run the sw show command to view the current software upgrade state. Figure 4-7 illustrates a typical system before the beginning of the upgrade process.

MagnumDX# sw show
Filename           Version  Use
dx800v140rc3.elf   1.4.0    Current
dx800v140rc2.elf   1.4.0    Previous
Upgrade State: UPGRADED

Figure 4-7. CLI: sw show command output - Before Upgrading

3. Prepare the sftp command line for the file transfer and execute the put command.
In this example the new software image file, dx800v140rcQ.elf, is stored in the directory C:\temp. It must be copied to the /swupgrade virtual directory on the DX device. The steps illustrated in Figure 4-8 are:
• Logging in
• Changing the remote directory to /swupgrade
• Changing the local directory to C:\temp
• Executing the put command

C:\Documents and Settings\user1>psftp 2.3.4.100
login as: manager
manager@2.3.4.100’s password:
Remote working directory is /
psftp> cd swupgrade
Remote directory is now /swupgrade
psftp> lcd C:\temp
New local directory is C:\temp
psftp> put dx800v140rcQ.elf
Local:dx800v140rcQ.elf => remote:/swupgrade/dx800v140rcQ.elf
psftp>

Figure 4-8. SFTP Client: Executing the put Command

WARNING: The transfer of the software image file to the /swupgrade directory may take a long time. Your experience will vary with the sftp client used, but the image file is large and some sftp clients will make the transfer in many packets. Be prepared to wait ten or more minutes for the transfer to complete.

4. View the changed software upgrade state. In the DX CLI run the sw show command to view the software upgrade state now that the software image file has been placed in the /swupgrade directory. Figure 4-9 illustrates the system at this stage of the upgrade process.

MagnumDX# sw show
Filename           Version  Use
dx800v140rc3.elf   1.4.0    Current
dx800v140rcQ.elf   1.4.0    New
Upgrade State: READY TO UPGRADE

Figure 4-9. CLI: sw show command output - READY TO UPGRADE

5. Perform the upgrade. In the CLI command window enter the command sw upgrade. Confirm that you want to carry out the upgrade by answering yes to the "are you sure" question.

6. Reconnect to the CLI. After the upgrade command has been issued your connection to the CLI will probably be lost. Reconnect and run the sw show command.
MagnumDX# sw show
Filename           Version  Use
dx800v140rc3.elf   1.4.0    Fallback
dx800v140rcQ.elf   1.4.0    Current
Upgrade State: UPGRADING

Figure 4-10. CLI: sw show command output - UPGRADING

7. Finalize. Complete the upgrade procedure by entering the sw finalize command to approve the new software image. Run the sw show command one last time to confirm the new configuration.

MagnumDX# sw show
Filename           Version  Use
dx800v140rcQ.elf   1.4.0    Current
dx800v140rc3.elf   1.4.0    Fallback
Upgrade State: UPGRADED

Figure 4-11. CLI: sw show command output - UPGRADED

4.2.3.33 The syslog Command

Table 4-37 explains the commands available for syslog management when the MagnumDX(syslog)# prompt is displayed or from the MagnumDX# prompt using a syslog prefix. For example:
MagnumDX# syslog add collector 192.168.1.2
or
MagnumDX(syslog)# set mode enabled

Table 4-37. CLI syslog Commands

add collector IPaddr
Where IPaddr is the IP address of a server to which syslog messages will be sent.

delete collector IPaddr
Delete the syslog collector specified by IPaddr.

set param...
Configure global syslog settings, where param can be:
• local-address localIP – Where localIP can be:
-any – Packets will use their actual egress interface address as a source address.
-specific IP address – Packets will use the source address selected from a list of eligible addresses. This may be necessary for conformity with VPN or NAT configurations. To see available addresses use the set ? command.
• mode modeval – Where modeval indicates whether or not events should be sent as syslog messages. The available modeval values are:
-enabled – Send a syslog message for each event.
-disabled – Do not send syslog messages (default).
show collector | settings
Display information about configured syslog collectors or settings.
For more information see the description of syslog management in Section 3.3.2, “Syslog”.

4.2.3.34 The system Command

Table 4-38 explains the commands available for basic system information management when the MagnumDX(system)# prompt is displayed or from the MagnumDX# prompt using a system prefix. For example:
MagnumDX# system set location North Andover
or
MagnumDX(system)# show

Table 4-38. CLI system Commands

set name | location | contact
The available parameters are:
• name sysname – Where sysname is a name of up to 256 characters for the system under configuration.
• location placename – Where placename is a name of up to 256 characters for the place where the system under configuration is located.
• contact identinfo – Where identinfo is a name or contact information for a person responsible for management of the system under configuration, in up to 256 characters.

show info|status
Display basic system information:
• info – Displays identity information.
• status – Displays system memory and performance information.
For more information see the description of basic system information management in Section 3.2.1.1, “System Information”.

4.2.3.35 The terminal Command

Table 4-39 explains the commands available for terminal settings when the MagnumDX(terminal)# prompt is displayed or from the MagnumDX# prompt using a terminal prefix. These commands enable you to control the display of CLI command output in your virtual terminal window. For example:
MagnumDX# terminal set lines 18
or
MagnumDX(terminal)# show

Table 4-39. CLI terminal Commands
CLI terminal Commands Command set Synopsis set lines | paging Description Control the display of the CLI terminal. Available parameters are: • lines n – Where n is a number in the range of 1 - 100. • paging y|n – Control scrolling in the CLI terminal This is the maximum number of lines to display in the terminal window on execution of a CLI command. Default value = 24 window: -If y is specified output will display one "page" at a time; that is the scrolling of information will pause at the number of lines specified by the lines parameter and resume after a key is pressed. -If n is specified output will scroll to the screen without pausing until command output is complete. show show Show lines and paging settings. Magnum Network Software - DX Administrator’s Guide 288 CHAPTER 4 - The CLI and Protocol Monitor CLI Functionality 4.2.3.36 The time Command Table 4-40 explains the commands available for time and date management when the MagnumDX(time)# prompt is displayed or from the MagnumDX# prompt using a time prefix. For example: MagnumDX# time set dst country britain or MagnumDX(time)# set dst custom-rule sun mar 1 12:00 sun oct 1 12:00 Note: With the custom daylight saving rule in the preceding example command line in place an execution of the time show command would provide the following description: Starts the first Sunday on or after March 1 at 12:00 Ends the first Sunday on or after October 1 at 12:00 Table 4-40. CLI time Commands Command Synopsis set params... Description Set the date and time and optional variables, where params can be:. • clock hms – Where hms is the current time of day in the 24-hour HH:MM:SS format. • date mdy – Where mdy is the current date in the format mm/dd/yyyy. • dst dstparams– Set Daylight Saving Time, where dstparams can be: -country cntryname – Use the daylight saving rule of the country specified by cntryname. (Use the set dst ? command to display available country names.) 
Magnum Network Software - DX Administrator’s Guide 289 CHAPTER 4 - The CLI and Protocol Monitor CLI Functionality Table 4-40. CLI time Commands Command set Synopsis Description -custom-rule descr – Where descr is a description of a custom daylight saving time rule built on the following parameters: set param... sf where sf is either day (meaning any day of the week) or a three-letter abbreviation for the name of a day of the week to begin dst. sm where sm is a three-letter abbreviation for the name of a month. sd where sd is an integer in the range of 1-31 specifying "on or after this date." st where st is a starting time expressed as hour and minute in the format HH:MM. ef where ef is either day (meaning any day of the week) or a three-letter abbreviation for the name of a day of the week to end dst. em where em is a three-letter abbreviation for the name of a month. ed where ed is an integer in the range of 1-31 specifying "on or after this date." et where et is an ending time expressed as hour and minute in the format HH:MM. -mode disabled|enabled – Enable to enforce daylight saving time by one of the methods above. Disable to use standard time throughout the year. show show • persistence disabled|enabled – The • utc-offset hm – Where hm is your offset from persistence feature supports systems such as DX40 that do not have a clock with battery backup. When the power to these systems is cycled, the clock may come up in an undefined state. With persistence enabled the clock is set to the last known good time and date. Universal Coordinated Time (UTC). The value is in HH:MM format. The range is from -12:59 to +12:59. Display configured time and date settings. For more information see the description of time and date management in Section 3.2.2, “Time”. 
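The custom-rule syntax above ("first Sunday on or after March 1") is easy to misread, so here is an added example, not part of the manual or of GarrettCom's software, that parses a rule in the documented sf sm sd st ef em ed et form, resolves it to concrete dates for a given year, and reproduces the two lines the time show command prints. It assumes a day number that does not exist in the named month rolls into the following month, and the wording it uses for the day keyword is its own.

```python
import calendar
from datetime import date, datetime, timedelta

# Keyword tables for the "set dst custom-rule" syntax documented above:
# sf sm sd st ef em ed et. Python weekday(): Monday=0 ... Sunday=6.
WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MONTHS = {"jan": 1, "feb": 2, "mar": 3, "apr": 4, "may": 5, "jun": 6,
          "jul": 7, "aug": 8, "sep": 9, "oct": 10, "nov": 11, "dec": 12}


def _parse_half(fields):
    """Validate one half (start or end) of a rule: weekday month day HH:MM."""
    wd, mon, day, hhmm = (f.lower() for f in fields)
    if wd != "day" and wd not in WEEKDAYS:
        raise ValueError("weekday must be 'day' or one of %s" % sorted(WEEKDAYS))
    if mon not in MONTHS:
        raise ValueError("unknown month abbreviation %r" % mon)
    day = int(day)
    if not 1 <= day <= 31:
        raise ValueError("day of month must be in 1-31")
    hh, mm = (int(x) for x in hhmm.split(":"))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError("time must be HH:MM on the 24-hour clock")
    return wd, MONTHS[mon], day, hh, mm


def parse_rule(rule):
    """Split 'sf sm sd st ef em ed et' into a (start, end) pair of tuples."""
    fields = rule.split()
    if len(fields) != 8:
        raise ValueError("custom-rule needs exactly 8 fields: sf sm sd st ef em ed et")
    return _parse_half(fields[:4]), _parse_half(fields[4:])


def _resolve(half, year):
    """Turn (weekday, month, day, hh, mm) into the concrete datetime for one year."""
    wd, month, day, hh, mm = half
    # "on or after this date": a day that does not exist in the month (e.g. 31 in a
    # 30-day month) is assumed here to roll into the next month. Day 31 of December
    # always exists, so this can never roll past the end of the year.
    last = calendar.monthrange(year, month)[1]
    base = date(year, month, day) if day <= last else date(year, month + 1, 1)
    if wd != "day":
        # advance 0..6 days until the requested weekday is reached
        base += timedelta(days=(WEEKDAYS[wd] - base.weekday()) % 7)
    return datetime(base.year, base.month, base.day, hh, mm)


def dst_window(rule, year):
    """Return the (start, end) datetimes of daylight saving time for `year`."""
    start, end = parse_rule(rule)
    return _resolve(start, year), _resolve(end, year)


def in_dst(rule, when):
    """True if local datetime `when` falls inside the rule's DST window. A rule whose
    end precedes its start (southern hemisphere) wraps around the year boundary."""
    start, end = dst_window(rule, when.year)
    if start <= end:
        return start <= when < end
    return when >= start or when < end


def describe(rule):
    """Reproduce the two description lines the 'time show' command prints."""
    lines = []
    for label, half in zip(("Starts", "Ends"), parse_rule(rule)):
        wd, month, day, hh, mm = half
        when = "%s %d at %02d:%02d" % (calendar.month_name[month], day, hh, mm)
        if wd == "day":
            lines.append("%s on %s" % (label, when))  # wording assumed for 'day'
        else:
            lines.append("%s the first %s on or after %s"
                         % (label, calendar.day_name[WEEKDAYS[wd]], when))
    return lines


if __name__ == "__main__":
    rule = "sun mar 1 12:00 sun oct 1 12:00"   # the manual's example rule
    print("\n".join(describe(rule)))
    print(dst_window(rule, 2009))
```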
4.2.3.37 The ts Command

Table 4-41 explains the commands available for terminal server configuration when the MagnumDX(ts)# prompt is displayed or from the MagnumDX# prompt using a ts prefix. For example:

MagnumDX# ts add channel S2 direction out remote-address 192.168.1.100 remote-tcp 10000
or
MagnumDX(ts)# edit channel S2 max-conn 10

Table 4-41. CLI ts Commands

Command: add
Synopsis: add channel Sx params
Description: Add a channel at the serial port designated by Sx, where params can be:
• direction in|out – Specify call direction:
  -In – The port acts like a passive TCP server, listening at the configured Local TCP port.
  -Out – The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
• session-type raw|telnet – Specify a session type:
  -Raw – Provides a transparent pipe for serial data.
  -Telnet – Enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
• priority diffserv-profile – Specify a diffserv profile.
• local-address any|X.X.X.X – Specify the local IP address upon which the server listens for connections when the direction is set to “In”. The default value of any provides the most flexible configuration; however, if you have configured filtering or pattern matching parameters elsewhere to expect a specific IP address you can specify that address here.
• local-tcp n – The local TCP port upon which the server listens.
• remote-address X.X.X.X – Specify the remote IP address that the client attempts to connect to.
• remote-tcp n – Specify the remote TCP port to which the client attempts to connect.
• max-conn maxn – Specify the maximum number of incoming TCP connections to accept for this serial port, where maxn is an integer in the range 1-16. The default value is 5.
• retry-time secs – Where secs is the number of seconds the client waits for a connection to succeed before timing out and retrying. The valid range is 1-90. The default value is 30.

Command: delete
Synopsis: delete channel chanID
Description: Delete the channel specified by chanID.

Command: edit
Synopsis: edit channel Sx key val
Description: Edit the parameters of the channel at serial port Sx, where key is a keyword for a terminal server channel parameter, such as direction or max-conn, and val is the new value for that parameter. See the ts add channel command (above) for details.

Command: show
Synopsis: show param
Description: Display information about terminal server configuration, where param can be:
• channel chanID
• connection
• status chanID

For more information see the descriptions of terminal server configuration in Section 3.5.2, “Terminal Server”.

4.2.3.38 The vlan Command

Table 4-42 explains the commands available for viewing and managing VLANs when the MagnumDX(vlan)# prompt is displayed or from the MagnumDX# prompt using a vlan prefix. For example:

MagnumDX# vlan add 22 substation_22
or
MagnumDX(vlan)# show port E3

Table 4-42. CLI vlan Commands

Command: add
Synopsis: add n vlan_name
Description: Add a VLAN with VID n (a number in the range 1-4094) and the name vlan_name (up to 24 printable characters).

Command: delete
Synopsis: delete n
Description: Delete the VLAN identified by VID n.

Command: edit
Synopsis: edit n name new_name
Description: Change the name of the VLAN identified by n to the name specified in new_name (up to 24 printable characters).

Command: set
Synopsis: set param...
Description: Enable or disable VLAN functionality and/or configure a port, where param can be:
• mode enable | disable – Enable or disable VLAN awareness on the switch.
• port Ex portparams – Set VLAN properties on the Ethernet port identified by Ex, where portparams can be:
  -mode access | trunk – An access port is typically connected to an end station and supports a single VLAN. A trunk port is typically connected to another switch and by default supports all configured VLANs.
  -pvid n – Where n is the ID number of the native VLAN assigned to this port.
  -tagged y|n – If y, the port ensures that a VLAN tag is present in a frame before transmission. If n, the port strips all VLAN tags before transmitting frames.
  -prohibit list – Where list is a list of VLANs to prohibit from a Trunk port. Enter the VID numbers of prohibited VLANs separated by commas. A continuous range of VIDs can be indicated by a dash. For example: 4, 6-8, 12, 15.

Command: show
Synopsis: show param
Description: Display information about VLAN configuration, where param can be:
• mode – Whether VLAN awareness is enabled or disabled on the switch.
• port Ex – VLAN settings of the port identified by Ex.
• vid n – Settings of the VLAN identified by vid n.

For more information see the description of VLAN functionality in Section 3.4.4, “VLAN” and in Section 5.7, “VLAN”.

4.2.3.39 The vpn Command

Table 4-43 explains the commands available for Virtual Private Network (VPN) management when the MagnumDX(vpn)# prompt is displayed or from the MagnumDX# prompt using a vpn prefix. For example:

MagnumDX# vpn add tunnel 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 192.168.3.3
or
MagnumDX(vpn)# edit profile profile1 dhgroup 1

Table 4-43. CLI vpn Commands

Command: add
Synopsis: add params...
Description: Where params can be:
• cert authmethod xxcert.pem – Select a local X.509 certificate as an authentication method, where authmethod is the name of an authentication method in up to 32 characters and xxcert.pem is a valid X.509 certificate.
• profile profname profparams – Create a VPN profile with the name profname. Configure it by specifying the following profparams or omitting them to accept the defaults:
  -ike-enc des|3des|aes – Specify an encryption algorithm to use for Phase 1 and Phase 2 exchanges. The default value is 3des.
  -ike-hash md5|sha – Specify a hashing algorithm to use for Phase 1 and Phase 2 exchanges. The default value is sha.
  -ike-lifetime n – Specify a lifetime (n) in the range 90-64800 seconds for the keys exchanged in phase 1 negotiations. The default value is 21600.
  -esp-enc des|3des|aes – Specify an encryption algorithm to use for encrypting tunneled IP traffic. The default value is 3des.
  -esp-hash md5|sha – Specify a hashing algorithm to use for authenticating tunneled IP traffic. The default value is sha.
  -esp-lifetime n – Specify a lifetime (n) in the range 90-64800 seconds for the keys exchanged in phase 2 negotiations before re-keying is required. The default value is 21600.
  -dhgroup 1|2 – The size of the Diffie-Hellman modulus:
    -1 – 768 bits
    -2 – 1024 bits (default)
  -dpd-poll-time polln – Where polln is the length of time in seconds for this device to wait before sending a Dead Peer Detection (DPD) message. DPD messages are sent only when a device has not exchanged IPSec traffic with a peer for the prescribed interval. The default value is 30 seconds. The valid range is 0-600. A dpd-poll-time value of 0 is an instruction not to use DPD.
• psk authname – Select a pre-shared key as an authentication method, where authname is the name of an authentication method in up to 32 characters. Enter Return after authname and the system will prompt for the key.
• tunnel defins – Define a VPN tunnel, where defins is comprised of the following required parameters:
  -sIPaddr – Where sIPaddr is a source IP address on this device or on the subnet supported by this device.
  -smask – Where smask is a subnet mask to apply to the source IP address.
  -dIPaddr – Where dIPaddr is a destination IP address.
  -dmask – Where dmask is a subnet mask to apply to the destination IP address.
  -gIPaddr – Where gIPaddr is the IP address of the gateway router to be used to access the destination address.
  and the following optional parameters:
  -profile profname – Where profname is the security profile to bind to this tunnel. (Use the show profiles command to view configured profiles.)
  -authentication authmethod – Where authmethod is the authentication method to use for this tunnel. (Use the show authentication command to view configured authentication methods. Use the add cert name or add psk name commands to configure authentication methods.)

Command: delete
Synopsis: delete params...
Description: Delete configured VPN values, where params can be:
• cert authmethodname – Where authmethodname is the name of an authentication method.
• profile profname – Where profname is the name of a configured VPN profile.
• psk authmethodname – Where authmethodname is the name of an authentication method.
• tunnel tunnelID – Where tunnelID is the system-supplied ID of a configured tunnel.

Command: edit
Synopsis: edit params...
Description: Change a configured value in a VPN profile or tunnel definition, where params can be:
• profile profname param newvalue – Where profname is the name of a configured VPN profile, param is a parameter in the profile description, and newvalue is the new value for param. See the add profile command, above, for details.
• tunnel tunnelID param newvalue – Where tunnelID is the system-supplied ID of a VPN tunnel, param is a parameter in the tunnel definition, and newvalue is the new value for param. See the add tunnel command, above, for details.

Command: restart
Synopsis: restart tunnel tID
Description: Cause the tunnel specified by tID to be renegotiated (starting with Phase 1).

Command: set
Synopsis: set send-initialcontact y|n
Description: Specify whether or not this system will initiate contact:
• y – The system will send an initial contact informational message when it initiates an IKE handshake with a peer for the first time (for example, after a reboot). This option works with most peer types.
• n – The system will not send an initial contact message.
The default value is n.

Command: show
Synopsis: show authentication | details | profiles | settings | status | tunnels
Description: Display information about the specified VPN configuration feature.

Command: trace
Synopsis: trace
Description: Display diagnostic information about operating VPNs.

For more information see the description of the browser-based management screens in Section 3.10.8, “VPN” and the discussion of VPNs in Section 5.9, “VPN”.

4.2.3.40 The vrrp Command

Table 4-44 explains the commands available for Virtual Router Redundancy Protocol management when the MagnumDX(vrrp)# prompt is displayed or from the MagnumDX# prompt using a vrrp prefix. For example:

MagnumDX# vrrp add router 100 192.168.2.2 priority 5
or
MagnumDX(vrrp)# edit router 100 preemption y

Table 4-44. CLI vrrp Commands

Command: add
Synopsis: add router params...
Description: Add a VRRP group. The required parameters are:
• n – Where n is an integer in the range 1-255 to serve as an ID for this virtual router.
• IPaddress – The virtual router IP address. If this address matches the IP address assigned to a local interface, this router is considered to be the "owner" of that IP and is always the Master if it is available. Otherwise, the router is considered a backup.
The optional parameters (that is, if these parameters are not specified default values will be used) are:
• priority pval – Where pval is an integer in the range 1-254 specifying the configured relative priority of backup routers (that is, routers that do not "own" the virtual router IP). The router with the highest priority will take over if the master fails. The default value is 255 for the master and 100 for a backup.
• adver-interval advval – Where advval is an integer in the range 1-60 specifying the frequency in seconds with which the master will send VRRP advertisements. The default value is 1.
• preemption y|n – If this flag is set to y this router will take the master role over from another router that has a lower priority. The default value is y.

Command: delete
Synopsis: delete router IDn
Description: Delete the VRRP group specified by IDn.

Command: edit
Synopsis: edit router IDn key val
Description: Edit one or more of the configured values of the VRRP group specified by IDn, where key is a keyword for a VRRP parameter, such as priority or preemption, and val is the new value for that parameter. See the vrrp add router command (above) for details.

Command: show
Synopsis: show groups | status
Description: Display information about VRRP group configurations or about group status.

For more information see the description of VRRP management in Section 3.8.8, “VRRP”.
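Because the vpn add profile command in Table 4-43 above silently fills in defaults for every parameter you omit, the settings a tunnel actually runs with are not visible on the command line. This added example (not part of the manual or of GarrettCom's software) parses a profile command line, applies the documented defaults and ranges, and lists the settings a reviewer would want to look at: single DES, MD5, the 768-bit Diffie-Hellman group 1, and DPD switched off. The review thresholds are this example's own judgement, not anything the manual states.

```python
# Defaults and legal values of "vpn add profile" exactly as Table 4-43 states them.
PROFILE_DEFAULTS = {
    "ike-enc": "3des", "ike-hash": "sha", "ike-lifetime": "21600",
    "esp-enc": "3des", "esp-hash": "sha", "esp-lifetime": "21600",
    "dhgroup": "2", "dpd-poll-time": "30",
}
CHOICES = {
    "ike-enc": {"des", "3des", "aes"}, "esp-enc": {"des", "3des", "aes"},
    "ike-hash": {"md5", "sha"}, "esp-hash": {"md5", "sha"},
    "dhgroup": {"1", "2"},
}
RANGES = {"ike-lifetime": (90, 64800), "esp-lifetime": (90, 64800),
          "dpd-poll-time": (0, 600)}


def parse_profile_command(line):
    """Parse '[vpn] add profile NAME [param value ...]' and apply the defaults.

    The 'vpn' prefix is optional, as it is when typed at the MagnumDX(vpn)# prompt.
    Returns (profile name, dict of all eight parameters as strings)."""
    toks = line.strip().split()
    if toks and toks[0] == "vpn":
        toks = toks[1:]
    if len(toks) < 3 or toks[:2] != ["add", "profile"]:
        raise ValueError("expected: [vpn] add profile NAME [param value ...]")
    name, pairs = toks[2], toks[3:]
    if len(pairs) % 2:
        raise ValueError("profile parameters must come in key/value pairs")
    settings = dict(PROFILE_DEFAULTS)
    for key, value in zip(pairs[::2], pairs[1::2]):
        key, value = key.lower(), value.lower()
        if key not in settings:
            raise ValueError("unknown profile parameter %r" % key)
        if key in CHOICES and value not in CHOICES[key]:
            raise ValueError("%s must be one of %s" % (key, sorted(CHOICES[key])))
        if key in RANGES:
            lo, hi = RANGES[key]
            if not value.isdigit() or not lo <= int(value) <= hi:
                raise ValueError("%s must be an integer in %d-%d" % (key, lo, hi))
        settings[key] = value
    return name, settings


def audit_profile(settings):
    """Return review findings for a parsed profile; an empty list means nothing
    was flagged. Thresholds are this example's, not the manual's."""
    findings = []
    for key in ("ike-enc", "esp-enc"):
        if settings[key] == "des":
            findings.append("%s=des: single DES (56-bit key); use aes" % key)
        elif settings[key] == "3des":
            findings.append("%s=3des: legacy default; aes is available" % key)
    for key in ("ike-hash", "esp-hash"):
        if settings[key] == "md5":
            findings.append("%s=md5: prefer sha" % key)
    if settings["dhgroup"] == "1":
        findings.append("dhgroup=1: 768-bit DH modulus; use dhgroup 2 (1024 bits)")
    if settings["dpd-poll-time"] == "0":
        findings.append("dpd-poll-time=0: Dead Peer Detection disabled")
    for key in ("ike-lifetime", "esp-lifetime"):
        if int(settings[key]) > 21600:
            findings.append("%s=%s: longer than the 21600 s default"
                            % (key, settings[key]))
    return findings


def audit_command(line):
    """Convenience wrapper: command line -> (profile name, findings)."""
    name, settings = parse_profile_command(line)
    return name, audit_profile(settings)


if __name__ == "__main__":
    # Constructed command lines; "profile1 dhgroup 1" mirrors the manual's example.
    for cmd in ("vpn add profile profile1 dhgroup 1 ike-enc des",
                "add profile substation ike-enc aes esp-enc aes"):
        name, findings = audit_command(cmd)
        print(name, "->", findings or "no findings")
```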
4.2.3.41 The wan Command

Table 4-45 explains the commands available for configuration of your DX device’s WAN (Wide Area Network) port when the MagnumDX(wan)# prompt is displayed or from the MagnumDX# prompt using a wan prefix. For example:

MagnumDX# wan set port W1 name HQWan bandwidth 56k clock received admin enabled
or
MagnumDX(wan)# show port W1

Table 4-45. CLI wan Commands

Command: set
Synopsis: set port Wx param...
Description: Configure parameters on the WAN port specified by Wx. The possible parameters for either a DDS or T1/E1 connection are:
• admin enabled | disabled – Specify the administrative status of this port.
• bandwidth 56k | 64k – Specify a connection speed of either 56k (typical for carrier-supplied connections) or 64k (available for private networks and all E1 circuits).
• clock local | received – Specify the source of the data clock. (Default value is received.)
• name portname – Where portname is a user-supplied name of up to 15 printable characters for this WAN port.
Possible parameters for T1/E1 connections only are:
• code codespec – Where codespec specifies the line code for this port:
  -for T1: ami or b8zs (default).
  -for E1: ami or hdb3.
• frame frtype – Where frtype specifies the frame type for this port:
  -for T1: esf (default) or d4.
  -for E1: fas or cas.
• mode t1|e1 – Specify whether this connection is T1 or E1.
• timeslots slotlist – Specify which available time slots are used by this port. Separate single slot numbers with commas and specify a range of slots with a hyphen. For example: 1,3,5-6.

Command: show
Synopsis: show port Wx | status Wy
Description: Display information about the configuration of the WAN port specified by Wx or the status of the WAN port specified by Wy.

For more information see the descriptions of WAN port configuration in Section 3.6, “WAN Tasks”.
4.2.3.42 The web Command

Table 4-46 explains the web command, which enables you to configure security settings on the embedded web server. This command is available when the MagnumDX(web)# prompt is displayed or from the MagnumDX# prompt using a web prefix. For example:

MagnumDX# web set cipher aes128
or
MagnumDX(web)# set cert mycert.pem

Table 4-46. CLI web Commands

Command: set
Synopsis: set cert certname | cipher ciphval | mode http|ssl
Description: Configure security settings on the system's embedded web server:
• cert certname – Where certname is the name of the certificate used by the web server when running over SSL (that is, when a browser accesses the server through the https:// URL and/or on port 443).
• cipher ciphval – Where ciphval specifies the type of encryption to support on the server. This parameter takes the following values:
  -any (3des, aes128, aes256, or rc4) (factory default)
  -3des
  -aes128
  -aes256
  -rc4
• mode http|ssl – Indicates if the server accepts non-secure HTTP requests. This parameter takes the following values:
  -http – The server accepts requests on port 80 (http://) or on port 443 (https://) (default).
  -ssl – The server will only allow connections over SSL. Any requests sent to port 80 (http://) will be re-directed to the https:// URL.

Command: show
Synopsis: show
Description: Display the current security setting of the embedded web server.

For more information see the description of web server security management in Section 3.10.4, “Web Server”.

Chapter 5 Operational Guide

5.1 Frame Relay

The Frame Relay protocol is supported on some DX devices.
Frame relay configuration requires the complementary configuration of parameters in the WAN section of the navigation bar and in the Serial: Frame Relay section.

5.1.1 Wide Area Network Ports

A Wide Area Network (WAN) port supports Digital Data Service (DDS) and has the following user configurable parameters:
• Name
• Speed – 56 or 64 kbps
• Local Management Interface (LMI) type – LMI, CCIT, ANSI, or None
• LMI mode – User or Net
• Fragment Size

You can view WAN port status and statistics, including:
• state
• received packets
• sent packets
• received octets
• sent octets

5.1.2 Data Link Channel Identifiers

You can configure a list of Data Link Channel Identifiers (DLCIs) with the following parameters:
• Name
• DLCI
• Committed Information Rate (CIR)

Once in the list a DLCI is an IP interface and may have an IP address and subnet mask set as with other interfaces, for example, VLANs and Ethernet ports that are not bridged. IP packets traversing the attached frame relay network are encapsulated in compliance with RFC-1490, and (possibly) fragmented as specified by FRF.12.

5.2 Quality of Service

In MagnumDX products, Quality of Service (QoS) features exist at both layer 2 (Ethernet, frame relay) and layer 3 (IP) and are implemented by a combination of tag analysis/marking and priority queuing.

At the IP layer, each packet header contains a Type of Service (ToS) field. This field contains a DiffServ code point that describes what sort of service routers should afford the packet as it is forwarded through the network. For IP-over-frame, packets are placed in one of four priority queues based on the DiffServ marking found in the IP header. For Serial-over-frame, packets are placed in one of four priority queues based on the priority assigned to that particular serial-over-frame channel.
For Ethernet, in addition to the DiffServ marking in the IP header, each Ethernet header may contain an IEEE 802.3ac tag containing IEEE priority information. Using this field, a priority of 0-7 may be assigned, with priority 0 being the lowest priority and priority 7 being the highest. For received Ethernet frames, the user may configure a port to assign packets to a priority queue based on the IEEE priority, the DiffServ marking, or the ingress port.

5.2.1 QoS Model

The following block diagram depicts the QoS model used by MagnumDX products. Each block represents a process or function that operates on a packet. The behavior of some blocks is defined through user configuration, represented by text in an attached box with dashed lines.

Figure 5-1. QoS Flow Chart
[Figure: processing blocks IP Stack Output, DiffServ Tagging (optional), Map DiffServ tag to 802.1p tag (optional), Bridge (Hardware or Software), Priority Classification at Ethernet Rx-n, Queue Controller (Q-1 ... Q-x ... Q-n), Ethernet Tx-n. User configuration boxes: a default priority queue for each port, used when the packet contains no tag or when port-based priority is configured; a DSCP to apply to specific packet types or flows (these rules are global and override application-specific DiffServ); an 802.1p tag to apply to the Ethernet frame based on the packet’s DiffServ tag (a global mapping); a priority assignment method for each port (use default/port-based priority, use tag, use DiffServ tag, prefer tag, prefer DiffServ tag); mappings from tags and from DiffServ to priority queues; strict priority queuing or fixed 8-4-2-1 weighted fair queuing (WFQ) discipline.]

5.2.1.1 Priority Queues

Magnum DX800, DX900, and DX1000 support four distinct priority queues for each Ethernet port. Note that the DX40 will NOT support priority queues for this release.

When a packet is received it is assigned one of four internal priority levels. It is then copied to some number of output ports (according to the switch's bridging rules) and placed in the queue that matches its priority level. The queuing discipline is implemented in hardware and is a fixed weighted fair queuing algorithm that services a certain number of packets from each queue and then moves on to the next queue. The weighting is 8-4-2-1, meaning that up to 8 priority-1 packets are sent, followed by up to 4 priority-2 packets, followed by up to 2 priority-3 packets, followed by a single priority-4 packet. In this way, low priority packets still have a chance (albeit at a lower rate) to egress the port when there is a heavy stream of higher priority traffic.

5.2.1.2 DiffServ Marking

DiffServ markings may be applied to any packet that is generated by the DX (for example, terminal server traffic, routed traffic, etc.). This is accomplished through the use of configurable rules that map DiffServ codepoints to particular packet types or flows. When an IP packet is sent from the stack (either due to IP forwarding or because the packet was sourced by the DX management process) it is compared with the configured filters. If a match is found, the codepoint associated with that filter is applied to the packet. This codepoint overrides any codepoint that was applied by an application (for example, the DiffServ marking applied by the terminal server process).

5.2.1.3 DiffServ Processing

The system can optionally be configured to assign packets to priority queues based on their DiffServ marking. If a packet is received that has an unknown marking (i.e.
one that is not explicitly configured and mapped to a priority), the packet is treated as if it were marked as Best Effort. The mapping of DiffServ markings to priority queues is configurable by the user.

Packets generated by the DX are always assigned a priority based on their DiffServ marking. When an IP packet is generated by the DX, the DiffServ marking may optionally be used to map to an Ethernet priority. The mapping between DiffServ codepoints and priorities is configurable by the user.

All Ethernet frames processed by the switch may optionally be assigned to a priority queue based on the frame's priority. Whether or not the priority is used for mapping and the mapping of priorities to queues is configurable by the user.

5.2.1.4 WAN ports

8-4-2-1 WFQ is also implemented on each WAN port and packets are classified based on their DiffServ marking (if IP-over-frame) or the configured channel priority (if Serial-over-frame) as shown in Figure 5-2.

Figure 5-2. WAN QoS Flow Chart
[Figure: TCP/IP Applications feed IP Stack Output, then DiffServ Tagging (optional; the user chooses a DSCP to apply to specific packet types or flows, and these global rules override application-specific DiffServ), then the WAN Driver, which uses the DiffServ tag to assign a priority queue in the Queue Controller (Q-1 ... Q-x ... Q-n) ahead of WAN Tx-n. Serial-to-Frame traffic enters the queue controller with a channel priority selected by the user.]

WAN QoS is controlled by the combination of Differentiated Services (DiffServ - RFC 2474) information in IP packets being forwarded out of a frame relay port and the settings of the fragment size for the port and CIR of the DLCI. The DiffServ value may be configured directly for a Terminal Server connection to any configured DiffServ code point.
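To make the 8-4-2-1 discipline described in Sections 5.2.1.1 and 5.2.1.4 concrete, here is an added simulation (not part of the manual or of GarrettCom's software) of the fixed weighted fair queuing round over four priority queues, next to strict priority queuing for comparison; the traffic mix it uses is constructed for the example. It shows that a lone priority-4 packet leaves in slot 15 of a saturated port under WFQ, but only after every higher-priority packet under strict priority.

```python
from collections import deque

# Service quanta per queue, highest priority first, as the text states: 8-4-2-1.
WFQ_WEIGHTS = (8, 4, 2, 1)


def wfq_schedule(queues, weights=WFQ_WEIGHTS):
    """Drain four priority queues with fixed weighted fair queuing.

    `queues[i]` holds the packets waiting in priority queue i+1 (index 0 is the
    highest priority). Each round sends up to weights[i] packets from queue i and
    then moves on; an empty queue simply yields its turn. Returns the egress order."""
    if len(queues) != len(weights):
        raise ValueError("expected one queue per weight")
    pending = [deque(q) for q in queues]   # copies, so the caller's lists are untouched
    egress = []
    while any(pending):
        for q, quantum in zip(pending, weights):
            for _ in range(quantum):
                if not q:
                    break
                egress.append(q.popleft())
    return egress


def strict_schedule(queues):
    """The same queues under strict priority (the alternative discipline offered
    in Figure 5-1): a lower queue sends only when every higher queue is empty."""
    pending = [deque(q) for q in queues]
    egress = []
    while any(pending):
        for q in pending:
            if q:
                egress.append(q.popleft())
                break
    return egress


def first_egress(order, tag):
    """Egress slot (0-based) at which a packet tagged `tag` first leaves the port."""
    return order.index(tag) if tag in order else -1


def saturated_share(weights=WFQ_WEIGHTS):
    """Fraction of egress each queue receives when every queue is always backlogged."""
    total = sum(weights)
    return [w / total for w in weights]


if __name__ == "__main__":
    # Constructed traffic mix: a heavy stream in queue 1, a trickle in queue 4.
    traffic = [["p1"] * 20, ["p2"] * 10, ["p3"] * 5, ["p4"] * 3]
    wfq, strict = wfq_schedule(traffic), strict_schedule(traffic)
    print("first WFQ round  :", wfq[:15])
    print("first p4 leaves at slot", first_egress(wfq, "p4"),
          "under WFQ versus slot", first_egress(strict, "p4"), "under strict priority")
    print("saturated shares :", saturated_share())
```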
Factory default code points include Default ("Best Effort" forwarding) as well as Expedited Forwarding (EF - RFC-2598), which requires a Per-Hop Behavior (PHB) that yields low loss, low latency, low jitter, and assured bandwidth (given by the CIR). Packets marked EF will be queued for forwarding out the WAN port ahead of default packets. Also, large packets are fragmented according to the settings of the port, so that EF packets do not have to wait for an entire large packet with some lower priority DiffServ value to finish transmission when started before the EF packet is queued, but must wait only for a fragment of the other to be sent. Note that the network must be designed so that only EF packets will be forwarded on any DLCI where any EF packet is forwarded, since the fragmentation standard does not permit interleaving of fragments from different packets over the same DLCI.

5.3 IP Addressing and Routing

Each Ethernet port is configured as either a bridged or unbridged (that is, routed) interface. An IP packet that is received on a routed interface is not switched at Layer 2 and can only be forwarded at Layer 3 by the Router. An IP packet that is received on a bridged port may be forwarded at Layer 2 but may also be handled at Layer 3 if the packet's destination MAC address equals the Router's MAC address.

Each routed Ethernet and VLAN interface in the system may be assigned its own IP address. In the special case where VLANs are disabled and all of the system's Ethernet interfaces are configured as bridged, the DX may only be assigned a single system IP address.

5.3.1 Default Configuration

By default, the product operates as a non VLAN-aware bridge. In this configuration, a single IP address may be assigned to the system for accessing the product's management and terminal server functions.
This IP address is assigned to the special Default interface in the IP address table.

5.3.2 Router Interfaces

Some or all of the system's Ethernet ports may be configured as routed interfaces. In this configuration, the ports configured as routed interfaces are isolated from the Ethernet switch and are connected directly to the system's routing function. Each routed interface may be assigned its own IP address. These IP addresses are assigned to "Ex" interfaces in the IP address table.

5.3.3 VLAN Interfaces

When VLANs are enabled, each VLAN that is added to the system becomes a virtual Ethernet interface that is accessible to the Router. Each VLAN may be assigned its own IP address. These IP addresses are assigned to "VIDx" interfaces in the IP address table.

5.3.4 IP Address Table

The IP address table contains one entry for each assigned IP address. An entry in the table contains three columns: interface name, IP address, and subnet mask. The interface name may be "Default", the port ID of a non-bridged (routed) Ethernet interface (for example, "E1"), or the VLAN ID of a virtual Ethernet interface (for example, "VID52"). Only a single Default interface entry exists and it may not be deleted. When VLANs are disabled, the System IP address is directly reachable via any bridged Ethernet port and indirectly reachable (via routing) through any non-bridged Ethernet port. When VLANs are enabled, the IP address assigned to this interface becomes the IP address assigned to the default VLAN (VID 1).

5.3.5 Routing Table

The system's IP routing table can be accessed through the user interface (see Section 3.8.2, “Static Routes”). The table includes routes that have been learned through the operation of routing services or routes that have been statically configured by a user. The routing table is used to make IP packet forwarding decisions.
5.3.6 Routing Services

MNS-DX supports the following routing services:
• Routing Information Protocol, specifically RIP, RIP-II, and RIP-II with multicasting as specified in RFCs 1058 and 1388
• Open Shortest Path First, Version 2 (OSPFv2) as specified in RFC 2328
• Border Gateway Protocol (BGP) as specified in RFC 4271
• Virtual Router Redundancy Protocol (VRRP) as specified in RFC 3768

5.4 DHCP Server

MNS-DX supports manual and dynamic allocation of IP addresses as defined in RFC 2131 (Dynamic Host Configuration Protocol).

Manual (static) allocation creates a permanent, static mapping between a host's MAC address and an IP address and subnet mask. In this case the purpose of the DHCP server is simply to tell a host what its IP address is when its network interface comes online.

Dynamic allocation allows automatic reuse of addresses by granting temporary address leases to hosts as they are requested. When a lease expires, the host must renew the lease with the server. If a lease is not renewed, that address may be allocated to a new host. For dynamic allocation, a set of address pools (or "ranges") is configured on the server and new addresses are selected from these pools.

You can define up to 16 dynamic address ranges and up to 100 static addresses. The total number of reserved addresses (both static and dynamic) cannot exceed 100.

The DHCP server can also send additional host parameters to each client. The parameters supported in this release are the gateway, the primary and secondary DNS servers, and the DNS domain suffix.

5.5 SNMP

The Simple Network Management Protocol (SNMP) is a protocol for managing network devices. It involves a central manager, an agent monitoring each device, and a database of information called a Management Information Base (MIB). MNS-DX implements the agent part of this framework. You can configure the SNMP agent with the SNMP: Global Settings screen described in Section 3.2.4.1.
This screen also lets you specify up to four management stations to which the agent can send trap information. Monitoring the gathered information is a task for your Network Management System.

5.5.1 Supported Versions and Features

MNS-DX supports SNMP v1, v2c, and v3. The intent of SNMPv3 support is to provide a secure (authenticated and encrypted) channel for managing the device using common SNMP-based tools. Therefore, SNMPv3 support is limited to the User-based Security Model (USM) as defined in RFC 2574. The more complicated View-based Access Control Model (VACM) defined in RFC 2575 is not supported at this time.

You have the option of completely disabling the SNMP agent, enabling the agent to accept SNMP v1 or v2c PDUs, or enabling the agent to accept only SNMP v3 PDUs. When configured for v1/v2c operation, access to the MIB is controlled via community string. When configured for v3 operation, access to the MIB is controlled on a per-user basis. The total number of user accounts is limited to a maximum of 32.

Each user account can be configured to require authentication and/or data encryption. User authentication can be configured to use either the SHA-1 or the MD5 hash algorithm. Data encryption options are limited to DES. For simplicity, each user account is assigned a single password that is used to create both the "authKey" and the "encryptKey" defined in RFC 2574. The SNMP v3 agent implementation also includes a configurable engine ID, a nonvolatile boot count, and a counter that indicates the number of seconds since the last boot. These variables provide some level of protection against message delay and message replay attacks.

MNS-DX supports the following MIBs:
• MIB-II
• TARGET-MIB
• SNMP-NOTIFICATION-MIB
• SNMP-USER-BASED-SM-MIB
• DX ENTERPRISE MIB

All MIBs are read-only.
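To make the single-password scheme above concrete, here is the RFC 2574/3414 password-to-key derivation as an added Python example (not MNS-DX code). The password and engine ID are the RFC's own published test vector, and the DES key split follows RFC 3414 section 8.1.1.1; a real unit's engine ID is the one shown in its SNMP settings.

```python
"""SNMPv3 USM password-to-key derivation (RFC 2574 / RFC 3414, appendix A.2).

Added example, not MNS-DX code. MNS-DX derives both the authKey and the
encryptKey of a user from one password (5.5.1); this shows what the RFC
algorithm turns such a password into, checked against the RFC's own test
vector (password "maplesyrup", engine ID 00..02). The engine ID of a real
unit is the one shown in its SNMP settings, which this example does not have.
"""
import hashlib

# Constructed values: the test vector from RFC 3414, appendix A.3.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1: repeat the password to exactly 1,048,576 bytes and hash it.

    The expansion makes brute-forcing the password somewhat more expensive;
    it does not turn a short password into a strong key."""
    if not password:
        raise ValueError("empty password")
    total = 1048576
    reps = total // len(password) + 1
    return hashlib.new(algo, (password * reps)[:total]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), so the same password
    yields a different key on every agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: bytes, engine_id: bytes, auth_proto: str = "md5") -> dict:
    """Return the localized keys a USM user ends up with on one agent.

    Because MNS-DX uses a single password for both purposes, the privacy
    key comes from the same Kul; for DES (RFC 3414 8.1.1.1) the first
    8 bytes of the 16-byte privacy secret are the DES key and the last
    8 bytes are the pre-IV. Anyone who learns the password has both."""
    kul = localize(password_to_ku(password, auth_proto), engine_id, auth_proto)
    priv_secret = kul[:16]
    return {
        "authKey": kul.hex(),
        "desKey": priv_secret[:8].hex(),
        "preIV": priv_secret[8:16].hex(),
    }


if __name__ == "__main__":
    for proto in ("md5", "sha1"):
        print(proto, usm_keys(RFC_PASSWORD, RFC_ENGINE_ID, proto))
```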
MNS-DX supports the following standard SNMP traps:
• LINK UP
• LINK DOWN
• WARM START
• COLD START

5.6 RSTP

The Rapid Spanning Tree Protocol (RSTP) constructs a system linking the elements of a bridged local area network so as to supply redundancy, provide quick recovery from failure of a segment, and eliminate loops. The protocol is "spanning" in that it connects all elements in the system and a "tree" in that it connects these elements while remaining free of loops.

The original Spanning Tree Protocol (STP) was defined by IEEE standard 802.1D. The faster RSTP was first defined in IEEE 802.1w, and RSTP supersedes STP in IEEE 802.1D (2004). STP takes 45 to 60 seconds to recover from a failure because it needs to recalculate the entire tree after a failure. RSTP can recover in less than one second because it enables ports to actively communicate information about special conditions. MNS-DX supports both protocols, so that you can configure a port to use the older STP if necessary to accommodate a legacy bridge.

This section provides a high-level summary of the protocol to help you understand your options in configuring RSTP. For a more detailed understanding see the freely available IEEE 802.1D (2004) standard.

Access RSTP functionality in MNS-DX with the following screens:
• RSTP: Bridge Settings, described in Section 3.4.3.1.
• RSTP: Port Settings, described in Section 3.4.3.2.
• RSTP: Bridge Status, described in Section 3.4.3.3.
• RSTP: Port Status, described in Section 3.4.3.4.

5.6.1 RSTP Setup

When first configured with RSTP, the bridges in a system exchange messages with one another to elect a root bridge and to discover the shortest path from each bridge to the root bridge. The ports that enable the shortest paths are put into forwarding mode. All other ports are assigned backup or alternate roles.
When a stable tree has been established and traffic is being transmitted, the system is said to have achieved convergence.

Figure 5-3. Port Roles in a Rapid Spanning Tree Network (legend: R = Root port, D = Designated port, B = Backup port, A = Alternate port, E = Edge port; the figure shows one Root Bridge and several Designated Bridges)

5.6.1.1 BPDUs

The messages exchanged by the bridges are special data frames called Bridge Protocol Data Units (BPDUs). The BPDUs contain identifying information and information about the root path cost. The best path from a bridge to the root has the lowest path cost. (The measurement takes into account the bandwidth on intervening segments.) While the spanning tree is being calculated, the bridges exchange configuration BPDUs. Other types of BPDUs are exchanged during normal operation. MNS-DX supports a choice of cost style.

5.6.1.2 Bridge Roles

Each configured spanning tree has a single root bridge. All other bridges active in the system are designated bridges. For each segment, the connected bridge that provides the shortest path to the root bridge is that segment’s designated bridge.

5.6.1.3 Port Roles

After convergence each port in the tree is assigned one of four roles:

Table 5-1. RSTP Port Roles

Root: Each bridge (except the root bridge) has a single root port. This is the port with the lowest root path cost (the best way to the root). All traffic to and from the root bridge passes through the root port of the designated bridge.

Designated: Each bridge (except the root bridge) has at least one designated port. If only one port is connected to the segment, it is the designated port. If more than one port is connected to the segment, then the port with the best priority value in its ID is the designated port for the segment. Any port on the root bridge that is connected to a segment is a designated port.
All traffic to and from a specific segment passes through the designated port of the designated bridge.

Backup: A port on a designated bridge that is connected to the same segment as the designated port on that bridge. In the event of failure of the designated port, the backup port becomes the designated port. A backup port is blocked (inactive).

Alternate: A port that connects to a different segment than the root port on the same bridge. An alternate port provides an alternate path to the root that is inferior to the path provided by the root port. In the event of failure of the root port, the alternate port becomes the root port. An alternate port is blocked (inactive).

5.6.1.4 Edge Ports and Point-to-Point Links

There are two other ways of classifying ports that can enable a quick transfer to the forwarding state and thus faster convergence:
• Edge Port – This is a port that connects directly to an end station. Since it connects to a single host it is incapable of forming loops, so it may be safely placed in a forwarding state without going through the listening and learning stages.
• Point-to-Point Links – When a port connects directly to another switch it can safely be placed in forwarding mode.

5.6.1.5 Port States

The MNS-DX implementation of RSTP supports four operational states for a port:

Blocking – The port does not transmit or receive data frames, but it does continue to receive BPDUs.

Listening – The port can send and receive BPDUs, but it is not learning MAC addresses or forwarding data frames.

Learning – The port is receiving BPDUs and is learning MAC addresses, but it is not forwarding data frames.

Forwarding – The port is sending and receiving all packets.

Once the RSTP network is functioning, all traffic is by definition handled by the ports in the forwarding state.
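The root election and port-role assignment described in 5.6.1, as an added Python example (not MNS-DX code) run on a constructed four-bridge topology; the bridge IDs, MAC addresses, segment layout and path costs are all assumptions, and timers and edge ports are not modelled.

```python
"""Simplified RSTP root election and port-role assignment.

Added example, not part of MNS-DX. It models the priority-vector logic
summarised in 5.6.1: the bridge with the lowest (priority, MAC) bridge ID
becomes the root, every other bridge makes the port with the lowest root
path cost its root port, each segment elects one designated port, and every
remaining port becomes Backup (if the segment's designated port is on the
same bridge) or Alternate. Costs use the 32-bit RSTP cost style, with
20000 standing for a 100 Mb/s link. Timers and edge ports are not modelled.
"""
import heapq

INF = float("inf")

# Constructed topology. Bridge ID = (priority, MAC); the lower ID wins.
BRIDGES = {
    "A": (4096, "02:00:00:00:00:0a"),   # priority lowered so A is the root
    "B": (32768, "02:00:00:00:00:0b"),
    "C": (32768, "02:00:00:00:00:0c"),
    "D": (32768, "02:00:00:00:00:0d"),
}

# Each segment lists its attachments as (bridge, port, port path cost).
# seg2 and seg4 are shared media with two ports of one bridge attached.
SEGMENTS = {
    "seg1": [("A", "E1", 20000), ("B", "E1", 20000)],
    "seg2": [("A", "E2", 20000), ("A", "E3", 20000), ("C", "E1", 20000)],
    "seg3": [("B", "E2", 20000), ("C", "E2", 20000)],
    "seg4": [("C", "E3", 20000), ("D", "E1", 20000), ("D", "E2", 20000)],
}


def root_path_costs(bridges, segments):
    """Elect the root and compute each bridge's root path cost (Dijkstra).
    As in 802.1D, reaching a bridge costs the path cost of the port on
    which the BPDU arrives."""
    root = min(bridges, key=lambda b: bridges[b])
    dist = {root: 0}
    heap = [(0, bridges[root], root)]
    while heap:
        d, _, b = heapq.heappop(heap)
        if d > dist.get(b, INF):
            continue
        for attachments in segments.values():
            if not any(a[0] == b for a in attachments):
                continue
            for other, _port, cost in attachments:
                if other != b and d + cost < dist.get(other, INF):
                    dist[other] = d + cost
                    heapq.heappush(heap, (d + cost, bridges[other], other))
    return root, dist


def assign_port_roles(bridges, segments):
    """Return (root, root path costs, {(bridge, port): role})."""
    root, dist = root_path_costs(bridges, segments)
    # Designated port per segment: lowest (root path cost, bridge ID, port).
    designated = {
        seg: min(att, key=lambda a: (dist.get(a[0], INF), bridges[a[0]], a[1]))
        for seg, att in segments.items()
    }
    # Root port per non-root bridge: cheapest path offered by a segment's
    # designated bridge; ties go to the lower designated bridge ID, then
    # to the lower local port name.
    root_port = {}
    for seg, att in segments.items():
        dbridge, _, _ = designated[seg]
        for b, port, cost in att:
            if b == root or b == dbridge or dbridge not in dist:
                continue
            cand = (dist[dbridge] + cost, bridges[dbridge], port)
            if b not in root_port or cand < root_port[b]:
                root_port[b] = cand
    roles = {}
    for seg, att in segments.items():
        dbridge, dport, _ = designated[seg]
        for b, port, _ in att:
            rp = root_port.get(b)
            if rp is not None and rp[2] == port:
                role = "Root"
            elif (b, port) == (dbridge, dport):
                role = "Designated"
            elif b == dbridge:
                role = "Backup"
            else:
                role = "Alternate"
            roles[(b, port)] = role
    return root, dist, roles


if __name__ == "__main__":
    root, dist, roles = assign_port_roles(BRIDGES, SEGMENTS)
    print("root bridge:", root)
    for (b, port), role in sorted(roles.items()):
        print(f"{b}.{port}: {role} (root path cost {dist[b]})")
```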
5.6.2 RSTP Normal Operation

After initial configuration, RSTP functions by circulating BPDUs through the system. When these BPDUs indicate a change in the topology, such as failure of a link or the addition of a new node, the system is reconfigured. System maintenance is carried out by the BPDU traffic among the bridges. Maintenance is managed under certain configurable constraints:

Hello Time – The amount of time between the transmission of configuration BPDUs on any port. Valid range = 1-10 seconds. Default value = 2 seconds. A connection is considered lost if hellos are not received three consecutive times (by default, six seconds).

Forward Delay – Controls how long the bridge waits after any state or topology change before forwarding the information to the network. Valid range = 4-30 seconds. Default value = 15 seconds.

Maximum Age – The length of time a configuration BPDU remains valid before it is discarded.

5.6.3 Design Considerations

The RSTP protocol can make network decisions automatically. In fact, in the absence of manual intervention the protocol will completely configure the network; however, you may want to specify the settings for some or all of your bridges and ports. For instance, you may want to ensure that a particular bridge is the root bridge or that a certain port on a bridge is the designated port.

Note that you should use the Port: Settings screen to ensure that ports connecting to end stations are specified as edge ports, and that ports that connect to other bridges using RSTP are specified as Point ports (also known as Point-to-Point ports).

5.6.3.1 Configuring Bridge Settings

Use the RSTP: Bridge Settings screen, described in Section 3.4.3.1, to configure the following parameters:
• Enabled – Any bridge active in the system must have the Disabled/Enabled value set to Enabled.
• Priority – The default priority value is 32768 (in a valid range of 0-65535). If you know that you want a specific bridge to be the root bridge, set this value on that bridge lower than on any other bridge in the system. You can also effectively specify a bridge as an alternate root bridge, to take over if the original root bridge fails, by giving it a priority value only slightly higher than that of the root bridge. When you have more than one bridge connecting to the same LAN, you can determine which bridge becomes the designated bridge by setting its priority value low.
• Hello Time – The default Hello Time value is 2 seconds (in a valid range of 1-10). The manually configurable Hello Time value applies to the root bridge. A smaller Hello Time value results in quicker detection of topology changes but also in increased traffic on the system. Designated bridges use a Hello Time learned from BPDUs sent from the root bridge.
• Forward Delay – The default Forward Delay value is 15 seconds (in a valid range of 4-30). A shorter Forward Delay may result in quicker adaptation to topology changes. Designated bridges use a Forward Delay learned from BPDUs sent from the root bridge.
• Maximum Age – The default Maximum Age value is 20 seconds (in a valid range of 6-40). In a network that includes some slow links, it could be useful to set a higher value for Maximum Age.
• Cost Style – Specifies whether 16-bit (STP-style) or 32-bit (RSTP-style) path cost values are used.

5.6.3.2 Configuring Port Settings

Use the RSTP: Port Settings screen, described in Section 3.4.3.2, to configure the following parameters:
• Mode –
  • Point – Specify that any port that connects to another switch that uses RSTP is a point port.
  • Edge – Specify that any port that connects to an end station is an edge port.
  This allows direct transition to forwarding and prevents unnecessary topology change messages.
  • Legacy – Specify that a port that uses STP only is a legacy port.
• Port Priority – The default Port Priority value is 128 (in a valid range of 0-255). The RSTP protocol selects root, designated, and backup ports from among redundant ports on a bridge based on the port ID and the priority settings. To force the selection of a specific port as the root port, give it a low priority value.

5.7 VLAN

VLAN (Virtual Local Area Network) configuration is a technique for segmenting ports on an Ethernet switch into logical groupings. Each logical grouping behaves as if it were a separate physical LAN. A VLAN may also span multiple physical Ethernet switches through the use of frame tagging. The MNS-DX supports VLANs as specified in IEEE 802.1Q (2003). The following sections describe the VLAN implementation on DX devices.

5.7.1 Adding VLANs

Before you can use a VLAN you must explicitly add it to the switch configuration using the form provided in the VLAN: VIDs screen described in Section 3.4.4.2.

5.7.1.1 VLAN IDs

You can configure up to 16 VLANs, associating each with a VLAN ID (VID) in the range 1 through 4094 (the value 4095 is reserved), subject to the following limitations:
• VID 1 is the default VLAN
• VID 0 is defined as the NULL VID that is used in priority-tagged frames

Add a VLAN to the switch in the following steps:
1. Go to the VLAN: VIDs screen described in Section 3.4.4.2.
2. Enter a valid VID and VLAN Name in the fields provided in the Add VLAN form.
3. Click the Apply Settings button.

5.7.2 Configuring Ports for VLAN Membership

Each port to be included in a VLAN must be assigned a VID. Ports can also be configured to expect tagged or untagged frames and filtered to include or exclude specific VLANs.
5.7.2.1 Port VLAN IDs

A Port VLAN ID (PVID) is a user-configurable parameter that associates a native VLAN with a port. Each port is assigned exactly one PVID. By default, each port is assigned PVID 1.

5.7.2.2 Tagging

An Ethernet port in MNS-DX can be configured to expect tagged or untagged frames by setting the “Tagged?” field appropriately in the VLAN: Port Settings screen described in Section 3.4.4.3.

Tagged Field Set to No

When a port has its “Tagged?” field set to “No”, that port will:
• Admit all untagged or priority-tagged frames and mark them with the port's PVID
• Admit tagged frames if and only if the tagged VID matches the port's PVID. All other tagged frames will be dropped
• Strip all tag information (including VID and priority fields) from the frame before transmission

Tagged Field Set to Yes

When a port has its “Tagged?” field set to “Yes”, that port will:
• Admit untagged or priority-tagged frames and mark them with the port’s PVID
• Admit tagged frames if and only if the tagged VID matches the port's PVID or one of the VLANs assigned to that port. All other tagged frames will be dropped
• Transmit all frames with an appropriate VLAN tag

5.7.2.3 Filtering

An Ethernet port can be designated a "Trunk" port or an "Access" port. By default a trunk port is a member of all VLANs. It may optionally prohibit traffic from a list of VLANs, which you can configure using the VLAN: Port Settings screen described in Section 3.4.4.3. An access port only passes traffic associated with its native VLAN.

5.7.2.4 Frame Classification and Forwarding

Frames admitted to the switch are always tagged (with either the frame's original VID or the PVID of the port on which they entered), and the frame's VLAN tag is included in the criteria used by the bridge forwarding process. Specifically, a frame is only forwarded on a port that is a member of its tagged VLAN.
Note that other criteria, such as destination MAC address and port state, may prevent a frame from being forwarded on a port even if it has a matching VID.

Default Configuration

By default all ports are configured with “Tagging” set to “No,” “Mode” set to “Access,” and nothing configured in the "Prohibited VLANs" field. The default PVID is 1. In this configuration, the switch accepts untagged and priority-tagged frames as well as frames tagged with the default VLAN (VID 1). All other tagged frames are dropped.

Port-based VLANs

Port-based VLAN functionality may be emulated by making all ports untagged. Each VLAN operates as a virtual bridge within the larger physical switch. The VLANs have only local significance, since tags are always stripped before a frame is transmitted. Configure the switch for port-based VLANs by adding a VLAN for each port group in the following steps:
1. Go to the VLAN: VIDs screen described in Section 3.4.4.2.
   a. Add a VLAN for each group.
   b. Click the Apply Settings button.
2. Go to the VLAN: Port Settings screen described in Section 3.4.4.3.
   a. For each port, select the appropriate PVID based on the desired group (VLAN) membership.
   b. Click the Apply Settings button.

Tagged VLANs

The software supports tag-based VLAN operation. In this mode each port is either an access port (admitting only untagged frames or frames tagged with its PVID) or a trunk port (allowing all frames on the configured VLANs). Tags allow VLANs to span multiple physical bridges. Configure tagged VLANs using the following steps:
1. Go to the VLAN: VIDs screen described in Section 3.4.4.2.
   a. Add a VLAN for each group.
   b. Click the Apply Settings button.
2. Go to the VLAN: Port Settings screen described in Section 3.4.4.3.
   a. For each port that will be connected to an end device, set the “Mode” to “Access” and select the port’s PVID.
   b.
   For each port that will be connected to another switch, set the “Mode” to “Trunk”. This automatically sets the Tagging field to “Yes” and enables the "Prohibited VLANs" field. If you want to specify VLANs to be filtered from this trunk, do so now.
   c. Click the Apply Settings button.

5.7.3 VLANs and Serial Ports

This section describes the concept of Serial VLANs, a network design in which SCADA traffic is segregated from other network traffic by placing it on a separate VLAN. It also presents an example network application.

MagnumDX products offer the capability of segregating serial traffic from other network traffic using VLANs. Because the terminal server application encapsulates serial traffic in IP packets, it cannot directly assign serial ports to a VLAN. Instead, IP addresses are assigned to VLANs (creating virtual IP interfaces) and serial ports are in turn associated with local and/or remote IP addresses. Serial IP packets transmitted by MagnumDX include an 802.1Q VLAN tag if the following two conditions are met:
1. To reach a particular remote host, an IP packet must be sent over a virtual IP interface.
2. The selected physical transmission port (chosen based on VLAN assignments and MAC learning) is configured for VLAN tagging.

5.7.3.1 Example Scenario

Refer to Figure 5-4 for a depiction of the network configuration on which the following example is based.

Figure 5-4. Serial Ports and VLANs (labels in the figure: Host 1 192.168.3.101; Host 2 192.168.2.101; VLAN 1; VLAN 2; Serial IED 1; Serial IED 2; DX-3 with 192.168.3.1 and 192.168.1.1; DX-1 ports S1, S2, E1; DX-2 ports E1, E2, E3; Tagged Ethernet Network; VLAN 1: 192.168.1.10; VLAN 2: 192.168.2.10)

In this example, two serial IEDs are connected to remote management stations on different IP subnets, and the serial traffic is carried (for a portion of its trip) over separate tagged VLANs.
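The admission, classification and egress rules of 5.7.2.2 through 5.7.2.4, applied to DX-2 of Figure 5-4, as an added Python example (not MNS-DX software). The port layout is taken from the figure and the Configuration list that follows; the VlanSwitch, PortConfig and Frame names and the filtered variant are assumptions of this example.

```python
"""VLAN ingress admission, classification and egress tagging on MNS-DX ports.

Added example, not MNS-DX code. It implements the rules of 5.7.2.2 through
5.7.2.4 (the "Tagged?" field, the PVID, Access/Trunk filtering with
prohibited VLANs, and forwarding only to member ports) and applies them to
the DX-2 port layout of Figure 5-4: E1 a tagged trunk, E2 an untagged
access port in VLAN 1, E3 an untagged access port in VLAN 2. MAC learning
and port state are left out, so admitted frames are flooded to every other
member port.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortConfig:
    pvid: int                            # native VLAN of the port
    tagged: bool = False                 # the "Tagged?" field
    mode: str = "Access"                 # "Access" or "Trunk"
    prohibited: frozenset = frozenset()  # trunk only: VLANs filtered out


@dataclass
class Frame:
    vid: Optional[int] = None   # None = untagged, 0 = priority-tagged (NULL VID)
    priority: int = 0


class VlanSwitch:
    def __init__(self, vids, ports):
        self.vids = set(vids) | {1}      # VID 1 (the default VLAN) always exists
        self.ports = ports

    def members(self, name):
        """VLANs a port is a member of: all but the prohibited ones on a
        trunk, only the native VLAN on an access port (5.7.2.3)."""
        p = self.ports[name]
        if p.mode == "Trunk":
            return self.vids - set(p.prohibited)
        return {p.pvid}

    def admit(self, name, frame):
        """Classify an ingress frame; return its VID, or None if dropped."""
        p = self.ports[name]
        if frame.vid is None or frame.vid == 0:
            return p.pvid                       # untagged / priority-tagged
        if frame.vid == p.pvid:
            return p.pvid                       # tag equals the native VLAN
        if p.tagged and frame.vid in self.members(name):
            return frame.vid                    # Tagged? = Yes, assigned VLAN
        return None                             # any other tagged frame

    def forward(self, ingress, frame):
        """Return [(egress port, VID carried in the tag, or None if stripped)]."""
        vid = self.admit(ingress, frame)
        if vid is None or vid not in self.vids:
            return []
        out = []
        for name, p in self.ports.items():
            if name == ingress or vid not in self.members(name):
                continue
            out.append((name, vid if p.tagged else None))
        return out


# Constructed: DX-2 of Figure 5-4.
DX2 = VlanSwitch(
    vids=[1, 2],
    ports={
        "E1": PortConfig(pvid=1, tagged=True, mode="Trunk"),
        "E2": PortConfig(pvid=1),
        "E3": PortConfig(pvid=2),
    },
)

# Same switch with VLAN 2 prohibited on the trunk (a filtering example).
DX2_FILTERED = VlanSwitch(
    vids=[1, 2],
    ports={
        "E1": PortConfig(pvid=1, tagged=True, mode="Trunk",
                         prohibited=frozenset({2})),
        "E2": PortConfig(pvid=1),
        "E3": PortConfig(pvid=2),
    },
)

if __name__ == "__main__":
    print(DX2.forward("E3", Frame()))           # Host 2's frame -> E1 tagged VID 2
    print(DX2.forward("E1", Frame(vid=2)))      # reply from the cloud -> E3 untagged
    print(DX2.forward("E2", Frame(vid=2)))      # tag mismatch on untagged port: dropped
    print(DX2_FILTERED.forward("E3", Frame()))  # VLAN 2 prohibited on trunk: nowhere
```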
Configuration

The DXs illustrated in Figure 5-4 are configured as follows:
• DX-1 is configured with VLANs enabled and two VLANs defined. Each VLAN becomes a virtual IP interface on the switch. VLAN 1 and its IP interface are assigned the address 192.168.1.10. VLAN 2 and its IP interface are assigned the address 192.168.2.10. Port E1 is configured as a VLAN trunk that carries tagged traffic for both VLANs.
• DX-2 is configured with VLANs enabled and the same two VLANs defined as for DX-1. Port E1 is also configured as a trunk. Port E2 is configured as an untagged access port assigned to VLAN 1, and port E3 is configured as an untagged access port assigned to VLAN 2.
• DX-3 is configured as a router. Port E1 is assigned the IP address 192.168.1.1. Port E2 is assigned the IP address 192.168.3.1.

The Serial IEDs illustrated in Figure 5-4 are configured as follows:
• Serial IED 1 is connected to serial port S1 on DX-1 and is bound to the local IP address 192.168.1.10.
• Serial IED 2 is connected to serial port S2 on DX-1 and is bound to the local IP address 192.168.2.10.

The hosts illustrated in Figure 5-4 are configured as follows:
• Host 1 is a management station assigned the IP address 192.168.3.101. It communicates with Serial IED 1.
• Host 2 is a management station assigned the IP address 192.168.2.101. It communicates with Serial IED 2.

Traffic Flow

Assume that all routing tables have been statically configured or that a routing protocol is running. Host 1 initiates a TCP connection for communication with Serial IED 1 (192.168.3.101 → 192.168.1.10), and Host 2 initiates a TCP connection for communication with Serial IED 2 (192.168.2.101 → 192.168.2.10).

When Host 1 sends a request packet to Serial IED 1, the packet is forwarded to the router at 192.168.3.1. The router then forwards the packet on its 192.168.1.1 interface to DX-1 at 192.168.1.10.
The packet is transmitted out DX-3's port E1 and received by DX-2's port E2, where it is classified as belonging to VLAN 1. Because the frame must be switched out port E1, and that port is a tagged VLAN trunk, an 802.1Q tag for VLAN 1 is added to the Ethernet frame before transmission. The tagged frame then passes through the tagged Ethernet cloud and is eventually received on port E1 of DX-1, where the encapsulating Ethernet and TCP/IP headers are removed and the serial data is transmitted out port S1. When Serial IED 1 responds, a similar flow occurs in the opposite direction.

When Host 2 sends a request packet to Serial IED 2, the packet is forwarded directly to DX-1 at 192.168.2.10. The packet transmitted by Host 2 is received by DX-2's port E3, where it is classified as belonging to VLAN 2. Because the frame must be switched out port E1, and that port is a tagged VLAN trunk, an 802.1Q tag for VLAN 2 is added to the Ethernet frame before transmission. The tagged frame then passes through the tagged Ethernet cloud and is eventually received on port E1 of DX-1, where the encapsulating Ethernet and TCP/IP headers are removed and the serial data is transmitted out port S2. When Serial IED 2 responds, a similar flow occurs in the opposite direction.

5.8 Security

The following sections briefly describe the security features of MNS-DX.

5.8.1 Ethernet Port Security

MNS-DX offers the ability to disable Ethernet ports upon access by an unauthorized station. Each port may be placed in either of two security modes: address locking or link locking.

5.8.1.1 Address Locking

In address locking mode a port detects an unauthorized station by comparing the source MAC address in the frames that it receives to a list of authorized MACs. If the source MAC is not in the authorized list, the port is locked out, which effectively disables the port by electrically isolating its PHY.
Once a port is locked out it will not be re-enabled until it is explicitly unlocked by an administrator. Lock-outs persist across resets.

When static MAC addresses have been configured on a port by an administrator, those addresses are treated as the list of authorized MACs. If no static MAC addresses are configured, the port will "learn" the source address of the first frame it receives and treat that MAC address as the single authorized MAC for the port. Learned authorized MACs persist across resets. If a static MAC is configured after a port has learned an authorized MAC, the learned MAC is forgotten and the configured static MACs are treated as the list of authorized MACs. If all static MACs are removed from a port, the port will learn a new authorized MAC.

5.8.1.2 Link Locking

In link locking mode a port is locked out if it loses link. Note that if a port is configured for link locking while it is down, it is not automatically locked out. It waits for the link to go up and then down before locking out.

5.8.2 Serial Port Security

MNS-DX supports the ability to carry serial data over authenticated, encrypted TCP connections using the SSL protocol (SSLv3 or TLSv1). RSA public key cryptography and X.509 certificates are used to verify the authenticity of a connecting entity. Once a connection has been established, any of a number of encryption algorithms may be employed, including DES, 3DES, AES (128 or 256 bit), or RC4 (128 bit). Either MD5 or SHA-1 may be used for generating message authentication codes.

5.8.2.1 Serial Data Over SSL

SSL is a cryptographic protocol that creates a secure data transfer session over a standard TCP connection. It provides both authentication and privacy and supports a large number of cryptographic algorithms. When an SSL connection is first established, a handshake protocol is executed.
The handshake accomplishes the following:
• negotiates connection parameters
• optionally authenticates the peer
• determines a shared master secret

If the handshake succeeds, data transferred over the connection is encrypted using the negotiated encryption algorithm and the shared master secret.

For more detailed information on SSL see the following texts:

Rescorla, Eric. SSL and TLS: Designing and Building Secure Systems. Addison-Wesley. ISBN 0201615983.

Viega, John; Messier, Matt; Chandra, Pravir. Network Security with OpenSSL. O'Reilly Media, Inc. ISBN 0-596-00270-X.

5.8.2.2 MNS-DX SSL Version Support

Each terminal server connection on a MagnumDX product may be authenticated and encrypted using SSL. The product supports the following versions of SSL:
• SSLv3
• TLSv1

SSLv2 has many known vulnerabilities and is not supported.

5.8.2.3 Secure Web Server using HTTP over SSL (https://)

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that protect traffic on the Internet. Both SSL and non-SSL access to the web server are always available. The system is shipped with a default web server key and certificate. We recommend that you generate and install a new key file. You can do this by uploading the file to the keys screen and then selecting the new key on the web server configuration screen. No reboot is necessary for the change to take effect.

5.8.3 Keys and Certificates

MNS-DX supports RSA public key encryption and X.509 certificates. RSA is a widely used algorithm for public key encryption. X.509 is an International Telecommunication Union Telecommunication Standardization Sector (ITU-T) standard for public key infrastructure (PKI). MNS-DX uses keys and certificates encoded in the Privacy Enhanced Mail (PEM) format. These files conventionally use the .pem extension.
A PEM file containing both a valid X.509 certificate chain and a valid RSA private key is treated as a certificate file. Manage these files with the Certificates: Local screen described in Section 3.10.1.1 and the Certificates: CAs screen described in Section 3.10.1.2. For an extended discussion and examples of key file and certificate file generation, see Section 5.8.3.9, “Certificate and Key File Generation”.

5.8.3.1 RSA Public Key Cryptography

RSA public key cryptography is the most popular of the so-called asymmetric cryptography algorithms. Unlike symmetric cryptography, which uses a single key for encryption and decryption operations, asymmetric cryptography uses a pair of keys. One of the keys is published and well known, while the other is private and known only to its owner. Information encrypted with the public key can only be decrypted with the private key, and vice versa. This special property is what allows us to use asymmetric cryptography as a way of creating digital signatures.

5.8.3.2 Digital Signatures

Digital signatures provide a way of verifying that an electronic document was generated by a certain entity. Digital signatures protect electronic documents against tampering and forgery. Digital signatures may be created using RSA public key cryptography. The basic technique involves creating a message digest of a plaintext document and then encrypting the result with the author’s private key. The original plaintext document and the digested/encrypted version (the signature) are passed to a recipient, who then decrypts the signature using the author’s public key and compares the result to the message digest of the original plaintext document. If there is a match, the signature is valid. SSL authentication involves validating the digital signature on an electronic document known as an X.509 certificate.
5.8.3.3 X.509 Certificates

An X.509 certificate is an electronic document used to publish a public key. It generally contains additional information that describes the certificate owner’s name, organization, and contact information. The certificate is digitally signed by a trusted third party to prove its authenticity. Certificates may be chained, with each certificate in the chain holding the RSA public key of the entity that signed the previous certificate. In this way, a “chain of trust” is established from the entity being authenticated to a mutually trusted third party known as a Certificate Authority.

5.8.3.4 Certificate Authority

A Certificate Authority (CA) is usually a well-known, trusted entity that issues signed certificates for entities that wish to distribute their RSA public key. You can think of a CA as the equivalent of a notary public for the Internet. A CA has its own RSA public and private key pair that it uses to sign X.509 certificates. It publishes its public key in a root X.509 certificate that is self-signed. This means that there is no way to digitally verify the authenticity of a root CA certificate. You must choose which root CA certificates to trust. Often, root CA certificates are distributed “out-of-band” or bundled with software that uses SSL.

5.8.3.5 MNS-DX Certificate Files

MNS-DX does not come with any bundled or pre-installed root CA certificates. You must generate or otherwise acquire these certificate files and install them on each unit. This is accomplished through the “Security: Certificates” screen. To use an installed certificate, you must tell the software that you trust the issuing entity by marking the “Trusted” checkbox next to the certificate name and pressing the Apply Settings button.
Again, this is required because the certificate is self-signed and therefore its authenticity cannot be verified (that is, anyone can generate a self-signed certificate). MNS-DX only understands X.509 certificates that are encoded in the Privacy Enhanced Mail (PEM) format. This is an ASCII text format that is easy to cut and paste into files or mail messages. An example PEM-encoded X.509 certificate is shown below (the base64-encoded body is omitted here):

-----BEGIN CERTIFICATE-----
[base64-encoded certificate body omitted]
-----END CERTIFICATE-----

5.8.3.6 MNS-DX Key Files

You must generate or otherwise acquire key files for your system and install them on each unit. This is accomplished using the Security: Keys screen. MNS-DX requires that a key file is assigned to any serial port that will use SSL. Note, in some connection scenarios, a key file is not strictly necessary to establish a secure connection, but a key file assignment is still required by the software because these scenarios cannot always be predicted. Each port may have a different assigned key file. You can enable SSL on a port and assign key files to ports using the Security: Serial screen. MNS-DX only understands key files that are encoded in the Privacy Enhanced Mail (PEM) format. The key file consists of multiple parts:

1. An RSA private key
2. The signed X.509 certificate that contains the matching public key for #1
3. The X.509 certificate of the root CA that signed the certificate in #2

An example key file is shown below (the base64-encoded bodies of the three blocks are omitted here):

-----BEGIN RSA PRIVATE KEY-----
[base64-encoded RSA private key omitted]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[base64-encoded system certificate omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64-encoded root CA certificate omitted]
-----END CERTIFICATE-----

5.8.3.7 Key Exchange

SSL does not use RSA keys to actually encrypt data sent over the secure connection. Before data transmission can begin, the peer entities must agree on a shared secret key that will be used by a symmetric encryption algorithm such as 3DES or AES. This process is called key exchange.
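A structural check on a key file in the layout described in 5.8.3.6 above, added here as an example (not GarrettCom code): it parses the PEM blocks, verifies that each body is valid base64 decoding to a DER SEQUENCE, and confirms the file holds one RSA private key plus at least two certificates. Block order is not enforced because Step 6 of Section 5.8.3.9 concatenates the certificate first; the sample blocks are constructed stand-ins, not real keys, and the check does not verify signatures or that the key matches the certificate.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body (possibly several lines), END line
# carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def parse_pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text.

    Raises ValueError when a body is not valid base64 or does not decode to a
    DER SEQUENCE (first byte 0x30), which both X.509 certificates and PKCS#1
    RSA private keys start with.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("bad base64 in %s block: %s" % (label, exc))
        if not der or der[0] != 0x30:
            raise ValueError("%s block does not decode to a DER SEQUENCE" % label)
        blocks.append((label, der))
    return blocks


def check_key_file(text):
    """Return (ok, message) for a candidate MNS-DX key file.

    Expects exactly one RSA PRIVATE KEY block and at least two CERTIFICATE
    blocks (the system certificate and the root CA certificate that signed
    it).  Block order is not enforced: the example listing puts the key
    first, while Step 6 of Section 5.8.3.9 concatenates the certificate first.
    """
    try:
        labels = [label for label, _ in parse_pem_blocks(text)]
    except ValueError as exc:
        return False, str(exc)
    keys = labels.count("RSA PRIVATE KEY")
    certs = labels.count("CERTIFICATE")
    if keys != 1:
        return False, "expected exactly one RSA PRIVATE KEY block, found %d" % keys
    if certs < 2:
        return False, "expected system and CA certificates, found %d CERTIFICATE block(s)" % certs
    if keys + certs != len(labels):
        extra = sorted(set(labels) - {"RSA PRIVATE KEY", "CERTIFICATE"})
        return False, "unexpected block types: %s" % extra
    return True, "key file OK: 1 private key, %d certificates" % certs


def _fake_block(label, payload):
    """Wrap a constructed DER-looking payload in PEM armor (test data only)."""
    body = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed stand-ins: tiny DER SEQUENCEs, not real keys or certificates.
KEY = _fake_block("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")
SYS_CERT = _fake_block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
CA_CERT = _fake_block("CERTIFICATE", b"\x30\x03\x02\x01\x02")

GOOD_KEY_FILE = KEY + SYS_CERT + CA_CERT        # order of the listing above
STEP6_ORDER = SYS_CERT + KEY + CA_CERT          # order produced by 'cat' in Step 6
MISSING_CA = KEY + SYS_CERT                     # CA certificate left out
CORRUPT_BODY = GOOD_KEY_FILE.replace("MAMCAQA=", "MAMCAQ!=", 1)  # damaged base64

if __name__ == "__main__":
    for name, sample in (("good", GOOD_KEY_FILE), ("step6", STEP6_ORDER),
                         ("missing-ca", MISSING_CA), ("corrupt", CORRUPT_BODY)):
        print(name, check_key_file(sample))
```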
The SSL client encrypts a random secret using the server’s public RSA key and passes the result to the server. Since only the server knows the matching private key, it is the only entity that can decrypt the message and discover the shared secret. MNS-DX does not currently support alternative key exchange algorithms such as Diffie-Hellman.

5.8.3.8 Peer Authentication

MNS-DX supports peer authentication for both clients and servers, but it is always optional and configurable by the user. By default, peer authentication is not performed. When peer authentication is required, the SSL handshake fails and the connection is closed unless the following conditions are met:

1. The entity being authenticated must prove that it owns the public key in the certificate that it presented. This is accomplished by using its private key to encrypt some data that the authenticator decrypts and verifies.
2. The signature on the supplied certificate must be valid and verifiable (that is, the signing entity’s certificate must be signed by another verifiable entity or by a trusted entity such as a CA).
3. The current system date and time must be within the supplied certificate’s valid time range.

5.8.3.9 Certificate and Key File Generation

This section gives an example of how to create a root CA certificate and System Key File that can be used in conjunction with MNS-DX. The example uses the OpenSSL command line tool, which is freely available software that runs under Linux, Mac OS X, and Cygwin for Microsoft Windows. For more information on OpenSSL, see the following text:

Viega, John; Messier, Matt; Chandra, Pravir. Network Security with OpenSSL. O’Reilly Media Inc., ISBN 0-596-00270-X.

NOTE: In the following example files, text in italic font is user-supplied input.
Step 1: Generate an RSA key and a certificate request for your CA

$ openssl req -newkey rsa:1024 -nodes -sha1 -keyout cakey.pem -out careq.pem
Generating a 1024 bit RSA private key
.............................................................++++++
.............++++++
writing new private key to 'cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:North Andover
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DYMEC, Inc.
Organizational Unit Name (eg, section) []:Technical Services
Common Name (eg, YOUR name) []:Support
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 2: Generate a self-signed CA certificate from the request

$ openssl x509 -req -in careq.pem -sha1 -signkey cakey.pem -out cacert.pem
Signature ok
subject=/C=US/ST=MA/L=North Andover/O=DYMEC, Inc./OU=Technical Services/CN=Support/[email protected]
Getting Private key

Step 3: Create the CA’s Key File

$ cat cacert.pem cakey.pem > ca.pem

Step 4: Create an RSA key and a certificate request for your system

$ openssl req -newkey rsa:1024 -nodes -sha1 -keyout syskey.pem -out sysreq.pem
Generating a 1024 bit RSA private key
.++++++
.................++++++
writing new private key to 'syskey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:North Andover
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DYMEC, Inc.
Organizational Unit Name (eg, section) []:Network Planning
Common Name (eg, YOUR name) []:Planner
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 5: Create the system’s certificate and have it signed by the CA

$ openssl x509 -req -in sysreq.pem -sha1 -CA ca.pem -CAkey ca.pem -CAcreateserial -out syscert.pem
Signature ok
subject=/C=US/ST=MA/L=North Andover/O=DYMEC, Inc./OU=Network Planning/CN=Planner/[email protected]
Getting CA Private Key

Step 6: Create the System Key File

$ cat syscert.pem syskey.pem cacert.pem > sys.pem

5.8.3.10 Certificate and Key File Installation

After generating your root CA certificate and key file, you must install them on your system. Use the Certificates: Local screen, described in Section 3.10.1.1, and the Certificates: CAs screen, described in Section 3.10.1.2, to do this.

5.8.4 IP Firewall

An IP Firewall provides packet filtering services that can, in some cases, prevent unauthorized access to network resources. MNS-DX supports basic static IP filters as well as stateful firewall functionality.

5.8.4.1 IP Filters

The IP Firewall can be enabled on a per-IP-interface basis. After the firewall is enabled on an interface, all packets received on that interface are discarded. Regardless of the firewall settings, packets are always allowed to egress any interface.
Filter rules must be defined that specify the parameters of packets that are allowed to bypass the firewall. Each filter rule can be thought of as creating a "hole" in the firewall. An IP packet entering the system through an interface that has the firewall disabled is processed normally; that is, it is forwarded according to the routing table. See the user interface description (beginning at Section 3.10.6) for the behavior of the firewall when specific fields are not set.

Typically a firewall is placed between a public "outside" network and a private "inside" network. Once the firewall is enabled on the "outside" interface, no traffic is allowed to pass from the "outside" to the "inside" of the network. Basic IP filters are typically used to allow clients on the "outside" to access a network resource, such as a file or terminal server, that is located on the "inside" network. This is accomplished by adding a filter rule that references the server address (destination address) and service (protocol and port) associated with the resource. Optionally, the address of the client (source address) may also be specified to further restrict the type of access that is allowed.

A simple example of accessing a terminal server located behind a firewall is shown in Figure 5-5. The filter only allows Host 1 at 10.1.0.2 to access Host 3 at 10.2.0.2 using TCP connection port 10201. All other access is denied. For example, packets from Host 2 to 10.2.0.2 on TCP port 10201 will be discarded.

[Figure 5-5. Simple IP Firewall Example. Outside Network: Host 1 (10.1.0.2/16) and Host 2 (10.1.0.3/16), attached to firewall interface E1 (10.1.0.1/16). Inside Network: Host 3 (10.2.0.2/16), attached to firewall interface E2 (10.2.0.1/16). Firewall enabled on E1. Filter rule applied to E1: SRC = 10.1.0.2/255.255.0.0, DST = 10.2.0.2/255.255.0.0, Protocol = TCP/Dest. Port = 10201.]

Another common application is for a client on the inside to access a network resource on the outside. Many utility customers set up their networks so that the terminal server on the inside network initiates a connection to a management system on the outside network. This application is supported by the basic IP filtering functionality. The only difference is that instead of opening a hole for request packets from the outside, the hole must be opened for reply packets. Typically, in a reply packet, the well-known port for the network service is found in the Source Port field. For example, to support the example depicted in Figure 5-5, but with the inside host connecting to the outside host, the filter rule must be changed so that Protocol = TCP/Source.

5.8.4.2 Stateful Firewall

The stateful firewall provides finer-grained control over packets that are allowed to pass. When a packet that matches a stateful firewall rule egresses an interface, the software automatically opens a hole in the firewall that allows return packets to bypass filtering. The hole is temporary and is specifically for the traffic flow associated with the packet that matched the stateful rule. The stateful firewall supports the TCP, UDP, and ICMP protocols. TCP state information and the associated temporary hole are maintained for the duration of the connection. Since UDP and ICMP are stateless protocols, firewall state and the associated temporary hole for these protocols are kept for a short time and then deleted. The default timeout for UDP and ICMP state is 120 seconds.

The operation of the stateful firewall is best described in terms of a timeline. In Figure 5-6 a stateful firewall rule has been applied to E1 which allows the host on the inside to make a TCP connection to the host on the outside using a temporary hole opened specifically for that connection. The stateful rule specifies the parameters of the packet that egresses E1 in order to establish the connection (that is, the initial TCP SYN packet from 10.2.0.2). In this case, we are allowing Host 2 to access a web server running on Host 1.

[Figure 5-6. Stateful IP Firewall Example. Outside Network: Host 1 (10.1.0.2/16) on firewall interface E1 (10.1.0.1/16). Inside Network: Host 2 (10.2.0.2/16) on firewall interface E2 (10.2.0.1/16). Timeline: SYN from Host 2 egresses E1 and the temporary hole is created; SYN, ACK from Host 1 passes back in through the hole; ACK from Host 2 completes the handshake. Firewall enabled on E1. Stateful rule applied to E1: SRC = 10.2.0.2/255.255.0.0, DST = 10.1.0.2/255.255.0.0, Protocol = TCP/Dest. Port = 80.]

TCP Connection Logging

Logging of TCP connections is provided as an option when specifying a stateful firewall filter rule. If an outgoing TCP connection matches the rule, the start and end of the connection are written to the system event log. These events may also be optionally sent to a remote syslog collector. An example set of log records for a TCP connection is shown below:

<6>Nov 21 11:12:30 2007 192.168.1.101 TCP (192.168.1.42, 2688) <-> (192.168.3.98, 23) established.
<6>Nov 21 11:12:36 2007 192.168.1.101 TCP (192.168.1.42, 2688) <-> (192.168.3.98, 23) ended.

5.8.4.3 Filter Rules

A firewall filter rule contains the following fields:

• Source IP Address and Mask
These two parameters specify the source address (or range of source addresses) that match the rule. If no address or mask is specified, any source address matches the rule. If the mask is not specified, an exact match is required. If the mask is specified, bit positions that are set in the mask are treated as wild cards for the purpose of matching a packet's source address to the rule.

• Destination IP Address and Optional Mask
These two parameters specify the destination address (or range of destination addresses) that match the rule. If no address or mask is specified, any destination address matches the rule. If the mask is not specified, an exact match is required. If the mask is specified, bit positions that are set in the mask are treated as wild cards for the purpose of matching a packet's destination address to the rule.

• Protocol and Direction
This parameter selects the IP protocol (and possibly the directionality of the port list) that matches this rule. Possible protocols are TCP, UDP, ICMP, ESP, and AH. Source or destination may be chosen for the TCP or UDP protocol types, and this determines whether the source or destination port is specified by the port list parameter.

• TCP/UDP Port or ICMP Type List
This parameter is a list of port numbers or ICMP types. The list of numbers is delimited by commas and may contain ranges specified using a hyphen. For example, the string "22, 23, 10201-10204" is a valid list. For information on network ports and ICMP types see Appendix B, “Port and Type Reference”.

For detailed information see Section 3.10.6, Firewall, and the descriptions of the Firewall: IP Interfaces, Firewall: Interface Groups, and Firewall: IP Filters screens.

5.8.5 Network Address Translation

MNS-DX supports a variety of network address translation techniques including IP Masquerading, Port Forwarding, and static address and port translation rules. IP Masquerading and Port Forwarding are enabled as a single service. Static address and port translation rules can be used by themselves or in conjunction with the other two capabilities.

5.8.5.1 IP Masquerading

The purpose of IP Masquerading is to allow multiple hosts on an internal, private IP network to share a single address on an external, public IP network. When a packet is sent from an internal host to an external network, the packet source address is changed so that it looks like the packet was sent from the DX router.
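Returning to the TCP Connection Logging records of Section 5.8.4.2: the parser below, added as an example and not part of the guide, pairs each "established" record with the "ended" record for the same connection, reports the duration, and lists connections that never ended. The first two log lines are the guide's own; the rest of the excerpt, including one non-TCP record that the parser skips, is constructed.

```python
import re
from datetime import datetime

# One record in the guide's format:
# <pri>Mon DD HH:MM:SS YYYY logger TCP (src, sport) <-> (dst, dport) event.
RECORD = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<logger>[\d.]+) TCP \((?P<src>[\d.]+), (?P<sport>\d+)\) <-> "
    r"\((?P<dst>[\d.]+), (?P<dport>\d+)\) (?P<event>established|ended)\.$"
)


def parse_record(line):
    """Return the fields of one TCP connection record, or None for any other line."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S %Y")
    for field in ("pri", "sport", "dport"):
        rec[field] = int(rec[field])
    return rec


def summarize(log_text):
    """Pair each 'established' record with the 'ended' record for the same 4-tuple.

    Returns sessions in order of establishment.  duration is in seconds, or
    None when no 'ended' record was seen (still open when the log was read).
    An 'ended' with no matching 'established' is ignored.
    """
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["event"] == "established":
            session = {"src": rec["src"], "sport": rec["sport"],
                       "dst": rec["dst"], "dport": rec["dport"],
                       "start": rec["ts"], "duration": None}
            open_sessions[key] = session
            sessions.append(session)
        elif key in open_sessions:
            session = open_sessions.pop(key)
            session["duration"] = int((rec["ts"] - session["start"]).total_seconds())
    return sessions


def still_open(sessions):
    """Sessions with no 'ended' record: worth a look if they should be short-lived."""
    return [s for s in sessions if s["duration"] is None]


def to_service(sessions, port):
    """Sessions to one destination port, e.g. 23 for the terminal server above."""
    return [s for s in sessions if s["dport"] == port]


# Constructed log excerpt in the guide's record format.  The first two lines
# are the guide's own sample; the remaining lines are invented for this
# example, including one non-TCP record to show that other events are skipped.
SAMPLE_LOG = """\
<6>Nov 21 11:12:30 2007 192.168.1.101 TCP (192.168.1.42, 2688) <-> (192.168.3.98, 23) established.
<6>Nov 21 11:12:36 2007 192.168.1.101 TCP (192.168.1.42, 2688) <-> (192.168.3.98, 23) ended.
<6>Nov 21 11:15:02 2007 192.168.1.101 TCP (192.168.1.42, 2701) <-> (192.168.3.98, 23) established.
<5>Nov 21 11:15:10 2007 192.168.1.101 (constructed non-TCP event record)
<6>Nov 21 11:40:00 2007 192.168.1.101 TCP (192.168.1.77, 3300) <-> (192.168.3.50, 502) established.
<6>Nov 21 11:41:30 2007 192.168.1.101 TCP (192.168.1.77, 3300) <-> (192.168.3.50, 502) ended.
"""

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        state = "open" if s["duration"] is None else "%ds" % s["duration"]
        print("%s:%d -> %s:%d  %s" % (s["src"], s["sport"], s["dst"], s["dport"], state))
```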
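An added example (not GarrettCom code) of the filter-rule matching described in Section 5.8.4.3, applied to the rule from Figure 5-5: port lists use the guide's comma-and-hyphen syntax, and masks follow the guide's wording that set mask bits are wildcard positions while a missing mask requires an exact match. The FilterRule class, the packet dictionary layout, and the sample packets are this example's own assumptions.

```python
import ipaddress

PROTOCOLS = ("TCP", "UDP", "ICMP", "ESP", "AH")


def parse_port_list(text):
    """Parse the guide's port/ICMP-type list syntax, e.g. "22, 23, 10201-10204".

    Returns a set of ints; an empty string yields an empty set, meaning
    "no list given" (any port or type matches).
    """
    values = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            if lo > hi or lo < 0 or hi > 65535:
                raise ValueError("bad range %r" % item)
            values.update(range(lo, hi + 1))
        else:
            values.add(int(item))
    return values


def address_matches(rule_addr, rule_mask, packet_addr):
    """Address match with the mask semantics stated in Section 5.8.4.3.

    No address: anything matches.  No mask: exact match.  With a mask, the
    bit positions SET in the mask are wild cards, so only the cleared mask
    bits have to agree (with 255.255.0.0 only the last two octets are
    compared, which is what the guide's wording implies).
    """
    if rule_addr is None:
        return True
    want = int(ipaddress.IPv4Address(rule_addr))
    have = int(ipaddress.IPv4Address(packet_addr))
    if rule_mask is None:
        return want == have
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(rule_mask))
    return (want & care) == (have & care)


class FilterRule:
    """One filter rule; field names follow Section 5.8.4.3 (class is ours)."""

    def __init__(self, src=None, src_mask=None, dst=None, dst_mask=None,
                 protocol="TCP", direction="dest", ports=""):
        if protocol not in PROTOCOLS:
            raise ValueError("unsupported protocol %s" % protocol)
        if direction not in ("source", "dest"):
            raise ValueError("direction must be 'source' or 'dest'")
        self.src, self.src_mask = src, src_mask
        self.dst, self.dst_mask = dst, dst_mask
        self.protocol = protocol
        self.direction = direction            # which TCP/UDP port the list applies to
        self.values = parse_port_list(ports)  # ports, or ICMP types for ICMP

    def matches(self, pkt):
        """pkt is a dict: src, dst, protocol, and sport/dport or icmp_type."""
        if pkt["protocol"] != self.protocol:
            return False
        if not address_matches(self.src, self.src_mask, pkt["src"]):
            return False
        if not address_matches(self.dst, self.dst_mask, pkt["dst"]):
            return False
        if not self.values:
            return True                       # no port/type list: any value
        if self.protocol in ("TCP", "UDP"):
            value = pkt["sport"] if self.direction == "source" else pkt["dport"]
        elif self.protocol == "ICMP":
            value = pkt["icmp_type"]
        else:
            return True                       # ESP and AH carry no port list
        return value in self.values


def firewall_allows(rules, pkt):
    """On an interface with the firewall enabled, a packet passes only if some
    rule opens a hole for it; everything else is discarded (Section 5.8.4.1)."""
    return any(rule.matches(pkt) for rule in rules)


# The rule applied to E1 in Figure 5-5.
FIGURE_5_5_RULES = [
    FilterRule(src="10.1.0.2", src_mask="255.255.0.0",
               dst="10.2.0.2", dst_mask="255.255.0.0",
               protocol="TCP", direction="dest", ports="10201"),
]


def _pkt(src, dst, protocol="TCP", sport=40000, dport=10201):
    """Constructed packet summary for trying rules out."""
    return {"src": src, "dst": dst, "protocol": protocol,
            "sport": sport, "dport": dport}


if __name__ == "__main__":
    print("Host 1 -> Host 3:", firewall_allows(FIGURE_5_5_RULES, _pkt("10.1.0.2", "10.2.0.2")))
    print("Host 2 -> Host 3:", firewall_allows(FIGURE_5_5_RULES, _pkt("10.1.0.3", "10.2.0.2")))
```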
In addition, the source UDP/TCP port is translated, and this translation is remembered and associated with the original source address. When return traffic arrives on the public interface, the destination UDP/TCP port of the packet is used to look up the original address and port, and this information is substituted into the destination address and port fields of the packet before it is forwarded to the internal network. In MNS-DX, IP Masquerading functionality can only be enabled on a single public interface. To use masquerading, the NAT mode must be set to "Enabled" and the public interface must be selected on the Routing: NAT: Global Settings screen. Once the DX NAT mode is set to "Enabled", incoming IP packets are automatically filtered unless they are destined for the DX NAT’s public IP address.

5.8.5.2 Port Forwarding

Once the DX NAT mode has been set to "Enabled", attempts to reach private, internal hosts from the public network will be filtered. Port Forwarding enables the user to selectively allow access to internal hosts by making their network services appear to be reachable via UDP or TCP ports on the DX router. For each service that will be exposed to the external network in this way, the user must create a port forwarding rule. This rule maps an external TCP/UDP port on the DX router's public interface to an IP address and port pair that exists on the internal, private network. When a matching request packet is received on the public NAT interface, the private IP address and port are substituted for the packet's destination IP address and port and the packet is forwarded onto the private network. Before a matching response is forwarded onto the public network, the private IP address and port in the packet's source fields are replaced with the destination fields from the original request packet. This makes it appear to hosts on the public network as if the DX router is responding to the request.
5.8.5.3 Static Translations

In addition to IP Masquerading and Port Forwarding, the DX NAT supports the establishment of static translation rules. These rules are associated with a specific IP interface and perform a single, bi-directional address and port translation for matching packets. A static rule consists of an interface, a translation type, an original IP address and TCP/UDP port, and a translated IP address and TCP/UDP port. A translation type can be a straight address translation (NAT), an address and TCP port translation (NAPT-TCP), or an address and UDP port translation (NAPT-UDP). The original and translated port parameters are only used for NAPT-TCP and NAPT-UDP rules. If static NAT rules are defined for an interface, when a packet is received on that interface the rules are checked for a match, and if a match occurs a translation is executed.

For a NAT rule, a match occurs if the original IP in the rule matches the destination IP of the packet. Once a match is found, the destination IP is replaced with the translated IP defined by the rule. For a NAPT rule, a match occurs if the original IP and port in the rule match the destination IP and port of the packet. Once a match is found, the destination IP and port are replaced with the translated IP and port defined by the rule.

To properly support bi-directional packet flows, packets egressing the interface are also evaluated against the static NAT rules. For a NAT rule, a match occurs if the translated IP in the rule matches the source IP of the packet. Once a match is found, the source IP is replaced with the original IP defined by the rule. For a NAPT rule, a match occurs if the translated IP and port in the rule match the source IP and port of the packet. Once a match is found, the source IP and port are replaced with the original IP and port defined by the rule.
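An added example (not GarrettCom code) of the static NAT and NAPT rule evaluation just described, applied on ingress (destination rewritten) and on egress (source rewritten back). It assumes that a NAPT rule only matches packets of its own transport protocol and that rules are evaluated in configured order; the interface name, rules and addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

TRANSLATION_TYPES = ("NAT", "NAPT-TCP", "NAPT-UDP")


@dataclass(frozen=True)
class StaticRule:
    """A static translation rule with the fields listed in Section 5.8.5.3."""
    interface: str
    kind: str                               # one of TRANSLATION_TYPES
    original_ip: str
    translated_ip: str
    original_port: Optional[int] = None     # NAPT-TCP / NAPT-UDP only
    translated_port: Optional[int] = None   # NAPT-TCP / NAPT-UDP only

    def __post_init__(self):
        if self.kind not in TRANSLATION_TYPES:
            raise ValueError("unknown translation type %s" % self.kind)
        if self.kind != "NAT" and None in (self.original_port, self.translated_port):
            raise ValueError("%s rules need original and translated ports" % self.kind)

    @property
    def protocol(self):
        """Transport protocol a NAPT rule applies to; None for a plain NAT rule."""
        return {"NAPT-TCP": "TCP", "NAPT-UDP": "UDP"}.get(self.kind)


@dataclass(frozen=True)
class Packet:
    """Just the header fields the static rules look at (constructed layout)."""
    interface: str
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def apply_ingress(rules, pkt):
    """Packet received on pkt.interface: match on destination, rewrite destination.

    NAT:  original_ip == dst                      -> dst = translated_ip
    NAPT: original_ip:port == dst:dport (and the
          packet carries the rule's transport,
          an assumption of this example)         -> dst:dport = translated_ip:port
    The first matching rule wins (assumed evaluation order: as listed).
    """
    for rule in rules:
        if rule.interface != pkt.interface:
            continue
        if rule.kind == "NAT":
            if pkt.dst == rule.original_ip:
                return replace(pkt, dst=rule.translated_ip)
        elif (pkt.protocol == rule.protocol and pkt.dst == rule.original_ip
              and pkt.dport == rule.original_port):
            return replace(pkt, dst=rule.translated_ip, dport=rule.translated_port)
    return pkt


def apply_egress(rules, pkt):
    """Packet leaving pkt.interface: match on source, rewrite source back.

    NAT:  translated_ip == src            -> src = original_ip
    NAPT: translated_ip:port == src:sport -> src:sport = original_ip:port
    """
    for rule in rules:
        if rule.interface != pkt.interface:
            continue
        if rule.kind == "NAT":
            if pkt.src == rule.translated_ip:
                return replace(pkt, src=rule.original_ip)
        elif (pkt.protocol == rule.protocol and pkt.src == rule.translated_ip
              and pkt.sport == rule.translated_port):
            return replace(pkt, src=rule.original_ip, sport=rule.original_port)
    return pkt


# Constructed rules on a public interface "E1": expose the terminal server of
# Figure 5-5 (10.2.0.2, TCP 10201) behind the DX address 10.1.0.1, plus a plain
# one-to-one NAT for 10.1.0.5 <-> 10.2.0.5.
RULES = [
    StaticRule("E1", "NAPT-TCP", "10.1.0.1", "10.2.0.2", 10201, 10201),
    StaticRule("E1", "NAT", "10.1.0.5", "10.2.0.5"),
]


def round_trip(rules, request):
    """Translate a request inbound, then its reply outbound; return both packets."""
    inbound = apply_ingress(rules, request)
    reply = Packet(inbound.interface, inbound.protocol, inbound.dst, inbound.src,
                   inbound.dport, inbound.sport)
    return inbound, apply_egress(rules, reply)


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for a public client.
    for p in round_trip(RULES, Packet("E1", "TCP", "198.51.100.7", "10.1.0.1", 5000, 10201)):
        print(p)
```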
5.8.5.4 Firewall/NAT Interaction

If the Firewall and the NAT are enabled at the same time on an interface, it is important to understand the order in which these modules process packets. The following diagram describes the processing flow.

[Figure 5-7. Firewall/NAT processing flow: IP Input -> Firewall Processing (filtering) -> NAT Input Processing -> IP Forwarding Engine -> NAT Output Processing -> Firewall Processing (state generation) -> IP Output]

Because filtering runs before NAT input processing, ingress filter rules are evaluated against a packet's addresses and ports as received, before any translation; stateful firewall state is generated after NAT output processing has rewritten the outgoing packet.

5.8.6 RADIUS Support

MNS-DX supports remote user authentication by a RADIUS server. RADIUS is an authentication, authorization, and accounting (AAA) protocol defined in RFC 2865 and RFC 2866.

• Authentication – A RADIUS server receives requests for connections and checks that the username and password provided are authentic using a shared secret and one of two authentication schemes.
• Authorization – After successful authentication the RADIUS server authorizes the requesting user to begin a session on the system.
• Accounting – This RADIUS resource is not used by MNS-DX.

Use the RADIUS: Global Settings screen, described in Section 3.10.7.1, and the RADIUS: Servers screen, described in Section 3.10.7.2, to add RADIUS servers and to configure them.
5.8.7 DX-Series Cipher Support

The following list specifies the type of cipher supported by the DX-Series for each security purpose:

• Signing/Authentication – RSA
• Key Exchange – RSA
• Cryptographic Hashing – SHA1, MD5
• Encryption – DES, 3DES, RC4, AES

The DX-Series supports the following standard cipher suites:

• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_EXPORT_WITH_RC4_40_MD5
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA

The DX-Series also supports the following pre-defined cipher suite lists:

• ANY – all the cipher suites listed above
• ANY_STRONG – all cipher suites listed above that have a key size of at least 128 bits
• ANY_STRONG_SSL – all cipher suites listed above that are defined by the SSLv3 standard and have a key size of at least 128 bits
• ANY_STRONG_TLS – all cipher suites listed above that are defined by the TLSv1 standard and have a key size of at least 128 bits
• ANY_AES – all cipher suites that use AES128 or AES256 for encryption

MNS-DX always uses RSA public key cryptography and X.509 certificates for key exchange and peer authentication. The default cipher suite uses RSA public keys, 3DES encryption, and SHA1 hashing.

5.9 VPN

MNS-DX supports the creation of Virtual Private Networks (VPN) over a public network infrastructure using IPsec tunnels. You select one of the DX’s IP interfaces as its "public" interface. The remaining interfaces are considered to be "private" interfaces. Then, through the configuration of a security policy, an authenticated, encrypted tunnel can be established between two devices over a public IP network as shown in Figure 5-8.
Devices at Remote Site A can communicate securely with devices at Remote Site B by forwarding their traffic through the MagnumDX routers.

[Figure 5-8. An MNS-DX Virtual Private Network]

Although a DX router might only have a single "public" interface, multiple tunnels can be established on that interface to multiple endpoints. For example, in Figure 5-9, hos
ts at Remote Site A can communicate securely with hosts at both site B and site C.

[Figure 5-9. Multiple VPNs using MNS-DX]

5.9.1 Key Management

MNS-DX supports the automatic generation of shared encryption keys using a Group 1 or Group 2 Diffie-Hellman exchange as defined by the Internet Key Exchange (IKE) protocol (RFC 2409). Note that MNS-DX does not currently support Group 5. Perfect Forward Secrecy (PFS) is always enabled.

5.9.2 Peer Authentication

Peer authentication is achieved through the use of administratively configured pre-shared keys (PSK). If the PSKs configured on each end of the tunnel do not match, the tunnel will not be established. Certificate-based authentication is also supported.

5.9.3 Packet Integrity and Confidentiality

MNS-DX uses the Encapsulating Security Payload (ESP) protocol (RFC 2406) in tunnel mode to implement secure VPN functionality. When an IP packet is forwarded through a tunnel, it is encapsulated in a new packet having the structure shown in Figure 5-10. ESP encrypts and authenticates the entire content (header and payload) of the original IP packet, but it does not afford any protection to the new, outer IP header.

[Figure 5-10. Format of a Tunneled IP Packet: New IP Header | ESP Header | Original IP Header | Payload | ESP Trailer | ESP Auth. Encrypted span: Original IP Header, Payload and ESP Trailer. Authenticated span: ESP Header through ESP Trailer.]

5.9.4 Profiles

As defined in RFC 2401, MNS-DX VPN uses a Security Policy Database (SPD) to configure IPsec tunnels.
MNS-DX simplifies the management of the SPD by implementing the concept of a profile. Each profile is a labeled set of options that specifies cryptography and security protocol parameters such as encryption and hash algorithms, tunnel lifetimes, and the strength of Diffie-Hellman key exchanges. These profiles can then be assigned to new tunnels as they are created. MNS-DX is shipped with one or more default profiles that are likely to match common customer applications.

5.9.5 Tunnels

Configure an IPsec tunnel in MNS-DX by defining a source IP address (or subnet), a destination IP address (or subnet), a gateway IP address, a profile, and a pre-shared key. The source and destination IP addresses may be specified as an exact host address or as a subnet. When a non-IPsec packet is received, its source and destination IP addresses are matched against the source and destination IP addresses configured for the tunnel. If a match occurs, the software looks to see if an appropriate tunnel (that is, a security association as defined by the RFC) already exists. If not, IKE is used to establish the tunnel. Once a tunnel exists, the packet is encapsulated according to the parameters in the assigned profile and sent to the gateway address found in the matching entry. When an IPsec packet belonging to a valid tunnel is received, the packet is de-encapsulated and sent to its next hop as determined by the device's routing table.

5.9.6 IKE

In IPsec each tunnel is defined by a set of security associations (SA). Each SA defines a secure, unidirectional communication channel between two entities. The SAs are established via a two-phase process defined by the IKE protocol. During Phase 1 (in MNS-DX, this is a Main Mode exchange) the entities establish an initial secure channel. This exchange includes an authentication step that proves that each side knows a user-configured pre-shared key.
The encrypted, authenticated Phase 1 channel is then used for communication during Phase 2 (in MNS-DX, this is a Quick Mode exchange), where the entities establish the keys that are actually used to encrypt the traffic that flows through the tunnel.

5.9.6.1 Tunnel Lifetimes

MNS-DX allows the user to set the lifetime of a VPN tunnel. When the lifetime expires, the peers are forced to perform a new Phase 1 or Phase 2 exchange to refresh the keying material generated in that phase. In MNS-DX the configurable lifetime is the "soft" lifetime. When the "soft" lifetime expires, a Phase 1 or Phase 2 exchange is triggered. There is also a "hard" lifetime, which is defined to be 33% longer than the soft lifetime. When the "hard" lifetime expires, the keys for that phase are destroyed regardless of whether new keying material was generated after the "soft" lifetime expiration. This prevents a tunnel from staying up indefinitely.

5.9.7 Configuring a VPN

This section describes the minimum set of steps required to establish a VPN between two remote sites. One site might be an operations center while the other site could be a substation where SCADA devices are connected to a number of MagnumDX industrial routers, with one DX acting as a security gateway as shown in Figure 5-11.

[Figure 5-11. Example VPN Application]

Assume that the DX800s in Figure 5-11 have been configured with two IP interfaces. DX-1 acts as a security gateway for the Substation while DX-2 acts as a security gateway for the Operations Center. Substation nodes are configured to use 192.168.1.1 as their default gateway. Operations Center nodes are configured to use 192.168.2.1 as their default gateway. For this VPN application, the default profile is sufficient, so it is only necessary to add a tunnel configuration to each end.
On the Security: VPN: Tunnels screen on DX-1, the following entry would be added:

    Source Address:       192.168.1.0
    Source Mask:          255.255.255.0
    Destination Address:  192.168.2.0
    Destination Mask:     255.255.255.0
    Gateway:              207.65.151.201
    Profile:              Default
    Pre-shared Key:       itsasecret

On DX-2, the following entry would be added:

    Source Address:       192.168.2.0
    Source Mask:          255.255.255.0
    Destination Address:  192.168.1.0
    Destination Mask:     255.255.255.0
    Gateway:              65.31.232.158
    Profile:              Default
    Pre-shared Key:       itsasecret

Note: security associations are not established until a packet actually needs to be forwarded through the tunnel. At that time, the gateway that received the first packet destined for the tunnel will initiate an IKE exchange to set up the appropriate SAs.

5.10 SSH

MNS-DX provides security for CLI transactions with Secure SHell (SSH) technology. Typically a key has been generated at the factory so that your DX device is delivered with SSH enabled; that is, the SSH Server State value is “Running.” If the SSH Server State value is “No Key” you must run the keygen command in the CLI. Once a key has been generated, SSH can be enabled or disabled through the browser interface or through the CLI.

5.11 Modbus

Magnum DX supports client (master) and server (slave) modes of operation for the Modbus/TCP protocol as per the March 29, 1999 (Release 1.0) Open Modbus/TCP Specification written by Andy Swales of Schneider Electric.

5.11.1 Network Topologies

Figure 5-12 depicts an example Modbus/TCP network. Modbus devices (masters and slaves) are connected to MagnumDX industrial routers at the edge of the network. In addition, Modbus/TCP clients and servers may be connected directly to the IP network over an Ethernet link. The Modbus serial devices are connected to the DX units via RS-232 and/or RS-485 single or multidrop interfaces. The serial Modbus masters initiate requests to the slaves. These requests are encapsulated and forwarded by the Modbus/TCP client software to the appropriate Modbus/TCP server. At the server, the request is de-encapsulated, analyzed, and sent over the appropriate serial port to the serial Modbus slave. When the slave device responds, the response is encapsulated and sent back to the Modbus/TCP client, which in turn de-encapsulates and forwards the response to the Modbus master. Device tables are kept on each DX that describe the locally connected Modbus serial devices as well as how to reach each remote device.

Figure 5-12. Example MODBUS/TCP Network (figure: serial Modbus masters and slaves, devices 100, 101, 102, 110, 111 and 120, on RS-485 and RS-232 ports S1/S2 of DX units acting as Modbus/TCP clients and servers across an IP network)

5.11.2 Serial Protocol Variants

For serial data both the Modbus ASCII and the Modbus RTU protocol variants are supported. Modbus ASCII (depicted in Figure 5-13) uses ASCII message encoding with a longitudinal redundancy check (LRC). Each message begins with a ':' character and ends with a CRLF character sequence.

    Start (':') | Address (2 chars) | Function (2 chars) | Data (n chars) | LRC Check (2 chars) | End (CRLF)

Figure 5-13. Format of a Modbus ASCII Packet

Modbus RTU (depicted in Figure 5-14) uses binary message encoding with a cyclic redundancy check (CRC). Each message begins with a silent interval of at least 3.5 character times and ends with a similar silent interval.

    Start (silent interval T1-T2-T3-T4) | Address (8 bits) | Function (8 bits) | Data (n x 8 bits) | CRC Check (16 bits) | End (silent interval T1-T2-T3-T4)

Figure 5-14. Format of a Modbus RTU Packet

5.11.3 Network Protocol

The Modbus/TCP format (depicted in Figure 5-15) strips the message framing and LRC/CRC from the normal Modbus packet and prepends a Modbus/TCP header consisting of a 2-byte Transaction ID (set by the client and echoed by the server), a 2-byte Protocol ID (always 0-0), and a 2-byte length. The device address byte (now referred to as the unit identifier) and the function byte are preserved and are followed by a variable amount of data. This information is then delivered as the payload of a TCP/IP packet. The Modbus LRC/CRC is not included because it is redundant with the CRC provided by the link layer (that is, Ethernet).

    IP Header | TCP Header | Modbus/TCP Header: Transaction ID (Bytes 0-1), Protocol ID (Bytes 2-3), Length (Bytes 4-5) | Modbus Header: Unit ID (Byte 6), Function (Byte 7) | Modbus Data

Figure 5-15. Format of a Modbus/TCP Packet

5.11.4 Exception Handling

The Modbus/TCP client and server on MagnumDX can optionally generate and forward Modbus exception codes when certain communication or configuration failures occur. Specifically, the client will generate a GATEWAY PATH UNAVAILABLE exception message (exception code 0x0A) and pass it back to the master device if a remote address has not been configured for the destination device. The server will generate a similar message if a local device entry has not been configured for the destination device address. The message is sent to the client, which then forwards the exception to the Modbus master device. In addition, the server will generate a GATEWAY TARGET DEVICE FAILED TO RESPOND exception message (exception code 0x0B) when the destination device does not respond to a request within a user-configured interval. This message is sent to the client, which then forwards the exception to the Modbus master device.
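The framing conversion of Sections 5.11.2 and 5.11.3 and the exception PDUs of 5.11.4, as an added Python example (not GarrettCom's code): it builds and checks Modbus ASCII (LRC) and RTU (CRC-16) frames, strips the serial framing and prepends the Modbus/TCP header, and encodes the two gateway exceptions. The function names are hypothetical; the sample request (unit 1, function 3, four data bytes) is constructed for the example.

```python
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS (reflected polynomial 0xA001, initial value 0xFFFF) used by Modbus RTU."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check used by Modbus ASCII: two's complement of the byte sum."""
    return (-sum(data)) & 0xFF


def build_rtu(unit: int, function: int, data: bytes) -> bytes:
    """Address, function, data, then the CRC low byte first (the silent intervals are timing, not bytes)."""
    body = bytes([unit, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu(frame: bytes):
    """Return (unit, function, data); raise ValueError on a short frame or a CRC mismatch."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc != crc16_modbus(body):
        raise ValueError("RTU CRC mismatch")
    return body[0], body[1], body[2:]


def build_ascii(unit: int, function: int, data: bytes) -> bytes:
    """':' start, two hex characters per byte, two-character LRC, CRLF end."""
    body = bytes([unit, function]) + data
    return b":" + body.hex().upper().encode() + f"{lrc(body):02X}".encode() + b"\r\n"


def parse_ascii(frame: bytes):
    """Return (unit, function, data); raise ValueError on bad framing or an LRC mismatch."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("ASCII framing error")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, check = raw[:-1], raw[-1]
    if check != lrc(body):
        raise ValueError("ASCII LRC mismatch")
    return body[0], body[1], body[2:]


def to_modbus_tcp(transaction_id: int, unit: int, function: int, data: bytes) -> bytes:
    """Prepend the Modbus/TCP header: transaction id, protocol id 0, length of what follows
    (unit id + PDU). No LRC/CRC: the link layer's CRC covers the payload."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit) + pdu


def from_modbus_tcp(packet: bytes):
    """Return (transaction_id, unit, function, data); validate protocol id and length."""
    tid, proto, length, unit = struct.unpack(">HHHB", packet[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(packet) - 6:
        raise ValueError("length field does not match packet size")
    return tid, unit, packet[7], packet[8:]


def serial_to_tcp(frame: bytes, transaction_id: int) -> bytes:
    """Client-side gateway step: accept an RTU or ASCII frame from the serial master and
    produce the Modbus/TCP packet that is forwarded to the server."""
    unit, function, data = parse_ascii(frame) if frame.startswith(b":") else parse_rtu(frame)
    return to_modbus_tcp(transaction_id, unit, function, data)


def gateway_exception(function: int, code: int) -> bytes:
    """Exception PDU: the function code with bit 7 set, then the exception code
    (0x0A GATEWAY PATH UNAVAILABLE, 0x0B GATEWAY TARGET DEVICE FAILED TO RESPOND)."""
    return bytes([function | 0x80, code])


def rtu_frame_valid(frame: bytes) -> bool:
    """True when the RTU frame is well formed and its CRC checks out."""
    try:
        parse_rtu(frame)
        return True
    except ValueError:
        return False
```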
5.11.5 TCP Connection Handling

TCP connection handling performed by MagnumDX complies with the implementation guidelines spelled out in Appendix A of the Open Modbus/TCP Specification. When the Modbus/TCP client software receives a request from an attached serial Modbus master, it analyzes the packet and determines the destination device address. It checks to see if it already has an open TCP connection for the destination. If not, the client attempts to open a new TCP connection to the appropriate Modbus/TCP server. Once a connection is established the request message is sent and the client waits for a response. After the response is received it is forwarded back to the master.

After the transaction is complete the TCP connection remains open in anticipation of a subsequent request. If another request is not made within the user-configured idle time, the TCP connection is closed and will be re-opened when a new request is received. The client may also be configured so that it immediately makes a connection for a configured device and keeps that connection open indefinitely. This mode eliminates the latency associated with making the TCP connection for the initial request.

If a response is not received, the Modbus/TCP client will time out after a user-configured interval. After a timeout, the TCP connection is closed to eliminate the possibility of receiving an unexpected late response. In addition, the GATEWAY TARGET DEVICE FAILED TO RESPOND (exception code 0x0B) exception message is sent to the Modbus master, which can then make the decision on whether or not to retry. If the client is configured to hold connections open indefinitely, a new connection will be established with the remote server immediately following the timeout; otherwise, the client waits for the next Modbus request before re-opening the connection.
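The client-side connection rules above (open on demand, reuse, idle close, close-on-timeout with exception 0x0B, and the hold-open mode) as an added Python model that is not GarrettCom's code; time is passed in by the caller so the rules can be exercised offline, and the class, method and server-address values are hypothetical.

```python
from dataclasses import dataclass, field

GATEWAY_PATH_UNAVAILABLE = 0x0A
GATEWAY_TARGET_FAILED_TO_RESPOND = 0x0B


@dataclass
class ModbusTcpClientModel:
    """Event-driven model of the client-side rules in 5.11.4 and 5.11.5 (hypothetical; all
    times are seconds supplied by the caller, so no network is needed)."""
    remote_table: dict                # unit id -> Modbus/TCP server, e.g. "10.0.0.5:502"
    idle_time: float                  # seconds without a request before a connection is closed
    response_timeout: float           # seconds to wait for the slave's response
    persistent: bool = False          # open at configuration time and hold open indefinitely
    connections: dict = field(default_factory=dict)   # server -> time of last activity
    log: list = field(default_factory=list)           # open/close events, for inspection

    def __post_init__(self):
        # Hold-open mode connects to every configured server immediately.
        if self.persistent:
            for server in sorted(set(self.remote_table.values())):
                self._open(server, 0.0)

    def _open(self, server, now):
        if server not in self.connections:
            self.log.append(f"open {server}")
        self.connections[server] = now

    def _close(self, server, reason):
        if self.connections.pop(server, None) is not None:
            self.log.append(f"close {server} ({reason})")

    def expire_idle(self, now):
        """Close connections that saw no request within the idle time (never in hold-open mode)."""
        if self.persistent:
            return
        for server, last in list(self.connections.items()):
            if now - last >= self.idle_time:
                self._close(server, "idle")

    def request(self, unit, now, response_delay):
        """One request from the serial master at time `now`; response_delay is how long the
        slave takes to answer (None = never). Returns ('ok', server) or ('exception', code)."""
        self.expire_idle(now)
        server = self.remote_table.get(unit)
        if server is None:
            return ("exception", GATEWAY_PATH_UNAVAILABLE)   # no remote address configured
        self._open(server, now)                                # reused if already open
        if response_delay is None or response_delay > self.response_timeout:
            # Close so that a late response can never be taken for a later transaction.
            self._close(server, "timeout")
            if self.persistent:
                self._open(server, now + self.response_timeout)
            return ("exception", GATEWAY_TARGET_FAILED_TO_RESPOND)
        self.connections[server] = now + response_delay
        return ("ok", server)
```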
The Modbus/TCP server process always listens for connections on TCP port 502.

5.12 User Account Management

MNS-DX supports three separate user groups with different privileges:

5.12.1 User Groups

• Admin – An administrator can access all features.
• Read/Write – A read/write operator can access all features except the following web menu items (and any related CLI commands):
  • Administration / SNMP / *
  • Administration / Authentication / *
  • Administration / Sessions / *
  • Administration / Software Upgrade
  • Administration / Configuration / *
  • Administration / System Reboot
  • Events / Logs / Global Settings
  • Security / Keys
  • Security / Certificates
  • Security / RADIUS / *
• Read Only – A read-only operator can access all features that a read/write operator can access but does not have the ability to apply or save configuration settings.

Appendix A Terminal Server Application Notes

A.1 What is a Terminal Server?

A Terminal Server is a device or software application that can pass data between a standard serial protocol link and an IP-based network. The Terminal Server functionality of the MagnumDX Series provides a service that encapsulates asynchronous serial data in a TCP/IP stream. Service provisioning is flexible and allows a number of different configurations as described below.

A.1.1 Serial Protocol Standards

There are many techniques for passing serial binary data between two or more digital systems. A number of popular methods based on standards published by the ITU-T are commonly referred to as "serial" protocols. Two of the most popular of these interfaces are EIA-232 (also known as RS-232) and EIA-485 (also known as RS-485). Interfaces that support RS-232 (or some subset of the standard) are ubiquitous and found on nearly all personal computers. They also appear on many embedded computing devices where they are used to carry streaming data or provide access to a user console.

An RS-232 link provides full-duplex data and asymmetric control. One device on the link is defined as the DTE (Data Terminal Equipment) and the other device is defined as the DCE (Data Communications Equipment). Traditionally, a DTE was a computer system and a DCE was a communications device such as a modem. Handshaking signals provide for flow control as well as valid link detection. Data rates typically range from 150 bps to 115 Kbps over distances up to 10 meters.

Interfaces that support RS-485 are less common; however, this protocol has a number of advantages over RS-232. RS-485 can be configured as a 4-wire, full-duplex channel or a 2-wire, half-duplex channel. It may also be operated in point-to-point or multi-point topologies (RS-232 only supports point-to-point). Because the standard uses differential signaling over twisted pair, it can run over long distances, up to a kilometer. Maximum theoretical data transmission speeds are also higher than RS-232, up to 30 Mbps over short distances.

A.1.2 Networking Standards

Serial data transfer standards like RS-232 and RS-485 are generally insufficient for implementing modern digital communication networks. In the past, these networks have been constructed using a number of available technologies, but industrial applications are increasingly shifting toward running the Internet Protocol (IP) over Ethernet-based technologies. This enables the deployment of highly interoperable, reliable, and secure high-speed networks at extremely low cost. The IEEE is responsible for publishing standards related to Ethernet. A large body of such standards exists as IEEE 802.x. Data transfer rates range from 10 Mbps to 1000 Mbps depending on the physical layer technology employed. Distances can run up to 100 meters on twisted pair cables and for tens of kilometers using fiber optic transceivers.

A.2 Bridging the Gap between Serial and Network Communication

A Terminal Server is a device or software application that can pass data between a standard serial protocol link and an Ethernet-based network. Figure A-1 illustrates passing characters from an RS-232 port over a TCP/IP connection.

Figure A-1. Serial Over TCP/IP (figure: management host station and management stations, TCP/IP network, terminal server, RS-232 device/RTU; serial characters on the device side, TCP/IP packets on the network side)

Without a terminal server, the host system in Figure A-1 must connect to the DCE device over a serial cable. Some of the advantages of using a terminal server are:

1. The distance between the computer system and the end device is increased significantly. The effective maximum range of an RS-232 link is about 10 meters. With a terminal server, the computer system connects to the device over a network and the effective maximum range is limited only by the latency requirements of the communicating end systems.
2. Multiple computer systems can communicate with a single RS-232 device. This would be impossible using just an RS-232 link because it only operates in point-to-point topologies. The terminal server performs a multiplexing function that passes data from multiple endpoints over the single RS-232 link.
3. Connections between relatively large numbers of communicating end systems are supported over a common cabling infrastructure. Without a terminal server, limitations imposed by the RS-232/485 standards would likely require many dedicated lines between end systems.

A.3 Terminal Server Operation

The MagnumDX offers a terminal server function that transports serial characters over a TCP/IP network. A flexible set of connection options allows the user to configure each serial port for a different mode of operation. The terminal server functionality is organized into serial communication channels that may be added to or deleted from the system. Each channel is associated with a particular serial port and operates either in passive or active mode.

A.3.1 Passive Mode Channels

When a terminal server channel operates in passive (server) mode, it waits for incoming TCP connection requests. When a request is received it is accepted if the following criteria are met:

• the serial port operational state is UP
• the maximum number of incoming connections will not be exceeded

After a connection request is accepted, the TCP connection becomes active and serial data may be transmitted and received on the channel. A terminal server channel operates in passive mode if the “Call Direction” parameter is set to “IN”. The following configuration parameters also affect the operation of the port in passive mode:

• Local IP – the IP address at which the server listens for connections. If the system has only a single assigned IP address, this parameter defaults to the system IP address and cannot be changed. If the system has multiple assigned IP addresses, this parameter can be set to any of those addresses. In this case, the software will only accept connections destined for the configured IP address. The port will not be reachable using other IP addresses, even if they are assigned to the system.
• Local TCP – the TCP port at which the server listens for connections. The TCP port may be in the range 1000 to 65535. It is invalid to assign the same TCP port to multiple terminal server serial ports.
• Maximum Connections – the maximum number of incoming connections that will be accepted for the terminal server serial port. Up to 5 simultaneous incoming connections are supported per serial port.
A.3.2 Active Mode Channels

When a terminal server port operates in active (client) mode, it actively attempts to connect to a specified remote host whenever the serial port operational state is UP. After an outgoing connection request is accepted by the remote host, the TCP connection becomes active and serial data may be transmitted and received on the channel. A terminal server port operates in active mode if the “Call Direction” parameter is set to “OUT”. The following configuration parameters also affect the operation of the port in active mode:

• Local IP – the IP address to which the channel binds before making an outgoing connection. This is the address used in a transmitted packet's source address IP header field.
• Local TCP – the TCP port to which the channel binds before making an outgoing connection. The TCP port may be in the range 1000 to 65535. This is the port number used in a transmitted packet's source port TCP header field. It is invalid to assign the same TCP port to multiple terminal server channels. When a channel is configured in active mode, it is also valid to assign a value of '0' for the Local TCP port. This tells the system that it can select any unused port number as the local TCP port for this connection.
• Remote IP – the IP address to which the terminal server attempts to connect.
• Remote TCP – the TCP port to which the terminal server attempts to connect.
• Retry Time – when a connection attempt fails (for any reason), this is the minimum amount of time the terminal server will wait before retrying the attempt.

A.3.3 Mixed Mode

You can configure a terminal server port to operate in a mixed mode in which it simultaneously acts as both a passive server and an active client. This is accomplished by adding an "IN" channel as well as at least one "OUT" channel that uses the port. In general, this mode should be used with care. If you configure both sides of a connection with a mixed mode you can produce redundant TCP connections.

A.3.4 Session Type

Each terminal server port can be configured as a raw TCP connection or as a Telnet connection. Generally, the session type should be specified as raw (the default) unless you plan on connecting to the port using a telnet application. This may be appropriate in certain cases where you are accessing a device console port using the terminal server. Such a case is illustrated in Section A.4, “Application #1: Device Console Access”.

A.4 Application #1: Device Console Access

The terminal server is used to remotely access the console on an RTU using telnet.

Figure A-2. Device Console Access (figure: host system 192.168.1.42 across a TCP/IP network to a DX800 at 192.168.1.2, whose serial port S1 connects to the RTU; TCP/IP packets on the network side, serial characters on the RTU side)

The DX800 is configured as follows:

Figure A-3. Configuration for Device Console Access

Execute a telnet client application on the host system to open a connection to 192.168.1.2 on port 10201. If serial port S1 is UP and the terminal server is reachable by the host, a TCP connection will be established:

Figure A-4. TCP Connection Confirmed

A.5 Application #2: Serial-over-TCP/IP Tunnel

Two GarrettCom MagnumDX devices are used to connect a user's host system to an RTU console over a TCP/IP network. Specifically, a DX800 is configured to receive an active connection from a DX40.

Figure A-5. Serial-over-TCP/IP Tunnel (figure: host system on serial port S1 of a DX800 at 192.168.1.2; DX40 at 192.168.1.3 with the RTU on its serial port S1; the DX40 sends a connection request to 192.168.1.2 port 10201 from 192.168.1.3 across the TCP/IP network)

The DX800 is configured as illustrated in Figure A-6:

Figure A-6. DX800 Configured for Serial-over-TCP/IP Tunnel

The DX40 is configured as illustrated in Figure A-7:

Figure A-7. DX40 Configured for Serial-over-TCP/IP Tunnel

When serial port S1 is UP on each unit, a TCP connection is established between the two. Confirmation of the connection is illustrated in Figure A-8.

Figure A-8. TCP Connection Established

After the connection is established, the computer system acting as a terminal can communicate with the RTU through its local serial port.

NOTE: When creating a TCP/IP tunnel between two serial ports, you should always choose one node to be the client (the "OUT" channel) and the other to be the server (the "IN" channel). Configuring a client and a server for the port on each side will result in redundant TCP connections and each serial port will end up seeing "duplicate" characters.

A.6 Application #3: Multipoint SCADA

Three GarrettCom MagnumDX devices are used to connect three serial devices over a TCP/IP network. One of the serial devices is a SCADA master and the other two are slaves. The DX800 (connected to the master) is configured to make one active connection to each of the DX40s (each connected to one slave device).

Figure A-9. Multipoint SCADA

The DX800 is configured as illustrated in Figure A-10:

Figure A-10. DX800 Configured for Multipoint SCADA

The DX40s are configured as illustrated in Figure A-11:

Figure A-11. DX40s Configured for Multipoint SCADA

A.7 Using MNS-DX Secure Serial Ports

For a detailed discussion of serial port security see Section 5.8.2, “Serial Port Security”.
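The channel rules of A.3.1 through A.3.3 and the redundant-connection warning in the A.5 note, as an added Python configuration checker (not GarrettCom's software): Channel, validate_channels, mixed_mode_ports and tunnel_connections are hypothetical names, and the DX800/DX40 sample configuration reproduces Application #2 (DX800 at 192.168.1.2 accepting on S1 port 10201, DX40 at 192.168.1.3 dialing out from S1 with Local TCP 0).

```python
from dataclasses import dataclass


@dataclass
class Channel:
    """One terminal server channel (hypothetical model of the parameters in A.3.1 and A.3.2)."""
    port: str                  # serial port the channel is attached to, e.g. "S1"
    direction: str             # Call Direction: "IN" (passive/server) or "OUT" (active/client)
    local_ip: str
    local_tcp: int             # 1000-65535; 0 (any unused port) is allowed on OUT channels only
    remote_ip: str = ""        # OUT channels only
    remote_tcp: int = 0        # OUT channels only
    max_connections: int = 1   # IN channels only, at most 5 per serial port
    retry_time: int = 0        # OUT channels only


def validate_channels(channels, system_ips):
    """Return the configuration problems found, as strings; an empty list means the rules pass."""
    problems = []
    seen_tcp = set()
    for ch in channels:
        if ch.direction not in ("IN", "OUT"):
            problems.append(f"{ch.port}: Call Direction must be IN or OUT")
            continue
        if ch.local_ip not in system_ips:
            problems.append(f"{ch.port}: Local IP {ch.local_ip} is not assigned to this system")
        wildcard = ch.direction == "OUT" and ch.local_tcp == 0
        if not wildcard and not 1000 <= ch.local_tcp <= 65535:
            problems.append(f"{ch.port}: Local TCP {ch.local_tcp} is outside 1000-65535")
        if not wildcard:
            if ch.local_tcp in seen_tcp:
                problems.append(f"{ch.port}: Local TCP {ch.local_tcp} is assigned to more than one channel")
            seen_tcp.add(ch.local_tcp)
        if ch.direction == "IN" and not 1 <= ch.max_connections <= 5:
            problems.append(f"{ch.port}: Maximum Connections must be between 1 and 5")
        if ch.direction == "OUT" and not 1 <= ch.remote_tcp <= 65535:
            problems.append(f"{ch.port}: Remote TCP must be set on an OUT channel")
    return problems


def mixed_mode_ports(channels):
    """Serial ports running in mixed mode: an IN channel plus at least one OUT channel (A.3.3)."""
    directions = {}
    for ch in channels:
        directions.setdefault(ch.port, set()).add(ch.direction)
    return sorted(port for port, dirs in directions.items() if {"IN", "OUT"} <= dirs)


def tunnel_connections(unit_a, unit_b):
    """TCP connections that will come up between two units, as (port on A, port on B) pairs:
    each OUT channel whose Remote IP/TCP matches the other unit's IN channel Local IP/TCP.
    The same pair listed twice is the redundant-connection case the A.5 note warns about."""
    pairs = []
    for out_ch in (c for c in unit_a if c.direction == "OUT"):
        for in_ch in (c for c in unit_b if c.direction == "IN"):
            if (out_ch.remote_ip, out_ch.remote_tcp) == (in_ch.local_ip, in_ch.local_tcp):
                pairs.append((out_ch.port, in_ch.port))
    for out_ch in (c for c in unit_b if c.direction == "OUT"):
        for in_ch in (c for c in unit_a if c.direction == "IN"):
            if (out_ch.remote_ip, out_ch.remote_tcp) == (in_ch.local_ip, in_ch.local_tcp):
                pairs.append((in_ch.port, out_ch.port))
    return pairs


# Application #2 as configured in the guide (sample values constructed for this example).
DX800 = [Channel("S1", "IN", "192.168.1.2", 10201, max_connections=1)]
DX40 = [Channel("S1", "OUT", "192.168.1.3", 0, remote_ip="192.168.1.2", remote_tcp=10201)]

if __name__ == "__main__":
    print(validate_channels(DX800, {"192.168.1.2"}), validate_channels(DX40, {"192.168.1.3"}))
    print(tunnel_connections(DX800, DX40))   # [('S1', 'S1')]: exactly one tunnel
```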
A.8 Application #4: Serial-over-Secure-TCP Tunnel

Two GarrettCom MagnumDX devices are used to connect two serial devices over a TCP/IP network. This example is like Application #2 except that all of the serial data passing over the network is encrypted. In addition, the initial connection includes an SSL handshake that forces each side to authenticate using RSA keys and X.509 certificates. This setup not only prevents intruders from snooping on active serial sessions but it also prevents them from connecting to an open terminal server port and impersonating a host.

Figure A-12. Serial-over-Secure-TCP Tunnel (figure: serial terminal on port S1 of a DX800 at 192.168.1.2; DX40 at 192.168.1.3 with the RTU on its port S1; the DX40 sends a connection request to 192.168.1.2 port 10201 from 192.168.1.3 followed by an SSL handshake; serial data on the device sides, encrypted data across the TCP/IP network)

Both sides of the terminal server connection must be configured for SSL. SSL is configured on the DX800 for serial port S1 as shown in Figure A-13:

Figure A-13. DX800 Configured for Serial-over-SSL Tunnel

SSL is configured similarly on the DX40 for serial port S1, as shown in Figure A-14:

Figure A-14. DX40 Configured for Serial-over-SSL Tunnel

The basic terminal server parameters are configured as in Application #2. When serial port S1 is UP on each side the TCP connection is established, the SSL handshake is performed, and then encrypted serial data can be passed over the network as shown in Figure A-15:

Figure A-15. Serial-over-SSL Tunnel Connection

A.9 Troubleshooting Terminal Server SSL Connections

If a terminal server connection between two DX products cannot be established, use the table below to determine what is wrong.

Table A-2. Troubleshooting Terminal Server Connections

Example Symptom: Connection is not made and no events appear in the event log.
Problem: The local DX unit is not attempting to connect out.
Resolution: Verify that the serial port is enabled and in the UP operational state. A connection will not be attempted from a serial port that is DOWN or DISABLED. Note: Enabling a serial port and setting “Ignore DSS” to TRUE will force a serial port into the UP state.

Example Symptom: Event: "Serial port S1 reports that the host at 192.168.1.2 is unreachable" or Event: "Serial port S1 reports that the host at 192.168.1.2 is down"
Problem: The local DX unit attempted to connect to the remote unit but it was unreachable or the TCP port is not open.
Resolution: Verify that the remote unit is reachable by logging into the Command Line Interface (CLI) and using the ping command. Verify that the specified port is open/available on the remote unit by using a PC to telnet to the port. If the connection is refused, your remote unit is probably not configured properly.

Example Symptom: Event: "Serial port S1 reports that the connection to the host at 192.168.1.2 (10201) was refused"
Resolution: Verify that the operational state of the remote serial port is UP. A connection will not be accepted on a port that is in the DOWN or DISABLED state.

Example Symptom: Event: "Serial port S1 experienced a problem (unsupported protocol) while connecting to the host at 192.168.1.2 (10201)"
Problem: The SSL handshake could not complete because the peer is attempting to use a protocol that we do not support.
Resolution: Check your configuration. Make sure that both sides of the connection allow compatible cipher suites.

Example Symptom: Event: "Serial port S1 experienced a problem (no shared cipher) while connecting to the host at 192.168.1.2 (10201)"
Problem: The SSL handshake could not complete because no shared cipher was available.
Resolution: Check your configuration. Make sure that both sides of the connection allow compatible cipher suites.

Example Symptom: Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (certificate has expired)" or Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (certificate is not yet valid)"
Problem: The SSL handshake failed during certificate verification because the current day and time are not within the peer certificate's valid date range.
Resolution: Make sure your system's time and date are set properly. Check the certificate on the other system and make sure it has appropriate "notBefore" and "notAfter" dates.

Example Symptom: Event: "Serial port S1 received a notification (sslv3 alert certificate expired) from the host at 192.168.1.2 (10201)"
Problem: The SSL handshake failed during certificate verification because your certificate has expired.
Resolution: Make sure the other system’s time and date are set properly.

Example Symptom: Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (self signed certificate in certificate chain)"
Problem: The SSL handshake failed during certificate verification because an untrusted self-signed certificate was found in the chain.
Resolution: Make sure that you have installed the peer’s root CA certificate and have marked it as trusted.

Example Symptom: Event: “SSL: Message from peer on channel SX (tlsv1 alert unknown ca)”
Problem: The SSL handshake failed during certificate verification because you presented an un-trusted self-signed certificate in your certificate chain.
Resolution: Make sure that you are presenting a valid certificate chain (that is, each certificate in a valid chain is signed by the next certificate in the chain, except for the final certificate, which is a self-signed root CA certificate). Check your key file and make sure that the enclosed certificate file has appropriate “notBefore” and “notAfter” dates. Make sure that the other system has installed your CA’s certificate and marked it as trusted.

Appendix B Port and Type Reference

B.1 Well Known TCP/UDP Network Ports

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are members of the Internet Protocol Suite. They enable the transmission of data among networked computers by directing traffic to ports associated with specific functions. TCP is a connection-oriented protocol; that is, it creates an identified connection from client to server for the transmission of data. TCP provides a very reliable interface to a specified port. UDP is a simpler message-based connectionless protocol; that is, UDP simply sends a packet of data to a specified address and port. UDP does not provide the reliability of TCP but it can deliver data with less overhead.

Network port numbers are assigned to specific uses by the Internet Assigned Numbers Authority (IANA). Port numbers 0-1023 are called Well Known Ports and have standard uses, such as port 80 for HTTP traffic. Port numbers 1024-49151 are reserved for Registered Ports, and port numbers 49152-65535 are the dynamic ports which can be put to any use. (These are the ports called "Public" in Section 3.8.9.3, “NAT: Static Translations”.) Comprehensive lists of the conventional uses of all Well Known and Registered ports are available on the internet and in publications. Table B-1 is a partial list of official Well Known ports.
Table B-1. Well Known Ports

Port           Description
0/TCP,UDP      Reserved
1/TCP,UDP      TCPMUX (TCP port service multiplexer)
5/TCP,UDP      RJE (Remote Job Entry)
7/TCP,UDP      ECHO protocol
9/TCP,UDP      DISCARD protocol
13/TCP,UDP     DAYTIME protocol
17/TCP,UDP     QOTD (Quote of the Day) protocol
18/TCP,UDP     Message Send Protocol
19/TCP,UDP     CHARGEN (Character Generator) protocol
20/TCP,UDP     FTP - data port
21/TCP,UDP     FTP - control (command) port
22/TCP,UDP     SSH (Secure Shell)
23/TCP,UDP     Telnet protocol
25/TCP,UDP     SMTP
37/TCP,UDP     TIME protocol
38/TCP,UDP     Route Access Protocol
39/TCP,UDP     Resource Location Protocol
41/TCP,UDP     Graphics
42/TCP,UDP     Host Name Server
43/TCP         WHOIS protocol
49/TCP,UDP     TACACS Login Host protocol
53/TCP,UDP     DNS (Domain Name System)
67/UDP         BOOTP (BootStr
67/UDP         BOOTP (BootStrap Protocol) server; also used by DHCP (Dynamic Host Configuration Protocol)
68/UDP         BOOTP client; also used by DHCP
69/UDP         TFTP (Trivial File Transfer Protocol)
70/TCP         Gopher protocol
79/TCP         Finger protocol
80/TCP         HTTP (HyperText Transfer Protocol)
88/TCP         Kerberos - authenticating agent
110/TCP        POP3 (Post Office Protocol version 3)
113/TCP        ident
118/TCP,UDP    SQL Services
119/TCP        NNTP (Network News Transfer Protocol)
123/UDP        NTP (Network Time Protocol)
135/TCP,UDP    EPMAP / Microsoft RPC Locator Service
137/TCP,UDP    NetBIOS Name Service
138/TCP,UDP    NetBIOS Datagram Service
139/TCP,UDP    NetBIOS Session Service
143/TCP,UDP    IMAP4 (Internet Message Access Protocol 4)
156/TCP,UDP    SQL Service
161/TCP,UDP    SNMP (Simple Network Management Protocol)
162/TCP,UDP    SNMPTRAP
179/TCP        BGP (Border Gateway Protocol)
194/TCP        IRC (Internet Relay Chat)
213/TCP,UDP    IPX
369/TCP,UDP    Rpc2portmap
371/TCP,UDP    ClearCase albd
389/TCP,UDP    LDAP (Lightweight Directory Access Protocol)
401/TCP,UDP    UPS Uninterruptible Power Supply
427/TCP,UDP    SLP (Service Location Protocol)
443/TCP,UDP    HTTPS - HTTP Protocol over TLS/SSL (encrypted transmission)
445/TCP        Microsoft-DS (Active Directory, Windows shares, Sasser worm, Agobot, Zobotworm)
445/UDP        Microsoft-DS SMB file sharing
464/TCP,UDP    Kerberos Change/Set password
500/TCP,UDP    ISAKMP, IKE-Internet Key Exchange
514/UDP        syslog protocol
520/UDP        Routing - RIP
524/TCP,UDP    NCP (NetWare Core Protocol)
530/TCP,UDP    RPC
540/TCP        UUCP (Unix-to-Unix Copy Protocol)
542/TCP,UDP    commerce (Commerce Applications)
554/TCP,UDP    RTSP (Real Time Streaming Protocol)
563/TCP,UDP    NNTP protocol over TLS/SSL (NNTPS)
587/TCP        email message submission (SMTP) (RFC 2476)
591/TCP        FileMaker 6.0 Web Sharing (HTTP Alternate, see port 80)
593/TCP,UDP    HTTP RPC Ep Map
636/TCP,UDP    LDAP over SSL (encrypted transmission)
691/TCP        MS Exchange Routing
873/TCP        rsync File synchronization protocol
989/TCP,UDP    FTP Protocol (data) over TLS/SSL
990/TCP,UDP    FTP Protocol (control) over TLS/SSL
992/TCP,UDP    Telnet protocol over TLS/SSL
993/TCP        IMAP4 over SSL (encrypted transmission)
995/TCP        POP3 over SSL (encrypted transmission)

B.2 ICMP Types

The Internet Control Message Protocol (ICMP) is a core protocol of the Internet protocol suite. It is mainly used to send error messages. Unlike TCP and UDP, ICMP is usually not used by network applications (with the exception of the ping application). Table B-2 is a list of the ICMP types.

Table B-2. ICMP Types

Type       Description
0          Echo Reply
1          Unassigned
2          Unassigned
3          Destination Unreachable
4          Source Quench
5          Redirect
6          Alternate Host Address
7          Unassigned
8          Echo
9          Router Advertisement
10         Router Selection
11         Time Exceeded
12         Parameter Problem
13         Timestamp
14         Timestamp Reply
15         Information Request
16         Information Reply
17         Address Mask Request
18         Address Mask Reply
19         Reserved (for Security)
20-29      Reserved (for Robustness Experiment)
30         Traceroute
31         Datagram Conversion Error
32         Mobile Host Redirect
33         IPv6 Where-Are-You
34         IPv6 I-Am-Here
35         Mobile Registration Request
36         Mobile Registration Reply
37         Domain Name Request
38         Domain Name Reply
39         SKIP
40         Photuris
41-255     Reserved

Appendix C Frame Relay Provisioning

C.1 Introduction

The DX900 provides WAN port support. In provisioning a new WAN circuit it is helpful to make reference to the OSI 7 layer model. The sections that follow will guide you through the Frame Relay provisioning by configuring your DX device from the bottom up with respect to the OSI model:

1. The Physical Layer – Your software will automatically detect whether you have a DDS or a T1/E1 connection. You complete the physical layer configuration with the Port Settings screen, as described in Section C.2 and Section C.3.
2. The Data Link Layer – use the Frame Relay Configuration screen, described in Section C.4, to configure this layer.
3. The protocols handled in the network, transport, and other upper layers of the OSI model are addressed by configuring the screens documented in Section C.5.

Figure C-1 shows the lower OSI layers most relevant to Frame Relay provisioning.
Figure C-1. OSI Layers and the Frame Relay Provisioning
(Figure: Application – TCP/IP applications, Serial-FR applications; Transport – TCP; Network – IP; Data Link – Frame Relay; Physical – T1, DDS)

C.2 DDS Interface Configuration

If your DX device is supplied with a DDS interface the WAN: Port Settings screen will appear as illustrated in Figure C-2. DDS circuits are normally provided by a Telecom Service Provider. In most cases they run at 56 kilobits of bandwidth and the clocking is provided by the carrier. This interface has few options and is simple to configure.

Figure C-2. WAN Port DDS Port Settings Screen

The screen enables you to give a name to the WAN port circuit. This could be the actual circuit number, for example DDS-147658A12, or simply a name that is easy to remember, such as WAN1. Other options include the circuit speed (normally 56k), clock source (usually Received), and the option to administratively enable the port. Table C-1 provides detailed descriptions of the available options.

Table C-1. WAN: Port Settings (DDS)

Field Name     Field Value
Port ID:       Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.
Port Name:     A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.
Speed:         Specify the usable data rate of the interface. The following values may be selected:
               • 56k
               • 64k (Note that an MNS-DX DDS connection can operate at 64k only if the clock is remotely supplied.)
               Default value = 56k
Clock:         Specify the source for the data clock. The following values may be selected:
               • Local
               • Received
               Default value = Received
Admin Status:  Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:
               • Disabled (default)
               • Enabled
               Default value = Disabled

Some options are available to be used if the DDS circuit is part of a TDM network operated by the user rather than a "Carrier" leased circuit, or if the circuit is just a bare copper connection not terminated by any other equipment. When operating over a dedicated point-to-point link one unit is nominated to be the "clock source" or "Local" and the other end "clock receive" or "Received". It does not matter which end is which, so long as one is "Local" and the other "Received".

As soon as you have finished applying and saving your settings to the WAN: Port Settings screen you can check the status of the connection by going to the WAN: Port Status screen, illustrated in Figure C-3.

Figure C-3. WAN: Port Status - Line State OK

The Line State field should display OK. An incorrect Speed specification (56k or 64k) will not affect this initial status message. After you have completed Frame Relay Configuration (Section C.4) a Line State status other than OK may indicate a Speed configuration error. Table C-2 provides detailed descriptions of the possible status values.

Table C-2. WAN: Port Status

Field Name     Field Value
Port ID:       Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
Line State:    Possible values for DDS:
               • OK – The line has link and is functioning properly.
               • Rx Inactive – The receiver is inactive (possibly because it is being reset).
               • Loss of Sig – The signal has been lost or the signal has dropped more than 6dB.
               • Excess BPVs – Excessive occurrence of invalid Bipolar Violation events.
               • Data Idle – Receiving Data Mode Idle.
               • Cm Idle – Receiving Control Mode Idle.
               • Out of Service – Receiving Out of Service code.
               • Out of Frame – An error has been reported in the framing pattern.
               • DSU Loopback – The line is in local DSU loopback. (Looping back what this interface is trying to transmit. Diagnostic only.)
               • CSU Loopback – The line is in CSU loopback. (Looping back what is on the wire. Diagnostic only.)
               Possible values for T1/E1:
               • OK – The line has link and is functioning properly.
               • Carrier Loss – No signal received.
               • Blue Alarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm.
               • Loss of Sync – The line is not synchronized to the received data stream.
               • Yellow Alarm – Also known as a Remote Alarm Indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations.
               • Red Alarm – The incoming signal is corrupted (wrong frame type or errors in framing).
               • Loop Up – The line is looping back received data.
LMI State:     Possible values for the Local Management Interface (LMI) state are:
               • Disabled – The LMI has been disabled.
               • Down – The LMI is enabled but is down.
               • Up – The LMI has successfully established communication with its peer.
               • Suspend – The LMI has been suspended due to sequence number mismatches.
               • Resume – The LMI is resuming after being suspended. This is a transient state.
Rx Packets:    The number of packets received on this interface.
Rx Octets:     The number of bytes received on this interface.
Tx Packets:    The number of packets transmitted on this interface.
Tx Octets:     The number of bytes transmitted on this interface.
C.3 T1/E1 Interface Configuration

If your DX device is supplied with a T1/E1 interface the WAN: Port Settings screen will appear as illustrated in Figure C-4. T1 circuits are normally provided by a Telecom Service Provider. In most cases they run at 56 kilobits of bandwidth and the clocking is provided by the carrier. If you are managing a private network you can take advantage of the 64 kilobits speed option with T1. E1 circuits always run at 64 kilobits.

Figure C-4. WAN Port T1 Port Settings Screen

In a carrier-supplied T1/E1 connection the values for Timeslots, Frame Types, and Line Codes will be determined by the carrier. Table C-3 provides detailed descriptions of the available options.

Table C-3. WAN: Port Settings (T1/E1)

Field Name           Field Value
Port ID:             Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.
Port Name:           A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.
Timeslot Bandwidth:  Specify the usable data rate of the interface. The following values may be selected:
                     • 56k
                     • 64k
                     Default value = 56k
Clock:               Specify the source for the data clock. The following values may be selected:
                     • Local
                     • Received
                     Default value = Local
Admin Status:        Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:
                     • Disabled
                     • Enabled
                     Default value = Disabled
Mode:                The mode for this port. The following values may be selected:
                     • T1
                     • E1
                     Default value = T1
Time Slots:          Specify which available time slots are used by this port. Separate single slot numbers with commas and specify a range of slots with a hyphen. For example: 1,3, 5-6.
Frame Types:         The frame type for this port. For T1 mode the following values may be selected:
                     • ESF – Extended Super Framing format, consisting of 24 consecutive 193 bit frames.
                     • D4 – A framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.
                     For E1 mode the following values may be selected:
                     • FAS – Frame Alignment Signaling.
                     • CAS – Channel Associated Signaling. A method that “robs” some bits of each frame to transmit synchronization information.
Line Codes:          The line code for this port. For T1 mode the following values may be selected:
                     • AMI – Alternate Mark Inversion line coding.
                     • B8ZS – Bipolar With 8 Zero Substitution line coding.
                     For E1 mode the following values may be selected:
                     • AMI – Alternate Mark Inversion line coding.
                     • HDB3 – High Density Bipolar 3 line coding.

As soon as you have finished applying and saving your settings to the WAN: Port Settings screen you can check the status of the connection by going to the WAN: Port Status screen, illustrated in Figure C-3.

C.4 Frame Relay Configuration

Provisioning at the Frame Relay (OSI Data Link) layer is only required if you want to employ the Frame Relay Standard Link Management Protocol (LMI) as part of the overall application or if you want to use end-to-end fragmentation.

Figure C-5. WAN: Frame Relay Screen

C.4.1 The LMI Protocol

The Local Management Interface (LMI protocol) provides minimal management visibility into a Frame Relay connection between the DX900 and the other end of a local connection. It adds a "ping" type function across the local connection, that is, an LMI status of "Up" confirms a local connection, and it also provides local information about available Frame Relay PVC circuits (DLCIs).
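Before moving on to the Frame Relay layer, the Time Slots field of Table C-3 (Section C.3) deserves a closer look: it takes single slot numbers separated by commas and ranges written with a hyphen (for example 1,3, 5-6), and the usable rate of the port is the number of selected slots times the Timeslot Bandwidth (56k or 64k). The following is an added example, not MNS-DX code and not taken from the guide, that parses and validates that field and computes the resulting rate. The slot numbering it enforces (T1: slots 1-24; E1: slots 0-31, with slot 0 used for framing and slot 16 for CAS signalling) is standard T1/E1 usage assumed here; the guide itself does not state it.

```python
"""Parse and sanity-check the Time Slots field of the WAN: Port Settings (T1/E1) screen.

Added example, not MNS-DX code. The guide defines the field syntax and the
per-slot Timeslot Bandwidth of 56k or 64k. The slot numbering below is an
assumption based on standard T1/E1 usage.
"""
import re

SLOT_RANGE = {"T1": (1, 24), "E1": (0, 31)}       # assumption: standard DS0 numbering
E1_RESERVED = {"FAS": {0}, "CAS": {0, 16}}         # assumption: E1 slots that carry no payload
SLOT_BPS = {"56k": 56_000, "64k": 64_000}          # Timeslot Bandwidth values from Table C-3
TOKEN = re.compile(r"(\d+)(?:-(\d+))?")            # "5" or "5-6"


def parse_time_slots(spec, mode="T1", frame_type="ESF"):
    """Return the sorted list of slot numbers named by a Time Slots string.

    Raises ValueError for malformed tokens, reversed ranges, slots outside the
    mode's numbering, or E1 slots reserved by the selected frame type.
    """
    lo, hi = SLOT_RANGE[mode]
    reserved = E1_RESERVED.get(frame_type, set()) if mode == "E1" else set()
    slots = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue                               # tolerate "1,,3" and trailing commas
        m = TOKEN.fullmatch(token)
        if not m:
            raise ValueError(f"bad time-slot token {token!r}")
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        if first > last:
            raise ValueError(f"range {token!r} runs backwards")
        for slot in range(first, last + 1):
            if not lo <= slot <= hi:
                raise ValueError(f"slot {slot} is outside the {mode} range {lo}-{hi}")
            if slot in reserved:
                raise ValueError(f"slot {slot} is reserved for {frame_type} on E1")
            slots.add(slot)
    if not slots:
        raise ValueError("no time slots specified")
    return sorted(slots)


def is_valid_time_slots(spec, mode="T1", frame_type="ESF"):
    """Boolean form of parse_time_slots, convenient for form validation."""
    try:
        parse_time_slots(spec, mode, frame_type)
        return True
    except ValueError:
        return False


def port_bandwidth_bps(spec, mode="T1", timeslot_bandwidth="56k", frame_type="ESF"):
    """Usable rate of the port: number of selected slots times the per-slot rate.

    E1 circuits always run at 64k (Section C.3), so 56k is rejected in E1 mode.
    """
    if mode == "E1" and timeslot_bandwidth != "64k":
        raise ValueError("E1 time slots always run at 64k")
    return len(parse_time_slots(spec, mode, frame_type)) * SLOT_BPS[timeslot_bandwidth]


if __name__ == "__main__":
    print(parse_time_slots("1,3, 5-6"))                  # [1, 3, 5, 6]
    print(port_bandwidth_bps("1,3, 5-6"))                # 224000 (4 slots x 56k)
    print(is_valid_time_slots("1-30", "E1", "CAS"))      # False: slot 16 carries CAS signalling
```

A rejected string is the cheap way to catch the Speed or Time Slots mismatch that Section C.4 later reports as an LMI State other than Up; checking the slot list against the carrier's circuit order before applying settings avoids a round trip through the Port Status screen.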
Your configuration options in this screen are discussed in the following subsections and defined in Table C-4.

C.4.1.1 Fragmentation Size

The Frame Relay standard supports data fragmentation so that circuits that share this Frame Relay interface can have more consistent end-to-end response times. This is especially important when you have applications that have different message sizes. The type of fragmentation configurable in the Wide Area Network: Frame Relay screen is the End-to-End fragmentation defined in FRF.12. The fragmentation size applies to all configured IP DLCIs (RFC1490), but not to non-IP DLCIs (used for serial over Frame). Supported fragment sizes range from 8 to 1600 bytes. The default is no fragmentation.

C.4.1.2 LMI Types

For historical reasons the "standardization" of this protocol has resulted in three variants or "Types." In North America the original version (designated "LMI") is the most common, although the ANSI standard is also used. The CCITT type is the more frequently used outside North America. You must know the specific LMI type in use for a specific application and select it from the dropdown menu in the LMI column of the Wide Area Network: Frame Relay screen. Carrier-provided Frame Relay services typically require you to use the LMI protocol. In a private network there are probably better tools available to manage connections and you may choose to use one of them rather than LMI.

C.4.1.3 LMI Modes

The second part of the LMI protocol configuration is the specification of a Mode. The mode specification describes which peer-to-peer side of the protocol you want this DX900 to use. The end point of the Frame Relay network is usually defined as the "User." In most cases this will be the DX900 but in configurations employing a private network or bare copper circuit the DX900 may be designated "Network." As a rule of thumb: in a system using a carrier-provided Frame Relay service the DX900 should be selected as "User" and over a dedicated private wire system with two DX900's directly connected back-to-back select one end as "User" and the other end as "Network". The Network-to-Network (NNI) option would not be employed in any configuration considered in this document.

Table C-4. WAN: Frame Relay

Field Name           Field Value
Port ID:             Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.
Fragmentation Size:  The maximum bytes in a frame relay fragment. The default, 1600, is the maximum transmission unit (MTU) setting, plus frame relay overhead, for the DLCI IP interfaces. Clearing this field turns off end-to-end fragmentation. If fragmentation is not enabled the transmission of large IP packets on one Permanent Virtual Circuit (PVC) can obstruct traffic for other PVCs on the same line and significantly increase latency. MNS-DX supports end-to-end fragmentation only; that is, fragmentation is done at the packet's point of origin on the PVC and reassembly is done at the packet's termination point on the PVC, regardless of the number of links intervening.
LMI Type:            Specify the Local Management Interface (LMI) type. The following values may be selected:
                     • None
                     • LMI
                     • CCITT
                     • ANSI
                     Default value = None
LMI Mode:            Specify the Local Management Interface (LMI) mode. The following values may be selected:
                     • User
                     • Network
                     • NNI (Network to Network interface)
                     Default value = User

As soon as you have finished applying and saving your settings to the WAN: Frame Relay screen you can check the status of the connection by going to the WAN: Port Status screen, illustrated in Figure C-6.

Figure C-6. WAN: Port Status - LMI State UP
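The latency effect that Section C.4.1.1 and the Fragmentation Size entry of Table C-4 describe can be put in numbers. The following is an added example, not MNS-DX code and not taken from the guide: it splits an IP packet into FRF.12-style fragments of the configured size (8 to 1600 bytes, or none when the field is cleared) and computes how long a frame queued on another PVC waits behind that packet on a 56k line. It assumes a round-robin scheduler between PVC queues and ignores fragment and frame header overhead; the 1500-byte packet, the 64-byte frame and the 128-byte fragment size are constructed values.

```python
"""Effect of FRF.12 end-to-end fragmentation on a shared Frame Relay port.

Added example, not MNS-DX code. Without fragmentation a large IP packet on one
PVC holds the line until it has been serialized, so frames queued on other
PVCs wait; with a fragment size set, the port can interleave fragments with
other PVCs' frames. Assumptions: round-robin scheduling between PVC queues and
no header overhead.
"""
import math

FRAG_MIN, FRAG_MAX = 8, 1600        # supported fragment sizes (Section C.4.1.1)


def fragment(packet_bytes, frag_size=None):
    """Split one IP packet into fragment payload sizes.

    frag_size=None models a cleared Fragmentation Size field (no fragmentation).
    """
    if packet_bytes <= 0:
        raise ValueError("packet must carry at least one byte")
    if frag_size is None:
        return [packet_bytes]
    if not FRAG_MIN <= frag_size <= FRAG_MAX:
        raise ValueError(f"fragment size must be {FRAG_MIN}-{FRAG_MAX} bytes")
    count = math.ceil(packet_bytes / frag_size)
    last = packet_bytes - frag_size * (count - 1)
    return [frag_size] * (count - 1) + [last]


def serialization_ms(nbytes, link_bps):
    """Time to clock nbytes onto a link of link_bps bits per second."""
    return nbytes * 8 * 1000 / link_bps


def worst_case_wait_ms(packet_bytes, frag_size, link_bps):
    """Longest time another PVC's frame can be held behind this packet."""
    return serialization_ms(max(fragment(packet_bytes, frag_size)), link_bps)


def round_robin(queues):
    """Transmit order for PVC queues {name: [frame sizes]}: one frame per PVC per turn."""
    pending = {name: list(frames) for name, frames in queues.items()}
    order = []
    while any(pending.values()):
        for name, frames in pending.items():
            if frames:
                order.append((name, frames.pop(0)))
    return order


def first_frame_done_ms(order, link_bps, pvc):
    """Elapsed time at which the first frame of `pvc` has left the port."""
    elapsed = 0.0
    for name, size in order:
        elapsed += serialization_ms(size, link_bps)
        if name == pvc:
            return elapsed
    raise ValueError(f"no frames queued for {pvc}")


def compare(link_bps=56_000, big_packet=1500, small_frame=64, frag_size=128):
    """Constructed scenario: PVC A sends a 1500-byte packet, PVC B a 64-byte poll reply."""
    unfragmented = round_robin({"A": fragment(big_packet), "B": [small_frame]})
    fragmented = round_robin({"A": fragment(big_packet, frag_size), "B": [small_frame]})
    return {
        "B wait without fragmentation (ms)": first_frame_done_ms(unfragmented, link_bps, "B"),
        "B wait with fragmentation (ms)": first_frame_done_ms(fragmented, link_bps, "B"),
        "fragments for A": len(fragment(big_packet, frag_size)),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value}")
```

On a 56k line the 64-byte frame waits about 223 ms behind an unfragmented 1500-byte packet and about 27 ms when 128-byte fragments are interleaved; the price is 12 fragments instead of one frame, each carrying its own header on the wire, which is why the fragment size is a trade-off rather than "as small as possible".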
The LMI State field should display Up. If the LMI State is not Up check for the correct specification of Speed (DDS - Section C.2) or Time Slots (T1/E1 - Section C.3). Other status messages are detailed in Table C-2.

C.5 Provisioning Frame Relay Applications

The DX900 supports two applications over the Frame Relay WAN port:
• IP applications
• Serial Tunnel over FR

C.5.1 IP Applications

Configuring the WAN port for IP applications involves two configuration areas:
• Defining the DLCI to be used over the WAN port
• Configuring IP router-related items

C.5.1.1 DLCI Configuration

Configure the DLCIs using the Wide Area Network: DLCI Settings entry screen (Figure C-7).

Figure C-7. WAN: DLCI Settings

Specify a DLCI

Add a new entry by specifying a DLCI in the range 1-1022 (this would normally match the circuit number given to you by a Service Provider or defined within your organization) and mark the IP box "Yes" for IP applications.

Define a CIR

A Committed Information Rate (CIR) is a "Leaky Bucket" mechanism that controls how much of the overall WAN bandwidth this DLCI is allowed to use. The CIR is expressed in bits per second. This is useful in making sure one or more DLCIs cannot starve other DLCIs sharing the same WAN interface. If this parameter is left blank then the CIR is defined as the bandwidth of the WAN port physical settings.

As soon as you have finished applying and saving your settings to the WAN: DLCI Settings screen you can check the status of the connection by going to the WAN: DLCI Status screen, illustrated in Figure C-8.

Figure C-8. WAN: DLCI Status
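The CIR mechanism described under Define a CIR above, as an added example that is not MNS-DX code and not taken from the guide: each DLCI gets a token bucket refilled at its CIR in bits per second, a blank CIR defaults to the WAN port bandwidth, and the 1-1022 DLCI range is checked on entry. The bucket depth (one second's worth of CIR), the fixed 256-byte frame, the 224 kbit/s port and the three DLCIs with their offered loads are constructed assumptions; the port's own transmit queue is not modelled.

```python
"""Committed Information Rate (CIR) enforcement per DLCI on a shared WAN port.

Added example, not MNS-DX code. The guide only says a CIR is a "leaky bucket"
in bits per second that stops one DLCI starving the others, and that a blank
CIR means the WAN port's physical bandwidth. Bucket depth, frame size and the
traffic figures below are constructed assumptions.
"""

DLCI_MIN, DLCI_MAX = 1, 1022          # IP DLCI range from the DLCI Settings screen
FRAME_BYTES = 256                     # constructed: fixed frame size for the simulation


def is_valid_dlci(dlci):
    """True if the number is inside the 1-1022 range accepted by the Add DLCI form."""
    return DLCI_MIN <= dlci <= DLCI_MAX


class Dlci:
    """One PVC with a token bucket refilled at its CIR (bits per second)."""

    def __init__(self, dlci, port_bps, cir_bps=None):
        if not is_valid_dlci(dlci):
            raise ValueError(f"DLCI {dlci} outside {DLCI_MIN}-{DLCI_MAX}")
        # A blank CIR field means "the bandwidth of the WAN port physical settings".
        self.cir = port_bps if cir_bps is None else cir_bps
        if self.cir > port_bps:
            raise ValueError("CIR cannot exceed the WAN port bandwidth")
        self.dlci = dlci
        self.depth = self.cir              # assumption: burst allowance of one second at CIR
        self.tokens = self.depth           # bucket starts full
        self.sent_bits = 0
        self.dropped_frames = 0

    def refill(self, step_ms):
        """Add step_ms worth of CIR credit, capped at the bucket depth (integer maths)."""
        self.tokens = min(self.depth, self.tokens + self.cir * step_ms // 1000)

    def offer(self, frame_bytes):
        """Send the frame if the bucket holds enough credit, otherwise drop it."""
        bits = frame_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            self.sent_bits += bits
            return True
        self.dropped_frames += 1
        return False


def simulate(port_bps, dlcis, frames_per_step, duration_s=10, step_ms=100):
    """Offer a constant number of FRAME_BYTES frames per step to each DLCI.

    Returns {dlci: (bits delivered over the run, frames dropped)}.
    """
    for _ in range(duration_s * 1000 // step_ms):
        for d in dlcis.values():
            d.refill(step_ms)
        for num, d in dlcis.items():
            for _ in range(frames_per_step[num]):
                d.offer(FRAME_BYTES)
    return {num: (d.sent_bits, d.dropped_frames) for num, d in dlcis.items()}


def run_example():
    """Constructed scenario: a 224 kbit/s port (four 56k slots) shared by three DLCIs."""
    port_bps = 224_000
    dlcis = {
        16: Dlci(16, port_bps, cir_bps=61_440),   # polling host offering ~205 kbit/s
        17: Dlci(17, port_bps, cir_bps=61_440),   # well-behaved PVC offering ~41 kbit/s
        18: Dlci(18, port_bps),                   # CIR left blank: gets the port rate
    }
    frames_per_step = {16: 10, 17: 2, 18: 4}      # 2048-bit frames every 100 ms
    return simulate(port_bps, dlcis, frames_per_step)


if __name__ == "__main__":
    for num, (bits, dropped) in run_example().items():
        print(f"DLCI {num}: delivered {bits // 10} bit/s, dropped {dropped} frames")  # 10 s run
```

DLCI 16 is allowed an initial burst from its full bucket and is then held to about 61 kbit/s with the excess dropped, while DLCI 17 never loses a frame. Leaving every CIR blank would give all three DLCIs the full port rate, which is exactly the starvation case the CIR field exists to prevent.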
C.5.1.2 Configuring IP Router-Related Items

The primary router-related tasks to be completed are:
• Assignment of an IP address to the WAN port
• Selection of router discovery mechanisms: static or dynamic

After you have assigned a Frame Relay DLCI for IP applications the Routing: IP Addresses screen will display the WAN interface. (See Figure C-9.)

Figure C-9. Routing: IP Addresses - WAN Interface

Enter the IP address and subnet mask assigned to this interface and click Apply Settings. The specified address will then display in the Routing: Table screen (Figure C-10) as a Local connection.

Figure C-10. Routing: Table

The final step in routing configuration is to determine how the DX900 router functions can use this address and/or discover other IP addresses on the network. The options are:
1. Use a default (static) route that points to the "Next Hop" gateway.
2. Turn on automatic Routing discovery using Routing Information Protocol (RIP).

Static Routes / Default Gateway

To define a Static Route entry use the Routing: Static Routes screen to define a default gateway. A default gateway is a static route where the route destination is defined as 0.0.0.0 and Mask 0.0.0.0, representing any IP address. The next hop is the IP address at the other end of the Frame Relay connection; for example, 100.1.1.1 in the example above (not the local IP address, 100.1.1.2). If you wish to define specific destinations rather than a universal default, specify as many specific entries as required in the Add Static Route form, applying settings after each entry. Check the Routing: Table screen (Figure C-10) to confirm that each new route is present. Static entries will be shown as Management under the Protocol column.

Figure C-11. Routing: Static Routes
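The static-route rules above (a default gateway entered as destination 0.0.0.0 with mask 0.0.0.0, static entries shown as Management, and a next hop that is the far end of the Frame Relay connection rather than the local address) are shown below as an added example, not MNS-DX code and not taken from the guide: a small routing table with longest-prefix lookup. The guide gives 100.1.1.1 as the far end and 100.1.1.2 as the local address; the /24 mask on the WAN interface and the 10.2.0.0/16 destination are constructed.

```python
"""Static routes and longest-prefix lookup for the DX900 WAN interface.

Added example, not MNS-DX code. The Local route for the WAN interface address,
the 0.0.0.0/0.0.0.0 default gateway, the "Management" label on static entries
and the next-hop rule come from Section C.5.1.2; the masks and the extra
destination are constructed.
"""
import ipaddress


class RoutingTable:
    """Minimal model of the Routing: Table screen."""

    def __init__(self):
        self.routes = []            # (network, next_hop or None, protocol)
        self.local_addresses = []   # addresses configured on this DX900

    def add_local(self, interface):
        """Routing: IP Addresses entry, e.g. "100.1.1.2/24"; adds a Local route."""
        iface = ipaddress.ip_interface(interface)
        self.local_addresses.append(iface.ip)
        self.routes.append((iface.network, None, "Local"))

    def next_hop_problem(self, next_hop):
        """Why a next hop cannot be used, or None if it is acceptable."""
        hop = ipaddress.ip_address(next_hop)
        if hop in self.local_addresses:
            return "next hop is this device's own address"
        if not any(hop in net for net, _, proto in self.routes if proto == "Local"):
            return "next hop is not on any Local connection"
        return None

    def add_static(self, destination, mask, next_hop):
        """Add Static Route form: destination 0.0.0.0 with mask 0.0.0.0 is the default gateway."""
        problem = self.next_hop_problem(next_hop)
        if problem:
            raise ValueError(problem)
        net = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        self.routes.append((net, ipaddress.ip_address(next_hop), "Management"))

    def lookup(self, destination):
        """Longest-prefix match; the 0.0.0.0/0 default wins only when nothing else does."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        net, hop, proto = max(candidates, key=lambda r: r[0].prefixlen)
        return (str(net), None if hop is None else str(hop), proto)


def build_example():
    """Constructed table: WAN interface 100.1.1.2/24, far end of the PVC 100.1.1.1."""
    rt = RoutingTable()
    rt.add_local("100.1.1.2/24")
    rt.add_static("0.0.0.0", "0.0.0.0", "100.1.1.1")        # default gateway
    rt.add_static("10.2.0.0", "255.255.0.0", "100.1.1.1")   # a specific destination
    return rt


if __name__ == "__main__":
    table = build_example()
    for dst in ("100.1.1.7", "10.2.5.1", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
    print(table.next_hop_problem("100.1.1.2"))               # the local address is rejected
```

The next-hop check is the one worth copying into any provisioning script: a default route whose next hop is the DX900's own WAN address, or an address not covered by a Local entry, is accepted by nothing and silently blackholes traffic.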
Automated Routing Discovery Using RIP

An alternative to adding static routes is to use the automated Routing Information Protocol (RIP). This protocol has several MNS-DX settings, including:
• RIP – RIP version 1
• RIP-II – RIP version 2 with subnet broadcast (uses the subnet broadcast address)
• RIP-II multi – RIP version 2 with multicast
• RIP-II Local – RIP version 2 with local broadcast (uses the local broadcast address; sometimes needed for compatibility with older devices)

RIP is disabled by default. Configure this protocol on the DX900 from the Routing: RIP screen (Figure C-12). This screen also allows you to advertise or not advertise the presence of a default gateway within the RIP message and to change the generic RIP timers.

Figure C-12. Routing: RIP: Global Settings Screen

After you have defined RIP Global Settings you must go to the Routing: RIP: Interface Settings screen (Figure C-13) to enable the settings on each of the IP interfaces.

Figure C-13. Routing: RIP: Interface Settings Screen

After you have enabled RIP you can check the Routing: Table screen for discovered routes. Figure C-14 provides an example.

Figure C-14. Routing: Table Screen - RIP Example

At this point IP applications should be able to use the WAN interface. Issue the ping command from the DX900 Command Line Interface to check the accessibility of other devices.

C.5.2 Serial Tunnel over FR (Direct to Frame) Applications

The second application the DX900 supports over the WAN port is the ability to take asynchronous data streams from the local serial ports and encapsulate, or "tunnel," the stream through a Frame Relay (WAN) connection without the IP application. Once again there are a couple of steps to take:
• Define additional DLCI circuits.
• Map DLCI circuits to Serial Ports.

C.5.2.1 Define Additional DLCIs
In the Wide Area Network: DLCI Settings screens use the Add DLCI form to:
1. Specify additional DLCI circuits in the range 16-991.
2. Specify an appropriate CIR for each new DLCI.
3. Set the value in the IP field to No for each new DLCI.
4. Click Apply Settings after completing each set of specifications.

Figure C-15 illustrates the Wide Area Network: DLCI Settings screen with three new DLCIs added for serial applications.

Figure C-15. WAN: DLCI Settings - Direct to Frame Example

The DLCI circuit numbers should be configured to match the circuit numbers provided by the Frame Relay service provider or, in Point-to-Point applications, to match the circuit numbers at the distant end. Check the DLCI status by viewing the Wide Area Network: DLCI Status screen. (See Figure C-16.)

Figure C-16. WAN: DLCI Status - Direct to Frame Example

C.5.2.2 Map DLCI Circuits to Serial Ports

The next step is to map these new DLCIs directly to serial ports using the Add New Channel form of the Serial: Frame Relay: Channel Settings screen (Figure C-17). For each new entry:
1. Match a Serial Port ID with the appropriate DLCI Circuit ID.
2. Select Default or Expedited priority. (See Table 3-54.)
3. Set Payload Offset to Yes or No. To interoperate with GarrettCom DynaStar DS products this value should be set to Yes.

Figure C-17. Serial: Frame Relay: Channel Settings Screen - Direct to Frame Example

You can view the status of these connections in the Frame Relay: Channel Status screen (Figure C-18).

Figure C-18. WAN: DLCI Status - Direct to Frame Example

Table C-5 describes the values you can view in the Serial: Frame Relay: Connections screen.

Table C-5. Frame Relay: Connections
Field Name    Field Value
Port ID:      A unique identifier for the serial port associated with this channel.
Circuit ID:   A unique identifier for the DLCI to which the serial port is connected. In most cases, the identifier includes the WAN port and the DLCI on that port.
TxOctets:     The number of serial characters transmitted over the frame relay for the given port.
RxOctets:     The number of serial characters received over the frame relay for the given port.
TxDrops:      The number of frames to be transmitted on the DLCI that were dropped because they could not be buffered at the WAN port.
RxDrops:      The number of frames received on the DLCI that were dropped because they could not be buffered at the serial port.

Appendix D Third Party Licenses

This appendix contains the texts of required licenses for third party software.

D.1 GNU LESSER GENERAL PUBLIC LICENSE

Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price.
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder.
Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) 
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. Magnum Network Software - DX Administrator’s Guide 386 APPENDIX D - Third Party Licenses 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: "a) The modified work must itself be a software library. "b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. "c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. 
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License.
If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.

c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.

e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.

b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.
If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Libraries

If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License).

To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

one line to give the library's name and an idea of what it does.
Copyright (C) year name of author

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Glossary

This glossary contains brief explanations of acronyms and other terms used in this manual.

3DES: Triple Data Encryption Standard (DES). A more secure version of the DES standard in which data is encrypted three times.
802.1p: An IEEE standard that provides Quality of Service (QoS) at the layer 2 level.
AES: Advanced Encryption Standard. A NIST-standard cryptographic cipher that uses a block length of 128 bits and key lengths of 128, 192 or 256 bits.
ANSI: American National Standards Institute.
ARP: Address Resolution Protocol. Enables discovery of a device’s MAC address when only its IP address is known.
AS: Autonomous System. A set of routers under a single technical administration with an apparently coherent interior routing plan.
ASCII: American Standard Code for Information Interchange.
BGP: Border Gateway Protocol. A protocol for routing traffic between autonomous systems (AS).
BPV: Bipolar violation.
BPDU: Bridge Protocol Data Units. Message units that carry the Spanning Tree Protocol information.
CBT: Core Based Trees. One of the communications protocols of the Internet Protocol Suite. Builds and maintains a shared delivery tree for a multicast group.
CCITT: Comité consultatif international téléphonique et télégraphique. An institution to coordinate telecommunication standards. Although the CCITT acronym is still widely used, the institution has been known since 1992 as the ITU Telecommunication Standardization Sector (ITU-T).
CHAP: Challenge-Handshake Authentication Protocol. A method of authentication of remote clients used by Point to Point Protocol (PPP) servers and based on a shared secret.
CIDR: Classless Inter-Domain Routing. A CIDR address is written with a forward slash preceding a suffix indicating the number of bits in the prefix length, such as 192.168.0.0/16.
CIR: Committed Information Rate. A guaranteed data rate negotiated with a carrier.
CFX: Configuration XML File.
CRC: Cyclic Redundancy Check. A method of detecting errors in transmitted data.
CTS: Clear-to-Send. On an RS-232 interface, a DCE’s signal granting a DTE permission to transmit.
DCD: Data Carrier Detect. On an RS-232 interface, a DCE’s signal that a connection has been established.
DCE: Data Communications Equipment. Typically a communication device such as a modem. In an RS-232 link a DCE communicates with a DTE.
DDS: Digital Data Service. A private line digital service from carriers other than AT&T.
DES: Data Encryption Standard. A NIST-standard cryptographic cipher that uses a 56-bit key.
DHCP: Dynamic Host Configuration Protocol.
DiffServ: DIFFerentiated SERVices. A type of Quality of Service (QoS) functionality.
DLCI: Data Link Connection Identifier. An identifying number for a private or switched virtual circuit in a frame relay network.
DPD: Dead Peer Detection. A method of determining that an IKE peer (that is, a networked server) is inoperative.
DSA: Digital Signature Algorithm. A United States Federal Government standard for verifying digital signatures.
DSCP: Differentiated Services Code Point. A value in the DiffServ portion of an IP packet header used for classification purposes.
DSR/DTR: Data Set Ready/Data Terminal Ready. RS-232 handshake signals sent from the modem to the terminal (DSR) or from the terminal to the modem (DTR) indicating readiness to accept data.
DTE: Data Terminal Equipment. Typically a computer system. In an RS-232 link a DTE communicates with a DCE.
DTR: See DSR/DTR.
E1: See T1/E1.
EGP: Exterior Gateway Protocol. An internet routing protocol.
ESP: Encapsulating Security Payload. An IPSec header extension for supporting security services.
FCS: Frame Check Sequence. Extra characters added to a frame for error detection and correction.
FEFI: Far End Fault Indication. A feature of optical ports that detects an unresponsive link and shuts down transmission from the port.
GGP: Gateway to Gateway Protocol. One of the communications protocols of the Internet Protocol Suite. Used mainly for routing datagrams.
HMI: Human Machine Interface. The device that enables a person to monitor and control a machine. Typically the HMI is a computer.
HTTP: HyperText Transfer Protocol.
ICMP: The Internet Control Message Protocol. One of the communications protocols of the Internet Protocol Suite. Chiefly used to convey error messages.
IDRP: Inter-Domain Routing Protocol.
IED: Intelligent Electronic Device. A microprocessor-based device that controls power system equipment such as circuit breakers and voltage regulators.
IEEE: Institute of Electrical and Electronics Engineers.
IGP: Interior Gateway Protocols. A set of routing protocols used within a system.
IGMP: Internet Group Management Protocol. One of the communications protocols of the Internet Protocol Suite. Used to manage membership in multicast groups.
IKE: Internet Key Exchange. The protocol used to set up a Security Association in the IPsec protocol suite.
IP: Internet Protocol.
IPCP: Internet Protocol Control Protocol. Responsible for configuring, enabling, and disabling the IP protocol modules on both ends of a Point-to-Point link.
IPIP: IP in IP encapsulation. One of the communications protocols of the Internet Protocol Suite. Encloses an inner IP header with an outer header for tunneling.
ISO-IP: ISO Internetworking Protocol. A network layer protocol in an OSI network.
ITU-T: See CCITT.
LAN: Local Area Network. A computer network covering a small geographic area, like a home, office, or group of buildings. Compare to WAN.
LCP: Link Control Protocol. A part of the Point-to-Point Protocol by which communicating devices exchange LCP packets to determine standards of transmission.
LMI: Local Management Interface. A signaling standard used between routers and frame relay switches.
LRC: Longitudinal Redundancy Check. A method of detecting errors in transmitted data.
LSA: Link State Advertisement. An OSPF data structure that describes a portion of an OSPF network.
LSC: Last Schema Change.
MAC: Media Access Control. A MAC address is a unique identifier attached to most forms of networking equipment.
MD5: Message-Digest algorithm 5. A common cryptographic hash function.
MIB: Management Information Base. A database used by SNMP to manage devices such as switches and routers in a network.
Modbus: A communications protocol using master/slave architecture. A commonly available means of connecting industrial electronic devices.
NAPT: See NAT.
NAT: Network Address Port Translation. A method of using a single public IP address to provide internet access to multiple private IP addresses.
NNI: Network to Network Interface.
NSSA: Not So Stubby Area. An OSPF area with a limited ability to import external routes and transmit them to the OSPF backbone.
OSPF: Open Shortest Path First. A routing protocol to determine the best path for traffic over a TCP/IP network.
PAP: Password Authentication Protocol. An authentication protocol using unencrypted ASCII passwords over a network.
Path Cost: A Spanning Tree parameter that measures how close bridges are to one another. It takes into account the bandwidth of the links between bridges.
PEM: Privacy Enhanced Mail file format. A standard for secure e-mail on the Internet.
PFS: Perfect Forward Secrecy. A property of public key cryptography whereby the compromise of one key does not lead to the compromise of any other keys.
PoE: Power over Ethernet. A technology for delivering power (along with data) to remote devices over the twisted pair cabling of an Ethernet network.
PPP: Point-to-Point Protocol. A data link protocol to establish a direct connection between two networking nodes, commonly used for modem dial-up connections.
PVC: Permanent Virtual Circuit. A point-to-point connection that is established before its first use and maintained regardless of the level of activity.
PVID: Port VID. A user configurable parameter that associates a native VLAN with a port. Each port is assigned exactly one PVID. By default, each port is assigned PVID 1.
QoS: Quality of Service. Technology and techniques, such as prioritization, to ensure the predictable handling of specified kinds of traffic.
RADIUS: Remote Authentication Dial-In User Service. An AAA (authentication, authorization and accounting) protocol using a challenge/response method for authentication.
RC4: A stream cipher commonly used with SSL and in wireless networks.
RIB: Routing Information Base. A database on a BGP router that accumulates information about routes to reachable destinations.
RIP: Routing Information Protocol. An Interior Gateway Protocol (IGP) routing protocol used on internal networks. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.
RS-232: A popular standard for passing serial binary data point-to-point between digital systems. Also known as EIA-232. Compare to RS-485.
RS-485: A standard for passing serial data in point-to-point or multipoint configurations among digital data systems. Also known as EIA-485. Less common but more versatile than RS-232.
RSA: Rivest-Shamir-Adleman key. A two-part key. The private key is kept by the owner; the public key is published.
RSTP: Rapid Spanning Tree Protocol. RSTP is a protocol that prevents loops in bridged LAN environments. It also provides for fast recovery from link failures. This product supports RSTP as specified in IEEE 802.1D (2004).
RSVP: Resource reSerVation Protocol. One of the communications protocols of the Internet Protocol Suite. Used to support Quality of Service (QoS) flows.
RTS/CTS: Request to Send/Clear to Send. RS-232 flow control signals sent by transmitting stations (RTS) and receiving stations (CTS).
RTU: Remote Terminal Unit. A device that collects data from data acquisition equipment and sends it to the main system over a network.
SA: Security Association. In IPSec an SA defines a secure, unidirectional communication channel between two entities.
SADB: Security Association Database. An IPSec database containing security information specific to particular connections. Compare to SPD.
SCADA: Supervisory Control And Data Acquisition. A process control application that collects data from networked devices.
SFP: Small Form-factor Pluggable Transceiver. A full-duplex serial interface converter that converts electrical signals to optical signals to run over fiber.
SHA-1: Secure Hash Algorithm 1. A common cryptographic hash function.
SNMP: Simple Network Management Protocol. A network monitoring and control protocol.
SNTP: Simple Network Time Protocol.
SONET: Synchronous Optical Networking. A multiplexing protocol for use over optical fiber.
SPD: Security Policies Database. An IPSec database containing security policies general to the device. Compare to SADB.
SPI: Security Parameters Index. A value added to the header in IPSec tunneling that identifies a session and its encryption properties.
SSH: Secure SHell. A network protocol using public key cryptography to provide secure remote login.
SSL: Secure Sockets Layer. A cryptographic protocol that creates a secure data transfer session over a standard TCP connection.
Station Cache: A database maintained by the Ethernet bridge that tracks MAC addresses of stations on the network and the ports associated with them.
Syslog: A protocol for sending event messages over an IP network to remote servers called "event message collectors."
T1/E1: T1 is a widely-used T-carrier telecommunications standard capable of transmitting 1.544 Mbits/second. The T1 designation is used in North America. The analogous system outside of North America is called E1.
TCP: Transmission Control Protocol.
TLS: Transport Layer Security.
UDP: User Datagram Protocol. One of the communications protocols of the Internet Protocol Suite. Replaces TCP when a reliable delivery is not required.
URL: Uniform Resource Locator.
VID: VLAN Identifier.
VLAN: Virtual Local Area Network. A logical subgroup within a local area network that is created with software rather than by physically manipulating cables.
VRRP: Virtual Router Redundancy Protocol. A protocol for specifying a backup router to be used in case of failure of a master router.
WAN: Wide Area Network. A computer network that crosses metropolitan, regional, or national boundaries. Compare to LAN.
WFQ: Weighted Fair Queueing. A packet scheduling technique that enables several data flows to use the same link.
X.509: An X.509 certificate is a message that contains an entity's credentials. Information such as the entity's name, organization, and contact information is included.
XML: eXtensible Markup Language.
XON/XOFF: A software flow control protocol in which a receiver sends an XOFF character to a transmitter to signal that it is unable to receive data and an XON character to signal that it is able to receive data.

INDEX

Symbols
802.1p 173

A
access port 99
Address Resolution Protocol, See ARP
addresses
  IP 135, 308
  MAC 29, 84, 87
Administration Tasks screens 28 to 62
  Authentication
    Accounts 50
    Files 52
    Policies 47
  Change Password 54
  Configuration
    Defaults 61
    Files 60
  Sessions
    Active Logins 53
    Policies 53
  SNMP
    Global Settings 37
    Management Stations 39
    Statistics 43
    Trap Stations 40
    Users 41
  SNTP
    Global Settings 34
    Servers 35
  Software Upgrade 55
  System Information 28
  Reset 62
  Status 29
  Time Persistence 33
  Time and Date 30
  Zone and DST 31
aging interval 85
alarm CLI command 213
alarms 72, 213
  actions 73
  port settings 72
ARP table 140
auth CLI command 214
authentication 47, 214

B
BGP
  global settings 152, 153
  profiles 154
  RIB 157
  statistics 158
  status 155
BPDU 312
bridge CLI command 221
bridges
  RSTP settings 90
  status 93

C
CA 178, 222, 323
cert CLI command 222
certificate
  files 324
  X.509 323
Certificate Authority, See CA
certificates 177, 222
channels 108, 110
cipher support 335
CIR 128, 377
CLI 184, 205
  commands
    alarm 213
    auth 214
    bridge 221
    cert 222
    config 223
    dhcp 224
    ethernet 227
    exit 209
    firewall 230
    fr 233
    help 209
    ip 218, 236, 270, 289
    log 238
    logout 209
    modbus 239
    monitor 241
    nat 246
    ospf 249
    password 256
    ping 256
    ppp 257
    qos 259
    radius 263
    reboot 209
    revert 209
    rip 266
    rstp 268
    save 209
    serial 272
    session 274
    snmp 275
    sntp 278
    ssh 280
    sw 281
    syslog 286
    system 287
    terminal 288
    ts 291
    vlan 293
    vpn 295
    vrrp 298
    wan 299
    web 301
    whoami 209
  navigation 208
code points 171
collectors, syslog 71
command line interface, See CLI
config CLI command 223
configuration files 60
connection
  DDS 121, 368
  frame relay 115
  Modbus 120, 240
  PPP 132
  T1/E1 122, 371
  terminal server 112
cost style 90, 314
cryptography 177, 320, 321

D
Data Link Channel Identifier, See DLCI
date and time 30
daylight saving time 31
DDS connection 121, 368
Dead Peer Detection, See DPD
decryption 177, 320, 321
defaults, restoring 61
dhcp CLI command 224
DHCP server 224, 309
  dynamic addresses 168, 224
  host parameters 166, 224
  leases 169, 224
  static addresses 167, 224
DiffServ 171, 306
digital signatures 323
DLCI 303, 376
DPD 197, 296
DSCP 171
Dynamic Host Configuration Protocol, See DHCP

E
E1/T1 connection 122, 371
edge ports 91, 313, 315
encryption 177, 320, 321
ethernet CLI command 227
Ethernet ports
  priorities 174
  security 179
Ethernet Tasks screens 74 to 99
  Bridge
    Global Settings 85
    Port Settings 86
    Static MACs 87
    Station Cache 88
  Ports
    Extended Statistics 78
    Mirroring 81
    Rate Limits 82
    Settings 74
    Status 76
    Summary Statistics 77
  RSTP
    Bridge Settings 90
    Bridge Status 93
    Port Settings 91
    Port Status 94
  VLAN
    Global Settings 96
    Port Settings 98
    VIDs 97
events 63
Events Tasks screens 63 to 71
  Alarms
    Actions 73
    Port Settings 72
  Logs
    Files 69
    Global Settings 67
  Syslog
    Collectors 71
    Global Settings 70
exit CLI command 209

F
filtering 316
firewall 186, 329
firewall CLI command 230
forward delay 90, 313, 314
fr CLI command 233
Frame Relay 233, 303
  channel settings 113
  connections 115
  provisioning 367

G
gateway, specifying default 138, 379

H
hello time 90, 313, 314
help CLI command 209
http/https 183

I
ICMP 189, 191, 364
IKE 338
Internet Key Exchange, See IKE
IP addresses 308
ip CLI command 218, 236, 270, 289
IP firewall, See firewall
IP flow priorities 175
IP masquerading 162, 333
IPSec 194, 295

K
key
  files 324
  public 323

L
leases 169
LMI 127, 374
locked out? 180, 229
log CLI command 238
logged events 63
logout CLI command 209

M
MAC addresses 29, 84
masquerading 162, 333
maximum age 90, 313, 314
Media Access Control addresses, See MAC addresses
MIB 310
mirroring 81
Modbus 116, 239, 340
  connections 120, 240
  local masters 116, 239
  local slaves 117, 239
  remote slaves 119, 240
modbus CLI command 239
monitor CLI command 241
monitor, protocol 205

N
NAPT, See NAT
NAT 161
  global settings 162, 246
  port forwarding 163, 246
  static translation 164, 246
nat CLI command 246
Network Address Translation, See NAT
networking standards 345

O
OSPF 144, 249
  area aggregates 149
  area settings 146
  global settings 144
  interface profiles 148
  interface settings 147
  neighbor status 150
ospf CLI commands 249

P
password
  administrator 54
  user 51
password CLI command 256
PEM 177, 322, 324
ping CLI command 256
point ports 91, 313, 315
point-to-point links 91, 313, 315
policies
  authentication 47
  sessions 53
port forwarding
  NAT 163
  SSH 184, 280
ports
  access 99
  configuring
    alarm 72, 73
    Ethernet 74
    RSTP 91, 315
    serial 100, 104, 318
    VLAN 98, 316
  Ethernet 174
  Ethernet security 179
  rate limits 82
  RSTP 313
  trunk 99
PPP
  connections 132
  profiles 130
  statistics 134
  status 133
ppp CLI command 257
PPP Tasks screens
  Connections 132
  Profiles 130
  Statistics 134
  Status 133
priorities 174
priority queues 305
Privacy Enhanced Mail, See PEM
protocol
  monitor 205
  standards 345
public key cryptography 323

Q
QoS 171, 304
qos CLI command 259
QoS Tasks screens 171 to 176
  802.1p 173
  Diffserv 171
  Ethernet Port 174
  IP Flows 175
Quality of Service, See QoS
queues, priority 305

R
RADIUS 191, 263, 335
radius CLI command 263
rate limits, ports 82
reboot CLI command 209
resetting the system 62
revert CLI command 209
RIB 157
RIP 309, 380
  global settings 141
  interface settings 143
rip CLI command 266
Routing Information Protocol, See RIP
routing table 139
Routing Tasks screens 135 to 170
  ARP Table 140
  BGP
    Global Settings 152, 153
    Profiles 154
    RIB 157
    Statistics 158
    Status 155
  DHCP Server
    Dynamic Addresses 168
    Host Parameters 166
    Leases 169
    Static Addresses 167
  IP Addresses 135
  NAT
    Global Settings 162
    Port Forwarding 163
    Static Translations 164
  OSPF
    Area Aggregates 149
    Area Settings 146
    Global Settings 144
    Interface Settings 147
    Interface Profiles 148
    Neighbor Status 150
  RIP
    Global Settings 141
    Interface Settings 143
  Static Routes 137
  Table 139
  VRRP
    Groups 159
    Status 160
RSA 321, 322, 323, 335
RSTP 90, 310
  screens 90 to 95
    Bridge Settings 90
    Bridge Status 93
    Port Settings 91
    Port Status 94
rstp CLI command 268
RSTP: Port Settings 315

S
save CLI command 209
SCADA 353
Secure Shell, See SSH
security 177, 183, 320, 321
Security Tasks screens 177 to 202
  Certificates
    CAs 178
    Local 177
  CLI 184
  Ethernet Port 179
  Firewall
    Interface Groups 187
    IP Filters 188
    IP Interfaces 186
    Stateful IP Filters 190
  RADIUS
    Global Settings 192
    Servers 193
  Serial/SSL 181
  VPN
    Authentication 198
    Details 201
    Global Settings 195
    Profiles 196
    Status 200
    Tunnels 199
  Web Server 183
serial CLI command 272
serial ports 100, 318
Serial Tasks screens 100 to 121
  Frame Relay
    Channel Settings 113
    Connections 115
  Modbus
    Connections 120
    Local Masters 116
    Local Slaves 117
    Remote Slaves 119
  Ports
    Profiles 100
    Settings 104
    Statistics 106
    Status 105
  Terminal Server
    Channel Settings 108
    Channel Status 110
    Connections 112
Index T servers RADIUS 193 SNTP 35 terminal 108 sessiion CLI command 274 sessions 53 sftp 206 signatures, digital 323 Simple Network Management Protocol, See SNMP SNMP 309 screens 37 to 47 snmp CLI command 275 SNTP 34, 278 sntp CLI command 278 software, upgrading 55, 281 SSH 184, 340 ssh CLI command 280 SSH port forwarding 184, 280 SSL 181, 321, 355 to 359 Stateful IP FIlters 190 station cache 88 status BGP 155 DLCI 129 Ethernet ports 76 PPP 133 RSTP bridge 93 RSTP port 94 serial ports 105 system 29 terminal server channel 110 VPN 200 VRRP 160 WAN port 124 sw CLI command 281 syslog 70, 286 collectors 71 defined 70 syslog CLI command 286 system CLI command 287 system reset 62 T1/E1 connection 122, 371 tagging 99, 316 TCP 109, 112, 189, 361 TCP/IP 112 terminal CLI command 288 terminal server 108, 291, 345 time and date 30 time zones 31 traps, SNMP 40, 310 trunk port 99 ts CLI command 291 tunnels 199, 338, 381 U UDP 189, 361 unlocking 180, 217, 229 upgrading software 55, 281 user accounts 50, 344 user definition file 52, 217 V Virtual Router Redundancy Protocol, See VRRP VLAN and serial ports 318 screens 96 to 99 Global Settings 96 Port Settings 98 VIDs 97 vlan CLI command 293 VPN 194, 295, 336 vpn CLI command 295 VRRP 159 groups 159 status 160 vrrp CLI command 298 Magnum Network Software - DX Administrator’s Guide 405 Index W WAN DLCI settings 128, 303 DLCI status 129, 303 Frame Relay 126, 373 Frame Relay provisioning 367 port settings 121, 122, 303 port status 124, 303, 369 wan CLI command 299 WAN Tasks screens 121 to 129 DLCI Settings 128 DLCI Status 129 Frame Relay 126 Port Settings 121, 122 Port Status 124 web CLI command 301 web server security 183 whoami CLI command 209 X X.509 certificate 323 Magnum Network Software - DX Administrator’s Guide 406