RAD Data Communications SecFlow-1 Installation And Operations Manual - Limited Warranty

Manual is about: Ruggedized SCADA-Aware Router Gateway

Summary of SecFlow-1

  • Page 1

    Secflow-1 ruggedized scada-aware router gateway version 4.00ca installation and operation manual.

  • Page 3: Secflow-1

    Secflow-1 ruggedized scada-aware router gateway version 4.00ca installation and operation manual notice this manual contains information that is proprietary to rad data communications ltd. ("rad"). No part of this publication may be reproduced in any form whatsoever without prior written approval by...

  • Page 4: Limited Warranty

    Front matter installation and operation manual ii secflow-1 limited warranty rad warrants to distributor that the hardware in the secflow-1 to be delivered hereunder shall be free of defects in material and workmanship under normal use and service for a period of twelve (12) months following the dat...

  • Page 5: Safety Symbols

    Installation and operation manual front matter secflow-1 iii general safety instructions the following instructions serve as a general guide for the safe installation and operation of telecommunications products. Additional instructions, if applicable, are included inside the manual. Safety symbols ...

  • Page 6

    Front matter installation and operation manual iv secflow-1 handling energized products general safety practices do not touch or tamper with the power supply when the power cord is connected. Line voltages may be present inside certain products even when the power switch (if installed) is in the off...

  • Page 7

    Installation and operation manual front matter secflow-1 v the maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16a (20a for usa and canada). The circuit breaker in the building installation should have high breaking capacity and must op...

  • Page 8

    Front matter installation and operation manual vi secflow-1 when using shielded or coaxial cables, verify that there is a good ground connection at both ends. The grounding and bonding of the ground connections should comply with the local codes. The telecommunication wiring in the building may be d...

  • Page 9: Fcc-15 User Information

    Installation and operation manual front matter secflow-1 vii fcc-15 user information this equipment has been tested and found to comply with the limits of the class a digital device, pursuant to part 15 of the fcc rules. These limits are designed to provide reasonable protection against harmful inte...

  • Page 10: Product Disposal

    Front matter installation and operation manual viii secflow-1 Français: product disposal. In order to facilitate reuse, recycling and other forms of recovery of discarded equipment as part of environmental protection, the owner is asked to...

  • Page 11

    Installation and operation manual front matter secflow-1 ix Français: some products may be equipped with a laser diode. In such cases, a label indicating the laser class as well as other warnings, where applicable, will be attached near the optical transmitter. The warning symbol...

  • Page 12

    Front matter installation and operation manual x secflow-1 Français: mains power connection. Make sure that the electrical installation complies with local regulations. Always connect the mains plug to a wall socket fitted with a protective earth terminal. The...

  • Page 13: Contents

    Secflow-1 i contents chapter 1. Introduction 1.1 overview .............................................................................................................................. 1-1 product options ..................................................................................................

  • Page 14

    Table of contents installation and operation manual ii secflow-1 chapter 3. Operation 3.1 turning on the unit ............................................................................................................. 3-1 3.2 indicators ................................................................

  • Page 15

    Installation and operation manual table of contents secflow-1 iii interface assignment rules ................................................................................................ 6-1 ip interface id .............................................................................................

  • Page 16

    Table of contents installation and operation manual iv secflow-1 modbus gateway commands hierarchy ........................................................................... 6-33 modbus gateway commands description......................................................................... 6-35 exampl...

  • Page 17

    Installation and operation manual table of contents secflow-1 v terminal server commands hierarchy .............................................................................. 8-22 terminal server commands ...............................................................................................

  • Page 18

    Table of contents installation and operation manual vi secflow-1 chapter 10. Administration 10.1 operation system version .................................................................................................. 10-1 commands hierarchy ..........................................................

  • Page 19: Chapter 1

    Secflow-1 overview 1-1 chapter 1 introduction 1.1 overview the secflow-1 service-aware industrial ethernet routers combine a ruggedized ethernet platform with a unique application-aware processing engine. As an industrial ethernet router the secflow-1 provides a strong ethernet and ip features set w...

  • Page 20

    Chapter 1 introduction installation and operation manual 1-2 overview secflow-1 dual-sim cellular modem rs-232 (t.Server) hub dnp3 & t.Client com s4 232 (tunneling) secflow-2 dnp.3 eth rs-232 (tunneling) s1 s2 spoke video camera psn switch switch secflow-1 mgre2 ipsec mgre 1 ipsec fo fo figure 1-1. ...

  • Page 21

    Installation and operation manual chapter 1 introduction secflow-1 physical description 1-3 secflow-1 can be set to perform static or dynamic routing using: • ipv4 (internet protocol version 4) • ospf (open shortest path first) v2 • nat • auto crossing • auto negotiation per ieee 802.3ab • vlan tagg...

  • Page 22

    Chapter 1 introduction installation and operation manual 1-4 functional description secflow-1 figure 1-2. 3d view of secflow-1 1.3 functional description this section provides a functional description of the secflow-1 system. Depending on the ordering option, secflow-1 may include the following ethe...

  • Page 23

    Installation and operation manual chapter 1 introduction secflow-1 functional description 1-5 figure 1-3. Secflow-1 block diagram table 1-1 displays the supported feature sets and the corresponding configuration environment. Table 1-1. Configuration environments and corresponding features applicatio...

  • Page 24

    Chapter 1 introduction installation and operation manual 1-6 technical specifications secflow-1 cellular uplink secflow-1 has an integrated cellular modem. The cellular uplink transfers traffic from the device to a remote hub. 1.4 technical specifications ethernet interface number of ports one 10/10...

  • Page 25: Chapter 2

    Secflow-1 safety information 2-1 chapter 2 installation and setup this chapter provides installation instructions for the secflow-1 systems including: • general description of the equipment enclosure and its panels. • mechanical and electrical installation instructions. After the system is installed...

  • Page 26

    Chapter 2 installation and setup installation and operation manual 2-2 safety information secflow-1 secflow-1 includes class 1 lasers. For your safety: • do not look directly into the optical connectors while the unit is operating. The laser beams are invisible. • do not attempt to adjust the laser ...

  • Page 27

    Installation and operation manual chapter 2 installation and setup secflow-1 package contents 2-3 2.2 site requirements and prerequisites before connecting this product to a power source, make sure to read the handling energized products section at the beginning of this manual. Secflow-1 does not ha...

  • Page 28

    Chapter 2 installation and setup installation and operation manual 2-4 mounting secflow-1 secflow-1 2.4 required equipment hand tools and kits secflow-1 needs no special tools for installation. You need a screwdriver to mount the unit in a 19-inch rack or on a wall. Cables rs- 232 serial cable secfl...

  • Page 29

    Installation and operation manual chapter 2 installation and setup secflow-1 mounting secflow-1 2-5 mounting for din rail these mounting instructions assume that a standard din rail has been previously installed. If one has not then use the installation instructions that come with the din rail to mo...

  • Page 30

    Chapter 2 installation and setup installation and operation manual 2-6 connecting secflow-1 secflow-1 2.6 connecting secflow-1 inside the secflow-1 housing are the power supply module, main processing unit, io interface modules and cellular modem. The secflow-1 external connectors are located on its...

  • Page 31

    Installation and operation manual chapter 2 installation and setup secflow-1 connecting to power 2-7 protective earth: the marked lug or terminal should be connected to the building protective earth bus. 2.7 connecting to power the secflow-1 body must be grounded before power connection. A good grou...

  • Page 32

    Chapter 2 installation and setup installation and operation manual 2-8 connecting to a terminal secflow-1 8. Connect the leads to an external dc power source (color code the wiring according to local standards to ensure that the input power and ground lines are easily distinguished). 9. Turn on the ...

  • Page 33

    Installation and operation manual chapter 2 installation and setup secflow-1 connecting to user equipment 2-9 table 2-3. Console port pinout device side pc side rj-45 pinout db-9 pinout tod rx (input) 1 cts 8 cli rx (input) 2 dsr 6 cli tx (output) 3 rxd 2 gnd 4 gnd 5 gnd 5 gnd 5 cli rx (input) 6 txd 3...

  • Page 34

    Chapter 2 installation and setup installation and operation manual 2-10 connecting to user equipment secflow-1 table 2-4. Secflow-2 serial user port pinout line rj-45 connector pin dcd 2 tx 6 rx 5 dsr 1 gnd 4 dtr 3 cts 7 rts 8 to connect to serial equipment: • connect the rj-45 serial port to serial...

  • Page 35

    Installation and operation manual chapter 2 installation and setup secflow-1 connecting to user equipment 2-11 4. Isolate the exposed terminal screws/wire leads using a plastic sleeve or insulating tape to avoid a short-circuit. Cable labeling keep your data and power cables organized and clearly la...

  • Page 36

    Chapter 2 installation and setup installation and operation manual 2-12 connecting to user equipment secflow-1.

  • Page 37: Chapter 3

    Secflow-1 indicators 3-1 chapter 3 operation 3.1 turning on the unit when turning on secflow-1, it is useful to monitor the power-up sequence. Secflow-1 does not have a power on/off switch, and will start operating as soon as power is applied. To turn on secflow-1: 1. Connect the secflow-1 to power ...

  • Page 38

    Chapter 3 operation installation and operation manual 3-2 startup secflow-1 interface status meaning serial 1-2 act led off yellow (blinking) no traffic traffic eth 1 link led off green port administratively disable or no link connected to it enabled link acting eth 1 act led off yellow (blinking) p...

  • Page 39

    Installation and operation manual chapter 3 operation secflow-1 startup 3-3 configuration database user configuration takes effect immediately upon entering. No specific commit command is required. Use commit command to save configuration changes and make them available after system reboot. User can...

  • Page 40

    Chapter 3 operation installation and operation manual 3-4 startup secflow-1 db export {remote-host } [filename ] show disk info reboot the system following new os image activation. Os upgrade example this example demonstrates how to upgrade the secflow-1 os image file and export the data base. Figur...

  • Page 41

    Installation and operation manual chapter 3 operation secflow-1 safe mode 3-5 6. Download the os image file from the tftp server. Command syntax: secflow-1# os-image download download tftp://aa.Bb.Cc.Dd/file_name example: os-image download download-sw tftp://172.18.212.240/rf_1031_4.0.02.09.Tar 7. F...

  • Page 42

    Chapter 3 operation installation and operation manual 3-6 safe mode secflow-1 the second safe mode can be activated using the following prompt: ########################## for safe mode press 's'... ########################## the screenshot below displays the safe mode menus and their options for: • ...

  • Page 44

    Chapter 3 operation installation and operation manual 3-8 turning off the unit secflow-1 oem new_version sf_0290_4.0.02.03.Tar detected oem 3 verifying sw version sf_0290_4.0.02.03.Tar =appl.Tar.Gz: ok ==vmlinux.Uboot: ok sw version was verified successfully vmlinux.Tar =vmlinux.Uboot: ok updating ba...

  • Page 45: Chapter 4

    Secflow-1 login and management 4-1 chapter 4 management and security this chapter provides general operating instructions and preliminary configuration instructions for secflow-1 units. 4.1 login and management configuring the login authentication method sets the authentication method for user login...

  • Page 46

    Chapter 4 management and security installation and operation manual 4-2 management secflow-1 table 4-1. Console cable pinout rj45 male connector db9 female connector 1 - 2 3 3 2 4 5 5 5 6 - 7 - 8 - cli terminal commands following are the cli commands related to terminal functioning. + root - idle-ti...

  • Page 47

    Installation and operation manual chapter 4 management and security secflow-1 management 4-3 commands hierarchy + root + reload - schedule date-and-time yyyy-mm-dd,hh:mm:ss - schedule every - schedule time hh:mm:ss - schedule in - cancel - show - commit - delete diagnostics - delete logs - delete st...

  • Page 48

    Chapter 4 management and security installation and operation manual 4-4 command line interface secflow-1 command description reload schedule in set specific timer for next router reload. Permissible range in seconds is 180 – 604800. Configuration which was not committed will not be available after r...

  • Page 50

    Chapter 4 management and security installation and operation manual 4-6 command line interface secflow-1.

  • Page 51: Chapter 5

    Secflow-1 serial tunneling 5-1 chapter 5 services this chapter presents information on services supported by secflow-1. 5.1 serial tunneling this section describes how to provision serial tunneling services. Configuration overview figure 5-1 illustrates a typical service created between two secflow-...

  • Page 52

    Chapter 5 services installation and operation manual 5-2 serial tunneling secflow-1 table 5-1. Serial tunneling service provisioning sequence step command comments define device parameters configure router interface router interface create address-prefix vlan_id • the router interface is ...

  • Page 53

    Installation and operation manual chapter 5 services secflow-1 serial tunneling 5-3 router interface create address-prefix 172.18.212.230/24 vlan 100 purpose application-host physical-interface eth2 serial port create slot 1 port 1 baudrate 9600 parity even mode-of-operation transparent serial local...

  • Page 55

    Installation and operation manual chapter 5 services secflow-1 dynamic multipoint vpn 5-5 sequence step command comments define application parameters configure router interface for access ip router interface create address-prefix vlan_id the router interface is the source ip of the udp...

  • Page 56

    Chapter 5 services installation and operation manual 5-6 dynamic multipoint vpn secflow-1 configuring dm-vpn to configure the hub (secflow-2): 1. Set router host name (not mandatory). Set host-name hub 2. Disable spanning tree and remove the ports to be used in the vpn from default vlan 1. Config te...

  • Page 57

    Installation and operation manual chapter 5 services secflow-1 dynamic multipoint vpn 5-7 7. Assign ace ip interface for routing towards the wan. Router interface create address-prefix 172.18.20.10/24 vlan 20 purpose application-host 8. Assign the gre tunnel. Vpn gre tunnel create address-prefix 10....

  • Page 58

    Chapter 5 services installation and operation manual 5-8 dm-vpn over the cellular link secflow-1 configure terminal ip route 192.168.10.0/24 10.10.10.10 write exit exit 5. Configure ipsec. Ipsec isakmp update my-id rtu1.Radiflow.Com ipsec preshared create id hub.Radiflow.Com key secretkey ipsec pres...

  • Page 59

    Installation and operation manual chapter 5 services secflow-1 dm-vpn over the cellular link 5-9 • since this is the layer 3 service, the users behind the spoke and hub belong to the different vlans and subnets. • ip interface 192.168.40.10 (eth1:1) is created in the spoke. This interface routes the...

  • Page 60

    Chapter 5 services installation and operation manual 5-10 dm-vpn over the cellular link secflow-1 cellular enable cellular settings update default-route yes 3. From the wan update menu configure the sim card in slot 1. Cellular wan update sim-slot 1 admin-status enable operator-name cellcom apn- nam...

  • Page 61

    Installation and operation manual chapter 5 services secflow-1 dm-vpn over the cellular link 5-11 vlan 10 ports fastethernet 0/1 gigabitethernet 0/3 untagged fastethernet 0/1 exit vlan 20 ports fastethernet 0/8 gigabitethernet 0/3 untagged fastethernet 0/8 exit interface fastethernet 0/1 description...

  • Page 62

    Chapter 5 services installation and operation manual 5-12 dm-vpn over the cellular link secflow-1 ip route 0.0.0.0/0 172.18.212.100 write exit exit 7. Configure ipsec. Secflow-1#application connect ipsec isakmp update my-id pc.Radiflow.Com ipsec preshared create id pc.Radiflow.Com key secretkey ipse...

  • Page 63

    Installation and operation manual chapter 5 services secflow-1 dm-vpn over the cellular link 5-13 secflow-1#router route show kernel ip routing table destination gateway genmask flags metric ref use iface 0.0.0.0 0.0.0.0 0.0.0.0 u 0 0 0 ppp0 10.10.10.0 0.0.0.0 255.255.255.0 u 0 0 0 mgre1 192.168.10....

  • Page 64

    Chapter 5 services installation and operation manual 5-14 dm-vpn over the cellular link secflow-1 e: 3des-cbc e106edb4 40103b21 95609c4a 2dcedbe5 4ac0a5d2 b6762651 a: hmac-md5 5719c1c7 a42a25b5 b9a3bb2a d391f8da seq=0x00000000 replay=4 flags=0x00000000 state=mature created: may 18 13:09:36 2014 curr...

  • Page 65

    Installation and operation manual chapter 5 services secflow-1 dm-vpn over the cellular link 5-15 to configure the hub: 1. Create the serial port and transparent serial tunneling service. Application connect []serial port create port 1 mode-of-operation transparent []serial local-end-point create po...

  • Page 66

    Chapter 5 services installation and operation manual 5-16 dm-vpn over the cellular link secflow-1.

  • Page 67: Chapter 6

    Secflow-1 ip interfaces 6-1 chapter 6 ports 6.1 ip interfaces secflow-1 supports multiple layer 3 interfaces to be set for the purposes of: • routing • management • serial services. Ip interfaces the following services require assignment of an ip interface. • dhcp client • management • ping • trace ...

  • Page 68

    Chapter 6 ports installation and operation manual 6-2 ip interfaces secflow-1 one (and only one) of the interfaces must be set to purpose ‘application-host’; all other interfaces must be set to purpose ‘general’. If a “purpose” is not configured by the user, the interface has the ‘general’ status by...

  • Page 69

    Installation and operation manual chapter 6 ports secflow-1 ip interfaces 6-3 ip interface vlan id when an ip interface is assigned with a vlan id, it supports vlan tagging. Such an interface accepts only the packets tagged with the corresponding vlan tag. Packets transmitted by such an interface do not h...

  • Page 70

    Chapter 6 ports installation and operation manual 6-4 ip interfaces secflow-1 command description show show application engine ip interfaces vlan aware interface example 1. Create an ip interface with vlan 1 and static route (default gateway). Secflow-1# router interface create address-prefix 10.10....

  • Page 71

    Installation and operation manual chapter 6 ports secflow-1 serial ports and services 6-5 example of ip retrieving from the dhcp server 1. Enable dhcp on the eth1 interface to retrieve an ip from a dhcp server. Secflow-1# router dhcp enable physical-interface eth1 secflow-1# router interface show +-...

  • Page 72

    Chapter 6 ports installation and operation manual 6-6 serial ports and services secflow-1 table 6-3 specifies the main configuration parameters according to the application type. Table 6-3. Application parameters hierarchy level configurable parameter transparent tunneling terminal server 101/104 ga...

  • Page 75

    Installation and operation manual chapter 6 ports secflow-1 serial ports and services 6-9 command description create slot : 1 (constant) port : port number .1-2 service id: numeric value of serial service. Position: master – point to multipoint slave – point to multipoint application : serial-tunnel...

  • Page 76

    Chapter 6 ports installation and operation manual 6-10 serial ports and services secflow-1 command description remove slot : 1 (constant) port : port number .1-2 service id : numeric value of serial service. Position: master – point to multipoint slave – point to multipoint application : serial-tunn...

  • Page 77

    Installation and operation manual chapter 6 ports secflow-1 serial ports and services 6-11 rs- 232 port pin assignment table 6-6 shows the serial port pin assignment. Table 6-6. Rj-45 serial port pin assignment line pin dcd 2 tx 6 rx 5 dsr 1 gnd 4 dtr 3 cts 7 rts 8 the serial control lines are not s...

  • Page 78

    Chapter 6 ports installation and operation manual 6-12 transparent serial tunneling secflow-1 table 6-7. Cbl-rj45/db9/null cable pinout rj-45 male db-9 female female db-9 (dce) male rj-45 female rj-45 2 6 6 tx 3 5 5 tx 5 4 4 gnd to avoid the serial port damage, do not use the secflow-1 console cable...

  • Page 79

    Installation and operation manual chapter 6 ports secflow-1 transparent serial tunneling 6-13 the serial devices must all be connected to secflow routers. The secflow-1 serial port supports a full set of serial parameters. Each serial port is assigned with a service-id. The service-id groups the ser...

  • Page 80

    Chapter 6 ports installation and operation manual 6-14 transparent serial tunneling secflow-1 point-to-multipoint application figure 6-4 illustrates point-to-multipoint service with the master and slave units connected locally to the same router. Figure 6-4. Point-to-multipoint local service figure ...

  • Page 81

    Installation and operation manual chapter 6 ports secflow-1 transparent serial tunneling 6-15 figure 6-6. Multipoint-to-multipoint mixed service operation modes the port mode-of-operation parameter is a part of serial port configuration. It defines the serial data collection method. Transparent tunn...

  • Page 82

    Chapter 6 ports installation and operation manual 6-16 transparent serial tunneling secflow-1 byte mode the byte structure includes start-bit, data-bits, parity-bit, stop-bits. The data-bits number may be from 5 to 8. In the byte mode, the serial-processor collects received bytes and encapsulates d...

  • Page 83

    Installation and operation manual chapter 6 ports secflow-1 transparent serial tunneling 6-17 aware mode serial data is received in the frame mode. Each serial device, connected to the router, is identified with its protocol unit-id. For example, the iec101 serial device common address of asdu is co...

  • Page 84

    Chapter 6 ports installation and operation manual 6-18 transparent serial tunneling secflow-1 serial ports counters the tx and rx serial ports counters are controlled by the serial-processor. Rx counters • switch 1 – the counter increases when ce1 transmits data. Data is received by the serial proce...

  • Page 85

    Installation and operation manual chapter 6 ports secflow-1 transparent serial tunneling 6-19 bus idle time bus idle time determines the serial line silence period denoting the end of frame. This parameter is configured in a number of bits. The bus idle time is calculated on the basis of the bits nu...

  • Page 86

    Chapter 6 ports installation and operation manual 6-20 iec 101 to iec 104 protocol gateway secflow-1 configuration router a (master) 1. Configure the serial gateway. Router interface create address-prefix 172.18.212.231/24 vlan 100 purpose application-host physical-interface eth2 serial port create ...

  • Page 87

    Installation and operation manual chapter 6 ports secflow-1 iec 101 to iec 104 protocol gateway 6-21 the gateway implements three functions: • iec 104 server – the application module functions as an iec 104 server to any iec 104 clients connected via the ethernet network. This functioning includes f...

  • Page 88

    Chapter 6 ports installation and operation manual 6-22 iec 101 to iec 104 protocol gateway secflow-1 figure 6-9. Iec 101 balanced operation mode unbalanced mode is illustrated on figure 6-10 . Up to 32 asdu addresses can be supported by each iec 101 server. Figure 6-10. Iec 101 unbalanced operation ...

  • Page 89

    Installation and operation manual chapter 6 ports secflow-1 iec 101 to iec 104 protocol gateway 6-23 multipoint-party line (planned) physical layer: • monitor and control traffic transmission speed: 300 – 38400 bps link layer: • link transmission procedure balanced transmission unbalanced transmissi...

  • Page 90

    Chapter 6 ports installation and operation manual 6-24 iec 101 to iec 104 protocol gateway secflow-1 • iec 101 device parameters - the physical link properties (baud-rate, parity, stop bits) should be configured for the serial interfaces. Besides this, the iec 101 addressing information should be pr...

  • Page 91

    Installation and operation manual chapter 6 ports secflow-1 iec 101 to iec 104 protocol gateway 6-25 ii. The serial port must be configured with mode-of-operation set to transparent. B. Configure a local service (serial local endpoint). I. Create a local endpoint and assign the serial port. Ii. The ...

  • Page 93

    Installation and operation manual chapter 6 ports secflow-1 iec 101 to iec 104 protocol gateway 6-27 iec 101/104 gateway commands table 6-9 describes the 101/104 gateway configuration commands. Table 6-9. 101/104 gateway commands description command description iec101-gw configuration mode of 101/10...

  • Page 94

    Chapter 6 ports installation and operation manual 6-28 iec 101 to iec 104 protocol gateway secflow-1 command description are one or two bytes. Should be identical to the configuration at the 101 slave. Orig_addr: should be configured as the originator address set at the 101 slave. Orig_addr_particip...

  • Page 95

    Installation and operation manual chapter 6 ports secflow-1 iec 101 to iec 104 protocol gateway 6-29 iec 101/104 gateway example figure 6-12 illustrates iec 101/104 connection setup using secflow-1 as a gateway. Figure 6-12. Iec 101/104 gateway example iec 101/104 gateway configuration 1. Configure ...

  • Page 97

    Installation and operation manual chapter 6 ports secflow-1 modbus gateway 6-31 up to five gateways can operate simultaneously. Each must use a different ace ip interface and have a unique gateway id. A serial port, connecting a modbus rtu device, can be associated with a single gateway unit. Modbus...

  • Page 99

    Installation and operation manual chapter 6 ports secflow-1 modbus gateway 6-33 modbus gateway example figure 6-13 demonstrates a modbus gateway example. Figure 6-13. Modbus gateway example to configure the modbus gateway: 1. Assign ip interface. Router interface create address-prefix 192.168.40.10/24...

  • Page 101

    Installation and operation manual chapter 6 ports secflow-1 dnp3 gateway 6-35 dnp3 gateway is configured with a terminal server using the tcp port 20000 protocol. Refer to the terminal server section for the configuration structure. Dnp3 gateway example figure 6-14 demonstrates dnp3 gateway example....

  • Page 102

    Chapter 6 ports installation and operation manual 6-36 dnp3 gateway secflow-1.

  • Page 103: Chapter 7

    Secflow-1 gprs/umts interface 7-1 chapter 7 resiliency 7.1 gprs/umts interface the secflow-1 gprs/umts modem provides a key solution for remote sites connectivity. The modem supports a dual sim card for redundancy and internet service providers backup, providing the utilities small sites with a traf...

  • Page 104

    Chapter 7 resiliency installation and operation manual 7-2 gprs/umts interface secflow-1 spokes. In case of the public network, the hub must have the public static ip address. The hub listens to the nhrp requests from the spokes and enables vpn connection establishment depending on the authenticatio...

  • Page 105

    Installation and operation manual chapter 7 resiliency secflow-1 gprs/umts interface 7-3 • failed – connection with the selected sim card cannot be established • connected as secondary – cellular modem is connected with the alternative sim card (user selected primary sim card status) • connected as a...

  • Page 106

    Chapter 7 resiliency installation and operation manual 7-4 backup and redundancy secflow-1 7.2 backup and redundancy cellular and physical interfaces backup a cellular link has higher cost and lower throughput than a physical connection (copper or fiber line). When the cellular link is used as a phy...

  • Page 108

    Chapter 7 resiliency installation and operation manual 7-6 backup and redundancy secflow-1 gprs/umts commands description table 7-1 describes the secflow-1 gprs/umts commands. Table 7-1. Gprs/umts commands description command description cellular enter the configuration mode for the cellular applica...

  • Page 109

    Installation and operation manual chapter 7 resiliency secflow-1 backup and redundancy 7-7 command description settings update quality check: define time interval in seconds for internal rssi check of active sim. 604800>. 0 – disable rssi check. Backoff1 : minimum time to stay on a sim after any fail...

  • Page 110

    Chapter 7 resiliency installation and operation manual 7-8 backup and redundancy secflow-1 command description network show show connection time and rssi per sim card connection show show cellular connection status nhrp entering nhrp configuration hub show : display connected spokes list spoke updat...

  • Page 111

    Installation and operation manual chapter 7 resiliency secflow-1 backup and redundancy 7-9 imei retrieving example the example below shows the imei identifier retrieving. Secflow-1# cellular disable cellular modem power-up completed ok cellular modem send command at+cgsn send : at+cgsn reply : +cgsn...

  • Page 112

    Chapter 7 resiliency installation and operation manual 7-10 backup and redundancy secflow-1.

  • Page 113: Chapter 8

    Secflow-1 acls 8-1 chapter 8 networking this chapter explains how to configure networking entities in secflow-1. It presents the following information: • vlan and ip interface • acls • qos • ospf • gprs/umts interface • transparent tunneling • discrete io tunneling • vpn • protocol gateway iec 101 t...

  • Page 114

    Chapter 8 networking installation and operation manual 8-2 acls secflow-1 • each rule must have a unique priority number, specified in the range from 1 to 255. The lower priority number represents the higher priority. • the acl checks packets using the rules in order of priority, until the first re...

  • Page 115

    Installation and operation manual chapter 8 networking secflow-1 acls 8-3 figure 8-1. Secflow-1 acl functionality pc 1 sends udp packets to the eth1 interface. Acgs receive and verify the incoming packets in the following sequence: • acg with priority 10 verifies the packet with the acl 1050 rules: ...

  • Page 118

    Chapter 8 networking installation and operation manual 8-6 qos secflow-1 secflow-1# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip 192.168.1.250 dst-ip 192.168.1.101 secflow-11# ip access-list extended deny icmp acl-num 1010 priority 20 src-ip 192.168.1.250 dst-ip 192.168.2.101 ...

  • Page 120

    Chapter 8 networking installation and operation manual 8-8 nat secflow-1 figure 8-2. Nat networking pc communication towards the server depends on the secflow-1 router nat configuration: • static nat only: the pc is not able to initiate a session towards the server. Sessions initiated by the server ...

  • Page 121

    Installation and operation manual chapter 8 networking secflow-1 nat 8-9 command description original-port: the original protocol ‘destination port’ at the incoming packet ip header. Modified-port: the protocol port to which the nat should traverse the original-port to. Protocol: define the protocol...

  • Page 122

    Chapter 8 networking installation and operation manual 8-10 ospf secflow-1 router nat static create original-ip 192.168.10.11 modified-ip 10.10.10.10 original-port 23 modified-port 23 protocol tcp 5. Configure static nat to direct wan traffic targeted to 192.168.10.11 towards 10.10.10.100 with port ...

  • Page 123

    Installation and operation manual chapter 8 networking secflow-1 ospf 8-11 the link-state algorithms to send routing information to all nodes in an inter-network by calculating the shortest path to each node based on topography of the internet constructed by each node. Each router sends: • its porti...

  • Page 124

    Chapter 8 networking installation and operation manual 8-12 ospf secflow-1 command description router ospf area – ospf area parameters given in a.B.C.D format or as a metric id (0-4294967295). Router-id – router-id for the ospf process given in a.B.C.D format. Network – enable routing on an ip netwo...

  • Page 125

    Installation and operation manual chapter 8 networking secflow-1 ospf 8-13 s1 configuration 1. Remove the network ports from default vlan 1. Config vlan 1 no ports fa 0/1-2 untagged fa 0/1-2 exit 2. Assign vlans and corresponding ip interfaces. Vlan 101 ports fastethernet 0/1 exit vlan 102 ports fas...

  • Page 126

    Chapter 8 networking installation and operation manual 8-14 ospf secflow-1 exit interface vlan 102 shutdown ip address 172.18.102.202 255.255.255.0 no shutdown exit interface vlan 103 shutdown ip address 172.18.103.202 255.255.255.0 no shutdown exit 3. Configure ospf. Router ospf router-id 10.10.10....

  • Page 127

    Installation and operation manual chapter 8 networking secflow-1 ospf 8-15 3. Configure ospf. Router ospf router-id 10.10.10.103 network 172.18.104.203 255.255.255.0 area 0.0.0.0 network 172.18.103.203 255.255.255.0 area 0.0.0.0 end commit s4 configuration 1. Remove the network ports from default vl...

  • Page 128

    Chapter 8 networking installation and operation manual 8-16 ripv2 secflow-1 8.5 ripv2 rip (routing information protocol), is a distance-vector routing protocol, which employs the hop count as a routing metric. Rip commands hierarchy +root + router rip enable exit show ip rip + configure terminal + [...

  • Page 129

    Installation and operation manual chapter 8 networking secflow-1 ripv2 8-17 command description updates on an interface. Given as a name of a preconfigured interface eth1.. Redistribute – redistribute information from another routing protocol. Neighbor – specify a neighbor router. Given as a.B.C.D/m...

  • Page 130

    Chapter 8 networking installation and operation manual 8-18 terminal server secflow-1 8.6 terminal server secflow-1 allows a special service to convert a tcp session to a serial session. A router functioning as the terminal server can be connected to the telnet client (management station) via local conn...

  • Page 131

    Installation and operation manual chapter 8 networking secflow-1 terminal server 8-19 in the second option the terminal servers are set in the remote router connected to the serial devices locally ( figure 8-6 ). The benefit of this scenario is that tcp sessions run over the ip network and not over the tunnel. Figu...

  • Page 132

    Chapter 8 networking installation and operation manual 8-20 terminal server secflow-1 - remove service-id - show terminal server commands command description serial port create/update the serial port clear counters clear counters create slot : 1 (constant) port : port number .1-4 baud rate : 50,75,1...

  • Page 133

    Installation and operation manual chapter 8 networking secflow-1 terminal server 8-21 command description serial port create/update the serial port allowed range will be the entered value (x) to x+100 update dead-peer-timeout > : this parameter will release the open tcp socket after the configurable...

  • Page 134

    Chapter 8 networking installation and operation manual 8-22 terminal server secflow-1 command description serial port create/update the serial port the telnet session established from the client (user) to the terminal server (router). Show : display the configuration. Remove address: ip address in t...

  • Page 135

    Installation and operation manual chapter 8 networking secflow-1 terminal server 8-23 terminal-server settings update low-border-telnet-tcp-port 20000 buffer-mode byte terminal-server telnet-service create service-id 1 remote-address 172.18.212.230 telnet-port 20000 commit use the proper serial cabl...

  • Page 137

    Installation and operation manual chapter 8 networking secflow-1 vpn 8-25 router interface create address-prefix 172.18.212.230/24 vlan 100 purpose application-host physical-interface eth2 serial port create slot 1 port 1 mode-of-operation transparent serial local-end-point create service-id 1 slot ...

  • Page 138

    Chapter 8 networking installation and operation manual 8-26 vpn secflow-1 figure 8-9. Secflow-1 in vpn application supported modes secflow-1 supports the l3 mgre dm-vpn route based operation mode. This mode is based on gre tunnelling. Layer 3 dm vpn the layer 3 mgre tunneling enables to support mor...

  • Page 140

    Chapter 8 networking installation and operation manual 8-28 isakmp secflow-1 origin authentication is supported by ike phase 1 and phase 2 hash cryptographic. The encryption is supported by ike phase 1 and phase 2 algorithms. Security associations a security association (sa) is a relationship betwee...

  • Page 141

    Installation and operation manual chapter 8 networking secflow-1 isakmp 8-29 isakmp phase 1 in phase 1 two isakmp vpn peers establish a secure, authenticated communication channel named isakmp security association (sa) or ike security association. The authentication is done using pre-shared keys or ...

  • Page 142

    Chapter 8 networking installation and operation manual 8-30 isakmp secflow-1 • fully qualified domain name (fqdn), allowed only when aggressive ike mode is used. Below is an example of psk configuration. 1. Detail the vpn members preshared ids and specify the local unit id. Secflow-1# ipsec isakmp u...

  • Page 143

    Installation and operation manual chapter 8 networking secflow-1 isakmp 8-31 rsa signatures (x.509) rsa (rivest, shamir, adleman) is a public-key cryptosystem widely used for secure data transmission. In such a cryptosystem, the encryption key is public and differs from the decryption key which i...

  • Page 144

    Chapter 8 networking installation and operation manual 8-32 isakmp secflow-1 the above configuration result is presented by the following show output. Exchange modes main main mode is the phase 1 option featuring higher security level since it includes identity protection. Session process is as foll...

  • Page 145

    Installation and operation manual chapter 8 networking secflow-1 isakmp 8-33 the ike main mode is not applicable to the applications with the dynamic vpn ip addresses (for example a cellular spoke retrieving dynamic ip from the isp over its ppp interface). In the main mode the psk must be in the for...

  • Page 149

    Installation and operation manual chapter 8 networking secflow-1 isakmp 8-37 command description key exchange process. The higher the group number, the stronger the key and the higher the security. Options : none modp768 (dh group 1) modp1024 (default) (dh group 2) modp1536 (dh group 3 and 5) modp2048 (d...

  • Page 150

    Chapter 8 networking installation and operation manual 8-38 isakmp secflow-1 command description my-id own preshared id. Dependent on “ id-type ” set , my-id can be in either domain name format or ipv4 format. If “ id-type ” is set to “ none ”: no need to set value in “ my-id ” as it will automatica...

  • Page 151

    Installation and operation manual chapter 8 networking secflow-1 isakmp 8-39 command description 180-946080000 sec. Default is 86400 soft-lifetime when a dynamic ipsec sa is created, two types of lifetimes are used: hard and soft. The hard lifetime specifies the lifetime of the sa. The soft lifetime...

  • Page 152

    Chapter 8 networking installation and operation manual 8-40 discrete io channels secflow-1 ipsec defaults parameters 8.9 discrete io channels discrete channel interface discrete signals are widely used in the industrial applications to monitor alarms and indications from the field side. Secflow-1 fe...

  • Page 153

    Installation and operation manual chapter 8 networking secflow-1 discrete io channels 8-41 the digital input status can be received by the operator and helps to make an operation decision. The discrete channels and the alarm-relay system use the same physical interface. Therefore these two services ...

  • Page 154

    Chapter 8 networking installation and operation manual 8-42 application aware firewall secflow-1 discrete io channels commands command description discrete in shutdown: disable the input channels no-shutdown: enable the input channels set name set a name to describe each channel clear clear the name...

  • Page 155

    Installation and operation manual chapter 8 networking secflow-1 application aware firewall 8-43 relevant scada protocol (for example, common address of asdu in iec104), thus not only the packet’s ip header is checked, but its payload as well. • a packet, originated and designated to a service membe...

  • Page 156

    Chapter 8 networking installation and operation manual 8-44 application aware firewall secflow-1 figure 8-13. Firewall service example to configure firewall service: 1. Set acl in the 104 server eth1 port to send traffic to the firewall. Ip access-list extended create acl-num 1101 acl-name fw1 redir...

  • Page 157

    Installation and operation manual chapter 8 networking secflow-1 application aware firewall 8-45 firewall commands command description firewall enter the configuration mode for the cellular application. Enable: enable application disable: disable application profile show display the content of the f...


  • Page 161: Chapter  10

    Secflow-1 operation system version 10-1 chapter 10 administration 10.1 operation system version updating of system version is available by tftp/sftp server in safe mode. Os files available in secflow-1 can be displayed with the command shown below. Running os file is marked as active. Secflow-1#os-i...

  • Page 162

    Chapter 10 administration installation and operation manual 10-2 operation system version secflow-1 os upgrade example this example demonstrates how to upgrade the secflow-1 os image file and export the data base. Figure 10-1. Os upgrade via tftp server 1. Connect your pc via the serial console cabl...

  • Page 163

    Installation and operation manual chapter 10 administration secflow-1 safe mode 10-3 7. Follow downloading process. Secflow-1#os-image download-status in progress 3 mb secflow-1#os-image download-status in progress 10 mb secflow-1#os-image download-status in progress 16 mb secflow-1#os-image downloa...

  • Page 164

    Chapter 10 administration installation and operation manual 10-4 safe mode secflow-1 • data base export / import (running configuration). For first safe mode press 's'... Phy: fixed-0:02 - link is up - 100/full s ------------------------------------------------------------------------------- -------...


  • Page 167: Chapter  11

    Secflow-1 alarm relay 11-1 chapter 11 monitoring and diagnostics the following topics are covered in this chapter: • detecting problems • alarms and traps • performing diagnostic tests 11.1 alarm relay secflow-1 has a capability to present the system and features alarms as a relay output (alarm rela...

  • Page 168

    Chapter 11 monitoring and diagnostics installation and operation manual 11-2 alarm relay secflow-1 wiring example the connection diagram on figure 11-2 illustrates the alarm normal-open outputs. Contacts 1 and 2 are open when there is no active alarm. Once the alarm triggers the relay, the conta...

  • Page 169

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-1 alarm relay 11-3 once this alarm is activated, the alarm relay ignores any other alarm types. Default state no alarms are associated with the alarm relay interfaces in the secflow-1 default status. The relay contacts ar...

  • Page 170

    Chapter 11 monitoring and diagnostics installation and operation manual 11-4 system logs export secflow-1 command description remove condition remove the assignment of trigger conditions • l2vp read interface read the current relay state at the interface • alarm – the “alarm” relay interface • d-out...

  • Page 171

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-1 syslog 11-5 commands description command description schedule manages scheduled task to copy system logs to the usb drive. To load a usb drive, insert it to the router usb port and reboot the router. Add task-name copy...

  • Page 172

    Chapter 11 monitoring and diagnostics installation and operation manual 11-6 syslog secflow-1 the priority indicator the priority indicator is calculated as follows: priority = 8 × facility_coefficient + severity_level. Table 11-1. Priority indicator facility coefficient facility priority 16 local0 1...

  • Page 173

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-1 ethernet service traffic capturing 11-7 11.4 ethernet service traffic capturing the secflow-1 system supports the selected service ip interface ethernet traffic sniffing and capturing. This feature enables network traf...

  • Page 175: Chapter  12

    Secflow-1 upgrading the os from sftp 12-1 chapter 12 software upgrade 12.1 upgrading the os from sftp system software can be upgraded via a tftp/sftp server using the following commands: - os-image show-list - os-image activate version-name - os-image delete version-name - os-image download-sw sftp:...

  • Page 176

    Chapter 12 software upgrade installation and operation manual 12-2 upgrading the os from sftp secflow-1 secflow-1#router interface create address-prefix 192.168.2.101/24 physical- interface eth1 purpose application-host 3. Check connectivity with the tftp server. Ping 192.168.2.240 (192.168.2.240): ...

  • Page 177: Appendix  A

    Secflow-1 required equipment a-1 appendix a test plan a.1 introduction this appendix describes basic verification tests for secflow-1. The aim is to perform a series of short tests that check the following: • ip connectivity and management • dhcp client • vlan tagging, ip interfaces, static routing ...

  • Page 178

    Appendix a test plan installation and operation manual a-2 ip connectivity and management test secflow-1 function requirements unit notes eth cable straight standard straight ethernet cable serial testing device hbt/firebird scada simulator rtu simulator all tests should pass if the following proced...

  • Page 179

    Installation and operation manual appendix a test plan secflow-1 ip connectivity and management test a-3 # action expected result result 3 connect the pc to eth1 port. Set the pc ip address belongs to the router subnet. 4 check the following: • ping between pc and router • ssh between pc and router....

  • Page 180

    Appendix a test plan installation and operation manual a-4 dhcp client secflow-1 3. Verify ssh from the pc to the router. 4. Verify ssh from the pc to the router. 5. Verify counters progressing in eth1 port. Secflow-1# port show interface-table port eth1 interface eth1 +------------------------+----...

  • Page 181

    Installation and operation manual appendix a test plan secflow-1 dhcp client a-5 preparing the test layout figure a-2. Dhcp client test estimated duration the estimated duration of this test is 20 minutes. Test procedure table a-2 details the dhcp client test procedure. Table a-2. Dhcp client test p...

  • Page 182

    Appendix a test plan installation and operation manual a-6 dhcp client secflow-1 set ip allocation to port 0/2 from the pool secflow-1 configuration steps: • enable dhcp on eth1. Dhcp server configuration (secflow-2) set host-name dhcp-server config interface vlan 1 ip address 172.17.203.100 255.255...

  • Page 183

    Installation and operation manual appendix a test plan secflow-1 vlan tagging, ip interfaces, static routing a-7 client identifier ip address 54:53:ed:2b:19:86 172.17.203.110 port identifier ip address fa0/1 172.17.203.110 ---- client view (secflow-1) secflow-1# router interface show +-----+------+...

  • Page 184

    Appendix a test plan installation and operation manual a-8 vlan tagging, ip interfaces, static routing secflow-1 preparing the test layout figure a-4. Vlan, ip interfaces, and static routing test estimated duration the estimated duration of this test is 30 minutes. Test procedure table a-3 details t...

  • Page 185

    Installation and operation manual appendix a test plan secflow-1 vlan tagging, ip interfaces, static routing a-9 • configure static route for 192.168.4.X via 192.168.2.101 set the secflow-1 interface 192.168.1.102 as a pc1 default gateway. Set the secflow-2 interface 192.168.4.101 as a pc2 default g...

  • Page 186

    Appendix a test plan installation and operation manual a-10 nat secflow-1 secflow-1 configuration secflow-1# router interface create address-prefix 192.168.1.102/24 purpose application-host physical-interface eth1 router interface create address-prefix 192.168.2.102/24 vlan 2 purpose general physica...

  • Page 187

    Installation and operation manual appendix a test plan secflow-1 nat a-11 preparing the test layout figure a-5. Nat test estimated duration the estimated duration of this test is 20 minutes. Test procedure table a-4 details the vlan, ip interfaces, and static routing test procedure. Table a-4. Nat t...

  • Page 188

    Appendix a test plan installation and operation manual a-12 nat secflow-1 verify ping connectivity: • between the wan client and the secflow-1 wan interface • between the lan server the secflow-1 lan interface. Open wan client with port 23 tcp connection for router management. Open wan client with p...

  • Page 190

    Appendix a test plan installation and operation manual a-14 dm vpn secflow-1 a.7 dm vpn the objective of this test is dynamic multipoint vpn functionality. Preparing the test layout figure a-6. Dm vpn test estimated duration the estimated duration of this test is 90 minutes. Test procedure table a-5...

  • Page 191

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-15 • in the gce set a static route using the ace interface as default gateway • in the ace, set routing: option 1: set a static route, pointing to subnet 192.168.40.X behind the spoke mgre interface option 2: enable ospf and s...

  • Page 192

    Appendix a test plan installation and operation manual a-16 dm vpn secflow-1 ports fastethernet 0/8 gigabitethernet 0/3 exit interface fastethernet 0/1 alias uni switchport pvid 10 exit 4. Assign the gce ip interface for management (not mandatory). Interface vlan 10 shut ip address 192.168.10.1 255....

  • Page 193

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-17 11. Configure ipsec. Ipsec isakmp update my-id hub.Radiflow.Com ipsec preshared create id hub.Radiflow.Com key secretkey ipsec preshared create id rtu1.Radiflow.Com key secretkey ipsec isakmp update id-type fqdn ipsec polic...

  • Page 194

    Appendix a test plan installation and operation manual a-18 dm vpn secflow-1 6. Configure ipsec. Ipsec isakmp update my-id rtu1.Radiflow.Com ipsec preshared create id hub.Radiflow.Com key secretkey ipsec preshared create id rtu1.Radiflow.Com key secretkey ipsec isakmp update id-type fqdn ipsec polic...

  • Page 195

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-19 e: 3des-cbc dc654725 37b9b9f6 52f98873 e022e294 9f2f1b2c 0a862df6 a: hmac-md5 4736a293 93850813 3814bcf4 2942144f seq=0x00000000 replay=4 flags=0x00000000 state=mature created: nov 25 03:51:24 2000 current: nov 25 03:55:28 ...

  • Page 196

    Appendix a test plan installation and operation manual a-20 dm vpn secflow-1 5. Verify connectivity to the 192.168.40.X remote subnet. [/] ping 192.168.40.10 ping 192.168.40.10 (192.168.40.10): 56 data bytes 64 bytes from 192.168.40.10: seq=0 ttl=64 time=1.935 ms 64 bytes from 192.168.40.10: seq=1 t...

  • Page 197

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-21 esp mode=transport spi=24577061(0x01770425) reqid=0(0x00000000) e: 3des-cbc cba46f76 4a82acdf 1b0ce829 a8e21961 0170528c b0d42140 a: hmac-md5 3c2635ed db679013 8850c825 9b9fb53b seq=0x00000000 replay=4 flags=0x00000000 stat...

  • Page 198

    Appendix a test plan installation and operation manual a-22 dm vpn secflow-1 172.18.20.0 0.0.0.0 255.255.255.0 u 0 0 0 eth2.20 192.168.10.0 10.10.10.10 255.255.255.0 ug 0 0 0 mgre1 ------ 192.168.40.0 0.0.0.0 255.255.255.0 u 0 0 0 eth1 completed ok 5. Verify that the ospf (option 2) neighbor state ...

  • Page 199

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-23 figure a-7. Terminal server test router (secflow-1) configuration 1. Configure the serial port to be consistent with the serial slave properties. The serial port operation mode must be transparent. The local end-point appli...

  • Page 200

    Appendix a test plan installation and operation manual a-24 dm vpn secflow-1 figure a-8. Tcp connection 3. Verify connection established. Secflow-1# terminal-server services show ---- 'telnet server' service ----- +---------+--------+---------------+-------------+------------- +-------------+-------...

  • Page 201

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-25 completed ok secflow-1# adding qos to terminal server traffic there are two options to use qos in the terminal server (secflow-1): • option 1: set the dscp value 16 to traffic assigned for the telnet client 192.168.10.250 a...

  • Page 202

    Appendix a test plan installation and operation manual a-26 dm vpn secflow-1 result figure a-10. Backbone traffic with qos dscp assignment option 2 set a tos value to the dm-vpn tunnel header (value of 30 is given as an example). Ipsec disable vpn gre nhrp disable vpn gre nhrp map remove multipoint-...

  • Page 203

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-27 result figure a-11. Backbone traffic with tunnel tos assignment adding cellular link to add the cellular link, perform the following steps: • configure secflow-1 with the requested vlans and interfaces. • in the hub (secflo...

  • Page 204

    Appendix a test plan installation and operation manual a-28 dm vpn secflow-1 set a static route, pointing to subnet 192.168.10.X behind the hub mgre interface set ipsec parameters • define the corresponding router interface as the pcs default gateway. Verify the following: • ping connectivity betwee...

  • Page 205

    Installation and operation manual appendix a test plan secflow-1 dm vpn a-29 dm-vpn multipoint-gre create address-prefix 10.10.10.10/24 lower-layer-dev eth1.20 name mgre1 key 10.0.0.0 dm-vpn nhrp disable dm-vpn nhrp enable router static enable configure terminal ip route 192.168.40.0/24 10.10.10.20 ...

  • Page 206

    Appendix a test plan installation and operation manual a-30 iec 101/104 gateway secflow-1 ipsec enable commit serial tunneling: serial port create port 2 baudrate 9600 parity even mode-of- operation transparent serial local-end-point create port 2 service-id 1 application serial-tunnel position slav...

  • Page 207

    Installation and operation manual appendix a test plan secflow-1 iec 101/104 gateway a-31 table a-6. Iec 101/104 gateway test procedure # action expected result result 1 configure the gateway (secflow-1) 2 verify connectivity between over the serial link telnet client and iec 101 device are connecte...

  • Page 208

    Appendix a test plan installation and operation manual a-32 iec 101/104 gateway secflow-1 5. Configure the gateway parameters to comply with the iec 101 server configuration. Iec101-gw config iec101 create slot 1 port 1 asdu_addr 1 orig_addr 0 link_addr 27 link_address_field_length 2 common_address_...

  • Page 210

    Appendix a test plan installation and operation manual a-34 ospf secflow-1 # action expected result result 4 verify ospf neighborship and routing table ospf neighborship and the routing table comply with the configuration configuring devices configuration steps: • configure vlan 2 and assign the req...

  • Page 211

    Installation and operation manual appendix a test plan secflow-1 ospf a-35 secflow-1 configuration secflow-1# router interface create address-prefix 192.168.1.102/24 purpose application-host physical-interface eth1 router interface create address-prefix 192.168.2.102/24 vlan 2 purpose general physic...

  • Page 212

    Appendix a test plan installation and operation manual a-36 ospf secflow-1 192.168.1.0/255.255.255.0 0 192.168.2.102/vlan2 11 intraarea 0.0.0.0 192.168.2.0/255.255.255.0 0 0.0.0.0/vlan2 1 intraarea 0.0.0.0 192.168.4.0/255.255.255.0 0 0.0.0.0/vlan4 1 intraarea 0.0.0.0 secflow-2# show ip route codes: ...

  • Page 213

    Installation and operation manual appendix a test plan secflow-1 ospf a-37 192.168.1.0 0.0.0.0 255.255.255.0 u 0 0 0 eth1 192.168.2.0 0.0.0.0 255.255.255.0 u 0 0 0 eth2.2 192.168.4.0 192.168.2.101 255.255.255.0 ug 11 0 0 eth2.2 completed ok secflow-1# ping 192.168.4.101 ping 192.168.4.101 (192.168.4...


  • Page 216

    Publication no. 611-200-05/15 order this publication by catalog no. 805073 international headquarters 24 raoul wallenberg street tel aviv 69719, israel tel. 972-3-6458181 fax 972-3-6498250, 6474436 e-mail market@rad.Com north america headquarters 900 corporate drive mahwah, nj 07430, usa tel. 201-52...