RAD SecFlow-2 Installation and operation manual

Manual is about: Ruggedized SCADA-Aware Ethernet Switch/Router

Summary of SecFlow-2

  • Page 1

    SecFlow-2 Ruggedized SCADA-Aware Ethernet Switch/Router, Version 3.6, Installation and Operation Manual.

  • Page 3: Secflow-2

    Secflow-2 ruggedized scada-aware ethernet switch/router version 3.6 installation and operation manual notice this manual contains information that is proprietary to rad data communications ltd. ("rad"). No part of this publication may be reproduced in any form whatsoever without prior written approv...

  • Page 4: Limited Warranty

    Front matter installation and operation manual ii secflow-2 limited warranty rad warrants to distributor that the hardware in the secflow-2 to be delivered hereunder shall be free of defects in material and workmanship under normal use and service for a period of twelve (12) months following the dat...

  • Page 5: Safety Symbols

    Installation and operation manual front matter secflow-2 iii general safety instructions the following instructions serve as a general guide for the safe installation and operation of telecommunications products. Additional instructions, if applicable, are included inside the manual. Safety symbols ...

  • Page 6

    Front matter installation and operation manual iv secflow-2 handling energized products general safety practices do not touch or tamper with the power supply when the power cord is connected. Line voltages may be present inside certain products even when the power switch (if installed) is in the off...

  • Page 7

    Installation and operation manual front matter secflow-2 v the maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16a (20a for usa and canada). The circuit breaker in the building installation should have high breaking capacity and must op...

  • Page 8

    Front matter installation and operation manual vi secflow-2 when using shielded or coaxial cables, verify that there is a good ground connection at both ends. The grounding and bonding of the ground connections should comply with the local codes. The telecommunication wiring in the building may be d...

  • Page 9: Fcc-15 User Information

    Installation and operation manual front matter secflow-2 vii fcc-15 user information this equipment has been tested and found to comply with the limits of the class a digital device, pursuant to part 15 of the fcc rules. These limits are designed to provide reasonable protection against harmful inte...

  • Page 10: Product Disposal

    Front matter installation and operation manual viii secflow-2 (French) product disposal: in order to facilitate the reuse, recycling and other forms of recovery of discarded equipment as part of environmental protection, the owner is asked to...

  • Page 11

    Installation and operation manual front matter secflow-2 ix (French) some products may be equipped with a laser diode. In such cases, a label indicating the laser class, together with any other applicable warnings, will be affixed near the optical transmitter. The warning symbol...

  • Page 12

    Front matter installation and operation manual x secflow-2 (French) connection to mains power: make sure the electrical installation complies with local regulations. Always plug the mains plug into a wall outlet fitted with a protective earth terminal. The ...

  • Page 13

    Declaration of conformity manufacturer's name: rad data communications ltd. Manufacturer's address: 24 raoul wallenberg st., tel aviv 6971920, israel declares that the product: product name: secflow-2 product options: all conforms to the following standard(s) or other normative document(s): emc en...

  • Page 15: Contents

    Secflow-2 i contents chapter 1. Introduction 1.1 overview .............................................................................................................................. 1-1 product options ..................................................................................................

  • Page 16

    Table of contents installation and operation manual ii secflow-2 connecting to ethernet equipment .................................................................................. 2-10 connecting to serial equipment ......................................................................................

  • Page 17

    Installation and operation manual table of contents secflow-2 iii terminal server commands hierarchy .............................................................................. 4-20 terminal server commands .............................................................................................

  • Page 18

    Table of contents installation and operation manual iv secflow-2 6.1 a logical view of ports .......................................................................................................... 6-1 6.2 port addressing ...............................................................................

  • Page 19

    Installation and operation manual table of contents secflow-2 v vlans of system usage ........................................................................................................ 4 vlan range of nms usage ......................................................................................

  • Page 20

    Table of contents installation and operation manual vi secflow-2 command descriptions ..................................................................................................... 100 example: rstp/mstp ............................................................................................

  • Page 21

    Installation and operation manual table of contents secflow-2 vii rip commands hierarchy .................................................................................................. 163 rip commands descriptions .....................................................................................

  • Page 22

    Table of contents installation and operation manual viii secflow-2 example ............................................................................................................................. 9-2 9.2 simple network time protocol (sntp) ..........................................................

  • Page 23

    Installation and operation manual table of contents secflow-2 ix commands description .................................................................................................. 11-14 example ........................................................................................................

  • Page 24

    Table of contents installation and operation manual x secflow-2.

  • Page 25: Chapter

    Secflow-2 overview 1-1 chapter 1 introduction 1.1 overview the secflow-2 industrial ethernet switches combine a ruggedized ethernet platform with a unique application-aware processing engine. As an industrial ethernet switch the secflow-2 switch provides a strong ethernet and ip feature set with a s...

  • Page 26

    Chapter 1 introduction installation and operation manual 1-2 overview secflow-2 remote site b modbus rtus modbus rtu 104 client modbus client scada nms psn modbus rtu iec 101 remote site a iec 101 asdu3 asdu2 iec 101 modbus rtu modbus rtu id 12 id 11 id 13 iec-104 udp/ip ssh (t. Server) modbus tcp a...

  • Page 27

    Installation and operation manual chapter 1 introduction secflow-2 overview 1-3 vpn gateway with ipsec secflow-2 provides secured interconnection of remote sites over public networks, using layer 2 gre vpn, layer 3 multipoint gre dynamic multipoint vpn, x.509-certified ipsec encryption per 3des or a...

  • Page 28

    Chapter 1 introduction installation and operation manual 1-4 overview secflow-2 lacp ensures smooth and steady traffic flow by automating the configuration and maintenance of aggregated links. Terminal server and serial tunneling secflow-2 enables connection of multiple devices with serial interface...

  • Page 29

    Installation and operation manual chapter 1 introduction secflow-2 physical description 1-5 • rip v2. Time flexible clock distribution and network synchronization is based on ptp (precision time protocol) transparent clock per ieee 1588v2. Diagnostics secflow-2 provides extensive diagnostic tools to...

  • Page 30

    Chapter 1 introduction installation and operation manual 1-6 functional description secflow-2 1.3 functional description this section provides a functional description of the secflow-2 system. Figure 1-4. Data flow secflow-2 is divided into two configuration environments, gce and ace. The table belo...

  • Page 31

    Installation and operation manual chapter 1 introduction secflow-2 technical specifications 1-7 ethernet traffic ethernet ports transfer uni traffic. User traffic is routed via the switch to the network or into the ace to establish l2 vpn, l3 vpn etc. Ethernet traffic can also be routed to the cellu...

  • Page 32

    Chapter 1 introduction installation and operation manual 1-8 technical specifications secflow-2 weight 1.4 kg (8-port dc), 1.8 kg (16-port dc) environment temperature -40°c to 75°c (-40°f to 167°f) humidity 5 to 90% rugged enclosure fanless, ip 30-rated.

  • Page 33: Chapter

    Secflow-2 safety information 2-1 chapter 2 installation and setup this chapter provides installation instructions for the secflow-2 systems including: • general description of the equipment enclosure and its panels. • mechanical and electrical installation instructions. After the system is installed...

  • Page 34

    Chapter 2 installation and setup installation and operation manual 2-2 safety information secflow-2 secflow-2 includes class 1 lasers. For your safety: • do not look directly into the optical connectors while the unit is operating. The laser beams are invisible. • do not attempt to adjust the laser ...

  • Page 35

    Installation and operation manual chapter 2 installation and setup secflow-2 site requirements and prerequisites 2-3 2.2 site requirements and prerequisites before connecting this product to a power source, make sure to read the handling energized products section at the beginning of this manual. Se...

  • Page 36

    Chapter 2 installation and setup installation and operation manual 2-4 required equipment secflow-2 2.3 package contents the secflow-2 package includes the following items: • secflow-2 unit • cbl-sf-rj45-console: 1x rs-232 console cable • optional: cbl-sf-rj45/db9/null- serial ports cable • optional...

  • Page 37

    Installation and operation manual chapter 2 installation and setup secflow-2 mounting secflow-2 2-5 do not use the console cable for the user serial ports. The console cable is uniquely colored white. "cbl-tj45-db9/s-rpt" 2.5 mounting secflow-2: secflow-2 is designed as a fixed uni...

  • Page 38

    Chapter 2 installation and setup installation and operation manual 2-6 connecting secflow-2 secflow-2 secflow-2 secflow-2 figure 2-3. Secflow-2 dismantling 2.6 connecting secflow-2 inside the secflow-2 housing are the power supply module, main switching unit, io interface modules and (optionally) an...

  • Page 39

    Installation and operation manual chapter 2 installation and setup secflow-2 connecting to power 2-7 3. Adhere to your company’s policy as to the wire gauge and the number of crimps on the lug. Figure 2-5. Secflow-2 grounding lug 4. Apply some anti-oxidant onto the metal surface. 5. Mount the lug on...

  • Page 40

    Chapter 2 installation and setup installation and operation manual 2-8 connecting to power secflow-2 figure 2-6. Dc power connectors wiring to connect the device to a dc power source: 1. Strip 7 mm (1/4 inch) of insulation from the leads (copper wire within the range of 10 to 18 awg). Pay attention ...

  • Page 41

    Installation and operation manual chapter 2 installation and setup secflow-2 connecting to a terminal 2-9 to connect the device to an ac power source: 1. Strip 7 mm (1/4 inch) of insulation from the leads. 2. Release the terminal screw. 3. Push the lead into the terminal up to its insulating sleeve....

  • Page 42

    Chapter 2 installation and setup installation and operation manual 2-10 connecting to user equipment secflow-2 figure 2-8. Secflow-2 console port table 2-3. Console port pinout device side pc side rj-45 pinout db-9 pinout tod rx (input) 1 cts 8 cli rx (input) 2 dsr 6 cli tx (output) 3 rxd 2 gnd 4 gnd ...

  • Page 43

    Installation and operation manual chapter 2 installation and setup secflow-2 connecting to user equipment 2-11 to connect to ethernet equipment with copper interface: • connect secflow-2 to the ethernet equipment at customer premises using standard cat5 cables terminated with rj-45 connectors. Conne...

  • Page 44

    Chapter 2 installation and setup installation and operation manual 2-12 connecting to user equipment secflow-2 figure 2-10. Terminal block wire stripping 2. Place each wire lead into the appropriate tb plug terminal according to figure 2-10 . 3. Tighten the terminal screws to close them. 4. Isolate ...

  • Page 45

    Installation and operation manual chapter 2 installation and setup secflow-2 connecting to user equipment 2-13 contact switching capabilities the alarm relay contacts comply with the following electric requirements: • maximum dc voltage: 220 vdc • maximum current: 1a • maximum power: 30w. Cable labe...

  • Page 46

    Chapter 2 installation and setup installation and operation manual 2-14 connecting to user equipment secflow-2.

  • Page 47: Chapter

    Secflow-2 indicators 3-1 chapter 3 operation 3.1 turning on the unit when turning on secflow-2, it is useful to monitor the power-up sequence. Secflow-2 does not have a power on/off switch, and will start operating as soon as power is applied. For secflow-2 equipped with ac power supply modules, be ...

  • Page 48

    Chapter 3 operation installation and operation manual 3-2 startup secflow-2 interface status meaning sfp off red green (static) green (blinking) port administratively disabled no sfp present sfp present traffic serial 1-4 link led off green disabled enable serial 1-4 link led off yellow (blinking) n...

  • Page 49

    Installation and operation manual chapter 3 operation secflow-2 startup 3-3 feature default state spanning tree mst is enabled. Application ports gigabit 0/3-0/4 are edge ports. Depending on hardware type ports fast 0/9-0/16 may be edge ports as well (et28 hw variants) erp disabled lldp disabled ssh...

  • Page 50

    Chapter 3 operation installation and operation manual 3-4 using a custom configuration file secflow-2 to save user configuration (to the secflow-2.conf): secflow-2# write startup-cfg building configuration ... [ok] to remove all user configurations and set the switch to its factory defaults: secflow...

  • Page 51

    Installation and operation manual chapter 3 operation secflow-2 saving configuration changes 3-5 the usb drive must be fat32 secflow-2 can hold at its disk maximum two os image files. Before downloading a new os file to the switch make sure secflow-2 has on it only one (the active) file. If needed, ...

  • Page 52

    Chapter 3 operation installation and operation manual 3-6 turning off the unit secflow-2 secflow-2# write startup-config the following flow will show how to upgrade the os image file and export the data base. 1. Display available os files secflow-2# os-image show-list versions list: rf_secflow-2_3.1...

  • Page 53: Chapter

    Secflow-2 cli-based configuration 4-1 chapter 4 management and security this chapter provides general operating instructions and preliminary configuration instructions for secflow-2 units. 4.1 cli-based configuration working with telnet and ssh the device can be accessed from any platform using a te...

  • Page 54

    Chapter 4 management and security installation and operation manual 4-2 cli-based configuration secflow-2 - show logging - show users - listuser table 4-1. Login authentication commands command description config terminal authorized-manager ip-source this command configures an ip authorized manager ...

  • Page 55

    Installation and operation manual chapter 4 management and security secflow-2 cli-based configuration 4-3 example: secflow-2(config)# username user password user123 privilege 15 to assign an authorized manager: secflow-2(config)# authorized-manager ip-source 10.10.20.20 / 32 interface fastethernet 0...

  • Page 56

    Chapter 4 management and security installation and operation manual 4-4 cli-based configuration secflow-2 command mode access method prompt exit method global configuration use the command config to enter the global configuration mode. Secflow-2 (config)# to exit to the privileged exec mode, the com...

  • Page 57

    Installation and operation manual chapter 4 management and security secflow-2 configuration environment 4-5 secflow-2# show running-config #building configuration... snmp trap syslog-server-status ! no smtp authentication ! ! queue 1 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1 queue-type...

  • Page 58

    Chapter 4 management and security installation and operation manual 4-6 configuration environment secflow-2 table 4-4. Supported features configuration environment feature interfaces cellular modem with 2 sim cards fe rj45 ports fiber optic ports gigabit ports poe ports rs 232 ports, with control li...

  • Page 59

    Installation and operation manual chapter 4 management and security secflow-2 configuration environment 4-7 configuration environment feature networking lldp oam cfm itu-t y.1731 qos conditioned/ scheduled system reboot itu-t g.8032v2 ethernet ring link aggregation with lacp mstp ieee 802.1s protect...

  • Page 60

    Chapter 4 management and security installation and operation manual 4-8 gui-based configuration secflow-2 configuration environment feature iec 104 firewall serial transparent tunneling terminal server l2 gre vpn l3 ipsec vpn l3 mgre dm-vpn 4.3 gui-based configuration working with radview radview is...

  • Page 61

    Installation and operation manual chapter 4 management and security secflow-2 gce and ace configuration environments 4-9 rfc 3413 (snmp-target-mib) rfc 3414 (snmp-user-based-sm-mib) rfc 3415 (snmp-view-based-acm-mib) rfc 3418 (snmpv2-mib) rfc 3433 (entity-sensor-mib) rfc 3636 (mau-mib) rfc 4133 (ent...

  • Page 62

    Chapter 4 management and security installation and operation manual 4-10 gce and ace configuration environments secflow-2 [no] ip route - debug ip dhcp client all - release dhcp vlan - renew dhcp vlan - show interfaces - show ip interface [vlan ] [loopback ] - show running-config interface vlan - sh...

  • Page 63

    Installation and operation manual chapter 4 management and security secflow-2 gce and ace configuration environments 4-11 command description defines the ip address or ip alias of the next hop that can be used to reach that network. A.B.C.D (1-254) default configuration secflow-2# show ip interface ...

  • Page 65

    Installation and operation manual chapter 4 management and security secflow-2 gce and ace configuration environments 4-13 command description default ip allocation protocol dhcp allows the client device to obtain configuration parameters such as network address, from the dhcp server. Default : dhcp ...

  • Page 66

    Chapter 4 management and security installation and operation manual 4-14 gce and ace configuration environments secflow-2 - interface show - route show application ip interface command description command description application connect enter the industrial application menu router enter the applicat...

  • Page 67

    Installation and operation manual chapter 4 management and security secflow-2 management access methods 4-15 [router/] static router/static> enable router/static# configure terminal router/static(config)# ip route 0.0.0.0/0 172.17.212.100 router/static(config)# write router/static(config)# exit rout...

  • Page 69

    Installation and operation manual chapter 4 management and security secflow-2 management access methods 4-17 commands description command description config terminal line vty set idle time out for telnet / ssh to the switch. Exec-timeout : given in seconds . Default : 300 seconds [no] cli this comma...

  • Page 70

    Chapter 4 management and security installation and operation manual 4-18 terminal control port secflow-2 example follow the configuration example for establishing management on a certain port/s using a designated vlan and ip. 1. Create your vlan and assign ports. Port 0/1 is configured as untagged, ...

  • Page 71

    Installation and operation manual chapter 4 management and security secflow-2 terminal control port 4-19 secflow-4 “b” telnet client management www telnet 10.10.10.10 2001 telnet 10.10.10.10 2002 telnet 10.10.10.10 2100 serial service 2003 serial service 2001 serial service 2002 rtu-1 rtu-2 rs-232 r...

  • Page 73

    Installation and operation manual chapter 4 management and security secflow-2 terminal control port 4-21 terminal server commands command description application connect enter the industrial application menu serial port create/update the serial port clear counters clear counters create slot : 1 (con...

  • Page 74

    Chapter 4 management and security installation and operation manual 4-22 terminal control port secflow-2 command description settings manage the range of tcp ports used for the terminal server to respond to. By default the allowed range is 2001-2100. Restore : restore to the default range. Update lo...

  • Page 75

    Installation and operation manual chapter 4 management and security secflow-2 terminal control port 4-23 command description telnet-service configuration options to be used at the switch where the terminal server is set. These fields will determine the remote side to where to draw the serial service...

  • Page 76

    Chapter 4 management and security installation and operation manual 4-24 terminal control port secflow-2 example of local service the following example demonstrates a setup of a single switch to which the serial device is connected to directly and as well the user pc (telnet client). Secflow-2 rs-23...

  • Page 77

    Installation and operation manual chapter 4 management and security secflow-2 terminal control port 4-25 secflow-2# application-connect welcome to secflow industrial cli [/] router interface create address-prefix 172.18.212.230/24 vlan 100 [/] serial port create slot 1 port 1 mode-of-operation trans...

  • Page 79

    Installation and operation manual chapter 4 management and security secflow-2 terminal control port 4-27 to configure the left switch: 1. Create vlan 4092 for the serial link. Port gbe 0/3 and fe 0/10 are mandatory as shown: config vlan 4092 ports gigabitethernet 0/3 ports add fastethernet 0/10 unta...

  • Page 80

    Chapter 4 management and security installation and operation manual 4-28 monitor session secflow-2 vlan 100 ports fastethernet 0/1-2 gigabitethernet 0/3 untagged fastethernet 0/2 exit interface fastethernet 0/1 no shut switchport pvid 100 exit interface fastethernet 0/2 no shut switchport pvid 100 e...

  • Page 83

    Installation and operation manual chapter 4 management and security secflow-2 snmp management 4-31 command description security - stores the security model of the corresponding snmp community name. Default : none context - indicates the name of the context in which the management information is acce...

  • Page 84

    Chapter 4 management and security installation and operation manual 4-32 snmp management secflow-2 command description volatile – sets the storage type as temporary. Erases the configuration setting on restarting the system. Non volatile – sets the storage type as permanent. Saves the configuration ...

  • Page 85

    Installation and operation manual chapter 4 management and security secflow-2 snmp management 4-33 command description context - configures the name of the snmp context. The maximum length of the string is 32. Snmp engineid this command configures the engine id that is utilized as a unique identifie...

  • Page 86

    Chapter 4 management and security installation and operation manual 4-34 snmp management secflow-2 command description target address name - configures a unique identifier of the target. Param - configures the parameters when generating messages to be sent to transport address. Ipaddress - configure...

  • Page 87

    Installation and operation manual chapter 4 management and security secflow-2 snmp management 4-35 command description auth - enables message digest (md5) or secure hash algorithm (sha) packet authentication no auth - sets no-authentication priv - specifies both authentication and privacy message-pr...

  • Page 88

    Chapter 4 management and security installation and operation manual 4-36 snmp management secflow-2 command description erases the configuration setting on restarting the system nonvolatile- sets the storage type as permanent. Saves the configuration to the system. You can view the saved configuratio...

  • Page 89

    Installation and operation manual chapter 4 management and security secflow-2 authentication via radius server 4-37 snmp targetaddr pc1 param paramlist1 172.18.212.36 taglist taglist1 snmp targetparams paramlist1 user none security-model v2c message-processing v2c snmp notify rad tag taglist1 type t...

  • Page 91

    Installation and operation manual chapter 4 management and security secflow-2 authentication via tacacs+ server 4-39 command description server, any existing defaults: timeout - 3 seconds retransmit - 3 attempts key- empty string show radius server this command displays radius server host informatio...

  • Page 92

    Chapter 4 management and security installation and operation manual 4-40 authentication via tacacs+ server secflow-2 • provides some level of protection against an active attacker. The list of cli commands for the configuration of tacacs is as follows: • tacacs-server host • tacacs use-server addres...

  • Page 93

    Installation and operation manual chapter 4 management and security secflow-2 authentication via tacacs+ server 4-41 - [no] login authentication tacacs [local] - show tacacs - show system-information - show running-config tacacs tacacs command descriptions command description tacacs-server host this...

  • Page 94

    Chapter 4 management and security installation and operation manual 4-42 igmp snooping secflow-2 command description dumprx: generates debug statements for handling traces. This trace is generated when there is an error condition in reception of packets. Defaults: debugging is disabled show tacacs t...

  • Page 95

    Installation and operation manual chapter 4 management and security secflow-2 igmp snooping 4-43 - [no] ip igmp snooping [vlan ] - [no] ip igmp snooping clear counters [vlan ] - [no] ip igmp snooping group-query-interval - [no] ip igmp snooping mrouter-time-out - [no] ip igmp snooping port-purge-int...

  • Page 96

    Chapter 4 management and security installation and operation manual 4-44 igmp snooping secflow-2 command description group when it receives a leave message. If it does not receive a response from the group, the port is removed from the group membership information in the forwarding database. Default...

  • Page 97

    Installation and operation manual chapter 4 management and security secflow-2 igmp snooping 4-45 command description check if there are any interested v2 receivers for the group when it receives a leave message in the proxy/ proxy-reporting mode. The port is deleted from the group membership informa...

  • Page 98

    Chapter 4 management and security installation and operation manual 4-46 dhcp relay secflow-2 command description information is removed from a multicast group entry immediately after fast leave message is received. ip igmp snooping mrouter this command enables igmp snooping and configures a list of...

  • Page 99

    Installation and operation manual chapter 4 management and security secflow-2 dhcp relay 4-47 • by default, dhcp-relay is disabled. • with secflow systems supporting dhcp server (future feature) mode, the server must be disabled prior to enabling dhcp-relay mode. Dhcp relay command hierarchy root +c...

  • Page 100

    Chapter 4 management and security installation and operation manual 4-48 dhcp relay secflow-2 command description ip dhcp server this command adds the configured ip address to the ip address list created for the dhcp server. The switches or systems having these ip addresses represent the dhcp server...

  • Page 101

    Installation and operation manual chapter 4 management and security secflow-2 dhcp relay 4-49 command description ip dhcp relay circuit-id this command configures circuit id value for an interface. The no form of the command deletes the circuit id configuration for the interface (that is, the circui...

  • Page 102

    Chapter 4 management and security installation and operation manual 4-50 dhcp relay secflow-2 example the following setup illustrates dhcp-relay configuration. Ip: 172.18.212.1 vlan dhcp-client 20 secflow-2 subnet: 172.17.203.0/24 fe 0/1 fe 0/2 ip: 172.17.203.1 ip: 172.17.203.100 dhcp client circuit...

  • Page 103

    Installation and operation manual chapter 4 management and security secflow-2 ssh 4-51 the configuration will result in following state: secflow-2# sh ip dhcp relay information dhcp relay : enabled dhcp relay servers only : enabled dhcp server 1 : 172.18.212.100 dhcp relay rai option : enabled defau...

  • Page 105

    Installation and operation manual chapter 4 management and security secflow-2 ssh 4-53 command description ssh re-sets the ssh trace levels. Trace. System errors such as memory allocation failures are notified using log messages and trace messages. Interface errors and protocol errors are notified u...

  • Page 106

    Chapter 4 management and security installation and operation manual 4-54 ssh secflow-2.

  • Page 107: Chapter

    Secflow-2 serial tunneling 5-1 chapter 5 services this chapter presents information on services supported by secflow-2. 5.1 serial tunneling this section describes how to provision serial tunneling services. Configuration overview figure 5-1 illustrates a typical service created in switch-to-switch ...

  • Page 108

    Chapter 5 services installation and operation manual 5-2 serial tunneling secflow-2 sequence step command comments define application parameters configure router interface router interface create address-prefix vlan_id • the router interface is the source ip of the udp packets. • the ro...

  • Page 109

    Installation and operation manual chapter 5 services secflow-2 serial tunneling 5-3 configuring serial tunneling the following example shows how to configure serial tunneling between two secflow-2 devices connected through a network. To configure device a: config vlan 100 ports fastethernet 0/1 port...

  • Page 110

    Chapter 5 services installation and operation manual 5-4 ethernet over layer 2 vpn secflow-2 5.2 ethernet over layer 2 vpn this section describes how to provision ethernet over layer 2 vpn services. Configuration overview figure 5-2 illustrates a typical service created in switch-to-switch direction...

  • Page 111

    Installation and operation manual chapter 5 services secflow-2 ethernet over layer 2 vpn 5-5 sequence step command comments define application parameters configure router interface router interface create address-prefix vlan_id • the router interface is the source ip of the udp packets....

  • Page 112

    Chapter 5 services installation and operation manual 5-6 ethernet over layer 3 vpn secflow-2 config interface vlan 10 shutdown ip address 192.168.0.101 255.255.255.0 no shutdown exit to configure secflow-b config vlan 18 ports fastethernet 0/1 gigabitethernet 0/3 exit vlan 10 ports fastethernet 0/8 ...

  • Page 113

    Installation and operation manual chapter 5 services secflow-2 ethernet over layer 3 vpn 5-7 ace gce define vlan define application parameters define switch parameters define vlan membership gce create router interface for access ip and network ip define dm-vpn local port ace gce define vlan define ...

  • Page 114

    Chapter 5 services installation and operation manual 5-8 ethernet over layer 3 vpn secflow-2 configuring ethernet over layer 3 vpn maintaining virtual lan, layer 2 connectivity between two remote sites connected over a layer 3 cloud. To configure the hub (secflow-4): vlan 1 no untagged no tagged no ...

  • Page 115

    Installation and operation manual chapter 5 services secflow-2 ethernet over layer 3 vpn 5-9 application connect router interface create address-prefix 172.16.100.1/24 vlan 100 purpose application-host router interface create address-prefix 10.1.99.1/24 vlan 99 purpose general dm-vpn multipoint-gre ...

  • Page 116

    Chapter 5 services installation and operation manual 5-10 ethernet over layer 3 vpn secflow-2 interface fastethernet 0/1 description uni switchport pvid 99 exit interface fastethernet 0/8 description nni switchport pvid 100 exit interface vlan 1 shutdown no ip address exit ip route 0.0.0.0 0.0.0.0 1...

  • Page 117

    Installation and operation manual chapter 5 services secflow-2 ethernet over layer 3 vpn 5-11 ipsec preshared create id hub2.Radiflow.Com key secretkey ipsec preshared create id lan20.Radiflow.Com key secretkey ipsec preshared create id lan40.Radiflow.Com key secretkey ipsec policy create protocol g...

  • Page 119: Chapter

    Secflow-2 addressing port 6-1 chapter 6 ports 6.1 displaying port the screen shot below displays the available typical ports of secflow-2 with 8 ethernet ports. The rs 232 ports are configured and identified within the application cli mode and are not seen at “show vlan”. See chapter serial interfac...

  • Page 120

    Chapter 6 ports installation and operation manual 6-2 application ports secflow-2 command description port id specify the port id as slot number/port number slot number is constant 0 (zero) port number is in the range of 0-16 (depending on the hardware) 6.3 enabling ports use the no shutdown command t...

  • Page 121

    Installation and operation manual chapter 6 ports secflow-2 poe ports 6-3 table 6-2. Vlan assignment networking/port gbe 0/3 gbe 0/4 serial tunneling service vlans terminal server service vlans gateway service vlans l2 vpn nni vlan uni vlan l3 vpn nni vlan ipsec nni vlan cellular firewall service vl...

  • Page 124

    Chapter 6 ports installation and operation manual 6-6 controlling ports secflow-2 command description mtu frame size this command configures the maximum transmission unit frame size for all the frames transmitted and received on all the interfaces in a switch. The size of the mtu frame size can be i...

  • Page 126

    Chapter 6 ports installation and operation manual 6-8 serial ports secflow-2 services configuration structure the table below displays the relevant configuration areas that should be included per application type. Table 6-3. Configuration area per application type hierarchy transparent tunneling tra...

  • Page 127

    Installation and operation manual chapter 6 ports secflow-2 serial ports 6-9 configurable parameter transparent tunneling transparent 9 bit bitstream terminal server 101/104 gateway local dsr delay × × local cts delay × × tx delay × bits for sync1 × bits for sync2 × serial command hierarchy + applic...

  • Page 128

    Chapter 6 ports installation and operation manual 6-10 serial ports secflow-2 serial commands command description application connect enter the industrial application menu serial card auto-recover: allows automatic recovery when identifying continuous loss of serial infrastructure keep alive (betwee...

  • Page 131

    Installation and operation manual chapter 6 ports secflow-2 serial ports 6-13 command description create slot : 1 (constant) port : port number .1-4 service id : numeric value of serial service. Position: • n/a - point to point • master – point to multipoint • slave – point to multipoint application...

  • Page 132

    Chapter 6 ports installation and operation manual 6-14 serial ports secflow-2 serial interfaces configuration of the serial interfaces and tunneling and gateway requires the application processor to be installed. System default vlan 4093 the system vlan 4093 is used for internal purposes. The user s...

  • Page 133

    Installation and operation manual chapter 6 ports secflow-2 serial ports 6-15 default state the default state of the serial ports is non-configured. Rs-232 control lines secflow-2 supports rs-232 control lines use for the transparent serial tunneling service. By default, the control lines are disabl...

  • Page 134

    Chapter 6 ports installation and operation manual 6-16 serial ports secflow-2 figure 6-1. Point-to-point remote service, rts/cts lines when ce1 sends rts, signals interchange is as follows: 1. Switch#1 serial-processor will reply with cts back to ce1. The reply may be with or without configurable tim...

  • Page 135

    Installation and operation manual chapter 6 ports secflow-2 serial ports 6-17 figure 6-2. Point-to-point remote service, dtr/dsr lines when ce1 sends dtr, signals interchange is as follows: 1. Switch #1 serial-processor will reply with dsr back to ce1. The reply may be with or without configurable ti...

  • Page 136

    Chapter 6 ports installation and operation manual 6-18 serial ports secflow-2 figure 6-3. Point-to-point local service, cts/rts lines when ce1 sends rts, the serial-processor will reply with cts back to ce1. The reply may be with or without configurable time delay. Simultaneously, dcd will be receiv...

  • Page 137

    Installation and operation manual chapter 6 ports secflow-2 serial ports 6-19 figure 6-4. Point-to-point local service, dtr/dcr lines when ce1 sends dtr, the serial-processor will reply with dsr back to ce1. The reply may be with or without configurable time delay. Ce1 data will be sent and received...

  • Page 138

    Chapter 6 ports installation and operation manual 6-20 serial ports secflow-2 figure 6-6. Rs-232 cable assembly led states each serial port has a led to indicate its state. Table 6-5. Led state port created port admin state traffic passing led no (default) n/a n/a off yes down n/a off yes up (defaul...

  • Page 139: Chapter

    Secflow-2 link aggregation 7-1 chapter 7 resiliency 7.1 link aggregation standards secflow-2 provides increased bandwidth and high availability links using link aggregation per ieee 802.3-2005. Benefits ethernet link aggregation ensures increased service availability. If a link within a lag fails or...

  • Page 140

    Chapter 7 resiliency installation and operation manual 7-2 link aggregation secflow-2 key, l2cp profile, etc). Service flows to and from the lag, use the lag as their ingress/egress port. The guidelines for lag configuration are as follows: • port-channel must be enabled in the system for link aggre...

  • Page 141

    Installation and operation manual chapter 7 resiliency secflow-2 link aggregation 7-3 command description [no] shutdown port-channel this command shuts down the la feature in the switch and releases all resources allocated to the la feature. The no form of the command starts and enables the la feature in th...

  • Page 142

    Chapter 7 resiliency installation and operation manual 7-4 link aggregation secflow-2 command description src-mac: load distribution is based on the source mac address in the frame. Packets from different hosts use different ports in the channel, but packets from the same host use the same port. Des...

  • Page 143

    Installation and operation manual chapter 7 resiliency secflow-2 link aggregation 7-5 secflow-2# configure terminal secflow-2(config)# set port-channel enable secflow-2(config)# interface port-channel 1 secflow-2(config-if)# no shutdown secflow-2(config)# interface gigabitethernet 0/3 secflow-2(conf...

  • Page 144

    Chapter 7 resiliency installation and operation manual 7-6 ethernet ring protection switching (erps) secflow-2 4. Show lacp neighbor. S1# show lacp neighbor flags: a - device is in active mode p - device is in passive mode channel group 1 neighbors port fa0/1 ---------- partner system id : 00:20:d2:...

  • Page 145

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-7 • revertive and non-revertive mode of operation • multi-board environment standards and mibs ring automatic protection switching (r-aps) creates a fault tolerant ring topology by configurin...

  • Page 146

    Chapter 7 resiliency installation and operation manual 7-8 ethernet ring protection switching (erps) secflow-2 command description is shutdown in the context and all the ring configurations in the context are deleted. When the command is used with the switch string, then the erps context information...

  • Page 147

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-9 command description configuring the ring ports and r-aps vlan id for the ring and so on. : indicates the name of the ring. The maximum string size is 35. The group name is created by appendi...

  • Page 148

    Chapter 7 resiliency installation and operation manual 7-10 ethernet ring protection switching (erps) secflow-2 command description the ring node becomes the rpl owner. The no form of the command configures the given port as non- rpl port from the ring. If the given port is configured earlier as rpl...

  • Page 149

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-11 command description 8191)> between 1 and 4294967295. : configures the unique identifier of the maintenance entity for the working entity of the ring group. This value ranges between 1 and ...

  • Page 150

    Chapter 7 resiliency installation and operation manual 7-12 ethernet ring protection switching (erps) secflow-2 command description number separated by a slash, for interface type other than internal-lan and port-channel. Only i-lan or port-channel id is provided, for interface types internal-lan an...

  • Page 151

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-13 command description milliseconds – configures the time interval in milliseconds. Seconds – configures the time interval in seconds. Minutes – configures the time interval in minutes. Hours...

  • Page 152

    Chapter 7 resiliency installation and operation manual 7-14 ethernet ring protection switching (erps) secflow-2 command description the configured tc list for the rings. Ring id of the ring (self ring id) should not be configured in the tc ring id list. Status: specifies the status of the propagatio...

  • Page 154

    Chapter 7 resiliency installation and operation manual 7-16 ethernet ring protection switching (erps) secflow-2 command description port-channel – logical interface that represents an aggregator which contains several ports aggregated together. : configures a port for the specified interface identif...

  • Page 155

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-17 command description architecture that supports data transfer up to 1 gigabit per second. Extreme-ethernet – a version of ethernet that supports data transfer up to 10 gigabits per second. Th...

  • Page 156

    Chapter 7 resiliency installation and operation manual 7-18 ethernet ring protection switching (erps) secflow-2 command description be applied in the interconnection node sub-ring port. On recovery of loss of connectivity between the two interconnection nodes, manual switch is cleared command in the...

  • Page 157

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-19 command description [no]aps distribute this command configures the ring port as distributing port. The fault monitoring entities (y.1731 specific) will be associated with this ring port. T...

  • Page 159

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-21 command description pkt-dump: generates debug statements for packet dump traces. These traces are generated during the reception and transmission of packets. Resource: generates debug stat...

  • Page 160

    Chapter 7 resiliency installation and operation manual 7-22 ethernet ring protection switching (erps) secflow-2 erp setup example below setup example and configuration will allow protection over vlan 2 running the pcs traffic and switch management. The link between s1 and s2 is chosen as the rpl. Se...

  • Page 161

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-23 4. Assign the default vlan for the user ports. Interface fast 0/8 switchport pvid 2 exit 5. Assign the management ip to the switch over the monitored vlan. Interface vlan 2 ip address 192....

  • Page 162

    Chapter 7 resiliency installation and operation manual 7-24 ethernet ring protection switching (erps) secflow-2 11. Ring ports cfm assignment. As per the setup drawing, gi 0/1 holds mep 12 at cfm domain_1. Gi 0/2 holds mep 13 at cfm domain_3. Interface gi 0/1 ethernet cfm mep level 6 mpid 12 vlan 35...

  • Page 163

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-25 3. Create the monitored user vlan. Tag the ring ports and user port. Vlan 2 port gigabitethernet 0/1-2 fastethernet 0/8 untagged fastethernet 0/8 exit 4. Assign the default vlan for the us...

  • Page 164

    Chapter 7 resiliency installation and operation manual 7-26 ethernet ring protection switching (erps) secflow-2 10. Control vlan enable and ccm interval. Ethernet cfm cc level 6 vlan 3500 interval ten-ms ethernet cfm cc enable level 6 vlan 3500 11. Ring ports cfm assignment. As per the setup drawing...

  • Page 165

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-27 2. Create the control vlan. Tag the ring ports. Config vlan 3500 port gigabitethernet 0/1-2 exit 3. Create the monitored user vlan. Tag the ring ports and user port. Vlan 2 port gigabieth...

  • Page 166

    Chapter 7 resiliency installation and operation manual 7-28 ethernet ring protection switching (erps) secflow-2 9. Create cfm domain, name ‘domain_2’ for the s2-s3 link. The system will generate this domain with index 2. An me named ‘ma_erps_ring1’ is created, common for all domains, at all 3 ring s...

  • Page 167

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-29 15. Activate the group. Aps group active end 16. Commit. Write startup-cfg configuration validation following is an output example for s1. A validation of configuration will include verify...

  • Page 168

    Chapter 7 resiliency installation and operation manual 7-30 ethernet ring protection switching (erps) secflow-2 2. Show the erp configuration. Notice the color indication representing the domain index relation to the aps port configuration and meg. Cfm domain_1 has index 1 (yellow). It defines mep 1...

  • Page 169

    Installation and operation manual chapter 7 resiliency secflow-2 ethernet ring protection switching (erps) 7-31 this node is rpl owner. Rpl port is gi0/1 ring node is configured with virtual channel ring port link status command port status -----------------------------------------------------------...

  • Page 170

    Chapter 7 resiliency installation and operation manual 7-32 ethernet ring protection switching (erps) secflow-2 icc code : ma_erp umc code : domain total meps : 2 primary vlan associations : none crosscheck status : enabled crosscheck: mpid vlan isid type mep-up mac address 13 3500 - local yes 60:64...

  • Page 171: Chapter

    Secflow-2 mac address table 8-1 chapter 8 networking this chapter explains how to configure networking entities in secflow-2. It presents the following information: • mac address table • vlan and ip interface • acls • qos • lldp • ospf • ethernet oam cfm • bridge • root switch • stp • rstp/mstp • er...

  • Page 174

    Chapter 8 networking installation and operation manual 8-4 vlan and ip interface secflow-2 vlan offers a number of advantages over traditional lan. They are: • performance. In networks with traffic consisting of a high percentage of broadcasts and multicasts, vlan minimizes the possibility of sendin...

  • Page 175

    Installation and operation manual chapter 8 networking secflow-2 vlan and ip interface 8-5 • bridge-mode status cannot be set to provider mode if the protocol/mac based vlan is enabled. • it is not possible to configure a port as trunk, if the port is an untagged member of a vlan. • to enable dot1q-...

  • Page 176

    Chapter 8 networking installation and operation manual 8-6 vlan and ip interface secflow-2 • if the port type is not explicitly specified as untagged, then all the ports are configured to be of tagged port type allowing transmission of frames with the specified vlan tag. • if pvid value has not been...

  • Page 177

    Installation and operation manual chapter 8 networking secflow-2 vlan and ip interface 8-7 configuration example 1. Setting all ports of the secflow-2 to vlan 1. Config vlan 1 ports fastethernet 0/1-8 untagged fastethernet 0/1-8 ports gigabitethernet 0/1-2 untagged gigabitethernet 0/1-2 exit interfa...

  • Page 178

    Chapter 8 networking installation and operation manual 8-8 vlan and ip interface secflow-2 switchport pvid 1 exit end write startup-cfg 2. Vlan configuration. Secflow-2 # config terminal secflow-2 (config)# vlan 55 secflow-2 (config-vlan)# ports fastethernet 0/1-4,0/7 untagged fastethernet 0/2,0/7 s...

  • Page 179

    Installation and operation manual chapter 8 networking secflow-2 vlan and ip interface 8-9 command descriptions command description config terminal interface vlan ip address this command sets the ip address for an interface. The no form of the command resets the ip address of the interface to its de...

  • Page 180

    Chapter 8 networking installation and operation manual 8-10 vlan and ip interface secflow-2 • interface vlan 1 is available by default for inband management. • interface vlan 4093 is used for internal purposes and should not be deleted or changed. Configuration examples 1. Interface configuration. I...

  • Page 183

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-13 [router/] static router/static> enable router/static# configure terminal router/static(config)# ip route 0.0.0.0/0 172.17.212.100 router/static(config)# write router/static(config)# exit router/static# ex...

  • Page 186

    Chapter 8 networking installation and operation manual 8-16 access control list (acl) secflow-2 command description considered, modify-vlan – modifies the vlan id to which the packet gets classified. The packet could be an untagged or vlan tagged packet. Nested-vlan – adds an outer vlan tag to the p...

  • Page 187

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-17 command description ip-address> : copies the ip control packets to control plane cpu with or without switching of packets based on the following destination address configuration: any - copies all control...

  • Page 188

    Chapter 8 networking installation and operation manual 8-18 access control list (acl) secflow-2 command description value of 'filter priority' implies a higher priority. Svlan-id: service vlan value to match against incoming packets. Svlan-priority: service vlan priority value to match against incom...

  • Page 191

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-21 command description 6 destination network unknown 7 destination host unknown 8 source host isolated 9 destination network administratively prohibited 10 destination host administratively prohibited 11 netw...

  • Page 194

    Chapter 8 networking installation and operation manual 8-24 access control list (acl) secflow-2 command description the destination ip address in the packets. Host - copies only the control packets having the specified host ip address as the destination address. - copies only the control packets hav...

  • Page 195

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-25 command description / vlan id provided in outer tag. This value ranges between 1 and 4094. Svlan-priority : copies only the ip control packets having the specified service vlan priority / outer vlan prior...

  • Page 197

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-27 command description between 1 and 65535. Lt: copies only the tcp control packets having the tcp source / destination port numbers lesser than the specified port number. This value ranges between 1 and 655...

  • Page 198

    Chapter 8 networking installation and operation manual 8-28 access control list (acl) secflow-2 command description tos. 0 - copies all control packets. Does not check for the tos field in the packets. 1 - copies only the control packets having tos field set as high reliability. 2 - copies only the ...

  • Page 199

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-29 command description packets. The tag type is set as double-tag and cannot be configured, if any one of the parameter service vlan id, service vlan priority or customer vlan priority is configured. Noswitc...

  • Page 201

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-31 command description max-throughput - copies only the control packets having tos field set as high throughput. Min-delay - copies only the control packets having tos field set as low delay. Normal - copies...

  • Page 203

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-33 command description address> : source ip address can be: ‘any’ or the dotted decimal address or the ip address of the network or the host that the packet is from and the network mask to use with the sourc...

  • Page 204

    Chapter 8 networking installation and operation manual 8-34 access control list (acl) secflow-2 command description dscp (001000) cs2 - matches packets with cs2 (precedence 2) dscp (010000) cs3 - matches packets with cs3 (precedence 3) dscp (011000) cs4 - matches packets with cs4 (precedence 4) dscp...

  • Page 205

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-35 command description ifxtype – specifies the interface type ifnum – specifies the interface number iface_list – specifies the list of interfaces load-balance: specifies the parameters based on which the tra...

  • Page 207

    Installation and operation manual chapter 8 networking secflow-2 access control list (acl) 8-37 configuration example – acls acl should be configured with the priority range 1-255. 1. Ip acl, allowing specific ip traffic. Secflow-2(config)# ip access-list extended 1001 secflow-2(config-ext-nacl)# pe...

  • Page 208

    Chapter 8 networking installation and operation manual 8-38 quality of service (qos) secflow-2 secflow-2(config-ext-macl)# permit any any priority # secflow-2(config-ext-macl)# exit secflow-2(config)# interface fastethernet 0/3 secflow-2(config-if)# mac access-group 1 in secflow-2(config-if)# end 7....

  • Page 210

    Chapter 8 networking installation and operation manual 8-40 quality of service (qos) secflow-2 - show qos queue-stats [interface ] qos command descriptions command description config terminal enters the configuration mode shutdown qos shuts down the qos subsystem. The no form of the command starts t...

  • Page 211

    Installation and operation manual chapter 8 networking secflow-2 quality of service (qos) 8-41 command description iftype : interface type ifnum : interface number sched-algo : packet scheduling algorithm for the port. The algorithms are: strict-priority – strictpriority. - rr – roundrobin. - wrr – ...

  • Page 212

    Chapter 8 networking installation and operation manual 8-42 quality of service (qos) secflow-2 command description hierarchy deletes a scheduler hierarchy hierarchy-level : depth of the queue/scheduler hierarchy sched-id : scheduler identifier. Next-level-queue – next-level queue to which the schedu...

  • Page 213

    Installation and operation manual chapter 8 networking secflow-2 quality of service (qos) 8-43 command description class : traffic class to which an incoming frame pattern is classified. Pre-color : color of the packet prior to metering. This can be any one of the following: none – traffic is not ...

  • Page 214

    Chapter 8 networking installation and operation manual 8-44 quality of service (qos) secflow-2 command description packets are found to be in profile (conform). Options are: none – no action is configured. Set-cos-transmit – sets the vlan priority of the outgoing packet. Set-de-transmit – s...

  • Page 215

    Installation and operation manual chapter 8 networking secflow-2 quality of service (qos) 8-45 command description executed which may randomly drop a packet. Queue-limit - queue size. This value ranges between 1 and 65535. Queue-drop-algo - enable/disable drop algorithm for congestion management. Op...

  • Page 216

    Chapter 8 networking installation and operation manual 8-46 quality of service (qos) secflow-2 setting a scheduling algorithm the following script configures scheduler-1 for the outgoing interface fa 0/4 as wrr. The queues with weights configured will be serviced with weighted round robin. Config q...

  • Page 217

    Installation and operation manual chapter 8 networking secflow-2 quality of service (qos) 8-47 interface fa 0/4 rate-limit output 2000 15000 map 802.1p to cos the following will demonstrate how to map ingress, priority tagged packets to internal class of service per port. Default assignment of prior...

  • Page 218

    Chapter 8 networking installation and operation manual 8-48 quality of service (qos) secflow-2 ip access-list extended 1002 permit ip any any exit interface fastethernet 0/1 ip access-group 1001 in ip access-group 1002 in exit 2. Enable qos. Qos enable 3. Create policer for acl 1001 to determine dsc...

  • Page 219

    Installation and operation manual chapter 8 networking secflow-2 link layer discovery protocol (lldp) 8-49 meterid : 0 connclass : 0 excnclass : 0 vionclass : 0 confact : none. Excact : none. Vioact : none. Secflow-2# show class-map qos class map entries --------------------- classmapid : 20 l2filte...

  • Page 220

    Chapter 8 networking installation and operation manual 8-50 link layer discovery protocol (lldp) secflow-2 secflow lldp is a portable software implementation of the link layer discovery protocol (lldp). It provides complete management capabilities using snmp and cli. Secflow lldp conforms to ieee 80...

  • Page 222

    Chapter 8 networking installation and operation manual 8-52 link layer discovery protocol (lldp) secflow-2 command description delay the minimum time an lldp port will wait before reinitializing lldp transmission. The no form of the command sets the reinitialization delay time to the default value. ...

  • Page 223

    Installation and operation manual chapter 8 networking secflow-2 link layer discovery protocol (lldp) 8-53 command description defined value. Default: mac-addr clear lldp counters this command clears the inbuilt counter which has the total count of lldp frames that are transmitted/received. Note: th...

  • Page 224

    Chapter 8 networking installation and operation manual 8-54 link layer discovery protocol (lldp) secflow-2 command description transmission of a particular ipv4 address on the current interface. Mgmt-addr ipv6 : enables the transmission of a particular ipv6 address on the current interface. Lldp por...

  • Page 226

    Chapter 8 networking installation and operation manual 8-56 link layer discovery protocol (lldp) secflow-2 command description system description tlv traces tlv sys-capab : generates debug statements for system capabilities tlv traces tlv mgmt-addr : generates debug statements for management address...

  • Page 227

    Installation and operation manual chapter 8 networking secflow-2 link layer discovery protocol (lldp) 8-57 command description combination of slot number and port number separated by a slash, for interface type other than i-lan and port- channel. For example: 0/1 represents that the slot number is 0...

  • Page 228

    Chapter 8 networking installation and operation manual 8-58 link layer discovery protocol (lldp) secflow-2 command description total tlvs discarded iftype : displays the lldp counters for specified type of interface. The interface can be: fastethernet – officially referred to as 100base-t standard. ...

  • Page 229

    Installation and operation manual chapter 8 networking secflow-2 link layer discovery protocol (lldp) 8-59 command description a slash, for interface type other than i-lan and port- channel. For example: 0/1 represents that the slot number is 0 and port number is 1. Only i-lan or port-channel id is ...

  • Page 230

    Chapter 8 networking installation and operation manual 8-60 link layer discovery protocol (lldp) secflow-2 -vlan name vlan id vlan name txstatus ------- --------- -------- 1 disabled ------------------------------------------------------------ s1# s2 configuration: 1. Set system hostname (not mandat...

  • Page 231

    Installation and operation manual chapter 8 networking secflow-2 link layer discovery protocol (lldp) 8-61 capability codes : (r) router, (b) bridge, (t) telephone, (c) docsis cable device, (w) wlan access point, (p) repeater, (s) station, (o) other chassis id local intf hold-time capability port id...

  • Page 232

    Chapter 8 networking installation and operation manual 8-62 link layer discovery protocol (lldp) secflow-2 lldp tlv-select dot1tlv vlan-name 5 end 6. Show local lldp state at the interface. S1# show lldp local fastethernet 0/3 port id subtype : interface alias port id : s1p1 port description : ether...

  • Page 233

    Installation and operation manual chapter 8 networking secflow-2 open shortest path first (ospf) 8-63 ifid subtype address oid ---- ------- ------- --- 49 ipv4 172.18.212.53 1 3 6 1 2 1 2 2 1 1 extended 802.1 tlv info -vlan name vlan id vlan name ------- --------- 5 www -----------------------------...

  • Page 236

    Chapter 8 networking installation and operation manual 8-66 open shortest path first (ospf) secflow-2 command description election process defaults: candidate [no] compatible rfc1583 this command sets ospf compatibility list compatible with rfc 1583 and the no form of the command disables rfc 1583 c...

  • Page 237

    Installation and operation manual chapter 8 networking secflow-2 open shortest path first (ospf) 8-67 command description into ospf metric : the metric value applied to the route before it is advertised into the ospf domain. Metric-type: the metric type applied to the route before it is advertised i...

  • Page 239

    Installation and operation manual chapter 8 networking secflow-2 open shortest path first (ospf) 8-69 command description range summary : summary lsas type7 : type-7 lsa advertise : when associated areaid is 0.0.0.0, aggregated type-5 are generated. Otherwise if associated areaid is x.x.x.x (other t...

  • Page 240

    Chapter 8 networking installation and operation manual 8-70 open shortest path first (ospf) secflow-2 command description specified range translation : indicates how an nssa border router is performing nssa translation of type-7 into type-5 lsas. When set to enabled, p bit is set in the generated...

  • Page 241

    Installation and operation manual chapter 8 networking secflow-2 open shortest path first (ospf) 8-71 command description domain tag : the tag type describes whether tags will be automatically generated or will be manually configured defaults: metric-value - 10 metric-type - asexttype2 tag - manual ...

  • Page 242

    Chapter 8 networking installation and operation manual 8-72 open shortest path first (ospf) secflow-2 command description support for restarting of system due to restart of software. Swreloadupgrade : enables / disables helper support for restarting of system due to reload or upgrade of software. Sw...

  • Page 243

    Installation and operation manual chapter 8 networking secflow-2 open shortest path first (ospf) 8-73 command description switchtoredundant: system restarts due to a switchover to a redundant support processor. Defaults: unknown [no] distance [route- map ] this command enables the admi...

  • Page 245

    Installation and operation manual chapter 8 networking secflow-2 open shortest path first (ospf) 8-75 command description [no] ip ospf hello-interval <1-65535> this command specifies the interval between hello packets sent on the interface and the no form of the command sets default value for, in...

  • Page 246

    Chapter 8 networking installation and operation manual 8-76 open shortest path first (ospf) secflow-2 command description [no] ip ospf authentication-key this command specifies a password to be used by neighboring routers that are using the ospf simple password authentication. The no form of the com...

  • Page 250

    Chapter 8 networking installation and operation manual 8-80 open shortest path first (ospf) secflow-2 command description the type of the lsa. The value must be entered in the form of an ip address adv-router: displays all the specified router link-state advertisements (lsas). If no ip address is in...

  • Page 251

    Installation and operation manual chapter 8 networking secflow-2 open shortest path first (ospf) 8-81 vlan 102 ports fastethernet 0/2 exit interface vlan 101 shutdown ip address 172.18.101.201 255.255.255.0 no shutdown exit interface vlan 102 shutdown ip address 172.18.102.201 255.255.255.0 no shutd...

  • Page 252

    Chapter 8 networking installation and operation manual 8-82 open shortest path first (ospf) secflow-2 exit 3. Configure ospf. Router ospf router-id 10.10.10.102 network 172.18.102.202 255.255.255.0 area 0.0.0.0 network 172.18.103.202 255.255.255.0 area 0.0.0.0 end write startup-cfg s3 configuration ...

  • Page 253

    Installation and operation manual chapter 8 networking secflow-2 connectivity fault management 8-83 vlan 1 no ports fa 0/4,0/1 untagged fa 0/1,0/4 exit 2. Assign vlans and corresponding ip interfaces. Vlan 101 ports fastethernet 0/1 exit vlan 104 ports fastethernet 0/4 exit interface vlan 101 shutdow...

  • Page 254

    Chapter 8 networking installation and operation manual 8-84 connectivity fault management secflow-2 • vlan-id, then its primary vlan id must be mapped to all the associated vlan ids with the command ethernet cfm associate vlan-id primary-vlan-id • ma mep list with mepid of the mep. Cfm command hi...

  • Page 255

    Installation and operation manual chapter 8 networking secflow-2 connectivity fault management 8-85 command description domain. The options are: dns-like-name – configures the domain name like string. Globally unique text string derived from a dns name. This option of format should be chosen only alo...

  • Page 256

    Chapter 8 networking installation and operation manual 8-86 connectivity fault management secflow-2 command description this is a unique value that represents the specific vlan created / to be created. This value ranges between 1 and 4094. When the service vlan command is executed: maintenance...

  • Page 257

    Installation and operation manual chapter 8 networking secflow-2 connectivity fault management 8-87 command description for vlan unaware mep, vlan is not to be specified. Domain : identifies the maintenance domain. The maximum length of the domain-name is 20. Level : maintenance domain level for the ...

  • Page 258

    Chapter 8 networking installation and operation manual 8-88 connectivity fault management secflow-2 command description - level with which mip is to be created must be set corresponding to the - if the service (maintenance association) associated with the specified vlan and level is configured in the...

  • Page 259

    Installation and operation manual chapter 8 networking secflow-2 connectivity fault management 8-89 command description ethernet cfm cc this command sets the parameters (that is, interval and role) for ccms (continuity check messages). The level and vlan identifies the service (maintenance associatio...

  • Page 260

    Chapter 8 networking installation and operation manual 8-90 connectivity fault management secflow-2 command description transmission of ccms. For the transmission of ccms by the vlan unaware meps, vlan is not to be specified. Ethernet cfm associate vlan-id this command associates a vlan id or a list...

  • Page 261

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-91 command description database connectivity fault management (cfm) data learned through the continuity check messages (ccm). The no form of the command disables caching. Ethernet cfm loopback cache this ...

  • Page 262

    Chapter 8 networking installation and operation manual 8-92 spanning tree protocol (stp) secflow-2 transparent to the protocols operating above this boundary. In complex networks, a loop may occur when there are two or more paths between two end points. This leads to the duplication of frames, which...

  • Page 263

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-93 bridge. If the switch receives an inferior configuration bpdu to that currently stored for that port, it discards the bpdu. If the switch is a designated switch for that lan from which the inferior inf...

  • Page 264

    Chapter 8 networking installation and operation manual 8-94 spanning tree protocol (stp) secflow-2 vlan 1 – 10.0.0.3/255.0.0.0 default state by default the stp is enabled on all ports. Application ports gi 0/3 and gi 0/4 are set as edge ports. Bridge id and switch priority each switch has a unique b...

  • Page 266

    Chapter 8 networking installation and operation manual 8-96 spanning tree protocol (stp) secflow-2 command description values. The spanning tree timers are reset to their default values, even if the spanning tree mode is changed. Forward-time : configures the number of seconds a port waits before chan...

  • Page 267

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-97 command description default value even if the spanning tree mode is changed. Cost : configures the port’s path cost value that contributes to the path cost of paths containing this particular port. The...

  • Page 268

    Chapter 8 networking installation and operation manual 8-98 spanning tree protocol (stp) secflow-2 command description no bpdu is received on the port. The port is set as non-edge port, if any bpdu is received. Defaults: automatic detection of edge port parameter of an interface is enabled. Spanning...

  • Page 269

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-99 command description and port level spanning tree statistics information, transmit hold-count value, link-type, and status of l2gp, loop guard, bpdu receive, bpdu transmit, restricted tcn, restricted ro...

  • Page 270

    Chapter 8 networking installation and operation manual 8-100 spanning tree protocol (stp) secflow-2 port roles port role description root provides the best path to the root. This is the port that receives the best bpdu on a bridge. Designated a port is designated if it can send the best bpdu on a se...

  • Page 271

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-101 figure 8-2. Proposal agreement handshake if a new link is created between the root and switch a, then both the ports on this link are put in designated blocking state, until they receive a bpdu from t...

  • Page 272

    Chapter 8 networking installation and operation manual 8-102 spanning tree protocol (stp) secflow-2 the topology of the network, it sets the topology change (tc) flag on the bpdus it sends out, which are then relayed to all the bridges in the network. When a bridge receives a bpdu with the tc flag b...

  • Page 273

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-103 root switch. Valid priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected. 4. Exit configuratio...

  • Page 274

    Chapter 8 networking installation and operation manual 8-104 spanning tree protocol (stp) secflow-2 this bridge is the root max age 20 sec, forward delay 15 sec mst00 spanning tree protocol enabled. Mst000 is executing the mstp compatible multiple spanning tree protocol bridge id priority 4096 addres...

  • Page 275

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-105 4. Exit configuration mode. Secflow-2(config-if)# end 5. View the spanning tree properties of an interface. 6. In switch a. Secflow-2# show spanning-tree root id priority 32768 address 00:01:02:03:04:...

  • Page 276

    Chapter 8 networking installation and operation manual 8-106 spanning tree protocol (stp) secflow-2 address 00:03:02:03:04:01 max age is 20 sec, forward delay is 15 sec name role state cost prio type ---- ---- ----- ---- ---- ------ gi0/1 root forwarding 2000 128 sharedlan gi0/2 designated forwardin...

  • Page 277

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-107 to configure switch a: 1. Enter the global configuration mode. Secflow-2# configure terminal 2. Specify the interface for which the port priority is to be configured. Secflow-2(config)# interface giga...

  • Page 278

    Chapter 8 networking installation and operation manual 8-108 spanning tree protocol (stp) secflow-2 mst00 spanning tree protocol enabled. Mst00 is executing the mstp compatible multiple spanning tree protocol bridge id priority 32768 address 00:02:02:03:04:01 max age is 20 sec, forward delay is 15 s...

  • Page 279

    Installation and operation manual chapter 8 networking secflow-2 spanning tree protocol (stp) 8-109 3. Configure link type of interface as point-to-point. Secflow-2(config-if)# spanning-tree link-type point-to-point 4. Exit configuration mode. Secflow-2(config-if)# end 5. View the spanning tree pro...

  • Page 280

    Chapter 8 networking installation and operation manual 8-110 gprs/umts interface secflow-2 to configure the switch 1. Enter the global configuration mode. Secflow-2# configure terminal 2. Specify the interface for which the auto edge configuration is to be done. Secflow-2(config)# interface gigabite...

  • Page 281

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-111 applications where small sites require a backup traffic path on top of the physical line. It might also be the case that the customer installation is at a remote site or is not permanently at a fixed location. S...

  • Page 282

    Chapter 8 networking installation and operation manual 8-112 gprs/umts interface secflow-2 once holding an ip address retrieved from the isp at its ppp interface, and with a vpn configured, the spoke will initiate nhrp request for registration towards the hub. The hub must hold a static address. The...

  • Page 283

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-113 1. Run the show command cellular wan show. 2. Sim 1 is connected following the modem enable and the sim properties configured. Sim 2 is configured and in ready state. Application connect: cellular enable cellula...

  • Page 284

    Chapter 8 networking installation and operation manual 8-114 gprs/umts interface secflow-2 if a preferred sim is chosen: • the system will use the preferred sim for the gsm connection and will keep this link as long as the connection meets the conditions set at the watchdog • as long as the primary ...

  • Page 285

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-115 [Figure 8-4. L2 protection: xSTP between the SecFlow-2 units at the cell sites (BTS/eNB) over the FO LAN and VPN/IPsec.] [Figure 8-5. L3 protection: OSPF between the SecFlow-2 units at the cell sites (BTS/eNB) over the LAN and DM-VPN.] modem condi...

  • Page 287

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-117 gprs/umts commands command description application connect enter the industrial application menu cellular enter the configuration mode for the cellular application. Enable: enable application disable: disable ...

  • Page 288

    Chapter 8 networking installation and operation manual 8-118 gprs/umts interface secflow-2 command description settings update quality check: define time interval in seconds for internal rssi check of active sim. 604800>. 0 –disable rssi check. Backoff1 : minimum time to stay on a sim after any fail...

  • Page 289

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-119 command description wan show show configuration and status of sim cards network show show connection time and rssi per sim card connection show show cellular connection status nhrp entering nhrp configuration ...

  • Page 290

    Chapter 8 networking installation and operation manual 8-120 gprs/umts interface secflow-2 example for retrieving the imei below is an example of retrieving the imei identifier of the modem. Secflow-2 application connect [/] cellular disable [/] cellular modem power-up completed ok [/] cellular mode...

  • Page 291

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-121 example cellular watchdog in the following example we will configure a watchdog for the cellular modem and see how the sim status changes due to the failed test of the watchdog. An unreachable address of 10.1...

  • Page 292

    Chapter 8 networking installation and operation manual 8-122 gprs/umts interface secflow-2 2. Display watchdog status. [cellular/continuous-echo/] show-status cellular echo response diagnostics table: ...

  • Page 293

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-123 4. Adding a second test for the watchdog. This time the destination address is reachable. [cellular/continuous-echo/] create name destination_2 dest-ip-address 80.74.102.38 loss-threshold 20 num-of-requests 3 ...

  • Page 294

    Chapter 8 networking installation and operation manual 8-124 gprs/umts interface secflow-2 • as the hub is located behind a nat router, a default gateway should be assigned at the application interface (172.18.212.100). • at the spoke, an ip for the application interface should be assigned for prope...

  • Page 295

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-125 write startup-cfg 2. Enable cellular application mode. Application connect [/] cellular enable cellular settings update default-route yes 3. Wan update menu, sim card configuration –slot 1. Cellular wan update...

  • Page 296

    Chapter 8 networking installation and operation manual 8-126 gprs/umts interface secflow-2 secflow-4 (hub)(config-vlan-default/1)#untagged 1/6/4 secflow-4 (hub)(config-tagged-1/3/1)#top secflow-4 (hub)(config)#vlan lan 700 secflow-4 (hub)(config-vlan-lan/700)#tagged 1/3/2 secflow-4 (hub)(config-tagg...

  • Page 297

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-127 testing the setup use show commands to verify the configuration. 1. Spoke configuration. Secflow-2(spoke)#show vlan []router interface show []l2-vpn nhrp spoke show []cellular show []cellular wan show []cellul...

  • Page 298

    Chapter 8 networking installation and operation manual 8-128 gprs/umts interface secflow-2 • 101/104 gateway configuration is required at the spoke • as the 101 is a serial device, vlan 4092 must be used for setting the serial link at the spoke. Ge port 0/3 and fe port 0/10 must be the members. • th...

  • Page 299

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-129 switchport pvid 100 exit 2. Assign l3 interface for management to vlan 100 (not mandatory). Interface vlan 100 shutdown ip address 172.18.212.219 255.255.255.0 no shutdown end write startup-cfg 3. Enabling cel...

  • Page 300

    Chapter 8 networking installation and operation manual 8-130 gprs/umts interface secflow-2 8. Nhrp configuration. [/] l2-vpn nhrp spoke update private-ip 10.10.10.10 remote-ip 80.74.102.38 []commit commited ok.. []exit 9. Ipsec configuration. Secflow-4#application connect ipsec isakmp update dh-grou...

  • Page 301

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-131 [/] router interface create address-prefix 172.18.212.230/24 vlan 1 completed ok [router/] static router/static> enable router/static# configure terminal router/static(config)# ip route 0.0.0.0/0 172.18.212.10...

  • Page 302

    Chapter 8 networking installation and operation manual 8-132 gprs/umts interface secflow-2 in this example the hub is located behind a nat router. The nat, holding a public address 80.74.102.38, should route all traffic destined for it to the application interface of the hub 172.18.212.230. • as the...

  • Page 303

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-133 spoke 1. Create a vlan uni to direct traffic from the pc to the application. Ge port 0/4 must be a tagged member at this vlan. Ge port 0/3 must also be a member in order to direct terminal server and serial...

  • Page 304

    Chapter 8 networking installation and operation manual 8-134 gprs/umts interface secflow-2 7. Create an ip interface to serve the terminal server and serial tunneling services. Application connect [/]router interface create address-prefix 192.168.100.101/24 vlan 100 purpose application-host commit 8...

  • Page 305

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-135 vlan 100 ports fastethernet 0/1 gigabitethernet 0/3-4 untagged fastethernet 0/1 exit interface fastethernet 0/1 switchport pvid 100 exit 2. Create vlan nni to direct traffic from the application to the uplink....

  • Page 306

    Chapter 8 networking installation and operation manual 8-136 gprs/umts interface secflow-2 5. Configure ip interface at the application for the serial tunneling service udp traffic. Secflow-4#application connect [/] router interface create address-prefix 192.168.100.100/24 vlan 100 purpose general c...

  • Page 307

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-137 • as the hub is located behind a nat router, a default gateway should be assigned at the application interface (172.18.212.100). • as this is a layer 3 service, the users behind the spoke and hub are in differ...

  • Page 308

    Chapter 8 networking installation and operation manual 8-138 gprs/umts interface secflow-2 exit interface fastethernet 0/1 description uni switchport pvid 40 exit interface vlan 40 shutdown ip address 192.168.40.1 255.255.255.0 no shut exit ip route 0.0.0.0 0.0.0.0 192.168.40.10 1 end write startup-...

  • Page 309

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-139 configure terminal ip route 192.168.10.0/24 10.10.10.10 write exit exit commit 9. Configure ipsec. Secflow-2#application connect []ipsec isakmp update dh-group modp1024 []ipsec isakmp update my-id rtu1.secflow...

  • Page 310

    Chapter 8 networking installation and operation manual 8-140 gprs/umts interface secflow-2 write startup-cfg 2. Create an ip interface eth.20 in the subnet of the router. [/]router interface create address-prefix 172.18.212.230/24 vlan 20 purpose application-host [/] commit 3. Create an ip interface...

  • Page 311

    Installation and operation manual chapter 8 networking secflow-2 gprs/umts interface 8-141 []cellular wan show []cellular connection show []ipsec show hub secflow-4 (hub)#show vlan []router interface show 2. Make sure both the ip of the hub and the one of the spoke are each accessible from the inter...

  • Page 312

    Chapter 8 networking installation and operation manual 8-142 transparent serial tunneling secflow-2 spoke create the serial port and transparent serial tunneling service. Application connect []serial port create slot 1 port 4 mode-of-operation transparent []serial local-end-point create slot 1 port ...

  • Page 313

    Installation and operation manual chapter 8 networking secflow-2 transparent serial tunneling 8-143 [Figure: transparent serial tunneling topology. Two SecFlow-2 units (A and B) connected over the cloud, one attached to a serial master and one to a serial slave on RS-232 serial port 1, each with a serial port local end point; port 0/2, VLAN 100.] local service-id local serv...

  • Page 314

    Chapter 8 networking installation and operation manual 8-144 application aware firewall secflow-2 []serial remote-end-point create remote-address 172.18.212.230 service-id 1 position master []commit 8.11 application aware firewall the integrated scada protocol firewall provides network-based distrib...

  • Page 315

    Installation and operation manual chapter 8 networking secflow-2 application aware firewall 8-145 • a packet originating from and destined to a service member will be directed to the application processor for in-depth inspection of the payload before being allowed to pass to the network. Firewall flow i...

  • Page 316

    Chapter 8 networking installation and operation manual 8-146 application aware firewall secflow-2 configuration made by isim should not be tampered with by the user. Firewall end to end service and provisioning is supported using isim only. Example below is an example of configuration made by isim. ...

  • Page 317

    Installation and operation manual chapter 8 networking secflow-2 application aware firewall 8-147 7. Place the acls on the client port. Interface fa 0/1 ip access-group 2001 in ip access-group 1006 in mac access-group 1001 in mac access-group 2998 in exit 8. Place the acls on the server port. Interf...

  • Page 318

    Chapter 8 networking installation and operation manual 8-148 vrrp secflow-2 command description log show show : display the firewall log clear : clears the log tcp show : status of the firewall is displayed tcp activate mode disabled : firewall is disabled. Packets are not inspected. Enabled : packe...

  • Page 319

    Installation and operation manual chapter 8 networking secflow-2 vrrp 8-149 - priority - text-authentication - timer [msec] - timers advertise [msec] - [no] vrrp group shutdown - show vrrp - show running-config vrrp vrrp commands descriptions command description config enters the global configuratio...

  • Page 320

    Chapter 8 networking installation and operation manual 8-150 vrrp secflow-2 command description successive advertisement messages. Permissible values: (1-255 secs)/(100-255000 msecs). Msec : unit is changed to milliseconds example following is a configuration example of a vrrp instance. Setup drawin...

  • Page 321

    Installation and operation manual chapter 8 networking secflow-2 vrrp 8-151 exit interface vlan 12 ip address 12.0.0.1 255.0.0.0 no shutdown exit 3. Set vrrp instance (master router). Router vrrp interface vlan 11 vrrp 1 ipv4 11.0.0.1 vrrp 1 ipv4 11.0.0.1 secondary exit interface vlan 12 vrrp 1 ipv4...

  • Page 322

    Chapter 8 networking installation and operation manual 8-152 ripv2 secflow-2 vrrp 1 ipv4 12.0.0.2 vrrp 1 ipv4 12.0.0.1 secondary end write startup-cfg 8.13 ripv2 rip (routing information protocol) is a distance-vector routing protocol, which employs the hop count as a routing metric. Ripv2 protocol ...

  • Page 323

    Installation and operation manual chapter 8 networking secflow-2 ripv2 8-153 router rip network – enable routing on an ip network. Network can be given as A.B.C.D/M or as the name of a preconfigured interface, e.g. eth1. Passive-interface – suppress routing updates on an interface. Given as a name of a pr...

  • Page 324

    Chapter 8 networking installation and operation manual 8-154 ripv2 secflow-2 [Network drawing: L3 RIP topology with one SecFlow-4 and three SecFlow-2 units. Interfaces shown: eth1.101: 172.16.101.100 (vlan 101; fe1 and 1/4/4), eth1.111: 172.16.111.100 and 172.16.111.20 (vlan 111; fe3), eth1.102: 172.16.102.100 (vlan 102).] ...

  • Page 325

    Installation and operation manual chapter 8 networking secflow-2 ripv2 8-155 switchport pvid 104 exit commit end 4. Assign the application ip interfaces. Application connect router interface create address-prefix 172.16.101.100/24 vlan 101 purpose application-host router interface create address-pre...

  • Page 326

    Chapter 8 networking installation and operation manual 8-156 ripv2 secflow-2 127.128.127.0 0.0.0.0 255.255.255.0 u 0 0 0 eth1 172.16.112.0 0.0.0.0 255.255.255.0 u 0 0 0 eth1.112 172.16.111.0 0.0.0.0 255.255.255.0 u 0 0 0 eth1.111 completed ok [/] router rip router/rip> show ip rip codes: r - rip, c ...

  • Page 327

    Installation and operation manual chapter 8 networking secflow-2 discrete io tunneling 8-157 8.14 discrete io tunneling discrete channel interfaces discrete signals are very common in industrial applications to monitor alarms and indications from the field side. Secflow-2 allows the most effective f...

  • Page 328

    Chapter 8 networking installation and operation manual 8-158 discrete io tunneling secflow-2 service service id 1 direction hardware terminals input 6,4 output 1,3 service id 2 direction hardware terminals input 5,4 output 2,3 diagnostics and logic states 1. Within the cli, diagnostics of the discre...

  • Page 329

    Installation and operation manual chapter 8 networking secflow-2 vpn 8-159 discrete io tunneling commands hierarchy + root + application connect + discrete + service - create service direction remote-address - remove service direction - show discrete io tunneling commands command description applica...

  • Page 330

    Chapter 8 networking installation and operation manual 8-160 vpn secflow-2 modes supported with the secflow switches both l2 and l3 vpns are supported. Both modes are based on gre tunnelling. Operational modes: • l2 gre vpn • l3 mgre dm-vpn, route based. Layer 2 vpn gre tunneling supports encapsulati...

  • Page 332

    Chapter 8 networking installation and operation manual 8-162 ipsec secflow-2 8.16 ipsec internet protocol security (ipsec) is a protocol suite for securing internet protocol (ip) communications by authenticating and/or encrypting each ip packet of a communication session. The ipsec protocol suite in...

  • Page 333

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-163 isakmp isakmp provides a framework for agreeing on the format of sa attributes, and for negotiating, modifying, and deleting sas. First, an initial protocol exchange allows a basic set of security attributes to be agreed ...

  • Page 334

    Chapter 8 networking installation and operation manual 8-164 ipsec secflow-2 this number can then be converted into cryptographic keying material. This keying material is typically used as a key-encryption key (kek) to encrypt the vpn gre traffic. This key is kept secret and never exchanged over the...

  • Page 335

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-165 the above configuration example will result in following show output: rsa signatures (x.509) uses a digital certificate authenticated by an rsa signature. The user is required to generate certificates from a trusted source ...

  • Page 336

    Chapter 8 networking installation and operation manual 8-166 ipsec secflow-2 below is a screenshot of such 2 certificate files placed on a pc with tftp client and cli example of importing them. To perform certification: 1. Import the key file. Secflow-2# rsa-signature import tftp://172.17.203.31/ips...

  • Page 337

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-167 the above configuration example will result in following show output: exchange modes main main mode is the more secure option for phase1 as it involves the identity protection. Session flow: 1. Session begins with the initi...

  • Page 338

    Chapter 8 networking installation and operation manual 8-168 ipsec secflow-2 in applications at which the ip addresses used for the vpn network are not static (for example a cellular spoke retrieving dynamic ip from the isp over its ppp interface) the main mode of ike is not applicable. Pre-shared k...

  • Page 340

    Chapter 8 networking installation and operation manual 8-170 ipsec secflow-2 ipsec command association below, the configuration fields of ipsec are detailed in their respective association to the isakmp structure. Highlighted in blue are the cli names of the configurable fields. Enable ipsec ...

  • Page 343

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-173 command description modp8192 dpd-delay dead peer discovery delay. Defines the interval between successive keep-alive messages. Permissible range : 0-120 (default is 5) dpd-maxfail dead peer discovery max attempts to determin...

  • Page 344

    Chapter 8 networking installation and operation manual 8-174 ipsec secflow-2 command description phase1-encryption-algo encryption algorithm used for phase 1. 3des aes-128 (default) aes-256 phase1-hash-algo hash algorithm used for phase 1. Md5 sha1 (default) sha256 sha512 phase1-lifetime the lifetim...

  • Page 345

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-175 command description traffic to encrypt: src-ip : A.B.C.D form ip address of the packet source. Dst-ip : A.B.C.D form ip address of the packet destination. Src-port : port number of the packet source. Dst-port : port number ...

  • Page 346

    Chapter 8 networking installation and operation manual 8-176 ipsec secflow-2 ipsec defaults example secure l2 vpn over layer 3 cloud the following example will demonstrate proper configuration of gre over layer 3 cloud. Concept maintaining virtual lan, layer 2 connectivity between two remote sites c...

  • Page 347

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-177 [Network drawing: site A with VLAN access 10 on UNI fa 0/8 (untagged) and app gi 0/4 (tagged), IP 192.168.0.100; SecFlow-2 interface vlan 10: 192.168.0.101, app IP 172.17.203.220 on vlan 17, app gateway 172.17.203.100 on vlan 17, NNI fa 0/1 (tagged), app gi 0/3 (tagged)] interfac...

  • Page 348

    Chapter 8 networking installation and operation manual 8-178 ipsec secflow-2 ports fastethernet 0/1 gigabitethernet 0/3 exit 2. Create lan access for user port. Vlan 10 ports fastethernet 0/8 gigabitethernet 0/4 untagged fastethernet 0/8 exit interface fastethernet 0/8 no shutdown switchport pvid 10...

  • Page 349

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-179 3. Disable rstp. Shutdown spanning-tree no spanning-tree end write startup-cfg 4. Configure the tunnel. Secflow-2#application connect [/] router interface create address-prefix 172.18.212.220/24 vlan 18 [router/] static rou...

  • Page 350

    Chapter 8 networking installation and operation manual 8-180 ipsec secflow-2 ipsec isakmp update id-type fqdn [] ipsec isakmp update dh-group modp1024 [] ipsec isakmp update my-id sb.secflow-2.com [] ipsec preshared create id sa.secflow-2.com key secretkey [] ipsec preshared create id sb.secflow-2.co...

  • Page 351

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-181 vlan 20 ports fastethernet 0/1 exit vlan 30 ports fastethernet 0/2 exit vlan 1 no ports fastethernet 0/1-2 untagged fastethernet 0/1-2 end write startup-cfg hub 1. Set switch host name (not mandatory). Set host-name hub 2. ...

  • Page 352

    Chapter 8 networking installation and operation manual 8-182 ipsec secflow-2 6. Assign an IP interface in the application which will route user traffic. application connect router interface create address-prefix 192.168.10.1/24 vlan 10 purpose application-host description user1 7. Assign an IP interface i...

  • Page 353

    Installation and operation manual chapter 8 networking secflow-2 ipsec 8-183 no ports fastethernet 0/1,0/4 gigabitethernet 0/3 untagged fastethernet 0/1,0/4 exit 3. Assign the user and network VLANs and set the PVID for the untagged ports. vlan 40 ports fastethernet 0/1 gigabitethernet 0/3 untagged fast...

  • Page 354

    Chapter 8 networking installation and operation manual 8-184 protocol gateway iec 101 to iec 104 secflow-2 10. Configure IPsec. ipsec isakmp update dh-group modp1536 ipsec isakmp update pfs-group modp1536 ipsec isakmp update phase1-hash-algo md5 ipsec isakmp update phase1-encryption-algo 3des ipsec ...

  • Page 355

    Installation and operation manual chapter 8 networking secflow-2 protocol gateway iec 101 to iec 104 8-185 the iec101 devices will be configured with their serial link properties, device address and asdu address to be uniquely identified behind the gateway. Overall the iec101 devices will be address...

  • Page 356

    Chapter 8 networking installation and operation manual 8-186 protocol gateway iec 101 to iec 104 secflow-2 multipoint-party line (planned) • physical layer transmission speed in monitor & control direction: 300 – 38400bps • link layer link transmission procedure balanced transmission unbalanced tran...

  • Page 357

    Installation and operation manual chapter 8 networking secflow-2 protocol gateway iec 101 to iec 104 8-187 • iec101 device parameters - for the serial interfaces the physical link properties should be configured (baud-rate, parity, stop bits). Furthermore the iec101 addressing information should be ...

  • Page 358

    Chapter 8 networking installation and operation manual 8-188 protocol gateway iec 101 to iec 104 secflow-2 {slot } { port } { asdu_address } { link address } [ ca_length ] [ translated_cmn_addr ] [ la_length ] [ ioa_length ] [ orig_address ] [ orig_participate ] [ dir_bit ] [ single_char ] [ test_pr...

  • Page 359

    Installation and operation manual chapter 8 networking secflow-2 protocol gateway iec 101 to iec 104 8-189 command description link_address_field_length : length in bytes of the link address. Permissible values are one or two bytes. Should be identical to the configuration at the 101 slave. Orig_add...

  • Page 360

    Chapter 8 networking installation and operation manual 8-190 protocol gateway iec 101 to iec 104 secflow-2 (figure residue): SecFlow-2, IEC 104 client, IEC 104 server, RTU, RS-232 port 1, FE port 1, IEC 104, IEC 101, SCADA simulator; IP addresses 172.18.212.240, 172.18.212.230, 172.18.212.220; IEC 101 master, IEC 101 slave, CA=2 / ...

  • Page 361

    Installation and operation manual chapter 8 networking secflow-2 protocol gateway iec 101 to iec 104 8-191 write startup-cfg 4. Configure the gateway (values are example only). router interface create address-prefix 172.18.212.230/24 vlan 100 [] serial port create slot 1 port 1 baudrate 9600 parity...

  • Page 364

    Chapter 9 timing and synchronization installation and operation manual 9-2 simple network time protocol (sntp) secflow-2 example • example for time configuration secflow-2# clock set 14:00:00 20 august 2012 secflow-2# show clock mon aug 20 14:02:54 2012 9.2 simple network time protocol (sntp) the sn...

  • Page 365

    Installation and operation manual chapter 9 timing and synchronization secflow-2 simple network time protocol (sntp) 9-3 command description the server. Broadcast: sets the addressing mode of sntp client as broadcast which operates in a point-to-multipoint fashion. The sntp server uses an ip local b...

  • Page 366

    Chapter 9 timing and synchronization installation and operation manual 9-4 simple network time protocol (sntp) secflow-2 command description week of month. Day: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday or Saturday. Month: January, February, March, April, May, June, July, August, Septembe...

  • Page 367

    Installation and operation manual chapter 9 timing and synchronization secflow-2 simple network time protocol (sntp) 9-5 command description as internet protocol version 6. Primary: sets the unicast server type as primary server. Secondary: sets the unicast server type as secondary server. Version 3...

  • Page 368

    Chapter 9 timing and synchronization installation and operation manual 9-6 simple network time protocol (sntp) secflow-2 command description sets the multicast default address as a default value ipv6: sets the internet protocol version as version 6. - sets the ipv6 address. Default – sets the multic...

  • Page 369

    Installation and operation manual chapter 9 timing and synchronization secflow-2 simple network time protocol (sntp) 9-7 command description mgmt.: generates debug statements for management traces. This trace is generated during failure in configuration of any of the sntp features. Data-path: genera...

  • Page 370

    Chapter 9 timing and synchronization installation and operation manual 9-8 simple network time protocol (sntp) secflow-2 , serveripaddress:96.47.67.105 secflow-2# show clock wed feb 06 14:35:58 2013 secflow-2# 1. To remove configuration config sntp no sntp unicast-server ipv4 96.47.67.105 it is mand...

  • Page 371: Chapter

    Secflow-2 system version and data base 10-1 chapter 10 administration 10.1 system version and data base configuration database by default user configuration is saved in a file called secflow-2.conf. Configuration saved in this file will be available at system startup. If this file is deleted, the sy...

  • Page 372

    Chapter 10 administration installation and operation manual 10-2 system version and data base secflow-2 the os image file is a tar file type. When upgrading the system from the usb the file should be placed at the root directory of the usb drive. The file should not be unzipped. The usb drive must b...

  • Page 373

    Installation and operation manual chapter 10 administration secflow-2 system version and data base 10-3 example upgrade the os from usb the following flow will show how to upgrade the os image file from a usb. 1. Display available os files secflow-2# os-image show-list versions list: rf_secflow-2_3....

  • Page 374

    Chapter 10 administration installation and operation manual 10-4 system version and data base secflow-2 3. Download OS file from USB. Command syntax: secflow-2# os-image download-sw sftp://user:password@aa.bb.cc.dd/file_name example: secflow-2# os-image download-sw sftp://user:user@172.17.203.100/rf...

  • Page 375

    Installation and operation manual chapter 10 administration secflow-2 system version and data base 10-5 to access safe mode, connect to the switch via console cable, reboot the unit and interrupt the boot process at the safe mode prompt. The first safe mode is to be used by approved technicians only...

  • Page 376

    Chapter 10 administration installation and operation manual 10-6 system version and data base secflow-2 os image update from a usb stored file – example the following steps provide an example of uploading a desired os image stored on a local usb key and activating it.

  • Page 377

    Installation and operation manual chapter 10 administration secflow-2 system version and data base 10-7 sw image upgrade and recovery in this sub-menu the user can handle the running configuration backup and restore.

  • Page 379: Chapter

    Secflow-2 alarm relay 11-1 chapter 11 monitoring and diagnostics the following topics are covered in this chapter: • detecting problems • alarms and traps • performing diagnostic tests 11.1 alarm relay the switch has the capability to manifest system and feature alarms as a relay output. Two interfa...

  • Page 380

    Chapter 11 monitoring and diagnostics installation and operation manual 11-2 alarm relay secflow-2 contact switching capabilities max dc voltage : 220v max current : 1a max power : 30w wiring example the following connection diagram illustrates the wiring of the alarm output at its n/o contact. Pole...

  • Page 381

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-2 alarm relay 11-3 dry contact interface wiring example the following connection diagram illustrates the wiring of the 2 alarm outputs.

  • Page 382

    Chapter 11 monitoring and diagnostics installation and operation manual 11-4 alarm relay secflow-2 contact switching capabilities digital outputs are dry mechanical n/o relay contacts. Maximum power to be implemented at the contacts : ac: max 250v, 37.5va. Dc: max 220v, 30 watt. Above mentioned powe...

  • Page 386

    Chapter 11 monitoring and diagnostics installation and operation manual 11-8 capture ethernet service traffic secflow-2 11.3 capture ethernet service traffic the system supports sniffing and capturing of ethernet traffic for selected service ip interfaces. This capability is important in order to di...

  • Page 387

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-2 capture ethernet service traffic 11-9 example 1. Set a VLAN for the service traffic. Assign an access port and the ACE port gi 0/3. config vlan 20 ports add fastethernet 0/5 gigabitethernet 0/3 untagged fastethernet 0/...

  • Page 389

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-2 port mirroring 11-11 command description flash : indicates the maximum flash usage of the switch in percentage to trigger a trap. Threshold percentage : 1-100 default : 100 set switch temperature this command sets the ...

  • Page 390

    Chapter 11 monitoring and diagnostics installation and operation manual 11-12 rmon secflow-2 example secflow-2# config terminal secflow-2 (config)# monitor session 1 source interface fa 0/1 both secflow-2 (config)# monitor session 1 source interface fa 0/3 rx secflow-2 (config)# monitor session 1 so...

  • Page 391

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-2 ddm 11-13 command description rmon collection stats this command enables history collection of interface statistics in the buckets for the specified time interval. The no form of the command disables the history collec...

  • Page 392

    Chapter 11 monitoring and diagnostics installation and operation manual 11-14 ddm secflow-2 - show sfp-port extended - show sfp-port ddm [gigabitethernet ] example below is a show output of a DDM-supporting SFP. secflow-2# show sfp-port extended gigabitethernet 0/1 ______ extended data for gigabite...

  • Page 395

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-2 syslog 11-17 debug interface this command sets the debug traces for all the interfaces. The no form of the command resets the configured debug traces. Track : generates debug messages for all track messages. Enetpktdum...

  • Page 396

    Chapter 11 monitoring and diagnostics installation and operation manual 11-18 syslog secflow-2 severity of logging can be set with its numeric value or its name tag. When configuring a server, it should be set with priority tag, reflecting the level of the message and the facility. Priority indicato...

  • Page 399

    Installation and operation manual chapter 11 monitoring and diagnostics secflow-2 syslog 11-21 command description show syslog role displays the syslog role show syslog localstorage displays the syslog local storage configuration example set a server with priority 135 for facility local0 and severit...

  • Page 400

    Chapter 11 monitoring and diagnostics installation and operation manual 11-22 technical support secflow-2 output example a typical output of syslog at console interface. Secflow-2# jan 1 01:00:09 iss cfa slot0/6 link status [down] jan 1 01:00:11 iss cfa slot0/4 link status [up] secflow-2# show loggi...

  • Page 401: Chapter

    Secflow-2 upgrading the os from usb 12-1 chapter 12 software upgrade 12.1 upgrading the os from usb the following flow shows how to upgrade the os image file via the usb connector. 1. Display available os files. Secflow-2# os-image show-list versions list: rf_secflow-2_3.5.03.11 (active) rf_secflow-...

  • Page 402

    Chapter 12 software upgrade installation and operation manual 12-2 upgrading the os from sftp secflow-2 12.2 upgrading the os from sftp the following flow shows how to upgrade the os image file from an sftp server. 1. Display available os files. Secflow-2# os-image show-list versions list: rf_secflo...

  • Page 403: Appendix

    Secflow-2 required equipment a-1 appendix a test plan a.1 introduction this appendix describes basic verification tests for secflow-2. The aim is to perform a series of short tests that check the following: • testing auto negotiation • testing poe • testing vlan • testing port security • testing rst...

  • Page 404

    Appendix a test plan installation and operation manual a-2 testing auto negotiation secflow-2 devices under test function hw version sw version secflow-2 3.6 test equipment function requirements unit notes pc pc with com port eth cable straight standard straight ethernet cable serial testing device ...

  • Page 405

    Installation and operation manual appendix a test plan secflow-2 testing poe a-3 table a-1. Auto-negotiation test procedure # action expected result result 1 set one port of each secflow-2 device to “auto negotiation” both ports are synced on 100 mbps 2 set the s1 link port to 10 mbps the neighbor l...

  • Page 406

    Appendix a test plan installation and operation manual a-4 testing vlan secflow-2 preparing the test layout secflow-2 telephone telephone estimated duration the estimated duration of this test is 10 minutes. Test procedure table a-2 details the poe test procedure. Table a-2. Poe test procedure # act...

  • Page 407

    Installation and operation manual appendix a test plan secflow-2 testing vlan a-5 table a-3. Vlan test procedure # action expected result result 1 ping s1 and s2 devices the pc can ping the local switch s2 only 2 ping s1 and s2 devices after assigning both switches to vlan 3 the pc can ping both loc...

  • Page 408

    Appendix a test plan installation and operation manual a-6 testing vlan secflow-2 internet address is 172.18.212.231/24 broadcast address 172.18.212.255 secflow-2# to configure the s2 switch: use the following example to configure the switch: secflow-2# config configuring from memory or network is n...

  • Page 409

    Installation and operation manual appendix a test plan secflow-2 testing port security a-7 secflow-2# show vlan port config port fastethernet 0/2 switch default vlan port configuration table ------------------------------- port fa0/2 bridge port type : customer bridge port port vlan id : 2 port acce...

  • Page 410

    Appendix a test plan installation and operation manual a-8 testing port security secflow-2 fa 1 secflow-2 s1 interface vlan 1: 172.18.212.232 vlan 1 pc 172.18.212.200 ping 200 to 232: ok ssh management: no estimated duration the estimated duration of this test is 1 hour. Test procedure table a-4 det...

  • Page 411

    Installation and operation manual appendix a test plan secflow-2 testing rstp a-9 step 2: allow only icmp and arp traffic mac access-list extended 1 permit any any 0x0806 priority 9 exit ip access-list extended 1001 permit icmp any any priority 8 exit block all traffic ip access-list extended 2000 d...

  • Page 412

    Appendix a test plan installation and operation manual a-10 testing rstp secflow-2 preparing the test layout (figure residue: two diagrams, SecFlow-2 S1 as root and SecFlow-2 S2 as alternate, then as forwarding, linked on fa 4; PC on fa 8 edge port; fa 2) estimated duration the estimated...

  • Page 413

    Installation and operation manual appendix a test plan secflow-2 testing erp a-11 no shutdown to show interfaces: show spanning-tree detail show spanning-tree interface show spanning-tree summary a.8 testing erp ethernet ring protection is supported, allowing layer 2 fast protection and resilient ne...

  • Page 414

    Appendix a test plan installation and operation manual a-12 testing erp secflow-2 configuring devices to configure s1: config vlan 100 ports add fa 0/1,0/2 exit interface fa 0/1 spanning-tree disable exit interface fa 0/2 spanning-tree disable exit ethernet cfm start ethernet cfm enable ethernet cfm...

  • Page 415

    Installation and operation manual appendix a test plan secflow-2 testing erp a-13 config vlan 200 port add fa 0/1 port add fa 0/2 exit end write startup-cfg config interface vlan 200 shutdown ip address 172.18.212.231 255.255.255.0 no shutdown exit end write startup-cfg to configure s2: config vlan ...

  • Page 416

    Appendix a test plan installation and operation manual a-14 testing erp secflow-2 exit exit ethernet cfm cc level 6 vlan 100 interval one-sec ethernet cfm cc enable level 6 vlan 100 no shutdown aps ring aps ring enable aps ring group 1 aps working fa 0/1 fa 0/2 vlan 100 aps working meg 1 me 1 mep 1 ...

  • Page 417

    Installation and operation manual appendix a test plan secflow-2 testing erp a-15 cfm no shutdown domain zdmnz01z002 format none level 6 sender-id-content all ma zerpz0000z001 format icc vlan 100 mep 2 bind-to 1/4/1 direction down no shutdown ccm-enabled exit mep 3 bind-to 1/4/2 direction down no sh...

  • Page 418

    Appendix a test plan installation and operation manual a-16 testing snmp traps secflow-2 management routing-interface sw200 commit end a.9 testing snmp traps preparing the test layout estimated duration the estimated duration of this test is 1 hour. Test procedure table a-7 details the snmp test pro...

  • Page 419

    Installation and operation manual appendix a test plan secflow-2 testing syslog a-17 snmp targetparams paramlist1 user none security-model v2c message-processing v2c snmp notify rad tag taglist1 type trap a.10 testing syslog preparing the test layout estimated duration the estimated duration of this...

  • Page 420

    Appendix a test plan installation and operation manual a-18 testing l3 capabilities secflow-2 a.11 testing l3 capabilities preparing the test layout layer 3 management fa 0/1 secflow-2 s1 secflow-2 s2 1 4002 secflow-4 vlan 200: 172.18.212.232 4001 fa 0/1 vlan 200: 172.18.212.231 vlan 200: 172.18.212...

  • Page 421

    Installation and operation manual appendix a test plan secflow-2 testing l3 capabilities a-19 configuring devices to configure layer 3 management: config feature telnet ssh enable set ip http enable end write startup-cfg to configure layer 3 routing: 1. Configure switch s3. Config router interface s...

  • Page 422

    Appendix a test plan installation and operation manual a-20 testing ospf secflow-2 3. Configure switch s2. Config vlan 18 ports add fastethernet 0/1,0/8 untagged fastethernet 0/8 exit interface fastethernet 0/8 switchport pvid 18 exit interface vlan 18 shutdown ip address 172.18.212.232 255.255.255....

  • Page 423

    Installation and operation manual appendix a test plan secflow-2 testing ospf a-21 configuring devices to configure switch s1: config vlan 101 ports fastethernet 0/1 exit vlan 102 ports fastethernet 0/2 exit interface vlan 101 shutdown ip address 172.18.101.201 255.255.255.0 no shutdown exit interfa...

  • Page 424

    Appendix a test plan installation and operation manual a-22 testing ospf secflow-2 router ospf router-id 10.10.10.102 network 172.18.102.202 255.255.255.0 area 0.0.0.0 network 172.18.103.202 255.255.255.0 area 0.0.0.0 end write startup-cfg to configure switch s3: top router interface sw101 address 1...

  • Page 425

    Installation and operation manual appendix a test plan secflow-2 testing serial tunneling a-23 a.13 testing serial tunneling preparing the test layout cloud secflow-2 rs-232 serial port 1 serial master serial port local end point secflow-2 rs-232 serial port 1 serial slave serial port local end poin...

  • Page 426

    Appendix a test plan installation and operation manual a-24 testing serial tunneling secflow-2 configuration switch b config vlan 100 ports fastethernet 0/2 gigabitethernet 0/3 end application connect router interface create address-prefix 172.18.212.230/24 vlan 100 serial port create slot 1 port 1 ...

  • Page 428

    Appendix a test plan installation and operation manual a-26 testing the vpn secflow-2 configuring devices config vlan 100 ports fastethernet 0/1 gigabitethernet 0/3 untagged fastethernet 0/1 exit interface fastethernet 0/1 switchport pvid 100 end application-connect router interface create address-p...

  • Page 429

    Installation and operation manual appendix a test plan secflow-2 testing the vpn a-27 test procedure table a-13 details the vpn test procedure. Table a-13. Vpn test procedure # action expected result result 1 send pings between both pc’s layer 2 connectivity established between the pcs. Configuring ...

  • Page 430

    Appendix a test plan installation and operation manual a-28 testing the vpn secflow-2 [/] l2-vpn tunnel create local-end-point 172.17.203.220 remote- address 172.18.212.220 name tunnel_1 completed ok switch b configuration config no spanning-tree interface gi 0/4 switchport unicast-mac learning enab...

  • Page 431

    Installation and operation manual appendix a test plan secflow-2 testing ipsec a-29 switch c configuration config router interface sw17 address 172.17.203.100/24 route interface sw18 address 172.18.212.100/24 top vlan 1 no ports gigabitethernet 0/3-4 exit vlan 17 name net-17 management routing-inter...

  • Page 432

    Appendix a test plan installation and operation manual a-30 testing ipsec secflow-2 test procedure table a-14 details the ipsec test procedure. Table a-14. Ipsec test procedure # action expected result result 1 send continuous icmp requests and ssh management from switch a to the remote switch b • t...

  • Page 434

    Publication no. 622-200-10/14 order this publication by catalog no. 805050 International Headquarters 24 Raoul Wallenberg Street Tel Aviv 69719, Israel tel. 972-3-6458181 fax 972-3-6498250, 6474436 e-mail market@rad.com North America Headquarters 900 Corporate Drive Mahwah, NJ 07430, USA tel. 201-...