Magnum Network Software – DX

Administrator’s Guide

GarrettCom Utility Networks
25 Commerce Way #1
North Andover, MA 01845
Phone: 978.688.8807
Fax: 978.688.8771

Declarations

DOCUMENT NOTICE

Copyright

Copyright 2007 by GarrettCom. Printed in the US. All rights reserved.

This manual may not be reproduced or disclosed in whole or in part by any means without the written consent of GarrettCom. DynaStar is a trademark of GarrettCom. All other trademarks mentioned in this document are the property of their respective owners.

This document has been prepared to assist users of equipment manufactured by GarrettCom, and changes are made periodically to the information in this manual. Such changes are published in Software Release Notices. If you have recently upgraded your software, carefully note those areas where new commands or procedures have been added. The material contained in this manual is supplied without any warranty of any kind. GarrettCom therefore assumes no responsibility and shall incur no liability arising from the supplying or use of this document or the material contained in it.

Rights

Except as set forth in the Software License Agreement, GarrettCom makes no representation that software programs and practices described herein will not infringe on existing or future patent rights, copyrights, trademarks, trade secrets or other proprietary rights of third parties and GarrettCom makes no warranties of any kind, either express or implied, and expressly disclaims any such warranties, including but not limited to any implied warranties of merchantability or fitness for a particular purpose and any warranties of non-infringement. The descriptions contained herein do not imply the granting of licenses to make, use, sell, license or otherwise transfer GarrettCom products described herein. GarrettCom disclaims responsibility for errors which may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.

Part Number Information

Paper Version Part Number: 3-01-2117-00 Rev. AC

CD Part Number: 3-01-2115-00 Rev. AC


WARRANTY

GarrettCom warrants equipment manufactured by it to be free from defects in materials and workmanship for a period of one (1) year from date of shipment. If within the warranty period the purchaser discovers such item was not as warranted above and promptly notifies GarrettCom in writing, GarrettCom shall repair or replace the items at the company's option. This warranty shall not apply to: (a) equipment not manufactured by GarrettCom; (b) equipment which shall have been repaired or altered by anyone other than GarrettCom; (c) equipment which shall have been subjected to negligence, accident, or damage by circumstances beyond GarrettCom's control, or to improper operation, maintenance or storage, or to other than normal use or service. With respect to equipment sold but not manufactured by GarrettCom, the warranty obligation of GarrettCom shall, in all aspects, conform and be limited to the warranty actually extended to GarrettCom by its supplier.

The foregoing warranties do not cover reimbursement for labor, transportation, removal, installation, or other expenses that may be incurred in connection with repair or replacement.

THE FOREGOING WARRANTIES ARE EXCLUSIVE AND IN LIEU OF ALL OTHER EXPRESS AND IMPLIED WARRANTIES EXCEPT WARRANTIES OF TITLE, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

LIMITATION OF LIABILITY

Anything to the contrary herein contained notwithstanding, GarrettCom, ITS CONTRACTORS AND SUPPLIERS OF ANY TIER, SHALL NOT BE LIABLE IN CONTRACT, IN TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY) OR OTHERWISE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES WHATSOEVER. The remedies of the purchaser set forth herein are exclusive where so stated, and the total cumulative liability of GarrettCom, its contractors and suppliers of any tier, with respect to this contract or anything done in connection therewith, such as the use of any product covered by or furnished under the contract, whether in contract, in tort (including negligence or strict liability) or otherwise, shall not exceed the price of the product or part on which such liability is based.

Unless otherwise agreed to in writing by an authorized official of GarrettCom, products sold hereunder are not intended for use in or in connection with a nuclear facility or activity. If so used, GarrettCom disclaims all liability for nuclear damage, injury or contamination, and purchaser shall indemnify GarrettCom against any such liability, whether as a result of breach of contract, warranty, tort (including negligence) or otherwise.

Revision History

Release Date      Document Revision   Software Release   Change Note
October, 2006     01                  1.1                New product release, Hardware and Software.
January, 2007     02                  1.2                New product release, Hardware and Software.
February, 2007    AA                  1.2                New product release, Hardware and Software.
June, 2007        AB                  1.3                Added support for Modbus, WAN, VPN, NAT, SSH. New chapter structure.
September, 2007   AC                  1.3.4              Added support for WAN port functionality.


PATENTS

As to equipment proposed and furnished by GarrettCom, GarrettCom shall defend any suit or proceeding brought against purchaser so far as based on a claim that said equipment constitutes an infringement of any patent of the United States, if notified promptly in writing and given authority, information, and assistance at GarrettCom's expense for the defense of the claim. In the event of a final award of costs and damages from such a suit, GarrettCom shall pay such award. In the event the use of said equipment by purchaser is enjoined in such a suit, GarrettCom shall, at its own expense, and at its sole option either (a) procure for purchaser the right to continue using equipment, (b) modify said equipment to render it non-infringing, (c) replace said equipment with non-infringing equipment, or (d) refund the purchase price (less depreciation) and transportation and installation costs of said equipment. GarrettCom will not be responsible for any compromise or settlement made without its written consent. The foregoing states the entire liability of GarrettCom for patent infringement, and in no event shall GarrettCom be liable if the infringement charge is based on the use of GarrettCom equipment for a purpose other than that for which it was sold by GarrettCom. As to any equipment furnished by GarrettCom to purchaser and manufactured in accordance with designs proposed by purchaser, purchaser shall indemnify GarrettCom against any award made against GarrettCom for patent, trademark, or copyright infringement.

RETURN OF EQUIPMENT

No equipment may be returned without purchaser first obtaining GarrettCom's written Return Material Authorization (RMA). An RMA can be obtained by contacting Sales at 978.688-8807.

Equipment accepted for credit, not involving a GarrettCom error, shall be subject to all the terms of the original purchase contract and to a service charge. Returned equipment must be of current manufacture, unused, and in reasonable condition, securely packed to reach GarrettCom without damage, shipped F.O.B. GarrettCom facility with transportation charges paid, and labeled with Return Material Authorization (RMA) number. Any cost incurred by GarrettCom to put equipment in first class condition will be charged to purchaser.

COMPLIANCE NOTICES

FCC Part 15

This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his/her own expense.

In order to maintain compliance with FCC regulations shielded cables must be used for electrical I/O with this equipment. Operation with non-approved equipment or unshielded cables may result in interference to radio and television reception.

Changes or modifications could void the user’s authority to operate the equipment. The user is cautioned not to change or modify this product.


IC CS03 (Industry Canada)

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the interference-causing equipment standard entitled “Digital Apparatus”, ICES-003 of the Department of Communications. (French version: This digital apparatus complies with the radio noise limits applicable to Class A digital apparatus prescribed in the interference-causing equipment standard “Appareils Numériques”, NMB-003, issued by the Minister of Communications.)

EN55022

Warning: This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

SAFETY

WARNING: Service to this unit may be performed only by factory-authorized personnel. Failure to observe this caution can result in malfunction of the unit as well as electrocution of personnel.

Avertissement (French version): This unit may be examined or repaired only by an employee authorized by the manufacturer. If this instruction is not followed, there is a risk of equipment failure and of electrocution.

Vorsicht (German version): This unit may be serviced only by the factory's authorized service personnel. Failure to observe this rule can cause the unit to malfunction and expose personnel to electric shock.

Table 2-1. Industry Canada Warnings (Avis d’Industrie Canada)

Notice:

Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. The customer should be aware that compliance with the above conditions may not prevent degradation of service in some situations.

Repairs to certified equipment should be coordinated by a representative designated by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment.

Avis (French version of the notice):

Before installing this equipment, the user must ensure that it is permitted to connect it to the facilities of the local telecommunications company. The equipment must also be installed using an accepted method of connection. The subscriber should not forget that compliance with the conditions stated above may not prevent degradation of service in some situations.

Repairs to certified equipment must be coordinated by a representative designated by the supplier. The telecommunications company may ask the user to disconnect a device following repairs or alterations made by the user, or because of a malfunction.

Users should ensure for their own protection that the electrical ground connections of the power utility, telephone lines, and internal metallic water pipe system, if present, are connected together. The precaution may be particularly important in rural areas.

(French version): For their own protection, users must ensure that all grounding wires of the electrical power source, the telephone lines, and the metallic water pipes, if any, are connected together. This precaution is particularly important in rural areas.


Service Personnel Warning

The DX series devices may be AC or DC powered. Remove all power connections at the circuit panel before removing the unit.

The installation of this product must comply with all applicable codes and practices specified by the country, city, and operating company in which it is installed.

Grounding

For all units requiring grounding, use a grounding wire with a minimum size of 14 AWG and a maximum length of five feet.

The DX40 is equipped with an external grounding screw (6-32 pan head). The grounding screw should be torqued to 10 inch pounds (1.1 Nm).

The DX800 and DX900 are equipped with an external grounding bolt (#10/32 UNF-2B). The ground lug bolt should be torqued to 32 inch pounds (3.6 Nm).

CONTACTING GARRETTCOM UTILITY NETWORKS

By Mail:
GarrettCom Utility Networks
25 Commerce Way #1
North Andover, MA 01845

Telephone: 978.688-8807

Fax: 978.688-8771

Website: www.garrettcom.com

Email: [email protected]

Customer support representatives are available during normal business hours, 8 am to 5 pm EST.


TABLE OF CONTENTS

Preface
  About This Manual ..... xv
  Conventions ..... xvi
  Related Documents ..... xvi
  Web Access ..... xvi
  Your Comments ..... xvi

CHAPTER 1: OVERVIEW
  1.1 Features and Benefits ..... 1
    1.1.1 Magnum DX40 Serial Device Router ..... 1
    1.1.2 Magnum DX800 Serial Device Router ..... 1
    1.1.3 Magnum DX900 Industrial Router ..... 1
    1.1.4 GarrettCom-hardened ..... 2
    1.1.5 Features Summary ..... 2
  1.2 Applications/Topologies – Magnum DX800 ..... 7
    1.2.1 Integrated Substation Network ..... 7
    1.2.2 Standalone Local Communications Platform ..... 8
    1.2.3 Remote Network Concentration ..... 9
    1.2.4 Distributed Local Network using Ethernet ..... 10
    1.2.5 Distributed Regional Fiber-optic Network ..... 11
  1.3 Applications/Topologies – Magnum DX900 ..... 12
  1.4 Applications/Topologies – Magnum DX40 ..... 12
    1.4.1 Linking WAN and Remote Site ..... 13
    1.4.2 Fiber-based Extension of WAN to Serial Devices ..... 13
    1.4.3 Daisy Chain Topology ..... 14
    1.4.4 Paired Point-to-Point ..... 14

CHAPTER 2: GETTING STARTED
  2.1 Hardware Installation ..... 15
  2.2 Software Management ..... 15
    2.2.1 Configuring a New IP Address ..... 15
  2.3 The Administrator Interface Overview ..... 17
    2.3.1 Navigation Tree ..... 19

CHAPTER 3: SYSTEM ADMINISTRATION
  3.1 Administration Tasks ..... 25
    3.1.1 System Information ..... 25
    3.1.2 Time ..... 27
      3.1.2.1 Time: Time and Date ..... 27
      3.1.2.2 Time: Zone and DST ..... 28
      3.1.2.3 Time: Persistence ..... 29


    3.1.3 SNTP ..... 30
      3.1.3.1 SNTP: Global Settings ..... 30
      3.1.3.2 SNTP: Servers ..... 31
    3.1.4 SNMP ..... 32
      3.1.4.1 SNMP: Global Settings ..... 32
      3.1.4.2 SNMP: Management Stations ..... 34
      3.1.4.3 SNMP: Trap Stations ..... 35
      3.1.4.4 SNMP: Users ..... 36
      3.1.4.5 SNMP: Statistics ..... 37
    3.1.5 Authentication ..... 41
      3.1.5.1 Authentication: Policies ..... 41
      3.1.5.2 Authentication: Accounts ..... 44
      3.1.5.3 Authentication: Files ..... 46
    3.1.6 Sessions ..... 47
      3.1.6.1 Sessions: Policies ..... 47
      3.1.6.2 Sessions: Active Logins ..... 48
    3.1.7 Change Password ..... 49
    3.1.8 Software Upgrade ..... 49
      3.1.8.1 Software Upgrade States ..... 50
    3.1.9 Configuration ..... 53
      3.1.9.1 Configuration: Files ..... 53
      3.1.9.2 Configuration: Defaults ..... 55
    3.1.10 System Reboot ..... 55
  3.2 Events Tasks ..... 56
    3.2.1 Logs ..... 56
      3.2.1.1 Logs: Global Settings ..... 60
      3.2.1.2 Logs: Files ..... 62
    3.2.2 Syslog ..... 63
      3.2.2.1 Syslog: Global Settings ..... 63
      3.2.2.2 Syslog: Collectors ..... 64
  3.3 Ethernet Tasks ..... 65
    3.3.1 Ports ..... 65
      3.3.1.1 Ports: Settings ..... 65
      3.3.1.2 Ports: Status ..... 67
      3.3.1.3 Ports: Summary Statistics ..... 68
      3.3.1.4 Ports: Extended Statistics ..... 69
      3.3.1.5 Ports: Mirroring ..... 72
    3.3.2 Bridge ..... 73
      3.3.2.1 Bridge: Global Settings ..... 74
      3.3.2.2 Bridge: Port Settings ..... 75
      3.3.2.3 Bridge: Static MACs ..... 76
      3.3.2.4 Bridge: Station Cache ..... 77
    3.3.3 RSTP ..... 79
      3.3.3.1 RSTP: Bridge Settings ..... 79
      3.3.3.2 RSTP: Port Settings ..... 80
      3.3.3.3 RSTP: Bridge Status ..... 82
      3.3.3.4 RSTP: Port Status ..... 83
    3.3.4 VLAN ..... 85
      3.3.4.1 VLAN: Global Settings ..... 85
      3.3.4.2 VLAN: VIDs ..... 86
      3.3.4.3 VLAN: Port Settings ..... 87


  3.4 Serial Tasks ..... 89
    3.4.1 Ports ..... 89
      3.4.1.1 Ports: Profiles ..... 89
      3.4.1.2 Ports: Settings ..... 93
      3.4.1.3 Ports: Status ..... 94
      3.4.1.4 Ports: Statistics ..... 95
    3.4.2 Terminal Server ..... 96
      3.4.2.1 Terminal Server: Channel Settings ..... 96
      3.4.2.2 Terminal Server: Channel Status ..... 98
      3.4.2.3 Terminal Server: Connections ..... 100
    3.4.3 Frame Relay ..... 101
      3.4.3.1 Frame Relay: Channel Settings ..... 101
      3.4.3.2 Frame Relay: Connections ..... 103
    3.4.4 Modbus ..... 103
      3.4.4.1 Modbus: Local Masters ..... 104
      3.4.4.2 Modbus: Local Slaves ..... 105
      3.4.4.3 Modbus: Remote Slaves ..... 107
      3.4.4.4 Modbus: Connections ..... 108
  3.5 WAN Tasks ..... 109
    3.5.1 Port Settings (DDS) ..... 109
    3.5.2 Port Settings (T1/E1) ..... 110
    3.5.3 Port Status ..... 112
    3.5.4 Frame Relay ..... 114
    3.5.5 DLCI Settings ..... 116
    3.5.6 DLCI Status ..... 117
  3.6 Routing Tasks ..... 118
    3.6.1 IP Addresses ..... 118
    3.6.2 Static Routes ..... 120
      3.6.2.1 Specifying a Default Gateway ..... 121
    3.6.3 Table ..... 121
    3.6.4 ARP Table ..... 122
    3.6.5 RIP ..... 123
      3.6.5.1 RIP: Global Settings ..... 123
      3.6.5.2 RIP: Interface Settings ..... 125
    3.6.6 NAT ..... 125
      3.6.6.1 NAT: Global Settings ..... 126
      3.6.6.2 NAT: Translations ..... 127
    3.6.7 DHCP Server ..... 128
      3.6.7.1 DHCP Server: Host Parameters ..... 128
      3.6.7.2 DHCP Server: Static Addresses ..... 129
      3.6.7.3 DHCP Server: Dynamic Addresses ..... 131
      3.6.7.4 DHCP Server: Leases ..... 132
  3.7 Security Tasks ..... 134
    3.7.1 Certificates ..... 134
      3.7.1.1 Certificates: Local ..... 134
      3.7.1.2 Certificates: Trusted ..... 135
    3.7.2 Ethernet Port ..... 136
    3.7.3 Serial/SSL ..... 138
    3.7.4 Web Server ..... 140
    3.7.5 CLI ..... 141
    3.7.6 Firewall ..... 142
      3.7.6.1 IP Interface Groups in General ..... 142
      3.7.6.2 Firewall: IP Interfaces ..... 142

Magnum Network Software - DX Administrator’s Guide ix

CONTENTS

3.7.6.3 Firewall: Interface Groups .... 143
3.7.6.4 Firewall: IP Filters .... 144

3.7.7 RADIUS .... 145
3.7.7.1 RADIUS: Global Settings .... 146
3.7.7.2 RADIUS: Servers .... 147

3.7.8 VPN .... 148
3.7.8.1 VPN: Global Settings .... 148
3.7.8.2 VPN: Profiles .... 149
3.7.8.3 VPN: Authentication .... 150
3.7.8.4 VPN: Tunnels .... 152
3.7.8.5 VPN: Status .... 153
3.7.8.6 VPN: Details .... 154

3.8 Wizards .... 156
3.8.1 The Router Setup Wizard .... 156
3.8.2 The Certificate Creation Wizard .... 156

CHAPTER 4: THE CLI AND PROTOCOL MONITOR
4.1 CLI Access .... 157
4.2 CLI Functionality .... 158
4.2.1 Keyboard Navigation in the CLI .... 159
4.2.2 Global Commands .... 159
4.2.3 Basic and Specific Commands .... 160
4.2.3.1 The bridge Command .... 161
4.2.3.2 The config Command .... 161
4.2.3.3 The ethernet Command .... 163
4.2.3.4 The firewall Command .... 165
4.2.3.5 The fr Command .... 167
4.2.3.6 The ip Command .... 169
4.2.3.7 The monitor Command .... 170
4.2.3.8 Protocol Monitor Output Example .... 173
4.2.3.9 The ping Command .... 174
4.2.3.10 The rstp Command .... 175
4.2.3.11 The session Command .... 177
4.2.3.12 The ssh Command .... 178
4.2.3.13 The system Command .... 179
4.2.3.14 The vlan Command .... 179
4.2.3.15 The wan Command .... 181
4.2.3.16 The web Command .... 182

CHAPTER 5: OPERATIONAL GUIDE
5.1 Frame Relay .... 183
5.1.1 Wide Area Network Ports .... 183
5.1.2 Data Link Channel Identifiers .... 183
5.1.3 Quality of Service .... 184

5.2 IP Addressing and Routing .... 184
5.2.1 Default Configuration .... 184
5.2.2 Router Interfaces .... 184
5.2.3 VLAN Interfaces .... 184


5.2.4 IP Address Table .... 185
5.2.5 Routing Table .... 185
5.2.6 Routing Information Protocol .... 185

5.3 Network Address Port Translation .... 185
5.4 DHCP Server .... 185
5.5 SNMP .... 186
5.5.1 Version Support .... 186

5.6 RSTP .... 186
5.6.1 RSTP Setup .... 187
5.6.1.1 BPDUs .... 187
5.6.1.2 Bridge Roles .... 188
5.6.1.3 Port Roles .... 188
5.6.1.4 Edge Ports and Point-to-Point Links .... 188
5.6.1.5 Port States .... 189
5.6.2 RSTP Normal Operation .... 189
5.6.3 Design Considerations .... 189
5.6.3.1 Configuring Bridge Settings .... 190
5.6.3.2 Configuring Port Settings .... 190

5.7 VLAN .... 191
5.7.1 Adding VLANs .... 191
5.7.1.1 VLAN IDs .... 191
5.7.2 Configuring Ports for VLAN Membership .... 191
5.7.2.1 Port VLAN IDs .... 191
5.7.2.2 Tagging .... 191
5.7.2.3 Filtering .... 192
5.7.2.4 Frame Classification and Forwarding .... 192
5.7.3 VLANs and Serial Ports .... 193
5.7.3.1 Example Scenario .... 194

5.8 Security .... 195
5.8.1 Ethernet Port Security .... 195
5.8.1.1 Address Locking .... 196
5.8.1.2 Link Locking .... 196
5.8.2 Serial Port Security .... 196
5.8.2.1 Serial Data Over SSL .... 196
5.8.2.2 MNS-DX SSL Version Support .... 197
5.8.2.3 Secure Web Server using HTTP over SSL (https://) .... 197
5.8.3 Keys and Certificates .... 197
5.8.3.1 RSA Public Key Cryptography .... 198
5.8.3.2 Digital Signatures .... 198
5.8.3.3 X.509 Certificates .... 198
5.8.3.4 Certificate Authority .... 198
5.8.3.5 MNS-DX Certificate Files .... 199
5.8.3.6 MNS-DX Key Files .... 199
5.8.3.7 Key Exchange .... 201
5.8.3.8 Peer Authentication .... 201
5.8.3.9 Certificate and Key File Generation .... 201
5.8.3.10 Certificate and Key File Installation .... 203
5.8.4 IP Firewall .... 204
5.8.5 RADIUS Support .... 204
5.8.6 DX-Series Cipher Support .... 204


5.9 VPN .... 205
5.9.1 Key Management .... 206
5.9.2 Peer Authentication .... 206
5.9.3 Packet Integrity and Confidentiality .... 206
5.9.4 Profiles .... 207
5.9.5 Tunnels .... 207
5.9.6 IKE .... 207
5.9.6.1 Tunnel Lifetimes .... 208
5.9.7 Configuring a VPN .... 208

5.10 SSH .... 209

5.11 Modbus .... 209
5.11.1 Network Topologies .... 209
5.11.2 Serial Protocol Variants .... 210
5.11.3 Network Protocol .... 211
5.11.4 Exception Handling .... 211
5.11.5 TCP Connection Handling .... 212

5.12 User Account Management .... 213
5.12.1 User Groups .... 213

Appendix A: Terminal Server Application Notes
A.1 What is a Terminal Server? .... 215
A.1.1 Serial Protocol Standards .... 215
A.1.2 Networking Standards .... 215
A.2 Bridging the Gap between Serial and Network Communication .... 216
A.3 Terminal Server Operation .... 217
A.3.1 Passive Mode Channels .... 217
A.3.2 Active Mode Channels .... 218
A.3.3 Mixed Mode .... 218
A.3.4 Session Type .... 218
A.4 Application #1: Device Console Access .... 219
A.5 Application #2: Serial-over-TCP/IP Tunnel .... 221
A.6 Application #3: Multipoint SCADA .... 223
A.7 Using MNS-DX Secure Serial Ports .... 225
A.8 Application #4: Serial-over-Secure-TCP Tunnel .... 225
A.9 Troubleshooting Terminal Server SSL Connections .... 228

Appendix B: Port and Type Reference
B.1 Well Known TCP/UDP Network Ports .... 231
B.2 ICMP Types .... 234

Appendix C: Frame Relay Provisioning
C.1 Introduction .... 237
C.2 DDS Interface Configuration .... 238
C.3 T1/E1 Interface Configuration .... 241


C.4 Frame Relay Configuration .... 243
C.4.1 The LMI Protocol .... 244
C.4.1.1 Fragmentation Size .... 244
C.4.1.2 LMI Types .... 244
C.4.1.3 LMI Modes .... 244
C.5 Provisioning Frame Relay Applications .... 246
C.5.1 IP Applications .... 246
C.5.1.1 DLCI Configuration .... 246
C.5.1.2 Configuring IP Router-Related Items .... 248
C.5.2 Serial Tunnel over FR (Direct to Frame) Applications .... 251
C.5.2.1 Define Additional DLCIs .... 251
C.5.2.2 Map DLCI Circuits to Serial Ports .... 252

Appendix D: Third Party Licenses
D.1 GNU LESSER GENERAL PUBLIC LICENSE .... 255

Glossary ................................................................................................................................................. 261

Index ......................................................................................................................................................... 267


Preface

ABOUT THIS MANUAL

This manual provides the Administrator with instructions on how to use the Magnum Network Software – DX (MNS-DX) to configure, manage, and monitor the Magnum DX family of products. This manual contains a basic description of the MNS-DX, the basics of using the DXOS and its hierarchical menu structure, and instructions for configuring the MNS-DX for specific applications. The specific applications and configurations covered are IP Routing and Terminal Server operation. The chapters and appendices are presented as follows:

Chapter 1, “Overview” - This chapter describes the specific features of the MNS-DX.

Chapter 2, “Getting Started” - This chapter describes the initial setup of MNS-DX, explains its user interface, and provides an annotated and hyperlinked map of user-accessible screens.

Chapter 3, “System Administration” - This chapter provides a detailed field-by-field guide to the screens of the user interface.

Chapter 4, “The CLI and Protocol Monitor” - This chapter describes the protocol monitor and command line configuration functionality.

Chapter 5, “Operational Guide” - This chapter provides detailed information on a number of DX features to broaden understanding and suggest some guidelines for making configuration decisions.

Appendix A, “Terminal Server Application Notes” - This appendix provides a detailed explanation of how to implement terminal server functionality on a DX800.

Appendix B, “Port and Type Reference” - This appendix provides a table of well known TCP/UDP network ports and a table of ICMP types.

Appendix C, “Frame Relay Provisioning” - This appendix provides a detailed explanation of how to configure a DX900 for Frame Relay support.

Glossary - A list of acronyms and other technical terms used in this manual.


CONVENTIONS

Graphically distinctive alerts labeled either “Note” or “Caution” (illustrated below) are interspersed throughout this manual. These alerts call your attention to useful information related to the text immediately following the alert. Notes provide supplemental information or a point of emphasis. Cautions warn you of the risk of poor system performance or of system failure.

NOTE: Notes provide you with helpful information about an upcoming step or action. If you do not use the information contained in a Note there is no risk of harm to the system, but using the information will improve performance and/or increase your understanding.

CAUTION: A caution warns you that you should take some action to avoid poor system performance or system failure.

RELATED DOCUMENTS

• Magnum DX800 Serial Device Router Installation Guide
• Magnum DX40 Serial Device Router Installation Guide
• Magnum DX900 Serial Device Router Installation Guide

WEB ACCESS

All of the MNS-DX manuals are also available in .pdf format on the GarrettCom Utility Networks website, www.garrettcomun.com.

YOUR COMMENTS

If you find an error or have a helpful tip on the layout or informational content of this or any other GarrettCom manual, please feel free to contact us via email with any problems or helpful information. All enquiries will be responded to with a correction or whatever resolution is required. Please send all comments to [email protected] or phone a support engineer at 978.688.8807.


Chapter 1: Overview

1.1 Features and Benefits

MNS-DX is the operating system for the DX series of networking devices, which provide secure multiprotocol networking in compact, rugged packages purpose-built for power utility substations and other harsh environments. Cyber-security protection is assured by encrypted per-connection SSL and IPsec VPN capabilities, an IP Firewall, and port security features.

The series includes the Magnum DX40 Serial Device Router and the Magnum DX800 Serial Device Router.

1.1.1 Magnum DX40 Serial Device Router

The DX40's dual-serial, dual-Ethernet configuration supports several flexible configurations. In addition to serving as an IP router, it provides resilient dual fiber-based extension from a core Ethernet network to serial devices distributed across a large facility. It serves as a multiprotocol concentration and access point for a fiber-based Ethernet wide area network connection to a small site.

Encrypted per-connection SSL and IPsec VPN capabilities, along with the IP Firewall and port security features, extend cyber-security protection cost-effectively all the way to end-point devices and small facilities.

1.1.2 Magnum DX800 Serial Device Router

The DX800 combines the capabilities of an Ethernet Switch, an Async-to-TCP/IP Terminal Server and an IP Router in a single integrated device.

Dual fiber Ethernet connectivity coupled with Rapid Spanning Tree and IP routing capabilities ensure resilient backbone communications.

The DX800 provides full perimeter protection with IP Firewall and IPsec VPN features when used as an edge router/terminal server at remote critical facilities. Per-session encrypted SSL capabilities permit fine-grained security extended to end-point connections when used as a distributed terminal server in larger installations.

1.1.3 Magnum DX900 Industrial Router

The DX900 Industrial Router provides most of the functionality of the DX800 Serial Device Router. In addition, it enables remote network connectivity to substations, transportation systems and other remote industrial sites using Digital WAN services such as DDS, T1/E1, frame relay, TDM, IP and MPLS-based VPN services.


CHAPTER 1 - Overview: Features and Benefits

1.1.4 GarrettCom-hardened

The DX40/800 devices are multi-function, multi-protocol networking platforms that are purpose-built for distributed industrial automation applications such as Supervisory Control and Data Acquisition (SCADA) systems. They support a wide range of communications interfaces used by industrial devices, enabling multiple generations of remote devices and support systems to be consolidated onto a single integrated network infrastructure. The DX40/800 devices also operate effectively in extremely harsh environmental conditions such as those within power utility substations, pumping stations, treatment plants, transportation systems, pipelines and wind farms. This robustness is primarily due to extended-range specifications in areas such as electromagnetic interference, temperature and electrical surges. Most other networking products will fail when facing these conditions.

DX series devices have been rigorously tested to extreme industrial specifications for temperature, electrical surge protection and immunity. They are packaged in steel or steel and aluminum cases with no fans or moving parts and have been subjected to manufacturing test and control processes that include temperature cycling and prolonged product burn-in to ensure reliability delivered to the field. Physical product reliability is complemented by advanced network resiliency features that enable redundant and dual-routed network designs that protect network availability despite facility/element failures.

1.1.5 Features Summary

Table 1-1 summarizes the hardware features of the DX series of products.

Table 1-1. Hardware Features Summary

Feature Details

Connectivity

DX40 • 2 Ethernet ports

— 2 100FX multi/single mode SFP, OR

— 1 100FX multi/single mode SFP and 1 10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX

• 2 programmable RS232/485 serial ports

DX800 • 4 Ethernet ports

— 2 100FX multi/single mode SFP

— 2 10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX

• 4 programmable RS232/485 serial ports

DX900 • 1 DDS or T1/E1 WAN port

• 4 Ethernet ports (10/100 BaseT, RJ45 Auto-Negotiation and Auto-MDIX)

• 4 programmable RS232/485 serial ports


Power Options • High (90-250 VAC or VDC)

• Low (24-48 VDC)

Mounting Options • Panel

• DIN-rail

• 19” rack (DX800 only)

Compliance • IEEE 1613/IEC 61850-3 requirements for power utility substations

• EN55022A, FCC Part 15A emissions standards

• NERC / CIP Cyber-security mandates

Table 1-2 summarizes the software features of the MNS-DX.

Table 1-2. Software Features Summary

Feature Details

Serial Port Management • Up to 8 serial profiles

• Serial data statistics

• RS-232 (Full/Half) & RS-485 (Full/Half) supported via software selection

• Data rates from 300 baud to 230 kbps

• 7 or 8 data bits

• 1, 1.5, or 2 stop bits

• Even, Odd, or No Parity

• Hardware and Software (XON/XOFF) Flow Control

• Packetization options

— Forward on specific character, idle time, or packet size

— Turnaround timer

Terminal Server • Active, passive, and mixed connection modes

• Telnet and raw TCP sessions

• Multiple incoming connections per serial port


WAN Port Management (DX900)

• DDS: 56 kbps

• T1/E1: 1.544 Mbps / 2.048 Mbps G.703

• Full rate and fractional (N*56/64kbps)

• Integral CSU/DSU

• Frame relay, IP

• Local Management Interface (LMI) type: LMI, CCIT, ANSI, or None

• LMI mode: User or Net

• End-to-End fragmentation

Ethernet Port Management • Supported media types include 10/100BaseTX and 100FX

• 10, 100, or Auto speed selections for 10/100BaseTX Auto-Negotiation and Auto-MDIX

• Half or full duplex operation for 10/100BaseTX

• Ethernet frame statistics

Ethernet Switching • Maximum Station Cache capacity of 1,024 random MAC addresses

• Up to 64 static MAC addresses

• Purge Dynamic Cache Entries

• 802.1D-compliant Learning Bridge

IP Routing • Supports distinct IP addresses for each physical and virtual switch interface

• Up to 64 Static IP Routes

• RIP/RIP2

Rapid Spanning Tree Protocol (RSTP)

• STP

• RSTP

VLANs • Up to 16 different VLANs

• Tagged and untagged operation

• VLAN security (tag-based filtering)

• Optional egress tag stripping


Security • Secure Web Server using HTTP over SSL (https://)

• User authentication via RADIUS

• Authenticated and encrypted terminal server connections over SSL

• RSA public key and X.509 certificate management and generation

• Web-based upload of new keys and certificates

• Supports a number of SSL and TLS cipher suites that include support for RSA public keys, 3DES/AES/RC4 encryption, and MD5/SHA1 hashing

• Firewall filters IP packets per-interface based on source IP, destination IP, IP protocol, and TCP/UDP port and/or ICMP message type

IPsec VPNs • Supports single public interface for IKE negotiation

• Diffie-Hellman Groups 1 & 2

• Peer authentication with pre-shared key (PSK) or RSA/X.509 certificates

• ESP tunnel-mode encapsulation using 3DES, AES, MD5, and/or SHA-1

• Tunnels can be established host-to-host, subnet-to-subnet, or host-to-subnet

Embedded Web Server (HTTP/HTTPS)

• Primary User Interface

• Compatible with standard web browsers (such as Internet Explorer or Firefox)

User Account Management • Configurable security policies

• Up to 16 user accounts

• Stored passwords are hashed using MD5

Configuration File Management • XML Configuration Files

• Web-based Upload/Download

• Multiple configurations stored in Flash File System

Software Image Management • Software upgrade with revert capability

• Web-based upload of new software images

Time and Date Management • Real-time clock support

• Active or passive-mode SNTP client

• Time offsets, time zone and Daylight Saving Time support

• Up to 3 SNTP servers can be specified for redundancy

Table 1-2. Software Features Summary

Feature Details


Event Logging
• Flexible logging options
• Log files stored in the flash file system
• SYSLOG capability
• Up to 5 remote collectors may be specified

SNMP v1/v2c/v3 Agent
• Supports the User-based Security Model (USM) when v3 is enabled
• MIB-II and SNMPv2 traps
• Up to 4 remote management/trap destinations may be specified

Modbus/TCP
• Modbus/TCP to Modbus/RTU or Modbus/ASCII encapsulation
• Support for multiple masters and slaves
• Maps Modbus device addresses to configurable remote IP addresses
• Enables multi-master access to slaves on a single bus by serializing Modbus requests at the server, a capability not possible in normal serial Modbus

Network Address and Port Translation (NAT)
• Maps external IP addresses and ports to internal IP addresses and ports
• Manual configuration of address/port translations going from the public to a private interface
• Dynamic translations going from a private to the public interface

Dynamic Host Configuration Protocol (DHCP) Server
• Manual and dynamic address allocation
• Up to 100 reserved addresses may be specified
• Each address range or manual address may be assigned distinct host parameters such as default gateway, DNS server, and DNS suffix

Protocol Monitor
• Sniffs ingress and egress packets on any port
• Filter by MAC address, IP address, TCP port, or protocol
• Displays frame addresses, ports, protocol identifier, and data payload


1.2 Applications/Topologies – Magnum DX800
The DX800 combines the capabilities of an Ethernet Switch, an Async-to-TCP/IP Terminal Server and an IP Router in a single integrated device. This feature set, depicted in Figure 1-1, enables several important applications, each building on the ability to combine serial- and Ethernet-based industrial devices on a common communications network.

Figure 1-1. Device Consolidation in a DX800

1.2.1 Integrated Substation Network
The Integrated Substation Network is GarrettCom's vision of an Ethernet-based infrastructure interconnecting substations and central operations systems, providing a communications solution for power utility substations encompassing both serial- and Ethernet-based devices. Numerous Intelligent Electronic Devices (IEDs) such as relays, sensors, meters and Remote Terminal Units (RTUs), as well as surveillance cameras, VOIP phones and other devices are connected in a substation Local Area Network (LAN); serial protocol devices are connected via GarrettCom routers or terminal servers, and various Ethernet devices are directly connected to DX Series devices. The substation LAN connects to a GarrettCom Wide Area Network (WAN) router to transmit data to central operations systems and centers for processing and storage.



Figure 1-2. Integrated Substation Network

1.2.2 Standalone Local Communications Platform
The DX800 provides a complete, local communications network within an industrial location, as depicted in Figure 1-3. The DX800 consolidates connections from a variety of industrial devices having differing communications interfaces, including Async serial connections at connection rates of 300 bps to 230.4 Kbps and IP-oriented Ethernet connections at 10 or 100 Mbps. This interface capability covers most RTUs, PLCs, Intelligent Electronic Devices (IEDs), industrial servers and other devices with digital data connectivity. An operator may use a Human Machine Interface (HMI) application to connect locally to all the devices within the site from a common connection point. The DX800 provides Ethernet switching of IP sessions directly among Ethernet-connected devices. TCP/IP based applications, such as the HMI, may also connect directly to serial devices, with the DX800 providing Async-to-TCP/IP terminal services.


Figure 1-3. DX800 Standalone Local Communications Platform Topology

1.2.3 Remote Network Concentration
When combined with a wide-area network access device, the DX800 provides an integrated point of interconnection for a number of devices in a remote industrial site. There are several wide area network options. Figure 1-4 depicts a wide area network and a wireless network. Since the DX800 provides an integrated IP Router capability, remote networks do not require a separate IP router device. The DX800 connects to a centralized system over a routed IP network, accessed using only a physical layer interface device such as a wireless modem or other WAN device.

Figure 1-4. Remote Network Concentration


1.2.4 Distributed Local Network using Ethernet
In addition to stand-alone deployments, multiple DX800s can form a distributed network within an industrial site using an Ethernet backbone. Typically the Ethernet backbone network is a resilient self-healing ring configuration. More complex configurations may combine multiple DX800s with larger scale Ethernet switching systems (such as GarrettCom's Ethernet Switch System - ESS) and/or with wide-area network gateways (such as GarrettCom's Industrial Frame Router - IFR). Figure 1-5 depicts an industrial site with multiple DX800s, each collecting a mix of serial and Ethernet traffic types. The "backbone" of this network is a resilient Ethernet ring. Rapid Spanning Tree Protocol (RSTP) and tag-based Virtual Local Area Networks (VLANs) combine to provide high-reliability, application-specific security and performance management capabilities that enable multiple diverse applications to share a common network infrastructure effectively. In this example, a GarrettCom Industrial Frame Router provides IP-over-frame relay network access and an integrated DDS or T1 CSU/DSU for interconnecting to carrier-provided wide area network services.

Figure 1-5. Distributed Local Network using Ethernet


1.2.5 Distributed Regional Fiber-optic Network
The optional extended-range fiber-optic network interfaces of the DX800 enable interconnection of a number of distributed industrial sites. The ring configurations and multi-application security and performance features described above for intra-site Ethernet connectivity all extend over inter-site single mode fiber-optic links at 100 Mbps. Figure 1-6 shows several sites interconnected on a resilient Ethernet ring using stand-alone DX800s connected to a GarrettCom Industrial Frame Router, such as a DS2000-IFR.

Figure 1-6. Distributed Regional Fiber-optic Network


1.3 Applications/Topologies – Magnum DX900
The DX900 provides all of the connectivity of the DX800, with the exception of the fiber optic ports option. In addition, the DX900's WAN port supports IP or Frame Relay traffic over a DDS or T1/E1 connection. Figure 1-7 depicts DX900s in support of a typical Frame Relay application.

Figure 1-7. Typical Frame Relay Network Topology

1.4 Applications/Topologies – Magnum DX40
The DX40 provides a rugged and secure solution for extending fiber-based connectivity to remote devices in harsh environments such as power utility substations. The DX40's dual-serial, dual-Ethernet configuration supports several flexible configurations.


1.4.1 Linking WAN and Remote Site
The DX40 serves as a multi-protocol concentration and access point for a fiber-based Ethernet wide area network connection to a small site.

Figure 1-8. Fiber-based extension of WAN to Serial Devices.

1.4.2 Fiber-based Extension of WAN to Serial Devices
The DX40 provides resilient dual fiber-based extension from a core Ethernet network to serial devices distributed across a large facility.

Figure 1-9. Fiber-based Extension of WAN to Serial Devices.


1.4.3 Daisy Chain Topology
The DX40 is readily adaptable to an Ethernet "bus" (daisy chain, dead end) configuration suitable for wind farm or pipeline applications.

Figure 1-10. Daisy Chain

1.4.4 Paired Point-to-Point
The DX40 can also be used as a Dymec Links replacement in situations where it is necessary to use fiber optics because of extended distances or because of the need to provide electrical isolation. As a Links replacement the DX40 has additional advantages, including full management capabilities and security features.

Figure 1-11. Point-to-Point


Chapter 2
Getting Started

2.1 Hardware Installation
Make power, ground, Ethernet, and serial connections to your DX device according to the instructions provided in your Installation Guide.

Note that configuration is done by an Ethernet connection between your local terminal and one of the Ethernet ports on the DX40/800.

2.2 Software Management
MNS-DX is implemented by an easily upgradeable software image and by configuration files.

Software images can be maintained and upgraded with the Manage Software Images Install screen (see Section 3.1.8, “Software Upgrade”), which loads an executable software image into non-volatile memory.

Configuration files can be maintained and upgraded with the Configuration Files screen (see Section 3.1.9, “Configuration”).

The DX device comes with a factory-supplied software image and configuration file. After you have completed the hardware installation you need only replace the default IP address with another that places your PC and the DX device on the same subnet. You can then access the DX’s supervisory software and begin to configure your system.

2.2.1 Configuring a New IP Address
Your DX is delivered with the default IP address 192.168.1.2. You must change this address to one that is valid on your network. To reach the DX with your web browser and make that change, however, you must first set the IP address of the PC network card that connects to the device to an address in the 192.168.1.x network.

The following example uses a fictional network card at IP address 223.223.223.2 and specifies a new address of 223.223.223.1 for the DX. Replace these values with the actual address of your network card and your preferred address for the DX.

1. Using your PC system software, change the IP address of your PC's network card from 223.223.223.2 to 192.168.1.3.

2. With your internet browser go to http://192.168.1.2. The Magnum DX Web Management Logon screen will appear.

Figure 2-1. Logon Screen

3. Log in with username manager, password manager.

4. In the Navigation Area of the browser screen click on Routing: IP Addresses.

5. In the System / VID 1 Address field replace 192.168.1.2 with 223.223.223.1.

6. Click Apply Settings.

7. Using your PC system software, reset your PC's Ethernet card to 223.223.223.2.

8. With your internet browser go to http://223.223.223.1. The Magnum DX Web Management Logon screen will appear. You are now communicating with the DX on your own network.

NOTE: The factory logon (manager/manager) and the plain-HTTP logon page are known to anyone who has read this guide. Before connecting the DX to a production network, change the manager password (Administration: Change Password), switch the web server to HTTPS (Security: Web Server), and click Save in the Global area so that the changes are written to the active configuration file.


2.3 The Administrator Interface Overview
The MNS-DX Administrator Interface enables you to view and edit system parameters through your web browser.

Figure 2-2 is an illustration of a typical administrator screen. Table 2-1 explains the functionality of the areas marked in the illustration.

Figure 2-2. MNS-DX Administrator Interface

Table 2-1. The Administrator Interface

Area Name Area Function

Navigation
The Navigation area contains a menu tree that can be expanded or collapsed to show all of the available interaction screens. Clicking on a leaf of the menu tree brings up the corresponding screen in the Interaction area.

Interaction
The Interaction area contains an HTML form where you can configure some aspect of the system. This area can also be used to display read-only information such as port statistics or event logs.

Global
The Global area contains controls that have a global effect on the current session.

• Click the Revert button to undo any unsaved changes to the system's configuration.

• Click the Save button to save the current system configuration in the active configuration file.

• Click the Save As button to save the current system configuration in a new configuration file.

• Click the Logout button to end the current session.

This area also displays text identifying the user name of the current user, the user-configurable system name of the node being managed, and the IP address of the node.

The screen displayed at start-up is the "System Information" screen (see Figure 3-1).

NOTE: A note on terminology: The descriptions of the visual display of the MNS-DX Administrator employ the terms "screen," "form," "table," and "button." These terms have the following meanings.

• Screen – the whole meaningful content of your browser, not including browser tool bars, status bars, and the like.

• Form – a portion of the screen whose primary purpose is to enable the entering of user-supplied information. A form contains fields that you can fill with keyboard input, by using drop-down menus, or by browsing to select a file on your local system. A form may also contain some read-only information.

• Table – a portion of the screen whose primary purpose is to provide the user with information, such as lists of addresses, installed configurations, status reports, etc. A table may or may not contain editable fields. A table often includes a checkbox to enable you to delete the contents of a row in the table.

• Buttons – labeled, clickable areas of the screen. Clicking a button performs the action described in its label. Most screens include buttons labeled Apply Settings, to save any changes you have made, and Reset Settings, to undo any changes you have made that have not yet been applied.


2.3.1 Navigation Tree
The menu tree supported in this release is as follows:

Table 2-2. Menu Tree

Screen                              Function

Administration Tasks

System Information                  View and edit identifying information.

Time
Time: Time and Date                 Set the system's time and date.
Time: Zone and DST                  Specify standard time and daylight saving time for your system.
Time: Persistence                   On reset use the last known good time and date (for device clocks without battery backup).

SNTP
SNTP: Global Settings               Configure mode and frequency of time synchronization.
SNTP: Servers                       Designate servers that will provide the correct time.

SNMP
SNMP: Global Settings               Configure network management (enable SNMP agent, control MIB access).
SNMP: Management Stations           Specify address(es) of station(s) to query SNMP agents.
SNMP: Trap Stations                 Specify address(es) of station(s) to receive SNMP traps.
SNMP: Users                         Manage user security provisions.
SNMP: Statistics                    Monitor 43 measures of SNMP performance.

Authentication
Authentication: Policies            Set number of failed logins before lockout and duration of lockout.
Authentication: Accounts            Maintain user accounts (names, passwords, etc.).
Authentication: Files               Upload new user definitions.

Sessions
Sessions: Policies                  Set the length of time a login session can be idle before it is automatically terminated.
Sessions: Active Logins             View IDs and uptime of active login sessions.

Change Password                     Change current user's password.
Software Upgrade                    Install a newer version of software.

Configuration
Configuration: Files                View and manage available configuration files.
Configuration: Defaults             Restore the system's default configuration.

System Reboot                       Shut down and restart the system.

Events Tasks

Logs
Logs: Global Settings               Enable logging of events and control log file number and size.
Logs: Files                         Display hyperlinks to available log files.

Syslog
Syslog: Global Settings             Enable/disable syslog protocol functionality.
Syslog: Collectors                  Specify IP addresses of syslog event collectors.

Ethernet Tasks

Ports
Ports: Settings                     Enable and disable Ethernet ports and set and view configurations (media type, flow control, FEFI).
Ports: Status                       Check capabilities and operational status of each Ethernet port.
Ports: Summary Statistics           View basic performance statistics for each Ethernet port.
Ports: Extended Statistics          View detailed performance statistics for each Ethernet port.
Ports: Mirroring                    Forward packets from one port on a DX800 to another for analysis.

Bridge
Bridge: Global Settings             View or set the aging interval for learned MAC addresses.
Bridge: Port Settings               Specify whether a port is routed or is part of the bridge.
Bridge: Static MACs                 Add or remove static MAC addresses in the bridge MAC address table.
Bridge: Station Cache               View a table of MAC addresses and the ports that access them.

RSTP
RSTP: Bridge Settings               Configure RSTP settings for the bridge.
RSTP: Port Settings                 Associate specific Ethernet ports with RSTP values (mode, priority).
RSTP: Bridge Status                 View RSTP counters and status for the bridge.
RSTP: Port Status                   View RSTP counters and status for specific Ethernet ports.

VLAN
VLAN: Global Settings               Enable/disable VLAN functionality.
VLAN: VIDs                          Assign VLAN IDs and view properties (tagged/untagged) of existing VIDs.
VLAN: Port Settings                 Assign ports to VLANs and set properties (mode, tagged/untagged).

Serial Tasks

Ports
Ports: Profiles                     Create a profile (10 attributes) for later assignment to a serial port.
Ports: Settings                     Enable and disable serial ports and assign profiles.
Ports: Status                       Check the status of a serial port.
Ports: Statistics                   Monitor the performance of a serial port.

Terminal Server
Terminal Server: Channel Settings   Add or remove terminal server channels.
Terminal Server: Channel Status     View the status of configured terminal server channels.
Terminal Server: Connections        Check status of currently active TCP/IP connections.

Frame Relay
Frame Relay: Channel Settings       Configure "direct-to-frame" serial channels.
Frame Relay: Connections            View the status of the current frame relay connections carrying serial traffic.

Modbus
Modbus: Local Masters               Configure a Modbus local master.
Modbus: Local Slaves                Configure a Modbus local slave.
Modbus: Remote Slaves               Configure a Modbus remote slave.
Modbus: Connections                 Monitor Modbus connections.

WAN Tasks

Port Settings (DDS)                 Configure the system's WAN ports to support a DDS connection.
Port Settings (T1/E1)               Configure the system's WAN ports to support a T1 or E1 connection.
Port Status                         View the current status of each WAN port in the system.
Frame Relay                         Configure the frame relay function of the system's WAN ports.
DLCI Settings                       Add and delete DLCIs.
DLCI Status                         View the status of existing DLCIs.

Routing Tasks

IP Addresses                        Configure IP addresses for VLANs and routed ports.
Static Routes                       Specify new and view existing static IP routes.
Table                               View the routing table.
ARP Table                           View and flush the Address Resolution Protocol (ARP) table.

RIP
RIP: Global Settings                Enable RIP and specify version and certain parameters.
RIP: Interface Settings             Specify whether RIP runs on a routed (non-bridged) interface.

NAT
NAT: Global Settings                Enable NAT on the public IP interface.
NAT: Translations                   Manage the Network Address and Port Translations table.

DHCP Server
DHCP Server: Host Parameters        Configure and assign groups of host parameters.
DHCP Server: Static Addresses       Manually configure IP addresses for particular DHCP clients.
DHCP Server: Dynamic Addresses      Configure ranges of addresses for dynamic assignment.
DHCP Server: Leases                 View the status of DHCP leases.

Security Tasks

Certificates                        Install and view PEM certificate files.
Certificates: Local                 Upload X.509 certificates.
Certificates: Trusted               Upload and mark as trusted X.509 certificates.
Ethernet Port                       Configure conditions for a security lockout on an Ethernet port.
Serial/SSL                          Configure Secure Sockets Layer for a serial port.
Web Server                          Configure HTTP or SSL preference and SSL key.
CLI                                 Configure SSH security on the command line interface.

Firewall
Firewall: IP Interfaces             Assign IP interfaces to groups and enable IP filtering on an interface.
Firewall: Interface Groups          Configure interface groups for filtering.
Firewall: IP Filters                Specify filtering criteria.

RADIUS
RADIUS: Global Settings             Configure remote authentication.
RADIUS: Servers                     Configure authentication servers.

VPN
VPN: Global Settings                Specify an IP address for IKE transactions.
VPN: Profiles                       Name and configure a set of encryption properties for a VPN tunnel.
VPN: Authentication                 Configure IPsec authentication methods.
VPN: Tunnels                        Link two IP addresses and assign a profile to create a VPN tunnel.
VPN: Status                         View the status of existing VPN security associations.
VPN: Details                        View tunnel error history.

Wizards

The Router Setup Wizard             Automate configuration of routing features.
The Certificate Creation Wizard     Automate the creation of RSA keys and certificates.


Chapter 3
System Administration

This chapter describes the specific functionality of the DX40/800’s supervisory software.

For an overview of the interface features see Section 2.3, “The Administrator Interface Overview”. For a list of all the available screens organized by function see Section 2.3.1, “Navigation Tree”.

3.1 Administration Tasks
The following subsections describe the tasks that you can perform using the screens of the Administration branch.

3.1.1 System Information
This screen enables you to view and edit information that identifies the system under management.

Figure 3-1. Administration: System Information

Table 3-1 describes the information that can be entered in the fields of the System Information screen. Each field can contain up to 256 printable ASCII characters.


Table 3-1. System Information

Field Name Field Value

System Name: Configurable MIB-II system name of up to 256 printable characters.

System Location: Configurable MIB-II system location of up to 256 printable characters.

System Contact: Configurable MIB-II system contact of up to 256 printable characters.

System Description: The system model number and current software version.

Upgrade State: The current software upgrade state.

IP Address: The system IP address. This may be changed from the IP Addresses screen, described in Section 3.6.1.

MAC Address: The System MAC Address. This address is defined at the factory and cannot be changed. All packets sourced from the management and terminal server functions use this MAC address as the Ethernet Source Address (SA). The system also responds to ARP requests using this MAC address.

In certain cases, an Ethernet port is assigned its own Port MAC Address. This address is calculated by adding the port number to the least significant octet of the System MAC Address and propagating any carry into the more significant octets. For example, if the System MAC Address is "00:20:61:5A:92:FE", then port E4's MAC address is "00:20:61:5A:93:02". A Port MAC Address is used when an Ethernet port is configured as a routed port, and as the Ethernet SA when the port sends BPDUs.

Free Space (KB): Number of KB free in the non-volatile file system.

Uptime: The time elapsed since the last system boot.
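The Port MAC Address rule in Table 3-1, written out as an added example (this is not code from the guide or from the MNS-DX software). It computes a Port MAC from a System MAC with the carry handled as described, runs the rule backwards so that a source address seen in a BPDU or a routed-port frame can be attributed to a port of a known DX, and builds an allow-list of the expected per-port addresses. Wrapping past 48 bits, accepting lower-case or hyphen-separated input, and the port counts used in the usage call are assumptions, since the guide does not specify them.

```python
MAC_MASK = (1 << 48) - 1   # 48-bit Ethernet address


def parse_mac(mac: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF' (colon or hyphen separated, any case) into an integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer in the guide's colon-separated upper-case form."""
    if not 0 <= value <= MAC_MASK:
        raise ValueError("MAC value out of 48-bit range")
    hexstr = f"{value:012X}"
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def port_mac(system_mac: str, port: int) -> str:
    """Port MAC = System MAC + port number, carries propagating into higher octets.

    Adding to the integer form does the octet carry for free. Masking to 48 bits
    (wrap-around at the top octet) is an assumption; the guide does not cover it.
    """
    if port < 1:
        raise ValueError("port numbers start at 1")
    return format_mac((parse_mac(system_mac) + port) & MAC_MASK)


def port_from_mac(system_mac: str, observed_mac: str, max_port: int):
    """Inverse rule: which port of the DX with this System MAC uses observed_mac?

    Returns the port number, or None when the address is the System MAC itself
    or lies outside the 1..max_port range of Port MACs.
    """
    diff = (parse_mac(observed_mac) - parse_mac(system_mac)) & MAC_MASK
    return diff if 1 <= diff <= max_port else None


def expected_port_macs(system_mac: str, port_count: int) -> dict:
    """{port_mac: port} allow-list, e.g. to check BPDU source addresses seen on the ring."""
    return {port_mac(system_mac, p): p for p in range(1, port_count + 1)}


if __name__ == "__main__":
    # System MAC taken from the guide's example; 8 ports is an assumed count.
    system = "00:20:61:5A:92:FE"
    for mac, port in expected_port_macs(system, 8).items():
        print(f"E{port}: {mac}")
```

Run stand-alone it prints the Port MAC of each port; the `port_from_mac` lookup is the piece to reuse in a detection rule that flags BPDUs whose source address is not one of an authorised device's Port MACs.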


3.1.2 Time
The following screens enable you to configure and preserve accurate time on your system.

3.1.2.1 Time: Time and Date
This screen enables you to configure the system time and date.

Figure 3-2. Administration: Time: Time and Date

Table 3-2 specifies the values that can be entered in the Time and Date screen.

Note the following features of the time and date functionality:

• When the system is first powered up, the time and date is undefined.

• The DX40 has an onboard real-time clock (RTC) with ride-through (capacitor backup) capability. The RTC may preserve the current time and date for up to 4 minutes under certain conditions. If the time and date persistence feature is enabled (see Section 3.1.2.3), the time and date will be set to the last saved time and date when the system power is cycled.

• The DX800 also has an onboard RTC, with a full battery backup. The RTC will preserve the current time and date for the life of the battery.

• If SNTP is enabled and a server is reachable, the system time and date will be refreshed from the server upon power up.

Table 3-2. Time and Date

Field Name Field Value

Time: The current time of day in the 24-hour hh:mm:ss format.

Date: The current date in the format mm/dd/yyyy.


3.1.2.2 Time: Zone and DST
This screen enables you to specify the standard time for your location as an offset from Coordinated Universal Time (UTC) and to specify the part of the year during which Daylight Saving Time (DST) will be in effect.

Figure 3-3. Administration: Time: Zone and DST

Table 3-3 describes the parameters you can view and edit in the Time: Zone and DST screen.

Table 3-3. Time: Zone and DST

Field Name Field Value

Standard Time=UTC: Your offset from the UTC. Value is in hours:minutes. Range is from -12:59 to 12:59

Daylight Saving Time: If enabled, use the following fields to specify the period of the year during which daylight saving time will be in effect, either by specifying the date and time of its beginning and end or by selecting a pre-defined national DST rule, which will automatically supply the beginning and ending values. System time will be automatically adjusted according to the specified dates.

If disabled, standard time will be used throughout the year.

Starts the first...: Specify the day, date, and time when DST begins.

Ends the first...: Specify the day, date, and time when DST ends.

Copy DST rule of: Select a pre-defined national DST rule from the drop-down list. This will automatically supply the beginning and ending values.

Examples of UTC offsets:

Zone            Standard   Daylight Saving
Eastern (US)    -5         -4
Pacific (US)    -8         -7
UK               0         +1

3.1.2.3 Time: Persistence
This screen enables you to set the time and date persistence feature (similar to the "Save Time Interval" feature offered by other manufacturers). It is used to support systems such as the DX40 that do not have a clock with battery backup. When the power to these systems is cycled, the clock may come up in an undefined state. With persistence enabled, the clock is set to the last known good time and date. This time and date will clearly not be correct, but it is likely to be close enough to the actual time and date that the system will be able to continue operating without difficulty.

This feature matters in an environment where a DX40 keeps its time and date current via an NTP server that it reaches through a VPN tunnel that uses certificates for authentication. If the power to the DX40 is cycled and the time and date come up in an undefined state, the VPN authentication will most likely fail, because the system's time and date would fall outside the validity period of the VPN peer's certificate. The system would then be unable to reach the NTP server and would be permanently cut off from the network. If instead the time and date are set to a value from the recent past, the VPN authentication succeeds, the tunnel is established, and the DX40 can resynchronize its time with the NTP server. Note that this only works if the saved time itself falls inside the peer certificate's validity period; a unit that has been powered off since before the certificate became valid still fails the check.

Figure 3-4. Administration: Time: Persistence

Table 3-4 specifies the parameter that you can set in the Time: Persistence screen.

Table 3-4. Time: Persistence

Field Name Field Value

Mode: Set to Enabled to use the persistence feature.
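The recovery sequence described in Section 3.1.2.3, modelled as an added example (not code from the guide or from the MNS-DX software): which clock value the unit starts with after a power cycle, the X.509 validity check that gates the certificate-authenticated tunnel, and the SNTP resynchronisation that can only happen once that tunnel is up. The peer certificate's validity window, the Unix epoch standing in for an "undefined" clock, and the RTC/persistence inputs are constructed assumptions; the real check is performed by the device's IPsec stack against the peer's certificate.

```python
from datetime import datetime, timezone


def utc(year, month, day, hour=0, minute=0):
    """Helper so that every timestamp in this model is an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed validity window of the VPN peer's X.509 certificate (assumption;
# the guide gives no dates).
PEER_NOT_BEFORE = utc(2007, 1, 1)
PEER_NOT_AFTER = utc(2012, 1, 1)

# Reading of an "undefined" clock after a power cycle. The guide only says the
# time is undefined; the Unix epoch is an assumed placeholder for a cleared RTC.
UNDEFINED_CLOCK = utc(1970, 1, 1)


def cert_time_valid(now, not_before=PEER_NOT_BEFORE, not_after=PEER_NOT_AFTER):
    """X.509 time check: the current time must lie inside [notBefore, notAfter]."""
    return not_before <= now <= not_after


def boot_clock(rtc_time, persistence_enabled, last_saved):
    """Clock value the DX starts with once power returns.

    rtc_time: reading preserved by the RTC (battery on the DX800, or the DX40's
              capacitor ride-through for a short outage), or None if it was lost.
    last_saved: time recorded by the persistence feature before the outage,
              or None if nothing was recorded.
    """
    if rtc_time is not None:
        return rtc_time
    if persistence_enabled and last_saved is not None:
        return last_saved
    return UNDEFINED_CLOCK


def power_cycle(rtc_time, persistence_enabled, last_saved, sntp_server_time):
    """Model the sequence clock -> peer certificate check -> tunnel -> SNTP resync.

    The NTP server sits behind the certificate-authenticated tunnel, so the clock
    is corrected only if the tunnel comes up. Returns (tunnel_up, resulting clock).
    """
    clock = boot_clock(rtc_time, persistence_enabled, last_saved)
    tunnel_up = cert_time_valid(clock)
    if tunnel_up:
        clock = sntp_server_time   # resynchronised through the tunnel
    return tunnel_up, clock


if __name__ == "__main__":
    now = utc(2008, 6, 1, 12)          # constructed "real" time at the SNTP server
    saved = utc(2008, 5, 31, 23)       # constructed last-known-good time on the DX40
    for label, args in [
        ("DX40, persistence off", (None, False, saved, now)),
        ("DX40, persistence on", (None, True, saved, now)),
        ("DX800, battery RTC", (utc(2008, 6, 1, 11, 59), False, None, now)),
    ]:
        up, clock = power_cycle(*args)
        print(f"{label}: tunnel {'up' if up else 'DOWN'}, clock {clock.isoformat()}")
```

The last scenario in the test below is the edge case that the persistence feature cannot fix: a saved time that predates the peer certificate's notBefore leaves the unit just as cut off as an undefined clock would.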


3.1.3 SNTP
The SNTP (Simple Network Time Protocol) screens enable you to maintain the correct time on your system by specifying and configuring SNTP servers.

3.1.3.1 SNTP: Global Settings
This screen enables you to configure Simple Network Time Protocol (SNTP) functionality to obtain the correct time from an SNTP server.

Figure 3-5. Administration: SNTP: Global Settings

Table 3-5 specifies the values that can be entered in the fields of the SNTP: Global Settings screen to set up the SNTP client.

If multiple SNTP servers are configured, the device will attempt to query the first SNTP server address. If the query is successful, it will acquire the time from that SNTP server. If the query is unsuccessful it will try the second configured server. If that is unsuccessful it will try the third. At the next polling interval, the device will again attempt to query the first SNTP server, followed by the second if necessary, then the third if necessary.

Table 3-5. SNTP Global Settings

Field Name Field Value

Mode: Indicates if and how the SNTP client should be used to set the system's time and date information. This parameter takes one of the following values:

• Active – system time and date information is taken from a configured SNTP server.

• Passive – system time and date information is retrieved from SNTP information that is broadcast periodically from an SNTP server.

• Disabled – SNTP will not be used to acquire the current time.

Polling Interval: The interval, in seconds, between queries to the SNTP server when Active mode is selected.

Default value = 60 (poll once per minute)

Valid Range = 16 - 16384


3.1.3.2 SNTP: Servers

This screen allows you to add and delete SNTP servers.

Figure 3-6. Administration: SNTP: Servers

Table 3-6 describes the fields of the SNTP: Servers screen, which is used to add and delete SNTP servers.

Table 3-6. SNTP Servers

Field Name Field Value

Add Server Form

Server IP: Enter the IP address of an SNTP server to be accessed.

Click Apply Settings to add this server to the Existing SNTP Servers Table.

Up to 3 servers may be added. If a server is down, the software tries the next configured server when retrieving the current time and date. Servers are identified by IP address only and no authentication key is configured, so any host that can answer in a server's place can set the device clock; keep the time sources on a trusted management network, since a wrong clock breaks certificate-based VPN authentication (see the Time: Persistence description).

Existing Servers Table

Server IP: Lists the IP address of any SNTP servers already configured.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that server.
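The failover rule from SNTP: Global Settings and the three-server table above, worked through as an SNTP client; this is an added example, not MNS-DX code. It builds the 48-byte request, validates each reply as RFC 4330 requires (version, mode, stratum, and that the reply echoes our Transmit Timestamp, which rejects stale or blindly spoofed answers), and tries the configured servers in order. The transport is a constructed in-memory function and the server addresses are documentation addresses; the device's real UDP socket and the Passive-mode broadcast listener are outside the example.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_LEN = 48               # RFC 4330 SNTP message without authenticator


def build_request(client_tx_ntp_secs):
    """48-byte client request: LI=0, VN=4, Mode=3, our clock in Transmit Timestamp."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    struct.pack_into(">II", pkt, 40, client_tx_ntp_secs, 0)
    return bytes(pkt)


def parse_response(pkt, expected_origin, modes=(4,)):
    """Sanity-check a reply per RFC 4330 section 5 and return Unix seconds.

    Active mode expects Mode 4 (server); for Passive mode pass modes=(5,) and
    expected_origin=None, since a broadcast cannot echo a request.
    Raises ValueError on any failed check.
    """
    if len(pkt) < PACKET_LEN:
        raise ValueError("short packet")
    li, vn, mode, stratum = pkt[0] >> 6, (pkt[0] >> 3) & 7, pkt[0] & 7, pkt[1]
    if vn not in (3, 4):
        raise ValueError("unsupported version %d" % vn)
    if mode not in modes:
        raise ValueError("unexpected mode %d" % mode)
    if li == 3:
        raise ValueError("server clock unsynchronized (LI=3)")
    if stratum == 0 or stratum > 15:
        # stratum 0 is a kiss-o'-death reply; 16 and above are unsynchronized
        raise ValueError("bad stratum %d" % stratum)
    origin, _ = struct.unpack_from(">II", pkt, 24)
    if expected_origin is not None and origin != expected_origin:
        # a reply that does not echo our Transmit Timestamp is stale or forged
        raise ValueError("originate timestamp mismatch")
    tx, _ = struct.unpack_from(">II", pkt, 40)
    if tx == 0:
        raise ValueError("zero transmit timestamp")
    return tx - NTP_UNIX_DELTA


def is_valid_reply(pkt, expected_origin, modes=(4,)):
    try:
        parse_response(pkt, expected_origin, modes)
        return True
    except ValueError:
        return False


def make_server_reply(request, server_tx_ntp_secs, stratum=2):
    """Constructed reply for offline testing: Mode 4, the request's Transmit
    Timestamp echoed into Originate Timestamp, server time in Transmit."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 4
    pkt[1] = stratum
    pkt[24:32] = request[40:48]
    struct.pack_into(">II", pkt, 40, server_tx_ntp_secs, 0)
    return bytes(pkt)


def poll_servers(servers, send, now_ntp_secs):
    """One polling interval of the page's rule: query up to three servers in
    order and take the time from the first valid answer.

    send(ip, request_bytes) is the transport and returns reply bytes or None
    on timeout. Returns (server_ip, unix_seconds), or None if all fail; the
    next interval starts again from the first server.
    """
    for ip in servers[:3]:
        req = build_request(now_ntp_secs)
        reply = send(ip, req)
        if reply is not None and is_valid_reply(reply, now_ntp_secs):
            return ip, parse_response(reply, now_ntp_secs)
    return None


if __name__ == "__main__":
    # Constructed scenario: first server down, second answers, third never asked.
    now = 1700000000 + NTP_UNIX_DELTA

    def fake_send(ip, req):
        return None if ip == "192.0.2.1" else make_server_reply(req, now + 5)

    print(poll_servers(["192.0.2.1", "192.0.2.2", "192.0.2.3"], fake_send, now))
```

The originate-timestamp check is the one defence a plain SNTP client has against an off-path attacker who cannot see the request; it does nothing against a host on the path, which is why the servers should sit on a trusted network.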


3.1.4 SNMP

The SNMP (Simple Network Management Protocol) screens enable you to specify up to four SNMP management stations and to maintain and view information in the system’s MIB (Management Information Base). For more information see Section 5.5, “SNMP”.

3.1.4.1 SNMP: Global Settings

The “SNMP: Global Settings” screen enables you to set up the system’s SNMP V1/V2 or V3 agent.

Figure 3-7. Administration: SNMP: Global Settings

Table 3-7 describes the parameters you can view and configure in the “SNMP: Global Settings” screen.

Table 3-7. SNMP: Global Settings

Field Name Field Value

Mode: Enable or disable SNMP agent.

• Disabled – agent does not respond to queries.

• V1/V2 Enabled – agent responds only to v1 or v2c PDUs.

• V3 Enabled – agent responds only to v3 PDUs.

Default value = Disabled

Note that v1 and v2c carry the community string in cleartext in every message and provide no integrity protection, so V3 Enabled, with users configured for authentication (and privacy) in the SNMP: Users screen, is the appropriate setting wherever the management network is not fully trusted.

Write Access: Enable or disable write access to the MIB.

• Disabled – agent does not allow write access to the MIB.

• Enabled – agent allows write access to the MIB.

Default value = Disabled

Leave write access disabled unless a management station must perform Set operations; in V1/V2 mode, anyone who learns the write community string can reconfigure the device.


Traps: Enable or disable the sending of traps to configured trap stations. Traps are event notifications sent by the agent to a trap station.

• Disabled – agent does not send traps to the configured trap stations.

• Enabled – agent sends traps to the configured trap stations.

Default value = Disabled

Read Community String:

An arbitrary text string of up to 15 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for reading.

Write Community String:

An arbitrary text string of up to 15 printable ASCII characters. The community string sent by the SNMP client must match this text for the MIB to be accessible for writing.

Engine ID: A unique identifier assigned to this SNMP agent. You can configure an engine ID that is a 32-character string. If you do not configure one, a 12-byte default ID is assigned, built from the enterprise ID followed by the MAC address, an IP address or plain text, following the RFC 3411 engine ID layout.

The default engine ID for an MNS-DX device is as follows:

• The first four octets carry the enterprise ID (0x39cd).

• The fifth octet is a format identifier; 03 means a MAC address follows.

• Octets six through eleven are the device's MAC address.

• The remaining octet (the twelfth) is zero padding.

Because SNMPv3 user keys are localized to the engine ID (RFC 3414), changing the engine ID invalidates the localized keys that management stations hold for this agent; re-run engine discovery on the stations after changing it.

Engine Boots: The number of times the system has booted since the current engine ID was set.

Engine Time: The number of seconds elapsed since the engine ID was changed or the system booted, whichever occurred most recently. Together with Engine Boots, this value drives the SNMPv3 time-window check (RFC 3414) that rejects replayed or badly timed authenticated messages; such rejections are counted as Not In Time Windows in the SNMP: Statistics screen.


3.1.4.2 SNMP: Management Stations

The “SNMP: Management Stations” screen enables you to configure SNMP management stations.

Figure 3-8. Administration: SNMP: Management Stations

Table 3-8 describes the parameters you can view and configure in the “SNMP: Management Stations” screen.

Table 3-8. SNMP: Management Stations

Field Name Field Value

Add Station Form

IP Address: Enter the IP address of a management station that is allowed to query the SNMP agent; only the listed stations are permitted to query it. Click Apply Settings to add this address to the Existing Stations table.

You can specify up to four management stations.

Existing Stations Table

IP Address: This table lists the IP addresses of management stations that have been configured in the system.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that management station.


3.1.4.3 SNMP: Trap Stations

This screen enables you to add trap stations (up to a total of 4) and to view and edit the parameters of existing trap stations. A trap station is a destination to which SNMP traps are sent.

Figure 3-9. Administration: SNMP: Trap Stations

Table 3-9 describes the parameters you can view and edit in the SNMP: Trap Stations screen.

Table 3-9. SNMP: Trap Stations

Field Name Field Value

IP Address: The Internet Protocol address of the trap station. You can specify up to 4 trap stations.

Security Name: When the agent is enabled for v3 mode, this is the name of an SNMP user, and the trap is sent with that user's security mode and auth/priv keys. For v1/v2 mode, this is the trap community string for the trap destination.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that trap station.


3.1.4.4 SNMP: Users

This screen enables you to view and edit SNMP security provisions for individual users.

Figure 3-10. Administration: SNMP: Users

Table 3-10 specifies the parameters you can view and edit in the SNMP: Users screen.

Table 3-10. SNMP: Users

Field Name Field Value

User Name: A unique security name for an SNMP user.

Security Mode: The level of security applied to this user's messages. There are five choices:

• None – no authentication or encryption

• MD5 – HMAC-MD5 authentication, no encryption

• SHA – HMAC-SHA-1 authentication, no encryption

• MD5-DES – HMAC-MD5 authentication, DES encryption

• SHA-DES – HMAC-SHA-1 authentication, DES encryption

These are the HMAC-MD5-96, HMAC-SHA-96 and CBC-DES mechanisms of RFC 3414. DES is a 56-bit cipher and MD5 is the weaker of the two authentication hashes, so SHA-DES is the strongest combination this software offers. Encryption without authentication (noauth/priv) is not a valid combination; such messages are dropped and counted as Invalid Messages in the SNMP: Statistics screen.

Auth Password: Enter a password to be used for generating the authentication keys. Allowed password length is 8 to 40 characters.

Retype Password: Re-type the authentication password to confirm it.

Privacy Password: Enter a password to be used for generating the encryption keys. Allowed password length is 8 to 40 characters.

Retype Password: Re-type the privacy password to confirm it.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that user.
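The default engine ID layout from SNMP: Global Settings and the security modes and password rules from this table, worked through as key derivation; this is an added example, not MNS-DX code. It rebuilds the 12-byte default engine ID from the enterprise ID and a constructed MAC address, then derives the localized authentication and DES privacy keys from a user's passwords with the RFC 3414 password-to-key algorithm, which is what an agent stores for each user in Table 3-10. The 0x80 marker on the first engine ID octet, the sample MAC address and the passphrases are assumptions; the RFC 3414 test vector ("maplesyrup" against engine ID 00...02) is used to confirm the derivation.

```python
import hashlib

# Values from the page: enterprise ID 0x39cd, format octet 03 (MAC address),
# a 12-byte default engine ID. The 0x80 high bit on the first octet is the
# RFC 3411 marker for this engine-ID layout; the page lists only the enterprise
# value, so that prefix is this example's assumption.
MNS_DX_ENTERPRISE = 0x39CD
FORMAT_MAC = 0x03
ENGINE_ID_LEN = 12
STRETCH_LEN = 1048576                      # RFC 3414 A.2: 1 MiB of repeated password

AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}  # page modes -> RFC 3414 HMAC-MD5-96 / HMAC-SHA-96
MODES = ("None", "MD5", "SHA", "MD5-DES", "SHA-DES")


def default_engine_id(mac, enterprise=MNS_DX_ENTERPRISE):
    """Rebuild the default engine ID: 4 enterprise octets, format 03, 6 MAC octets, zero pad."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 octets")
    eid = (0x80000000 | enterprise).to_bytes(4, "big") + bytes([FORMAT_MAC]) + mac_bytes
    return eid.ljust(ENGINE_ID_LEN, b"\x00")


def password_to_key(password, hashname):
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes)."""
    if not 8 <= len(password) <= 40:          # page: allowed length 8 to 40 characters
        raise ValueError("password must be 8 to 40 characters")
    pw = password.encode("utf-8")
    reps, rem = divmod(STRETCH_LEN, len(pw))
    return hashlib.new(hashname, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, hashname):
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def user_keys(mode, engine_id, auth_password=None, priv_password=None):
    """Derive what the agent stores for a user in the given page security mode.

    Returns a dict with 'auth_key' (localized, full digest length) and, for the
    -DES modes, 'priv_key' and 'pre_iv': the first 8 octets of the localized
    privacy key are the DES key and the next 8 the pre-IV (RFC 3414 8.1.1.1).
    """
    if mode not in MODES:
        raise ValueError("unknown security mode %r" % mode)
    keys = {"mode": mode}
    if mode == "None":
        return keys                          # noauth/nopriv: nothing to derive
    hashname = AUTH_HASH[mode.split("-")[0]]
    keys["auth_key"] = localize_key(password_to_key(auth_password, hashname), engine_id, hashname)
    if mode.endswith("-DES"):
        kul = localize_key(password_to_key(priv_password, hashname), engine_id, hashname)
        keys["priv_key"], keys["pre_iv"] = kul[:8], kul[8:16]
    return keys


if __name__ == "__main__":
    eid = default_engine_id("00:20:06:aa:bb:cc")   # constructed MAC address
    print(eid.hex())
    print(user_keys("SHA-DES", eid, "auth-passphrase", "priv-passphrase"))
```

The localization step is why the Engine ID field matters operationally: the same user password yields a different stored key on every agent, and a station that cached keys for an old engine ID will fail authentication after the ID changes.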


3.1.4.5 SNMP: Statistics

This screen enables you to view detailed SNMP performance statistics.

Figure 3-11. Administration: SNMP: Statistics


Table 3-11 describes the values you can view in the SNMP: Statistics screen. Several of these counters double as intrusion indicators: a rising In Bad Community Names, Unknown Usernames, Wrong Digests or Decryption Errors count means a station is probing or guessing credentials, and Not In Time Windows shows v3 messages that were replayed or sent with a stale clock.

Table 3-11. SNMP: Statistics

Field Name Field Value

In Packets: The total number of messages delivered to the SNMP entity from the transport service.

Bad Versions: The total number of SNMP messages which were delivered to the SNMP protocol entity and were for an unsupported SNMP version.

In Bad Community Names: The total number of SNMP messages delivered to the SNMP protocol entity which used an SNMP community name not known to the entity.

In Bad Community Uses: The total number of SNMP messages delivered to the SNMP protocol entity which represented an SNMP operation not allowed by the SNMP community named in the message.

In ASN Parse Errors: The total number of ASN.1 or BER errors encountered by the SNMP protocol entity when decoding received SNMP Messages.

Enable Auth Traps: Indicates whether the SNMP agent process is permitted to generate authentication-failure traps. The value of this object overrides any configuration information; thus, it provides a means whereby all authentication-failure traps may be disabled.

Out Packets: The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service.

In Bad Types: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “badType.”

In Too Bigs: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “tooBig.”

Out Too Bigs: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig.”

In No Such Names: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “noSuchName.”

Out No Such Names: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status is “noSuchName.”

In Bad Values: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “badValue.”

Out Bad Values: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “badValue.”


In Read Onlys: The total number of valid SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “readOnly.”

Out Read Onlys: The total number of valid SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “readOnly.”

In Gen Errors: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is “genErr.”

Out Gen Errors: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “genErr.”

In Get Requests: The total number of SNMP Get-Request PDUs which have been accepted and processed by the SNMP protocol entity.

Out Get Requests: The total number of SNMP Get-Request PDUs which have been generated by the SNMP protocol entity.

In Get Nexts: The total number of SNMP Get-Next PDUs which have been accepted and processed by the SNMP protocol entity.

Out Get Nexts: The total number of SNMP Get-Next PDUs which have been generated by the SNMP protocol entity.

In Set Requests: The total number of SNMP Set-Request PDUs which have been accepted and processed by the SNMP protocol entity.

Out Set Requests: The total number of SNMP Set-Request PDUs which have been generated by the SNMP protocol entity.

In Get Responses: The total number of SNMP Get-Response PDUs which have been accepted and processed by the SNMP protocol entity.

Out Get Responses: The total number of SNMP Get-Response PDUs which have been generated by the SNMP protocol entity.

In Traps: The total number of SNMP Trap PDUs which have been accepted and processed by the SNMP protocol entity.

Out Traps: The total number of SNMP Trap PDUs which have been generated by the SNMP protocol entity.

In Total Req Vars: The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.

In Total Set Vars: The total number of MIB objects which have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.


Silent Drops: The total number of GetRequest PDUs, GetNextRequest PDUs, GetBulkRequest PDUs, SetRequest PDUs, and InformRequest PDUs delivered to the SNMP entity which were silently dropped because the size of a reply containing an alternate Response PDU with an empty variable-bindings field was greater than either a local constraint or the maximum message size associated with the originator of the request.

Proxy Drops: The total number of GetRequest PDUs, GetNextRequest PDUs, GetBulkRequest PDUs, SetRequest PDUs, and InformRequest PDUs delivered to the SNMP entity which were silently dropped because the transmission of the (possibly translated) message to a proxy target failed in a manner (other than a time-out) such that no Response PDU could be returned.

Unknown Security Models: The total number of packets received by the SNMP engine which were dropped because they referenced a securityModel that was not known to or supported by the SNMP engine.

Invalid Messages: The total number of packets received by the SNMP engine which were dropped because there were invalid or inconsistent components in the SNMP message, for example noauth/priv. MNS-DX allows noauth/nopriv, auth/nopriv, and auth/priv but does not allow noauth/priv.

Unknown Contexts: The total number of packets received by the SNMP engine which were dropped because the context contained in the message was unknown.

Unavailable Contexts: The total number of packets received by the SNMP engine which were dropped because the context contained in the message was unavailable.

Unknown PDU Handlers: The total number of packets received by the SNMP engine which were dropped because the PDU contained in the packet could not be passed to an application responsible for handling the pduType, for example, no SNMP application had registered for the proper combination of the contextEngineID and the pduType.

Unsupported Security Levels:

The total number of packets received by the SNMP engine which were dropped because they requested a securityLevel that was unknown to the SNMP engine or otherwise unavailable.

Not In Time Windows: The total number of packets received by the SNMP engine which were dropped because they appeared outside of the authoritative SNMP engine's window.

Unknown Usernames: The total number of packets received by the SNMP engine which were dropped because they referenced a user that was not known to the SNMP engine.

Unknown Engine IDs: The total number of packets received by the SNMP engine which were dropped because they referenced an snmpEngineID that was not known to the SNMP engine.

Wrong Digests: The total number of packets received by the SNMP engine which were dropped because they did not contain the expected digest value.

Decryption Errors: The total number of packets received by the SNMP engine which were dropped because they could not be decrypted.

3.1.5 Authentication

The authentication screens enable you to set system-wide security policies, to add or delete user accounts, and to maintain user account information.

3.1.5.1 Authentication: Policies

The Authentication: Policies form enables you to change the number of failed login attempts allowed before a user is locked out, and the related account policies listed in Table 3-12.

Figure 3-12. Administration: Authentication: Policies

Table 3-12 describes the parameters you can configure for authentication security policies.

Note: Policy violations such as too many failed login attempts, or exceeding the inactive user expiration, put the account in a "locked out" state. Only administrators may clear this state.

Table 3-12. Authentication: Policies

Field Name Field Value

Bad login attempts before lockout:

The number of consecutive failed login attempts before a user is locked out. A user is locked out by setting the Locked Out? field in the user's account to “Yes"

Valid range = 1-5

Default value = 5

Lockout Time: The amount of time a user account spends in the suspended state after being locked out. This parameter takes the following values:

• 5 minutes (default)

• 30 minutes

• 1 hour

Enforce Secure Passwords:

Setting this value to 'Yes' forces password changes to comply with the following standards:

• Length of 8 characters minimum

• Must consist of at least 2 of the 3 character types *

Alphabetic

Numeric

Printable Special characters

Default value = No

*Spaces are not allowed in any password, regardless of this setting.


Password Ageing (Days):

Sets, for newly created accounts outside the Admin group, the number of days a password remains valid before a change is required.

Accounts that attempt to log in prior to the expiration date may change the password to reset the counter. Accounts that exceed this setting without a password change will be forced to change the password prior to accessing any other configuration screens. Valid settings for this option are:

• None

• 30 Days

• 60 Days

• 90 Days

Default value = None

Existing accounts will start the password ageing on the login attempt after this change is made.

Inactive User Expiration (Days):

Locks out newly created accounts outside the Admin group that have been inactive for longer than the number of days specified here.

A setting of 0 (default) disables this feature, otherwise the number of days of inactivity before being locked out ranges from 1 to 255.

Existing accounts will start the user expiration on the login attempt after this change is made.


3.1.5.2 Authentication: Accounts

The Authentication: Accounts screen enables an administrator to add and delete users and to maintain certain account information.

Figure 3-13. Administration: Authentication: Accounts

By factory default, there is a single administrator account with the login name “manager” and password “manager”. Change this password before the device is reachable from any untrusted network: it is the only account, and it has full administrative rights. The Authentication: Accounts screen is available only to the administrator.

Table 3-13 describes the parameters you can configure in creating a new account or editing an existing account.

Table 3-13. Authentication: Accounts

Field Name Field Value

Add/Edit User Account(s) Forms

User ID: A unique ID for a user. This read-only value is assigned by the system.

Login Name: The name associated with this account. It must be entered along with the password in order to access the system’s user interface.

Note that each login name on a given DX device must be unique.


Group Name: Use the drop-down list to assign this user to one of the following privilege levels:

• Admin: Members of this group may perform all functions including managing software, user accounts, and configuration files.

• Read-Write: Members of this group may perform all configuration functions with the exception of software, user account, and configuration file management.

• Read-Only: Members of this group are like Read-Write except they cannot change any parameters.

Suspended?: This flag determines whether or not a user is allowed to log in to the system. The suspended flag may be set or cleared at any time by an administrator.

Locked Out? This flag also determines whether or not a user is allowed to log in to the system. The “Locked Out?” flag is set and cleared by the system based on the failed login attempts policy. This flag may also be manually cleared by an administrator. Unlike the “Suspended?” flag, it is not stored in non-volatile memory, so its state does not persist across resets: a reboot clears every lockout.

Password: The password associated with this account. To create or change an account’s password, enter the new password here. Characters in the password are always echoed back as a bullet character. The field length minimum is 6 alphanumeric characters; when Enforce Secure Passwords is set in Authentication: Policies, the 8-character, two-character-class rule applies instead.

Re-Type Password: Confirm the initial password entry by re-typing it in this field.

Administrative Notes:

This field contains arbitrary text up to 31 printable ASCII characters.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that account.
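The lockout, password-complexity and Suspended/Locked Out rules from Table 3-12 and Table 3-13, modelled in one place; this is an added example, not MNS-DX code. It applies the page's 1-5 failed-attempt limit, the 5 minutes/30 minutes/1 hour lockout choices, the Enforce Secure Passwords rule (8 characters, two of three classes, never a space) against the 6-character default, and shows why the volatile Locked Out? flag matters: reset_device() clears every lockout while Suspended? survives. Account names, passwords and the plaintext-password comparison are constructed for illustration; a real implementation stores a salted hash.

```python
import hmac

LOCKOUT_TIMES = {"5 minutes": 300, "30 minutes": 1800, "1 hour": 3600}   # Table 3-12 choices
GROUPS = ("Admin", "Read-Write", "Read-Only")


def password_meets_policy(pw, enforce_secure):
    """Apply the page's password rules. Returns (ok, reason).

    Spaces are never allowed. With Enforce Secure Passwords = Yes the password
    needs 8+ characters and at least 2 of {alphabetic, numeric, printable special};
    otherwise only the accounts screen's 6-character minimum applies.
    """
    if " " in pw:
        return False, "spaces are not allowed"
    if not enforce_secure:
        return (len(pw) >= 6, "" if len(pw) >= 6 else "shorter than 6 characters")
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    classes = (any(c.isalpha() for c in pw)
               + any(c.isdigit() for c in pw)
               + any(c.isprintable() and not c.isalnum() for c in pw))
    if classes < 2:
        return False, "needs at least 2 of alphabetic, numeric, special"
    return True, ""


class Account:
    """Suspended? is an administrator flag kept in non-volatile memory;
    Locked Out? is set by the failed-login policy and lost on reset."""
    def __init__(self, login, group, password):
        if group not in GROUPS:
            raise ValueError("unknown group %r" % group)
        self.login, self.group, self.password = login, group, password
        self.suspended = False
        self.locked_out = False
        self.locked_at = None
        self.failures = 0


class AuthPolicy:
    def __init__(self, bad_attempts=5, lockout_time="5 minutes", enforce_secure=False):
        if not 1 <= bad_attempts <= 5:                      # page: valid range 1-5
            raise ValueError("bad attempts must be 1-5")
        self.bad_attempts = bad_attempts
        self.lockout_secs = LOCKOUT_TIMES[lockout_time]
        self.enforce_secure = enforce_secure

    def login(self, acct, password, now):
        """Evaluate one login attempt at Unix time `now`; returns a status string."""
        if acct.suspended:
            return "suspended"
        if acct.locked_out:
            if now - acct.locked_at < self.lockout_secs:
                return "locked out"
            acct.locked_out, acct.locked_at, acct.failures = False, None, 0
        # constructed plaintext comparison; a real store holds a salted hash,
        # but the comparison should be constant-time in either case
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.bad_attempts:
            acct.locked_out, acct.locked_at = True, now
            return "locked out"
        return "bad password"

    def set_password(self, acct, new_password):
        ok, reason = password_meets_policy(new_password, self.enforce_secure)
        if not ok:
            raise ValueError(reason)
        acct.password = new_password


def reset_device(accounts):
    """Model a reboot: Locked Out? is volatile and clears; Suspended? persists."""
    for a in accounts:
        a.locked_out, a.locked_at, a.failures = False, None, 0


if __name__ == "__main__":
    pol = AuthPolicy(bad_attempts=3, enforce_secure=True)
    op = Account("operator", "Read-Only", "Op3rator!")        # constructed account
    print([pol.login(op, "guess", t) for t in (1, 2, 3)], op.locked_out)
    reset_device([op])
    print(pol.login(op, "Op3rator!", 4), op.locked_out)
```

Because the lockout state is volatile, an attacker who can make the device reboot (or cut its power) resets the failed-attempt counter; the Suspended? flag, which an administrator sets and which persists, is the durable control.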


3.1.5.3 Authentication: Files

This page enables you to upload new user definitions.

Figure 3-14. Administration: Authentication: Files

Table 3-14. Authentication: Files

Field Name Field Value

Browse: To install a new user definition file:

1. Browse to a file on your local system, or enter the full path name of a user definition file.

2. Click Upload.

Uploading a new file succeeds only if the following conditions are met:

1. The uploaded file is valid XML containing:

• Only one instance of the UserAccountTable tag

• Only one instance of each tag within each UserAccountEntry

• Only one instance of each login name

2. The number of users contained in the file does not exceed the maximum number of supported users.

3. A file containing no users is valid; in that case the default login account is created.

4. If one or more accounts are specified, at least one account in the new file is an unsuspended administrator.
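The four upload conditions above, as a validator a practitioner could run on a user definition file before uploading it; this is an added example, not MNS-DX code. The tag names UserAccountTable and UserAccountEntry are from the page; the child tags LoginName, GroupName and Suspended, the limit of 8 accounts, and the sample files are this example's assumptions (the page gives no figure for the maximum number of users). The check that matters most is the last one: a file whose only Admin account is suspended would lock you out of administration.

```python
import xml.etree.ElementTree as ET

# The page names the UserAccountTable and UserAccountEntry tags and the rules
# below; the child tags LoginName, GroupName and Suspended, and the limit of
# 8 accounts, are this example's assumptions (the page gives no figure).
MAX_USERS = 8


def validate_user_file(xml_text, max_users=MAX_USERS):
    """Apply the page's upload conditions. Returns (ok, errors).

    A file with no entries is valid (the default account is created). Parse
    uploads from untrusted sources with defusedxml rather than the stdlib parser.
    """
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return False, ["not well-formed XML: %s" % e]
    tables = ([root] if root.tag == "UserAccountTable" else []) + root.findall(".//UserAccountTable")
    if len(tables) != 1:
        return False, ["expected exactly one UserAccountTable, found %d" % len(tables)]
    entries = tables[0].findall("UserAccountEntry")
    if len(entries) > max_users:
        errors.append("%d accounts exceeds the supported maximum of %d" % (len(entries), max_users))
    seen, active_admin = set(), False
    for i, entry in enumerate(entries, 1):
        tags = [child.tag for child in entry]
        repeated = sorted({t for t in tags if tags.count(t) > 1})
        if repeated:
            errors.append("entry %d: tag(s) %s appear more than once" % (i, ", ".join(repeated)))
        login = (entry.findtext("LoginName") or "").strip()
        if not login:
            errors.append("entry %d: missing LoginName" % i)
            continue
        if login in seen:
            errors.append("entry %d: login %r is defined more than once" % (i, login))
        seen.add(login)
        if entry.findtext("GroupName") == "Admin" and (entry.findtext("Suspended") or "No") != "Yes":
            active_admin = True
    if entries and not active_admin:
        errors.append("no unsuspended Admin account: accepting this file would lock out administration")
    return not errors, errors


# Constructed sample files for offline use.
GOOD_XML = """<UserAccountTable>
  <UserAccountEntry><LoginName>manager</LoginName><GroupName>Admin</GroupName><Suspended>No</Suspended></UserAccountEntry>
  <UserAccountEntry><LoginName>operator</LoginName><GroupName>Read-Only</GroupName></UserAccountEntry>
</UserAccountTable>"""

BAD_XML = """<UserAccountTable>
  <UserAccountEntry><LoginName>manager</LoginName><GroupName>Admin</GroupName><Suspended>Yes</Suspended></UserAccountEntry>
  <UserAccountEntry><LoginName>manager</LoginName><LoginName>ops</LoginName><GroupName>Read-Write</GroupName></UserAccountEntry>
</UserAccountTable>"""

if __name__ == "__main__":
    print(validate_user_file(GOOD_XML))
    print(validate_user_file(BAD_XML))
```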


3.1.6 Sessions

The sessions screens enable you to set login session policies and to monitor active logins.

3.1.6.1 Sessions: Policies

This screen enables you to set up the system's session management policies.

Figure 3-15. Administration: Sessions: Policies

Table 3-15 describes the parameter you can configure in the Sessions: Policies screen.

Table 3-15. Sessions: Policies

Field Name Field Value

Maximum Idle Time: The amount of time a user session may be idle before the system automatically deletes it. None leaves a logged-in browser session valid indefinitely, so choose a finite value on any device reachable from shared or unattended workstations. Possible values are:

• None (Sessions never time out)

• 5 minutes

• 30 minutes

• 1 hour

• 24 hours


3.1.6.2 Sessions: Active Logins

This screen enables you to view the active login sessions on the device.

Figure 3-16. Administration: Sessions: Active Logins

Table 3-16 describes the information displayed in the Sessions: Active Logins screen.

Table 3-16. Sessions: Active Logins

Field Name Field Value

Session: A unique identifier for a session.

Username: The username that is logged in.

Client Host: The IP address of the remote client.

Login Time: The time at which the user logged in to the system.

Last Activity: The last time the user was active in the session.

Delete: Set the Delete checkbox in a row and click Apply Settings to disconnect that active session.

Note: The last saved administrator account is always preserved.


3.1.7 Change Password

This screen enables you to change your password. The administrator can also change any user’s password from the Authentication: Accounts screen, described in Section 3.1.5.2.

Figure 3-17. Administration: Change Password

Table 3-17 describes the parameters you can configure in the Change Password screen.

Table 3-17. Change Password

Field Name Field Value

Old Password: Enter the old password.

Password: Enter the new password here. Characters in the password are always echoed back as a bullet character. The field length minimum is 6 alphanumeric characters; when Enforce Secure Passwords is set in Authentication: Policies, the 8-character, two-character-class rule applies instead.

Re-Type Password: Confirm the initial password entry by re-typing it in this field.

3.1.8 Software Upgrade

The “Software Upgrade” screen enables you to perform software upgrades or to return to a previous software image.

1. Browse to a file on your local system, or enter the full path name of a software image file, and click Upload. When the new image is successfully uploaded it appears in the “Existing Images” window as “New” and a “Ready to Upgrade” message appears.

2. Click the Upgrade button. The system reboots. Reconnect your browser to the system, return immediately to the Administration: Software Upgrade window, and click the Finalize button.

3.1.8.1 Software Upgrade States

Figure 3-18 and Table 3-18 describe the entire software upgrade finite state machine.

Figure 3-18. Software Upgrade State Machine

TIP: Don’t Forget to Finalize! A successful upgrade requires clicking three buttons: Upload, Upgrade, and, after the reboot, Finalize. Because some time passes while the system reboots and you reconnect your browser, it is easy to overlook the third step, and a reboot before Finalize falls back to the previous image.

Table 3-18. Upgrade States and User Actions

Event Description

New Software: User copies a valid software image.

Reboot: User reboots the system.

Upgrade: User clicks the Upgrade button.

Finalize: User clicks the Finalize button, approving the upgrade.

Fallback: User clicks the Fallback button. The next system reboot loads the Fallback image.

Retry: User clicks the Retry button.

Figure 3-19 depicts an Administration: Software Upgrade window after a successful upgrade.

Figure 3-19. Administration: Software Upgrade


Table 3-19 describes the parameters you can view and configure in the Software Upgrade screen.

Table 3-20 describes the options available to you depending on the State and Use of the software images.

Table 3-19. Software Upgrade

Field Name Field Value

Install Form

File: To install a new software image:

1. Browse to a file on your local system, or enter the full path name of a software image file.

2. Click Upload.

The system checks that the uploaded software is valid for this hardware and appears to be a good image (not corrupt). This is a compatibility and integrity check only; no signature verification is described, so obtain images directly from GarrettCom over a trusted channel and compare them against the published checksum before uploading. If the image is valid, then:

1. The filename is added to the Existing Images Table and is given the designation “new” in the Use column.

2. The status reported in the Software Upgrade process state table is changed to “READY TO UPGRADE.”

Existing Images Table

Filename: This table displays either one or two filenames. If the value displayed in the Software Upgrade process state table is “INITIAL” then this is the initial software installation and only one filename is displayed. In all other cases two filenames are displayed.

Use: The values displayed in the Use column depend on the state of the system. (See Table 3-20.)

Software Upgrade Table

State: This field reports the state of the upgrade process.

Button: The buttons displayed below the State field enable you to initiate a change in the state of the software upgrade. The number and purpose of the buttons displayed depends on the state of the software.
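The upgrade process in Table 3-18 and in the state table that follows, modelled as a state machine so the “Don’t Forget to Finalize” failure mode can be exercised; this is an added example, not MNS-DX code. States, buttons and the reboot-before-Finalize fallback are taken from the page; the transitions that copy a new image from the UPGRADED or FALLBACK state, and the image names, are assumptions, since the page's Figure 3-18 is not reproduced in this text.

```python
INITIAL, READY, UPGRADING, UPGRADED, FALLBACK = (
    "INITIAL", "READY TO UPGRADE", "UPGRADING", "UPGRADED", "FALLBACK")

# (state, event) -> (next state, whether the system reboots during the transition)
TRANSITIONS = {
    (INITIAL, "new_software"):  (READY, False),
    (READY, "upgrade"):         (UPGRADING, True),   # reboots to load the new image
    (UPGRADING, "finalize"):    (UPGRADED, False),   # approves the upgrade
    (UPGRADING, "reboot"):      (FALLBACK, True),    # any reboot before Finalize falls back
    (UPGRADED, "fallback"):     (FALLBACK, True),    # reboots with the previous image
    (FALLBACK, "retry"):        (READY, False),
    # Assumption: copying a new image from UPGRADED or FALLBACK also leads to
    # READY TO UPGRADE; the page's figure is not reproduced here.
    (UPGRADED, "new_software"): (READY, False),
    (FALLBACK, "new_software"): (READY, False),
}

# Buttons the page shows in each state (Table 3-20).
BUTTONS = {INITIAL: (), READY: ("Upgrade",), UPGRADING: ("Finalize",),
           UPGRADED: ("Fallback",), FALLBACK: ("Retry",)}


class UpgradeFSM:
    def __init__(self, running="image-old"):
        self.state = INITIAL
        self.previous = running      # image that Fallback returns to
        self.new = None              # image uploaded but not yet finalized
        self.reboots = 0
        self.trail = [INITIAL]

    def buttons(self):
        return BUTTONS[self.state]

    def running_image(self):
        """The new image runs from UPGRADING onward; FALLBACK reverts to the old one."""
        return self.new if self.state in (UPGRADING, UPGRADED) else self.previous

    def fire(self, event, image=None):
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError("%r is not valid in state %s" % (event, self.state))
        nxt, reboots = TRANSITIONS[key]
        if event == "new_software":
            if self.state == UPGRADED:   # a finalized image becomes the fallback
                self.previous = self.new
            self.new = image
        self.state = nxt
        self.reboots += reboots
        self.trail.append(nxt)
        return nxt


def happy_path():
    """Upload, Upgrade, reconnect after the reboot, Finalize."""
    fsm = UpgradeFSM()
    fsm.fire("new_software", "image-new")
    fsm.fire("upgrade")
    fsm.fire("finalize")
    return fsm


def forgot_to_finalize():
    """The TIP's failure mode: the unit reboots (or loses power) before Finalize."""
    fsm = UpgradeFSM()
    fsm.fire("new_software", "image-new")
    fsm.fire("upgrade")
    fsm.fire("reboot")
    return fsm


if __name__ == "__main__":
    for f in (happy_path(), forgot_to_finalize()):
        print(f.trail, "running", f.running_image(), "buttons", f.buttons())
```

An upgrade script driving the web interface should treat the state it reads back after the reconnect as the source of truth: UPGRADING means Finalize is still owed, FALLBACK means the new image never stuck.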

Table 3-20. Software Upgrade States

State Button

INITIAL: none

READY TO UPGRADE: Upgrade. Click this button to reboot the system and load the new image. (Note that an upgrade by any means other than clicking the Upgrade button in this screen will also result in the loading of the new image.)

UPGRADING: Finalize. Click this button to approve the upgrade. (Note that if the system reboots for any reason while in the UPGRADING state it will fall back to the previous image.)

UPGRADED: Fallback. Click this button to reboot with the previous image.

FALLBACK: Retry. Click this button to attempt the upgrade process again (move to the READY TO UPGRADE state).

The system reboots automatically during the transition from READY TO UPGRADE to UPGRADING and during the transition from UPGRADING to FALLBACK, because a new software image must be loaded to complete these transitions.

3.1.9 Configuration

The Configuration: Files and the Configuration: Defaults screens enable you to make system-wide changes by installing a new system configuration file or by returning to factory defaults.

3.1.9.1 Configuration: Files

This screen enables you to install and manage configuration files.

When the system is shipped from the factory, it contains a single current configuration file with factory default values called "config0.xml". Subsequent configuration files contain the administrator’s saved settings, which can include secrets such as SNMP community strings, so handle copies of them with the same care as credentials.

Figure 3-20. Administration: Configuration: Files


Table 3-21 describes the tasks you can perform in the Configuration: Files screen.

You may encounter error messages when creating or saving configuration files if the uploaded file:

• Specifies a version beyond the current software version.

• Specifies a model other than the current system.

• Contains syntactically invalid XML.

• Has the same name as an existing file on the system.

Table 3-21. Configuration Files

Field Name Field Value

The Install Form

File: To install a configuration file:

1. Browse to a file on your local system, or enter the full path name of a configuration file.

2. Click Upload.

Browse: Browse to select a configuration file on your local system.

Upload: Click this button to make the file specified in pathname the “Current” configuration file. If the configuration is valid the system is reconfigured according to the contents of the file.

The Configurations Table

Filename: This column lists all configuration files present in the system.

Version: This value identifies the software version that was running when the system wrote this configuration file.

Fallback: “Yes” identifies the Fallback configuration file. This file is used to save a copy of the configuration during initialization when the software upgrade state is UPGRADING. The "Fallback" file is designated "Current" when you tell the system to go to the FALLBACK state of software upgrade.

Current: The selected radio button identifies the current configuration file This is the file to which the current configuration data is written when you save it. This is also the file used for configuration when the software starts up.

Delete: Set the Delete checkbox in a row in the Configurations table and click Apply Settings to delete that configuration file.


3.1.9.2 Configuration: Defaults

This screen enables you to restore the system configuration to default values.

Figure 3-21. Administration: Configuration: Defaults

Click the Restore button to restore system defaults.

NOTE: Default values do not necessarily mean "factory default" values. While most parameters will take on their factory defaults, the following exceptions apply:

• System IP Address and Mask – Set to the IP address/mask configured in the boot menu.

• Default Gateway – Set to the default gateway configured in the boot menu.

3.1.10 System Reboot

This Reboot screen enables you to shut down and restart the system.

Figure 3-22. Administration: System Reboot

Click the Reboot button to reset the system.


3.2 Events Tasks

Events are a specified set of actions or attempted actions that are recorded in log files or sent to a visual display to enable a system administrator to monitor system activity.

MNS-DX specifies a set of events (see Table 3-22) that are recorded in log files on the management server. These log files are configured with the Logs: Global Settings screen described in Section 3.2.1.1, and user access to these log files is provided by the Logs: Files screen, described in Section 3.2.1.2.

MNS-DX also supports the syslog protocol for collecting event information and delivering it to a remote device. For more on syslog see Section 3.2.2.

3.2.1 Logs

The following system events are logged by MNS-DX in the log files on the management server described in Section 3.2.1.2:

Table 3-22. Logged Events

Event Description

Login User loginname logged in.

A user with login name loginname logged into the system through the web interface.

Logout User loginname logged out.

A user with login name loginname logged out of the system through the web interface.

Maximum Users Maximum number of users reached.

The maximum number of user accounts has already been reached and an administrator has tried to add an additional user to the system.

New Account New user loginname created in group groupname.

An administrator created a new user named loginname and assigned that user to permission group groupname.

Password Change Password for user loginname has been changed.

A user’s password was changed. This may be due to the user updating the password or to an administrator setting a new password for the user in the Authentication: Accounts screen.

Failed Login User loginname failed to authenticate.

Someone attempted to log in to the system using the user name loginname, but the login was rejected due to a bad password. When the consecutive number of failed logins equals the number set in the Authentication: Policies screen the Account Lockout event is launched (see below).


Account Lockout Account loginname has been locked out for bad logins.

A user account, with login name loginname, was suspended because the user entered a password incorrectly too many times in a row.

Lockout Ended Suspension timeout has elapsed for user loginname.

A user who had been automatically suspended by the system for bad logins has been moved out of the locked out state by the system because the lockout timer (set in the Authentication: Policies screen) expired.

Suspension Cleared Account lockout cleared for user loginname (UID nn).

An administrator manually moved an account out of the suspended state.

Account Deleted User loginname (UID uid) was deleted.

A user account was deleted by an administrator.

Expired Account User loginname expired.

A user account expired due to inactivity (that is, no logins over a specified time period).

Suspended Account User loginname was suspended.

A user was suspended by an administrator.

Hacking Attempt Possible hacking attempt: n failed login attempts in m minutes.

A number of unsuccessful logins have occurred within some time interval. This pattern is recognized by the system and logged as a warning to administrators.

Ethernet Link Up Ethernet port Ex is up.

Link was detected on Ethernet port Ex.

Serial Link Up Serial port Sx is up.

Link was detected on Serial port Sx.

Ethernet Link Down Ethernet port Ex is down.

Link was lost on Ethernet port Ex. This could be because the link was physically lost or because the port was administratively disabled.

Serial Link Down Serial port Sx is down.

Link was lost on Serial port Sx. This could be because the RS-232 handshake signals are off or because the port was administratively disabled.

Unable to Connect Could not connect to remote host ipaddr (tcpport) on channel Sx.

The terminal server channel for Serial port Sx is configured to call out to a remote host at IP address ipaddr and TCP port tcpport, but that host is either unreachable or actively refused the connection.


Host Unreachable Serial port Sx reports that the host at ipaddr is unreachable.

The terminal server channel for Serial port Sx is configured to call out to a remote host at IP address ipaddr but the system has no route to the destination address.

Connection Refused Serial port Sx reports that the connection to the host at ipaddr (tcpport) was refused.

The terminal server channel for Serial port Sx is configured to call out to a remote host at IP address ipaddr and TCP port tcpport, but the host actively refused the connection.

Lost Connection Lost connection with host ipaddr (tcpport) on channel Sx.

The terminal server channel for Serial port Sx was connected but the system lost contact with the remote host. The remote host may have actively torn down the connection or the connection may have been flagged as dead due to lack of response to TCP keep-alive messages.

Handshake Failed Serial port Sx reports that the host at ipaddr (tcpport) did not respond to the SSL handshake.

The terminal server channel for Serial port Sx is configured for SSL security. During the authentication phase of the SSL handshake, the peer did not respond. This is likely because the connection was made to a non-SSL enabled host.

See the SSL troubleshooting section (Section A.9) for more information.

Handshake Problem Serial port Sx experienced a problem (problemdescription) while connecting to the host at ipaddr (tcpport).

The terminal server channel for Serial port Sx is configured for SSL security. During the authentication phase of the SSL handshake, a problem occurred and the handshake did not complete. Possible problems include:

• unknown protocol

• no shared cipher

Certificate Problem Serial port Sx reports that the certificate presented by the host at ipaddr (tcpport) was invalid (problemdescription).

The terminal server channel for Serial port Sx is configured for SSL security. During the authentication phase of the SSL handshake, the peer certificate could not be validated. Possible reasons include:

• certificate expired

• certificate is not yet valid

• self signed certificate in certificate chain

See the SSL troubleshooting section (Section A.9) for more information.


SSL Alert Message Serial port Sx received a notification (notification) from the host at ipaddr (tcpport).

The terminal server channel for Serial port Sx is configured for SSL security. During the SSL handshake the peer detected a problem and sent an alert message. Possible alerts include:

• certificate expired

• certificate is not yet valid

• unknown ca

See the SSL troubleshooting section (Section A.9) for more information.

RADIUS Server Unreachable

Unable to contact any of the configured RADIUS servers.

The system is configured to contact a RADIUS server to perform user authentication but none of the configured servers are reachable over the network.

Boot Complete Warm start.

The system rebooted.

SPD Packet Discard Packet(s) discarded from not matching SPD rules. Check the source and destination IP address setup and tunnel state at both ends.

IKE Packet Discard Packet(s) discarded due to tunnel Phase II incomplete. This state is usually temporary as the tunnel transitions to Phase II.

IKE Phase I Fail Phase I negotiation failed, most likely due to parameter mismatching of authentication or Diffie Hellman information.

IKE Phase I Success IKE Phase 1 negotiation completed successfully.

IKE Phase II Fail Phase II negotiation failed.

VPN Up IKE Phase 2 negotiation completed successfully and the tunnel is carrying traffic.

Sequence Number Overflow

IPsec sequence numbers have exceeded the boundary. This event is informational and should cause the tunnel to re-key.

Soft Life Time Expired

The soft life time for the tunnel has expired. The tunnel will re-key the next time a packet is received that must go through the tunnel. This is part of the normal operation of the tunnel.

Hard Life Time Expired

The hard life time for the tunnel has expired. The tunnel state will be deleted and must be re-negotiated.


3.2.1.1 Logs: Global Settings

This screen enables you to specify the frequency, number, and size of log files.

Figure 3-23. Events: Logs: Global Settings

Table 3-23 specifies the valid values for fields of the Logs: Global Settings form.

Table 3-23. Logs: Global Settings

Field Name Field Value

Mode: The available values are:

• Enabled – record events in the system log.

• Disabled – do not record events in the system log (default).

Create New Log File: Indicates how often a new log file should be started, regardless of the size of the current file. This parameter takes one of the following values:

• Daily: start a new log file at the beginning of each day (default).

• Weekly: start a new log file at the beginning of each week.

• Monthly: start a new log file at the beginning of each month.

When logging begins, a new file is created with the name “YYYYMMDDHHMMSS.log”.

Max Log Files: Specify the maximum number of log files to be preserved at any one time.

Default value = 14.

Valid range = 1-100

Max Log File Size (KB): Specify the maximum size, in KB, of any log file. If the current log file becomes full, a new log file is created.

Default value = 32KB.

Delete Old Files: Indicates whether or not old log files should be deleted when the maximum number of log files is reached and a new log file must be created. If you do not specify the deletion of old files, no new log files will be created after the Max Log Files value is reached.

Default value = Yes.

Use the Create New Log File, Max Log Files, Max Log File Size, and Delete Old Files parameters to structure your view of the history of events on the system. The total amount of available space on the system is now displayed on the System Information screen.

Choose the values for these parameters based on the size of your system, the number of users, and the level of activity. This will take some experimentation. If, for instance, you want to create daily log files so that all the events for one 24-hour period will be included in a single file, it would be wise to specify a high Max Log File Size value at first, then observe the actual file size produced by routine operations and adjust the setting accordingly. Your observation of daily performance can be used as a basis for specifying the parameters appropriate to longer intervals; that is, a weekly log file ought to have a Max Log File Size about seven times greater than that of a correctly-sized daily log file. When choosing the amount of space to allocate for logs, keep in mind that space should be left for system files to grow (for example, software images, configuration files, PEM files, internal system files, etc.). We suggest allocating a maximum of 2 MB for logs.

Note that if you do not set Delete Old Files to Yes (the default), MNS-DX will stop creating log files when the Max Log Files value is reached.

3.2.1.2 Logs: Files

This screen enables you to view a particular log by clicking on its hyperlinked file name. This will open the log file in the text editor configured for the .log suffix on your system. You can also delete a log file by checking the appropriate “Delete” box and pressing the Apply Settings button.

Figure 3-24. Events: Logs: Files

Table 3-24 explains how to use the fields in the Logs: Files table.

Log files are written as ASCII text in syslog format. For example:

<6>Jan 22 08:18:35 2007 192.168.1.2 Ethernet port E2 is down.
<6>Jan 22 08:18:40 2007 192.168.1.2 Ethernet port E4 is up.
<6>Jan 22 08:18:54 2007 192.168.1.2 Ethernet port E2 is up.
<6>Jan 22 08:34:23 2007 192.168.1.2 User 'manager' logged in.
<6>Jan 22 09:38:58 2007 192.168.1.2 User 'manager' idled out.

Table 3-24. Logs: Files

Field Name Field Value

Filename: The names and sizes of log files available for viewing. The log file that is currently active for writing is also flagged under the Status column. Click a hyperlinked file name to display a plain text version of the log file.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that log file.
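Because the log is plain syslog-style text, the account events of Table 3-22 can be reviewed offline. The following Python is an added example, not part of the guide or of MNS-DX: it parses lines in the format shown above, classifies them by the message text of Table 3-22, and reports accounts whose Failed Login events cluster the way the lockout rule of the Authentication: Policies screen counts them. The sample lines are constructed, and the code assumes that every account event quotes the login name in single quotes as the sample log does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format shown in Section 3.2.1.2, not captured from
# a real device. The guide shows only severity 6 (informational) lines; the <4>
# (warning) on the hacking-attempt line is an assumption based on Table 3-22
# describing that event as a warning to administrators.
SAMPLE_LOG = """\
<6>Jan 22 08:18:35 2007 192.168.1.2 Ethernet port E2 is down.
<6>Jan 22 08:18:54 2007 192.168.1.2 Ethernet port E2 is up.
<6>Jan 22 08:34:23 2007 192.168.1.2 User 'manager' logged in.
<6>Jan 22 08:40:01 2007 192.168.1.2 User 'operator' failed to authenticate.
<6>Jan 22 08:40:09 2007 192.168.1.2 User 'operator' failed to authenticate.
<6>Jan 22 08:40:15 2007 192.168.1.2 User 'operator' failed to authenticate.
<6>Jan 22 08:40:15 2007 192.168.1.2 Account 'operator' has been locked out for bad logins.
<4>Jan 22 08:41:30 2007 192.168.1.2 Possible hacking attempt: 3 failed login attempts in 2 minutes.
<6>Jan 22 09:38:58 2007 192.168.1.2 User 'manager' idled out.
"""

# <PRI>, a timestamp that (unlike plain RFC 3164) carries the year, the host, the message.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Message text from Table 3-22. The guide writes placeholders such as loginname;
# the sample log shows the name in single quotes, and the account patterns
# below assume every account event quotes it the same way.
EVENT_PATTERNS = [
    ("Login", re.compile(r"^User '(?P<user>[^']+)' logged in\.$")),
    ("Failed Login", re.compile(r"^User '(?P<user>[^']+)' failed to authenticate\.$")),
    ("Account Lockout",
     re.compile(r"^Account '(?P<user>[^']+)' has been locked out for bad logins\.$")),
    ("Hacking Attempt", re.compile(
        r"^Possible hacking attempt: (?P<n>\d+) failed login attempts in (?P<m>\d+) minutes\.$")),
    ("Ethernet Link Up", re.compile(r"^Ethernet port (?P<port>E\d+) is up\.$")),
    ("Ethernet Link Down", re.compile(r"^Ethernet port (?P<port>E\d+) is down\.$")),
]


def parse_line(line):
    """Split one log line into its fields; returns None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None or int(m.group("pri")) > 191:  # PRI = facility*8 + severity, max 191
        return None
    pri, msg = int(m.group("pri")), m.group("msg")
    event, fields = "Other", {}
    for name, pattern in EVENT_PATTERNS:
        em = pattern.match(msg)
        if em:
            event, fields = name, em.groupdict()
            break
    return {"facility": pri // 8, "severity": pri % 8,
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
            "host": m.group("host"), "event": event, "fields": fields, "message": msg}


def parse_log(text):
    """Parse a whole .log file, silently skipping lines that do not match."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Map user -> largest number of Failed Login events inside one sliding
    window, keeping only users at or over the threshold. This mirrors the
    consecutive-failure rule of the Authentication: Policies screen, so an
    analyst can check that the Account Lockout event fired when expected."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "Failed Login":
            by_user[r["fields"]["user"]].append(r["time"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def account_summary(records, threshold=3, window=timedelta(minutes=5)):
    """What a reviewer wants first: accounts that reached the failed-login
    threshold, accounts the device locked out, and messages the parser did not
    recognise (for example new event text after a software upgrade)."""
    return {
        "bursts": failed_login_bursts(records, threshold, window),
        "locked_out": sorted(r["fields"]["user"] for r in records
                             if r["event"] == "Account Lockout"),
        "unrecognised": [r["message"] for r in records if r["event"] == "Other"],
    }
```

Messages the parser does not recognise (here the "idled out" line, which the sample shows but Table 3-22 does not list) are returned rather than dropped, so a reviewer notices event text that changed after an upgrade.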


3.2.2 Syslog

Syslog is a protocol for sending event messages over an IP network to remote servers called "event message collectors." The syslog protocol is defined in RFC 3164. You enable syslog functionality with the Syslog: Global Settings screen, described in Section 3.2.2.1. You specify the IP addresses of the remote devices that will serve as syslog collectors in the Syslog: Collectors screen, described in Section 3.2.2.2. If syslog functionality is enabled, MNS-DX will deliver notification of syslog events to the specified collector(s). How that information is stored and displayed on the collector is a function of the software running on the collector. There are many freely available software products to manage this task.

3.2.2.1 Syslog: Global Settings

This screen enables you to enable syslog functionality.

Figure 3-25. Events: Syslog: Global Settings

Table 3-25 describes the parameter you can configure in the Syslog: Global Settings screen.

Table 3-25. Configure Syslog

Field Name Field Value

Mode: Indicates whether or not events should be sent as Syslog messages. The available values are:

• Enabled – Send a syslog message for each event.

• Disabled – Do not send syslog messages (default).


3.2.2.2 Syslog: Collectors

This screen enables you to specify the IP addresses of up to five syslog collectors.

Figure 3-26. Events: Syslog: Collectors

Table 3-26 describes the parameters you can edit in the Syslog: Collectors screen.

Table 3-26. Syslog: Collectors

Field Name Field Value

Add Collector Form

Collector IP: The IP address of the server to which syslog messages will be sent.

Existing Collector Table

Collector IP: This column lists the addresses of existing configured collectors. The maximum number of collectors is 5. By default no collectors are configured.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that collector.


3.3 Ethernet Tasks

The following subsections describe the tasks that you can perform using the screens of the Ethernet Switching branch.

3.3.1 Ports

The Ports screens enable you to configure ports and to view port status and statistics.

3.3.1.1 Ports: Settings

This screen enables you to configure the system’s Ethernet ports.

Figure 3-27. Ethernet: Ports: Settings

Table 3-27 describes the fields you can view and edit in the Ports: Settings form.

Table 3-27. Ethernet: Ports: Settings

Field Name Field Value

Port ID: Uniquely identifies a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Port Name: A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is “Ethernet-X” by factory default.


Media Type: Enables you to force a speed and duplex setting on an Ethernet port or set the port to auto-negotiate mode. Only speed/duplex settings appropriate for the particular interface type are allowed:

• Auto (10/100BaseTX) (default for 10/100T)

• 10T Half (10/100BaseTX)

• 10T Full (10/100BaseTX)

• 100TX Half (10/100BaseTX)

• 100TX Full (10/100BaseTX)

• 100FX Full (100BaseFX) (default for 100FX)

Flow Control: This parameter applies to full duplex ports only. Flow control is optionally implemented using the 802.3x specification for PAUSE packets. When congested, the switch will send PAUSE packets to attached devices to request temporary suspension of transmission of further frames. The following values may be selected:

• Enabled

• Disabled

Default value = Disabled

FEFI: When selected, this feature will send an alarm signal to the far-end transmitter of an optical port if the near-end receiver detects loss of signal. Also, if an alarm signal is received from a far-end transmitter, the near-end port will report its link status as down (even though it is receiving a good optical signal). The intent is to report a full duplex optical link as down even when a signal failure (for example, a fiber cut) occurs in only one direction. This is useful for automatic link recovery procedures. This parameter is ignored for copper ports.

Admin Status: Enables you to set the activity status of the port. A setting of Disabled completely turns off the port’s transmit and receive functions. By factory default all ports except the last Ethernet port (E2 on the DX40, E4 on the DX800) are disabled.

The following values may be selected:

• Enabled

• Disabled

Default value = Enabled


3.3.1.2 Ports: Status

This screen enables you to quickly determine the capabilities and current status of each Ethernet port in the system.

Figure 3-28. Ethernet: Ports: Status

Table 3-28 describes the information displayed in the fields of the Ports: Status screen.

Table 3-28. Ethernet: Ports: Status

Field Name Field Value

Port ID: Uniquely identifies a logical Ethernet port that corresponds to a physical, labeled interface on the exterior of the product chassis.

Interface Type: A READ-ONLY field that indicates what interface is physically installed for the port specified in the Port ID column. This parameter is based on the product model and can be one of the following:

• 10/100BaseT

• 100BaseFX

Speed: A READ-ONLY field that indicates the actual speed of the communication channel. If you selected a particular Media Type in the Ports: Settings screen (Section 3.3.1.1), the displayed speed will match that selection. If you selected “Auto” this field will display the actual negotiated speed. This parameter may take one of the following values:

• 10

• 100


Duplex: A READ-ONLY field that indicates the actual duplex of the communication channel. If you selected a particular Media Type in the Ports: Settings screen (Section 3.3.1.1), the displayed duplex value will match that selection. If you selected “Auto” this field will display the actual negotiated duplex value. This parameter may take one of the following values:

• Half

• Full

Oper Status: A READ-ONLY field that indicates the current operational status of the port. This parameter may take one of the following values:

• Up – the port is enabled and a link is detected.

• Down – the port is enabled but there is no link.

• Disabled – the port is administratively disabled.

3.3.1.3 Ports: Summary Statistics

This screen displays basic counters for each Ethernet port in the system. All of the statistics for a port are grouped into a table. You can reload the statistics by clicking the Refresh button.

The Summary Statistics screen is illustrated in Figure 3-29.

Figure 3-29. Ethernet: Ports: Summary Statistics

Table 3-29 describes the parameters viewable in the Summary Statistics screen.

Table 3-29. Ethernet: Ports: Summary Statistics

Field Name Field Value

Port ID: Uniquely identifies an Ethernet interface.

Rx Packets: The total number of packets (including bad packets, broadcast packets, and multicast packets) received.

Rx Octets: The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).

Tx Packets: The total number of packets (including broadcast packets and multicast packets) transmitted.

Tx Octets: The total number of octets of data transmitted on the network (excluding framing bits but including FCS octets).

CRC Errors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.

All Errors: The total number of errors detected.

3.3.1.4 Ports: Extended Statistics

To display this screen click a hyperlinked Port ID in the Ports: Summary Statistics screen, explained in Section 3.3.1.3. The Extended Statistics screen displays a detailed set of counters for each Ethernet port in the system. The statistics may be re-loaded by clicking the "Refresh" button.

Figure 3-30. Ethernet: Ports: Extended Statistics

Table 3-30 describes the parameters viewable in both the Main and the Ports: Extended Statistics screens.

Table 3-30. Ethernet: Ports: Extended Statistics

Field Name Field Value

Rx Octets: The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).

Rx Packets: The total number of packets (including bad packets, broadcast packets, and multicast packets) received.

Rx Broadcast: The total number of good packets received that were directed to the broadcast address. Note that this number does not include packets directed to a multicast address.

Rx Unicast: The total number of good packets received that were directed to a unicast address.

Rx Multicast: The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

Rx Pause: Total number of PAUSE frames received.

Rx 64 Octets: The total number of packets (including bad packets) received that were exactly 64 octets in length (excluding framing bits but including FCS octets).

Rx 65 to 127: The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).

Rx 128 to 255: The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).

Rx 256 to 511: The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).

Rx 511 to 1023: The total number of packets (including bad packets) received that were between 511 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).

Rx 1023 to Max: The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).

Tx Octets: The total number of octets of data transmitted on the network (excluding framing bits but including FCS octets).

Tx Packets: The total number of packets (including broadcast packets and multicast packets) transmitted.

Tx Broadcast: The total number of packets transmitted that were directed to the broadcast address. Note that this number does not include packets directed to a multicast address.


Tx Unicast: The total number of good packets transmitted that were directed to a unicast address.

Tx Multicast: The total number of packets transmitted that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

Tx Pause: Total number of PAUSE frames transmitted.

Tx 64 Octets: The total number of packets transmitted that were exactly 64 octets in length (excluding framing bits but including FCS octets).

Tx 65 to 127: The total number of packets transmitted that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 128 to 255: The total number of packets transmitted that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 256 to 511: The total number of packets transmitted that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 511 to 1023: The total number of packets transmitted that were between 511 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).

Tx 1023 to Max: The total number of packets transmitted that were between 1023 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).

CRC Errors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.

Alignment Errors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad FCS with a non-integral number of octets.

Undersized: The total number of packets received that were less than 64 octets long (excluding frame bits, but including FCS octets) and were otherwise well formed.

Oversized: The total number of packets received that were longer than 1518 octets (excluding frame bits, but including FCS octets) and were otherwise well formed.

Fragments: The total number of packets received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Table 3-30. Ethernet: Ports: Extended Statistics

Field Name Field Value


Jabbers: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Filtered: The total number of valid frames received that are not forwarded to a destination port.

Discards: The total number of valid frames that were discarded due to lack of buffer space.

Collisions: The total number of collisions on this Ethernet segment.

Excessive: The total number of frames not transmitted because the frame experienced too many transmission attempts and was discarded.

Single: The total number of successfully transmitted frames that experienced exactly one collision.

Multiple: The total number of successfully transmitted frames that experienced more than one collision.

Late: The total number of times a collision is detected later than 512 bit-times into the transmission of a frame.

Deferred: The total number of successfully transmitted frames that are delayed because the medium was busy during the first attempt.

3.3.1.5 Ports: Mirroring

This screen enables you to configure Ethernet port mirrors. Port mirroring forwards a copy of each incoming and outgoing packet from one port of a DX800 to another port on the DX800, where the traffic can be monitored and/or analyzed.

NOTE: Port mirroring is not supported on the DX40.

Figure 3-31. Ethernet: Ports: Mirroring

Table 3-31 describes the parameters that can be viewed and edited in the Ports: Mirroring screen.

Table 3-31. Ports: Mirroring

Field Name Field Value

Port ID: Uniquely identifies a logical Ethernet port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Copy to: Uniquely identifies the logical Ethernet port to which packets ingressing and egressing on this port will be copied.

The default is "None," indicating that packets for the port are not copied to any other port.

3.3.2 Bridge

The Bridge screens enable you to configure and monitor Media Access Control (MAC) addresses.

The bridge maintains the following types of MAC addresses in its station cache:

1. Static – This is a MAC address that you enter and specify as entry type “Configured” in the Bridge: Static MACs screen, described in Section 3.3.2.3.

2. Dynamic – This is an address that is added to the station cache when the bridge detects a new address from a packet’s source address field. The bridge stores this address along with the ID of the port on which it was received. A learned address is maintained in the station cache so long as it remains active in the system - a condition that is determined by the “aging interval.” For details see the Bridge: Global Settings screen, described in Section 3.3.2.1, and the Bridge: Station Cache screen, described in Section 3.3.2.4.

3. Learned – This is a static address that is learned by the bridge when address-based Ethernet port security is enabled for a port. Once a static address has been learned for a secure port, the port will be disabled if frames sourced from any other MAC address are received. See the Ethernet Port screen, described in Section 3.7.2, for more information.

3.3.2.1 Bridge: Global Settings

This screen displays the aging interval applied to MAC addresses learned by the bridge and enables you to edit that setting.

Figure 3-32. Ethernet: Bridge: Global Settings

Table 3-32 describes the parameter you can configure in the Ethernet: Bridge: Global Settings screen.

Table 3-32. Ethernet: Bridge: Global Settings

Field Name Field Value

Aging Interval: Entries (MAC addresses) learned by the bridge are deleted from the cache after they have been in the cache for the specified aging time without another packet arriving with the same source address.

Default value = 300 seconds (5 minutes)

Valid range = 15 seconds - 1,800 seconds (30 minutes)
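The station cache behaviour described in Section 3.3.2 (static, dynamic and learned entries, and port security disabling a secure port on a second source address) together with the Aging Interval above, as an added Python model that is not GarrettCom's code. It assumes a static entry is never moved to another port, that a secure port learns only the first address it sees, and that time is a caller-supplied clock in seconds; MAC addresses are accepted in either notation the Static MACs screen allows.

```python
import re
from dataclasses import dataclass

AGING_MIN, AGING_MAX, AGING_DEFAULT = 15, 1800, 300   # seconds, per Table 3-32

# The Static MACs screen accepts colon- or hyphen-separated octets.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(text):
    """Accept 01-02-03-04-05-06 or 01:02:03:04:05:06 (one separator style per
    address) and return the lower-case colon form used as the cache key."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.lower().replace("-", ":")


def aging_interval_valid(seconds):
    return AGING_MIN <= seconds <= AGING_MAX


@dataclass
class Entry:
    mac: str
    port: str
    kind: str          # "static", "dynamic" or "learned"
    last_seen: float   # seconds; refreshed only for dynamic entries


class StationCache:
    """Model (an assumption, not the device's implementation) of the bridge
    station cache: static entries never age, dynamic entries age out after the
    aging interval, and a secure port keeps the first address it sees."""

    def __init__(self, aging_interval=AGING_DEFAULT):
        if not aging_interval_valid(aging_interval):
            raise ValueError(f"aging interval must be {AGING_MIN}-{AGING_MAX} s")
        self.aging = aging_interval
        self.entries = {}           # mac -> Entry
        self.secure_ports = set()   # ports with address-based port security
        self.disabled_ports = set()

    def add_static(self, mac, port):
        """Equivalent of adding a Configured entry in the Static MACs screen."""
        mac = normalize_mac(mac)
        self.entries[mac] = Entry(mac, port, "static", 0.0)

    def enable_port_security(self, port):
        self.secure_ports.add(port)

    def expire(self, now):
        """Drop dynamic entries not refreshed within the aging interval;
        returns how many were removed."""
        stale = [m for m, e in self.entries.items()
                 if e.kind == "dynamic" and now - e.last_seen > self.aging]
        for m in stale:
            del self.entries[m]
        return len(stale)

    def frame_received(self, port, src_mac, now):
        """Process the source address of a frame arriving on a port. Returns the
        resulting entry kind, or None if the frame was dropped because the port
        is (or has just been) disabled."""
        mac = normalize_mac(src_mac)
        if port in self.disabled_ports:
            return None
        self.expire(now)
        if port in self.secure_ports:
            learned = [e for e in self.entries.values()
                       if e.port == port and e.kind == "learned"]
            if learned and learned[0].mac != mac:
                self.disabled_ports.add(port)   # second address on a secure port
                return None
            if not learned:
                self.entries[mac] = Entry(mac, port, "learned", now)
            return "learned"
        entry = self.entries.get(mac)
        if entry is not None and entry.kind != "dynamic":
            return entry.kind   # static and learned entries are not relearned or moved
        self.entries[mac] = Entry(mac, port, "dynamic", now)   # learn or refresh
        return "dynamic"

    def port_for(self, mac):
        entry = self.entries.get(normalize_mac(mac))
        return entry.port if entry else None
```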


3.3.2.2 Bridge: Port Settings

The Bridge: Port Settings screen allows the user to choose whether an Ethernet port is part of the bridge or if packets may only be forwarded in software by the IP stack (that is, the port is "routed").

Figure 3-33. Ethernet: Bridge: Port Settings

Table 3-33 describes the parameters you can configure in the Ethernet: Bridge: Port Settings screen.

Table 3-33. Bridge: Port Settings

Field Name Field Value

Port: Uniquely identifies an Ethernet interface.

Bridged?: indicates whether or not this port participates in the Ethernet bridge function or if packets on this port are only forwarded by the IP stack's routing function:

• Yes – the port participates in the Ethernet bridge and frames may be forwarded between this port and other bridged ports at Layer 2. If a packet was sent to the router's MAC address, the packet may also be forwarded at Layer 3 if a route to the packet's destination is known (default)

• No – the port does not participate in the Ethernet bridge. If a packet is sent to the router's MAC address, the packet may be forwarded at Layer 3 if a route to the packet's destination is known


3.3.2.3 Bridge: Static MACs

The bridge station cache is a database that stores information about MAC addresses and their associated ports. This screen enables you to add the MAC addresses of stations to this cache or to remove them from the cache.

By factory default the static MAC address table is empty.

Figure 3-34. Ethernet: Bridge: Static MACs

Table 3-34 describes the uses of the fields of the Bridge: Static MACs screen.

Table 3-34. Ethernet: Bridge: Static MACs

Field Name Field Value

Add Static MAC Address Form

Static Source Address: Specify the static MAC Address of a station to add it to the bridge station cache.

MAC addresses are entered in their hexadecimal representation. Each octet must be separated by a colon or a hyphen (e.g. 01-02-03-04-05-06 or 01:02:03:04:05:06).

Source Port: Select a “Source Port” designation from the drop-down menu.

Existing Static MAC Addresses Table

Static Source Address: Lists the static MAC addresses already recognized in the system.

Source Port: Lists the source ports associated with static MAC addresses.

Entry Type: Indicates whether an entry in the table was configured by a user or learned by the MAC security feature.

Delete: Set the “Delete” checkbox in a row and click the Apply Settings button to delete the entry from the table and from the station cache.

3.3.2.4 Bridge: Station Cache

This screen enables you to view the station cache. The station cache is a database maintained by the Ethernet bridge that tracks MAC addresses of stations on the network and the ports associated with them. This form displays a snapshot of the contents of the Ethernet bridge station cache.

The cache can contain up to 1,024 entries.

The only administrative action available on this screen is provided by the Purge Dynamic Entries button. You might want to purge these learned addresses if you make changes to the network that are completed before the configured aging interval has elapsed. Otherwise the cached port/station relationship could be incorrect from the time you complete your changes until the old information ages out.

Figure 3-35. Ethernet: Bridge: Station Cache


Table 3-35 describes the uses of the fields and buttons in the Bridge: Station Cache screen.

Table 3-35. Bridge: Station Cache

Field Name Field Value

Source Address: MAC address of a station known to be active in the system.

An Ethernet packet that has a destination address that matches an entry in the table is forwarded out the interface shown in the Source Port column in the same row.

Source Port: Identifies the port associated with the address in the Source Address column.

Entry Type: There are three entry types:

• Static – Entries that are set by the user. These are not removed automatically.

• Dynamic – Entries that are learned by the bridge. These are removed automatically from the cache if they are not refreshed within the "aging interval." (The aging interval is specified in the Bridge: Global Settings screen, described in Section 3.3.2.1.)

• Learned – A static address that is learned by the bridge when address-based Ethernet port security is enabled for a port. Once a static address has been learned for a secure port, the port will be disabled if frames sourced from any other MAC address are received. See the Ethernet Port screen, described in Section 3.7.2, for more information.
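The three entry types above, the aging interval, the MAC address syntax accepted by the Static MACs screen and the port-security behaviour of a Learned entry are easiest to see together in a small model. The following Python is an added example, not GarrettCom code: it models the cache behaviour the guide describes, and the port names, MAC addresses and traffic in it are constructed. The class and function names are illustrative.

```python
"""Bridge station cache model: Static, Dynamic and Learned entries.

Added example, not GarrettCom code. Dynamic entries age out after the
aging interval, static entries never do, and a secure port pins the first
source MAC it sees as a Learned entry and is disabled if a frame from any
other MAC arrives on it. Port names, MACs and traffic are constructed.
"""
import re

# The screen accepts colon or hyphen separators; the whole address must use one of them.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(text):
    """Return the address in lower-case colon form, e.g. '01-02-03-04-05-06' -> '01:02:03:04:05:06'."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError("malformed MAC address: %r" % text)
    return text.replace("-", ":").lower()


class StationCache:
    MAX_ENTRIES = 1024  # the Station Cache screen reports a capacity of 1,024 entries

    def __init__(self, aging_interval=300, secure_ports=()):
        if not 15 <= aging_interval <= 1800:  # Bridge: Global Settings valid range
            raise ValueError("aging interval must be 15..1800 seconds")
        self.aging = aging_interval
        self.secure_ports = set(secure_ports)
        self.entries = {}          # mac -> {"port", "type", "last_seen"}
        self.disabled_ports = set()

    def add_static(self, mac, port):
        """Bridge: Static MACs screen: a user-configured entry that is never aged."""
        self.entries[normalize_mac(mac)] = {"port": port, "type": "Static", "last_seen": None}

    def learn(self, src_mac, port, now):
        """Process the source address of a frame received on `port` at time `now` (seconds)."""
        if port in self.disabled_ports:
            return "dropped: port disabled"
        mac = normalize_mac(src_mac)
        if port in self.secure_ports:
            pinned = [m for m, e in self.entries.items()
                      if e["type"] == "Learned" and e["port"] == port]
            if not pinned:
                self.entries[mac] = {"port": port, "type": "Learned", "last_seen": None}
                return "learned (secure)"
            if mac not in pinned:
                self.disabled_ports.add(port)    # port-security violation: shut the port
                return "port disabled: foreign MAC %s" % mac
            return "ok"
        entry = self.entries.get(mac)
        if entry is not None and entry["type"] != "Dynamic":
            return "ok"                          # static/learned entries are never relearned
        if entry is None and len(self.entries) >= self.MAX_ENTRIES:
            return "cache full"
        self.entries[mac] = {"port": port, "type": "Dynamic", "last_seen": now}
        return "learned (dynamic)"

    def age(self, now):
        """Remove dynamic entries not refreshed within the aging interval; return them."""
        expired = sorted(m for m, e in self.entries.items()
                         if e["type"] == "Dynamic" and now - e["last_seen"] >= self.aging)
        for m in expired:
            del self.entries[m]
        return expired

    def purge_dynamic(self):
        """The Purge Dynamic Entries button: drop every dynamic entry at once."""
        dynamic = [m for m, e in self.entries.items() if e["type"] == "Dynamic"]
        for m in dynamic:
            del self.entries[m]
        return len(dynamic)

    def lookup(self, dst_mac):
        """Forwarding decision: the port a frame to dst_mac is sent out, or None (unknown, flood)."""
        e = self.entries.get(normalize_mac(dst_mac))
        return e["port"] if e else None


if __name__ == "__main__":
    cache = StationCache(aging_interval=300, secure_ports={"E3"})
    print(cache.learn("00-00-5E-00-53-01", "E1", now=0))   # learned (dynamic)
    print(cache.learn("00:00:5e:00:53:a1", "E3", now=1))   # learned (secure)
    print(cache.learn("00:00:5e:00:53:a2", "E3", now=2))   # port disabled: foreign MAC ...
    print(cache.age(now=300))                              # ['00:00:5e:00:53:01']
```

Note that a disabled secure port stays disabled until an administrator re-enables it; the model does not time it out, and neither does the guide describe any automatic recovery.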


3.3.3 RSTP

The RSTP screens enable you to configure Rapid Spanning Tree Protocol (RSTP). For more on RSTP see Section 5.6, “RSTP”.

3.3.3.1 RSTP: Bridge Settings

This screen enables you to configure bridge-specific Rapid Spanning Tree Protocol (RSTP) settings.

Figure 3-36. Ethernet: RSTP: Bridge Settings

Table 3-36 describes the bridge parameters you can view and configure in the RSTP: Bridge Settings form.

Table 3-36. RSTP: Bridge Settings

Field Name Field Value

Protocol: Select whether or not to run the Spanning Tree Protocol. This parameter can take one of the following values:

• Enabled

• Disabled

Default value = disabled

Priority: Used by the IEEE 802.1d spanning tree algorithm to determine the root of the interconnected network. Bridge priority provides a means of assigning relative priority to each bridge within the set of bridges in the bridged LAN.

Valid range = 0-65535

Default value = 32768

Numerically lower values indicate higher priorities.


Hello Time: The amount of time between the transmission of configuration BPDUs on any port.

Valid range = 1-10 seconds

Default value = 2 seconds

Forward Delay: Controls how long the bridge waits after any state or topology change before forwarding the information to the network.

Valid range = 4-30 seconds

Default value = 15 seconds

Maximum Age: Specifies the age of STP information learned from the network on any port before it is discarded.

Valid range = 6-40 seconds

Default value = 20 seconds

Cost Style: Specifies whether 16-bit (STP-style) or 32-bit (RSTP-style) path cost values are used. This parameter can take one of the following values:

• 32-bit

• 16-bit

Default value = 16-bit

3.3.3.2 RSTP: Port Settings

This page enables you to configure port-specific Rapid Spanning Tree Protocol (RSTP) parameters.

Figure 3-37. Ethernet: RSTP: Port Settings


Table 3-37 describes the port parameters you can view and configure in the RSTP: Port Settings form.

Table 3-37. RSTP: Port Settings

Field Name Field Value

Port ID: Uniquely identifies an Ethernet interface.

Mode: The mode the switch will use on this port for RSTP operation. This parameter can take one of the following values:

• Legacy – The port uses STP only.

• Auto – The port automatically determines the correct mode based on received BPDUs.

• Edge – The port uses RSTP and is connected to an end system where no loops are possible.

• Point – The port uses RSTP and is connected to another switch (that runs RSTP) over a point-to-point link where loops may be possible.

Default value = Auto

Priority: The priority part of the port identifier.

Valid range = 0-255

Default value = 128

Numerically lower values indicate higher priorities.
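The bridge Priority, the three timers and the rule that lower values win are what decide which device becomes root, and a device left at the default 32768 will concede the root role to anything advertising a lower value. The following Python is an added example, not GarrettCom code: it builds bridge identifiers from the Priority field and a bridge MAC, runs the election, and checks the timer relationship that 802.1D requires between Hello Time, Forward Delay and Maximum Age. Bridge names and MAC addresses are constructed.

```python
"""Root bridge election and spanning-tree timer checks.

Added example, not GarrettCom code. The Priority value from RSTP: Bridge
Settings is combined with the bridge MAC address into the bridge identifier
that decides the root; check_timers applies the 802.1D constraints on the
three timers. Bridge names and MAC addresses are constructed.
"""


def bridge_id(priority, mac):
    """64-bit bridge identifier: 16-bit priority in the high bytes, 48-bit MAC below.
    The numerically lowest identifier wins the root election."""
    if not 0 <= priority <= 65535:            # valid range from the Bridge Settings table
        raise ValueError("bridge priority must be 0..65535")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address longer than 48 bits: %r" % mac)
    return (priority << 48) | mac_int


def format_bridge_id(bid):
    """Render as 'priority/aa:bb:cc:dd:ee:ff', the usual Bridge ID display."""
    pri, mac = bid >> 48, bid & ((1 << 48) - 1)
    octets = ":".join("%02x" % ((mac >> (8 * i)) & 0xFF) for i in reversed(range(6)))
    return "%d/%s" % (pri, octets)


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Return the name of the bridge that becomes root.
    Equal priorities are broken by the lower MAC address."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def check_timers(hello, forward_delay, max_age):
    """Return a list of problems with a candidate (Hello Time, Forward Delay, Maximum Age).

    Range limits are those of the RSTP: Bridge Settings screen; the two
    inequalities are the 802.1D constraints that keep a bridge from forwarding
    before stale topology information has been discarded."""
    problems = []
    if not 1 <= hello <= 10:
        problems.append("Hello Time outside 1..10 s")
    if not 4 <= forward_delay <= 30:
        problems.append("Forward Delay outside 4..30 s")
    if not 6 <= max_age <= 40:
        problems.append("Maximum Age outside 6..40 s")
    if max_age > 2 * (forward_delay - 1):
        problems.append("Maximum Age must be <= 2 * (Forward Delay - 1)")
    if max_age < 2 * (hello + 1):
        problems.append("Maximum Age must be >= 2 * (Hello Time + 1)")
    return problems


if __name__ == "__main__":
    # Constructed bridges: the intended root at 4096 beats everything left at the
    # default 32768, and an unmanaged device at priority 0 beats the intended root.
    lan = {
        "core1":  (4096,  "00:00:5e:00:53:01"),
        "core2":  (8192,  "00:00:5e:00:53:02"),
        "access": (32768, "00:00:5e:00:53:10"),
    }
    print(elect_root(lan))                     # core1
    lan["rogue"] = (0, "00:00:5e:00:53:ff")
    print(elect_root(lan))                     # rogue
    print(format_bridge_id(bridge_id(*lan["rogue"])))
    print(check_timers(2, 15, 20))             # [] : the defaults are consistent
```

The practical point of the election function is the second print: any device that can inject BPDUs with a lower priority takes over the root role and re-routes Layer 2 traffic, so the intended root should be given an explicit low priority and ports facing end systems should not be left in Auto mode if the link can never carry a bridge.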


3.3.3.3 RSTP: Bridge Status

This page enables you to view bridge-specific RSTP counters and status.

Figure 3-38. Ethernet: RSTP: Bridge Status

Table 3-38 describes the bridge status and counters you can view in the RSTP: Bridge Status table.

Table 3-38. RSTP: Bridge Status

Field Name Field Value

Bridge Status: This parameter can take one of the following values:

• Root

• Designated

• Not Designated

Bridge ID: The bridge identifier, which consists of the bridge priority and the bridge address.

Root ID: The bridge identifier of the root.

Root Port: The Ethernet port that provides connectivity towards the root bridge for this network.

Root Path Cost: The total cost of the path to the root bridge. This is the summation of the costs of each link in the path to the root.

Configured Hello Time: The locally configured Hello Time.


Learned Hello Time: The actual Hello Time provided by the root bridge through configuration BPDUs.

The learned Hello Time is used in all designated bridges.

Configured Forward Delay: The locally configured Forward Delay.

Learned Forward Delay: The actual Forward Delay provided by the root bridge through configuration BPDUs.

The learned Forward Delay is used in all designated bridges.

Configured Maximum Age: The locally configured Maximum Age.

Learned Maximum Age: The actual Maximum Age provided by the root bridge through configuration BPDUs.

The learned Maximum Age is used in all designated bridges.

Topology Changes: The total number of topology changes that have been detected by this bridge since the last time statistics were cleared, or since the device was powered on (whichever event is more recent).

3.3.3.4 RSTP: Port Status

This page enables you to view port-specific RSTP counters and status.

Figure 3-39. Ethernet: RSTP: Port Status


Table 3-39 describes the port status and counters you can view in the RSTP: Port Status table.

Table 3-39. RSTP: Port Status

Field Name Field Value

Port ID: Unique port identifier.

State: This parameter can take one of the following values:

• Disabled

• Blocking

• Forwarding

• Learning

• Listening

Role: This parameter can take one of the following values:

• Root

• Designated

• Backup

• Alternate

Cost: The cost metric associated with this port. This is automatically determined based on the speed of the interface and the configured cost style (32-bit or 16-bit).

Rx CFGs: The number of STP configuration BPDUs received on this port.

Rx TCNs: The number of STP TCNs (Topology Change Notifications) received on this port.

Rx RSTPs: The number of RSTP BPDUs received on this port.

Tx BPDUs: The number of BPDUs (STP or RSTP) transmitted on this port.


3.3.4 VLAN

For a discussion of VLAN configuration see Section 5.7, “VLAN”.

3.3.4.1 VLAN: Global Settings

This screen enables you to enable VLAN functionality on the switch.

Figure 3-40. Ethernet: VLAN: Global Settings

Table 3-40 describes the parameters you can view and configure in the VLANs: Global Settings screen.

Table 3-40. VLANs: Global Settings

Field Name Field Value

Mode: Indicates whether or not the switch is VLAN-aware.

• Enabled – perform ethernet switching based on VLAN tags and configured port membership.

• Disabled – ignore VLAN tags and port memberships when performing Ethernet switching.

Default value = Disabled


3.3.4.2 VLAN: VIDs

This screen enables you to add and delete up to 16 VLAN IDs (VIDs). It also serves to show a summary of the VLAN configuration.

Figure 3-41. Ethernet: VLAN: VIDs

Table 3-41 describes the parameters you can view and configure in the VLAN: VIDs screen.

Table 3-41. VLAN: VIDs

Field Name Field Value

Add VLAN Form

VID: A unique numerical identifier assigned to this VLAN.

Valid range = 1-4094.

VLAN Name: Give this VLAN a meaningful name of up to 23 printable characters.

Existing VLANs Table

VID: A unique numerical identifier assigned to this VLAN.

Valid range = 1-4094.

VLAN Name: An administratively assigned name. You can modify this name in the Existing VLANs table. The change will take effect when you click Apply Settings.

Tagged Ports: Lists the Ethernet ports that have "Tagged?" set to "Yes" and are members of this VLAN. (The “Tagged?” parameter is set in the VLAN: Port Settings screen. See Section 3.3.4.3.)

Untagged Ports: Lists the Ethernet ports that have "Tagged?" set to "No" and are members of this VLAN. (The “Tagged?” parameter is set in the VLAN: Port Settings screen. See Section 3.3.4.3.)

Delete: Set the Delete checkbox in a row in the Existing VLANs table and click Apply Settings to delete that VLAN.

VLAN deletion will fail if that VLAN is referenced by any port. The Default VLAN, 1, cannot be deleted.

3.3.4.3 VLAN: Port Settings

This screen enables you to configure VLAN operation on a per-port basis. The options are simplified and based on common VLAN usage scenarios and network topologies.

Figure 3-42. Ethernet: VLAN: Port Settings

Table 3-42 describes the VLAN parameters you can configure in the Port Settings form.

Table 3-42. VLAN: Port Settings

Field Name Field Value

Port ID: Unique identifier for this port.

PVID: This is the native VLAN assigned to this port. When the port receives an untagged frame, an 802.3ac VLAN tag is added to the frame using the port's PVID. When an access port receives a tagged frame, the frame is discarded unless its VID matches the port's PVID. When a port receives a priority-tagged frame, the tag's VID is set to the port's PVID.

Default value = 1.


Mode: This is the port type with respect to VLAN operation.

• An access port is typically connected to an end station and supports a single VLAN. When a port is set to Access mode, the "Prohibited VLANs" field (which only applies to Trunk ports) is disabled.

• A trunk port is typically connected to another switch and by default supports all configured VLANs. When a port is set to Trunk, the "Tagged?" field is automatically set to "Yes" and the "Prohibited VLANs" field is enabled.

Default value = Access

Tagged?: The available options for this field have the following significance:

• No – the port strips all VLAN tags before transmitting frames.

• Yes – the port ensures that a VLAN tag is present in a frame before transmission.

Default value = No

Prohibited VLANs: This is a list of VLANs to prohibit from a Trunk port. By default, this field is blank and the port allows all configured VLANs. By setting the Prohibited VLANs list, the user can filter certain VLANs on the trunk. The Trunk's PVID is not allowed in the Prohibited VLANs list for the port. This field is disabled when the port mode is set to "Access".

Enter the VID numbers of prohibited VLANs separated by commas. A continuous range of VIDs can be indicated by a dash. For example: 4, 6-8, 12, 15.
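The PVID, Mode, Tagged? and Prohibited VLANs fields together define what a port does with each frame on ingress and egress. The following Python is an added example, not GarrettCom code: it applies the rules from the VLAN: VIDs and VLAN: Port Settings tables to constructed frames, including the case that matters for segmentation, a frame that arrives on an access port already tagged for a different VLAN. Port names, VIDs, the `Frame` type and the traffic are constructed; the function names are illustrative.

```python
"""VLAN classification on ingress and tagging on egress, per port.

Added example, not GarrettCom code. Implements the PVID, Access/Trunk,
Tagged? and Prohibited VLANs rules from the VLAN: Port Settings table and the
Prohibited VLANs list syntax ('4, 6-8, 12, 15'). Ports and frames are constructed.
"""
from collections import namedtuple

# vid=None: untagged frame; vid=0: priority-tagged (802.1Q tag carrying VID 0); else tagged.
Frame = namedtuple("Frame", "src dst vid")


def parse_vid_list(text):
    """Parse the Prohibited VLANs syntax, e.g. '4, 6-8, 12, 15', into a set of VIDs."""
    vids = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("descending range %r" % part)
            members = range(lo, hi + 1)
        else:
            members = [int(part)]
        for v in members:
            if not 1 <= v <= 4094:               # valid VID range from the VIDs screen
                raise ValueError("VID out of range: %d" % v)
            vids.add(v)
    return vids


class Port:
    def __init__(self, name, mode="Access", pvid=1, tagged=False, prohibited=""):
        if mode not in ("Access", "Trunk"):
            raise ValueError("mode must be Access or Trunk")
        self.name, self.mode, self.pvid = name, mode, pvid
        self.tagged = True if mode == "Trunk" else tagged       # Trunk forces Tagged? = Yes
        self.prohibited = parse_vid_list(prohibited) if mode == "Trunk" else set()
        if self.pvid in self.prohibited:
            raise ValueError("PVID %d may not be prohibited on %s" % (pvid, name))


def ingress(port, frame, configured_vids):
    """Return the VID the frame is classified into, or None if it is discarded."""
    if frame.vid is None or frame.vid == 0:
        vid = port.pvid                          # untagged / priority-tagged -> PVID
    elif port.mode == "Access":
        if frame.vid != port.pvid:
            return None                          # tagged for another VLAN: discarded
        vid = frame.vid
    else:
        if frame.vid in port.prohibited:
            return None                          # filtered on this trunk
        vid = frame.vid
    return vid if vid in configured_vids else None


def egress(port, vid):
    """Return 'tagged', 'untagged', or None if the VLAN is not sent out this port."""
    if port.mode == "Access" and vid != port.pvid:
        return None
    if vid in port.prohibited:
        return None
    return "tagged" if port.tagged else "untagged"


def forward(ports, in_port, frame, configured_vids):
    """Which ports (other than the ingress port) carry the frame, and in what form."""
    vid = ingress(in_port, frame, configured_vids)
    if vid is None:
        return {}
    return {p.name: egress(p, vid) for p in ports
            if p is not in_port and egress(p, vid) is not None}


if __name__ == "__main__":
    vids = {1, 10, 20, 30}
    e1 = Port("E1", "Access", pvid=10)
    e2 = Port("E2", "Access", pvid=20)
    e8 = Port("E8", "Trunk", pvid=1, prohibited="30")
    print(forward([e1, e2, e8], e1, Frame("a", "b", None), vids))   # {'E8': 'tagged'}
    print(forward([e1, e2, e8], e1, Frame("a", "b", 20), vids))     # {} : tag for VLAN 20 dropped on access port
```

The last line is the check worth running against any port facing an end station: a tagged frame for a VLAN other than the PVID must be dropped at ingress, otherwise a host can choose its own VLAN. On trunks, the Prohibited VLANs list is the only per-port filter available, so any VLAN not listed there is carried.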


CHAPTER 3 - System Administration: Serial Tasks

3.4 Serial Tasks

The following subsections describe the tasks that you can perform using the screens of the Serial Tasks branch.

3.4.1 Ports

The Ports screens enable you to configure and monitor serial ports.

3.4.1.1 Ports: Profiles

This screen enables you to add and configure serial port profiles.

The Add New Profile Form enables you to add a new profile to the table of existing profiles. The values shown in Figure 3-43 are the default values presented in this table when the page loads or re-loads. After setting the appropriate parameters and giving the profile a name, press the Apply Settings button and the profile is added to the Edit Existing Profiles table.

The Edit Existing Profiles table enables you to change one or more of the parameters in a profile. Each profile entry has a checkbox in the “Delete” column. You can delete one or more profiles by checking the appropriate box and pressing the Apply Settings button. You can make any number of changes to the table; however, none of these changes take effect until the Apply Settings button is pressed. Pressing the Reset Settings button will reset all modified fields to the value they had when the page originally loaded.

To supply the correct values for each of the parameters in the Profiles screen you need to know the specifications of the device with which each port will be communicating. This information can usually be found in the installation documentation of the communicating device.


Systems are shipped from the factory with a single default profile called “Default”.

Figure 3-43. Serial: Ports: Profiles

Table 3-43 describes the parameters in the Ports: Profiles screen.

Table 3-43. Ports: Profiles

Field Name Field Value

Profile Name: A user-assigned name for this profile. When you assign a profile to a port (in the Ports: Settings screen, described in Section 3.4.1.2), you select this name in the “Profile” drop-down box.

Interface Standard: The physical interface standard used by the port. This parameter may take one of the following values:

• RS-232 (RTS always asserted)

• RS-232 Half (RTS asserted only when transmitting)

• RS-485 2-wire (half duplex operation)

• RS-485 4-wire (full duplex operation)

Default value = RS-232


Speed: The baud rate of the port. This parameter may take one of the following values:

• 300

• 600

• 1200

• 2400

• 4800

• 9600

• 19200

• 28800

• 33600

• 38400

• 57600

• 115200

• 230400

Default value = 9600

Data Bits: The total number of bits in a character. This parameter may take one of the following values:

• 7

• 8

Default value = 8

Stop Bits: The duration of the MARK condition on the line after character transmission is complete. This parameter may take one of the following values:

• 1

• 1.5

• 2

Default value = 1

Parity: This parameter may take one of the following values:

• None

• Even

• Odd

Default value = None


Flow Control: The type of flow control implemented. This parameter may take one of the following values:

• None

• XON/XOFF – Software flow control. Unit will stop transmitting if an XOFF (19) character (CTL-S) is detected in the received stream and will start when an XON (17) character (CTL-Q) is detected.

• RTS/CTS – Hardware flow control. Unit will stop transmitting if CTS is de-asserted.

Default value = None

Ignore DSS: This parameter takes one of the following values:

• No: The Oper State of the port is UP if the DSR or DCD handshake signal is on and the Admin State is ENABLED.

• Yes: The Oper State of the port is UP if the Admin State is ENABLED

Default value = No

Pkt Char: This parameter defines a special character in the data stream that forces a packetization event. This parameter may take any value from 0 to 255. If this parameter is set to the label “None” packetization will not occur based on a received character.

Default value = None

Pkt Time (ms): This parameter defines a timeout value in milliseconds. If an additional character is not received before the timer expires, a packetization event occurs. The special value 0 disables the packetization timer.

Valid range = 10 msec to 1 second.

Default value = 10

Max Pkt Size (bytes): This parameter defines a maximum packet size. When the number of received characters reaches this maximum, a packetization event occurs.

Valid range = 32 to 1024. (Note that this means no packet will hold more than 1024 serial characters. The actual packet size will be larger than this when network headers and encryption overhead are taken into account.)

Default value = 1024

T/A Time (ms): This parameter defines a turnaround time for the serial port. The turnaround time is an enforced minimum delay between received network packets that are sent out the serial port. The purpose of the minimum delay is to give legacy RTUs a chance to recover from the previous packet reception.

Default value = 0 (off)

Delete: Set the Delete checkbox in a row in the Edit Existing Profiles table and click Apply Settings to delete that profile.
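Pkt Char, Pkt Time and Max Pkt Size are three independent triggers that decide where the serial byte stream is cut into network packets, and T/A Time paces packets going the other way. The following Python is an added example, not GarrettCom code: it replays a constructed, timestamped byte stream through the three triggers as the profile table describes them and shows the turnaround spacing. The Modbus-RTU-like bytes and all timings are constructed; the class and function names are illustrative.

```python
"""Serial packetization driven by the Pkt Char, Pkt Time and Max Pkt Size
profile parameters, plus T/A Time pacing in the network-to-serial direction.

Added example, not GarrettCom code. Timings and data below are constructed.
"""


class Packetizer:
    def __init__(self, pkt_char=None, pkt_time_ms=10, max_pkt_size=1024):
        if pkt_char is not None and not 0 <= pkt_char <= 255:
            raise ValueError("Pkt Char must be 0..255 or None")
        if pkt_time_ms != 0 and not 10 <= pkt_time_ms <= 1000:   # 0 disables the timer
            raise ValueError("Pkt Time must be 0 or 10..1000 ms")
        if not 32 <= max_pkt_size <= 1024:
            raise ValueError("Max Pkt Size must be 32..1024 bytes")
        self.pkt_char, self.pkt_time_ms, self.max_pkt_size = pkt_char, pkt_time_ms, max_pkt_size
        self.buf = bytearray()
        self.last_rx_ms = None

    def _timer_expired(self, now_ms):
        return (self.buf and self.pkt_time_ms
                and now_ms - self.last_rx_ms >= self.pkt_time_ms)

    def _flush(self):
        pkt = bytes(self.buf)
        self.buf.clear()
        return pkt

    def feed(self, byte, now_ms):
        """Receive one character at now_ms; return the packets emitted (0, 1 or 2)."""
        out = []
        if self._timer_expired(now_ms):
            out.append(self._flush())          # the idle gap before this byte closed a packet
        self.buf.append(byte)
        self.last_rx_ms = now_ms
        if (self.pkt_char is not None and byte == self.pkt_char) \
                or len(self.buf) >= self.max_pkt_size:
            out.append(self._flush())          # special character or size limit reached
        return out

    def tick(self, now_ms):
        """Timer poll with no new character; flushes if the idle gap reached Pkt Time."""
        return [self._flush()] if self._timer_expired(now_ms) else []


def packetize(stream, **profile):
    """stream: iterable of (time_ms, byte). Returns the packets produced, including a
    final timer flush 1 s after the last byte when the timer is enabled."""
    p = Packetizer(**profile)
    packets, last = [], 0
    for t, b in stream:
        packets.extend(p.feed(b, t))
        last = t
    packets.extend(p.tick(last + 1000))
    return packets


def schedule_turnaround(arrivals_ms, ta_time_ms):
    """Network -> serial direction: enforce T/A Time as a minimum gap between the
    start of successive packets written to the port. Returns the transmit times."""
    tx_times, next_ok = [], 0
    for t in arrivals_ms:
        start = max(t, next_ok)
        tx_times.append(start)
        next_ok = start + ta_time_ms
    return tx_times


def constructed_stream():
    """Two Modbus-RTU-like bursts: 8 bytes at 1 ms spacing, a 50 ms idle gap, then 4 bytes."""
    first = [(i, b) for i, b in enumerate(b"\x01\x03\x00\x00\x00\x0a\xc5\xcd")]
    second = [(57 + i, b) for i, b in enumerate(b"\x01\x03\x02\x00")]
    return first + second


if __name__ == "__main__":
    for pkt in packetize(constructed_stream(), pkt_time_ms=10):
        print(pkt.hex())                                       # 0103000000 0ac5cd, then 01030200
    print(schedule_turnaround([0, 5, 100], ta_time_ms=20))    # [0, 20, 100]
```

With the default profile (Pkt Time 10 ms, no Pkt Char, Max Pkt Size 1024) the idle gap is the only thing separating RTU polls, so a protocol whose inter-character gap can exceed Pkt Time will be split into partial frames; raise Pkt Time or set Pkt Char to the protocol's terminator in that case.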


3.4.1.2 Ports: Settings

This form enables you to set high-level configuration parameters for a serial port. Most of the low-level serial port configuration is contained in the profile selected for each port. (For more on profiles see Ports: Profiles, explained in Section 3.4.1.1.)

Figure 3-44. Serial: Ports: Settings

Table 3-44 describes the values in the fields of the Ports: Settings screen.

Table 3-44. Ports: Settings

Field Name Field Value

Port ID: This value uniquely identifies a Serial interface.

Port Name: A user-assigned name for this port of up to 15 printable characters. This field is empty by factory default.

Profile: The serial profile assigned to this port. The assigned profile defines all of the communication parameters associated with this serial port. The default value is the default factory profile “Default”. (Profiles are set in the Ports: Profiles screen. See Section 3.4.1.1.)

Admin Status: The desired status of the port. This parameter is used to enable or disable the port.

This parameter can take the following values:

• Enabled – Port is UP

• Disabled – Port is DOWN

Default value = Disabled

Note: The actual status of the port is reported in the Oper Status column of the Ports: Status screen, explained in Section 3.4.1.3.


3.4.1.3 Ports: Status

This screen displays the current state of the Control Signals for each Serial port in the system.

Figure 3-45. Serial: Ports: Status

Table 3-45 describes the parameters displayed in the Ports: Status screen.

Table 3-45. Ports: Status

Field Name Field Value

Port ID: Uniquely identifies a Serial interface.

DCD: The current state of the Carrier Detect signal.

CTS: The current state of the Clear-to-Send signal.

DSR: The current state of the Data-Set-Ready signal.

Oper Status: The actual status of the port. This is a READ-ONLY parameter.

• If the Admin Status is set to “Disabled”, the Oper Status will always be “Down”.

• If the Admin Status is set to “Enabled” and the port is ready to send and receive data, the Oper Status will be “Up”.

• If the Admin Status is set to “Enabled” and the port is not ready to send and receive data, the Oper Status will be “Down”.

Note: The desired status of the port is set in the Admin Status column of the Ports: Settings screen, explained in Section 3.4.1.2.


3.4.1.4 Ports: Statistics

This screen displays counters for each Serial port in the system.

Figure 3-46. Serial: Ports: Statistics

The statistics for each port are grouped into separate rows. The “Last cleared” text under each table tells you when the counting of the displayed statistics began. All totals displayed are since the “Last cleared” date and time.

Ports: Statistics Screen Controls

The Ports: Statistics screen includes the following controls for viewing, clearing, and updating statistics:

• Refresh Button – Click this button to update the statistics.

• Clear Counters Button – Click this button to zero out all counters. Counting will begin again and the “Last cleared” date and time will be refreshed.

• Port ID hyperlink – The port ID in the leftmost column is a hyperlink. Click on the hyperlink to open the statistics for that port in a separate window.

Table 3-46 describes the parameters displayed in the Ports: Statistics tables.

Table 3-46. Ports: Statistics

Field Name Field Value

Port ID: Uniquely identifies a Serial interface.

Tx Char: The number of characters transmitted on this port.

Rx Char: The number of characters received on this port.

Breaks: The number of times a break was detected in the middle of receiving a character. A break is detected when an all-zero character with no stop bit is received.

Parity Errors: The number of times the calculated parity of a character did not match the configured parity mode. (Note: the character will be dropped.)

Framing Errors: The number of times a character without a valid stop bit was detected.

Overruns: The number of times a received character was dropped because it could not be buffered.

3.4.2 Terminal Server

The screens described in the following subsections enable you to configure and view your TCP/IP connections.

3.4.2.1 Terminal Server: Channel Settings

This screen enables you to configure the terminal server channel settings. For more on terminal server applications see Appendix A, “Terminal Server Application Notes”.

Figure 3-47. Serial: Terminal Server: Channel Settings


The Add New Channel Form is used to add new Terminal Server channels and to modify parameters for channels that have already been added to the system. Each channel has the capability to make a single outgoing connection and accept multiple incoming connections. By default, a single channel exists for each serial port.

Table 3-47 describes the parameters in the Terminal Server: Channel Settings screen.

Table 3-47. Terminal Server: Channel Settings

Field Name Field Value

Port: A unique identifier for the serial port being configured.

Call Direction: The direction in which the TCP connection will be established. This parameter takes one of the following values:

• In: The port acts like a passive TCP server, listening at the configured Local TCP port.

• Out: The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.

You can add multiple "Out" channels to a single serial port; however, you can have only a single "In" channel assigned to a serial port. You cannot assign two channels the same Local Address and Local Port.

Default value = In

Session Type: This parameter takes one of the following values:

• Raw: Provides a transparent pipe for serial data.

• Telnet: Enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).

Default value = Raw

Local IP: The local IP address upon which the server listens for connections when the direction is set to “In” or “Both”. This parameter may be set to any of the valid IP addresses configured for the system.

Default value = Management IP address of the device

Local TCP: The local TCP port upon which the server listens for connections. This parameter may be set to any value between 1000 and 65535.

Note: No two rows in the table may have the same Local IP and Local TCP combination.

Remote IP: The remote IP address that the client attempts to connect to when the direction is set to “Out” or “Both”. This parameter may be set to any IP address.

Default value = 0.0.0.0

Remote TCP: The remote TCP port to which the client attempts to connect. This parameter may be set to any value between 0 and 65535.

Default value = 0

Max Conn: The maximum number of incoming TCP connections to accept for this serial port. This parameter may be set to a value ranging from 1 to 10.

Default value = 5

Retry Time: The number of seconds the client waits for a connection to succeed before timing out and retrying.

Default value = 30

3.4.2.2 Terminal Server: Channel Status

This screen enables you to view the current status of each Terminal Server Channel.

Figure 3-48. Serial: Terminal Server: Channel Status


The Terminal Server: Channel Status screen is similar to the Terminal Server: Channel Settings screen, described in Section 3.4.2.1; however, it displays two types of information not included in the Channel Settings screen: the state of each channel and the number of established connections. These two fields are explained in Table 3-48. For explanations of the other fields in the Terminal Server: Channel Status screen see the description of the Terminal Server: Channel Settings screen.

Table 3-48. Terminal Server: Channel Status

Field Name Field Value

State: The state of the channel. This field may display one of the following values:

• Inactive – The channel is disabled because the associated serial port is disabled or down.

• Listening – The channel is acting as a passive server and is waiting for incoming connection requests.

• Refusing – The channel is acting as a passive server and is actively refusing new connections because it has reached the maximum number of connections for the channel.

• Waiting – The channel is acting as an active client and is waiting for the re-try timer to expire. After the timer expires the channel will attempt again to establish the configured connection.

• Connecting – The channel is acting as an active client, has issued a connection request to the configured remote host, and is waiting for a response.

• Connected – The channel is acting as an active client and a connection has been established.

• Handshaking – The channel is associated with a secure serial port and is currently attempting an SSL handshake with the remote host.

Connections: The number of connections that have been established on this channel. For a client this is always 0 or 1. For a server it can be 0 up to the maximum number of connections allowed for that channel.
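The Channel Settings table states several cross-row constraints (one "In" channel per serial port, no two channels with the same Local IP and Local TCP, Local TCP between 1000 and 65535, Max Conn between 1 and 10), and the Channel Status states above follow from the port's status and the connection count. The following Python is an added example, not GarrettCom code: it validates a constructed channel table against those constraints and derives the server-side State values. The rows, addresses and the extra check that flags an "Out" channel still at its factory-default Remote IP/TCP are constructed for illustration.

```python
"""Terminal Server channel table validation and server channel state.

Added example, not GarrettCom code. Enforces the constraints stated in the
Channel Settings table and derives the Channel Status State for an "In"
channel. Channel rows and addresses are constructed.
"""
from collections import Counter


def validate_channels(rows):
    """rows: list of dicts with the Channel Settings fields. Returns a list of problems."""
    problems = []
    in_per_port = Counter()
    listeners = Counter()
    for r in rows:
        tag = "%s/%s" % (r["port"], r["direction"])
        if r["direction"] not in ("In", "Out"):
            problems.append("%s: Call Direction must be In or Out" % tag)
            continue
        if not 1 <= r.get("max_conn", 5) <= 10:            # Max Conn range, default 5
            problems.append("%s: Max Conn must be 1..10" % tag)
        if r["direction"] == "In":
            in_per_port[r["port"]] += 1
            if not 1000 <= r["local_tcp"] <= 65535:        # Local TCP range
                problems.append("%s: Local TCP must be 1000..65535" % tag)
            listeners[(r["local_ip"], r["local_tcp"])] += 1
        else:
            if not 0 <= r["remote_tcp"] <= 65535:          # Remote TCP range
                problems.append("%s: Remote TCP must be 0..65535" % tag)
            # Added check (not a constraint the guide states): the factory defaults
            # 0.0.0.0 / 0 mean an Out channel that can never connect anywhere.
            if r["remote_ip"] == "0.0.0.0" or r["remote_tcp"] == 0:
                problems.append("%s: Remote IP/TCP still at defaults" % tag)
    for port, n in in_per_port.items():
        if n > 1:
            problems.append("%s: only one In channel allowed per serial port" % port)
    for (ip, tcp), n in listeners.items():
        if n > 1:
            problems.append("%s:%d: duplicate Local IP/Local TCP listener" % (ip, tcp))
    return problems


def server_state(port_up, connections, max_conn):
    """Channel Status State of an "In" channel: Inactive while the serial port is down,
    Refusing once Max Conn connections are established, otherwise Listening."""
    if not port_up:
        return "Inactive"
    return "Refusing" if connections >= max_conn else "Listening"


if __name__ == "__main__":
    # Constructed channel table: two RTU ports exposed as raw TCP servers, one outbound client.
    rows = [
        {"port": "S1", "direction": "In", "local_ip": "192.0.2.10", "local_tcp": 4001, "max_conn": 5},
        {"port": "S1", "direction": "Out", "remote_ip": "192.0.2.50", "remote_tcp": 20000},
        {"port": "S2", "direction": "In", "local_ip": "192.0.2.10", "local_tcp": 4002, "max_conn": 1},
    ]
    print(validate_channels(rows))                         # []
    print(server_state(True, 1, 1))                        # Refusing
```

A raw "In" channel is an unauthenticated path to the attached serial device for anyone who can reach Local IP:Local TCP, so the listener list this function builds is also the list of addresses that need to be restricted by the firewall or an encrypted channel.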


3.4.2.3 Terminal Server: Connections

This page displays the status of the current TCP/IP connections carrying serial traffic. The values displayed are a subset of the values that can be configured in the Terminal Server: Channel Settings screen, explained in Section 3.4.2.1, but the Terminal Server: Connections screen is a read-only display of active TCP/IP connections.

Figure 3-49. Serial: Terminal Server: Connections

Table 3-49 describes the parameters displayed in the Terminal Server: Connections screen.

Table 3-49. Terminal Server: Connections

Field Name Field Value

Port ID: A unique identifier for this serial port.

Connection Type: Indicates whether or not the connection is encrypted and if so, which cipher is being used.

Session Type: This parameter can take one of the following values:

• Raw: Provides a transparent pipe for serial data.

• Telnet: Enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).

• Default value = Raw

Local IP: The local IP address upon which the server listens for connections when the direction is set to “In” or “Both”.

Local TCP: The local TCP port upon which the server listens for connections.

Remote IP: The remote IP address that the client attempts to connect to when the direction is set to “Out” or “Both”.

Remote TCP: The remote TCP port to which the client attempts to connect.


3.4.3 Frame Relay

Frame Relay is a data transmission protocol used in Wide Area Networks. DX devices that include a WAN port support this protocol. Use the following screens to configure and monitor Frame Relay. For more information see Section 5.1, “Frame Relay”.

3.4.3.1 Frame Relay: Channel Settings

This screen enables you to configure "direct-to-frame" serial channels.

Figure 3-50. Serial: Frame Relay: Channel Settings

WARNING: This screen is available only on devices equipped with a WAN port. If a non-IP DLCI channel has not been configured in the WAN: “DLCI Settings” screen, explained in Section 3.5.5, the Frame Relay: Channel Settings screen will display the message:

To add a channel, at least one non-IP DLCI must be defined.

To display an editable Frame Relay: Channel Settings screen go to the WAN: DLCI Settings screen and add a DLCI, specifying “No” in the IP column, then return to the Frame Relay: Channel Settings screen.


Table 3-50 describes the parameters available in the Serial: Frame Relay: Channel Settings screen.

Table 3-50. Frame Relay: Channel Settings

Field Name Field Value

Port ID: A unique identifier for the serial port associated with this channel.

Circuit ID: A unique identifier for the DLCI to which the serial port is connected. In most cases, the identifier includes the WAN port and the DLCI on that port. You can select any identifier that has previously been configured.

Priority: The priority specification controls the queueing of frames from this port on this channel at the WAN port.

Selections are:

• Default – Frames from this channel are handled by the low priority queue at the WAN port. They will be forwarded only when there are no frames in the high priority queue.

• Expedited – Frames from this channel are handled by the high priority queue at the WAN port. They will be forwarded before any frames in the low priority queue.

Payload Offset: Format Frame Relay messages with or without a 3-byte offset between the Frame Relay header and the data bytes.

Selections are:

• Yes – Include the 3-byte offset between the header and the data portion of the message.

• No – Begin the data portion of each Frame Relay message immediately after the 2-byte Frame Relay header.

To interoperate with Garrettcom Dynastar DS products this value should be set to Yes.

Delete: Set the Delete checkbox in a row in the Existing Routing Table Entries table and click Apply Settings to delete that channel.


3.4.3.2 Frame Relay: Connections

This screen enables you to view the status of the current frame relay connections carrying serial traffic.

Figure 3-51. Serial: Frame Relay: Connections

Table 3-51 describes the values you can view in the Serial: Frame Relay: Connections screen.

Table 3-51. Frame Relay: Connections

Field Name Field Value

Port ID: A unique identifier for the serial port associated with this channel.

Circuit ID: A unique identifier for the DLCI to which the serial port is connected. In most cases, the identifier includes the WAN port and the DLCI on that port.

TxOctets: The number of serial characters transmitted over the frame relay for the given port.

RxOctets: The number of serial characters received over the frame relay for the given port.

TxDrops: The number of frames to be transmitted on the DLCI that were dropped because they could not be buffered at the WAN port.

RxDrops: The number of frames received on the DLCI that were dropped because they could not be buffered at the serial port.

3.4.4 Modbus

Modbus is a protocol, based on a master/slave architecture, for communication with industrial electronic devices. Use the following screens to configure and monitor Modbus masters and slaves. For more information see Section 5.11, “Modbus”.


3.4.4.1 Modbus: Local Masters

This screen enables you to configure local serial Modbus Masters that will act as Modbus/TCP clients.

Figure 3-52. Serial: Modbus: Local Masters

This screen is used to define the directly connected Modbus Master devices. Table 3-52 specifies the parameters you can edit in the Serial: Modbus: Local Masters screen.

Table 3-52. Modbus: Local Masters

Field Name Field Value

Port ID: A unique identifier for the serial port to which the device is connected.

Protocol Variant: Specify a serial transmission mode. Valid options are:

• RTU – Messages are binary encoded with CRC and begin with a silent interval of 3.5 character times.

• ASCII – Messages are ASCII encoded with LRC and begin with a ':' character and end with a CRLF sequence.

Default value = RTU

Priority (DiffServ): Each IP packet generated by this device will be assigned a DiffServ marking based on the priority set by the user. The priorities are:

• Default – Best Effort Service (Code Point 0)

• Expedited – Expedited Forwarding (Code Point 0x2E) (RFC2598)


Exception Support: Specify whether or not the attached master understands Modbus exception messages. In some cases Modbus devices do not support the exception function codes and will be confused by them if received. This option allows you to disable exception forwarding to the master device.

Delete: Set the Delete checkbox in a row in the Existing Devices table and click Apply Settings to delete that local master.

3.4.4.2 Modbus: Local Slaves

This screen enables you to configure local serial Modbus Slaves that will be accessible via the Modbus/TCP server.

Figure 3-53. Serial: Modbus: Local Slaves


This screen is used to define the directly connected Modbus devices. Table 3-53 specifies the parameters you can view and edit in the Serial: Modbus: Local Slaves screen.

Table 3-53. Modbus: Local Slaves

Field Name Field Value

Port ID: A unique identifier for the serial port to which the device is connected.

Device Address: Modbus/TCP unit identifier assigned to the device.

Valid range = 1-247

Protocol Variant: Specify a serial transmission mode. Valid options are:

• RTU – Messages are binary encoded with CRC and begin with a silent interval of 3.5 character times.

• ASCII – Messages are ASCII encoded with LRC and begin with a ':' character and end with a CRLF sequence.

Default value = RTU

Priority (DiffServ): Each IP packet generated by this device will be assigned a DiffServ marking based on the priority set by the user. The priorities are:

• Default – Best Effort Service (Code Point 0)

• Expedited – Expedited Forwarding (Code Point 0x2E) (RFC2598)

Response Timer (msec): The amount of time to wait for a response from this device before giving up and sending back a Modbus exception message.

Delete: Set the Delete checkbox in a row in the Existing Devices table and click Apply Settings to delete that local slave.
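The two Protocol Variants in Tables 3-52 and 3-53 differ in framing and check value; the following Python, added here as an example and not GarrettCom code, builds and verifies frames of both kinds so that a gateway can reject a corrupted or truncated frame before it reaches the serial device. The CRC-16 and LRC definitions are the standard Modbus ones, the 1-247 unit-identifier range is the page's, and the sample request bytes are constructed.

```python
"""Modbus RTU / ASCII frame construction and verification (added example; not
GarrettCom code).  The two Protocol Variants from the tables above:
  RTU   - binary, CRC-16 appended low byte first
  ASCII - ':' + hex(address, PDU, LRC) + CRLF
Verifying the check value before forwarding keeps a corrupted or truncated
serial frame from being relayed to the slave device.
"""
from __future__ import annotations


def modbus_crc16(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def modbus_lrc(data: bytes) -> int:
    """LRC as used by Modbus ASCII: two's complement of the byte sum, modulo 256."""
    return (-sum(data)) & 0xFF


def check_unit_id(unit_id: int) -> int:
    """Device addresses configurable on the DX are 1-247 (Tables 3-53 and 3-54)."""
    if not 1 <= unit_id <= 247:
        raise ValueError(f"unit identifier {unit_id} outside 1-247")
    return unit_id


def build_rtu_frame(unit_id: int, pdu: bytes) -> bytes:
    body = bytes([check_unit_id(unit_id)]) + pdu
    crc = modbus_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])   # low byte first on the wire


def build_ascii_frame(unit_id: int, pdu: bytes) -> bytes:
    body = bytes([check_unit_id(unit_id)]) + pdu
    hex_part = (body + bytes([modbus_lrc(body)])).hex().upper()
    return b":" + hex_part.encode("ascii") + b"\r\n"


def parse_rtu_frame(frame: bytes) -> tuple[int, bytes]:
    """Return (unit_id, pdu); raise ValueError if the frame is short or its CRC fails."""
    if len(frame) < 4:                       # address + 1 PDU byte + 2 CRC bytes
        raise ValueError("RTU frame too short")
    body, crc_bytes = frame[:-2], frame[-2:]
    expected = modbus_crc16(body)
    if crc_bytes != bytes([expected & 0xFF, expected >> 8]):
        raise ValueError("RTU CRC mismatch")
    return check_unit_id(body[0]), body[1:]


def parse_ascii_frame(frame: bytes) -> tuple[int, bytes]:
    """Return (unit_id, pdu); raise ValueError on bad delimiters, hex or LRC."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("ASCII frame must start with ':' and end with CRLF")
    try:
        body = bytes.fromhex(frame[1:-2].decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("ASCII frame payload is not valid hex") from exc
    if len(body) < 3:                        # address + 1 PDU byte + LRC
        raise ValueError("ASCII frame too short")
    payload, lrc = body[:-1], body[-1]
    if modbus_lrc(payload) != lrc:
        raise ValueError("ASCII LRC mismatch")
    return check_unit_id(payload[0]), payload[1:]


def validate_frame(variant: str, frame: bytes) -> tuple[bool, str]:
    """Gateway-side triage of a frame read from the serial port under the
    configured Protocol Variant ("RTU" or "ASCII")."""
    parser = {"RTU": parse_rtu_frame, "ASCII": parse_ascii_frame}[variant]
    try:
        unit_id, pdu = parser(frame)
    except ValueError as err:
        return False, f"drop: {err}"
    return True, f"forward: unit {unit_id}, function 0x{pdu[0]:02X}"


if __name__ == "__main__":
    # Constructed sample: read 2 holding registers from unit 1 (function 0x03).
    req = build_rtu_frame(1, bytes.fromhex("0300000002"))
    print(req.hex(), validate_frame("RTU", req))
    print(validate_frame("RTU", req[:-1] + b"\x00"))       # corrupted CRC
    print(validate_frame("ASCII", build_ascii_frame(1, bytes.fromhex("0300000002"))))
```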


3.4.4.3 Modbus: Remote Slaves

This screen enables you to configure the forwarding table used to map Modbus slave device addresses to remote IP addresses.

Figure 3-54. Serial: Modbus: Remote Slaves

This screen is used to add a mapping between a Modbus device address and the IP address of a remote Modbus/TCP server. Table 3-54 specifies the parameters you can view and edit in the Serial: Modbus: Remote Slaves screen.

Table 3-54. Modbus: Remote Slaves

Field Name Field Value

Device Address: Modbus/TCP unit identifier assigned to the remote device.

Valid range = 1-247

Remote IP Address: The IP address of the remote Modbus/TCP server.

Idle Time (secs): The TCP connection for this device is torn down if the idle time (time between messages) exceeds the value specified here. This parameter allows multiple successive requests to the same remote device to re-use a single TCP connection, thereby reducing latency. As a special case, if this value is set to 0, a TCP connection is immediately made to the remote (that is, the client does not wait for a request) and it is always kept open. This special mode eliminates the connection latency associated with the initial Modbus request.


Response Time (msecs): The client will wait this amount of time before giving up on a request. If the client times out, it closes down the current TCP connection for the remote device.

Delete: Set the Delete checkbox in a row in the Existing Devices table and click Apply Settings to delete that remote slave.

3.4.4.4 Modbus: Connections

This screen displays the status of all active Modbus/TCP connections. This table contains all of the active Modbus/TCP connections in the system and the traffic statistics associated with each connection. You can also manually disconnect any TCP connection by selecting the appropriate Delete checkbox and pressing the "Apply Settings" button.

Figure 3-55. Serial: Modbus: Connections

Table 3-55 describes the values you can view in the Serial: Modbus: Connections screen.

Table 3-55. Modbus: Connections

Field Name Field Value

Connection Mode: Indicates whether this connection was established in client or server mode.

Local Address: The IP address of the local Modbus/TCP client/server.

Local Port: The TCP port of the local Modbus/TCP client/server.

Remote Address: The IP address of the remote Modbus/TCP client/server.

Remote Port: The TCP port of the remote Modbus/TCP client/server.

Requests: The number of requests generated (if client) or number of requests received (if server).

Responses: The number of responses received (if client) or number of responses generated (if server).

Tx Octets: The total number of octets transmitted on this connection.


Rx Octets: The total number of octets received on this connection.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that connection.

3.5 WAN Tasks

Some DX devices include a Wide Area Network (WAN) port which supports either Digital Data Service (DDS) or T1/E1. Use the following screens to configure WAN port parameters.

3.5.1 Port Settings (DDS)

This screen enables you to configure the WAN ports on a system supporting DDS.

Figure 3-56. WAN: Port Settings (DDS)

Table 3-56 describes the parameters you can set in the WAN: Port Settings (DDS) screen.

Table 3-56. WAN: Port Settings (DDS)

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Port Name: A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.


Speed: Specify the usable data rate of the interface. The following values may be selected:

• 56k

• 64k

Default value = 56k

Clock: Specify the source for the data clock. The following values may be selected:

• Local

• Received

Default value = Received

Admin Status: Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:

• Disabled

• Enabled

Default value = Disabled

3.5.2 Port Settings (T1/E1)

This screen enables you to configure the WAN ports on a system supporting T1/E1.

Figure 3-57. WAN: Port Settings (T1/E1)


Table 3-57 describes the parameters you can set in the WAN: Port Settings (T1/E1) screen.

Table 3-57. WAN: Port Settings (T1/E1)

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Port Name: A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.

Timeslot Bandwidth: Specify the usable data rate of the interface. The following values may be selected:

• 56k

• 64k

Default value = 56k

Clock: Specify the source for the data clock. The following values may be selected:

• Local

• Received

Default value = Received

Admin Status: Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:

• Disabled

• Enabled

Default value = Disabled

Mode: The mode for this port. The following values may be selected:

• T1

• E1

Default value = T1

Time Slots: Specify which available time slots are used by this port. Separate single slot numbers with commas and specify a range of slots with a hyphen. For example: 1, 3, 5-6.


Frame Types: The frame type for this port.

For T1 mode the following values may be selected:

• ESF – Extended Super Framing format, consisting of 24 consecutive 193 bit frames.

• D4 – A framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.

Default value = ESF

For E1 mode the following values may be selected:

• FAS – Frame Alignment Signaling.

• CAS – Channel Associated Signaling. A method that “robs” some bits of each frame to transmit synchronization information.

Line Codes: The line code for this port.

For T1 mode the following values may be selected:

• AMI – Alternate Mark Inversion line coding.

• B8ZS – Bipolar With 8 Zero Substitution line coding.

Default value = B8ZS

For E1 mode the following values may be selected:

• AMI – Alternate Mark Inversion line coding.

• HDB3 – High Density Bipolar 3 line coding.

3.5.3 Port Status

This screen enables you to view the current status of each WAN port in the system.

Figure 3-58. WAN: Port Status


Table 3-58 describes the values you can view in the WAN: Port Status screen.

Table 3-58. WAN: Port Status

Field Name Field Value

Line State: Possible values for DDS:

• OK – The line has link and is functioning properly.

• Rx Inactive – The receiver is inactive (possibly because it is being reset).

• Loss of Sig – The signal has been lost or the signal has dropped more than 6dB.

• Excess BPVs – Excessive occurrence of invalid Bipolar Violation events.

• Data Idle – Receiving Data Mode Idle.

• Cm Idle – Receiving Control Mode Idle.

• Out of Service – Receiving out of Service code.

• Out of Frame – An error has been reported in the framing pattern.

• DSU Loopback – The line is in local DSU loopback. (Looping back what this interface is trying to transmit. Diagnostic only.)

• CSU Loopback – The line is in CSU loopback. (Looping back what is on the wire. Diagnostic only.)

Possible values for T1/E1:

• OK – The line has link and is functioning properly.

• Carrier Loss –

• Blue Alarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm. This indicates a total absence of an incoming signal due to a disruption in the communications path.

• Loss of Sync – The line is not synchronized to the received data stream.

• Yellow Alarm – Also known as a Remote Alarm indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations.

• Red Alarm – The incoming signal is corrupted (wrong frame type or errors in framing).

• Loop Up – The line is looping back received data.

LMI State: Possible values for the Local Management Interface (LMI) state are:

• Disabled – The LMI has been disabled.

• Down – The LMI is enabled but is down.

• Up – The LMI has successfully established communication with its peer.

• Suspend – The LMI has been suspended due to sequence number mismatches.

• Resume – The LMI is resuming after being suspended. This is a transient state.


Rx Packets: The number of packets received on this interface since the counter was last reset.

Tx Packets: The number of packets transmitted on this interface since the counter was last reset.

Rx Octets: The number of bytes received on this interface since the counter was last reset.

Tx Octets: The number of bytes transmitted on this interface since the counter was last reset.

LMI Rx: The number of LMI packets received on this interface since the counter was last reset.

LMI Tx: The number of LMI packets transmitted from this interface since the counter was last reset.

TxDrops: The number of packets that could not be transmitted out this interface due to resource limitations since the counter was last reset.

CRCs: The number of packets received that had a CRC mismatch since the counter was last reset.

Short: The number of short frames (frames smaller than 6 bytes) received since the counter was last reset.

Long: The number of long frame (a frame over 1600 bytes) errors received since the counter was last reset.

No Buffer: The number of times the interface ran out of buffers since the counter was last reset.

Bad address: The number of packets received that were destined for an unconfigured DLCI since the counter was last reset.

3.5.4 Frame Relay

This screen enables you to configure the frame relay function of the system's WAN ports.

Figure 3-59. WAN: Frame Relay


Table 3-59 describes the parameters you can view and edit in the WAN: Frame Relay screen.

Table 3-59. WAN: Frame Relay

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

Fragmentation Size: The maximum bytes in a frame relay fragment.

The default, 1600, is the maximum transmission unit (MTU) setting, plus frame relay overhead, for the DLCI IP interfaces.

Clearing this field turns off end-to-end fragmentation.

If fragmentation is not enabled the transmission of large IP packets on one Permanent Virtual Circuit (PVC) can obstruct traffic for other PVCs on the same line and significantly increase latency.

MNS-DX supports end-to-end fragmentation only; that is, fragmentation is done at the packet’s point of origin on the PVC and reassembly is done at the packet’s termination point on the PVC, regardless of the number of links intervening.

LMI Type: Specify the Local Management Interface (LMI) type. The following values may be selected:

• None

• LMI

• CCITT

• ANSI

Default value = None

LMI Mode: Specify the Local Management Interface (LMI) mode. The following values may be selected:

• User

• Network

• NNI

Default value = User


3.5.5 DLCI Settings

This screen enables you to add and delete DLCIs. Existing DLCIs are IP interfaces and must have IP addresses assigned to them in order for IP traffic to be forwarded over them.

Figure 3-60. WAN: DLCI Settings

Table 3-60 describes the parameters you can view and edit in the WAN: DLCI Settings screen.

Table 3-60. WAN: DLCI Settings

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

DLCI: Data Link Connection Identifier.

Valid range = 16 - 991.

CIR: The Committed Information Rate in bits per second. It may be cleared or it may take a value of 1 or greater. If no value is specified the bit rate of the port is the CIR.

Valid range = 1 - 2000.


IP: Indicates whether or not this DLCI will carry IP traffic. If the DLCI carries IP traffic, it becomes an IP interface and must be assigned an IP address.

Select “Yes” to make the DLCI an IP interface (RFC 1490). The IP can be configured using the Routing: IP Addresses screen.

Select “No” to specify that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI. Configure the port with the Serial: Frame Relay screen.

Delete: Set the Delete checkbox in a row in the Existing Routing Table Entries table and click Apply Settings to delete that DLCI.

3.5.6 DLCI Status

This screen enables you to view DLCI status.

Figure 3-61. WAN: DLCI Status

Table 3-61 describes the values you can view in the WAN: DLCI Status screen.

Table 3-61. WAN: DLCI Status

Field Name Field Value

Port ID: The physical port this DLCI is configured on.

DLCI: The DLCI number (16-991).

State: The DLCI state: active or inactive.

Rx Packets: The number of packets received on this interface.

Rx Octets: The number of bytes received on this interface.

Tx Packets: The number of packets transmitted on this interface.


Tx Octets: The number of bytes transmitted on this interface.

TxDrops: The number of packets that could not be transmitted out this DLCI because of resource limitations.

3.6 Routing Tasks

The following subsections describe the tasks that you can perform using the screens of the Routing branch.

For a discussion of routing see Section 5.2, “IP Addressing and Routing”.

3.6.1 IP Addresses

This screen enables you to configure system IP addresses.

Figure 3-62. Routing: Addresses

By factory default, the IP address 192.168.1.2 and subnet mask 255.255.255.0 are assigned to the Default interface.


Table 3-62 describes the parameters in the IP Addresses screen.

Table 3-62. IP Addresses

Field Name Field Value

Interface: This field may be set to one of the following values depending on the available IP interfaces:

• Default (When VLANs are enabled, the IP address assigned to the Default Interface is also assigned to the default VLAN (System/VID 1).)

• VID x. The VID of a configured VLAN.

• IDs of Ethernet ports that are configured as routed ports. (See the Routing: Bridge: Port Settings screen, explained in Section 3.3.2.2.)

Address: A valid IP address.

Subnet Mask: A valid Subnet Mask value.

If this field is left blank the inferred network mask of the given Interface Address is used for the added entry.

System: Specifies that this interface is the System interface. The System interface must have an IP address assigned.

Although your DX device can be used in some applications that do not require the designation of a System interface, bear in mind that the following protocols do depend on the presence of a System IP address for their proper functioning:

• SNTP

• SNMP

• Syslog

• RADIUS

Status: Specifies whether this interface is Up or Down.

For any interface to be Up it must have an IP address assigned.

• If the interface is an unbridged port the Status field will correspond with the Oper Status field of the Ethernet: Ports: Status screen (Section 3.3.1.2); that is, the port is Up if it is enabled and a link is detected.

• If the interface is a VLAN the port is Up if any port on that VLAN is up and VLANs are enabled.


3.6.2 Static RoutesThis screen enables you to add a new Static IP Route and to view and modify the existing routing table entries.

Figure 3-63. Routing: Static Routes

Table 3-63 describes the fields available for viewing and modification in the Static Routes screen.

Table 3-63. Static Routes

Field Name Field Value

Route Destination: A valid destination IP address. New destinations added must be different from any existing route since the displayed existing routes are the routing table, which is indexed by “Route Destination.”

Default value = 0.0.0.0

Route Mask: A valid route mask.

Default value = 0.0.0.0

Next Hop: A valid IP address for the next hop on this route. The “Next Hop” must be reachable via an attached LAN.


Route Type: This parameter can take one of the following values:

• Direct – A direct route type specifies a destination that is on the same network as the source.

• Indirect – An indirect route type specifies as its destination the address of another router (the first hop) which can forward data toward the ultimate destination.

An entry with an “Indirect” “Route Type” can be modified by changing the “Route Mask” and/or “Next Hop.”

Delete: Set the Delete checkbox in a row in the Existing Routing Table Entries table and click Apply Settings to delete that entry.

3.6.2.1 Specifying a Default Gateway

To use the Routing: Routes screen to specify a default gateway: add a static IP route with a Route Destination value of 0.0.0.0, a Route Mask value of 0.0.0.0 (the default value in each case), and a Next Hop value that matches the IP address of the router to use as the default gateway. Figure 3-64 depicts an example specifying IP address 192.168.1.100 as the default gateway.

Figure 3-64. Specifying a Default Gateway

Figure 3-65.

3.6.3 Table

This screen enables you to view the routing table.

Figure 3-66. Routing: Table

Press the Refresh button to get an updated list of routes.
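As an added example (not GarrettCom code), the following Python models the routing behaviour described in Sections 3.6.1 to 3.6.3: Local routes from the interface table, static routes whose Next Hop must lie on an attached LAN, the 0.0.0.0/0 default gateway of Figure 3-64, and a longest-prefix lookup that prefers a specific route over the default. The Route and Router names are this example's own; the addresses are the page's factory default plus constructed ones.

```python
"""Routing-table behaviour from Sections 3.6.1-3.6.3 (added example; not
GarrettCom code): a Local route for each interface address, static
(Management) routes whose Next Hop must be on an attached LAN, the
0.0.0.0/0 default gateway of Section 3.6.2.1, and longest-prefix lookup.
Route, Router and their methods are names chosen for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Route:
    destination: IPv4Network      # Route Destination + Route Mask
    next_hop: IPv4Address
    owner: str                    # Management, Local, RIP or VPN (Table 3-64)
    route_type: str               # Direct or Indirect (Table 3-63)


class Router:
    def __init__(self, interfaces: dict[str, str]) -> None:
        # Table 3-62: interface name -> "address/prefix".  Each attached
        # subnet gets a Local, Direct route whose next hop is the interface.
        self.interfaces = {n: IPv4Interface(c) for n, c in interfaces.items()}
        self.routes: list[Route] = [
            Route(iface.network, iface.ip, "Local", "Direct")
            for iface in self.interfaces.values()
        ]

    def attached_interface(self, addr: IPv4Address) -> str | None:
        """Name of the interface whose subnet contains addr, if any."""
        for name, iface in self.interfaces.items():
            if addr in iface.network:
                return name
        return None

    def add_static_route(self, destination: str, mask: str, next_hop: str) -> Route:
        """Add a Management route.  Rejects a Next Hop that is not reachable
        via an attached LAN, and a destination already present (the table is
        indexed by Route Destination, as Table 3-63 notes)."""
        hop = IPv4Address(next_hop)
        if self.attached_interface(hop) is None:
            raise ValueError(f"next hop {hop} is not on an attached LAN")
        dest = IPv4Network((destination, mask), strict=False)
        if any(r.destination == dest for r in self.routes):
            raise ValueError(f"a route to {dest} already exists")
        route = Route(dest, hop, "Management", "Indirect")
        self.routes.append(route)
        return route

    def set_default_gateway(self, gateway: str) -> Route:
        """Section 3.6.2.1: destination 0.0.0.0, mask 0.0.0.0, next hop = gateway."""
        return self.add_static_route("0.0.0.0", "0.0.0.0", gateway)

    def lookup(self, target: str) -> Route | None:
        """Longest-prefix match; the /0 default route wins only when nothing
        more specific contains the target."""
        addr = IPv4Address(target)
        best: Route | None = None
        for route in self.routes:
            if addr not in route.destination:
                continue
            if best is None or route.destination.prefixlen > best.destination.prefixlen:
                best = route
        return best


if __name__ == "__main__":
    # Factory default interface (Section 3.6.1) and the gateway of Figure 3-64.
    r = Router({"Default": "192.168.1.2/24"})
    r.set_default_gateway("192.168.1.100")
    print(r.lookup("192.168.1.7"))     # Local, Direct
    print(r.lookup("10.5.5.5"))        # default gateway, Indirect
```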


Table 3-64 describes the fields displayed in the Routing: Table screen.

Table 3-64. Routing: Table

Field Name Field Value

Route Destination: The destination IP address for this IP route.

(Note: the Route Destination 127.0.0.1 is the localhost address; that is, the loopback interface for the computer currently being used. It is included in the routing table for internal purposes.)

Route Mask: The subnet mask for this IP route.

Next Hop: The IP address for the next hop on this IP route.

Owner: Specifies the source of the route. This may take the following values:

• Management – A static route.

• Local – A route to a directly connected subnet.

• RIP – A route learned by the RIP routing protocol.

• VPN – A route to a private network associated with a VPN tunnel.

Hop Count: The number of hops to the destination. This is only used for RIP routes.

Age: The number of seconds since this route was last learned (or refreshed). This is only used for RIP routes.

3.6.4 ARP Table

This screen enables you to view and flush the Address Resolution Protocol (ARP) table.

Figure 3-67. Routing: ARP Table

Press the Refresh button to get an updated list of ARP entries. Press the Flush button to clear the table; this forces the software to re-execute an ARP for all hosts.


Table 3-65 describes the fields displayed in the Routing: ARP Table screen.

Table 3-65. Routing: ARP Table

Field Name Field Value

IP Address: The IP address associated with the MAC address in this row.

MAC Address: The MAC address associated with the IP address in this row.

IP Interface: The IP interface upon which the host is connected.

3.6.5 RIP

The Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) routing protocol used on internal networks. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.

3.6.5.1 RIP: Global Settings

This screen enables you to configure Routing Information Protocol (RIP) parameters.

Figure 3-68. Routing: RIP: Global Settings


Table 3-66 describes the parameters you can configure in the RIP form.

Table 3-66. RIP: Global Settings

Field Name Field Value

Mode: This parameter can take one of the following values:

• RIP: RIP version 1

• RIP-II: RIP version 2 with subnet broadcast (uses the subnet broadcast address)

• RIP-II multi: RIP version 2 with multicast

• RIP-II Local: RIP version 2 with local broadcast (Uses the local broadcast address, 255.255.255.255. This is sometimes needed for compatibility with older devices.)

• Disabled

Default value = Disabled

Gateway: If you have configured a default gateway (see Section 3.6.2.1) setting this field to Yes will propagate that information to neighboring routers. Setting it to No will keep knowledge of the default gateway private.

Expire Time: This parameter tells RIP the number of seconds between updates before a route is invalidated. An invalidated route is not used, but it is not deleted immediately. It is retained for the length of time you specify with the Flush Time parameter. If confirmation arrives before the route flush timer expires, the route is re-marked as valid.

Valid range = 1 to 600 seconds

Default value = 180

Flush Time: This parameter tells RIP the number of additional seconds to wait after a route expires before that route is deleted entirely from the routing table.

Valid range = 1 to 600 seconds

Default value = 120.
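The Expire Time and Flush Time interplay above, as an added Python example (not GarrettCom code) that steps a learned route through valid, expired and deleted using caller-supplied clock values. Withdrawing a route advertised with more than 15 hops is this example's reading of the 15-hop limit, not a behaviour the page describes.

```python
"""RIP route ageing as defined by the Expire Time and Flush Time parameters
of Table 3-66 (added example; not GarrettCom code).  Times are plain second
counts supplied by the caller, so the expire/flush sequence can be stepped
through without waiting.  Treating a hop count above 15 as a withdrawal is an
assumption of this example, not something the page states.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RipRoute:
    destination: str
    next_hop: str
    hop_count: int
    last_learned: float      # when the route was last learned or refreshed


class RipTable:
    def __init__(self, expire_time: int = 180, flush_time: int = 120) -> None:
        # Defaults and the 1-600 second valid range come from Table 3-66.
        for name, value in (("Expire Time", expire_time), ("Flush Time", flush_time)):
            if not 1 <= value <= 600:
                raise ValueError(f"{name} must be 1-600 seconds, got {value}")
        self.expire_time = expire_time
        self.flush_time = flush_time
        self.routes: dict[str, RipRoute] = {}

    def update(self, destination: str, next_hop: str, hop_count: int, now: float) -> bool:
        """Apply a received RIP update.  A fresh update re-marks an expired
        route as valid as long as it arrives before the flush timer runs out."""
        if hop_count > 15:                         # assumption: unreachable, withdraw
            self.routes.pop(destination, None)
            return False
        self.routes[destination] = RipRoute(destination, next_hop, hop_count, now)
        return True

    def state(self, destination: str, now: float) -> str:
        """'valid', 'expired' (retained but not used) or 'absent'."""
        route = self.routes.get(destination)
        if route is None:
            return "absent"
        age = now - route.last_learned
        if age < self.expire_time:
            return "valid"
        if age < self.expire_time + self.flush_time:
            return "expired"
        return "absent"          # past expire + flush: sweep() deletes it

    def sweep(self, now: float) -> list[str]:
        """Delete routes whose flush timer has run out; returns what was deleted."""
        limit = self.expire_time + self.flush_time
        gone = [d for d, r in self.routes.items() if now - r.last_learned >= limit]
        for d in gone:
            del self.routes[d]
        return gone

    def usable_next_hop(self, destination: str, now: float) -> str | None:
        """Forwarding uses only valid routes; an expired route is ignored."""
        if self.state(destination, now) != "valid":
            return None
        return self.routes[destination].next_hop

    def age(self, destination: str, now: float) -> int:
        """The Age column of Table 3-64: seconds since last learned or refreshed."""
        return int(now - self.routes[destination].last_learned)


if __name__ == "__main__":
    table = RipTable()                                # 180 s expire, 120 s flush
    table.update("10.1.0.0/16", "192.168.1.9", 2, now=0)   # constructed route
    for t in (100, 200, 350):
        print(t, table.state("10.1.0.0/16", t), table.usable_next_hop("10.1.0.0/16", t))
    print(table.sweep(350))
```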


3.6.5.2 RIP: Interface Settings

This screen enables you to view and edit RIP interface settings.

Figure 3-69. Routing: RIP: Interface Settings

Table 3-67 describes the parameters you can view and edit in the Routing: RIP: Interface Settings screen.

Table 3-67. RIP: Interface Settings

Field Name Field Value

IP Interface: The name of an IP interface. The system automatically supplies a list of valid interfaces. You create these interfaces when you create a VLAN with the VLAN: VIDs screen or when you designate a port as “not bridged” (that is, “Routed”) in the Ethernet: Bridge: Port Settings screen.

Enabled?: Indicates whether or not this port is a member of the bridge.

• Yes – the IP interface participates in RIP, which therefore sends and receives routing information on the interface (default).

• No – the IP interface does not participate in RIP.

3.6.6 NAT

Network Address Translation (NAT) translates the IP address of a network’s public interface (typically an interface with the internet) into an address within the private network. This makes it possible for numerous nodes on the private network to be addressable by the public with the single public IP address. Address translation is done with a Network Address and Port Translation table.

Use the NAT screens to:

1. Enable NAT on the public interface (the NAT: Global Settings screen explained in Section 3.6.6.1).

2. Configure entries in the translation table (the NAT: Translations screen explained in Section 3.6.6.2).

Magnum Network Software - DX Administrator’s Guide125

CHAPTER 3 - System AdministrationRouting Tasks

The Add Translation Form is used for adding to the translation table. An entry in the table allows a client on the public network to access a server on the private network. When an IP datagram arrives at the public IP interface with a destination IP address of the public interface and a protocol and port matching the protocol and public port of an entry, the destination IP address and port are changed to the private IP address and private protocol port of the entry. On egress the private source IP address and port are changed to the public IP address and port of the entry matching the source.

3.6.6.1 NAT: Global Settings

Use this screen to enable NAT on the public IP interface.

Figure 3-70. Routing: NAT: Global Settings

Table 3-68 describes the parameters you can view and edit in the Routing: NAT: Global Settings screen.

Table 3-68. NAT: Global Settings

Field Name Field Value

Mode: This parameter can take one of the following values:

• Disabled (default)

• Enabled

Public IP Interface: This parameter selects the public IP interface. Other IP interfaces are private.


3.6.6.2 NAT: Translations

This screen enables you to manage the Network Address and Port Translations table.

Figure 3-71. Routing: NAT: Translations

The combination of private IP address, protocol, and private port of an entry must be unique in the table. Also, the combination of protocol and public port of an entry must be unique in the table.

For the “Public TCP or UDP Port” choose a value outside of the “Well Known” or “Registered” port range. (See Appendix B, “Port and Type Reference”.) In the example screen above these port numbers are constructed by appending the private port number to the last element of the IP address in the same row.

The Existing Translations Form displays the translations that have already been configured. These may be edited.

By factory default, no translations exist.
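The ingress and egress rewrite rules given for the Add Translation Form, together with the two uniqueness constraints and the advice to keep public ports outside the well-known and registered ranges, can be checked in a small model. The following is an added example, not DX code; the public address 203.0.113.10, the private hosts and the port numbers are constructed samples, and treating a public port at or below 49151 as a hard error is this model's choice (the page only recommends avoiding that range).

```python
"""Model of the DX Network Address and Port Translation table.

Added example, not device code. It applies the ingress/egress rewrite rules
and the two uniqueness constraints stated for the Translations screen, and
enforces the guidance to keep public ports out of the well-known (0-1023)
and registered (1024-49151) ranges. All addresses are constructed samples."""
from dataclasses import dataclass

REGISTERED_MAX = 49151   # IANA: 0-1023 well known, 1024-49151 registered


@dataclass(frozen=True)
class Translation:
    private_ip: str
    protocol: str        # "TCP" or "UDP"
    private_port: int
    public_port: int


class NatTable:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip            # NAT: Global Settings, Public IP Interface
        self.entries: list[Translation] = []

    def add(self, t: Translation) -> None:
        """Validate an Add Translation Form submission and store it."""
        if t.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        for port in (t.private_port, t.public_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
        if t.public_port <= REGISTERED_MAX:
            raise ValueError(f"public port {t.public_port} is in the well-known/registered "
                             "range; choose a higher value")
        for e in self.entries:
            if (e.private_ip, e.protocol, e.private_port) == (t.private_ip, t.protocol, t.private_port):
                raise ValueError("private IP/protocol/private port already translated")
            if (e.protocol, e.public_port) == (t.protocol, t.public_port):
                raise ValueError("protocol/public port already in use")
        self.entries.append(t)

    def ingress(self, dst_ip: str, protocol: str, dst_port: int):
        """Datagram arriving on the public interface. Returns the rewritten
        (destination IP, destination port), or None when no entry matches,
        in which case nothing is forwarded to a private host."""
        if dst_ip != self.public_ip:
            return None
        for e in self.entries:
            if e.protocol == protocol and e.public_port == dst_port:
                return (e.private_ip, e.private_port)
        return None

    def egress(self, src_ip: str, protocol: str, src_port: int):
        """Reply leaving the private network. Returns the rewritten
        (source IP, source port), or None when the source has no entry."""
        for e in self.entries:
            if (e.private_ip, e.protocol, e.private_port) == (src_ip, protocol, src_port):
                return (self.public_ip, e.public_port)
        return None


def sample_table() -> NatTable:
    """Constructed sample: an SSH host and an SNMP agent behind public 203.0.113.10."""
    nat = NatTable("203.0.113.10")
    nat.add(Translation("192.168.1.20", "TCP", 22, 50022))
    nat.add(Translation("192.168.1.21", "UDP", 161, 50161))
    return nat


if __name__ == "__main__":
    nat = sample_table()
    print(nat.ingress("203.0.113.10", "TCP", 50022))   # a client reaches the SSH host
    print(nat.egress("192.168.1.20", "TCP", 22))        # its reply leaves as the public address
```

Because only explicitly configured (protocol, public port) pairs are forwarded inward, every row in this table is a deliberate exposure of one private service; reviewing the Existing Translations Form is the quickest way to audit what the public interface admits.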


Table 3-69 describes the parameters you can view and edit in the Routing: NAT: Translations screen.

Table 3-69. NAT: Translations

Field Name Field Value

Private IP Address: A unique IP address on the private network.

Protocol: Select a communications protocol: TCP or UDP.

Private TCP or UDP Port: Specify a logical protocol port number for this private address.

For a partial list of Well Known Port numbers see Section B.1, “Well Known TCP/UDP Network Ports”.

Public TCP or UDP Port: Specify a logical protocol port number on the public interface.

Delete: Set the Delete checkbox in a row in the Existing Translations table and click Apply Settings to delete that entry.

3.6.7 DHCP Server

The Dynamic Host Configuration Protocol (DHCP) enables you to reserve up to 16 ranges of addresses that can be allocated temporarily to devices as needed. For more information see Section 5.4, “DHCP Server”.

3.6.7.1 DHCP Server: Host Parameters

This screen enables you to manually configure groups of host parameters that can be assigned to DHCP address entries.

Figure 3-72. Routing: DHCP Server: Host Parameters


Table 3-70 specifies the parameters you can view and edit in the DHCP Server: Host Parameters screen.

Table 3-70. DHCP Server: Host Parameters

Field Name Field Value

Group Name: Assign a name for this group.

Gateway: The address of the default gateway router to be used by the DHCP client.

Primary DNS: The address of the primary DNS server to be used by the DHCP client.

Secondary DNS: The address of the secondary DNS server to be used by the DHCP client.

DNS Suffix: A domain name suffix that will be appended to any local names by the DHCP client before making a DNS query.

Delete: Set the Delete checkbox in a row in the Existing Host Parameter Groups table and click Apply Settings to delete that entry.

3.6.7.2 DHCP Server: Static Addresses

This screen enables you to manually configure IP addresses for particular DHCP clients.

Figure 3-73. Routing: DHCP Server: Static Addresses


Table 3-71 specifies the parameters you can view and edit in the DHCP Server: Static Addresses screen.

Table 3-71. DHCP Server: Static Addresses

Field Name Field Value

IP Address: The IP address to allocate to the DHCP client with the specified MAC address.

Subnet Mask: The subnet mask that applies to the specified IP address.

MAC Address: The MAC address of the DHCP client. When a client with this MAC address requests an address, the specified IP address and subnet mask are assigned by the server.

Host Parameters: The name of a host parameter group previously defined on the Routing: DHCP Server: Host Parameters screen. The default selection is the special Default group.

If the default host parameter group is used, the IP address of the DX will be provided to the client as its default gateway. No DNS servers will be provided.

Delete: Set the Delete checkbox in a row in the Existing Addresses table and click Apply Settings to delete that entry.


3.6.7.3 DHCP Server: Dynamic Addresses

This screen enables you to configure ranges of IP addresses that can be dynamically allocated to DHCP clients.

Figure 3-74. Routing: DHCP Server: Dynamic Addresses

Table 3-72 specifies the parameters you can view and edit in the DHCP Server: Dynamic Addresses screen.

Table 3-72. DHCP Server: Dynamic Addresses

Field Name Field Value

Start Address: The start of a range of IP addresses available for dynamic allocation.

End Address: The end of a range of IP addresses available for dynamic allocation.

Subnet Mask: The subnet mask that applies to the address range delimited by Start Address and End Address.

Max Lease (mins): The maximum allowable lease duration for a dynamically allocated address. If a DHCP client requests a duration longer than the maximum, the server offers the maximum length lease as configured by this parameter.

Default value = 1440 minutes (1 day)

Default Lease (mins): If a client does not request a specific lease duration, the default lease time is assigned.

Default value = 1440 minutes (1 day)

Host Parameters: The name of a host parameter group previously defined on the Routing: DHCP Server: Host Parameters screen. The default selection is the special Default group.

If the default host parameter group is used, the IP address of the DX will be provided to the client as its default gateway. No DNS servers will be provided.

Delete: Set the Delete checkbox in a row in the Existing Address table and click Apply Settings to delete that entry.

3.6.7.4 DHCP Server: Leases

This screen enables you to view the status of current DHCP leases.

Figure 3-75. Routing: DHCP Server: Leases

(Example lease entry shown in Figure 3-75: 192.168.1.90, 00-0a-95-c0-d1-94, Tue Jul 17 05:28 2007)

Note: Leases are only tracked for dynamically allocated addresses. Even though a DHCP client may show a static address allocation as an infinite (or long-lived) lease, the DHCP server does not treat a static mapping as a lease; rather, it simply assigns the specified static IP address whenever a client with the matching MAC address requests an address.

Table 3-73 describes the values you can view in the Routing: DHCP Server: Leases screen.

Table 3-73. DHCP Server: Leases

Field Name Field Value

IP Address: The IP address allocated to the DHCP client with the specified MAC Address.

MAC Address: The MAC address of the DHCP client that was allocated the specified IP Address.

Expires: The time and date when the lease expires. This is given in local time.

Note: Since lease durations are specified by the server (as opposed to expiration timestamps), in order for this time to match the expiration time shown on your DHCP client, the local time of the DX must be synced exactly to the local time of your DHCP client. Otherwise, there may be a discrepancy between the time shown here and the time shown on the client.

Delete: Set the Delete checkbox in a row and click Apply Settings to delete that entry.
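The DHCP Server screens above (Host Parameters, Static Addresses, Dynamic Addresses and Leases) describe one allocation procedure; the following added example (not DX code) puts its rules together: a static mapping is answered by MAC address and is never tracked as a lease, a dynamic request gets Default Lease when it asks for nothing and is clamped to Max Lease otherwise, and the special Default host parameter group hands out the DX's own address as gateway with no DNS servers. The DX address 192.168.1.1, the MACs, the pool and the group named plant are constructed; expiry times are seconds on the DX's own clock, which is the clock-skew caveat in the Expires note.

```python
"""Model of the DX DHCP Server allocation rules (static addresses, dynamic
pools, lease clamping, the special Default host parameter group).

Added example, not device code. MACs, addresses and times are constructed;
times are seconds on the DX's own clock, which is why the Expires value can
differ from what a client with a skewed clock displays."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class HostParams:
    """A row of the Host Parameters screen."""
    gateway: Optional[str] = None
    primary_dns: Optional[str] = None
    secondary_dns: Optional[str] = None
    dns_suffix: Optional[str] = None


@dataclass
class Pool:
    """A row of the Dynamic Addresses screen."""
    start: str
    end: str
    mask: str
    max_lease_mins: int = 1440
    default_lease_mins: int = 1440
    host_params: str = "Default"


@dataclass
class Lease:
    ip: str
    mac: str
    expires: int       # seconds, DX local clock


class DhcpServer:
    def __init__(self, dx_ip: str):
        self.dx_ip = dx_ip
        self.groups: dict[str, HostParams] = {}              # user-defined groups only
        self.static: dict[str, tuple[str, str, str]] = {}    # mac -> (ip, mask, group)
        self.pools: list[Pool] = []
        self.leases: dict[str, Lease] = {}                   # dynamic addresses only

    def add_static(self, mac: str, ip: str, mask: str, group: str = "Default") -> None:
        self.static[mac.lower()] = (ip, mask, group)

    def params_for(self, group: str) -> dict:
        """Options sent with an offer. The special Default group gives the
        DX's own address as gateway and no DNS servers."""
        if group == "Default":
            return {"gateway": self.dx_ip, "dns": [], "dns_suffix": None}
        g = self.groups[group]
        return {"gateway": g.gateway,
                "dns": [d for d in (g.primary_dns, g.secondary_dns) if d],
                "dns_suffix": g.dns_suffix}

    @staticmethod
    def lease_minutes(pool: Pool, requested: Optional[int]) -> int:
        """Default Lease when the client asks for nothing; otherwise clamp to Max Lease."""
        if requested is None:
            return pool.default_lease_mins
        return min(requested, pool.max_lease_mins)

    @staticmethod
    def in_pool(ip: str, pool: Pool) -> bool:
        return IPv4Address(pool.start) <= IPv4Address(ip) <= IPv4Address(pool.end)

    def free_address(self, pool: Pool, now: int) -> Optional[str]:
        """Lowest address in the pool with no unexpired lease."""
        for n in range(int(IPv4Address(pool.start)), int(IPv4Address(pool.end)) + 1):
            ip = str(IPv4Address(n))
            lease = self.leases.get(ip)
            if lease is None or lease.expires <= now:
                return ip
        return None

    def request(self, mac: str, now: int, requested_mins: Optional[int] = None) -> Optional[dict]:
        """Answer a client's request; None means the pools are exhausted."""
        mac = mac.lower()
        if mac in self.static:
            # Static mapping: no lease is tracked, the address is simply assigned.
            ip, mask, group = self.static[mac]
            return {"ip": ip, "mask": mask, "lease_mins": None, **self.params_for(group)}
        for pool in self.pools:
            current = next((l for l in self.leases.values()
                            if l.mac == mac and l.expires > now and self.in_pool(l.ip, pool)), None)
            ip = current.ip if current else self.free_address(pool, now)
            if ip is None:
                continue
            mins = self.lease_minutes(pool, requested_mins)
            self.leases[ip] = Lease(ip, mac, now + mins * 60)
            return {"ip": ip, "mask": pool.mask, "lease_mins": mins,
                    **self.params_for(pool.host_params)}
        return None


def sample_server() -> DhcpServer:
    """Constructed configuration: one static host, one two-address pool."""
    s = DhcpServer("192.168.1.1")
    s.groups["plant"] = HostParams(gateway="192.168.1.1", primary_dns="192.168.1.53",
                                   dns_suffix="plant.example")
    s.add_static("00-0a-95-c0-d1-94", "192.168.1.50", "255.255.255.0", "plant")
    s.pools.append(Pool("192.168.1.90", "192.168.1.91", "255.255.255.0",
                        max_lease_mins=60, default_lease_mins=30))
    return s
```

Two points the model makes visible: the Leases screen will never list a statically mapped client, so an inventory built from that screen alone misses them, and a short Max Lease is what lets a pool recover from a client that stops renewing.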


CHAPTER 3 - System Administration: Security Tasks

3.7 Security Tasks

The following subsections describe the tasks that you can perform using the screens of the Security branch.

For a discussion of security issues see Appendix B, “Port and Type Reference”.

3.7.1 Certificates

An X.509 certificate is an electronic document in Privacy Enhanced Mail (PEM) format used to publish a public key. The local certificate files on the DX consist of an RSA private key and a matching X.509 certificate that was either uploaded through the Install form or generated online by the DX (see Section 3.8.2, “The Certificate Creation Wizard”).

For more on X.509 certificates see Section 5.8.3.3, “X.509 Certificates”.

The Certificates screens enable you to upload SSL keys and certificates in PEM format to the system and to view and delete installed files. You can assign a certificate file to a serial port or the embedded web server as part of the procedure for configuring Secure Sockets Layer (SSL). See the Serial/SSL screen described in Section 3.7.3.

3.7.1.1 Certificates: Local

This screen enables you to upload X.509 certificates in PEM format to the system and to view and delete installed certificate files.

The system is shipped with no installed certificate files.

Figure 3-76. Security: Certificates: Local

NOTE: Local certificates are not contained in the system's configuration file. They are part of the non-volatile system state; therefore, the installed keys will not change if a new configuration file is selected or the system configuration is reset to default values.


Use the Create New Certificate button to start the Certificate Creation Wizard, explained in Section 3.8.2.

Table 3-74 describes the fields in the Certificates: Local screen.

Table 3-74. Certificates: Local

Field Name Field Value

Install Form: Browse for a PEM file on your local system and click Upload to copy the file to the system. If the PEM file does not contain a valid RSA private key and matching X.509 certificate, the file is rejected.

Existing Local Certificates Table

Certificate Name: The Existing Keys Form contains an entry for each local certificate.

All filenames are hypertext links. Click the link to display the contents of the file.

Delete: Set the Delete checkbox in a row in the Existing Local Certificates table and click Apply Settings to delete that entry.

3.7.1.2 Certificates: Trusted

This screen enables you to upload X.509 certificates in PEM format to the system, to view and delete installed certificate files, and to mark certificates as Trusted.

The system is shipped with no installed certificate files.

Figure 3-77. Security: Certificates: Trusted

NOTE: Trusted certificates are not contained in the system's configuration file. They are part of the non-volatile system state; therefore, the installed keys will not change if a new configuration file is selected or the system configuration is reset to default values.


Table 3-75 describes the fields in the Certificates: Trusted screen.

Table 3-75. Security: Certificates: Trusted

Field Name Field Value

Install Form: Browse for a PEM file on your local system and click Upload to copy the file to the system. If the PEM file does not contain a valid, self-signed X.509 certificate, the file is rejected.

Existing Local Certificates Table

Certificate Name: The names of previously installed PEM files that are classified as usable certificates.

All filenames are hypertext links. Click the link to display the contents of the file.

Trusted: Indicate whether or not you trust a certificate by checking (or unchecking) the appropriate "Trusted" checkbox and clicking the Apply Settings button.

Delete: Set the Delete checkbox in a row in the Existing Trusted Certificates table and click Apply Settings to delete that entry.

3.7.2 Ethernet Port

This screen enables you to configure Ethernet Port Security settings.

Figure 3-78. Security: Ethernet Port


Table 3-76 describes the fields you can view and modify in the Security: Ethernet Port screen.

Table 3-76. Security: Ethernet Port

Field Name Field Value

Port: A unique identifier for the Ethernet port being configured.

Security Type: Indicates what type of security to enable on the port:

• None – (default)

• Address – This port will be locked out if a frame is received with a Source Address other than one of the authorized MACs for this port, either a configured static MAC or a learned authorized MAC. (A learned authorized MAC is the first dynamic MAC address learned on the port after address-based port security is enabled for the port.) A port that is locked out is effectively disabled.

• Link – This port will be locked out the next time the operational state of the link changes from UP to DOWN. A port that is locked out is effectively disabled.

Locked Out?: Indicates whether or not the port has been disabled by the port security software:

• No – Port is not locked out.

• Yes – Port is locked out and is effectively disabled. The port can be unlocked by changing this field to No and pressing the Apply Settings button.
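The Address and Link security types in Table 3-76 are easiest to reason about as a small state machine per port. The following added example (not DX code) models both modes over constructed frames and link events and records each lock-out as an event a monitoring system would want to collect, since a lock-out means either an unexpected device on the port or a cable disturbance. Port names and MACs are constructed; what the device does with the learned MAC when an administrator clears Locked Out? is not stated on the page, and keeping it is this model's assumption.

```python
"""Model of the Address and Link port-security modes of the Security: Ethernet
Port screen, with each lock-out recorded as a detectable event.

Added example, not device code. What happens to the learned MAC when an
administrator clears Locked Out? is not stated on the page; this model keeps
it, which is an assumption."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurePort:
    name: str
    security_type: str = "None"                     # "None", "Address" or "Link"
    static_macs: set = field(default_factory=set)   # configured static MACs
    learned_mac: Optional[str] = None               # first dynamic MAC after enabling Address mode
    locked_out: bool = False
    link_up: bool = True
    events: list = field(default_factory=list)      # what a monitoring system would collect

    def enable(self, security_type: str) -> None:
        """Apply Settings with a new Security Type; Address mode starts learning afresh."""
        self.security_type = security_type
        self.learned_mac = None

    def authorized_macs(self) -> set:
        macs = {m.lower() for m in self.static_macs}
        if self.learned_mac:
            macs.add(self.learned_mac)
        return macs

    def receive(self, src_mac: str) -> bool:
        """A frame arrives with this source MAC; True if the port accepts it."""
        src = src_mac.lower()
        if self.locked_out:
            return False                            # a locked-out port is effectively disabled
        if self.security_type != "Address":
            return True
        if src in self.authorized_macs():
            return True
        if self.learned_mac is None:
            self.learned_mac = src                  # the first dynamic MAC becomes authorized
            self.events.append(f"{self.name}: learned authorized MAC {src}")
            return True
        self.locked_out = True
        self.events.append(f"{self.name}: locked out, unauthorized source {src}")
        return False

    def link_change(self, up: bool) -> None:
        """Operational link state change; Link mode locks out on UP -> DOWN."""
        if self.security_type == "Link" and self.link_up and not up and not self.locked_out:
            self.locked_out = True
            self.events.append(f"{self.name}: locked out, link went down")
        self.link_up = up

    def unlock(self) -> None:
        """Administrator sets Locked Out? to No and clicks Apply Settings."""
        self.locked_out = False
        self.events.append(f"{self.name}: unlocked by administrator")


def replay(port: SecurePort, frames: list) -> list:
    """Feed constructed source MACs through the port; returns accept/reject per frame."""
    return [port.receive(mac) for mac in frames]
```

Note that in Address mode the first device seen after Apply Settings is trusted automatically, so the mode only protects a port if it is enabled while the intended device is the one connected; configuring that device's MAC as a static entry removes the dependence on ordering.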


3.7.3 Serial/SSL

The Serial/SSL screen enables you to enable SSL (Secure Sockets Layer) and to configure the security parameters for a serial port. You can make changes to the table and apply them at once by clicking the Apply Settings button.

Figure 3-79. Security: Serial/SSL

Table 3-77 describes the fields in the Serial/SSL screen.

Table 3-77. Serial/SSL

Field Name Field Value

Port ID: A unique identifier for the serial port being configured.

Enable Security: Enable or disable the use of SSL on this port.


Allowed Ciphers: This parameter specifies the cipher suites to be allowed on a port.

You can select one of the following standard suites:

• SSL_RSA_WITH_RC4_128_MD5

• SSL_RSA_WITH_RC4_128_SHA

• SSL_RSA_WITH_DES_CBC_SHA

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_RSA_WITH_RC4_128_MD5

• TLS_RSA_WITH_RC4_128_SHA

• TLS_RSA_WITH_DES_CBC_SHA

• TLS_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_RSA_WITH_AES_128_CBC_SHA

• TLS_RSA_WITH_AES_256_CBC_SHA

In addition, the following groups, which are combinations of the standard cipher suites, may be specified:

• ANY - any supported cipher suite

• ANY_STRONG - any supported cipher suite with at least 128 bit keys

• ANY_STRONG_SSL - any strong cipher suite that uses SSLv3

• ANY_STRONG_TLS - any strong cipher suite that uses TLSv1

• ANY_AES - any cipher suite that uses AES

Require Authentication?:

If this option is set to "Yes", the connected SSL peer must provide a valid and trusted certificate or the SSL handshake will fail.

Assigned Key: Use this RSA key and matching certificate during the SSL handshake/negotiation.
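The group names under Allowed Ciphers are defined in terms of key length and protocol, so it is worth seeing exactly which of the ten listed suites each group admits. The following added example (not DX code) derives the membership from the definitions given above, using nominal key sizes (RC4 128, DES 56, 3DES 168, AES 128/256); the device's own grouping is not shown on the page and is assumed to match. It also lists which members of a selection still rely on RC4, single DES, an MD5 MAC or SSLv3, all of which later standards deprecated, because "at least 128 bit keys" alone does not exclude them.

```python
"""Resolve the Allowed Ciphers group names of the Serial/SSL screen into the
concrete cipher suites they cover, and flag suites a reviewer would question.

Added example, not device code. Group membership is derived from the
definitions given on the page with nominal key sizes; the device's actual
grouping is assumed to match."""
import re

SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
]
KEY_BITS = {"RC4_128": 128, "DES_CBC": 56, "3DES_EDE_CBC": 168,
            "AES_128_CBC": 128, "AES_256_CBC": 256}


def parse(suite: str) -> dict:
    """Split a suite name into protocol family, cipher, nominal key bits and MAC."""
    m = re.fullmatch(r"(SSL|TLS)_RSA_WITH_(.+)_(MD5|SHA)", suite)
    if not m:
        raise ValueError(f"unrecognised suite name {suite}")
    proto, cipher, mac = m.groups()
    return {"protocol": "SSLv3" if proto == "SSL" else "TLSv1",
            "cipher": cipher, "key_bits": KEY_BITS[cipher], "mac": mac}


# The group definitions as stated for the Allowed Ciphers parameter.
GROUPS = {
    "ANY": lambda s: True,
    "ANY_STRONG": lambda s: s["key_bits"] >= 128,
    "ANY_STRONG_SSL": lambda s: s["key_bits"] >= 128 and s["protocol"] == "SSLv3",
    "ANY_STRONG_TLS": lambda s: s["key_bits"] >= 128 and s["protocol"] == "TLSv1",
    "ANY_AES": lambda s: s["cipher"].startswith("AES"),
}


def resolve(selection: str) -> list:
    """Suites admitted by a single-suite or group selection, in the page's order."""
    if selection in SUITES:
        return [selection]
    try:
        rule = GROUPS[selection]
    except KeyError:
        raise ValueError(f"unknown selection {selection}") from None
    return [s for s in SUITES if rule(parse(s))]


def review(selection: str) -> list:
    """Members of the selection that use RC4, single DES, an MD5 MAC or SSLv3,
    each of which later standards deprecated; returned as (suite, reasons)."""
    flagged = []
    for s in resolve(selection):
        p = parse(s)
        reasons = []
        if p["cipher"].startswith("RC4"):
            reasons.append("RC4")
        if p["cipher"] == "DES_CBC":
            reasons.append("56-bit DES")
        if p["mac"] == "MD5":
            reasons.append("MD5 MAC")
        if p["protocol"] == "SSLv3":
            reasons.append("SSLv3")
        if reasons:
            flagged.append((s, reasons))
    return flagged


if __name__ == "__main__":
    for group in GROUPS:
        print(f"{group}: {len(resolve(group))} suites, {len(review(group))} flagged")
```

On this list ANY_AES is the only group whose members are all free of those constructions; choosing it, or a single AES suite, narrows the serial port's SSL configuration to what the page offers without the deprecated algorithms.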


3.7.4 Web Server

This screen enables you to configure security settings on the system's embedded web server.

Figure 3-80. Security: Web Server

Table 3-78 specifies the values you can view and edit in the Security: Web Server screen.

Table 3-78. Web Server

Field Name Field Value

Mode: Indicates if the server accepts non-secure HTTP requests. This parameter takes the following values:

• Allow HTTP – The server accepts requests on port 80 (http://) or on port 443 (https://) (default).

• SSL Only – The server will only allow connections over SSL. Any requests sent to port 80 (http://) will be re-directed to the https:// URL.

Cipher: Specify the type of encryption to support on the server. This parameter takes the following values:

• ANY (RC4, 3DES, AES128, or AES256)(factory default)

• RC4

• 3DES

• AES128

• AES256

Assigned Key: This is the key file (containing an RSA key and matching certificate) used by the web server when running over SSL (that is, when a browser accesses the server through the https:// URL and/or on port 443). When this parameter is set to "Default", a default certificate is presented to a browser during an SSL handshake. The default certificate is self-signed and valid until the year 2038. It is highly recommended that users install their own key files for use with the web server. If valid key files are installed on the system you can select one of these files via the dropdown. Once the Apply Settings button is pressed the web server is restarted and will begin using the certificate present in the new key file.


3.7.5 CLI

This screen enables you to configure Secure Shell (SSH) security settings on the system's command line interface.

Before the SSH server can start a key must be generated using the ssh keygen command. This can only be done via the CLI. See The ssh Command, explained in Section 4.2.3.12.

Figure 3-81. Security: CLI

Table 3-79 specifies the parameters you can view and edit in the Security: CLI screen.

NOTE: Typically a key has been generated at the factory, so that your DX device is delivered with SSH enabled; that is, the SSH Server State value is “Running.” If the SSH Server State value is “No Key” you must run the keygen command in the CLI.

Table 3-79. CLI

Field Name Field Value

CLI Mode: Specify whether or not the server accepts non-secure telnet connections. This parameter takes the following values:

• Allow Telnet – The server accepts requests on port 23 (Telnet) or on port 22 (SSH).

• SSH Only – The server will only allow connections over SSH. If a client connects on port 23 that client is sent instructions to use SSH before the connection is dropped.

Default value = SSH only

SSH Server State: Indicates the current state of the SSH server process:

• No Key – No Digital Signature Algorithm (DSA) key has been generated for the SSH server and therefore it cannot be started. To start the server, log in to the CLI and issue the command ssh keygen.

• Running – The SSH server is running normally.


3.7.6 Firewall

The Firewall: IP Interfaces, Firewall: Interface Groups, and Firewall: IP Filters screens enable you to manage firewall protection by configuring filters that allow only specified types of traffic to pass through an interface and by assigning filters to specific interfaces or groups of interfaces.

3.7.6.1 IP Interface Groups in General

It can be useful to create groups of IP interfaces that share the same filtering requirements. For example, you might want to segregate public and private traffic. If you create a group for all interfaces that need a filter that permits only private traffic you can then assign as many IP interfaces as you like to that group. You do not have to repetitively assign the same filter to many interfaces and you can edit and maintain a single filter for many IP interfaces.

To configure a firewall interface group:

1. Create a name for the group with the Firewall: Interface Groups Screen.

Note: The order in which you carry out the following two steps is not important.

2. Populate the interface group you have named with appropriate IP interfaces in the Firewall: IP Interfaces screen.

3. Associate the group with a filter in the Firewall: IP Filters screen.

3.7.6.2 Firewall: IP Interfaces

In the Firewall: IP Interfaces screen you can enable firewall protection for a specific interface and you can assign that interface to a group you created with the Firewall: Interface Groups screen.

Figure 3-82. Security: Firewall: IP Interfaces


Table 3-80 describes the fields you can view and edit in the Firewall: IP Interfaces screen.

3.7.6.3 Firewall: Interface Groups

This screen enables you to create the names of groups. Once a group has been named you can control the IP interfaces that are included with the Firewall: IP Interfaces screen and the filtering applied to that group with the Firewall: IP Filters screen.

Figure 3-83. Security: Firewall: Interface Groups

Table 3-80. Security: Firewall: IP Interfaces

Field Name Field Value

IP Interface: The name of an IP interface. The system automatically supplies a list of valid interfaces. You create these interfaces when you create a VLAN with the VLAN: VIDs screen or when you designate a port as “not bridged” (that is, “Routed”) in the Ethernet: Bridge: Port Settings screen.

Firewall Status: Specify whether the firewall is enabled or disabled for this interface.

Group: The group of which the IP interface is a member. Group names are created in the Firewall: Interface Groups screen.


Table 3-81 describes the fields that can be viewed and edited in the Firewall: Interface Groups screen.

3.7.6.4 Firewall: IP Filters

This screen enables you to configure the filtering criteria to apply to specific interfaces or groups. When a packet entering the IP stack does not match a filter it is dropped. If no filter is configured for a given IP interface, all packets are allowed.

Figure 3-84. Security: Firewall: IP Filters

Table 3-81. Security: Firewall: Interface Groups

Field Name Field Value

Group Name: The name of an interface or group of interfaces to which the filters are applied.

IP Interfaces: The name of an IP interface, if any, that has been associated with this group via the Firewall: IP Interfaces screen.

Delete: Set the Delete checkbox in a row in the Existing Groups table and click Apply Settings to delete that group. A group which has an IP interface assigned to it cannot be deleted in this screen. You must first break the association in the Firewall: IP Interfaces screen, then delete the group name from this screen.


Table 3-82 describes the parameters you can add or modify in the Firewall: IP Filters screen.

Note that a source or destination address and a network mask, taken together, specify a network or range of addresses.

3.7.7 Radius

The RADIUS screens enable you to add and configure Remote Authentication Dial-In User Service (RADIUS) servers.

For more about RADIUS see RADIUS Support, described in Section 5.8.5.

Table 3-82. Security: Firewall: IP Filters

Field Name Field Value

Interface or Group: The IP interface or group of interfaces to which the filter is applied. Available interfaces or groups can be viewed and selected from the pull-down menu.

Source Address: The source address of allowed IP packets. If blank then any source address is allowed.

Mask: The source network mask of allowed IP packets. If blank and the source address is not blank, then only one source address is allowed.

Destination Address: the destination address of allowed IP packets. If blank then any destination address is allowed.

Mask: The destination network mask of allowed IP packets. If blank and the destination address is not blank then only one destination address is allowed.

Protocol/dir.: This parameter takes one of five values which determine the meaning of the TCP or UDP Ports or ICMP Types:

• TCP/dest. – allowed TCP destination ports

• TCP/source – allowed TCP source ports

• UDP/dest. – allowed UDP destination ports

• UDP/source – allowed UDP source ports

• ICMP/type – allowed ICMP types

TCP or UDP Ports or ICMP Types: The list of allowed logical protocol port numbers. These are dependent on the value of the Protocol/dir parameter, for instance 80 and 443 for HTTP and HTTPS.

List port numbers in ascending order, separated by commas. For a partial list of Well Known Port numbers see Section B.1, “Well Known TCP/UDP Network Ports”. For a list of ICMP types see Section B.2, “ICMP Types”.
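The three Firewall screens (IP Interfaces, Interface Groups and IP Filters) together define one decision for every packet entering the IP stack. The following added example (not DX code) implements that decision as the page states it: filters are looked up by the packet's interface name or the group the interface belongs to, a packet that matches no applicable filter is dropped, an interface with the firewall enabled but no filter configured allows everything, a blank address matches anything and an address without a mask means that single host. Interface names, addresses and the filter rows are constructed.

```python
"""Model of the Firewall: IP Filters decision for a packet entering the IP
stack on an interface, including interface groups.

Added example, not device code. Interface names, addresses and the filter
rows are constructed; the rules implemented are the ones stated on the page."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Filter:
    """One row of the IP Filters screen (Table 3-82)."""
    target: str                       # IP interface or group name
    src: Optional[str] = None
    src_mask: Optional[str] = None
    dst: Optional[str] = None
    dst_mask: Optional[str] = None
    proto_dir: Optional[str] = None   # "TCP/dest.", "TCP/source", "UDP/dest.", "UDP/source", "ICMP/type"
    values: tuple = ()                # allowed ports or ICMP types


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str                        # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0


def addr_match(addr: str, cfg: Optional[str], mask: Optional[str]) -> bool:
    """Blank address: anything; address without mask: that one host; else the network."""
    if not cfg:
        return True
    if not mask:
        return IPv4Address(addr) == IPv4Address(cfg)
    return IPv4Address(addr) in IPv4Network(f"{cfg}/{mask}", strict=False)


class Firewall:
    def __init__(self):
        self.enabled: dict[str, bool] = {}    # Firewall: IP Interfaces, Firewall Status
        self.group_of: dict[str, str] = {}    # Firewall: IP Interfaces, Group
        self.filters: list[Filter] = []       # Firewall: IP Filters

    def filters_for(self, iface: str) -> list:
        targets = {iface, self.group_of.get(iface)}
        return [f for f in self.filters if f.target in targets]

    @staticmethod
    def matches(f: Filter, p: Packet) -> bool:
        if not addr_match(p.src, f.src, f.src_mask) or not addr_match(p.dst, f.dst, f.dst_mask):
            return False
        if f.proto_dir is None:
            return True
        proto, _, direction = f.proto_dir.partition("/")
        if proto != p.proto:
            return False
        if not f.values:
            return True
        value = {"dest.": p.dport, "source": p.sport, "type": p.icmp_type}[direction]
        return value in f.values

    def allows(self, p: Packet) -> bool:
        if not self.enabled.get(p.iface, False):
            return True                       # firewall disabled on this interface
        applicable = self.filters_for(p.iface)
        if not applicable:
            return True                       # no filter configured: all packets allowed
        return any(self.matches(f, p) for f in applicable)   # otherwise drop unless matched


def sample_firewall() -> Firewall:
    """Constructed policy: the 'private' group admits SSH/HTTPS from 192.168.1.0/24 and ping only."""
    fw = Firewall()
    fw.enabled = {"vlan10": True, "vlan20": True, "vlan30": False}
    fw.group_of = {"vlan10": "private"}
    fw.filters = [
        Filter("private", src="192.168.1.0", src_mask="255.255.255.0",
               proto_dir="TCP/dest.", values=(22, 443)),
        Filter("private", proto_dir="ICMP/type", values=(8,)),
        Filter("vlan30", proto_dir="TCP/dest.", values=(80,)),
    ]
    return fw
```

The two permissive cases are the ones to watch when reviewing a configuration: an interface whose Firewall Status is Disabled, and an interface that is enabled but has neither its own filter nor one on its group, both pass everything. The filter on vlan30 in the sample has no effect for exactly the first reason.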


3.7.7.1 RADIUS: Global Settings

This page enables you to configure global Remote Authentication Dial-In User Service (RADIUS) parameters.

For more about RADIUS see RADIUS Support, described in Section 5.8.5.

Figure 3-85. Security: RADIUS: Global Settings

Table 3-83 describes the parameters you can configure in the RADIUS: Global Settings screen.

Table 3-83. RADIUS: Global Settings

Field Name Field Value

Authentication Port: The UDP port used to communicate to the RADIUS server that is configured for authentication.

Default value = 1812

Valid Range = 0 - 65536

Challenge Type: The protocol to be used when validating user credentials. It can take the following values:

• PAP – Username/password sent in the clear (default).

• CHAP – Uses challenge and MD5 hash.

User Authentication Control:

This parameter determines whether the system uses its own local user database or a RADIUS server for authentication. It can take the following values:

• Local Database – use the local user database (default).

• RADIUS – use a configured RADIUS server.

Default Privilege Level:

This parameter determines the default privilege level assigned to a user when a RADIUS server does not provide vendor-specific attributes. It can take the following values:

• No Access (default)

• Read-Only

• Read-Write

• Administrator


3.7.7.2 RADIUS: Servers

This page enables you to configure multiple, redundant Remote Authentication Dial-In User Service (RADIUS) servers.

For more about RADIUS see RADIUS Support, described in Section 5.8.5.

Figure 3-86. Security: RADIUS: Servers

Table 3-84 describes the parameters you can configure in the RADIUS: Servers screen.

Table 3-84. RADIUS: Servers

Field Name Field Value

Add Server Form and Existing Servers Table

IP Address: The IP Address of the RADIUS server to query.

UDP Port: The UDP port used to send requests. Authentication servers use UDP port 1812. Accounting servers use port 1813. It is not recommended to use the legacy port 1645 where it conflicts with “Datametrics” service.

Request Retry Limit: The number of times the client will retry a request in the event a server is not responding or is slow to respond.

Request Timeout: The time in seconds the client will wait for each retry attempt.

Shared Secret: The plain text shared secret used to communicate with the RADIUS server.

Role: Defines the order in which servers are accessed. If the primary is down, the system attempts to contact the secondary server.

Delete: Set the Delete checkbox in a row in the Existing Servers table and click Apply Settings to delete that server.


3.7.8 VPN

MNS-DX supports Virtual Private Networks (VPN) by way of IP Security (IPsec). The IPsec implementation supports the following features:

• Diffie-Hellman groups: 1 and 2

• Hashing algorithms: MD5 and SHA-1

• Encryption methods: DES, 3DES and AES

• Maximum supported tunnels: 16

• Event logging: IKE, SPD and SADB

• VPN Mode: Tunnel

For more information on VPN see Section 5.9, “VPN”.

3.7.8.1 VPN: Global Settings

This screen enables you to configure the VPN public network interface.

Figure 3-87. Security: VPN: Global Settings

Table 3-85 specifies the parameters you can view and edit in the VPN: Global Settings screen.

Table 3-85. VPN: Global Settings

Field Name Field Value

Public Interface: This IP address identifies the interface where all IKE transactions will be sent and received on this device.

Send Initial Contact: Specify whether or not this system will initiate contact:

• Yes – The system will send an initial contact informational message when it initiates an IKE handshake with a peer for the first time (for example, after a reboot).

• No – The system will not send an initial contact message. This typically works with most peer types.

Default value = No


3.7.8.2 VPN: Profiles

This screen enables you to view and configure VPN profiles for use in establishing tunnels.

Figure 3-88. Security: VPN: Profiles

Table 3-86 specifies the parameters you can view and edit in the VPN: Profiles screen.

Table 3-86. VPN: Profiles

Field Name Field Value

Name: A unique plain-text name to identify this profile.

IKE Encryption: The encryption algorithm for the phase 1 Internet Key Exchange process. Possible values are:

• DES – Data Encryption Standard - 64 bit

• 3DES – Triple DES - 192 bit

• AES – Advanced Encryption Standard

IKE Hash: The hashing algorithm for the phase 1 Internet Key Exchange process. Possible values are:

• SHA – Secure Hashing Algorithm

• MD5 – Message Digest 5

ESP Encryption: The encryption algorithm for the phase 2 Encapsulated Security Payload. Possible values are:

• DES – Data Encryption Standard - 64 bit

• 3DES – Triple DES - 192 bit

• AES – Advanced Encryption Standard

ESP Hash: The hashing algorithm for the phase 2 Encapsulated Security Payload. Possible values are:

• SHA – Secure Hashing Algorithm

• MD5 – Message Digest 5

Tunnel Lifetime (Secs): The lifetime for the keys exchanged in phase 2 negotiations before re-keying is required.

Default value = 21600 seconds (6 hours)

Valid range = 90 - 64800 seconds (64800 seconds = 18 hours.)

DH Group: The size of the Diffie-Hellman modulus:

• 1 – 768 bits

• 2 – 1024 bits

3.7.8.3 VPN: Authentication

This screen enables you to create and modify IPsec authentication methods.

Figure 3-89. Security: VPN: Authentication

Table 3-87 specifies the parameters you can view and edit in the VPN: Authentication screen.

Table 3-87. VPN: Authentication

Field Name Field Value

Name: Specify a unique name for the authentication method.

Type: The authentication type. It can be one of the following:

• PSK – Pre-Shared Key (Password Required)

• Certificate – RSA Keys with X.509 Certificate

Default value = PSK

Preshared Key: The preshared key password string to use when the type is PSK. Characters in the Preshared Key field are always echoed back as the bullet character (•).

Valid range = 1 - 16 characters

Note: If you have specified Certificate in the Type field you will not be able to enter text in the Preshared Key field.

Preshared Key Verify: Retype Preshared Key for verification.

Local Certificate: Specify an X.509 certificate to use when the Type is Certificate.

Note: If you have specified PSK in the Type field the dropdown menu in the Local Certificate field will be inoperative.

Delete: Set the Delete checkbox in a row in the Existing Methods table and click Apply Settings to delete that authentication method.
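A configuration audit built from the field rules above, added here as an example and not part of the GarrettCom manual or its software: the algorithm sets, DH groups, Tunnel Lifetime range and Preshared Key length come from Tables 3-86 and 3-87, while the findings that mark DES, MD5 and DH group 1 as weak are reviewer guidance, not something the manual states. The field names, dataclass layout and sample entries are this example's own.

```python
"""Audit of VPN profile and authentication entries, modelled on the VPN: Profiles
and VPN: Authentication screens (Tables 3-86 and 3-87). Added example, not
GarrettCom code: range checks mirror the tables; the 'weak' findings are
reviewer guidance, not statements from the manual."""
from dataclasses import dataclass
from typing import Dict, List

ENCRYPTION = {"DES", "3DES", "AES"}             # IKE / ESP encryption choices
HASHES = {"SHA", "MD5"}                          # IKE / ESP hash choices
DH_GROUPS = {1: 768, 2: 1024}                    # group -> modulus size in bits
LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 90, 64800, 21600   # seconds
PSK_MIN, PSK_MAX = 1, 16                         # preshared key length in characters

@dataclass
class Profile:
    name: str
    ike_encryption: str
    ike_hash: str
    esp_encryption: str
    esp_hash: str
    dh_group: int
    tunnel_lifetime: int = LIFETIME_DEFAULT

@dataclass
class AuthMethod:
    name: str
    type: str                      # "PSK" or "Certificate"
    preshared_key: str = ""
    local_certificate: str = ""    # X.509 certificate name, for the Certificate type

def audit_profile(p: Profile) -> List[str]:
    """Return findings for one profile; an empty list means nothing to report."""
    findings = []
    for label, value in (("IKE Encryption", p.ike_encryption),
                         ("ESP Encryption", p.esp_encryption)):
        if value not in ENCRYPTION:
            findings.append(f"{label}: {value!r} is not DES, 3DES or AES")
        elif value == "DES":
            findings.append(f"{label}: DES (64-bit) is weak, prefer AES")
    for label, value in (("IKE Hash", p.ike_hash), ("ESP Hash", p.esp_hash)):
        if value not in HASHES:
            findings.append(f"{label}: {value!r} is not SHA or MD5")
        elif value == "MD5":
            findings.append(f"{label}: MD5 is deprecated, prefer SHA")
    if p.dh_group not in DH_GROUPS:
        findings.append(f"DH Group: {p.dh_group} is not a documented group (1 or 2)")
    elif p.dh_group == 1:
        findings.append("DH Group: group 1 (768-bit modulus) is weak, prefer group 2")
    if not LIFETIME_MIN <= p.tunnel_lifetime <= LIFETIME_MAX:
        findings.append(f"Tunnel Lifetime: {p.tunnel_lifetime}s is outside "
                        f"{LIFETIME_MIN}-{LIFETIME_MAX}s")
    return findings

def audit_auth(a: AuthMethod) -> List[str]:
    """Check one authentication method against the Type / PSK / Certificate rules."""
    findings = []
    if a.type == "PSK":
        n = len(a.preshared_key)
        if not PSK_MIN <= n <= PSK_MAX:
            findings.append(f"Preshared Key: length {n} is outside {PSK_MIN}-{PSK_MAX} characters")
        if a.local_certificate:
            findings.append("Local Certificate is inoperative when Type is PSK")
    elif a.type == "Certificate":
        if not a.local_certificate:
            findings.append("Type Certificate needs a Local Certificate")
        if a.preshared_key:
            findings.append("Preshared Key cannot be entered when Type is Certificate")
    else:
        findings.append(f"Type: {a.type!r} is not PSK or Certificate")
    return findings

def audit_all(profiles: List[Profile], methods: List[AuthMethod]) -> Dict[str, List[str]]:
    """Audit every entry and enforce the 'unique name' rule of both tables."""
    report: Dict[str, List[str]] = {}
    for group, entries, audit in (("profile", profiles, audit_profile),
                                  ("auth", methods, audit_auth)):
        seen = set()
        for e in entries:
            found = audit(e)
            if e.name in seen:
                found.append(f"Name: {e.name!r} is not unique")
            seen.add(e.name)
            if found:
                report[f"{group}:{e.name}"] = report.get(f"{group}:{e.name}", []) + found
    return report

if __name__ == "__main__":
    # Constructed sample entries, not taken from any real device.
    sample_profiles = [Profile("site-a", "AES", "SHA", "AES", "SHA", 2),
                       Profile("legacy", "DES", "MD5", "3DES", "MD5", 1, 80)]
    sample_methods = [AuthMethod("hq", "PSK", "correct horse"),
                      AuthMethod("branch", "Certificate", local_certificate="branch-cert")]
    for key, found in audit_all(sample_profiles, sample_methods).items():
        print(key, "->", "; ".join(found))
```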


3.7.8.4 VPN: Tunnels

This screen enables you to specify VPN “tunnels.” A tunnel establishes encrypted communication between a source IP address (or range of addresses) and a destination IP address (or range of addresses). In the VPN: Tunnels screen you can create and modify security policies between the source and destination addresses.

Figure 3-90. Security: VPN: Tunnels

Table 3-88 specifies the parameters you can view and edit in the VPN: Tunnels screen.

Note that a source or destination address and a network mask, taken together, specify a network or range of addresses.

Table 3-88. VPN: Tunnels

Field Name Field Value

Source Address: A source IP address on this device or on the subnet supported by this device.

Source Mask: A subnet mask to apply to the source IP address.

Destination Address: The destination IP address.

Destination Mask: A subnet mask to apply to the destination IP address.

Destination Gateway: The IP address of the gateway router to be used to access the Destination Address.


Profile: The security profile to bind to this tunnel. (Profiles are defined in the VPN: Profiles screen, explained in Section 3.7.8.2.)

Authentication: A key composed of printable ASCII characters used to initiate the key exchange. Characters in the Preshared Key field are always echoed back as the bullet character (•). (Authentication is configured in the VPN: Authentication screen, explained in Section 3.7.8.3.)

Valid range = 1 - 16 characters

3.7.8.5 VPN: Status

This screen enables you to view the status of existing VPN security associations.

Figure 3-91. Security: VPN: Status

Table 3-89 describes the parameters you can view in the VPN: Status screen.

Table 3-89. VPN: Status

Field Name Field Value

Source Address: The source IP address for this tunnel.

Destination Address: The destination IP address for this tunnel.

Status: The status for this tunnel.

Remaining Time Hard: The remaining seconds for the hard life time interval.

Note: The “hard lifetime” is the length of time until this tunnel is torn down. The hard lifetime exceeds the soft lifetime and is not configurable. A tunnel can persist under its old SPI for a period of time after its function has been taken over by a re-keyed tunnel with a new SPI.


Remaining Time Soft: The remaining time in seconds for the soft life time interval.

Note: The “soft lifetime” is the length of time this tunnel stays in operation with its current key. This is the length of time configured as “ESP Lifetime” in the VPN: Profiles screen. If traffic is present in the tunnel at the expiration of the soft lifetime the system will automatically attempt to negotiate a new key and re-establish the tunnel with a new SPI.

Errors: Aggregate number of errors encountered on this tunnel.

Delete: Set the Delete checkbox in a row in the Status table and click Apply Settings to delete that tunnel. This will delete all state for that tunnel and force a re-negotiation, starting at Phase 1.

3.7.8.6 VPN: Details

This screen enables you to view in detail the state of the tunnels and the errors encountered on them.

Figure 3-92. Security: VPN: Details

Table X specifies the values displayed in the Security: VPN: Details screen.

Table 3-90. VPN: Details

Field Name Field Value

Source Address: Tunnel source address.

Destination Address: Tunnel destination address.

Source SPI: The source security policy index.

Destination SPI: The destination security policy index.

Inbound Packets: Packets received from the tunnel.

Outbound Packets: Packets sent into the tunnel.

Decryption Errors: Encapsulation Security Payload decryption errors.

Authentication Errors: Phase 1 or phase 2 authentication errors.


Sequence Errors: Encapsulation Security Payload sequence errors.

Other Errors: Errors not covered by IPsec.



3.8 Wizards

Wizards are self-documenting processes that guide you through the steps to the accomplishment of a configuration goal. You read and respond to requests for information in a succession of screens. In MNS-DX two processes are automated with wizards.

3.8.1 The Router Setup Wizard

The Router Setup Wizard enables you to configure the following router features:

1. IP Interfaces

2. Address Assignment

3. Routing Protocol

4. Firewall (management access allowed)

After confirming your selections you can see the results of the wizard-assisted configuration and make any specific changes by using:

1. The Ethernet: Ports: Settings screen, explained in Section 3.3.1.1

2. The Routing: IP Addresses screen, explained in Section 3.6.1

3. The Routing: RIP: Global Settings screen, explained in Section 3.6.5.1

4. The Security: Firewall: IP Interfaces screen, explained in Section 3.7.6.2.

3.8.2 The Certificate Creation Wizard

The Certificate Creation Wizard enables you to create RSA key pairs and matching signed certificates for use with SSL and IPsec. You can:

1. Create a new RSA key pair and a certificate request that can be submitted to your Certificate Authority for signing.

2. Create a new RSA key pair and your own self-signed certificate.

The Certificate Creation wizard automates actions that you can take in the Certificates: Local screen, explained in Section 3.7.1.1, and in the Certificates: Trusted screen, explained in Section 3.7.1.2, and that are explained in Section 5.8.3.9, “Certificate and Key File Generation”.


Chapter 4 The CLI and Protocol Monitor

MNS-DX includes a command line interface (CLI) that supports a limited number of commands for managing and monitoring some of the DX networking features. When accessed via the unit's serial console, these commands can be useful for recovering from situations where an incorrect configuration results in a loss of communication with the unit's web management interface.

4.1 CLI Access

You can access the CLI in two ways:

1. Through a serial connection from your PC to a serial port on the GarrettCom device – Use a terminal emulator (such as HyperTerminal or Procomm) configured to the following settings:

• Speed: 38400

• Data bits: 8

• Stop bits: 1

• Parity: None

On the DX800 and DX900 – Connect your PC to the Console port on the GarrettCom device by a null modem serial cable. (See your Installation Guide for details.) When the terminal emulator is properly configured the CLI Login prompt will display automatically.

On the DX40 – This device does not have a dedicated Console port. The S1 port does double duty as a console port and as a normal serial port. To access the CLI on a DX40:

i. Connect a serial port on your PC and port S1 on the DX40 with a serial cable.

ii. Start up a terminal emulator configured as described above.

iii. Power up the DX40. If power to the DX40 is on, turn it off (that is, unplug the power cord) and immediately restore power (plug the power cord back in).

iv. As soon as the connection is made on the terminal emulator hold down the space bar on your keyboard until the MNS-DX boot menu appears.

v. Select the "Boot with console port on S1" option by typing "c" and Enter.


vi. The device will reboot and the CLI Login prompt will display.

The S1 port is now functioning as a Console port. Resetting the unit will automatically return serial port S1 to its normal functionality.

2. By telnetting to the GarrettCom device over an Ethernet connection – On the Windows Start menu select Run, enter cmd in the Open: field and click OK. At the command window prompt enter telnet xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP address of the GarrettCom device. The CLI Login prompt will appear.

Log in to the CLI using the same username and password you use for the browser-based MNS-DX Administration program. The following example uses the default username and password, but any password changes you make in the MNS-DX Administration: Change Password screen will also apply to the CLI:

Login: manager

Password: manager

MagnumDX# _

4.2 CLI Functionality

In addition to providing protocol monitoring functionality, the CLI enables you to carry out from the command line many of the management tasks you can also perform with the graphical interface.

The CLI supports three types of commands:

• Global commands – These are commands that can be entered at any prompt in the CLI. Global commands are described in Section 4.2.2.

• Basic commands – These are commands that give access to a subset of specific commands. Most basic commands, when entered with no parameters, move the CLI into a mode to accept the specific commands. This mode change is signaled by a change in the CLI prompt, for example, from MagnumDX# to MagnumDX(vlan)#. Basic commands are described in Section 4.2.3.3 through Section 4.2.3.16.

• Specific commands – These are the commands that enable you to configure, manage, and monitor your system. They are described in the tables contained in Section 4.2.3.3 through Section 4.2.3.16.


4.2.1 Keyboard Navigation in the CLI

Some keys have special uses in the CLI. Table 4-1 explains how to use these keys.

Table 4-1. Keyboard Navigation

Key Function

? Enter the question mark character at the MagnumDX# prompt or a MagnumDX(basic_command)# prompt to view a list of available options.

Esc While monitoring is in progress press the Escape key to abort the Protocol Monitor.

Enter During monitoring the Enter key is a Pause/Resume toggle. Press the Enter key to pause monitoring; press again to resume monitoring.

Up Arrow The CLI program keeps a record of the commands you have entered. Use the Up Arrow key to move back in this command history and select a command you have previously issued.

Down Arrow After you have moved back in the command history you can move forward toward the most recently issued command using the Down Arrow key.

4.2.2 Global Commands

Global commands can be entered from any prompt in the CLI. Table 4-2 describes the CLI global commands.

Table 4-2. CLI Global Commands

Command Description

exit When you are in a basic command mode, such as MagnumDX(firewall)#, the exit command returns you to the main CLI prompt - MagnumDX#.

help Display options available in current mode.

history Display previous command line input.

logout Log out of the system and display the Login prompt.

reboot Shutdown and restart the system.

restore Restore configuration to default settings.

revert Undo changes since last save.

save Save current configuration.

whoami Show current user information.


4.2.3 Basic and Specific Commands

Type a question mark ("?") at the MagnumDX# prompt to see a list of global and basic commands and a brief description of each:

Figure 4-93. Basic CLI Commands

Most of the basic commands preface a subset of more specific commands. You can execute any specific command from the MagnumDX# prompt in the following syntax:

MagnumDX# basic_command specific_command parameters

After execution of such a command you are returned to the MagnumDX# prompt. For example,

MagnumDX# session set timeout 30min
MagnumDX#

For most basic commands you have the option to issue the basic command followed by nothing to enter a specialized mode for that basic command that will automatically preface all specific commands with the basic command. For example,

MagnumDX# session
MagnumDX(session)# set timeout 30min
MagnumDX(session)#


While the CLI is displaying a specialized mode prompt you can type "?" to see a list of the commands specific to that basic command. For example, typing a "?" at the MagnumDX(session)# prompt produces the following list of available commands and parameters.

Figure 4-94. Session Commands Example

4.2.3.1 The bridge Command

Table 4-3 explains the commands available for station cache monitoring when the MagnumDX(bridge)# prompt is displayed or from the MagnumDX# prompt using a bridge prefix.

For example:

MagnumDX# bridge show cache

or

MagnumDX(bridge)# flush cache

Table 4-3. CLI bridge Commands

Command Synopsis Description

flush flush cache Delete the contents of the bridge station cache.

show show cache Display the contents of the bridge station cache.

For more information see the description of station cache monitoring in Section 3.3.2.4, “Bridge: Station Cache”.

4.2.3.2 The config Command

Table 4-4 explains the commands available for system configuration when the MagnumDX(config)# prompt is displayed or from the MagnumDX# prompt using a config prefix.

For example:

MagnumDX# config delete config5.xml

or

MagnumDX(config)# show

Table 4-4. CLI config Commands

Command Synopsis Description

delete delete filename Delete the configuration file specified by filename.

dump dump filename Display the entire contents of the configuration file filename to the screen.

restore restore Restore system defaults.

Note: Default values do not necessarily mean "factory default" values. While most parameters will take on their factory defaults, the following exceptions apply:

• System IP Address and Mask – Set to the IP address/mask configured in the boot menu.

• Default Gateway – Set to the default gateway configured in the boot menu.

revert revert Make the system's current settings those of the saved configuration file.

save save Save the system’s current settings.

saveas saveas filename Save the system’s current settings to a configuration file specified by filename.

show show Display the names, versions, and status of configuration files.

For more information see the descriptions of system configuration in Section 3.1.9, “Configuration”.


4.2.3.3 The ethernet Command

Table 4-5 explains the commands available for managing and monitoring Ethernet ports when the MagnumDX(ethernet)# prompt is displayed or from the MagnumDX# prompt using an ethernet prefix.

For example:

MagnumDX# ethernet show all port status

or

MagnumDX(ethernet)# set port e1 flow enabled

Table 4-5. CLI ethernet Commands

Command Synopsis Description

set set port portnum params... Set one or several properties of a specified port.

Where portnum is the ID of a port in the format E1, E2, S1, S2.

The available parameters are:

• admin enabled|disabled – Enable or disable the port.

• fefi enabled|disabled – Enable or disable far end fault indication (fefi).

• flow enabled|disabled – Enable or disable flow control.

• media – Specify media type from among the following options:

-auto – autonegotiate (10/100BaseTX) (default for 10/100T)

-10half – (10/100BaseTX)

-10full – (10/100BaseTX)

-100half – (10/100BaseTX)

-100full – (10/100BaseTX)

-100FX Full – (100BaseFX) (default for 100FX)

• name – Supply a name for the port in up to 15 printable characters.

• security – Specify a type of security.

-None – (default)

-Address – This port will be locked out if a frame is received with an unauthorized source address.

-Link – This port will be locked out the next time the link goes from UP to DOWN.


show show all port settings | port portnum settings

Display the current settings of all ports or of a specified port.

Where portnum is the ID of a port in the format E1, E2, S1, S2, etc.

unlock unlock port portnum Unlock a port.

Where portnum is the ID of a port in the format E1, E2, S1, S2, etc.

For more information see the descriptions of Ethernet functionality in Section 3.3, “Ethernet Tasks”.


4.2.3.4 The firewall Command

Table 4-6 explains the commands available for managing and monitoring the firewall when the MagnumDX(firewall)# prompt is displayed or from the MagnumDX# prompt using a firewall prefix.

For example:

MagnumDX# firewall add filter srcaddr 192.168.1.100

or

MagnumDX(firewall)# edit filter 2 dstaddr 192.168.1.99

Table 4-6. CLI firewall Commands

Command Synopsis Description

add add filter param | group groupname

Add a filter or a group to the system.

The param arguments to the add filter command specify the types of information to be included.

• interface interface_ID – Specify an IP interface (or group of interfaces) to which to apply the filter.

• srcaddr ipaddress – Specify the source address of allowed IP packets.

• srcmask netmask – The source network mask of allowed IP packets.

• dstaddr ipaddress – Specify the destination address of allowed IP packets.

• dstmask netmask – The destination network mask of allowed IP packets.

• protocol protospec – Specify a protocol type and direction.

-TCP/dest – allowed TCP destination ports

-TCP/source – allowed TCP source ports

-UDP/dest – allowed UDP destination ports

-UDP/source – allowed UDP source ports

-ICMP/type – allowed ICMP types

• ports portlist – The list of allowed logical protocol port numbers. These are dependent on the value of the Protocol/dir parameter, for instance 80 and 443 for HTTP and HTTPS.

Where the groupname argument to the add group command is a user-supplied group name of up to 15 printable characters.

delete delete filterID | groupname

Delete the filter identified by filterID or the group identified by groupname.


edit edit filterID Edit the filter identified by filterID. Any of the values described under the add command (above) can be modified in an existing filter.

Note: A given filterID can be learned by using the show all filters command. The filterID is displayed only in the CLI. This value is not used in the graphical interface, but the system will assign a filterID to a filter created in the graphical interface.

set set interfaceID param...

Where interfaceID is the ID of an interface and where the possible values for param are:

• status enabled | disabled – Enable or disable firewall protection on the interface identified by interfaceID.

• group none | groupname – Assign the interface identified by interfaceID to the group identified by groupname. (groupname may consist of up to 15 printable characters.)

show show all spec | param...

Display information on all filters, only the filter identified by filterID, or only the interface identified by interfaceID.

Where the possible values for spec following show all are:

• interfaces – Display information on all interfaces.

• groups – Display information on all groups.

• filters – Display information on all filters.

Where the possible values for param following show are:

• filterID – Display information on the filter identified by filterID.

• interfaceID – Display information on the interface identified by interfaceID.

• groupname – Display information on the group identified by groupname.

For more information see the descriptions of firewall functionality in Section 3.7.6, “Firewall”.
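The add filter / edit / delete syntax of Table 4-6 as a small model with a packet evaluator, added here as an example and not GarrettCom code, so a reviewer can check what a filter set admits before applying it. It assumes what the table leaves unstated: a ports list is comma-separated, an omitted srcaddr or dstaddr matches any address, an omitted mask means a single host, and a packet is admitted only when some filter matches it (default deny); the interface names and packets are constructed.

```python
"""Model of the firewall add filter / edit / delete syntax in Table 4-6 with a
packet evaluator. Added example, not GarrettCom code. Assumptions the manual
does not state: a ports list is comma-separated, an omitted srcaddr/dstaddr
matches any address, an omitted mask means one host, and a packet is allowed
only when some filter matches it (default deny)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROTOSPECS = {"TCP/dest", "TCP/source", "UDP/dest", "UDP/source", "ICMP/type"}
PARAMS = {"interface", "srcaddr", "srcmask", "dstaddr", "dstmask", "protocol", "ports"}

@dataclass
class Filter:
    interface: Optional[str] = None        # None: applies on every interface
    srcaddr: Optional[str] = None
    srcmask: str = "255.255.255.255"
    dstaddr: Optional[str] = None
    dstmask: str = "255.255.255.255"
    protocol: Optional[str] = None         # one of PROTOSPECS, e.g. "TCP/dest"
    ports: List[int] = field(default_factory=list)

@dataclass
class Packet:
    """Constructed packet summary; only the fields the filters look at."""
    interface: str
    src: str
    dst: str
    proto: str                             # "TCP", "UDP" or "ICMP"
    srcport: int = 0
    dstport: int = 0
    icmptype: int = 0

def _in_net(addr: str, net: Optional[str], mask: str) -> bool:
    if net is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def _parse_params(tokens: List[str]) -> dict:
    """'srcaddr 10.0.0.5 ports 80,443' -> {'srcaddr': '10.0.0.5', 'ports': [80, 443]}"""
    if len(tokens) % 2:
        raise ValueError("parameters must be name/value pairs")
    params = dict(zip(tokens[0::2], tokens[1::2]))
    unknown = set(params) - PARAMS
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    if "protocol" in params and params["protocol"] not in PROTOSPECS:
        raise ValueError(f"protocol must be one of {sorted(PROTOSPECS)}")
    if "ports" in params:
        params["ports"] = [int(p) for p in params["ports"].split(",")]
    return params

class Firewall:
    def __init__(self) -> None:
        self.filters: Dict[int, Filter] = {}
        self._next_id = 1                  # the system assigns filterIDs (note under edit)

    def run(self, line: str) -> str:
        """Execute one command line as typed at the MagnumDX(firewall)# prompt."""
        tokens = line.split()
        if tokens[:2] == ["add", "filter"]:
            fid, self._next_id = self._next_id, self._next_id + 1
            self.filters[fid] = Filter(**_parse_params(tokens[2:]))
            return f"filter {fid} added"
        if tokens[:1] in (["edit"], ["delete"]):
            # accept both 'edit 2 ...' (synopsis) and 'edit filter 2 ...' (example)
            rest = tokens[2:] if tokens[1:2] == ["filter"] else tokens[1:]
            fid = int(rest[0])
            if fid not in self.filters:
                raise KeyError(f"no filter with ID {fid}")
            if tokens[0] == "delete":
                del self.filters[fid]
                return f"filter {fid} deleted"
            for name, value in _parse_params(rest[1:]).items():
                setattr(self.filters[fid], name, value)
            return f"filter {fid} edited"
        raise ValueError(f"unsupported command: {line!r}")

    def allows(self, pkt: Packet) -> Optional[int]:
        """Return the ID of the first filter that admits pkt, or None (denied)."""
        for fid, f in self.filters.items():
            if f.interface not in (None, pkt.interface):
                continue
            if not (_in_net(pkt.src, f.srcaddr, f.srcmask)
                    and _in_net(pkt.dst, f.dstaddr, f.dstmask)):
                continue
            if f.protocol:
                proto, direction = f.protocol.split("/")
                if proto != pkt.proto:
                    continue
                value = {"dest": pkt.dstport, "source": pkt.srcport,
                         "type": pkt.icmptype}[direction]
                if f.ports and value not in f.ports:
                    continue
            return fid
        return None
```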


4.2.3.5 The fr Command

Table 4-7 explains the commands available for Frame Relay configuration and monitoring when the MagnumDX(fr)# prompt is displayed or from the MagnumDX# prompt using an fr prefix.

For example:

MagnumDX# fr set port W1 frag 1600 lmitype lmi lmimode user

or

MagnumDX(fr)# add dlci port W1 id 100 cir 1000 ip y

Table 4-7. CLI fr Commands

Command Synopsis Description

add dlci add dlci param... Add a DLCI (Data Link Connection Identifier) to the specified port.

The required parameters are:

• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

• id dlciID – Where dlciID is the Data Link Connection Identifier in a range 16-991.

• cir cirvalue – Where cirvalue is the Committed Information Rate in bits per second. The valid range is 1-2000. If no value is specified the bit rate of the port is the CIR.

• ip y | n – Specify y to make the DLCI an IP interface (RFC 1490). Specify n to direct that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI.

delete dlci delete dlci param... Delete the specified DLCI.

The required parameters are:

• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

• id dlciID – Where dlciID is the Data Link Connection Identifier of an existing DLCI associated with the port specified in portID.


modify dlci modify dlci param... Modify an existing DLCI.

Required parameters are:

• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

• id dlciID – Where dlciID is the Data Link Connection Identifier of an existing DLCI associated with the port specified in portID.

Optional parameters are:

• cir cirvalue – Where cirvalue is the Committed Information Rate in bits per second. The valid range is 1-2000. If no value is specified the bit rate of the port is the CIR.

• ip y | n – Specify y to make the DLCI an IP interface (RFC 1490). Specify n to direct that the DLCI is to be used by the terminal server so that raw serial data will be transmitted to/from a serial port to the DLCI.

set port set port param... Configure DLCI settings for the specified port.

Required parameter is:

• port portID – Where portID identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

Optional parameters are:

• frag fragvalue – Where fragvalue is the maximum bytes in a frame relay fragment. The default, 1600, is the maximum transmission unit (MTU) setting, plus frame relay overhead, for the DLCI IP interfaces.

• lmitype type – Where type is the LMI (Local Management Interface) type and may take one of the following values:

-none

-lmi

-ccitt

-ansi

• lmimode mode – Where mode may take one of the following values:

-network

-user

-nni


show show param... Display either settings or status information on all configured DLCIs or on a specified DLCI. Settings information includes CIR value and IP selection. Status information includes current state and activity history.

• show all dlci settings | status – Display information on all configured DLCIs.

• show dlci port portID id dlciID settings | status – Display information on a specific DLCI where portID identifies a logical WAN port and dlciID is the identifier of an existing DLCI associated with the port specified in portID.

For more information see the descriptions of Frame Relay configuration and monitoring in Section 3.5.4, “Frame Relay”, Section 3.5.5, “DLCI Settings” and Section 3.5.6, “DLCI Status”.

4.2.3.6 The ip Command

Table 4-8 explains the commands available for IP address management when the MagnumDX(ip)# prompt is displayed or from the MagnumDX# prompt using an ip prefix.

For example:

MagnumDX# ip set address vid2 192.168.1.100 255.255.255.0

or

MagnumDX(ip)# show addresses

For more information see the description of IP address management in Section 3.6.1, “IP Addresses”.

Table 4-8. CLI ip Commands

Command Synopsis Description

set set address param... Set the IP address for an interface.

The required parameters are:

• system | vid x – Specify either the system (VID 1) interface or another configured interface.

• ipaddress – Assign a valid IP address to the specified interface.

• netmask – Supply a valid Subnet Mask value.

show show addresses Display information about all configured IP addresses.


4.2.3.7 The monitor Command

The monitor command is used to configure monitoring on a per-port basis and also to start the monitoring process.

Note that the actual monitoring process can only be active for one port at a time.

The Protocol Monitor

The Protocol Monitor enables you to specify an Ethernet, serial, or WAN port for a detailed view of the data being sent and received. You can customize your real time report as to the protocol to observe, source and destination IP or MAC address or port, and display format.

Starting the Protocol Monitor

Start the protocol monitor by specifying a port to be monitored - in this example Ethernet port 3. Enter the following command at the MagnumDX# prompt:

MagnumDX# monitor e3

This command will result in the display of a monitor mode prompt:

MagnumDX(monitor)#

When the MagnumDX(monitor)# prompt is displayed you can enter any of the commands in the Protocol Monitor command set to control the display of information on Ethernet port 3. After you have configured the display to show the type and format of information you want, you begin the display of information with the start command. While you are in monitor mode you have exclusive access to the monitor feature.

The following example illustrates three configuration commands given in monitor mode followed by the start command. This produces the Monitor Started message that confirms that monitoring has begun:

MagnumDX(monitor)# filter display ip
MagnumDX(monitor)# filter linenum 4
MagnumDX(monitor)# set mode terse
MagnumDX(monitor)# start
Monitor Started

You can also configure and start the Protocol Monitor from the MagnumDX# prompt by preceding each command with monitor and the ID of the port to be monitored. The example below executes the same commands as the previous example but does so from the basic MagnumDX# prompt rather than the monitor mode (MagnumDX(monitor)#) prompt:

MagnumDX# monitor e3 filter display ip
MagnumDX# monitor e3 filter linenum 4
MagnumDX# monitor e3 set mode terse
MagnumDX# monitor e3 start
Monitor Started


The Protocol Monitor Command Set

Table 4-9 explains the commands available for configuring and operating the Protocol Monitor when the MagnumDX(monitor)# prompt is displayed or from the MagnumDX# prompt using a monitor prefix.

Table 4-9. Protocol Monitor Command Set

CMD Synopsis Description

filter filter [no] params... The param arguments to the filter command specify the types of information to be included. Only one filter may be configured on a single command line. In addition, only a single filter of each type may be specified.

• dstip ipaddr – Display packets that have the matching destination IP address in the IP header. The IP address is specified in standard dotted notation, for example, 192.168.1.1.

• dstmac macaddr – Display packets that have the matching destination MAC address in the Ethernet header. The MAC address is specified as hex octets separated by colons, for example, 00:20:61:54:3A:CD.

• dstport portnum – Display packets that have the matching destination port in the TCP or UDP header. The port is specified as an integer between 1 and 65535.

• srcip ipaddr – Display packets that have the matching source IP address in the IP header.

• srcmac macaddr – Display packets that have the matching source MAC address in the Ethernet header.

• srcport portnum – Display packets that have the matching source port in the TCP or UDP header.

• protocol icmp | tcp | udp – Display packets that have the matching protocol specified in the IP header.

To cancel a previously specified filtering option precede the specification with no. For example:

MagnumDX(monitor)# filter no dstip


set set property param Where the possible values for property are:

• display param – Specify a type of information to be displayed from among the following possible values of param:

-ethernet – The Ethernet header is parsed into fields and the payload is displayed as a raw hex dump.

-raw – No analysis is performed. The entire packet is displayed as a raw hex dump

-ip – The Ethernet header is ignored and the IP header is parsed into fields. The payload is displayed as a raw hex dump

-ipfull – The Ethernet header is ignored and the IP header is parsed into fields. In addition, an attempt is made to parse additional fields in the payload based on its type.

-tcp – The Ethernet header is ignored and part of the IP header is parsed into fields. In addition, TCP fields such as sequence number, acknowledgement number, and window size are displayed.

• format hex | ascii – In terse mode the ascii option causes the packet payload to be dumped in ASCII. This is especially useful for textual protocols such as HTTP.

• mode terse | verbose – Verbose mode changes the display formatting so that more white-space is used. Payloads are also automatically dumped in both hex and ASCII format. In some cases it may make the monitor output more readable at the expense of more transmitted characters per packet.

• framenum enabled | disabled – When this property is enabled sequence numbers are applied to each packet.

• timestamp diff | none | rel – Apply a timestamp to each packet. When diff (differential) is specified, the timestamp on the current packet is the time elapsed between this packet and the packet before it. When rel (relative) is specified, the timestamp on the current packet is the time elapsed since the monitor was first started.

• lines n – Limits the total number of payload lines displayed for a packet. If set to zero, the entire packet is displayed. n can be an integer value from 0 to 10.

show show Display the current monitor configuration for the port being monitored. This command prints all of the configured formatting options as well as any configured filters for the port.

Table 4-9. Protocol Monitor Command Set

CMD Synopsis Description

Magnum Network Software - DX Administrator’s Guide172

CHAPTER 4 - The CLI and Protocol MonitorCLI Functionality

4.2.3.8 Protocol Monitor Output ExampleFor an Ethernet port with the Protocol Monitor configured as shown in Figure 4-95:

Figure 4-95. Protocol Monitor Example Configuration

Sample output is illustrated in Figure 4-96.

Figure 4-96. Protocol Monitor Example Output

start start Begin monitoring. Once the command has been issued, packets will be displayed. You can pause the display by pressing the Enter key. You can abort the monitor and return to the CLI by pressing the ESC key:

Table 4-9. Protocol Monitor Command Set

CMD Synopsis Description
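The display modes of Table 4-9 can be illustrated with a small decoder. The following Python program is an added example written for this page; it is not GarrettCom code and does not reproduce the exact output layout of the DX monitor. It parses a constructed Ethernet/IPv4/TCP frame (built inline by build_sample_frame, not a capture) and returns the lines that the raw, ethernet, ip and tcp/ipfull display modes, the hex/ascii format setting and the lines limit would select. It also verifies the IPv4 header checksum, a check the monitor's field parse does not mention. All function names are the example's own.

```python
"""Added example (not GarrettCom code): decode a frame the way the Protocol Monitor's
display/format/lines settings present it. Names are the example's own."""
import socket
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header; 0 when a stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype, "payload": frame[14:]}


def parse_ip(data):
    vihl, tos, tlen, ident, ffrag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    return {"version": vihl >> 4, "ihl": ihl, "tos": tos, "total_length": tlen, "id": ident,
            "flags": ffrag >> 13, "frag_offset": ffrag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ip_checksum(data[:ihl]) == 0,
            "payload": data[ihl:tlen]}


def parse_tcp(data):
    sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "payload": data[hlen:]}


def hexdump(data, fmt="hex", lines=0):
    """16 bytes per line; fmt mirrors 'set format hex|ascii', lines mirrors 'set lines n' (0 = all)."""
    out = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        if fmt == "ascii":
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        else:
            text = " ".join("%02x" % b for b in chunk)
        out.append("%04x  %s" % (off, text))
        if lines and len(out) >= lines:
            break
    return out


def display(frame, mode="tcp", fmt="hex", lines=0):
    """Return the lines a monitor in the given 'set display' mode would print for one frame."""
    if mode == "raw":
        return hexdump(frame, fmt, lines)
    eth = parse_ethernet(frame)
    if mode == "ethernet":
        return ["ETH %s -> %s type 0x%04x" % (eth["src"], eth["dst"], eth["ethertype"])] + hexdump(eth["payload"], fmt, lines)
    if eth["ethertype"] != 0x0800:
        return ["non-IP frame, type 0x%04x" % eth["ethertype"]] + hexdump(eth["payload"], fmt, lines)
    ip = parse_ip(eth["payload"])
    out = ["IP %s -> %s proto %d ttl %d len %d id 0x%04x csum %s"
           % (ip["src"], ip["dst"], ip["protocol"], ip["ttl"], ip["total_length"], ip["id"],
              "ok" if ip["checksum_ok"] else "BAD")]
    if mode == "ip" or ip["protocol"] != 6:       # ipfull and tcp go on to the transport header
        return out + hexdump(ip["payload"], fmt, lines)
    tcp = parse_tcp(ip["payload"])
    out.append("TCP %d -> %d seq %d ack %d win %d [%s]"
               % (tcp["sport"], tcp["dport"], tcp["seq"], tcp["ack"], tcp["window"], ",".join(tcp["flags"])))
    return out + hexdump(tcp["payload"], fmt, lines)


def build_sample_frame():
    """Constructed frame (not a capture): an HTTP GET inside TCP/IPv4/Ethernet."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x11111111, 0x22222222, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for line in display(build_sample_frame(), mode="tcp", fmt="ascii", lines=2):
        print(line)
```

Running the block prints the IP and TCP summary lines followed by the first two ASCII payload lines, which is the combination (display tcp, format ascii, lines 2) that makes an HTTP request readable on a slow console link.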


4.2.3.9 The ping Command

Table 4-10 explains the ping command. This command is available from the MagnumDX# prompt.

Table 4-10. CLI ping Command

Command: ping
Synopsis: ping ipaddress
Description: Test reachability of another device at ipaddress by sending ICMP echo requests.


4.2.3.10 The rstp Command

Table 4-11 explains the commands available for managing and monitoring Rapid Spanning Tree Protocol (RSTP) functionality when the MagnumDX(rstp)# prompt is displayed or from the MagnumDX# prompt using an rstp prefix.

For example:

MagnumDX# rstp set bridge hello 5

or

MagnumDX(rstp)# show port e1 settings

For more information see the description of RSTP functionality in Section 3.3.3, “RSTP” and in Section 5.6, “RSTP”.

Table 4-11. CLI rstp Commands

Command: set
Synopsis: set bridge | port portnum params...
Description: Specify RSTP settings for the bridge or for a port, where portnum is an Ethernet port designated E1, E2, etc.

The available bridge parameters are:

• age n – Specify the maximum age of STP information before it is discarded, in the range 6 - 40 seconds.

• cstyle 16-bit | 32-bit – Specify 16-bit (STP) or 32-bit (RSTP) path cost style.

• delay n – Specify the forward delay, the time the bridge waits after a state or topology change before forwarding the information, in the range 4 - 30 seconds.

• hello n – Specify the interval between transmissions of configuration BPDUs, in the range 1 - 10 seconds.

• mode enable | disable – Enable or disable RSTP on this bridge.

• priority n – Specify a priority value for this bridge in the range 0 (highest priority) to 65535. The bridge with the lowest priority value becomes the root bridge.

The available port parameters are:

• mode edge | legacy | point | auto – Specify one of the following modes:

  - edge – For an RSTP-enabled port connected to an end system.

  - legacy – For a port that uses STP only.

  - point – For an RSTP-enabled port connected to another switch.

  - auto – The port determines the correct mode automatically from the BPDUs it receives.

Command: show
Synopsis: show param...
Description: Display information about the settings or status of the bridge or of ports, where param... is one of:

• bridge settings – Display the bridge RSTP settings.

• bridge status – Display the bridge RSTP status.

• all port settings – Display the RSTP settings of all ports.

• all port status – Display the RSTP status of all ports.

• port portnum settings – Display the RSTP settings of the port identified by portnum.

• port portnum status – Display the RSTP status of the port identified by portnum.


4.2.3.11 The session Command

Table 4-12 explains the commands available for managing sessions when the MagnumDX(session)# prompt is displayed or from the MagnumDX# prompt using a session prefix.

For example:

MagnumDX# session set timeout 30min

or

MagnumDX(session)# show active

For more information see the description of session management in Section 3.1.6, “Sessions”.

Table 4-12. CLI session Commands

Command: delete
Synopsis: delete sessionID
Description: Delete (forcibly end) the session identified by sessionID.

Command: set
Synopsis: set timeout duration
Description: Specify how long a session may be idle before it is automatically ended, where duration is one of:

• none

• 5min

• 30min

• 1hour

• 24hour

With none, idle sessions are never ended automatically; an unattended CLI or web session then remains usable by anyone with access to that terminal until it is explicitly closed or deleted. Choose the shortest timeout that operators can work with.

Command: show
Synopsis: show active | policies
Description: Display the active sessions (active) or the configured session policies (policies).


4.2.3.12 The ssh Command

Table 4-13 explains the commands available for viewing and managing Secure Shell (SSH) functionality when the MagnumDX(ssh)# prompt is displayed or from the MagnumDX# prompt using an ssh prefix.

For example:

MagnumDX# ssh set mode sshonly

or

MagnumDX(ssh)# show

For more information see the description of CLI security management in Section 3.7.5, “CLI”.

Table 4-13. CLI ssh Commands

Command: set
Synopsis: set mode telnet | sshonly
Description: Specify the security mode of the command line interface:

• telnet – Allow both port 23 (telnet) and port 22 (SSH) connections. Telnet carries the login credentials and the whole session in cleartext, so this mode should be used only on an isolated management network, and only until an SSH key has been generated.

• sshonly – Allow only SSH connections. If a client attempts a telnet connection the server sends a message indicating that telnet access is not allowed and then shuts down the connection. Note that the device still accepts the TCP connection on port 23 in this mode; it is the login that is refused. Generate the key with ssh keygen before switching to sshonly, because with no key the SSH server is not running.

Command: show
Synopsis: show
Description: Show the current SSH server setting and state:

• CLI Mode – Possible values are Allow Telnet and SSH Only.

• SSH Server State – Possible values are No Key and Running. No Key is seen only when no Digital Signature Algorithm (DSA) key has been generated for the SSH server with the ssh keygen command, or when a complete reformat of the DX flash has eliminated a previously generated key.

Command: keygen
Synopsis: keygen
Description: Generate a Digital Signature Algorithm (DSA) host key. This must be done once to start the SSH server. Generating a new key replaces the host key that SSH clients have already recorded for this device, so expect host-key warnings on the next connection after a regeneration.


4.2.3.13 The system Command

Table 4-14 explains the commands available for basic system information management when the MagnumDX(system)# prompt is displayed or from the MagnumDX# prompt using a system prefix.

For example:

MagnumDX# system set location North Andover

or

MagnumDX(system)# show

For more information see the description of basic system information management in Section 3.1.1, “System Information”.

Table 4-14. CLI system Commands

Command: set
Synopsis: set name sysname | location placename | contact identinfo
Description: Set one item of basic system information. The available parameters are:

• name sysname – Where sysname is a name for the system under configuration.

• location placename – Where placename is the name of the place where the system under configuration is located.

• contact identinfo – Where identinfo is a name or contact information for a person responsible for management of the system under configuration.

Command: show
Synopsis: show addresses
Description: Display basic system information.

4.2.3.14 The vlan Command

Table 4-15 explains the commands available for viewing and managing VLANs when the MagnumDX(vlan)# prompt is displayed or from the MagnumDX# prompt using a vlan prefix.

For example:

MagnumDX# vlan add vid 22 name substation_22

or

MagnumDX(vlan)# show all ports

For more information see the description of VLAN functionality in Section 3.3.4, “VLAN” and in Section 5.7, “VLAN”.

Table 4-15. CLI vlan Commands

Command: add
Synopsis: add vid n name vlan_name
Description: Add a VLAN with VID n (a number in the range 1 - 4094) and the name vlan_name (up to 24 printable characters).

Command: delete
Synopsis: delete vid n
Description: Delete the VLAN identified by VID n.

Command: edit
Synopsis: edit vid n name new_name
Description: Change the name of the VLAN identified by VID n to new_name (up to 24 printable characters).

Command: set
Synopsis: set mode enable | disable, or set port En param...
Description:

1. mode enable | disable – Enable or disable VLAN awareness on the switch.

2. port En param... – Set the following VLAN properties on the Ethernet port identified by En:

• mode access | trunk – An access port is typically connected to an end station and supports a single VLAN. A trunk port is typically connected to another switch and by default supports all configured VLANs.

• pvid n – The ID of the native VLAN assigned to this port. Untagged frames received on the port are assigned this VID.

• tagged y | n – If y, the port ensures that a VLAN tag is present in every frame it transmits. If n, the port strips all VLAN tags before transmitting frames.

• prohibit list – A list of VLANs to prohibit from a trunk port. Enter the VID numbers of prohibited VLANs separated by commas; a continuous range of VIDs can be indicated by a dash. For example: 4, 6-8, 12, 15. A trunk carries every configured VLAN unless it is listed here, so prohibit the VLANs a trunk does not need to carry.

Command: show
Synopsis: show all ports | mode | port En | vid n
Description: Display the information specified by the parameter:

• all ports – Settings of all VLAN-configured ports.

• mode – Whether VLAN awareness is enabled or disabled on the switch.

• port En – VLAN settings of the port identified by En.

• vid n – Settings of the VLAN identified by VID n.


4.2.3.15 The wan Command

Table 4-16 explains the commands available for configuration of your DX device’s WAN (Wide Area Network) port when the MagnumDX(wan)# prompt is displayed or from the MagnumDX# prompt using a wan prefix.

For example:

MagnumDX# wan set port W1 HQWan bandwidth 56k clock received admin enabled

or

MagnumDX(wan)# show port W1 settings

For more information see the descriptions of WAN port configuration in Section 3.5, “WAN Tasks”.

Table 4-16. CLI wan Commands

Command: set
Synopsis: set param...
Description: Configure a WAN port.

The parameters that apply to both DDS and T1/E1 connections are:

• port portID – Where portID specifies the WAN port being configured (for example, W1).

• name portname – Where portname is a user-supplied name of up to 15 printable characters for this WAN port.

• bandwidth 56k | 64k – Specify a connection speed of either 56k (typical for carrier-supplied connections) or 64k (available for private networks and all E1 circuits).

• clock local | received – Specify the source of the data clock. (The default is received.)

• admin enabled | disabled – Specify the administrative status of this port.

The parameters that apply to T1/E1 connections only are:

• mode – Specify whether this connection is T1 or E1.

• timeslots – Specify which available time slots are used by this port. Separate single slot numbers with commas and specify a range of slots with a hyphen. For example: 1,3,5-6.

• frame – Specify the frame type for this port:

  - For T1: ESF (default) or D4.

  - For E1: FAS or CAS.

• code – Specify the line code for this port:

  - For T1: AMI or B8ZS (default).

  - For E1: AMI or HDB3.

Command: show
Synopsis: show param...
Description: Display information about all configured WAN ports or about a specified WAN port, where param... is one of:

• all port settings – Display settings for all WAN ports.

• port portID settings – Display the settings for the WAN port specified by portID.

• all port status – Display status information for all WAN ports.

• port portID status – Display status information for the WAN port specified by portID.

4.2.3.16 The web Command

Table 4-17 explains the web command, which enables you to configure security settings on the embedded web server. This command is available from the MagnumDX# prompt.

For more information see the description of web server security management in Section 3.7.4, “Web Server”.

Table 4-17. CLI web Commands

Command: set
Synopsis: set mode http | sslonly
Description: Specify whether the server will accept non-secure HTTP requests:

• http – Accept both non-secure HTTP (port 80) requests and secure SSL (port 443) requests. Credentials and configuration submitted over port 80 cross the network in cleartext.

• sslonly – Accept only secure (port 443) requests.

Command: show
Synopsis: show
Description: Display the current security setting of the embedded web server.
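After switching the CLI to sshonly (Table 4-13) and the web server to sslonly (Table 4-17), confirm the result from a management host rather than relying on the show output alone. The following Python script is an added example, not GarrettCom code. Its probe() classifies each TCP port as refused (nothing listening), closed (the listener accepts and then hangs up, which is what the guide describes for port 23 in sshonly mode, so a plain connect test would still report that port as open) or open (a live service waiting for input). The service-to-port mapping, the fake_service loopback stand-ins and all function names are the example's own assumptions so that it runs offline; to run it for real, call audit() with the device's address and the default DX_SERVICES mapping.

```python
"""Added example (not GarrettCom code): a post-change check for 'ssh set mode sshonly'
and 'web set mode sslonly', run from a management host against the device's IP."""
import socket
import threading

# The example's own mapping of the ports named in Tables 4-13 and 4-17.
DX_SERVICES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}
MUST_NOT_BE_OPEN = ("telnet", "http")


def probe(host, port, timeout=2.0):
    """Classify a TCP service as 'refused' (nothing listening), 'closed' (the listener
    accepts, optionally sends a banner, then hangs up) or 'open' (accepts and waits)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    with sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(256)
            if first == b"":
                return "closed"               # hung up without saying anything
            # The peer sent a banner: does it now hang up (b"") or wait for input?
            return "closed" if sock.recv(256) == b"" else "open"
        except socket.timeout:
            return "open"                     # silence means a live service waiting for us
        except OSError:
            return "closed"


def audit(host, services=DX_SERVICES, timeout=2.0):
    """Probe every service and return {name: classification}."""
    return {name: probe(host, port, timeout) for name, port in services.items()}


def violations(results, must_not_be_open=MUST_NOT_BE_OPEN):
    """Names of cleartext services that still answer as live services."""
    return [name for name in must_not_be_open if results.get(name) == "open"]


# Constructed stand-ins so the example runs offline: loopback sockets, not DX behaviour.

def fake_service(banner=b"", hang_up=True):
    """Listen once on a loopback port; send banner, then close (hang_up) or wait for input."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            if not hang_up:
                try:
                    conn.recv(1)              # behave like a login prompt waiting for a user
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A loopback port with nothing listening, for the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    simulated = {
        "ssh": fake_service(b"SSH-2.0-example\r\n", hang_up=False),
        "telnet": fake_service(b"telnet access not allowed\r\n", hang_up=True),
        "http": unused_port(),
        "https": fake_service(hang_up=False),
    }
    results = audit("127.0.0.1", simulated, timeout=0.5)
    print(results, "violations:", violations(results))
```

Against a real device, "open" for telnet or http means the cleartext service is still live; "closed" for telnet is the expected result in sshonly mode, and "refused" for http is the expected result in sslonly mode.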

Chapter 5 Operational Guide

5.1 Frame Relay

The Frame Relay protocol is supported on some DX devices.

5.1.1 Wide Area Network Ports

A Wide Area Network (WAN) port supports Digital Data Service (DDS) and has the following user-configurable parameters:

• Name
• Speed – 56 or 64 kbps
• Local Management Interface (LMI) type – LMI, CCIT (ITU-T Q.933 Annex A), ANSI (T1.617 Annex D), or None
• LMI mode – User or Net
• Fragment Size (see Section 5.1.3, “Quality of Service”)

You can view WAN port status and statistics, including:

• state
• received packets
• sent packets
• received octets
• sent octets

5.1.2 Data Link Connection Identifiers

You can configure a list of Data Link Connection Identifiers (DLCIs) with the following parameters:

• Name
• DLCI
• Committed Information Rate (CIR)

Once in the list, a DLCI is an IP interface and may have an IP address and subnet mask set as with other interfaces, for example, VLANs and Ethernet ports that are not bridged. IP packets traversing the attached frame relay network are encapsulated in compliance with RFC 1490 and, where required, fragmented as specified by FRF.12. (See Section 5.1.3, “Quality of Service”.)


5.1.3 Quality of Service

Quality of Service is controlled by the combination of the Differentiated Services (DiffServ, RFC 2474) field of the IP packets being forwarded out of a frame relay port, the fragment size setting of the port, and the CIR of the DLCI. The DiffServ value of a Terminal Server connection may be configured as Expedited Forwarding (EF, RFC 2598), which requires a Per-Hop Behavior (PHB) that yields low loss, low latency, low jitter, and assured bandwidth (given by the CIR). Packets marked EF are then queued for forwarding out the WAN port ahead of other packets. In addition, large packets are fragmented according to the port's fragment size setting, so that an EF packet never has to wait for an entire large packet with some other DiffServ value that began transmission before the EF packet was queued, but only for the fragment currently being sent. For example, at 56 kbps a full 1500-byte packet occupies the link for about 214 ms, whereas a 128-byte fragment occupies it for about 18 ms, which bounds the extra delay an EF packet can see.

Note that the network must be designed so that only EF packets are forwarded on any DLCI that carries EF packets at all, since the fragmentation standard does not permit interleaving of fragments from different packets over the same DLCI.

5.2 IP Addressing and Routing

Each Ethernet port is configured as either a bridged or a non-bridged (that is, routed) interface. An IP packet that is received on a routed interface is never bridged and can only be forwarded at Layer 3 by the Router. An IP packet that is received on a bridged port may be forwarded at Layer 2 but may also be handled at Layer 3 if the packet's destination MAC address equals the Router's MAC address. Each routed Ethernet and VLAN interface in the system may be assigned its own IP address. In the special case where VLANs are disabled and all of the system's Ethernet interfaces are configured as bridged, the DX40/800 may only be assigned a single system IP address.

5.2.1 Default Configuration

By default, the product operates as a non VLAN-aware bridge. In this configuration, a single IP address may be assigned to the system for accessing the product's management and terminal server functions. This IP address is assigned to the special "System/VID1" interface in the IP address table.

5.2.2 Router Interfaces

Some or all of the system's Ethernet ports may be configured as Routed interfaces. In this configuration, the ports configured as Routed interfaces are isolated from the Ethernet switch and are connected directly to the system's Routing function. Each Routed interface may be assigned its own IP address. These IP addresses are assigned to "Ex" interfaces in the IP address table.

5.2.3 VLAN Interfaces

When VLANs are enabled, each VLAN that is added to the system becomes a virtual Ethernet interface that is accessible to the Router. Each VLAN may be assigned its own IP address. These IP addresses are assigned to "VIDx" interfaces in the IP address table.


5.2.4 IP Address Table

The IP address table contains one entry for each assigned IP address. An entry in the table contains three columns: interface name, IP address, and subnet mask. The interface name may be "System/VID1", the port ID of a non-bridged (routed) Ethernet interface (for example, "E1"), or the VLAN ID of a virtual Ethernet interface (for example, "VID52"). Only a single System interface entry exists and it may not be deleted. When VLANs are disabled, the System IP address is directly reachable via any bridged Ethernet port and indirectly reachable (via routing) through any non-bridged Ethernet port. When VLANs are enabled, the IP address assigned to this interface becomes the IP address assigned to the default VLAN (VID 1).

5.2.5 Routing Table

The system's IP routing table can be accessed through the user interface (see Section 3.6.2, “Static Routes”). The table includes routes that have been learned through the operation of RIP and routes that have been statically configured by a user. The routing table is used to make IP packet forwarding decisions.

5.2.6 Routing Information Protocol

MNS-DX supports RIP, RIP-II, and RIP-II with multicasting as specified in RFCs 1058 and 1388. Routes learned through RIP are only as trustworthy as the neighbors that advertise them; where the set of neighbors cannot be controlled, prefer static routes (Section 3.6.2, “Static Routes”).

5.3 Network Address Port Translation

MNS-DX supports Network Address Port Translation (called NAT in this document and in the MNS-DX interface; also known as NAPT and NAT/PAT), where one IP interface is designated the "public" interface and the other IP interfaces are the "local" interfaces. Configured translations map the destination IP address and protocol port number of IP packets arriving over the public interface to a local address and port, and likewise map the source IP address and protocol port number of packets leaving over the public interface.

5.4 DHCP Server

MNS-DX supports manual and dynamic allocation of IP addresses as defined in RFC 2131 (Dynamic Host Configuration Protocol). Manual (static) allocation creates a permanent, static mapping between a host's MAC address and an IP address and subnet mask. In this case the purpose of the DHCP server is simply to tell a host what its IP address is when its network interface comes online. Dynamic allocation allows automatic reuse of addresses by granting temporary address leases to hosts as they are requested. When a lease expires, the host must renew the lease with the server. If a lease is not renewed, that address may be allocated to a new host. For dynamic allocation a set of address pools is configured on the server and new addresses are selected from these pools.


You can define up to 16 dynamic address ranges and up to 100 static addresses. The total number of reserved addresses (both static and dynamic) cannot exceed 100.

The DHCP server can also send additional host parameters to each client. The parameters supported in this release are the default gateway, primary and secondary DNS servers, and the DNS domain suffix.

5.5 SNMP

The Simple Network Management Protocol (SNMP) is a protocol for managing network devices. It comprises a central manager, an agent monitoring each device, and a database of information called a Management Information Base (MIB). MNS-DX implements the agent. You can configure the SNMP agent with the SNMP: Global Settings screen described in Section 3.1.4.1. This screen also enables you to specify up to four management stations to which the agent can send trap information. Monitoring of the gathered information is a task for your Network Management System.

5.5.1 Version Support

MNS-DX supports features of SNMP versions 1 and 2. These are described in the following RFCs, available at the www.ietf.org web site:

• SNMPv1: RFC 1155, RFC 1157, RFC 1212, RFC 1215
• SNMPv2: RFC 2578, RFC 2579, RFC 2580, RFC 3416

Specifically, MNS-DX version 1.1 supports:

• SNMP v1/v2 agent
• SNMPv2 standard traps
• MIB-II

Neither SNMP version 1 nor version 2c provides authentication or encryption beyond the community string, which travels in cleartext in every request. Treat community strings as passwords, and keep the agent (UDP port 161) reachable only from the management network that hosts the trap receivers (UDP port 162).

5.6 RSTP

The Rapid Spanning Tree Protocol (RSTP) constructs a system linking the elements of a bridged local area network so as to supply redundancy, provide quick recovery from failure of a segment, and eliminate loops. The protocol is "spanning" in that it connects all elements in the system and a "tree" in that it connects these elements while remaining free of loops.

The original Spanning Tree Protocol (STP) was defined by IEEE standard 802.1D. The faster RSTP was first defined in IEEE 802.1w, and RSTP supersedes STP in IEEE 802.1D (2004). With default timers STP takes 30 to 50 seconds to recover from a failure because it must wait out its timers and recalculate the entire tree. RSTP can recover in less than one second because it enables ports to actively communicate information about special conditions. MNS-DX supports both protocols, so that you can configure a port to use the older STP if it is necessary to accommodate a legacy bridge.

This section provides a high-level summary of the protocol to enable understanding of your options in configuring RSTP. For a more detailed understanding see the IEEE 802.1D (2004) standard, which is freely available.

Access RSTP functionality in MNS-DX with the following screens:

• RSTP: Bridge Settings, described in Section 3.3.3.1.
• RSTP: Port Settings, described in Section 3.3.3.2.
• RSTP: Bridge Status, described in Section 3.3.3.3.
• RSTP: Port Status, described in Section 3.3.3.4.

5.6.1 RSTP Setup

When first configured with RSTP, the bridges in a system exchange messages with one another to elect a root bridge and to discover the shortest path from each bridge to the root bridge. The ports that provide the shortest paths are put into the forwarding state. All other ports are assigned backup or alternate roles. When a stable tree has been established and traffic is being transmitted, the system is said to have achieved convergence.

Figure 5-1. Port Roles in a Rapid Spanning Tree Network

5.6.1.1 BPDUs

The messages exchanged by the bridges are special data frames called Bridge Protocol Data Units (BPDUs). The BPDUs carry identifying information and the root path cost. The best path from a bridge to the root is the one with the lowest path cost. (The measurement takes into account the bandwidth of the intervening segments: a faster link has a smaller port path cost.) When the spanning tree is being calculated the bridges exchange configuration BPDUs. Other types of BPDUs are exchanged during normal operation.

MNS-DX supports a choice of cost style: 16-bit (STP) or 32-bit (RSTP) path cost values, selected with the Cost Style bridge setting (Section 5.6.3.1). All bridges in a system should use the same cost style, since the two scales are not comparable.

(Figure 5-1 legend: R = Root port, D = Designated port, A = Alternate port, B = Backup port. The figure shows one Root Bridge and several Designated Bridges.)


5.6.1.2 Bridge Roles

Each configured spanning tree has a single root bridge. All other bridges active in the system are designated bridges. For each segment, the connected bridge that provides the shortest path to the root bridge is that segment’s designated bridge.

5.6.1.3 Port Roles

After convergence each port in the tree is assigned one of the four roles listed in Table 5-1.

Table 5-1. RSTP Port Roles

Root: Each bridge (except the root bridge) has a single root port. This is the port with the lowest root path cost (the best way to the root). All traffic between a designated bridge and the root bridge passes through that bridge's root port.

Designated: Each segment has exactly one designated port, on the segment's designated bridge. If only one port of that bridge is connected to the segment, it is the designated port. If more than one port of that bridge is connected to the segment, the port with the best (lowest) priority value in its port ID is the designated port for the segment. Every port on the root bridge that is connected to a segment is a designated port. All traffic to and from a segment passes through the designated port of the designated bridge.

Backup: A port on a designated bridge that is connected to the same segment as the designated port on that bridge. If the designated port fails, the backup port becomes the designated port. A backup port is blocked (inactive).

Alternate: A port that connects to a different segment than the root port on the same bridge. An alternate port provides a path to the root that is inferior to the path provided by the root port. If the root port fails, the alternate port becomes the root port. An alternate port is blocked (inactive).

5.6.1.4 Edge Ports and Point-to-Point Links

There are two other ways of classifying ports that enable a quick transition to the forwarding state and thus faster convergence:

• Edge Port – A port that connects directly to an end station. Since it connects to a single host it cannot form a loop, so it may be safely placed in the forwarding state without going through the listening and learning stages. An edge port that receives a BPDU is connected to a bridge after all and is no longer treated as an edge port.

• Point-to-Point Link – A port that connects directly to another switch over a full-duplex link. RSTP can negotiate the transition to forwarding with the neighbor bridge explicitly (the proposal/agreement handshake) instead of waiting for timers to expire.


5.6.1.5 Port States

The MNS-DX implementation of RSTP supports four operational states for a port:

Blocking – The port does not transmit or receive data frames, but it does continue to receive BPDUs.

Listening – The port can send and receive BPDUs, but it is not learning MAC addresses or forwarding data frames.

Learning – The port is receiving BPDUs and is learning MAC addresses, but it is not forwarding data frames.

Forwarding – The port is sending and receiving all frames.

Once the RSTP network is functioning, all traffic is by definition handled by the ports in the forwarding state.

5.6.2 RSTP Normal Operation

After initial configuration RSTP functions by circulating BPDUs through the system. When these BPDUs indicate a change in the topology, such as failure of a link or the addition of a new node, the system is reconfigured.

System maintenance is carried out by the BPDU traffic among the bridges, under the following configurable constraints:

Hello Time – The interval between transmissions of configuration BPDUs on any port. Valid range: 1 - 10 seconds; default: 2 seconds. A connection is considered lost if three consecutive hellos are missed (by default, six seconds).

Forward Delay – How long the bridge waits after any state or topology change before forwarding the information to the network. Valid range: 4 - 30 seconds; default: 15 seconds.

Maximum Age – The length of time a configuration BPDU remains valid before it is discarded. Valid range: 6 - 40 seconds; default: 20 seconds.

5.6.3 Design Considerations

RSTP makes network decisions automatically. In the absence of manual intervention the protocol will completely configure the network; however, you may want to specify the settings for some or all of your bridges and ports. For instance, you may want to ensure that a particular bridge is the root bridge or that a certain port on a bridge is the designated port. If every bridge is left at the default priority, whichever bridge has the lowest MAC address becomes the root, and any bridge attached later that advertises a lower bridge ID takes the root role over; setting the priority explicitly on the intended root avoids both outcomes.

Note that you should use the RSTP: Port Settings screen to ensure that ports connecting to end stations are specified as edge ports, and that ports that connect to other bridges using RSTP are specified as Point ports (also known as Point-to-Point ports).


5.6.3.1 Configuring Bridge Settings

Use the RSTP: Bridge Settings screen, described in Section 3.3.3.1, to configure the following parameters:

• Enabled – Any bridge active in the system must have the Disabled/Enabled value set to Enabled.

• Priority – The default priority value is 32768 (in a valid range of 0 - 65535). The bridge with the lowest bridge ID (priority first, then MAC address) becomes the root. If you want a specific bridge to be the root bridge, set its priority lower than that of any other bridge in the system. You can also effectively specify an alternate root bridge, to take over if the original root bridge fails, by giving it a priority value only slightly higher than that of the root bridge. When more than one bridge connects to the same LAN you can determine which becomes the designated bridge by giving it the lowest priority value.

• Hello Time – The default Hello Time value is 2 seconds (in a valid range of 1 - 10). The manually configured Hello Time applies on the root bridge. A smaller Hello Time results in quicker detection of topology changes but also in increased BPDU traffic on the system. Designated bridges use the Hello Time learned from BPDUs sent by the root bridge.

• Forward Delay – The default Forward Delay value is 15 seconds (in a valid range of 4 - 30). A shorter Forward Delay may result in quicker adaptation to topology changes. Designated bridges use the Forward Delay learned from BPDUs sent by the root bridge.

• Maximum Age – The default Maximum Age value is 20 seconds (in a valid range of 6 - 40). In a network that includes some slow links it can be useful to set a higher value for Maximum Age.

• Cost Style – Specifies whether 16-bit (STP-style) or 32-bit (RSTP-style) path cost values are used. Use the same cost style on every bridge in the system, since the two scales are not comparable.

5.6.3.2 Configuring Port Settings

Use the RSTP: Port Settings screen, described in Section 3.3.3.2, to configure the following parameters:

• Mode –

  - Point – Specify that a port that connects to another switch that uses RSTP is a point port.

  - Edge – Specify that a port that connects to an end station is an edge port. This allows direct transition to forwarding and prevents unnecessary topology change messages.

  - Legacy – Specify that a port that uses STP only is a legacy port.

• Port Priority – The default Port Priority value is 128 (in a valid range of 0 - 255). RSTP selects root, designated, and backup ports from among redundant ports on a bridge based on the port ID, which combines the priority setting with the port number. To force the selection of a specific port as the root port, give it a low priority value.
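To make the election and role rules of Sections 5.6.1 through 5.6.3 concrete, the following Python program is an added example (not GarrettCom code) that computes the root bridge, each bridge's root path cost and every port's role (root, designated, alternate, backup) for a constructed topology, from the same inputs the RSTP screens expose: bridge priority and MAC address, cost style, link speed and port priority. The topology in sample_network(), the port cost tables and all names are the example's own; the 802.1D priority-vector ordering (root path cost, then designated bridge ID, designated port ID and receiving port ID) is implemented with Dijkstra's algorithm over the segments.

```python
"""Added example (not GarrettCom code): root election and port-role assignment for a
constructed RSTP topology, using the bridge priority, cost style and port priority
settings of Section 5.6.3. Names are the example's own."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Port path cost per link speed for the two cost styles (IEEE 802.1D-1998 / 802.1D-2004 tables).
COST_16BIT = {10: 100, 100: 19, 1000: 4}
COST_32BIT = {10: 2_000_000, 100: 200_000, 1000: 20_000}


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = 32768          # rstp set bridge priority n (default 32768)


@dataclass(frozen=True)
class Port:
    bridge: str
    name: str
    number: int
    speed_mbps: int
    priority: int = 128            # RSTP Port Priority (default 128)


Segment = List[Port]               # every port attached to one LAN segment


def port_id(p: Port) -> Tuple[int, int]:
    return (p.priority, p.number)  # port ID = priority, then port number


def compute_roles(bridges: List[Bridge], segments: List[Segment], cost_style: str = "32-bit"):
    """Return (root bridge name, {bridge: root path cost}, {(bridge, port): role})."""
    costs = COST_32BIT if cost_style == "32-bit" else COST_16BIT
    bid = {b.name: (b.priority, b.mac) for b in bridges}           # bridge ID = priority, then MAC
    root = min(bid, key=bid.get)

    # Dijkstra over the 802.1D priority vector:
    # (root path cost, designated bridge ID, designated port ID, receiving port ID)
    best = {root: (0, bid[root], (0, 0), (0, 0))}
    root_port: Dict[str, Port] = {}
    heap = [(best[root], root)]
    settled = set()
    while heap:
        vec, b = heapq.heappop(heap)
        if b in settled:
            continue
        settled.add(b)
        for seg in segments:
            for tx in (p for p in seg if p.bridge == b):           # b's port sending BPDUs on seg
                for rx in (p for p in seg if p.bridge != b):       # neighbours' ports receiving them
                    cand = (vec[0] + costs[rx.speed_mbps], bid[b], port_id(tx), port_id(rx))
                    if rx.bridge not in best or cand < best[rx.bridge]:
                        best[rx.bridge] = cand
                        root_port[rx.bridge] = rx
                        heapq.heappush(heap, (cand, rx.bridge))

    roles: Dict[Tuple[str, str], str] = {}
    for seg in segments:
        # The designated bridge of a segment offers the lowest root path cost (ties: bridge ID, port ID).
        designated = min(seg, key=lambda p: (best[p.bridge][0], bid[p.bridge], port_id(p)))
        for p in seg:
            if p is designated:
                role = "designated"
            elif root_port.get(p.bridge) is p:
                role = "root"
            elif p.bridge == designated.bridge:
                role = "backup"           # second port of the designated bridge on the same segment
            else:
                role = "alternate"        # another path toward the root, blocked
            roles[(p.bridge, p.name)] = role
    return root, {b: v[0] for b, v in best.items()}, roles


def sample_network():
    """Constructed topology: a three-bridge ring, one edge port, and a segment on which B has two ports."""
    bridges = [Bridge("A", "00:20:06:00:00:0a", priority=4096),   # root by priority, not by MAC
               Bridge("B", "00:20:06:00:00:02"),
               Bridge("C", "00:20:06:00:00:03")]
    segments = [
        [Port("A", "E1", 1, 1000), Port("B", "E1", 1, 1000)],
        [Port("B", "E2", 2, 100), Port("C", "E1", 1, 100)],
        [Port("C", "E2", 2, 1000), Port("A", "E2", 2, 1000)],
        [Port("C", "E3", 3, 100)],                                  # edge port: a lone end station
        [Port("B", "E3", 3, 100), Port("B", "E4", 4, 100)],         # hub segment reached by B twice
    ]
    return bridges, segments


if __name__ == "__main__":
    root, cost, roles = compute_roles(*sample_network())
    print("root:", root, "root path costs:", cost)
    for key in sorted(roles):
        print("%s %s: %s" % (key[0], key[1], roles[key]))
```

Changing A's priority back to the default 32768 in sample_network() moves the root to B (lowest MAC), turns A's E1 into a root port and raises C's root path cost, which is the effect described for Priority in Section 5.6.3.1; switching cost_style to "16-bit" changes the cost values but not the roles, because the two tables rank link speeds the same way.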


5.7 VLANVLAN (Virtual Local Area Network) configuration is a technique for segmenting ports on an Ethernet switch into logical groupings. Each logical grouping behaves as if it were a separate physical LAN. A VLAN may also span multiple physical Ethernet switches through the use of frame tagging. The DX40/800 supports VLAN as specified in IEEE 802.1Q (2003). This appendix describes the VLAN implementation on the DX40/800.

5.7.1 Adding VLANsBefore you can use a VLAN you must explicitly add it to the switch configuration using the form provided in the VLAN: VIDs screen described in Section 3.3.4.2.

5.7.1.1 VLAN IDsYou can configure up to 16 VLANs, associating each with a VLAN ID (VID) in the range 1 through 4094 (the value 4095 is reserved), subject to the following limitations:

• VID 1 is the default VLAN• VID 0 is defined as the NULL VID that is used in priority-tagged frames

Add a VLAN to the switch in the following steps:

1. Go to the VLAN: VIDs screen described in Section 3.3.4.2.

2. Enter a valid VID and VLAN Name in the fields provided in the Add VLAN form.

3. Click the Apply Settings button.

5.7.2 Configuring Ports for VLAN MembershipEach port to be included in a VLAN must be assigned a VID. They can also be configured to expect tagged or untagged frames and filtered to include or exclude specific VLANs.

5.7.2.1 Port VLAN IDs

A Port VLAN ID (PVID) is a user-configurable parameter that associates a native VLAN with a port. Each port is assigned exactly one PVID. By default, each port is assigned PVID 1.

5.7.2.2 Tagging

An Ethernet port in MNS-DX can be configured to expect tagged or untagged frames by setting the “Tagged?” field appropriately in the VLAN: Port Settings screen described in Section 3.3.4.3.

Tagged Field Set to No

When a port has its “Tagged?” field set to “No”, that port will:

• Admit all untagged or priority-tagged frames and mark them with the port's PVID


• Admit tagged frames if and only if the tagged VID matches the port's PVID. All other tagged frames will be dropped

• Strip all tag information (including VID and priority fields) from the frame before transmission

Tagged Field Set to Yes

When a port has its “Tagged?” field set to “Yes”, that port will:

• Admit untagged or priority-tagged frames and mark them with the port’s PVID

• Admit tagged frames if and only if the tagged VID matches the port's PVID or one of the VLANs assigned to that port. All other tagged frames will be dropped

• Transmit all frames with an appropriate VLAN tag

5.7.2.3 Filtering

By default a trunk port is a member of all VLANs. It may optionally prohibit traffic from a list of VLANs which you can configure using the VLAN: Port Settings screen described in Section 3.3.4.3.

An access port only passes traffic associated with its native VLAN.

5.7.2.4 Frame Classification and Forwarding

Frames that are admitted to the switch are always tagged (with either the frame's original VID or with the PVID of the port upon which it entered) and the frame's VLAN tag is included as part of the criteria used by the bridge forwarding process. Specifically, a frame will only be forwarded on a port that is a member of its tagged VLAN. Note that other criteria, such as destination MAC address and port state, may prevent a frame from being forwarded on a port even if it has a matching VID.

Default Configuration

By default, all ports are configured with “Tagged?” set to “No”, “Mode” set to “Access”, and nothing configured in the Prohibited VLANs field. The default PVID is 1. In this configuration, the switch accepts untagged and priority-tagged frames as well as frames that are tagged with the default VLAN (VID 1). All other tagged frames are dropped.

Port-based VLANs

Port-based VLAN functionality may be emulated by making all ports untagged. Each VLAN operates as a virtual bridge within the larger physical switch. The VLANs have only local significance since tags are always stripped before a frame is transmitted.

Configure the switch for port-based VLANs by adding a VLAN for each port group in the following steps:

1. Go to the VLAN: VIDs screen described in Section 3.3.4.2.

a. Add a VLAN for each group.

b. Click the Apply Settings button.


2. Go to the VLAN: Port Settings screen described in Section 3.3.4.3.

a. For each port, select the appropriate PVID based on the desired group (VLAN) membership.

b. Click the Apply Settings button.

Tagged VLANs

The software supports tag-based VLAN operation. In this mode each port is either an access port (admitting only untagged frames or frames tagged with its PVID) or a trunk port (carrying all frames on the configured VLANs). Tags allow VLANs to span multiple physical bridges.

Configure tagged VLANs using the following steps:

1. Go to the VLAN: VIDs screen described in Section 3.3.4.2.

a. Add a VLAN for each group.

b. Click the Apply Settings button.

2. Go to the VLAN: Port Settings screen described in Section 3.3.4.3.

a. For each port that will be connected to an end device, set the “Mode” to “Access” and select the port’s PVID.

b. For each port that will be connected to another switch, set the “Mode” to “Trunk”. This automatically sets the “Tagged?” field to “Yes” and enables the Prohibit field. If you want to specify VLANs to be filtered from this trunk, do so now.

c. Click the Apply Settings button.
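The ingress, egress and filtering rules of Section 5.7.2 can be checked against a small model. The following Python is an added example written for this guide's readers; it is not part of the MNS-DX software. It applies the rules as stated above (untagged and priority-tagged frames take the PVID, tagged frames are admitted only for a VLAN the port carries, tags are stripped on “Tagged? No” ports and kept on trunks, Prohibited VLANs filter a trunk) to a three-port switch, first in the factory default configuration and then in the tagged-VLAN layout used for DX-2 in Section 5.7.3.1. Port names, MAC addresses and frames are constructed, and MAC learning is reduced to a single table keyed by VLAN and address.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Illustrative model of the MNS-DX VLAN rules in Section 5.7.2 (not the switch's
# own code). Field names follow the VLAN: Port Settings screen.


@dataclass(frozen=True)
class PortConfig:
    pvid: int = 1                              # native VLAN, default 1
    tagged: bool = False                       # the "Tagged?" field
    mode: str = "Access"                       # "Access" or "Trunk"
    prohibited: FrozenSet[int] = frozenset()   # Prohibited VLANs (trunk filter)


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None   # None = untagged, 0 = priority-tagged (NULL VID)


class VlanSwitch:
    def __init__(self, ports: Dict[str, PortConfig], vids=(1,)):
        self.ports = ports
        self.vids = set(vids)             # VIDs added on the VLAN: VIDs screen; VID 1 always exists
        self.fdb: Dict[tuple, str] = {}   # (vid, mac) -> port, learned on ingress

    def is_member(self, port: str, vid: int) -> bool:
        """A trunk is in every configured VLAN it does not prohibit; an access port only in its PVID."""
        if vid not in self.vids:
            return False
        cfg = self.ports[port]
        if cfg.mode == "Trunk":
            return vid not in cfg.prohibited
        return vid == cfg.pvid

    def classify(self, port: str, frame: Frame) -> Optional[int]:
        """Ingress rule: the VID the frame carries inside the switch, or None if it is dropped."""
        if frame.vid in (None, 0):            # untagged or priority-tagged -> PVID
            return self.ports[port].pvid
        if self.is_member(port, frame.vid):   # tagged: admitted only for a VLAN this port carries
            return frame.vid
        return None                           # "All other tagged frames will be dropped"

    def receive(self, port: str, frame: Frame) -> Dict[str, Frame]:
        """Forward a frame arriving on `port`; returns {egress port: frame as transmitted}."""
        vid = self.classify(port, frame)
        if vid is None:
            return {}
        self.fdb[(vid, frame.src)] = port
        known = self.fdb.get((vid, frame.dst))
        if known is None:
            targets = [p for p in self.ports if p != port]   # unknown destination: flood the VLAN
        elif known == port:
            targets = []                                      # destination is behind the ingress port
        else:
            targets = [known]
        out = {}
        for t in targets:
            if not self.is_member(t, vid):
                continue                                      # only members of the frame's VLAN
            # Tagged? No -> strip the tag; Tagged? Yes (trunk) -> transmit with the VLAN tag
            out[t] = Frame(frame.dst, frame.src, vid if self.ports[t].tagged else None)
        return out


def default_switch() -> VlanSwitch:
    """Factory defaults: every port Access, untagged, PVID 1, no prohibited VLANs."""
    return VlanSwitch({name: PortConfig() for name in ("E1", "E2", "E3")})


def dx2_switch(prohibit_on_trunk: FrozenSet[int] = frozenset()) -> VlanSwitch:
    """Tagged-VLAN layout of DX-2 in Section 5.7.3.1: E1 trunk, E2 access in VLAN 1, E3 access in VLAN 2."""
    return VlanSwitch({
        "E1": PortConfig(pvid=1, tagged=True, mode="Trunk", prohibited=prohibit_on_trunk),
        "E2": PortConfig(pvid=1),
        "E3": PortConfig(pvid=2),
    }, vids=(1, 2))


if __name__ == "__main__":
    sw = dx2_switch()
    # Host 2's untagged request enters E3, leaves the trunk tagged for VLAN 2, never reaches E2
    print(sw.receive("E3", Frame(dst="00:aa:00:00:00:01", src="00:bb:00:00:00:02")))
```

Running the model with `dx2_switch(frozenset({2}))` shows the effect of a Prohibited VLANs entry: VLAN 2 frames arriving on the trunk are dropped at ingress, and VLAN 2 frames from E3 have no eligible egress port, which is exactly what the "Filtering" paragraph above describes.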

5.7.3 VLANs and Serial Ports

This section describes the concept of Serial VLANs, a network design in which SCADA traffic is segregated from other network traffic by placing it on a separate VLAN. It also presents an example network application.

MagnumDX products offer the capability of segregating serial traffic from other network traffic using VLANs. Because the terminal server application encapsulates serial traffic in IP packets, it cannot directly assign serial ports to a VLAN. Instead, IP addresses are assigned to VLANs (creating virtual IP interfaces) and serial ports are in turn associated with local and/or remote IP addresses.

Serial IP packets transmitted by MagnumDX will include an 802.1Q VLAN tag if the following two conditions are met:

1. To reach a particular remote host, an IP packet must be sent over a virtual IP interface.

2. The selected physical transmission port (chosen based on VLAN assignments and MAC learning) is configured for VLAN tagging.


5.7.3.1 Example Scenario

Refer to Figure 5-2 for a depiction of the network configuration on which the following example is based.

Figure 5-2. Serial Ports and VLANs

In this example, two serial IEDs are connected to remote management stations on different IP subnets and the serial traffic is carried (for a portion of its trip) over separate tagged VLANs.

Configuration

The DXs illustrated in Figure 5-2 are configured as follows:

• DX-1 is configured with VLANs enabled and two VLANs defined. Each VLAN becomes a virtual IP interface on the switch. VLAN 1 (marked by a blue dashed line) and its IP interface is assigned the address 192.168.1.10. VLAN 2 (marked by a green dotted line) and its IP interface is assigned the address 192.168.2.10. Port E1 is configured as a VLAN trunk that carries tagged traffic for both VLANs.

• DX-2 is configured with VLANs enabled and the same two VLANs defined as for DX-1. Port E1 is also configured as a trunk. Port E2 is configured as an untagged access port assigned to VLAN 1 and port E3 is configured as an untagged access port assigned to VLAN 2.

• DX-3 is configured as a router. Port E1 is assigned the IP address 192.168.1.1. Port E2 is assigned the IP address 192.168.3.1.

The Serial IEDs illustrated in Figure 5-2 are configured as follows:

• Serial IED 1 is connected to serial port S1 on DX-1 and is bound to the local IP address 192.168.1.10.

[Figure 5-2 labels: DX-1 with serial ports S1 and S2, port E1, VLAN 1: 192.168.1.10 and VLAN 2: 192.168.2.10; Tagged Ethernet Network; DX-2 with ports E1, E2, E3; DX-3 with interfaces 192.168.1.1 and 192.168.3.1; Serial IED 1 and Serial IED 2; Host 1 192.168.3.101; Host 2 192.168.2.101; legend: Ethernet, VLAN 1, VLAN 2]

• Serial IED 2 is connected to serial port S2 on DX-1 and is bound to the local IP address 192.168.2.10.

The hosts illustrated in Figure 5-2 are configured as follows:

• HOST1 is a management station assigned the IP address 192.168.3.101. It communicates with Serial IED 1.

• HOST2 is a management station assigned the IP address 192.168.2.101. It communicates with Serial IED 2.

Traffic Flow

Assume that all routing tables have been statically configured or that there is a routing protocol running. HOST1 initiates a TCP connection for communication with Serial IED 1 (192.168.3.101 -> 192.168.1.10) and HOST2 initiates a TCP connection for communication with Serial IED 2 (192.168.2.101 -> 192.168.2.10).

When HOST1 sends a request packet to Serial IED 1, the packet is forwarded to the router at 192.168.3.1. The router then forwards the packet on its 192.168.1.1 interface to DX-1 at 192.168.1.10. The packet is transmitted out DX-3's port E1 and received by DX-2's port E2, where it is classified as belonging to VLAN 1. Because the frame must be switched out port E1 and that port is a tagged VLAN trunk, an 802.1Q tag for VLAN 1 is added to the Ethernet frame before transmission. The tagged frame is then passed through the tagged Ethernet cloud and eventually is received on port E1 of DX-1, where the encapsulating Ethernet and TCP/IP headers are removed and the serial data is transmitted out port S1. When Serial IED 1 responds, a similar flow occurs in the opposite direction.

When HOST2 sends a request packet to Serial IED 2, the packet is forwarded directly to DX-1 at 192.168.2.10, since both are on the 192.168.2.0 subnet. The packet is transmitted by HOST2 and received by DX-2's port E3, where it is classified as belonging to VLAN 2. Because the frame must be switched out port E1 and that port is a tagged VLAN trunk, an 802.1Q tag for VLAN 2 is added to the Ethernet frame before transmission. The tagged frame is then passed through the tagged Ethernet cloud and eventually is received on port E1 of DX-1, where the encapsulating Ethernet and TCP/IP headers are removed and the serial data is transmitted out port S2. When Serial IED 2 responds, a similar flow occurs in the opposite direction.

5.8 Security

The following sections briefly describe the security features of MNS-DX.

5.8.1 Ethernet Port Security

MNS-DX offers the ability to disable Ethernet ports upon access by an unauthorized station. Each port may be placed in either of two different security modes: address locking or link locking.


5.8.1.1 Address Locking

In address locking mode, a port detects an unauthorized station by comparing the source MAC address in the frames that it receives to a list of authorized MACs. If the source MAC is not in the authorized list the port is locked out, which effectively disables the port by electrically isolating its PHY. Once a port is locked out it will not be re-enabled until it is explicitly unlocked by an administrator. Lock-outs persist across resets. Note that the check identifies a station only by its source MAC address, which a deliberate attacker can copy from the legitimate device, so address locking guards against accidental or opportunistic connections rather than serving as authentication.

When static MAC addresses have been configured on a port by an administrator, those addresses are treated as the list of authorized MACs. If no static MAC addresses are configured, the port will "learn" the source address of the first frame it receives and treat that MAC address as the single authorized MAC for the port. Learned authorized MACs persist across resets. Because the first station to transmit becomes the authorized one, connect the intended device before enabling the mode, or configure its MAC statically.

If a static MAC is configured after a port has learned an authorized MAC, the learned MAC is forgotten and the configured static MACs are treated as the list of authorized MACs. If all static MACs are removed from a port, the port will learn a new authorized MAC.
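The rules in the three paragraphs above interact (static overrides learned, lock-outs survive resets, removing all static MACs re-arms learning), so the following Python models them as a small state machine. It is an added example for this guide, not the MNS-DX implementation; the MAC addresses and the sequence of events are constructed, and "reset" is modelled by rebuilding the port from the state the text says persists.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Illustrative model of the address-locking behaviour described in Section 5.8.1.1
# (not MNS-DX code). MAC addresses below are constructed sample values.


@dataclass
class AddressLockedPort:
    static_macs: Set[str] = field(default_factory=set)   # administrator-configured MACs
    learned_mac: Optional[str] = None                    # single MAC learned from the first frame
    locked: bool = False                                 # PHY isolated until an admin unlocks

    @property
    def authorized(self) -> Set[str]:
        """Static MACs take precedence; otherwise the one learned MAC (empty until learned)."""
        if self.static_macs:
            return set(self.static_macs)
        return {self.learned_mac} if self.learned_mac else set()

    def receive(self, src_mac: str) -> bool:
        """Return True if the frame is admitted, False if it is dropped (port locked out)."""
        src_mac = src_mac.lower()
        if self.locked:
            return False
        if not self.static_macs and self.learned_mac is None:
            # First frame wins: whoever talks first becomes the authorized station.
            self.learned_mac = src_mac
            return True
        if src_mac in self.authorized:
            return True
        self.locked = True          # unauthorized source: lock the port out
        return False

    def set_static_macs(self, macs) -> None:
        """Configuring static MACs replaces a learned MAC; removing them all re-arms learning."""
        self.static_macs = {m.lower() for m in macs}
        if self.static_macs:
            self.learned_mac = None

    def unlock(self) -> None:
        """Explicit administrator action; nothing else re-enables a locked port."""
        self.locked = False

    def reset(self) -> "AddressLockedPort":
        """Device reset: lock-outs and learned MACs persist, so the rebuilt port is identical."""
        return AddressLockedPort(set(self.static_macs), self.learned_mac, self.locked)


def scenario() -> dict:
    """Walk through the rules and return the observed outcomes for inspection."""
    port = AddressLockedPort()
    r = {}
    r["ied_first_frame"] = port.receive("00:11:22:33:44:55")       # learned as the authorized MAC
    r["ied_again"] = port.receive("00:11:22:33:44:55")
    r["intruder"] = port.receive("de:ad:be:ef:00:01")               # mismatch -> lock-out
    r["ied_after_lockout"] = port.receive("00:11:22:33:44:55")      # stays locked even for the IED
    port = port.reset()
    r["locked_after_reset"] = port.locked
    port.unlock()
    r["ied_after_unlock"] = port.receive("00:11:22:33:44:55")       # learned MAC survived, no relearn
    port.set_static_macs(["AA:BB:CC:DD:EE:01"])                     # static list is now authoritative
    r["ied_vs_static"] = port.receive("00:11:22:33:44:55")          # old learned MAC no longer valid
    port.unlock()
    port.set_static_macs([])                                        # all static removed -> relearn
    r["relearned_new_mac"] = port.receive("aa:bb:cc:dd:ee:02")
    r["authorized_now"] = sorted(port.authorized)
    return r


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:22} {outcome}")
```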

5.8.1.2 Link Locking

In link locking mode a port is locked out if it loses link. Note that if a port is configured for link locking while it is down, it is not automatically locked out. It waits for the link to go up and then down before locking out.

5.8.2 Serial Port Security

MNS-DX supports the ability to carry serial data over authenticated, encrypted TCP connections using the SSL protocol (SSLv3 or TLSv1).

RSA public key cryptography and X.509 certificates are used to verify the authenticity of a connecting entity. Once a connection has been established, any of a number of encryption algorithms may be employed, including DES, 3DES, AES (128 or 256 bit), or RC4 (128 bit). Either MD5 or SHA-1 may be used for generating message authentication codes.

5.8.2.1 Serial Data Over SSL

SSL is a cryptographic protocol that creates a secure data transfer session over a standard TCP connection. It provides both authentication and privacy and supports a large number of cryptographic algorithms.

When an SSL connection is first established, a handshake protocol is executed. The handshake accomplishes the following:

• negotiates connection parameters

• optionally authenticates the peer

• determines a shared master secret

If the handshake succeeds, data transferred over the connection is now encrypted using the negotiated encryption algorithm and the shared master secret.


For more detailed information on SSL see the following texts:

Rescorla, Eric. SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, ISBN 0-201-61598-3.

Viega, John, Matt Messier, and Pravir Chandra. Network Security with OpenSSL, O'Reilly Media, Inc., ISBN 0-596-00270-X.

5.8.2.2 MNS-DX SSL Version Support

Each terminal server connection on a MagnumDX product may be authenticated and encrypted using SSL. The product supports the following versions of SSL:

• SSLv3

• TLSv1

SSLv2 has many known vulnerabilities and is not supported. SSLv3 has since been deprecated as well (RFC 7568), so prefer TLSv1 wherever the peer supports it.

5.8.2.3 Secure Web Server using HTTP over SSL (https://)

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS, defined in RFC 2246), are cryptographic protocols that protect traffic on the Internet.

SSL and non-SSL access to the web server are always available, so use the https:// URL for administration wherever possible. The system is shipped with a default web server key and certificate; we recommend that you generate and install a new key file rather than rely on the factory default. You can do this by uploading the file on the keys page and then selecting the new key on the web server configuration page. No reboot is necessary for the change to take effect.

5.8.3 Keys and Certificates

MNS-DX supports RSA public key encryption and X.509 certificates. RSA is a widely-used algorithm for public key encryption. X.509 is an International Telecommunication Union Telecommunication Standardization Sector (ITU-T) standard for public key infrastructure (PKI).

MNS-DX uses keys and certificates encoded in the Privacy Enhanced Mail (PEM) format. These files conventionally use the .pem extension.

A PEM file containing both a valid X.509 certificate chain and a valid RSA private key (the key file format described in Section 5.8.3.6) is treated as a certificate file. Manage these files with the Certificates: Local screen described in Section 3.7.1.1 and the Certificates: Trusted screen described in Section 3.7.1.2.

For an extended discussion and examples of key file and certificate file generation see Section 5.8.3.9, “Certificate and Key File Generation”.


5.8.3.1 RSA Public Key Cryptography

RSA public key cryptography is the most popular of the so-called asymmetric cryptography algorithms. Unlike symmetric cryptography, which uses a single key for encryption and decryption operations, asymmetric cryptography uses a pair of keys. One of the keys is published and well-known while the other is private and is known only to its owner. Information encrypted by the public key can only be decrypted by the private key and vice versa. This special property is what allows us to use asymmetric cryptography as a way of creating digital signatures.

5.8.3.2 Digital Signatures

Digital signatures provide a way of verifying that an electronic document was generated by a certain entity. Digital signatures protect electronic documents against tampering and forgery.

Digital signatures may be created using RSA public key cryptography. The basic technique involves creating a message digest of a plaintext document and then encrypting the result with the author’s private key. The original plaintext document and the digested/encrypted version (the signature) are passed to a recipient who then decrypts the signature using the author’s public key and compares the result to the message digest of the original plaintext document. If there is a match, the signature is valid.

SSL authentication involves validating the digital signature on an electronic document known as an X.509 certificate.

5.8.3.3 X.509 Certificates

An X.509 certificate is an electronic document used to publish a public key. It generally contains additional information that describes the certificate owner’s name, organization, and contact information. The certificate is digitally signed by a trusted third party to prove its authenticity. Certificates may be chained, with each certificate in the chain holding the RSA public key of the entity that signed the previous certificate. In this way, a “chain of trust” is established from the entity being authenticated to a mutually trusted third party known as a Certificate Authority.

5.8.3.4 Certificate Authority

A Certificate Authority (CA) is usually a well-known, trusted entity that issues signed certificates for entities that wish to distribute their RSA public key. You can think of a CA as the equivalent of a notary public for the Internet.

A CA has its own RSA public and private key pair that it uses to sign X.509 certificates. It publishes its public key in a root X.509 certificate that is self-signed. This means that there is no way to digitally verify the authenticity of a root CA certificate. You must choose which root CA certificates to trust. Often, root CA certificates are distributed “out-of-band” or bundled with software that uses SSL.


5.8.3.5 MNS-DX Certificate Files

MNS-DX does not come with any bundled or pre-installed root CA certificates. You must generate or otherwise acquire these certificate files and install them on each unit. This is accomplished through the “Security: Certificates” screen. To use an installed certificate, you must tell the software that you trust the issuing entity by marking the “Trusted” checkbox next to the certificate name and pressing the Apply Settings button. Again, this is required because the certificate is self-signed and therefore its authenticity cannot be verified (that is, anyone can generate a self-signed certificate).

MNS-DX only understands X.509 certificates that are encoded in the Privacy Enhanced Mail (PEM) format. This is an ASCII text format that is easy to cut and paste into files or mail messages. An example PEM-encoded X.509 certificate is shown below:

-----BEGIN CERTIFICATE-----
MIICyzCCAjQCCQDcC3lajBRvIDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRYwFAYDVQQHEw1Ob3J0aCBBbmRvdmVyMRQwEgYDVQQKEwtEeW1lYywgSW5jLjEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFNYXR0aGV3IFNjaGlja2xlcjEjMCEGCSqGSIb3DQEJARYUbXNjaGlja2xlckBkeW1lYy5jb20wHhcNMDYwNjI2MTgwNzQwWhcNMDYwNzI2MTgwNzQwWjCBqTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRYwFAYDVQQHEw1Ob3J0aCBBbmRvdmVyMRQwEgYDVQQKEwtEeW1lYywgSW5jLjEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFNYXR0aGV3IFNjaGlja2xlcjEjMCEGCSqGSIb3DQEJARYUbXNjaGlja2xlckBkeW1lYy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL/JrmUHTDPBkzENUWWnoBjo2iD1owJd/ZYrpHvLfkg8ljdLjlGNUdBlkwN7+8H6KN5J+IJWBq2C/cNfvfyUJ2/95a6TNYwt9/k/K3r70A6iuzFM0wVFpM0qH7tPOFStc9IygR36FOPasCoNxze9DofIfC8IypSf2S6B6tL6+8LXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAEq3kTPfT5i1Z5XtXtOabwkAcWW+tCw/wDhC6DME2XY5EOnuJchpFGgTPmA1z5neUTYT9pHX50rutrk28vvj6ELn1XLD5sp6Hqxj5Wslo4jDbLFxgft46TUgISqRHiSbixWfsLSNq7lfdlyH+f3cpGjMQjWO8xtEExNDuk7NUVbM=
-----END CERTIFICATE-----

5.8.3.6 MNS-DX Key Files

You must generate or otherwise acquire key files for your system and install them on each unit. This is accomplished using the Security: Keys screen.

MNS-DX requires that a key file is assigned to any serial port that will use SSL. Note, in some connection scenarios, a key file is not strictly necessary to establish a secure connection but a key file assignment is still required by the software because these scenarios cannot always be predicted. Each port may have a different assigned key file. You can enable SSL on a port and assign key files to ports using the Security: Serial screen.

MNS-DX only understands key files that are encoded in the Privacy Enhanced Mail (PEM) format. The key file consists of multiple parts:

1. An RSA Private Key

2. The signed, X.509 Certificate that contains the matching public key for #1

3. The X.509 Certificate of the root CA that signed the certificate in #2


An example key file is shown below:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


5.8.3.7 Key Exchange

SSL does not use RSA keys to actually encrypt data sent over the secure connection. Before data transmission can begin, the peer entities must agree on a shared secret key that will be used by a symmetric encryption algorithm such as 3DES or AES. This process is called key exchange. The SSL client encrypts a random secret using the server’s public RSA key and passes the result to the server. Since only the server knows the matching private key, it is the only entity that can decrypt the message and discover the shared secret.

MNS-DX does not currently support alternative key exchange algorithms such as Diffie-Hellman. Because the session secret travels under the server's RSA key, anyone who later obtains that private key can decrypt recorded sessions; protect the key file accordingly and replace the key if it may have been exposed.

5.8.3.8 Peer Authentication

MNS-DX supports peer authentication for both clients and servers, but it is always optional and configurable by the user. By default, peer authentication is not performed; without it the connection is encrypted but the identity of the other end is not verified, so enable it wherever certificates can be provisioned on both ends. When peer authentication is required, the SSL handshake fails and the connection is closed unless the following conditions are met:

1. The entity being authenticated must prove that it owns the public key in the certificate that it presented. This is accomplished by using its private key to encrypt some data that the authenticator decrypts and verifies.

2. The signature on the supplied certificate must be valid and verifiable (that is, the signing entity’s certificate must be signed by another verifiable entity or by a trusted entity such as a CA).

3. The current system date and time must be within the supplied certificate’s valid time range.
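The signature scheme of Section 5.8.3.2, the chain of trust of Section 5.8.3.3 and the three conditions just listed fit in one small model. The Python below is an added example for readers of this guide, not MNS-DX code and not a real certificate implementation: it uses a textbook RSA sign/verify over a SHA-1 digest with throwaway 256-bit keys, represents certificates as dictionaries, and then applies conditions 1 to 3 to a leaf-first chain, the order used in an MNS-DX key file. The CA, system and impostor keys, names and validity periods are all constructed for the demonstration.

```python
import hashlib
import random
from typing import Dict, List, Tuple

# Added example: toy model of the RSA signature, certificate chain and peer
# authentication checks of Sections 5.8.3.2, 5.8.3.3 and 5.8.3.8. Not MNS-DX code.
# 256-bit keys and dict "certificates" are for illustration only; never use them for real.

_rng = random.Random(2007)   # seeded so the demonstration is repeatable


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; adequate for demonstration keys."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 256) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)); e = 65537 is prime, so phi % e != 0 means gcd(e, phi) == 1."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1)
        phi = phi * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(message: bytes) -> int:
    # SHA-1 is one of the two hashes the DX negotiates (Section 5.8.2); 160 bits fits under n.
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(priv, message: bytes) -> int:
    """Digest the message and 'encrypt' the digest with the private key (Section 5.8.3.2)."""
    n, d = priv
    return pow(_digest(message), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare with a fresh digest."""
    n, e = pub
    return pow(signature, e, n) == _digest(message)


def _tbs(cert: Dict) -> bytes:
    """The to-be-signed fields of a toy certificate, serialised canonically."""
    return "|".join(str(cert[k]) for k in ("subject", "pubkey", "issuer", "not_before", "not_after")).encode()


def issue_cert(subject, pubkey, issuer, issuer_priv, not_before, not_after) -> Dict:
    cert = dict(subject=subject, pubkey=pubkey, issuer=issuer, not_before=not_before, not_after=not_after)
    cert["signature"] = sign(issuer_priv, _tbs(cert))
    return cert


def authenticate_peer(chain: List[Dict], trusted_roots: List[Dict], prove, now: int) -> Tuple[bool, str]:
    """Apply the three conditions of Section 5.8.3.8 to chain[0], the peer's own certificate.

    `prove(nonce)` stands for the peer signing a challenge with its private key. The chain is
    ordered leaf first, as in an MNS-DX key file, and must end at a root marked Trusted.
    """
    nonce = _rng.getrandbits(128).to_bytes(16, "big")
    if not verify(chain[0]["pubkey"], nonce, prove(nonce)):                 # condition 1
        return False, "peer does not hold the private key for its certificate"
    for cert in chain:                                                       # condition 3
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"certificate for {cert['subject']} is outside its validity period"
    roots = {c["subject"]: c for c in trusted_roots}
    for i, cert in enumerate(chain):                                         # condition 2
        issuer = chain[i + 1] if i + 1 < len(chain) else roots.get(cert["issuer"])
        if issuer is None or issuer["subject"] != cert["issuer"]:
            return False, f"issuer {cert['issuer']} is not in the trusted list"
        if not verify(issuer["pubkey"], _tbs(cert), cert["signature"]):
            return False, f"signature on {cert['subject']} does not verify"
    return True, "authenticated"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: one CA, one DX system certificate, one impostor CA with the same name."""
    ca_pub, ca_priv = generate_keypair()
    sys_pub, sys_priv = generate_keypair()
    bad_pub, bad_priv = generate_keypair()
    now = 1_200_000_000                                      # constructed clock, epoch seconds
    root = issue_cert("Root CA", ca_pub, "Root CA", ca_priv, now - 10, now + 10_000)  # self-signed
    leaf = issue_cert("DX system", sys_pub, "Root CA", ca_priv, now - 10, now + 1_000)
    expired = issue_cert("DX system", sys_pub, "Root CA", ca_priv, now - 1_000, now - 1)
    rogue_root = issue_cert("Root CA", bad_pub, "Root CA", bad_priv, now - 10, now + 10_000)
    rogue_leaf = issue_cert("DX system", sys_pub, "Root CA", bad_priv, now - 10, now + 1_000)
    honest, impostor = (lambda m: sign(sys_priv, m)), (lambda m: sign(bad_priv, m))
    return {
        "valid": authenticate_peer([leaf, root], [root], honest, now),
        "leaf_only": authenticate_peer([leaf], [root], honest, now),
        "stolen_cert_without_key": authenticate_peer([leaf, root], [root], impostor, now),
        "expired": authenticate_peer([expired, root], [root], honest, now),
        "rogue_ca_same_name": authenticate_peer([rogue_leaf, rogue_root], [root], honest, now),
        "root_not_marked_trusted": authenticate_peer([leaf, root], [], honest, now),
    }
```

The last two cases are the ones Section 5.8.3.5 is about: a root that merely carries the right name is rejected because its self-signature does not verify under the key of the root you marked Trusted, and a perfectly good chain is rejected when no root has been marked Trusted at all.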

5.8.3.9 Certificate and Key File Generation

This section gives an example of how to create a root CA Certificate and System Key File that can be used in conjunction with MNS-DX. The example uses the OpenSSL command line tool, which is freely available software that runs under Linux, Mac OS X, and Cygwin for Microsoft Windows. For more information on OpenSSL, see the following text:

Viega, John, Matt Messier, and Pravir Chandra. Network Security with OpenSSL, O’Reilly Media, Inc., ISBN 0-596-00270-X.

NOTE: In the following examples, the values typed at the prompts (US, MA, North Andover, and so on) are user-supplied input; the printed guide shows them in italic.


Step 1: Generate an RSA key and a certificate request for your CA

$ openssl req -newkey rsa:1024 -nodes -sha1 -keyout cakey.pem -out careq.pem

Generating a 1024 bit RSA private key
.............................................................++++++
.............++++++
writing new private key to 'cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:North Andover
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DYMEC, Inc.
Organizational Unit Name (eg, section) []:Technical Services
Common Name (eg, YOUR name) []:Support
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 2: Generate a self-signed CA certificate from the request

$ openssl x509 -req -in careq.pem -sha1 -signkey cakey.pem -out cacert.pem
Signature ok
subject=/C=US/ST=MA/L=North Andover/O=DYMEC, Inc./OU=Technical Services/CN=Support/[email protected]
Getting Private key

Step 3: Create the CA’s Key File

$ cat cacert.pem cakey.pem > ca.pem


Step 4: Create an RSA key and a certificate request for your system

$ openssl req -newkey rsa:1024 -nodes -sha1 -keyout syskey.pem -out sysreq.pem
Generating a 1024 bit RSA private key
.++++++
.................++++++
writing new private key to 'syskey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:North Andover
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DYMEC, Inc.
Organizational Unit Name (eg, section) []:Network Planning
Common Name (eg, YOUR name) []:Planner
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 5: Create the system’s certificate and have it signed by the CA

$ openssl x509 -req -in sysreq.pem -sha1 -CA ca.pem -CAkey ca.pem -CAcreateserial -out syscert.pem
Signature ok
subject=/C=US/ST=MA/L=North Andover/O=DYMEC, Inc./OU=Network Planning/CN=Planner/[email protected]
Getting CA Private Key

Step 6: Create the System Key File

$ cat syscert.pem syskey.pem cacert.pem > sys.pem

Two points to check before installing the files: openssl x509 -req issues certificates that are valid for only 30 days unless -days is given, so add -days to Steps 2 and 5 if the certificates must outlive that (an expired certificate fails the date check of Section 5.8.3.8); and -nodes writes the private keys unencrypted, as the device requires, so restrict access to cakey.pem, ca.pem and sys.pem and keep the CA key off the units.

5.8.3.10 Certificate and Key File Installation

After generating your root CA certificate and key file, you must install them on your system. Use the Certificates: Local screen, described in Section 3.7.1.1, and the Certificates: Trusted screen, described in Section 3.7.1.2, to do this.


5.8.4 IP Firewall

You can enable an IP firewall for each IP interface, for example, a VLAN. You can define a filter for individual interfaces or for groups of interfaces. Each filter specifies a "hole" in the firewall. Any IP packet entering the system through an interface that has the firewall enabled will be dropped unless it matches one of the filters configured for that interface. An IP packet entering the system through an interface that has the firewall disabled will be processed normally, that is, it will be forwarded according to the routing table.

For detailed information see Section 3.7.6, Firewall and the descriptions of the Firewall: IP Interfaces, Firewall: Interface Groups, and Firewall: IP Filters screens.

5.8.5 RADIUS Support

MNS-DX supports remote user authentication by a RADIUS server.

RADIUS is an authentication, authorization, and accounting (AAA) protocol defined in RFC 2865 and RFC 2866.

• Authentication – A RADIUS server receives requests for connections and checks that the username and password provided are authentic using a shared secret and one of two authentication schemes.

• Authorization – After successful authentication the RADIUS server authorizes the requesting user to begin a session on the system.

Use the RADIUS: Global Settings screen, described in Section 3.7.7.1, and the RADIUS: Servers screen, described in Section 3.7.7.2, to add RADIUS servers and to configure them.

5.8.6 DX-Series Cipher Support

The following list specifies the type of cipher supported by the DX-Series for each security purpose:

• Signing/Authentication – RSA

• Key Exchange – RSA

• Cryptographic Hashing – SHA1, MD5

• Encryption – DES, 3DES, RC4, AES

The DX-Series supports the following standard cipher suites:

• SSL_RSA_EXPORT_WITH_RC4_40_MD5

• SSL_RSA_WITH_RC4_128_MD5

• SSL_RSA_WITH_RC4_128_SHA

• SSL_RSA_WITH_DES_CBC_SHA

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_RSA_EXPORT_WITH_RC4_40_MD5

• TLS_RSA_WITH_RC4_128_MD5

• TLS_RSA_WITH_RC4_128_SHA

• TLS_RSA_WITH_DES_CBC_SHA

• TLS_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_RSA_WITH_AES_128_CBC_SHA

• TLS_RSA_WITH_AES_256_CBC_SHA

It also supports the following pre-defined cipher suite lists:

• ANY – all the cipher suites listed above

• ANY_STRONG – all cipher suites listed above that have a key size of at least 128 bits

• ANY_STRONG_SSL – all cipher suites listed above that are defined by the SSLv3 standard and have a key size of at least 128 bits

• ANY_STRONG_TLS – all cipher suites listed above that are defined by the TLSv1 standard and have a key size of at least 128 bits

• ANY_AES – all cipher suites that use AES128 or AES256 for encryption

MNS-DX always uses RSA public key cryptography and X.509 certificates for key exchange and peer authentication.

The default cipher suite uses RSA public keys, 3DES encryption, and SHA1 hashing. Note that the export (40-bit) suites, DES, RC4 and MD5, and SSLv3 itself, have since been deprecated by the IETF; where the peer supports AES, restrict the configuration to the ANY_AES list.
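To see exactly which suites each pre-defined list selects, the following Python expands the lists from the suite names above. It is an added example, not MNS-DX code: the grouping rules are the ones stated in this section (key size from the cipher name, SSL_ or TLS_ prefix for the protocol), while the weakness flags are general TLS guidance the DX does not itself apply. The nominal 3DES key size of 168 bits is an assumption about how the DX counts "key size"; the page does not say.

```python
import re
from typing import List

# Added example: expands the pre-defined cipher suite lists of Section 5.8.6 from the
# suite names listed there. Grouping follows the text; weakness flags are general guidance.

DX_CIPHER_SUITES = [
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

_SUITE_RE = re.compile(r"^(SSL|TLS)_RSA_(EXPORT_)?WITH_(\w+?)_(MD5|SHA)$")

# Nominal symmetric key sizes; 3DES is counted at 168 bits (112 effective) - an assumption.
_KEY_BITS = {"RC4_40": 40, "RC4_128": 128, "DES_CBC": 56,
             "3DES_EDE_CBC": 168, "AES_128_CBC": 128, "AES_256_CBC": 256}


def parse_suite(name: str) -> dict:
    """Split a suite name into protocol, export flag, bulk cipher, key size and MAC hash."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    proto, export, cipher, mac = m.groups()
    return {"protocol": proto, "export": export is not None,
            "cipher": cipher, "key_bits": _KEY_BITS[cipher], "mac": mac}


def predefined_list(label: str) -> List[str]:
    """Expand ANY, ANY_STRONG, ANY_STRONG_SSL, ANY_STRONG_TLS or ANY_AES as defined in Section 5.8.6."""
    rules = {
        "ANY": lambda s: True,
        "ANY_STRONG": lambda s: s["key_bits"] >= 128,
        "ANY_STRONG_SSL": lambda s: s["protocol"] == "SSL" and s["key_bits"] >= 128,
        "ANY_STRONG_TLS": lambda s: s["protocol"] == "TLS" and s["key_bits"] >= 128,
        "ANY_AES": lambda s: s["cipher"].startswith("AES_"),
    }
    keep = rules[label]
    return [name for name in DX_CIPHER_SUITES if keep(parse_suite(name))]


def weaknesses(name: str) -> List[str]:
    """Reasons a suite is considered obsolete today (general guidance, not an MNS-DX setting)."""
    s = parse_suite(name)
    reasons = []
    if s["export"]:
        reasons.append("export-grade 40-bit key")
    if s["cipher"] == "DES_CBC":
        reasons.append("56-bit DES")
    if s["cipher"] == "3DES_EDE_CBC":
        reasons.append("64-bit block cipher (Sweet32 birthday bound)")
    if s["cipher"].startswith("RC4"):
        reasons.append("RC4 (prohibited for TLS by RFC 7465)")
    if s["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if s["protocol"] == "SSL":
        reasons.append("SSLv3 (deprecated by RFC 7568)")
    return reasons


def clean_suites() -> List[str]:
    """Suites from the DX list with none of the weaknesses above."""
    return [name for name in DX_CIPHER_SUITES if not weaknesses(name)]


if __name__ == "__main__":
    for label in ("ANY_STRONG", "ANY_STRONG_SSL", "ANY_STRONG_TLS", "ANY_AES"):
        print(label, predefined_list(label))
    print("without known weaknesses:", clean_suites())
```

Note that ANY_STRONG still admits RC4 and 3DES, because the lists are defined purely by key size; only ANY_AES yields the two suites that carry no flag in `weaknesses()`.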

5.9 VPN

MNS-DX supports the creation of Virtual Private Networks (VPN) over a public network infrastructure using IPsec tunnels. You select one of the DX’s IP interfaces as its "public" interface. The remaining interfaces are considered to be "private" interfaces. Then, through the configuration of a security policy, an authenticated, encrypted tunnel can be established between two devices over a public IP network as shown in Figure 5-3. Devices at Remote Site A can communicate securely with devices at Remote Site B by forwarding their traffic through the MagnumDX routers.

Figure 5-3. An MNS-DX Virtual Private Network

Although a DX router might only have a single "public" interface, multiple tunnels can be established on that interface to multiple endpoints. For example, in Figure 5-4, hosts at Remote Site A can communicate securely with hosts at both site B and C.


Figure 5-4. Multiple VPNs using MNS-DX

5.9.1 Key Management

MNS-DX supports the automatic generation of shared encryption keys using a Group 1 or Group 2 Diffie-Hellman exchange as defined by the Internet Key Exchange (IKE) protocol (RFC 2409). Note that MNS-DX does not currently support Group 5. Perfect Forward Secrecy (PFS) is always enabled. Group 1 (768-bit MODP) is no longer considered adequate; use Group 2 where the peer supports it.

5.9.2 Peer Authentication

Peer authentication is normally achieved through the use of administratively configured pre-shared keys (PSK). If the PSKs configured on each end of the tunnel do not match, the tunnel will not be established. Certificate-based authentication is also supported.

5.9.3 Packet Integrity and Confidentiality

MNS-DX uses the Encapsulating Security Payload (ESP) protocol (RFC 2406) in tunnel mode to implement secure VPN functionality. When an IP packet is forwarded through a tunnel, it is encapsulated in a new packet having the structure shown in Figure 5-5. ESP encrypts and authenticates the entire content (header and payload) of the original IP packet, but it does not afford any protection to the new, outer IP header.


Figure 5-5. Format of a Tunneled IP Packet

5.9.4 Profiles

As defined in RFC 2401, MNS-DX VPN uses a Security Policy Database (SPD) to configure IPsec tunnels. MNS-DX simplifies the management of the SPD by implementing the concept of a profile. Each profile is a labeled set of options that specifies cryptography and security protocol parameters such as encryption and hash algorithms, tunnel lifetimes, and the strength of Diffie-Hellman key exchanges. These profiles can then be assigned to new tunnels as they are created. MNS-DX is shipped with one or more default profiles that are likely to match common customer applications.

5.9.5 Tunnels

Configure an IPsec tunnel in MNS-DX by defining a source IP address (or subnet), a destination IP address (or subnet), a gateway IP address, a profile, and a pre-shared key.

The source and destination IP addresses may be specified as an exact host address or as a subnet. When a non-IPsec packet is received its source and destination IP addresses are matched against the source and destination IP address configured for the tunnel. If a match occurs the software looks to see if an appropriate tunnel (that is, a security association as defined by the RFC) already exists. If not, IKE is used to establish the tunnel. Once a tunnel exists the packet is encapsulated according to the parameters in the assigned profile and it is sent to the gateway address found in the matching entry. When an IPsec packet belonging to a valid tunnel is received the packet is de-encapsulated and sent to its next hop as determined by the device's routing table.

5.9.6 IKE
In IPsec each tunnel is defined by a set of security associations (SAs). Each SA defines a secure, unidirectional communication channel between two entities. The SAs are established via a two-phase process defined by the IKE protocol. During Phase 1 (in MNS-DX, this is a Main Mode exchange) the entities establish an initial secure channel. This exchange includes an authentication step that proves that each side knows a user-configured pre-shared key. The encrypted, authenticated Phase 1 channel is then used for communication during Phase 2 (in MNS-DX, this is a Quick Mode exchange), where the entities establish the keys that are actually used to encrypt the traffic that flows through the tunnel.

[Figure 5-5 layout: New IP Header | ESP Header | Original IP Header | Payload | ESP Trailer | ESP Auth. Encrypted: Original IP Header through ESP Trailer. Authenticated: ESP Header through ESP Trailer.]


5.9.6.1 Tunnel Lifetimes
MNS-DX allows the user to set the lifetime of a VPN tunnel. When the lifetime expires, the peers are forced to perform a new Phase 1 or Phase 2 exchange to refresh the keying material generated in that phase. In MNS-DX the configurable lifetime is the "soft" lifetime: when it expires, a Phase 1 or Phase 2 exchange is triggered. There is also a "hard" lifetime, defined to be 33% longer than the soft lifetime. When the "hard" lifetime expires, the keys for that phase are destroyed regardless of whether new keying material was generated after the "soft" lifetime expired. This prevents a tunnel from staying up indefinitely.
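The tunnel selection of Section 5.9.5 and the soft/hard lifetime rule above can be seen together in a small model. The following Python is an added example, not MNS-DX code: it reuses the DX-1 tunnel entry from Section 5.9.7 (192.168.1.0/24 to 192.168.2.0/24 via gateway 207.65.151.201) as data, while the clock values, the SA record and the instantaneous IKE result are assumptions made for the demonstration.

```python
"""Added example (not MNS-DX code): a model of the tunnel selection
described in 5.9.5 and the soft/hard lifetime rule of 5.9.6.1.
The tunnel entry mirrors the DX-1 configuration in 5.9.7; the clock,
the SA record and the immediate IKE result are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    source: IPv4Network       # Source Address / Source Mask
    destination: IPv4Network  # Destination Address / Destination Mask
    gateway: IPv4Address      # Gateway (the peer security gateway)
    profile: str              # Profile label, e.g. "Default"


@dataclass
class SecurityAssociation:
    tunnel: Tunnel
    established_at: float
    soft_lifetime: float
    rekey_requested: bool = False

    def hard_lifetime(self) -> float:
        # The "hard" lifetime is 33% longer than the "soft" lifetime.
        return self.soft_lifetime * 4 / 3

    def state(self, now: float) -> str:
        age = now - self.established_at
        if age >= self.hard_lifetime():
            return "expired"   # keys destroyed, whatever the rekey achieved
        if age >= self.soft_lifetime:
            return "rekey"     # a Phase 1 / Phase 2 exchange is triggered
        return "active"


class SecurityPolicyDatabase:
    """Tunnel table plus the SAs that IKE has established for it."""

    def __init__(self, tunnels: List[Tunnel], soft_lifetime: float):
        self.tunnels = tunnels
        self.soft_lifetime = soft_lifetime
        self.sas: Dict[Tuple[IPv4Network, IPv4Network], SecurityAssociation] = {}

    def match(self, src: str, dst: str) -> Optional[Tunnel]:
        """First tunnel whose source and destination selectors cover the packet."""
        s, d = IPv4Address(src), IPv4Address(dst)
        for t in self.tunnels:
            if s in t.source and d in t.destination:
                return t
        return None

    def forward(self, src: str, dst: str, now: float) -> str:
        """Return the action taken for a cleartext packet seen at time `now`."""
        tunnel = self.match(src, dst)
        if tunnel is None:
            return "route-cleartext"        # not covered by any tunnel entry
        key = (tunnel.source, tunnel.destination)
        sa = self.sas.get(key)
        if sa is not None and sa.state(now) == "expired":
            del self.sas[key]               # hard lifetime passed: keys are gone
            sa = None
        if sa is None:
            # IKE (Main Mode, then Quick Mode) would run here; modelled as instant.
            sa = SecurityAssociation(tunnel, now, self.soft_lifetime)
            self.sas[key] = sa
            action = "ike-then-esp"
        else:
            action = "esp"
        if sa.state(now) == "rekey" and not sa.rekey_requested:
            sa.rekey_requested = True       # soft lifetime passed: refresh keys
            action += "+rekey"
        return f"{action}->{tunnel.gateway}"


def dx1_spd(soft_lifetime: float = 3600.0) -> SecurityPolicyDatabase:
    """The DX-1 tunnel entry from 5.9.7 (addresses as given in the text)."""
    tunnel = Tunnel(IPv4Network("192.168.1.0/24"), IPv4Network("192.168.2.0/24"),
                    IPv4Address("207.65.151.201"), "Default")
    return SecurityPolicyDatabase([tunnel], soft_lifetime)
```

Calling `forward` with a rising clock shows the whole life cycle: the first matching packet triggers IKE, later packets reuse the SA, the first packet after the soft lifetime triggers a single rekey request, and the first packet after the hard lifetime finds the keys destroyed and starts over.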

5.9.7 Configuring a VPN
This section describes the minimum set of steps required to establish a VPN between two remote sites. One site might be an operations center while the other site could be a substation where SCADA devices are connected to a number of MagnumDX serial device routers with one DX acting as a security gateway as shown in Figure 5-6.

Figure 5-6. Example VPN Application

Assume that the DX800s in Figure 5-6 have been configured with two IP interfaces. DX-1 acts as a security gateway for the Substation while DX-2 acts as a security gateway for the Operations Center. Substation nodes are configured to use 192.168.1.1 as their default gateway. Operations Center nodes are configured to use 192.168.2.1 as their default gateway. For this VPN application, the default profile is sufficient so it is only necessary to add a tunnel configuration to each end. On the "Security : VPN : Tunnels" page on DX-1, the following entry would be added:

Source Address: 192.168.1.0 Source Mask: 255.255.255.0

Destination Address: 192.168.2.0 Destination Mask: 255.255.255.0

Gateway: 207.65.151.201

Profile: Default

Pre-shared Key: itsasecret

On DX-2, the following entry would be added:

Source Address: 192.168.2.0 Source Mask: 255.255.255.0

Destination Address: 192.168.1.0 Destination Mask: 255.255.255.0

Gateway: 65.31.232.158

Profile: Default

Pre-shared Key: itsasecret

Note, security associations are not established until a packet actually needs to be forwarded through the tunnel. At that time, the gateway that received the first packet destined for the tunnel will initiate an IKE exchange to set up the appropriate SAs.

5.10 SSH
MNS-DX provides security for CLI transactions with Secure SHell (SSH) technology. Typically a key has been generated at the factory, so that your DX device is delivered with SSH enabled; that is, the SSH Server State value is “Running.” If the SSH Server State value is “No Key” you must run the keygen command in the CLI. Once a key has been generated, SSH can be enabled or disabled through the browser interface or through the CLI.

5.11 Modbus
Magnum DX supports client (master) and server (slave) modes of operation for the Modbus/TCP protocol as per the March 29, 1999 (Release 1.0) Open Modbus/TCP Specification written by Andy Swales of Schneider Electric.

5.11.1 Network Topologies
Figure 5-7 depicts an example Modbus/TCP network. Modbus devices (masters and slaves) are connected to MagnumDX serial device routers at the edge of the network. In addition, Modbus/TCP clients and servers may be connected directly to the IP network over an Ethernet link. The Modbus serial devices are connected to the DX units via RS-232 and/or RS-485 single or multidrop interfaces. The serial Modbus masters initiate requests to the slaves. These requests are encapsulated and forwarded by the Modbus/TCP client software to the appropriate Modbus/TCP server. At the server, the request is de-encapsulated, analyzed, and sent over the appropriate serial port to the serial Modbus slave. When the slave device responds, the response is encapsulated and sent back to the Modbus/TCP client, which in turn de-encapsulates and forwards the response to the Modbus master. Device tables are kept on each DX that describe the locally connected Modbus serial devices as well as how to reach each remote device.

Figure 5-7. Example MODBUS/TCP Network

5.11.2 Serial Protocol Variants
For serial data, both the Modbus ASCII and the Modbus RTU protocol variants are supported.

Modbus ASCII (depicted in Figure 5-8) uses ASCII message encoding with a longitudinal redundancy check (LRC). Each message begins with a ':' character and ends with a CRLF character sequence.

Figure 5-8. Format of a Modbus ASCII Packet

Modbus RTU (depicted in Figure 5-9) uses binary message encoding with a cyclic redundancy check (CRC). Each message begins with a silent interval of at least 3.5 character times and ends with a similar silent interval.

[Figure 5-7 layout: serial Modbus MASTERs and SLAVE Devices 100, 101, 102, 110, 111 and 120 attached over RS-232 and RS-485 to DX serial ports S1/S2; each DX runs a Modbus/TCP Client (master side) or a Modbus/TCP Server (slave side) and they exchange requests across the IP Network.]

[Figure 5-8 layout: Start ':' | Address (2 chars) | Function (2 chars) | Data (n chars) | LRC Check (2 chars) | End CRLF]

Figure 5-9. Format of a Modbus RTU Packet

5.11.3 Network Protocol
The Modbus/TCP format (depicted in Figure 5-10) strips the message framing and LRC/CRC from the normal Modbus packet and prepends a Modbus/TCP header consisting of a 2-byte Transaction ID (set by the client and echoed by the server), a 2-byte Protocol ID (always 0-0), and a 2-byte length. The device address byte (now referred to as the unit identifier) and the function byte are preserved and are followed by a variable amount of data. This information is then delivered as the payload of a TCP/IP packet. The Modbus LRC/CRC is not included because it is redundant with the CRC provided by the link layer (that is, Ethernet).

Figure 5-10. Format of a Modbus/TCP Packet

5.11.4 Exception Handling
The Modbus/TCP client and server on MagnumDX can optionally generate and forward Modbus exception codes when certain communication or configuration failures occur. Specifically, the client will generate a GATEWAY PATH UNAVAILABLE exception message (exception code 0x0A) and pass it back to the master device if a remote address has not been configured for the destination device. The server will generate a similar message if a local device entry has not been configured for the destination device address. The message is sent to the client, which then forwards the exception to the Modbus master device.

In addition, the server will generate a GATEWAY TARGET DEVICE FAILED TO RESPOND exception message (exception code 0x0B) when the destination device does not respond to a request within a user-configured interval. This message is sent to the client, which then forwards the exception to the Modbus master device.
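As an added example (not MNS-DX code, and not the specification's own code), the following Python builds and checks the three frame formats described in Sections 5.11.2 and 5.11.3, converts a serial frame into a Modbus/TCP packet the way the client side of the gateway must, and produces the two gateway exception PDUs of this section. The sample request, a read of ten holding registers from unit 1, is constructed for the demonstration.

```python
"""Added example (not MNS-DX code): the Modbus ASCII and RTU frames of
5.11.2, the Modbus/TCP packet of 5.11.3 and the gateway exception PDUs of
5.11.4, with the LRC/CRC checks a gateway must verify before it strips
them. The sample request (read 10 holding registers from unit 1) is
constructed for the demo."""
import struct

GATEWAY_PATH_UNAVAILABLE = 0x0A           # no remote address for the device
GATEWAY_TARGET_FAILED_TO_RESPOND = 0x0B   # device did not answer in time
MODBUS_TCP_PORT = 502                     # the server always listens here


def lrc(payload: bytes) -> int:
    """Longitudinal redundancy check: two's complement of the byte sum."""
    return (-sum(payload)) & 0xFF


def crc16_modbus(payload: bytes) -> int:
    """CRC-16/MODBUS (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in payload:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def encode_ascii(unit: int, function: int, data: bytes) -> bytes:
    """':' + hex(address, function, data, LRC) + CRLF."""
    body = bytes([unit, function]) + data
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode() + b"\r\n"


def decode_ascii(frame: bytes) -> tuple:
    """Return (unit, function, data) after checking framing and LRC."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("bad Modbus ASCII framing")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, check = raw[:-1], raw[-1]
    if lrc(body) != check:
        raise ValueError("LRC mismatch")
    return body[0], body[1], body[2:]


def encode_rtu(unit: int, function: int, data: bytes) -> bytes:
    """address, function, data, CRC (low byte first); framing is silence on the wire."""
    body = bytes([unit, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def decode_rtu(frame: bytes) -> tuple:
    """Return (unit, function, data) after checking the CRC."""
    body = frame[:-2]
    check = struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != check:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]


def to_modbus_tcp(transaction_id: int, unit: int, function: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length) + unit, function, data.
    The serial LRC/CRC is dropped: the link layer's own CRC covers the frame."""
    pdu = bytes([unit, function]) + data
    return struct.pack(">HHH", transaction_id, 0, len(pdu)) + pdu


def parse_modbus_tcp(packet: bytes) -> dict:
    """Split a Modbus/TCP packet into its header fields and data."""
    transaction_id, protocol_id, length = struct.unpack(">HHH", packet[:6])
    if protocol_id != 0 or len(packet) != 6 + length:
        raise ValueError("bad MBAP header")
    return {"transaction_id": transaction_id, "unit": packet[6],
            "function": packet[7], "data": packet[8:]}


def exception_response(function: int, code: int) -> bytes:
    """Exception PDU: the function code with its high bit set, then the code."""
    return bytes([function | 0x80, code])


def serial_to_tcp(frame: bytes, transaction_id: int) -> bytes:
    """What the Modbus/TCP client does with a frame received from a serial master."""
    if frame.startswith(b":"):
        unit, function, data = decode_ascii(frame)
    else:
        unit, function, data = decode_rtu(frame)
    return to_modbus_tcp(transaction_id, unit, function, data)
```

The same request encodes as `:01030000000AF2\r\n` in ASCII, as `01 03 00 00 00 0A C5 CD` in RTU, and as `00 01 00 00 00 06 01 03 00 00 00 0A` once the client has wrapped it in an MBAP header with transaction id 1; a frame whose CRC or LRC does not verify is rejected before anything is forwarded.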

[Figure 5-9 layout: Start (silent interval T1-T2-T3-T4) | Address (8 bits) | Function (8 bits) | Data (n x 8 bits) | CRC Check (16 bits) | End (silent interval T1-T2-T3-T4)]

[Figure 5-10 layout: IP Header | TCP Header | Modbus/TCP Header: Transaction ID (bytes 0-1), Protocol ID (bytes 2-3), Length (bytes 4-5) | Modbus Header: Unit ID (byte 6), Function (byte 7) | Modbus Data]

5.11.5 TCP Connection Handling
TCP connection handling performed by MagnumDX complies with the implementation guidelines spelled out in Appendix A of the Open Modbus/TCP Specification.

When the Modbus/TCP client software receives a request from an attached serial Modbus master it analyzes the packet and determines the destination device address. It checks to see if it already has an open TCP connection for the destination. If not, the client attempts to open a new TCP connection to the appropriate Modbus/TCP server. Once a connection is established the request message is sent and the client waits for a response. After the response is received it is forwarded back to the master.

After the transaction is complete the TCP connection remains open in anticipation of a subsequent request. If another request is not made within the user-configured idle time the TCP connection is closed and will be re-opened when a new request is received. The client may also be configured so that it immediately makes a connection for a configured device and keeps that connection open indefinitely. This mode eliminates the latency associated with making the TCP connection for the initial request.

If a response is not received the Modbus/TCP client will time out after a user-configured interval. After a timeout, the TCP connection is closed to eliminate the possibility of receiving an unexpected late response. In addition the GATEWAY TARGET DEVICE FAILED TO RESPOND (exception code 0x0B) exception message is sent to the Modbus Master, which can then make the decision on whether or not to retry. If the client is configured to hold connections open indefinitely a new connection will be established with the remote server immediately following the timeout; otherwise, the client waits for the next Modbus request before re-opening the connection.

The Modbus/TCP server process always listens for connections on TCP port 502.
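The connection rules above, as an added simulation in Python (not MNS-DX code). The device table, the transport stub that stands in for the network, and the clock values are constructed for the demonstration; the behaviour modelled is the one described in this section: connections are opened on demand or held open, closed after the idle time, and torn down after a response timeout, with exception 0x0B returned to the master.

```python
"""Added example (not MNS-DX code): the Modbus/TCP client connection life
cycle of 5.11.5 (open on demand, idle close, optional always-open
connections, response timeout with exception 0x0B) as a simulation. The
device table, the transport stub and the clock values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

GATEWAY_PATH_UNAVAILABLE = 0x0A
GATEWAY_TARGET_FAILED_TO_RESPOND = 0x0B
MODBUS_TCP_PORT = 502

# transport(server, request_pdu, deadline) -> response PDU, or None on timeout
Transport = Callable[[str, bytes, float], Optional[bytes]]


@dataclass
class Connection:
    server: str
    last_used: float


class ModbusTcpClient:
    def __init__(self, device_table: Dict[int, str], transport: Transport,
                 idle_time: float, response_timeout: float,
                 always_open: Iterable[str] = ()):
        self.device_table = device_table     # unit id -> "host:502" of its server
        self.transport = transport
        self.idle_time = idle_time           # user-configured idle time
        self.response_timeout = response_timeout
        self.always_open = set(always_open)  # servers kept connected indefinitely
        self.connections: Dict[str, Connection] = {}
        self.log: List[str] = []

    def _open(self, server: str, now: float) -> Connection:
        conn = Connection(server, now)
        self.connections[server] = conn
        self.log.append(f"open {server}")
        return conn

    def start(self, now: float) -> None:
        """Always-open servers are connected up front, not on the first request."""
        for server in sorted(self.always_open):
            self._open(server, now)

    def housekeeping(self, now: float) -> None:
        """Close on-demand connections that have been idle for the configured time."""
        for server, conn in list(self.connections.items()):
            if server not in self.always_open and now - conn.last_used >= self.idle_time:
                del self.connections[server]
                self.log.append(f"idle-close {server}")

    def request(self, unit: int, function: int, data: bytes, now: float) -> bytes:
        """Forward one serial-master request; returns the PDU sent back to the master."""
        self.housekeeping(now)
        server = self.device_table.get(unit)
        if server is None:
            # No remote address configured for this device (5.11.4).
            return bytes([function | 0x80, GATEWAY_PATH_UNAVAILABLE])
        conn = self.connections.get(server) or self._open(server, now)
        response = self.transport(server, bytes([unit, function]) + data,
                                  now + self.response_timeout)
        if response is None:
            # Timeout: drop the connection so a late reply cannot be mistaken
            # for the answer to a later request, then tell the master.
            del self.connections[server]
            self.log.append(f"timeout-close {server}")
            if server in self.always_open:
                self._open(server, now + self.response_timeout)
            return bytes([function | 0x80, GATEWAY_TARGET_FAILED_TO_RESPOND])
        conn.last_used = now
        return response


def demo_transport(server: str, request: bytes, deadline: float) -> Optional[bytes]:
    """Constructed stand-in for the network: one server answers, one never does."""
    if server == "10.0.0.20:502":
        return None                                   # slave behind it is silent
    unit, function = request[0], request[1]
    return bytes([unit, function, 0x02, 0x00, 0x01])  # one register, value 1
```

Driving `request` with a rising clock shows the two modes side by side: an on-demand connection is reused within the idle time and re-opened after it, while an always-open connection is made by `start` and immediately re-established after a timeout instead of waiting for the next request.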


5.12 User Account Management
MNS-DX supports three separate user groups with different privileges:

5.12.1 User Groups
• Admin – An administrator can access all features.
• Read/Write – A read/write operator can access all features except the following web menu items (and any related CLI commands):
  • Administration / SNMP / *
  • Administration / Authentication / *
  • Administration / Sessions / *
  • Administration / Software Upgrade
  • Administration / Configuration / *
  • Administration / System Reboot
  • Events / Logs / Global Settings
  • Security / Keys
  • Security / Certificates
  • Security / RADIUS / *
• Read Only – A read-only operator can access all features that a read/write operator can access but does not have the ability to apply or save configuration settings.
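An added example (not MNS-DX code) of how the three groups can be encoded as an authorization check. The denied menu paths are the ones listed above; the group labels, the action names "view", "apply" and "save", and the sample menu paths used in the calls are assumptions.

```python
"""Added example (not MNS-DX code): an authorization check that encodes the
three user groups of 5.12.1. The denied menu paths are the ones listed in
the text; the group labels, the action names and the sample paths are
assumptions."""
from typing import Tuple

ADMIN, READ_WRITE, READ_ONLY = "Admin", "Read/Write", "Read Only"

# Web menu items (and related CLI commands) a Read/Write operator may not use.
# A trailing "/ *" covers every item under that menu.
READ_WRITE_DENIED: Tuple[str, ...] = (
    "Administration / SNMP / *",
    "Administration / Authentication / *",
    "Administration / Sessions / *",
    "Administration / Software Upgrade",
    "Administration / Configuration / *",
    "Administration / System Reboot",
    "Events / Logs / Global Settings",
    "Security / Keys",
    "Security / Certificates",
    "Security / RADIUS / *",
)

CONFIG_CHANGING_ACTIONS = {"apply", "save"}   # assumed action names


def _menu_matches(pattern: str, menu_path: str) -> bool:
    """Exact match, or prefix match for wildcard entries ending in '/ *'."""
    if pattern.endswith(" / *"):
        prefix = pattern[: -len(" / *")]
        return menu_path == prefix or menu_path.startswith(prefix + " / ")
    return menu_path == pattern


def is_authorized(group: str, menu_path: str, action: str = "view") -> bool:
    """Decide whether `group` may perform `action` on the given web menu item."""
    if group == ADMIN:
        return True                                   # all features
    if group not in (READ_WRITE, READ_ONLY):
        return False                                  # unknown group: deny
    if any(_menu_matches(p, menu_path) for p in READ_WRITE_DENIED):
        return False                                  # administrative items
    if group == READ_ONLY and action in CONFIG_CHANGING_ACTIONS:
        return False                                  # may look, may not change
    return True
```

The check is deny-by-default for unknown groups and applies the Read/Write restrictions before the Read Only rule, so a read-only operator is never granted something a read/write operator would be refused.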


Appendix A - Terminal Server Application Notes

A.1 What is a Terminal Server?
A Terminal Server is a device or software application that can pass data between a standard serial protocol link and an IP-based network. The Terminal Server functionality of the MagnumDX Series provides a service that encapsulates asynchronous serial data in a TCP/IP stream. Service provisioning is flexible and allows a number of different configurations as described below.

A.1.1 Serial Protocol Standards
There are many techniques for passing serial binary data between two or more digital systems. A number of popular methods based on standards published by the ITU-T are commonly referred to as "serial" protocols. Two of the most popular of these interfaces are EIA-232 (also known as RS-232) and EIA-485 (also known as RS-485).

Interfaces that support RS-232 (or some subset of the standard) are ubiquitous and found on nearly all personal computers. They also appear on many embedded computing devices where they are used to carry streaming data or provide access to a user console. An RS-232 link provides full-duplex data and asymmetric control. One device on the link is defined as the DTE (Data Terminal Equipment) and the other device is defined as the DCE (Data Communications Equipment). Traditionally, a DTE was a computer system and a DCE was a communications device such as a modem. Handshaking signals provide for flow control as well as valid link detection. Data rates typically range from 150bps to 115Kbps over distances up to 10 meters.

Interfaces that support RS-485 are less common; however, this protocol has a number of advantages over RS-232. RS-485 can be configured as a 4-wire, full duplex channel or a 2-wire, half duplex channel. It may also be operated in point-to-point or multi-point topologies (RS-232 only supports point-to-point). Because the standard uses differential signaling over twisted pair, it can run over long distances, up to a kilometer. Maximum theoretical data transmission speeds are also higher than RS-232, up to 30Mbps over short distances.

A.1.2 Networking Standards
Serial data transfer standards like RS-232 and RS-485 are generally insufficient for implementing modern digital communication networks. In the past, these networks have been constructed using a number of available technologies but industrial applications are increasingly shifting toward running the Internet Protocol (IP) over Ethernet-based technologies. This enables the deployment of highly interoperable, reliable, and secure high-speed networks at extremely low cost. The IEEE is responsible for publishing standards related to Ethernet. A large body of such standards exists as IEEE 802.x. Data transfer rates range from 10Mbps to 1000Mbps depending on the physical layer technology employed. Distances can run up to 100 meters on twisted pair cables and for tens of kilometers using fiber optic transceivers.

A.2 Bridging the Gap between Serial and Network Communication
A Terminal Server is a device or software application that can pass data between a standard serial protocol link and an Ethernet-based network. Figure A-1 illustrates passing characters from an RS-232 port over a TCP/IP connection.

Figure A-1. Serial Over TCP/IP

Without a terminal server, the host system in Figure A-1 must connect to the DCE device over a serial cable. Some of the advantages of using a terminal server are:

1. The distance between the computer system and the end device is increased significantly. The effective maximum range of an RS-232 link is about 10 meters. With a terminal server, the computer system connects to the device over a network and the effective maximum range is limited only by the latency requirements of the communicating end systems.

[Figure A-1 layout: a Host connected directly to an RS-232 Device on one side; on the other, RTUs attached to a Terminal Server that exchanges TCP/IP Packets with Management Stations across the TCP/IP Network, with Serial Characters flowing between the Terminal Server and the RTU.]

2. Multiple computer systems can communicate with a single RS-232 device. This would be impossible using just an RS-232 link because it only operates in point-to-point topologies. The terminal server performs a multiplexing function that passes data from multiple endpoints over the single RS-232 link.

3. Connections between relatively large numbers of communicating end systems are supported over a common cabling infrastructure. Without a terminal server, limitations imposed by the RS-232/485 standards would likely require many dedicated lines between end systems.

A.3 Terminal Server Operation
The MagnumDX offers a terminal server function that transports serial characters over a TCP/IP network. A flexible set of connection options allows the user to configure each serial port for a different mode of operation. The terminal server functionality is organized into serial communication channels that may be added or deleted from the system. Each channel is associated with a particular serial port and operates either in passive or active mode.

A.3.1 Passive Mode Channels
When a terminal server channel operates in passive (server) mode, it waits for incoming TCP connection requests. When a request is received it is accepted if the following criteria are met:

• serial port operational state is UP
• maximum number of incoming connections will not be exceeded

After a connection request is accepted, the TCP connection becomes active and serial data may be transmitted and received on the channel.

A terminal server channel operates in passive mode if the “Call Direction” parameter is set to “IN”.

The following configuration parameters also affect the operation of the port in passive mode:

• Local IP – the IP address at which the server listens for connections. If the system has only a single assigned IP address, this parameter defaults to the system IP address and cannot be changed. If the system has multiple assigned IP addresses, this parameter can be set to any of those addresses. In this case, the software will only accept connections destined for the configured IP address. The port will not be reachable using other IP addresses, even if they are assigned to the system.

• Local TCP – the TCP port at which the server listens for connections. The TCP port may be in the range 1000 to 65535. It is invalid to assign the same TCP port to multiple terminal server serial ports.

• Maximum Connections – the maximum number of incoming connections that will be accepted for the terminal server serial port. Up to 5 simultaneous incoming connections are supported per serial port.


A.3.2 Active Mode Channels
When a terminal server port operates in active (client) mode, it actively attempts to connect to a specified remote host whenever the serial port operational state is UP.

After an outgoing connection request is accepted by the remote host, the TCP connection becomes active and serial data may be transmitted and received on the channel.

A terminal server port operates in active mode if the “Call Direction” parameter is set to “OUT”.

The following configuration parameters also affect the operation of the port in active mode:

• Local IP – the IP address to which the channel binds before making an outgoing connection. This is the address used in a transmitted packet's source address IP header field.

• Local TCP – the TCP port to which the channel binds before making an outgoing connection. The TCP port may be in the range 1000 to 65535. This is the port number used in a transmitted packet's source port TCP header field. It is invalid to assign the same TCP port to multiple terminal server channels. When a channel is configured in active mode, it is also valid to assign a value of '0' for the Local TCP port. This tells the system that it can select any unused port number as the local TCP port for this connection.

• Remote IP – the IP address to which the terminal server attempts to connect

• Remote TCP – the TCP port to which the terminal server attempts to connect

• Retry Time – when a connection attempt fails (for any reason), this is the minimum amount of time the terminal server will wait before re-trying the attempt.

A.3.3 Mixed Mode
You can configure a terminal server port to operate in a mixed mode in which it simultaneously acts as both a passive server and an active client. This is accomplished by adding an "IN" channel as well as at least one "OUT" channel that uses the port. In general, this mode should be used with care. If you configure both sides of a connection with a mixed mode you can produce redundant TCP connections.

A.3.4 Session Type
Each terminal server port can be configured as a raw TCP connection or as a Telnet connection. Generally, the session type should be specified as raw (the default) unless you plan on connecting to the port using a telnet application. This may be appropriate in certain cases where you are accessing a device console port using the terminal server. Such a case is illustrated in Section A.4, “Application #1: Device Console Access”.
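A pre-flight check for a set of channel definitions, as an added Python example (not MNS-DX code). The Channel record and its field names mirror the parameters described in A.3.1 and A.3.2; the system IP address list and the message texts are assumptions; the limits (TCP port 1000 to 65535, 0 only for OUT channels, at most 5 incoming connections, one channel per TCP port, and the mixed-mode caution) come from the text above.

```python
"""Added example (not MNS-DX code): a pre-flight validator for the terminal
server channel parameters described in A.3.1 to A.3.4. The Channel record,
the list of system IP addresses and the message texts are constructed;
the limits come from the text."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TCP_PORT_MIN, TCP_PORT_MAX = 1000, 65535
MAX_INCOMING_CONNECTIONS = 5


@dataclass
class Channel:
    serial_port: str                  # "S1", "S2", ...
    call_direction: str               # "IN" = passive/server, "OUT" = active/client
    local_ip: str                     # Local IP
    local_tcp: int                    # Local TCP (0 = any unused port, OUT only)
    session_type: str = "raw"         # "raw" or "telnet"
    max_connections: int = 1          # Maximum Connections (IN only)
    remote_ip: Optional[str] = None   # Remote IP (OUT only)
    remote_tcp: Optional[int] = None  # Remote TCP (OUT only)
    retry_time: Optional[int] = None  # Retry Time in seconds (OUT only)


def validate(channels: List[Channel], system_ips: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the channel set is consistent."""
    problems: List[str] = []
    tcp_owner: Dict[int, str] = {}
    directions: Dict[str, Set[str]] = {}
    for ch in channels:
        tag = f"{ch.serial_port}/{ch.call_direction}"
        directions.setdefault(ch.serial_port, set()).add(ch.call_direction)
        if ch.call_direction not in ("IN", "OUT"):
            problems.append(f"{tag}: Call Direction must be IN or OUT")
            continue
        if ch.local_ip not in system_ips:
            problems.append(f"{tag}: Local IP {ch.local_ip} is not assigned to the system")
        if ch.session_type not in ("raw", "telnet"):
            problems.append(f"{tag}: Session Type must be raw or telnet")
        if ch.local_tcp == 0:
            if ch.call_direction != "OUT":
                problems.append(f"{tag}: Local TCP 0 is only valid for OUT channels")
        elif not TCP_PORT_MIN <= ch.local_tcp <= TCP_PORT_MAX:
            problems.append(f"{tag}: Local TCP {ch.local_tcp} is outside {TCP_PORT_MIN}-{TCP_PORT_MAX}")
        elif ch.local_tcp in tcp_owner:
            problems.append(f"{tag}: Local TCP {ch.local_tcp} already used by {tcp_owner[ch.local_tcp]}")
        else:
            tcp_owner[ch.local_tcp] = tag
        if ch.call_direction == "IN":
            if not 1 <= ch.max_connections <= MAX_INCOMING_CONNECTIONS:
                problems.append(f"{tag}: Maximum Connections must be 1-{MAX_INCOMING_CONNECTIONS}")
        else:
            if ch.remote_ip is None or ch.remote_tcp is None:
                problems.append(f"{tag}: OUT channel needs Remote IP and Remote TCP")
            if ch.retry_time is not None and ch.retry_time <= 0:
                problems.append(f"{tag}: Retry Time must be positive")
    # Mixed mode (A.3.3) is legal but flagged: two mixed peers produce
    # redundant TCP connections and duplicated characters.
    for port in sorted(directions):
        if {"IN", "OUT"} <= directions[port]:
            problems.append(f"{port}: mixed mode (IN and OUT channels); if the peer is also mixed, redundant TCP connections will result")
    return problems
```

Run it over both ends of a planned tunnel (the "IN" channel on one unit, the "OUT" channel on the other) before applying the configuration; the mixed-mode line is the one to act on when the same serial port appears with both directions.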


A.4 Application #1: Device Console Access
The terminal server is used to remotely access the console on an RTU using telnet.

Figure A-2. Device Console Access

[Figure A-2 layout: an RTU attached to serial port S1 of a DX800 (192.168.1.2); a Host System (192.168.1.42) exchanges TCP/IP Packets with the DX800 across the TCP/IP Network, and Serial Characters pass between the DX800 and the RTU.]

The DX800 is configured as follows:

Figure A-3. Configuration for Device Console Access

Execute a telnet client application on the host system to open a connection to 192.168.1.2 on port 10201:

If serial port S1 is UP and the terminal server is reachable by the host, a TCP connection will be established:

Figure A-4. TCP Connection Confirmed


A.5 Application #2: Serial-over-TCP/IP Tunnel
Two GarrettCom MagnumDX devices are used to connect a user's host system to an RTU console over a TCP/IP network. Specifically, a DX800 is configured to receive an active connection from a DX40.

Figure A-5. Serial-over-TCP/IP Tunnel

The DX800 is configured as illustrated in Figure A-6:

Figure A-6. DX800 Configured for Serial-over-TCP/IP Tunnel

[Figure A-5 layout: a Host System on serial port S1 of a DX40 (192.168.1.3) and an RTU on serial port S1 of a DX800 (192.168.1.2); the DX40 sends a Connection Request to 192.168.1.2 port 10201 from 192.168.1.3; TCP/IP Packets cross the TCP/IP Network and Serial Characters pass at each end.]

The DX40 is configured as illustrated in Figure A-7:

Figure A-7. DX40 Configured for Serial-over-TCP/IP Tunnel

When serial port S1 is UP on each unit, a TCP connection is established between the two. Confirmation of the connection is illustrated in Figure A-8.

Figure A-8. TCP Connection Established

After the connection is established, the computer system acting as a terminal can communicate with the RTU through its local serial port.

NOTE: When creating a TCP/IP tunnel between two serial ports, you should always choose one node to be the client (the "OUT" channel) and the other to be the server (the "IN" channel). Configuring a client and a server for the port on each side will result in redundant TCP connections and each serial port will end up seeing "duplicate" characters.


A.6 Application #3: Multipoint SCADA
Three GarrettCom MagnumDX devices are used to connect three serial devices over a TCP/IP network. One of the serial devices is a SCADA master and the other two are slaves. The DX800 (connected to the master) is configured to make one active connection to each of the DX40s (each connected to one slave device).

Figure A-9. Multipoint SCADA


The DX800 is configured as illustrated in Figure A-10:

Figure A-10. DX800 Configured for Multipoint SCADA

The DX40 is configured as illustrated in Figure A-11:

Figure A-11. DX40s Configured for Multipoint SCADA


A.7 Using MNS-DX Secure Serial Ports
For a detailed discussion of serial port security see Section 5.8.2, “Serial Port Security”.

A.8 Application #4: Serial-over-Secure-TCP Tunnel
Two GarrettCom MagnumDX devices are used to connect two serial devices over a TCP/IP network. This example is like Application #2 except that all of the serial data passing over the network is encrypted. In addition, the initial connection includes an SSL handshake that forces each side to authenticate using RSA keys and X.509 certificates. This setup not only prevents intruders from snooping on active serial sessions but it also prevents them from connecting to an open terminal server port and impersonating a host.

Figure A-12. Serial-over-Secure-TCP Tunnel

Both sides of the terminal server connection must be configured for SSL.

[Figure A-12 layout: a Serial Terminal on serial port S1 of a DX40 (192.168.1.3) and an RTU on serial port S1 of a DX800 (192.168.1.2); the DX40 sends a Connection Request to 192.168.1.2 port 10201 from 192.168.1.3 followed by an SSL Handshake; Encrypted Data crosses the TCP/IP Network and Serial Data passes at each end.]

SSL is configured on the DX800 for serial port S1 as shown in Figure A-13:

Figure A-13. DX800 Configured for Serial-over-SSL Tunnel

SSL is configured similarly on the DX40 for serial port S1, as shown in Figure A-14:

Figure A-14. DX40 Configured for Serial-over-SSL Tunnel


The basic terminal server parameters are configured as in Application #2. When serial port S1 is UP on each side the TCP connection is established, the SSL handshake is performed, and then encrypted serial data can be passed over the network as shown in Figure A-15:

Figure A-15. Serial-over-SSL Tunnel Connection


A.9 Troubleshooting Terminal Server SSL Connections
If a terminal server connection between two DX products cannot be established, use the table below to determine what is wrong.

Table A-2. Troubleshooting Terminal Server Connections

Example Symptom: Connection is not made and no events appear in the event log.
Problem: The local DX unit is not attempting to connect out.
Resolution: Verify that the serial port is enabled and in the UP operational state. A connection will not be attempted from a serial port that is DOWN or DISABLED.
Note: Enabling a serial port and setting “Ignore DSS” to TRUE will force a serial port into the UP state.

Example Symptom: Event: "Serial port S1 reports that the host at 192.168.1.2 is unreachable"
Event: "Serial port S1 reports that the host at 192.168.1.2 is down"
Event: "Serial port S1 reports that the connection to the host at 192.168.1.2 (10201) was refused"
Problem: The local DX unit attempted to connect to the remote unit but it was unreachable or the TCP port is not open.
Resolution: Verify that the remote unit is reachable by logging into the Command Line Interface (CLI) and using the ping command.
Verify that the specified port is open/available on the remote unit by using a PC to telnet to the port. If the connection is refused, your remote unit is probably not configured properly.
Verify that the operational state of the remote serial port is UP. A connection will not be accepted on a port that is in the DOWN or DISABLED state.

Example Symptom: Event: "Serial port S1 experienced a problem (unsupported protocol) while connecting to the host at 192.168.1.2 (10201)"
Problem: The SSL handshake could not complete because the peer is attempting to use a protocol that we do not support.
Resolution: Check your configuration. Make sure that both sides of the connection allow compatible cipher suites.

Example Symptom: Event: "Serial port S1 experienced a problem (no shared cipher) while connecting to the host at 192.168.1.2 (10201)"
Problem: The SSL handshake could not complete because no shared cipher was available.
Resolution: Check your configuration. Make sure that both sides of the connection allow compatible cipher suites.

Example Symptom: Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (certificate has expired)"
Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (certificate is not yet valid)"
Problem: The SSL handshake failed during certificate verification because the current day and time are not within the peer certificate's valid date range.
Resolution: Make sure your system's time and date are set properly.
Check the certificate on the other system and make sure it has appropriate "notBefore" and "notAfter" dates.

Example Symptom: Event: "Serial port S1 received a notification (sslv3 alert certificate expired) from the host at 192.168.1.2 (10201)"
Problem: The SSL handshake failed during certificate verification because your certificate has expired.
Resolution: Make sure the other system’s time and date are set properly.
Check your key file and make sure that the enclosed certificate file has appropriate “notBefore” and “notAfter” dates.

Example Symptom: Event: "Serial port S1 reports that the certificate presented by the host at 192.168.1.2 (10201) was invalid (self signed certificate in certificate chain)"
Problem: The SSL handshake failed during certificate verification because an un-trusted self-signed certificate was found in the chain.
Resolution: Make sure that you have installed the peer’s root CA certificate and have marked it as trusted.

Example Symptom: Event: “SSL: Message from peer on channel SX (tlsv1 alert unknown ca).”
Problem: The SSL handshake failed during certificate verification because you presented an un-trusted self-signed certificate in your certificate chain.
Resolution: Make sure that you are presenting a valid certificate chain (that is, each certificate in a valid chain is signed by the next certificate in the chain, except for the final certificate, which is a self-signed root CA certificate).
Make sure that the other system has installed your CA’s certificate and marked it as trusted.
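Triaging these event messages can be automated. The following Python is an added example (not MNS-DX code): its regular expressions follow the message texts in Table A-2, the cause labels and the shape of the returned record are assumptions, and the resolutions are condensed from the table. Note which side's certificate each message points at: "certificate presented by the host ... was invalid" means the peer's certificate failed verification here, while an alert received from the peer means the peer rejected this unit's certificate.

```python
"""Added example (not MNS-DX code): triage of the terminal server event
messages listed in Table A-2. The regular expressions follow the message
texts in the table; the cause labels, the `triage` return shape and the
sample lines (taken from the table) are constructed for the demo."""
import re
from typing import Dict, List, Optional

# Resolutions condensed from Table A-2, keyed by a cause label.
RESOLUTIONS: Dict[str, str] = {
    "peer-unreachable": "Ping the remote unit from the CLI; telnet to the port "
                        "from a PC; confirm the remote serial port is UP.",
    "no-compatible-cipher-suite": "Allow compatible cipher suites on both sides.",
    "peer-certificate-dates": "Check this system's date and time; check the "
                              "peer certificate's notBefore/notAfter dates.",
    "own-certificate-expired": "Check the other system's date and time; check "
                               "the notBefore/notAfter dates in your key file.",
    "peer-certificate-untrusted": "Install the peer's root CA certificate and mark it trusted.",
    "own-certificate-untrusted": "Present a complete chain ending in a self-signed root; "
                                 "have the peer install and trust your CA certificate.",
}

# (pattern, kind); `reason` captures the parenthesised detail where present.
_PATTERNS = [
    (re.compile(r"Serial port (?P<port>S\w+) reports that the host at (?P<host>[\d.]+) is (?P<reason>unreachable|down)"), "connect"),
    (re.compile(r"Serial port (?P<port>S\w+) reports that the connection to the host at (?P<host>[\d.]+) \((?P<tcp>\d+)\) was (?P<reason>refused)"), "connect"),
    (re.compile(r"Serial port (?P<port>S\w+) experienced a problem \((?P<reason>[^)]+)\) while connecting to the host at (?P<host>[\d.]+) \((?P<tcp>\d+)\)"), "handshake"),
    (re.compile(r"Serial port (?P<port>S\w+) reports that the certificate presented by the host at (?P<host>[\d.]+) \((?P<tcp>\d+)\) was invalid \((?P<reason>[^)]+)\)"), "peer-cert"),
    (re.compile(r"Serial port (?P<port>S\w+) received a notification \((?P<reason>[^)]+)\) from the host at (?P<host>[\d.]+) \((?P<tcp>\d+)\)"), "alert"),
    (re.compile(r"SSL: Message from peer on channel (?P<port>S\w+) \((?P<reason>[^)]+)\)"), "alert"),
]


def classify(kind: str, reason: str) -> Optional[str]:
    """Map an event kind and its parenthesised reason to a cause label."""
    if kind == "connect":
        return "peer-unreachable"
    if kind == "handshake":          # "unsupported protocol" or "no shared cipher"
        return "no-compatible-cipher-suite"
    if kind == "peer-cert":          # we rejected the peer's certificate
        if reason in ("certificate has expired", "certificate is not yet valid"):
            return "peer-certificate-dates"
        if reason == "self signed certificate in certificate chain":
            return "peer-certificate-untrusted"
    if kind == "alert":              # the peer rejected our certificate
        if "certificate expired" in reason:
            return "own-certificate-expired"
        if "unknown ca" in reason:
            return "own-certificate-untrusted"
    return None


def triage(line: str) -> Optional[Dict[str, object]]:
    """Parse one event line; None when it is not a terminal server connect/SSL event."""
    for regex, kind in _PATTERNS:
        m = regex.search(line)
        if m is None:
            continue
        g = m.groupdict()            # only the groups this pattern defines
        cause = classify(kind, g["reason"])
        return {
            "port": g["port"],
            "host": g.get("host"),
            "tcp": int(g["tcp"]) if g.get("tcp") else None,
            "reason": g["reason"],
            "cause": cause,
            "resolution": RESOLUTIONS.get(cause, "Unrecognised reason; consult Table A-2."),
        }
    return None


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Triage every recognised event in an event-log excerpt."""
    return [r for r in (triage(l) for l in lines) if r is not None]
```

Feeding an exported event log through `triage_log` yields one record per recognised event with the serial port, peer address, the reason text and the matching resolution, which is usually enough to tell a reachability problem from a cipher-suite mismatch or a certificate problem on one side or the other without re-reading the table.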

Magnum Network Software - DX Administrator’s Guide229

APPENDIX A - Terminal Server Application Notes

Magnum Network Software - DX Administrator’s Guide230

Appendix B - Port and Type Reference

B.1 Well Known TCP/UDP Network Ports
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are members of the Internet Protocol Suite. They enable the transmission of data among networked computers by directing traffic to ports associated with specific functions.

TCP is a connection-oriented protocol; that is, it creates an identified connection from client to server for the transmission of data. TCP provides a very reliable interface to a specified port.

UDP is a simpler message-based connectionless protocol; that is, UDP simply sends a packet of data to a specified address and port. UDP does not provide the reliability of TCP but it can deliver data with less overhead.

Network port numbers are assigned to specific uses by the Internet Assigned Numbers Authority (IANA). Port numbers 0-1023 are called Well Known Ports and have standard uses, such as port 80 for HTTP traffic. Port numbers 1024-49151 are reserved for Registered Ports, and port numbers 49152-65535 are the dynamic ports, which can be put to any use. (These are the ports called "Public" in Section 3.6.6.2, NAT: Translations.)

Comprehensive lists of the conventional uses of all Well Known and Registered ports are available on the internet and in publications. Table B-1 is a partial list of official Well Known ports.

Table B-1. Well Known Ports

Port Description

0/TCP,UDP Reserved

1/TCP,UDP TCPMUX (TCP port service multiplexer)

5/TCP,UDP RJE (Remote Job Entry)

7/TCP,UDP ECHO protocol

9/TCP,UDP DISCARD protocol

13/TCP,UDP DAYTIME protocol

17/TCP,UDP QOTD (Quote of the Day) protocol

18/TCP,UDP Message Send Protocol

19/TCP,UDP CHARGEN (Character Generator) protocol

20/TCP,UDP FTP - data port


21/TCP,UDP FTP - control (command) port

22/TCP,UDP SSH (Secure Shell)

23/TCP,UDP Telnet protocol

25/TCP,UDP SMTP

37/TCP,UDP TIME protocol

38/TCP,UDP Route Access Protocol

39/TCP,UDP Resource Location Protocol

41/TCP,UDP Graphics

42/TCP,UDP Host Name Server

43/TCP WHOIS protocol

49/TCP,UDP TACACS Login Host protocol

53/TCP,UDP DNS (Domain Name System)

67/UDP BOOTP (BootStrap Protocol) server; also used by DHCP (Dynamic Host Configuration Protocol)

68/UDP BOOTP client; also used by DHCP

69/UDP TFTP (Trivial File Transfer Protocol)

70/TCP Gopher protocol

79/TCP Finger protocol

80/TCP HTTP (HyperText Transfer Protocol)

88/TCP Kerberos - authenticating agent

110/TCP POP3 (Post Office Protocol version 3)

113/TCP ident

118/TCP,UDP SQL Services

119/TCP NNTP (Network News Transfer Protocol)

123/UDP NTP (Network Time Protocol)

135/TCP,UDP EPMAP / Microsoft RPC Locator Service

137/TCP,UDP NetBIOS Name Service

138/TCP,UDP NetBIOS Datagram Service

139/TCP,UDP NetBIOS Session Service

143/TCP,UDP IMAP4 (Internet Message Access Protocol 4)

156/TCP,UDP SQL Service

161/TCP,UDP SNMP (Simple Network Management Protocol)


162/TCP,UDP SNMPTRAP

179/TCP BGP (Border Gateway Protocol)

194/TCP IRC (Internet Relay Chat)

213/TCP,UDP IPX

369/TCP,UDP Rpc2portmap

371/TCP,UDP ClearCase albd

389/TCP,UDP LDAP (Lightweight Directory Access Protocol)

401/TCP,UDP UPS Uninterruptible Power Supply

427/TCP,UDP SLP (Service Location Protocol)

443/TCP,UDP HTTPS - HTTP Protocol over TLS/SSL (encrypted transmission)

445/TCP Microsoft-DS (Active Directory, Windows shares, Sasser worm, Agobot, Zobotworm)

445/UDP Microsoft-DS SMB file sharing

464/TCP,UDP Kerberos Change/Set password

500/TCP,UDP ISAKMP, IKE-Internet Key Exchange

514/UDP syslog protocol

520/UDP Routing - RIP

524/TCP,UDP NCP (NetWare Core Protocol)

530/TCP,UDP RPC

540/TCP UUCP (Unix-to-Unix Copy Protocol)

542/TCP,UDP commerce (Commerce Applications)

554/TCP,UDP RTSP (Real Time Streaming Protocol)

563/TCP,UDP NNTP protocol over TLS/SSL (NNTPS)

587/TCP email message submission (SMTP) (RFC 2476)

591/TCP FileMaker 6.0 Web Sharing (HTTP Alternate, see port 80)

593/TCP,UDP HTTP RPC Ep Map

636/TCP,UDP LDAP over SSL (encrypted transmission)

691/TCP MS Exchange Routing

873/TCP rsync File synchronization protocol

989/TCP,UDP FTP Protocol (data) over TLS/SSL

990/TCP,UDP FTP Protocol (control) over TLS/SSL


992/TCP,UDP Telnet protocol over TLS/SSL

993/TCP IMAP4 over SSL (encrypted transmission)

995/TCP POP3 over SSL (encrypted transmission)

B.2 ICMP Types

The Internet Control Message Protocol (ICMP) is a core protocol of the Internet protocol suite. It is mainly used to send error messages. Unlike TCP and UDP, ICMP is usually not used by network applications (with the exception of the ping application).

Table B-2 is a list of the ICMP types.

Table B-2. ICMP Types

Type Description

0 Echo Reply

1 Unassigned

2 Unassigned

3 Destination Unreachable

4 Source Quench

5 Redirect

6 Alternate Host Address

7 Unassigned

8 Echo

9 Router Advertisement

10 Router Selection

11 Time Exceeded

12 Parameter Problem

13 Timestamp

14 Timestamp Reply

15 Information Request

16 Information Reply

17 Address Mask Request

18 Address Mask Reply


19 Reserved (for Security)

20-29 Reserved (for Robustness Experiment)

30 Traceroute

31 Datagram Conversion Error

32 Mobile Host Redirect

33 IPv6 Where-Are-You

34 IPv6 I-Am-Here

35 Mobile Registration Request

36 Mobile Registration Reply

37 Domain Name Request

38 Domain Name Reply

39 SKIP

40 Photuris

41-255 Reserved


Appendix C - Frame Relay Provisioning

C.1 Introduction

The DX900 provides WAN port support. In provisioning a new WAN circuit it is helpful to make reference to the OSI 7 layer model. The sections that follow will guide you through the Frame Relay provisioning by configuring your DX device from the bottom up with respect to the OSI model:

1. The Physical Layer – Your software will automatically detect whether you have a DDS or a T1/E1 connection. You complete the physical layer configuration with the Port Settings screen, as described in Section C.2 and Section C.3.

2. The Data Link Layer – use the Frame Relay Configuration screen, described in Section C.4, to configure this layer.

3. The protocols handled in the network, transport, and other upper layers of the OSI model are addressed by configuring the screens documented in Section C.5.

Figure C-1 shows the lower OSI layers most relevant to Frame Relay provisioning.

Figure C-1. OSI Layers and the Frame Relay Provisioning

[Figure: OSI layer stack. APPLICATION: TCP/IP applications and SERIAL-FR apps; TRANSPORT: TCP; NETWORK: IP; DATA LINK: FRAME RELAY; PHYSICAL: T1, DDS]


C.2 DDS Interface Configuration

If your DX device is supplied with a DDS interface, the WAN: Port Settings screen will appear as illustrated in Figure C-2.

DDS circuits are normally provided by a Telecom Service Provider. In most cases they run at 56 kilobits of bandwidth and the clocking is provided by the carrier. This interface has few options and is simple to configure.

Figure C-2. WAN Port DDS Port Settings Screen

The screen enables you to give a name to the WAN port circuit. This could be the actual circuit number, for example DDS-147658A12, or simply a name that is easy to remember, such as WAN1. Other options include the circuit speed (normally 56k), clock source (usually Received), and the option to administratively enable the port.

Table C-1 provides detailed descriptions of the available options.

Table C-1. WAN: Port Settings (DDS)

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Port Name: A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.

Speed: Specify the usable data rate of the interface. The following values may be selected:

• 56k

• 64k (Note that an MNS-DX DDS connection can operate at 64k only if the clock is remotely supplied.)

Default value = 56k

Clock: Specify the source for the data clock. The following values may be selected:

• Local

• Received

Default value = Received

Admin Status: Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:

• Disabled

• Enabled

Default value = Disabled

Some options are available to be used if the DDS circuit is part of a TDM network operated by the user rather than a "Carrier" leased circuit, or if the circuit is just a bare copper connection not terminated by any other equipment. When operating over a dedicated point-to-point link, one unit is nominated to be the clock source ("Local") and the other end the clock receiver ("Received"). It does not matter which end is which, so long as one is "Local" and the other "Received".

As soon as you have finished applying and saving your settings to the WAN: Port Settings screen, you can check the status of the connection by going to the WAN: Port Status screen, illustrated in Figure C-3.

Figure C-3. WAN: Port Status - Line State OK

The Line State field should display OK. An incorrect Speed specification (56k or 64k) will not affect this initial status message. After you have completed Frame Relay Configuration (Section C.4), a Line State status other than OK may indicate a Speed configuration error.


Table C-2 provides detailed descriptions of the possible status values.

Table C-2. WAN: Port Status

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

Line State: Possible values for DDS:

• OK – The line has link and is functioning properly.

• Rx Inactive – The receiver is inactive (possibly because it is being reset).

• Loss of Sig – The signal has been lost or the signal has dropped more than 6dB.

• Excess BPVs – Excessive occurrence of invalid Bipolar Violation events.

• Data Idle – Receiving Data Mode Idle.

• Cm Idle – Receiving Control Mode Idle.

• Out of Service – Receiving out of Service code

• Out of Frame – An error has been reported in the framing pattern.

• DSU Loopback – The line is in local DSU loopback. (Looping back what this interface is trying to transmit. Diagnostic only.)

• CSU Loopback – The line is in CSU loopback. (Looping back what is on the wire. Diagnostic only.)

Possible values for T1/E1:

• OK – The line has link and is functioning properly.

• Carrier Loss – No signal received.

• Blue Alarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm.

• Loss of Sync – The line is not synchronized to the received data stream.

• Yellow Alarm – Also known as a Remote Alarm indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations.

• Red Alarm – The incoming signal is corrupted (wrong frame type or errors in framing).

• Loop Up – The line is looping back received data.

LMI State: Possible values for the Local Management Interface (LMI) state are:

• Disabled – The LMI has been disabled.

• Down – The LMI is enabled but is down.

• Up – The LMI has successfully established communication with its peer.

• Suspend – The LMI has been suspended due to sequence number mismatches.

• Resume – The LMI is resuming after being suspended. This is a transient state.

Rx Packets: The number of packets received on this interface.

Rx Octets: The number of bytes received on this interface.

Tx Packets: The number of packets transmitted on this interface.

Tx Octets: The number of bytes transmitted on this interface.

C.3 T1/E1 Interface Configuration

If your DX device is supplied with a T1/E1 interface, the WAN: Port Settings screen will appear as illustrated in Figure C-4.

T1 circuits are normally provided by a Telecom Service Provider. In most cases they run at 56 kilobits of bandwidth and the clocking is provided by the carrier. If you are managing a private network you can take advantage of the 64 kilobits speed option with T1. E1 circuits always run at 64 kilobits.

Figure C-4. WAN Port T1 Port Settings Screen

In a carrier-supplied T1/E1 connection the values for Timeslots, Frame Types, and Line Codes will be determined by the carrier.

Table C-3 provides detailed descriptions of the available options.

Table C-3. WAN: Port Settings (T1/E1)

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis. The Port ID string should exactly match the physical labeling scheme.

Port Name: A user-configurable name for the port. This may be any arbitrary text string up to 16 printable ASCII characters. This field is empty by factory default.

Timeslot Bandwidth: Specify the usable data rate of the interface. The following values may be selected:

• 56k

• 64k

Default value = 56k

Clock: Specify the source for the data clock. The following values may be selected:

• Local

• Received

Default value = Local

Admin Status: Set the desired status of the port. If this parameter is set to Disabled, the port's transmit and receive functions are turned off. The following values may be selected:

• Disabled

• Enabled

Default value = Disabled

Mode: The mode for this port. The following values may be selected:

• T1

• E1

Default value = T1

Time Slots: Specify which available time slots are used by this port. Separate single slot numbers with commas and specify a range of slots with a hyphen. For example: 1,3,5-6.

Frame Types: The frame type for this port.

For T1 mode the following values may be selected:

• ESF – Extended Super Framing format, consisting of 24 consecutive 193 bit frames.

• D4 – A framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.

For E1 mode the following values may be selected:

• FAS – Frame Alignment Signaling.

• CAS – Channel Associated Signaling. A method that “robs” some bits of each frame to transmit synchronization information.

Line Codes: The line code for this port.

For T1 mode the following values may be selected:

• AMI – Alternate Mark Inversion line coding.

• B8ZS – Bipolar With 8 Zero Substitution line coding.

For E1 mode the following values may be selected:

• AMI – Alternate Mark Inversion line coding.

• HDB3 – High Density Bipolar 3 line coding.

As soon as you have finished applying and saving your settings to the WAN: Port Settings screen, you can check the status of the connection by going to the WAN: Port Status screen, illustrated in Figure C-3.

C.4 Frame Relay Configuration

Provisioning at the Frame Relay (OSI Data Link) layer is only required if you want to employ the Frame Relay standard Local Management Interface (LMI) protocol as part of the overall application or if you want to use end-to-end fragmentation.

Figure C-5. WAN: Frame Relay Screen


C.4.1 The LMI Protocol

The Local Management Interface (LMI) protocol provides minimal management visibility into a Frame Relay connection between the DX900 and the other end of a local connection. It adds a "ping" type function across the local connection, that is, an LMI status of "Up" confirms a local connection, and it also provides local information about available Frame Relay PVC circuits (DLCIs). Your configuration options in this screen are discussed in the following subsections and defined in Table C-4.

C.4.1.1 Fragmentation Size

The Frame Relay standard supports data fragmentation so that circuits that share this Frame Relay interface can have more consistent end-to-end response times. This is especially important when you have applications that have different message sizes. The type of fragmentation configurable in the Wide Area Network: Frame Relay screen is the End-to-End fragmentation defined in FRF.12. The fragmentation size applies to all configured IP DLCIs (RFC1490), but not to non-IP DLCIs (used for serial over Frame). Supported fragment sizes range from 8 to 1600 bytes. The default is no fragmentation.

C.4.1.2 LMI Types

For historical reasons the "standardization" of this protocol has resulted in three variants or "Types." In North America the original version (designated "LMI") is the most common, although the ANSI standard is also used. The CCITT type is the more frequently used outside North America. You must know the specific LMI type in use for a specific application and select it from the dropdown menu in the LMI column of the Wide Area Network: Frame Relay screen.

Carrier-provided Frame Relay services typically require you to use the LMI protocol. In a private network there are probably better tools available to manage connections and you may choose to use one of them rather than LMI.

C.4.1.3 LMI Modes

The second part of the LMI protocol configuration is the specification of a Mode. The mode specification describes which peer-to-peer side of the protocol you want this DX900 to use. The end point of the Frame Relay network is usually defined as the "User." In most cases this will be the DX900, but in configurations employing a private network or bare copper circuit the DX900 may be designated "Network." As a rule of thumb: in a system using a carrier-provided Frame Relay service the DX900 should be selected as "User", and over a dedicated private wire system with two DX900s directly connected back-to-back select one end as "User" and the other end as "Network".

The Network-to-Network (NNI) option would not be employed in any configuration considered in this document.


As soon as you have finished applying and saving your settings to the WAN: Frame Relay screen you can check the status of the connection by going to the WAN: Port Status screen, illustrated in Figure C-6.

Table C-4. WAN: Frame Relay

Field Name Field Value

Port ID: Uniquely identifies a logical WAN port that corresponds to a physical, labeled interface on the exterior of the product chassis.

Fragmentation Size: The maximum bytes in a frame relay fragment.

The default, 1600, is the maximum transmission unit (MTU) setting, plus frame relay overhead, for the DLCI IP interfaces.

Clearing this field turns off end-to-end fragmentation.

If fragmentation is not enabled the transmission of large IP packets on one Permanent Virtual Circuit (PVC) can obstruct traffic for other PVCs on the same line and significantly increase latency.

MNS-DX supports end-to-end fragmentation only; that is fragmentation is done at the packet’s point of origin on the PVC and reassembly is done at the packet’s termination point on the PVC, regardless of the number of links intervening.

LMI Type: Specify the Local Management Interface (LMI) type. The following values may be selected:

• None

• LMI

• CCITT

• ANSI

Default value = None

LMI Mode: Specify the Local Management Interface (LMI) mode. The following values may be selected:

• User

• Network

• NNI (Network to Network interface)

Default value = User


Figure C-6. WAN: Port Status - LMI State UP

The LMI State field should display Up. If the LMI State is not Up check for the correct specification of Speed (DDS -Section C.2) or Time Slots (T1/E1 - Section C.3). Other status messages are detailed in Table C-2.

C.5 Provisioning Frame Relay Applications

The DX900 supports two applications over the Frame Relay WAN port:

• IP applications

• Serial Tunnel over FR

C.5.1 IP Applications

Configuring the WAN port for IP applications involves two configuration areas:

• Defining the DLCI to be used over the WAN port

• Configuring IP router-related items

C.5.1.1 DLCI Configuration

Configure the DLCIs using the Wide Area Network: DLCI Settings entry screen (Figure C-7).


Figure C-7. WAN: DLCI Settings

Specify a DLCI

Add a new entry by specifying a DLCI in the range 1-1022 (this would normally match the circuit number given to you by a Service Provider or defined within your organization) and mark the IP box "Yes" for IP applications.

Define a CIR

A Committed Information Rate (CIR) is a "Leaky Bucket" mechanism that controls how much of the overall WAN bandwidth this DLCI is allowed to use. The CIR is expressed in bits per second. This is useful in making sure one or more DLCIs cannot starve other DLCIs sharing the same WAN interface. If this parameter is left blank then the CIR is defined as the bandwidth of the WAN port physical settings.

As soon as you have finished applying and saving your settings to the WAN: DLCI Settings screen you can check the status of the connection by going to the WAN: DLCI Status screen, illustrated in Figure C-8.
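The Time Slots syntax from Table C-3, the head-of-line latency that Fragmentation Size (Section C.4.1.1) bounds, and the DLCI and CIR rules of this section, worked through as an added example; this is not GarrettCom's code. The usable slot counts per T1/E1 and the final CIR oversubscription report are my assumptions, not rules stated in the guide.

```python
"""Provisioning sanity checks for a DX900 Frame Relay WAN port, built from the
rules in Appendix C.  Added example, not GarrettCom code.

Assumed here, not stated in the guide: a T1 has 24 usable time slots and an
E1 has 31 (slot 0 carries framing); the oversubscription report at the end of
check_dlcis() is a derived check, not a rule the guide states.
"""
from dataclasses import dataclass
from typing import Optional

SLOT_RATES = {"56k": 56_000, "64k": 64_000}   # Timeslot Bandwidth choices
MAX_SLOT = {"T1": 24, "E1": 31}                # assumption, see docstring
FRAG_MIN, FRAG_MAX = 8, 1600                   # supported Fragmentation Size


def parse_time_slots(spec: str, mode: str = "T1") -> list:
    """Parse the Time Slots field (e.g. '1,3,5-6') into a sorted slot list.

    Commas separate single slots and a hyphen gives an inclusive range.
    Rejects empty items, reversed ranges, duplicates and slots outside the
    mode's range, so a typo cannot silently change the port's bandwidth.
    """
    slots = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty item in Time Slots")
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed range {item}")
            rng = range(lo, hi + 1)
        else:
            rng = [int(item)]
        for s in rng:
            if not 1 <= s <= MAX_SLOT[mode]:
                raise ValueError(f"slot {s} outside 1-{MAX_SLOT[mode]} for {mode}")
            if s in slots:
                raise ValueError(f"slot {s} listed twice")
            slots.add(s)
    return sorted(slots)


def port_bandwidth_bps(spec: str, slot_rate: str = "56k", mode: str = "T1") -> int:
    """Usable WAN port rate: number of time slots times Timeslot Bandwidth."""
    return len(parse_time_slots(spec, mode)) * SLOT_RATES[slot_rate]


def hol_blocking_ms(frag_size: int, link_bps: int) -> float:
    """Worst-case time (ms) another PVC waits while one frame or fragment of
    frag_size bytes is serialised onto the line.  This is the head-of-line
    delay that Fragmentation Size bounds; with fragmentation off the full
    1600-byte frame is the worst case."""
    if not FRAG_MIN <= frag_size <= FRAG_MAX:
        raise ValueError(f"Fragmentation Size must be {FRAG_MIN}-{FRAG_MAX}")
    return frag_size * 8 * 1000 / link_bps


@dataclass
class Dlci:
    number: int
    ip: bool                       # the "IP" box on the DLCI Settings screen
    cir_bps: Optional[int] = None  # blank CIR = whole port bandwidth


def check_dlcis(dlcis, link_bps: int) -> list:
    """Apply the DLCI rules from Section C.5: IP DLCIs 1-1022, serial
    (Direct to Frame) DLCIs 16-991, unique numbers, CIR no higher than the
    port rate.  Returns a list of problem strings (empty means clean)."""
    problems, seen, committed = [], set(), 0
    for d in dlcis:
        lo, hi = (1, 1022) if d.ip else (16, 991)
        if not lo <= d.number <= hi:
            problems.append(f"DLCI {d.number}: outside {lo}-{hi}")
        if d.number in seen:
            problems.append(f"DLCI {d.number}: duplicate")
        seen.add(d.number)
        cir = link_bps if d.cir_bps is None else d.cir_bps
        if cir > link_bps:
            problems.append(f"DLCI {d.number}: CIR {cir} exceeds port rate {link_bps}")
        committed += cir
    if committed > link_bps:   # derived check: the CIRs cannot all be met at once
        problems.append(f"CIRs total {committed} bps on a {link_bps} bps port")
    return problems


if __name__ == "__main__":
    link = port_bandwidth_bps("1,3,5-6", "56k", "T1")   # 4 slots -> 224000 bps
    print("port rate:", link, "bps")
    for size in (1600, 160):
        print(f"fragment {size} bytes: up to {hol_blocking_ms(size, link):.1f} ms HOL wait")
    print(check_dlcis([Dlci(16, True, 150_000), Dlci(17, False, 150_000)], link))
```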


Figure C-8. WAN: DLCI Status

C.5.1.2 Configuring IP Router-Related Items

The primary router-related tasks to be completed are:

• Assignment of an IP address to the WAN port

• Selection of router discovery mechanisms: static or dynamic

After you have assigned a Frame Relay DLCI for IP applications the Routing: IP Addresses screen will display the WAN interface. (See Figure C-9.)

Figure C-9. Routing: IP Addresses - WAN Interface


Enter the IP address and subnet mask assigned to this interface and click Apply Settings. The specified address will then display in the Routing: Table screen (Figure C-10) as a Local connection.

Figure C-10. Routing: Table

The final step in routing configuration is to determine how the DX900 router functions can use this address and/or discover other IP addresses on the network. The options are:

1. Use a default (static) route that points to the "Next Hop" gateway.

2. Turn on automatic Routing discovery using Routing Information Protocol (RIP).

Static Routes / Default Gateway

To define a Static Route entry, use the Routing: Static Routes screen to define a default gateway. A default gateway is a static route whose destination is 0.0.0.0 with Mask 0.0.0.0, representing any IP address. The next hop is the IP address at the other end of the Frame Relay connection, for example 100.1.1.1 in the example above (not the local IP address, 100.1.1.2).

If you wish to define specific destinations rather than a universal default, specify as many specific entries as required in the Add Static Route form, applying settings after each entry. Check the Routing: Table screen (Figure C-10) to confirm that each new route is present. Static entries will be shown as Management under the Protocol column.

Figure C-11. Routing: Static Routes


Automated Routing Discovery Using RIP

An alternative to adding static routes is to use the automated Routing Information Protocol (RIP). This protocol has several MNS-DX settings, including:

• RIP – RIP version 1

• RIP-II – RIP version 2 with subnet broadcast (uses the subnet broadcast address)

• RIP-II multi – RIP version 2 with multicast

• RIP-II Local – RIP version 2 with local broadcast (uses the local broadcast address; sometimes needed for compatibility with older devices)

RIP is disabled by default. Configure this protocol on the DX900 from the Routing: RIP screen (Figure C-12).

This screen also allows you to advertise or not advertise the presence of a default gateway within the RIP message and to change the generic RIP timers.

Figure C-12. Routing: RIP: Global Settings Screen

After you have defined RIP Global Settings you must go to the Routing: RIP: Interface Settings screen (Figure C-13) to enable the settings on each of the IP interfaces.

Figure C-13. Routing: RIP: Interface Settings Screen

After you have enabled RIP you can check the Routing: Table screen for discovered routes. Figure C-14 provides an example.


Figure C-14. Routing: Table Screen - RIP Example

At this point IP applications should be able to use the WAN interface. Issue the ping command from the DX900 Command Line Interface to check the accessibility of other devices.

C.5.2 Serial Tunnel over FR (Direct to Frame) Applications

The second application the DX900 supports over the WAN port is the ability to take asynchronous data streams from the local serial ports and encapsulate, or "tunnel," the stream through a Frame Relay (WAN) connection without the IP application. Once again there are a couple of steps to take:

• Define additional DLCI circuits.

• Map DLCI circuits to Serial Ports.

C.5.2.1 Define Additional DLCIs

In the Wide Area Network: DLCI Settings screen, use the Add DLCI form to:

1. Specify additional DLCI circuits in the range 16-991.

2. Specify an appropriate CIR for each new DLCI.

3. Set the value in IP field to No for each new DLCI.

4. Click Apply Settings after completing each set of specifications.

Figure C-15 illustrates the Wide Area Network: DLCI Settings screen with three new DLCIs added for serial applications.


Figure C-15. WAN: DLCI Settings - Direct to Frame Example

The DLCI circuit numbers should be configured to match the circuit numbers provided by the Frame Relay service provider or, in Point-to-Point applications, to match the circuit numbers at the distant end. Check the DLCI status by viewing the Wide Area Network: DLCI Status screen. (See Figure C-16.)

Figure C-16. WAN: DLCI Status - Direct to Frame Example

C.5.2.2 Map DLCI Circuits to Serial Ports

The next step is to map these new DLCIs directly to serial ports using the Add New Channel form of the Serial: Frame Relay: Channel Settings screen (Figure C-17). For each new entry:

1. Match a Serial Port ID with the appropriate DLCI Circuit ID.


2. Select Default or Expedited priority. (See Table 3-50.)

3. Set Payload Offset to Yes or No. To interoperate with GarrettCom DynaStar DS products this value should be set to Yes.

Figure C-17. Serial: Frame Relay: Channel Settings Screen - Direct to Frame Example

You can view the status of these connections in the Frame Relay : Channel Status screen (Figure C-18).

Figure C-18. WAN: DLCI Status - Direct to Frame Example


Table C-5 describes the values you can view in the Serial: Frame Relay: Connections screen.

Table C-5. Frame Relay: Connections

Field Name Field Value

Port ID: A unique identifier for the serial port associated with this channel.

Circuit ID: A unique identifier for the DLCI to which the serial port is connected. In most cases, the identifier includes the WAN port and the DLCI on that port.

TxOctets: The number of serial characters transmitted over the frame relay for the given port.

RxOctets: The number of serial characters received over the frame relay for the given port.

TxDrops: The number of frames to be transmitted on the DLCI that were dropped because they could not be buffered at the WAN port.

RxDrops: The number of frames received on the DLCI that were dropped because they could not be buffered at the serial port.


Appendix D - Third Party Licenses

This appendix contains the texts of required licenses for third party software.

D.1 GNU LESSER GENERAL PUBLIC LICENSE

Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.


Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.


1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) The modified work must itself be a software library.

b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.

c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.

d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.


5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.

c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.

e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.


7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.

b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.


14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Libraries

If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License).

To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the library's name and an idea of what it does.>
Copyright (C) <year> <name of author>

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA


Glossary

This glossary contains brief explanations of acronyms and other terms used in this manual.

Term Definition

3DES Triple Data Encryption Standard (DES). A more secure version of the DES standard in which data is encrypted three times.

AES Advanced Encryption Standard. A NIST-standard cryptographic cipher that uses a block length of 128 bits and key lengths of 128, 192 or 256 bits.

ANSI American National Standards Institute.

ARP Address Resolution Protocol. Enables discovery of a device’s MAC address when only its IP address is known.

ASCII American Standard Code for Information Interchange.

BPV Bipolar violation.

BPDU Bridge Protocol Data Units. Message units that carry the Spanning Tree Protocol information.

CBT Core Based Trees. One of the communications protocols of the Internet Protocol Suite. Builds and maintains a shared delivery tree for a multicast group.

CCITT Comité consultatif international téléphonique et télégraphique. An institution that coordinates telecommunication standards. Although the CCITT acronym is still widely used, the institution has been known since 1992 as the ITU Telecommunication Standardization Sector (ITU-T).

CHAP Challenge-Handshake Authentication Protocol. A method of authentication of remote clients used by Point to Point Protocol (PPP) servers and based on a shared secret.

CIR Committed Information Rate. A guaranteed data rate negotiated with a carrier.

CFX Configuration XML File.

DCE Data Communications Equipment. Typically a communication device such as a modem. In an RS-232 link a DCE communicates with a DTE.

DDS Digital Data Service. A private line digital service from carriers other than AT&T.

DES Data Encryption Standard (DES). A NIST-standard cryptographic cipher that uses a 56-bit key.

DHCP Dynamic Host Configuration Protocol.

DLCI Data Link Connection Identifier. An identifying number for a private or switched virtual circuit in a frame relay network.


DSR/DTR Data Set Ready/Data Terminal Ready. RS-232 handshake signals sent from the modem to the terminal (DSR) or from the terminal to the modem (DTR) indicating readiness to accept data.

DTE Data Terminal Equipment. Typically a computer system. In an RS-232 link a DTE communicates with a DCE.

EGP Exterior Gateway Protocol. An internet routing protocol.

ESP Encapsulation Security Payload. An IPSec header extension for supporting security services.

FCS Frame Check Sequence. Extra characters added to a Frame for error detection and correction.

FEFI Far End Fault Indication.

GGP Gateway to Gateway Protocol. One of the communications protocols of the Internet Protocol Suite. Used mainly for routing datagrams.

HMI Human Machine Interface. The device that enables a person to monitor and control a machine. Typically the HMI is a computer.

HTTP HyperText Transfer Protocol.

ICMP The Internet Control Message Protocol. One of the communications protocols of the Internet Protocol Suite. Chiefly used to convey error messages.

IDRP Inter-Domain Routing Protocol.

IED A microprocessor-based device that controls power system equipment such as circuit breakers and voltage regulators.

IEEE Institute of Electrical and Electronics Engineers.

IGP Interior Gateway Protocols. A set of routing protocols used within a system.

IGMP Internet Group Management Protocol. One of the communications protocols of the Internet Protocol Suite. Used to manage membership in multicast groups.

IKE Internet Key Exchange. The protocol used to set up a Security Association in the IPsec protocol suite.

IP Internet Protocol.

IPIP IP in IP encapsulation. One of the communications protocols of the Internet Protocol Suite. Encloses an inner IP header with an outer header for tunneling.

ISO-IP ISO Internetworking Protocol. A network layer protocol in an OSI network.

ITU-T See CCITT.

LMI Local Management Interface. A signaling standard used between routers and frame relay switches.

LSC Last Schema Change.


MAC Media Access Control. A MAC address is a unique identifier attached to most forms of networking equipment.

MD5 Message-Digest algorithm 5. A common cryptographic hash function.

MIB Management Information Base. A database used by SNMP to manage devices such as switches and routers in a network.

Modbus A communications protocol using master/slave architecture. A commonly available means of connecting industrial electronic devices.

NAPT See NAT.

NAT Network Address Port Translation. A method of using a single public IP address to provide internet access to multiple private IP addresses.

NNI Network to Network Interface.

OSPF Open Shortest Path First. A routing protocol to determine the best path for traffic over a TCP/IP network.

PAP Password Authentication Protocol. An authentication protocol using unencrypted ASCII passwords over a network.

Path Cost A Spanning Tree parameter that measures how close bridges are to one another. It takes into account the bandwidth of the links between bridges.

PEM Privacy Enhanced Mail File format. A standard for secure e-mail on the Internet.

PFS Perfect Forward Secrecy. A property of public key cryptography whereby the compromise of one key does not lead to the compromise of any other keys.

PoE Power over Ethernet. A technology for delivering power (along with data) to remote devices over the twisted pair cabling of an Ethernet network.

PVC A point-to-point connection that is established before its first use and maintained regardless of the level of activity.

PVID Port VID. A user configurable parameter that associates a native VLAN with a port. Each port is assigned exactly one PVID. By default, each port is assigned PVID 1.

RADIUS Remote Authentication Dial-In User Service. An AAA (authentication, authorization and accounting) protocol using a challenge/response method for authentication.

RC4 A stream cipher commonly used with SSL and in wireless networks.

RIP Routing Information Protocol. An Interior Gateway Protocol (IGP) routing protocol used on internal networks. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.

RS-232 A popular standard for passing serial binary data point-to-point between digital systems. Also known as EIA-232. Compare to RS-485.


RS-485 A standard for passing serial data in point-to-point or multipoint configurations among digital data systems. Also known as EIA-485. Less common but more versatile than RS-232.

RSA Rivest-Shamir-Adleman key. A two-part key. The private key is kept by the owner; the public key is published.

RSTP Rapid Spanning Tree Protocol. RSTP is a protocol that prevents loops in bridged LAN environments. It also provides for fast recovery from link failures. This product supports RSTP as specified in IEEE 802.1D (2004).

RSVP Resource reSerVation Protocol. One of the communications protocols of the Internet Protocol Suite. Used to support Quality of Service (QoS) flows.

RTS/CTS Request to Send/Clear to Send. RS-232 flow control signals sent by transmitting stations (RTS) and receiving stations (CTS).

RTU Remote Terminal Unit. A device that collects data from data acquisition equipment and sends it to the main system over a network.

SA Security Association. In IPSec an SA defines a secure, unidirectional communication channel between two entities.

SADB Security Association Database. An IPSec database containing security information specific to particular connections. Compare to SPD.

SFP Small Form-factor Pluggable Transceiver. A full-duplex serial interface converter that converts electrical signals to optical signals to run over fiber.

SHA-1 Secure Hash Algorithm 1. A common cryptographic hash function.

SNMP Simple Network Management Protocol. A network monitoring and control protocol.

SNTP Simple Network Time Protocol.

SPD Security Policies Database. An IPSec database containing security policies general to the device. Compare to SADB.

SPI Security Parameters Index. A value added to the header in IPSec tunneling that identifies a session and its encryption properties.

SSH Secure SHell. A network protocol using public key cryptography to provide secure remote login.

SSL Secure Socket Layer. A cryptographic protocol that creates a secure data transfer session over a standard TCP connection.

Station Cache A database maintained by the Ethernet bridge that tracks MAC addresses of stations on the network and the ports associated with them.

T1/E1 T1 is a widely used T-carrier telecommunications standard capable of transmitting 1.544 Mbits/second. The T1 designation is used in North America. The analogous system outside of North America is called E1.

TCP Transmission Control Protocol.


TLS Transport Layer Security.

UDP User Datagram Protocol. One of the communications protocols of the Internet Protocol Suite. Replaces TCP when a reliable delivery is not required.

URL Uniform Resource Locator.

VID VLAN Identifier.

VLAN Virtual Local Area Network. A logical subgroup within a local area network that is created with software rather than by physically manipulating cables.

WAN Wide Area Network.

X.509 An X.509 certificate is a message that contains an entity's credentials. Information such as the entity's name, organization, and contact information are included.

XML eXtensible Markup Language.

XON/XOFF A software flow control protocol in which a receiver sends an XOFF character to a transmitter to signal that it is unable to receive data and an XON character to signal that it is able to receive data.


INDEX

A
access port 88
Address Resolution Protocol, See ARP
addresses
    IP 118, 184
    MAC 26, 73, 76
Administration Tasks
    screens 25 to 55
        Authentication:Files 46
        Authentication:Policies 41
        Authentication:User Accounts 44
        Change Password 49
        Configuration Files 53
        Configuration:Defaults 55
        Configuration:Files 53
        Sessions:Active Logins 48
        Sessions:Policies 47
        SNMP:Global Settings 32
        SNMP:Management Stations 34
        SNMP:Statistics 37
        SNMP:Trap Stations 35
        SNMP:Users 36
        SNTP:Global Settings 30
        SNTP:Servers 31
        Software Upgrade 49
        System information 25
        System Reset 55
        Time Persistence 29
        Time and Date 27
        Zone and DST 28


aging interval 74
ARP table 122
authentication 41

B
BPDU 187
bridge CLI command 161
bridges
    RSTP settings 79
    status 82

C
CA, See certificate authority
certificate
    files 199
    X.509 198
certificate authority 198
certificates 134, 135
channels 96, 98
cipher support 204
CIR 116, 247
CLI 141, 157
    commands
        bridge 161
        config 161
        ethernet 163
        exit 159
        firewall 165
        fr 167
        help 159
        history 159
        ip 169


logout 159monitor 170ping 174reboot 159restore 159revert 159rstp 175save 159session 177ssh 178system 179vlan 179wan 181web 182whoami 159

navigation 159collectors, syslog 64command line interface, SeeCLIconfig CLI command 161configuration files 53cost style 79, 190cryptography 134, 195, 196, 196

D
Data Link Channel Identifier, See DLCI
date and time 27
daylight saving time 28
DDS connection 109, 238
decryption 134, 195, 196
defaults, restoring 55
DHCP server 185
  dynamic addresses 131
  host parameters 128
  leases 132
  static addresses 129
digital signatures 198
DLCI 183, 246
Dynamic Host Configuration Protocol, See DHCP

E
E1/T1 connection 110, 241
edge ports 80, 188, 190
encryption 134, 195, 196
ethernet CLI command 163
Ethernet ports
  security 136
Ethernet Tasks
  screens 65 to 84
    Bridge:Global Settings 74
    Bridge:Port Settings 75
    Bridge:Static MACs 76
    Bridge:Station Cache 77
    Ports:Extended Statistics 69
    Ports:Mirroring 72
    Ports:Settings 65
    Ports:Status 67
    Ports:Summary Statistics 68
    RSTP:Bridge Settings 79
    RSTP:Bridge Status 82
    RSTP:Port Settings 80
    RSTP:Port Status 83
    VLAN:Global Settings 85
    VLAN:Port Settings 87
    VLAN:VIDs 86
events
  defined 56
  logging 56
  types logged 56
Events Tasks
  screens 56 to 64
    Logs:Files 62
    Logs:Global Settings 60
    Syslog:Collectors 64
    Syslog:Global Settings 63
exit CLI command 159

F
filtering 192
firewall 142
firewall CLI command 165
forward delay 79, 189, 190
fr CLI command 167
Frame Relay 167, 183
  channel settings 101
  connections 103
  provisioning 237

G
gateway, specifying default 121, 249

H
hello time 79, 189, 190
help CLI command 159
history CLI command 159
http/https 140

I
ICMP 145, 234
IKE 207
Internet Key Exchange, See IKE
IP addresses 184
ip CLI command 169
IP firewall, See firewall
IPSec 148

K
key
  files 199
  public 198

L
leases 132
LMI 115, 244
locked out? 137, 164
logged events 56
logout CLI command 159

M
MAC addresses 26, 73
maximum age 79, 189, 190
Media Access Control addresses, See MAC addresses
mirroring 72
Modbus 209
  connections 108
  local masters 104
  local slaves 105
  remote slaves 107
monitor CLI command 170
monitor, protocol 157

N
NAT 126, 185
Network Address Port Translation, See NAT
networking standards 215

P
password
  administrator 49
  user 45
PEM 134, 197, 199
ping CLI command 174
point ports 80, 188, 190
point-to-point links 80, 188, 190
policies
  authentication 41
  sessions 47
ports
  access 88
  configuring
    Ethernet 65
    RSTP 80, 190
    serial 89, 93, 193
    VLAN 87, 191
  ethernet security 136
  RSTP 189
  trunk 88
Privacy Enhanced Mail, See PEM
protocol
  monitor 157
  standards 215
public key cryptography 198

Q
Quality of Service 184

R
RADIUS 145, 204
reboot CLI command 159
resetting the system 55
restore CLI command 159
revert CLI command 159
RIP 123, 125, 185, 250
Routing Information Protocol, See RIP
routing table 121
Routing Tasks
  IP Addresses 118
  screens 118 to 133
    ARP Table 122
    DHCP Server
      Dynamic Addresses 131
      Host Parameters 128
      Leases 132
      Static Addresses 129
    NAT
      Global Settings 126
      Translations 127
    RIP
      Global Settings 123
      Interface Settings 125
    Static
      Routes 120
      Table 121
RSA 196, 197, 198, 204
RSTP 79, 186
  screens 79 to 84
    Bridge Settings 79
    Bridge Status 82
    Port Settings 80
    Port Status 83
rstp CLI command 175
RSTP:Port Settings 190

S
save CLI command 159
SCADA 223
Secure Shell, See SSH
security 134, 140, 195, 196
Security Tasks
  screens 134 to 147
    Certificates: Local 134
    Certificates: Trusted 135
    CLI 141
    Ethernet Port 136
    Firewall 142
    Firewall:Interface Groups 143
    Firewall:IP Filters 144
    Firewall:IP Interfaces 142
    RADIUS:Global Settings 146
    RADIUS:Servers 147
    Serial/SSL 138
    VPN:Details 154
    VPN:Global Settings 148
    VPN:Profiles 149, 150
    VPN:Status 153
    VPN:Tunnels 152
    Web Server 140
serial ports 89, 193
Serial Tasks
  screens 89 to 109
    Frame Relay:Channel Settings 101
    Frame Relay:Connections 103
    Modbus:Connections 108
    Modbus:Local Masters 104
    Modbus:Local Slaves 105
    Modbus:Remote Slaves 107
    Ports:Profiles 89
    Ports:Settings 93
    Ports:Statistics 95
    Ports:Status 94
    Terminal Server:Channel Settings 96
    Terminal Server:Channel Status 98
    Terminal Server:Connections 100
servers
  RADIUS 147
  SNTP 31
  terminal 96
session CLI command 177
sessions 47
signatures, digital 198
Simple Network Management Protocol, See SNMP
SNMP 186
  screens 32 to 34
software, upgrading 49
SSH 141, 209
ssh CLI command 178
SSL 138, 196, 225 to 229
station cache 77
syslog 63
  collectors 64
  defined 63
system CLI command 179
system reset 55

T
T1/E1 connection 110, 241
tagging 88, 191
TCP 97, 100, 145, 231
TCP/IP 100

terminal server 96, 215
time and date 27
time zones 28
trunk port 88
tunnels 152, 207, 251

U
UDP 145, 146, 231
unlocking 137, 164
upgrading software 49
users
  accounts 44, 213

V
VLAN
  and serial ports 193
  screens 85 to 88
    Global Settings 85
    Port Settings 87
    VIDs 86
vlan CLI command 179
VPN 148, 205

W
WAN
  DLCI settings 116, 183
  DLCI status 117, 183
  Frame Relay 114, 243
  Frame Relay provisioning 237
  port settings 109, 110, 183
  Port Status 239
  port status 112, 183
wan CLI command 181
WAN Tasks
  screens 109 to 118
    DLCI Settings 116
    DLCI Status 117
    Frame Relay 114
    Port Settings 109, 110
    Port Status 112
web CLI command 182
web server security 140
whoami CLI command 159

X
X.509 certificate 198

