7/24/2019 Product Manual 225
1/349
SecFlow-2 Ruggedized SCADA-Aware Ethernet Switch/Router
Version 3.1
Installation and User Guide
Installation and Operation Manual
ii SecFlow-2 Ver.3.10
Limited Warranty
RAD warrants to DISTRIBUTOR that the hardware in the SecFlow-2 to be delivered hereunder shall be free of defects in material and workmanship under normal use and service for a period of twelve (12) months following the date of shipment to DISTRIBUTOR.
If, during the warranty period, any component part of the equipment becomes defective by reason of material or workmanship, and DISTRIBUTOR immediately notifies RAD of such defect, RAD shall have the option to choose the appropriate corrective action: a) supply a replacement part, or b) request return of equipment to its plant for repair, or c) perform necessary repair at the equipment's location. In the event that RAD requests the return of equipment, each party shall pay one-way shipping costs.
RAD shall be released from all obligations under its warranty in the event that the equipment has been subjected to misuse, neglect, accident or improper installation, or if repairs or modifications were made by persons other than RAD's own authorized service personnel, unless such repairs by others were made with the written consent of RAD.
The above warranty is in lieu of all other warranties, expressed or implied. There are no warranties which extend beyond the face hereof, including, but not limited to, warranties of merchantability and fitness for a particular purpose, and in no event shall RAD be liable for consequential damages.
RAD shall not be liable to any person for any special or indirect damages, including, but not limited to, lost profits from any cause whatsoever arising from or in any way connected with the manufacture, sale, handling, repair, maintenance or use of the SecFlow-2, and in no event shall RAD's liability exceed the purchase price of the SecFlow-2.
DISTRIBUTOR shall be responsible to its customers for any and all warranties which it makes relating to SecFlow-2 and for ensuring that replacements and other adjustments required in connection with the said warranties are satisfactory.
Software components in the SecFlow-2 are provided "as is" and without warranty of any kind. RAD disclaims all warranties including the implied warranties of merchantability and fitness for a particular purpose. RAD shall not be liable for any loss of use, interruption of business or indirect, special, incidental or consequential damages of any kind. In spite of the above, RAD shall do its best to provide error-free software products and shall offer free software updates during the warranty period under this Agreement.
RAD's cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of or relating to this Agreement and the SecFlow-2 shall not exceed the sum paid to RAD for the purchase of the SecFlow-2. In no event shall RAD be liable for any indirect, incidental, consequential, special, or exemplary damages or lost profits, even if RAD has been advised of the possibility of such damages.
This Agreement shall be construed and governed in accordance with the laws of the State of Israel.
Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste equipment in protecting the environment, the owner of this RAD product is required to refrain from disposing of this product as unsorted municipal waste at the end of its life cycle. Upon termination of the unit's use, customers should provide for its collection for reuse, recycling or other form of environmentally conscientious disposal.
General Safety Instructions
The following instructions serve as a general guide for the safe installation and operation of telecommunications products. Additional instructions, if applicable, are included inside the manual.
Safety Symbols
This symbol may appear on the equipment or in the text. It indicates potential safety hazards regarding product operation or maintenance to operator or service personnel.
Danger of electric shock: avoid any contact with the marked surface while the product is energized or connected to outdoor telecommunication lines.
Protective ground: the marked lug or terminal should be connected to the building protective ground bus.
Some products may be equipped with a laser diode. In such cases, a label with the laser class and other warnings as applicable will be attached near the optical transmitter. The laser warning symbol may also be attached.
Please observe the following precautions:
Before turning on the equipment, make sure that the fiber optic cable is intact and is connected to the transmitter.
Do not attempt to adjust the laser drive current.
Do not use broken or unterminated fiber-optic cables/connectors or look straight at the laser beam.
The use of optical devices with the equipment will increase eye hazard.
Use of controls, adjustments or performing procedures other than those specified herein may result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible.
In some cases, the users may insert their own SFP laser transceivers into the product. Users are alerted that RAD cannot be held responsible for any damage that may result if non-compliant transceivers are used. In particular, users are warned to use only agency approved products that comply with the local laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation and maintenance of this product. Only qualified and authorized service personnel should carry out adjustment, maintenance or repairs to this product. No installation, adjustment, maintenance or repairs should be performed by either the operator or the user.
Handling Energized Products
General Safety Practices
Do not touch or tamper with the power supply when the power cord is connected. Line voltages may be present inside certain products even when the power switch (if installed) is in the OFF position or a fuse is blown. For DC-powered products, although the voltage levels are usually not hazardous, energy hazards may still exist.
Before working on equipment connected to power lines or telecommunication lines, remove jewelry or any other metallic object that may come into contact with energized parts.
Unless otherwise specified, all products are intended to be grounded during normal use. Grounding is provided by connecting the mains plug to a wall socket with a protective ground terminal. If a ground lug is provided on the product, it should be connected to the protective ground at all times, by a wire with a diameter of 18 AWG or wider. Rack-mounted equipment should be mounted only in grounded racks and cabinets.
Always make the ground connection first and disconnect it last. Do not connect telecommunication cables to ungrounded equipment. Make sure that all other cables are disconnected before disconnecting the ground.
Some products may have panels secured by thumbscrews with a slotted head. These panels may cover hazardous circuits or parts, such as power supplies. These thumbscrews should therefore always be tightened securely with a screwdriver after both initial installation and subsequent access to the panels.
Connecting AC Mains
Make sure that the electrical installation complies with local codes.
Always connect the AC plug to a wall socket with a protective ground.
The maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and Canada).
Always connect the power cord first to the equipment and then to the wall socket. If a power switch is provided in the equipment, set it to the OFF position. If the power cord cannot be readily disconnected in case of emergency, make sure that a readily accessible circuit breaker or emergency switch is installed in the building installation.
In cases when the power distribution system is IT type, the switch must disconnect both poles simultaneously.
Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating in reference to the ground. Any single pole can be externally grounded.
Due to the high current capability of DC power systems, care should be taken when connecting the DC supply to avoid short-circuits and fire hazards.
Make sure that the DC power supply is electrically isolated from any AC source and that the installation complies with the local codes.
The maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and Canada).
Before connecting the DC supply wires, ensure that power is removed from the DC circuit. Locate the circuit breaker of the panel board that services the equipment and switch it to the OFF position. When connecting the DC supply wires, first connect the ground wire to the corresponding terminal, then the positive pole and last the negative pole. Switch the circuit breaker back to the ON position.
A readily accessible disconnect device that is suitably rated and approved should be incorporated in the building installation.
If the DC power supply is floating, the switch must disconnect both poles simultaneously.
Connecting Data and Telecommunications Cables
Data and telecommunication interfaces are classified according to their safety status.
The following table lists the status of several standard interfaces. If the status of a given port differs from the standard one, a notice will be given in the manual.

Safety Status: SELV (Safety Extra Low Voltage)
Ports: V.11, V.28, V.35, V.36, RS-530, X.21, 10BaseT, 100BaseT, Unbalanced E1, E2, E3, STM, DS-2, DS-3, S-Interface ISDN, Analog voice E&M
Ports which do not present a safety hazard. Usually up to 30 VAC or 60 VDC.

Safety Status: TNV-1 (Telecommunication Network Voltage-1)
Ports: xDSL (without feeding voltage), Balanced E1, T1, Sub E1/T1
Ports whose normal operating voltage is within the limits of SELV, on which overvoltages from telecommunications networks are possible.

Safety Status: TNV-2 (Telecommunication Network Voltage-2)
Ports: FXS (Foreign Exchange Subscriber)
Ports whose normal operating voltage exceeds the limits of SELV (usually up to 120 VDC or telephone ringing voltages), on which overvoltages from telecommunication networks are not possible. These ports are not permitted to be directly connected to external telephone and data lines.

Safety Status: TNV-3 (Telecommunication Network Voltage-3)
Ports: FXO (Foreign Exchange Office), xDSL (with feeding voltage), U-Interface ISDN
Ports whose normal operating voltage exceeds the limits of SELV (usually up to 120 VDC or telephone ringing voltages), on which overvoltages from telecommunication networks are possible.

Always connect a given port to a port of the same safety status. If in doubt, seek the assistance of a qualified safety engineer.
Always make sure that the equipment is grounded before connecting telecommunication cables. Do not disconnect the ground connection before disconnecting all telecommunications cables.
Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables. Extra caution should be exercised during thunderstorms.
When using shielded or coaxial cables, verify that there is a good ground connection at both ends. The grounding and bonding of the ground connections should comply with the local codes.
The telecommunication wiring in the building may be damaged or present a fire hazard in case of contact between exposed external wires and the AC power lines. In order to reduce the risk, there are restrictions on the diameter of wires in the telecom cables, between the equipment and the mating connectors.
To reduce the risk of fire, use only No. 26 AWG or larger telecommunication line cords.
Some ports are suitable for connection to intra-building or non-exposed wiring or cabling only. In such cases, a notice will be given in the installation instructions.
Do not attempt to tamper with any carrier-provided equipment or connection hardware.
Electromagnetic Compatibility (EMC)
The equipment is designed and approved to comply with the electromagnetic regulations of major regulatory bodies. The following instructions may enhance the performance of the equipment and will provide better protection against excessive emission and better immunity against disturbances.
A good ground connection is essential. When installing the equipment in a rack, make sure to remove all traces of paint from the mounting points. Use suitable lock-washers and torque. If an external grounding lug is provided, connect it to the ground bus using braided wire as short as possible.
The equipment is designed to comply with EMC requirements when connecting it with unshielded twisted pair (UTP) cables. However, the use of shielded wires is always recommended, especially for high-rate data. In some cases, when unshielded wires are used, ferrite cores should be installed on certain cables. In such cases, special instructions are provided in the manual.
Disconnect all wires which are not in permanent use, such as cables used for one-time configuration.
The compliance of the equipment with the regulations for conducted emission on the data lines is dependent on the cable quality. The emission is tested for UTP with 80 dB longitudinal conversion loss (LCL).
Unless otherwise specified or described in the manual, TNV-1 and TNV-3 ports provide secondary protection against surges on the data lines. Primary protectors should be provided in the building installation.
The equipment is designed to provide adequate protection against electrostatic discharge (ESD). However, it is good working practice to use caution when connecting cables terminated with plastic connectors (without a grounded metal hood, such as flat cables) to sensitive data lines. Before connecting such cables, discharge yourself by touching ground or wear an ESD preventive wrist strap.
FCC-15 User Information
This equipment has been tested and found to comply with the limits of the Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the Installation and Operation manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
Canadian Emission Requirements
This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulation.
Warning per EN 55022 (CISPR-22)
This is a class A product. In a domestic environment, this product may cause radio interference, in which case the user will be required to take adequate measures.
Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste equipment in protecting the environment, the owner of this RAD product is asked not to dispose of this product as unsorted municipal waste once it has reached the end of its life cycle. When the unit is no longer used, the customer should arrange for its reuse, recycling or another form of environmentally conscientious disposal.
General Safety Instructions
The following instructions serve as a general guide for the safe installation and operation of telecommunications products. Additional instructions, if applicable, are included in the manual.
Safety Symbols
This symbol may appear on the equipment or in the text. It indicates potential safety hazards to the operator or service personnel regarding product operation or maintenance.
Danger of electric shock: avoid any contact with the marked surface while the product is energized or connected to external telecommunication lines.
Protective ground: the marked lug or terminal should be connected to the building protective ground.
Some products may be equipped with a laser diode. In such cases, a label with the laser class and other warnings, as applicable, will be attached near the optical transmitter. The laser warning symbol may also be attached.
Please observe the following precautions:
Before turning on the equipment, make sure that the fiber optic cable is intact and connected to the transmitter.
Do not attempt to adjust the laser drive current.
Do not use broken or unterminated fiber optic cables or connectors, and do not look directly at a laser beam.
The use of optical devices with the equipment will increase the eye hazard.
Use of controls, adjustments or procedures other than those specified here may result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible.
In some cases, users may insert their own SFP laser transceivers into the product. Users are warned that RAD cannot be held responsible for any damage that may result from the use of non-compliant transceivers. In particular, users are warned to use only agency-approved products that comply with local laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation and maintenance of this product. Only qualified and authorized service personnel should carry out adjustment, maintenance or repairs to this product. No installation, adjustment, maintenance or repair should be performed by the operator or the user.
Handling Energized Products
General Safety Practices
Do not touch or tamper with the power supply when the power cord is connected. Line voltages may be present inside certain products even when the switch (if installed) is in the OFF position or a fuse is blown. For DC-powered products, the voltage levels are usually not hazardous, but energy hazards may still exist.
Before working on equipment connected to power lines or telecommunication lines, remove jewelry or any other metallic object that may come into contact with energized parts.
Unless otherwise indicated, all products are intended to be grounded during normal use. Grounding is provided by connecting the mains plug to a wall socket with a protective ground terminal. If a ground lug is provided on the product, it should be connected to protective ground at all times by a wire of 18 AWG or larger. Rack-mounted equipment should be mounted only in grounded racks and cabinets.
Always make the ground connection first and disconnect it last. Do not connect telecommunication cables to ungrounded equipment. Make sure that all other cables are disconnected before disconnecting the ground.
Connecting AC Mains
Make sure that the electrical installation complies with local codes.
Always connect the mains plug to a wall socket with a protective ground terminal.
The maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and Canada).
Always connect the power cord first to the equipment and then to the wall socket. If a power switch is provided with the equipment, set it to the OFF position. If the power cord cannot be readily disconnected in case of emergency, make sure that a readily accessible circuit breaker or emergency switch is installed in the building installation.
If the power distribution system is IT type, the switch must disconnect both poles simultaneously.
Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating with respect to ground. Any single pole can be externally grounded.
Because of the current capability of DC power systems, care should be taken when connecting the DC supply to avoid short-circuits and fire hazards.
Make sure that the DC power supply is isolated from any AC (mains) source and that the installation complies with local codes.
The maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and Canada).
Before connecting the DC supply wires, ensure that the DC circuit is not energized. Locate the circuit breaker of the panel board that serves the equipment and switch it to the OFF position. When connecting the DC supply wires, first connect the ground wire to the corresponding terminal, then the positive pole and last the negative pole. Switch the circuit breaker back to the ON position.
A readily accessible, suitably rated and approved disconnect device should be incorporated in the building installation.
If the DC power supply is floating, the switch must disconnect both poles simultaneously.
Contents
Installation Guide
Chapter 1 Introduction
Chapter 2 Key Features
Chapter 3 Using This Document
Chapter 4 Safety Information
User Guide
Chapter 1 Introduction
Chapter 2 System
Chapter 3 Ports
Chapter 4 MAC-Address Table (FDB)
Chapter 5 VLAN and IP Interface
Chapter 6 SNTP
Chapter 7 QOS
Chapter 8 CFM
Chapter 9 Resiliency
Chapter 10 Spanning Tree and Routing
Chapter 11 Application IP Interface
Chapter 12 Management
Chapter 13 Transparent Tunneling
Chapter 14 Protocol Gateway IEC 101 to IEC 104
Chapter 15 Protocol Gateway TG800 to IEC 104
Chapter 16 Discrete IO Tunneling
Chapter 17 VPN
SecFlow-2 Ruggedized SCADA-Aware Ethernet Switch/Router
Installation Guide
Chapter 1
Introduction
The SecFlow-2 ruggedized SCADA-aware industrial Ethernet switches combine a ruggedized Ethernet platform with a unique application-aware processing engine.
As an industrial Ethernet switch, the SecFlow-2 provides a strong Ethernet and IP feature set with special emphasis on the needs of the mission-critical industrial environment: suitability for harsh conditions, high reliability and network resiliency.
In addition, the SecFlow-2 switches have unique service-aware capabilities that enable integrated handling of application-level requirements, such as the implementation of security measures.
Such an integrated solution results in a simple network architecture with an optimized fit to the application requirements.
Chapter 2
Key Features
The SecFlow-2 devices offer the following features:
Wire speed, non-blocking Layer 2 switching
High-density modular system
Advanced Ethernet and IP feature-set
Application-aware firewall per port
Integrated VPN agent
Fit to harsh industrial environment
Supported by a dedicated industrial service management tool (iSIM)
Multiple interface types
Chapter 3
Using This Document
Documentation Purpose
This user guide includes the relevant information for configuring the SecFlow-2 functionalities.
It provides overview syntax for the commands available in the currently supported software version and describes the features supplied with the device.
Intended Audience
This user guide is intended for network administrators responsible for installing and configuring network equipment.
Users must be familiar with the concepts and terminology of Ethernet and local area networking (LAN) to use this User Guide.
Documentation Suite
This document is just one part of the full documentation suite provided with this product.

Document              Function
Initial setup guide   Provided with the device in the box. Immediate information required for power up and management availability.
Installation Guide    Contains information about installing the hardware and software, including site preparation, testing, and safety information.
User Guide            Contains information on configuring and using the system.
Quick User Guide      Contains basic information on configuring and using the system for the most common uses and features.
Conventions Used
The conventions below are used to flag important information:
Note: Indicates special information to which the user needs to pay special attention.
Caution: Indicates special instructions to avoid possible damage to the product.
Warning: Indicates special instructions to avoid possible injury or death.
The table below explains the conventions used within the document text:

Conventions                     Description
commands                        CLI and SNMP commands
command example                 CLI and SNMP examples
                                user-defined variables
[Optional Command Parameters]   CLI syntax and coded examples
Chapter 4
Safety Information
4.1 Safety Information
Danger of electric shock: avoid any contact with the marked surface while the product is energized or connected to outdoor telecommunication lines.
Protective earth: the marked lug or terminal should be connected to the building protective earth bus.
LINE VOLTAGE
Before connecting the product to the power line, make sure the voltage of the power source matches the requirements of the product, as marked on the label located near the power connectors.
SecFlow-2 includes Class 1 lasers. For your safety:
Do not look directly into the optical connectors while the unit is operating. The laser beams are invisible.
Do not attempt to adjust the laser drive current.
The use of optical instruments with this product will increase eye hazard. Laser power up to 1 mW at 1300 nm and 1550 nm could be collected by an optical instrument.
Use of controls or adjustment or performing procedures other than those specified herein may result in hazardous radiation exposure.
This equipment contains Electrostatic Discharge (ESD) sensitive components. Use ESD protection before servicing or installing components of this system.
Changes or modifications made to this device that are not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
Remove the power cord from a power-supply unit before installing it in, or removing it from, the device. Otherwise the power supply or the device could be damaged. (The device can be running while a power supply is being installed or removed, but the power supply itself should not be connected to a power source.)
The unit is designed to operate in environments of up to 70 degrees ambient temperature.
For AC units, under some conditions the housing of the unit might get hot and should not be touched directly.
4.2 System Description
SecFlow-2 is a compact switch with high capability in terms of L2/L3 switching and secure servicing of industrial protocols.
The housing contains the power supply module, the main switching unit, I/O interface modules and, optionally, an additional communication interface with xDSL or WiFi modems.
Power Supply Module
Available power input versions and their respective current consumption:

Power input   Max current [A], version without PoE ports   Max current [A], version with PoE ports
24 VDC        1.3                                          4
48 VDC        0.7                                          2
110 VDC       0.3                                          0.8
220 VDC       0.15                                         0.4
110 VAC       0.4                                          1.2
220 VAC       0.2                                          0.6

For the DC versions, two inputs for external sources are available, allowing power redundancy to the unit.
AC power variants have double-pole (line/neutral) fusing.
Input Circuit Protection
Following are the maximum values of upstream fuse / circuit breaker protection:

Power input   Max current [A]
24 VDC        10
48 VDC        5
110 VDC       2.5
220 VDC       1.2
110 VAC       6
220 VAC       6
Main Switch
The Main Switch module is responsible for:
Switch management
L2 switching
L3 routing
Application-aware firewall and special services
Interfaces on this module are:
Ethernet copper RJ45 ports
SFP fiber-optic ports
Serial console RJ45 port
USB management port
I/O Interface
The I/O card holds the following user and network interfaces:
Asynchronous RS-232 serial ports
Discrete I/O inputs / outputs
Cellular GPRS/UMTS modem
Power connectors for DC versions
Communication Module
This is an ordering option of the device for the following interfaces:
WiFi Access Point interface
SHDSL modem
AC power input connector
4.3 Installing SecFlow-2
This section includes the relevant information for installing the device.
Package Contents
The SecFlow-2 package includes the following items:
SecFlow-2 module
1x RS-232 console cable (white cable, CBL-SF-RJ45-CONSOLE)
Optional,1x RS-232 user port cable (gray cable, CBL-RJ45/DB9/NULL)
First installation guide
Unpacking
The package contents are factory tested and inspected prior to shipment,
however keep the shipping package until the device is installed and verified asoperational. In case of damage to the device during shipment, contact support.
Mounting SecFlow-2
The SecFlow-2 is designed as a fixed unit that is connected on its rear side to an industry-standard DIN rail; the DIN-rail mount is the default setup.
Mounting for DIN Rail
These mounting instructions assume that a standard DIN rail has been previously installed. If one has not, use the installation instructions that come with the DIN rail to mount the DIN rail on the wall.
Locate the DIN mounting brackets on the back of the device.
To Assemble:
Position the module with the DIN rail guide on the upper edge of the DIN rail, and snap it in with a downward motion.
To Remove:
Pull the snap lever open with the aid of a screwdriver and slide the module out at the lower edge of the DIN rail.
Note that the product must be installed vertically, with the bottom side of the device facing downwards towards the floor, to enable proper natural air flow.
Distance Kept For Natural Air Flow
Proper installation requires keeping a 10 cm distance, top and bottom, between the SecFlow-2 switch and any neighboring device, for proper cooling by natural air flow.
[Figure: 10 cm above and below kept clear]
Grounding
To install the grounding wire:
1. Prepare a minimum 10 American Wire Gauge (AWG) grounding wire
terminated by a crimped two-hole lug with hole diameter and spacing as
shown in the figure below. Use a suitable crimping tool to fasten the lug securely to the wire. Adhere to your company's policy as to the wire gauge and the number of crimps on the lug.
2. Apply some anti-oxidant onto the metal surface.
3. Mount the lug on the grounding posts, replace the spring-washers and fasten
the bolts. Avoid using excessive torque.
Do not remove the earth connection unless all power supply connections are
disconnected.
Before connecting power to the platform, make sure that the grounding posts
are firmly connected to a reliable ground, as described below.
Battery Maintenance
The system has an integrated battery used for backup of certain system values
like time.
Risk of explosion if battery is replaced by an incorrect type.
Battery replacement should be done by the manufacturer or an authorized party
on its behalf.
[Figure: grounding lug, 10 AWG wire]
4.4 Connecting to a Power Source
To wire the DC input voltage connector:
Input voltage can be either AC or DC depending on the specific module you purchased. Check the label on the back of the module.
For the DC version there are two connection inputs, marked "PWR A" and "PWR B". For proper operation it is only necessary to connect one power source, either to "PWR A" or to "PWR B". However, for redundancy purposes you may connect two different power sources, one to "PWR A" and the second to "PWR B".
For wiring the voltage, a mating plug connector (2 pcs) is supplied.
[Figure: wiring of the plug connector]
To wire the AC input voltage connector:
For an AC product variant there is a single input connector.
Use a brown wire for the Line (Phase) conductor, a green/yellow wire for the grounding and a blue wire for the Neutral conductor. Use 18 AWG (1 mm²) wire with insulated ferrules.
[Figure: wiring of the plug connector]
Use a grounding wire of at least 10 American Wire Gauge (AWG).
Attach the 10 AWG wire to an agency-approved crimp connector, crimped with the proper tool. The crimp connector should be secured to both ground screws on the enclosure.
For the input circuit to the system, make sure there is a proper circuit protection,
on the input to the terminal block. Max current consumption for each product
variant is given in this document.
The unit does not have a Power On/Off button and is automatically turned on
when the cabling is completed and the power to the feed line is turned on.
Before wiring the power plug or connecting power to the device, verify that the
power to the feed lines is turned off at the supply circuit-breaker or
disconnected from the power bus.
4.5 The Switch LED Indicators
Table 4-1. Switch LED Indicators

Interface | Status | Meaning
PWR | Off | No power
PWR | Green | Power on
Eth 1-8 Link LED | Off | Port administratively disabled or no link connected to it
Eth 1-8 Link LED | Green | Enabled and link up
Eth 1-8 ACT LED | Off | Port administratively disabled or no link connected to it
Eth 1-8 ACT LED | Yellow (blinking) | Traffic
SFP | Off | Port administratively disabled
SFP | Red | Enabled, no SFP present
SFP | Green (static) | SFP present
SFP | Green (blinking) | Traffic
Serial 1-4 Link LED | Off | Disabled
Serial 1-4 Link LED | Green | Enabled
Serial 1-4 Link LED | Off | No traffic
Serial 1-4 Link LED | Yellow (blinking) | Traffic
Cellular C1 | Off | GPRS disabled
Cellular C1 | Green | SIM inserted, GPRS enabled
Cellular C1 | Green (blinking) | SIM connected / traffic
Run | Off | No power or in early boot stage
Run | Red | Faulty
Run | Green (blinking) | During start-up
Run | Green | Normal operation, system up
Alm | Off | System processes OK
Alm | Red | A system process alarm
4.6 Switch Configuration
Connecting to the Console Port
To connect the device to a PC using the console port:
1. Connect the RJ-45 connector of the console cable to the device's Console Port (CON).
   The console cable is colored white and is supplied with the device.
   Other serial grey cables which might be supplied with the device are for use with the user serial port and should not be connected to the console port.
2. Connect the other side of the cable to the PC COM port.
3. Configure the PC COM port to 15200-N-8-1 (15200 bps, no parity, 8 data bits, 1 stop bit, no flow control) and connect.
[Figure: serial port at the switch; DB-9 female connector for end device]
Default user name: root
Default password: admin123
4.7 Using the Command Line Interface (CLI)
The CLI is a network management application operated through an ASCII terminal.
Using the CLI commands, users can configure the device parameters and maintain them, receiving text output on the terminal monitor. These system parameters are stored in non-volatile memory, so users have to set them up only once.
The device CLI is password protected.
Accessing the CLI
The CLI can be accessed by:
- Direct connection of a PC to the device's console port
- Telnet or SSH over an IP network
Once the console prompt is displayed, use the administrator username and password to access the CLI.
The CLI Modes
The CLI is structured from hierarchical modes, each mode grouping relevant CLI
commands.
Its top level modes are:
Operational mode
Configuration mode
Application mode
Operational Mode
This is the initial mode that the CLI enters after a successful login to the CLI.
3180#
The Operational mode is primarily used for:
viewing the system status
controlling the CLI environment
monitoring and troubleshooting network connectivity
initiating the Configuration mode
Configuration Mode
The Configuration mode is the mode in which users can change the device
configuration.
To enter this mode from Operational mode, use the config terminal
command.
3180#config terminal
3180(config)#
The Configuration mode has various sub-modes for configuring the different
device features.
Application Mode
The application mode is the mode in which users can configure and manage SecFlow-2 extended features such as VPN, gateway, serial services and firewall.
3180#application connect
Entering character mode
Escape character is '^]'.
RADiFlow Application Module
Welcome to Radiflow industrial CLI
[/]
Committing Configuration Commands
The commands executed in the Configuration mode are applied to the device's active configuration (the running configuration file) immediately upon entry.
These commands are applied to a copy of the active configuration.
The configuration made by the user can be saved in the Flash and can be restored when the switch is started.
3180# write startup-config
Using the CLI
Command Keywords and Arguments
A CLI command is built up of a series of keywords and arguments:
- Keywords identify the command's action
- Arguments specify the command's configuration parameters
The CLI commands are not case sensitive.
The general CLI syntax is represented by the following format:
3180[(config- ...)]#keyword(s) [argument(s)] ... [keyword(s)] [argument(s)]
In this format
3180[(config ...)]#
represents the prompt displayed by the device. The format includes:
- the user-defined host name (3180 in this example)
- the current CLI mode
- the command keywords and arguments typed by the user
Minimum Abbreviation
The CLI accepts a minimum number of characters that uniquely identify a
command; therefore abbreviations for commands and parameters can be used as
long as they contain enough letters to differentiate them from any other
available commands or parameters in the specific CLI mode.
In case of an ambiguous entry (when the CLI mode includes more than one
command matching the characters typed), the system prompts for further input.
Dynamic Completion of Commands
In addition to the minimum abbreviation functionality, the CLI can display a command's possible completions.
To display possible command completions, type the partial command followed immediately by or .
If the partial command uniquely identifies a command, the CLI displays the full command.
Otherwise the CLI displays a list of possible completions.
Getting Help
To get specific help on a command mode, keyword, or argument, use one of the following commands or characters:

Command | Purpose
help | Provides a brief description of the help system in any command mode.
abbreviated-command | To display a command's possible completions, type the partial command followed immediately by or . If the partially typed command uniquely identifies a command, the full command name is displayed. Otherwise, the CLI displays a list of possible completions.
command? or abbreviated-command? | (Leave no space between the command and ?) Provides a list and description of commands that begin with a particular string.
? | Lists all commands available in the current command mode.
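The minimum-abbreviation and completion rules above (unique prefix accepted, ambiguous prefix prompts for more input, completions listed on request) are easy to get wrong when writing scripts or parsing captured sessions. The following Python is an added example, not the vendor's code: it implements those rules over a constructed subset of command keywords taken from this manual, so the real device's command set per mode is an assumption here.

```python
"""Minimum-abbreviation and completion resolver modelled on the SecFlow-2 CLI rules.

Added example, not the vendor's code. MODE_COMMANDS is a constructed subset
of the command keywords listed elsewhere in this manual; the real device
knows far more commands per mode.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few commands of two CLI modes (keywords only).
MODE_COMMANDS: Dict[str, List[str]] = {
    "exec": [
        "clear screen", "configure terminal", "copy", "enable", "disable",
        "show running-config", "show history", "show users", "write startup-config",
    ],
    "config": ["interface", "incremental-save", "ip address", "vlan", "end", "exit"],
}


@dataclass
class Resolution:
    status: str             # "unique", "ambiguous" or "unknown"
    candidates: List[str]   # the completions the CLI would list


def resolve_keyword(mode: str, typed: str) -> Resolution:
    """Resolve a typed first keyword against the commands of `mode`.

    Matching is case-insensitive, as the manual states. An exact keyword is
    accepted even when it is also the prefix of a longer one; a prefix that
    matches exactly one keyword is unique; several matches are ambiguous
    (the CLI prompts for more input); no match is unknown.
    """
    typed_l = typed.lower()
    keywords = sorted({cmd.split()[0] for cmd in MODE_COMMANDS[mode]})
    if typed_l in keywords:
        return Resolution("unique", [typed_l])
    matches = [k for k in keywords if k.startswith(typed_l)]
    if len(matches) == 1:
        return Resolution("unique", matches)
    if matches:
        return Resolution("ambiguous", matches)
    return Resolution("unknown", [])


def expand_command_line(mode: str, line: str) -> Optional[str]:
    """Expand each abbreviated keyword of a line, e.g. 'sh ru' -> 'show running-config'.

    Keywords are resolved position by position against the commands still
    matching the keywords already expanded. Once no matching command has a
    keyword at a position, the remaining words are arguments and are copied
    as typed. Returns None if any keyword is ambiguous or unknown.
    """
    words = line.lower().split()
    candidates = list(MODE_COMMANDS[mode])
    expanded: List[str] = []
    for idx, word in enumerate(words):
        options = sorted({c.split()[idx] for c in candidates if len(c.split()) > idx})
        if not options:
            expanded.extend(words[idx:])   # arguments, not keywords
            break
        chosen = [word] if word in options else [o for o in options if o.startswith(word)]
        if len(chosen) != 1:
            return None
        expanded.append(chosen[0])
        candidates = [c for c in candidates if len(c.split()) > idx and c.split()[idx] == chosen[0]]
    return " ".join(expanded)
```

A useful habit when reviewing captured sessions or change tickets is to run every abbreviated line through `expand_command_line` first, so that "sh ru" and "show running-config" compare equal and an ambiguous abbreviation is flagged rather than silently guessed.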
4.8 Setup and Maintenance
CLI over Secure Shell (SSH) and Telnet
After the initial device IP configuration, the device can be managed remotely via
SSH or Telnet.
Establish In Band management
Follow the configuration example below for establishing management on certain port(s) using a designated VLAN and IP.
1. Enable the required ports
interface fastethernet 0/1
no shutdown
switchport pvid 10
map switch default
exit
interface fastethernet 0/2
no shutdown
switchport pvid 10
map switch default
exit
2. Create your VLAN and assign ports. Port 0/1 is configured as untagged, 0/2 as tagged.
config
vlan 10
ports fastethernet 0/1-2 untagged fastethernet 0/1
exit
3. Create the IP interface to the VLAN.
interface vlan 10
shutdown
ip address 192.168.0.100 255.255.255.0
no shutdown
end
write startup-config
Telnet
The device can be accessed from any platform using a Telnet application. To
connect to the device enter the IP address of the device along with the username
and password.
SecFlow-2 Ruggedized SCADA-Aware Ethernet Switch/Router
User Guide
Chapter 1
Introduction
The SecFlow Ruggedized SCADA-aware Industrial Ethernet switches combine a ruggedized Ethernet platform with a unique application-aware processing engine.
As an Industrial Ethernet switch, the SecFlow switches provide a strong Ethernet and IP feature-set with a special emphasis on the needs of mission-critical industrial environments: fit to the harsh environment, high reliability and network resiliency.
In addition, the SecFlow switches have unique service-aware capabilities that enable integrated handling of application-level requirements such as implementation of security measures.
Such an integrated solution results in a simple network architecture with an optimized fit to the application requirements.
1.1 Key Features
The SecFlow-2 device offers the following features:
Wire speed, non-blocking Layer 2 switching
Compact systems with flexible ordering options of interfaces type /quantity
Advanced Ethernet and IP feature-set
Integrated Defense-in-Depth tool-set
Ethernet and Serial interfaces
Fit to harsh industrial environment
Supported by a dedicated industrial service management tool (iSIM)
1.2 Using This Document
Documentation Purpose
This user guide includes the relevant information for configuring the SecFlow-2 functionalities. It provides the complete syntax for the commands available in the currently supported software version and describes the features supplied with the device.
For more information regarding the device installation, refer to the Installation and Maintenance chapter.
For the latest software updates, see the Release Notes for the relevant release.
If the release notes contain information that conflicts with the information in the
user guide or supplements it, follow the release notes' instructions.
Intended Audience
This user guide is intended for network administrators responsible for installing
and configuring network equipment.
Users must be familiar with the concepts and terminology of Ethernet and local
area networking (LAN) to use this User Guide.
Documentation Suite
This document is just one part of the full documentation suite provided with this
product.
Document | Function
Installation Guide | Contains information about installing the hardware and software, including site preparation, testing, and safety information.
User Guide | Contains information on configuring and using the system.
Release Notes | Contains information about the current release, including new features, resolved issues (bug fixes), known issues, and late-breaking information that supersedes information in other documentation.

The table below explains the conventions used within the document text:

Convention | Description
commands | CLI and SNMP commands
command example | CLI and SNMP examples
user-defined variables
[Optional Command Parameters] | CLI syntax and coded examples
Chapter 2
System
2.1 Command Line Interface
The CLI (Command Line Interface) is used to configure the SecFlow-2 from a console attached to the serial port of the switch or from a remote terminal using Telnet. The following table lists the generic CLI command modes.
Table 3-1: Command Line Interface

Command Mode: User EXEC
  Access method: This is the initial mode to start a session.
  Prompt: 3180>
  Exit method: The logout command is used.

Command Mode: Privileged EXEC
  Access method: The User EXEC mode command enable is used to enter the Privileged EXEC mode.
  Prompt: 3180#
  Exit method: To return from the Privileged EXEC mode to User EXEC mode, the disable command is used.

Command Mode: Global Configuration
  Access method: The Privileged EXEC mode command configure terminal is used to enter the Global Configuration mode.
  Prompt: 3180(config)#
  Exit method: To exit to the Privileged EXEC mode, the end command is used.

Command Mode: Interface Configuration
  Access method: The Global Configuration mode command interface is used to enter the Interface Configuration mode.
  Prompt: 3180(config-if)#
  Exit method: To exit to the Global Configuration mode, the exit command is used, and to exit to the Privileged EXEC mode, the end command is used.

Command Mode: Config-VLAN
  Access method: The Global Configuration mode command vlan vlan-id is used to enter the Config-VLAN mode.
  Prompt: 3180(config-vlan)#
  Exit method: To exit to the Global Configuration mode, the exit command is used, and to exit to the Privileged EXEC mode, the end command is used.
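Automation that drives the CLI over the console or SSH, and tooling that replays captured sessions, must know which prompt to expect after each command; Table 3-1 is exactly that state machine. The following Python is an added example, not the vendor's code: it models only the transitions the table lists (plus the `config` abbreviation the manual uses elsewhere), with the host name 3180 taken from the manual's prompts; treating any other command as mode-preserving is an assumption.

```python
"""Prompt state machine for the SecFlow-2 CLI modes of Table 3-1.

Added example, not vendor code. Models the mode transitions the table
lists so a script can check the expected prompt after each command.
"""
from typing import Iterable, List

PROMPTS = {
    "user-exec": "{host}>",
    "priv-exec": "{host}#",
    "global-config": "{host}(config)#",
    "interface-config": "{host}(config-if)#",
    "config-vlan": "{host}(config-vlan)#",
}

# (keyword, modes it is valid in, resulting mode), taken from Table 3-1.
TRANSITIONS = [
    ("enable", {"user-exec"}, "priv-exec"),
    ("disable", {"priv-exec"}, "user-exec"),
    ("configure", {"priv-exec"}, "global-config"),
    ("config", {"priv-exec"}, "global-config"),   # abbreviation used elsewhere in the manual
    ("interface", {"global-config"}, "interface-config"),
    ("vlan", {"global-config"}, "config-vlan"),
    ("exit", {"interface-config", "config-vlan"}, "global-config"),
    ("end", {"global-config", "interface-config", "config-vlan"}, "priv-exec"),
]
MODE_CHANGING = {t[0] for t in TRANSITIONS}


class CliSession:
    """Tracks the CLI mode of one session and the prompt it should show."""

    def __init__(self, host: str = "3180") -> None:
        self.host = host
        self.mode = "user-exec"

    @property
    def prompt(self) -> str:
        return PROMPTS[self.mode].format(host=self.host)

    def send(self, command: str) -> str:
        """Apply the mode change a command causes and return the prompt that follows.

        Commands that do not change mode (e.g. 'no shutdown') leave it unchanged
        (assumption: only Table 3-1 keywords change mode). A mode-changing keyword
        used outside the modes the table allows raises ValueError, so a script
        with wrong nesting fails before anything is sent to the device.
        """
        words = command.strip().lower().split()
        if not words:
            return self.prompt
        key = words[0]
        for keyword, valid_in, new_mode in TRANSITIONS:
            if key == keyword and self.mode in valid_in:
                self.mode = new_mode
                return self.prompt
        if key in MODE_CHANGING:
            raise ValueError(f"'{command}' is not valid in {self.mode} ({self.prompt})")
        return self.prompt


def expected_prompts(commands: Iterable[str], host: str = "3180") -> List[str]:
    """Prompt expected after each command of a script started from User EXEC."""
    session = CliSession(host)
    return [session.send(c) for c in commands]
```

Running the in-band management script from the Installation Guide through `expected_prompts` before sending it catches a missing `end` or a misplaced `interface` line at the desk rather than on a live switch.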
2.2 CLI Pagination
Some show commands, for example, might produce a long output. By default, the output is interrupted after every screen length, pending with the notice "--More" to continue.
Options
- Pressing the ENTER key will progress the output by a single line.
- Pressing the SPACE key will progress the output by a screen length.
- Pressing the Q key will interrupt the output entirely.
Turning CLI pagination on/off is available with the following commands:
3180(config)# set cli pagination on
3180(config)# set cli pagination off
An output example of a show command with pagination set to on:
3180# show running-config
#Building configuration...
snmp trap syslog-server-status
!
no smtp authentication
!
!
queue 1 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1
queue-type unicast
!
queue 3 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1
priority 2 queue
-type unicast
!
--More
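When a running configuration is captured over the console for backup or change review, pagination prompts, the echoed command and the trailing prompt end up in the file and break any comparison with a previous capture. The following Python is an added example, not the vendor's code: it cleans such a capture and compares two captures stanza by stanza, which is the basis of simple configuration-drift detection. The sample captures are constructed from the output shown above (taken with a wide terminal, so no lines are wrapped), with one stanza changed in the second capture; the `ip http port` stanza is a constructed value.

```python
"""Clean a paginated `show running-config` capture and diff two captures.

Added example, not vendor code. Sample captures are constructed from the
output shown in this section. Wrapped lines are not rejoined: capture with
'set cli pagination off' and a wide terminal so that none occur.
"""
import re
from typing import List, Tuple

MORE_PROMPT = re.compile(r"^\s*-+\s*More\s*-*\s*$", re.IGNORECASE)  # "--More" / "--More--"
CLI_PROMPT = re.compile(r"^\S+(\(config[^)]*\))?[#>]")              # "3180#", "3180(config)#"

# Constructed baseline capture, based on the page's example output.
SAMPLE_BASELINE = """\
3180# show running-config
#Building configuration...
snmp trap syslog-server-status
!
no smtp authentication
!
!
queue 1 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1 queue-type unicast
!
--More
queue 3 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1 priority 2 queue-type unicast
!
3180#
"""

# Constructed later capture: the smtp stanza is gone and an HTTP port stanza appeared.
SAMPLE_CHANGED = SAMPLE_BASELINE.replace("no smtp authentication", "ip http port 8080")

Stanza = Tuple[str, ...]


def clean_capture(raw: str) -> List[str]:
    """Return only configuration lines: drop CRs, blank lines, the echoed command
    and trailing prompt, the 'Building configuration' banner and '--More' prompts."""
    lines: List[str] = []
    for line in raw.replace("\r", "").split("\n"):
        stripped = line.rstrip()
        if not stripped:
            continue
        if MORE_PROMPT.match(stripped) or CLI_PROMPT.match(stripped):
            continue
        if stripped.startswith("#Building configuration"):
            continue
        lines.append(stripped)
    return lines


def config_stanzas(raw: str) -> List[Stanza]:
    """Split the cleaned configuration into stanzas delimited by '!' lines."""
    stanzas: List[Stanza] = []
    current: List[str] = []
    for line in clean_capture(raw):
        if line == "!":
            if current:
                stanzas.append(tuple(current))
                current = []
        else:
            current.append(line)
    if current:
        stanzas.append(tuple(current))
    return stanzas


def diff_configs(baseline: str, current: str) -> Tuple[List[Stanza], List[Stanza]]:
    """Stanzas added in `current` relative to `baseline`, and stanzas removed."""
    base, cur = set(config_stanzas(baseline)), set(config_stanzas(current))
    return sorted(cur - base), sorted(base - cur)
```

Scheduling the capture and diff against a known-good baseline is a cheap way to notice configuration changes on a field device that is not otherwise monitored; any unexpected `added` or `removed` stanza is worth a ticket.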
2.3 Configuring the Switch
Default State of Configuration
The default configuration of the switch as shipped from the factory is held in a file called nvram.txt.
The switch comes up with a VLAN configured. This VLAN is called the default VLAN (VLAN ID = 1). All ports in the switch are members of the default VLAN.
Configuration Database
By default, user configuration is saved in a file called 3180.conf. Configuration saved in this file will be available at system startup. If this file is deleted, the system will boot with the 3180nvram.txt file holding the factory configuration.
User configuration takes effect immediately upon entry. No specific COMMIT command is required.
The user can also save the running configuration in a file with a chosen name for backup and boot the system with this file when needed.
Multiple running configuration files can be saved with different names locally on the flash or on a TFTP/SFTP server.
However, configuration which is not saved as in the example below will not be available following a system reboot.
User configuration is saved (to 3180.conf) using the following command:
3180# write startup-cfg
Building configuration ...
[OK]
Removing all user configuration and setting the switch to its factory defaults is done by erasing 3180.conf with the following commands:
3180# delete startup-config
3180# reload
The 3180.conf and 3180nvram.txt files are not accessible to the user for file operations (copy, rename and such).
Command Hierarchy
+ Root
  - write startup-cfg
  - delete startup-config
  + Config terminal
    - incremental-save { enable | disable }
    - auto-save trigger { enable | disable }
    - show nvram

Command | Description
incremental-save { enable | disable } | Enable: enables the incremental save feature. Disable: disables the incremental save feature. Default: enable.
auto-save trigger { enable | disable } | Enable: enables the auto save trigger function. Disable: disables the auto save trigger function. Default: disable.
System Version and Running Configuration files
OS VERSION
Updating the system version is available via an SFTP server and via the USB port.
Available OS files on the switch can be seen with the command shown below. The running OS file is marked as active.
Upgrading the system OS from a USB drive is done under the safe mode interface.
Running Configuration
The user can save the running configuration to a file with a chosen name for backup and boot the system with this file when needed.
Multiple running configuration files can be saved with different names locally on the flash or on a TFTP/SFTP server.
It is also possible to import/export a running configuration file to a USB drive.
Command Hierarchy
+ Root
  - os-image show-list
  - os-image activate flash:
  - os-image delete flash:
  - os-image download-sw sftp://user:password@aa.bb.cc.dd/file_name
  - os-image download-sw tftp://aa.bb.cc.dd/file_name
  - startup-config {import | export} [flash: | sftp://user:password@aa.bb.cc.dd/ | tftp://aa.bb.cc.dd/]
  - logs-export [flash: | sftp://user:password@aa.bb.cc.dd/ | tftp://aa.bb.cc.dd/]
  - startup-config show files
  - reload
Note: The system must be rebooted following activation of a new OS image file.
Examples
Display Available OS Files
3180# os-image show-list
Versions list:
RF_3180_3.1.00.09.tar (active)
RF_3180_3.1.00.12.tar
Activating OS File
(will automatically reboot the device)
3180# os-image activate flash:RF_3180_3.1.00.12.tar
3180# os-image show-list
Versions list:
RF_3180_3.1.00.09.tar
RF_3180_3.1.00.12.tar (active)
Deleting Unneeded OS Files
3180# os-image delete flash:RF_3.1.00.09.tar
3180# os-image show-list
Versions list:
RF_3180_3.1.00.12.tar (active)
3180#
Downloading OS File from SFTP Server
Command syntax:
3180# os-image download-sw sftp://user:password@aa.bb.cc.dd/file_name
Example:
3180# os-image download-sw sftp://rad:<password>@<sftp-server-address>/RF_3180_3.1.00.12.tar
Exporting Configuration Database to SFTP Server
Command syntax:
3180# startup-config export sftp://user:password@aa.bb.cc.dd/file_name
Example:
3180# startup-config export sftp://rad:<password>@<sftp-server-address>/config_january13
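Two practical needs follow from the examples above: deciding which inactive image may be deleted after a new one has been verified, and recording the `download-sw` / `export` command in a change log without the SFTP password that the URL syntax embeds. The following Python is an added example, not the vendor's code: the `os-image show-list` sample is constructed from the output shown above, and the server address 192.0.2.10 and password in the test are constructed values.

```python
"""Helpers for the os-image / startup-config workflow of this section.

Added example, not vendor code. parse_os_image_list() reads `os-image
show-list` output (sample constructed from this page); redact_url() masks
the password in the sftp://user:password@host/path form that download-sw
and startup-config export take, so the command can be logged safely.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, matching the "Display Available OS Files" output above.
SAMPLE_SHOW_LIST = """\
Versions list:
RF_3180_3.1.00.09.tar (active)
RF_3180_3.1.00.12.tar
"""


@dataclass
class ImageInventory:
    active: Optional[str]   # image currently running, None if not marked
    inactive: List[str]     # other images stored on the flash


def parse_os_image_list(output: str) -> ImageInventory:
    """Parse `os-image show-list` output into the active image and the others."""
    active, inactive = None, []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):      # skip blanks and the "Versions list:" header
            continue
        if line.endswith("(active)"):
            active = line[: -len("(active)")].strip()
        else:
            inactive.append(line)
    return ImageInventory(active, inactive)


def stale_images(output: str, keep: str) -> List[str]:
    """Inactive images other than `keep` (the newly downloaded one), i.e. the
    candidates for `os-image delete flash:<name>` once `keep` has been verified."""
    return [name for name in parse_os_image_list(output).inactive if name != keep]


def redact_url(url: str) -> str:
    """Replace the password of a scheme://user:password@host/path URL with '***'.
    URLs without credentials (e.g. tftp://host/file) are returned unchanged."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_command(command: str) -> str:
    """Redact every URL argument of a CLI command line before it is logged."""
    return " ".join(redact_url(word) if "://" in word else word for word in command.split())
```

Keeping the redacted form in tickets and shell histories matters because the same SFTP account typically serves every switch in the estate; an unredacted copy of one `download-sw` line is a credential for all of them.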
2.4 Safe Mode
The system has two safe mode menus available.
To access safe mode, connect to the switch via the console cable, reboot the unit and interrupt the boot process at the safe mode prompt.
The first safe mode is for approved technicians only and should not be used unless specified by SecFlow. This safe mode state is available at the prompt:
For safe mode Press 's'...
The second safe mode is accessible at the following prompt:
##########################
For safe mode Press 's'...
##########################
The screenshots below detail the two safe mode menus and their options for:
1. System reset
2. Loading the factory-default configuration for the device
3. Writing to EEPROM (should be used only after consulting with SecFlow)
4. Recovering the device's images from a package file
5. Exporting / importing the DB (running configuration)
SW Image Upgrade and Recovery
In this sub-menu the user can handle system version update, activation or restore.
Example for OS Image Update from a USB Stored File
Follow the steps below as an example of uploading a desired OS image stored on a local USB key and activating it.
SW Image Upgrade and Recovery
In this sub-menu the user can handle the running configuration backup and restore.
2.5 System Commands
The list of CLI commands for system configuration is as follows:
+ Root
  - Help
  - clear screen
  - enable
  - disable
  - configure terminal / configure
  - run script
  - listuser
  - lock
  - username
  - enable password
  - line
  - access-list provision mode
  - access-list commit
  - exec-timeout
  - logout
  - end
  - exit
  - show privilege
  - show line
  - show aliases
  - show users
  - show history
Command Description
Help [command] This command displays a brief description for
the given command.
To display the help description for commands with more than one word, do not provide any space between the words.
clear screen clears all the contents from the screen.
Enable [ Enable Level] This command enters into default level
privileged mode.
If required, the user can specify the privilege
level by enabling level with a password (login
password) protection to avoid unauthorized
user.
Disable [ Enable Level] This command turns off privileged commands.
The privilege level varies between 0 and 15. This
value should be lesser than the privilege level
value given in the enable command.
configure [terminal] Enters configuration mode.
run script This command runs CLI commands from the
specified script file.
listuser This command lists all the default and newly
created users, along with their permissible
mode.
Command Description
Lock This command locks the CLI console. It allows
the user/system administrator to lock the
console to prevent unauthorized users from
gaining access to the CLI command shell. Enter
the login password to release the console lock
and access the CLI command shell.
username This command creates a user and sets the
enable password for that user with the privilege
level.
alias - replacement string This command replaces the given token by the
given string and the no form of the command
removes the alias created for the given string.
access-list commit This command triggers provisioning of active
filter rules to hardware based on configured
priority. This command is applicable only when
provision mode is consolidated. Traffic flow would be impacted when filter rules are reprogrammed to hardware.
logout This command exits the user from the console
session. In case of a telnet session, this
command terminates the session.
end Exits the configuration mode.
exit Exits the current config location one step up toward the root.
show privilege This command shows the current user privilege
level
show line This command displays TTY line information
such as EXEC timeout
show aliases This command displays all the aliases
show users This command displays the information about
the current user.
show history This command displays a list of recently
executed commands
2.6 System Features
The following CLI commands allow configuration of generic system parameters:
+ Root
+ Config terminal
default mode
default restore-file
default vlan id
default ip address
ip address
switchport
default ip address allocation protocol
ip address - rarp/dhcp
base-mac
login authentication
login authentication-default
authorized-manager ip-source
ip http port
set ip http
archive download-sw
interface-configuration and deletion
mtu frame size
system mtu
loopback local
bridge port-type
system-specific port-id
set custom-param
mac-addr
snmp trap link-status
write
copy
copy startup-config
copy running-config startup-config
copy logs
firmware upgrade
copy file
clock set
erase
cli console
flowcontrol
tunnel mode
tunnel checksum
tunnel path-mtu-discovery
tunnel udlr
shutdown - physical/VLAN/port-channel/tunnel Interface
debug interface
debug-logging
incremental-save
auto-save trigger
rollback
shutdown ospf | ospf3 | bgp | isis
start ospf | ospf3 | bgp | isis
set switch maximum threshold
set switch temperature threshold
set switch power threshold
mac-learn-rate
system contact
system location
clear interfaces counters
clear counters
show ip interface
show authorized-managers
show interfaces
show interfaces counters
show system-specific port-id
show custom-param
show interface mtu
show interface bridge port-type
show nvram
show env
show system information
show flow-control
show debug-logging
show debugging
show clock
show running-config
show http server status
show system acknowledgement
show mac-learn-rate
port-isolation in_vlan_ID
show port-isolation
private-vlan mapping
set timer speed
set front-panel port-count
audit-logging
audit-logging filename
audit-logging filesize
audit-logging reset
default rm-interface
vrf unq-mac
show config log
memtrace
show memtrace status
show mempool
hol blocking prevention
management vlan-list
internal-lan
show internal-lan
show iftype protocol deny table
clear line vty
tunnel hop-limit
tunnel hop-limit
login block-for
audit-logging logsize-threshold
feature telnet
show telnet server
show audit
set http authentication-scheme
set http redirection enable
http redirect
show http authentication-scheme
show http redirection
2.7 System Features Table
Command Description
default mode This command configures the mode by which
the default interface gets its IP address.
default restore-file
default vlan id
default ip address This command configures the IP address and
subnet mask for the default interface.
ip address This command sets the IP address for an
interface. The no form of the command resets
the IP address of the interface to its default
value.
switchport
default ip address allocation protocol This command configures the protocol used by
the default interface for acquiring its IP address.
ip address - dhcp configures the current VLAN interface to
dynamically acquire an IP address from a DHCP
server.
login authentication This command configures the authentication
method for user logins for accessing the GUI to
manage the switch.
login authentication-default configures the authentication method for user
logins for accessing the GUI to manage the
switch.
authorized-manager ip-source This command configures an IP authorized
manager and the no form of the command
removes manager from authorized managers
list.
ip http port This command sets the HTTP port. This port is
used to configure the router using the Web
interface. The value ranges between 1 and
65535. The no form of the command resets the
HTTP port to its default value.
set ip http This command enables/disables HTTP in the switch.
archive download-sw This command performs an image download
operation on a switch stack or on a standalone
switch to download a new image from a TFTP or
SFTP from a remote location, to the switch and
to overwrite or keep the existing image.
Command Description
mtu frame size configures the maximum transmission unit
frame size for all the frames transmitted and
received on all the interfaces in a switch.
snmp trap link-status enables trap generation on the interface. The no form of this command disables trap generation on the interface.
clock set This command manages the system clock.
Delete startup-config This command clears the contents of the
startup configuration
cli console This command enables the console CLI through
a serial port. The no form of the command
disables console CLI.
flowcontrol set the send or receive flow-control value for an
interface
[no] shutdown - physical/VLAN/port interface This command disables/enables a physical
interface / VLAN interface / port-channel
interface
debug interface This command sets the debug traces for all the
interfaces. The no form of the command resets
the configured debug traces.
debug-logging This command configures the displays of debug
logs. Debug logs are directed to the console
screen or to a buffer file, which can later be
uploaded, based on the input.
incremental-save This command enables/disables the incremental
save feature
auto-save trigger This command enables / disables the auto save
trigger function.
Rollback { enable | disable } This command enables/disables the rollback
function.
set switch maximum threshold This command sets the switch maximum
threshold values of RAM, CPU, and Flash
set switch temperature threshold This command sets the maximum and minimum temperature threshold values of the switch in Celsius.
mac-learn-rate configures the maximum number of unicast
dynamic MAC (L2) MAC entries hardware can
learn on the system
system contact
system location
clear interfaces counters
clear counters
show ip interface
show authorized-managers
show interfaces
show interfaces counters
show system-specific port-id
show custom-param
show interface mtu
show interface bridge port-type
show nvram: Displays the current information stored in the NVRAM.
show env: Displays the status of all resources (CPU, Flash and RAM usage) and also displays the current, power and temperature of the switch.
show system information: Displays system information.
show flow-control
show debug-logging
show debugging
show clock
show running-config
show http server status
show system acknowledgement
show mac-learn-rate
port-isolation in_vlan_ID
show port-isolation
private-vlan mapping
set timer speed
set front-panel port-count
audit-logging
audit-logging filename
audit-logging filesize
audit-logging reset
default rm-interface
vrf unq-mac
show config log
memtrace
show memtrace status
show mempool
hol blocking prevention
management vlan-list
internal-lan
show internal-lan
show iftype protocol deny table
clear line vty
tunnel hop-limit
tunnel hop-limit
login block-for
audit-logging logsize-threshold
feature telnet
show telnet server
show audit
set http authentication-scheme
set http redirection enable
http redirect
show http authentication-scheme
show http redirection
2.8 Command Hierarchy
+ Root
+ config terminal
- set switch maximum { RAM | CPU | flash } threshold
- set switch temperature { min | max } threshold
- show interfaces
- show nvram
- show system information
- show env { all | temperature | fan | RAM | CPU | flash | power }
- show running-config [{ syslog | dhcp | dhcp6 | qos | stp | la | pnac | igs | vlan | ospf | rip | ipv6 | ssh | ssl | acl | ip | vrrp | snmp | radius | rmon | ospf3 | igmp | eoam | igmp-proxy | route-map | tacacs | qosxtd | tac | sntp | entity-mib | http | lldp | ip http }]
2.9 Running a Text Script
The user can edit and run a text file of CLI commands.
Chapter 3
Ports
3.1 Introduction
Depending on the SecFlow-2 hardware variant ordered, your switch will hold physical Ethernet and serial ports:
Serial RJ-45 ports support RS-232; up to 4 ports.
Ethernet RJ-45 copper ports are 10/100 FE; up to 16 ports.
Ethernet SFP-based ports are 100/100 FE; up to 8 ports.
Ethernet SFP-based ports are 100/1000 GbE; up to 2 ports.
Graphical view of system Interfaces
3.2 Port Interfaces
Introduction
Depending on the hardware variant ordered, your switch will hold physical Ethernet and serial ports:
Serial RJ-45 ports support RS-232; up to 4 ports.
Ethernet RJ-45 copper ports are 10/100 FE; up to 16 ports.
Ethernet SFP-based ports are 100/100 FE; up to 8 ports.
Ethernet SFP-based ports are 100/1000 GbE; up to 2 ports.
Cellular interface: CEL1 with a dual-SIM GPRS/UMTS modem.
3.3 Managing Ports
A Logical View of Ports
The screenshots below show the typical ports available on a SecFlow-2 with 8 Ethernet ports.
The RS-232 ports are configured and identified in the application CLI mode and do not appear in show vlan output. See the Serial Interfaces chapter for more information.
Enabling Ports
To be accessible, the required interfaces must be activated. This is done with the no shutdown command.
Example of enabling port interface number 9:
3180(config)# interface gigabitethernet 0/9
3180(config-if)# no shutdown
3180(config-if)# end
3180# write startup-cfg
Note: Only interfaces that are operationally up can be used in tests.
The show interfaces command displays the complete information for all available interfaces.
Special Ports
Port Fastethernet 0/9 is designated for internal system functions and should not be addressed by the user unless specifically mentioned in the configuration setup of a feature in this manual. The properties of this port should not be changed from their default state.
Port Fastethernet 0/10 is unique in its purpose. It is not a user port but an internal system port designated to map serial traffic to the SecFlow internal processing unit. The port is an untagged member of the system VLAN 4092, which is also its PVID. This port should be used only in accordance with the configuration instructions given in the relevant chapters of this manual.
Ports Gigabitethernet 0/3 and Gi 0/4 are also unique ports. They are internal system ports used for directing traffic to the application-aware firewall and services. Their purpose is similar to that of the well-known ports 1/3/1 and 1/3/2 of the 3080 and 3700 SecFlow series. These ports should be used only in accordance with the configuration instructions given in the relevant chapters of this manual.
POE Ports
Depending on your hardware variant, POE ports might be applicable.
Note: Hardware supporting POE is named as follows:
When ordering SecFlow-2 with PoE, the hardware includes POE support on the 8 FE Ethernet ports 1-8. All POE ports are wired as Alternative-A (PoE runs on the FE twisted pairs).
When ordering SecFlow-2 with two PoE ports for Airmux, the hardware includes POE support on the 8 FE Ethernet ports 1-8. Ports 2 and 8 are wired as Alternative-B (PoE runs on the spare twisted pairs).
When ordering SecFlow-2 with four PoE ports for Airmux, the hardware includes POE support on the 8 FE Ethernet ports 1-8. Ports 2, 4, 6 and 8 are wired as Alternative-B (PoE runs on the spare twisted pairs).
Power Management of POE
1. The 8 POE ports support a total maximum power output of:
a. For 24 Vdc powered units: 80 W
b. For 48 Vdc powered units: 120 W
c. For AC powered units: 120 W
2. The 8 POE ports are divided into 2 groups; each group supports a maximum power output of:
a. For 24 Vdc powered units: 40 W
b. For 48 Vdc powered units: 60 W
c. For AC powered units: 60 W
3. The group division is as follows: Group 1: p1, p2, p3, p6; Group 2: p4, p5, p7, p8.
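The per-group and per-unit limits above are easy to exceed by accident when powered devices are cabled to adjacent ports that happen to fall in the same group. The following Python check is an added example (not code from the manual or from RAD) that takes a planned per-port load in watts and reports which group or unit budget would be exceeded for a given power-supply variant. The budget figures and group membership are those stated above; the sample device loads in the demo are constructed values.

```python
"""PoE power-budget check for the SecFlow-2 port groups (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Budgets stated in the manual, in watts, keyed by power-supply variant.
POE_BUDGET_W = {
    "24vdc": {"total": 80, "group": 40},
    "48vdc": {"total": 120, "group": 60},
    "ac": {"total": 120, "group": 60},
}

# Group membership stated in the manual (FE ports 1-8).
POE_GROUPS = {1: (1, 2, 3, 6), 2: (4, 5, 7, 8)}
POE_PORTS = frozenset(range(1, 9))


@dataclass
class BudgetResult:
    ok: bool
    total_w: float
    group_w: Dict[int, float]
    violations: List[str] = field(default_factory=list)


def check_poe_budget(power_variant: str, loads_w: Dict[int, float]) -> BudgetResult:
    """Check planned per-port PoE loads against the group and unit budgets.

    loads_w maps an FE port number (1-8) to the planned draw of the powered
    device in watts. A port outside 1-8, a group over its limit, and a total
    over the unit limit each produce one violation string.
    """
    variant = power_variant.lower()
    if variant not in POE_BUDGET_W:
        raise ValueError(f"unknown power variant {power_variant!r}")
    budget = POE_BUDGET_W[variant]
    violations: List[str] = []

    for port in sorted(loads_w):
        if port not in POE_PORTS:
            violations.append(f"port {port} is not a PoE port (PoE is on FE ports 1-8 only)")

    group_w: Dict[int, float] = {}
    for gid, members in POE_GROUPS.items():
        w = sum(loads_w.get(p, 0.0) for p in members)
        group_w[gid] = w
        if w > budget["group"]:
            violations.append(
                f"group {gid} (ports {members}) needs {w:.1f} W, limit {budget['group']} W")

    total = sum(w for p, w in loads_w.items() if p in POE_PORTS)
    if total > budget["total"]:
        violations.append(f"total {total:.1f} W exceeds unit limit {budget['total']} W")

    return BudgetResult(ok=not violations, total_w=total, group_w=group_w, violations=violations)


if __name__ == "__main__":
    # Constructed sample: three 15.4 W devices. On ports 1, 2 and 3 they all land in
    # group 1, which a 24 Vdc unit (40 W per group) cannot supply; moving one device
    # to port 4 (group 2) makes the same three devices fit.
    for plan in ({1: 15.4, 2: 15.4, 3: 15.4}, {1: 15.4, 2: 15.4, 4: 15.4}):
        result = check_poe_budget("24vdc", plan)
        print(plan, "OK" if result.ok else result.violations)
```

The check is deliberately conservative: it counts the planned draw of every device regardless of whether the port is Alternative-A (power on demand) or Alternative-B (forced, constant power), so a plan that passes here stays within budget even when every device is drawing at once.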
Modes of POE
Alternative-A wired ports supply POE power on demand. Non-POE equipment connected to such a port is protected, since it will not receive power over the Fast Ethernet communication lines.
Alternative-B wired ports supply POE power constantly (forced mode) when enabled.
Caution: Alternative-B POE ports work in forced mode and provide constant power on the twisted-pair lines. Make sure to connect only suitable equipment to these ports.
POE Command Hierarchy
+ Root
+ config terminal
+ interface
- poe force-mode { force | detect }
- poe admin-status { enable | disable }
- show poe-status port
POE Commands
Command: Description
config terminal
interface: Enters the specific interface. Only fastethernet ports are applicable. Permissible values: fastethernet.
poe: shutdown: port is POE enabled. no shutdown: port is POE disabled.
poe poe-power: detect: POE is available only upon negotiation with a connected POE load device. manual: POE is available constantly. Caution: connect only POE-capable load devices to ports that are in force mode. Note: ports that are hardware Alternative-B must be in manual mode.
show poe-status port: Shows the POE state of the port. The port number is in the range 1-8, corresponding to fastethernet 1-8.
Controlling Ports
Storm Control
Sets the storm-control rate for broadcast and multicast traffic.
Rate Limit Output
Enables rate limiting and burst-size rate limiting by configuring the egress packet rate of an interface. The no form of the command disables rate limiting and burst-size rate limiting on the egress port.
3.4 Port Command Hierarchy
+ Root
+ config terminal
+ interface
- [no] description DESCRIPTION
- [no] speed ( 10 | 100 | 1000 | auto )
- [no] duplex ( auto | full | half )
- [no] switchport pvid
- [no] system-specific port-id
- [no] snmp trap link-status
- flowcontrol ( receive | send ) ( desired | on | off )
- mtu
- [no] shutdown
- [no] storm-control { broadcast | multicast | dlf } level
- [no] rate-limit output [ rate-limit ] [ burst-limit ]
- switchport unicast-mac learning limit
- switchport unicast-mac learning { enable | disable }
- clear interfaces [ ] counters
- clear counters [ ]
- show interfaces [ ] [ vlan ]
- show interfaces
- show interface mtu
- show interfaces status
- show interfaces counters
- show interfaces capabilities
- show vlan port config [ port ]
- show running-config interface
3.5 Command Description
Command: Description
config terminal
interface
mtu frame size: Configures the maximum transmission unit (MTU) frame size for all frames transmitted and received on all interfaces of the switch. The MTU frame size can be increased with this command. The value ranges between 90 and 9216.
This value defines the largest PDU that can be passed by the interface without any need for fragmentation. It is shown to the higher interface sub-layer and should not include the size of the encapsulation or header added by the interface. It represents the IP MTU over the interface, if IP is operating over the interface.
Note: Any messages larger than the MTU are divided into smaller packets before transmission.
Default: 1500
system-specific port-id: Configures the system-specific index for the port. It provides a numbering space other than the IfIndex to identify ports. The value ranges between 1 and 16384.
Default: 0
[no] snmp trap link-status: Enables trap generation on the interface. The no form of this command disables trap generation on the interface.
The interface generates linkUp or linkDown traps. The linkUp trap denotes that the communication link is available and ready for traffic flow. The linkDown trap denotes that the communication link has failed and is not ready for traffic flow.
Default: enable
flowcontrol { send | receive } { on | off | desired }:
send: Sets the interface to send flow-control packets to a remote device.
receive: Sets the interface to receive flow-control packets from a remote device.
on: If used with receive, allows an interface to operate with the attached device to send flow-control packets. If used with send, the interface sends flow-control packets to a remote device if the device supports it.
off: Turns off the ability of the attached device (when used with receive) or of the local port (when used with send) to send flow-control packets to an interface or to a remote device, respectively.
desired: When used with receive, allows a local port to operate with an attached device that is required to send flow-control packets or that may send them. When used with send, allows the local port to send administrative status to a remote device if the remote device supports it.
storm-control: Sets the storm-control rate for broadcast, multicast and DLF packets.
broadcast: Broadcast packets
multicast: Multicast packets
dlf: Unicast packets
level: Storm-control suppression level as a total number of packets per second.
rate-limit output: rate-value: Line rate in kbps. burst-value: Burst size value in kbps.
clear interfaces [ ] counters: Clears all the current interface counters from the interface.
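The port commands in sections 3.3 to 3.5 are usually applied port by port from the console, which makes it easy to leave an unused port enabled or to mis-type a value outside the documented range. The following Python generator is an added example (not code from the manual or from RAD) that turns a list of port specifications into a CLI script in the same shape as the enabling-ports session above: unused ports get a description and shutdown, in-use ports get their mtu, system-specific port-id, storm-control and rate-limit output lines, and the internal system ports named under Special Ports (Fastethernet 0/9, 0/10 and Gigabitethernet 0/3, 0/4) are refused outright. The mtu range 90-9216 and the port-id range 1-16384 are the ones stated above. The exact argument syntax after storm-control ... level and rate-limit output, and the lower-case interface names, are assumptions based on the hierarchy listing and should be checked against the device before use; the sample port specs are constructed.

```python
"""Port-hardening script generator for SecFlow-2 port commands (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Internal system ports named under "Special Ports"; the generator refuses to touch them.
RESERVED_PORTS = {
    "fastethernet 0/9": "internal system functions",
    "fastethernet 0/10": "serial traffic mapping to the internal processing unit",
    "gigabitethernet 0/3": "internal port towards the application-aware firewall",
    "gigabitethernet 0/4": "internal port towards the application-aware firewall",
}

MTU_RANGE: Tuple[int, int] = (90, 9216)       # range stated for the mtu command
PORT_ID_RANGE: Tuple[int, int] = (1, 16384)   # range stated for system-specific port-id


class ConfigError(ValueError):
    """Raised when a port spec would produce an invalid or unsafe configuration."""


@dataclass
class PortSpec:
    name: str                               # e.g. "fastethernet 0/1" (assumed naming)
    in_use: bool                            # False: port is shut down
    description: str = ""                   # single token, as in "description DESCRIPTION"
    mtu: Optional[int] = None
    port_id: Optional[int] = None           # system-specific port-id
    broadcast_level: Optional[int] = None   # storm-control broadcast level (packets/s)
    egress_kbps: Optional[int] = None       # rate-limit output line rate in kbps
    burst_kbps: Optional[int] = None        # rate-limit output burst size in kbps


def _check_range(label: str, value: int, rng: Tuple[int, int]) -> None:
    lo, hi = rng
    if not lo <= value <= hi:
        raise ConfigError(f"{label} {value} is outside the allowed range {lo}-{hi}")


def render_port(spec: PortSpec) -> List[str]:
    """Return the CLI lines for one port, from 'config terminal' to 'end'."""
    key = " ".join(spec.name.lower().split())
    if key in RESERVED_PORTS:
        raise ConfigError(f"{spec.name} is reserved ({RESERVED_PORTS[key]}); leave it at defaults")
    if spec.description and len(spec.description.split()) != 1:
        raise ConfigError("description must be a single token")
    lines = ["config terminal", f"interface {key}"]
    if not spec.in_use:
        # Unused ports are labelled and left administratively down.
        lines += ["description UNUSED-DISABLED", "shutdown", "end"]
        return lines
    if spec.description:
        lines.append(f"description {spec.description}")
    if spec.mtu is not None:
        _check_range("mtu", spec.mtu, MTU_RANGE)
        lines.append(f"mtu {spec.mtu}")
    if spec.port_id is not None:
        _check_range("system-specific port-id", spec.port_id, PORT_ID_RANGE)
        lines.append(f"system-specific port-id {spec.port_id}")
    if spec.broadcast_level is not None:
        if spec.broadcast_level < 0:
            raise ConfigError("storm-control level must be non-negative")
        lines.append(f"storm-control broadcast level {spec.broadcast_level}")
    if spec.egress_kbps is not None:
        if spec.egress_kbps <= 0 or (spec.burst_kbps is not None and spec.burst_kbps <= 0):
            raise ConfigError("rate-limit values must be positive")
        burst = f" {spec.burst_kbps}" if spec.burst_kbps is not None else ""
        lines.append(f"rate-limit output {spec.egress_kbps}{burst}")
    lines += ["no shutdown", "end"]
    return lines


def render_script(specs: List[PortSpec]) -> str:
    """Render every port and finish with the 'write startup-cfg' step shown in the manual."""
    out: List[str] = []
    for spec in specs:
        out += render_port(spec)
    out.append("write startup-cfg")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample: one RTU uplink with storm control and an egress cap, one unused port.
    sample = [
        PortSpec("fastethernet 0/1", True, "RTU-uplink", mtu=1500,
                 broadcast_level=500, egress_kbps=10000, burst_kbps=512),
        PortSpec("fastethernet 0/5", False),
    ]
    print(render_script(sample))
```

Every spec is validated before any line is emitted, so a single bad value (for example an MTU of 9300, or a spec that names Fastethernet 0/10) aborts the whole script rather than leaving the switch half-configured.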
3.6 GPRS/UMTS Interface
Overview
An important benefit of the SecFlow portfolio is its support of a variety of medium