iS5 iSG18GFP User Manual

Intelligent Flexible Secure Gateway, IEC 61850-3 and IEEE 1613 compliant
iSG18GFP User Manual R3.5
Intelligent Flexible Secure Gateway
IEC 61850-3 and IEEE 1613 compliant
Ver: 1.3, Date: 04.28.2015
iSG18GFP User Manual Version 1.2, March 2015
iS5 Communications Inc.
#3-7490 Pacific Circle, Mississauga, Ontario, L5T 2A3
Tel: + 905 670 0004
Fax: + 289 401
Website: www.iS5Com.com
E-mail: support@iS5Com.com

Summary of Contents for iS5 iSG18GFP

  • Page 1 User Manual R3.5 Ver: 1.3 Date: 04.28.2015 Intelligent Flexible Secure Gateway IEC 61850-3 and IEEE 1613 compliant iSG18GFP User Manual Version 1.2 March 2015 iS5 Communications Inc. #3-7490 Pacific Circle, Mississauga, Ontario, L5T 2A3 Tel: + 905 670 0004 Website: www.iS5Com.com...
  • Page 2: Copyright Notice

    Copyright Notice Copyright © 2013 iS5 Communications Inc. All rights reserved. No part of this publication may be reproduced in any form without the prior written consent of iS5 Communications Inc. (iS5). Trademarks iS5Com is a registered trademark of iS5. All other trademarks belong to their respective owners.
  • Page 3: Revision History/Approvals

    This document is intended for the use of customers of IS5 Communications only for the purposes of the agreement under which the document is submitted, and no part of it may be reproduced or transmitted in any form or means without the prior written permission of IS5 Communications.
  • Page 4: Table Of Contents

    Contents (page numbers in parentheses): Copyright Notice (2); Trademarks (2); Regulatory Compliance Statement (2); Warranty (2); Disclaimer (2); Contact Information (2); Revision History/Approvals (3); Contents (4); Introduction (17); Key Features ...
  • Page 5 GCE Commands (32); GCE Commands Description (34); ACE Commands (40); Main Show Commands (41); GCE (41); ACE (42); System Version and Data Base (44); Configuration Database (44); OS VERSION ...
  • Page 6 POE command Hierarchy (63); POE Commands Description (63); Controlling Ports (64); Storm Control (64); Rate Limit Output (64); Ports command Hierarchy (64); Port Commands Description (65); Port Configuration Example ...
  • Page 7 VLAN (86); VLANs of System Usage (86); VLAN Range of NMS Usage (86); VLAN Configuration Guidelines (86); VLAN Default state (87); Vlan ports (87); Enabling VLAN (88); Vlan command Hierarchy ...
  • Page 8 Commands Hierarchy (102); Commands Description (103); Example (103); DDM (105); Commands Hierarchy (105); Commands Description (105); Example (106); Debugging (108); Commands Hierarchy (108); Commands Description ...
  • Page 9 Example (139); Clock and Time (139); Local Clock (139); Commands Hierarchy (139); Commands Description (140); Example (140); SNTP (140); SNTP command Hierarchy (140); SNTP Commands Descriptions (142); Example ...
  • Page 10 802.1x (169); 802.1x Commands Hierarchy (169); 802.1x Commands Descriptions (170); Examples (175); IGMP Snooping (176); IGS Commands Hierarchy (176); IGS Commands Descriptions (176); Example (179); ACLs ...
  • Page 11 STP Description (220); Bridge ID and Switch Priority (221); Election of the Root Switch (221); Default state (221); STP Hierarchy (222); Commands Descriptions (222); RSTP/MSTP (228); RSTP Description ...
  • Page 12 OSPF GCE Commands Descriptions (264); OSPF ACE Commands Hierarchy (280); OSPF ACE Commands Descriptions (281); OSPF setup example (282); VRRP (286); RIP Commands Hierarchy (286); VRRP Commands Descriptions (287); Example ...
  • Page 13 Transparent Serial Tunneling (347); Concept of Operation (347); Supported Network topologies (348); Point to Point (348); Point to multipoint point (349); Multi Point to multipoint point (350); Modes of Operation ...
  • Page 14 Modbus Gateway (375); Implementation (375); Modbus Gateway Commands Hierarchy (375); Modbus Gateway Commands Description (376); Example (377); DNP3 Gateway (380); Example (380); Protocol Gateway IEC 101 to IEC 104 (382); Modes of Operation ...
  • Page 15 IPSec Command Association (404); IPSec Commands Hierarchy (405); IPsec Commands (406); IPSec defaults (410); GPRS/UMTS Interface (411); Overview (411); Hardware (411); Method of operation (412); SIM card state ...
  • Page 16 L2 VPN over Cellular Setup (437); Gateway 101/104 over L2 Cellular Setup (443); Terminal Server and Serial tunneling over L2 Cellular Setup (448); L3 DM-VPN over Cellular Setup (453); Network drawing ...
  • Page 17: Introduction

    As Industrial Ethernet switches, the IS5 Communications switches provide a strong Ethernet and IP feature set with special emphasis on fitting the mission-critical industrial environment: suitability for harsh environments, high reliability and network resiliency.
  • Page 18: Using This Document

    Using This Document Documentation Purpose This user guide includes the relevant information for configuring the IS5 Communications iSG18GFP functionalities. It provides the complete syntax for the commands available in the currently supported software version and describes the features supplied with the device.
  • Page 19: Conventions Used

    Conventions Used The conventions below are used to flag important information: NOTE indicates special information to which the user needs to pay particular attention. CAUTION indicates special instructions to avoid possible damage to the product.
  • Page 20: Hardware And Interfaces

    Hardware and Interfaces Introduction Depending on the iSG18GFP hardware variant ordered, your switch will hold physical Ethernet and serial ports. Serial RJ45 ports are RS-232, max 4 ports. Ethernet RJ45 copper ports are 10/100 FE, max 16 ports ...
  • Page 21: Graphical View Of Hardware

    Graphical view of Hardware Figure 1: iES18GFP variant Front Panel Product description: Port Description 8 x 10/100 Base TX RJ45 or 8 x 10/100 Base TX RJ45 PoE Ports 30W Max per port...
  • Page 22: Rear

    Rear The image below shows the DIN bracket on the back of the router. Circled in red are the mounting holes for the Panel bracket mounting option. Bottom The image below shows the 10 position terminal block and ground lug of the iSG4F.
  • Page 23: Logical System View

    Command Line Interface The CLI (Command Line Interface) is used to configure the iSG18GFP from a console attached to the serial port of the switch or from a remote terminal using Telnet or SSH. The following table lists the CLI environments and modes.
  • Page 24 Command Mode: Root. Access Method: this mode is available to the user following login. Prompt: iSG18GFP#. Exit Method: exiting this mode logs the user out of the system.
  • Page 25: Supported Functionalities

    Supported Functionalities The iSG18GFP is a feature-rich industrial unit supporting: L2 Ethernet switching; L3 dynamic and static routing; SCADA services; firewall; secure networking. The table below gives a high-level view of the supported feature sets and their corresponding configuration environment.
  • Page 26 The table below details the iSG18GFP supported features and their corresponding configuration environment. Group Feature Interfaces Cellular modem with 2 SIM cards FE RJ45 Ports Fiber Optic ports Gigabit ports POE ports...
  • Page 27 Group Feature Telnet Client Telnet server TFTP Client Web management interface Networking LLDP OAM CFM ITU-T Y.1731 Protection Conditioned/ scheduled system reboot ITU-T G.8032v2 Ethernet ring Link Aggregation with LACP MSTP IEEE 802.1s...
  • Page 28 Group Feature Time Local Time settings Diagnostics Counters & statistics per Port Led diagnostics Ping Port mirroring Relay Alarm Contact RMON Trace Route Serial IEC 101/104 gateway Gateway IEC 104 Firewall Serial Transparent Tunneling...
  • Page 29: System Default State

    System Default state The following table details the default state of features and interfaces. Feature Default state Ethernet Ports All ports are enabled Serial interfaces Disabled Cellular modem Disabled Vlan 1 Enabled. All ports are members...
  • Page 30 - clear screen - enable - disable - configure terminal / configure - run script - listuser - lock - username - enable password - line - access-list provision mode - access-list commit...
  • Page 31: Root Commands Description

    Root Commands Description Command Description Help [command] This command displays a brief description for the given command. To display help description for commands with more than one word, do not provide any space between...
  • Page 32: Gce Commands

    Command Description show line This command displays TTY line information such as EXEC timeout show aliases This command displays all the aliases show users This command displays the information about the current user.
  • Page 33 debug interface debug-logging incremental-save rollback shutdown ospf start ospf set switch maximum – threshold set switch temperature – threshold set switch power – threshold mac-learn-rate system contact system location clear interfaces – counters...
  • Page 34: Gce Commands Description

    show audit set http authentication-scheme set http redirection enable http redirect show http authentication-scheme show http redirection GCE Commands Description Command Description default mode This command configures the mode by which the default interface gets its IP address.
  • Page 35 Command Description clock set This command manages the system clock. Delete startup-cfg This command clears the contents of the startup configuration cli console This command enables the console CLI through a serial port. The no form of the command disables console CLI.
  • Page 36 Command Description show interface mtu show interface bridge port-type show nvram This command displays the current information stored in the NVRAM. show env This command displays the status of all the...
  • Page 37 Command Description set http redirection enable http redirect show http authentication-scheme show http redirection audit-logging reset show config log clear line vty tunnel hop-limit tunnel hop-limit login block-for audit-logging logsize-threshold...
  • Page 38 Command Description feature telnet show telnet server show audit set http authentication-scheme set http redirection enable http redirect show http authentication-scheme show http redirection audit-logging reset show config log management vlan-list <port_list>...
  • Page 39 Command Description show iftype protocol deny table clear line vty login block-for...
  • Page 40: Ace Commands

    ACE Commands The Application Configuration Environment list of main CLI commands is shown below. + Application connect + Router {interface | route |static |ospf |ip |rip} + cellular { connection | continuous-echo| disable |enable| modem|...
  • Page 41: Main Show Commands

    Main Show Commands [System Information] os-image show-list show system information show env all [Vlan & Ports] show vlan show running-config interface fastethernet 0/<1-8> show running-config interface gigabitethernet 0/<1-2> show vlan port config...
  • Page 42: Ace

    [STP] show spanning-tree detail show spanning-tree summary [ERP] show running-config ecfm show ethernet cfm domain show ethernet cfm service show ethernet cfm maintenance-point local show ethernet cfm maintenance-points remote show ethernet cfm global information...
  • Page 43 [Cellular] cellular wan show cellular settings show cellular network show cellular connection show [VPN & IPSec] application connect dm-vpn multipoint-gre dm-vpn nhrp map dm-vpn nhrp map dm-vpn nhrp route-show l2-vpn tunnel show...
  • Page 44: System Version And Data Base

    Configuration Database By default User configuration is saved in a file called iSG18GFP.conf. Configuration saved in this file will be available at system startup. If this file is deleted, the system will boot with the iSG18GFPnvram.txt file holding factory configuration.
  • Page 45: Running Configuration

    The iSG18GFP can hold a maximum of two OS image files on its disk. Before downloading a new OS file to the switch, make sure the iSG18GFP holds only one (the active) file. If needed, delete the unused file before attempting to download a new one.
  • Page 46: Example Upgrade The Os From Usb

    Example upgrade the OS from USB The following flow demonstrates how to upgrade the OS image file from a USB. Connect to the switch via console and establish CLI management. Have a USB stick, formatted to FAT32, holding the OS version in its root directory.
  • Page 47: Example Upgrade The Os From Sftp

    Example upgrade the OS from SFTP The following flow shows how to upgrade the OS image file from an SFTP server. 1. Display available OS files iSG18GFP# os-image show-list Versions list: IS_5018_3.5.03.11 (active)
  • Page 48: Example Export Db And Logs

    2. Activating db file from flash iSG18GFP# startup-config import flash: db_february startup-config import Successful Reload to use new db iSG18GFP# reload Example Import db from TFTP The following flow shows how to import configuration from a TFTP server 1.
  • Page 49: Safe Mode

    To access safe mode, connect to the switch via console cable, reboot the unit and interrupt the boot process at the safe mode prompt. The first safe mode is for approved technicians only and should not be used unless specified by IS5 Communications. This safe mode state is available at the prompt “For first safe mode Press...
  • Page 50: Sw Image Upgrade And Recovery

    ----------------------------------------------------------------------------------------- |safe mode menu: reset | 1 : Reset the device defcfg | 2 : Load the factory-default configuration for the device eeprom | 3 : Write to EEPROM recover | 4 :...
  • Page 51: Install Os Image Update From A Usb

    Install OS image update from a USB Follow the steps below as an example of uploading a desired OS image stored on a local USB key and activating it. Access the second safe mode, use option 4 “recover” and list the current OS images available on the switch.
  • Page 52 Delete the unused OS-Image file ----------------------------------------------------------------------------------------- |safe mode menu: reset | 1 : Reset the device defcfg | 2 : Load the factory-default configuration for the device eeprom | 3 : Write to EEPROM...
  • Page 53 Device Image Recovery ######################################### ####################################################################### | 1 : Download the package file from USB | 2 : List the available application files active | 3 : Change the active working application show...
  • Page 54: Installing First Os Image From A Usb

    For main menu press X 4.0.02.10 Updating bank1 with vmlinux.UBoot file, please wait ... Installing First OS image from a USB Follow the steps below as an example of installing a first version from a USB. The local database and any active OS image will be deleted.
  • Page 55: System Database Import/ Export

    System Database Import/ Export To import/export the system configuration database, access the second safe mode, use option 4 “recover” and list the current OS images available on the switch.
  • Page 56 | 5 : Export / Import DB continue | c : Continue in start up process help | H : Display help about this utility ######################################################### Export / Import DB ############################### #########################################################...
  • Page 57: Port Interfaces

    Port Interfaces Port addressing The ports are configured as <interface type> <port id> Command Description interface-type <> Specify the interface type: fastethernet, gigabitethernet Port id <> Specify the port id as slot number/port number...
  • Page 58: A Logical View Of Ports

    A logical view of ports The screenshots below show the typical ports available on an iSG18GFP with 8 Ethernet ports. NOTE The RS-232 ports are configured and identified within the ACE CLI mode and are not seen at “show vlan”. See chapter Serial Interfaces for more information.
  • Page 59: Enabling Ports

    Enabling Ports In order to be accessible, the required interfaces must be activated. This is done using the no shutdown command. Example of enabling port interface number 5 iSG18GFP(config)# interface gigabitethernet 0/5...
  • Page 60: Vlan Assignment

    Vlan assignment The assignment of the ACE ports to a VLAN is always as a tagged member. The following table summarizes port VLAN membership depending on the network planning. Networking / port...
  • Page 61: Poe Ports

    Depending on your hardware variant POE ports might be applicable. Hardware supporting POE is named: IS5-ISG18GFP-<P>-<T>/<E>/8PE30/<R>/<C> - hardware includes 8 POE support on the FE Ethernet ports 1-8. All POE ports are wired as Alternative-A (PoE runs on the FE twisted pairs) IS5-ISG18GFP-<P>-<T>/<E>/8PE302RW/<R>/<C>...
  • Page 62: Modes Of Poe

    Date: 04.28.2015 The 8 POE ports divided to 2 groups ,each group supports maximum power output of: 1. For 12Vdc powered units (IS5-ISG18GFP-24../PE) : 30w 2. For 24Vdc powered units (IS5-ISG18GFP-24../PE) : 40w 3. For 48Vdc powered units (IS5-ISG18GFP-48../PE) : 60w 4.
  • Page 63: Poe Command Hierarchy

    User Manual R3.5 Ver: 1.3 Date: 04.28.2015 POE command Hierarchy + Root + config terminal + interface <type> <port id> poe-power { detect | manual } poe { shutdown | no shutdown } - show poe-status port <1-8> POE Commands Description...
  • Page 64: Controlling Ports

    User Manual R3.5 Ver: 1.3 Date: 04.28.2015 Controlling Ports Storm Control Sets the storm control rate for broadcast, multicast Rate Limit Output Enables the rate limiting and burst size rate limiting by configuring the egress packet rate of an interface and the no form of...
  • Page 65: Port Commands Description

    - show interfaces <type> <port id> - show interface mtu - show interfaces status - show interfaces counters - show interfaces capabilities - show vlan port config [port <type> <port id>] - show running-config interface <type>...
  • Page 66 Command Description: switchport pvid. The PVID is the VLAN ID assigned to untagged frames: a packet accepted at ingress without a tag is processed against the PVID.
  • Page 67 Command Description: { on | off | desired } On: if used with receive, allows the interface to operate with the attached device to send flow control packets; if used with send, the interface...
  • Page 68: Port Configuration Example

    100 Set a port as Trunk. Make sure to remove it from any VLAN in which it is an untagged member. iSG18GFP(config)# Vlan 1 iSG18GFP(config-vlan)# no ports fastethernet 0/1 untagged fastethernet 0/1 iSG18GFP(config-vlan)# exit iSG18GFP(config)# interface fastethernet 0/1...
  • Page 69: Login And Management

    No-Negotiation Auto-MDIX on Fa0/3 not connected Half Auto Auto-MDIX on … iSG18GFP# show vlan port config port fastethernet 0/1 Vlan Port configuration table ------------------------------- Port Fa0/1 Bridge Port Type : Customer Bridge Port Port Vlan ID Port Acceptable Frame Type...
  • Page 70 - login authentication default - login block-for <seconds(30-600)> attempts <tries(1-10)> - username <user-name> password [8-20 char] privilege <1-15> - username <user-name> status [enable | disable] - no username <user-name> - show authorized-manager [ip-source <...
  • Page 71: Login Authentication Commands Description

    Login Authentication Commands Description. Command Description: Config terminal. authorized-manager ip-source: This command configures an IP authorized manager; the no form of the command removes the manager from the authorized managers list. <ip-address>: Sets the network or host address from which the switch is managed.
  • Page 72 Command Description: [no] login authentication default: Sets the default authentication method for user logins. [no] username: Sets a new user. Username: must be 1-20 characters long. - Allowed lowercase and capital letters. - Allowed numbers: 0-9 - Allowed special symbols: –...
  • Page 73: Examples

    Examples. Configure a user: iSG18GFP(config)# username company-ceo password User#123 privilege 15. Example of assigning an authorized manager: iSG18GFP(config)# authorized-manager ip-source 10.10.20.20 / 32 interface fastethernet 0/1 vlan 1 service ssh snmp telnet iSG18GFP(config)# authorized-manager ip-source 10.10.10.10...
  • Page 74: Privilege Level

     logout. Users with privilege level 1 can access all user-level commands at the iSG18GFP> prompt. The system allows additional privilege levels (2 to 14) to be configured to meet users' needs while protecting the system from unauthorized access.
  • Page 75: Serial Console Port

    Command Description: Password <passwd>: Specifies the password the user enters to log in to the system. The password must contain 8-20 characters and must include at least one of each character type:...
  • Page 76: Cli Console Commands

    The table below details the console cable pin-out. RJ45 Male / DB9 Female. CLI Console Commands: This command enables the console CLI through a serial port. The no form of the command disables the console CLI.
  • Page 77: Default State

    Default state. Feature: Default state. Vlan 1: Active, all ports are members. Layer 3 interface: interface vlan 1 is set to 10.0.0.1/8. Enabled. Telnet: Disabled. Http: Disabled. Console: Enabled. User: user name su...
  • Page 78: Commands Description

    Default name is “iSG18GFP”. set welcome-banner: Sets the welcome banner shown on the login screen. Default is “Welcome IS5 Communications customer”. If spaces are required, place the complete title in double brackets. The switch supports an SSH client, allowing it to open an SSH session to a remote partner.
  • Page 79: Example

    Command Description: line vty: Sets the idle timeout for telnet/ssh sessions to the switch. exec-timeout: given in seconds; default 300 seconds. [no] cli: This command enables the console CLI through a serial port.
  • Page 80 Config vlan 10 ports fastethernet 0/1-2 untagged fastethernet 0/1 exit 2. Enable the required ports interface fastethernet 0/1 no shutdown switchport pvid 10 map switch default exit interface fastethernet 0/2 no shutdown...
  • Page 81: System Alias

    Pressing the Q key interrupts the output entirely. Turning CLI pagination on/off is available with the following commands: iSG18GFP(config)# set cli pagination on iSG18GFP(config)# set cli pagination off An output example of a show command with pagination set to on: iSG18GFP# show running-config #Building configuration...
  • Page 82: Mac-Address Table (Fdb)

    queue 1 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1 queue-type unicast queue 3 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1 priority 2 queue-type unicast --More-- MAC-Address Table (FDB). Port MAC learning and limit: the administrator configures the MAC learning status of each port as enabled or disabled.
  • Page 83: Configuration Example

    Otherwise it will be learned at vlan 1. IP traffic is learned with the VLAN tag by default. Configuration Example 1. Place a static entry: iSG18GFP(config)# mac-address-table static unicast 02:20:d2:fc:1c:95 vlan 1 interface fastethernet 0/4 iSG18GFP# show mac-address-table Switch default Vlan...
  • Page 84: Commands Description

    IP alias. Vlan <vlan-id(1-4094)> Configuration Example 1. Set timeout iSG18GFP# config iSG18GFP(config)# arp timeout 50 2. Set static entry iSG18GFP(config)# arp 172.18.212.100 00:11:22:33:44:55 Vlan 1 3. Output example iSG18GFP# show ip arp VRF Id VRF Name: default Address Hardware Address...
  • Page 85 iSG18GFP# show ip arp information ARP Configurations: ------------------- VRF Name: default Maximum number of ARP request retries is 3 ARP cache timeout is 50 seconds
  • Page 86: Vlan

    VLAN Range of NMS Usage. The IS5 Communications iSIM NMS uses a configurable range of VLANs for the creation and management of services. The user should take care not to manipulate NMS-created VLANs.
  • Page 87: Vlan Default State

    - Mapping of a forwarding database identifier (FID) to VLANs succeeds only when the VLAN learning mode is hybrid. - To configure a static unicast/multicast MAC address in the forwarding database, the VLAN must already be configured and member ports must be configured for the specified VLAN.
  • Page 88: Enabling Vlan

    NOTE Adding ports to a VLAN with the command “ports <type>..” removes all existing ports from the VLAN and associates only the listed ports with it. Adding ports to a VLAN with the command “ports <type>..”...
  • Page 89: Configuration Example

    Configuration Example 1. Setting all ports of the iSG18GFP to vlan 1 as untagged members: config vlan 1 ports fastethernet 0/1-8 untagged fastethernet 0/1-8 ports add gigabitethernet 0/1-2 untagged gigabitethernet 0/1-2 exit...
  • Page 90 A static unicast entry requires the VLAN to be configured and the member ports for that VLAN to be configured as well. iSG18GFP(config)# mac-address-table static unicast 22:22:22:22:22:22 VLAN 2 recv-port gigabitethernet 0/1 interface gigabitethernet 0/2
  • Page 91: Ip Interfaces

    IP Interfaces. The iSG18GFP supports multiple layer 3 interfaces for the purposes of: - Routing. - Management. - Serial services. An IP interface is always assigned to a VLAN.
  • Page 92: Commands Description

    - show ip interface [vlan <vlan id>] [loopback <loopback id>] - show running-config interface vlan <vlan id> - show ip route [ { <ip-address> [<mask>] | connected |ospf | rip | static | summary...
  • Page 93: Default State

    Command Description: <distance> (1-254). Default state: iSG18GFP# show ip interface vlan1 is up, line protocol is up Internet Address is 10.0.0.1/8 Broadcast Address 255.255.255.255 vlan4093 is up, line protocol is up Internet Address is 7.7.7.4/29 Broadcast Address 7.7.7.7...
  • Page 94: Static & Dynamic Switch Default Ip Address Assignment

    Broadcast Address 172.17.203.255 IP address allocation method is dynamic IP address allocation protocol is dhcp Static & Dynamic switch Default IP Address assignment + root + config terminal + default mode [dynamic | manual] + default ip address <ip-address>...
  • Page 95 Command Description: subnet-mask <subnet mask>: Sets the subnet mask for the configured IP address. The subnet mask must match the subnet of the network in which the switch is placed. Default: 255.0.0.0...
  • Page 96: Ace Ip Interfaces

    ACE IP Interfaces. The following services require an IP interface, and possibly routes, to be assigned in the Application Configuration Environment. Multiple IP interfaces are optional. Application IP interfaces are supported on top of the layer 3 interfaces configured in the GCE and may be routed with them.
  • Page 97: Ace Ip Interface Commands Description

    ACE IP Interface Commands Description. Command Description: Application connect: Enter the industrial application menu. Router: Enter the application router configuration mode. interface: Add or remove an IP interface for the application engine. The configuration should include: create | remove ...
  • Page 98: Diagnostic

    [/]router interface show +------+----------+------------------+------------------+-------------+ | VLAN | Name | IP/Subnet | Purpose | Description | +======+==========+==================+==================+=============+ | 100 | eth1.100 | 172.17.212.10/24 | application host | | +------+----------+------------------+------------------+-------------+ [router/] static router/static> enable router/static# configure terminal router/static(config)# ip route 0.0.0.0/0 172.17.212.100...
  • Page 99: Environment Commands Description

    Environment Commands Description. Command Description: Config terminal. Interface <type> <port id>. [no] snmp trap link-status: This command enables trap generation on the interface. The no form of this command disables trap generation on the interface.
  • Page 100: Rmon

    RMON RMON (Remote Monitoring) is a standard monitoring specification that enables various network monitors and console systems to exchange network-monitoring data. The RMON specification defines a set of statistics and functions that can be exchanged between RMON-compliant console managers and network probes.
  • Page 101: Example

    1 owner iS5 Communications iSG18GFP# show rmon statistics 1 RMON is enabled Collection 1 on Fa0/1 is active, and owned by iS5 Communications, Monitors ifEntry.1.1 which has Received 5449624 octets, 73797 packets, 73797 broadcast and 0 multicast packets,...
  • Page 102: Commands Description

    Commands Description. Command Description: Logs-export: Exports the logs to a server or to a USB flash drive. The USB drive must be FAT32 formatted and mounted. To mount a USB drive, insert it into the switch USB port and reboot the switch.
  • Page 103: Commands Description

    + capture - start –i eth1.<vlan id> [-C] [-s] [-y] [expression <>] start –i eth2 {-C} [-s] [-y] [expression <>] stop delete export remote-address <destination address,A.B.C.D> show {captured-packets | status} help Commands Description...
  • Page 104 ports add fastethernet 0/5 gigabitethernet 0/3 untagged fastethernet 0/5 exit interface fastethernet 0/5 switchport pvid 20 Set an ip interface in the ACE for the vlan application connect router interface create address-prefix 172.18.212.235/24 vlan 20...
  • Page 105: Ddm

    The system supports DDM (digital diagnostics monitoring) information for fiber SFP modules that provide it. The SFP ports are gigabitethernet 0/1 and 0/2. If the SFP itself supports DDM, diagnostics are available at the CLI.
  • Page 106: Example

    Example Below is a show output of a DDM supporting SFP iSG18GFP# show sfp-port ddm ______ Diagnostic Data For gigabitethernet 0/1 ______ Diagnostics Rev 9.5 supported on SFP ______ ALARM Bits ______ WARNING Bits ______...
  • Page 107 Link Length Support 2000m for 62.5/125 mm fiber link Transceiver type : Cable Connector Vendor Name MICROSENS Encoding Manufacture Date 2013/03/29 - 0 Media Serial Number 0028 0004 Tx Laser Wavelength Part Number...
  • Page 108: Debugging

    Debugging. Debug logging allows feature-related logs to be displayed at the terminal. Debug logging is implemented per feature and is disabled by default for all features. Commands Hierarchy + root [no] debug ring...
  • Page 109: Commands Description

    Commands Description. Command Description: debug-logging { console | file | flash }: Console: displays the debug logs on the console. File | flash: stores the debug logs in a file (this feature is planned for R4.0). No logging: sends the debug logs to the console.
  • Page 110: Syslog

    Syslog Syslog is a protocol used for capturing log information for devices on a network. The syslog protocol provides a transport to allow a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers.
  • Page 111: Gce Message Format

    GCE Message Format. The following describes the IS5 Communications structure of syslog messages generated by GCE processes. Console message format: the message format when sent to the CLI console is {<PRI> [Time Stamp] [Host Name] [App]} {[MSG]}. Examples of messages received at the CLI: <134>May...
  • Page 112: Ace Message Format

    ACE Message Format. The following describes the IS5 Communications structure of syslog messages generated by ACE processes. ACE Message severity: Severity / S indicator / Description: Emergency: system is unusable. Alert: action must be taken...
  • Page 113 Ver: 1.3 Date: 04.28.2015 Firewall TCP SCADA Protocols The following will describe the IS5 Communications structure of syslog messages generated for firewall of IEC 104, DNP3 TCP, MODBUS TCP. Console message format The message format when sent to the CLI console is as follow,...
  • Page 114 Date: 04.28.2015 |ID=80|T=2014-05-12,11:52:59 |S=A|SG=3500|SRC=172.18.212.50:52011|DST=172.18.212.46:2404|LEN=56|TTL=128|PROTO=iec104| MSG=[0x101][45,0]:FW PROTOCOL protcol type missmatch| (170 bytes) Firewall Serial SCADA Protocols The following will describe the IS5 Communications structure of syslog mssages generated for firewall of IEC 101, DNP3 RTU, MODBUS RTU. IP=IP_ADDR|SLOT=SLOT_NUMBER|PORT=PORT_NUMBER|DIR=DATA_MSG_DIR|LEN=DATA_MSG _LEN|PROTO=PROTOCOL_NAME|MSG=VIOLATION_DESCR| Message fields description...
  • Page 115 Command Description: VIOLATION_DESCR: The FW violation description string. The following format is used: [Major Protocol Id,Minor Protocol Id]:Violation description string. Major Protocol: Major protocol id value – the Function Code for ModBus; for IEC101/104 the Type Id...
  • Page 116 Command Description VIOLATION_DESCR The following values are available for MODBUS protocol violations: "Modbus validity: illegal function" "Modbus validity: illegal sub-function" "Modbus validity: illegal encapsulated interface" "Modbus validity: unknown device ID" "Modbus validity: illegal quantity "...
  • Page 117 Command Description SLOT_NUMBER Serial Slot number on IS5 Communications equipment PORT_NUMBER Serial port number on IS5 Communications equipment DATA_MSG_DIR The field defines data message direction. The following values are available: "access", "network", "N/A",...
  • Page 118 Cellular logs. The following describes the cellular logs. Message fields description: the following further describes the syslog message fields. Syslog message / Description: "admin status <UP|DOWN>": Cellular enabled/disabled. "Modem is busy or no ready SIM, Modem is not responsive or SIM cards are not present retrying..."...
  • Page 119 <134>May 13 13:32:16 iSG18GFP Cellular Only SIM in slot 1 is ready <133>May 13 13:32:20 iSG18GFP Cellular SIM[1] state chg: READY -> CONNECTING... <134>May 13 13:32:23 iSG18GFP Mgmt Handle interface DOWN, walk over upper layer devices via ppp0 <134>May 13 13:32:28 iSG18GFP Cellular ppp0 connected to cellcom,IP 109.253.86.77, BAND=WCDMA 850 MHz, Channel=4413 <133>May 13 13:32:28 iSG18GFP Cellular SIM[1] state chg: CONNECTING...
  • Page 120 Alarm Relay logs. The following describes the alarm relay logs. "Got '<SET|CLEAR>' event from <Manual Alarm Test|Manual D-out1 Test|Manual D-out2 Test|CPU usage|Temperature|System Power|L2VPN|GIGA Ethernet Port 9|GIGA Ethernet Port 10|Cellular|IPSec|Serial|All>:<STRING from the module>...
  • Page 121: Commands Hierarchy

    Commands Hierarchy + config terminal - debug-logging [console | file | flash] +[no] logging - On - buffered <1-200> - console - facility {local0 | local1 |local2 | local3 | local4 | local5 | local6 |...
  • Page 122: Commands Description

    Commands Description. Command Description: Config terminal. logging buffered - Limits the syslog messages displayed from an internal buffer; the buffer size ranges between 1 and 200 entries. console - Limits the messages logged to the console.
  • Page 123 Command Description: logging-server <short(0-191)> - Sets the priority for the syslog messages: 0 is the lowest priority, 191 the highest. ipv4 <ucast_addr> - Sets the server address type as Internet Protocol version 4. Port <integer(0-65535)> - Sets the port number through which the syslog messages are sent.
  • Page 124: Configuration Example

    128 172.17.203.35 port 1234 udp iSG18GFP(config)# logging-server 129 172.17.203.35 port 1234 udp iSG18GFP(config)# logging-server 130 172.17.203.35 port 1234 udp iSG18GFP(config)# logging-server 131 172.17.203.35 port 1234 udp iSG18GFP(config)# logging-server 132 172.17.203.35 port 1234 udp...
  • Page 125: Output Example

    <134>May 13 14:07:46 iSG18GFP CFA Slot0/7 Link Status [DOWN] <133>May 11 09:52:21 iSG18GFP CFA IP Address change in Default vlan interface. <134>May 11 13:34:52 iSG18GFP Mgmt Got 'SET' event from GIGA Ethernet Port 9: SFP port #9 is Down (no output port) <134>May 11 13:34:52 iSG18GFP Mgmt Got 'SET' event from GIGA Ethernet Port 10: SFP port #10...
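    The message formats above (the GCE console layout, the pipe-delimited firewall records for TCP and serial SCADA protocols, and the [Major,Minor]:description violation string) are what a collector has to parse before it can alert on them. The following is an added example, not code from the iS5 manual or from iS5: it parses such lines, decodes the <PRI> value into facility and severity (PRI = facility × 8 + severity, which is why the logging-server priority range is 0-191), and pulls out the firewall fields. The cellular line is the manual's own output; the two firewall lines are constructed for this example from the field lists the manual gives, and the "FW" application tag, the serial record's values and the Modbus function code 90 are assumptions.

```python
"""Added example (not iS5 code): parse iSG18GFP syslog output.

Handles the GCE console format  {<PRI> [Time Stamp] [Host Name] [App]} {[MSG]}
and the pipe-delimited firewall records for TCP (IEC 104, DNP3 TCP, Modbus TCP)
and serial (IEC 101, DNP3 RTU, Modbus RTU) SCADA protocols.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]

# e.g. <134>May 13 13:32:16 iSG18GFP Cellular Only SIM in slot 1 is ready
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<host>\S+) +(?P<app>\S+) +(?P<msg>.*)$")
# KEY=value| fields; the TCP and serial firewall records share this shape
_FIELD = re.compile(r"([A-Z_]+)=([^|]*)\|")
# "[Major Protocol Id,Minor Protocol Id]:Violation description string"
_VIOLATION = re.compile(r"\[(?P<major>\d+),(?P<minor>\d+)\]:(?P<text>.*)$")


@dataclass
class Event:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)
    major: Optional[int] = None        # Modbus function code / IEC type id
    minor: Optional[int] = None
    violation: Optional[str] = None    # firewall violation description

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def is_firewall_violation(self) -> bool:
        return "PROTO" in self.fields and self.violation is not None


def parse_line(line: str) -> Event:
    """Parse one console/syslog line; raises ValueError on anything else."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError(f"not an iSG18GFP syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    ev = Event(facility=pri // 8, severity=pri % 8, timestamp=m["ts"],
               host=m["host"], app=m["app"], message=m["msg"])
    ev.fields = {k: v.strip() for k, v in _FIELD.findall(m["msg"])}
    if "MSG" in ev.fields:
        v = _VIOLATION.search(ev.fields["MSG"])
        if v:
            ev.major, ev.minor = int(v["major"]), int(v["minor"])
            ev.violation = v["text"].strip()
    return ev


def endpoint(value: str) -> Tuple[str, Optional[int]]:
    """Split the 'ip:port' form used by the SRC/DST fields of TCP records."""
    host, sep, port = value.rpartition(":")
    return (host, int(port)) if sep else (value, None)


def firewall_violations(lines: List[str]) -> List[Event]:
    """Return only the firewall violation events from a batch of lines."""
    return [ev for ev in map(parse_line, lines) if ev.is_firewall_violation]


# The cellular line is from the manual; the two FW lines are constructed here.
SAMPLE_LINES = [
    "<134>May 13 13:32:16 iSG18GFP Cellular Only SIM in slot 1 is ready",
    "<132>May 12 11:52:59 iSG18GFP FW |ID=80|T=2014-05-12,11:52:59 |S=A|SG=3500"
    "|SRC=172.18.212.50:52011|DST=172.18.212.46:2404|LEN=56|TTL=128|PROTO=iec104"
    "|MSG=[0x101][45,0]:FW PROTOCOL protcol type missmatch|",
    "<132>May 12 11:53:10 iSG18GFP FW IP=172.18.212.46|SLOT=1|PORT=2|DIR=access"
    "|LEN=12|PROTO=modbus_rtu|MSG=[90,0]:Modbus validity: illegal function|",
]

if __name__ == "__main__":
    for ev in firewall_violations(SAMPLE_LINES):
        print(ev.severity_name, ev.fields["PROTO"], ev.major, ev.minor, ev.violation)
```

    Run it as a script to list the two violation records; in a collector, firewall_violations() is the hook where a rule such as "any Modbus illegal function from the access side" or "IEC 104 type-id mismatch toward the RTU on port 2404" would raise an alert, while the decoded severity drives routing of the ordinary GCE and cellular messages.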
  • Page 126: Alarm Relay

    Alarm Relay. The switch can signal system and feature alarms as a relay output. Two interfaces are available for the alarm: 1. A dedicated 3-pole mechanical relay marked “ALARM”.
  • Page 127: Supported Alarms

    Supported Alarms. SFP port state: Two Gigabit SFP-based ports are available on the unit. These are titled Gi 0/1 and Gi 0/2 (in the IF table they are 9 and 10). A port-down state on these interfaces is supported as an alarm trigger (relay state change) on the chosen relay interface.
  • Page 128: Commands Hierarchy

    Commands Hierarchy + root + application connect Alarm-relay - Add condition { sfp_eth9| sfp_eth10| temperature| cpu-usage| l2vpn| system-power } interface { alarm| d-out1| d-out2} admin-status {enable| disable} remove condition { sfp_eth9| sfp_eth10| temperature| cpu-usage| l2vpn|...
  • Page 129 Command Description: Add | update Condition: sets the trigger condition for the alarm. - temperature - Alarm set if the temperature exceeds 76 °C. - cpu-usage - Alarm set if CPU usage exceeds 95% for more than 60 sec.
  • Page 130: Monitor Session

    Command Description: interface: choose a target relay interface on which to set a static state (not dependent on a trigger condition). - Alarm – the “ALARM” relay interface. - d-out1 – Out channel 1 at the DRY-CONTACT interface.
  • Page 131: Commands Description

    | tx | both : monitor tx, rx or both. Default. set mirroring: Enable | disable the feature globally. Example iSG18GFP# config terminal iSG18GFP(config)# monitor session 1 source interface fa 0/1 both iSG18GFP(config)# monitor session 1 destination interface fa 0/2 iSG18GFP(config)# end SNMP Supported traps: The following traps are currently supported with versions 1, 2c and 3.
  • Page 132 [no] snmp access <GroupName> {v1 | v2c | v3 {auth | noauth | priv}} [read <ReadView | none>] [write <WriteView | none>] [notify <NotifyView | none>] [{volatile | nonvolatile}] [context <string(32)> ] [no] snmp engineid <EngineIdentifier>...
  • Page 133: Snmp Command Description

    SNMP command Description. Command Description: Config enable snmpagent: This command enables the SNMP agent, which provides an interface between an SNMP manager and the switch. The agent processes SNMP packets received from the manager, frames the appropriate response packets and sends them to the manager.
  • Page 134 Command Description: default: 80.00.08.1c.04.46.53. snmp group: This command configures SNMP group details. Group Name - Creates a name for an SNMP group. default: iso/initial. Default: none / initial / templateMD5 / templateSHA. User - Sets a user for the configured group.
  • Page 135 Command Description (SHA) packet authentication. noauth- Sets no-authentication priv - Sets both authentication and privacy read - Mentions the MIB view of the SNMP context to which read access is authorized by this entry...
  • Page 136 Command Description: - The SNMP engine ID is an administratively unique identifier. - Changing the value of the SNMP engine ID has significant effects. - ... automatically to reflect the change. snmp view: This command configures the SNMP view. To configure...
  • Page 137 Command Description nonvolatile - Sets the storage type as permanent. Saves the configuration to the system. The saved configuration can be viewed on restarting the system. port <integer (1-65535)> - Configures a port number through which the generated SNMP notifications are sent to the target address.
  • Page 138 Command Description: snmp user: This command configures the SNMP user details. User Name - Configures a user name, which is the User-based Security Model dependent security ID. Auth - Sets an authentication algorithm.
  • Page 139: Example

    The following configuration allows SNMP v2c user WR, belonging to group corporate, access to the entire tree through a view called v2all. Note that a v1/v2c community string travels in cleartext and is the only credential; restrict the managers that may reach it with authorized-manager, and prefer v3 with auth and priv where the NMS supports it. config snmp community index iS5 Communications name iS5 Communications security none snmp user WR snmp group corporate user WR security-model v2c...
  • Page 140: Commands Description

    SNTP (Simple Network Time Protocol) is a simplified version, or subset, of the NTP protocol. It is used to synchronize the time and date on the iSG18GFP by contacting an SNTP server. The administrator can choose whether to set the system clock manually or to enable SNTP.
  • Page 141 set sntp client addressing-mode { unicast | broadcast | multicast | manycast } set sntp client port <portno(1025-65535)> set sntp client clock-format {ampm | hours} set sntp client time-zone <+/- UTC TimeDiff in Hrs:UTC TimeDiff in Min>...
  • Page 142: Sntp Commands Descriptions

    SNTP Commands Descriptions. Command Description: config terminal: Enters the Configuration mode. sntp: This command enters SNTP configuration mode, which allows the user to execute all the commands that SNTP configuration mode supports.
  • Page 143 Command Description: client connection. The value ranges between 1025 and 65535. The no form of this command deletes the listening port for the SNTP client and restores the default value. Default: 123. set sntp client clock-format: This command sets the system clock to either AM/PM format or HOURS format.
  • Page 144 Command Description: public key cryptosystem. <key>: Sets the authentication code as a key value. Default: Authentication key ID not set. set sntp unicast-server auto-discovery: This command discovers all available SNTP servers.
  • Page 145 Command Description: Defaults: disabled. set sntp broadcast-poll-timeout: This command configures the SNTP client poll timeout in broadcast mode, which is the maximum interval to wait for a poll to complete. The value ranges between 1 and 30 seconds.
  • Page 146 Command Description: ...cause a slave to identify the server as dead. The value ranges between 1 and 10 seconds. Default: 3. set sntp manycast-server: This command configures the SNTP multicast or broadcast server address in anycast mode.
  • Page 147: Example

    Example Following is a configuration example iSG18GFP# show clock Sat Jan 01 02:00:33 2000 config clock time source ntp sntp set sntp client enabled set sntp client version v2 set sntp client clock-summer-time Last-Sun-Mar,02:00 Last-Sun-Oct,02:00...
  • Page 148: Ssh

    SSH (Secure Shell) is a protocol for secure remote login and other secure network services over an insecure network. It consists of three major components: - The Transport Layer Protocol provides server authentication, confidentiality and integrity.
  • Page 149 Command Description: the corresponding MAC list will be used for authentication. Version compatibility: Configures the SSH version. When set to true, both SSH version 1 and version 2 are supported; when set to false, only SSH version 2 is supported. SSH version 1 has known protocol weaknesses, so leave this false unless a legacy client cannot be replaced.
  • Page 150: Dhcp

    The iSG18GFP supports the following DHCP modes: DHCP client: local interfaces can send requests to obtain an IP address from a DHCP server. DHCP server: the iSG18GFP can allocate IP addresses to connected DHCP clients. DHCP snooping: forwarding of connected clients' requests. DHCP relay: forwards DHCP packets between client and server when they are not in the same subnet.
  • Page 151: Dhcp Server

    - show interfaces DHCP Server. The iSG18GFP supports DHCP server functionality, allowing allocation of IP addresses to its local clients. The DHCP server maintains a configured set of IP address pools from which IP addresses are allocated to DHCP clients whenever they request them dynamically.
  • Page 152: Dhcp Relay Commands Description

    DHCP Relay Commands Description. Command Description: no service dhcp-relay: Disabling DHCP relay is mandatory in order to activate the DHCP server. [no] service dhcp-server: Enable | disable the DHCP server. Config terminal [no] ip dhcp pool...
  • Page 153: Example

    DHCP option with specific values for the corresponding DHCP server address pool. Example: The following example demonstrates the allocation of IP addresses by an iSG18GFP set as DHCP server to two different clients. DHCP Server 1. set the system host name (optional) set host-name dhcp-server 2.
  • Page 154 network 172.17.203.0 255.255.255.0 excluded-address 172.17.203.1 172.17.203.10 exit 5. set a default router ip to be sent to the clients as default gateway. ip dhcp pool 1 default-router 172.17.203.100 write startup-config DHCP Client 1.
  • Page 155 DHCP server status : Enable Send Ping Packets : Disable Debug level : None Server Address Reuse Timeout : 5 secs Next Server Adress : 0.0.0.0 Boot file name dhcp-server# show ip dhcp server statistics...
  • Page 156 DHCP RELEASE DHCP INFORM DHCP OFFER DHCP ACKS IN REQ DHCP NACKS IN REQ DHCP ACKS IN RENEW DHCP NACKS IN RENEW DHCP ACKS IN REBIND DHCP NACKS IN REBIND DHCP ACKS IN REBOOT...
  • Page 157: Dhcp Relay

    NOTE By default, DHCP relay is disabled. On IS5 Communications systems supporting DHCP server (future feature) mode, the server must be disabled before enabling DHCP relay mode. DHCP Relay Command Hierarchy...
  • Page 158 Command Description: Config terminal. no service dhcp-server: The DHCP server is not available on the system and must be disabled to activate the DHCP relay function. service dhcp-relay: This command enables the DHCP relay agent in the switch.
  • Page 159 Command Description ip dhcp relay information option This command enables the DHCP relay agent to perform processing related to DHCP relay agent information option. The no form of the command disables the processing related to DHCP relay agent information option.
  • Page 160 Command Description ip dhcp relay information option This command enables the DHCP relay agent to perform processing related to DHCP relay agent information option. The no form of the command disables the processing related to DHCP relay agent information option.
  • Page 161: Example

    Example Following setup will illustrate DHCP-Relay configuration. 1. Configure vlan and ip interface towards the server config vlan 10 ports fastethernet 0/1 untagged fastethernet 0/1 name dhcp-server exit interface fastethernet 0/1 switchport pvid 10...
  • Page 162 5. set a circuit id on the client interface: interface vlan 20 ip dhcp relay circuit-id 20 write startup-cfg 6. The configuration results in the following state: iSG18GFP# sh ip dhcp relay information Dhcp Relay : Enabled Dhcp Relay Servers only : Enabled DHCP server 1 : 172.18.212.100...
  • Page 163: Radius

    RADIUS RADIUS (Remote Authentication Dial-In User Service), widely used in network environments, is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
  • Page 164 User Manual R3.5 Ver: 1.3 Date: 04.28.2015 Command Description UDP (User Datagram Protocol) destination port on this RADIUS server to be used solely for the authentication requests. The value of the auth port ranges between 1 and 65535. acct-port <integer (1- 65535)>: Configures a specific UDP destination port on this RADIUS to be solely used for accounting requests.
  • Page 165: Example

    Example 1. Configure the server list and select the primary iSG18GFP(config)# radius-server host 172.18.212.65 timeout <1-120> retransmit <1-254> key <key> primary iSG18GFP(config)# radius-server host 172.18.212.45 timeout <1-120> retransmit <1-254> key <key>...
  • Page 166: Tacacs

    TACACS TACACS (Terminal Access Controller Access Control System), widely used in network environments, is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
  • Page 167: Tacacs Commands Descriptions

    tacacs-server retransmit <2,(1-100)> [no] tacacs use-server address{ipv4-address } - [no] login authentication tacacs [local] show tacacs show system-information - show running-config tacacs TACACS Commands Descriptions Command Description tacacs-server host This command configures the TACACS server with the...
  • Page 168: Configuration Example

    Continues sent, Authen. Enables sent, Authen. Aborts sent and so on) for TACACS+ client. Configuration Example 1. Configure the server list iSG18GFP(config)# tacacs-server host 172.18.212.210 key secretkey iSG18GFP(config)# tacacs-server host 172.18.212.49 timeout 5 key secretkey 1. Configure the default server iSG18GFP(config)# tacacs use-server address 172.18.212.210 2.
  • Page 169: 169

    iSG18GFP(config)# login authentication tacacs local iSG18GFP(config)# end iSG18GFP# write startup-cfg 3. Remove the TACACS configuration config no tacacs use-server no tacacs-server host 172.18.212.210 login authentication local Output example iSG18GFP# show tacacs Server : 1 Server address : 172.18.212.49...
  • Page 170: 802.1X Commands Descriptions

    - [no] dot1x local-database <username> password <password> permission {allow | deny} [<auth-timeout (value(1-7200))>] [interface <interface-type> <interface list>] - [no] dot1x system-auth-control - [no] shutdown dot1x - [no] dot1x timeout {quiet-period <value (0-65535)>...
  • Page 171 Command Description management for computers to access a network. This is mainly used for backward compatibility. tacacs+ - Configures TACACS+ as the authentication server. This feature has been included to adhere to the Industry Standard CLI syntax.
  • Page 172 Command Description Permission – allow interface-list -all dot1x system-auth-control This command enables dot1x in the switch. The dot1x is an authentication mechanism. It acts as mediator between the authentication server and the supplicant (client).
  • Page 173 Command Description between periodic re-authentication attempts can be configured manually. Default – Periodic re-authentication is disabled dot1x port-control This command configures the authenticator port control parameter. The dot1x exercises port based authentication to increase the security of the network.
  • Page 174 Command Description Default – force-authorized dot1x auth-mode This command configures the authentication mode of a port as either port-based (which is also known as multi-host) or mac-based (which is also known as single-host).
  • Page 175: Examples

    Examples 1. Port based authentication with RADIUS configure terminal dot1x system-auth-control aaa authentication dot1x default group radius radius-server host 172.18.212.142 timeout 20 retransmit 20 key 12345 interface fa 0/5 dot1x port-control auto 2.
  • Page 176: Igmp Snooping

    IGMP Snooping Internet Group Management Protocol (IGMP) is a protocol which a host uses to inform a router when it joins (or leaves) an Internet multicast group. IGMP is only used on a local network; a router must use another multicast routing protocol to inform other routers of group membership.
  • Page 177 Command Description config terminal Enters the Configuration mode [no] shutdown snooping Enables/disables snooping at the switch. default: enabled (no shut) [no] ip igmp snooping [vlan<vlanid(1-4094)>] This command creates IP ACLs and enters the IP Access-list configuration mode.
  • Page 178 Command Description Defaults : non-router-ports ip igmp snooping report-forward This command configures the IGMP reports to be forwarded to all ports, router ports of a VLAN or non-edge ports. The configuration enables the switch to forward IGMP report messages to the selected ports, thus avoiding flooding of the network.
  • Page 179: Example

    Command Description globally disabled. When the fast leave feature is enabled, port information is removed from a multicast group entry immediately after a fast leave message is received. ip igmp snooping mrouter This command enables IGMP snooping and configures a list of multicast router ports for a specific VLAN, when IGMP snooping is globally enabled.
  • Page 180 5 ip igmp snooping vlan 5 mrouter fastethernet 0/1 vlan 5 ip igmp snooping mrouter fastethernet 0/1 write startup-cfg Output result after client “join” request iSG18GFP# show ip igmp snooping forwarding-database Vlan MAC-Address Ports ---- -----------------...
  • Page 181: Acls

    Output result after client “leave” request iSG18GFP# show ip igmp snooping forwarding-database Vlan MAC-Address Ports ---- ----------------- ----- 01:00:5e:7f:ff:fa Fa0/1, Fa0/5 Total Group Mac entries = 1 ACLs ACLs (Access Control Lists) filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces.
  • Page 182 The order of execution between multiple ACGs is derived from the ACL priority set at each individual ACL. If no priority is set on the ACLs, the order of ACG entry at the CLI decides the order of execution.
  • Page 183: Acl Commands Hierarchy

    ACL Commands Hierarchy + config terminal +[no] ip access-list standard <access-list-number (1-1000)>} permit { any | host <src-ip-address> | <src-ip-address> <mask> } [ {any | host <dest-ip-address> | <dest-ip-address> <mask> } ] priority <1-255>...
  • Page 184: Acl Commands Descriptions

    ACL Commands Descriptions Command Description config terminal Enters the Configuration mode [no] ip access-list standard <access-list-number (1-1000)> This command creates IP ACLs and enters the IP Access-list configuration mode. Standard access lists create filters based on IP address and network mask only (L3 filters only).
  • Page 185 Command Description or the host that the packet is from and the network mask to use with the source IP address. any | host dest-ip-address | <network-destip> <mask>: Destination IP address can be: 'any' or the word 'host' and the dotted...
  • Page 186 Command Description <mask> } [<message-type (0-255)>] [<message-code (0-255)>] [priority <(1-255)>] parameters. Icmp: Internet Control Message Protocol any | host <src-ip-address> | <src-ip-address> <mask>: Source IP address can be: 'any' or the word 'host' and...
  • Page 187 Command Description be set (1), notset (2) or any (3). Tos: Type of service. Can be max-reliability, max-throughput, min-delay, normal or a range of values from 0 to 7. Dscp: Differentiated services code point provides the quality of service control.
  • Page 188 Command Description - ef - Matches packets with EF DSCP (101110) priority: A higher value implies a higher priority. Default – 1 precedence: Precedence level to be used for filtering packets. This parameter is newly added in the existing command for industry standard CLI.
  • Page 189 Command Description Access-list-number: Access list number permit | deny: Main action to be set as permit or deny. any | host <src-macaddress>: Source MAC address to be matched with the packet. any | host <dest-mac-address>: Destination MAC address to be matched with the packet.
  • Page 190: Configuration Example

    1001 in iSG18GFP(config-if)# end Example for IP ACL, allow specific IP traffic: iSG18GFP(config)# ip access-list extended 1001 iSG18GFP(config-ext-nacl)# permit ip host 10.10.10.10 host 11.11.11.11 iSG18GFP(config-ext-nacl)# exit iSG18GFP(config)# int fa 0/3 iSG18GFP(config-if)# ip access-group 1001 in iSG18GFP(config-if)# end...
  • Page 191 25 in iSG18GFP(config-if)# end Example TCP ACL: iSG18GFP# config terminal iSG18GFP(config)# ip access-list extended 3000 iSG18GFP(config-ext-nacl)# permit tcp any eq 502 any range 100-200 iSG18GFP(config-ext-nacl)# exit iSG18GFP(config)# interface fastethernet 0/3 iSG18GFP(config-if)# ip access-group 3000 in iSG18GFP(config-if)# end...
  • Page 192: Flow Example

    iSG18GFP(config-if)# ip access-group 2000 in iSG18GFP(config-if)# end Example of how to allow ARP with a MAC ACL: iSG18GFP# config terminal iSG18GFP(config)# mac access-list extended 1 iSG18GFP(config-ext-macl)# permit any any 0x0806 iSG18GFP(config-ext-macl)# exit iSG18GFP(config)# interface fa 0/3 iSG18GFP(config-if)# mac access-group 1 in iSG18GFP(config-if)# end Flow Example For the above setup, ACLs are applied at port fastethernet 0/1 and the resulting traffic is reviewed.
  • Page 193: Test 2

    Results PC1 SSH management to the switch: blocked. PC1 ping to the switch: blocked. PC1 ping to the server: blocked. PC2 SSH management to the switch: blocked. PC2 ping to the switch: blocked.
  • Page 194: Test 3

    PC2 ping to the server: allowed. Test 3 iSG18GFP(config)# access-list extended 1001 permit icmp priority access-list extended 1010 permit ip host 192.168.1.250 host 192.168.1.101 priority access-list extended 1020 deny host 192.168.1.101 priority...
  • Page 195: Test 4

    Test 4 iSG18GFP(config)# access-list extended 1001 permit icmp priority access-list extended 1010 permit ip host 192.168.1.250 host 192.168.1.101 priority mac access-list extended 10 permit any any 2054 priority mac access-list extended 100...
  • Page 196: Test 5

    Test 5 iSG18GFP(config)# access-list extended 1010 permit ip host 192.168.1.250 host 192.168.1.101 priority 100 mac access-list extended 10 permit any any 2054 priority mac access-list extended 100 deny any any priority interface fastethernet 0/1...
  • Page 197: Qos

    QOS Commands Hierarchy config - [no] shutdown qos qos {enable | disable} qos interface <iftype> <ifnum> def-user-priority <0-7> - [no] priority-map <1-65535> + [no] class-map <1-65535> [no] set class <1-65535> [pre-color { green | yellow | red | none...
  • Page 198 - [no] queue <1-65535> interface <iftype> <ifnum> [qtype <1-65535>][scheduler <1-65535>] [weight <0-1000>] [priority <0-15>] [shaper <0-65535>] - [no] queue-map CLASS <1-65535> | regn-priority {vlanPri | ipTos} <0-63>} [interface <iftype> <ifnum>] queue-id <1-65535>...
  • Page 199: Qos Commands Descriptions

    QOS Commands Descriptions Command Description config terminal Enters the Configuration mode shutdown qos Shuts down the QoS subsystem. The no form of the command starts the QoS subsystem. qos {enable | disable} Enables or disables the QoS subsystem.
  • Page 200 Command Description scheduler Creates a Scheduler and configures the Scheduler parameters. The no form of the command deletes a scheduler. Scheduler-Id : Scheduler identifier that uniquely identifies the scheduler in the system/egress...
  • Page 201 Command Description Scheduler : Scheduler identifier that manages the specified queue. Weight : User assigned weight to the CoS queue Priority : User assigned priority for the CoS queue. Shaper : Shaper identifier that specifies the bandwidth requirements for the queue.
  • Page 202 Command Description Interface, VLAN, regenerated inner priority. in-priority-type : Type of the incoming priority. The types are: – VLAN Priority. – IP Type of Service. – IP Differentiated Services Code Point. in-priority : Incoming priority value determined for the received frame.
  • Page 203 Command Description pre-color : Color of the packet prior to metering. This can be any one of the following: – Traffic is not pre-colored. – Traffic conforms to SLAs (Service Level Agreements).
  • Page 204 Command Description eir - Excess information rate. This value ranges between 0 and 65535. ebs - Excess burst size. This value ranges between 0 and 65535. next-meter - Meter entry identifier used for applying the second/next level of conformance on the incoming packet.
  • Page 205 Command Description -cos-transmit – Sets the VLAN priority of the outgoing packet. -de-transmit – Sets the VLAN Drop Eligible indicator of the outgoing packet. -inner-vlan-pri – Sets the inner VLAN priority of the outgoing packet.
  • Page 206 Command Description – On packet arrival, an Active Queue Management algorithm is executed which may randomly drop a packet. queue-limit - Queue size. This value ranges between 1 and 65535. queue-drop-algo - Enable/disable Drop Algorithm for Congestion Management.
  • Page 207: Port Based Assignment Of Priority

    Port based assignment of priority 1. The following script assigns a static priority to all ingress UNTAGGED traffic at ports 1 and 2. The ports are assigned the same PVID. Packets originating from these ports are egressed at the output port in accordance with their assigned priority.
  • Page 208: Traffic Filtering At Ingress

    Traffic Filtering at Ingress 1. In this example, ICMP packets from 12.0.0.100 are filtered at ingress to port 0/1. iSG18GFP# configure terminal iSG18GFP(config)# ip access-list extended 1001 iSG18GFP(config-ext-nacl)# deny icmp host 12.0.0.100 any iSG18GFP(config-ext-nacl)# exit iSG18GFP(config)# interface gigabitethernet 0/1 iSG18GFP(config-if)# ip access-group 1001 in...
  • Page 209: Set Vpt Or Dscp

    config mac access-list extended 10 permit any any exit interface fastethernet 0/1 mac access-group 10 in exit 2. Create a class map to assign a queue ID to packets that match the ACL. All packets ingressing at port 0/1 will thus be...
  • Page 210 policy-map 20 set policy class 200 default-priority-type ipDscp 5 exit 4. Create a policer for ACL 1002 to set the VPT to 2 class-map 30 match access-group ip-access-list 1002 set class 300 exit policy-map 30...
  • Page 211: Link Aggregation

    Tree). As shown in Figure 2-1 multiple ports are aggregated together to form a single link. IS5 Communications LA is responsible for taking frames from the aggregator and submitting them for transmission on the appropriate port. The physical port for transmission is chosen based on the selection policy in the chipset. LA is responsible for collecting the frames received on various ports of the aggregator.
  • Page 212 The user can configure a specific distribution policy for the traffic flow based on the deployment scenario. This allows the switches to take advantage of increased bandwidth for the traffic between the hosts and the server. Also, if one of the links in the aggregation group is brought down, say for maintenance, the traffic between the hosts and the server is not affected.
  • Page 213 Whenever a port-channel is created, it is added as an untagged member port of the default VLAN 1. For other VLANs, it needs to be explicitly configured (or dynamically learnt through GVRP) as a member port. It does not inherit the VLAN membership of its member ports.
  • Page 214: Lag Command Hierarchy

    LAG command Hierarchy root config terminal -[no] shutdown port-channel set port-channel {enable | disable} channel-protocol lacp - [no] lacp system-identifier <aa:aa:aa:aa:aa:aa> port-channel load-balance ([src-mac][dest-mac][src-dest-mac][src ip][destip][src-dest-ip][vlan-id][service-instance][mac-src-vid][mac-dest vid][macsrc-dest-vid][l3-protocol][dest-l4-port][src-l4 port])[<port-channel index(1-65535)>] -[no] interface port-channel <LAG ID>...
  • Page 215: Lag Commands Descriptions

    LAG Commands Descriptions Command Description config terminal Enters the Configuration mode [no] shutdown port-channel This command shuts down the LA feature in the switch and releases all resources allocated to the LA feature. The...
  • Page 216 Command Description port-channel load-balance <policy> <LAG ID> This command configures the load balancing policy for all port channels created in the switch. The no form of the command resets the load balancing policy to its default value.
  • Page 217: Example

    Example 1. Configure port channel config set port-channel enable interface port-channel 1 no shutdown exit 2. Assign the interfaces interface fastethernet 0/1 channel-group 1 mode active exit interface fastethernet 0/2 channel-group 1 mode active Output of show commands, switch S1 1.
  • Page 218 2. show lacp neighbor S1# show lacp neighbor Flags: A - Device is in Active mode P - Device is in Passive mode Channel group 1 neighbors Port Fa0/1 ---------- Partner System ID...
  • Page 219: Stp

    Configuring STP (Spanning Tree Protocol) The following sections describe the configuration of the Spanning Tree Protocol. Figure 2-1: Spanning Tree Topology Switch A: MAC Address: 00:01:02:03:04:01 VLAN 1 - 10.0.0.1/255.0.0.0 Switch B: MAC Address: 00:02:02:03:04:01 VLAN 1 –...
  • Page 220: Stp Description

    To isolate link fluctuations specific to a particular VLAN segment(s) and to provide for load balancing, IS5 Communications iSG18GFP provides support for Multiple Spanning Trees. These can be configured on a per VLAN basis or multiple VLANs can be mapped to the same spanning tree. A switch can take the role of either a root or a designated switch. Spanning tree operation provides path redundancy while preventing undesirable loops in the network that are created by multiple active paths between stations.
  • Page 221: Bridge Id And Switch Priority

    Forwarding: In this state, the interface receives and forwards frames received on that port or forwards frames switched from another port. This transition from blocking to forwarding takes 30 seconds. Bridge ID and Switch Priority Each switch has a unique bridge identifier (bridge ID), which determines the selection of the Root Switch.
  • Page 222: Stp Hierarchy

    STP Hierarchy +root +config terminal shutdown spanning-tree -[no] spanning-tree -[no] spanning-tree mode (mst | rst | rapid-pvst) -[no] spanning-tree (forward-time | hello-time | max-age) -[no] spanning-tree [mst <instance-id>] priority <value(0-61440)> -interface <port type> <port ID>...
  • Page 223 Command Description [no] spanning-tree mode (mst | rst | rapid-pvst) This command sets the type of spanning tree to be executed, enables spanning tree operation and starts spanning tree functionality in the switch. The currently selected type of spanning tree is enabled and the existing spanning tree type is disabled in the switch.
  • Page 224 Command Description [no] spanning-tree [mst <instance-id>] priority <value(0-61440)> This command configures the priority value that is assigned to the switch. The no form of this command resets the priority to its default value. The priority value is changed to its default value even if the spanning tree mode is changed.
  • Page 225 Command Description [no] spanning-tree (cost <value(0-200000000)> | disable | link-type (point-to-point | ... This command configures the port related spanning tree information for all kinds of STPs. This can be applied for any port in RSTP/MSTP mode. The no form...
  • Page 226 Command Description [no] spanning-tree auto-edge This command enables automatic detection of the Edge port parameter of an interface. The no form of this command disables automatic detection of the Edge port parameter of an interface. The automatic detection of the Edge port parameter is disabled even if the spanning tree mode is changed.
  • Page 227 Command Description show spanning-tree active This command displays spanning tree related information available in the switch for the current STP enabled in the switch. The information contains priority, address and timer details for root and bridge,...
  • Page 228: Rstp/Mstp

    RSTP/MSTP RSTP Description The Rapid Spanning Tree Protocol module is based on the IEEE 802.1D rapid reconfiguration. The existing spanning tree protocol in particular takes significant time to reconfigure and restore service on link failure/restoration. RSTP avoids re-convergence delay by calculating an alternate root port and immediately switching over to the alternate port if the root port becomes unavailable.
  • Page 229: Rapid Convergence

    Whenever a BPDU is received on an edge port, it loses its edge port status and becomes a normal spanning tree port. IS5 Communications RSTP uses portfast keyword for edge port configuration. Link Types: RSTP can achieve rapid transition on point-to-point links. The link type is automatically derived from the duplex mode of a port.
  • Page 230: Topology Change And Topology Change Detection

    If a new link is created between the Root and Switch A, then both the ports on this link are put in designated blocking state, until they receive a BPDU from their counterpart. When a designated port is in discarding or learning state (and only in this case), it sets the proposal bit on the BPDUs it sends out.
  • Page 231: Setting Spanning Tree Compatibility To Stp

    Feature / Default Setting: Spanning-tree port priority (configurable on a per-interface basis); Spanning-tree port cost (configurable on a per-interface basis): 200000 (for RSTP, the default value is 65535). Setting Spanning Tree Compatibility to STP When the switch comes up, spanning tree is enabled by default with MSTP operating in the switch.
  • Page 232 Address 00:01:02:03:04:01 Max age is 20 sec, forward delay is 15 sec Name Role State Cost Prio Type ---- ---- ----- ---- ---- ------ Gi0/1 Designated Forwarding 200000 128 SharedLan Gi0/2 Root Forwarding 200000 128 SharedLan...
  • Page 233: Configuring Spanning Tree Path Cost

    Configuring Spanning Tree Path Cost When a loop occurs in the network topology, spanning tree protocol may use path cost to determine the spanning-tree states of the ports. Path cost is obtained from the speed of the interface. A user can configure a lower path cost for an interface if the port needs to be selected first, or a higher path cost if the port needs to be selected last for putting it into the forwarding state.
  • Page 234 Max age 20 Sec, forward delay 15 Sec MST00 Spanning Tree Protocol Enabled. MST00 is executing the mstp compatible Multiple Spanning Tree Protocol Bridge Id Priority 32768 Address 00:01:02:03:04:01 Max age is 20 sec, forward delay is 15 sec...
  • Page 235 Execute the no spanning-tree cost Interface Configuration mode command to set the default value of the Spanning Tree Path Cost. iSG18GFP(config-if)# no spanning-tree cost iS5 Communications Inc. Page: 235 of: 465...
  • Page 236: Configuring Spanning Tree Port Priority

    Configuring Spanning Tree Port Priority Switch A: VLAN 1 – 10.0.0.1/255.0.0.0 Switch B: VLAN 1 – 10.0.0.2/255.0.0.0 Switch C: VLAN 1 – 10.0.0.3/255.0.0.0 Figure 3-2: Spanning Tree Topology for Configuring Port Priority When a loop occurs in a network topology, spanning tree may use the value of port-priority of the ports to decide the port that must be put in the forwarding state.
  • Page 237 Interfaces can be physical interfaces and port-channel logical interfaces (port-channel port-channel-number). - Configure the port priority for spanning tree. iSG18GFP(config-if) # spanning-tree port-priority 32 For priority, the range is 0 to 240 in increments of 16. The default is 128. The lower the number, the higher the priority.
  • Page 238: Configuring Spanning Tree Link Type

    Configuring Spanning Tree Link type If a port is configured as point-to-point link and its port role is designated, then IS5 Communications RSTP negotiates a rapid transition to forwarding with the other port by using proposal-handshake agreement mechanism to ensure that the topology is loop free.
  • Page 239 0/1 Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). - Configure link type of interface as point-to-point. iSG18GFP(config-if) # spanning-tree link-type point-to-point - Exit configuration mode. iSG18GFP(config-if)# end View the spanning tree properties of an interface.
  • Page 240: Configuring Spanning Tree Portfast

    Configuring Spanning Tree Portfast All ports that are directly connected to end stations cannot create bridging loops and hence can rapidly transition to forwarding, skipping the learning and listening states. A switch can be configured to automatically detect the presence of another switch connected to one of its ports. If a switch receives configuration BPDUs from another switch, it can detect the presence of the other switch connected to one of its ports.
  • Page 241: Configuring Spanning Tree Timers

    It allows a protection time of 5 msec per node, hence significantly improving the protection time of standard RSTP. This mode is supported on ring-shaped networks (not tree) implemented over the iSG18GFP fiber SFP ports. Enhanced RSTP uses the RSTP mechanism and port states but improves the protection time using fast diagnostics of the fiber link state.
  • Page 242 Once a link fault has occurred in the ring, signalled by a fiber signal loss on an SFP ring port, the enhanced RSTP control messages indicate this state to the LBS switch. The LBS and NBS switches will set their shared link ports (currently in alternate state) to the RSTP “forwarding”...
  • Page 243 Figure 3: Enhanced RSTP typical network design
  • Page 244: Enhanced Rstp Command Hierarchy

    Example of status output ---------------Enhanced RSTP STATUS --------------- Switch Status: Blocking Switch West Link Status: Link In Forward State East Link Status: Link In Blocked State Switches In Ring: 4 Switches Link Down Counter: 2...
  • Page 245: Lldp

    - MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLVs) IS5 Communications LLDP is a portable software implementation of the Link Layer Discovery Protocol (LLDP). It provides complete management capabilities using SNMP and CLI. IS5 Communications LLDP conforms to the IEEE 802.1AB-2005 standard. LLDP allows systems on an Ethernet LAN to advertise their key capabilities and also to learn about the key capabilities of other systems on the same Ethernet LAN.
  • Page 246: Lldp Commands Descriptions

    -[no] shutdown lldp -set lldp {enable | disable} -[no] lldp transmit-interval <seconds(30,5-32768)> -[no] lldp holdtime-multiplier <value(4,2-10)> -[no] lldp reinitialization-delay <seconds(2,1-10)> -[no] lldp tx-delay <seconds(2,1-8192)> -[no] lldp notification-interval <seconds(5,5-3600)> lldp chassis-id-subtype { chassis-comp <string(255)> | if-alias | port-comp <string(255)>...
  • Page 247 Command Description required resources in the LLDP Default: LLDP is not shutdown in the system set lldp {enable | disable} This command transmits or receives LLDP frames from the server to the LLDP module.
  • Page 248 Command Description TxDelay should be less than or equal to (0.25 * Message Tx Interval) Default: 2 seconds [no] lldp notification-interval <seconds(5-3600)> This command sets the time interval in which the local system generates a notification-event.
  • Page 249 Command Description Local: Represents a chassis identifier based on a locally defined value. Default: mac-addr clear lldp counters This command clears the inbuilt counter which has the total count of LLDP frames that are transmitted/received.
  • Page 250 Command Description number/port number). sys-name: Configures the system name of the TLV sys-descr: Configures the system description of the TLV sys-capab: Configures the system capabilities of the TLV mgmt-addr all: Enables the transmission of all the available management addresses on the current interface.
  • Page 251 Command Description associated together when assigning a VID to a frame. This group ID is associated with the specific port. vlan-name: Specifies the administratively assigned string, which is used to identify the VLAN.
  • Page 252 Command Description related traces. This trace is currently not used in LLDP neigh-add: Generates debug statements for add SEM. neigh-del: Generates debug statements for delete SEM. neigh-updt: Generates debug statements for update SEM.
  • Page 253 Command Description tlv mac-phy: Generates debug statements for MAC or PHY TLV traces tlv pwr-mdi: Generates debug statements for power-through-MDI TLV traces tlv lag: Generates debug statements for link aggregation TLV traces...
  • Page 254 Command Description port-id: Configures the port number that represents the concerned aggregation port interface-type: Displays information about neighbors for the specified type of interface. The interface can be: - fastethernet – Officially referred to as the 100BASE-T standard.
  • Page 255 Command Description - gigabitethernet – A version of LAN standard architecture that supports data transfer up to 1 Gigabit per second. - extreme-ethernet – A version of Ethernet that supports data transfer up to 10 Gigabits per second.
  • Page 256 Command Description and port-channel. For example: 1 represents ilan and port-channel ID. mgmt-addr: All the management addresses configured in the system and Tx enabled ports show lldp errors This command displays information about errors such as memory allocation failures, queue overflows and table overflow.
  • Page 257: Example 1

    Example 1 The following setup demonstrates the configuration and show outputs of LLDP signaling. S1 configuration 1. set system hostname (not mandatory) set hostname S1 2. Enable lldp . timer values are example only...
  • Page 258: Show Lldp

    S2 configuration 1. set system hostname (not mandatory) set hostname S2 2. enable lldp . timer values are example only no shutdown lldp set lldp enable lldp transmit-interval 5 lldp notification-interval 5 3.
  • Page 259 Chassis ID Local Intf Hold-time Capability Port Id ---------- ---------- --------- ---------- ------- 172.18.212.51 Fa0/3 S2P3 Total Entries Displayed : 1 2. The following are the LLDP readings of switch 1 as received at switch 2...
  • Page 260: Example 2

    Example 2 Based on the same setup, the following changes in the LLDP configuration are made at switch 1 in order to show the updated state seen at switch 2. S1 configuration 1. set the chassis id option to be a chosen text “S1”...
  • Page 261: Show Lldp

    Show LLDP 1. The following are the updated LLDP readings of switch 1 as received at switch 2 S2# show lldp neighbors Capability Codes (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device,...
  • Page 262: Ospf

    OSPF OSPF (Open Shortest Path First) is an Interior Gateway Protocol used to distribute routing information within a single Autonomous System. Routers use link-state algorithms to send routing information to all nodes in an inter-network, calculating the shortest path to each node based on the topology of the internetwork constructed by each node.
  • Page 263 -[no] ASBR Router -[no] area <AreaId> range <Network> <Mask> {summary | Type7} [{advertise | not-advertise}] [tag <value>] -[no] summary-address <Network> <Mask> <AreaId> [{allowAll | denyAll | advertise | not-advertise}] [Translation {enabled | disabled}]...
  • Page 264: Ospf Gce Commands Descriptions

    -[no] debug ip ospf [vrf <name>] { pkt { hp | ddp | lrq | lsu | lsa } | module { adj_formation | ism | nsm | config | interface | restarting-...
  • Page 265 Command Description interval <Interval- Value (0 - 0x7fffffff)> and the no form of the command configures default Stability interval for NSSA. area-id: Area associated with the OSPF address range. It is specified as an IP address...
  • Page 266 Command Description Defaults: priority - 1 [no] area <area-id> default- cost <cost> This command specifies a cost for the default summary [tos <tos value(0-30)>] route sent into a stub or NSSA and the no form of the command removes the assigned default route cost.
  • Page 267 Command Description is specified as an IP address stub: Configures an area as a stub area. Nssa: Configures an area as a Not-So-Stubby Area (NSSA). [no] default-information originate This command enables generation of a default external always [metric <metric-value (0-0xffffff)>]...
  • Page 268 Command Description Message Digest 5 (MD5) authentication on the area specified by the area-id md5: The secret key which is used to create the message digest appended to the OSPF packet Defaults:...
  • Page 269 Command Description is specified as an IP address allowAll: When set to allowAll and associated areaId is 0.0.0.0 aggregated Type-5 are generated for the specified range. In addition aggregated Type-7 are generated in all attached NSSA, for the specified range...
  • Page 270 Command Description of route-maps. The length of the name ranges from 1 to [no] distribute-list route- map <name(1- This command enables inbound filtering for routes. The 20)> in no form of the command disables inbound filtering for the routes.
  • Page 271 Command Description operational prior to the graceful restart. The value ranges between 1 and 1800 seconds. The value is provided as an intimation of the grace period to all neighbors. The no form of the command resets the interval to default value.
  • Page 272 Command Description nsf ietf grlsa retrans count <grlsacout (0- This command configures the maximum number of 180)> retransmissions for unacknowledged GraceLSA. This value ranges between 0 and 180. Defaults: 2 nsf ietf restart-reason...
  • Page 273 Command Description <switch- name>]] of the command disables OSPF routing for interfaces defined and to remove the area ID of that interface. Network number: Network type Area: Area associated with the OSPF address range. It is...
  • Page 274 Command Description of the command sets default value for router priority. NOTE When two routers attached to a network attempt to become the designated router, the one with the higher router priority takes precedence.
  • Page 275 Command Description attached routers, together with the capability to address a single physical message to all of the attached routers (broadcast) non-broadcast: Networks supporting many (more than two) routers, but having no broadcast capability...
  • Page 276 Command Description Module: RTM Module debug messages adj_formation: Adjacency formation debug messages ism: Interface State Machine debug messages nsm: Neighbor State Machine debug messages config: Configuration debug messages interface: Interface restarting-router: Debug messages related to restarting...
  • Page 277 Command Description Detail: OSPF Neighbor information in detail interface-type: Interface Type interface-id: Interface Identifier Defaults: vrf - default show ip ospf [vrf <name>] request-list [<neighbor- This command displays OSPF Link state request list id>] [{ vlan <vlan-id (1- 4094)>...
  • Page 278 Command Description show ip ospf [vrf <name>] border-routers This command displays OSPF Border and Boundary Router Information. vrf<name>]: Name of the VRF instance. This value is a string of size 32. Defaults: vrf - default show ip ospf [vrf <name>] {area-range | summary-...
  • Page 279 Command Description information is about the local router itself Defaults: vrf - default show ip ospf [vrf <name>] [area-id] database { asbr- This command displays OSPF Database summary for summary | external | network | nssa-external | the LSA type.
  • Page 280: Ospf Ace Commands Hierarchy

    Command Description the local router) Defaults: vrf - default show ip ospf redundancy This command displays OSPFv2 redundancy information. OSPF ACE Commands Hierarchy application connect - router interface {create | remove} <IP address> [netmask] [vlan id]...
  • Page 281: Ospf Ace Commands Descriptions

    OSPF ACE Commands Descriptions Command Description Application connect Enters the Configuration mode router interface Add or Remove an IP interface for the application engine. The configuration should include: create | remove ...
  • Page 282: Ospf Setup Example

    OSPF setup example The setup example and configuration below provide L3 OSPF-based protection over the closed network. S1 configuration 6. remove network ports from default vlan 1 config vlan 1 no ports fa 0/1-2 untagged fa 0/1-2 exit 7.
  • Page 283 exit 8. configure OSPF router ospf router-id 10.10.10.101 network 172.18.101.201 255.255.255.0 area 0.0.0.0 network 172.18.102.201 255.255.255.0 area 0.0.0.0 write startup-cfg S2 configuration 1. remove network ports from default vlan 1 config vlan 1...
  • Page 284 S3 configuration 1. remove network ports from default vlan 1 config vlan 1 no ports fa 0/4,0/3 untagged fa 0/3-4 exit 2. assign vlans and corresponding IP interfaces vlan 103 ports fastethernet 0/3...
  • Page 285 vlan 104 ports fastethernet 0/4 exit interface vlan 101 shutdown ip address 172.18.101.204 255.255.255.0 no shutdown exit interface vlan 104 shutdown ip address 172.18.104.204 255.255.255.0 no shutdown exit 3. configure OSPF router ospf router-id 10.10.10.104...
  • Page 286: Vrrp

    VRRP Virtual Router Redundancy Protocol (VRRP) is supported on the unit, providing a virtual gateway to the connected IP hosts and thus achieving higher reliability and availability. RIP Commands Hierarchy +root router vrrp - auth-deprecate...
  • Page 287: Vrrp Commands Descriptions

    VRRP Commands Descriptions Command Description Config Enters the Global Configuration mode router vrrp auth-deprecate VRRP auth deprecation flag. enable |disable Clear Performs clear operation Interface {vlan <id> |<type> Enter a specific interface level <id>}...
  • Page 288 Switch S2 configuration (Master router) 1. Set vlans and assign ports config t no spanning-tree vlan 11 ports add gigabitethernet 0/1 untagged gigabitethernet 0/1 exit interface gigabitethernet 0/1 switchport pvid 11 exit...
  • Page 289 interface vlan 11 vrrp 1 ipv4 11.0.0.1 vrrp 1 ipv4 11.0.0.1 secondary exit interface vlan 12 vrrp 1 ipv4 12.0.0.1 vrrp 1 ipv4 12.0.0.1 secondary write startup-cfg Switch S1 configuration 1. Set vlans and assign ports...
  • Page 290: Ripv2

    RIP (Routing Information Protocol) is a distance-vector routing protocol that employs the hop count as its routing metric. The RIPv2 protocol is supported in the application layer of the IS5 Communications switch; as such, its configuration is available in the ACE mode and relates to the IP interfaces configured in the application.
  • Page 291 Command Description passive-interface – Suppress routing updates on an interface, given using the interface vlan id or the physical port. redistribute – Redistribute information from another routing protocol. neighbor – Specify a neighbour router, given as A.B.C.D .
  • Page 292: Ace Rip Commands Hierarchy

    ACE RIP Commands Hierarchy +root application connect - router interface {create | remove} <IP address> [netmask] [vlan id] router rip enable exit show ip rip configure terminal [no] router rip - [no] network { A.B.C.D/M | <interface name ,eth1.(id)>...
  • Page 293: Ace Rip Commands Descriptions

    ACE RIP Commands Descriptions Command Description Application connect Enters the Configuration mode router interface Add or Remove an IP interface for the application engine. The configuration should include: create | remove ...
  • Page 294: Example

    If you don’t perform split-horizon on the interface, please specify no ip split-horizon. Example The following example details how to configure the iSG18GFP as a router using the RIP protocol at the GCE. Router configuration...
  • Page 295 1. Set host name (optional) set host-name ROUTER 2. Create the subnet vlans config vlan 101 ports gigabitethernet 0/3 fastethernet 0/1 untagged fastethernet 0/1 exit vlan 102 ports gigabitethernet 0/3 fastethernet 0/2 untagged fastethernet 0/2...
  • Page 296 network eth1.101 network eth1.102 network eth1.111 network eth1.112 write exit commit exit show configuration and state [/] router interface show +------+----------+-------------------+------------------+-------------+ | VLAN | Name IP/Subnet Purpose | Description | +======+==========+===================+==================+=============+ | 101 | eth1.101 | 172.16.101.100/24 | application host |...
  • Page 297: Oam Cfm

    router/rip> show ip rip status Routing Protocol is "rip" Sending updates every 30 seconds with +/-50%, next due in 12 seconds Timeout after 180 seconds, garbage collect after 120 seconds Outgoing update filter list for all interface is not set...
  • Page 298: Cfm Command Hierarchy

    CFM Command Hierarchy +root + config terminal ethernet cfm domain name <name> level <level-id> [format service name <name> [format] [icc <code> [{vlan <vlan-id> service-instance <instance>] [mip-creationcriteria{}] [sender-id permission - set mip-creation-criteria {none | default | explicit}...
  • Page 299: Cfm Commands Descriptions

    CFM Commands Descriptions Command Description config terminal Enters the Configuration mode ethernet cfm domain format Sets the format of the CFM maintenance domain. The options are: dns-like-name – Configures the domain name like string.
  • Page 300 Command Description that represents the specific VLAN created / to be created. This value ranges between 1 and 4094. when the service vlan command is executed: within a Maintenance Domain. Maintenance Association through the command ethernet cfm associate vlan-id primary-vlan-id.
  • Page 301 Command Description between 1 and 8191. Service : Indicates the service name. The maximum length of the service-name is 20. Vlan : VLAN ID. This value ranges between 1 and 4094. Following restrictions apply :...
  • Page 302 Command Description then its enclosing domain’s MHF creation parameter must be either “default or explicit”. It can be modified using the command set mip-creation-criteria. - If service (Maintenance Association) associated with the specified VLAN and level is not configured in the system, then the default MHF creation parameter must not be “none”.
  • Page 303 Command Description zero and seven. Service : Indicates the service name. The maximum length of the service-name is 20. Vlan id: VLAN ID. This value ranges between 1 and 4094. Vlan list: Indicates a list of VLANs.
  • Page 304 Command Description Restrictions : cannot be the same. with more than one Primary VLAN. mep crosscheck mpid This command statically defines an MEP (Maintenance End Point) in a Crosscheck List (MA-MEP List) within a Maintenance Association.
  • Page 305 Command Description which the trace route reply must come. The value ranges from 10 to 10000 milliseconds. show ethernet cfm domain This command displays the information about all the CFM Maintenance Domains configured on a device.
  • Page 306: Erps

    ERPS ERPS (Ethernet Ring Protection Switching) is a portable software implementation that conforms to the ITU-T Standard G.8032/Y.1344 (06/2008) and its amendment ITU-T Standard G.8032/Y.1344 Amendment 1 (04/2009). The ERPS module ensures that there are no loops formed at the Ethernet layer.
  • Page 307 minutes | hours}] [guard <integer> {milliseconds | seconds | minutes | hours}] -[no] aps propagate-tc {[status {enable | disable}]} [ring-ids < ringid-range>] -aps map vlan-group <short(0-64)> -aps mac-id {<integer(1-255)>} -aps protection-type{port- based|service-based} -aps main ring id <main-ring-id>...
  • Page 308: Erps Commands Descriptions

    ERPS Commands Descriptions Command Description config terminal Enters the Configuration mode Switch [default] Creates a virtual context. [no] shutdown aps ring [switch] This command shuts down the ERPS functionality in the virtual switch. The no form of the command starts the ERPS functionality in the virtual switch.
  • Page 309 Command Description group <group_id> ring name for the given ring ID and enters into the ring group configuration mode. The newly created ring entries are in inactive state. If the ring entry is already...
  • Page 310 Command Description vlan <vlan_id>: Configures the R-APS vlan for the ring. This is a unique value that represents the specific VLAN created. This value ranges from 1 to 4094. The configured VLAN should have been already activated.
  • Page 311 Command Description is allowed on both of the interconnected nodes. Defaults: Blocking of sub-ring port is disabled. aps working meg <meg-id(1- This command associates the fault monitoring entities 4294967295)> me <me-id(1- (Y.1731 specific) for each of the ring ports.
  • Page 312 Command Description to 1 Gigabit per second.  extreme-ethernet – A version of Ethernet that supports data transfer up to 10 Gigabits per second. This Ethernet supports only full duplex links.  internal-lan – Internal LAN created on a bridge per IEEE 802.1ap.
  • Page 313 Command Description Defaults: Operating mode of the protection group is set as revertive. wtr - 300000 milliseconds aps timers [periodic <integer> This command configures the interval of the periodic {milliseconds | seconds | minutes | hours}] timer, the hold-off timer and the guard timer.
  • Page 314 Command Description during the running of the guard timer will be discarded. The configured value of this timer is applicable only from the next start/re-start of the timer. The units of guard time interval are: ...
  • Page 315 Command Description based} ring. The type of protection being provided by this ring instance can be port-based or service-based. In a single virtual context one ring can run in port based protection mode and another ring can run in service based protection mode.
  • Page 316 Command Description v2: Sets the ring version as v2. Defaults: V1 [no] aps neighbor <interface_type> This command configures the given port as RPL <interface_id> neighbour port for the ring group so that the ring node becomes the RPL neighbour.
  • Page 317 Command Description Milliseconds: Sets the wtb timer in milliseconds. Seconds: Sets the wtb timer in seconds. Minutes: Sets the wtb timer in minutes. Hours: Sets the wtb timer in hours. Defaults: 5500 milliseconds...
  • Page 318 Command Description {enable | disable} APS channel in the sub-ring. Enable: Configures sub-ring to run without R-APS Virtual Channel and the traffic channel is blocked. Disable: Configures sub-ring to run with R-APS Virtual Channel and both the traffic channel and the R-APS channels are blocked.
  • Page 319 Command Description Secondary: Sets the interconnection node of the sub- ring as secondary which minimizes segmentation in interconnected rings. On detection of loss of connectivity between the two interconnection nodes, Manual switch command will be applied in the interconnection node sub-ring port.
  • Page 320 Command Description  port-channel – Logical interface that represents an aggregator which contains several ports aggregated together. <interface_id>: Configures the port as distributing port for the specified interface identifier. This is a unique value that represents the specific interface.
  • Page 321 Command Description [switch <string (32)>]} statements are generated for the configured trace levels. The no form of the command disables the tracing of the ERPS module as per the configured debug levels. The trace statements are not generated for the configured trace levels.
  • Page 322 Command Description multiple instance feature. Defaults: critical show aps ring global info [switch <context_name>] This command displays the ERPS global information for a context. show aps ring [group <group_id>] [{configuration | This command displays the protection ring group statistics | timers }] [switch <context_name>]...
  • Page 323: Erp Setup Example

    ERP setup example The setup example and configuration below provide protection over vlan 2, which carries the PCs' traffic and the switch management. The link between S1 and S2 is chosen as the RPL.
  • Page 324 Common Configuration for all switches 1. Disable RSTP on all interfaces before enabling ERP Config shutdown spanning-tree no spanning-tree write startup-cfg S1 configuration 1. Set switch host-name (not mandatory) set host-name S1 2.
  • Page 325 8. Create CFM domain, name ‘domain1’ for the S1-S2 link. The system will generate this domain with index 1. An ME named ‘MA_ERPS_Ring1’ is created, common for all domains, at all 3 ring switches.
  • Page 326 13. Create Ring group, set Ring Port1 (BPR 0) and Port2 (BPR 1). In the example below, Port1 is Gi 0/1, Port2 is Gi 0/2. The order of assignment is important: Port1 should relate to the interface member in CFM Domain index 1 (‘domain1’).
  • Page 327 6. Remove the ring ports from the default vlan 1 vlan 1 no ports gigabitethernet 0/1-2 fast 0/8 untagged all exit 7. CFM configuration ethernet cfm start ethernet cfm enable ethernet cfm y1731 enable ethernet cfm traceroute cache 8.
  • Page 328 The order of assignment is important: Port1 should relate to the interface member in CFM Domain index 1 (‘domain1’). Port2 should relate to the interface member in CFM Domain index 2 (‘domain2’)
  • Page 329 ethernet cfm enable ethernet cfm y1731 enable ethernet cfm traceroute cache 8. Create CFM domain, name ‘domain3’ for the S1-S3 link. The system will generate this domain with index 1. An ME named ‘MA_ERPS_Ring1’ is created, common for all domains, at all 3 ring switches.
  • Page 330 The order of assignment is important: MEG1 should relate to the MEP (31) member in CFM Domain index 1 (‘domain1’). MEG2 should relate to the MEP (32) member in CFM Domain index 2 (‘domain2’) aps working meg 1 me 1 mep 31 meg 2 me 1 mep 32 15.
  • Page 331 3500 - Local 3500 - Remote 2. Show the ERP configuration. Notice the coloring indication representing the relation of the domain index to the APS port configuration and MEG. CFM domain1 has index 1 (in yellow). It defines MEP 12 on interface Gi 0/1. Thus, the APS configuration should have Gi 0/1 as Port1.
  • Page 332 Verifying setup state The following is a show output example for S1 1. Show the ring state using the command “show aps ring”. If no fault is present at the ring, an indication of ‘Idle’ is expected and the link status of both ring ports should be ‘Not Failed’.
  • Page 333 2. Show the state of CFM local and remote points. In Idle state, all MEPs should be ‘Up’ and the MAC addresses should be learned. S1# show ethernet cfm service ------------------------------------------- Service Name : MA_ERPS_Ring1...
  • Page 334 Removing ERP and CFM configuration Example given for S1 1. Remove the ERP APS configuration config no aps ring group 1 no aps ring enable shutdown aps ring 2. Remove the MEP assignment from the ring ports...
  • Page 335: Serial Ports And Services

    Serial Ports and Services The serial RS-232 connects legacy serial-based industrial devices to an Ethernet network. Each of the serial ports can be configured to work in one of these modes of operation: 1.
  • Page 336: Serial Interfaces

    Serial interfaces Depending on the hardware variant, up to 4 RS-232 ports may be available. Services configuration structure The table below groups the relevant configuration areas that should be included per application type...
  • Page 337: Serial Commands Hierarchy

    Serial Commands Hierarchy application connect serial Service show serial local-end-point filter show card auto-recover {enable |disable |show} show port clear counters create {slot <1>} {port <1-4>} [baudrate <9600,(50-368400)>] databits {8,<5-8>} [parity {no,no| odd| even}] [stopbits <1,1|2>]...
  • Page 338: Serial Commands Description

    Serial Commands Description Command Description Application connect Enter the industrial application menu serial Access serial configuration hierarchy. Configuration for ports, local-end-point, and remote-end-point are available here. Service show Provides configuration state of a serial service...
  • Page 339 Command Description Create | update Slot : 1 (constant) Port : port number .1-4 Baud rate : 50,75,100,110,134,150,200,300, 600,1200,2400,4800,9600,19200, 38400,57600,115200,230400, 460800,921600,1843200,3686400 Parity: no, odd, even. Default: no. Stopbits: 1, 2. Default: 1.
  • Page 340 Command Description Create | update local-cts-delay : delay for sending the serial connected device a CTS status following the device RTS request. Setting the value 0 will result in not sending a CTS back.
  • Page 341 Command Description Create Slot : 1 (constant) Port: port number .1-4 Service id: numeric value of serial service. Position: N/A - point to point Master – point to multipoint Slave – point to multipoint...
  • Page 342 Command Description Remove Slot : 1 (constant) Port : port number .1-4 Service id: numeric value of serial service. Position: Master – point multipoint Slave – point to multipoint Application : Serial-tunnel (default)
  • Page 343: Declaration Of Ports

    Declaration of ports Example of serial port declaration: + root Application connect serial Port create slot 1 port 1 Port create slot 1 port 2 Port create slot 1 port 3 Port create slot 1 port 4...
  • Page 344 interface fastethernet 0/10 switchport pvid 4092 no shut exit write startup-cfg
  • Page 345: Rs- 232 Port Pin Assignment

    RS-232 Port Pin Assignment Below is the pin assignment of the serial ports. When using the DTR/DSR control lines, the following cable assembly is required to ensure DCD and DSR are connected together.
  • Page 346: Rs- 232 Serial Cable

    RS-232 Serial cable The RS-232 ports are of RJ-45 type; a cable with a male RJ-45 on one end and a female DB-9 on the other is available as an ordering option. This cable should be used when no control lines are needed.
  • Page 347: Transparent Serial Tunneling

    In transparent tunneling mode the switch encapsulates the serial frames into UDP packets. The UDP packets are sourced from a local IP interface configured in the application layer of the iSG18GFP switch. The supported topologies are P2P, P2MP and MP2MP, over a single switch or over an IP network.
  • Page 348: Supported Network Topologies

    The communication rules, which are maintained between service-id group members, are as follows: 1. Traffic sent from a master will be received at all slaves. 2. Traffic sent from a slave will be received at all masters.
  • Page 349: Point To Multipoint Point

    Point to multipoint point The picture below illustrates a point-to-multipoint service in which the master and slaves are connected locally at the same switch. Figure 6: P2MP, local service The picture below illustrates a point-to-multipoint service in which the service members are spread.
  • Page 350: Multi Point To Multipoint Point

    Multi Point to multipoint point The picture below illustrates a typical multipoint-to-multipoint service. Figure 8: MP2MP, mixed service Modes of Operation Port Mode Of Operation The port mode-of-operation is set at the serial port configuration level and defines how serial data is collected.
  • Page 351: Service Buffer Mode

    Bitstream Bitstream is a mode in which serial data is sent without a distinct start bit, stop bit or a known length of data bits. In this mode, the serial processor collects the received data until one of the following conditions is met: ...
  • Page 352: Aware Mode

     Traffic sent from a master device will be received by all slaves.  Traffic sent from a slave will be received by all masters. Aware mode Serial data will be set to be received in frame mode. Each serial device connected to the switch is identified by its protocol unit-id.
  • Page 353: Reference Drawing

    To ease the explanation of the terms and serial properties in this chapter, the diagram below is used as a reference for following the serial traffic flow. The diagram shows two iSG18GFP switches, connected over an Ethernet network and sharing a transparent serial tunneling service.
  • Page 354: Serial Traffic Direction

    Serial Traffic Direction Transmit direction represents the serial-processor traffic towards the CE, over the serial port. Receive direction represents the traffic received at the serial-processor from the CE, over the serial port.
  • Page 355: Bus Idle Time

    The serial-processor will delay transmitting the first serial byte to CE2. The following data bytes are sent without delay. Bus Idle Time This parameter defines the period of silence on the serial line that identifies the end of a frame.
  • Page 356: Bits For Sync

    Bits for Sync The parameters ‘bits-for-sync1’ and ‘bits-for-sync2’ are applicable to bitstream mode only. bits-for-sync1 Similar in purpose to Tx-delay. When transmitting, the serial processor will add a number of consecutive ‘1’ bits before the data.
  • Page 357: RS-232 Control Lines

    RS-232 Control lines The iSG18GFP supports the use of the RS-232 control lines for the transparent serial tunneling service. By default, the control lines are disabled, leaving Tx and Rx as the only active lines at the ports. The control lines are applicable to point-to-point serial services only.
  • Page 358: Modes Of Operation

    Modes of operation Point-to-point, remote service, CTS/RTS The diagram below illustrates a point-to-point remote service with the RTS/CTS lines enabled. When CE1 sends RTS, the following flow takes place: 1. The switch#1 serial-processor replies with CTS back to CE1. The reply may be with or without a configurable time delay.
  • Page 359 When CE1 sends DTR, the following flow takes place: 1. The switch#1 serial-processor replies with DSR back to CE1. The reply may be with or without a configurable time delay. 2. CE1 data is sent and received at CE2.
  • Page 360 Point-to-point, local service, CTS/RTS The diagram below illustrates a point-to-point local service with the RTS/CTS lines enabled. When CE1 sends RTS, the serial-processor replies with CTS back to CE1. The reply may be with or without a configurable time delay.
  • Page 361 Point-to-point, local service, DTR/DSR The diagram below illustrates a point-to-point local service with the DTR/DSR lines enabled. When CE1 sends DTR, the serial-processor replies with DSR back to CE1. The reply may be with or without a configurable time delay.
  • Page 362: Example Serial Tunneling

    Example Serial Tunneling The network below demonstrates a P2P topology of transparent serial tunneling. Configuration of both switches 1. Create a VLAN for the service and tag the network port; port gigabitethernet 0/3 must also be a member.
  • Page 363 Configuration switch B (Slave) 1. Configure the serial port and service (values are example only) application connect router interface create address-prefix 192.168.2.202/24 vlan 2 serial port create slot 1 port 1 baudrate 9600 parity even mode-of-operation...
  • Page 364: Terminal Server

    Terminal Server Terminal Server service IS5 Communications switches provide a special service for transposing a TCP session to a serial session. Networking: A switch acting as the terminal server can be connected to the Ethernet telnet client (management station) via: ...
  • Page 365: Terminal Server Commands Hierarchy

    Below is a second option in which the terminal servers are set at the remote switch where the serial devices are connected locally. The benefit of this scenario is having a TCP session over the IP network.
  • Page 366: Terminal Server Commands

    show service-id <> counters [clear | show] settings restore update [low-border-telnet-port <>] [dead-peer-timeout <0-1440>] [buffer-mode <frame |byte>] show telnet-service create remote-address <A.B.C.D> service-id <1-100> telnet-port <range> null-cr-mode {off,<off|on>} remove service-id <1-100>...
  • Page 367 Command Description Show Local-end-point Create Slot: 1 (constant) Port: port number 1-4 Service id: numeric value of the serial service. Application: Terminal-server Remove Slot: 1 (constant) Port: port number 1-4 Service id: numeric value of the serial service.
  • Page 368 Command Description settings Manage the range of TCP ports on which the terminal server responds. By default the allowed range is 2001-2100. Restore: restore the default range. Update low-border-telnet-port <>: a numeric value for the low border of the TCP port range.
  • Page 369 Command Description telnet-service Configuration options to be used at the switch where the terminal server is set. These fields determine the remote side to which the serial service is drawn (the remote side is the switch to which the serial device is connected).
  • Page 370: Example Local Service

    Example local Service The example below demonstrates the setup of a single switch to which both the serial device and the user PC (telnet client) are connected directly. 1. Create a VLAN for the service.
  • Page 371 2. Assign an IP to the application interface and configure the serial port. The application IP interface acting as the terminal server must be created with the service VLAN, in this case vlan 2.
  • Page 372 +=======+=========+======+======+=================+==========+==========+==========+ | terminal-server | | disable +-------+---------+------+------+-----------------+----------+----------+---------- [/] terminal-server telnet-service show +-------+------------+-------------+----------------+ | index | service id | telnet port | dest ip +=======+============+=============+================+ 2050 | 192.168.2.201 +-------+------------+-------------+----------------+ [/] terminal-server connections show...
  • Page 373: Example Networking

    Example Networking Left Switch 1. Create a VLAN for the service. Port ge 0/3 must also be a member. vlan 100 ports fastethernet 0/2 gigabitethernet 0/3 exit interface fastethernet 0/2 no shut...
  • Page 374 [/]terminal-server serial-tunnel create service-id 1 remote-address 172.18.212.230 []commit Right Switch 1. Create a VLAN for the service. Port ge 0/3 must also be a member. vlan 100 ports fastethernet 0/1-2 gigabitethernet 0/3 untagged fastethernet 0/2...
  • Page 375: Modbus Gateway

    Modbus Gateway The IS5 Communications capability to gateway Modbus RTU to Modbus TCP is yet another benefit for industrial applications. The switch allows connecting an RS232 Modbus RTU and gatewaying it to a remote Modbus TCP client (SCADA) over Ethernet.
  • Page 376: Modbus Gateway Commands Description

    modbus-gw show-gw-list connection [clear | show] counters clear-id {gw-id <1-5>} {unit-id <1-255>} clear-port {slot 1 port <1-4>} show-by-id {gw-id <1-5>} {unit-id <1-255>} show-by-port {slot 1 port <1-4>} debug map-units-on-bus-show slot 1 port <1-4>...
  • Page 377: Example

    Command Description History Show: Show the latest reply from each unit and the time in seconds since that connection. Per gateway instance. Clear: Clear the history table. Per gateway instance. Mapping Map a new gateway instance address-prefix: an IP address of an available ACE interface.
  • Page 378 1. Set switch host name (optional) set host-name Gateway 2. Set service VLAN. Gigabitethernet 0/3 must be a tagged member. config vlan 40 ports fastethernet 0/1 gigabitethernet 0/3 untagged fastethernet 0/1 exit...
  • Page 379 +------+------+----------+----------+----------+----------+ [modbus-gw/] counters show-by-id gw-id 4 gwid:4 unit id:65535 +----+---------+----------+----------+----------+----------+ | Gw | Unit Id | Rx valid | Rx error | Tx valid | Tx error | +====+=========+==========+==========+==========+==========+ +----+---------+----------+----------+----------+----------+ +------+------+----------+----------+----------+----------+ | Slot | Port | Rx valid | Rx error | Tx valid | Tx error |...
  • Page 380: DNP3 Gateway

    DNP3 Gateway DNP3 (Distributed Network Protocol) is an important protocol set used in SCADA applications. The IS5 Communications switch supports gateway functionality between a DNP3 TCP client (master) and a DNP3 serial RTU. Configuration of a DNP3 gateway is made using the terminal server feature with the protocol's well-known TCP port 20000.
  • Page 381 3. Assign management IP (optional) interface vlan 40 shutdown ip address 192.168.40.1 255.255.255.0 no shut 4. Access the ACE mode application connect 5. Assign IP interface for the gateway router interface create address-prefix 192.168.40.10/24 vlan 40 purpose application-host 6.
  • Page 382: Protocol Gateway IEC 101 To IEC 104

    Protocol Gateway IEC 101 to IEC 104 The IS5 Communications switch, using its application module, implements the gateway from IEC101 serial devices to the IEC104 IP protocol. The IEC101 and IEC104 protocols are fully integrated in the application module, allowing the IEC101 slave devices to be represented as an IEC104 server in the IP network and to be addressed as such by IEC104 clients located anywhere in the network.
  • Page 383: IEC101/104 Gateway Properties IEC 101

    IEC101/104 Gateway properties IEC 101 System role: Controlling station definition (Master). Network configuration: Point-to-point; Multiple point-to-point; Multipoint-party line (planned). Physical layer: Transmission speed in monitor & control direction: 300 – 38400bps ...
  • Page 384: IEC101/104 Gateway Configuration

    Three octets; Structured; Unstructured. Cause of transmission: One octet; Two octets (with originator address). IEC101/104 Gateway Configuration A gateway setup configuration should include the following parameters: ...
  • Page 385: Gateway 101/104 Configuration Flow

    Set static or dynamic routing if needed to reach the IEC 104 client. Verify by the following methods: Successful ping between the IEC 104 client (SCADA) and the iSG18GFP ACE interface. IEC 104 connection established. Use the command “iec101-gw show all” to verify the connection at the switch.
  • Page 386: Gateway 101/104 Commands Hierarchy

    Verify that the IEC properties are consistent between the gateway and the RTU (CA, LA, CA length, LA length, COT). Gateway 101/104 Commands Hierarchy + application connect router interface {create | remove} address-prefix <IP address>/<netmask>...
  • Page 387: Gateway 101/104 Commands

    iec101 [add_ioa_trans | remove_ioa_trans] slot <1> port <1-4> src_ioa {a1-a2-a3| a1-a2| a} trans_ioa {a1-a2-a3| a1-a2| a} iec104 {update | remove} {ip_addr <>} [clock_sync <n|y>] [orig_addr <>] <30sec,[1-255]>] <15sec,[1-255]>] <10sec,[1-255]>] <20sec,[1- 255]>] Gateway 101/104 Commands...
  • Page 388 Command Description depending on whether ‘common_address_field_length’ is set to one byte or two. link_addr: Should be configured as the link address of the 101 slave. A decimal value of 1-255 or 1-65534 is allowed depending on whether ‘link_address_field_length’...
  • Page 389: Example Gateway 101/104

    Example Gateway 101/104 The example below demonstrates an IEC 101 server (slave) – IEC104 client (SCADA) service using the iSG18GFP as the gateway. The settings for IEC101 include the serial link properties and the RTU 101 parameters for Common Address, Link Address and so on.
  • Page 390 Create a VLAN for the service. Port gigabitethernet 0/3 must also be a member. Config vlan 2 ports fastethernet 0/1 gigabitethernet 0/3 untagged fastethernet 0/1 exit interface fastethernet 0/1 switchport pvid 2 exit 2.
  • Page 391 [/] iec101-gw show iec101 state slot 1 port 1 Connection state at slot 1 and port 1 is [/] iec101-gw show all 101-104 ROUTER BALANCED MODE IEC 104: +----------------+------------+------------+----------+----+----+----+----+ | ORIG. ADDR | CLOCK SYNC | TIME TAG | T0 | T1 | T2 | T3 | +================+============+============+==========+====+====+====+====+ | 192.168.2.201...
  • Page 392: VPN

    When a distributed operational network uses public transport links for inter-site connectivity, the traffic must be encrypted to ensure its confidentiality and integrity. The IS5 Communications switches support such a VPN (Virtual Private Network) connection using GRE tunnels (RFC 2784) over an IPSec encrypted link.
  • Page 393: Layer 3 DM-VPN

    6. Layer 2 protection protocols such as G.8032 and RSTP are supported to allow protection between a VPN uplink and a second uplink. Main advantages: 1. Easy to configure and maintain 2. Users connected at remote ends of the tunnel maintain layer 2 connectivity, sharing the same VLAN and subnet.
  • Page 394: L3 DM-VPN Commands Hierarchy

    Command Description Application connect Enter the industrial application menu L2-vpn Enter the tunnel configuration nhrp For cellular application only Hub show For cellular application only show: show IP of currently connected cellular spokes...
  • Page 395: L3 IPSec-VPN Commands Hierarchy

    cache-show {enable | disable} log-show route-show show protection-group {create | update | remove} {name <>} [default-route <yes,no|yes> wait-to-restore <0-1440>] show L3 IPSec-VPN Commands Hierarchy + root application connect ipsec-vpn tunnel {show | create | remove} create {name <>}...
  • Page 396: IPSec

    IPSec Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet of a communication session. The IPSec protocol suite includes the modules described in this chapter.
  • Page 397: IKE

    First, an initial protocol exchange allows a basic set of security attributes to be agreed upon. This basic set provides protection for subsequent ISAKMP exchanges. It also indicates the authentication method and key exchange that will be performed as part of the ISAKMP protocol.
  • Page 398 1. Detail the preshared IDs of the VPN members and specify the ID of the local unit iSG18GFP#application connect ipsec isakmp update authentication-method pre_shared_key ipsec preshared create id SA.iS5 Communications.com key secretkey ipsec preshared create id SB.iS5 Communications.com key secretkey ipsec isakmp update my-id SA.iS5 Communications.com...
  • Page 399 The above configuration example will result in the following show output.
  • Page 400 RSA Signatures (X.509) Uses a digital certificate authenticated by an RSA signature. The user is required to generate certificates from a trusted source and to import them to the VPN parties (hubs, spokes).
  • Page 401 The above configuration example will result in the following show output.
  • Page 402 Exchange Modes Main Main mode is the more secure option for phase 1 as it provides identity protection. Session flow: The session begins with the initiator sending a proposal to the responder describing which encryption and authentication protocols are supported, the lifetime of the keys, and whether phase 2 perfect forward secrecy should be implemented.
  • Page 403: ISAKMP Phase 2

    Modes The common mode used between end stations supporting IPSec (the VPN parties) is called Transport mode. This is the mode supported by IS5 Communications. Perfect forward secrecy (PFS) PFS is part of the key agreement session and its purpose is to ensure that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.
  • Page 404: IPSec Command Association

    Symmetric algorithm: Triple Data Encryption Algorithm (3DES), which comprises three DES keys, K1, K2 and K3, each of 56 bits. Life time: Soft – hard coded. At this threshold value the IKE starts a new phase 2 exchange.
  • Page 405: IPSec Commands Hierarchy

    IPSec Commands Hierarchy + root rsA-signature import {flash:<file name> | sftp://<user:password>@<ip>/<file_name> | tftp://<ip>/<file_name> } show rsA-signature list application connect ipsec {enable | disable} flush-sa proto {ah | esp | ipsec | isakmp} rsa-signature activate {crt-file <file name>...
  • Page 406: IPSec Commands

    IPsec Commands Command Description rsA-signature import Import the X.509 certificate file and key file to the application from a connected USB drive or TFTP/SFTP servers. These files are mandatory for IPSec to encrypt using X.509 certificates.
  • Page 407 Command Description exchange process. The higher the group number, the stronger the key and the greater the security. Options: none modp768 modp1024 (default) modp1536 modp2048 modp3072 modp4096 modp6144 modp8192 dpd-delay Dead Peer Discovery delay: defines the interval between consecutive keep-alive messages.
  • Page 408 Command Description None: the unit's own preshared ID will be the default IP interface. Address: this option is not supported in the current version. fqdn: the unit's own preshared ID will be in domain name format.
  • Page 409 Command Description This allows the key management system to negotiate a new SA before the hard lifetime expires. Permissible values are 1-99 and represent a percentage. soft lifetime = <1-99> * hard lifetime / 100 rsa-sig-name...
  • Page 410: IPSec Defaults

    IPSec defaults
  • Page 411: GPRS/UMTS Interface

    IP from the ISP. Hardware Hub – an IS5 Communications switch iSG18GFP with application card installed and configured, or an iSG18GFP switch. The Hub requires a fixed connection to the internet with a static, public IP address assigned to its Application interface.
  • Page 412: Method Of Operation

    Method of operation At the spoke side, a simple configuration of the cellular modem is enough to have the spoke approach the ISP to retrieve an IP address using the known link protocol PPP. Authentication against the ISP is made using the SIM cards and the PAP protocol.
  • Page 413 Not available at the slot; Cellular modem is not enabled; Cellular modem is under refresh state; Modem malfunction. 2. Disabled – The modem is enabled but the SIM was not configured.
  • Page 414: Backup And Redundancy

    Backup and redundancy Backup between ISPs (SIM cards watchdog) A properly configured SIM card along with a proper ISP service is indicated by the modem as “ready” state. If connected, the SIM card slot is indicated as “connected”.
  • Page 415 Figure 11: Primary active Backup between Interfaces (between GSM or physical interface) A GSM link is by nature a high cost path with significantly lower bandwidth than a physical channel.
  • Page 416 Figure 13: L3 protection Figure 14: resilient networking between VPN paths Modem conditional reload In case the modem is continuously unsuccessful in establishing a connection and retrieving an IP from the ISP, a reload of the switch can be triggered.
  • Page 417: GPRS/UMTS Commands Hierarchy

    GPRS/UMTS Commands Hierarchy + root + application connect Cellular + continuous-echo {create | update} {name <>} {dest-ip-address <ip address>} [loss-threshold <50,10-99>] [num-of-requests <3,1-100>] [rtt-threshold < 5000msec(1,000-20,000)>] [interval (60sec<1-1440>)] [request-size (100bytes<64-1500>)] remove {dest-ip-address <ip address>}...
  • Page 418: GPRS/UMTS Commands Description

    GPRS/UMTS Commands Description Command Description Application connect Enter the industrial application menu Cellular Enter the configuration mode for the Cellular application Enable: enable application Disable: disable application continuous-echo Configure an ICMP traffic test to validate network connectivity to a remote host.
  • Page 419 Command Description Modem Power-up: power the modem Power-down: shut down the modem Send command at+cgsn: retrieve the IMEI identifier of the modem. The modem must be enabled for these commands to take effect.
  • Page 420: Default State

    Command Description Wan update Sim-slot: location of the SIM to be configured, 1 or 2. Admin-status: enable/disable the SIM card. Apn-name: as given by the network provider. operator-name: operator name (text) Pin: as given by the network provider.
  • Page 421: Example For Retrieving The IMEI

    disable disable enable Ready enable not present Blink 1 Hz enable Failed Blink 1 Hz enable PIN lock Blink 1 Hz enable enable PUK lock Blink 1 Hz enable connecting enable connected...
  • Page 422
  • Page 423: Example Cellular Watch Dog

    Example Cellular Watch Dog In the example below we configure a watchdog for the cellular modem and see how the SIM status changes due to the failed test of the watchdog.
  • Page 424 4. Status of SIM card connection 5. Adding a second test for the watchdog. This time the destination address is reachable. [cellular/continuous-echo/] create name destination_2 dest-ip-address 80.74.102.38 loss-threshold 20 num-of-requests 3 interval 2 request-size 64 In the next screenshot we see that although the remote IP 80.74.102.38 is accessible, the echo request result did...
  • Page 425
  • Page 426: Discrete IO Tunneling

    Discrete signals are very common in industrial applications for monitoring alarms and indications from the field side. The IS5 Communications switch provides a feature for tunneling these channels over the IP network. The status of the digital input is made available as a digital output at the remote end point configured by the user.
  • Page 427: Services

    Services 2 services are available at the application card. The relation between the services and the physical connection is as follows: Service ID 1: relates to either digital input 1 (terminals 6,4) or digital output 1 (terminals 1,3).
  • Page 428: Discrete IO Tunneling Commands Hierarchy

    The above mentioned power limitations should not be exceeded. The maximum current allowed at the contacts is 1A. Discrete IO tunneling Commands Hierarchy + root + application connect discrete service create service <id> direction <in|out> remote-address <ip address>...
  • Page 429: VPN Setup Examples

    VPN Setup Examples L2 VPN over Layer 3 cloud The following example demonstrates the proper configuration of GRE over a layer 3 cloud. Concept: Maintaining virtual LAN, layer 2 connectivity between two remote sites connected over a layer 3 cloud.
  • Page 430 ip address 172.18.212.100 255.255.255.0 no shutdown exit 2. Create vlans: vlan 17 ports fastethernet 0/1 exit vlan 18 ports fastethernet 0/2 exit vlan 1 no ports fastethernet 0/1-2 untagged fastethernet 0/1-2 write startup-cfg SWITCH A 1.
  • Page 431 Disable RSTP shutdown spanning-tree no spanning-tree write startup-cfg 4. Configure the tunnel: iSG18GFP#application connect [/] router interface create address-prefix 172.17.203.220/24 vlan 17 purpose application-host [router/] static router/static> enable router/static# configure terminal router/static(config)# ip route 172.18.212.0/24 172.17.203.100...
  • Page 432: Implementing IPSec

    SWITCH A 1. Configure IPSec: iSG18GFP#application connect ipsec isakmp update my-id SA.iS5 Communications.com ipsec preshared create id SA.iS5 Communications.com key secretkey ipsec preshared create id SB.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre
  • Page 433: L3 IPSec VPN Over Layer 3 Cloud

    SWITCH B 1. Configure IPSec: iSG18GFP#application connect ipsec isakmp update my-id SB.iS5 Communications.com ipsec preshared create id SA.iS5 Communications.com key secretkey ipsec preshared create id SB.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
  • Page 434: Configuration

    Configuration ROUTER (iSG18GFP switch) 1. Create IP Interfaces: config interface vlan 20 ip address 172.18.20.100 255.255.255.0 no shutdown exit interface vlan 30 ip address 172.18.30.100 255.255.255.0 no shutdown exit 2. Create vlans:...
  • Page 435 interface fastethernet 0/4 switchport pvid 20 exit 4. Assign switch management IP interface (not mandatory) interface vlan 10 shut ip address 192.168.10.10 255.255.255.0 no shut exit 5. Assign static route so switch management will be routable over the VPN ip route 192.168.0.0 255.255.0.0 192.168.10.1...
  • Page 436 exit write startup-cfg SPOKE 1. Set switch host name (not mandatory) set host-name spoke 2. Disable spanning tree and remove the ports to be used in the VPN from default vlan 1...
  • Page 437: L2 VPN Over Cellular Setup

    router interface create address-prefix 172.18.30.20/24 vlan 30 purpose general description wan 8. Assign the IPSec tunnel ipsec-vpn tunnel create remote-address 172.18.20.10 address-prefix 10.10.10.20/24 lower-layer-dev eth1.30 name test 9. Assign routes for the remote user network (192) and for the public network (172)
  • Page 438 1. The ISPs (Orange, Vodafone) should provide the Spoke, following SIM card authentication, with a publicly accessible IP address. In the example below the valid IP 212.8.101.10 was issued to the Spoke Vodafone SIM card by Vodafone.
  • Page 439 Network drawing L2 VPN, iSG18GFP cellular spoke - iSG18GFP hub Spoke 1. Disable spanning tree config shutdown spanning-tree no spanning-tree 2. Enable MAC learning on the application port gigabitethernet 0/4 interface gi 0/4...
  • Page 440 [/] l2-vpn nhrp spoke update private-ip 10.10.10.10 remote-ip 80.74.102.38 commit exit 9. IPSec configuration ipsec isakmp update my-id RTU1.iS5 Communications.com ipsec preshared create id HUB.iS5 Communications.com key secretkey ipsec preshared create id RTU1.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
  • Page 441 1. Disable spanning tree Config ethernet no spanning tree 2. Create vlan NNI to direct traffic from the PC to the application. Port 1/3/1 must be a tagged member of this vlan.
  • Page 442: Testing The Setup

    +----------------+--------+----------------+-----+--------+ 5. IPSec Configuration application connect ipsec isakmp update my-id HUB.iS5 Communications.com ipsec preshared create id HUB.iS5 Communications.com key secretkey ipsec preshared create id RTU1.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
  • Page 443: Gateway 101/104 Over L2 Cellular Setup

    Gateway 101/104 over L2 Cellular Setup The network below demonstrates a Spoke – Hub topology. The Spoke is equipped with 2 SIM cards, allowing it to operate via Orange or Vodafone depending on the RSSI values.
  • Page 444 Network drawing Gateway over cellular VPN Spoke 1. Disable spanning tree config shutdown spanning-tree no spanning-tree 2. Enable MAC learning on the application port gigabitethernet 0/4 interface gigabitethernet 0/4 switchport unicast-mac learning enable exit 3.
  • Page 445 shutdown ip address 192.168.10.119 255.255.255.0 no shutdown write startup-cfg 5. Enabling cellular application mode Application connect cellular enable cellular settings update default-route yes 6. Wan update menu, SIM card configuration – slot 1...
  • Page 446 []exit 11. IPSec configuration iSG18GFP#application connect ipsec isakmp update my-id HUB.iS5 Communications.com ipsec preshared create id HUB.iS5 Communications.com key secretkey ipsec preshared create id RTU1.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
  • Page 447 Completed OK 5. IPSec Configuration iSG18GFP#application connect ipsec isakmp update my-id RTU1.iS5 Communications.com ipsec preshared create id HUB.iS5 Communications.com key secretkey ipsec preshared create id RTU1.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
  • Page 448: Terminal Server And Serial Tunneling Over L2 Cellular Setup

    Terminal Server and Serial tunneling over L2 Cellular Setup The network below demonstrates a Spoke – Hub topology. Implementation concepts: 1. The ISPs (Orange, Vodafone) should provide the Spoke, following SIM card authentication, with a publicly accessible IP address.
  • Page 449 Network drawing Terminal server and serial tunneling over cellular VPN Spoke 1. Disable spanning tree shutdown spanning-tree no spanning-tree 2. Enable MAC learning on the application port gigabitethernet 0/4 interface gi 0/4...
  • Page 450 write startup-cfg 5. Enabling cellular application mode Application connect cellular enable cellular settings update default-route yes 6. Wan update menu, SIM card configuration – slot 1 cellular wan update sim-slot 1 admin-status enable apn-name internet operator-name orange pin 4102 user-name orange password orange 7.
  • Page 451 []exit 13. IPSec configuration application connect ipsec isakmp update my-id HUB.iS5 Communications.com ipsec preshared create id HUB.iS5 Communications.com key secretkey ipsec preshared create id RTU1.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
  • Page 452 write startup-cfg Configuration of the IP interface at the application. The NAT router must direct all traffic destined to its address 212.8.101.10 towards 172.18.212.230. iSG18GFP#application connect [/] router interface create address-prefix 172.18.212.230/24 vlan 10 purpose...
  • Page 453: L3 DM-VPN Over Cellular Setup

    IPSec Configuration iSG18GFP#application connect ipsec isakmp update my-id RTU1.iS5 Communications.com ipsec preshared create id HUB.iS5 Communications.com key secretkey ipsec preshared create id RTU1.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
  • Page 454: Network Drawing

    Network drawing Figure 15 : L3 VPN, cellular spoke - iSG18GFP hub Configuration Spoke 1. Create VLAN UNI 40 to direct traffic from the PC to the application. Port gigabitethernet 0/3 must be a tagged member of this VLAN.
  • Page 455 8. IPSec configuration iSG18GFP#application connect []ipsec isakmp update my-id RTU1.iS5 Communications.com []ipsec preshared create id HUB.iS5 Communications.com key secretkey []ipsec preshared create id RTU1.iS5 Communications.com key secretkey []ipsec isakmp update id-type fqdn []ipsec policy create protocol gre []ipsec enable...
  • Page 456 Interface 192.168.10.1 allows management of the switch over this VLAN via the tunnel. VLAN 20 is towards the router. vlan 10 ports fastethernet 0/1 gigabitethernet 0/3 untagged fastethernet 0/1 exit...
  • Page 457: Testing The Setup

    7. IPSec configuration iSG18GFP#application connect ipsec isakmp update my-id HUB.iS5 Communications.com ipsec preshared create id HUB.iS5 Communications.com key secretkey ipsec preshared create id RTU1.iS5 Communications.com key secretkey ipsec isakmp update id-type fqdn ipsec policy create protocol gre ipsec enable...
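The IPsec blocks on pages 451, 453, 455 and 457 all use the placeholder pre-shared key secretkey, and the same key for both the HUB and RTU1 identities. The Python script below is an added example, not part of the manual or of iS5 firmware: it audits a saved configuration for weak or shared pre-shared keys and rewrites the `ipsec preshared create` lines with a distinct random key per identity. The line syntax is taken from the manual's examples; the minimum length, the weak-key list, the sample configuration and the assumption that the device accepts URL-safe base64 characters in a key are mine.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample, reproducing the pre-shared key lines that the manual's
# hub/spoke examples use verbatim (placeholder key "secretkey" on every identity).
SAMPLE_CONFIG = """\
ipsec isakmp update my-id HUB.iS5 Communications.com
ipsec preshared create id HUB.iS5 Communications.com key secretkey
ipsec preshared create id RTU1.iS5 Communications.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
ipsec enable
"""

# Syntax as shown in the manual: "ipsec preshared create id <identity> key <key>".
PSK_LINE = re.compile(r"^ipsec preshared create id (?P<id>.+?) key (?P<key>\S+)\s*$")

MIN_PSK_LEN = 20  # assumption: local policy threshold, not a device limit
WEAK_KEYS = {"secretkey", "password", "12345678", "admin"}  # constructed list


def find_psks(config_text):
    """Return [(identity, key), ...] for every preshared-key line in the config."""
    found = []
    for line in config_text.splitlines():
        m = PSK_LINE.match(line.strip())
        if m:
            found.append((m.group("id"), m.group("key")))
    return found


def audit_psks(config_text):
    """Map each identity to a list of findings; an empty list means the key passed."""
    psks = find_psks(config_text)
    identities_by_key = defaultdict(list)
    for ident, key in psks:
        identities_by_key[key].append(ident)

    findings = {}
    for ident, key in psks:
        problems = []
        if key.lower() in WEAK_KEYS:
            problems.append("dictionary/placeholder key")
        if len(key) < MIN_PSK_LEN:
            problems.append(f"shorter than {MIN_PSK_LEN} characters")
        others = [i for i in identities_by_key[key] if i != ident]
        if others:
            # One key for every peer means one compromised RTU exposes the hub
            # and every other spoke that shares it.
            problems.append("key shared with " + ", ".join(others))
        findings[ident] = problems
    return findings


def generate_psk(nbytes=24):
    """Random key from the OS CSPRNG, URL-safe base64 (32 chars for 24 bytes).
    Assumption: the device accepts letters, digits, '-' and '_' in a key."""
    return secrets.token_urlsafe(nbytes)


def rewrite_psk_lines(config_text, keymap=None):
    """Replace the key on every preshared line with a per-identity random key.

    keymap (identity -> key) is filled in on first use and returned, so the
    same mapping can be applied to the hub and to each spoke: both ends of a
    tunnel must hold the same key for a given identity.
    """
    keymap = {} if keymap is None else dict(keymap)
    out = []
    for line in config_text.splitlines():
        m = PSK_LINE.match(line.strip())
        if m:
            ident = m.group("id")
            keymap.setdefault(ident, generate_psk())
            line = f"ipsec preshared create id {ident} key {keymap[ident]}"
        out.append(line)
    return "\n".join(out) + "\n", keymap


if __name__ == "__main__":
    for ident, problems in audit_psks(SAMPLE_CONFIG).items():
        print(ident, "->", "; ".join(problems) or "OK")
    fixed, keys = rewrite_psk_lines(SAMPLE_CONFIG)
    print(fixed)
```

Run the audit over the hub configuration first, then feed the returned keymap into `rewrite_psk_lines` for each spoke so that the HUB and RTU1 entries carry identical keys on every device; re-running the audit on the rewritten text should report no findings.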
  • Page 458: Adding A Terminal Server Service

    Adding a terminal server service Spoke : 1. Create the serial port application connect serial port create slot 1 port 1 serial local-end-point create slot 1 port 1 service-id 1 application terminal-...
  • Page 459 []serial local-end-point create slot 1 port 4 service-id 2 application serial-tunnel position slave []serial remote-end-point create remote-address 192.168.10.10 service-id 2 position master commit Testing the setup: 1. From the SCADA send serial traffic over its COM port.
  • Page 460: Application Aware Firewall

    Firewall Service flow For a protocol flow to be inspected by the firewall, the following is carried out by the iS5 Communications NMS, iSIM. ...
  • Page 461: Supported Hardware

    Supported Hardware Articles whose names include "S" include the firewall capability with no further licensing required... IS5-ISG18GFPS-<P>-<T>/<E>/<PE>/<R>/<C> Articles whose names do not include "S" do not support this capability and are not upgradable.
  • Page 462: Example

    Example Below is an example of a configuration made by iSIM. Set the VLAN for the service. Tag the target ports and the application firewall port Gi 0/4. config vlan 3500 port add Fa 0/1 untagged Fa 0/1...
  • Page 463 mac access-group 2998 in exit Place the ACLs on the Server port interface Fa 0/2 ip access-group 2003 in ip access-group 1006 in mac access-group 1001 in mac access-group 2998 in exit write startup-cfg Create the firewall.rules file...
  • Page 464: Firewall Commands Hierarchy

    Firewall Commands Hierarchy + root application connect firewall + profile - show import tftp {[filename <>] | [remote-host <ip>]} - log {show [lines-to-show(1000,<>)] |clear} + tcp - show - activate mode {disabled...
  • Page 465 Command | Description
    create | update
      name : name of the test (text)
      dest-ip-address : IP address of a reachable (routable) host. Format aa.bb.cc.dd
      rtt-threshold : round-trip threshold in msec. <1,000-20,000>...