ComNet Reliance RL1000GW Installation and Operation Manual

Small Form Factor Substation-Rated Secure Ethernet Layer 3 Router/Gateway with Optional 2G/3G/4G LTE Cellular Radio Link, and 100/1000 Mbps SFP Uplink Port
INSTALLATION AND OPERATION MANUAL
RL1000GW
Small Form Factor Substation-Rated Secure Ethernet
Layer 3 Router/Gateway with Optional 2G/3G/4G LTE Cellular
Radio Link, and 100/1000 Mbps SFP Uplink Port
ComNet product series RL1000GW are substation-rated and industrially hardened layer 3 router/gateways, with a unique and highly robust packet processing SCADA-aware security firewall for the most mission-critical and demanding cyber-security applications. The RL1000GW is intended for deployment in environments where high levels of electromagnetic noise and interference (EMI) and severe voltage transients and surges are routinely encountered, such as electrical utility substations and switchyards, heavy manufacturing facilities, track-side electronic equipment, and other difficult out-of-plant installations. Layer 3 routing functionality allows for the participation and foundation of a core network infrastructure. The compact-sized DIN-rail mountable RL1000GW is ideally suited to those installations and applications where space may be limited. These features make the RL1000GW an effective platform for deploying a secure communications and networking gateway for remote electrical utility sites, and other critical infrastructure applications.

The RL1000GW is an ideal platform for deploying a secure communications and networking gateway for remote electrical utility sites, and other critical infrastructure applications.

Summary of Contents for ComNet Reliance RL1000GW

  • Page 1 Layer 3 Router/Gateway with Optional 2G/3G/4G LTE Cellular Radio Link, and 100/1000 Mbps SFP Uplink Port ComNet product series RL1000GW are substation-rated and industrially hardened layer 3 router/gateways, with a unique and highly robust packet processing SCADA-aware security firewall for the most mission-critical and demanding cyber-security applications.
  • Page 2: Table Of Contents

    INSTALLATION AND OPERATION MANUAL RL1000GW Contents About This Guide Intended Audience Related Documentation About ComNet Website Support Safety Overview Introduction Key Features Hardware and Interfaces Graphic View of Hardware Distance kept for natural air flow Logical Structure Grounding Connecting to a Power Source...
  • Page 3 Login and Management Serial Console Port Connecting to the Console Port CLI Terminal Commands Management Default state Commands Hierarchy Commands Description IP Interfaces Interface Assignment Rules IP interface id IP interface VLAN id IP Interface Commands Hierarchy IP Interface Commands Description Example Diagnostic...
  • Page 4 Clock and Time Local Clock TACACS Default Configurations TACACS Command Hierarchy TACACS Commands Descriptions Configuration Example ACLs Flow of ACL Inspection Comments Example ACL Commands Hierarchy ACL Commands Descriptions Configuration Example QOS Commands Hierarchy QOS Commands Descriptions Networking NAT Commands Hierarchy NAT Commands Description...
  • Page 5 Declaration of ports Default State RS-232 Port Pin Assignment RS-232 Serial cable RS-485 Port Pin Assignment LED States Transparent Serial Tunneling Concept of Operation Supported Network topologies Point to multipoint point Multi Point to multipoint point Modes of Operation Reference drawing Serial Traffic Direction...
  • Page 6 Modbus Gateway Implementation Modbus Gateway Commands Hierarchy Modbus Gateway Commands Description Example DNP3 Gateway Example Background Modes supported Layer 3 DM-VPN Layer 3 IPSec-VPN DM-VPN Commands Hierarchy IPSec-VPN Commands Hierarchy IPSec Applications Authentication Header (AH) Encapsulating Security Payload (ESP) Security Associations ISAKMP...
  • Page 7 Default State LED States Example for retrieving the IMEI Example for Sim Status Discrete IO Channels Discrete channel interface Technical data Discrete IO Channels Commands Hierarchy Discrete IO Channels Commands VPN Setup Examples DM-VPN Setup Network drawing DM-VPN over Cellular Setup Network drawing...
  • Page 8: About This Guide

    (including monetary losses), that might arise from the use of this document or the information in it. This document and the product it describes are the property of ComNet, which is the owner of all intellectual property rights therein, and are protected by copyright according to the applicable laws.
  • Page 9: Related Documentation

    » SFP Modules Data sheet About ComNet ComNet develops and markets the next generation of video solutions for the CCTV, defense, and homeland security markets. At the core of ComNet’s solutions are a variety of high-end video servers and the ComNet IVS software, which provide the industry with a standard platform for analytics and security management systems enabling leading performance, compact and cost effective solutions.
  • Page 10: Overview

    The ComNet Service-aware Industrial Ethernet routers combine a ruggedized Ethernet platform with a unique application-aware processing engine. As an Industrial Ethernet router, the ComNet RL1000GW provides a strong Ethernet and IP feature set with a special emphasis on fitness for the mission-critical industrial environment: suitability for harsh environments, high reliability and network resiliency.
  • Page 11 Seamless & Reliable Connection to Any Network The RL1000GW provides connectivity to any copper, fiber optic, or cellular radio-based Ethernet network. Fiber optic networks are supported by the use of the optional 100/1000FX SFP uplink port.
  • Page 12 (PCAP) of the session. Before a user is allowed access to the network, they must log in to ComNet’s internal authentication process with their unique user name and password. Upon validation of the user profile, specific access is granted to predefined devices and functions, and each operation is logged.
  • Page 13 High levels of cyber-security experience are not required to successfully deploy the RL1000GW. It is fully supported by ComNet’s Reliance Product Configuration Utility and CLI, allowing the secure switch/router to be easily configured, and to diagnose network and security functions.
  • Page 14: Hardware And Interfaces

    Hardware and Interfaces Depending on the RL1000GW hardware variant ordered, your router will hold physical Ethernet and Serial ports. » Serial, RJ45 ports are RS-232. Max 2 ports » Serial, RJ45 ports are RS-485. Max 1 port »...
  • Page 15 Conformal Coat Add suffix ‘/C’ for Conformally Coated Circuit Boards to extend to condensation conditions SFP Modules¹ User selection of ComNet SFP (See SFP Modules data sheet for product numbers and compatibility) DINBKT3 19-inch rack mount panel adapter TECH SUPPORT: 1.888.678.9427...
  • Page 16: Graphic View Of Hardware

    Graphic View of Hardware Figure 2 – RL1000GW Product Table 1 – RL1000GW Physical Feature Descriptions Call-out Description Manual Reference Antenna Female Connection – SIM Card Ports 1 - 2 Power and Run LED Indicators Console Interface, Link/Activity (L/A) and Speed LED Indicators RS-232 Ports 1 - 2, Link/Activity (L/A) and Speed LED Indicators 10/100 TX Port, Link/Activity (L/A) and Speed LED Indicators...
  • Page 17: Distance Kept For Natural Air Flow

    Distance kept for natural air flow Proper installation depends on natural air flow for cooling. You must maintain a 10 cm distance above and below the ComNet switch for proper air flow. Logical Structure Figure 4 - Logical system view, illustration...
  • Page 18: Connecting To A Power Source

    Connecting to a Power Source Wiring AC Input voltage connector For an AC product variant there is a single input connector. Use a Brown wire for the Line (Phase) conductor, a Green/Yellow for the grounding and a Blue wire for the Neutral conductor.
  • Page 19: Configuration Environment

    Configuration Environment A CLI based configuration environment is available for the user. Command Line Interface The CLI (Command Line Interface) is used to configure the RL1000GW from a console attached to the serial port of the router or from a remote terminal using SSH. The following table lists the CLI environments and modes.
  • Page 20: Supported Functionalities

    Supported Functionalities The RL1000GW is a feature-rich industrial router supporting: » L3 dynamic and static Routing. » SCADA services. » Firewall. » Secure networking. The table below gives a high level view of the supported features. Feature Set TFTP Ethernet ports...
  • Page 21 The table below details the RL1000GW planned features. Group Feature Interfaces Cellular modem with 2 SIM cards FE RJ45 Ports Fiber Optic port Gigabit port RS 232 ports RS 485 4wire ports SFP Port Auto Crossing Auto Negotiation IEEE 802.3ab VLAN segregation Tagging IEEE 802.1q Backup / Restore running config...
  • Page 22 Group Feature Diagnostics Counters & statistics per Port Led diagnostics Ping RMON Serial Gateway IEC 101/104 gateway IEC 104 Firewall Serial Transparent Tunneling Terminal Server L3 mGRE DM-VPN System Default state The following table details the default state of features and interfaces. Feature Default state Ethernet Ports...
  • Page 23 Main Commands The Global Configuration Environment list of main CLI commands is shown below. + root + Router {interface | route |static |ospf |ip |rip} + cellular {connection | continuous-echo| disable |enable| modem| network| refresh| settings| show| wan} + commit + capture {delete |export |help |show |start |stop}...
  • Page 24: System Version And Data Base

    System Version and Data Base Configuration Database User configuration takes effect immediately upon entry. No specific COMMIT command is required. In order to have configuration changes available after a system reboot, a COMMIT must take place. The user can also export the running configuration as a file with a chosen name for backup, and import the file back to boot the system from when needed.
  • Page 25: Os Version

    OS VERSION Updating of the system version is available by TFTP/SFTP server or safe mode. Available OS files on the router can be seen with the command shown below. The running OS file is marked with “active”. RL1000GW#os-image show-list Versions list: RF_RL1000GW_4.0.02.67.tar (active) NOTE: The RL1000GW can hold a maximum of two OS image files on its disk.
  • Page 26: Example

    Example The following flow shows how to upgrade the OS image file and export the database. 1. Connect your PC via serial console cable to the RL1000GW console port 2. Create an IP interface over eth1 RL1000GW#router interface create address-prefix 172.18.212.231/24 physical-interface eth1 purpose application-host 3.
  • Page 27 6. Download the OS file from the TFTP server Command syntax: RL1000GW# os-image download download tftp://aa.bb.cc.dd/file_name Example: os-image download download-sw tftp://172.18.212.240/RF_RL1000GW_4.0.02.67.tar 7. Follow the download progress RL1000GW#os-image download-status In progress 3 MB RL1000GW#os-image download-status In progress 10 MB RL1000GW#os-image download-status...
  • Page 28: Safe Mode

    The screenshot below details the 2 safe mode menus and their options for: 1. system reset 2. Load the factory-default configuration for the device 3. Write to EEPROM (should be used only after consulting with ComNet) 4. Recover the device’s images from a package file 5. Export / Import DB (running configuration)...
  • Page 29: Safe Mode View

    Safe mode view For first safe mode Press ‘s’ ... PHY: fixed-0:02 - Link is Up - 100/Full ----------------------------------------------------------------------------------------- |safe mode menu: reset | 1 : Reset the device format | 2 : Format flash activate | 3 : Activate sw version on flash...
  • Page 30: Sw Image Installation

    SW Image Installation The following steps guide a first-time software installation. 1. Connect your PC via serial console cable to the RL1000GW console port 2. Reboot the unit and enter safe mode. Select option 4 ----------------------------------------------------------------------------------------- |safe mode menu: reset | 1 :...
  • Page 31 RF_RL1000GW_4.0.02.52.tar 8. OS-Image file will be downloaded and activated 01/01/70 00:03:18 downloading RF_RL1000GW_4.0.02.52.tar from server 10.10.10.6 to /opt/ComNet,try #1 ============25%===========50%===========75%=75%===========100%Version Download Complete OEM Ver RF_RL1000GW OEM NEW_VERSION RF_RL1000GW_4.0.02.52.tar Detected OEM 3 Veryfing sw version RF_RL1000GW_4.0.0252.tar...
  • Page 32: Ethernet Port Interfaces

    Ethernet Port Interfaces Depending on the variant ordered, your RL1000GW hardware may include the following Ethernet interfaces: Fast Ethernet, 10/100, copper RJ45. Included in all variants. » Referred to in CLI as eth1. Gigabit Ethernet, SFP SGMII. Optional ordering. »...
  • Page 33: Show Example

    Show example RL1000GW# port show interface-table port eth1 Interface ETH1 +------------------------+--------+-------------------------+-------+ Counter Name | Value Counter Name | Value | +========================+========+=========================+=======+ | In non-unicast packets | 2670 | Out non-unicast packets | +------------------------+--------+-------------------------+-------+ In unicast packets Out unicast packets +------------------------+--------+-------------------------+-------+ In errors packets...
  • Page 34 multicast Size 65-127 | 1239 +---------------+--------+----------------+-------+ align error Size 128-255 +---------------+--------+----------------+-------+ | dropped event | Size 256-511 +---------------+--------+----------------+-------+ fragmented | Size 512-1023 +---------------+--------+----------------+-------+ jabbers | Size 1024-1518 | +---------------+--------+----------------+-------+ TECH SUPPORT: 1.888.678.9427 INS_RL1000GW_REV– 15 Jul 2016 PAGE 34...
  • Page 35: Login And Management

    Login and Management Configuring the Login Authentication Method sets the authentication method for user logins. Default user of the system: » Name : su » Password : 1234 » Privileges : all » Available by: Console and Telnet. Serial Console Port Management over the serial console port is enabled by default.
  • Page 36: Cli Terminal Commands

    CLI Terminal Commands Following are commands related to the CLI terminal. + root - idle-timeout Management The router can be managed via the following methods: » IP based. » Serial console port. Default state Feature Default state Layer 3 interface No default IP No available...
  • Page 37: Commands Hierarchy

    Commands Hierarchy + root + reload - schedule date-and-time YYYY-MM-DD,HH:MM:SS - schedule every <180 – 604800 seconds > - schedule time HH:MM:SS - schedule in <0 – 604800 seconds > - cancel - show + users - modify username su password <password>...
  • Page 38: Commands Description

    Commands Description Command Description reload schedule date-and-time Set a specific date and time for router reload. Time format: YYYY-MM-DD,HH:MM:SS. Configuration which was not committed will not be available after reload! reload schedule every Set the time interval for cyclic automatic system reload. Permissible range in seconds is 180 –...
  • Page 39: Ip Interfaces

    IP Interfaces The RL1000GW supports multiple layer 3 interfaces, which can be set for the purposes of: » Routing. » Management. » Serial services. IP Interfaces The following services require assignment of an IP interface. » DHCP client »...
  • Page 40 » Each interface must be in a unique subnet. » Each interface must be associated with a physical interface, either eth1 or eth2. An interface cannot be associated with both. » Physical interfaces (eth1, eth2) may be associated with more than one IP interface. Tagged packets arriving at the port will be routed to the relevant VLAN IP interface.
  • Page 41: Ip Interface Id

    IP interface id When an IP interface is created without an explicitly assigned VLAN tag, it will not support VLAN tagging. Packets arriving inbound at the physical interface (eth1 or eth2 as assigned) that carry a VLAN tag will not be received by the IP interface. Packets originating from the IP interface (egress) will be sent without a VLAN tag.
  • Page 42: Ip Interface Commands Description

    - exit + dhcp {enable | disable |show} - enable physical-interface {eth1| eth2} - disable physical-interface {eth1| eth2} - show physical-interface {eth1| eth2} - interface show - route show IP Interface Commands Description Command Description Router Enter the router configuration mode interface...
  • Page 43: Example

    Example 1. Create an IP interface with vlan 1 and static route (default gateway). RL1000GW# router interface create address-prefix 10.10.10.100/24 vlan 5 purpose application-host physical-interface eth1 commit commit ok router interface show +----+------+--------+-------------------+------+------------------+--------------+----------- | Id | VLAN | Name IP/Subnet | Mtu...
  • Page 44 2. Create an IP interface without vlan id RL1000GW# RL1000GW#router interface create address-prefix 172.17.203.100/24 physical-interface eth2 purpose application-host commit commit ok RL1000GW#router interface show +----+------+--------+-------------------+------+------------------+--------------+----------- | Id | VLAN | Name IP/Subnet | Mtu Purpose | Admin status | Description | +====+======+========+===================+======+==================+==============+=====...
  • Page 45 Example 1. Enable DHCP on interface eth1 to retrieve an IP from a DHCP server RL1000GW# [/]router dhcp enable physical-interface eth1 [/]router interface show +------+------+-----+-----------+---------+-------------+ | VLAN | Name | Id | IP/Subnet | Purpose | Description | +======+======+=====+===========+=========+=============+ | N/A | eth1 | N/A |...
  • Page 46: Diagnostic

    Diagnostic System logs export The system logs can be exported to the flash drive as a time-conditioned task. Commands Hierarchy + Root + schedule - add task-name copy-logs [day |hour |minute |month |year] - remove task-name copy-logs - show Commands Description Command...
  • Page 47: Capture Ethernet Service Traffic

    Capture Ethernet service traffic The system supports sniffing and capturing of Ethernet traffic for selected service IP interfaces. This capability is important for diagnosing the network traffic of a service when debugging. Capturing is available for IP interfaces set at the ACE. Captures can be displayed at the terminal or exported to a user TFTP server.
  • Page 48 router interface show +------+--------+-----+-----------------+------------------+-------------+ | VLAN | Name | Id IP/Subnet Purpose | Description | +======+========+=====+=================+==================+=============+ | eth2.1 | N/A | 172.18.212.232/24 | application host | +------+--------+-----+-----------------+------------------+-------------+ 2. Start capture capture start -i eth2.1 capture show [capture/] show status capture is running 3.
  • Page 49: Syslog

    Syslog Syslog is a protocol used for capturing log information for devices on a network. The syslog protocol provides a transport to allow a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers. The protocol is simply designed to transport the event messages.
  • Page 50: The Priority Indicator

    The Priority indicator The Priority indicator is calculated as: Priority = 8 x facility_coefficient + severity_level. Facility | Coefficient | Priority: kernel messages | 0 | 0x8 + level; user-level messages | 1 | 1x8 + level; mail system | 2 | 2x8 + level; system daemons | 3 | 3x8 + level; security/authorization messages | 4 | 4x8 + level...
  • Page 51: Message Format

    Example: syslog message priority tag with facility local0. Level purpose | Numeric level | Priority (w. local0): emergencies | 16x8+0=128; alerts; critical; errors; warnings; notification; informational; debugging. Message Format The following describes the structure of syslog messages. Message severity Severity S indicator...
  • Page 52 Firewall TCP SCADA Protocols The following describes the ComNet structure of syslog messages generated by the firewall for IEC 104, DNP3 TCP and MODBUS TCP. Console message format The message format when sent to the CLI console is as follows,...
  • Page 53 [45,0]:FW PROTOCOL protcol type missmatch| (170 bytes) Firewall Serial SCADA Protocols The following describes the ComNet structure of syslog messages generated by the firewall for IEC 101, DNP3 RTU and MODBUS RTU. IP=IP_ADDR|SLOT=SLOT_NUMBER|PORT=PORT_NUMBER|DIR=DATA_MSG_DIR|LEN=DATA_MSG_LEN|PROTO=PROTOCOL_NAME|MSG=VIOLATION_DESCR|...
  • Page 54 Message fields description The following further describes the syslog message fields. Field Description VLAN_ID The VLAN number SRC_IP_ADDR The source IP address as a dotted string. SRC_IP_PORT The source IP port number DEST_IP_ADDR The destination IP address as a dotted string. DEST_IP_PORT The destination IP port number DATA_MSG_LEN...
  • Page 55 “DNP3 validity: unused” “DNP3 validity: unused” “DNP3 validity: unused” “DNP3 validity: unused” “DNP3 validity: MAX” SLOT_NUMBER Serial Slot number on ComNet equipment PORT_NUMBER Serial port number on ComNet equipment DATA_MSG_DIR The field defines data message direction. The following values are available: “access”, “network”,...
  • Page 56 DM-VPN logs The following describes the DM-VPN logs. Message fields description The following further describes the syslog message fields. Syslog message | Description: “NHRP Event:<NHS-UP|NHS-DOWN>,i/f=<MGRE IF NAME>,NHS=<address>” | Appears when NHS status changed in spoke, happens when...
  • Page 57 Syslog message | Description: “Both slots are below required threshold <RSSI>,<RSSI> (threshold=<Threshold>)” | Both slots are below required threshold. “<1|2> slot is above threshold as required <RSSI>>=<RSSI>. Other slot <RSSI>” | <1|2> slot is above threshold as required. “disconnected...
  • Page 58: Commands Hierarchy

    Serial Services logs The following describes the serial services logs. <STRING from the module> “connection with remote IP(<address>) for serial service id <SVC> is now resumed!!” “no connection with remote IP(<address>) for serial service id <SVC>” “no more missing data on Serial service id # <SVC>”...
  • Page 59: Output Example

    Output example A typical output of syslog at the console interface May 18 19:27:48 SmartSwitch user.warn kernel: Speed 100 Duplex 1 pause 0 May 18 19:27:48 SmartSwitch user.warn kernel: adjust_link Addr 1 link 0 speed 100 o 100 dup 1 o 1 May 18 19:27:48 SmartSwitch user.info kernel: PHY: mdio@ff724000:01 - Link is Down May 18 19:27:50 SmartSwitch user.warn kernel: adjust_link Addr 1 link 1 speed 100 o 0 dup...
  • Page 60: Discrete Io Channels

    Discrete IO Channels Discrete signals are very common in industrial applications to monitor alarms and indications from the field side. Monitoring the state of discrete input channels is supported by the RL1000GW. NOTE: Software support for the DI channels will be available from R5.0 Interfaces Connection terminals are as shown in the figure below.
  • Page 61: Technical Data

    Technical data At the digital inputs, connect a DC source in the 12 VDC range at terminals 6,4 for channel 1 or 5,4 for channel 2. Digital outputs are dry mechanical relay contacts. Maximum power to be applied at the contacts: AC: max 250 V, 37.5 VA.
  • Page 62: Clock And Time

    Clock and Time Local time set and update is available. Local Clock Commands Hierarchy + config terminal + date {[YYYY.]MM.DD-hh:mm[:ss] | hh:mm[:ss]} - date Commands Description Command Description Config terminal date {[YYYY.]MM.DD-hh:mm[:ss] | hh:mm[:ss]} Sets the current time and date. date Show the system time 1.
  • Page 63: Tacacs

    TACACS TACACS (Terminal Access Controller Access Control System), widely used in network environments, is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
  • Page 64: Tacacs Command Hierarchy

    TACACS Command Hierarchy +root - login authentication {local, local| tacacs-only| tacacs-local} - login authentication show + tacacs-server - add {host <a.b.c.d.>} {retries (1,<1-10>} [timeout <5,(1-255)>] {port <49,(1-65535)>} - remove {host <a.b.c.d.>} - tacacs-server default host {host <a.b.c.d.>} TACACS Commands Descriptions Command Description...
  • Page 65: Configuration Example

    Configuration Example 1. Set the authentication mode to tacacs RL1000GW# login authentication tacacs-local 2. Configure the server list RL1000GW# tacacs-server add host 192.168.1.250 key Ab11#59 retries 5 timeout 50 port 49 RL1000GW# tacacs-server add host 172.18.212.230 key Ab11#RF 3.
  • Page 66: Acls

    ACLs ACLs (Access Control Lists) filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. ACLs are used to block IP packets from being forwarded by a router. The router examines each packet to determine whether to forward or drop the packet, based on the criteria specified within the access lists.
  • Page 67: Acg

    » For an ACL to take effect on incoming packets, it must be applied to an interface. The assignment of an ACL to an interface is referred to as a Port Access Group (ACG). » An ACG assigns a specific ACL to an interface. »...
  • Page 68: Example

    Example The following example explains the ACL inspection flow. The PC is sending UDP packets. At interface eth1, ACGs intercept and examine the packets. The ACG with priority 10 takes effect first and examines the packet against the ACL 1050 rules. Rule 2, which has priority 50, will be the first to be examined.
  • Page 69 - deny udp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>] - permit icmp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} - deny icmp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>}...
  • Page 70: Acl Commands Descriptions

    ACL Commands Descriptions Command Description ip access-list extended This command enters the IP Access-list configuration mode. Create | delete acl-num <1001-65535> : the ACL main identifier. acl-name: optional name to describe the ACL. Redirect: redirect traffic to the SCADA firewall. <off| on> Permit |deny tcp| udp acl-num <1001-65535> : the ACL main identifier.
  • Page 71: Configuration Example

    Configuration Example Example 1 RL1000GW# ip access-list extended create acl-num 1010 RL1000GW# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip any dst-ip any RL1000GW# ip access-group apply acl-num 1010 interface eth1 direction in priority 10 Example 2 RL1000GW# ip access-list extended create acl-num 1010 RL1000GW# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip 192.168.1.250...
  • Page 72: Qos

    SCADA services still commonly use serial legacy hardware. For such applications, the RL1000GW supports services such as protocol gateway, serial tunneling and terminal server. These low-bandwidth applications may be of high importance to the utility process and require high network availability.
  • Page 73: Nat

    The RL1000GW routing package supports Static and Dynamic settings of Network Address Translation. Dynamic NAT settings allow LAN members to initiate sessions with targets located at the WAN. The NAT router (RL1000GW) will use its WAN IP interface as the new source IP of the session request, hiding the original private IP of the initiating LAN device.
  • Page 74: Nat Commands Hierarchy

    The PC will not be able to initiate sessions towards the Server. Sessions initiated by the Server towards the PC will be received by the PC and replies of the PC will be received at the Server. »...
  • Page 75: Nat Commands Description

    NAT Commands Description Command Description Access the nat configuration mode Dynamic Create| remove| show interface for dynamic NAT. Interface name: the IP interface on which to enable dynamic NAT. LAN packets egressing the router over this interface will have their ‘source ip’...
  • Page 76 2. Set ACE Interface for the WAN side router interface create address-prefix 192.168.10.11/24 physical-interface eth2 description WAN purpose general 3. Set Dynamic NAT settings using the WAN ACE interface router nat dynamic create interface-name eth2:2 description wan 4.
  • Page 77 ---+ | Rule-Id | Original-Dst-IP | Original-Dst-Port | Protocol | Modified-Dst-IP | Modified- Dst-Port | +=========+=================+===================+==========+=================+========== =========+ 192.168.10.11 10.10.10.10 +---------+-----------------+-------------------+----------+-----------------+---------------- ---+ 192.168.10.11 20000 10.10.10.100 20000 +---------+-----------------+-------------------+----------+-----------------+---------------- ---+...
  • Page 78: Ospf

    OSPF
    OSPF (Open Shortest Path First) is an Interior Gateway Protocol used to distribute routing information within a single Autonomous System. Routers use a link-state algorithm: each node floods its link state to all nodes of the internetwork and computes the shortest path to every other node from the topology it has assembled.
  • Page 79: Ospf Commands Descriptions

    OSPF Commands Descriptions
    Command | Description
    router ospf enable | Enable the OSPF process
    configure terminal | Enter configuration mode
    router ospf | area: OSPF area parameters given in A.B.C.D format or as a numeric id (0-4294967295). router-id: router-id for the OSPF process given in A.B.C.D format. network:...
  • Page 80
    2. Assign VLANs and corresponding IP interfaces
       vlan 101
       config
       vlan 2
       ports fastethernet 0/2
       exit
       vlan 4
       ports fastethernet 0/1 untagged all
       exit
       interface fast 0/1
       switchport pvid 4
       exit
       interface vlan 2
       ip address 192.168.2.101 255.255.255.0
       no shutdown
       exit
       interface vlan 4...
  • Page 81
    1. Assign IP interfaces
       RL1000GW# router interface create address-prefix 192.168.1.102/24 purpose application-host physical-interface eth1
       RL1000GW# router interface create address-prefix 192.168.2.102/24 vlan 2 purpose general physical-interface eth2
    2. Configure OSPF
       router ospf enable
       configure terminal
       router ospf
       router-id 192.168.1.102
       network 192.168.1.102/24 area 0.0.0.0...
  • Page 82
    (tail of the OSPF neighbor listing) 192.168.4.101 | 1 | Full/Backup | 33.167s | 192.168.2.101 | eth2.2:192.168.2.102
    router/ospf# show ip ospf route
    ============ OSPF network routing table ============
    192.168.1.0/24 [10] area: 0.0.0.0 directly attached to eth1
    192.168.2.0/24 [10] area: 0.0.0.0 directly attached to eth2.2
    192.168.4.0/24 [11] area: 0.0.0.0 via 192.168.2.101, eth2.2
    ============ OSPF router routing table =============
    ============ OSPF external routing table ===========...
  • Page 83: Serial Ports And Services

    Serial Ports and Services
    The serial interfaces connect legacy serial-based industrial devices to an Ethernet network. Each of the serial ports can be configured to work in one of these modes of operation:
    1. Transparent tunneling
    2.
  • Page 84: Serial Commands Hierarchy

    (Parameter applicability table; columns: Transparent Tunneling, Terminal Server, 101/104 Gateway; rows: stopbits, allowed-latency, bus-idle-time, parity, dtr-dsr, rts-cts, local-dsr-delay, local-cts-delay; the cell values were not recoverable from the extraction.)
    Serial Commands Hierarchy
    + serial
      - service show
      - serial local-end-point filter show
      + card
        - auto-recover {enable | disable | show}
        - show
      + port
        - clear counters...
  • Page 85: Serial Commands Description

    + local-end-point
      - create [slot <1>] {port <1-2>} {service-id <1-100>} {position <master|slave>} [protocol <any>] [application {serial-tunnel | terminal-server | iec101-gw | modbus-gw}] [buffer-mode {byte | frame}] [iec101-link-address <0-65535>] [iec101-link-address-len (2,<1|2>)] [iec101-originator-address {none | present}] [unit-id-len (2,<1|2>)] [unit-id <0-65535>]
      - remove [slot <1>] {port <1-2>} {service-id <1-100>}
      - show
    + tunnel settings
      - update low-border-ip-port (9849,<1025-65434>)
  • Page 86
    Command | Description
    create | update: Slot: 1 (constant). Port: port number 1-2. Baud rate: 50, 75, 100, 110, 134, 150, 200, 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600. Parity: no, odd, even. Stopbits: 1, 2. admin-status: up | down, default = up. Mode of operation: transparent. bus-idle-time: number of total serial bits received over the local serial link to be considered as a single message...
  • Page 87
    Command | Description
    remove: Slot: 1 (constant). Port: port number 1-2. Service id: numeric value of the serial service. Position: Master (point to multipoint) | Slave (point to multipoint). Application: serial-tunnel (default), terminal-server, iec101-gw, modbus-gw.
    show...
  • Page 88: Declaration Of Ports

    The default state of the serial ports is non-configured.
    RS-232 Port Pin Assignment
    Below is the pin assignment of the serial ports (ComNet RJ45 female port; the pin table was not recoverable from the extraction).
    NOTE: The serial control lines are not supported in the current version.
  • Page 89: Rs-232 Serial Cable

    RS-232 Serial Cable
    The RS-232 ports are of RJ-45 type. A cable is available as an ordering option with a male RJ-45 on one end and a female DB-9 on the other. This cable should be used when no control lines are needed. Serial port at the router: RJ-45; DB-9 female connector for the end device. Pinout for the crossed cable ("CBL-RJ45/DB9/NULL"):...
  • Page 90: Rs-485 Port Pin Assignment

    RS-485 Port Pin Assignment
    The RS-485 ports are of RJ-45 type. The supported RS-485 mode is 4-wire. (RJ45 female router port pin table; columns: Direction, B (+), A (-), B (+), A (-); pin numbers were not recoverable from the extraction.)
    LED States
    Each serial port has a LED to indicate its state: port created, port admin state, traffic passing...
  • Page 91: Transparent Serial Tunneling

    The UDP|TCP packet is sourced from a local IP interface. Topologies supported are P2P, P2MP and MP2MP over a single unit or over an IP network. The condition for transparent serial tunneling is having a ComNet router at both ends of the network, connecting the devices. The tunnel itself adds no authentication or encryption to the serial protocol it carries; where it crosses untrusted or public links, carry it inside the IPsec/GRE VPN described later in this manual.
  • Page 92: Supported Network Topologies

    Supported Network Topologies
    Transparent serial tunneling supports the following topologies:
    » Point to point
    » Point to multipoint
    » Multipoint to multipoint
    Point to Point
    The picture below illustrates a point-to-point service in which the master and slave are connected locally at the same router.
  • Page 93: Point To Multipoint

    Point to Multipoint
    The picture below illustrates a point-to-multipoint service in which the master and slaves are connected locally at the same router.
    Figure 5: P2MP, local service
    The picture below illustrates a point-to-multipoint service in which the service members are spread across routers.
    Figure 6: P2MP, remote service
  • Page 94: Multipoint To Multipoint

    Multipoint to Multipoint
    The picture below illustrates a typical multipoint-to-multipoint service.
    Figure 7: MP2MP, mixed service
    Modes of Operation
    Port Mode of Operation
    The port mode-of-operation is set at the serial port configuration level and defines how serial data is collected.
  • Page 95
    Service Buffer Mode
    The service buffer-mode is set at the local-end-point configuration level and defines the buffer operational mode for the service-id. The default state is 'byte' mode. If the user keeps this field at its default but configures the service 'connection-mode'...
  • Page 96: Reference Drawing

    This mode allows higher availability for the end-to-end connection and traffic validation. TCP connection mode uses 'frame' mode for the service 'buffer-mode' by default, unless 'buffer-mode' was explicitly set to 'byte' by the user.
    Service Port Number
    The TCP/UDP port number used by a serial tunneling connection is defined by the values of 'service-id'...
  • Page 97: Serial Traffic Direction

    Serial Traffic Direction
    Transmit direction is the serial-processor traffic towards the CE over the serial port. Receive direction is the traffic received at the serial-processor from the CE over the serial port.
    Serial Port Counters
    The Tx and Rx counters of the serial ports are maintained by the serial-processor.
  • Page 98: Tx Delay

    Tx Delay
    Tx-delay is set in bits. It is the delay the serial processor applies before transmitting serial data to the port. The delay time follows from the configured number of bits and the port's baud rate. »...
  • Page 99
    Configuration router B (SLAVE)
    1. Configure the IP interface
       router interface create address-prefix 192.168.1.102/24 vlan 100 purpose application-host physical-interface eth2
    2. Configure the serial port and local end point
       serial port create port 1 baudrate 9600 parity no mode-of-operation transparent
       serial local-end-point create port 1 service-id 1 application serial-tunnel position slave
    3.
  • Page 100: Example 2

    RL1000GW# serial port show
    idx | slot | port | mode | baud rate | data bits | parity
    RS232 | Transparent | 9600 | None (the remaining column values were lost in extraction)
    RL1000GW# serial local-end-point show
    service | slot | port | application...
  • Page 101
    3. Configure the remote end point of the service
       serial remote-end-point create remote-address 192.168.1.201 service-id 1 position master
       commit
    Configuration RLGE2FE16R (MASTER)
    1. Configure the network VLAN and management IP interface
       config
       vlan 100
       ports gigabitethernet 0/1
       ports add gigabitethernet 0/3
       exit
       interface vlan 100...
  • Page 102: Modes Of Operation

    RL1000GW Protocol Gateway IEC 101 to IEC 104
    The ComNet router, using its application module, implements the gateway from IEC 101 serial devices to the IEC 104 IP protocol. The IEC 101 and IEC 104 protocols are fully integrated in the application module, allowing IEC 101 slave devices to be represented as an IEC 104 server in the IP network and to be addressed as such by IEC 104 clients located anywhere in the network.
  • Page 103
    » Unbalanced Mode: up to 32 ASDU addresses behind each IEC 101 server device
  • Page 104: Protocol Gateway Iec 101 To Iec 104

    IEC101/104 Gateway Properties
    IEC 101
    » System role: controlling station definition (Master)
    » Network configuration:
      › Point-to-point
      › Multiple point-to-point
      › Multipoint party line (planned)
    » Physical layer
      › Transmission speed in monitor and control direction: 300 - 38400 bps
    »...
  • Page 105: Iec101/104 Gateway Configuration

    IEC101/104 Gateway Configuration
    The IEC101/104 gateway can be configured through the system CLI or as part of an IEC 104 network-wide service group in the iSIM service management tool. In either case the configuration should include the following parameters:
    »...
  • Page 106: Gateway 101/104 Configuration Flow

    Gateway 101/104 Configuration Flow
    When setting up the gateway, follow these steps.
    1. Ethernet connectivity towards the IEC 104 client (SCADA)
       a. Set the service VLAN and assign the relevant ports.
       b. Set the ACE IP interface with the service VLAN.
       c.
  • Page 107
    ... for the gateway application. Usage of the Tx, Rx and GND lines is allowed.
       e. Verify by the following methods:
          i. Use the command "iec101-gw show all" to verify that the operational status ('OP ST') is UP.
          ii. Follow the serial port and gateway counters to check that serial traffic is received and transmitted at the serial port.
  • Page 108: Gateway 101/104 Commands Hierarchy

    Gateway 101/104 Commands Hierarchy
    + root
      + serial
        + port
          - clear counters
          - create {slot <1>} {port <1-2>} {mode-of-operation <transparent>} [baudrate (9600,<50-368400>)] [parity (no,<no|odd|even>)] [stopbits <1|2>] [databits (8,<5-8>)] [admin-status <up|down>]
          - update {slot <1>} {port <1-2>} {mode-of-operation <...
  • Page 109
          ... [dir_bit (AUTO,<AUTO|0|1>)] [single_char (y,<n|y>)] [test_proc (y,<n|y>)] [gen_inter (n,<n|y>)] [time_tag (n,<n|y>)]
          - iec101 remove [slot <1>] {port <1-2>}
          - iec101 {add_asdu | remove_asdu} port <1-2> {asdu_addr <1-255 | 1-65534>} {link_address <1-255 | 1-65534>}
          - iec101 {add_ioa_trans | remove_ioa_trans} port <1-2> src_ioa {a1-a2-a3 | a1-a2 | a} trans_ioa {a1-a2-a3 | a1-a2 | a}
          - iec104 {update | remove} {ip_addr <>} [clock_sync <n|y>] [orig_addr <>] [t0 (30sec,<1-255>)] [t1 (15sec,<1-255>)] [t2 (10sec,<1-255>)] [t3 (20sec,<1-255>)]...
  • Page 110: Gateway 101/104 Commands

    Gateway 101/104 Commands
    Command | Description
    iec101-gw | Configuration mode of the 101/104 gateway
    Operation | Start: activate the gateway. Stop: stop the gateway. *Takes effect on all IEC 101 nodes connected to the switch.
    Config gw update mode | Unbalanced:...
  • Page 111: Example Gateway 101/104

    Command | Description
    [add_ioa_trans | remove_ioa_trans] | Slot, Port: physical interface to which the 101 slave is connected. src_ioa: value of the 101 server object address as set at the 104 client. May be 1/2/3 bytes long depending on the setting of 'ioa_length'. A value is expected as 'byte1'-'byte2'-'byte3' or 'byte1'-'byte2'...
  • Page 112
    2. Configure the serial port properties. The field 'mode-of-operation' must be set to 'transparent'. The port properties must match the connected IEC 101 server device (same baud rate, parity, stop bits, data bits and so on).
       serial port create port 1 mode-of-operation transparent baudrate 9600 parity even
    3.
  • Page 113
    IEC 104 (show output; the header row was lost in extraction; the values 30, 15, 10, 20 match the t0-t3 defaults listed in the command hierarchy):
    192.168.1.101 | | 30 | 15 | 10 | 20
    192.168.1.250 | | 30 | 15 | 10 | 20
    IEC 101:
    SLOT | PORT | OP ST | LINK ADR | CMN ADR | CONV CMN ADR | LINK LEN | CMN LEN | COT LEN | IOA LEN | SRC IOA | CONV IOA
    ...
  • Page 114: Terminal Server

    » local connection at its RS-232 ports
    » or over a UDP connection to a remote ComNet router to which the serial device is connected directly. In this case there is a "transparent serial tunneling service" over the IP network...
  • Page 115
    ... between the telnet sessions and the serial services; the application directs the traffic from the management station to the RTUs, giving each its own path for management. Below is a second option in which the terminal servers are set at the remote router where the serial devices are connected locally.
  • Page 116: Service Buffer Mode

    Service Buffer Mode
    The service buffer-mode is set at the terminal server settings and defines the buffer operational mode for all the services.
    Byte mode
    A byte is structured as [start-bit, data-bits, parity-bit, stop-bits], where the number of data bits may be 5 to 8.
  • Page 117: Terminal Server Commands Hierarchy

    ... configuration per 'service-id'. The port selected must be a member of the port range defined in the 'terminal-server' 'settings'.
    Service Port Number
    The TCP port number used by a terminal server service is defined explicitly in the user configuration per 'service-id'.
  • Page 118
    - restore
    - update [low-border-telnet-tcp-port (2001,<2001-65434>)] [low-border-telnet-udp-port (2001,<2001-65434>)] [low-border-serial-tunnel-port (9850,<1025-65434>)] [dead-peer-timeout (10,<0-1440>) minutes] [buffer-mode (frame,<frame|byte>)]
    - show
    + tcp-service
      - create {remote-address <A.B.C.D>} {service-id <1-100>} {telnet-port <port num>} [null-cr-mode (off,<off|on>)] [max-tcp-clients (1,<1-8>)]
      - remove service-id <1-100>
      - show
    + udp-service
      - create {remote-address <A.B.C.D>} {service-id <1-100>}...
  • Page 119: Terminal Server Commands

    Terminal Server Commands
    Command | Description
    application connect | Enter the industrial application menu
    serial port | Create/update the serial port
    clear counters | Clear counters
    create | Slot: 1 (constant). Port: port number 1-2. Baud rate: 50, 75, 100, 110, 134, 150, 200, 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600.
  • Page 120
    Command | Description
    settings | Manage the range of TCP ports the terminal server responds on. By default the allowed range is 2001-2100. Restore: restore the default range. Update low-border-telnet-tcp-port <>: a numeric value for the low border of the TCP port range. The value must be >= 2001. Telnet carries the serial console in cleartext, so limit reachability of this port range to the management stations or carry it inside the VPN described later in this manual.
  • Page 121: Example Local Service

    Command | Description
    udp-service | Configuration options used at the router where the terminal server is set. This option relates to UDP service settings. Remote-address: the router's own ACE 'application-host' interface IP address. Service-id: the serial service-id to which the terminal server service relates. The 'service-id'...
  • Page 122
    2. Configure the serial port to be consistent with the properties of the serial slave. The mode of operation of the serial port must be "transparent". The local end point application type must be "terminal-server".
       serial port create port 1 baudrate 9600 parity no databits 8 mode-of-operation transparent
       serial local-end-point create port 1 service-id...
  • Page 123
    RL1000GW# terminal-server settings show
    index | telnet-tcp port-range | telnet-udp port-range | serial-tunnel port-range | dead peer timeout | buffer mode
     | 20000:20099 | 2001:2100 | 9850:9949 | | byte
    RL1000GW# terminal-server tcp-service show...
  • Page 124: Example Networking

    7. Connect your serial device to port S1 with the proper serial connections. The serial device shell will be reachable from the telnet client (PC). The serial connection can be validated by following the port counters.
       RL1000GW# serial port show briefly slot 1 port 1
       idx | slot | port | svc | mode...
  • Page 125
       ip route 192.168.1.0/24 192.168.2.101
       write memory
       exit
       exit
    3. Configure the serial port to be consistent with the properties of the serial slave. The mode of operation of the serial port must be "transparent". The local end point application type must be "terminal-server".
       serial port create port 1 baudrate 9600 parity no databits 8 mode-of-operation transparent
       serial local-end-point create port 1 service-id...
  • Page 126: Modbus Gateway

    Modbus Gateway
    The ComNet capability to gateway Modbus RTU to Modbus TCP is another benefit for industrial applications. The router allows connecting an RS-232 Modbus RTU and gatewaying it to a remote Modbus TCP client (SCADA) over Ethernet.
  • Page 127: Modbus Gateway Commands Hierarchy

    Modbus Gateway Commands Hierarchy
    + root
      + serial
        + port
          - create {slot <1>} {port <1-4>} {mode-of-operation <transparent>} [baudrate <>] [parity <>] [stopbits <>] [admin-status <up|down>] [bus <RS232|RS485>]
          - show
        + local-end-point
          - create {slot <1>} {port <1-4>} {application <...
  • Page 128: Modbus Gateway Commands Description

        + mapping
          - add-gw {address-prefix <a.b.c.d/e>} {admin-status (enable|disable)} {gw-id <1-5>} [timeout-period <500-100000>]
          - add-id {slot 1 port <1-4>} {gw-id <1-5>} {unit-id <1-255>}
          - remove-gw {gw-id <1-5>}
          - show-ids [gw-id <1-5>]
          + update [admin-status (enable|disable) | timeout {gw-id <1-5> timeout-period <500-100000>}]
    Modbus Gateway Commands Description
    Command...
  • Page 129: Example

    Example
    The following setup demonstrates Modbus gateway configuration.
    1. Assign an IP interface for the gateway
       router interface create address-prefix 192.168.40.10/24 physical-interface eth1 description client admin-status enable purpose application-host
    2. Assign a serial port to be used for connecting the Modbus RTU slave
       serial port create slot 1 port 1
       serial local-end-point create slot 1 port 1 service-id 1 protocol modbus_rtu application modbus-gw...
  • Page 130
    Operation in process
    [modbus-gw/] counters show-by-port
    Slot | Port | Rx valid | Rx error | Tx valid | Tx error
    (no rows)
    [modbus-gw/] counters show-by-id gw-id 4
    gwid:4 unit id:65535
    Gw | Unit Id | Rx valid | Rx error | Tx valid | Tx error
    (no rows)...
  • Page 131
    Serial points: slot:1, port:1, pointer:0x1007c408
    [modbus-gw/] debug show-server-points
    Server points: IP addr:192.168.40.10, GwId:4, Subnet mask:255.255.255.0, pointer:0x10081580,
    [modbus-gw/] debug map-units-on-bus-show
    List of units for slot[1] port[1]:
    Port mapping ended
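    The gateway's job is re-framing: Modbus/TCP carries an MBAP header (transaction id, protocol id 0, length, unit id) and no checksum, whereas Modbus RTU carries the unit id followed by the PDU and a CRC-16. The following Python is an added example (not ComNet code) of that re-framing, with a unit-id to serial-port table standing in for the `mapping add-id` command: requests for an unmapped unit id are dropped, and RTU responses whose CRC does not verify are rejected. The function and class names are assumptions; the sample frames are constructed (the request 01 03 00 00 00 01 reads one holding register from unit 1).

```python
import struct
from typing import Dict, Optional, Tuple


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_frame(unit_id: int, pdu: bytes) -> bytes:
    """RTU ADU = unit id | PDU | CRC (CRC is transmitted low byte first)."""
    body = bytes([unit_id]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu(frame: bytes) -> Tuple[int, bytes]:
    """Returns (unit_id, pdu); raises ValueError on a short frame or bad CRC."""
    if len(frame) < 4:
        raise ValueError("short RTU frame")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1:]


# MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")


def parse_mbap(frame: bytes) -> Tuple[int, int, bytes]:
    """Returns (transaction_id, unit_id, pdu); length must cover unit id + PDU."""
    if len(frame) < MBAP.size:
        raise ValueError("short MBAP header")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[MBAP.size:]


def build_mbap(tid: int, unit_id: int, pdu: bytes) -> bytes:
    return MBAP.pack(tid, 0, len(pdu) + 1, unit_id) + pdu


class ModbusGateway:
    """Holds the unit-id -> (slot, port) table the `mapping add-id` command builds."""

    def __init__(self) -> None:
        self.unit_to_port: Dict[int, Tuple[int, int]] = {}

    def add_id(self, slot: int, port: int, unit_id: int) -> None:
        if not 1 <= unit_id <= 255:
            raise ValueError("unit-id must be 1-255")
        self.unit_to_port[unit_id] = (slot, port)

    def tcp_to_serial(self, adu: bytes) -> Optional[Tuple[Tuple[int, int], bytes]]:
        """Modbus/TCP request -> ((slot, port), RTU frame); None when the unit id is unmapped."""
        _tid, unit, pdu = parse_mbap(adu)
        port = self.unit_to_port.get(unit)
        if port is None:
            return None                      # no serial bus owns this unit id: drop the request
        return port, rtu_frame(unit, pdu)

    def serial_to_tcp(self, rtu: bytes, tid: int) -> bytes:
        """RTU response -> Modbus/TCP response, echoing the request's transaction id."""
        unit, pdu = parse_rtu(rtu)           # raises on CRC error: nothing is forwarded
        return build_mbap(tid, unit, pdu)


def demo() -> Tuple[bytes, bytes]:
    """Constructed round trip: TCP request for unit 1 -> RTU -> RTU reply -> TCP."""
    gw = ModbusGateway()
    gw.add_id(slot=1, port=1, unit_id=1)
    request = bytes.fromhex("0001 0000 0006 01 03 0000 0001".replace(" ", ""))
    _port, rtu_req = gw.tcp_to_serial(request)
    rtu_resp = rtu_frame(1, bytes.fromhex("03020000"))   # constructed reply: register value 0
    return rtu_req, gw.serial_to_tcp(rtu_resp, tid=1)
```

    The transaction id is the only state the gateway must keep per outstanding request; the `timeout-period` in `mapping add-gw` bounds how long it waits for the RTU before that state is discarded.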
  • Page 132: Dnp3 Gateway

    DNP3 Gateway
    DNP3 (Distributed Network Protocol) is an important protocol set used in SCADA applications. The ComNet switch supports gateway functionality between a DNP3 TCP client (master) and a DNP3 serial RTU. A DNP3 gateway is configured using the terminal server feature with the protocol's well-known TCP port 20000.
  • Page 133: Vpn

    Background
    When a distributed operational network uses public transport links for inter-site connectivity, the traffic must be encrypted to ensure its confidentiality and integrity. The RADiFlow switches support such a VPN (Virtual Private Network) connection using GRE tunnels (RFC 2784) over an IPsec encrypted link.
  • Page 134: Layer 3 Dm-Vpn

    Layer 3 DM-VPN
    The DM-VPN mGRE mode is routing based and supports more complex networking and protection, providing higher scalability.
    Topologies supported and guidelines
    1. Multiple hubs vs. multiple spokes
    2. Multiple clouds
    3. Multiple tunnels allowed at the hub
    4.
  • Page 135: Layer 3 Ipsec-Vpn

    Layer 3 IPSec-VPN
    IPSec VPN is designated for simple P2P networking where encryption is required. The mode supported is 'transport', which is route based: a tunnel logical interface is created in the routing table, and user traffic designated to be encrypted is routed over the tunnel interface.
  • Page 136: Dm-Vpn Commands Hierarchy

    DM-VPN Commands Hierarchy
    + root
      + vpn gre
        + tunnel
          - create {name <>} {address-prefix <A.B.C.D/M>} {lower-layer-dev <ppp0 | eth0 | eth1.(vlan-id) | eth2.(vlan-id)>} {key (0.0.0.0,<a.b.c.d>)} [ttl (64,<0-255>)] [holding-time (7200,<1-65535>)] [mtu (1418,<128-9600>)] [tos (inherit,<hex(0-255)>)] [cisco-authentication <>] [tunnel-destination <>] [tunnel-source <>]
          - remove {name <>}
          - show [name <>]
        + nhrp...
    Note that the GRE 'key' is a plaintext tunnel identifier, not a secret, and the NHRP 'cisco-authentication' string also travels in the clear; confidentiality and integrity come only from running the GRE tunnel over IPsec as described above.
  • Page 137: Ipsec-Vpn Commands Hierarchy

    IPSec-VPN Commands Hierarchy
    + root
      + vpn ipsec
        + tunnel
          - create {name <>} {address-prefix <A.B.C.D/M>} {lower-layer-dev <ppp0 | eth0 | eth1.(vlan-id) | eth2.(vlan-id)>} {remote-address <A.B.C.D>} [mtu (1400,<128-1500>)] [tos (inherit,<hex(0-255)>)] [ttl (64,<0-255>)]
          - remove {name <>}
          - show [name <>]
  • Page 138: Ipsec

    IPSec
    Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and/or encrypting each IP packet of a communication session. The IPSec protocol suite includes the modules described in this chapter.
    Applications
    IPSec should be configured when a VPN is used:
    1.
  • Page 139: Security Associations

    Security Associations
    A Security Association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely. These entities are the VPN hubs and spokes. The relationship is represented by a set of information that can be considered a contract between the entities.
  • Page 140
    Phase 1 is where the two ISAKMP VPN peers establish a secure, authenticated channel over which to communicate. This is called the ISAKMP Security Association (SA) or IKE Security Association. Authentication is supported with pre-shared keys or digital signatures (X.509).
    Diffie-Hellman
    Diffie-Hellman describes a means for two parties to agree upon a shared secret over an insecure channel.
  • Page 141
    The PSK identifier ('my-id', see the IPsec commands below) can be set in one of two forms:
    1. IP address form A.B.C.D
       a. Allowed in both Main and Aggressive IKE modes
       b. The identifier of each member should be its VPN network IP address.
    2.
  • Page 142
    The above configuration example will result in the following show output
  • Page 143
    RSA Signatures (X.509)
    Uses a digital certificate authenticated by an RSA signature. The user is required to generate certificates from a trusted source and to import them to the VPN parties (hubs, spokes). Two files are required: the certificate itself and the private key, with the extensions .crt and .key.
  • Page 144
    The above configuration example will result in the following show output
  • Page 145
    Exchange Modes
    Main
    Main mode is the more secure option for phase 1 as it provides identity protection.
    Session flow:
    » The session begins with the initiator sending a proposal to the responder describing which encryption and authentication algorithms are supported, the lifetime of the keys, and whether phase 2 perfect forward secrecy should be used.
  • Page 146
    Pre-shared key
    When used in Aggressive mode the PSK identifier may be either in the form of an IP address or an FQDN. It does not have to be the actual IP address of the VPN network interface, as the entered value is treated as text (in the format of an IP address) and not as a routable IP address. Aggressive mode sends the identities unencrypted and, with PSK authentication, lets a passive observer record material for offline guessing of the PSK; prefer Main mode (or X.509 certificates) and use a long random PSK.
  • Page 147: Isakmp Phase 2

    Modes
    The common mode between end stations supporting IPSec (the VPN parties) is called Transport mode. This is the mode supported by ComNet.
    Perfect Forward Secrecy (PFS)
    PFS is part of the key agreement and ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.
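    To make the PFS statement concrete, the following Python is an added example (not ComNet code or configuration) that follows the IKEv1 key derivation of RFC 2409: SKEYID_d from phase 1, then quick-mode KEYMAT with and without a fresh Diffie-Hellman exchange. It uses a toy DH group (not one of the modp768..modp3072 groups offered by the CLI), HMAC-SHA256 as the prf, and fixed exponents so that it runs offline; all names, values and the scenario in which an attacker who recorded the exchange later obtains SKEYID_d are constructed.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group for demonstration only (assumption: a real deployment
# must use a standard group of at least 2048 bits, e.g. modp2048).
TOY_P = 2**127 - 1
TOY_G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is an HMAC over the negotiated hash; HMAC-SHA256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_public(priv: int) -> int:
    return pow(TOY_G, priv, TOY_P)


def dh_shared(peer_pub: int, priv: int) -> bytes:
    return pow(peer_pub, priv, TOY_P).to_bytes(16, "big")


def skeyid_d(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """RFC 2409 section 5, pre-shared-key authentication:
    SKEYID   = prf(psk, Ni | Nr)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)"""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def keymat(skeyid_d_: bytes, proto: int, spi: bytes, ni: bytes, nr: bytes,
           gqm_xy: bytes = b"") -> bytes:
    """RFC 2409 section 5.5 quick-mode keying material.
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni | Nr)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni | Nr)"""
    return prf(skeyid_d_, gqm_xy + bytes([proto]) + spi + ni + nr)


def demo() -> dict:
    """Constructed scenario: one phase 1, one quick mode each with and without PFS."""
    psk = b"utility-site-42-psk"                  # constructed pre-shared key
    xi, xr = 0x1234567, 0x89ABCDEF                # constructed phase-1 private exponents
    ni, nr = b"\x11" * 8, b"\x22" * 8             # phase-1 nonces (public on the wire)
    cky_i, cky_r = b"\xa1" * 8, b"\xb2" * 8       # ISAKMP cookies (public on the wire)
    gxy = dh_shared(dh_public(xr), xi)
    d = skeyid_d(psk, ni, nr, gxy, cky_i, cky_r)

    esp, spi = 3, b"\x00\x00\x10\x01"             # protocol ESP, constructed SPI
    ni2, nr2 = b"\x33" * 8, b"\x44" * 8           # quick-mode nonces (public on the wire)
    no_pfs = keymat(d, esp, spi, ni2, nr2)
    yi, yr = 0x5EED1, 0x5EED2                     # ephemeral exponents, discarded after use
    with_pfs = keymat(d, esp, spi, ni2, nr2, dh_shared(dh_public(yr), yi))

    # Attacker: recorded every public value above and later obtains SKEYID_d
    # (e.g. from a memory dump of one gateway). The ephemeral private exponents
    # are gone, so the best it can do for the PFS case is guess one.
    attacker_no_pfs = keymat(d, esp, spi, ni2, nr2)
    attacker_pfs = keymat(d, esp, spi, ni2, nr2, dh_shared(dh_public(yr), 0x5EED3))
    return {"no_pfs_recovered": attacker_no_pfs == no_pfs,
            "pfs_recovered": attacker_pfs == with_pfs}
```

    Without PFS every phase-2 key is a deterministic function of SKEYID_d and public nonces, so one leaked phase-1 secret unlocks all recorded sessions; with PFS each phase-2 SA additionally depends on an ephemeral DH secret that no longer exists.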
  • Page 148: Ipsec Command Association

    IPSec Command Association
    Below are the configuration fields of IPSec in their association to the ISAKMP structure. The CLI names of the configurable fields are given in parentheses.
    Enable IPSec (enable | disable)
    Settings: Log level (log-level), Dead Peer Discovery...
  • Page 149
    Life Time (phase2-lifetime)
    IPSec Policy: Name (notes), Source address (src-address-prefix), Destination address (dst-address-prefix), Source protocol port (src-port), Destination protocol port (src-port), Protocol (protocol)
    Preshared Keys: Key (key), Own PSK id (id), Partner PSK id (id)
    Certificates X.509: Import crt file (rsa-signature import)
  • Page 150: Ipsec Commands Hierarchy

    IPSec Commands Hierarchy
    + root
      - rsa-signature import {flash:<file name> | sftp://<user>:<password>@<ip>/<file_name> | tftp://<ip>/<file_name>}
      - show rsa-signature list
      + ipsec {enable | disable}
        - flush-sa proto {ah | esp | ipsec | isakmp}
        - rsa-signature activate {crt-file <file name> | key-file <file name> | rsa-sig-name <name>}
        + isakmp update
          - authentication-method {pre_shared_key | rsasig}
          - dh-group <none | modp768 | modp1024 | modp1536 | modp2048 | modp3072...
    Of the listed groups, modp768 and modp1024 are too short for current threat levels; select modp2048 or larger wherever both peers support it.
  • Page 151
        + show
          - log {grep | num-of-lines}
          - global-defs
          - policy
          - preshared
          - rsa-signature-file
          - sa [proto {ah | esp | ipsec | isakmp}]
  • Page 152: Ipsec Commands

    IPsec Commands
    Command | Description
    rsa-signature import | Import the X.509 certificate file and key file to the application from a connected USB drive or from TFTP/SFTP servers. These files are mandatory for IPSec to authenticate with X.509 certificates; they are not required when IPSec is used with pre-shared keys. Note that TFTP transfers the private key unencrypted and the sftp:// form places the account password on the command line; prefer the flash or SFTP source for the key file.
  • Page 153
    Command | Description
    log-level | Syslog severity levels to be logged: error, warning, notify, info (default), debug, debug2
    my-id | Own pre-shared ID. Depending on the 'id-type' set, my-id can be in either domain name or IPv4 format. If 'id-type'...
  • Page 154
    Command | Description
    soft-lifetime | When a dynamic IPSec SA is created, two lifetimes are used: hard and soft. The hard lifetime specifies the lifetime of the SA. The soft lifetime, derived from the hard lifetime, informs the IPSec key management system that the SA is about to expire so that a replacement SA can be negotiated before the hard lifetime ends.
  • Page 155: Ipsec Defaults

    IPSec Defaults
    (the defaults table was not recoverable from this extraction)
  • Page 156: Cellular Modem

    INSTALLATION AND OPERATION MANUAL RL1000GW Cellular Modem Cellular coverage is widely spread nowadays and has become quite a reliable medium. Hence an integrated cellular modem interface is of great benefit especially in utility applications where small sites require a backup traffic path on top of the physical line. As well it might be the case that the customer installation is at a remote site or not permanent at a fixed location.
  • Page 157 INSTALLATION AND OPERATION MANUAL RL1000GW FREQUENCY 2600 BANDS FREQUENCY BANDS FREQUENCY BANDS FREQUENCY BANDS FREQUENCY BANDS FREQUENCY 1900 BANDS FREQUENCY 2600 BANDS FREQUENCY 2300 BANDS FREQUENCY BANDS TECH SUPPORT: 1.888.678.9427 INS_RL1000GW_REV– 15 Jul 2016 PAGE 157...
  • Page 158: Gprs/Umts Modem

    INSTALLATION AND OPERATION MANUAL RL1000GW GPRS/UMTS Modem Following modes and spectrums are supported: » 3G UMTS– HSDPA. cat 5/6 › Triple band : 2100/1900/900 MHz › Triple band : 2100/1900/850 MHz » 2G GSM- EDGE / GPRS. class 12 › Quad band :850/900/1800/1900 MHz The maximum data throughput is determined according to the cellular service and might be different for down-stream and up-stream.
  • Page 159: Method Of Operation

    Method of operation. At the RL1000GW spoke side, a simple configuration of the cellular modem is enough for the spoke to approach the ISP and retrieve an IP address using the PPP link protocol. Authentication to the ISP is made using the SIM card and the PAP protocol. Note that PAP sends the APN user name and password in clear text over the PPP link, so these credentials only gate ISP access; confidentiality and authentication of the SCADA traffic itself come from the IPsec tunnel configured over the cellular link.
  • Page 160: Sim Card State

    SIM card state. The modem can hold two SIMs, which may or may not be from the same ISP. At any given moment a connection is available via a single SIM only. Redundancy is achieved using RSSI measurements and echo tests to determine which SIM is preferred.
  • Page 161 SIM state example. 1. Below is an example of SIM admin states: the SIM in slot 1 has been enabled while the SIM in slot 2 is disabled. The show command used is cellular wan show. 2. SIM 1 is connected following the modem enable and the configured SIM properties; SIM 2 is configured and in READY state.
  • Page 162: Backup And Redundancy

    Backup and redundancy. Backup between interfaces (between the GSM and a physical interface): a cellular link is by nature a high-cost path with significantly lower bandwidth than a physical channel. When the cellular link is used as a backup to a physical link, resilient routing protocols can determine the primary and backup paths.
  • Page 163: Cellular Commands Hierarchy

    NOTE: When a single SIM card is used, a failed ‘continuous-echo’ test results in a ‘cellular modem refresh’. If the modem is in ‘connected’ state but the echo test fails to meet the configured criteria (ping loss, RTT, ...), the router refreshes the modem in an attempt to recover.
  • Page 164: Cellular Commands Description

    Cellular Commands Hierarchy (continued):
      - show
      - refresh
      - network {show}
      - connection {show}
      - enable
      - disable
      - show
    Cellular Commands Description. Command / Description: cellular: enter the configuration mode for the cellular application; enable: enable the application; disable: disable the application. continuous-echo: configure an ICMP traffic test to validate network connectivity to a remote host.
  • Page 165 settings: update quality check: time interval in seconds for the internal RSSI check of the active SIM, <0-604800>; 0 disables the RSSI check. backoff1: minimum time to stay on a SIM after any failover. <...
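    A model of the dual-SIM decision described on pages 160 to 165 (RSSI quality check, continuous-echo test, the backoff1 minimum dwell time, and the single-SIM modem refresh of page 163), written in Python as an added example; it is not ComNet's implementation. The echo criteria thresholds, the RSSI floor, and the choice to refresh the modem rather than fail over while backoff1 is still running are assumptions, and the walk-through input is constructed.

```python
"""Dual-SIM failover decision model for the RL1000GW cellular WAN.
Added example modelling the documented behaviour (RSSI check, continuous-echo
test, backoff1, single-SIM modem refresh); not ComNet code. Thresholds and the
'refresh while in backoff' choice are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SimSlot:
    slot: int
    admin_enabled: bool
    rssi_dbm: Optional[int] = None   # None = no RSSI reading yet
    echo_loss_pct: float = 0.0       # ICMP loss measured by the continuous-echo test
    echo_rtt_ms: float = 0.0         # average RTT from the same test


@dataclass
class EchoCriteria:
    max_loss_pct: float = 20.0       # assumption: page only says "ping loss / rtt"
    max_rtt_ms: float = 1500.0       # assumption


@dataclass
class RedundancyState:
    active_slot: int
    last_failover_at: Optional[float] = None   # monotonic seconds of last failover
    backoff1_s: float = 600.0                  # minimum dwell on a SIM after any failover
    min_rssi_dbm: int = -100                   # assumption: usable signal floor
    criteria: EchoCriteria = field(default_factory=EchoCriteria)
    log: List[str] = field(default_factory=list)


def echo_ok(sim: SimSlot, c: EchoCriteria) -> bool:
    return sim.echo_loss_pct <= c.max_loss_pct and sim.echo_rtt_ms <= c.max_rtt_ms


def rssi_ok(sim: SimSlot, floor_dbm: int) -> bool:
    return sim.rssi_dbm is not None and sim.rssi_dbm >= floor_dbm


def evaluate(state: RedundancyState, slots: List[SimSlot], now: float) -> str:
    """Return the action to take: 'stay', 'refresh-modem' or 'failover:<slot>'."""
    by_slot = {s.slot: s for s in slots}
    active = by_slot[state.active_slot]
    if echo_ok(active, state.criteria) and rssi_ok(active, state.min_rssi_dbm):
        return "stay"
    # Other enabled SIMs with a usable signal are failover candidates.
    candidates = [s for s in slots
                  if s.admin_enabled and s.slot != active.slot and rssi_ok(s, state.min_rssi_dbm)]
    in_backoff = (state.last_failover_at is not None
                  and now - state.last_failover_at < state.backoff1_s)
    if not candidates or in_backoff:
        # Single-SIM case (page 163): refresh the modem to try to recover.
        # Doing the same inside the backoff1 window is this example's assumption.
        state.log.append(f"t={now:.0f}: slot {active.slot} unhealthy, refreshing modem")
        return "refresh-modem"
    best = max(candidates, key=lambda s: s.rssi_dbm)
    state.log.append(f"t={now:.0f}: failover slot {active.slot} -> {best.slot} "
                     f"(rssi {best.rssi_dbm} dBm)")
    state.active_slot = best.slot
    state.last_failover_at = now
    return f"failover:{best.slot}"


def run_scenario() -> List[str]:
    """Constructed walk-through: SIM 1 loses connectivity, traffic fails over to
    SIM 2, SIM 2 degrades inside backoff1 (refresh only), then fails back."""
    state = RedundancyState(active_slot=1, backoff1_s=600)
    sim1 = SimSlot(1, True, rssi_dbm=-65)
    sim2 = SimSlot(2, True, rssi_dbm=-80)
    actions = [evaluate(state, [sim1, sim2], now=0)]      # both healthy -> stay
    sim1.echo_loss_pct = 100.0                             # echo test fails on SIM 1
    actions.append(evaluate(state, [sim1, sim2], now=10))  # -> failover:2
    sim2.echo_rtt_ms = 5000.0                              # SIM 2 degrades 100 s later
    actions.append(evaluate(state, [sim1, sim2], now=110)) # inside backoff1 -> refresh-modem
    sim1.echo_loss_pct = 0.0                               # SIM 1 recovered meanwhile
    actions.append(evaluate(state, [sim1, sim2], now=700)) # backoff1 over -> failover:1
    return actions


if __name__ == "__main__":
    print(run_scenario())
```

    The point the walk-through makes is that backoff1 prevents the two SIMs from flapping against each other: a failure on the freshly selected SIM inside the dwell window only triggers a modem refresh, and a fail-back is attempted once the window has elapsed.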
  • Page 166: Default State

    Default State. The default state of the cellular modem is “disabled”. The default settings are shown in the table below. LED States: the modem has an LED indicator for each SIM slot to represent the SIM card state. Modem admin state | SIM admin state | SIM operation state...
  • Page 167: Example For Retrieving The Imei

    Example for retrieving the IMEI. Below is an example of retrieving the IMEI identifier of the modem.
      RL1000GW# cellular disable
      cellular modem power-up
      Completed OK
      cellular modem send command at+cgsn
      send : at+cgsn
      reply : +cgsn 357524040483438
  • Page 168: Example For Sim Status

    Example for SIM status. Below is a configuration example of two SIM cards and their permissible states.
      cellular wan update admin-status enable apn-name internetg sim-slot 1 operator-name cellcom user-name guest password guest
      cellular wan update admin-status enable apn-name internet.pelephone.net.il sim-slot 2 operator-name pelephone user-name pcl@3g password pcl
      cellular enable
      commit...
  • Page 169: Discrete Io Channels

    Discrete IO Channels. Discrete channel interface: discrete signals are very common in industrial applications for monitoring alarms and indications from the field side. The status of a digital input can be read so that the operator can decide whether any action is required. Digital output channels are not supported in the current version.
  • Page 170: Discrete Io Channels Commands Hierarchy

    Discrete IO Channels Commands Hierarchy:
      + root
        + discrete in
          - no-shutdown
          - shutdown
          - set name <>
          - clear
          - show
    Discrete IO Channels Commands. Command / Description: discrete in: shutdown: disable the input channels; no-shutdown: enable the input channels. set name: set a name to describe each channel...
  • Page 171: Vpn Setup Examples

    VPN Setup Examples. DM-VPN Setup. The network below demonstrates a spoke-hub topology over a fixed-connection link. Implementation concepts: 1. The spoke and hub establish the connection over the shared link; in the examples below see VLAN 20, subnet 172.18.20.x.
  • Page 172: Network Drawing

    Network drawing. HUB (RLGE2FE16R):
    1. Set the router host name (not mandatory):
      set host-name hub
    2. Disable spanning tree and remove the ports to be used in the VPN from the default VLAN 1:
      config terminal
      no spanning-tree
      vlan 1
      no ports fastethernet 0/1,0/8 gigabitethernet 0/3 untagged fastethernet 0/1,0/8
      exit...
  • Page 173
      interface fastethernet 0/8
      alias NNI
      switchport pvid 20
      exit
    4. Assign the GCE IP interface for management (not mandatory):
      interface vlan 10
      shut
      ip address 192.168.10.101 255.255.255.0
      no shut
      exit
    5. Assign a static route so that router management is routable over the VPN:
      ip route 0.0.0.0 0.0.0.0 192.168.10.201 1
      commit
    6.
  • Page 174
      ip route 192.168.40.0/24 10.10.10.20
      write
      exit
      exit
    10. Configure IPsec:
      ipsec isakmp update my-id HUB.radiflow.com
      ipsec preshared create id HUB.radiflow.com key secretkey
      ipsec preshared create id RTU1.radiflow.com key secretkey
      ipsec isakmp update id-type fqdn
      ipsec policy create protocol gre
      ipsec disable
      ipsec enable
      exit...
    The key “secretkey” is the example's placeholder. A deployment should use a long, randomly generated pre-shared key, and a different key for each spoke ID, so that a key recovered from one site does not let an attacker impersonate the others to the hub.
  • Page 175
      router static
      enable
      configure terminal
      ip route 192.168.10.0/24 10.10.10.10
      write
      exit
      exit
    5. Configure IPsec:
      ipsec isakmp update my-id RTU1.radiflow.com
      ipsec preshared create id HUB.radiflow.com key secretkey
      ipsec preshared create id RTU1.radiflow.com key secretkey
      ipsec isakmp update id-type fqdn
      ipsec policy create protocol gre
      ipsec disable...
  • Page 176: Dm-Vpn Over Cellular Setup

    DM-VPN over Cellular Setup. The network below demonstrates a spoke-hub topology. Implementation concepts: 1. The spoke retrieves an IP address from the cellular ISP via PPP. In the example below, the public IP 46.210.228.96 was issued to the spoke by the ISP “Cellcom”. 2.
  • Page 177: Network Drawing

    Network drawing. Figure 12: L3 VPN, cellular spoke - RL1000GW hub. Configuration, Spoke (RL1000GW):
    1. Create an interface to route the LAN traffic arriving at port eth1:
      RL1000GW# router interface create address-prefix 192.168.40.10/24 physical-interface eth1 description UNI purpose application-host admin-status enable
    2.
  • Page 178
    5. Describe the tunnel remote end, the private interface behind the hub public address:
      vpn gre nhrp map create multipoint-gre-name mgre1 protocol-address-prefix 10.10.10.10/24 nbma-address 80.74.102.38
    6. Disable and re-enable NHRP, then commit:
      vpn gre nhrp disable
      vpn gre nhrp enable
      commit...
  • Page 179
      vlan 10
      ports fastethernet 0/1 gigabitethernet 0/3 untagged fastethernet 0/1
      exit
      vlan 20
      ports fastethernet 0/8 gigabitethernet 0/3 untagged fastethernet 0/8
      exit
      interface fastethernet 0/1
      alias UNI
      routerport pvid 10
      exit
      interface fastethernet 0/8
      alias NNI
      routerport pvid 20
      exit
      interface vlan 10...
  • Page 180
    5. Enable NHRP:
      dm-vpn nhrp enable
    6. Assign a static route to the remote user subnet 192.168.40.x behind the spoke via the tunnel remote end 10.10.10.20:
      router static
      enable
      configure terminal
      ip route 192.168.40.0/24 10.10.10.20
      ip route 0.0.0.0/0 172.18.212.100
      write
      exit...
  • Page 181: Testing The Setup

    Testing the setup.
    1. Use show commands to check the configuration.
    a. Spoke:
      RL1000GW# router interface show
      cellular show
      cellular wan show
      cellular connection show
      ipsec show
    b. Hub:
      RLGE2FE16R(hub)# show vlan
      router interface show
    2. Make sure that both the IP of the hub and that of the spoke are each accessible from the internet.
  • Page 182
      Kernel IP routing table
      Destination    Gateway        Genmask          Flags Metric Ref Use Iface
      0.0.0.0        0.0.0.0        0.0.0.0                               0 ppp0
      10.10.10.0     0.0.0.0        255.255.255.0                         0 mgre1
      192.168.10.0   10.10.10.10    255.255.255.0                         0 mgre1
      192.168.40.0   0.0.0.0        255.255.255.0                         0 eth1
      Completed OK
      RL1000GW# cellular connection show
      +-----------+---------------+---------+--------+----------+--------+
      | interface | local ip...
  • Page 183
      esp-udp mode=transport spi=27166054(0x019e8566) reqid=0(0x00000000)
      E: 3des-cbc 7b9bb5bb e8e16e18 d48af2f6 cd22aab5 d357dc07 cdf0c300
      A: hmac-md5 16bc188c 6f7b7f9f 54025146 8963f9c8
      seq=0x00000000 replay=4 flags=0x00000000 state=mature
      created: May 18 13:09:36 2014 current: May 18 13:29:15 2014
      diff: 1179(s) hard: 86400(s) soft: 69120(s)
      last: May 18 13:09:47 2014 hard: 0(s)
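    The SA dump on page 183 is worth reading rather than just glancing at: it names the cipher and integrity algorithm protecting the tunnel, prints the session keys in clear, and carries the hard and soft lifetimes described on page 154. The Python below, an added example and not ComNet code, parses that dump and runs the checks an operator would want: which algorithms are in use, that the soft lifetime sits below the hard lifetime so a rekey window exists, and how long until the soft-lifetime rekey is due. The sample is the page's own dump re-laid one field group per line; the list of algorithms it flags reflects general guidance, not a statement about the device.

```python
"""Checks over an 'ipsec show' SA dump (setkey/racoon style, as on page 183).
Added example, not ComNet code. SAMPLE_SA_DUMP is the page's dump restored to
one field group per line; LEGACY_ALGS is general guidance."""
import re
from datetime import datetime
from typing import Dict, List

SAMPLE_SA_DUMP = """\
esp-udp mode=transport spi=27166054(0x019e8566) reqid=0(0x00000000)
E: 3des-cbc 7b9bb5bb e8e16e18 d48af2f6 cd22aab5 d357dc07 cdf0c300
A: hmac-md5 16bc188c 6f7b7f9f 54025146 8963f9c8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 18 13:09:36 2014 current: May 18 13:29:15 2014
diff: 1179(s) hard: 86400(s) soft: 69120(s)
last: May 18 13:09:47 2014 hard: 0(s)
"""

# Algorithms a reviewer would flag on a new deployment (general guidance).
LEGACY_ALGS = {
    "des-cbc": "56-bit key, broken",
    "3des-cbc": "64-bit block cipher, prefer AES-CBC or AES-GCM",
    "null": "no encryption",
    "hmac-md5": "MD5-based integrity, prefer HMAC-SHA-256 or better",
}

_TS_FMT = "%b %d %H:%M:%S %Y"
_TS_RE = r"(\w+ \d+ [\d:]+ \d{4})"


def parse_sa(dump: str) -> Dict[str, object]:
    """Extract the fields needed for the checks. The key material that
    follows the algorithm names is deliberately not captured."""
    sa: Dict[str, object] = {}
    m = re.search(r"^(\S+)\s+mode=(\w+)\s+spi=(\d+)", dump, re.M)
    if not m:
        raise ValueError("no SA header line")
    sa["proto"], sa["mode"], sa["spi"] = m.group(1), m.group(2), int(m.group(3))
    m = re.search(r"^E:\s+(\S+)", dump, re.M)
    sa["enc_alg"] = m.group(1) if m else None
    m = re.search(r"^A:\s+(\S+)", dump, re.M)
    sa["auth_alg"] = m.group(1) if m else None
    m = re.search(r"state=(\w+)", dump)
    sa["state"] = m.group(1) if m else None
    m = re.search(r"created:\s+" + _TS_RE + r"\s+current:\s+" + _TS_RE, dump)
    if m:
        sa["created"] = datetime.strptime(m.group(1), _TS_FMT)
        sa["current"] = datetime.strptime(m.group(2), _TS_FMT)
    m = re.search(r"diff:\s+(\d+)\(s\)\s+hard:\s+(\d+)\(s\)\s+soft:\s+(\d+)\(s\)", dump)
    if not m:
        raise ValueError("no lifetime line")
    sa["diff_s"], sa["hard_s"], sa["soft_s"] = (int(g) for g in m.groups())
    return sa


def assess(sa: Dict[str, object]) -> Dict[str, object]:
    """Lifetime arithmetic plus the warnings an operator should act on."""
    warnings: List[str] = []
    for alg in (sa["enc_alg"], sa["auth_alg"]):
        if alg in LEGACY_ALGS:
            warnings.append(f"{alg}: {LEGACY_ALGS[alg]}")
    if sa["soft_s"] >= sa["hard_s"]:
        warnings.append("soft lifetime not below hard lifetime: no rekey window before expiry")
    if sa["state"] != "mature":
        warnings.append(f"SA state is {sa['state']}, not mature")
    if "created" in sa:
        # Cross-check the device's diff field against its own timestamps.
        elapsed = int((sa["current"] - sa["created"]).total_seconds())
        if elapsed != sa["diff_s"]:
            warnings.append(f"diff {sa['diff_s']}s disagrees with timestamps ({elapsed}s)")
    return {
        "soft_ratio": sa["soft_s"] / sa["hard_s"],
        "seconds_to_soft_rekey": sa["soft_s"] - sa["diff_s"],
        "seconds_to_hard_expiry": sa["hard_s"] - sa["diff_s"],
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = assess(parse_sa(SAMPLE_SA_DUMP))
    print(f"soft/hard = {result['soft_ratio']:.2f}, "
          f"rekey due in {result['seconds_to_soft_rekey']} s")
    for w in result["warnings"]:
        print("WARNING:", w)
```

    On the page's dump the soft lifetime is 80% of the hard lifetime (69120 of 86400 s), which is the rekey window page 154 describes, and the two warnings are for 3des-cbc and hmac-md5. Because the dump exposes the SA keys, treat the output of ipsec show as sensitive and keep it out of tickets and shared logs.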
  • Page 184: Adding A Terminal Server Service

    Adding a terminal server service. Spoke:
    1. Create the serial port:
      serial port create port 1 baudrate 9600 parity no databits 8 mode-of-operation transparent
      serial local-end-point create port 1 service-id 1 application terminal-server
      commit
    2.
  • Page 185: Adding A Transparent Serial Tunneling Service

    Adding a transparent serial tunneling service. Hub:
    1. Create the serial port and the transparent serial tunneling service:
      application connect
      serial port create slot 1 port 1 mode-of-operation transparent
      serial local-end-point create slot 1 port 1 service-id 2 application serial-tunnel position master
      serial remote-end-point create remote-address 192.168.40.10 service-id 2 position slave
      exit...
  • Page 186: Application Aware Firewall

    Firewall Service Flow. For a protocol flow to be inspected by the firewall, the following is set up by the ComNet NMS (iSIM): » A designated service VLAN is created and the ports are tagged. » ACLs are placed on the relevant access port and network ports to redirect the traffic flow to the service VLAN and to the firewall process.
  • Page 187: Firewall Flow Illustration

    Firewall Flow Illustration. Supported hardware: all RL1000GW variants support the firewall as an option. Configuration: the firewall configuration consists of two parts. 1. Access lists at the ports, filtering L3-L4 traffic and directing the designated SCADA service to the firewall DPI process.
  • Page 188: Example

    Example. Below is an example of an IEC 104 firewall setup.
    1. Create IP interfaces for routing and management:
      RL1000GW# router interface create address-prefix 192.168.1.101/24 physical-interface eth1
      Completed OK
      RL1000GW# router interface create address-prefix 192.168.2.101/24 physical-interface eth2
      Completed OK
      RL1000GW#
    2.
  • Page 189: Firewall Commands Hierarchy

    4. Assign the ACLs to the corresponding ports:
      RL1000GW# ip access-group apply acl-num 1101 interface eth2 direction in priority 10
      completed ok
      RL1000GW# ip access-group apply acl-num 1102 interface eth1 direction in priority 10
      completed ok
    5. Create the firewall.rules file (done only with the EMS).
    6.
  • Page 190: Firewall Commands

    Firewall Commands. Command / Description: firewall: enter the configuration mode for the firewall application; enable: enable the application; disable: disable the application. profile show: display the content of the firewall.rules file. log show: display the firewall log; log clear: clear the log. show: display the status of the firewall. tcp activate mode...
  • Page 192 T: 203.796.5300 | F: 203.796.5303 | TECH SUPPORT: 1.888.678.9427 | INFO@COMNET.NET 8 TURNBERRY PARK ROAD | GILDERSOME | MORLEY | LEEDS, UK LS27 7LE T: +44 (0)113 307 6400 | F: +44 (0)113 253 7462 | INFO-EUROPE@COMNET.NET © 2016 Communications Networks Corporation. All Rights Reserved. “ComNet” and INS_RL1000GW_REV–...
