Westermo RedFox Series Management Manual

RedFox Series
Wolverine Series
Lynx Series
Falcon Series
Westermo OS
Viper Series
Management Guide
6101-3201
WeOS
www.westermo.com

Advertisement

Table of Contents
loading

Summary of Contents for Westermo RedFox Series

  • Page 1 RedFox Series Wolverine Series Lynx Series Falcon Series Westermo OS Viper Series Management Guide 6101-3201 WeOS www.westermo.com...
  • Page 2: Legal Information

    fitness for a particular purpose, are made in relation to the accuracy and reliability or contents of this document. Westermo reserves the right to revise this document or withdraw it at any time without prior notice.
  • Page 3: Table Of Contents

    I Introduction to WeOS and its Management Methods 1 Introduction 1.1 Westermo and its WeOS products ..... 1.2 Getting Started .
  • Page 4 ....12.2 Managing SHDSL ports via the web interface ... . . © 2018 Westermo Teleindustri AB...
  • Page 5 ....20.2 Managing Link Aggregation via the Web ....
  • Page 6 ....26.2 Managing Logging Support via the CLI ....
  • Page 7 ......34 PPP Connections 34.1 Overview of PPP Properties and Features ....
  • Page 8 41.1 Managing Modbus Gateway via the web interface ..1048 41.2 Managing Modbus Gateway via the CLI interface ... 1052
  • Page 9 43.2 Managing TTDP settings via the CLI ....1099 VII Appendixes 1106 Acronyms and abbreviations 1107 References 1111 Index 1116
  • Page 10: I Introduction To Weos And Its Management Methods

    Westermo OS Management Guide Version 4.24.1-0 Part I Introduction to WeOS and its Management Methods
  • Page 11: Introduction

    Chapter 1 Introduction 1.1 Westermo and its WeOS products Westermo provides an extensive set of network products for robust industrial data communications, managed as well as unmanaged products. Westermo’s products are found in a diverse set of harsh-environment applications, where robustness and reliability are vital properties.
  • Page 12: Introduction To Weos

    1.3 Introduction to WeOS Westermo OS (WeOS) is a network operating system delivering an extensive set of functionality including layer-2 (basic switching, VLAN, IGMP snooping, etc.), layer-3 (routing, firewall, NAT, etc.), and higher-level services (DHCP, DNS, etc.).
  • Page 13 These features apply to WeOS products with serial ports, both for WeOS Standard and WeOS Extended. – Chapter 40 describes Serial Over IP and Modem Replacement functionality – Chapters 41-42 cover Modbus Gateway and Microlok Gateway support.
  • Page 14: Westermo Products Running Weos

    Protocol (TTDP)[14]. TTDP support is limited to RFR-212-FB products[57] (Corazon platform). 1.5 Westermo products running WeOS Below you find the list of Westermo products running WeOS, as well as references to their respective User Guide: • Falcon: User Guide [48] (FDV-206-1D1S). (”Basis” platform) •...
  • Page 15 1.5.1 Product hardware details affecting WeOS functionality The WeOS functionality described in the Management Guide generally applies to all Westermo products running WeOS of the appropriate software level (Standard or Extended). However, where functionality assumes the presence of certain hardware (such as a USB port), those functions are limited to products including that hardware.
  • Page 16 Bypass Relay is available on DDW-x42-BP, and RedFox Rail models ”RFR-12 FB” and ”RFR-212 FB”. See the related User Guides, listed in section 1.5, for more information on bypass relay functionality. The DDW-x42 SHDSL ports have support for PAF (SHDSL link bonding).
  • Page 17: Quick Start

    On Falcon series of switches, all Ethernet ports belong to the default VLAN (VLAN 1), while the xDSL port belongs to a separate VLAN (VLAN 1006). That is, by factory default Falcon operates as a router. See chapter 13 for more details.
  • Page 18: Modifying The Ip Setting

    IP settings of the switch. In addition, the unit will autoconfigure itself with a link-local address in the 169.254.x.x range, where ’x’ is in the interval 0-255. See section 22.2.6 for more information.
  • Page 19 • WeConfig: is Westermo’s Network configuration management tool (NCM) made for commissioning and maintenance of components in a network. It replaces the former Westermo tool known as IPConfig. For further information on WeConfig’s features and how to use the tool, see the WeConfig User Guide[65].
  • Page 20 3. Access switch via web browser: Open your web browser and enter URL http://192.168.2.200 in the browser’s address field. You will be asked to enter a username and a password. Use the factory default account settings shown below: • Login username: admin • Password: westermo
  • Page 21 192.168.55.1. Click the Apply button. Your switch is configured with a new default gateway. 6. Open Interface Configuration Page: Click on the Configuration top-menu and then on the Network sub-menu and then the Interface sub menu. In
  • Page 22 • PC IP address: 192.168.55.35 • PC Netmask: 255.255.255.0 • PC Default Gateway: 192.168.55.1 Further management of the switch can be performed via any of the available management tools - WeConfig, Web, SSH/Telnet/CLI or SNMP.
  • Page 23 Important notice for WeOS Switches equipped with a console port See the User Guide of your specific product (section 1.5) for information on what Diagnostic Cable to use when connecting to the console port of your specific product.
  • Page 24 \ __ /\ __ /| _____ . _____ | | __ | | _____ | __ | | __ | __ | __ | _____ | info@westermo.se Robust Industrial Data Communications -- Made Easy \\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014 Type: ’help’ for help with commands, ’exit’ to logout or leave a context. example:/#>...
  • Page 25 ---- ------------------ ----- --------------------------- 127.0.0.1/8 16436 vlan1 192.168.55.100/24 1500 00:07:7c:10:de:e1 ------------------------------------------------------------------------------ example:/#> 7. Set default gateway IP address: The figure below shows the same network setup, but with a router attached to the IP subnet.
  • Page 26 • After the IP settings have been changed on the switch, the PC is likely to lose contact with the switch. The PC must therefore change its IP address again, and login to the switch again in order to copy the running configuration to the startup configuration.
  • Page 27 The procedure to connect may vary slightly depending on what SSH client you are using. The example below shows the connection procedure using Unix OpenSSH (http://www.openssh.com). (On Windows one can use Putty, http://www.chiark.greenend.org.uk/~sgtatham/putty/
  • Page 28 \ __ /\ __ /| _____ . _____ | | __ | | _____ | __ | | __ | __ | __ | _____ | info@westermo.se Robust Industrial Data Communications -- Made Easy \\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014 Type: ’help’ for help with commands, ’exit’ to logout or leave a context. example:/#>...
  • Page 29 \ __ /\ __ /| _____ . _____ | | __ | | _____ | __ | | __ | __ | __ | _____ | info@westermo.se Robust Industrial Data Communications -- Made Easy \\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014 Type: ’help’ for help with commands, ’exit’ to logout or leave a context. example:/#> copy running-config startup-config example:/#>...
  • Page 30: Overview Of Management Methods

    • WeConfig: is Westermo’s Network configuration management tool (NCM) made for commissioning and maintenance of components in a network. It replaces the former Westermo tool known as IPConfig. For further information on WeConfig’s features and how to use the tool, see the WeConfig User Guide[65].
  • Page 31: When To Use The Weconfig Tool

    3.1 When to use the WeConfig tool The Westermo configuration management tool, WeConfig, is used for basic configuration and maintenance of WeOS products. It is an ideal tool to upgrade firmware and manage configuration files (backup and restore) of a large set of WeOS devices.
  • Page 32: When To Use The Cli

    • Discover other Westermo Switches: The Web contains a discovery service (IPconfig) similar to what WeConfig provides. (Note, you must still be able to login to one switch in order to make use of this service.) To use the Web interface, you must know the IP address of your switch.
  • Page 33 IP address). To find out the switch IP address you may need to use the WeConfig tool, but once you know it you can do the rest of the management via SSH/CLI. The WeOS CLI is introduced in chapter
  • Page 34: Management Via Web Interface

    Other pages and settings are described per topic in chapter 8 and the following chapters. For HTTPS server authentication, a self-signed certificate is used as of WeOS v4.24.1. JavaScript is a trademark of Oracle Corporation.
  • Page 35: Document Conventions

    The button may be an icon. In this case the icon is shown. Additionally, in parenthesis a sub-context (ctx) may be described which will identify a context on the page, normally identified by its header.
  • Page 36: Logging In

    • Login: admin • Password: westermo Your web session will last for ten (10) minutes after your latest ”web action”. Clicking a link or button at least every 10 minutes will let you keep the session
  • Page 37 10 minutes or shorter is selected. Only one user at a time can be logged into the switch Web Management Tool. If a new user tries to log in the currently logged in user will automatically be logged out.
  • Page 38: Navigation

    • Status - This is where you find status information of the running system (port status, protocol status, etc.) • Configuration - This is where you configure the unit • Maintenance - This is where you do firmware upgrades, configuration file backups, view log files, manage port monitoring, etc.
  • Page 39 fig. 4.4. When hovering a highlighted port the additional information is displayed in a pop-up. Inside a drop-down menu, the ports are also highlighted, but no pop-ups are presented.
  • Page 40 Figure 4.4: Sample web page with port information pop-up.
  • Page 41: System Overview

    An arbitrary name to identify this unit. Location An arbitrary description to identify where the unit is located. ADSL/VDSL Status Current ADSL/VDSL connection status. Displays negotiation status, IP-address, up/down speed and DSL uptime.
  • Page 42 Link alarms are only shown for ports where link alarm is enabled and when the link is down. FRNT alarms are only shown for FRNT ports with link down. Interfaces Displays the interfaces and their primary addresses.
  • Page 43: Version

    The batch identification of the card in the specified slot. Revision The revision of the card in the specified slot. Enabled Redundancy Protocol(s) A list of the redundancy protocols currently enabled on the unit.
  • Page 44 FRNT ports where link alarm is enabled and when the link is down. Configuration Hash A SHA-1 hash of the running configuration and the saved startup configuration.
  • Page 45 Figure 4.6: Detailed system overview page.
  • Page 46 Load Average The load average is a standard Linux way of measuring system load. Memory Usage (%) A snapshot of RAM (Random Access Memory) usage as percentage of total RAM.
  • Page 47 SFP should not be compared. DDM/DOM diagnostic information is only available for Westermo DDM SFPs, see the SFP Transceiver Datasheet of your WeOS product (www.westermo.com).
  • Page 48: Management Via Cli

    The WeOS CLI is organised in a hierarchical structure. For management purposes, the use of a hierarchical structure limits the available commands to those relevant for a certain topic. This in turn simplifies switch operation. Telnet server is by default disabled, see also section 8.3.34.
  • Page 49 A simple example on CLI usage is given below. There you can see how the CLI prompt changes to match the current context. Example example:/#> configure example:/config/#> vlan 100 example:/config/vlan-100/#> untagged 1,2 example:/config/vlan-100/#> end example:/config/#> end example:/#>
  • Page 50: Accessing The Cli

    Stop bits Parity None Flow control None The example below shows how to login via the console port using the PuTTY application. Once you have installed and started PuTTY, configure the appropriate Serial settings.
  • Page 51 Select Serial as Connection type as shown in the figure below. To start the serial connection, press the Open button. The figure below shows the console prompt when logging in to the CLI via the console on a unit named example.
  • Page 52 \ __ /\ __ /| _____ . _____ | | __ | | _____ | __ | | __ | __ | __ | _____ | info@westermo.se Robust Industrial Data Communications -- Made Easy \\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014 Type: ’help’ for help with commands, ’exit’ to logout or leave a context. example:/#>...
  • Page 53 \ __ /\ __ /| _____ . _____ | | __ | | _____ | __ | | __ | __ | __ | _____ | info@westermo.se Robust Industrial Data Communications -- Made Easy \\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014 Type: ’help’ for help with commands, ’exit’ to logout or leave a context. example:/#>...
  • Page 54: Using The Cli

    fig. 5.2). First the context specific configuration commands are shown, followed by the commands to show the current configuration settings. At the end, commands available in all contexts are shown (see also section 5.4.).
  • Page 55 Short forms of commands are possible, see the tutorial for more help. example:/config/vlan-100/#> Figure 5.2: Use of the ”help” command to list available commands (here in the VLAN context). The ”help” command can also be used to get information on a specific command as shown below.
  • Page 56 To enter Global Configuration context from Admin Exec the ”configure” command is used. From Global Configuration context one can reach several specific configuration contexts, and the command to enter them is context specific, e.g.,:
  • Page 57 ”copy” command, see also chapter It is also possible to leave the configuration contexts without updating the running-configuration. The commands to leave a context are listed below. More informa-
  • Page 58 • show iface [IFNAMELIST] Convention Description command syntax Command syntax is generally written in typewriter style (fixed width) ”command syntax” Commands described in running text use bold typewriter style enclosed by quotation marks.
  • Page 59 Vertical bar. Used to separate alternative (mutually exclusive) parameters. < > Angle brackets. Encloses a mandatory parameter. [ ] Square brackets. Encloses an optional parameter. [< >] Angle brackets within square brackets. Encloses a mandatory parameter within an optional choice.
  • Page 60: General Cli Commands

    (NTP client context) sets the NTP polling-interval to its default value (600 seconds). The ”no” command can also be used to negate/disable certain commands outside the configuration context, e.g., to disable debugging or port monitoring. Default values Not applicable
  • Page 61 Usage Leave this context and return to the Admin Exec context. If this command is issued within any of the configuration contexts, the command implies that the configuration changes conducted are confirmed, and the running-configuration is updated. Default values Not applicable
  • Page 62 Default values Not applicable 5.4.7 Repeat a command Syntax repeat <COMMAND> Context Admin Exec context Usage Repeat COMMAND every second until Ctrl-C is pressed. Default values Not applicable 5.4.8 On-line help Syntax help <COMMAND> Context All contexts
  • Page 63 files into the terminal. Pasting in configuration files can also be done with the copy command as copy con run to copy console to running-config. Default values Interactive mode (i.e. the ”terminal” argument does not apply by default)
  • Page 64: Weos Snmp Support

    SNMP agent on the management unit. The WeOS SNMP agent supports SNMP v1, v2c and v3. An SNMP manager: • can send SNMP GET messages to poll status and configuration information from an SNMP agent.
  • Page 65 Three types of communities are supported: • Read community: The SNMP read community is used by a manager to read SNMP MIB objects from a managed station. Default read community: public. See section 6.1.4 for secure management using SNMPv3.
  • Page 66 SNMP traps are only generated if there is at least one Trap Host (i.e., SNMP management station) defined. Up to three Trap Hosts can be defined. If two or more Trap Hosts are configured, traps will be sent to all of them.
  • Page 67 Digital-In High OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). sensorNotifications(1).sensorNotificationPrefix(0).digitalInHigh(1) Digital-In Low OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). sensorNotifications(1).sensorNotificationPrefix(0).digitalInLow(2) • Power Supply: A trap is generated when the voltage level on any of the power feeds changes from high to low, or low to high.
  • Page 68 RiCo/Dual-Homing Uplink Up OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). riCoNotifications(8).riCoNotificationPrefix(0).riCoUplinkUp(1) RiCo/Dual-Homing Uplink Down OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). riCoNotifications(8).riCoNotificationPrefix(0).riCoUplinkDown(2) • SNR-margin: On units with a SHDSL/xDSL port traps are generated when the SNR margin falls below (or rises above) a configurable threshold.
  • Page 69 (with details). Cleared, a conflict is cleared (with details). Warning, at least one conflict. OK, no conflict is detected. Address Conflict Detected OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). addressConflictNotifications(6).addressConflictNotificationsPrefix(0). AddressConflictDetected(1) Address Conflict Cleared OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). addressConflictNotifications(6).addressConflictNotificationsPrefix(0). AddressConflictCleared(2) Address Conflict OK OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6).
  • Page 70 Summary Alarm OK OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). genericNotifications(4).genericNotificationPrefix(0).summaryAlarmOK(1) Summary Alarm Warning OID: iso(1).org(3).dod(6).internet(1).private(4). enterprises(1).westermo(16177).common(2).weos(1).notifications(6). genericNotifications(4).genericNotificationPrefix(0). summaryAlarmWarning(2) The summary alarm status can be read at the following OID: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).westermo(16177). common(2).weos(1).system(5).eventSystem(2).summaryAlarmStatus(1)
  • Page 71 SNMPv3 users created at level authPriv, may be implemented in future releases of WeOS. • Encryption protocol: WeOS offers SNMPv3 data encryption using DES and AES-128. • Authentication protocol: WeOS offers SNMPv3 data integrity using MD5 and SHA1.
  • Page 72 ”walk” is limited to the mib-2 system’s group). Example mypc:~$ snmpwalk -v3 -u alice -l authNoPriv -a SHA -A alicepwd 192.168.2.200 system SNMPv2-MIB::sysDescr.0 = STRING: Westermo RedFox Industrial, primary: v4.4.0, backup: v4. bootloader: v2.01, fpga: v20080626 SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.16177 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (94018) 0:15:40.18...
  • Page 73 SysGroup of IEEE 802.1AB-2005 LLDP MIB. Indications of level of support for each MIB is shown in the list of supported MIBs. For some MIBs, you find more detailed MIB conformance information in the WeOS release zip-archive.
  • Page 74 This MIB can be used to monitor system memory usage, and is maintained by the Net-SNMP Project 6.1.5.2 Private MIB To use the WeOS private MIB, two Westermo specific MIB files should be loaded into your SNMP management software (see section 6.1.6...
  • Page 75 – Ethernet and DSL ports: Ethernet/DSL ports have fixed allocation ifIndexes starting from 4096. Indexes are allocated in ascending order (4096, 4097, . . . , ”4096+NB_OF_PORTS-1”). http://www.castlerock.com/. SNMPc is a trademark of Castlerock Computing.
  • Page 76 1 Virtual ifIndex was automatically adjusted to 19 example:/config/snmp/#> show ifindex-start Physical 1, Virtual 19 example:/config/snmp/#> In this example, the ifIndex start for virtual interfaces automatically adjusted to avoid overlap with the physical interfaces.
  • Page 77: Managing Snmp Via The Web Interface

    Write Community A community identifier for read/write access. Leave blank to disable write community. Trap Community A community identifier for traps. Defaults to community identifier trap.
  • Page 78 None, one, two or three addresses may be filled in. Leave all blank to disable SNMP traps. ifIndex Start The start values for ifIndex (Physical and virtual). Select override to change default values
  • Page 79 Click this icon to remove the SNMP v3 user in that table row. New User Click on this button to create a new SNMP v3 user. When clicking the New User button, the SNMP v3 user edit page will be displayed.
  • Page 80 Figure 6.3: New SNMP v3 user. See table above for description of fields.
  • Page 81: Manage Snmp Settings Via The Cli

    ”snmp-server” command. Use ”no snmp-server” to disable the SNMP server. Use ”show snmp-server” to show all SNMP server settings. (Also available as ”show” command within the SNMP Server Configuration context.) Default values Enabled.
  • Page 82 Usage Configure the SNMP Trap Community string. ”no trapcommunity” will reset the trap community to the default string (”trapcommunity trap”). Use ”show trapcommunity” to show the SNMP Trap Community setting. Default values trap 6.3.5 Manage SNMP Trap Hosts Syntax [no] host <IPV4ADDRESS|FQDN>
  • Page 83 8-16 characters. ASCII characters 33-126 except ’#’ (ASCII 35) are allowed. • Encryption: Achieve message privacy by specifying DES or AES128 message encryption. The encryption password is a string of 8-16 characters. ASCII characters 33-126 except ’#’ (ASCII 35) are allowed.
  • Page 84 Use ”show rwuser” to show settings for configured SNMPv3 read-write users. Default values Disabled. Examples See section 6.3.7. 6.3.9 Show SNMP server status Syntax show snmp-server Context Admin Exec context. Usage Show whether SNMP server is running or not. Examples SNMP server enabled
  • Page 85 Example example:/#> show snmp-server SNMP server running as PID: 540 example:/#> SNMP server disabled (see ”no snmp-server” in section 6.3.1). Example example:/#> show snmp-server No SNMP server currently running example:/#>
  • Page 86: Common Switch Services

    Part II Common Switch Services
  • Page 87: General Switch Maintenance

    Manage Cable Factory Reset Section 7.1.2.2 Configuration File Media -”- BOOTP Bootstrap Settings -”- USB Bootstrap Settings -”- Login Account management Set Admin Password Section 9.1.1.1 Recover from lost Admin Password Section 7.1.3
  • Page 88 Set (non-default) Label -”- Protocol License Management Upload License file Section 7.1.9 Maintenance and diagnostic tools Ping Section 7.1.10 Traceroute -”- IPConfig Client -”- Port Monitoring -”- Wake-On-LAN -”- SSH Client
  • Page 89 firmwares interpret the configuration the same way. The flash partition table can only be updated on early RedFox units (RFI and RFR), in order to upgrade to WeOS 4.3.0 or later. See section 7.1.11 for details.
  • Page 90 files. 7.1.1.1 Upgrading firmware and bootloader WeOS firmware and bootloader can be downloaded from www.westermo.com. The method to upgrade firmware and bootloader differs somewhat if the unit to upgrade is running WeOS 4.13.1 (or later), as compared to units running releases before 4.13.1.
  • Page 91 ”pkg” files are supported, you must first upgrade to 4.13.1 (or some later 4.13.x release) using ”img” files WeOS 4.13.1 and later 4.13.x releases are available both as ”img” and ”pkg” files, while only
  • Page 92 (bootfile or firmware) on any type of WeOS product. The table below lists the firmware used to upgrade system firmware and bootloader. Product Family System Firmware Bootloader Firmware (Primary/Secondary Image) All WeOS products WeOS-X.X.X.pkg WeOS-X.X.X.pkg (e.g., WeOS-4.24.1.pkg) (e.g., WeOS-4.24.1.pkg) ”pkg” files are available from WeOS4.14.0 and onward.
  • Page 93 4.24.1 from an FTP server (or TFTP server) at 192.168.3.10: Example example:/#> upgrade primary 192.168.3.10 WeOS-4.24.1.pkg • Upgrading bootloader via CLI: Here we upgrade to the bootloader from an FTP server (or TFTP server) at 192.168.3.10: Example example:/#> upgrade boot 192.168.3.10 WeOS-4.24.1.pkg
  • Page 94 From WeOS 4.15.0 and onward, this step is no longer necessary, as the startup configuration will then automatically be updated in-line with the current firmware version. See also section 7.1.4. WeOS 4.13.1 and later 4.13.x releases are available both in ”pkg” and ”img” format.
  • Page 95 2. To upgrade the backup firmware (to WeOS 4.13.4), either use the Web upgrade facility, see section 7.2.1, or use the CLI ”upgrade” command, see section 7.3.1. The example below shows an upgrade of the backup firmware from an FTP/TFTP server at 192.168.3.10.
  • Page 96 After logging in again, do the following steps: (a) Verify configuration: Verify that the unit works as expected, doing whatever tests you find necessary for your use case. If the unit does not
  • Page 97 WeOS version (here 4.14.1). For this you can use the Web upgrade facility, see section 7.2.1, or the CLI ”upgrade” command, e.g., ”upgrade secondary 192.168.3.10 WeOS-4.14.1.pkg” to upgrade the secondary firmware from an FTP/TFTP server at 192.168.3.10. Compare with the example in step
  • Page 98 From the boot-menu you can select which system firmware image (WeOS) to load (primary or secondary image on flash), but you can also choose to download a firmware remotely via TFTP into RAM, by entering the rescue-mode (System Recovery).
  • Page 99 • Corazon: Products based on the Corazon platform use the Barebox or U-boot bootloader. Barebox is supported from WeOS 4.15.2, and is now the preferred bootloader for Corazon products. • Coronet: Products based on the Coronet platform use the Barebox bootloader.
  • Page 100 USB stick. – Flash: By default the WeOS unit boots using configuration files (startup-configuration, VPN certificates, etc.) from the (on-board) flash. The configuration on flash is also used as fall-back when other methods fail.
  • Page 101 As a technology preview feature, there is also a boot media option referred to as ”boot from USB”. See WeOS release notes for more information on WeOS technology previews in general and for specific information on the ”boot from USB” function.
  • Page 102 Status : Disabled Timeout : Disabled example:/boot/usb/#> leave example:/#> • Barebox boot-menu options: Boot options related to the Barebox boot-menu (boot-menu password, rescue console settings, etc.) are described in sections 7.3.16-7.3.21.
  • Page 103 – Factory Reset: By resetting to factory defaults, the switch configuration (including the ”admin” password) will be reset, i.e., the ”admin” password is restored to ”westermo”, enabling you to login again. The way to accomplish a factory reset may differ if the switch has a console port (section 7.1.3.2) or if it lacks a console port...
  • Page 104 Table 7.4: Factory Default IP settings. There are several ways to discover the IP address of a product: 1. WeConfig (from PC): The WeConfig tool is designed to scan for (Westermo) switches on the local network. See the WeConfig User Guide[65] for de- tails on how to use the WeConfig tool.
  • Page 105 ˆ Admin password reset: It is possible to recover from a lost admin password by using the following login and password from the console port. The admin password will be reset to its default value (westermo), and thereby enable you to login to the switch again.
  • Page 106 flashing indicates ready to reset. You can now go ahead with the factory reset, or abort the procedure. ˆ Go ahead with factory reset: Acknowledge the factory reset by unplug- ging (one of) the cable(s). The ON LED stops flashing. © 2018 Westermo Teleindustri AB...
  • Page 107 ˆ Abort the factory reset: Simply wait for the procedure to time out, do not remove any of the cables. This takes approximately 30 seconds after the ON LED started flashing RED. The switch will conduct a normal boot with the current startup config. © 2018 Westermo Teleindustri AB...
  • Page 108 files on the switch, which enables easy swapping between alternate configurations. As described in section 7.1.5, it is possible to keep several configuration files on flash. The startup configuration file is actually a symbolic name for one of the stored configuration files. © 2018 Westermo Teleindustri AB...
  • Page 109 ˆ Regularly read out the hash(es) from your management PC and compare with the stored value. Note These hashes cover WeOS configuration only. They do not bootstrap options (section 7.1.2.2), certificates (section 7.1.8) or licenses (section 7.1.9). © 2018 Westermo Teleindustri AB...
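The comparison step described on page 109, as an added example that is not part of the manual or of WeOS: a small drift check to run on the management PC against a recorded baseline. It assumes the hashes read from the unit are SHA-256 hex digests of each configuration file (the page does not state the algorithm WeOS uses); the configuration files below are constructed sample data, not real WeOS syntax.

```python
"""Configuration-hash drift check run from the management PC.

Added example, not part of the WeOS manual or WeOS itself. Assumes the
hashes read from the unit are SHA-256 hex digests of each configuration
file (the algorithm WeOS uses is not stated on this page); the baseline
is recorded from a known-good state and kept off the unit.
"""
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map file name -> SHA-256 hex digest of its content."""
    return {name: sha256_hex(content) for name, content in files.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between the recorded baseline and freshly read hashes.

    'changed' is the interesting class for an integrity check; 'added' and
    'removed' catch configuration files appearing on or vanishing from flash.
    """
    base_names, cur_names = set(baseline), set(current)
    return {
        "added": sorted(cur_names - base_names),
        "removed": sorted(base_names - cur_names),
        "changed": sorted(n for n in base_names & cur_names if baseline[n] != current[n]),
    }


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


# Constructed sample data: configuration files as recorded at baseline time.
BASELINE_FILES = {
    "config0.cfg": b"hostname example\nweb port 443\n",
    "config1.cfg": b"hostname lab\nno telnet\n",
}

# Constructed sample data: the same unit read later. Someone enabled Telnet
# in config1 and a new configuration file appeared on flash.
CURRENT_FILES = {
    "config0.cfg": b"hostname example\nweb port 443\n",
    "config1.cfg": b"hostname lab\ntelnet\n",
    "config2.cfg": b"hostname rogue\n",
}


def drift_report() -> Dict[str, List[str]]:
    return compare(hash_files(BASELINE_FILES), hash_files(CURRENT_FILES))


if __name__ == "__main__":
    print(json.dumps(drift_report(), indent=2))
```

Keep the baseline on the management PC, not on the unit: a hash stored only on the switch is under the control of whoever changed the configuration.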
  • Page 110 ’.cfg’ as extension. As mentioned in section 7.1.4 there are also three special configuration files: – Running Configuration: The running configuration is only stored in RAM; thus, it is not kept over a reboot.
  • Page 111 In order to copy files to/from a USB memory stick attached to the USB port of the WeOS product, the USB memory stick must: For information on WeOS products equipped with a USB port, see section 1.5.1, or the User Guide of your WeOS product (see section 1.5).
  • Page 112 • be formatted as EXT3, VFAT or FAT on the first partition. As of WeOS v4.24.1 the following USB stick(s) are verified for use with WeOS products: Westermo USB stick 3641-0190 (Serial number 1195 or higher) for RedFox Rail and Viper, see user guides in section 1.5.
  • Page 113 Example with remote file upload:
      unix> scp config1.cfg admin@myswitch.example.com:/cfg/
      Password for admin@myswitch.example.com:
      unix>
    Example with remote file download:
      unix> scp admin@myswitch.example.com:/log/messages .
      Password for admin@myswitch.example.com:
      unix>
  • Page 114 • Insert USB stick: Insert the USB stick into the WeOS unit and power it up. • Log in to CLI: Log into the unit (CLI), either via the console port or remotely via SSH (see section 5.2). • Activate auto-backup: Run the CLI ”backup” command.
  • Page 115 Performing initial backup... Backup done. example/#> The configuration files (including certificates and private keys) are now backed up to sub-directories under ”/usb/westermo/backup/” (see section 7.1.6.3). • Keep USB inserted: The USB memory stick should stay attached to the WeOS unit. Any changes to the configuration files on unit flash will be continuously backed up to USB. Note that the stick then holds the unit's private keys, so it needs the same physical protection as the unit itself.
  • Page 116 10 seconds, use the following commands: Only files on unit flash (configuration file(s), IPsec certificates, etc.) will be affected by the factory reset. Files on an attached USB stick (if present) will not be affected.
  • Page 117 Starting DHCP/DNS Server ........[ OK ] example:/#> The restore operation is not conducted if ”auto-backup” is already activated on the WeOS unit and the ”gen.id” counters on the USB and unit flash have the same value, see also section 7.1.6.3.
  • Page 118 <-- Configuration files +-- crt/ <-- Certificates and keys Additional details: The ”/usb/westermo/backup/cfg/” directory will contain some additional files: ”startup-config.lnk” specifies which config file is used as ”startup-configuration”, and ”gen.id” contains a counter. The corresponding ”gen.id” file on unit flash is incremented every time a change on unit flash is detected.
  • Page 119 USB during boot-up. USB configuration deployment has precedence over USB auto-backup and restore. That is, if the USB memory stick contains both a ”westermo/deploy/” and a ”westermo/backup/” directory, the configuration deployment function will be activated.
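The boot-time decision described on pages 117 to 119 (deploy/ wins over backup/, restore is skipped when auto-backup is active and the gen.id counters match), as an added model that is not WeOS code. It exercises the rules on constructed directory trees; the name and location of the flash-side gen.id file (FLASH_GEN_ID) is an assumption, since the page only says a corresponding counter exists on unit flash.

```python
"""Model of the WeOS USB boot-time decision described above.

Added example, not WeOS code. It encodes the rules stated on these pages:
a westermo/deploy/ directory wins over westermo/backup/, and a restore from
backup/ is skipped when auto-backup is already active on the unit and the
gen.id counters on USB and flash match. The location of the flash-side
gen.id file (FLASH_GEN_ID) is an assumption.
"""
import os
import tempfile
from typing import Optional

FLASH_GEN_ID = "gen.id"  # assumed name of the counter file on unit flash


def read_gen_id(path: str) -> Optional[int]:
    try:
        with open(path, encoding="ascii") as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return None


def usb_boot_action(usb_root: str, flash_root: str, auto_backup_active: bool) -> str:
    """Return 'deploy', 'restore' or 'none' for a stick mounted at usb_root."""
    deploy_dir = os.path.join(usb_root, "westermo", "deploy")
    backup_dir = os.path.join(usb_root, "westermo", "backup")
    if os.path.isdir(deploy_dir):
        return "deploy"          # deployment has precedence over backup/restore
    if not os.path.isdir(backup_dir):
        return "none"
    usb_gen = read_gen_id(os.path.join(backup_dir, "cfg", "gen.id"))
    flash_gen = read_gen_id(os.path.join(flash_root, FLASH_GEN_ID))
    if auto_backup_active and usb_gen is not None and usb_gen == flash_gen:
        return "none"            # stick already mirrors flash; nothing to restore
    return "restore"


def make_tree(root: str, deploy: bool, backup: bool, usb_gen: Optional[int]) -> None:
    """Build a constructed USB layout under root for the scenarios below."""
    if deploy:
        os.makedirs(os.path.join(root, "westermo", "deploy"), exist_ok=True)
    if backup:
        cfg = os.path.join(root, "westermo", "backup", "cfg")
        os.makedirs(cfg, exist_ok=True)
        if usb_gen is not None:
            with open(os.path.join(cfg, "gen.id"), "w", encoding="ascii") as fh:
                fh.write(f"{usb_gen}\n")


def scenario(deploy: bool, backup: bool, usb_gen: Optional[int], flash_gen: Optional[int],
             auto_backup_active: bool) -> str:
    """Run one constructed boot scenario in temporary directories."""
    with tempfile.TemporaryDirectory() as usb, tempfile.TemporaryDirectory() as flash:
        make_tree(usb, deploy, backup, usb_gen)
        if flash_gen is not None:
            with open(os.path.join(flash, FLASH_GEN_ID), "w", encoding="ascii") as fh:
                fh.write(f"{flash_gen}\n")
        return usb_boot_action(usb, flash, auto_backup_active)


if __name__ == "__main__":
    print(scenario(deploy=True, backup=True, usb_gen=5, flash_gen=5, auto_backup_active=True))
    print(scenario(deploy=False, backup=True, usb_gen=5, flash_gen=5, auto_backup_active=True))
    print(scenario(deploy=False, backup=True, usb_gen=5, flash_gen=7, auto_backup_active=True))
```

The decision is purely file-based: any stick carrying a westermo/deploy/ directory replaces the running configuration at the next boot. Where USB ports are physically reachable by untrusted people, either control access to them or disable the USB bootstrap services with ”no enable” (section 7.3.14).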
  • Page 120 It is still recommended to use a custom certificate with the Web server, as the generated certificate is self-signed. See section 7.2.6.1 (Web) and 7.3.30 (CLI) for uploading certificates, and section 8.1.2 for applying a custom certificate to the Web server.
  • Page 121 PC tool for discovery and rudimentary management of Westermo switches. The CLI and the Web provide a similar mechanism (IPConfig client), i.e., once logged into the switch, it is possible to scan for other Westermo units on the same LAN.
  • Page 122 – Main partition of size 8.5 MB (hex 0x00880000) and backup of size 7 MB (hex 0x00700000) means the old partition table is used. WeOS 4.3.x refers to all patch releases (4.3.0, 4.3.1, . . . ) of the WeOS 4.3 feature branch.
  • Page 123: Version 4.24

    Updating the flash partition table will corrupt your system! Configuration files, certificates and backup image will be destroyed. Although this update facility has been tested extensively by Westermo there are no guarantees it will work flawlessly for all use cases.
  • Page 124 4. Restore configuration files, any necessary certificates and the system backup image.
  • Page 125: Maintenance Via The Web Interface

    The IP address of the FTP/TFTP server. Upgrade Click the Upgrade button to initiate firmware upgrade. Note If you use TFTP for upgrading with ”pkg” files, make sure your TFTP server supports large files, i.e., the option negotiation defined in RFC2347[28] (block size and transfer size options); a plain 512-byte-block server is limited by the 16-bit block counter.
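The TFTP option negotiation the note on page 125 refers to, as an added example that is not WeOS code and not a complete TFTP client: it builds the read request a client sends for a large pkg file, works out what an option-capable server answers in its OACK, and shows why a server without option support is a problem. The blksize and tsize options are the RFC 2348 and RFC 2349 options carried by the RFC 2347 mechanism; the file name and sizes are constructed.

```python
"""TFTP read request with RFC 2347 option negotiation.

Added example, not WeOS code and not a complete TFTP client. The pkg file
name and the file sizes below are constructed.
"""
import struct
from typing import Any, Dict

OP_RRQ, OP_OACK = 1, 6
DEFAULT_BLKSIZE = 512
MAX_BLOCK_NUMBER = 0xFFFF          # block numbers are 16-bit (RFC 1350)


def _cstrings(parts) -> bytes:
    return b"".join(str(p).encode("ascii") + b"\0" for p in parts)


def build_rrq(filename: str, options: Dict[str, Any], mode: str = "octet") -> bytes:
    parts = [filename, mode]
    for name, value in options.items():
        parts += [name, value]
    return struct.pack("!H", OP_RRQ) + _cstrings(parts)


def build_oack(options: Dict[str, Any]) -> bytes:
    parts = []
    for name, value in options.items():
        parts += [name, value]
    return struct.pack("!H", OP_OACK) + _cstrings(parts)


def parse_packet(pkt: bytes) -> Dict[str, Any]:
    """Decode an RRQ or OACK; reject anything malformed rather than guess."""
    if len(pkt) < 2:
        raise ValueError("short packet")
    (op,) = struct.unpack("!H", pkt[:2])
    raw = pkt[2:].split(b"\0")
    if raw[-1] != b"":
        raise ValueError("last field not NUL-terminated")
    fields = [f.decode("ascii") for f in raw[:-1]]
    if op == OP_RRQ:
        if len(fields) < 2 or len(fields) % 2:
            raise ValueError("RRQ needs filename, mode and name/value option pairs")
        return {"op": "RRQ", "filename": fields[0], "mode": fields[1],
                "options": dict(zip(fields[2::2], fields[3::2]))}
    if op == OP_OACK:
        if len(fields) % 2:
            raise ValueError("OACK option without value")
        return {"op": "OACK", "options": dict(zip(fields[0::2], fields[1::2]))}
    raise ValueError(f"unsupported opcode {op}")


def server_negotiate(request: Dict[str, Any], file_size: int, max_blksize: int = 1428) -> Dict[str, str]:
    """What an option-capable server answers in its OACK (empty dict: no OACK)."""
    accepted: Dict[str, str] = {}
    opts = request["options"]
    if "blksize" in opts:
        wanted = int(opts["blksize"])
        if 8 <= wanted <= 65464:                    # RFC 2348 range
            accepted["blksize"] = str(min(wanted, max_blksize))
    if "tsize" in opts:
        accepted["tsize"] = str(file_size)          # RFC 2349: server fills in the size on RRQ
    return accepted


def max_bytes_without_rollover(blksize: int = DEFAULT_BLKSIZE) -> int:
    """Largest file a transfer can carry before the 16-bit block counter wraps."""
    return MAX_BLOCK_NUMBER * blksize


def fits(file_size: int, blksize: int = DEFAULT_BLKSIZE) -> bool:
    return file_size <= max_bytes_without_rollover(blksize)


if __name__ == "__main__":
    rrq = build_rrq("WeOS-4.24.1.pkg", {"blksize": 1428, "tsize": 0})
    req = parse_packet(rrq)
    oack = build_oack(server_negotiate(req, file_size=40 * 1024 * 1024))
    print(parse_packet(oack))
    print(fits(40 * 1024 * 1024), fits(40 * 1024 * 1024, 1428))
```

With the default 512-byte blocks the counter wraps after about 32 MiB; a server that neither negotiates a larger block size nor handles counter rollover will fail part-way through a pkg file, which is what the note warns about.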
  • Page 126 Source Ports (Sniff Ports) Select one or more ports to monitor by selecting the port's desired sniff mode. Available modes are: Inbound (ingress) traffic, Outbound (egress) traffic, or Both (both inbound and outbound traffic).
  • Page 127 Click the Browse button to browse for the file. The behaviour of the file selection is browser specific. Restore Click this button to restore the configuration described in the file you selected in File Path.
  • Page 128 Factory reset To conduct a factory reset, press the Reset button. Only configuration files on unit flash will be affected by a factory reset. Files on an attached USB stick (if present) will not be affected.
  • Page 129 Private (a private key belonging to a regular certificate), CA (a CA certificate), or OpenVPN (an OpenVPN static key). Label A label identifying the certificate/key. Unique per certificate file type (Public, Private, CA and OpenVPN).
  • Page 130 Browse your file system for the file to import by clicking the Browse ... button. Type of Certificate (Only for PEM files) Declare the type of PEM file to upload: Public (regular certificate), Private (a private key), or CA (a CA certificate).
  • Page 131 The common name (CN) part of the distinguished name (DN) found in the imported certificate subject. Certificate Dump A raw dump of the certificate. To exit the details page, select a menu option in the navigation menu.
  • Page 132 WeOS product the license is valid for. Delete Click this icon to remove a license. You will be asked to acknowledge the removal before it is actually executed. Import Click this button to import a license.
  • Page 133 When clicking the Import button you will be presented with the license import page where you can import a license file. Licence file Browse your file system for the file to import by clicking the Browse ... button.
  • Page 134 The network host to send ICMP ECHO REQUEST packets to. Ping Count Defines the number of ICMP packets to send. Packet Size Alters the default size of the ICMP packets. This only increases the empty payload of the packet.
  • Page 135 Menu path: Tools Trace Address The network host Maximum Hops Max time-to-live (number of hops). Maximum Wait time Set the delay, in seconds, before timing out a probe packet.
  • Page 136 If the command takes too long to execute the web page may time out. Menu path: Tools IPConfig Interface The interface to scan Flash On LED If enabled, this unit will flash the ON LED while scanning.
  • Page 137 Wake-On-LAN (WOL) allows computers to be turned on or woken up by a network message (magic packet). Menu path: Tools Interface The interface to send the magic packet on. MAC Addresses The MAC Addresses of the computers to wake.
  • Page 138 The Tech support file consists of a number of text files. Configuration files can be found in the /cfg directory of the archive, and log files under the /var/log sub-directory. Since the archive contains the full configuration, treat it as sensitive when sending it to support.
  • Page 140: Maintenance Via The Cli

    <cfg:// | log:// | usb://> Section 7.3.22 copy <FROM_FILE> <TO_FILE> Section 7.3.23 erase <file> Section 7.3.24 show <running-config | startup-config | Section 7.3.25 See command description for details and exceptions.
  • Page 141 [[YYYY-MM-DD ]hh:mm[:ss]] Section 8.3.7 [no] timezone <TIMEZONE> Section 8.3.5 show timezone [QUERY|SUBSTRING] Section 8.3.8 show env Section 7.3.43 show uptime Section 7.3.44 show memory Section 7.3.45 show processes Section 7.3.46
  • Page 142 CRC, it is possible to abort the upgrade using Ctrl-C (BREAK). However, once the actual flashing starts, the BREAK signal and other blockable signals are completely disabled to prevent accidental destruction of the device partition and image contents.
  • Page 143 FTP/TFTP server with 192.168.1.1. ”upgrade pri usb://WeOS-4.15.1.pkg” upgrades the primary firmware on a WeOS unit using the pkg file WeOS-4.15.1.pkg present on a USB stick. Check that the USB stick has been mounted first using the ”dir usb://” command.
  • Page 144 Article no : 5013-1010 Revision Batch id : 140915-01274960-00001 Channel interfaces : 2 Bandwidth limit : Disabled (for CPU channels) ... (More info follows) example:/#> 7.3.3 Manage Boot Options Syntax boot Context Admin Exec context
  • Page 145 Use ”cable-reset” to enable and ”no cable-reset” to disable cable factory reset. Use ”show cable-reset” to show the current setting. Default values Enabled
  • Page 146 Use ”show boot-order” to view the configured boot order. Flash will be listed as second choice if ”boot-order bootp” is set. Default values Flash. Future versions of WeOS may include support for boot order of software image files.
  • Page 147 60 seconds. The BOOTP client will wait one extra back-off interval after the last transmitted request, thus the actual timeout can be roughly 60 seconds longer than configured.
  • Page 148 Use ”no mac” to reset the BOOTP MAC setting to default. Use ”show mac” to show the BOOTP MAC setting. Default values offset 1 (or more generally, the offset equals the number of CPU channels of the product).
  • Page 149 Use ”no vfs-target” to disable the setting and get the default behaviour where the file is stored in RAM only. Use ”show vfs-target” to show the VFS target setting. Default values Disabled (i.e., store in RAM only) 7.3.10 Manage Console Settings Syntax [no] console
  • Page 150 Password reset : Enabled Factory reset : Disabled example:/boot/#> console example:/boot/console/#> no password-reset example:/boot/console/#> show Password reset : Disabled Factory reset : Disabled example:/boot/console/#> 7.3.12 Enable/Disable Console Factory Reset Syntax [no] factory-reset Context System Bootstrap Console context
  • Page 151 Use ”show usb” to list configured USB settings (also available as ”show” command within the System Bootstrap USB context). Default values N/A 7.3.14 Enable/disable USB Bootstrap Services Syntax [no] enable Context System Bootstrap USB context
  • Page 152 The system bootup time will be prolonged up to the given timeout, unless the system discovers the USB stick before. Default values Disabled (no timeout) ”no enable” also disables the technology preview feature ”boot from USB”, see also section 7.3.5
  • Page 153 Use ”show loader” to list all bootloader settings (also available as ”show” command within the System Bootloader context). Default values N/A Example example:/boot/#> show loader Device Bootloader Configuration: Login Password: Disabled Rescue Mode Settings: Address: 192.168.2.200 Netmask: 255.255.255.0 Peer : 192.168.2.1 Port : 6000 example:/boot/#>
  • Page 154 12345”. This is used as the local and remote port number for the UDP rescue console. Defaults to UDP port 6000. Use ”no rescue-port” to reset the UDP port to the default (6000). Use ”show rescue-port” to show the configured UDP port. Default values 6000
  • Page 155 This netmask is also used as the default rescue interface netmask when selecting TFTP boot-image download (technology preview) within the boot-menu (at startup). Default values 255.255.255.0 7.3.21 Setting rescue console peer IP address (Barebox) Syntax [no] rescue-peer <IPADDR> Context System Bootloader context
  • Page 156 --> startup-config config1.cfg example:/#> 7.3.23 Copy, Store, Restore or Paste Files Syntax copy <FROM_FILE> <TO_FILE> Several methods are available to specify <FROM_FILE> and <TO_FILE>. Local file access methods are listed below:
  • Page 157 When issuing this command you are presented with a paste area where you can safely type in or paste parts of, or full, configuration files. However, when pasting in partial ”.cfg” file snippets the system will use WeOS defaults for unspecified settings.
  • Page 158 3. Copy configuration file from USB to local configuration file config3. Example example:/#> copy usb://myconfig.cfg config3 Copying myconfig.cfg to config3 ... Done. example:/#> 4. Copy configuration file onto remote server using FTP. Example example:/#> copy cfg://config0.cfg ftp://mylogin:mypw@192.168.2.99/myconfig example:/#> Note that FTP carries the login credentials and the configuration file in cleartext, so on an untrusted network prefer scp over SSH (as shown earlier in this chapter) or a USB stick.
  • Page 159 Usage Show content of a configuration file, log file, or file on a mounted USB memory. Special files are running-config, startup-config and factory-config. Use the ”dir” command to list files (section 7.3.22). Default values ”cfg” is the default file system.
  • Page 160 Syntax backup (applicable on units with USB port) Context Admin Exec Usage This command activates WeOS automatic backup and restore for USB media. The directory ”/usb/westermo/backup” is used for this purpose. See section 7.1.6 for details. Default values Not applicable. 7.3.27 Manual Restore from USB...
  • Page 161 file name. Examples: • ”cert import pkcs password "secret" ftp://1.2.3.4/bundle.p12” • ”cert import pem type public usb://remote.crt” • ”cert import ovpn ftp://1.2.3.4/tls-auth.key label tls” To remove/delete a certificate by label, use ’force’ to avoid questions:
  • Page 162 file for a specific protocol/service. For example, ”no license mrp” would remove an MRP license file if present. Use ”show license” to show installed protocol licenses on this product. Default values Not applicable.
  • Page 163 64 bytes from 192.168.131.1: seq=2 ttl=64 time=0.810 ms 64 bytes from 192.168.131.1: seq=3 ttl=64 time=0.823 ms --- 192.168.131.1 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.810/1.825/4.832 ms example:/#>
  • Page 164 Default values Default user ”admin”, default (TCP) port number ”22”. 7.3.36 Remote Login to another device (Telnet Client) Syntax telnet <IPADDR|DOMAINNAME>[:PORT] Context Admin Exec context. Usage Login to remote device using Telnet. Default values Default (TCP) port number ”23”.
  • Page 165 Usage The command has two purposes: • Scan the network for IPConfig neighbours on the given interface, i.e., scan for other Westermo devices with the IPConfig service enabled (see section 8.3.31). • Show status of the IPConfig process on the own device, if enabled.
  • Page 166 ”no monitor” will disable port monitoring (in the same way as ”no enable” within the Port Monitoring context, see section 7.3.40). Use ”show monitoring” to show port monitoring settings (also available as ”show” command within the Port Monitoring context). Default values Not applicable.
  • Page 167 Use ”show source” to show the current set of ports being monitored. Default values By default there are no source ports. Commands apply both to ”ingress” and ”egress” if neither is specified. 7.3.43 Show System Environment Sensors Syntax show env Context Admin Exec context.
  • Page 168 Admin Exec context. Usage Show a list of currently running processes. Default values Not applicable. DDM/DOM diagnostic information is only available for Westermo DDM SFPs, see the SFP Transceiver Datasheet of your WeOS product (www.westermo.com).
  • Page 169 6.2 MiB mtd4 BareboxEnv 256.0 KiB example:/#> • Example with a WeOS unit (Basis platform) with RedBoot bootloader (see partition mtd0). Note, Barebox is now the preferred bootloader for the Basis platform (see example above).
  • Page 170 Corazon platform (see example above). Example:
      example:/#> show partitions
      Partition  Name           Size
      ===============================================================================
      mtd0       Linux_main     56.0 MiB
      mtd1       Linux_backup   56.0 MiB
      mtd2       Config         15.0 MiB
      mtd3       U-Boot Config  512.0 KiB
      mtd4       U-Boot         512.0 KiB
      example:/#>
  • Page 171 Usage This command is used to update the flash partition table on early RedFox units, in order to allow firmware upgrades to WeOS release 4.3.0 or later. For details, see section 7.1.11. Default values Not applicable.
  • Page 172: General System Settings

    8.1 Overview of General System Features Feature General Description System Identity and Time System Hostname System Location System Contact System Time Zone System Date/Time Controlling Management Services Manage LLDP service Section 8.1.1
  • Page 173 • Remote port number • Port identifier • Chassis identifier • Management IP address (see note below) • Hostname Web configuration of System Time Zone is done as part of the Network settings, see section 22.5.
  • Page 174 In WeOS the Web server runs the Web GUI. Configurable Web server settings are: • Session Timeout: A user logging in via the Web GUI will automatically be logged out if inactive for this period of time. The timeout can be disabled. Default: 10 min
  • Page 175 WDT itself and a basic driver is still active to handle unexpected failure modes. This reset counter is also used for the ”SNMP engine boot counter” (OID snmpEngineBoots in the SNMP FRAMEWORK MIB).
  • Page 176: Managing System Settings Via Web

    Max 64 characters. Valid characters are ASCII 32-126. ”Space” (ASCII 32) is not valid as first or last character. Change the values to appropriate values for your switch and click the Apply button.
  • Page 177 The IP address of a time server to be used to keep the unit's calendar time synchronised. Leave empty if you do not want to use a time server. Timezone Select a timezone region to get adjusted local time.
  • Page 178 8.2.2 Enable/disable LLDP via the web interface Menu path: Configuration LLDP Edit Click this icon to edit LLDP settings Remove Click this icon to disable LLDP and remove LLDP settings. Menu path: Configuration LLDP
  • Page 179 Use the icon to remove the custom TLV. Id, OUI and Subtype (Multiple fields) are mandatory. Value can be entered as an ASCII string or a hexadecimal sequence. Check the Hex box to enter Value as a hexadecimal sequence.
  • Page 180 8.2.3 Show LLDP Status via the web interface Menu path: Status LLDP
  • Page 181 Change the session timeout value. Default 10 min. HTTP Port Change HTTP port. Default 80. HTTPS Port Change HTTPS port. Default 443. Custom certificate Select a custom HTTPS certificate. The certificate must have been previously imported (as described in section 7.2.6.1).
  • Page 182: Managing System Settings Via Cli

    Section 8.3.15 [no] custom-tlv <ID> Section 8.3.16 [no] oui <OUI> Section 8.3.17 [no] subtype <0-255> Section 8.3.18 [no] value <string|hex> <VALUE> (empty) Section 8.3.19 Show LLDP status show lldp Section 8.3.20
  • Page 183 ”show” command within the General System Configuration). The default hostname depends on the product family, e.g., Lynx products have the default hostname lynx. LLDP is enabled on all LAN ports by default, except for xDSL ports. Since the advertised TLVs include the hostname and management IP address, consider disabling LLDP on ports facing untrusted equipment.
  • Page 184 first or last character. ”no location” resets the location string to its default value (empty). Use ”show location” to view the configured location setting. Default values (empty) 8.3.4 System Contact Syntax contact <STRING> Context General System Configuration context
  • Page 185 Usage Limit the traffic sent to the CPU in kbit/s or frames per second (traffic from the CPU is not affected). It is also possible to use the modifiers k/M/G, e.g., 256k or 10M, as specifiers for kbps and Mbps.
  • Page 186 Use ”no cpu-bandwidth-limit” to disable CPU bandwidth limitation. Use ”show cpu-bandwidth-limit” to view the configured CPU bandwidth limit setting. Default values Auto (”cpu-bandwidth-limit auto”) 8.3.7 Set or show System Date and Time Syntax date [[YYYY-MM-DD ]hh:mm[:ss]] Context Admin Exec context.
  • Page 187 8.3.9 Manage LLDP settings Syntax [no] lldp Context Global Configuration context. Usage Enter LLDP Configuration context. Use command ”lldp” to enter the LLDP Configuration context. The LLDP Configuration context is created if it does not exist.
  • Page 188 Eth 2 enabled Eth 3 enabled Eth 4 enabled Eth 5 enabled Eth 6 enabled Eth 7 enabled Eth 8 enabled Eth 9 enabled Eth 10 enabled example:/config/lldp/#> 8.3.11 LLDP Transmission Interval Syntax [no] tx-interval <1-300>
  • Page 189 Usage Enter LLDP Port Configuration context for a port or a set of ports. Use ”port <PORTLIST>” to enter LLDP Port Configuration for one or more ports, or ”port all” to enter LLDP Port Configuration for all (LAN) ports.
  • Page 190 Use ”custom-tlv <ID>” to map a specific custom TLV to this port. Use ”no custom-tlv <ID>” to remove a specific custom TLV from this port, or ”no custom-tlv” to remove all custom TLVs configured for this port. Use ”show custom-tlv” to show the current setting.
  • Page 191 Configuring the vendor code for the TLV is mandatory, otherwise the setting is not valid. By default the vendor code is not set. Use ”no oui” to reset the value to default, and use ”show oui” to show the current setting.
  • Page 192 ”value hex c0:ff:ee” (or ”value hex c0ffee”) will be sent as c0 ff ee. Use ”no value” to skip the value field (zero length). This is the default. Use ”show value” to show the current setting. Default values Not applicable (empty)
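What the custom TLV settings of sections 8.3.17 to 8.3.19 (oui, subtype, value string|hex) become on the wire, as an added example that is not WeOS code: an encoder and a length-checking decoder for an LLDP organizationally specific TLV (type 127, IEEE 802.1AB), including the ”c0:ff:ee” / ”c0ffee” value forms and the zero-length value of ”no value”. The OUI 00:11:22 is a placeholder, not a real vendor assignment.

```python
"""LLDP organizationally specific TLV (type 127) encoder/decoder.

Added example, not WeOS code. Wire format per IEEE 802.1AB: 7-bit type,
9-bit length, 3-octet OUI, 1-octet subtype, information string. The OUI
00:11:22 used below is a placeholder, not a real vendor assignment.
"""
import struct
from typing import Any, Dict, Tuple

TLV_ORG_SPECIFIC = 127
MAX_TLV_LENGTH = 511              # 9-bit length field
MAX_INFO_STRING = MAX_TLV_LENGTH - 4


def parse_oui(text: str) -> bytes:
    """Accept '00:11:22', '00-11-22' or '001122'."""
    oui = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(oui) != 3:
        raise ValueError("OUI must be exactly 3 octets")
    return oui


def parse_value(kind: str, text: str) -> bytes:
    """CLI semantics from the page: 'value hex c0:ff:ee' or 'c0ffee' -> c0 ff ee."""
    if kind == "hex":
        return bytes.fromhex(text.replace(":", ""))
    if kind == "string":
        return text.encode("ascii")
    raise ValueError("kind must be 'string' or 'hex'")


def encode_org_tlv(oui: bytes, subtype: int, value: bytes = b"") -> bytes:
    if len(oui) != 3:
        raise ValueError("OUI must be 3 octets")
    if not 0 <= subtype <= 255:
        raise ValueError("subtype must be 0-255")
    if len(value) > MAX_INFO_STRING:
        raise ValueError("information string too long for the 9-bit length field")
    body = oui + bytes([subtype]) + value
    header = (TLV_ORG_SPECIFIC << 9) | len(body)
    return struct.pack("!H", header) + body


def decode_tlv(buf: bytes) -> Tuple[Dict[str, Any], bytes]:
    """Decode one TLV from the front of buf; return (tlv, remaining bytes)."""
    if len(buf) < 2:
        raise ValueError("short TLV header")
    (header,) = struct.unpack("!H", buf[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    body = buf[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated TLV")          # never trust the length field blindly
    rest = buf[2 + length:]
    if tlv_type == TLV_ORG_SPECIFIC:
        if length < 4:
            raise ValueError("org-specific TLV shorter than OUI+subtype")
        return {"type": tlv_type, "oui": body[:3].hex(":"), "subtype": body[3], "value": body[4:]}, rest
    return {"type": tlv_type, "value": body}, rest


def custom_tlv_from_cli(oui: str, subtype: int, kind: str = "hex", value: str = "") -> bytes:
    """Mirror the CLI: 'oui <OUI>', 'subtype <0-255>', 'value <string|hex> <VALUE>'."""
    info = parse_value(kind, value) if value else b""   # 'no value' -> zero length
    return encode_org_tlv(parse_oui(oui), subtype, info)


if __name__ == "__main__":
    tlv = custom_tlv_from_cli("00:11:22", 1, "hex", "c0:ff:ee")
    print(tlv.hex(" "))
    print(decode_tlv(tlv)[0])
```

The decoder checks the 9-bit length against the bytes actually present before indexing into the body; that is the check a receiver of untrusted LLDP frames must make, since the length field is attacker-controlled.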
  • Page 193 Capability: Location Capability: MDI/PSE Capability: MDI/PD Capability: Inventory ------------------------------------------------------------------------------- 8.3.21 Manage Watchdog settings Syntax [no] watchdog Context Global Configuration context. Usage Enter Watchdog Configuration context. Use command ”watchdog” to enter the Watchdog Configuration context.
  • Page 194 Recommended to set to 1/3 of the kernel watchdog timeout, see section 8.3.24. ”interval 10” will set the kick interval to 10 seconds. Use ”no interval” to reset the interval to default (20).
  • Page 195 8.3.25 Show Watchdog Status Syntax show watchdog Context Admin Exec context. Usage Show watchdog status information. Default values Not applicable. Example example:/#> show watchdog Reset counter example:/#> 8.3.26 Enable/disable Web Management Interface Syntax [no] web
  • Page 196 Usage Configures the HTTP port for the Web server, e.g., ”port 8080” makes the Web server listen for HTTP on port 8080. ”no port” resets the Web server to listen on the default port (80). ”show port” shows the current HTTP port setting. Default values 80
  • Page 197 ”no certificate” resets the HTTPS certificate to the default, an automatically generated certificate. Example example:/#> show cert Type Label Common Name Expires =========================================================== custom1 device.example.com Apr 19 2017 GMT custom1 example:/#> configure example:/config/#> web example:/config/web#> certificate custom1 example:/config/web#> leave
  • Page 198 Use ”show ipconfig” to list whether IPConfig is enabled or disabled. Note: There is another ”show ipconfig” command available in the Admin Exec context, which is used (1) to scan for neighbour Westermo units, and (2) to list status information on the IPConfig server running on this device, see section 7.3.37.
  • Page 199 IPConfig, while allowing use of IPConfig to discover the unit and status information retrieval. Example example:/#> config example:/config/#> show ipconfig Ipconfig is enabled Read only mode : Disabled example:/config/ipconfig/#> read-only Setting IPconfig read only mode Enabled example:/config/ipconfig/#> end
  • Page 200 Use ”no telnet” to disable the Telnet server. Warning Then the switch cannot be managed via Telnet. Use ”show telnet” to list current Telnet configuration settings (also available as ”show” command within the Telnet Configuration context). Default values Disabled (”no telnet”). Telnet carries credentials and the whole session in cleartext; leave it disabled and use SSH unless there is a specific reason not to.
  • Page 201: Authentication, Authorisation And Accounting

    (in addition to certificates) as part of the authentication step. The username and password credentials are then verified using the WeOS AAA framework. See chapter 37 for more information on SSL VPN security.
  • Page 202: Overview Over Aaa

    (HTTP/HTTPS) by default. See additional information below and section 9.1.2.1. password Password reset function. Only accessible from console. Can be disabled. See sections 7.1.3.2 and 7.3.11. factory Factory reset function. Only accessible from console. Can be disabled. See sections 7.1.3.2 and 7.3.12.
  • Page 203 ”maintainers” for a local database of system maintainers. American Standard Code for Information Interchange (ASCII), see e.g. http://en.wikipedia.org/wiki/ASCII (accessed May 2009).
  • Page 204 Creating new remote server 1 example:/config/aaa/remote-server-1/#> password RADiuSseCret example:/config/aaa/remote-server-1/#> address 192.168.5.1 example:/config/aaa/remote-server-1/#> type radius example:/config/aaa/remote-server-1/#> auth-port 1812 example:/config/aaa/remote-server-1/#> end example:/config/aaa/#> Note A remote server of type TACACS+ will use CHAP as authentication protocol, which is not configurable.
  • Page 205 33) to protect the authentication communication is strongly recommended. 9.1.1.4 Authentication Chains WeOS supports use of authentication chains. An authentication chain is an ordered list of authentication methods, and enables you to handle more advanced
  • Page 206 Only if a method is unavailable (no response from a remote server or group of servers) will the next method be tried. Example example:/config/aaa/#> auth-chain 1 Creating new auth-chain 1 example:/config/aaa/auth-chain-1/#> method server 1, local-db 1 example:/config/aaa/auth-chain-1/#> no continue-on-reject example:/config/aaa/auth-chain-1/#> end
  • Page 207 AAA framework. The built-in account method is limited to the login service on purpose. The central server, local database and authentication chain methods also have limited applicability for different services, but these limitations may be removed in future versions of WeOS.
  • Page 208 WeOS unit. If the request sent to the server results in reject or timeout, the WeOS unit falls back to using the built-in accounts. Because the fallback also applies to an explicit reject, a central policy cannot lock out the built-in admin account, so its password must be strong and changed from the default. Example example:/config/aaa/#> login example:/config/aaa/login/#> method server 1 example:/config/aaa/login/#> end example:/config/aaa/#>
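The evaluation rules stated on pages 206 and 208 (next chain method only on ”unavailable” unless continue-on-reject is set; login with ”method server 1” falls back to the built-in accounts on reject or timeout), as an added model that is not WeOS code. It makes the fail-closed versus fail-open difference between a server reject and a server timeout explicit; the outcome tables are constructed.

```python
"""Evaluation rules for a WeOS authentication chain and the login fallback.

Added example, not WeOS code. Models the rules stated on these pages:
methods in a chain are tried in order; the next method is consulted only
when the previous one is unavailable (no response), unless
continue-on-reject is set; and for the login service a reject or timeout
from the server method falls back to the built-in accounts. The outcome
tables used below are constructed.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # timeout / no response from server or group


def evaluate_chain(methods: List[str], continue_on_reject: bool,
                   outcome: Callable[[str], Result]) -> Tuple[Result, List[str]]:
    """Return (final result, list of methods that were actually consulted)."""
    consulted: List[str] = []
    for method in methods:
        consulted.append(method)
        result = outcome(method)
        if result is Result.ACCEPT:
            return Result.ACCEPT, consulted
        if result is Result.REJECT and not continue_on_reject:
            return Result.REJECT, consulted     # explicit reject ends the chain
        # UNAVAILABLE, or REJECT with continue-on-reject: try the next method
    # Every method was unavailable (or rejected with continue-on-reject).
    return Result.REJECT, consulted


def login(server_result: Result, builtin_password_ok: bool) -> str:
    """Login service with 'method server 1': reject or timeout -> built-in accounts."""
    if server_result is Result.ACCEPT:
        return "accepted:server"
    return "accepted:builtin" if builtin_password_ok else "rejected"


def table(outcomes: Dict[str, Result]) -> Callable[[str], Result]:
    """Turn a constructed outcome table into the callable evaluate_chain expects."""
    return lambda method: outcomes[method]


if __name__ == "__main__":
    chain = ["server 1", "local-db 1"]
    # RADIUS answered with a reject: local-db is never asked (fail closed).
    print(evaluate_chain(chain, False, table({"server 1": Result.REJECT, "local-db 1": Result.ACCEPT})))
    # RADIUS did not answer: local-db takes over.
    print(evaluate_chain(chain, False, table({"server 1": Result.UNAVAILABLE, "local-db 1": Result.ACCEPT})))
    # Built-in admin still works when the central server says no.
    print(login(Result.REJECT, builtin_password_ok=True))
```

The last case is the one to design around: whoever knows the built-in admin password logs in regardless of what the RADIUS or TACACS+ server decides, so central revocation of a person's account does not remove their access if they also hold that password.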
  • Page 209 SSH and Telnet per network interface, using the WeOS management interface feature, see section 22.2.7. For units running WeOS Extended you can
    Future versions of WeOS may include support for giving different users different authorisation
  • Page 210 The WeOS AAA framework can be used for authenticating IEEE 802.1X supplicants. As of WeOS v4.24.1 only the central server method, of type RADIUS, can be used for 802.1X authentication. For information on the IEEE 802.1X service in WeOS, see section 15.2.
  • Page 211: Managing Aaa Via The Web

    In this section the password for the built-in account admin can be changed. New Password Enter the new password for the admin account. Repeat New Password To minimise the risk of typing errors, enter the new password for the admin account once again.
  • Page 212 Select login method from the drop-down box. Only configured local databases and servers/groups, of type RADIUS and TACACS+, will be visible in the box. If Disabled is selected, only the built-in admin account will be enabled.
  • Page 213 Click this icon to remove the user database. You will be asked to acknowledge the removal before it is actually executed. Click this button to add a new user database. See section 9.2.4 for details. You can create at maximum 4 databases.
  • Page 214 After pressing the Apply button, users can be added to the database. See section 9.2.6. 9.2.5 Edit a local user database Menu path: Configuration Local Users DB See section 9.2.4 for descriptions of the fields on this page.
  • Page 215 The users list is displayed on the edit page for the local user database. Username A username unique in this database. New User Press this button to create a new user in this database. See section 9.2.7.
  • Page 216 New User Username A username unique in this database. Password The password for this user. 9.2.8 Edit User Menu path: Configuration Local Users DB (Users table) See section 9.2.7 for descriptions of the fields on this page.
  • Page 217 9.2.9 Remote Server overview Menu path: Configuration Remote Server The main page for Remote Server shows an overview of configured server groups and the remote server configurations.
  • Page 218 You will be asked to acknowledge the removal before it is actually executed. New Server Click this button to add a new remote server configuration. See section 9.2.13 for details. You can define at maximum 6 remote server configurations.
  • Page 219 Only remote servers of the same type as the group will be added. Use the icon to remove a server from the group. You are limited to max 3 servers per group.
  • Page 220 9.2.11 Add a server group Menu path: Configuration Remote Server New Group See section 9.2.10 for descriptions of the fields on this page. You can have at maximum 2 server groups.
  • Page 221 TACACS+ but can be changed here if needed. If port number 0 is entered, the standardised port number will be configured. Secret Optional. The shared secret (password) used to protect the communication with this server. For RADIUS it authenticates the packets and hides the User-Password attribute (the rest of the packet is not encrypted); for TACACS+ it encrypts the packet body. Always set it, choose a long random value, and protect the exchange itself as recommended earlier in section 9.1.1.
  • Page 222 Westermo OS Management Guide Version 4.24.1-0 9.2.13 Add a remote server Menu path: Configuration Remote Server New Server section 9.2.12 for descriptions of the fields on this page. You can have at maximum 6 remote server configurations. © 2018 Westermo Teleindustri AB...
  • Page 223 Click this icon to remove the authentication chain. You will be asked to acknowledge the removal before it is actually executed. Click this button to add a new authentication chain. section 9.2.15 for details. You can create at maximum 4 authentication chains. © 2018 Westermo Teleindustri AB...
  • Page 224 Press the Apply button to store changes. 9.2.16 Edit an authentication chain Menu path: Configuration Auth Chain Click the pen icon in the overview page to edit a specific chain. See section 9.2.15 for descriptions of the fields on this page. © 2018 Westermo Teleindustri AB...
  • Page 225 Removing an IEEE 802.1X instance will not remove the referenced RADIUS group or server. Click this button to add a new IEEE 802.1X instance. section 9.2.19 for details. You can currently only create one instance. © 2018 Westermo Teleindustri AB...
  • Page 226 IMPORTANT: Creating an IEEE 802.1X instance does not in itself activate authen- tication. Port access is managed in the VLAN configuration. See sections 15.2 and 15.3.4. The instance here must be referenced from the port access configu- ration for it to be used! © 2018 Westermo Teleindustri AB...
  • Page 227 Westermo OS Management Guide Version 4.24.1-0 9.2.19 Add an IEEE 802.1X instance Menu path: Configuration 802.1X section 9.2.18 for descriptions of the fields on this page. You can currently only configure one IEEE 802.1X instance. © 2018 Westermo Teleindustri AB...
  • Page 228 New List Click this button to add a new MAC authentication list. See section 9.2.22 for details. You can create up to 8 MAC authentication lists. © 2018 Westermo Teleindustri AB...
  • Page 229 Port access is managed in the VLAN configuration. See sec- tions 15.2 and 15.3.4. The created MAC authentication list must be referenced from the port access configuration for it to be used! © 2018 Westermo Teleindustri AB...
  • Page 230 Westermo OS Management Guide Version 4.24.1-0 9.2.22 Add a new MAC authentication list Menu path: Configuration MAC Auth New List section 9.2.21 for descriptions of the fields on this page. © 2018 Westermo Teleindustri AB...
  • Page 231: Managing Aaa Via The Cli

    1812 | 49 Section 9.3.13 Configure Server Groups [no] server-group <GID> [type <TYPE>] Section 9.3.14 type <radius | tacacs> radius Section 9.3.15 [no] description <STRING> Section 9.3.16 [no] server <ID|ID,ID|ID,ID,ID> Section 9.3.17
  • Page 232 [limit <PORT>] [description <STRING>] Section 9.3.31 9.3.1 Manage AAA Settings Syntax aaa Context Global Configuration context Usage Enter AAA Configuration context (Authentication, Authorisation and Accounting). The AAA context is used for managing user account settings,
  • Page 233 9.3.3 Manage AAA Login Settings Syntax login Context AAA Configuration Usage Enter AAA Login Configuration context. The AAA Login Configuration context is currently only used for managing the login method, see section 9.3.4.
  • Page 234 When a login method is chosen the built-in admin account will still be there, last in the authentication chain. Default values Disabled Examples • Using a remote server for login authentication:
  • Page 235 1 Creating new server group 1 example:/config/aaa/server-group-1/#> server 1,2 example:/config/aaa/server-group-1/#> type tacacs example:/config/aaa/server-group-1/#> end example:/config/aaa/#> login example:/config/aaa/login/#> method group 1 example:/config/aaa/login/#> end example:/config/aaa/#> • Using a local user database for login:
  • Page 236 To list all configured databases, use "show local-db". Default values The "TYPE" parameter is "plain" by default. 9.3.6 Add/Delete User in Local Database List Syntax [no] username <USERNAME> <SECRET> Context Local User Database Configuration context
  • Page 237 Use quotation marks around the string if you want to have a description containing space characters. To view the current description, use "show description". Default values Empty. Examples Example example:/config/aaa/local-db-0/#> description PPPUsers or ... example:/config/aaa/local-db-0/#> description "PPP Users"
  • Page 238 Use this command to specify the type of a remote server connector. The supported types are "radius" and "tacacs". Use "show type" to show the configured remote server type. Default values "radius" 9.3.10 Configure Remote Server Description Syntax [no] description <STRING>
  • Page 239 IP address or a name. Names will be looked up via DNS. Use "show address" to show the configured remote server address. Default values Empty. This will reject authentication for the services using this server. Examples Example example:/config/aaa/remote-server-0/#> address 1.2.3.4 or ... example:/config/aaa/remote-server-0/#> address myserver.mydomain.se
  • Page 240 Default values 0, automatically changed to the standard port number for the chosen server type. 9.3.14 Manage Server Groups Syntax [no] server-group <GID> [type <TYPE>] Context AAA Configuration context Usage Enter Server Group Configuration context to create, modify or remove a server group.
  • Page 241 Context Server Group Configuration context Usage Set or remove the server group description string. Use "description <STRING>" to set a description for this group or "no description" to remove the current description. Use quotation marks
  • Page 242 Use "show server" to show the configured members of the server group (listed order is fall-back order). Default values Empty. This will reject authentication for the services using this group.
  • Page 243 The order of the methods is important, since the methods are queried in the order defined. The first (leftmost) method in the chain is queried first. See section 9.1.1.4 for more information on how the methods are queried.
  • Page 244 Use "show description" to show the configured authentication chain description. Default values Empty. Examples Example example:/config/aaa/auth-chain-0/#> description MyChain or ... example:/config/aaa/auth-chain-0/#> description "The Chain"
  • Page 245 Use "show dot1x-auth" to list all 802.1X authentication instances, or "show dot1x-auth <ID>" to show information on a specific instance (also available as "show" command within the 802.1X Configuration context). Default values Not applicable.
  • Page 246 Use "show description" to show the configured instance description setting. Default values Empty. Examples Example example:/config/aaa/dot1x-auth-0/#> description My_1X_net or ... example:/config/aaa/dot1x-auth-0/#> description "Employees only" 9.3.25 Configure IEEE 802.1X authentication back-end servers Syntax [no] method <group <GID>|server <ID>>
  • Page 247 60 seconds. Use "no active-authentication" to disable authenticator initiated authentication. Use "show active-authentication" to show the current setting. Default values Enabled (interval 30 seconds) 9.3.27 Configure IEEE 802.1X reauthenticate Syntax [no] re-authenticate [INTERVAL]
  • Page 248 Use "show mac-auth" to list all MAC authentication lists, or "show mac-auth <ID>" to show information on a specific instance (also available as "show" command within the MAC Authentication List Configuration context). Default values Not applicable.
  • Page 249 Default values Empty. Examples Example example:/config/aaa/mac-auth-0/#> description MyMACList or ... example:/config/aaa/mac-auth-0/#> description "Trusted MAC addresses" 9.3.31 Configure MAC authentication list filters Syntax [no] mac match <MAC-PATTERN> [limit <PORT>] [description <STRING>] Context MAC Authentication List Configuration context
  • Page 250 Default values Empty, no filters. Examples Example mac-auth-0/#> mac match 00:D8:AA:2C:85:01 or with wildcard... mac-auth-0/#> mac match 00:80:C8:* or with wildcard, limit filter, and description ... mac-auth-0/#> mac match 00:D8:BB:C5:* limit 1/2 description "Laser printers on 1/2"
  • Page 251: Feature Parameters

    9.4 Feature Parameters MAX_AUTH_CHAIN_METHODS MAX_AUTH_CHAINS
  • Page 252: Ethernet Port Management

    Port priority mode Section 10.1.4 Link alarm Section 10.1.5 Inbound rate limit Section 10.1.6 Rate Selection -"- Traffic Selection -"- Outbound traffic shaping Section 10.1.7 Bandwidth per port Section 10.1.8 MDI/MDIX Section 10.1.9
  • Page 253 – one xDSL port (numbered 1), and – one serial port (numbered 1). As Ethernet and xDSL ports can be used in overlapping contexts, e.g., they can be associated with the same VLAN, a port qualifier ("eth" or "dsl") is
  • Page 254 (middle slot), and an 8-port 10/100BaseTX card (right slot). The RedFox Industrial switches come in a two-slot and a three-slot version. Fig. 10.1 shows a sample three-slot RedFox Industrial equipped with a 4-port Gigabit/SFP
  • Page 255 • Gigabit Ethernet copper ports: Gigabit Ethernet copper ports are capable of operating at 10, 100 or 1000 Mbit/s. • Gigabit Ethernet fibre ports: Gigabit Ethernet fibre ports are capable of operating at 1000 Mbit/s.
  • Page 256 IP ToS bits (IPv4) or the IP TC bits (IPv6). Classification based on the IP ToS/Diffserv bits can be used to provide higher priority to delay sensitive applications, such as IP telephony and remote login, than to bulk
  • Page 257 IP Precedence fields (RFC 1349), and IP DiffServ for best effort and control traffic (RFC 2474), assured forwarding (RFC 2597) and expedited forwarding (RFC 3246). Packets sent out on a port with a VLAN tag will carry priority information (802.1p) within their VLAN tag.
  • Page 258 The alarm is indicated in multiple ways: • SNMP trap: An SNMP trap will be sent when a link changes state, i.e., both when the link comes up, or when it goes down. This assumes that SNMP is
  • Page 259 The inbound rate limiting feature can be useful as a complement to layer-2 priority handling (see section 10.1.4) when congestion within the network is to be avoided. There are two configuration settings for inbound rate limiting:
  • Page 260 CLI. Unknown unicast traffic is traffic with a unicast destination MAC address not present in the switch forwarding database (see section 15.4.20). Unknown unicast traffic is flooded onto all ports within the (V)LAN.
  • Page 261 (broadcast, multicast and/or unknown unicast) on these Ethernet ports, there are dependencies between the settings: – Unknown unicast: Selecting "unknown unicast" implies that "unknown unicast", "multicast" and "broadcast" traffic will be subject to inbound rate limiting.
  • Page 262 • Frames per second: in range 7700-1488000 frames per second Traffic shaping calculations consider the layer-2 bits, i.e., from Ethernet destination MAC address to CRC (interframe gap and preamble bits are not counted).
  • Page 263 RX and TX when a straight cable is used. Naturally this takes a bit of time, even though all current products today do this in dedicated PHY circuitry.
  • Page 264 IEEE back-offs and timeouts in place to protect against glitches and temporary link loss that otherwise prevent the port from going UP or DOWN. Westermo has put a great deal of effort into making sure that, when enabling Fastlink, glitches and link loss still do not occur.
  • Page 265 (only) associated "tagged" with a set of VLANs. If the port's default VID is represented within that set of VLANs, the packet will be accepted. Otherwise it will be dropped.
  • Page 266 DDM/DOM information will only be listed for enabled ports. Note DDM support in WeOS is limited to Westermo DDM SFPs, see the SFP Transceiver Datasheet of your WeOS product (www.westermo.com). By comparing the TxPower on a unit with the RxPower on the unit it is connected to, the user can find out the amount of "signal strength"...
  • Page 267: Managing Port Settings Via The Web Interface

    Shows if the port is enabled or disabled Link Link status for the port. Up or down. Type The port type: Gigabit Ethernet Fibre optic, Gigabit Ethernet, Fast Ethernet Fibre optic or Fast Ethernet.
  • Page 268 To change the settings for a specific port you will have to click the edit icon, which will take you to the port setting edit page, see section 10.2.2. 10.2.2 Edit Port Settings Menu path: Configuration Port Port On this page you can change the settings for the port.
  • Page 269 Link Alarm When link alarm is enabled an alarm will be generated if the port link is down. Alarms trigger an SNMP trap message to be sent and alarms to be shown on the administration web.
  • Page 270 10.2.3 List SFP DDM/DOM diagnostics For information on how to view SFP DDM/DOM diagnostics, see section 4.4.3.
  • Page 271: Managing Port Settings Via The Cli

    Section 10.3.12 [no] unshielded Unshielded Section 10.3.13 [no] low-power Low Power Section 10.3.14 [no] default-vid <VLAN_ID> Disabled Section 10.3.15 Show port status show ports Section 10.3.16 Show SFP DDM/DOM diagnostics show environment Section 7.3.43
  • Page 272 Port Configuration. Default values Not applicable for configuration. For listing configuration, "show port" lists information on all ports by default. Entering port configuration context for Ethernet ports 1-4: Example example:/config/#> port 1-4 example:/config/port-eth1-4/#>
  • Page 273 8/35 None None Auto =============================================================================== Serial --------------------- Data ------- Stop RTS XON ------------------------ Port Ena Type Speed bits Parity bits CTS XOFF Terminate =============================================================================== Ser 1 YES rs232 115200 None OFF OFF =============================================================================== example:/config/#>
  • Page 274 10, 100 or 1000 Mbit/s, and half or full duplex. "no speed-duplex" will revert to the default configuration for the speed-duplex setting, i.e., "speed-duplex auto". Use "show speed-duplex" to show the port's speed/duplex setting. Default values auto
  • Page 275 "no priority" will revert to the default configuration for the port priority setting, i.e., "priority 0" (zero). Use "show priority" to show the port's priority setting. Default values 0 (zero) 10.3.7 Set port priority mode Syntax [no] priority-mode <tag|ip|port>
  • Page 276 Usage Use "link-alarm" to enable and "no link-alarm" to disable link-alarm for this port. When enabled, an alarm indication is activated when the link is down. Use "show link-alarm" to show the port's link-alarm setting. Default values Disabled ("no link-alarm")
  • Page 277 DSL ports, albeit not fps) Usage Configure outbound traffic shaping in kbit/s or frames per second. It is also possible to use the ISO modifiers k/M/G, e.g., 256k or 10M as specifiers for kbit/s and Mbit/s.
  • Page 278 "mdix" sets the port to crossover mode (MDIX) and "mdi" sets the port to MDI mode. This command is not valid for fibre ports. "no mdix-mode" resets the MDIX mode to the default setting ("auto"). Use "show mdix-mode" to show the port's cable crossover setting.
  • Page 279 The low-power mode is sufficient in most use cases, but for long cables or cables with specific characteristics it may be necessary to disable low-power mode. Use "low-power" and "no low-power" respectively to enable/disable low-power mode on this Ethernet port.
  • Page 280 Use "show default-vid" to show the port's "fallback default-VID" setting. Default values Disabled/cleared (no default-vid). 10.3.16 Show port status (all ports) Syntax show ports Context Admin Exec context Usage Show Port status information for all ports. Default values Not applicable.
  • Page 281: Ethernet Statistics

    Sections 11.1.1-11.1.8 give more detailed information on their meaning. Feature Description Inbound Total Bytes Section 11.1.1 Bytes Good -"- Bytes Bad -"- Mean rate -"- Total Good Packets Section 11.1.2 Unicast -"-
  • Page 282 Total Packets Section 11.1.6 Unicast -"- Multicast -"- Broadcast -"- Pause frames -"- Dropped Section 11.1.7 Filtered -"- Collisions and Busy Medium Section 11.1.8 Single -"- Multiple -"- Excessive -"-
  • Page 283 Unicast packets The number of good packets with a unicast MAC address received on the port. This would correspond to the Interface MIB ifInUcastPkts object. Counters listed within parentheses (i.e., as '(X)') are provided implicitly.
  • Page 284 11.1.4 Erroneous Inbound Packets The following counters for received erroneous packets are provided: Undersized packet Number of packets smaller than 64 bytes, and with a valid FCS. This corresponds to the RMON MIB etherStatsUndersizePkts object.
  • Page 285 The following per port counters for outbound Ethernet packets are provided. Unicast packets The number of packets with a unicast destination MAC address sent on the port. This would correspond to the Interface MIB ifOutUcastPkts object.
  • Page 286 This would correspond to the Ether-like MIB dot3StatsMultipleCollisionFrames object. Excessive Collisions The number of packets failing (i.e., dropped) due to excessive collisions (16 consecutive collisions). This would correspond to the Ether-like MIB dot3StatsExcessiveCollisions object.
  • Page 287 10 second average The average bandwidth over the last 10 seconds. 1 minute average The average bandwidth over the last minute. 10 minute average The average bandwidth over the last 10 minutes. 1 hour average The average bandwidth over the last hour.
  • Page 288: Statistics Via The Web Interface

    11.2.1 Statistics Overview Menu path: Status Port On the port statistics overview page you will be presented with a selection of statistics for each port. Additional statistic numbers are presented on the detailed view page.
  • Page 289 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh. Refresh Click on this button to reload with updated statistics. Clear All Clear all statistics counters for all ports.
  • Page 290 11.2.2 Detailed Statistics Menu path: Status Port When clicking the details icon in the overview page you will be presented with the detailed statistics page for the port.
  • Page 291 Multiple Collisions The number of packets involved in more than one collision, but finally sent successfully. Excessive Collisions The number of packets failing (i.e., dropped) due to excessive collisions (16 consecutive collisions).
  • Page 292 Click Off to turn off auto refresh. «Previous Go to statistics for the previous port. Next» Go to statistics for the next port. Refresh Click on this button to reload with updated statistics. Clear Port Clear all statistics counters for the port shown.
  • Page 293: Statistics Via The Cli

    For information about what the different statistics counters represent, see section 11.1. Default values If no PORT argument is given, a summary of statistics for all Ethernet ports is presented.
  • Page 294 For information about what the different statistics counters represent, see section 11.1. Default values If no PORT argument is given, a summary of statistics for all Ethernet ports is presented. 11.3.5 Show port bandwidth statistics Syntax show port bandwidth [PORT]
  • Page 295 Note that you must enable bandwidth statistics for the port in order to see any data here. See Section 10.3.11. Default values If no PORT argument is given, bandwidth statistics for all ports are presented.
  • Page 296: Shdsl Port Management

    SHDSL ports to VLANs (chapter 15), you can run link-layer redundancy protocols such as FRNT (chapter 16) and RSTP (chapter 18) over them, DDW-x42 refers to DDW-142 and DDW-242 products. DDW-x42-485 refers to DDW-142-485 and DDW-242-485 products.
  • Page 297 1/1 (or DSL 1) is configured as CPE and 1/2 or DSL 2 configured as CO. • Data rate: For a regular SHDSL connection, data rates can be achieved in the range from 192 kbit/s up to 5696 kbit/s depending on cable characteristics
  • Page 298 (b), multi-drop (c) and ring (d). and communication distance. For products supporting turbo-SHDSL, data rates from 32 kbit/s up to 15304 kbit/s are possible. When using PAF in DDW-x42 (and DDW-x42-485), data rates up to 30608 kbit/s are possible.
  • Page 299 The setting configures a higher threshold of the G.HS idle parameter in order to detect idle. The SHDSL line length capability will be affected, since the G.HS idle threshold and the G.HS signals meet earlier when the G.HS Threshold is raised.
  • Page 300 Ethernet ports. The SHDSL uses Ethernet First Mile (EFM) encapsulation, thus many Ethernet settings apply to the SHDSL ports. More detailed information is found in chapter • Port enable/disable: Ports can be disabled and enabled administratively.
  • Page 301 Ethernet settings for port speed/duplex mode, and MDI/MDIX mode do not apply to SHDSL ports, and thus are not configurable. Note As of WeOS v4.24.1, enabling/disabling flow control (as described in section 10.1.3) has no effect on SHDSL ports.
  • Page 302: Managing Shdsl Ports Via The Web Interface

    Central Office (CO) and one has to be configured as Customer Premises Equipment (CPE). Default for port 1/1 is CPE, and default for port 1/2 is CO.
  • Page 303 When link alarm is enabled an alarm will be generated if the port link is down. Alarms trigger an SNMP trap message to be sent and alarms to be shown on the administration web. Edit Click this icon to edit a port's settings.
  • Page 304 Corresponding values to the fixed value settings are [low-750; medium-1500; high-3000] If a custom value is configured in CLI, it will be displayed in the drop-down list. Default is Disabled
  • Page 305 Based on the content of the IP ToS bits (IPv4) or the IP TC bits (IPv6). VLAN Tag Based on the content of the (802.1p) priority field inside the received packet's VLAN tag.
  • Page 306 Bandwidth limit for outbound traffic. Disabled means no Traffic limiting. Shape Bandwidth Enable or disable bandwidth monitoring per port. See Statistics Section 11.2.2 for how to view the statistics that are gathered when this function is enabled.
  • Page 307 Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh. Refresh Click on this button to reload with updated statistics.
  • Page 308 Status of link, (Up/Down). If a link-alarm is associated with this port, an alarm icon is displayed if the link-alarm is active. Link Uptime The time since link was established.
  • Page 309 Click Off to turn off auto refresh. <<Previous Go to statistics for the previous port. Next>> Go to statistics for the next port. Refresh Click on this button to reload with updated statistics. Clear Port Clear all statistics counters for the port shown.
  • Page 310: Managing Shdsl Ports Via The Cli

    [no] default-vid <VLAN_ID> Disabled Section 10.3.15 Show SHDSL related status and statistics show <dsl|shdsl> Section 12.3.9 show ports Section 10.3.16 show rmon Section 11.3 12.3.1 Managing SHDSL port settings Syntax port [dsl|shdsl|...] <PORTLIST> Context Global Configuration context
  • Page 311 DSL2 in CO mode ("co"). Use "show co" to show whether the SHDSL port is configured to operate as Central Office or Customer Premises Equipment. 12.3.3 Setting SHDSL port rate Syntax [no] speed <auto|auto-5696k|0-5696k|0-15304k> Context SHDSL Port Configuration context
  • Page 312 Syntax [no] noise-margin <reliable|normal|high-speed [nonstrict]> Context SHDSL Port Configuration context Usage Set SHDSL port noise-margin. Note: The noise-margin setting is only relevant when the data rate is set to auto-negotiate ("rate 0", see section 12.3.3). Available noise-margin modes:
  • Page 313 "high" and a custom configured value. Corresponding values to the fixed value settings are [low-750; medium-1500; high-3000]. The custom configured value could be set in the range [0-32767] in steps of Use "no ghs-threshold" to disable the G.HS threshold.
  • Page 314 This functionality uses a different SHDSL mode compared to the default setting, thus the Low Jitter configuration must be set on both SHDSL ports sharing the physical cable. Use "show low-jitter" to show the SHDSL port's low-jitter setting. Default values Disabled
  • Page 315 Use "show emf" to show the SHDSL port's emergency freeze setting. Default values Enabled 12.3.9 Show SHDSL port status Syntax show shdsl Context Admin Exec context. Usage Show the status of all SHDSL ports. Default values Not applicable.
  • Page 316: Adsl/Vdsl Port Management

    ATM VPI/VCI Section 13.1.1-13.1.2 ATM Encapsulation Section 13.1.1-13.1.2 Restart/retrain xDSL link View xDSL port configuration View xDSL port status/statistics xDSL settings in common Section 13.1.3 with Ethernet ports ISP and network settings Section 13.1.1, 13.1.4
  • Page 317 More information on xDSL settings is found below and in sections 13.1.2-13.1.4. • xDSL settings: – ADSL or VDSL: As the Falcon can be used both for ADSL and VDSL connections, you may have to configure the xDSL mode. Default: ADSL
  • Page 318 * Annex setting for VDSL: For VDSL it is possible to let the WeOS unit automatically probe what carrier network is used (by choosing "Annex A-B"); if this does not work to bring up the VDSL line, one
  • Page 319 (untagged), while all Ethernet ports will belong to VLAN 1 (untagged). If the Falcon is configured to act as xDSL/Ethernet Bridge via the Basic Setup Page (see section 13.2.1), all ports (xDSL and Ethernet) will be mapped to VLAN 1.
  • Page 320 VLAN tag, VLAN ID, port ID, IP ToS, etc. See also section 10.1.4. • Port priority (level): The inbound priority associated with this port. See also section 10.1.4. • Link alarm: Link status can be configured as an alarm source. See also section 10.1.5.
  • Page 321 Falcon as an xDSL router or bridge. This section describes the most common steps to configure your Falcon xDSL router to connect to your ISP. Although many configuration settings are affected, setting up your ISP should be straightforward:
  • Page 322 Falcon as a router, while section 13.1.4.1 covers how to use Falcon as a switch (bridge). Both sections assume you have configured the xDSL port settings appropriately for your xDSL subscription (see also sections 13.1.1 and 13.1.2).
  • Page 323 22.2.6), in order to dynamically learn default gateway, DNS server and other global information via DHCP. Management services such as SSH, HTTP (Web), etc. are by default disabled to avoid unauthorised access from the public Internet.
  • Page 324 (here pppoe0), which now acts as our WAN interface. The example below shows the default setting for the PPPoE interface; the admin distance and management settings are automatically copied from the configuration of interface vlan1006.
  • Page 325 Falcon to become an open DNS relay on the WAN side. An open DNS relay is considered to be a security problem and can be used for remote attacks on the ISP's DNS server. DNS relay is enabled on all interfaces
  • Page 326 Falcon to your ISP. Notes on a few more settings are given below: – RSTP: Westermo switches running WeOS typically have RSTP enabled on all Ethernet and DSL ports. However, the xDSL port on Falcon has RSTP disabled by default.
  • Page 327 IP settings of interface vlan1. As an alternative to using the Basic Setup Page, you could achieve the corresponding result by removing VLAN 1006, either via the Web interface (section 15.3) or via the CLI (section 15.4) as shown below.
  • Page 328 This is usually no problem, as the Falcon by default is assigned the default IP address (192.168.2.200) on interface vlan1, and that address is not routable via the ISP. However, if limiting remote management is still a concern, you
  • Page 329 However, if you have concerns about having IP forwarding enabled, you can disable it. If you use the Basic Setup Page in the Web interface (section 13.2.1) to configure the Falcon as a switch (bridge), IP forwarding will be disabled automatically.
  • Page 330 Example falcon:/#> configure falcon:/config/#> ip falcon:/config/ip/#> no forwarding falcon:/config/ip/#> leave Configuration activated. Remember "copy run start" to save to flash (NVRAM). falcon:/#>
  • Page 331: Managing ADSL/VDSL Ports via the Web Interface

    WAN Profile: Routed (the unit will be set up as a router with a firewall protecting the LAN side from the WAN side) or Bridged (the unit will act as a plain switch).
  • Page 332 If the static IP mode is selected you are asked to fill in the following entries. Address The IPv4 address to assign to the interface. Netmask The netmask for the IPv4 address. Identifies which IP addresses are located on the same subnet.
  • Page 333 Figure 13.5: Basic Setup PPPoE If the PPPoE mode is selected you are asked to fill in the following entries. Username The username provided by the PPPoE provider. Password The password provided by the PPPoE provider.
  • Page 334 B. The annex L and M options are extensions of ADSL annex A. The annex A-B option is only available for VDSL mode. Default: Annex A (POTS) Filter External splitter or not. POTS/ISDN filter. Default: Enabled
  • Page 335 (LAN) is added. – Firewall filtering rules denying inbound UDP and TCP port 53 (DNS) are added for the external interface VLAN 1006 (WAN). In addition for the PPPoE mode: – A PPPoE configuration is added.
  • Page 336 ISP’s DNS server. DNS relay is enabled on all interfaces and should be filtered away on all interfaces facing public networks. Normal DNS traffic originating from the inside (from the LAN) will work as expected and is not affected by these rules.
  • Page 337 Click this icon to retrain the DSL ports. To change the settings for a specific xDSL port you will have to click the edit icon, which will take you to the DSL port setting edit page; see section 13.2.3.
  • Page 338 Specify whether the xDSL port should operate as an ADSL port or a VDSL port. Default: ADSL ATM Encapsulation ATM encapsulation. Default: LLC ATM PVC Framing Set the appropriate VPI and VCI for the ATM PVC. Default: VPI 8, VCI 35
  • Page 339 Bandwidth Enable or disable bandwidth monitoring per port. See Statistics Section 11.2.2 for how to view the statistics that are gathered when this function is enabled.
  • Page 340 Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh. Refresh Click on this button to reload with updated statistics.
  • Page 341 Menu path: Status Port If only one DSL port is present in the unit, or when clicking the details-icon in the overview page, you will be presented with the detailed statistics page for the DSL port.
  • Page 342 Go to statistics for next port. Only shown if more than one DSL port available. Refresh Click on this button to reload with updated statistics. Clear Port Clear all statistics counters for the port shown.
  • Page 343: Managing ADSL/VDSL Ports via the CLI

    [no] default-vid <VLAN_ID> Disabled Section 10.3.15 Show ADSL/VDSL related status and statistics show dsl Section 13.3.6 show ports Section 10.3.16 show rmon Section 11.3 13.3.1 Managing xDSL port settings Syntax port [dsl|xdsl|...] <PORTLIST> Context Global Configuration context
  • Page 344 YES adsl llc 8/35 None None Auto =============================================================================== falcon:/config/#> 13.3.2 Setting xDSL port mode (ADSL or VDSL) and carrier type Syntax [no] mode <adsl [annex <a|b|i|j|l|m|l-m>] | vdsl [annex <a|b|a-b>]> Context xDSL Port Configuration context
  • Page 345 Annex M (POTS) or Annex B or Annex J (ISDN). Annex I and J are not supported in VDSL mode. Default values ADSL over POTS (”mode adsl annex a”) 13.3.3 Specify whether external splitter is used or not Syntax [no] filter Context xDSL Port Configuration context
  • Page 346 ”pvc 8/35” is common for many other ADSL providers inside and outside Europe. Use ”no pvc” to reset the PVC to use default VPI/VCI. (In future versions of WeOS the use of ”no pvc”, as well as the default PVC setting, may change.)
  • Page 347
        : 8.3 dB
        Signal attn : 8.2 dB
        Output power: N/A
        Upstream
        --------------------------
        Rate : 832 kbps
        : 12.0 dB
        Line attn : 7.0 dB
        Signal attn : 7.0 dB
        Output power: 12.4 dB
        falcon:/#>
  • Page 348: Power over Ethernet (PoE)

    As of WeOS v4.24.1, PoE management via LLDP[22] is not supported. 14.1 Overview of Power over Ethernet (PoE) Feature General Description Per-Port PoE Configuration Enable/Disable Allocation Priority Section 14.1.2 Power Limit -”- PoE Status Consumed power Allocated Power Sections 14.1.1-14.1.2 Detected PoE Units Section 14.1.1
  • Page 349 For more details on per port power limitation and allocation, see section 14.1.2. The following additional classification is made for the connected unit depending on resistance: – Good: OK. A PoE unit is connected. (Resistance within specification of PoE class 0-4.)
  • Page 350 The customer should still ensure that PoE equipment attached to the WeOS PoE switch does not use more than P_switch,max in total.
  • Page 351 12-port Viper PoE unit, where ports X7-X10 have been configured with priority critical, X5-X6 with priority high, and X1-X3 have priority low.
  • Page 352 Configured Tie-break Order Name Priority Priority 1 (highest) critical critical critical high high 8 (lowest) Table 14.2: Example of allocation preference order for a given PoE priority configuration on a 12-port Viper PoE unit[61].
  • Page 353: Managing PoE via the Web Interface

    The port label. (Only PoE capable Ethernet ports are listed.) PoE Enabled Shows if PoE is enabled or disabled on the port. Priority Shows the configured PoE priority (Low, High or Critical) for the port.
  • Page 354 Shows the configured Power Limit for the port (in Watts), or Disabled if no port specific limit has been set. Limit Mode Shows the configured Power Limit Mode setting for the ports. Edit Click this icon to edit a port’s PoE settings.
  • Page 355 Power Limit Set port specific power limit. Allowed values are 1-30 (Watts), or Disabled (i.e., no port specific power limit). Power Limit Mode Set port specific power limit mode. See section 14.1.1 for details.
  • Page 356 14.2.3 PoE Status Menu path: Status On the PoE port status page you will be presented with global and port specific PoE status data.
  • Page 357 Click on a value to make the page reload with updated status automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh. Refresh Click on this button to reload with updated status.
  • Page 358: Managing PoE via the CLI Interface

    ”port X2”, or ”port X1-X5,X10”. Use ”port all” to configure per-port settings for all PoE ports. Use ”no port <PORTLIST>” to reset PoE port settings to their default values for the given port range.
  • Page 359 Use ”show priority” to show PoE allocation priority setting on this port. Default values Low (”priority low”) 14.3.5 Set PoE Power Limit Syntax [no] limit <1-30>
  • Page 360 PoE ports (or a given subset). Use ”show poe full” (or ”show poe full port <PORTLIST>”) to list global PoE status information, and detailed status information for all PoE ports (or a given subset).
  • Page 361 Default values Not applicable
  • Page 362: Virtual LAN

    Virtual LAN (VLAN) technology is used to create a set of separate LANs over a single physical LAN infrastructure. Each VLAN constitutes a broadcast domain, and traffic on one VLAN is (logically) isolated from traffic on another VLAN. WeOS
  • Page 363 – Each VLAN is assigned a VLAN identifier, a VLAN ID (VID); in this example VIDs 1 (ADMIN), 2 (OFFICE) and 3 (MARKETING). – Each VLAN is assigned a set of ports. In this example ports 1/1-1/2 are
  • Page 364 Port 1/1 is associated (untagged) with the ADMIN VLAN, Ports 2/1-2/4 are associated (untagged) with the OFFICE VLAN, and ports 2/5-2/8 are associated (untagged) with the MARKETING VLAN.
  • Page 365 It is recommended that a port which is shared between several VLANs is associated tagged with all those VLANs; however, it is possible to configure the port untagged on one VLAN and tagged on all other VLANs without risk of ambiguity.
  • Page 366 Special restriction on DDW-x42/DDW-x42-485: On these products the limit is 60 VLANs when FRNT is configured on the unit, and 64 VLANs when FRNT is not configured.
  • Page 367 VLAN by assigning them to other VLANs. 15.1.4 VLAN Priority It is possible to assign an IEEE 802.1p priority to a VLAN. This feature can be useful when an operator wants to assign a higher priority to traffic on a certain
  • Page 368 Routing performance may also be limited by CPU performance, packet size and enabled services. WeOS products with ”Corazon” or ”Coronet” platform (see section 1.5) have 1000 Mbit/s channels to CPU, while others have 100 Mbit/s channels.
  • Page 369 VLAN(s) - the port will not be associated with those VLANs. Further details of the mechanism to associate VLANs dynamically to an inter-switch port are given below:
  • Page 370 – Removing dynamically added VLANs: When a port loses its status as inter-switch port, all VLANs dynamically added to that port will be removed. The port will then only be associated with the VLANs it has been configured with,
  • Page 371 VLAN. The switch will automatically learn the location of stations in the LAN, by inspecting the source MAC address of each incoming packet. Once it knows on which
  • Page 372 IP multicast, all other types of MAC multicast are blocked. Adding static MAC filters enables the use of non-IP multicast on VLANs where IGMP snooping is enabled. This is a useful feature since it allows a site operator to enable non-standard multicast MAC protocols.
  • Page 373 The two features in concert guard against unsolicited flooding of multicast, which can otherwise be a big problem for end devices in an industrial network. In fact, not only do they protect access ports, but they also prevent flooding on shared VLAN trunks.
  • Page 374: Port-Based Network Access Control

    2 has not. The first PC is able to access the server or the Internet connection on ports 6 and 8. The second PC or anything connected to ports 3 or 4 will be blocked by the switch until they have authenticated themselves.
  • Page 375 Section 9.3.26) If disabled, the 802.1X client (supplicant) must initiate the authentication procedure to gain access. The 802.1X supplicants included with Microsoft Windows, Ubuntu Linux and most other equipment support supplicant initiation.
  • Page 376 The WeOS unit acts as an IEEE 802.1X authenticator, relaying the EAP messages to the RADIUS server. When configuring the 802.1X authenticator in WeOS, the RADIUS server (or group of RADIUS servers) must be specified. The procedure is as follows:
  • Page 377 A MAC pattern by default applies to all ports on the VLAN the MAC list will be mapped to, however, the MAC pattern may apply to a specific port. See chapter 9 on Authentication, Authorisation and Account-
  • Page 378 As of WeOS v4.24.1, MAC based authentication with a backend authentication server (e.g., RADIUS) is not supported. MAC aging time is by default 5 minutes, see sections 15.1.8.1 and 15.4.2 for more information.
  • Page 379: Managing VLAN Settings via the Web Interface

    In the VLAN overview table a green check-mark means that IGMP snooping is enabled, and a dash means it is disabled, on a specific VLAN. See section 15.1.5 for more information. Interface A list of associated interfaces.
  • Page 380 VLAN. Edit Click this icon to edit a VLAN. Delete Click this icon to remove a VLAN. You will be asked to acknowledge the removal before it is actually executed.
  • Page 381 VLAN. To enable the VLAN - check the box, to disable un-check the box. Name The name of the VLAN. You cannot change the VLAN name using the web tool.
  • Page 382 15.1.1. The Forbidden check-box is used to specify that this port cannot be dynamically assigned to this VLAN (see section 15.1.7 for more information on dynamic VLANs).
  • Page 383 The VLAN name will be automatically generated when using the web management tool. The name is shown directly when you change and leave the VID field if your browser is JavaScript enabled, otherwise it will be generated when you click the Apply button.
  • Page 384 15.3.3 Managing Dynamic VLAN using the web interface This enables WeOS Adaptive Dynamic Trunking (AVT) on the switch. For more information on AVT, see section 15.1.7. Menu path: Configuration VLAN Dynamic
  • Page 385 9.2.20 for configuration of MAC authentication Excluded Ports List of ports on this VLAN that are excluded from port access control. Edit Click this icon to edit the port access configuration for this VLAN.
  • Page 386 The name of the VLAN. 802.1X settings Enable IEEE 802.1X authentication for ports on this VLAN by selecting an 802.1X configuration. See section 9.2.17 for how to create and edit the 802.1X configurations.
  • Page 387 1 and 2 in the above picture. This means that the current VLAN does not have this port as a member and is therefore not relevant for exclusion. See section 15.3.1 for managing the relations between ports and VLANs.
  • Page 388 A detailed view of the authenticated hosts is shown if you click on the magnifier icon for a port. This view shows all authenticated hosts by their MAC address. The list shows hosts authenticated via IEEE 802.1X and hosts authenticated via MAC based authentication together.
  • Page 389: Managing VLAN Settings via the CLI

    [no] except-auth <PORTLIST> Disabled Section 15.4.18 Show VLAN Status and MAC Forwarding Database Status show vlans Section 15.4.19 show fdb [full] Section 15.4.20 Show Port-based Network Access Control Status show dot1x-auth Section 15.4.21 show mac-auth Section 15.4.22
  • Page 390 Usage Add or delete a static MAC address filter. The ”MACADDRESS” is written as a colon separated hexadecimal value, e.g., ”01:23:45:56:89:AB”. The ”PORTLIST” states the port(s) where packets with the given (destination) MAC address are to be forwarded. As of WeOS v4.24.1, the static MAC
  • Page 391 15.4.20) in the Admin Exec context. Use ”no profinet” to disable PROFINET pass-through. Use ”show profinet” to show the current setting. Default values Enabled 15.4.5 Managing general VLAN settings Syntax [no] vlans Context Global Configuration context
  • Page 392 Use ”no vlan <VID>” to remove an existing VLAN. The default VLAN (VLAN 1) cannot be removed. Removal of a VLAN may imply that some ports will no longer be associated with any VLAN - such ports will be configured to the default VLAN (VLAN 1) untagged.
  • Page 393 VLAN (unless they are associated with another VLAN), and any network interface associated with the VLAN will be disabled. Use ”show enable” to view the current configuration. Default values enable 15.4.9 VLAN name Syntax name <ID>
  • Page 394 VLAN implies that the same port will be removed as tagged on the same VLAN (a port cannot be associated both tagged and untagged with the same VLAN). A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.
  • Page 395 VLAN. Use ”show forbidden” to view ports associated forbidden with this VLAN. Default values Not applicable. A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.
  • Page 396 Usage Specify CPU channel to use for this VLAN. The channel identifier can take values in the range <0-CHANNELIDMAX>. The purpose of this command is to improve routing performance by mapping VLANs to different CPU channels, see section 15.1.6.
  • Page 397 15.4.17 MAC based authentication Syntax [no] mac-auth <ID> Context VLAN Configuration context. Usage Specify the MAC authentication configuration to be used for this VLAN. Setting this enables port-based network access control for all ports untagged
  • Page 398 15.4.19 Show VLAN status (all VLANs) Syntax show vlans Context Admin Exec context Usage Show VLAN status information for all VLANs. Default values Not applicable. 15.4.20 Show Current MAC Forwarding Database Syntax show fdb [full] Context Admin Exec context
  • Page 399 PROFINET: Enabled, MAC 01:0e:cf:00:00 .. 01:0e:cf:00:05:00 FDB Aging time: 300 sec. example:/#> In the example above, PROFINET pass-through has been enabled (section 15.4.4). To see exactly which MAC addresses in the 01:0e:cf:00:0x:xx range have entries, use ”show fdb full”.
  • Page 400 There may be hosts on the network that match the MAC authentication filters, but are inactive for the moment. Inactive hosts are flushed out of this list and will be re-authenticated again on resumed activity. See section 15.2.2 for details. Default values Not applicable.
  • Page 401: FRNT

    FRNT features via the Web or CLI, please visit sections 16.3 and 16.4 directly. Feature General Description Enable FRNT Section 16.1.1 Set FRNT mode (focal-point -”- or member switch) Set FRNT ring ports -”- View FRNT Status -”- FRNT bus topology -”-
  • Page 402 BLOCKED port (port ”M”) upon receiving the link down message. Figure 16.2: FRNT network operating in bus mode due to broken link.
  • Page 403 (fixed) Ethernet ports. FRNT will not work correctly on SHDSL links with speed below 64 kbit/s. In earlier WeOS versions, port ”M” and ”N” have been denoted port ”1” and ”2” respectively.
  • Page 404 The main use case for configuring an FRNT bus is to achieve a horseshoe topology, by using the FRNT bus together with Ring Coupling. See section 17.1.1.3 for more information on the horseshoe use case.
  • Page 405: FRNT, RSTP and MRP Coexistence

    Figure 16.4: Example of coexistence of FRNT and RSTP.
  • Page 406 FRNT and MRP links never occur if used in the same layer-2 network. The same restrictions apply to using MRP and RSTP on the same switch.
  • Page 407: Managing FRNT Settings via the Web Interface

    FRNT-ring, and the coupling uplink ports. Edit Click this icon to edit an FRNT instance. Delete Click this icon to remove an FRNT instance. If no FRNT instance is configured you may create one by clicking the New button.
  • Page 408 This section will appear after clicking Apply when a new FRNT instance is created. To create a new Coupling instance, click the New Coupling button (visible until MAX_RING_COUPLING_INSTANCES (section 17.4) has been reached). New and existing Ring-Couplings are edited on the page below:
  • Page 409 The uplink’s path cost. Used for calculating active uplink. Auto (check-box checked) indicates path-cost is automatically calculated (based on link speed). Delete Click this icon to remove a coupling instance. Click this icon to add a new coupling instance.
  • Page 410 FRNT port M. Port N Status of port operating as FRNT port N. Topology Change Count Number of FRNT topology changes. Time Since Last Change Time since last FRNT topology change.
  • Page 411 FRNT ”M” and ”N”) does not match the administratively configured FRNT ”M” and ”N” ports (see the FRNT configuration page in section 16.3.1), the ports are logically swapped/aligned with the ”M” and ”N” ports of the focal-point.
  • Page 412: Managing FRNT Settings via the CLI

    Usage Configure device to act as FRNT focal point for this FRNT instance. Use ”focal-point” to configure the device to act as an FRNT focal-point, and ”no focal-point” to configure the device as an FRNT member switch.
  • Page 413 Use ”show ring-ports” to show configured FRNT ring port(s). Default values Not applicable 16.4.4 Show FRNT ring status Syntax show rings Context Admin Exec context. Usage Show status of configured FRNT rings. This will provide information
  • Page 414 (i.e., if the FRNT ports’ administrative M/N state equals the operational M/N state, or if ports are swapped). – The status of the local FRNT ports (UP/DOWN, FORWARDING/BLOCKING). Default values Not applicable.
  • Page 415: Ring Coupling and Dual Homing

    Enabling sticky uplink gives ”zero” fail-over time on link-up and mitigates possible problems with flapping links. Section 17.1 presents further information on FRNT Ring Coupling and the Multi-Link Dual-Homing functionality. Web and CLI support for these features is covered in sections 17.2 and 17.3 respectively.
  • Page 416: Overview

    Only one of the uplinks is forwarding data – the active uplink, ”solid” in fig. 17.1, while the other uplink(s) are hot-standby backups, ”dashed” in fig. 17.1. To prevent traffic from flowing over backup uplinks the RiCo nodes put all backup uplinks in BLOCKING state.
  • Page 417 Remember "copy run start" to save to flash (NVRAM). example:/#> Here, the uplink priority was given the value ”100” to make it the preferred active uplink. The default is 128, for further details see section 17.1.3.
  • Page 418 The topology can be extended even further by connecting sub-rings to sub-rings in a tree structure with a super-ring as root. Fig. 17.3 shows two examples, a ladder topology (a) and a tree topology (b).
  • Page 419 Figure 17.3: Examples of tree topologies: (a) shows a ”ladder” (a tree without branches), and (b) a more generic tree of FRNT rings.
  • Page 420 E.g., if you wish to transition from using ”hello-time 100” to ”hello-time 80”, all RiCo nodes will use interval 100 ms until all RiCo nodes in the FRNT ring have been configured with interval 80 ms.
  • Page 421 – When you do not have the cable needed or spare ports available to connect the nodes in the ”sub-network” together in a ring. – If the additional robustness and failover performance, achieved by forming the ”sub-network” as a ring, is of less importance.
  • Page 422 Creating new instance 1
        example:/config/dual-homing-1/#> uplink 1
        example:/config/dual-homing-1/uplink-eth1/#> priority 100
        example:/config/dual-homing-1/uplink-eth1/#> end
        example:/config/dual-homing-1/#> uplink 2
        example:/config/dual-homing-1/uplink-eth2/#> leave
        Starting Ring bridging/dual-homing daemon ....[ OK ]
        Configuration activated. Remember "copy run start" to save to flash (NVRAM).
        example:/#>
  • Page 423 If you wish to connect a dual-homing switch to topologies other than FRNT you need to disable the synchronised dual-homing feature in the dual-homing node. An example is given below where ports 1 and 2 are configured as uplinks to non-FRNT nodes.
  • Page 424 To ensure that the dual-homing node fails over to the other uplink (the ’right’ uplink (port ’2’) in fig. 17.6) if no RiCo node is reachable via the sub-ring, port ’2’ should be configured with better uplink priority, see also section 17.1.3. A configuration example is given below.
  • Page 425 Figure 17.6: Dual-Homing used in an FRNT Ring Coupling Topology. Figure 17.7: Multiple Dual-Homing nodes in an FRNT Ring Coupling Topology.
  • Page 426 RiCo and Dual-Homing nodes send Uplink Echo packets which are returned by the FRNT node at the other end of the uplink. Thus, a RiCo and Dual-Homing node will only consider an uplink to have status up if it
  • Page 427 . The cost vector consists of the following fields. The exception is dual-homing with synchronised dual-homing enabled. Then uplinks to FRNT rings with reachable Ring Coupling nodes have precedence over other uplinks, see also section 17.1.2.1.
  • Page 428 (the adjustment value) once that link is elected as active. That is, with sticky uplink configured, the effective priority of an uplink can differ from the configured priority.
  • Page 429 An exception is when connecting a Dual-Homing uplink to a non-FRNT switch; the fail-over of multicast traffic will instead occur on the next reception of an IGMP Report (if IGMP snooping is enabled). See also section 17.1.2.1.
  • Page 430: Managing via the Web

    Click this icon to edit a dual-homing instance. Delete Click this icon to remove a dual-homing instance. Use the New button to create a new Dual-Homing instance. Up to MAX_DUAL_HOMING_INSTANCES (section 17.4) can be created.
  • Page 431 The uplink’s path cost. Used for calculating active uplink. Auto (check-box checked) indicates path-cost is automatically calculated (based on link speed). Delete Click this icon to remove a dual-homing instance. Click this icon to add a new dual-homing instance.
  • Page 432 Speed duplex on the uplink port. Synchronized A green check-box indicates this uplink has been synchronised with its neighbour at the remote end of the uplink. Only applicable for local uplinks.
  • Page 433 Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh. Refresh Click on this button to reload with updated statistics.
  • Page 434: Managing via the CLI

    17.3.1 Managing FRNT Ring Coupling Syntax [no] coupling [ID] Context FRNT Configuration context Usage Use ”coupling ID” to enter FRNT Ring Coupling Configuration context of the given Ring Coupling instance ID. Currently only a single Ring Coupling in-
  • Page 435 Usage Use ”hello-interval VALUE” to set the hello interval (in milliseconds) to be announced by this ring coupling node. Note The effective hello-interval used will be the highest interval announced by any ring coupling node in the FRNT ring.
  • Page 436 The path-cost is used when electing the active uplink – the link with the lowest cost will be the active uplink. If the costs of two uplinks are equal, their uplink priority (section 17.3.6) is considered. For more details, see section 17.1.3.
  • Page 437 A comes up again (90 < 100). ”show priority” will show the configured uplink priority. Default values priority 128 (no adjustment) 17.3.7 Set Ring Coupling Uplink Echo Interval Syntax [no] echo-time <20..1000>
  • Page 438 ”show dual-homing ID” for configuration information on a specific dual-homing instance (also available as ”show” command within the Dual-Homing Configuration context). Default values Default ID is 1 17.3.9 Enable/Disable Multi-Link Dual-Homing Syntax [no] enable Context Dual-Homing Configuration context
  • Page 439 Up to MAX_DUAL_HOMING_UPLINKS (section 17.4) can be created. Use ”no uplink PORT” to remove the given port as uplink for this dual-homing node, or use ”no uplink” to remove all uplinks for the node.
  • Page 440 Usage Configure uplink priority, and optionally enable sticky uplink election by setting adjust value. – Use ”priority VALUE” to set priority value. A lower value increases the chance for this uplink to be elected as active uplink (lower is better).
  • Page 441 Usage Use ”echo-time VALUE” to set the uplink echo interval (in milliseconds) to check the integrity of the uplink. ”no echo-time” resets the configured echo interval to the default setting (200 milliseconds). Use ”show echo-time” to show the configured echo interval. Default values 200 (msec)
  • Page 442 The active uplink is marked with >>. In this case, the lowest MAC address was used as tie-breaker to elect the active uplink. 17.3.16 Show Multi-Link Dual-Homing Status Syntax show dual-homing Context Admin Exec context Usage Use ”show dual-homing” to show status of Multi-Link Dual-Homing instances. Default values Not applicable
  • Page 443 6 128/0 ------- -------- >> 5 00:07:7c:10:df:00 eth 5 128/0 200000 100-Full example:/#> The active uplink is marked with >>. In this case, only one uplink was up in each of the dual-homing instances.
  • Page 444: Feature Parameters

    Westermo OS Management Guide Version 4.24.1-0 17.4 Feature Parameters MAX_RING_COUPLING_INSTANCES MAX_RING_COUPLING_UPLINKS MAX_DUAL_HOMING_INSTANCES MAX_DUAL_HOMING_UPLINKS
  • Page 445: Spanning Tree Protocol - Rstp And Stp

    18.1.1-18.1.3. 18.1.1 Spanning Tree Introduction Loops in switched networks are dangerous, since packets can loop around forever and jam the network - as opposed to IP and routed networks, Ethernet frames do
  • Page 446 RSTP has shorter convergence time than STP. (FRNT has even faster convergence, see chapter 16.) In RSTP/STP terminology, a switch is referred to as a bridge. Spanning tree is a
  • Page 447 In RSTP the Message Age field in the Hello Messages effectively acts as a hop count, counting the distance from the Root. If the Message Age exceeds the Max Age the packet is dropped. Thus, the setting of the Max Age parameter restricts the size of the RSTP LAN.
  • Page 448 LAN infrastructure. Therefore, bridges inherit these parameter values from the current root bridge, irrespective of the corresponding parameter setting in the bridge itself.
  • Page 449 Each port is associated with a cost referred to as a path cost. Low-speed links are generally given a high cost, which increases the probability of the port ending up in blocking state (and vice versa), in case spanning tree discovers a loop.
  • Page 450 RSTP mode. When operating a network including a mix of RSTP and STP bridges, it may be necessary to configure path costs manually to get the intended spanning tree behaviour, see also section 18.1.3.
  • Page 451: Managing Rstp Via The Web Interface

    Maximum Age Timeout The time the unit will wait before considering a neighbour designated bridge down after the last Hello message was heard from the neighbour.
  • Page 452 It is recommended that this box is checked for every port where it is certain that only end hosts and routers connect. Ports which (may) connect to another switch should have this box un-checked.
  • Page 453 MAC Address The local MAC address that is used for the bridge ID. If local and root values are equal, this switch is root. Priority Priority value configured on the unit.
  • Page 454 (i.e., not another bridge), and the port is therefore put in FORWARDING state without first verifying that the LAN is loop free. If FRNT, the port is controlled by the FRNT protocol. Designated Bridge The designated bridge MAC address.
  • Page 455: Managing Rstp Via The Cli

    Use ”show spanning-tree” to view general spanning-tree settings, given that spanning-tree is enabled (also available as ”show” command within the Spanning Tree Configuration context). Default values Disabled 18.3.2 Bridge Priority Setting Syntax priority <0-15|0-65535> Context Spanning Tree Configuration context
  • Page 456 Syntax hello-time <1-10> Context Spanning Tree Configuration context Usage Set the spanning-tree hello time interval. Since bridges use the hello time configured at the root bridge, this parameter setting only matters if this bridge becomes the root bridge.
  • Page 457 ”no stp-port <PORTLIST|all>” (e.g., ”no stp-port all”) will disable spanning tree for the specified ports. Use ”show stp-port <PORTLIST|all>” to view the spanning tree settings for the specified port(s). Default values Not applicable.
  • Page 458 It is recommended that every port where it is certain that only end hosts and routers connect (but not switches/bridges) is configured as ”admin-edge”. Ports which (may) connect to another switch/bridge should be configured as ”no admin-edge”.
  • Page 459 Use ”show path-cost” to view the path cost setting for this port. Default values Automatic (”path-cost 0”) 18.3.10 Show RSTP Status Syntax show spanning-tree Context Admin Exec context. Usage Show spanning-tree status information, including current port states, root bridge ID, etc. Default values Not applicable.
  • Page 460: Media Redundancy Protocol

    BLOCKING mode. If a link or node in the ring topology goes down, the MRM will determine the ring as broken (open) and put its secondary port in FORWARDING mode. In MRP, the
  • Page 461 BLOCKING their MRP ports. Thus, interoperability is not supported with MRP implementations where MRCs are unable to block their ring ports. Although it is possible to run MRP and other layer-2 redundancy protocols such as FRNT
  • Page 462 Link-Down message. With react-on-link-change disabled on the MRM, it will ignore Link-Down messages and instead rely on its mechanism of sending and monitoring MRP Test messages to determine whether the ring is closed or open.
  • Page 463 WeOS units. One-way transmission error means that data can be forwarded in one direction, but not the other. One example is when only one fiber in a fiber pair works.
  • Page 464 This step turns the ring into a bus. See fig. 19.3b). 3. Upgrade the unit farthest away from #6 (here unit #7). The upgrade is done with Web Upload or TFTP/FTP download from the management PC.
  • Page 465 #1, and so on. At last, upgrade the unit where the management PC connects (#6). 5. After unit #6 has been upgraded successfully, (re)enable port 1 on unit #6. The MRP ring is now upgraded.
  • Page 466: Managing Mrp Settings Via The Web Interface

    Click this icon to remove an MRP instance. If no MRP instance is configured you may create one by clicking the New button. When editing a new or existing instance the page below is displayed.
  • Page 467 VLAN ID. Profile Set reconfiguration time profile (200 or 30 ms). React On Link Change Enable/disable the React on Link Change setting (manager only). Ring Open Detect Select Ring Open Detect mode: Conservative or Standard (manager only).
  • Page 468 Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh. Refresh Click on this button to reload with updated status.
  • Page 469: Managing Mrp Settings Via The Cli

    Use ”no mrp [ID]” to remove an existing MRP instance. Use ”show mrp” to list configured MRP settings (also available as ”show” command within the MRP Configuration context). Default values Default ID is 1 19.2.2 Enable/Disable an MRP instance Syntax [no] enable
  • Page 470 ”profile 30” for the 30 ms profile. ”no profile” will reset the profile to the default (200). ”show profile” shows whether the unit is configured with the 30 ms or 200 ms profile. Default values 200 (ms)
  • Page 471 : Conservative example:/config/mrp-1/#> leave Starting Media Redundancy Protocol ......[ OK ] Configuration activated. Remember "copy run start" to save to flash (NVRAM). example:/#> cp run start 19.2.6 MRP VLAN encapsulation Syntax [no] vid <1-4095>
  • Page 472 MRP Configuration context (manager only) Usage Configure the mode (”conservative” or ”standard”) used by the MRM to determine the ring to be open (broken). Use ”show ring-open-detect” to show the configured setting. Default values Conservative
  • Page 473 : Enabled Transitions Last topology change : 0 d, 5 h, 53 m, 5 s Ring Open Detect : Conservative Primary port : Eth 6 (FORWARDING) Secondary port : Eth 4 (BLOCKING) MRM source: 02:07:7c:06:e2:20 example:/#>
  • Page 474: Link Aggregation

    20.1 Link Aggregation Support in WeOS Feature / General Description: Enable/Disable Aggregate (Section 20.1.1); Define Member Ports (Section 20.1.1); Static Aggregation Control (Section 20.1.2); LACP Aggregation Control (Section 20.1.3); Timeout (Short/Long) (Section 20.1.3); Active/Passive (Section 20.1.3); Show Link Aggregate Status
  • Page 475 The effectiveness of this load balancing depends on several factors: • The granularity by which the switch can distinguish between different traffic flows: WeOS units determine packet flow based on the combination of the
  • Page 476 (routers typically use the same source and destination MAC for all unicast traffic). Multicast flows commonly utilise different destination MACs irrespective of whether the WeOS units are switching or routing, and thus have good load balancing properties.
  • Page 477 : static Ports : 3,7 example:/config/aggregate-a1/#> end example:/config/#> 20.1.3 LACP Controlled Link Aggregates The Link Aggregation Control Protocol (IEEE 802.3ad/802.1AX [18]) is a standard method for aggregating member links that have the same speed and duplex
  • Page 478 • Ports to the neighbour with the highest total bandwidth will be selected. If RSTP or FRNT is run over the aggregate, those protocols may also decide to set the ports in blocking state.
  • Page 479 20.1.4.2 Link Aggregation and Link Alarms As described in section 25.1 the operational state (Up/Down) of Ethernet and DSL ports can be used as alarm triggers, i.e., link alarms. When a port is a member of
  • Page 480 MAC of incoming packets, while multicast addresses are typically learnt dynamically via IGMP snooping (chapter 21), or entered manually by the operator. See section 15.4.3 for the CLI command to enter MAC forwarding database entries manually.
  • Page 481 =============================================================================== 01:00:5e:01:02:03 IGMP =============================================================================== FDB Aging time: 300 sec. example:/#> Similarly, traffic from unicast address 00:07:7c:00:02:61 has come in on one member port, thus both member ports are automatically added to the MAC’s FDB entry.
  • Page 482 5 and 6 belonging to aggregate a1, the command ”mac 01:00:5e:00:11:22 port 5,6” is used (while ”mac 01:00:5e:00:11:22 port a1” would not work as of WeOS v4.24.1). Example example:/#> example:/#> configure example:/config/#> fdb example:/config/fdb/#> mac 01:00:5e:00:11:22 port 5,6 example:/config/fdb/#> end
  • Page 483 • Link Up/Down: An aggregate is up if at least one of its member ports is considered up. An aggregate is down if all its member ports are down. Example example:/#> configure example:/config/#> spanning-tree example:/config/spanning-tree/#> stp-port A1 example:/config/spanning-tree/stp-port-A1/#> no admin-edge example:/config/spanning-tree/stp-port-A1/#> show Port Enabled Admin-Edge Path-cost ======================================================= Agg A1 AUTO
  • Page 484 WeOS v4.24.1. To use those features together with link aggregation it may be possible to specify the individual member ports in the configuration; however, the behaviour is undefined and its use is unsupported.
  • Page 485: Managing Link Aggregation Via The Web

    Click this icon to edit an existing aggregate. Delete Click this icon to remove an aggregate. You will be asked to acknowledge the removal before it is actually executed. Click the New button to create a new link aggregate.
  • Page 486 Only send frames (LACP-PDUs) along the configured links if any LACP-PDU frames have been received. LACP Timeout Only available for type LACP. The timeout of the aggregate: Short 3 seconds, Long 90 seconds. For more information, see section 20.1.
  • Page 487 The aggregate link status, Up/Down. The aggregate MAC address. Type The type of the aggregate, Static or LACP. Port Label The port label for the ports included in the aggregate. Port Link Up/Down.
  • Page 488 LACP State The LACP negotiation state for this port: DETACHED, WAITING, ATTACHED, COLLECTING, or DISTRIBUTING. In the DISTRIBUTING state, the port is ready to send and receive data as part of the aggregate. See section 20.1.3 or [18] for more information.
  • Page 489: Managing Link Aggregation Via Cli

    ”show” from there. Default values When using the ”no aggregate” form (without providing a specific aggregate ID), all link aggregates are removed. Example Listing configured aggregates, and listing details for a LACP aggregate.
  • Page 490 Use ”no ports” (without providing a port list) to remove all ports from the member set. Use ”show ports” to view the currently configured list of ports. Default values When using the ”no ports” form (without providing a specific PORTLIST), all ports are removed.
  • Page 491 20.1.3). Use ”active” to select active mode and ”no active” to select passive mode. Use ”show active” to view the currently configured setting. Default values Active (”active”) 20.3.6 Configure LACP Timeout Syntax [no] timeout <short|long>
  • Page 492 Example example:/#> show aggregates Aggregate a1 MAC: 00:07:7c:00:30:b5 Type: lacp ------------------------------------------------------------------------------- Port Link Active Link State LACP State Partner ID Port ------------------------------------------------------------------------------- Eth 5 Blocking ATTACHED 00:00:00:00:00:00 Eth 6 Forwarding DISTRIBUTING 00:07:7c:00:02:61 example:/#>
  • Page 493 ’Eth 9’ is down. Example example:/#> show aggregates Aggregate a2 MAC: 00:07:7c:84:91:6b Type: static ------------------------------------------------------------------------------- Port Link Active Link State ------------------------------------------------------------------------------- Eth 7 Forwarding Eth 8 Forwarding Eth 9 DOWN example:/#>
  • Page 494: Multicast In Switched Networks

    The main difference between multicast and broadcast is that multicast can be controlled. When its control mechanisms, like IGMP, are disabled, multicast behaves like broadcast. Thus, when distributing IP multicast data in a switched network, switches within the LAN can:
  • Page 495 Special restriction for DDW-x42 and DDW-x42-485: On these products the MAC address database can hold at most 1000 addresses in total (unicast and multicast MAC). Thus, the upper limit for multicast addresses possible to keep track of is roughly 1000.
  • Page 496 The querier with the lowest IP address on each LAN is elected, usually the gateway or multicast router. Proxy queries use source IP address 0.0.0.0, which is reserved and must never take part in the IGMP querier election process, as clearly stated in the standard [4].
  • Page 497 The following ports are considered as multicast router ports: • Ports configured as multicast router ports • Ports where IGMP Queries are received; usually queries are sent by multicast routers, but also by IGMP snooping aware switches like WeOS
  • Page 498 An exception is when connecting a Dual-Homing uplink to a non-FRNT switch: the fail-over of multicast traffic will instead occur on the next reception of an IGMP Report (if IGMP snooping is enabled). See also section 17.1.2.1. This can be seen using the CLI command ”show fdb”
  • Page 499 WeOS honours a grace period of, at most, two query intervals for the benefit of multicast receivers attached on downstream port splitters (hubs or unmanaged switches). When no membership report/reply is received the multicast group will time out within three query intervals.
  • Page 500 Only when a subscriber appears will the traffic be classified as known and forwarded on the ring to the receiver. By also enabling Fast Leave on the access port towards the receiver, the multicast overhead can be kept to a near minimum.
  • Page 501: Managing Igmp In The Web Interface

    21.2 Managing IGMP in the Web Interface Global Configuration Menu path: Configuration IGMP When entering the IGMP configuration page you will be presented with the global settings for IGMP snooping. Enabling or disabling IGMP is done per VLAN, see Section
  • Page 502 Router Ports Ports on which to forward all multicast. Useful if the switch fails to automatically detect a multicast router, or when you have non-IGMP aware end devices. Click Apply to save and apply the changes.
  • Page 503 IGMP Status Menu path: Configuration IGMP Status
  • Page 504: Managing Igmp In The Cli

    Note: Disabling IGMP snooping globally does not change the per-VLAN IGMP setting. Hence, this setting can be used to disable IGMP snooping temporarily; when re-enabling it, the per-VLAN settings will be used again. Default Enabled
  • Page 505 0.0.0.0 in a correct manner and this may cause all multicast to be flooded in the direction of the device sending a proxy query, which in turn may lead to saturating low-bandwidth links and loss of function.
  • Page 506 ”no igmp-fast-leave-ports” all ports from the list of IGMP Fast Leave ports. Use ”show igmp-fast-leave-ports” to view configured multicast router ports. Default Disabled A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.
  • Page 507 ”no multicast-router-timeout” resets the ”other IGMP Querier present” timeout to the default setting (”300”). Use ”show multicast-router-timeout” to view the configured ”other IGMP Querier present” timeout. The timeout should never be set lower than the IGMP Query Interval! Default 300 (sec)
  • Page 508 21.3.8 Show IGMP Snooping Status Information Syntax show ip igmp Context Admin Exec context Usage Show IGMP snooping status information. Default N/A
  • Page 509: General Network Settings

    The table below summarises general interface and network features. Sections 22.2-22.3 contain further information on specific interface and network features. Feature Description Interface settings Enable/disable interface Section 22.2.1 MAC address Section 22.2.4
  • Page 510: Network Interfaces

    View general network config. View general network status 22.2 Network interfaces WeOS supports several kinds of network interfaces: • LAN/VLAN network interfaces: A network interface is created for every VLAN configured on the switch (chapter 15).
  • Page 511 IP forwarding is not available for products running software level WeOS Standard. However, it is possible to configure static (unicast) routes in WeOS Standard products as described in sections 27.2.1 (Web) and 22.7.3 (CLI).
  • Page 512 RIP, OSPF, VRRP, and more – the protocols will have to fall back to other methods to detect link-down, e.g. hello message timeout and similar. Do not use the ”enable always” setting unless you really know what you are doing.
  • Page 513 The interface administrative distance and management interface concepts are described in sections 22.2.6 and 22.2.7. As stated earlier, Falcon has different factory default settings than other WeOS products. The Ethernet ports are all mapped to VLAN 1 and interface vlan1 as
  • Page 514 GRE and SSL VPN interfaces (PPP, GRE and SSL VPN interfaces are available for products running software level WeOS Extended). At factory default, all management services except Telnet are allowed on interface vlan1.
  • Page 515 On new interfaces, all management services except Telnet are allowed by default. Only layer-2 SSL interfaces have MAC addresses. As of WeOS v4.24.1 the auto mode picks a random MAC address; however, this may change in future WeOS releases.
  • Page 516 1. If the interface has been configured with a custom MAC address, use that address as the interface MAC address. 2. If the VLAN has one or more ports assigned untagged, use the MAC address of the ”lowest” untagged port as the interface MAC address.
  • Page 517 VLAN interface without any IP address. • PPP interfaces: For PPP interfaces the address setting is set to dynamic, but the actual IP address assignment is handled by the PPP configuration (IPCP), section 34.1.7.
  • Page 518 NTP servers can be active at one time in the system. WeOS handles this using a set of precedence rules. When setting up a device with automatic fail-over between multiple upstream connections these rules are important to be aware Assignment of link-local address can be disabled, see section 22.6.12.
  • Page 519 (DNS) and network time protocol servers (NTP) are set from that source, unless there exist statically configured settings. • Statically configured DNS, domain and NTP always win, regardless of any distance.
  • Page 520 192.168.11.1 200 example:/config/#> If no DHCP server is present, an interface configured to use DHCP client for address assignment will end up without any IP address. The exception is the DHCP
  • Page 521 1 is the administrator’s local LAN with full management capabilities. VLAN 2 is another local LAN for regular in-house users, from which no management is Assignment of link-local address can be disabled, see section 22.6.12.
  • Page 522 filter. For devices with a console port As mentioned in section 22.2.2, the factory default on Falcon switches includes a separate VLAN for the xDSL port, and the associated interface (vlan1006) has management services disallowed for security purposes.
  • Page 523 ICMP Redirect messages, it will update its routing table and forward future packets to H2 directly via R2. In WeOS, the sending of ICMP Redirect messages can be enabled/disabled per network interface. By default sending ICMP Redirect messages is enabled.
  • Page 524 ’00:07:7c:12:34:56’ will send a Client ID as the following sequence of hexadecimal numbers: ’0100077c123456’ In WeOS each VLAN network interface is automatically assigned a MAC address according to the algorithm specified in section 22.2.4. You may also
  • Page 525 A hexadecimal number can be in the range ’0-f’ corresponding to decimal values 0-15. Each number is referred to as a ’nibble’. Each nibble takes 4 bits, thus for every byte sent there are two hexadecimal nibbles.
  • Page 526: General Ip Settings

    The switch can synchronise its clock with an external time server via the NTP protocol. Up to 8 NTP servers can be configured, but it is also possible to acquire NTP server(s) via DHCP when no static NTP server is configured (see section 22.2.6).
  • Page 527 • Configure your WeOS unit to use DDNS with this domain name. Note: The example below uses an example provider, and dummy hostname and credentials (account name and secret).
  • Page 528 AccountName AccountSecret Invalid settings: Invalid hostname. example:/config/ip/ddns/#> hostname foo.example.com example:/config/ip/ddns/#> show Provider : dyndns : Disabled Login : AccountName Password : AccountSecret Hostname : foo.example.com Interval : 600 example:/config/ip/ddns/#> leave
  • Page 529 Internet, it is recommended to disable the DNS proxy service. 22.3.4.1 Conditional Domain Forwarding The unit can also be configured to perform conditional forwarding based on the domain name in the DNS query. By specifying a domain name and the IP(v4)
  • Page 530 With these two rules, the unit will forward queries for www.sub1.example.net to address 20.20.20.20, but queries for www.example.net to address 10.10.10.10. Queries for domain names not matching any conditional domain rule will be forwarded to the default DNS server(s), see section 22.3.3.
  • Page 531: Managing Network Interfaces Via The Web

    The status of the interface, Up or Down. Distance The administrative distance value used for routes acquired on this interface. Route selection is based on this number. A lower value indicates a more preferred route.
  • Page 532 The list of interfaces may be sorted either in a default sort order, or by the distance value. Select the desired sort order and press the Apply button. When clicking the Edit icon for an interface you will be presented with its associated edit page.
  • Page 533 IP Address Enable has been checked. Up to eight secondary IPv4 addresses may be associated with the interface. Click the plus sign to add new lines. Click the to delete a row.
  • Page 534 This option is not available for all interface types. Override Set a non-default MTU size by entering an override value. Auto The interface will let its MTU be the default MTU of the associated link type.
  • Page 535 IP header options are in use. Disabled Disables TCP-MSS clamping. Management Services Check the boxes for the services that should be accessible from this interface. Click the Apply button to save and apply the changes.
  • Page 536 The owner is also displayed within parentheses. Distance The administrative distance value used for routes acquired on this interface. Route selection is based on this number. A lower value indicates a more preferred route.
  • Page 537 Sort by The list of interfaces may be sorted either in a default sort order, or by the distance value. Select the desired sort order and press the Apply button.
  • Page 538: Managing General Ip Settings Via The Web

    Default Gateway The currently active default gateway in use. N/A indicates that no default gateway is in active use. A default gateway cannot be active if no route to the default gateway is available.
  • Page 539 These settings are described further in section 22.5.2. To change the settings for a specific Interface click the associated edit icon, which will take you to the interface settings edit page. Interface settings are described further in section 22.4.
  • Page 540 Check this box to enable routing, uncheck to disable. Name server 1 IP address of (primary) DNS server. Name server 2 IP address of (secondary) DNS server. Click the Apply button to save and apply the changes.
  • Page 541 Leave empty if you do not want to use a time server, or if the NTP server should be acquired via DHCP or PPP. Timezone Select a timezone region to get adjusted local time.
  • Page 542 Set the interval by which DDNS verifies that the IP address mapping at your DDNS provider matches the IP address of your switch. Maximum 10 days (864000 seconds). Click the Apply button to save and apply the changes.
  • Page 543 Name Server - The IPv4 address of the name server to which the queries should be conditionally forwarded. See section 22.3.4.1 for more information. Click the Apply button to save and apply the changes.
  • Page 544: Managing Network Interfaces Via The Cli

    By default, all management services except Telnet are allowed on newly created VLAN and PPP interfaces. By default the Client ID is formed by concatenating ’01’ and the ’MAC address’, see section 22.2.9. The Vendor Class ID defaults to the release name (WeOS v4.24.1).
  • Page 545 VLAN (or PPP instance) is not up. Use command ”enable” to configure an interface as up, and ”no enable” to configure the interface as down. Assignment of link-local address can be disabled, see section 22.6.12.
  • Page 546 IP address either as a prefix length (e.g. ”address 192.168.0.1/24”) or as a regular netmask (e.g., ”address 192.168.0.1 255.255.255.0”). Use ”show address” to show the IP address setting for this interface.
  • Page 547 A trigger ID may be set, e.g., for monitoring an upstream network with a ping trigger, and dynamically adjusting the default route to infinite distance, effectively switching to another upstream interface not only on link loss. For more information, see section 22.2.6. Default values 16 (no distance) Notes:
  • Page 548 22.6.7 Interface MTU Size Syntax [no] mtu <68-1500> Context Interface Configuration context Usage Configure a non-default maximum transmission unit (MTU) size (in bytes) for this interface. The MTU size is the packet size a network interface will
  • Page 549 Interface Configuration context Usage Enable/disable TCP-MSS clamping on this interface. TCP-MSS clamping is used to limit the packet size (or more precisely, limit the ”maximum TCP segment size”) of TCP connections over the given inter-
  • Page 550 Use ”redirect” to enable sending of ICMP Redirect, and ”no redirect” to disable it. Use ”show redirect” to show if sending of ICMP Redirect is enabled or disabled. Default values Enabled 22.6.10 DHCP Client ID Syntax [no] clientid <hex|string|rawstring> <VALUE>
  • Page 551 3d 06 63 6f 66 66 65 65 ”no clientid” > 3d 07 01 00 00 5e 00 53 01 The last example assumes the interface has the MAC address 00:00:5e:00:53:01. 22.6.11 DHCP Vendor Class ID Syntax [no] vendor-classid <hex|string> <VALUE>
  • Page 552 3c 0a 63 6f 66 66 65 65 20 6d 75 67 no vendor-classid > reset to send software release name, e.g., WeOS v4.24.1 as ASCII string. 22.6.12 Enable/disable link-local address Syntax [no] zeroconf Context Interface Configuration context
  • Page 553 Use ”show mac” to show the interface MAC setting for this (VLAN) interface. For more information, see section 22.2.4. Default values Auto (no mac) Example example:/config/iface-vlan1/#> mac 00:00:5e:00:53:01 example:/config/iface-vlan1/#> 22.6.14 Show Network Interface Status Syntax show iface [IFNAME] © 2018 Westermo Teleindustri AB...
  • Page 554 Usage Show status information for this interface (or all interfaces). If dynamic address assignment is configured on an interface, this command will display the IP address acquired. Default values Unless a specific interface is specified, status for all interfaces will be shown. © 2018 Westermo Teleindustri AB...
  • Page 555: Managing General IP Settings Via The CLI

    Section 22.7.20 [no] enable Enabled Section 22.7.21 [no] poll-interval <SECONDS> 600 sec Section 22.7.22 [no] sntp (DEPRECATED) Section 22.7.23 [no] server <FQDN|IPADDR> Disabled Section 22.7.24 [no] poll-interval <SECONDS> 600 sec Section 22.7.25
  • Page 556 A default route configured using this command will always get a distance of 1. With multiple upstream WAN connections using PPPoE or DHCP it is recommended to use the route command instead. Use "show gateway" to show the configured default gateway. Default values Disabled ("no default-gateway")
  • Page 557 22.7.4 Manage IP Forwarding Syntax [no] forwarding Context IP Configuration context Usage (only for WeOS Extended) Enable/disable IPv4 routing. Use "show forwarding" to show whether IP forwarding (routing) is enabled or disabled. Default values Enabled ("forwarding")
  • Page 558 DHCP address assignment. Use "show domain" to show the configured domain search path. Default values Disabled ("no domain") 22.7.7 Enable/Disable DNS proxy service Syntax [no] domain-proxy Context IP Configuration context
  • Page 559 64 bytes from 192.168.5.106: seq=0 ttl=64 time=1.182 ms 64 bytes from 192.168.5.106: seq=1 ttl=64 time=0.754 ms ^C --- alice ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.754/0.968/1.182 ms example:/#>
  • Page 560 64 bytes from 192.168.2.140: seq=0 ttl=64 time=1.049 ms 64 bytes from 192.168.2.140: seq=1 ttl=64 time=0.627 ms ^C --- mypc ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.627/0.838/1.049 ms
  • Page 561 64 bytes from 192.168.10.1: seq=0 ttl=64 time=8.291 ms 64 bytes from 192.168.10.1: seq=1 ttl=64 time=0.650 ms ^C --- mypc ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.650/4.470/8.291 ms example:/#>
  • Page 562 Usage Set the DDNS provider. Examples of supported providers: dyndns http://www.dyndns.org, freedns http://freedns.afraid.org, and no-ip http://www.no-ip.com. For a complete list of supported DDNS providers, type "help provider". Use "no provider" to return to the default provider setting. Default values dyndns
  • Page 563 IP address of your switch. When selecting "provider freedns", the domain name must be followed by a hash value ("hostname HOSTNAME,HASH"; the hash is provided by FreeDNS). Default values Disabled 22.7.15 Set DDNS interval Syntax [no] interval <SECONDS>
  • Page 564 Use "no broadcast-ping" to disable responding to broadcast ping messages. Use "show broadcast-ping" to show whether the switch is configured to respond to broadcast ping messages or not. Default values Enabled ("broadcast-ping")
  • Page 565 With "server <FQDN|IPADDR>" you enter the NTP Remote Server Configuration context for that specific NTP server. If no (remote) NTP server is configured, the unit can acquire NTP server(s) dynamically from an interface with DHCP address assignment.
  • Page 566 Usage Set the NTP server poll interval (in seconds) for this NTP server. "no poll-interval" will reset the poll interval to its default (600 seconds). Use "show poll-interval" to show the configured poll interval. Default values 600 (seconds) 22.7.23 Manage NTP Client Settings (Deprecated) Syntax [no] sntp
  • Page 567 NTP Client Configuration context is deprecated and kept for backwards compatibility. NTP client settings for a remote server are instead handled as part of the other NTP settings in the NTP Remote Server Configuration, see section 22.7.20.
  • Page 568 Default values Not applicable. 22.7.27 Show Name Server and Domain Search Path Status Information Syntax show ip name-server Context Admin Exec context Usage Show name-server and domain search path status information (statically configured or acquired dynamically)
  • Page 569 (localhost and entries for the unit's own hostname, see section 8.3.2). Example example:/#> show ip hosts 127.0.0.1 localhost 127.0.1.1 example.local example 192.168.10.1 mypc mypc.example.org 10.0.0.1 www.anotherexample.org example:/#> 22.7.30 Show NTP Status Information Syntax show ntp [verbose] Context Admin Exec context
  • Page 570 NTP Client/Server running as PID: 805 210 Number of sources = 2 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^ * ntp-anycast.kth.se +222us[ -916ms] +/- 22ms ^- cecar.ddg.lth.se -8317us[-8317us] +/- 81ms
  • Page 571: Feature Parameters

    Westermo OS Management Guide Version 4.24.1-0 22.8 Feature Parameters MAX_CHARACTERS_CLIENTID MAX_HEX_NIBBLES_CLIENTID MAX_CHARACTERS_VENDORCLASSID MAX_HEX_NIBBLES_VENDORCLASSID MAX_DNS_HOST_RECORDS MAX_DOMAIN_FORWARD
  • Page 572: DHCP Server

    In most use cases this is fine; however, if it is necessary that the current lease table survives a reboot, you are recommended to use a dedicated DHCP server instead.
  • Page 573: Overview Of DHCP Server Support In WeOS

    Section 23.1.2.2 DNS Server Section 23.1.2.2 Domain search path Section 23.1.2.2 NTP Server -"- Hostname -"- TFTP Server Name -"- TFTP Server Address -"- TFTP File -"- Lease time -"- DHCP Server Status List current clients
  • Page 574 DHCP message, it will automatically detect which subnet the request originated from and thereby be able to hand out an address from the pool it has defined for A WeOS unit acts as (proxy) DNS server by default, see section 22.3.4.
  • Page 575 IP range for the address pool. • Host level: Settings at host level apply to individual DHCP clients. They override corresponding settings at global or subnet level. Some settings
  • Page 576 MAC, its DHCP client identifier, or The gateway/router at global scope level is not used to set an explicit gateway/router; it only affects the default behaviour for assigning gateway/router at subnet or host level, see section 23.1.2.2.
  • Page 577 DHCP server will put its own IP address on that subnet as gateway IP address. * Remote clients: For DHCP requests originating on remote subnets, the DHCP server will put the IP address of the relay agent as gateway
  • Page 578 NTP Servers to the DHCP client. (Leaving the setting empty implies that no NTP server is sent to the client.) • Lease time (DHCP Option 51): The lease time can be configured in the range 120-5256000 seconds or "infinite". It defaults to 864000 seconds (10 days).
  • Page 579 • DHCP Server Source UDP port (client port): The DHCP server will send packets with source UDP port 68 by default. It is possible to set the source UDP port to a non-default value.
  • Page 580 (see comment on "Option 82 preemption" above). – MAC address preemption: The DHCP server will treat requests from the same MAC address as being the same client unit. Thus, preemption is not relevant for static leases matching on MAC addresses.
  • Page 581 You may assign the address based on the combination of option 82 and option 61. This can be useful in situations where you have multiple hosts connected to the same port of the (WeOS) relay agent (e.g., via an external hub). As long
  • Page 582 Note: to assign IP addresses per (local) port on the DHCP server itself in WeOS v4.24.1, you will need to set up a Relay Agent on the same unit (see section 23.1.5). To find the base MAC of your WeOS unit, see sections 4.4.2 (Web) or 7.3.2 (CLI).
  • Page 583 • Matching port (option 82) and client-id (option 61) (first) • Matching port (option 82) • Matching client-id (option 61) • Matching MAC address • Assign address from pool (last)
  • Page 584 PC, will be assigned their IP addresses from an address pool, but the unit attached to port 6 should always be assigned IP address 192.168.5.49. This can be achieved by configuring a DHCP relay agent on interface "vlan2", and
  • Page 585 (Web) and 24.3.9 (CLI) for more information. An example using the system name as remote-id is given in fig. 23.4. To find the base MAC of your WeOS unit, see sections 4.4.2 (Web) or 7.3.2 (CLI).
  • Page 586 "Eth6" remote-id string "foobar" address 192.168.2.49 dhcp-relay iface vlan2 server 127.0.0.1 option82 discard remoteid-type system-name Figure 23.4: Configuration example with DHCP relay and server on the same unit, here with the system hostname as Option 82 Remote-ID.
  • Page 587 In WeOS you can handle this by running a DHCP relay agent on the DHCP server unit. The relay agent can be configured to drop DHCP packets not including option 82, thus only the relayed packet will be forwarded to the
  • Page 588 If the relay agent unit is a RedFox Industrial, the port labels would be written in slot/id form (1/1, 1/2, etc.). The server configuration would then reflect this, e.g., “match option82 circuit-id string "Eth1/2" remote-id string "10.1.1.2"” if the CCTV is connected to port 1/2.
  • Page 589: Configuring DHCP Server Settings Via The Web

    23.2 Configuring DHCP Server Settings via the Web The Web interface provides management of the DHCP Server. 23.2.1 DHCP Server settings Menu path: Configuration > Network (IP) > DHCP-Server
  • Page 590 New Lease button. Click on the Edit icon to edit the settings for an existing lease. Clicking the edit icon or the "New Lease" button will take you to the "Create/Edit DHCP Host Settings" page, see section 23.2.3.
  • Page 591 In some rare cases it may be useful to disable this. Default enabled Server Port Set the server listening port, default 67
  • Page 592 Boot Server Address: IP address of the server from which the client should retrieve the boot file. Boot Server Name: DNS name of the server from which the client should retrieve the boot file. Boot File: Name of the boot file to retrieve from the boot server.
  • Page 593 DHCP address lease time (seconds) for addresses handed out to DHCP clients. Netmask: The netmask option handed to DHCP clients. Default Gateway: The IP default gateway (default router) option handed to DHCP clients.
  • Page 594 Name Servers: The (DNS) name server option handed to DHCP clients. NTP Servers: The time server (NTP) option handed to DHCP clients. Domain: Domain name search path option handed to DHCP clients.
  • Page 595 (Static DHCP) On this page you can change the settings for the Host. Lease: IP address for this lease. If left empty, the DHCP server will not serve the host.
  • Page 596 Boot Server Address: Address of the TFTP server to hand out to this host. Boot Server Name: Domain name of the TFTP server to hand out to this host. Boot File: File (at the TFTP server) to hand out to this host.
  • Page 597: Configuring DHCP Server Settings Via The CLI

    [no] file <FILENAME> Disabled Section 23.3.10 [no] preempt Disabled Section 23.3.20 [no] subnet <IPADDR[/LEN] | IPADDR [MASK]> Section 23.3.21 [no] netmask <NETMASK> Section 23.3.22 [no] pool <IPADDR_START> <NUM|IPADDR_END> Auto Section 23.3.23
  • Page 598 Default values Disabled (No DHCP server configured) 23.3.2 Disable DHCP Server Syntax [no] enable A pool may be created automatically. See Section 23.3.23. Empty values have special meaning here. See Sections 23.3.14 and 23.3.15.
  • Page 599 Usage Control the default behaviour of default gateway (option 3) assignment. • Auto: The "gateway auto" setting achieves the default behaviour that the unit's own IP address (local DHCP clients) or the DHCP relay agent's IP address (remote DHCP clients) is assigned as default gateway.
  • Page 600 This setting can be overridden by setting a specific IP address as default gateway at subnet/host level (section 23.3.15). Use "show name-server" to show the current setting. Default values Auto 23.3.6 DHCP Server Listening UDP Port Syntax [no] server-port <UDPPORT> Context DHCP Server Configuration context
  • Page 601 Note Using the "tftp-server" command in DHCP Server Configuration will apply to all DHCP messages from the server. Using the "tftp-server" command in DHCP Server Host Configuration will apply only to that static lease entry.
  • Page 602 The bootfile name is typically passed within the file field of a BOOTP/DHCP message, but is instead sent as DHCP option 67 if option overloading applies or if the client has requested DHCP option 67.
  • Page 603 Configuration context of that specific static lease. Default values Default index is 1. 23.3.12 Configure Static Lease Match Setting Syntax [no] match <mac <MACADDR> | clientid <hex|string> CLIENTID> | option82 [remote-id <hex|string> <REMOTEID>] | option82 [circuit-id <hex|string> <CIRCUITID>]>
  • Page 604 "no address" is not a valid setting, i.e., the host entry will then not be activated. Use "show address" to show the current address setting. Default values None 23.3.14 Configure DHCP Server Default Gateway Option Syntax [no] gateway <IPADDRESS>
  • Page 605 If no name server is specified, the setting specified at the higher level (global or subnet) determines what name server(s) to assign to DHCP clients, see section 23.3.5. Use "show name-server" to list DNS name server option settings.
  • Page 606 Use "show domain" to list domain name option settings. Default values Disabled, the domain name option will not be used. 23.3.18 Configure NTP Server Option (DHCP Option 42) Syntax [no] ntp-server <IPADDR> Context DHCP Server Subnet Configuration / DHCP Server Host Configuration context
  • Page 607 This setting only applies when the static lease matches on client-id (option 61), see section 23.1.3. Use command "preempt" to enable lease preemption for this host entry. Use command "no preempt" to disable lease preemption for this host entry.
  • Page 608 DHCP Server Subnet Configuration context Usage Specify/modify the netmask for the subnet to serve, e.g., "netmask 255.255.128.0". Use "no netmask" to reset the netmask to its default value. Use "show netmask" to show the current netmask setting.
  • Page 609 Syntax show dhcp-clients Context Admin Exec context Usage Show the list of current DHCP clients. Default values Not applicable Example example:/#> show dhcp-clients Lease Time MAC Address IP Address Hostname Client ID =============================================================================== 864000 00:07:7c:8a:e2:41 192.168.2.109 01:00:07:7c:8a:e2:41 example:/#>
  • Page 610: Feature Parameters

    23.4 Feature Parameters MAX_DHCP_SUBNETS MAX_STATIC_LEASES 1024
  • Page 611: DHCP Relay Agent

    In case you wish to hand out addresses per port on the DHCP server unit (as opposed to the DHCP relay agent), WeOS allows you to achieve this by running a relay agent on the DHCP server unit, see the chapter on DHCP server (section 23.1.5).
  • Page 612: Overview Of DHCP Relay Agent Support

    (here PC1-PC6) on the local LANs. A DHCP relay can serve a single LAN (Relay Agent 1 & 3) or multiple LANs (Relay Agent 2). In WeOS the LANs to serve are selected by configuring which (VLAN) network interfaces the relay agent should listen on.
  • Page 613 (e.g., RA1 will set giaddr to 192.168.0.1 when forwarding requests from PC1 to the DHCP server). Based on the giaddr, the DHCP server can distinguish which pool to hand out an address from (here "A").
  • Page 614 In WeOS the circuit ID can be set according to the following methods: – Disabled: When circuit ID is disabled, no circuit ID sub-option is passed as part of the Relay Agent Information option (DHCP option 82).
  • Page 615 8.3.2 (CLI) for information on how to configure the unit's hostname/system name. – Manual: It is also possible to set a manual value for the Remote ID, either as a hexadecimal or string value.
  • Page 616 field(s) included in DHCP messages returned from the DHCP The exception is when policy "Require" is configured - then the packet will be discarded if it does not contain a relay agent information option.
  • Page 617 DHCP server does not support RFC 5107 [23]. Forcing DHCP server identity override is disabled by default. If more than one relay information option is included, the last option is removed.
  • Page 618 It is sent as unicast to the DHCP server, and it contains the relay agent's IP address as giaddr. If the relay agent has DHCP option 82 enabled, such information is also added.
  • Page 619 DHCP relay agent – this includes broadcast and unicast DHCP packets, both DHCP requests (to server) and DHCP responses (from server) coming in on that port. Fig. 24.4(b) shows the result when a broadcast DHCP packet comes in on a port with DHCP snooping enabled.
  • Page 620 As of WeOS v4.24.1, the WeOS DHCP server (chapter 23) does not provide dedicated DHCP server failover support, but you can achieve redundancy using "static" address assignment (no address pools) with the same configuration at both DHCP servers.
  • Page 621 • A single DHCP server has been configured (here 10.1.2.3). As of WeOS v4.24.1, up to two DHCP servers can be configured. • Option 82 is enabled, with policy discard. Option 82 information will be added to all incoming requests. Packets which already include option 82
  • Page 622 Stopping DHCP/DNS Server ........[ OK ] Starting DHCP/DNS Server ........[ OK ] Configuration activated. Remember "copy run start" to save to flash (NVRAM). Starting DHCP Relay Agent ........[ OK ] example-relay:/#>
  • Page 623: Configuring DHCP Relay Agent Via The Web

    24.2 Configuring DHCP Relay Agent via the Web The Web interface provides management of the DHCP Relay Agent. 24.2.1 DHCP Relay Agent settings Menu path: Configuration > Network (IP) > DHCP-Relay Figure 24.6: DHCP Relay Agent settings
  • Page 624 MAC uses the base MAC address of the unit. System Name uses the hostname of the system. It is also possible to set a Manual value for the Remote-ID, either as a hexadecimal or string value.
  • Page 625 24.6) will be used for this port. • Manual (hex) and Manual (string): A user-specified hex or string value will be used as circuit ID. The value is entered in the Manual Circuit ID field.
  • Page 626: Configuring DHCP Relay Agent Via The CLI

    "auto" Section 24.3.13 portdescription| manual <hex|string> <ID>> View DHCP Relay Agent Settings show dhcp-relay Section 24.3.14 dhcp-relay show port [PORTLIST] "all" Section 24.3.15 24.3.1 Manage DHCP Relay Agent Syntax [no] dhcp-relay Context Global Configuration context
  • Page 627 Default values Not applicable. 24.3.4 DHCP Servers (IP addresses) Syntax [no] server <ADDRESS> Context DHCP Relay Configuration context Usage Specify the DHCP server that the relay agent will forward requests to. Default values Not applicable.
  • Page 628 Use "force-server-identity" to enable forced DHCP server identity override and use "no force-server-identity" to disable it. Use "show force-server-identity" to show the current setting. Default values Disabled 24.3.7 Option 82 Syntax [no] option82 <forward|discard|append|replace|require> Context DHCP Relay Configuration context
  • Page 629 Default values portname. 24.3.9 Remote ID Type Syntax [no] remoteid-type <mac | ip | system-name | manual <hex|string> <VALUE>>
  • Page 630 Default values Not applicable. 24.3.11 Enable/disable DHCP Relay Agent per port Syntax [no] enable Context DHCP Relay Port Configuration context Usage Enable or disable the DHCP Relay Agent on a port. Default values Enabled.
  • Page 631 Usage Show DHCP relay agent settings. Default values 24.3.15 Show DHCP Relay Agent Per-port Settings Syntax show port [PORTLIST] Also available as the "show" command within the DHCP Relay Port Configuration context. Context DHCP Relay Configuration context
  • Page 632 Circuit-ID type (Circuit ID) ============================================================================== Eth 1 auto auto (Eth1) Eth 2 auto auto (Eth2) Eth 3 auto auto (Eth3) Eth 4 auto auto (Eth4) Eth 5 auto auto (Eth5) Eth 6 auto auto (Eth6) example:/config/dhcp-relay/#>
  • Page 633: Feature Parameters

    24.4 Feature Parameters MAX_DHCP_RELAY_IFACES
  • Page 634: Alarm Handling, LEDs And Digital I/O

    The WeOS alarm handling support makes use of the following terminology: In addition to monitoring alarm status via Web and CLI, there are other ways in which an operator can get notified when an alarm is triggered.
  • Page 635 Instead of mapping triggers directly to targets, a trigger is mapped to an alarm action (profile). The alarm action defines what specific targets to use when an alarm event occurs. For example, a link alarm trigger for ports 1-3
  • Page 636 Uplink Echo responses are used to determine the uplink status. • MRP status: The MRP ring status trigger will react when an MRP ring is broken or healed (intact). Only an FRNT focal point can determine the ring status with certainty.
  • Page 637 An alarm trigger defines the rules for when alarm events should be generated for a monitored alarm source. Alarm triggers also define which alarm action to invoke when an alarm event occurs. Currently supported alarm trigger types: • Power failure • Link alarm
  • Page 638 • Power failure: A power failure trigger can monitor one or more power feed sensors. Most WeOS products have two power feeds (single power supply), with a sensor for each power feed. Typically a single power failure trigger is used to monitor both power feed sensors.
  • Page 639 • Timer: Timer triggers are configured to go off at a given time interval. As of WeOS v4.24.1, only daily timers are supported, e.g., "timeout daily 02:30", and they only apply to "log" and "reboot" action targets.
  • Page 640 (for that alarm source) before the value has fallen down to the falling threshold (and vice versa). Thus, the use of separate rising and falling thresholds creates a hysteresis mechanism, which avoids generating multiple alarm events when a monitored value fluctuates around the alarm threshold.
  • Page 641 25.3. Additional details on threshold settings and properties: • The rising threshold cannot be set lower than the falling threshold. • It is possible to use the same value for the rising and falling thresholds.
  • Page 642 Alarm sources of counter type, such as RMON data traffic statistics, are well suited for delta sampling. As the delta is computed over a given time interval (sample interval), the alarm thresholds should be configured with respect to the configured sample interval.
  • Page 643 25.1.5). Alarm events of severity level INFO or higher are subject both to logging and SNMP trap targets. As described in chapter 26 it is possible to conduct additional filtering for remote logging based on event severity.
  • Page 644 'OK', and open when any of the associated alarm triggers becomes active (or when the unit has no power). As of WeOS v4.24.1 there is no support for SNMP traps for timer or hardware alarms.
  • Page 645 ON LED alarm is indicated with a 'red' light, as shown in fig. 25.4. For the status relay, alarm is indicated by having the gate in the 'open' state. See sections 25.4 and 25.5 for general information on Digital I/O and front panel LEDs.
  • Page 646: Managing Alarms Via The Web

    4.4 and 4.4.2. Fig. 25.5 shows the System Overview page when a Link Alarm is activated. Figure 25.5: The basic system overview page with a link alarm activated.
  • Page 647 Click this icon to edit a trigger. Delete Click this icon to remove a trigger. New Trigger Click this button to create a new alarm trigger. You will be presented with a form where you can configure the new trigger.
  • Page 648 Figure 25.7: The trigger type selection page. When clicking the Next button you will be taken to the New trigger page. Figure 25.8: The alarm trigger creation page. Type The type of alarm trigger.
  • Page 649 To get alarms for a specific port, check the check-box located underneath the port label. In the picture above you see that ports 1/1, 1/2 and 2/1 are marked as alarm sources for this link alarm trigger.
  • Page 650 The falling thresholds may be set to the same value, but by using different thresholds (rising higher than falling) one can avoid receiving multiple events when the temperature fluctuates around the alarm threshold. Figure 25.9: Example of a temperature trigger.
  • Page 651 Click this icon to edit an action. Delete Click this icon to remove an action. New action Click this button to add a new alarm action. You will be presented with a form where you can configure the new action.
  • Page 652: Managing Alarms Via The Cli

    Section 25.3.13 [no] action <INDEX> Section 25.3.14 [no] target <[log] [snmp] [led] > Section 25.3.15 [digout] [reboot] [custom]> [no] custom <COMMAND> Disabled Section 25.3.16 [no] summary-trap Section 25.3.17 Alarm Status alarm Section 25.3.18 show Section 25.3.19 © 2018 Westermo Teleindustri AB...
  • Page 653 find the index of a trigger, which is needed to edit or remove an existing trigger, see above. Default values Not applicable. Some examples of alarm trigger configurations are given in sections 25.3.2.1- 25.3.2.14. Details of individual alarm trigger configuration settings are given in sections 25.3.3-25.3.12. © 2018 Westermo Teleindustri AB...
  • Page 654 Created trigger 2 example:/config/alarm/trigger-2/#> port 1-2 example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show Trigger Type Enabled Action Source ============================================== power link-alarm Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#> © 2018 Westermo Teleindustri AB...
  • Page 655 Created trigger 2 example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show Trigger Type Enabled Action Source ============================================== power digin Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#>
  • Page 656 Created trigger 1 example:/config/alarm/trigger-1/#> sensor 1,2 example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show Trigger Type Enabled Action Source ============================================== power Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#>
  • Page 657 - Action: By default, the trigger is mapped to the default action profile (action 1). In this example an SNR-margin trigger is created for DSL ports 1/1 and 1/2, with falling threshold 4 dB and rising threshold 6 dB.
  • Page 658 (in Admin Exec context) to list available sensors, see section 7.3.43. - Alarm threshold: As of WeOS v4.24.1 the temperature falling threshold and rising threshold are both set to 0 °C by default. - Enable/Disable: By default, the trigger is enabled.
  • Page 659 An FRNT trigger exists in the factory default configuration. Thus, when FRNT is enabled, FRNT alarms will be presented on the default alarm targets without requiring the user to create a trigger. Syntax trigger frnt
  • Page 660 Trigger Type Enabled Action Source =============================================================================== power frnt Instance 1 Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#> 25.3.2.7 RiCo Uplink Trigger Configuration Example Syntax trigger rico-uplink
  • Page 661 Trigger Type Enabled Action Source =============================================================================== frnt Instance 1 rico-uplink Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#> 25.3.2.8 MRP Trigger Configuration Example Syntax trigger mrp
  • Page 662 =============================================================================== Instance 1 Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#> 25.3.2.9 LFF Trigger Configuration Example Note: this setting only applies to units equipped with SHDSL ports. Syntax trigger lff
  • Page 663 SHDSL port 1/1. Example wolverine:/config/alarm/#> trigger lff wolverine:/config/alarm/trigger-2/#> port 1/1 wolverine:/config/alarm/trigger-2/#> end wolverine:/config/alarm/#> show Trigger Type Enabled Action Source =============================================================================== frnt dsl 1/1 Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled wolverine:/config/alarm/#>
  • Page 664 Trigger Class Enabled Action Source =============================================================================== 1 frnt Instance 1 2 timer daily 02:30 Action Targets =============================================================================== snmp log led digout log reboot =============================================================================== Summary alarm traps: Disabled
  • Page 665 3 example:/config/alarm/trigger-2/#> action 2 example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show Trigger Type Enabled Action Source =============================================================================== frnt Instance 1 ping peer bbc.co.uk Action Targets =============================================================================== snmp log led digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#>
  • Page 666 An optional setting is the interval (1-300 seconds) at which active ARP probing for conflicts should run (default 60). Note: one VLAN interface per trigger is allowed. Create an additional trigger to activate address conflict detection on another VLAN.
  • Page 667 Additional settings for temperature triggers are listed below. The only mandatory setting is the temperature sensor (or list of sensors); no temperature alarm events will occur until a sensor is defined.
  • Page 668 Summary alarm traps: Disabled viper:/config/alarm/#> 25.3.2.14 Microlok Trigger Configuration Example Syntax trigger microlok Context Alarm Configuration context Usage Create a Microlok session summary alarm trigger, and enter the Alarm Trigger Configuration context for this trigger.
  • Page 669 Enabled Action Source =============================================================================== frnt Instance 1 microlok Action Targets =============================================================================== snmp log led digout log digout =============================================================================== Summary alarm traps: Disabled example:/config/alarm/#> 25.3.3 Enable/disable a Trigger Syntax [no] enable Context Alarm Trigger Configuration context
  • Page 670 ”no peer” will delete the configured peer; however, a ping trigger without a configured peer is not a valid setting. - Use ”[no] iface <IFNAME>” to configure the VLAN interface to enable address conflict detection on. This is a mandatory setting for Address
  • Page 671 The examples below show how to set the severity level for active and inactive alarm events together and how to set it individually. The final example shows how to set severity ’NONE’ for both active and inactive events.
  • Page 672 Use ”show condition” to show the alarm condition setting for this trigger. Default values Differs for different trigger types 25.3.7 Configure Rising and Falling Thresholds Syntax threshold <NUM|[rising <NUM>]|[falling <NUM>]> Context Alarm Trigger Configuration context
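The rising/falling threshold pair above is a hysteresis band: the alarm is raised at one level and cleared at another, so a value that hovers near a single level does not flap the alarm (and flood SNMP traps, syslog and the digital output). The following is an added example written for this page, not WeOS code; it models the SNR-margin trigger from page 657 (falling 4 dB, rising 6 dB) and the temperature trigger with its v4.24.1 default of 0 °C for both thresholds. Whether WeOS compares strictly or inclusively is not stated on the page; the comparisons used here are an assumption.

```python
"""Two-threshold (hysteresis) alarm trigger in the spirit of the WeOS
'threshold falling <NUM>' / 'threshold rising <NUM>' settings.

Added example, not WeOS code.  Assumptions (not stated on the page):
  - a "low" trigger (e.g. SNR margin) goes active when the value drops
    *below* the falling threshold and clears when it climbs *above* the
    rising threshold;
  - a "high" trigger (e.g. temperature) goes active *above* the rising
    threshold and clears *below* the falling threshold.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ThresholdTrigger:
    name: str
    falling: float
    rising: float
    alarm_when: str = "low"      # "low" or "high", see module docstring
    active: bool = False

    def __post_init__(self) -> None:
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if self.alarm_when not in ("low", "high"):
            raise ValueError("alarm_when must be 'low' or 'high'")

    def update(self, value: float) -> Optional[str]:
        """Feed one sample; return "active"/"inactive" on a state change, else None."""
        if self.alarm_when == "low":
            goes_active = value < self.falling
            goes_inactive = value > self.rising
        else:
            goes_active = value > self.rising
            goes_inactive = value < self.falling
        if not self.active and goes_active:
            self.active = True
            return "active"
        if self.active and goes_inactive:
            self.active = False
            return "inactive"
        return None


def run(trigger: ThresholdTrigger, samples: List[float]) -> List[Tuple[float, str]]:
    """Replay a sample series and collect the (value, event) transitions."""
    events = []
    for value in samples:
        event = trigger.update(value)
        if event is not None:
            events.append((value, event))
    return events


if __name__ == "__main__":
    # SNR-margin trigger from the page: falling 4 dB, rising 6 dB.
    snr = ThresholdTrigger("snr-margin dsl 1/1-1/2", falling=4, rising=6)
    print(run(snr, [7, 5, 4, 3, 5, 6, 7, 3]))
    # Temperature trigger with the v4.24.1 defaults (both thresholds 0 C):
    # with no gap between the thresholds every crossing flips the alarm.
    temp = ThresholdTrigger("temperature sensor 1", falling=0, rising=0, alarm_when="high")
    print(run(temp, [-1, 1, 0, -1, 1]))
```

The second run shows why the 0 °C/0 °C default is worth changing on a real deployment: with no gap, a sensor oscillating around the threshold generates an alarm event on every crossing.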
  • Page 673 Use the command ”no interval” to reset the interval to its default. Default values Differs: - Ping trigger: 3 (seconds) - Address Conflict trigger: 60 (seconds) 25.3.9 Configure Ping Robustness Number Syntax [no] number <NUM> Context Alarm Trigger Configuration context (ping trigger)
  • Page 674 Syntax [no] initial-state <warning|ok> Context Alarm Trigger Configuration context (ping trigger) Usage Set the initial alarm state for a trigger; this only applies to ping triggers. Use the command ”show initial-state” to show the configured initial state. Default values Warning
  • Page 675 Alarm Action Configuration context and create a new or update an existing action. Use ”no action <INDEX>” to remove an existing action. The default action (index 1) cannot be removed, but you can disable all targets.
  • Page 676 Use the command ”show target” to show the alarm target(s) configured for this action profile. Default values target log (new action profiles have ”target log” as default). 25.3.16 Set Custom Action Target Syntax [no] custom <COMMAND>
  • Page 677 ON LED alarm target. Use ”summary-trap” to enable and ”no summary-trap” to disable SNMP traps for the summary alarm status. Use ”show summary-trap” to show whether summary alarm traps are enabled or disabled. Default values Disabled
  • Page 678 Context Admin Exec context Usage Enter the Alarm Status context. Default values Not applicable. 25.3.19 Show overall alarm status Syntax show Context Alarm Status context Usage Show status of all alarms. Default values Not applicable.
  • Page 679: Digital I/O

    For a detailed specification on the Digital I/O connector (definite pin-out mapping, voltage levels, etc.), see the User Guide of your specific WeOS product (section 1.5). Connector pins on the Westermo switch: 1 Status+, 2 Status−, 3 Digital In+, 4 Digital In−.
  • Page 680 When the switch is operating normally (the switch has booted up, and no alarm source is active), the gate is closed.
  • Page 681: Leds

    Power failure on DC1 or DC2. Unit has no power. GREEN Power OK. Input voltage > 70% of minimum nominal voltage. Power failure. Input voltage < 70% of minimum nominal voltage.
  • Page 682 SNR 3-5 dB. Marginal SHDSL link. Indicator 2 GREEN SNR 6-9 dB. Normal SHDSL link. 3 GREEN SNR 10 dB or higher. Strong SHDSL link. ADSL/VDSL: No xDSL link. GREEN xDSL link established.
  • Page 683 Only for products with software level WeOS Extended. As of WeOS v4.24.1, the USR1/VPN LED presents VPN status as described above. Alternative (configurable) use is intended but not yet supported. Only applicable for the DDW-x42-485[44] products.
  • Page 684: Logging Support

    By default, messages of severity level NOTICE or higher are forwarded to the remote syslog server(s). This threshold is configurable. As of WeOS v4.24.1 configuration of logging support is only available via the CLI.
  • Page 685: Logging Support In The Web Interface

    Menu path: Maintenance > View Log. Select the log file in the drop-down list and press View to display the desired log file.
  • Page 686: Managing Logging Support Via The Cli

    Use ”show logging” to show logging configuration settings. Also available as the ”show” command within the Logging Configuration context. Default values Disabled 26.2.2 Logging to console port Syntax [no] console Context Logging Configuration context Usage Enable or disable console logging.
  • Page 687 If enabled, the IP address(es) of the configured server(s) are presented. Default values Disabled 26.2.4 Set minimum log level for remote syslog Syntax [no] severity <LEVEL> Context Logging Configuration context (only available if a remote syslog server has been configured, see section 26.2.3)
  • Page 688 For example, setting ”severity warning” allows only messages of severity level warning, err, crit, alert, and emerg to be sent to a remote syslog server. Use ”show severity” to show the current setting. Default values notice
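The ”severity <LEVEL>” threshold is the standard syslog rule: a message is forwarded if its numeric severity is less than or equal to the configured level (emerg is 0, debug is 7). The block below is an added example, not WeOS code, that applies that rule to a handful of constructed RFC 3164 style lines with ”<PRI>” headers, so the effect of the default (notice) versus ”severity warning” can be seen on the collector side.

```python
"""Severity filter for remote syslog forwarding, modelled on the WeOS
'severity <LEVEL>' setting (default notice): a message is forwarded only
if its severity is the configured level or more severe.

Added example, not WeOS code.  The log lines below are constructed for
the example; they use the RFC 3164 '<PRI>' header, where
PRI = facility * 8 + severity and lower severity numbers are more severe."""
import re
from typing import List, Tuple

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample of what a WeOS unit might emit toward a collector.
SAMPLE_LINES = [
    "<13>Oct  3 12:00:01 redfox-1 weos: link up on port 1/3",          # user.notice
    "<34>Oct  3 12:00:05 redfox-1 sshd: FAILED LOGIN from 10.0.0.77",  # auth.crit
    "<38>Oct  3 12:00:06 redfox-1 sshd: Accepted password for admin",  # auth.info
    "<12>Oct  3 12:00:09 redfox-1 weos: power failure on DC2",         # user.warning
    "<15>Oct  3 12:00:10 redfox-1 weos: dhcp lease renewed",           # user.debug
]


def parse_pri(line: str) -> Tuple[str, str, str]:
    """Split a syslog line into (facility name, severity name, message)."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def forward(lines: List[str], min_severity: str = "notice") -> List[str]:
    """Return the lines that pass the threshold, tagged facility.severity."""
    if min_severity not in SEVERITIES:
        raise ValueError("unknown severity %r" % min_severity)
    threshold = SEVERITIES.index(min_severity)
    kept = []
    for line in lines:
        facility, severity, msg = parse_pri(line)
        if SEVERITIES.index(severity) <= threshold:   # numerically lower = more severe
            kept.append("%s.%s %s" % (facility, severity, msg))
    return kept


if __name__ == "__main__":
    for level in ("notice", "warning"):
        print("severity", level)
        for entry in forward(SAMPLE_LINES, level):
            print("  ", entry)
```

Note that raising the threshold to warning drops the notice-level link-state message as well as the successful admin login, which an incident responder would usually want kept; the threshold trades collector volume against forensic completeness.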
  • Page 689: Router/Gateway Services

    Westermo OS Management Guide Version 4.24.1-0 Part III Router/Gateway Services
  • Page 690: Ip Routing In Weos

    ”hops” and long distances. A router looks at the destination IP address carried within each IP packet, consults its routing table to make a
  • Page 691 OSPF and RIP are covered in chapters 28 and 29, respectively. As of WeOS v4.24.1, dynamic routing is limited to intra-domain (unicast) routing with RIP and OSPF. WeOS does not support dynamic inter-domain routing via BGP (Border Gateway Protocol), or dynamic multicast routing.
  • Page 692 Switching is performed between ports in the same VLAN, while routing is performed between IP subnets or network interfaces (please see fig. 22.1 in section 22.2 for information on the distinction between ports, VLANs and network interfaces).
  • Page 693 WeOS supports static IP routing. With static routing a WeOS device can specify the next hop router to use to reach a given IP subnet, or add additional (directly attached) subnets to a local interface.
  • Page 694 floating static route. Relevant parts of the configuration at routers 1, 2 and 3 are shown below. Router 1 injects a default route into the OSPF area, and defines a floating static route towards 192.168.35.0/24 via Router2.
  • Page 695 Router 2 defines a floating static default route via Router1, and injects a default route into the OSPF area given that its floating default route is active (no ”always” attribute; compare with the Router1 configuration).
  • Page 696 ”192.168.0.0/24”, ”192.168.1.0/24” and ”192.168.2.0/24”, while ”192.168.3.0/24” is currently unused. As R2 has defined R1 as its default route, a packet sent towards e.g. ”192.168.3.11” would bounce back and forth between R1 and R2, unless R2 defines a blackhole route.
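The loop just described is worth seeing in a routing-table lookup, because a forwarding loop is also a cheap amplification primitive: every packet aimed at the unused subnet consumes link capacity on the R1-R2 link until its TTL expires. The block below is an added example, not WeOS code or configuration. It assumes that R1 holds a route for the aggregate 192.168.0.0/22 via R2 (the page only says the packet bounces; the aggregate route is the usual reason) and abstracts everything beyond R1 as a single ”upstream” hop.

```python
"""Longest-prefix lookup with a blackhole route, reproducing the R1/R2
loop described on this page: R2 uses R1 as default gateway, R1 sends the
whole 192.168.0.0/22 block back to R2, and the unused 192.168.3.0/24
therefore ping-pongs until TTL expires unless R2 blackholes it.

Added example, not WeOS code.  The R1 route to 192.168.0.0/22 via R2 is
an assumption about the topology."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route entry is (prefix, target); target is a router name, "connected"
# or "blackhole".  Administrative distance is out of scope here.
Route = Tuple[str, str]


class Router:
    def __init__(self, name: str, routes: List[Route]) -> None:
        self.name = name
        # Pre-sort by prefix length so the first match is the longest one.
        self.routes = sorted(
            ((ipaddress.ip_network(p), t) for p, t in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, target in self.routes:
            if addr in net:
                return target
        return None


def trace(routers: Dict[str, Router], start: str, dst: str, ttl: int = 8) -> Tuple[str, List[str]]:
    """Follow a packet hop by hop; returns (outcome, path of router names)."""
    path, here = [start], start
    while ttl > 0:
        target = routers[here].lookup(dst)
        if target is None:
            return "no route", path
        if target == "blackhole":
            return "dropped", path
        if target == "connected":
            return "delivered", path
        here = target
        path.append(here)
        ttl -= 1
    return "loop (ttl expired)", path


def build(blackhole: bool) -> Dict[str, Router]:
    """R1/R2 from the page; 'upstream' stands in for everything past R1."""
    r1 = Router("R1", [("0.0.0.0/0", "upstream"), ("192.168.0.0/22", "R2")])
    r2_routes = [("0.0.0.0/0", "R1"), ("192.168.0.0/24", "connected"),
                 ("192.168.1.0/24", "connected"), ("192.168.2.0/24", "connected")]
    if blackhole:
        # Covers the whole block; the three /24s above still win by longest prefix.
        r2_routes.append(("192.168.0.0/22", "blackhole"))
    upstream = Router("upstream", [("0.0.0.0/0", "connected")])
    return {"R1": r1, "R2": Router("R2", r2_routes), "upstream": upstream}


if __name__ == "__main__":
    for bh in (False, True):
        print("blackhole" if bh else "no blackhole", trace(build(bh), "R2", "192.168.3.11"))
```

The blackhole covers the whole /22 rather than just 192.168.3.0/24, so any further unused /24 inside the block is also caught; the connected /24s still win because the lookup is longest-prefix first.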
  • Page 697 (at layer-2) and blocks some port, even though there is a ”routing barrier”, which already handles the loop. The result of RSTP blocking ports may be loss of connectivity at layer-3.
  • Page 698 - disable RSTP as a whole, or - disable RSTP on all ports but one VLAN, or a group of VLANs with a shared layer-2 backbone (such as a ring). Support for multiple RSTP/STP instances is planned but not yet implemented.
  • Page 699: Static Unicast Routes Via Web

    The destination gateway Interface The destination interface Edit Click this icon to edit a route. Delete Click this icon to remove a route. You will be asked to acknowledge the removal before it is actually executed.
  • Page 700 Edit Menu path: Configuration > Routing > Static Route The edit page; see the table above for descriptions.
  • Page 701 Kernel route Static - A statically configured route. RIP - The route is known through the RIP protocol. OSPF - The route is known through the OSPF protocol. > Selected route FIB route
  • Page 702: Enabling Routing, Managing Static Routing, Etc., Via Cli

    29.3), as well as other router-related protocols such as VRRP (section 31.3). Use ”show router” to list general router protocol settings (also available as the ”show” command within the Router Protocol Configuration context).
  • Page 703 Default values N/A Example example:/config/#> router example:/config/router/#> show OSPF/RIP not enabled. VRRP Instances ============================================================= Interface Router-ID Priority Address ============================================================================ vlan1 192.168.2.1 example:/config/router/#>
  • Page 704: Dynamic Routing With Ospf

    Section 28.1.1.6 Inter-area filtering Section 28.1.1.6 (Explicit) neighbour Section 28.1.1.7 Passive interface default Section 28.1.1.8 Per interface OSPF settings Link cost Section 28.1.1 Network type Section 28.1.1.7 Passive interface Section 28.1.1.8
  • Page 705 Until the OSPF routing protocol has converged, this may cause a temporary loss of connectivity in parts of your network. 28.1.1 OSPF introduction Figure 28.1: Simple network topology with interconnected routers (Router−A to Router−E) and networks (Net−A to Net−E).
  • Page 706 fig. 28.2). In OSPF, a cost is associated with every link. As of WeOS v4.24.1, the default cost per link is ”10”. The link cost can be configured per interface, see section 28.3.16 for details.
  • Page 707 - It is common practice to set the router-id to one of the IP addresses assigned to the router. - If no router-id is configured, WeOS will pick one of the router’s configured IP addresses, and use that as router-id.
  • Page 708 The area identifier is a 32 bit value, which can be stated as a decimal value, but is commonly written in dotted decimal form. E.g., ”network 10.0.1.0/24 area 0.0.0.0” is equivalent to writing ”network 10.0.1.0/24 area 0”.
  • Page 709 OSPF virtual links are not supported in WeOS v4.24.1. The reason for introducing these topology limitations is to avoid the ”counting to infinity” problem seen in distance vector protocols (see chapter 29) from occurring in OSPF inter-area routing.
  • Page 710 (static routes, or routes learnt via other routing protocols such as RIP, BGP, etc.; as of WeOS v4.24.1 BGP is not supported). In a stub area, routing to networks outside the OSPF domain
  • Page 711 OSPF provides an area type known as not so stubby area (NSSA). Fig. 28.4 demonstrates a case where NSSAs can be a useful choice. Here we assume that area 0.0.0.1 and area 0.0.0.2 are preferably defined as stub areas
  • Page 712 OSPF network. NSSAs are created in the same way as a stub area (see section 28.1.1.4). All routers in the area must declare the area as NSSA. An example is given below.
  • Page 713 Below is an example where an ABR will filter out routes in 192.168.16.0/20 when distributing routes from area 0.0.0.2. Similarly, all routes inside area 0.0.0.2 matching 172.16.0.0/16 will be summarised to a single route when distributing routes from area 0.0.0.2.
  • Page 714 (together with a corresponding setup on the neighbour router). Example iface vlan100 inet static ... Skipping lines address 10.0.16.1/24 ospf network non-broadcast router ospf neighbor 10.0.16.2 network 10.0.16.0/24 area 0.0.0.0
  • Page 715 (”passive”), active (”no passive”), or to automatically follow (”passive auto”) the global OSPF setting declared by the ”[no] passive-interface” setting in router ospf context. Default: Auto (”passive auto”)
  • Page 716 - MD5: With MD5 authentication each OSPF message will include a cryptographic checksum, i.e., a message authentication code (MAC), based on a secret only known by the system administrator. The same secret must be configured on the neighbouring routers. MD5 secrets are text strings of 4-16 characters.
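What the ”MD5” option actually puts on the wire is OSPFv2 cryptographic authentication as specified in RFC 2328, Appendix D: the secret, zero-padded to 16 bytes (hence the 16-character limit), is appended to the packet, MD5 is run over packet plus secret, and the 16-byte digest is appended after the packet. The authentication field of the header carries a key ID and a cryptographic sequence number that the receiver uses for replay protection. The block below is an added example, not WeOS code, showing both the sender and the receiver side; it is keyed MD5 as the protocol defines it (not HMAC, and not a recommendation of MD5), and the router IDs, secrets and packet body are constructed. Without authentication, anyone on the segment can inject OSPF updates, which is why the setting matters even inside a ”trusted” plant network.

```python
"""OSPFv2 cryptographic authentication (RFC 2328, Appendix D), which is
what the WeOS OSPF 'auth md5' option configures per interface.

Added example, not WeOS code.  Keyed MD5 with the secret appended (as the
RFC specifies, not HMAC); the secret is zero-padded to 16 bytes, which is
why secrets are limited to 16 characters."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# OSPF header: version, type, packet length, router ID, area ID, checksum, AuType
OSPF_HDR = struct.Struct("!BBHIIHH")
# Authentication field for AuType 2: zero, key ID, auth data length, crypto sequence
AUTH_FIELD = struct.Struct("!HBBI")
AUTYPE_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16


def pad_key(secret: str) -> bytes:
    key = secret.encode()
    if not 4 <= len(key) <= 16:        # the 4-16 character limit the page states
        raise ValueError("secret must be 4-16 characters")
    return key.ljust(16, b"\0")


def build_packet(ptype: int, router_id: int, area_id: int, body: bytes,
                 key_id: int, seq: int, secret: str) -> bytes:
    """Assemble header + auth field + body and append the MD5 digest."""
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)   # digest is NOT counted in length
    header = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPTOGRAPHIC)
    auth = AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + pad_key(secret)).digest()


class Verifier:
    """Receiving side: one instance per interface, keys indexed by key ID."""

    def __init__(self, keys: Dict[int, str]) -> None:
        self.keys = keys
        self.last_seq: Dict[int, int] = {}   # highest sequence seen per neighbour router ID

    def verify(self, wire: bytes) -> Tuple[bool, str]:
        if len(wire) < OSPF_HDR.size + AUTH_FIELD.size + DIGEST_LEN:
            return False, "truncated"
        _, _, length, router_id, _, _, autype = OSPF_HDR.unpack_from(wire)
        if autype != AUTYPE_CRYPTOGRAPHIC:
            return False, "unexpected AuType"
        _, key_id, dlen, seq = AUTH_FIELD.unpack_from(wire, OSPF_HDR.size)
        if dlen != DIGEST_LEN or length + DIGEST_LEN != len(wire):
            return False, "bad length"
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown key id"
        # Replay protection: the sequence number must not go backwards.
        if seq < self.last_seq.get(router_id, 0):
            return False, "replayed sequence number"
        expected = hashlib.md5(wire[:length] + pad_key(secret)).digest()
        if not hmac.compare_digest(expected, wire[length:]):
            return False, "bad digest"
        self.last_seq[router_id] = seq
        return True, "ok"


if __name__ == "__main__":
    # Constructed: router ID 10.0.1.1 (0x0A000101), backbone area, key ID 1.
    hello = build_packet(1, 0x0A000101, 0, b"hello-body", key_id=1, seq=100, secret="s3cret")
    v = Verifier({1: "s3cret"})
    print(v.verify(hello))
    print(v.verify(hello[:-20] + bytes([hello[-20] ^ 1]) + hello[-19:]))   # one body byte flipped
```

The sequence check is what stops an attacker from simply recording a valid packet and re-sending it later; note it is per neighbour router ID, so an attacker who can also forge a different router ID still needs the secret.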
  • Page 717 40 seconds. If the interface towards that neighbour goes down (e.g., if (all) the Ethernet port(s) associated with that interface go down), the router will react immediately instead of waiting for the dead interval to expire.
  • Page 718 ”network” in the middle. The designated router (DR), as well as a backup designated router (BDR), are elected automatically. If no node has been elected as DR or BDR, the router with
  • Page 719 DR will give up its role if it discovers another router which also considers itself to be DR, and if that router has higher priority (with router-id as tie-breaker). Such a situation could occur if a segmented LAN becomes connected.
  • Page 720: Ospf Web

    IP subnet (NETWORK/LEN). Click on the icon to edit settings or the icon to delete an entry. Press the Add button to add an entry. To view all settings, click on Show Advanced View (see next page).
  • Page 721 Router ID Click on the icon to set the OSPF router identifier. The router ID is given in dotted decimal form <a.b.c.d> or as an integer
  • Page 722 Press the Add button to add an entry. Protocol Distance The administrative distance used when selecting between multiple routes to the same destination.
  • Page 723 28.2.1 OSPF Status Page Menu path: Status > Routing > OSPF Show the status of OSPF.
  • Page 724: Managing Ospf Via The Cli

    Sec. 28.3.12 [no] range <NETWORK/LEN> advertise Sec. 28.3.13 [<advertise|not-advertise>] Configure Interface Specific OSPF Settings interface <IFACE> [no] ospf Sec. 28.3.14 [no] passive [auto] Auto Sec. 28.3.15 [no] cost <1-65535> Sec. 28.3.16
  • Page 725 Use ”no ospf” to disable OSPF and delete all existing OSPF configuration. Use ”show ospf” to show a summary of all general OSPF settings. Also available as the ”show” command within the Router OSPF Configuration context. Default values Disabled (no ospf)
  • Page 726 ”network” entry. Use ”show network” to show the OSPF network settings. Default values Disabled, i.e., no ”network” entries exist when first activating OSPF (see section 28.3.2). The backbone area (0.0.0.0) is used as default area.
  • Page 727 ”network” command will not run OSPF, unless OSPF is explicitly enabled on the interface (see the ”no passive” command in section 28.3.15). Use ”show passive-interface” to show the default behaviour of OSPF interfaces (passive or active). Default values Active (”no passive-interface”)
  • Page 728 Use ”show redistribute [<connected|static|rip>]” to show the OSPF redistribution settings: ”show redistribute” shows all redistribution settings, while ”show redistribute connected”, etc., shows the settings for a specific type of redistribution. Default values Disabled (”no redistribute”)
  • Page 729 <AREAID>” to show settings for a specific area. (Also available as the ”show” command within the OSPF Area Configuration context.) Default values Disabled (”no area”) 28.3.10 Configure an Area as Stub Syntax [no] stub [no-summary] Context OSPF Area Configuration context
  • Page 730 Usage Configure the cost of the default route injected into a stub area. This setting only applies to the ABRs of a stub or NSSA area. Use ”no default-cost” to use the default value for the default cost setting.
  • Page 731 Syntax [no] ospf Context Interface Configuration context Usage Enter the Interface OSPF Configuration context, i.e., the context where interface specific OSPF settings are configured. Use ”no ospf” to remove any specific OSPF settings for this interface.
  • Page 732 Use ”show cost” to show the OSPF cost setting for this interface. Default values 10 (this may be subject to change in later versions of WeOS).
  • Page 733 The dead interval setting must be the same on neighbour routers. Use ”show dead-interval” to show the OSPF dead interval setting for this interface. Default values 40 (seconds) 28.3.19 Configure Interface OSPF Network Type Syntax [no] network <broadcast|non-broadcast>
  • Page 734 Use ”no auth” to disable authentication of OSPF messages on this interface. Use ”show auth” to show the OSPF authentication setting for this interface. Default values Disabled 28.3.21 Configure OSPF Designated Router Priority Syntax [no] priority <0-255>
  • Page 735 Usage Show the current least-cost routes learnt via OSPF. See also the command ”show ip route” (section 22.7.26), which displays the full forwarding/routing table. Default values Not applicable 28.3.24 Show OSPF Neighbours Syntax show ip ospf neighbor [<IFACE | detail>] Context Admin Exec context.
  • Page 736 Usage Use ”show ip ospf database” to list the current OSPF database. Various keywords can be added to view specific parts of the database. Default values By default, the full database is listed.
  • Page 737: Dynamic Routing With Rip

    RIP on. The router will automatically discover its neighbours and start to exchange routing information. To enable RIP on all interfaces on R1 in fig. 29.1, the configuration shown below would suffice.
  • Page 738 ”upper interface” (i.e., the interface with address 10.0.1.3/24). It is also possible to specify the interfaces explicitly; assuming the three interfaces of R1 are called vlan1, vlan2, and vlan3, the following configuration would give the same result:
  • Page 739 In case a neighbour router is unable to handle IP multicast, the ”neighbor” command enables the exchange of RIP messages using regular IP unicast. While RIPv2 uses IP multicast, RIPv1 exchanges routing information using broadcast.
  • Page 740 In some situations you may wish to include a router’s subnets as part of the RIP routing domain without running RIP on the associated network interface. To accomplish this the network should be defined in the router rip context (as usual),
  • Page 741 (”no passive”), or to automatically follow (”passive auto”) the global RIP setting declared by the ”[no] passive-interface” setting in router rip context. Default: Auto (”passive auto”) Below is an example, with the same result as above, where interfaces are passive in RIP by default.
  • Page 742 Example iface vlan1 inet static ... Skipping lines address 10.0.1.3/24 no passive iface vlan2 inet static ... Skipping lines address 10.0.2.1/24 no passive router passive-interface network 10.0.1.0/24 network 10.0.2.0/24 network 10.0.3.0/24
  • Page 743: Rip Web

    Select what RIP version (1 or 2) to use by default RIP Networks/Interfaces Enable RIP on the specified router Network/Interface Click this icon to delete a RIP Network or RIP Interface. To view all settings, click on Show Advanced View (see next page).
  • Page 744 Select what RIP version (1 or 2) to use by default RIP Networks/Interfaces Enable RIP on the specified router Network/Interface Interfaces Default Passive Define whether RIP should be run on the interfaces defined (implicitly) via the RIP
  • Page 745 Click this icon to delete a RIP Network or RIP Interface. Protocol Distance The administrative distance used when selecting between multiple routes to the same destination. 29.2.1 RIP Status Page Menu path: Status > Routing Show the status of RIP.
  • Page 746: Managing Rip Via The Cli

    [no] split-horizon [poisoned-reverse] Enabled Sec. 29.3.12 [no] send-version <1,2> Auto Sec. 29.3.13 [no] receive-version <1,2> Auto Sec. 29.3.14 [no] auth <md5 [keyid] | plain> <SECRET> Disabled Sec. 29.3.15 View RIP Status show ip rip Sec. 29.3.16
  • Page 747 Syntax [no] timers [update <SEC>] [invalid <SEC>] [flush <SEC>] Context Router RIP Configuration context Usage Several timers of the RIP protocol can be changed using the timers command. All timers take a value between <5-2147483647> seconds.
  • Page 748 Usage Enable RIP on the specified router interface. The interface can be specified either explicitly (”network <IFACE>”) or implicitly by giving the IP subnet associated with the interface (”network <NETWORK/LEN>”). Use ”no network <IFACE>” and ”no network <NETWORK/LEN>” to remove an existing ”network” entry.
  • Page 749 29.3.11). Similarly, if the setting is ”passive-interface”, the interfaces associated with the ”network” command will not run RIP, unless RIP is explicitly enabled on the interface (see the ”no passive” command in section 29.3.11).
  • Page 750 OSPF, etc. Use ”show redistribute [<connected|static|rip>]” to show the RIP redistribution settings. Use ”show redistribute” to show all redistribution settings, or ”show redistribute connected”, etc., to show redistribute settings for specific types of redistribution.
  • Page 751 29.3.11 Configure Interface RIP Passive Settings Syntax [no] passive [auto] Context Interface RIP Configuration context Usage Control whether a specific interface should be passive (”passive”), active (”no passive”), or to automatically follow (”passive auto”) the global
  • Page 752 1”), RIPv2 (”send-version 2”), or both RIPv1 and RIPv2 (”send-version 1,2”). Use ”no send-version” to remove override settings and return to the auto setting. (Override can also be removed for individual versions, e.g., ”no send-version 1” to remove version 1 as override setting.)
  • Page 753 - Plain: Use ”auth plain <SECRET>” to use a clear-text password as authentication. Plain text secrets are text strings of 4-16 characters. (The secret must be the same on neighbour routers.) Note that the plain password is carried unencrypted in every RIP message, so anyone able to capture traffic on the segment learns it; prefer ”auth md5” wherever the neighbours support it.
  • Page 754 Default values Disabled 29.3.16 Show RIP Status Information Syntax show ip rip (or simply ”show rip”) Context Admin Exec context. Usage Show RIP status information, e.g., active interfaces, discovered RIP neighbours, etc. Default values Not applicable
  • Page 755: Ip Multicast Routing

    Multicast Routing Statistics -”- Related Settings Layer-2 multicast forwarding IGMP Snooping Section 30.1.3 Static Multicast Router Ports -”- Static MAC FDB entries -”- Block local ping responses Section 30.1.4 VRRP control of IP Multicast Section 31.1.6
  • Page 756 WeOS currently only supports the latter. 30.1.2 Static multicast routing Contrary to static unicast, multicast has a separate routing table and is handled a little differently. To be able to route multicast you need the following:
  • Page 757 WeOS to either disable IGMP Snooping per VLAN, add a specific FDB MAC entry for the multicast group to open up additional ports in the switch, or use the multicast router port feature to forward all multicast on a given port.
  • Page 758 WeOS router sends an IGMP join for the multicast group to be routed on the given inbound interface. This has the odd side-effect that the router now also responds to local pings to that group. To disable this, see Sec. 22.7.17.
  • Page 759: Managing Multicast Routing Via Web Interface

    30.2.1 Adding a Static Multicast Route Menu path: Configuration > Routing > Static Multicast By default no static multicast routes are set up. Click on New to create a new static multicast route. Figure 30.2: No multicast routes enabled by default.
  • Page 760 Figure 30.3: Declare multicast group, inbound interface and source of sender. Add outbound interfaces to your multicast route by selecting them in the drop-down and clicking Add for each one. Figure 30.4: Select an outbound interface and press Add for each one.
  • Page 761 30.2.2 Adding a Sourceless Static Multicast Route Menu path: Configuration > Routing > Static Multicast WeOS supports ”source-less” static multicast routes as well; simply leave the Source Address field empty. Figure 30.5: Source-less: declare only multicast group, inbound and outbound interfaces.
  • Page 762 30.2.4 Deleting a Static Multicast Route Menu path: Configuration > Routing > Static Multicast In the overview, click the trashcan icon for the static multicast routing rule to delete. Figure 30.7: Confirm deleting a static multicast route by clicking Yes.
  • Page 763 The actual kernel multicast routing table is very useful to inspect for debugging, e.g., seeing the number of packets routed or any on-demand added ”source-less” multicast routes. Figure 30.8: Kernel multicast routing table, active multicast routes.
  • Page 764: Managing Multicast Routing Via Cli

    Section 21.3.6 [no] forwarding Enabled Section 22.7.4 icmp [no] broadcast-ping Enabled Section 22.7.17 firewall [no] filter [ARGS . . . ] Section 32.3.3 [no] nat [ARGS . . . ] Section 32.3.5
  • Page 765 30.3.2 Configure static multicast routes Syntax [no] mroute group <MCADDR> in <IFNAME> [src <IPADDR>] out <IFNAME-LIST> group <MCADDR> IPv4 multicast group to route in <IFNAME> Inbound interface for multicast stream src <IPADDR> Optional IPv4 sender address of multicast stream
  • Page 766 Example Assume you have configured the following mroute rules: Example example:/config/ip/#> mroute group 225.1.2.3 src 192.168.2.42 in vlan1 out vlan2,vlan3 example:/config/ip/#> mroute group 225.3.2.1 in vlan1 out vlan2,vlan3 Then the resulting kernel multicast routing table may end up looking like this:
  • Page 767 Please note that when reconfiguring static multicast rules, or when related interfaces go up/down the statistics are reset. So do not rely on them for accurate measurements, they only exist to aid in debugging. © 2018 Westermo Teleindustri AB...
  • Page 768: Virtual Router Redundancy (VRRP)

    With this option enabled, the backup router will prevent the routing of (static) IP multicast routes in addition to IP unicast routing. See chapter 30 for information on support for static IP multicast routing in WeOS.
  • Page 769: Introduction to WeOS VRRP Support

    - A host will typically have an IP setting where the default gateway points to a specific router. An example is given in fig. 31.1a, where the host (H) will send all traffic towards the Internet via Router 1 (R1) with IP address
  • Page 770 VRRP enables a host to have redundant routers. For "router to router" redundancy, dynamic routing protocols such as OSPF (chapter 28) or RIP (chapter 29) can be used. 31.1.2 Common VRRP parameters Some common VRRP parameters are listed below:
  • Page 771 VIP address ("192.168.1.3") is separate from the addresses assigned to R1 ("192.168.1.1") and R2 ("192.168.1.2"). Although discouraged, it would have been possible to choose "192.168.1.1" as VIP address. Being the owner of the address, R1 must in that case
  • Page 772 (highest priority always becomes master), or a sticky behaviour where the elected master router would keep its role even when another router with higher priority later appears on the network. With preemption disabled, the second router
  • Page 773 Authentication has been removed completely in version 3 since it was considered not to provide any real security. It is mandatory that the master and the backup routers use the same VRRP version. Default: VRRPv2
  • Page 774 Figure 31.2: Illustrating a topology using synchronised groups. Both instances on R1 will always remain in master state as long as no fault is detected (e.g. link down). On a fault, R1 will become backup on both instances and R2 will become master for both instances.
  • Page 775 Fig. 31.3 shows a load sharing example. Here the VIP addresses reside within the same IP subnet. However, since WeOS supports multi-netting, the VIP addresses could be on different IP subnets.
  • Page 776 Figure 31.3: Example setup where R1 and R2 share the load from IP subnet 192.168.1.0/24, using VRRP to back up each other. Hosts with Default GW 192.168.1.3: R1 Master, R2 Backup. Hosts with Default GW 192.168.1.4: R2 Master, R1 Backup.
  • Page 777: Managing VRRP via the Web Interface

    Click this icon to remove a VRRP instance. You will be asked to acknowledge the removal before it is actually executed. Button New: Click this button to create a new VRRP instance.
  • Page 778 Ungroup: For synchronised fail-over, first select one group of VRRP instances and then click this button to ungroup the instances. They will be left as two individual instances that have to be removed separately.
  • Page 779 31.2.1 Create a new VRRP instance using the web interface Menu path: Configuration Routing VRRP Interface: The interface on which to listen for VRRP information and act as gateway. Only VLAN interfaces may be selected.
  • Page 780 BACKUP state. Only one VRRP instance per interface may be configured for controlling multicast routing. The checkbox is disabled if another instance is in control. For more information on the different settings, see section 31.1.1.
  • Page 781 31.2.2 Edit VRRP settings using the web interface Menu path: Configuration Routing VRRP For a description of the fields, see section 31.2.1. 31.2.3 VRRP Status Page Menu path: Status Routing VRRP Show the status of all configured VRRP instances.
  • Page 782: Managing VRRP via the CLI

    31.3.1 Create and Manage a VRRP Instance
    Syntax: [no] vrrp <INSTANCEID>
    Context: Router Protocol Configuration context
    Usage: Create, manage, or delete a VRRP instance. Use "vrrp <INSTANCEID>" to enter the VRRP Instance Configuration context of the specified VRRP in-
  • Page 783 VRID must be unique per switch. A virtual router identifier is a mandatory setting ("no vrid" is an invalid setting). Use "show vrid" to show the configured virtual router ID (VRID) for this VRRP instance. Default values: None
  • Page 784 Syntax: [no] interval <1..MAX> | <100..MAX * 1000> msec
    Context: VRRP Instance Configuration context
    Usage: Configure the VRRP advertisement interval in seconds or milliseconds. MAX (in the syntax description) depends on the VRRP version: 255 for version 2 and 40 for version 3.
  • Page 785 IP address used as VIP address, i.e., if the VIP address is assigned as an IP address to this router's interface (see section 22.6.3). Use "no priority" to return to the default priority setting. Use "show priority" to show the configured VRRP priority for this VRRP instance. Default values: 100
  • Page 786 Use "show preempt" to show the configured VRRP master preemption setting for this VRRP instance. Default values: Disabled ("no preempt"). When enabled, the delay defaults to 0 seconds.
    31.3.9 Configure VRRP Message Authentication
    Syntax: [no] auth <plain> <SECRET>
    Context: VRRP Instance Configuration context
  • Page 787 Use "show track" to show the configured VRRP track entries, i.e., the dynamic VRRP priority setting. Default values: Disabled. Example: In this example, this virtual router's priority is lowered from 150 to 50 if the router cannot reach the host 192.168.3.11 through the (upstream) interface vlan2.
  • Page 788 Use "show sync" to show the configured VRRP instance ID this instance is synchronized with. Default values: Disabled. Example: In this example, virtual router instance 33 is synchronized with instance 35.
    example:/config/#> router
    example:/config/router/#> vrrp 33
    example:/config/router/vrrp-33/#> sync 35
    example:/config/router/vrrp-33/#> leave
    example:/#> copy running start
  • Page 789 Use "show mroute-ctrl" to show the configured VRRP multicast routing control setting for this instance. Default values: Disabled.
    31.3.13 Show VRRP Status
    Syntax: show vrrp
    Context: Admin Exec context
    Usage: Show the status of all configured VRRP instances.
    Default values: Not applicable
  • Page 790: Firewall Management

    Application level gateway (ALG) helper functions can be enabled to provide connection tracking of more complex protocols, such as FTP and SIP. Section 32.1 describes the firewall functionality available in WeOS. Sections 32.2 and 32.3 cover firewall management via the Web Interface and via the CLI.
  • Page 791: Overview

    - Packet Filtering: The packet filtering support is primarily used to control what traffic is allowed to be routed via the switch (forward filtering), but can also be used to control accessibility to services on the switch itself (input filtering).
  • Page 792 FTP, which utilises a control connection to exchange information on TCP port numbers for data connections for the actual file transfers – to enable a PC to download files through a firewall from an FTP server on the Internet, the
  • Page 793 - Filtering chains (input, forward, output): Filter rules can apply to
    – traffic destined to the switch (input filtering), e.g., HTTP traffic to manage the switch,
    – traffic forwarded/routed by the switch (forward filtering), or
    – traffic generated by the switch (output filtering).
  • Page 794 As of WeOS v4.24.1, the implicit IPsec VPN rules are added before the configured filter rules (for performance reasons). Thus, the implicit IPsec VPN rules cannot be overridden by rules configured by the user.
  • Page 795 22.2.7) utilises firewall functionality to control which network interfaces the unit can be managed through.
    - Other filter rules:
    – Connection tracking (related/established): The WeOS firewall will allow all packets associated with established connections, as well as packets
  • Page 796 Such packets are subject to pre-routing. An example of a packet with an "invalid" state is when a firewall sees a TCP "SYN+ACK" without having seen the preceding TCP "SYN" in the other direction.
  • Page 797 IP address, or the rule could match a whole IP subnet.
    - Destination IP Address/Subnet: The destination IP address of the packet. This can be specified as a single IP address, or the rule could match a whole IP subnet.
  • Page 798 filter evaluation lists, use the command "show firewall" (see section 32.3.13) from the Admin Exec context. The order in which rules are inserted in the input and forward filters is described below. See http://www.iana.org/assignments/protocol-numbers/ for a list of defined IP protocols.
  • Page 799 - VRRP: IP protocol 112 is allowed for appropriate interfaces if VRRP is configured on the unit (see chapter 31).
    - Serial Over IP: If Serial Over IP is configured (Server, Peer or AT command mode), an allow rule according to the configured (UDP/TCP) port
  • Page 800 As of WeOS v4.24.1, "allow" rules for enabled management services are added given that the "Default policy" for the input filter is set to "deny". If the default policy is changed to "allow", then "deny" rules for disabled management interfaces will be inserted instead.
  • Page 801 filter rules will be added to allow the "railway NAT" traffic to pass. 8. Default Policy: Packets not matching any of the rules above will be handled according to the default policy for the forwarding filter chain.
  • Page 802 - Outbound Interface: The interface where the packet is sent out.
    - Source IP Address/Subnet: The source IP address of the packet. This can be specified as a single IP address, or the rule could match a whole IP subnet.
  • Page 803 1 is used for carrying this kind of data. See fig. 32.2. The IPv4 ToS octet has historically been used in different ways. Figure 32.3: ToS bits according to RFC 791 + RFC 1349 (Precedence field). See http://www.iana.org/assignments/protocol-numbers/ for a list of defined IP protocols.
  • Page 804 WeOS does not support the PHB names for configuration, but the table below can be used to convert PHB names to the corresponding decimal values. Table: PHB Name to DSCP value (rows for AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43; the DSCP values are not present in this extract).
  • Page 805 Enabling this flag will introduce more work for the CPU inside the WeOS unit for every packet that is modified. As this decreases the maximum routing performance, it should only be enabled when necessary.
  • Page 806 "addfilter" option as shown in the example below (here we assume that the interface on the "Outbound/Public" side is named "vlan2").
    example:/config/ip/firewall/#> nat type napt out vlan2 addfilter
    Appropriate interface IP settings must be configured, and IP routing must also be enabled, see chapter
  • Page 807 (called "new destination" in the web configuration and "to-dst" in CLI config) in routing and filtering as the external network is not visible inside the unit.
  • Page 808 Figure 32.7: Reverse 1-to-1 NAT mapping (figure labels: IP Source 10.20.30.2, Inbound Interface, 1-TO-1 Gateway, Server, IP Source 192.168.0.2). 32.1.4.2.2 Reverse 1-to-1 NAT 1-to-1 NAT is bi-directional, which means that the NAT works in the reverse direc-
  • Page 809 "inbound" interface is located on the public Internet, use of the "addfilter" option for "1-to-1 NAT" is too permissive. Instead you could add explicit firewall rules to allow traffic according to your specific requirements. An example is
  • Page 810 10.0.0/16 range. If the PC sends an ARP Request for 10.0.1.33 (PLC3), WeOS Router1 will respond and announce its own MAC address in the ARP reply. Traffic from the management PC (and other
  • Page 811 Chapter 30 describes WeOS support for IP multicast routing. Combining NAT and IP multicast routing is not generally supported, although there exist some specific use cases which work as of WeOS v4.24.1. Furthermore, when using
  • Page 812 Westermo OS Management Guide Version 4.24.1-0 NAT for IP multicast traffic, the address translation only applies to the source IP address of the multicast packet (the source address is a unicast IP address).
  • Page 813 NAT/NAPT gateway, i.e., users on the Internet will connect to the Web server using the public IP address (here 1.2.3.4) and TCP port number (here 8080), without knowing that the traffic is forwarded to a server inside the internal network.
  • Page 814 This log file can be viewed from the web interface via the "View Log" function under the menu "Maintenance". It can also be viewed in the CLI with the command "show log://kern.log". For more information about log files and configuration of remote syslog, please see chapter
  • Page 815 The rate is continuous. This means that the allowance of log entries will be evenly distributed over the time unit. An example: "60 per hour" will allow 60 entries per hour, but distributed evenly as at most one log entry per minute.
  • Page 816 figure out what specific rule was causing it. A rule position number or some other helping reference to the specific rule may be added in a later release of WeOS.
  • Page 817 Fields of a firewall log entry:
    TOS=0x00 PREC=0x00 TTL=63 ID=51588: Packet length and other IP header options
    PROTO=ICMP: The IP protocol
    TYPE=8 CODE=0 ID=10941 SEQ=1: The rest is protocol-specific data and flags, in this specific case an ICMP ping request
  • Page 818 SRC=192.168.2.10 DST=192.168.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51801 DF PROTO=TCP SPT=55631 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0
    Jan 15 14:49:16 example kernel: FW-DENY: IN=vlan1 OUT= MAC=00:07:7c:10:de:c1:00:80:c8:3c:25:b7:08:00:45:00:00:1c:4a:ca SRC=192.168.2.10 DST=192.168.2.200 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=19146 PROTO=UDP SPT=2702 DPT=2000 LEN=8
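The FW-DENY lines above use the netfilter KEY=VALUE layout, and the same key can appear twice in one entry (LEN for the IP header and again for the UDP header, ID for the IP header and again for ICMP), which naive splitting silently overwrites. The parser below is an added example, not code from the manual or from WeOS: it splits such lines into fields, attributes a repeated key to the layer-4 protocol named by the preceding PROTO field, derives the chain from IN/OUT, and tallies denies per source and target so the kernel log can be fed to a SIEM or alert rule. The sample lines are constructed from the manual's two entries plus one made-up ICMP entry and one unrelated syslog line.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the manual's two FW-DENY entries (the TCP one given a
# timestamp prefix and a shortened MAC field), a made-up ICMP deny in the
# forward chain, and an unrelated syslog line that the parser must ignore.
SAMPLE_LOG = [
    "Jan 15 14:49:10 example kernel: FW-DENY: IN=vlan1 OUT= "
    "MAC=00:07:7c:10:de:c1:00:80:c8:3c:25:b7:08:00 "
    "SRC=192.168.2.10 DST=192.168.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=51801 DF PROTO=TCP SPT=55631 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Jan 15 14:49:16 example kernel: FW-DENY: IN=vlan1 OUT= "
    "MAC=00:07:7c:10:de:c1:00:80:c8:3c:25:b7:08:00:45:00:00:1c:4a:ca "
    "SRC=192.168.2.10 DST=192.168.2.200 LEN=28 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=19146 PROTO=UDP SPT=2702 DPT=2000 LEN=8",
    "Jan 15 14:49:20 example kernel: FW-DENY: IN=vlan1 OUT=vlan2 "
    "MAC=00:07:7c:10:de:c1:00:80:c8:3c:25:b7:08:00 "
    "SRC=192.168.2.10 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=51588 PROTO=ICMP TYPE=8 CODE=0 ID=10941 SEQ=1",
    "Jan 15 14:49:21 example sshd[123]: Accepted password for admin from 192.168.2.10",
]

# Syslog prefix plus the firewall tag (FW-DENY or any other FW-* tag); the
# remainder is a run of KEY=VALUE tokens mixed with bare flag tokens (DF, SYN).
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<tag>FW-[A-Z]+): (?P<fields>.*)$"
)


def parse_fw_line(line: str) -> Optional[Dict[str, str]]:
    """Return a flat dict for one firewall log line, or None for any other line."""
    m = _HEADER.match(line)
    if m is None:
        return None
    rec: Dict[str, str] = {"timestamp": m["ts"], "host": m["host"], "tag": m["tag"]}
    flags: List[str] = []
    proto: Optional[str] = None
    for tok in m["fields"].split():
        if "=" not in tok:
            flags.append(tok)  # DF, SYN, ACK, ... carry no value
            continue
        key, _, val = tok.partition("=")
        if key == "PROTO":
            proto = val
        elif key in rec and proto is not None:
            # A key repeated after PROTO belongs to the layer-4 header (the UDP
            # LEN, the ICMP ID); the IP-header value stays under the plain key.
            key = f"{proto}_{key}"
        rec[key] = val
    rec["FLAGS"] = ",".join(flags)
    # IN set with OUT empty means the packet was addressed to the unit itself
    # (input chain); both set means it was being routed (forward chain).
    rec["chain"] = "forward" if rec.get("OUT") else "input"
    return rec


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every firewall entry in a list of syslog lines, skipping the rest."""
    return [rec for rec in map(parse_fw_line, lines) if rec is not None]


def deny_summary(records: List[Dict[str, str]]) -> Counter:
    """Count FW-DENY entries per (source, protocol, destination, target).

    The target is the destination port for TCP/UDP and the ICMP type otherwise.
    The firewall log is rate limited (5 entries per second by default, section
    32.3.12), so these counts are a lower bound on what was actually dropped.
    """
    counts: Counter = Counter()
    for rec in records:
        if rec["tag"] != "FW-DENY":
            continue
        proto = rec.get("PROTO", "?")
        target = rec.get("DPT", "-") if proto in ("TCP", "UDP") else rec.get("TYPE", "-")
        counts[(rec.get("SRC"), proto, rec.get("DST"), target)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(deny_summary(parse_log(SAMPLE_LOG)).items()):
        print(n, *key)
```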
  • Page 819: Firewall Management via the Web Interface

    This can in a short time fill up the log files. Limit: Set the threshold rate value and time unit for the limitation. See section 32.1.6 for information about how the limitation operates.
  • Page 820 Active: A green check-mark means the rule is active, and a dash means it is inactive.
  • Page 821 "NAPT" type is pre-selected. Change the type to "1-TO-1" to see the other view. If you have disabled JavaScript you will only see one view with all fields from both NAPT and 1-TO-1 together.
  • Page 822 Destination Interface: Mandatory. The interface that should represent all IP addresses on the subnet of the internal interface. This is the external/public interface, typically the interface connected to the Internet.
  • Page 823 firewall settings. 32.2.2.2 New NAT Rule - 1-TO-1 NAT view Active: Rule is active if checked. Type: 1-TO-1. If you change to NAPT, the view will change. See section 32.2.2.1.
  • Page 824 firewall settings. 32.2.3 Edit NAT Rule Menu path: Configuration Firewall In the Edit NAT Rule configuration page you can change an existing NAT rule. See section 32.2.2 for a description of editable fields.
  • Page 825 Active: A green check-mark means the rule is active, and a dash means it is inactive.
  • Page 826 Selected Rules: Selected rules may be modified by selecting the rules to modify, selecting the modification action in the drop-down list and then clicking the Apply button.
  • Page 827 field will not be displayed unless you check the subnet radio button. Destination Address: Mandatory. The destination IP address to which the packets will be forwarded.
  • Page 828 32.2.6 Edit Port Forwarding Rule Menu path: Configuration Firewall Port Forwarding In the Edit Port Forwarding Rule configuration page you can change an existing port forwarding rule. See section 32.2.5 for a description of editable fields.
  • Page 829 Enabled: Yes means rules are active. No means rules are deactivated and all traffic is allowed through. Individual deactivation of rules applies when this setting is Yes (active). Edit: Click this icon to edit the global settings.
  • Page 830 INPUT chain, i.e., traffic destined to the switch itself (ICMP pings, SSH management, etc.). Destination Port: The rule will be applied to traffic destined to this set of (UDP/TCP) ports.
  • Page 831 Selected Rules: Selected rules may be modified by selecting the rules to modify, selecting the modification action in the drop-down list and then clicking the Apply button.
  • Page 832 Select the policy by clicking the radio button. Filter Rules Enabled: Check the box to activate the rules, or uncheck to deactivate the rules. Deactivation means all traffic is allowed through (policy is changed to allow).
  • Page 833 The position in the list defining in what order rules will be applied. Defaults to last position. Change the value to insert this rule in another position. In Interface: The rule will be applied to traffic entering on this interface.
  • Page 834 The rule will be applied to traffic destined to this set of (UDP/TCP) ports. If JavaScript is enabled, the range start may be selected in the drop-down. Only valid if Protocol TCP or UDP has been selected (see above).
  • Page 835 Controls if a match on this rule should be logged in the kernel log file. Nothing will be logged unless logging is also enabled under the common firewall settings. Note: Logging differs in behavior between policy Accept and Deny. See section 32.1.6 for more details.
  • Page 836 32.2.10 Edit Packet Filter Rule Menu path: Configuration Firewall Filter In the Edit Packet Filter Rule configuration page you can change an existing packet filter rule. See section 32.2.9 for a description of editable fields.
  • Page 837 If the firewall is disabled or no rules have been created you will see no list, but will be presented with an information message. Click this button to create a new modify rule. You will be presented with a form where you can configure the new rule.
  • Page 838 Selected Rules: Selected rules may be modified by selecting the rules to modify, selecting the modification action in the drop-down list and then clicking the Apply button.
  • Page 839 In Interface: The rule will be applied to traffic entering on this interface. Out Interface: The rule will be applied to traffic exiting on this interface.
  • Page 840 The DSCP value to be set for packets matching this rule. Valid values 0-63. DSCP Adjust Priority: Indicates if the modified DSCP value should be used for switch-internal prioritising and applied to the VLAN priority on tagged packets. Check to enable.
  • Page 841 It is also possible to move the rule to a certain position in the list by changing the Position (order) field. The rule will be inserted at the requested position and the rule currently at that position will be shifted down. See section 32.2.12 for a description of editable fields.
  • Page 842 ALG Helper: In the ALG Helper configuration page you can activate Application Level Gateway (ALG) Helpers in the firewall. Check the box for the ALG helper to activate. See section 32.1.1 for a description of ALG helpers.
  • Page 843: Firewall Management via the CLI

    Deny   Section 32.3.9
    move [filter|modify|nat|port-forward] <FROM-POS> <TO-POS>   Section 32.3.10
    [no] passive [filter|modify|nat|port-forward] <POS>   Section 32.3.11
    [no] log limit ( none | <entries>/(second|minute|hour|day) )   Section 32.3.12
    [no] log [filter|nat|port-forward] <POS>   Section 32.3.12
  • Page 844 filtering (allow/deny) rules, and the activation of the default policies. Modify, NAT, Port Forwarding, and ALG helper rules are unaffected (they are always enabled). Use "enable" to (re)activate all configured packet filtering (allow/deny) rules and the configured default policies for the input and forward filter.
  • Page 845 5, and so on. If no position argument is given, the packet filter rule will be inserted last in the list. The position of a rule can be modified using the "move" command (see section 32.3.10).
  • Page 846 Use the "dst <ADDR[/LEN]>" argument to match a single destination IP address or a whole subnet. If both the "out <IFNAME>" and the "dst <ADDR[/LEN]>" arguments are omitted, the rule will apply to the
  • Page 847 Use the "show modify" command to list the current modifier rule list and their position numbers. Examples: * Insert rule: e.g., "modify pos 4 match in vlan2 set dscp 30" will insert a modifier rule at position 4 in the list of modifier
  • Page 848 "proto udp" or "proto tcp" is included.
    – Use the "sport <PORTRANGE>" argument to specify a source UDP or TCP port number or port range (ex: 87-89). This argument is only
  • Page 849 – "src <ADDR[/LEN]>". Optional. Specify that packets must originate from a specific IP subnet for this rule to apply.
    – "addfilter". If set, an automatic (invisible) packet filter rule will be created in the forward filtering chain allowing packets matching this
  • Page 850 - Delete a NAT rule: Use the command "no nat <POS>" to delete the NAT rule at position POS as shown with the command "show" or "show nat". Delete all NAT rules with "no nat".
  • Page 851 - The "log" parameter enables logging for traffic that matches this port forwarding rule. Nothing will however be logged if logging is enabled here but disabled under the common settings. See section 32.3.12. Use "show port-forward" to show configured port forwarding rules. Default values: Not applicable.
  • Page 852 Use "show spi" to show if stateful inspection is enabled or disabled. Default values: Disabled.
    32.3.9 Configure Forwarding and Input Default Policies
    Syntax: policy [forward|input] <allow|deny>
    Context: Firewall Configuration context
  • Page 853 003 filter deny in vlan1 out vlan2 proto icmp
    example:/config/ip/firewall/#> move filter 3 1
    example:/config/ip/firewall/#> show filter
    001 filter deny in vlan1 out vlan2 proto icmp
    002 filter allow in vlan1 out vlan2
    003 filter allow in vlan1 out vlan3
  • Page 854 32.3.12 Configuration of firewall logging This command has two uses: [1] to configure logging (and limit), and [2] to toggle the log flag on firewall rules.
    Syntax 1: [no] log limit ( none | <entries>/(second|minute|hour|day) )
  • Page 855 Default values: Logging is enabled by default when the firewall is enabled; however, no automatically created firewall rule will have the log parameter enabled by default. The default logging limit is set at 5 entries per second. Examples with usage 1
  • Page 856 Usage: Show current NAT rules, Port Forwarding rules, policies and entries in the Input and Forwarding Filters and Modifier rules. In addition, management interface configuration (see section 22.2.7) will appear as entries in the Input Filter. Default values: Not applicable.
  • Page 857: Virtual Private Networks and Tunnels

    Part IV Virtual Private Networks and Tunnels
  • Page 858: Overview of WeOS VPN and Tunnel Support

    - IPsec VPNs: WeOS supports IPsec VPNs with IKEv1 (shared key and certificates) for authentication, and ESP for encapsulation of encrypted IP packets.
    - SSL VPN: The WeOS SSL VPN support is based on OpenVPN http://www.openvpn.net
  • Page 859: Tunneling Using PPP

    WeOS provides support for GRE tunnels (IP over GRE), which is useful in scenarios where IPsec VPNs and OSPF are used to provide secure and redundant connectivity between branch offices and a central office. WeOS GRE support is covered in chapter
  • Page 860: PPP Connections

    Configuration of the serial port is described in chapter
    - Peer authentication: To authenticate the peer side of the PPP connection a local PPP user database is used. Configuration of local user databases is
  • Page 861: Overview of PPP Properties and Features

    - PPP over Serial Link: PPP can be used as data link protocol over serial links, e.g., by connecting to units directly via a serial (null-modem) cable, or over a PSTN by use of modems.
  • Page 862 Figure 34.1: PPP Connection Establishment Phases. PPP can be run over the serial port of a WeOS unit, but not via its console port. See section 1.5.1 for information on WeOS units equipped with serial ports.
  • Page 863 PPP can start to negotiate network level settings via one or more network layer protocols. Here the PPP IP Control Protocol (IPCP[30]) is used to negotiate IP settings. Acting as PPP client, WeOS units will use IPCP to
  • Page 864 - (Optionally) Some access networks are shared between multiple ISPs. In order to connect to the PPPoE Server of your ISP, you then need to fill in the service name provided by your ISP. This step can typically be skipped.
  • Page 865 Figure 34.3: PPP - Null modem setup example. Setting up null modem PPP is simple. Select null modem as mode on both sides, and change the local IP address on one side in the PPP context.
  • Page 866 The dial string is the AT sequence that starts the connection attempt. A typical dial string is ATDnnn, where nnn is the phone number to dial. If the modem uses a leased line the dial string is typically ATD.
  • Page 867 When using MPPE to encrypt your PPP session (see section 34.1.6), use of MS-CHAPv2 or MS-CHAP is required. If more than one protocol is available, a WeOS unit will propose protocols in the following preference order: CHAP, MS-CHAPv2, MS-CHAP, and finally PAP.
  • Page 868 To get traffic routed through the PPP interface (and bring it up) you can use a static route. A static 0.0.0.0/0 route to the PPP interface sets it as default.
  • Page 869 Below is an example where a PPP null-modem connection is configured to get its IP address, default route and name servers from its peer. In addition, here management of the unit through this PPP interface is limited to HTTPS.
  • Page 870 1
    example:/config/iface-modem0/#> no management
    example:/config/iface-modem0/#> management https
    example:/config/iface-modem0/#> end
    example:/config/#> end
    Starting Modem link monitor ........ [ OK ]
    Configuration activated. Remember "copy run start" to save to flash (NVRAM).
    example:/#> copy running startup
    example:/#>
  • Page 871: Managing Ppp Settings Via The Web Interface

    PPP over modem/serial port (sections 34.2.3-34.2.4). 34.2.1 PPPoE overview Menu path: Configuration PPPoE Figure 34.6: PPP settings overview Click on the Edit icon ( ) to edit the settings of a specific PPPoE instance. © 2018 Westermo Teleindustri AB...
  • Page 872 The Remote IP for this link Peer Authentication Enable authentication of peers Authentication Pro- Select authentication protocol(s) tocol Crypto Select link encryption Dial-on-demand Enable Dial-on-demand and sets disconnect time- MRU Negotiation Enable maximum receive unit (MRU) negotiation © 2018 Westermo Teleindustri AB...
  • Page 873 Westermo OS Management Guide Version 4.24.1-0 Figure 34.8: PPPoE advanced edit page © 2018 Westermo Teleindustri AB...
  • Page 874 Westermo OS Management Guide Version 4.24.1-0 34.2.3 Modem overview Menu path: Configuration Modem Figure 34.9: Modem settings overview Click on the Edit icon ( ) to edit the settings of a specific Modem instance. © 2018 Westermo Teleindustri AB...
  • Page 875 Set the AT-sequence to dial the remote host Username Username for authenticating against the peer Password Password for authenticating against the peer Local IP The Local IP for this link Remote IP The Remote IP for this link Continued on next page © 2018 Westermo Teleindustri AB...
  • Page 876 Peer Authentication Enable authentication of peers Authentication Pro- Select authentication protocol(s) tocol Crypto Select link encryption Dial-on-demand Enable Dial-on-demand and sets disconnect time- MRU Negotiation Enable maximum receive unit (MRU) negotiation Modem advanced edit page © 2018 Westermo Teleindustri AB...
  • Page 877: Managing PPP Settings via the CLI

    Sec. 9.3.5. Table 34.3: CLI settings relevant for PPPoE management. All PPP settings are available in the "ppp-advanced" subcontext. The most common PPP settings are (also) available in the main "pppoe" context.
  • Page 878 Table 34.5: CLI settings relevant for management of PPP over serial ports with or without external modem. All PPP settings are available in the "ppp-advanced" subcontext. The most common PPP settings are (also) available in the main "modem" context.
  • Page 879 Sec. 34.3.13; no aaa-method, Basic, Sec. 34.3.15; ppp-advanced demand 600, Enabled, Sec. 34.3.18. Table 34.6: Summary of differences in default settings and in the split between basic and advanced PPP settings for different dial modes.
  • Page 880
    Syntax: [no] service-name <SERVICE-NAME>
    Context: PPPoE Configuration context
    Usage: ISP name or a class of service configured on PPP. Use "show service-name" to check the service name setting for this PPPoE instance.
    Default values: Disabled ("no service-name")
  • Page 881
    Syntax: [no] dial <in out>
    Context: PPP Modem Configuration context
    Usage: Dial mode with external modem or null modem mode. – "no dial": Null modem mode. – "dial in": Dial-in. WeOS will respond to incoming calls.
  • Page 882 In other words, when dial mode is one of "dial out" or "dial in out". Use "show dial-string" to view the current dial string. Default values: ATD. 34.3.9 PPP Enable. Syntax: [no] enable
  • Page 883 (PPPoE Configuration and PPP Modem Configuration contexts) above. See tables 34.3-34.6 for more information. 34.3.12 PPP Local Address Setting. Syntax: [no] address <ADDRESS>. Context: Generic PPP setting (PPPoE Configuration and PPP Modem Configuration contexts)
  • Page 884 Use "show auth-proto" to view the currently allowed protocols. Default values: Auto, see section 34.1.5 for more details. Example:
        # only accept/agree to use pap
        example:/config/pppoe-0/ppp-advanced/#> auth-proto pap
        example:/config/pppoe-0/ppp-advanced/#>
        # accept/agree to use pap or chap
        example:/config/pppoe-0/ppp-advanced/#> auth-proto pap chap
        example:/config/pppoe-0/ppp-advanced/#>
  • Page 885 When "proxy-arp" is enabled, WeOS will proxy ARP requests for the peer's address under the following conditions: – The peer has an address that belongs to the same subnet as the interface on which the ARP request is received.
  • Page 886 Use "no mru" to disable the MRU negotiation. No MRU parameter will be sent to the peer during the PPP link establishment phase, and any MRU parameter received from the peer will be rejected. Use "show mru" to check the MRU setting for this PPP instance.
  • Page 887 Default values: Enabled ("mru")
  • Page 888: GRE Tunnels

    Show GRE Tunnel Status. 35.1.1 Introduction to GRE tunnels. GRE is an encapsulation method for tunnelling data packets over the IP protocol, and is specified in RFC 2784 [8]. GRE can encapsulate arbitrary data packets, but
  • Page 889 Figure 35.1: GRE tunnel example (outer IP header with TTL, IP-Src and IP-Dst; GRE header; GRE payload carrying the inner IP packet with its own TTL, IP-Src, IP-Dst and data). The GRE checksum is optional. WeOS does not include a checksum in transmitted GRE packets
  • Page 890 Figure 35.2: Redundant VPN solutions can be achieved by running two VPN gateways (IPsec/GRE/OSPF) at each site (the figure shows Local Subnet-A and Local Subnet-B connected over the Internet, with a second tunnel endpoint at each site: Alice2 with IP address a.b.c.d'' and Bob2 with IP address e.f.g.h'').
  • Page 891 The outbound interface is then selected on a per-packet basis by consulting the routing table (just like any other IP packet). It is also possible to configure the GRE tunnel to only allow traffic to go out via a specific network interface.
  • Page 892: Managing GRE Settings via the Web Interface

    Edit: Click this icon to edit a GRE instance. Delete: Click this icon to remove a GRE instance. You will be asked to acknowledge the removal before it is actually executed. Click this button to create a new GRE instance.
  • Page 893 For description of fields, see section 35.2. 35.2.2 Edit GRE settings using the web interface. Menu path: Configuration > VPN & Tunnel. For description of fields, see section 35.2. The Instance ID cannot be changed after creation.
  • Page 894: Managing GRE Settings via the CLI

    Use the "show [gre [ID]]" command within the Tunnel Configuration context. Also available as the "show" command within the GRE Tunnel Configuration context, and as "show tunnel [gre [ID]]" within the Global Configuration context. Default values: Not applicable.
  • Page 895 Usage: Set the remote endpoint IP for the GRE packets in this tunnel. This setting is used together with the local endpoint IP to specify the outer GRE packets. More info in section 35.3.3.
  • Page 896 Use "no ttl" to use the TTL defined for the interface where the GRE packets are routed out. Use "show ttl" to show the configured TTL value for this tunnel. Default values: Inherit ("no ttl")
  • Page 897
    Syntax: show tunnel gre [ID]
    Context: Admin Exec context.
    Usage: Show the status for all or for a specific GRE tunnel.
    Default values: If no tunnel ID is specified, the status of all tunnels is shown.
  • Page 898: IPsec VPNs

    Figure 36.1: IPsec VPN tunnels can be used to securely connect hosts and networks over the Internet (the figure shows secure tunnels over the Internet between a central office network, a branch office network, a remote home and a remote road-warrior).
  • Page 899: Overview of IPsec VPN Management Features

    fig. 36.2 to explain some VPN related terminology. – Peers: The two VPN gateways (Alice and Bob) are referred to as IPsec peers. The peers constitute the end-points of the secure tunnel. One of the peers
  • Page 900 Internet at various locations and still be able to establish the VPN tunnel. This is commonly referred to as Bob being a road warrior. – Local and Remote Subnet: Each peer will define what traffic should be al-
  • Page 901 255.255.255.255) instead of a network. As in the NETWORK-NETWORK use case, Bob's PC can be configured as a road warrior connecting from different IP addresses, and with NAT-T enabled he can connect from behind a NAT gateway.
  • Page 902 WeOS supports IKE version 1 (IKEv1) with authentication through pre-shared keys (PSK) or certificates (RSA signature keys using X.509 certificates). In IKEv1 there are two authentication handshakes (phase-1 and phase-2):
  • Page 903 VPN tunnel is negotiated, as well as the session keys used to encrypt and integrity protect the data sent through the tunnel. The user can also specify whether the IKE handshake should use the main (de-
  • Page 904 When using aggressive mode, Alice and Bob should be configured to use a specific cipher suite (the same at both sides). When aggressive mode is selected, WeOS by default uses the suite AES128-SHA1-DH1024.
  • Page 905 IP addresses of Charlie and Dave, and the outer IP header contains the addresses of the VPN gateways Alice and Bob. In IPsec there is also the choice of protecting the data using either the AH (Authentication Header) or the ESP (Encapsulating Security Payload) format. WeOS only supports
  • Page 906 The DPD settings can be configured individually on each peer. It is even possible to disable DPD on one of the peers; that peer will still respond to DPD probing messages from the other peer.
  • Page 907 IP address as peer identification. This in turn means that IKE aggressive mode should be used if the initiator's IP address is not fixed, e.g., if Bob may change location (road warrior), or if he is using DHCP to acquire his address on
  • Page 908 (auto-mode is not possible). Simplest is to use the default settings: AES-128 for encryption, SHA1 for authentication, and automatic Diffie-Hellman group (for PFS). – Enable PFS: Yes. – DPD Delay: 30 seconds (default). – DPD Timeout: 120 seconds (default). Responder specific settings (Alice):
  • Page 909 At most 25 instances can be created. – Enable the VPN tunnel: Yes (default). – Outbound interface: Default gateway (or "vlan2"). – Aggressive mode: No (i.e., use main mode). – IKE (phase-1) cipher suite: Auto (simplest).
  • Page 910 – Remote-id: Auto (or type "IP Address", Identifier "10.1.2.3" or "alice.example.com"). – DPD Action: Restart. 36.1.8 Use of certificates for IKE authentication. WeOS supports IKE authentication via certificates and pre-shared keys (PSKs), with certificate based authentication as the recommended method. While PSK based
  • Page 911 Distinguished Name (ID_DER_ASN1_DN) is recommended. As stated in section 36.1.3, the identity methods domain name (ID_FQDN), email (ID_USER_FQDN), and IP address (ID_IPV4_ADDR) are possible too, but require the specific identity to be included as subjectAlt-
  • Page 912 IPsec tunnel. E.g., if Alice (IPsec Responder/VPN Gateway) uses the DN string "C=US, O=ACME, CN=*" as remote-id, it would match certificates with different CNs (e.g., Bob or Charlie) as long as the other relative distin-
  • Page 913 In this user scenario, a VPN unit such as Alice will have to upload/import – the certificate of her CA (CA – her own certificate (AliceCert), and – the private key associated with her certificate.
  • Page 914 DN string matches "C=US, O=ACME, CN=*". The remote certificate only needs to be specified in the trusted peer use case, see section 36.1.8.3. The default setting is "no remote-cert", thus this line may not be shown
  • Page 915 Bob's CA. In this user scenario, a VPN unit such as Alice will have to upload/import – the certificate of her CA (CA – the certificate of Bob's CA (CA
  • Page 916 Web interface. However, a similar service can be achieved via the trusted peer use case, see section 36.1.8.3. – For comments on other settings, see the related example in section 36.1.8.1.
  • Page 917 Typically she would then upload/import her private key, her CA and own certificates as a password protected PKCS#12 bundle, while Bob's certificate could be uploaded/imported as a PEM file. (See section 7.1.8 for more information on certificate management.)
  • Page 918 – Remote-id: As of WeOS v4.24.1, Remote-id cannot use "auto" mode ("no remote-id"). That may change in future versions of WeOS. – Remote CA: The remote-ca setting does not apply when a remote certificate is specified, and is thus not shown in the example.
  • Page 919 Example settings, Alice (left column) and Bob (right column):
        local-cert AliceCert      local-cert BobCert
        remote-cert BobCert       remote-cert AliceCert
        no initiator              initiator
        dpd-action clear          dpd-action restart
        dpd-delay 30              dpd-delay 30
        dpd-timeout 120           dpd-timeout 120
        sa-lifetime 28800         sa-lifetime 28800
        ike-lifetime 3600         ike-lifetime 3600
  • Page 920: Managing VPN Settings via the Web Interface

    Specify the maximum transfer unit for IPsec packets. The setting Override affects all IPsec tunnels. Restart: Click this button to restart the IPsec daemon. All IPsec tunnels will be torn down and restarted.
  • Page 921 Edit: Click this icon to edit the settings of a VPN tunnel. Delete: Click this icon to remove a VPN tunnel. Note: Tunnels which are not intended to be used should either be deleted or disabled (section 36.2.2).
  • Page 922 36.2.2 Configure new IPsec tunnel via the web interface. Menu path: Configuration > VPN & Tunnel > IPsec > New IPsec Tunnel. When clicking the New IPsec Tunnel button the window to configure a new IPsec tunnel appears.
  • Page 923 This option is required if the node is acting as Initiator of the VPN tunnel. This option is only possible to set if the Any checkbox is un-checked.
  • Page 924 DPD Timeout: If a period corresponding to the DPD timeout elapses without getting any response on the DPD probe messages, the VPN gateway considers the peer to be down.
  • Page 925 Local Certificate: Label of local certificate (and associated private key). Mandatory when IKE authentication is based on certificates. Remote Certificate: Label of remote (peer) certificate. Only used for trusted peer scenarios, see section 36.1.8.3.
  • Page 926 Diffie-Hellman group manually (see below). Note: ESP cipher auto-negotiation is only valid with main mode IKE. In case of aggressive mode, a specific ESP cipher suite must be configured (see below).
  • Page 927 IKE Lifetime(s): The maximum lifetime of the IKE (Phase 1) SA in seconds. Default is 3600 (1h). SE Lifetime(s): The maximum lifetime of the ESP (Phase 2) SA in seconds. Default is 28800 (8h).
  • Page 928 Menu path: Configuration > VPN & Tunnel > IPsec (IPsec Tunnel). By clicking the Edit button in the list of IPsec tunnels, you reach the Edit IPsec Tunnel page, as shown below. For information on the available configuration items, see section 36.2.2.
  • Page 929 Configured settings can also be seen by hovering the pointer over the More button (you need JavaScript enabled in your browser to see this information).
  • Page 930: Managing VPN Settings via the CLI

    (syntax continued) <inet <IPADDR|DOMAIN> | name <DOMAIN|USER> | email <USER@DOMAIN> | key <ID> | dn <DNSTRING>>. [no] remote-id <inet <IPADDR|DOMAIN> | name <DOMAIN|USER> | email <USER@DOMAIN> | key <ID> | dn <DNSTRING>>, default Auto, Section 36.3.18.
  • Page 931 Usage: Use the "tunnel" command to enter the Tunnel Configuration context. Use "show tunnel" to list configured VPN tunnels (also available as the "show" command within the Tunnel Configuration context). Default values: Not applicable. 36.3.2 Enable/disable IPsec NAT Traversal. Syntax: [no] ipsec-nat-traversal
  • Page 932 Usage: Create, delete, or modify an IPsec VPN tunnel. Use "ipsec <INDEX>" to create a new IPsec tunnel, or to enter the IPsec Configuration context of an existing IPsec tunnel. (To find the index of configured tunnels, use "show tunnel" as described in section 36.3.1.)
  • Page 933 Note: Tunnels which are not intended to be used should either be deleted (section 36.3.4) or disabled. Default values: Enabled. 36.3.6 IKE phase-1 aggressive or main mode. Syntax: [no] aggressive. Context: IPsec Configuration context
  • Page 934 Use "show pfs" to show whether perfect forward secrecy is enabled or disabled for this tunnel. Default values: Enabled ("pfs"). 36.3.8 Configure allowed crypto algorithms for IKE phase-1. Syntax: [no] ike crypto <3des|aes128|...> auth <md5|sha1|sha256> dh <1024|...>. Context: IPsec Configuration context
  • Page 935 IKE phase-1 negotiation is set to "AES128-SHA1-DH1024" ("esp crypto aes128 auth sha1 dh 1024"). Examples: The following example shows the output when AES-128 is used for encryption, SHA-1 for message authentication, and Diffie-Hellman group 1024.
  • Page 936 When configured as a responder, any combination of the listed algorithms will be accepted. Use "show esp" to show the configured ESP cipher suite for this tunnel. "Auto" is shown if the VPN gateway is configured to auto-negotiate which ESP cipher suite to use.
  • Page 937 Valid characters are ASCII characters 33-126, except '#' (ASCII 35). Use "no secret" to remove a configured pre-shared secret. Use "show secret" to show the configured pre-shared secret (PSK) for this tunnel. Default values: Empty
  • Page 938 Use "show remote-cert" to show the remote certificate setting. Default values: Disabled. 36.3.14 Manage Remote CA restrictions. Syntax: [no] remote-ca <same|any|dn <DNSTRING>>. Context: IPsec Configuration context (only valid when "method cert" and "no remote-cert" are set).
  • Page 939 Use "show outbound" to show the configured outbound interface for this tunnel. "Default Gateway" is shown if the interface leading to the default gateway should be used as outbound interface.
  • Page 940 Usage: Set the identifier (type and value) for the peer VPN gateway. The remote-id is used by the peer VPN gateway during the IKE handshake. Typically the "name" type with a simple ID text string (e.g., "bob") can be used to identify the peer VPN gateway.
  • Page 941 Use "show local-subnet" to show the configured local subnet for this tunnel. "None" is shown if no local subnet has been configured. Default values: None ("no local-subnet"). 36.3.20 Configure Remote Subnet. Syntax: [no] remote-subnet <SUBNET/LEN | SUBNET NETMASK> [shared]. Context: IPsec Configuration context
  • Page 942 If "no local-protocol" is specified, all IP protocols are allowed. Use "show local-protocol" to show the local IP protocol and UDP/TCP port settings for this tunnel. Default values: Disabled ("no local-protocol"), i.e., all local IP protocols allowed.
  • Page 943 Use "show initiator" to show whether the VPN gateway acts as Initiator or Responder for this tunnel. Default values: Responder ("no initiator"). 36.3.24 Configure Dead Peer Detection Action. Syntax: [no] dpd-action <clear|hold|restart>. Context: IPsec Configuration context
  • Page 944 Use "no dpd-delay" to return to the default setting. Use "show dpd-delay" to show the configured DPD delay setting (in seconds). Default values: 30 (seconds). 36.3.26 Configure Dead Peer Detection Timeout. Syntax: [no] dpd-timeout <SECONDS>
  • Page 945 2 negotiation will be initiated. The remote peer may use a different value. In that case, the peer with the lowest timeout will initiate the renegotiation first. Use "no sa-lifetime" to return to the default setting.
  • Page 946
    Syntax: show tunnel ipsec [ID]
    Context: Admin Exec context.
    Usage: Show the status for all or for a specific IPsec tunnel.
    Default values: If no tunnel ID is specified, the status of all tunnels is shown.
  • Page 947: Feature Parameters

    36.4 Feature Parameters: MAX_IPSEC_INSTANCES
  • Page 948: SSL VPN

    In an SSL VPN we have a VPN Server Gateway (Alice) providing secure access to a protected network (e.g., a central office network) to one or more VPN Clients (Bob) connecting over an insecure network such as the Internet. Bob could be (footnote: http://openvpn.net, OpenVPN home page, March 2014)
  • Page 949 Table 37.1: Summary of SSL VPN features. ... a single host (a HOST-NET SSL VPN) as shown in fig. 37.1, or Bob could itself be a VPN gateway with a local network attached (a NET-NET SSL VPN) as shown in fig. 37.2.
  • Page 950 As explained in section 37.1.3, multiple clients can connect to the same server instance. When creating multiple SSL instances, ensure that they use different port numbers, see also section 37.1.2.
  • Page 951 TCP port 443, you should either disable Alice's web server or configure her web server to listen for HTTPS at another port. An example where Alice listens for SSL connections on TCP port 443 is given below.
  • Page 952 Although other topologies are possible for layer-3 SSL interfaces, current WeOS support is limited to the subnet topology. For more information on other possible SSL topologies not yet supported by WeOS (p2p and net30), see http://openvpn.net.
  • Page 953 37.1.3.4 Below is an example of configuring the SSL interface type to layer-2 at Alice in fig. 37.2. Example:
        alice:/config/#> tunnel
        alice:/config/tunnel/#> ssl 0
        alice:/config/tunnel/ssl-0/#> type layer2
        alice:/config/tunnel/ssl-0/#> leave
        alice:/#>
  • Page 954 Alice can either hand out addresses from a pool or by defining client specific addresses: – Address pool: Alice can define an address pool to assign addresses from, see below. Example:
        alice:/config/#> tunnel
        alice:/config/tunnel/#> ssl 0
        alice:/config/tunnel/ssl-0/#> pool start 10.0.2.100 end 10.0.2.110
        alice:/config/tunnel/ssl-0/#> leave
        alice:/#>
  • Page 955 Bob can decline using these settings offered by Alice by using the "no pull" command. This does not affect Bob's IP address assignment, which is instead controlled via interface settings as described in section 37.1.3.2.
  • Page 956 firewall. This is a simple approach which works both in HOST-NET and NET-NET topologies, and can thus be recommended to enable client-client communication when there is no need to limit traffic with firewall filters at the SSL server.
  • Page 957 Alice can be configured with multiple SSL tunnel instances (e.g., ssl0 and ssl1). Traffic between clients of different instances is handled via the regular WeOS firewall. When creating multiple SSL instances, ensure that they use different port numbers, see also section 37.1.2.
  • Page 958 37.1.6.2). The example below allows nodes in "ssl0" to communicate with nodes in "ssl1" and vice versa. Example:
        alice:/config/#> ip
        alice:/config/ip/#> firewall
        alice:/config/ip/firewall/#> filter allow in ssl0 out ssl1
        alice:/config/ip/firewall/#> filter allow in ssl1 out ssl0
        alice:/config/ip/firewall/#> leave
        alice:/#>
  • Page 959 WeOS unit(s) is via the WeOS web, see chapter 7.2.6 for more information. It is also possible to install certificates via the CLI. A CLI example (footnote: http://openvpn.net, OpenVPN home page, March 2014)
  • Page 960 37.1.4.1.1 Multiple VPN clients sharing the same certificate: Typically, each VPN client will have a unique certificate issued by their CA, but it is also possible for multiple VPN clients (Bob and Dave) to be configured with the same
  • Page 961
        Type        : plain
        Description : openvpn-users
        Number of users
        Username   Password
        ---------- ----------
        builder
        alice:/config/aaa/local-db-1/#> end
        alice:/config/aaa/#> end
        alice:/config/#> tunnel ssl 0
        alice:/config/tunnel/ssl-0/#> aaa-method local-db 1
        alice:/config/tunnel/ssl-0/#> leave
        alice:/#>
  • Page 962 To protect the SSL tunnel, you can choose between a set of data encryption and integrity protection alternatives: – Encryption: WeOS supports various encryption alternatives based on Blowfish, DES and AES. Default is Blowfish (BF-CBC).
  • Page 963 DDOS attack may potentially fill up all available connection slots on the server (socket memory/file descriptors). TLS Authentication requires that a special OpenVPN static key is imported into the system. The exact same key must be used on both ends of the tunnel for it to connect.
  • Page 964
        alice:/config/tunnel/ssl-0/#> tls-auth label mylabel direction 0
        alice:/config/tunnel/ssl-0/#> leave
        Configuration activated. Remember "copy run start" to save to flash (NVRAM).
        alice:/#>
    37.1.5 Other SSL tunnel settings. WeOS provides some additional SSL VPN settings:
  • Page 965 37.1), the VPN server typically pushes routing information for relevant IP subnets to the VPN clients during tunnel establishment (see also section 37.1.3.3). Below some other aspects of routing and SSL VPNs are listed:
  • Page 966 37.2, Alice will push routing information to Bob about her local network (10.0.0.0/24). She should then assign Bob a static address, as described in section 37.1.3.2. Here we assume Bob's certificate has Common Name "bob" and that Alice assigns him address 10.0.2.2/24.
  • Page 967 The VPN gateway (Alice) is typically used as a NAT gateway towards the Internet (interface vlan2 in figs. 37.1 and 37.2). Below is an example of NAT configuration, where ping (ICMP) and DNS requests are blocked on the upstream interface (vlan2).
  • Page 968
        filter deny in vlan2 proto icmp
        alice:/config/ip/firewall/#> filter allow proto icmp
        alice:/config/ip/firewall/#> leave
        Starting ZeroConf IPv4 link-local daemon ....[ OK ]
        Configuration activated. Remember "copy run start" to save to flash (NVRAM).
        alice:/#>
  • Page 969: Managing SSL VPN Settings via the Web Interface

    Edit: Click this icon to edit the settings of a VPN tunnel. Delete: Click this icon to remove a VPN tunnel. Note: Tunnels which are not intended to be used should either be deleted or disabled (section 37.2.2).
  • Page 970 Menu path: Configuration > VPN & Tunnel > SSL VPN (Instance). When clicking the New button the window to configure a new SSL VPN tunnel appears. To edit an existing tunnel, click on the Edit button for the tunnel.
  • Page 971 Common Name Binding (server mode): Set up Common Name binding; the X.509 certificate common name to match and the address to assign.
  • Page 972 In client mode this can be overridden by the server. Renegotiate: Set the renegotiation time for the data channel. This can be set on both the client and the server; if so, the lowest value will be used.
  • Page 973 Direction for TLS authentication key. Interface part: IP Address Enabled: Enable IPv4 address on the SSL interface. IP Address Method: Select method for IPv4 address, static or DHCP. IP Address: The IP address for the SSL interface.
  • Page 974 Menu path: Status > VPN & Tunnel > SSL VPN. The SSL VPN Status page lists the status of configured SSL VPN tunnels. Click the Details symbol for a specific tunnel to see more verbose status information.
  • Page 975: Managing SSL VPN Settings via the CLI

    | server-group <ID> | local <ID>>. Data Security Settings: [no] crypto <aes-128-cbc|...>, default bf-cbc, Section 37.3.17; [no] auth <sha1|sha256|md5>, default sha1, Section 37.3.18. Additional/Advanced Settings: [no] protocol <tcp|udp>, Section 37.3.19.
  • Page 976 [no] ssl <INDEX>, Section 37.3.1; no server, default Server, Section 37.3.2; [no] enable, default Enabled, Section 37.3.3; [no] description <STRING>, default empty, Section 37.3.4; [no] type <layer2|layer3>, default layer3, Section 37.3.5; [no] peer <ADDRESS|DOMAIN>, default empty, Section 37.3.11.
  • Page 977 See also (Interface and Firewall Settings): iface ssl<ID> inet <static|dynamic|dhcp>, default Dynamic (SSL), Section 22.6.1; various interface settings, Sec. 22.6; [no] firewall, default Disabled, Section 32.3.1; various Firewall/NAT settings, Sec. 32.3.
  • Page 978 SSL VPN Configuration context. Usage: Set the tunnel in server or client mode; use "no server" for client mode. Default values: Server. 37.3.3 Enable/disable an SSL VPN tunnel. Syntax: [no] enable. Context: SSL VPN Configuration context
  • Page 979 Use citation marks around the string if you want to have a description containing space characters. To view the current description, use "show description". Default values: Empty. Examples:
        example:/config/tunnel/ssl-19/#> description secrets
        or ...
        example:/config/tunnel/ssl-19/#> description "Office tunnel"
  • Page 980 Note: The address of the server interface will be untouched; you will need to configure it manually from the interface context for the ssl-interface, Sec. 22.6.1.
  • Page 981 ASCII 32-126, except '/' (ASCII 47). 'Space' (ASCII 32) cannot be used at the start or end of the string. "no common-name" deletes the common name setting, but without a defined common name the binding configuration is not valid.
  • Page 982 192.168.5.43/24. Default values: Not applicable. 37.3.11 Change remote peer. Syntax: [no] peer <ADDRESS|DOMAIN>. Context: SSL VPN Configuration context (only valid when client). Usage: Set the peer for the client to connect to. Default values: Disabled
  • Page 983 Usage: Enable TLS authentication. "KEY LABEL" is the label of an OpenVPN key to be used for authentication. The direction is optional; not setting it means to use the key in both directions (bidirectionally). Default values: Empty (disabled)
  • Page 984 Usage: This is only required if the server is configured to require an extra authentication layer after the certificate exchange, Section 37.3.15. Example: example:/config/tunnel/ssl-19/#> identity user1 password secrets. Default values: Disabled. 37.3.17 Change cryptographic cipher. Syntax: [no] crypto <bf-cbc|des-ede3-cbc|aes-128-cbc|aes-192-cbc|aes-256-cbc>. Context: SSL VPN Configuration context
  • Page 985 443, this will allow the tunnel to pass almost all firewalls, since the traffic will look like it is HTTPS. To achieve this in server mode you will have to move HTTPS on the WeOS unit to a separate port. See Section 8.3.29.
  • Page 986 Note: In server mode, this setting will also be pushed to the clients; if "pull" is enabled in the clients, they will not need to configure keepalive settings. Use "show keepalive" to view current keepalive settings. Default values: interval 10 restart 60
  • Page 987 No traffic will be passed through the normal network stack, e.g. firewall rules will not be possible. If you want to be able to set firewall rules per client you have to create multiple server instances and route between the instances.
  • Page 988 (section 1.5), the traffic load of the established tunnels as well as the configuration of your unit.
  • Page 989
    Syntax: show tunnel ssl [ID]
    Context: Admin Exec context.
    Usage: Show the status for all or for a specific SSL tunnel.
    Default values: If no tunnel ID is specified, the status of all SSL tunnels is shown.
  • Page 990: Feature Parameters

    37.4 Feature Parameters: MAX_SSL_INSTANCES, MAX_SSL_PUSH_SUBNETS, MAX_SSL_CN_BIND_INST
  • Page 991: Weconnect

    This chapter describes the WeOS support for the Westermo WeConnect service. Westermo WeConnect is a centralised on-line connectivity service offered by Westermo as a separate product (not normally included in the purchase of a WeOS product). The idea of the service is to connect equipment and networks through the Internet in an easy way while keeping the connection safe and encrypted using standard VPN features.
  • Page 992 Note WeConnect uses the IPv4 networks 198.18.0.0/16 and 198.19.0.0/16 internally for its operation. You cannot use these networks, or subnets within them, for other purposes on your WeOS unit while using WeConnect.
  • Page 993: Installing Weconnect Via The Web

    Internet and the WeConnect portal, and to check that the local time on your unit is properly set. If all goes well with the check, the rest of the input fields will be enabled: Please see the troubleshooting section if you get stuck on an error message dur-
  • Page 994 SSL VPN tunnel. Example, with the tunnel up: The warning message shown above the status information does not indicate an error, but serves as a notification that WeConnect is already set up and the installer cannot be run again.
  • Page 995: Installing Weconnect Via The Cli

    With WeConnect users can easily and securely connect to any IP-device on the network using their normal PC, smartphone or tablet. If you do not yet have an account, contact your local Westermo reseller or visit http://www.westermo.com/ for further information.
  • Page 996 253 The WeOS configuration was changed as part of the installation. Run "copy run start" to save to flash (NVRAM). Starting RIP daemon ........[ OK ] Starting SSL tunnel daemon ......... [ OK ]
  • Page 997: Troubleshooting

    This message usually means that you cannot reach the Internet. You need to configure your unit so that it has Internet access in some way. Please check that you have got a DHCP lease, or if configuring IP settings manually, that you
  • Page 998 - The WeConnect servers had some kind of problem. Please check that you have the correct ID and password, and re-run the WeConnect installation. If the information seems OK but still does not work, you can
  • Page 999 The traffic sent from one node is put into a VPN tunnel that terminates at Westermo's WeConnect servers on the Internet. It is then re-routed to the target node via the target node's VPN tunnel. This causes high latency for traffic going back and forth via this service.
  • Page 1000 - Delete the SSL VPN tunnel with ID 253. - Delete the RIP configuration. - Delete WeConnect related certificates and keys. - If you have the firewall enabled, you may need to remove firewall forward filter rules that are related to interface ssl253.
