Revision history—90002381 Revision Date Description Initial release of the IX20 User Guide. March 2020 Release of Digi IX20 firmware version 20.5: June 2020 Support for LDAP user authentication. Preconfigured Wi-Fi SSID and password enabled by default (available for the Wi-Fi enabled IX20W model only).
Digi Remote Manager. Added the ability to select Digi aView as the cloud service. Added the ability to duplicate firmware to copy the active firmware to the secondary firmware partition.
Information in this document is subject to change without notice and does not represent a commitment on the part of Digi International. Digi provides this document “as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Contact us at +1 952.912.3444 or visit us at www.digi.com/support. Feedback To provide feedback on this document, email your comments to techcomm@digi.com. Include the document title and part number (IX20 User Guide, 90002381 C) in the subject line of your email. IX20 User Guide...
Contents Revision history—90002381 What's new in Digi IX20 version 20.8 Digi IX20 Quick start Quick start using the Digi Remote Manager mobile app Step 1: What's in the box Step 2: Gather accessories Step 3: Connect Step 4: Power up...
Attach to DIN rail with bracket Configuration and management Review IX20 default settings Local WebUI Digi Remote Manager Default interface configuration Other default configuration settings Change the default password for the admin user Reset default SSID and pre-shared key for the preconfigured Wi-Fi access point...
Virtual Private Networks (VPN) IPsec IPsec data protection IPsec modes Internet Key Exchange (IKE) settings Authentication Configure an IPsec tunnel Configure IPsec failover Configure SureLink active recovery for IPsec Show IPsec status and statistics OpenVPN Configure an OpenVPN server
Use digidevice.datapoint to upload custom datapoints to Digi Remote Manager Use digidevice.config for device configuration Use Python to respond to Digi Remote Manager SCI requests Use digidevice runtime to access the runtime database Use Python to upload the device name to Digi Remote Manager
Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ user configuration TACACS+ server failover and fallback to local authentication Configure your IX20 device to use a TACACS+ server Remote Authentication Dial-In User Service (RADIUS) RADIUS user configuration RADIUS server failover and fallback to local configuration...
Configure Digi Remote Manager Collect device health data and set the sample interval Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
Use the ping command to troubleshoot network connections Ping to check internet connection Stop ping commands Use the traceroute command to diagnose IP routing problems Digi IX20 regulatory and safety statements RF exposure statement Federal Communication (FCC) Part 15 Class B Radio Frequency Interference (RFI) (FCC 15.105)
The revert command Enter strings in configuration commands Example: Create a new user by using the command line Command line reference analyzer help mkdir modem modem puk status [imei STRING] [name STRING] more ping reboot show system traceroute
Reduced data usage for reporting health metrics to Digi Remote Manager. Added Monitoring > Device Health > Only report changed values to Digi Remote Manager option to control sending metrics to Digi Remote Manager on the basis of whether the values have changed since they were last reported.
What's new in Digi IX20 version 20.8 Enhanced SMS support: Added System > Scheduled tasks > Allow scheduled scripts parameter to allow custom Python scripts to handle sending/receiving SMS messages. Added the digidevice.sms Python module for sending/receiving SMS messages in a custom Python script.
The following steps guide you through the setup of your Digi IX20 device. Quick start using the Digi Remote Manager mobile app After connecting your hardware and powering up, you can use the Digi Remote Manager mobile app to quickly install your IX20 into your Digi Remote Manager account.
Digi IX20 Quick start Step 1: What's in the box The Digi IX20 has a product label on the bottom of the device. The label includes product identification information and the default password assigned to the device. The IX20 also includes a terminal connector for the power supply installed in the power input.
1. Insert your activated SIMs provided by your cellular carrier into the Digi 1002-CM CORE modem. 2. Insert the CORE modem into the IX20 by aligning the white clip. Press the modem in and then push the white clip in until it locks firmly in place.
7. If you intend to configure Ethernet WAN access at this time, use an Ethernet cable to connect the IX20's WAN/ETH1 port to a hub with access to the Internet. 8. Use an Ethernet cable to connect the IX20 ETH2 port to your PC. Step 4: Power up a.
Wait for the power LED to stop blinking. The device is ready. Step 5: Configure a. On the PC connected to the IX20, open a browser and go to 192.168.2.1. b. Log into the IX20: User name: Use the default user name: admin.
Two 10/100 BaseT Ethernet ports for high-speed connectivity. For a detailed list of IX20 hardware specifications, see https://www.digi.com/products/networking/cellular-routers/industrial/digi-ix20#specifications. IX20 accessories When accessories are purchased with the IX20 device, the following are provided: Cellular antennas. Wi-Fi antennas (for the IX20W device only). Power supply.
IX20 power supply requirements. IX20 LEDs The IX20 LEDs are located on the top front panel. The number of LEDs varies by model. During bootup, the front-panel LEDs light up in sequence to indicate boot progress.
Digi IX20 hardware reference IX20 LEDs Power No power. Solid green Device has power The WAN/ETH1 Ethernet port not connected. Flashing green The WAN/ETH1 Ethernet port is connecting. Solid green The WAN/ETH1 Ethernet port is connected and has activity. Wi-Fi Service (IX20W model only) No Wi-Fi access points or Wi-Fi clients are enabled.
Digi IX20 hardware reference IX20 LEDs SIM2 not in use. Solid green SIM2 is in use. Indicates that the status of the ETH2 Ethernet port connection and the cellular module: Solid yellow (or orange) Solid green Initializing or starting up.
Solid amber: 1000 Mbps link detected. Signal quality bars explained The signal status bars for the Digi IX20 measure more than simply signal strength. The value reported by the 4G LTE signal bars is calculated using an algorithm that takes into consideration the Reference...
IX20 power supply requirements IX20 is intended to be powered by a certified power supply with output rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. Use the included power supply (part number 24000154).
10 Mbps is acceptable. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Digi IX20 hardware reference Configuration for extreme thermal conditions 6. Create a policy: (config firewall qos 2)> add policy end (config firewall qos 2 policy 0)> 7. Add a rule to the policy: (config firewall qos 2 policy 0)> add rule end (config firewall qos 2 policy 0 rule 0)>...
Hardware setup This chapter contains the following topics: Install SIM cards in the Plug-in LTE modem Connect data cables Mount the IX20 device
2. Insert the SIM cards into the 1002-CM. Note If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
1. Remove the anchor screw. 2. Pinch the two vertical sides of the white clip. 3. Slide the CORE modem out of the IX20 device. Tips for improving cellular signal strength If the signal strength LEDs or the signal quality for your device indicate Poor or No service, try the following things to improve signal strength: Move the device to another location.
The DIN rail clip is an optional accessory included when the IX20 is purchased with accessories. 1. Attach the DIN rail clip to the bottom of the device with the screws provided. 2. Set the IX20 device onto a DIN rail and gently press until the clip snaps into the rail.
3. Set the bracket with the clip onto a DIN rail and gently press until the clip snaps into the rail. WARNING! If being installed above head height on a wall or ceiling, ensure the device is fitted securely to avoid the risk of personal injury. Digi recommends that this device be installed by an accredited contractor.
Configuration and management This chapter contains the following topics: Review IX20 default settings Change the default password for the admin user Reset default SSID and pre-shared key for the preconfigured Wi-Fi access point Configuration methods Using Digi Remote Manager Access Digi Remote Manager...
Configuration and management Review IX20 default settings You can review the default settings for your IX20 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the IX20 WebUI as a user with Admin access. See Using the web interface for details.
Bridges Bridge: LAN Ethernet: Enabled Used by the ETH1 (Wi-Fi ETH2 model Wi-Fi interface only) access point: Digi Other default configuration settings Feature Configuration Digi Remote Manager enabled as the central management service. Central management
Reset default SSID and pre-shared key for the preconfigured Wi-Fi access point instructions. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
SSID and pre-shared key for the preconfigured Wi-Fi access point. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX20 device is configured to use Digi Remote Manager as its central management server. No configuration changes are required to begin using the Remote Manager.
Using the web interface To connect to the IX20 local WebUI: 1. Use an Ethernet cable to connect the IX20's ETH2 port to a laptop or PC. 2. Open a browser and go to 192.168.2.1. 3. Log into the device using a configured user name and password.
Configuration and management Using the web interface Log out of the web interface On the main menu, click your user name. Click Log out.
Log in to the command line interface Command line 1. Connect to the IX20 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface for more information.
Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the IX20 command line. You will now be connected to the Admin CLI: Connecting now, 'exit' to disconnect from Admin CLI ... >...
Interfaces IX20 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs) Local Area Networks (LANs)
Interfaces Wide Area Networks (WANs) The IX20 device is preconfigured with one Wide Area Network (WAN), named ETH1, and one Wireless Wide Area Network (WWAN), named Modem. Default Interface type Preconfigured interfaces Devices configuration Wide Area...
Wide Area Network (WWAN), named Modem. You can also create additional WANs and WWANs. When a WAN is initialized, the IX20 device automatically adds a default IP route for the WAN. The priority of the WAN is based on the metric of the default route, as configured in the WAN's IPv4 and IPv6 metric settings.
For Metric, type 1. c. Click IPv6. d. For Metric, type 1. 4. Set the metrics for ETH1: a. Click Network > Interfaces > ETH1 > IPv4. b. For Metric, type 2. c. Click IPv6. d. For Metric, type 2.
Wide Area Networks (WANs) 5. Click Apply to save the configuration and apply the change. The IX20 device is now configured to use the cellular modem WWAN, Modem, as its highest priority WAN, and its Ethernet WAN, ETH1, as its secondary WAN.
WAN/WWAN failover If a connection to a WAN interface is lost for any reason, the IX20 device will immediately fail over to the next WAN or WWAN interface, based on WAN priority. See...
Problems can occur beyond the immediate WAN/WWAN connection that prevent some IP traffic from reaching its destination. Normally this kind of problem does not cause the IX20 device to detect that the WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network.
WebUI SureLink can be configured for both IPv4 and IPv6. 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Change the Interval between connectivity tests. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Interval to ten minutes, enter 10m or 600s. The default is 15 minutes.
Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6. 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
(Optional) Set the amount of time that the interface can be down before this test is considered to have failed:
This is useful for interfaces that may regain connectivity after restarting, such as a cellular modem. c. To configure the device to reboot when the interface is considered to have failed: (config network interface my_wan ipv4 surelink)> reboot enable (config network interface my_wan ipv4 surelink)>
(config network interface my_wan ipv4 surelink)> timeout 600s (config network interface my_wan ipv4 surelink)> The default is 15 seconds. 8. (Optional) Repeat this procedure for IPv6. 9. Save the configuration and apply the change: (config network interface my_wan ipv4 surelink)> save Configuration saved. >
Type quit to disconnect from the device. Configure the device to reboot when a failure is detected Using SureLink, you can configure the IX20 device to reboot when it has determined that an interface has failed. Required configuration items Enable SureLink.
DNS test: Tests connectivity by sending a DNS query to the specified DNS server. HTTP test: Tests connectivity by sending an HTTP or HTTPS GET request to the URL specified in Web servers. The URL should take the format of http[s]://hostname/[path].
13. Click Apply to save the configuration and apply the change. Command line Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6.
Interfaces Wide Area Networks (WANs) 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config network interface my_wan ipv4 surelink target 0)> interface_down_time 600s (config network interface my_wan ipv4 surelink target 0)> The default is 60 seconds. (Optional) Set the amount of time to wait for an initial connection to the interface
(config network interface my_wan ipv4 surelink)> attempts num (config network interface my_wan ipv4 surelink)> The default is 3. e. Set the amount of time that the device should wait for a response to a probe attempt before considering it to have failed:
SureLink interface test. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
256 bytes to the IP host 43.66.93.111 every 10 seconds. If there are three consecutive failed responses, the IX20 device brings the ETH1 interface down and starts using the Modem interface. It continues to regularly test the connection to ETH1, and when tests on ETH1 succeed, the device falls back to ETH1.
For Ping host, type 43.66.93.111. h. For Ping payload size, type 256. 4. Repeat the above step for Modem to enable SureLink on that interface. 5. Click Apply to save the configuration and apply the change.
Wide Area Networks (WANs) Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Typically, you configure SIM1 of the cellular modem as the primary cellular interface, and SIM2 as the backup cellular interface. In this way, if the IX20 device cannot connect to the network using SIM1, it automatically fails over to SIM2. IX20 devices automatically use the correct cellular module firmware for each carrier when switching SIMs.
PAP: Uses the Password Authentication Profile (PAP) to authenticate. If Automatic, CHAP, or PAP is selected, enter the Username and Password required to authenticate. The default is None. 7. To add additional APNs, for Add APN, click and repeat the preceding instructions.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
You can view a summary status for all cellular modems, or view detailed status and statistics for a specific modem. WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click Status. 3. Under Connections, click Modems. The modem status window is displayed...
Wide Area Networks (WANs) Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line To unlock a SIM card: 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To run AT commands from the IX20 command line: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Using an AT&T SIM with the Telit LE910-NAv2 module is supported. The Telit LE910-NAv2 module is used in the 1002-CM04 CORE modem. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights.
For Zone, select External. e. For Device, select Modem. f. (Optional): Configure the public APN. If the public APN is not configured, the IX20 will attempt to determine the APN. i. Click to expand APN list > APN.
For APN, type the private APN provided to you by your cellular carrier. 5. Create the routing policies. For example, to route all traffic from LAN1 through the public APN, and LAN2 through the private APN:
Configure the source address: i. Click to expand Source address. ii. For Type, select Interface. iii. For Interface, select LAN2. k. Configure the destination address: i. Click to expand Destination address. ii. For Type, select Interface.
Set the modem device: (config network interface WWANPublic)> modem device modem (config network interface WWANPublic)> d. (Optional): Set the public APN. If the public APN is not configured, the IX20 will attempt to determine the APN.
Set the label that will be used to identify this route policy: (config network route policy 0)> label "Route through public apn" (config network route policy 0)> c. Set the interface: (config network route policy 0)> interface /network/interface/WWANPublic (config network route policy 0)>
(config network route policy 1)> interface /network/interface/WWANPrivate (config network route policy 1)> j. Configure the source address: i. Set the source type to interface: (config network route policy 1)> src type interface (config network route policy 1)>
(config network route policy 1)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Configure SureLink active recovery to detect WAN/WWAN failures for further information. MAC address blacklist and whitelist. To create a new WAN or edit an existing WAN: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights.
7. For Device, select an Ethernet device, a Wi-Fi client, or a bridge. See Bridging for more information about bridging. 8. Configure IPv4 settings: a. Click to expand IPv4. IPv4 support is enabled by default. b. For Type, select DHCP address. c. Optional IPv4 configuration items:
Never: Never use DNS servers for this interface. vi. Enable DHCP Hostname to instruct the IX20 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
Never: Never use DNS servers for this interface. k. Enable DHCP Hostname to instruct the IX20 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
IPv4 support is enabled by default. To disable: (config network interface my_wan)> ipv4 enable false (config network interface my_wan)> Configure the WAN to be a DHCP client: (config network interface my_wan)> ipv4 type dhcp (config network interface my_wan)>
Never use DNS servers for this interface. vi. Enable DHCP Hostname to instruct the IX20 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
Interfaces Wide Area Networks (WANs) Configure system information for information about setting the IX20 device's system name. b. See Configure SureLink active recovery to detect WAN/WWAN failures for information about configuring active recovery. 7. (Optional) Configure IPv6 settings: a. Enable IPv6 support: (config network interface my_wan)>...
The IPv6 management priority of the WAN. The active interface with the highest management priority will have its address reported as the preferred contact address for central management and direct device access. The IPv6 Maximum Transmission Unit (MTU) of the WAN.
WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
The default setting is When primary default route. f. SIM failover is enabled by default, which means that the modem will automatically fail over from the active SIM to the next available SIM when the active SIM fails to connect. If...
Reboot device: The device will reboot if automatic SIM switching is unavailable. 9. For APN list and APN list only, the IX20 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
2. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Match SIM carrier: The SIM carrier match criteria. This interface is applied when the SIM card is provisioned from the carrier. Format: AT&T Rogers Sprint T-Mobile Telstra Verizon Vodafone other Default value: AT&T Current value: AT&T (config network interface my_wwan)>
Normally, this should be left blank. It is only necessary to complete this field if the SIM does not have a phone number or if the phone number is incorrect. d. Roaming is enabled by default. To disable: (config network interface my_wwan)> modem roaming false (config network interface my_wwan)>
The device will reboot if automatic SIM switching is unavailable. 7. The IX20 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
(config network interface my_wwan)> ipv4 mtu num (config network interface my_wwan)> f. See Configure SureLink active recovery to detect WAN/WWAN failures for information about configuring active recovery. 10. Optional IPv6 configuration items: a. Click IPv6 to expand.
Type quit to disconnect from the device. Show WAN and WWAN status and statistics WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. From the menu, click Status. 3. Under Networking, click Interfaces.
Wide Area Networks (WANs) Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
4. Click the menu icon (...) next to the name of the WAN or WWAN to be deleted and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights.
4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The IX20 device is preconfigured with the following Local Area Networks (LANs): Interface type Preconfigured interfaces Devices Default configuration Local Area ETH2 Ethernet: Firewall zone: Network ETH2 (non- Internal (LAN) IP address: Wi-Fi 192.168.2.1/24...
A Local Area Network (LAN) connects network devices together, such as Ethernet or Wi-Fi, in a logical Layer-2 network. The following diagram shows a LAN connected to the ETH2 Ethernet device and the Digi AP access point (available for Wi-Fi enabled models only). Once the LAN is configured and enabled, the devices connected to the network interfaces can communicate with each other, as demonstrated by the ping commands.
To create a new LAN or edit an existing LAN: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
For Prefix ID, type the identifier used to extend the prefix to the assigned length. Leave blank to use a random identifier. f. Set the Metric.
13. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Set the IPv4 address and subnet of the LAN interface. Use the format IPv4_address/netmask, for example, 192.168.2.1/24. (config network interface my_lan)> ipv4 address ip_address/netmask (config network interface my_lan)> b. Optional IPv4 configuration items: i. Set the IP metric:
Generally, the default settings for IPv6 support are sufficient. You can view the default IPv6 settings by using the question mark (?): (config network interface my_lan)> ipv6 ? IPv6 Parameters Current Value ----------------------------------------------------------------------- -------- enable true Enable metric Metric mgmt Management priority 1500 prefix_id Prefix ID
> 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show LAN status and statistics WebUI
3. Under Networking, click Interfaces. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
LAN, LAN1. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
Type quit to disconnect from the device. DHCP servers You can enable DHCP on your IX20 device to assign IP addresses to clients, using either: The DHCP server for the device's local network, which assigns IP addresses to clients on the device's local network.
WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. auto: Broadcasts the IX20 device's gateway. custom: Allows you to identify the IP address of a custom gateway to be broadcast: (config)> network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_address (config)>...
(config)> where value is one of: none: No server is broadcast. auto: Broadcasts the IX20 device's server. custom: Allows you to identify the IP address of the server. For example: (config)> network interface my_lan ipv4 dhcp_server advanced primary_dns_custom ip_address (config)>...
To map static IP addresses: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
3. Under Networking, click DHCP Leases. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To delete a static IP entry: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Type quit to disconnect from the device. Configure DHCP options You can configure DHCP servers running on your IX20 device to send certain specified DHCP options to DHCP clients. You can also set the user class, which enables you to specify which specific DHCP clients will receive the option.
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
If the incorrect data type is selected, the device will send the value as a string. (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> datatype value (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> where value is one of: 1byte 2byte 4byte ipv4 The default is str.
LAN. For the IX20 device, DHCP relay is configured by providing the IP address of a DHCP relay server, rather than an IP address range. If both the DHCP relay server and an IP address range are specified, DHCP relay is used, and the specified IP address range is ignored.
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show DHCP server status and settings View DHCP status to monitor which devices have been given IP configuration by the IX20 device and to diagnose DHCP issues. ...
To create a VLAN: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Virtual LAN.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config network vlan vlan1)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Interfaces Bridging Bridging Bridging is a mechanism to create a single network consisting of multiple devices, such as Ethernet devices and wireless access points. By default, the IX20 has the following preconfigured bridges: Default Interface type Preconfigured interfaces Devices configuration...
To edit the preconfigured LAN bridge: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Bridges > LAN.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
/network/wireless/ap/digi_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge my_bridge)> ii. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap (config)> 5. (Optional) Enable Spanning Tree Protocol (STP).
Enable Spanning Tree Protocol (STP). To create a bridge: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
/network/wireless/ap/digi_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge my_bridge)> b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap (config)> 6. (Optional) Enable Spanning Tree Protocol (STP).
7. Save the configuration and apply the change: (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
IX20 devices have a single serial port that provides access to the command-line interface. Use an RS-232 serial cable to establish a serial connection from your IX20 to your local laptop or PC. Use a terminal emulator program to establish the serial connection. The terminal emulator's serial connection must be configured to match the configuration of the IX20 device's serial port.
Python applications that access the serial port. Modbus: Allows you to use the serial port for Modbus. The default is Login. 5. (Optional) For Label, enter a label that will be used when referring to this port.
These bytes are redisplayed when a user connects to the serial port. The default is 4000 bytes. f. For Idle timeout, type the amount of time to wait before disconnecting due to user inactivity. 3. Click to expand Monitor Settings.
Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Limit access to the serial port to a single active session: (config)> serial port1 exclusive true (config)> c. Set the number of bytes of output from the serial port that are written to buffer. These bytes are redisplayed when a user connects to the serial port.
Set the TCP port: (config serial USB_port)> service tcp port port (config serial USB_port)> iv. (Optional) Configure the access control list to limit access to the TCP connection: To limit access to specified IPv4 addresses and networks:
No limit to IPv6 addresses that can access the tcp port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config serial USB_port)> add service tcp acl interface end value (config serial USB_port)>...
(config serial USB_port)> service telnet enable false (config serial USB_port)> ii. Set the telnet port: (config serial USB_port)> service telnet port port (config serial USB_port)> iii. (Optional) Configure the access control list to limit access to the telnet connection:
No limit to IPv6 addresses that can access the telnet port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config serial USB_port)> add service telnet acl interface end value (config serial USB_port)>...
Set the ssh port: (config serial USB_port)> service ssh port port (config serial USB_port)> iii. (Optional) Configure the access control list to limit access to the telnet connection: To limit access to specified IPv4 addresses and networks:
No limit to IPv6 addresses that can access the ssh port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config serial USB_port)> add service ssh acl interface end value (config serial USB_port)>...
Enable TCP access: (config)> serial port1 service tcp enable false (config)> b. Set the TCP port: (config)> serial port1 service tcp port port (config)> c. (Optional) Configure the access control list to limit access to the TCP connection:
No limit to IPv6 addresses that can access the tcp port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 service tcp acl interface end value (config)>...
Enable telnet access: (config)> serial port1 service telnet enable false (config)> b. Set the telnet port: (config)> serial port1 service telnet port port (config)> c. (Optional) Configure the access control list to limit access to the telnet connection:
No limit to IPv6 addresses that can access the telnet port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 service telnet acl interface end value (config)>...
(config)> b. Set the ssh port: (config)> serial port1 service ssh port port (config)> c. (Optional) Configure the access control list to limit access to the telnet connection: To limit access to specified IPv4 addresses and networks:
No limit to IPv6 addresses that can access the ssh port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 service ssh acl interface end value (config)>...
Show serial status and statistics To show the status and statistics for the serial port: WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. On the main menu, click Status 3. Under Connections, click Serial. ...
Serial port Show serial status and statistics 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Configure a Wi-Fi access point with personal security Configure a Wi-Fi access point with enterprise security Isolate Wi-Fi clients Show Wi-Fi access point status and statistics Configure a Wi-Fi client and add client networks Show Wi-Fi client status and statistics
The Wi-Fi-enabled IX20W device has one Wi-Fi radio. You can configure the Wi-Fi radio for Wi-Fi access point mode or Wi-Fi client mode. By default, the IX20 radio is configured to use access point mode. Default access point SSID and password By default, the IX20 device has one access point enabled.
Digi AP
Enabled or disabled: Enabled
SSID: Digi-IX20W-serial_number
SSID broadcast: Enabled
Encryption: WPA2 Personal (PSK)
Pre-shared key: The unique password printed on the bottom label of the device.
Group rekey interval: 10 minutes
Client mode connections: none.
For the 5.0 GHz band, only non-Dynamic Frequency Selection (DFS) channels are supported. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
2.4 GHz b/g/n band. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi.
Wi-Fi Configure the Wi-Fi radio's transmit power 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
This procedure configures a Wi-Fi access point that does not require a password for client connections, and uses no security or encryption. By default, the IX20 device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
To configure a Wi-Fi access point with no security: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Command line Configure a new Access point 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Edit an existing Access point 1. Log into the IX20 command line as a user with full Admin access rights.
(config)> network wifi ap digi_ap encryption group_rekey value (config)> where value is any number of days, hours, minutes, or seconds, and takes the format number{d|h|m|s}. For example, to set group rekey interval to ten minutes, enter either 10m or 600s:
By default, the IX20 device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
Configure a Wi-Fi access point with personal security WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Command line Configure a new Access point 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Configure a bridge for more information. The access point must be assigned to an active LAN, or a bridge that is assigned to an active LAN. 6. Save the configuration and apply the change: (config)> save Configuration saved. >
Type quit to disconnect from the device. Edit an existing Access point 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
RADIUS server, rather than using preshared key on the IX20 device. By default, the IX20 device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
To configure a Wi-Fi access point with WPA2 enterprise security: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
For RADIUS IP/hostname, type the IP address or hostname of the RADIUS server. d. (Optional) Change the RADIUS port. The default port is 1812. e. For RADIUS secret key, type the secret key as configured on the RADIUS server.
Command line Configure a new Access point 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
The group key is shared by all clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed. (config network wifi ap new_AP)> encryption group_rekey value (config network wifi ap new_AP)>
Type quit to disconnect from the device. Edit an existing Access point 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Increasing the time between rekeys can improve connectivity in noisy environments. To disable group rekeys, set to 0. This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi-Fi radio is restarted. The default is 10 minutes.
Type quit to disconnect from the device. Isolate Wi-Fi clients Client isolation prevents wireless clients connected to the IX20 device from communicating with other clients. There are two mechanisms for client isolation configuration: Isolate clients connected to the same access point Isolate clients connected to different access points This section provides instructions for both mechanisms.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
The Configuration window is displayed. 3. Create a new access point. By default, the IX20 comes with one preconfigured access point, named Digi AP. In these instructions, we will use the existing Digi AP access point and create another new access point, named new_AP.
Drag-and-drop the filter to the top of the list. 5. Create a new LAN: By default, the IX20 device comes with one preconfigured LAN, which includes the default access point. We will use that LAN for the default access point, and create a new LAN for the second access point.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Firewall filters are applied in the order that they are listed. As a result, in order to drop traffic from the Internal zone to the LAN2_isolation_zone, this filter must be added before the Allow all outgoing traffic filter, which allows the Internal zone to have access
(config firewall filter 0)> 5. Create a new LAN: By default, the IX20 device comes with one preconfigured LAN, which includes the default access point. We will use that LAN for the default access point, and create a new LAN for the second access point.
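The filter-ordering rule from the client-isolation steps above, as an added example (not Digi's code and not part of the guide): a first-match model of an ordered filter list, plus a lint that reports a filter made unreachable by an earlier, broader filter with the opposite action. First-match evaluation, the default action, the drop filter's label and the "External" zone are assumptions of this model; Internal, LAN2_isolation_zone and the Allow all outgoing traffic filter are the names used in the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Filter:
    label: str
    action: str    # "accept" or "drop"
    src_zone: str  # zone name, or ANY
    dst_zone: str  # zone name, or ANY

    def matches(self, src: str, dst: str) -> bool:
        """True when a packet from zone `src` to zone `dst` hits this filter."""
        return self.src_zone in (ANY, src) and self.dst_zone in (ANY, dst)

    def covers(self, other: "Filter") -> bool:
        """True when every packet `other` matches is also matched by self."""
        return (self.src_zone in (ANY, other.src_zone)
                and self.dst_zone in (ANY, other.dst_zone))


def decide(filters: List[Filter], src: str, dst: str,
           default: str = "drop") -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first matching filter decides.

    The default action for unmatched traffic is an assumption of this model.
    """
    for f in filters:
        if f.matches(src, dst):
            return f.action, f.label
    return default, None


def shadowed(filters: List[Filter]) -> List[Tuple[str, str]]:
    """Return (unreachable_filter, shadowing_filter) label pairs.

    A filter is reported when an earlier filter matches everything it
    matches and takes a different action, so the later one never fires.
    """
    findings = []
    for i, later in enumerate(filters):
        for earlier in filters[:i]:
            if earlier.covers(later) and earlier.action != later.action:
                findings.append((later.label, earlier.label))
                break
    return findings


# Constructed sample rule sets (labels other than "Allow all outgoing
# traffic" are hypothetical).
ALLOW_OUT = Filter("Allow all outgoing traffic", "accept", "Internal", ANY)
ISOLATE = Filter("Drop Internal to LAN2", "drop",
                 "Internal", "LAN2_isolation_zone")

WRONG_ORDER = [ALLOW_OUT, ISOLATE]   # drop filter added at the end
RIGHT_ORDER = [ISOLATE, ALLOW_OUT]   # drop filter moved to the top

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        verdict = decide(rules, "Internal", "LAN2_isolation_zone")
        print(name, "order ->", verdict, "shadowed:", shadowed(rules))
```

Running the lint over an exported filter list before applying a change catches an isolation rule that was appended rather than moved to the top.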
To show the status and statistics for Wi-Fi access points, use the show wifi command. 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To show a detailed status and statistics of a Wi-Fi access point, use the show wifi ap name name command. 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
To configure a Wi-Fi client: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Client mode connections.
For Long interval, type the number of seconds to wait between scans for access points, when the signal strength from the access point to which the client is currently connected is stronger than the Scan threshold.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Background scanning allows the device to scan for nearby access points and to move between access points that have the same SSID that is configured for the client connection, based on the signal strength of the access points. a. Enable background scanning:
(config network wifi client new_client)> where value is any integer greater than 0. The default is 1. e. Configure the frequencies that will be scanned for available access points. The IX20 device has three preconfigured frequencies: 2412 MHz 2437 MHz 2462 MHz You can delete the preconfigured frequencies and add additional frequencies.
Add the appropriate frequency. For example, to add the 2457 frequency to the end of the list: (config network wifi client new_client)> add background_scanning scan_freq end 2457 (config network wifi client new_client)> 7. Save the configuration and apply the change: (config network wireless client new_client)> save Configuration saved. >
To show the status and statistics for Wi-Fi client, use the show wifi command. 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
> show wifi client name my_client Client : my_client Enabled : true SSID : my_SSID Status : up Signal : -43 : 91:fe:86:d1:0e:81 Channel : 48 Radio : wifi1 TX Power : 23 Link Quality : 67/70 BSSID : 6D:B9:DD:BD:EE:C4 >
Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP)
IP routing IP routing The IX20 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
To configure a static route: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Static routes.
7. For Interface, select the interface on the IX20 device that will be used with this static route. 8. (Optional) For Gateway, type the IPv4 address of the gateway used to reach the destination.
The any keyword can also be used to route packets to any destination with this static route. 6. Set the interface on the IX20 device that will be used with this static route: a. Use the ? to determine available interfaces: (config network route static 0)>...
Delete a static route WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Static routes.
IP routing Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
However, you can use policy-based routing to forward the packet based on other criteria, such as the source of the packet. For example, you can configure the IX20 device so that high-priority traffic is routed through the cellular connection, while all other traffic is routed through an Ethernet (WAN) connection.
5. (Optional) For Label, type a label that will be used to identify this route policy. 6. For Interface, select the interface on the IX20 device that will be used with this route policy. 7. (Optional) Enable Exclusive to configure the policy to drop packets that match the policy when the gateway interface is disconnected, rather than forwarded through other interfaces.
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config network route policy 0)> label "New route policy" (config network route policy 0)> 5. Set the interface on the IX20 device that will be used with this route policy: a. Use the ? to determine available interfaces: (config network route policy 0)> interface ? Interface: The network interface used to reach the destination.
ICMP type and optional code, or set to any to match for any ICMP type. 9. Set the source address type: (config network route policy 0)> src type value (config network route policy 0)>
Interface: The network interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config network route policy 0)> src interface b. Set the interface. For example: (config network route policy 0)> src interface /network/interface/eth1 (config network route policy 0)>
(config network route policy 0)> dst zone ? Zone: Match the IP address to the specified firewall zone. Format: dynamic_routes edge external internal ipsec loopback setup Default value: any Current value: any (config network route policy 0)> dst zone
IPv6_address[/prefix_length], or any to match any IPv6 address. mac: Matches the destination MAC address to the specified MAC address. Set the MAC address to be matched: (config network route policy 0)> dst mac MAC_address (config network route policy 0)>
Ethernet WAN interface. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Policy-based routing.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
MAC address, while all other client devices are routed through the Ethernet WAN. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Configure the policy-based route for traffic from the client device that will be sent over the cellular WAN: a. Click Network > Routes > Policy-based routing. b. Click the to add a new route policy.
For Label, type Reject LAN traffic to cellular WAN. d. For Action, select Drop. e. For Source zone, select Internal. f. For Destination zone, select CellularWAN. 7. Click Apply to save the configuration and apply the change.
IP routing Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Set the source destination to zone: (config network route policy 0)> dst type zone (config network route policy 0)> ii. Set the zone to CellularWAN: (config network route policy 0)> dst zone CellularWAN (config network route policy 0)>
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Routing services Your IX20 includes support for dynamic routing services and protocols. The following routing services are supported: Service or...
Enable and configure the types of routing services that will be used. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 232
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
To display the routing table: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Status > Routes.
WAN or public IP address changes. Your IX20 device supports a number of Dynamic DNS providers as well as the ability to provide a custom provider that is not included on the list of providers.
Page 235
The number of times to retry a failed IP address update. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 236
For example, to set Retry interval to ten minutes, enter 10m or 600s. 13. (Optional) For Retry count, type the number of times to retry a failed IP address update. 14. Click Apply to save the configuration and apply the change. IX20 User Guide...
Page 237
Dynamic DNS Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 238
(config network ddns new_ddns_instance)> check_interval value (config network ddns new_ddns_instance)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set check_interval to ten minutes, enter either 10m or 600s: IX20 User Guide...
Virtual Router Redundancy Protocol (VRRP) is a standard for gateway device redundancy and failover that creates a "virtual router" with a floating IP address. Devices connected to the LAN then use this virtual router as their default gateway. Responsibility for the virtual router is assigned to one of the IX20 User Guide...
For example, if a host becomes unreachable on the far end of a network link, then the physical default gateway can be changed by adjusting the VRRP priority of the IX20 device connected to the failing link. This provides failover capabilities based on the status of connections behind the router, in addition to the basic VRRP device failover.
Page 241
255. Allowed values are from 1 to 255, and it is configured to 100 by default. 9. (Optional) For Password, type a password that will be used to authenticate this VRRP router with VRRP peers. If the password length exceeds 8 characters, it will be truncated to 8 characters.
Page 242
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 243
(config network vrrp new_vrrp_instance)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
SureLink tests. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 245
VRRP master device has a priority of 100 and the backup device has a priority of 80, then the Priority modifier should be set to an amount greater than 20 so that if SureLink IX20 User Guide...
Page 246
For backup devices, enable and configure SureLink on the VRRP interface. Generally, this should be a LAN interface; VRRP+ will then monitor the LAN using SureLink to determine if the interface has network connectivity and promote a backup to master if SureLink fails. IX20 User Guide...
Page 247
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 248
(config)> network vrrp VRRP_test vrrp_plus monitor_master true (config)> 8. Configure the VRRP interface: a. Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses: IX20 User Guide...
Page 249
(config)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to five seconds, enter 5s:
(config)> network interface eth2 ipv4 surelink interval 5s
(config)>
Page 250
(Optional) Set the amount of time that the interface can be down before this test is considered to have failed: IX20 User Guide...
10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example: VRRP/VRRP+ configuration This example configuration creates a VRRP pool containing two IX20 devices: IX20 User Guide...
WebUI Task 1: Configure VRRP on device one 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP.
Page 253
Task 2: Configure VRRP+ on device one 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. 4. Click to add an interface for monitoring. 5. Select Interface: Modem. 6. For Priority modifier, type 30. IX20 User Guide...
Page 254
Command line Task 1: Configure VRRP on device one 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 255
Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Type ... to return to the root of the config prompt: (config network vrrp VRRP_test )> ... (config)> 2. Set the IP address for ETH2: (config)> network interface eth2 ipv4 address 192.168.3.1/24 (config)> IX20 User Guide...
WebUI Task 1: Configure VRRP on device two 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. IX20 User Guide...
Page 257
9. Click to expand Virtual IP addresses. 10. Click to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device two 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. IX20 User Guide...
Page 258
6. For Ping host, type my.devicecloud.com. Task 5: Configure the DHCP server for ETH2 on device two 1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server 2. For Lease range start, type 200. IX20 User Guide...
Page 259
Command line Task 1: Configure VRRP on device two 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 260
Task 3, step 2 (192.168.3.1). (config)> network interface eth2 ipv4 gateway 192.168.3.1 (config)> Task 4: Configure SureLink for ETH2 on device two 1. Enable SureLink on the ETH2 interface: (config)> network interface eth2 ipv4 surelink enable true (config)> IX20 User Guide...
Page 261
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
Routing Virtual Router Redundancy Protocol (VRRP) Show VRRP status and statistics This section describes how to display VRRP status and statistics for an IX20 device. VRRP status is available from the Web UI only. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights.
Page 263
Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 > IX20 User Guide...
Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) NEMO IX20 User Guide...
Aggressive mode Aggressive mode is faster than main mode, but is not as secure as main mode, because the device and its peer exchange their IDs and hash information in clear text instead of being encrypted. IX20 User Guide...
Client authentication XAUTH (extended authentication) pre-shared key authentication mode provides additional security by using client authentication credentials in addition to the standard pre-shared key. The IX20 device can be configured to authenticate with the remote peer as an XAUTH client. RSA Signatures With RSA signatures authentication, the IX20 device uses a private RSA key to authenticate with a...
Page 267
The amount of time before the IKE phase 2 lifetime expires The lifetime margin, a randomizing amount of time before the IPsec tunnel is renegotiated. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. IX20 User Guide...
Page 268
For example, to set NAT keep alive time to ten minutes, enter 10m or 600s. The default is 40 seconds. 5. Click to expand Tunnels. 6. For Add IPsec tunnel, type a name for the tunnel and click . The new IPsec tunnel configuration is displayed. IX20 User Guide...
Page 269
Transport: Only the payload of the IP packet is encrypted and/or authenticated. The IP header is unencrypted. 12. Select the Protocol, either: ESP (Encapsulating Security Payload): Provides encryption as well as authentication and integrity. AH (Authentication Header): Provides authentication and integrity only. IX20 User Guide...
Page 270
Type the Username and Password that the device will use to authenticate as an XAUTH client with the peer. 16. (Optional) Click Enable MODECFG client to receive configuration information, such as the private IP address, from the remote peer. IX20 User Guide...
Page 271
IPv4: The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR IKE identity. For IPv4 ID value, type an IPv4 formatted ID. This can be a fully-qualified domain name or an IPv4 address.
Page 272
Request a network: Requests a network from the remote peer. d. For Remote network, enter the IP address and optional netmask of the remote network. The keyword any can also be used.
Page 273
For Hash, select the type of hash to use to verify communication integrity. iv. For Diffie-Hellman group, select the type of Diffie-Hellman group to use for key exchange. v. You can add additional Phase 1 proposals by clicking next to Add Phase 1 Proposal. IX20 User Guide...
Page 274
24. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 275
To view a list of available zones: (config vpn ipsec tunnel ipsec_example)> zone ? Zone: The firewall zone assigned to this IPsec tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel. Format: IX20 User Guide...
Page 276
(config vpn ipsec tunnel ipsec_example)> mgmt value
(config vpn ipsec tunnel ipsec_example)>
where value is any integer between 0 and 1000.
10. Set the authentication type:
(config vpn ipsec tunnel ipsec_example)> auth type value
(config vpn ipsec tunnel ipsec_example)>
Page 277
(config vpn ipsec tunnel ipsec_example)> auth cert certificate (config vpn ipsec tunnel ipsec_example)> d. Set the method for verifying the peer's X.509 certificate: (config vpn ipsec tunnel ipsec_example)> auth peer_verify value (config vpn ipsec tunnel ipsec_example)> where value is either: IX20 User Guide...
Page 278
(config vpn ipsec tunnel ipsec_example)> local type value (config vpn ipsec tunnel ipsec_example)> where value is either: defaultroute: Uses the same network interface as the default route. interface: Select the Interface to be used as the local endpoint. IX20 User Guide...
Page 279
(config vpn ipsec tunnel ipsec_example)> keyid: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity. Set the key ID: (config vpn ipsec tunnel ipsec_example)> local id keyid_id id (config vpn ipsec tunnel ipsec_example)> IX20 User Guide...
Page 280
Set the ID in internet email address format: (config vpn ipsec tunnel ipsec_example)> remote id rfc822_id id (config vpn ipsec tunnel ipsec_example)> fqdn: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as an ID_FQDN IKE identity. IX20 User Guide...
Page 281
For example, to set phase1_lifetime to ten minutes, enter either 10m or 600s: (config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime 600s (config vpn ipsec tunnel ipsec_example)> The default is three hours. IX20 User Guide...
Page 282
Set the type of hash to use during phase 1 to verify communication integrity: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> hash value (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> where value is one of md5, sha1, sha256, sha384, or sha512. The default is sha1. IX20 User Guide...
Page 283
Set the type of hash to use during phase 2 to verify communication integrity: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> hash value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> where value is one of md5, sha1, sha256, sha384, or sha512. The default is sha1. IX20 User Guide...
Page 284
Set the number of seconds to wait for a response from a dead peer packet before assuming the tunnel has failed. The default is 90. (config)> vpn ipsec tunnel ipsec_example dpd timeout value (config)> 17. (Optional) Create a list of destination networks that require source NAT: IX20 User Guide...
Page 285
Address: The local network interface to use the address of. This field must be set when 'Type' is set to 'Address'. Format: defaultip defaultlinklocal eth1 eth2 loopback Current value: (config vpn ipsec tunnel ipsec_example policy 0)> local address IX20 User Guide...
Page 286
(config vpn ipsec tunnel ipsec_example policy 0)> remote network value (config vpn ipsec tunnel ipsec_example policy 0)> 19. (Optional) Change the NAT keep alive time: a. Change to the root of the configuration schema: IX20 User Guide...
Page 287
20. Save the configuration and apply the change: (config)> save Configuration saved. > 21. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
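An added example, not part of the Digi guide: a small audit of IPsec tunnel settings written in the root-level command form the guide uses (for example, vpn ipsec tunnel ipsec_example dpd timeout value). It checks the phase 1 and phase 2 hash values, converts phase1_lifetime from the number{w|d|h|m|s} format, and flags the sample pre-shared key testkey from the guide's GRE example. Assumptions: the function names are hypothetical, md5 and sha1 are treated as weak, the minimum key length is a local policy value, and a tunnel with no explicit hash line relies on the documented default.

```python
import re

WEAK_HASHES = {"md5", "sha1"}   # assumption of this example: treated as weak
DEFAULT_HASH = "sha1"           # default the guide states for both phases
SAMPLE_KEYS = {"testkey"}       # pre-shared key used in the guide's GRE example
MIN_PSK_LEN = 20                # assumption: local policy threshold, not a Digi value
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

PROMPT_RE = re.compile(r"^\(config\)>\s*")
TUNNEL_RE = re.compile(r"^vpn ipsec tunnel (\S+) (.+)$")
HASH_RE = re.compile(r"^ike (phase[12])_proposal (\d+) hash (\S+)$")
LIFETIME_RE = re.compile(r"^ike phase1_lifetime (\S+)$")
SECRET_RE = re.compile(r"^auth secret (\S+)$")


def parse_duration(text):
    """Convert the guide's number{w|d|h|m|s} format to seconds."""
    match = re.fullmatch(r"(\d+)([wdhms])", text)
    if match is None:
        raise ValueError(f"not in number{{w|d|h|m|s}} format: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def audit(config_text):
    """Return (findings, lifetimes) for root-form IPsec tunnel commands."""
    findings = []    # (tunnel, setting, message); secrets are never echoed
    lifetimes = {}   # (tunnel, setting) -> seconds
    explicit = {}    # tunnel -> phases that have an explicit hash line
    for raw in config_text.splitlines():
        # Accept lines pasted with the "(config)> " prompt in front.
        line = PROMPT_RE.sub("", raw.strip())
        tunnel_match = TUNNEL_RE.match(line)
        if tunnel_match is None:
            continue
        tunnel, rest = tunnel_match.groups()
        phases = explicit.setdefault(tunnel, set())
        hash_match = HASH_RE.match(rest)
        life_match = LIFETIME_RE.match(rest)
        secret_match = SECRET_RE.match(rest)
        if hash_match:
            phase, index, value = hash_match.groups()
            phases.add(phase)
            if value in WEAK_HASHES:
                findings.append(
                    (tunnel, f"{phase}_proposal {index}", f"weak hash {value}"))
        elif life_match:
            try:
                lifetimes[(tunnel, "phase1_lifetime")] = parse_duration(
                    life_match.group(1))
            except ValueError as err:
                findings.append((tunnel, "phase1_lifetime", str(err)))
        elif secret_match:
            secret = secret_match.group(1)
            if secret in SAMPLE_KEYS:
                findings.append(
                    (tunnel, "auth secret", "guide's sample pre-shared key in use"))
            elif len(secret) < MIN_PSK_LEN:
                findings.append(
                    (tunnel, "auth secret",
                     f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
    # Assumption: every tunnel has a proposal per phase, so a phase with no
    # explicit hash line falls back to the default stated in the guide.
    for tunnel, phases in explicit.items():
        for phase in ("phase1", "phase2"):
            if phase not in phases:
                findings.append(
                    (tunnel, f"{phase}_proposal",
                     f"no explicit hash, documented default {DEFAULT_HASH} applies"))
    return findings, lifetimes


# Constructed sample input, not captured from a device.
SAMPLE = """\
(config)> vpn ipsec tunnel ipsec_gre1 auth secret testkey
(config)> vpn ipsec tunnel ipsec_gre1 ike phase1_lifetime 600s
(config)> vpn ipsec tunnel ipsec_gre1 ike phase1_proposal 0 hash md5
(config)> vpn ipsec tunnel ipsec_gre1 ike phase2_proposal 0 hash sha256
(config)> vpn ipsec tunnel ipsec_example ike phase1_proposal 0 hash sha512
(config)> vpn ipsec tunnel ipsec_example ike phase1_lifetime 3hours
"""

if __name__ == "__main__":
    results, seconds = audit(SAMPLE)
    for tunnel, setting, message in results:
        print(f"{tunnel}: {setting}: {message}")
    for (tunnel, setting), value in seconds.items():
        print(f"{tunnel}: {setting} = {value} seconds")
```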
IPsec Configure IPsec failover You can configure the IX20 device to fail over from a primary IPsec tunnel to a backup tunnel. During configuration of the backup IPsec tunnel, identify the primary IPsec tunnel in the Preferred tunnel parameter. The Preferred tunnel parameter instructs the backup IPsec tunnel to start only when the preferred tunnel has been determined to have failed.
Type quit to disconnect from the device. Configure SureLink active recovery for IPsec You can configure the IX20 device to regularly probe IPsec client connections to determine if the connection has failed and take remedial action. You can also configure the IPsec tunnel to fail over to a backup tunnel. See Configure IPsec failover for further information.
Page 290
Virtual Private Networks (VPN) IPsec WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > IPsec.
Page 291
DNS test or DNS test (IPv6): Tests connectivity by sending a DNS query to the specified DNS server. HTTP test or HTTP test (IPv6): Tests connectivity by sending an HTTP or HTTPS GET request to the URL specified in Web servers. The URL should take the format of http[s]://hostname/[path].
Page 292
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 293
10. Set the amount of time that the device should wait for a response to a probe attempt before considering it to have failed: (config vpn ipsec tunnel ipsec_example)> connection_monitor timeout value (config vpn ipsec tunnel ipsec_example)> IX20 User Guide...
Page 294
(config vpn ipsec tunnel ipsec_example connection_monitor target 0)> dns_server ip_address (config vpn ipsec tunnel ipsec_example connection_monitor target 0)> dns_configured (IPv4) or dns_configured6 (IPv6): Tests connectivity by sending a DNS query to the DNS servers configured for this interface. IX20 User Guide...
Page 295
For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan ipv4 connection_monitor target 0)> interface_timeout 600s (config network interface my_wan ipv4 connection_monitor target 0)> The default is 60 seconds. IX20 User Guide...
Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 297
Virtual Private Networks (VPN) IPsec 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on its LAN interfaces to the OpenVPN server. The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The IX20 device supports two types of OpenVPN topology:...
LAN interfaces to the OpenVPN server. TAP - OpenVPN managed—Also known as bridging mode. A more advanced implementation of OpenVPN. The IX20 device creates an OpenVPN interface and uses standard interface configuration (for example, a standard DHCP server configuration).
Page 300
Additional OpenVPN parameters. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Servers.
Page 301
Certificate and username/password: Uses both certificates and a username and password for client authentication. Each client requires a public and private key, and you must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions. IX20 User Guide...
Page 302
No limit to IPv6 addresses that can access the service-type. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click .
Page 303
OpenVPN Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 304
80, the first client IP address will be 192.168.1.80. The default is from 80. ii. Set the last address in the range limit: (config vpn openvpn server name)> server_last_ip value (config vpn openvpn server name)> IX20 User Guide...
Page 305
(config vpn openvpn server name)> cacert value (config vpn openvpn server name)> iii. Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter: (config vpn openvpn server name)> server_cert value (config vpn openvpn server name)> IX20 User Guide...
Page 306
No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config vpn openvpn server name)> add acl interface end value (config vpn openvpn server name)>...
Page 307
(config vpn openvpn server name)> advanced_options enable true (config vpn openvpn server name)> b. Configure whether the additional OpenVPN parameters should override default options: (config vpn openvpn server name)> advanced_options override true (config vpn openvpn server name)> IX20 User Guide...
WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. IX20 User Guide...
Page 309
Click to expand the OpenVPN node. e. Click to add a tunnel. f. For Tunnel, select an OpenVPN tunnel to which users of this group will have access. g. Repeat to add additional OpenVPN tunnels. IX20 User Guide...
Page 310
Click to expand the Groups node. e. Click to add a group to the user. f. Select a Group with OpenVPN access enabled. 5. Click Apply to save the configuration and apply the change. IX20 User Guide...
Page 311
OpenVPN Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
OpenVPN active recovery. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients.
Page 313
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 314
8. Save the configuration and apply the change: (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
OpenVPN active recovery. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients.
Page 316
13. Paste the contents of the CA certificate (usually in a ca.crt file), the Public key (for example, client.crt), and the Private key (for example, client.key) into their respective fields. The contents will be hidden when the configuration is saved. 14. (Optional) Click to expand Advanced Options to manually set additional OpenVPN parameters. IX20 User Guide...
Page 317
15. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 318
(config vpn openvpn client name)> cacert value (config vpn openvpn client name)> 12. Paste the contents of the public key (for example, client.crt) into the value of the public_cert parameter: (config vpn openvpn client name)> public_cert value (config vpn openvpn client name)> IX20 User Guide...
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure active recovery for OpenVPN You can configure the IX20 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action. Required configuration items A valid OpenVPN client configuration.
Page 320
To configure the IX20 device to regularly probe the OpenVPN connection: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 321
IP address specified in Ping host. You can also optionally change the number of bytes in the Ping payload size. DNS test or DNS test (IPv6): Tests connectivity by sending a DNS query to the specified DNS server. IX20 User Guide...
Page 322
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 323
(config vpn openvpn client openvpn_client1)> connection_monitor attempts (config vpn openvpn client openvpn_client1)> The default is 3. 10. Set the amount of time that the device should wait for a response to a probe attempt before considering it to have failed: IX20 User Guide...
Page 324
(IPv4) or dns6 (IPv6): Tests connectivity by sending a DNS query to the specified DNS server. Specify the DNS server. Allowed value is the IP address of the DNS server. (config vpn openvpn client openvpn_client1 connection_monitor target 0)> dns_server ip_address IX20 User Guide...
Page 325
(config vpn openvpn client openvpn_client1 connection_monitor target 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_timeout to ten minutes, enter either 10m or 600s: IX20 User Guide...
OpenVPN server's status pane. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
OpenVPN client's status pane. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 328
Virtual Private Networks (VPN) OpenVPN 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
Task One: Create a GRE loopback endpoint interface WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 330
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 331
Task Two: Configure the GRE tunnel WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > IP Tunnels.
Page 332
Generic Routing Encapsulation (GRE) Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 333
(config vpn iptunnel gre_example)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
To view information about currently configured GRE tunnels: WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click Status > IP tunnels. The IP Tunnels page appears. 3. To view configuration details about a GRE tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
Example: GRE tunnel over an IPSec tunnel The IX20 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.
Page 336
3. Create a GRE tunnel named gre_tunnel2: a. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint2. b. Remote endpoint set to the IP address of the GRE tunnel on IX20-1, 172.30.0.1. 4. Create an interface named gre_interface2 and add it to the GRE tunnel: a.
Page 337
15. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 338
4. Set the pre-shared key to testkey: (config vpn ipsec tunnel ipsec_gre1)> auth secret testkey (config vpn ipsec tunnel ipsec_gre1)> 5. Set the remote endpoint to public IP address of the IX20-2 device: (config vpn ipsec tunnel ipsec_gre1)> remote hostname 192.168.101.1 (config vpn ipsec tunnel ipsec_gre1)>...
Page 339
7. Click Apply to save the configuration and apply the change. Command line 1. At the command line, type config to enter configuration mode: > config (config)> 2. Add an interface named ipsec_endpoint1: (config)> add network interface ipsec_endpoint1 (config network interface ipsec_endpoint1)> IX20 User Guide...
Page 340
3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_endpoint1). 4. For Remote endpoint, type the IP address of the GRE tunnel on IX20-2, 172.30.0.2. 5. Click Apply to save the configuration and apply the change. Command line...
Page 341
(/network/interface/ipsec_endpoint1): (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1 (config vpn iptunnel gre_tunnel1)> 4. Set the remote endpoint to the IP address of the GRE tunnel on IX20-2, 172.30.0.2: (config vpn iptunnel gre_tunnel1)> remote 172.30.0.2 (config vpn iptunnel gre_tunnel1)> 5. Save the configuration and apply the change: (config vpn iptunnel gre_tunnel1)>...
Page 342
5. Set 172.31.0.1/30 as the virtual IP address on the GRE tunnel: (config network interface gre_interface1)> ipv4 address 172.31.0.1/30 (config network interface gre_interface1)> 6. Save the configuration and apply the change: (config network interface gre_interface1)> save Configuration saved. > IX20 User Guide...
Page 343
3. Click VPN > IPsec > Tunnels. 4. For Add IPsec Tunnel, type ipsec_gre2 and click . 5. Click to expand Authentication. 6. For Pre-shared key, type the same pre-shared key that was configured for the IX20-1 (testkey). 7. Click to expand Remote endpoint.
Page 344
3. Add an IPsec tunnel named ipsec_gre2: (config)> add vpn ipsec tunnel ipsec_gre2 (config vpn ipsec tunnel ipsec_gre2)> 4. Set the pre-shared key to the same pre-shared key that was configured for the IX20-1 (testkey): (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey (config vpn ipsec tunnel ipsec_gre2)>...
Page 345
Task two: Create an IPsec endpoint interface WebUI 1. Click Network > Interfaces. 2. For Add Interface, type ipsec_endpoint2 and click . 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5. Click to expand IPv4. IX20 User Guide...
Page 346
5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.2/32: (config network interface ipsec_endpoint2)> ipv4 address 172.30.0.2/32 (config network interface ipsec_endpoint2)> 6. Save the configuration and apply the change: (config vpn ipsec tunnel ipsec_endpoint2)> save Configuration saved. > Task three: Create a GRE tunnel IX20 User Guide...
(/network/interface/ipsec_endpoint2):
    (config vpn iptunnel gre_tunnel2)> local /network/interface/ipsec_endpoint2
    (config vpn iptunnel gre_tunnel2)>
4. Set the remote endpoint to the IP address of the GRE tunnel on IX20-1, 172.30.0.1:
    (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1
    (config vpn iptunnel gre_tunnel2)>
4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel2).
5. Click to expand IPv4.
6. For Address, type 172.31.1.1/30 for a virtual IP address on the GRE tunnel.
7. Click Apply to save the configuration and apply the change.
Local Area Networks (LANs) on your device. NEMO creates a tunnel between the home agent on the mobile private network and the IX20 device, isolating the connection from internet traffic and advertising the IP subnets of the LANs for remote access and device management.
The local network of the GRE endpoint negotiated by NEMO. If the local network is set to Interface, identify the local interface to be used.
WebUI
1. Log into the IX20 WebUI as a user with full Admin access rights.
10. For MTU discovery, leave enabled to determine the maximum transmission unit (MTU) size. If disabled, for MTU, type the MTU size. The default MTU size for LANs on the IX20 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
    (config vpn nemo nemo_example)> mtu_discovery false
    (config vpn nemo nemo_example)>
If disabled, set the MTU size. The default MTU size for LANs on the IX20 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
Set the interface. For example:
    (config vpn nemo nemo_example)> coaddress interface eth1
    (config vpn nemo nemo_example)>
If ip is used, set the IP address:
    (config vpn nemo nemo_example)> coaddress address IP_address
    (config vpn nemo nemo_example)>
The default is defaultroute.
14. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
15. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Simple Network Management Protocol (SNMP)
Configure the Modbus gateway
System time
Configure the system time
Network Time Protocol
Configure the device as an NTP server
Configure a multicast route
Ethernet network bonding
Enable service discovery (mDNS)
Use the iPerf service
Allow remote access for web administration and SSH
By default, only devices connected to the IX20's LAN have access to the device via web administration and SSH. To enable these services for access from remote devices:
The IX20 device must have a publicly reachable IP address.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
3. Click Configuration > Services > SSH > Access Control List > Zones.
4. For Add Zone, click .
5. Select External.
6. Click Apply to save the configuration and apply the change.
By default, the web administration service is enabled and uses the standard HTTPS port, 443. The default access control for the service uses the Internal firewall zone, which means that only devices connected to the IX20's LAN can access the WebUI. If this configuration is sufficient for your needs, no further configuration is required. See Allow remote access for web administration and SSH for information about configuring the web administration service to allow access from remote devices.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Configure the service WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Web administration.
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
Command line
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
4. (Optional) If you have your own signed SSL certificate, set the certificate and private key in PEM format. If not set, the device will use an automatically-generated key.
    (config)> service web_admin cert cert.pem
    (config)>
Note Password-protected certificate keys are not supported.
9. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Configure SSH access
The IX20's default configuration has SSH access enabled, and allows SSH access to the device from authorized users within the Internal firewall zone. If this configuration is sufficient for your needs, no further configuration is required. See Allow remote access for web administration and SSH for information about configuring the SSH service to allow access from remote devices.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No limit to IPv6 addresses that can access the SSH service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Additional Configuration
-------------------------------------------------------------------------------
dynamic_routes
edge
external
internal
ipsec
loopback
setup
(config)>
Repeat this step to list additional firewall zones.
4. (Optional) Set the private key in PEM format. If not set, the device will use an automatically-...
7. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
SSH public key for the user
Additional configuration items
If you want to access the IX20 device using SSH over a WAN interface, configure the access control list for the SSH service to allow SSH access for the External firewall zone.
These instructions assume an existing user named temp_user. 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
4. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
The telnet service is disabled by default. To enable the service: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No limit to IPv6 addresses that can access the telnet service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Repeat this step to list additional firewall zones.
4. (Optional) Configure Multicast DNS (mDNS)
mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is disabled by default. To enable:
Type quit to disconnect from the device.
Configure DNS
The IX20 device includes a caching DNS server which forwards queries to the DNS servers that are associated with the network interfaces, and caches the results. This server is used within the device, and cannot be disabled.
No limit to IPv6 addresses that can access the DNS service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No limit to IPv6 addresses that can access the DNS service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service dns acl interface end value (config)>...
    (config)> service dns stop_dns_rebind false
    (config)>
7. (Optional) Allow localhost rebinding
Localhost rebinding is enabled by default if rebind protection is enabled. This is useful for Real-time Black List (RBL) servers. To disable:
    (config)> service dns rebind_localhost_ok false
    (config)>
10. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
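The stop_dns_rebind and rebind_localhost_ok settings in the DNS procedure above decide which upstream answers the caching server passes on. The following Python sketch is an added example, not Digi code: it models such a filter so the effect of each setting can be seen on sample answers. The address ranges, the per-answer dropping, the function defaults and all hostnames and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Ranges this sketch treats as internal (assumption: RFC 1918, link-local,
# "this network" and IPv6 unique-local/link-local; not taken from the device).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "0.0.0.0/8", "fc00::/7", "fe80::/10",
)]
# Loopback space, which DNS blocklists (RBLs) use for their answer codes.
LOOPBACK_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


def classify(answer):
    """Return 'loopback', 'private' or 'public' for one A/AAAA answer."""
    addr = ipaddress.ip_address(answer)
    # ::ffff:a.b.c.d carries an IPv4 address; judge the embedded address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    def in_any(nets):
        return any(n.version == addr.version and addr in n for n in nets)

    if in_any(LOOPBACK_NETS):
        return "loopback"
    if in_any(PRIVATE_NETS):
        return "private"
    return "public"


def filter_answers(answers, stop_dns_rebind=True, rebind_localhost_ok=True):
    """Split upstream answers into (kept, dropped) under the two settings."""
    kept, dropped = [], []
    for answer in answers:
        kind = classify(answer)
        blocked = stop_dns_rebind and (
            kind == "private"
            or (kind == "loopback" and not rebind_localhost_ok)
        )
        (dropped if blocked else kept).append(answer)
    return kept, dropped


# Constructed upstream responses: (queried name, returned addresses).
SAMPLE_RESPONSES = [
    ("portal.example.net", ["203.0.113.10"]),
    ("rebind.example.net", ["203.0.113.10", "192.168.2.1"]),
    ("2.0.0.127.dnsbl.example.org", ["127.0.0.2"]),
    ("mapped.example.net", ["::ffff:10.0.0.5"]),
]


def report(**settings):
    """Return {name: dropped addresses} for the sample responses."""
    return {name: filter_answers(addrs, **settings)[1]
            for name, addrs in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for label, settings in (
        ("both enabled", {}),
        ("rebind_localhost_ok false", {"rebind_localhost_ok": False}),
        ("stop_dns_rebind false", {"stop_dns_rebind": False}),
    ):
        print(label, report(**settings))
```

With localhost rebinding disabled, the blocklist lookup loses its 127.0.0.2 answer, which is why the guide notes that the setting matters for RBL servers.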
By default, the IX20 device automatically blocks SNMP packets from being received over WAN and LAN interfaces. As a result, if you want an IX20 device to receive SNMP packets, you must configure the SNMP access control list to allow the device to receive the packets. See...
No limit to IPv6 addresses that can access the SNMP agent. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
13. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No limit to IPv6 addresses that can access the SNMP service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service snmp acl interface end value (config)>...
    (config)> service snmp privacy pwd
    (config)>
11. (Optional) Set the privacy protocol, either DES or AES. The default is DES.
    (config)> service snmp privacy_protocol AES
    (config)>
12. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
4. Click Download.
Configure the Modbus gateway
Your IX20 supports the ability to function as a Modbus gateway, to provide serial-to-Ethernet connectivity to Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and other industrial devices. Modbus provides client/server communication between devices connected on different types of buses and networks, and the IX20 gateway allows for communication between buses and networks that use the Modbus protocol.
If connection type is set to serial:
Whether to use half duplex (two wire) mode.
Whether packets should be delivered to a fixed Modbus address.
Whether packets should have their Modbus address adjusted downward before delivery.
Configure the Modbus gateway WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Modbus Gateway.
For Port, enter or select an appropriate port. The default is port 502.
If Serial is selected for Connection type:
a. For Serial port, select the appropriate serial port on the IX20 device.
5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection type is set to Serial) for the type of packet that will be used by this connection.
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
Modbus server is running.
If Serial is selected for Connection type:
a. For Serial port, select the appropriate serial port on the IX20 device.
5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection type is set to Serial) for the type of packet that will be used by this connection.
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
17. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
    (config servic server)>
where value is any number of minutes or seconds up to a maximum of 15 minutes, and takes the format number{m|s}.
For example, to set inactivity_timeout to ten minutes, enter either 10m or 600s:
For example, to set idle_gap to one second, enter 1000ms or 1s.
iv. (Optional) Enable half-duplex (two wire) mode:
    (config service modbus_gateway server test_modbus_server)> serial half_duplex true
    (config service modbus_gateway server test_modbus_server)>
c. Repeat the above instructions for additional servers.
1 and 65535. The default is 502.
iii. Set the packet mode:
    (config service modbus_gateway client test_modbus_client)> socket packet_mode value
    (config service modbus_gateway client test_modbus_client)>
where value is either rtu or ascii. The default is rtu.
If connection_type is set to serial:
i. Set the serial port:
i. Use the ? to determine available serial ports:
    (config service modbus_gateway client test_modbus_client)> ... serial port ?
    Serial
    Additional Configuration
    ---------------------------------------------------------------------------
    port1 Port 1
    (config service modbus_gateway client test_modbus_client)>
    (config service modbus_gateway client test_modbus_client)> response_timeout 100ms
    (config service modbus_gateway client test_modbus_client)>
The default is 700ms.
f. Configure the address filter:
This filter is used by the gateway to determine if a message should be forwarded to a...
Modbus address on different buses. For example, if there are two devices on two different buses that have the same Modbus address of 10, you can create two clients on the gateway:
6. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
The IX20 device can also be configured to use Network Time Protocol (NTP). In this configuration, the device serves as an NTP server, providing NTP services to downstream devices. See Network Time Protocol for more information about NTP server support.
Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:
    > config
    (config)>
3. (Optional) Set the timezone for the location of your IX20 device. The default is UTC.
See Configure the device as an NTP server for more information about NTP server configuration.
5. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
Network Time Protocol (NTP) enables devices connected on local and worldwide networks to synchronize their internal software and hardware clocks to the same time source. The IX20 device can be configured as an NTP server, allowing downstream hosts that are attached to the device's Local Area Networks to synchronize with the device.
3. Click Services > NTP. 4. Enable the IX20 device's NTP service by clicking Enable. 5. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service. To limit access to specified IPv4 addresses and networks: a.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
See Configure the system time for more information about NTP client configuration.
5. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service.
To limit access to specified IPv4 addresses and networks:
    (config)>...
Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists.
Additional Configuration
-------------------------------------------------------------------------------
dynamic_routes
edge
external
internal
ipsec
loopback
setup
(config)>
Repeat this step to list additional firewall zones.
By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service.
6. (Optional) Set the timezone for the location of your IX20 device. The default is UTC.
    (config)> system time timezone value
    (config)>...
7. Type the Source port. Ensure the port is not used by another protocol.
8. Select a Source interface where multicast packets will arrive.
9. Select a Destination interface that the IX20 device will use to send multicast packets.
10. Click Apply to save the configuration and apply the change.
Set the interface. For example:
    (config service multicast test)> src_interface /network/interface/eth1
    (config service multicast test)>
8. Set the destination interface that the IX20 device will use to send multicast packets.
    (config service multicast test)> interface interface
    (config service multicast test)>...
Type quit to disconnect from the device.
Ethernet network bonding
The IX20 device supports bonding mode for the Ethernet network. This allows you to configure the device so that Ethernet ports share one IP address. When both ports are being used, they act as one Ethernet network port.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
6. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
You can enable the IX20 device to use mDNS. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No limit to IPv6 addresses that can access the mDNS service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service mdns acl interface end value (config)>...
Type quit to disconnect from the device.
Use the iPerf service
Your IX20 device includes an iPerf3 server that you can use to test the performance of your network. iPerf3 is a command-line tool that measures the maximum network throughput an interface can handle.
When the iPerf server is enabled, the IX20 device will automatically configure its firewall rules to allow incoming connections on the configured listening port. You can restrict access by configuring the access control list for the iPerf server.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service iperf acl interface end value (config)>...
Example performance test using iPerf3
On a remote host with iPerf3 installed, enter the following command:
    $ iperf3 -c device_ip
where device_ip is the IP address of the IX20 device. For example:
    $ iperf3 -c 192.168.2.1
    Connecting to host 192.168.2.1, port 5201
    [  4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201
    ...
    [ ID] Interval           Transfer     Bandwidth       Retr
          0.00-10.00         315 MBytes   264 Mbits/sec   sender
          0.00-10.00         313 MBytes   262 Mbits/sec   receiver
    iperf Done.
Applications
The IX20 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time.
Whether the script should run one time only.
Task one: Upload the application
WebUI
1. Log into the IX20 WebUI as a user with Admin access.
2. On the menu, click System. Under Administration, click File System. The File System page appears.
IX20 device. local-path is the location on the IX20 device where the copied file will be placed. For example: To upload a Python application from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX20 device, issue the following command: >...
Use with care. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Scheduled tasks > Custom scripts.
Make a change to the script.
Uncheck Once.
11. Sandbox is enabled by default. This option protects the script from accidentally destroying the system it is running on.
12. Click Apply to save the configuration and apply the change.
Command line
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To log script errors to the system log:
    (config system schedule script 0)> syslog_stderr true
    (config system schedule script 0)>
If syslog_stdout and syslog_stderr are not enabled, only the script's exit code is written to the system log.
Python applications from the command line. See Authentication groups for information about configuring authentication groups that include shell access.
1. Upload the Python application to the IX20 device:
WebUI
a. Log into the IX20 WebUI as a user with Admin access.
IX20 device. local-path is the location on the IX20 device where the copied file will be placed. For example: To upload a Python application from a remote host with an IP address of 192.168.4.1 to...
You can also create Python applications by using the vi command when logged in with shell access. 2. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
NAME
    digidevice - Digi device python extensions
DESCRIPTION
    This module includes various extensions that allow Python to interact with additional features offered by the device.
4. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
Use Python to respond to Digi Remote Manager SCI requests
Use digidevice runtime to access the runtime database
Use Python to upload the device name to Digi Remote Manager
Use Python to send and receive SMS messages
1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Help for using Python to execute IX20 CLI commands Get help executing a CLI command from Python by accessing help for cli.execute: 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint.upload: 1. Log into the IX20 command line as a user with shell access.
Read the device configuration Use the get() method to read the device configuration: 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Modify the device configuration Use the set() and commit() methods to modify the device configuration: 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Remote Manager's Server Command Interface (SCI), a web service that allows users to access information and perform commands that relate to their devices. Use Remote Manager's SCI interface to create SCI requests that are sent to your IX20 device, and use the device_request module to send responses to those requests to Remote Manager.
Ctrl-D. You can also exit the session using exit() or quit(). Task two: Create and send an SCI request from Digi Remote Manager The second step in using the device_request module is to create an SCI request that Remote Manager will forward to the device.
Remote Manager:
    from digidevice import device_request
    from digidevice import cli
    import time

    # Callback for a device request: returns the CLI output as the response.
    def handler(target, request):
        return cli.execute("show system verbose")
WebUI i. Log into the IX20 WebUI as a user with full Admin access rights. ii. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. iii. Click System > Scheduled tasks > Custom scripts.
Click Apply to save the configuration and apply the change. Command line i. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
> reboot To run the application from the shell prompt: i. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
<device_request target_name="showSystem">
8. Click Send. You should receive a response similar to the following:
<sci_reply version="1.0">
<data_service>
<device id="00000000-00000000-0000FFFF-A83CF6A3"/>
<requests>
<device_request target_name="showSystem" status="0">Model : Digi IX20
Serial Number : IX20-000068
Hostname : IX20
: 00:40:D0:13:35:36
Hardware Version : 50001959-01 A
Firmware Version : 20.8.22.32
...
: MB/MB(%)
Disk /tmp Usage : 0.004MB/40.96MB(0%)
Disk /var Usage : 0.820MB/32.768MB(3%)</device_request>
</requests>
</device>
<device id="00000000-00000000-0000FFFF-485740BC"/>
<requests>
<device_request target_name="showSystem" status="0">Model : Digi IX20
Serial Number : IX20-000023
Hostname : IX20
: 00:40:D0:26:79:1C
Hardware Version : 50001959-01 A
Firmware Version : 20.8.22.32
...
</sci_request>
Help for using Python to respond to Digi Remote Manager SCI requests
Get help for responding to Digi Remote Manager Server Command Interface (SCI) requests by accessing help for digidevice.device_request:
1. Log into the IX20 command line as a user with shell access.
Read from the runtime database Use the keys() and get() methods to read the device configuration: 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Get help for reading and modifying the device runtime database by accessing help for digidevice.runt: 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
Digidevice module Upload a custom name 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
You can create Python scripts that send and receive SMS messages in tandem with the Digi Remote Manager or Digi aView by using the digidevice.sms module. To use a script to send or receive SMS messages, you must also enable the ability to schedule SMS scripting.
Digidevice module Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Use Python to access serial ports You can use the Python serial module to access serial ports on your IX20 device that are configured to be in Application mode. See Configure the serial port for information about configuring a serial port in Application mode.
6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT python library Your IX20 device includes support for the Paho MQTT python library. MQTT is a lightweight messaging protocol used to communicate with various applications including cloud-based applications such as Amazon Web Services and Microsoft Azure.
+ "/system")

def on_message(client, userdata, msg):
    """ Supporting only a single topic for now, no need for filters
    Expects the following message format:
    "cid": "<client-id>",
    "cmd": "<command>",
    "params": {
    <optional_parameters>
    Supported commands:
    - "fw-update"
    params:
    - "uri": "<firmware_file_URL>"
Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Determine the name of scripts that are currently running: )>...
The Scripts page displays: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
[ "$pri" = 'pri' ]; then
    default_net="$(runt dump network.route.default | grep -m 1 -o "interface_.*=" | cut -f2 -d'_' | tr -d '=')"
    if [ -n "$default_net" ]; then
        default_intf="$(runt get network.interface.${default_net}.device)"
        runt set network.mgmt.log.intf "$default_intf"
        log=$(runt log network.mgmt.log)
Applications Show script information
accns_log network_mgmt "${log:+type=mgmt~}$log"
>
3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
IX20 user authentication User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Disable shell access Set the idle timeout for IX20 users Example user configuration
IX20 user authentication
User authentication on the IX20 has the following features and default configuration:
Feature: Idle timeout. Description: Determines how long a user session can be idle before the system automatically disconnects. Default configuration: 10 minutes.
TACACS+: Users authenticated by using a remote TACACS+ server for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication. LDAP: Users authenticated by using a remote LDAP server for authentication. LDAP for information about configuring LDAP authentication.
To add an authentication method: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Methods.
This procedure describes how to add methods to various places in the list. 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Delete an authentication method WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Methods.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To reorder these so that RADIUS is first and Local users is second: 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Authentication groups Authentication groups are used to assign access rights to IX20 users. Three types of access rights can be assigned:
Disable shell access for more information about the Allow shell parameter. Serial access: Users with Serial access have the ability to log into the IX20 device by using the serial console. Preconfigured authentication groups The IX20 device has two preconfigured authentication groups: The admin group is configured by default to have full Admin access and Shell access.
For groups assigned Admin access, you can also determine whether the Access level should be Full access or Read-only access. Full access provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Access rights to captive portals, and the portals to which they have access. Access rights to query the device for Nagios monitoring. To add an authentication group: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights.
Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI. Read-only access read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config)> where value is either: full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI. read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete an authentication group By default, the IX20 device has two preconfigured authentication groups: admin and serial. These groups cannot be deleted. To delete an authentication group that you have created: ...
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default user. Default user At manufacturing time, each IX20 device comes with a default user configured as follows: Username: admin. Password: The default password is displayed on the label on the bottom of the device.
To change a user's password: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To configure a local user: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users.
The minimum value is 1 second, and the maximum is 15 minutes. The default is 15 minutes. 7. Add groups for the user. Groups define user access rights. See Authentication groups for information about configuring groups. a. Click to expand Groups. b. For Add Group, click .
For time-based verification only, in Code refresh interval, type the amount of time that a code will remain valid. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Code refresh interval to ten minutes, enter 10m or 600s.
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To remove a group from a user: a. Use the show command to determine the index number of the group to be deleted:
(config auth user new_user> show group
0 admin
1 serial
(config auth user new_user>
This key should be used by an application or mobile device to generate passcodes. e. For time-based verification only, enable disallow_reuse to prevent a code from being used more than once during the time that it is valid.
For example, to set login_limit_period to ten minutes, enter either 10m or 600s: (config auth user name 2fa)> login_limit_period 600s (config auth user name 2fa)> The default is 30s. j. Scratch codes are emergency codes that may be used once, at any time. To add a scratch code:
To delete a user from your IX20: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
With TACACS+ support, the IX20 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP. The TACACS+ server then authenticates the TACACS+ client requests and sends back a response message to the device.
The groupname attribute is optional. If used, the value must correspond to authentication groups configured on your IX20. Alternatively, if the user is also configured as a local user on the IX20 device and the LDAP server authenticates the user but does not return any groups, the local configuration determines the list of groups.
$ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX20 device to use backup TACACS+ servers. Backup TACACS+ servers are used for authentication requests when the primary TACACS+ server is unavailable.
6. (Optional) For Group attribute, type the name of the attribute used in the TACACS+ server's configuration to identify the IX20 authentication group or groups that the user is a member of. For example, in TACACS+ user configuration, the group attribute in the sample tac_plus.conf...
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) the sample tac_plus.conf file is system, which is also the default setting in the IX20 configuration. 8. Add TACACS+ to the authentication methods: a. Click Authentication > Methods. b. For Add method, click .
TACACS+ user configuration, the value of the service attribute in the sample tac_plus.conf file is system, which is also the default setting in the IX20 configuration. (config)> auth tacacs+ service service-name (config)> 6. Set the type of TLS connection used by the LDAP server: (config)>...
(for example, dc=example,dc=com) or a sub-tree (for example, ou=People,dc=example,dc=com). (config)> auth ldap base_dn value (config)> 11. (Optional) Set the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
15. Save the configuration and apply the change: (config)> save Configuration saved. > 16. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
With RADIUS support, the IX20 device acts as a RADIUS client, which sends user credentials and connection parameters to a RADIUS server over UDP. The RADIUS server then authenticates the RADIUS client requests and sends back a response message to the device.
(password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX20 device.
If the RADIUS servers are unavailable and the IX20 device falls back to local authentication, only users defined locally on the device are able to log in. RADIUS users cannot log in until the RADIUS servers are brought back online.
NAS or any arbitrary string. If not set, the default value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
User authentication Remote Authentication Dial-In User Service (RADIUS) If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd.
Remote Authentication Dial-In User Service (RADIUS) (config)> auth ldap base_dn value (config)> 11. (Optional) Set the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
When you are using LDAP authentication, you can have both local users and LDAP users able to log in to the device. To use LDAP authentication, you must set up a LDAP server that is accessible by the IX20 device prior to configuration. The process of setting up a LDAP server varies by the server environment.
(password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure a LDAP server to be used for user authentication on your IX20 device.
LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX20 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
User authentication LDAP 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > LDAP > Servers.
(for example, dc=example,dc=com) or a sub-tree (for example, ou=People,dc=example,dc=com). 11. (Optional) For Group attribute, type the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
User authentication LDAP 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: >...
(for example, dc=example,dc=com) or a sub-tree (for example, ou=People,dc=example,dc=com). (config)> auth ldap base_dn value (config)> 9. (Optional) Set the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
User authentication Set the idle timeout for IX20 users 2. At the command line, type config to enter configuration mode: > config (config)> 3. At the config prompt, type: (config)# auth idle_timeout value where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Goal: To create a user with administrator rights who is authenticated locally on the device. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Goal: To create a user with administrator rights who is authenticated by using all three authentication methods. In this example, when the user attempts to log in to the IX20 device, user authentication will occur in the following order: 1. The user is authenticated by the RADIUS server. If the RADIUS server is unavailable, 2.
User authentication Example user configuration This example uses a FreeRADIUS 3.0 server running on Ubuntu, and a TACACS+ server running on Ubuntu. Server configuration may vary depending on the platforms or type of servers used in your environment.
The authentication group on the IX20 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into the IX20 WebUI as a user with full Admin access rights. 4. On the menu, click System. Under Configuration, click Device Configuration.
6. Create the local user: a. Click Authentication > Users. b. In Add User:, type admin1 and click . c. For password, type password1. d. Assign the user to the admin group: i. Click Groups. ii. For Add Group, click .
In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX20 device, admin, is identified in the Unix-FTP-Group-Names parameter. c. Save and close the users file. 2. Configure a user on the TACACS+ server: a.
Save and close the tac_plus.conf file. 3. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure Quality of Service options
IPsec: The default zone for IPsec tunnels. Dynamic routes: Used for routes learned using routing services. Port forwarding: A list of rules that allow network connections to the IX20 to be forwarded to other servers by translating the destination address.
Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Internal, to External. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
You cannot delete preconfigured firewall zones. To delete a custom firewall zone: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To configure a port forwarding rule: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Port forwarding.
13. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config firewall dnat 0)> ip_version ipv6 (config firewall dnat 0)> 6. Set the public-facing port number that network connections must use for their traffic to be forwarded. (config firewall dnat 0)> port port (config firewall dnat 0)>
To specify the firewall zone for white listing: (config firewall dnat 0 acl)> add zone end zone Repeat for each appropriate zone. To view a list of available zones: (config firewall dnat 0 acl)> ..zone ?
To delete a port forwarding rule: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
By default, one preconfigured packet filtering rule, Allow all outgoing traffic, is enabled and monitors traffic going to and from the IX20 device. The predefined settings are intended to block unauthorized inbound traffic while providing an unrestricted flow of outgoing data. You can modify the default packet filtering rule and create additional rules to define how the device accepts or rejects traffic that is forwarded through the device.
9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected or dropped by this rule. Firewall configuration for more information about firewall zones. 10. Click Apply to save the configuration and apply the change.
Packet filtering Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config firewall filter 1)> ip_version value (config firewall filter 1)> where value is one of: ipv4 ipv6 The default is any. 8. Set the protocol. (config firewall filter 1)> protocol value (config firewall filter 1)> where value is one of: icmp icmpv6
To enable or disable a packet filtering rule: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
4. Click the menu icon (...) next to the appropriate packet filtering rule and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights.
Custom firewall rules consist of a script of shell commands that can be used to install firewall rules, ipsets, and other system configuration. These commands are run whenever system configuration changes occur that might cause changes to the firewall. To configure custom firewall rules: WebUI
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(packet ingress). A QoS binding contains the policies and rules that apply to packets exiting the IX20 device on the binding's interface. By default, the IX20 device has two preconfigured QoS bindings, Outbound and Inbound.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Type quit to disconnect from the device. Create a new binding WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
9. Create a policy for the binding: At least one policy is required for each binding. Each policy can contain up to 30 rules. a. Click to expand Policy. b. For Add Policy, click . The QoS binding policy configuration window is displayed.
(Optional) Type a Label for the binding policy rule. iv. For Type Of Service, type the value of the Type of Service (ToS) packet header that defines packet priority. If unspecified, this field is ignored. https://www.tucny.com/Home/dscp-tos for a list of common TOS values.
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config firewall qos 2)> policy (config firewall qos 2 policy)> b. Add a policy: (config firewall qos 2 policy)> add end (config firewall qos 2 policy 0)> New QoS binding policies are enabled by default. To disable:
(config firewall qos 2 policy 0 rule 0)> New QoS binding policy rules are enabled by default. To disable: (config firewall qos 2 policy 0 rule 0)> enable false (config firewall qos 2 policy 0 rule 0)>
Only traffic from the selected interface will be matched. Set the interface: i. Use the ? to determine available interfaces: (config network qos 2 policy 0 rule 0)> src interface ? Interface: Match the IP address with the specified
(config network qos 2 policy 0 rule 0)> where value is one of: any: Traffic destined for anywhere will be matched. Firewall configuration for more information about firewall zones. interface: Only traffic destined for the selected Interface will be matched. Set the interface:
8. Save the configuration and apply the change: (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
System administration This chapter contains the following topics: Review device status Configure system information Update system firmware Update cellular module firmware Reboot your IX20 device Reset the device to factory defaults Configuration files Schedule system maintenance tasks
Show basic system information: 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Disk /var Usage : 1.765MB/256.0MB(1%) > Configure system information You can configure information related to your IX20 device, such as providing a name and location for the device. Configuration items A name for the device. The name of a contact for the device.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
For example, IX20-20.8.22.32.bin. Manage firmware updates using Digi Remote Manager If you have a network of many devices, you can use Digi Remote Manager Profiles to manage firmware updates. Profiles ensure all your devices are running the correct firmware version and that all newly installed devices are updated to that same version.
4. For Version:, select the appropriate version of the device firmware. 5. Click Update Firmware. Update firmware from a local file 1. Download the IX20 operating system firmware from the Digi Support FTP site to your local machine. 2. Log into the IX20 WebUI as a user with Admin access.
1. Download the IX20 operating system firmware from the Digi Support FTP site to your local machine. 2. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
> reboot Rebooting system > 7. Once the device has rebooted, log into the IX20's command line as a user with Admin access and verify the running firmware version by entering the show system command. > show system...
2. Duplicate the firmware: > system duplicate-firmware > Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository, or by uploading firmware from your local storage onto the device. WebUI This operation is available from the WebUI only. There is no equivalent functionality at the CLI.
Select the firmware. 7. Click Update. Reboot your IX20 device You can reboot the IX20 device immediately or schedule a reboot for a specific time every day. Note You may want to save your configuration settings to a file before rebooting. See...
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
You can reset the device in the WebUI, at the command line, or by using the Reset button on the device. You can also reset the device to the default configuration without removing scripts, keys, and logfiles by using the revert command. WebUI
3. In the Erase configuration section, click ERASE. 4. Click CONFIRM. 5. After resetting the device: a. Connect to the IX20 by using the serial port or by using an Ethernet cable to connect the IX20 ETH2 port to your PC. b. Log into the IX20: User name: Use the default user name: admin.
2. Enter the following: > system factory-erase 3. After resetting the device: a. Connect to the IX20 by using the serial port or by using an Ethernet cable to connect the IX20 ETH2 port to your PC. b. Log into the IX20: User name: Use the default user name: admin.
The device reboots again and resets to factory defaults, and also removes generated certificates and keys. 3. After resetting the device: a. Connect to the IX20 by using the serial port or by using an Ethernet cable to connect the IX20 ETH2 port to your PC. b. Log into the IX20: User name: Use the default user name: admin.
Save configuration changes When you make changes to the IX20 configuration, the changes are not automatically saved. You must explicitly save configuration changes, which also applies the changes. If you do not save configuration changes, the system discards the changes.
Type quit to disconnect from the device. Save configuration to a file You can save your IX20 device's configuration to a file and use this file to restore the configuration, either to the same device or to similar devices.
> scp host 192.168.4.1 user admin remote /home/admin/bin/ local /etc/config/backup-archive-0040FF800120-19.05.17-19.01.17.bin to remote Restore the device configuration You can restore a configuration file to your IX20 device by using a backup from the device, or a backup from a similar device. ...
IX20 device. local-path is the location on the IX20 device where the copied file will be placed.
3. Enter the following: > system restore path [passphrase passphrase] where path is the location of configuration backup file on the IX20's filesystem (local-path in the previous step). passphrase (optional) is the passphrase to restore the configuration backup, if a passphrase was used when the backup was created.
Custom scripts that should be run as part of the configuration check. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Configuration > Applications. b. For Add Script, click . The schedule script configuration window is displayed. Scheduled scripts are enabled by default. To disable, click Enable to toggle off. c. (Optional) For Label, provide a label for the script.
Make a change to the script. Uncheck Once. i. Sandbox is enabled by default. This option protects the script from accidentally destroying the system it is running on. 10. Click Apply to save the configuration and apply the change.
Schedule system maintenance tasks Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config system schedule script 0)> exit_action action (config system schedule script 0)> where action is one of the following: none: Action taken when the script exits. restart: Runs the script repeatedly. reboot: The device will reboot when the script completes.
Otherwise, the default shell will be used (equivalent to #!/bin/sh). e. Script logging options: To log the script's output to the system log: (config system schedule script 0)> syslog_stdout true (config system schedule script 0)>
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Monitoring This chapter contains the following topics: intelliFlow Configure NetFlow Probe
WebUI. To use intelliFlow, the IX20 must be powered on and you must have access to the local WebUI. Once you enable intelliFlow, the Status >...
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
This procedure is only available from the WebUI. To display average CPU and RAM usage: WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
Top data usage by service To generate a top data usage chart: WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow. 3. From the menu, click Status > intelliFlow.
5. Change the type of chart that is used to display the data: a. Click the menu icon. b. Select the type of chart. 6. Change the number of top users displayed. You can display the top five, top ten, or top twenty data users.
Use intelliFlow to display data usage by host over time To generate a chart displaying a host's data usage over time: WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
To save the chart to your local filesystem, select Export to PNG. c. To print the chart, select Print chart. Configure NetFlow Probe NetFlow probe is used to probe network traffic on the IX20 device and export statistics to NetFlow collectors. Required configuration items Enable NetFlow.
Configure NetFlow Probe WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Monitoring > NetFlow probe.
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config)> monitoring netflow max_flows value (config)> where value is any number between 0 and 2000000. The default is 2000000. 9. Add collectors: a. Add a collector: (config)> add monitoring netflow collector end (config monitoring netflow collector 0)>
(config monitoring netflow collector 0)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Configure Digi Remote Manager Collect device health data and set the sample interval Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
Digi Remote Manager User Guide. Configure Digi Remote Manager By default, your IX20 device is configured to use central management using Digi Remote Manager. Additional configuration options These additional configuration settings are not typically configured, but you can set them as needed: Disable the Digi Remote Manager connection if it is not required.
6. (Optional) For Management port, type the destination port for the remote cloud services connection. The default is 3199. 7. (Optional) For Retry interval, type the amount of time that the IX20 device should wait before reattempting to connect to remote cloud services after being disconnected. The default is 30 seconds.
16. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config)> cloud drm drm_url url (config)> 6. (Optional) Set the amount of time that the IX20 device should wait before reattempting to connect to the remote cloud services after being disconnected. The minimum value is ten seconds. The default is 30 seconds.
30 seconds to two hours. The default is 290 seconds. (config)> cloud drm cellular_keep_alive value (config)> where value is any number of hours, minutes, or seconds, and takes the format number{h|m|s}. For example, to set the cellular keep-alive interval to ten minutes, enter either 10m or 600s: (config)>...
Collect device health data and set the sample interval You can enable or disable the collection of device health data to upload to Digi Remote Manager, and configure the interval between health sample uploads. By default, device health data upload is...
To avoid a situation where several devices are uploading health metrics information to Remote Manager at the same time, the IX20 device includes a preconfigured randomization of two minutes for uploading metrics. For example, if Health sample interval is set to five minutes, the metrics will be uploaded to Remote Manager at a random time between five and seven minutes.
1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
(config)> show monitoring devicehealth tuning cellular bytes enable true bytes enable true bytes enable true bytes enable true serial bytes enable true bytes enable true cellular bytes enable true packets enable true (config)>...
1. If you have not already done so, click here to sign up for a Digi Remote Manager account. 2. Check your email for Digi Remote Manager login instructions. 3. Go to remotemanager.digi.com. 4. Log into your Digi Remote Manager account.
Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. Click Device Management to display a list of your devices.
The same default password is also shown on the label affixed to the bottom of the device. 6. Click Add. 7. Click OK. Digi Remote Manager adds your IX20 device to your account and it appears in the Device Management view. View Digi Remote Manager connection status To view the current Digi Remote Manager configuration: ...
2. Follow the prompts to complete your IX20 registration. Digi Remote Manager registers your IX20 and adds it to your Digi Remote Manager device list. You can now manage the device remotely using Digi Remote Manager.
Digi recommends you take advantage of Digi Remote Manager profiles to manage multiple IX20 routers. Typically, if you want to provision multiple IX20 routers: 1. Using the IX20 local WebUI, configure one IX20 router to use as the model configuration for all subsequent IX20s you need to manage.
File system This chapter contains the following topics: The IX20 local file system Display directory contents Create a directory Display file contents Copy a file or directory Move or rename a file or directory Delete a file or directory Upload and download files...
The IX20 local file system The IX20 local file system has approximately 150 MB of space available for storing files, such as Python programs, alternative configuration files and firmware versions, and release files, such as cellular module images.
For example: 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
For example: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the Admin CLI prompt, type more /path/filename. For example, to view the contents of the file accns.json in /etc/config:...
Command line To rename a file named test.py in /etc/config/scripts to final.py: 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line To delete a file named test.py in /etc/config/scripts: 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
FileZilla. Upload and download files by using the WebUI Upload files 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears.
IX20 device. local-path is the location on the IX20 device where the copied file will be placed. For example: To copy firmware from a remote host with an IP address of 192.168.4.1 to the /etc/config directory on the IX20 device, issue the following command: >...
IX20 device. For example: To copy a support report from the IX20 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
$ sftp ahmed@192.168.2.1
Password:
Connected to 192.168.2.1
sftp> get test.py
Fetching test.py to test.py
test.py 100% 0.3KB/s 00:00
sftp> exit
Generate a support report View system event logs Configure syslog servers Configure options for the event and system logs Analyze network traffic Use the ping command to troubleshoot network connections Use the traceroute command to diagnose IP routing problems
Attach the support report to any support requests. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
View System Logs WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. On the main menu, click System > Logs. The system log displays: 3. Limit the display in the system log by using the Find search tool.
5. Click to download the system log.
View system event logs Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
6. Click to download the event log. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Nov 26 22:01:25 info user name=admin~service=cli~state=closed~remote=192.168.1.2 > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
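The user event line shown above carries its fields as key=value pairs separated by ~. The following Python is an added example, not part of the Digi guide: it parses lines of that shape and lists user sessions whose remote address lies outside an expected management network. Only the last sample line comes from this page; the other lines, the "opened" state, and the 192.168.1.0/24 allow-list are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample. Only the last event line appears in the guide; the others
# copy its shape with made-up values ("opened" as a state is an assumption).
SAMPLE_LOG = """\
Nov 26 21:54:10 info user name=admin~service=cli~state=opened~remote=192.168.1.2
Nov 26 21:58:41 info user name=admin~service=cli~state=opened~remote=203.0.113.50
Nov 26 22:00:02 info user name=admin~service=cli~state=closed~remote=203.0.113.50
this line is not an event record
Nov 26 22:01:25 info user name=admin~service=cli~state=closed~remote=192.168.1.2
"""

# timestamp, level, category, then the ~-separated field list
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>\S+) (?P<category>\S+) (?P<fields>\S.*)$"
)


def parse_event(line):
    """Return a dict for one event line, or None if the line does not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    fields = {}
    last_key = None
    for piece in match.group("fields").split("~"):
        key, sep, value = piece.partition("=")
        if sep:
            fields[key] = value
            last_key = key
        elif last_key is not None:
            # A '~' inside a value: glue the piece back on rather than drop it.
            fields[last_key] += "~" + piece
        else:
            return None
    return {
        "ts": match.group("ts"),
        "level": match.group("level"),
        "category": match.group("category"),
        "fields": fields,
    }


def parse_log(text):
    """Parse every line that looks like an event; skip the rest."""
    events = []
    for line in text.splitlines():
        event = parse_event(line)
        if event is not None:
            events.append(event)
    return events


def sessions_outside(events, allowed_networks):
    """List (ts, name, service, state, remote) for user events from other networks."""
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for event in events:
        if event["category"] != "user":
            continue
        fields = event["fields"]
        remote = fields.get("remote", "")
        try:
            address = ipaddress.ip_address(remote)
            inside = any(address in net for net in networks)
        except ValueError:
            inside = False  # remote is not an IP address: report it for review
        if not inside:
            flagged.append((event["ts"], fields.get("name"), fields.get("service"),
                            fields.get("state"), remote))
    return flagged


if __name__ == "__main__":
    for row in sessions_outside(parse_log(SAMPLE_LOG), ["192.168.1.0/24"]):
        print(row)
```
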
You can configure remote syslog servers for storing event and system logs. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
30 minutes. All event categories are enabled. To change or disable the heartbeat interval, or to disable event categories, and to perform other log configuration: WebUI
7. Enable Preserve system logs to save the current session's system log after a reboot. By default, the IX20 device erases system logs each time the device is powered off or rebooted.
To disable the heartbeat interval, set the value to 0s. 4. Enable preserve system logs functionality to save the current session's system log after a reboot. By default, the IX20 device erases system logs each time the device is powered off or rebooted.
(config)> system log event dhcpserver ? DHCP server: Settings for DHCP server events. Informational events are generated when a lease is obtained or released. Status events report the current list of leases. Parameters Current Value ------------------------------------------------------------------- ------------
7. Save the configuration and apply the change: (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Analyze network traffic The IX20 device includes a network analyzer tool that captures data traffic on any interface and decodes the captured data traffic for diagnostics. You can capture data traffic on multiple interfaces at the same time and define capture filters to reduce the captured data. You can capture up to 10 MB of data traffic in two 5 MB files per interface.
To configure a packet capture configuration: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Analyzer.
For Save interval, type the frequency with which captured events will be saved. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Save interval to ten minutes, enter 10m or 600s.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config network analyzer name)> save_interval value (config network analyzer name)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set save_interval to ten minutes, enter either 10m or 600s:
Capture traffic from UDP port 53:
    ip proto udp and src port 53
Capture to and from IP host 10.0.0.1 but filter out ports 22 and 80:
    ip host 10.0.0.1 and not (port 22 or port 80)
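The guide gives value formats and bounds for save_interval (number{w|d|h|m|s}), and earlier for cloud drm cellular_keep_alive (number{h|m|s}, 30 seconds to two hours) and monitoring netflow max_flows (0 to 2000000). The following Python is an added example, not Digi code: it checks a planned list of settings against those stated limits before they are typed into a device. The planned lines are constructed, and writing save_interval without its analyzer node path is an assumption made to keep the sample short.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(text, units):
    """Convert number{unit} (for example 10m) to seconds; units lists allowed suffixes."""
    match = re.fullmatch(r"(\d+)([a-z])", text)
    if match is None or match.group(2) not in units:
        expected = "number{" + "|".join(units) + "}"
        raise ValueError(repr(text) + " is not in the format " + expected)
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def check_keep_alive(value):
    """cellular_keep_alive: number{h|m|s}, 30 seconds to two hours."""
    seconds = to_seconds(value, "hms")
    if not 30 <= seconds <= 2 * 3600:
        raise ValueError(value + " is outside 30 seconds to two hours")
    return seconds


def check_save_interval(value):
    """save_interval: number{w|d|h|m|s}; the page states no bounds."""
    return to_seconds(value, "wdhms")


def check_max_flows(value):
    """max_flows: any number between 0 and 2000000."""
    if re.fullmatch(r"\d+", value) is None or int(value) > 2000000:
        raise ValueError(value + " is not a number between 0 and 2000000")
    return int(value)


CHECKS = {
    "cloud drm cellular_keep_alive": check_keep_alive,
    "monitoring netflow max_flows": check_max_flows,
    "save_interval": check_save_interval,  # entered inside the analyzer node
}

# Constructed input: settings someone plans to apply.
PLANNED = [
    "cloud drm cellular_keep_alive 10m",
    "cloud drm cellular_keep_alive 10s",
    "cloud drm cellular_keep_alive 1d",
    "monitoring netflow max_flows 2000001",
    "save_interval 600s",
    "save_interval 10 m",
]


def lint(lines):
    """Return (line_number, message) for each planned setting that fails its check."""
    problems = []
    for number, line in enumerate(lines, start=1):
        for path, check in CHECKS.items():
            if line.startswith(path + " "):
                try:
                    check(line[len(path) + 1:].strip())
                except ValueError as exc:
                    problems.append((number, str(exc)))
                break
    return problems


if __name__ == "__main__":
    for number, message in lint(PLANNED):
        print("line", number, "-", message)
```
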
To start packet capture from the command line: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To stop packet capture from the command line: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To show captured data traffic: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Type the following at the Admin CLI prompt: >...
4. Select the saved analyzer report you want to download and click (download). Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Type the following at the Admin CLI prompt: >...
Ping to check internet connection To check your internet connection: 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Max wait for a response to a probe. (Default: 5) Example This example shows using traceroute to verify that the IX20 device can route to host 8.8.8.8 (www.google.com) through the default gateway. The command output shows that 15 routing hops were required to reach the host: 1.
Radio Frequency Interference (RFI) (FCC 15.105) The Digi IX20 has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
The IX20 is certified for use in several European countries. For information, visit www.digi.com/resources/certifications. If the IX20 is incorporated into a product, the manufacturer must ensure compliance of the final product with articles 3.1a and 3.1b of the RE Directive (Radio Equipment Directive). A Declaration of Conformity must be issued for each of these standards and kept on file as described in the RE Directive (Radio Equipment Directive).
European Community - CE Mark Declaration of Conformity (DoC) account of the nature of the apparatus. The CE marking must be affixed visibly, legibly, and indelibly.
Maximum transmit power for radio frequencies The following tables show the maximum transmit power for frequency bands. Cellular frequency bands Frequency bands Maximum transmit power Cellular LTE 700 MHz...
RoHS compliance statement All Digi International Inc. products that are compliant with the RoHS Directive (EU Directive 2002/95/EC and subsequent amendments) are marked as RoHS COMPLIANT. RoHS COMPLIANT means that the substances restricted by the EU Directive 2002/95/EC and subsequent amendments...
Special safety notes for wireless routers Digi International products are designed to the highest standards of safety and international standards compliance for the markets in which they are sold. However, cellular-based products contain radio devices which require specific consideration. Take the time to read and understand the following guidance.
International EMC (Electromagnetic Compatibility) and safety standards This product complies with the requirements of the following Electromagnetic Compatibility standards. There are no user-serviceable parts inside the product. Contact your Digi representative for repair information. Certification category Standards EN 300 328 v1.8.1...
Auto-complete commands and parameters Available commands Use the scp command Display status and statistics using the show command Device configuration using the command line interface Execute configuration commands at the root Admin CLI prompt Configuration mode Command line reference
Log in to the command line interface Command line 1. Connect to the IX20 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface for more information.
2. At the main menu, click Terminal. The device console appears. IX20 login: 3. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Display help for commands and parameters The help command When executed from the root command prompt, help displays information about autocomplete operations, how to move the cursor on the IX20 command line, and other keyboard shortcuts: > help Commands ------------------------------------------------------------------------------- Show commands help <Tab>...
Typing the space bar has similar behavior. If multiple commands are available that will match the entered text, auto-complete is not performed and the available commands are displayed instead. Auto-complete applies to these command elements only:
Parameter values, where the value is one of an enumeration or an on|off type; for example: (config)> serial port1 enable t<Tab> auto-completes to (config)> serial port1 enable true Auto-complete does not function for: Parameter values that are string types. Integer values. File names. Select parameters passed to commands that perform an action.
Pings a remote host using Internet Control Message Protocol (ICMP) Echo Request messages. reboot Reboots the IX20 device. Removes a file. Uses the secure copy protocol (SCP) to transfer files between the IX20 device and a remote host. Use the scp command for information about using the scp command. show Displays information about the device and the device's configuration.
The hostname or IP address of the remote host. The username and password of the user on the remote host. Whether the file is being copied to the IX20 device from a remote host, or to the remote host from the IX20 device.
IX20 device. For example: To copy a support report from the IX20 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
"445" > show system show system command displays system information and statistics for the device, including CPU usage. > show system Model : Digi IX20 Serial Number : IX20-000065 : IX20 Hostname : IX20 : DF:DD:E2:AE:21:18 Hardware Version...
For example, to disable the SSH service from the root prompt, enter the following command: > config service ssh enable false > The IX20 device's ssh service is now disabled. Note When the config command is executed at the root prompt, certain configuration actions that are available in configuration mode cannot be performed.
4. Lastly, display the allowed values and other information for the enable parameter: > config service ssh enable ? Enable: Enable the service. Format: true, false, yes, no, 1, 0 Default value: true Current value: true > config service ssh enable
To save changes that you have made to the configuration while in configuration mode, use save. The save command automatically validates the configuration changes; the configuration will not be saved if it is not valid. Note that you can also validate configuration changes at any time while in
See Manage elements in lists for information about using the del command with lists. Moves elements in a list. See Manage move elements in lists for information about using the move command with lists.
Enter service to move to the service node: (config)> service (config service)> b. Enter ? to display help for the service node: (config service)> ? Either of these methods will display the following information: config> service ? Services Additional Configuration --------------------------------------------------------------------------
Enable [private] Private key port Port Additional Configuration -------------------------------------------------------------------------- Access control list mdns (config)> service ssh 4. Lastly, to display allowed values and other information for the enable parameter, use one of the following methods:
1. At the config prompt, type service to move to the service node: (config)> service (config service)> 2. Type ssh to move to the ssh node: (config service)> ssh (config service ssh)> 3. Type acl to move to the acl node: (config service ssh)> acl (config service ssh acl)>
2. Add an authentication method by using the add index_item command. For example: To add the TACACS+ authentication method to the beginning of the list, use the index number 0: (config)> add auth method 0 tacacs+ (config)> show auth method 0 tacacs+
1 tacacs+ 2 radius (config)> 2. Delete one of the authentication methods by using the del index_number command. For example: a. To delete the local authentication method, use the index number 0: (config)> del auth method 0 (config)>
(config)> The revert command The revert command is used to revert changes to the IX20 device's configuration and restore default configuration settings. The behavior of the revert command varies depending on where in the configuration hierarchy the command is executed, and whether the optional path parameter is used.
Page 692
Move to the location in the configuration and enter the revert command without the path parameter. For example:
1. Change to the auth method node:
   (config)> auth method
   (config auth method)>
2. Enter the revert command:
   (config auth method)> revert
   (config auth method)>

(config)> system description "Digi IX20"
Example: Create a new user by using the command line
In this example, you will use the IX20 command line to create a new user, provide a password for the user, and assign the user to authentication groups.
Page 694
5. List available authentication groups:
   (config auth user user1)> show ..group
   admin
   admin
   enable true
   nagios
   enable false
   openvpn
   enable false
   no tunnels
   portal
   enable false
   no portals
   serial
   enable false
   no ports
   shell
   enable false
   serial
   admin
Page 695
   (config auth user user1)> save
   Configuration saved.
   >
8. Type exit to exit the Admin CLI.
   Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.

Command line interface
Command line reference
analyzer
help
mkdir
modem
modem puk status [imei STRING] [name STRING]
more
ping
reboot
show
system
traceroute

Start a capture session of packets on this device's interfaces.
Parameters
name
  Name of the capture filter to use.
  Syntax: STRING
analyzer stop name STRING
Stops the traffic capture session.
Parameters
name
  Name of the capture filter to use.
  Syntax: STRING
Page 698
  The source file or directory to copy.
  Syntax: STRING
destination
  The destination path to copy the source file or directory to.
  Syntax: STRING
force
  Do not ask to overwrite the destination file if it exists.
  Syntax: BOOLEAN
  Default: False
  Optional: True

help
Show CLI editing and navigation commands.
Parameters
  None
Page 700
Directory listing command.
ls [show-hidden] PATH
List a directory.
Parameters
path
  List files and directories under this path.
  Syntax: STRING
show-hidden
  Show hidden files and directories. Hidden filenames begin with '.'.
  Syntax: BOOLEAN
  Default: False
  Optional: True

mkdir
mkdir PATH
Create a directory. Parent directories are created as needed.
Parameters
path
  The directory path to create.
  Syntax: STRING

  The configured name of the modem to execute this CLI command on.
  Syntax: STRING
  Optional: True
modem pin
PIN commands.
pin change [imei STRING] [name STRING] OLD-PIN NEW-PIN
Change the SIM's PIN code. Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.
Page 703
Enable the PIN lock on the SIM card that is active in the modem. The SIM card will need to be unlocked before each use. Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.
Page 704
SIM card automatically before use. Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.
Parameters
  The SIM's PIN code.
  Syntax: STRING
imei
  The IMEI of the modem to execute this CLI command on.
  Syntax: STRING
  Optional: True

  The PIN code to change to.
  Syntax: STRING
imei
  The IMEI of the modem to execute this CLI command on.
  Syntax: STRING
  Optional: True
name
  The configured name of the modem to execute this CLI command on.
Page 706
  The SIM slot to change to.
  Syntax: (1|2|show)
imei
  The IMEI of the modem to execute this CLI command on.
  Syntax: STRING
  Optional: True
name
  The configured name of the modem to execute this CLI command on.
  Syntax: STRING
  Optional: True

more
path
  The file to view.
  Syntax: STRING
Page 708
  The source file or directory to move.
  Syntax: STRING
destination
  The destination path to move the source file or directory to.
  Syntax: STRING
force
  Do not ask to overwrite the destination file if it exists.
  Syntax: BOOLEAN
  Default: False
  Optional: True

  If a hostname is defined as the value of the 'host' parameter, use the host's IPv6 address.
  Syntax: BOOLEAN
  Default: False
  Optional: True
size
  The number of bytes sent in the ICMP ping request.
  Syntax: INT
  Minimum: 0
  Default: 56

reboot
Reboot the system.
Parameters
  None
Page 711
Remove a file or directory.
rm [force] PATH
Parameters
path
  The path to remove.
  Syntax: STRING
force
  Force the file to be removed without asking.
  Syntax: BOOLEAN
  Default: False
  Optional: True

  Syntax: STRING
  Copy the file from the local device to the remote host, or from the remote host to the local device.
  Syntax: (remote|local)
user
  The username to use when connecting to the remote host.
  Syntax: STRING

  Default: False
  Optional: True
verbose
  Display more information (less concise, more detail).
  Syntax: BOOLEAN
  Default: False
  Optional: True
show cloud
Show Digi Remote Manager status and statistics.
Parameters
  None
show config
Show changes made to default configuration.
Page 714
  Type of event log to be displayed (status, error, info).
  Syntax: (status|error|info)
  Optional: True
show hotspot [ip STRING] [name STRING]
Show hotspot statistics.
Parameters
  IP address of a specific client, to limit the status display to only this client.
  Syntax: STRING
  Optional: True
Page 715
  Filters for type of log message displayed (critical, warning, info, debug). Note that the filter is applied to the messages retrieved, not to the whole log (filtering the whole log can be very time consuming). If you require more messages of the filtered type, increase the number of messages retrieved using 'number'.
  Syntax: (critical|warning|debug|info)
  Optional: True
Page 716
  The configured name of the modem to execute this CLI command on.
  Syntax: STRING
  Optional: True
verbose
  Display more information (less concise, more detail).
  Syntax: BOOLEAN
  Default: False
  Optional: True
show nemo [name STRING]
Show NEMO status and statistics.
Parameters
name
  The name of a specific NEMO instance.
Page 717
  Display all clients including disabled clients.
  Syntax: BOOLEAN
  Default: False
  Optional: True
name
  Display more details and config data for a specific OpenVPN client.
  Syntax: STRING
  Optional: True
openvpn server [all] [name STRING]
Show OpenVPN server status and statistics.
Page 718
  Display IPv6 routes.
  Syntax: BOOLEAN
  Default: False
  Optional: True
verbose
  Display more information (less concise, more detail).
  Syntax: BOOLEAN
  Default: False
  Optional: True
show scripts
Show scheduled system scripts.
Parameters
  None
show serial PORT
Show serial status and statistics.
Page 719
Show firmware version.
Parameters
verbose
  Display more information (build date)
  Syntax: BOOLEAN
  Default: False
  Optional: True
show vrrp [all|verbose] [name STRING]
Show VRRP status and statistics.
Parameters
  Display all VRRP instances including disabled instances.
  Syntax: {True|False}
  Type: boolean
Page 720
  Display more details for a specific Wi-Fi access point.
  Syntax: STRING
  Optional: True
wifi client [all] [name STRING]
Display details for Wi-Fi client mode connections.
Parameters
  Display all Wi-Fi clients including disabled Wi-Fi client mode connections.
  Syntax: BOOLEAN
  Default: False
  Optional: True
Page 721
name
  Display more details for a specific Wi-Fi client mode connection.
  Syntax: STRING
  Optional: True
show wifi-scanner
Show Wi-Fi scanner information.
wifi-scanner log
Show output log for the last update interval.
Parameters
  None

Duplicate the running firmware to the alternate partition so that the device will always boot the same firmware version.
Parameters
  None
system factory-erase
Erase the device to restore to factory defaults. All configuration and automatically generated keys will be erased.
Page 723
Parameters
script
  Script to stop.
  Syntax: STRING
system support-report PATH
Save a support report to a file and include with support requests.
Parameters
path
  The file path to save the support report to.
  Syntax: STRING

  Specifies with what TTL to start.
  Syntax: INT
  Minimum: 1
  Default: 1
gateway
  Tells traceroute to add an IP source routing option to the outgoing packet that tells the network to route the packet through the specified gateway.
  Syntax: STRING
  Optional: True
Page 725
  Total size of the probing packet. Default 60 bytes for IPv4 and 80 for IPv6. A value of -1 specifies that the default value will be used.
  Syntax: INT
  Minimum: -1
  Default: -1
pausemsecs
  Minimal time interval between probes
Page 726
  For IPv6, set the Traffic Control value. A value of -1 specifies that no value will be used.
  Syntax: INT
  Minimum: -1
  Default: -1
waittime
  Determines how long to wait for a response to a probe.
  Syntax: INT
  Minimum: 1
  Default: 5