Revision history—90002399 Revision Date Description Initial release of the IX10 User Guide . October 2020 IX10 User Guide...
Page 3
Revision Date Description Release of Digi IX10 firmware version 20.11: December 2020 Modem firmware update commands added to the Admin CLI. Network bridging enhanced to use the MAC address of the first active device listed in Network > Bridges >...
Page 4
Information in this document is subject to change without notice and does not represent a commitment on the part of Digi International. Digi provides this document “as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Page 5
Include the document title and part number (IX10 User Guide, 90002399 B) in the subject line of your email. IX10 User Guide...
Contents Revision history—90002399 What's new in Digi IX10 version 20.11 Digi IX10 Quick start Quick start using the Digi Remote Manager mobile app Step 1: What's in the box Step 2: Gather accessories Step 3: Connect Step 4: Configure Digi IX10 hardware reference...
Page 7
Configuration and management Review IX10 default settings Local WebUI Digi Remote Manager Default interface configuration Other default configuration settings Change the default password for the admin user Configuration methods Using Digi Remote Manager Access Digi Remote Manager Using the web interface...
Page 8
Use SSH with key authentication Generating SSH key pairs Configure telnet access Configure DNS Simple Network Management Protocol (SNMP) SNMP Security Configure Simple Network Management Protocol (SNMP) Download MIBs Modbus gateway Configure the Modbus gateway Show Modbus gateway status and statistics IX10 User Guide...
Page 9
Use Python to respond to Digi Remote Manager SCI requests Use digidevice runtime to access the runtime database Use Python to upload the device name to Digi Remote Manager Use Python to send and receive SMS messages Use Python to access serial ports Use the Paho MQTT python library...
Page 10
LDAP LDAP user configuration LDAP server failover and fallback to local configuration Configure your IX10 device to use an LDAP server Disable shell access Set the idle timeout for IX10 users Example user configuration Example 1: Administrator user with local authentication...
Page 11
Configure Digi Remote Manager Collect device health data and set the sample interval Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
Page 12
Use the ping command to troubleshoot network connections Ping to check internet connection Stop ping commands Use the traceroute command to diagnose IP routing problems Digi IX10 regulatory and safety statements RF exposure statement Federal Communication (FCC) Part 15 Class B Radio Frequency Interference (RFI) (FCC 15.105)
Page 13
The revert command Enter strings in configuration commands Example: Create a new user by using the command line Command line reference analyzer help mkdir modem modem puk status [imei STRING] [name STRING] more ping reboot show system traceroute IX10 User Guide...
What's new in Digi IX10 version 20.11 Release of Digi IX10 firmware version 20.11: Modem firmware update commands added to the Admin CLI. Network bridging enhanced to use the MAC address of the first active device listed in Network > Bridges > Bridge name > Devices as the MAC address for the bridged interface.
The following steps guide you through the setup of your DigiIX10 device. Quick start using the Digi Remote Manager mobile app After connecting your hardware and powering up, you can use the Digi Remote Manager mobile app to quickly install your IX10 into your Digi Remote Manager account.
Step 2: Gather accessories Digi IX10 device The Digi IX10 has a product label on the bottom of the device. The label includes product identification information and the default password assigned to the device. The IX10 also includes a terminal connector for the power supply installed in the power input.
For high-vibration environments, apply a thin layer of dielectric grease to the SIM contacts. Note If the IX10 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
Page 18
Verify that the signal strength indicator on the front of the IX10 shows 2 or more bars. Note If your SIM card has an APN that is not recognized by the IX10 device, skip this step and configure the APN following the procedure at Configure cellular modem APNs.
Step 4: Configure Step 4: Configure This section describes how to configure the device by using the local Web UI. You can also use Digi Remote Manager to configure the device, including using a Digi RM device configuration to automatically update the device. See the Digi Remote Manager User Guide.
10/100 BaseT Ethernet port for high-speed connectivity. For a detailed list of IX10 hardware specifications, see https://www.digi.com/products/networking/cellular-routers/industrial/digi-ix10#specifications. IX10 accessories When accessories are purchased with the IX10 device, the following are provided: Cellular antennas. Power supply. Ethernet cable. DIN rail mounting bracket, DIN rail mounting clip,...
The SELECT button is used to manually toggle between the two SIM slots. 8. SIM slots See Install SIM cards for more details. IX10 LEDs The IX10 LEDs are located on the top front panel. . During bootup, the front-panel LEDs light up in sequence to indicate boot progress. IX10 User Guide...
Digi IX10 hardware reference IX10 LEDs Power (PWR) No power. Solid green DC power is connected to the device. Solid Blue Device is ON and connected to the internet. Indicates that a SIM is in use: No SIM is present Solid green SIM1 is active.
Digi IX10 hardware reference IX10 LEDs Flashing white Solid blue ETH port connection established and in Connected to the 4G LTE and also has a the process of connecting to the ETH connection. cellular network. Flashing green Alternating Red/yellow (or orange) Connected to 2G or 3G and is in the Upgrading firmware.
Solid amber: 1000 Mbps link detected. Signal quality bars explained The signal status bars for the Digi IX10 measure more than simply signal strength. The value reported by the 4G LTE signal bars is calculated using an algorithm that takes into consideration the Reference...
IX10 power supply requirements IX10 is intended to be powered by a certified power supply with output rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. Use the included power supply (part number 24000154).
Page 26
Hardware setup This chapter contains the following topics: Install SIM cards Connect data cables Mount the IX10 device IX10 User Guide...
4. After SIM cards are installed, replace the SIM slot cover. SIM removal The IX10 has a PUSH-PUSH SIM connector. To insert, push each SIM in until it clicks, and repeat for removal. When you push to eject, the SIM ejects back out about 1/8 inch.
The IX10 provides two types of data ports: Ethernet (RJ-45): Use a Cat 5e or Cat 6 Ethernet cable. Serial (RJ-50): Use a serial cable with an RJ-50 connector to connect to the IX10 device. See 10-pin serial cabling options for information about Digi's 10-pin RJ-50 cables.
Page 29
Attach the DIN rail clip to the back of the device with the screws provided. b. Set the IX10 device onto a DIN rail and gently press until the clip snaps into the rail. 2. Attach the DIN rail clip to the bottom of the device: a.
Page 30
Hardware setup Mount the IX10 device b. Set the IX10 device onto a DIN rail and gently press until the clip snaps into the rail. WARNING! If being installed above head height on a wall or ceiling, ensure the device is fitted securely to avoid the risk of personal injury.
Page 31
Configuration and management This chapter contains the following topics: Review IX10 default settings Change the default password for the admin user Configuration methods Using Digi Remote Manager Access Digi Remote Manager Using the web interface Using the command line Access the command line interface...
Configuration and management Review IX10 default settings Review IX10 default settings You can review the default settings for your IX10 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the IX10 WebUI as a user with Admin access. See Using the web interface for details.
Packet filtering allows all outbound traffic. Security policies SSH and web administration: Enabled for local administration Firewall zone: Internal Device heath metrics uploaded to Digi Remote Manager at 60 minute Monitoring interval. SNMP: Disabled Enabled Serial port Serial mode: Remote...
Page 34
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX10 device is configured to use Digi Remote Manager as its central management server. No configuration changes are required to begin using the Remote Manager.
Using the web interface To connect to the IX10 local WebUI: 1. Use an Ethernet cable to connect the IX10's ETH port to a laptop or PC. 2. Open a browser and go to 192.168.2.1. The device is also accessible at the default IP address of 192.168.210.1. However, because this IP address does not use a DHCP server, to connect to this address you must configure your local PC with an appropriate static IP address (for example, 192.168.210.2).
Configuration and management Using the web interface Log out of the web interface On the main menu, click your user name. Click Log out. IX10 User Guide...
Log in to the command line interface Command line 1. Connect to the IX10 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface more information.
Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the IX10 command line. You will now be connected to the Admin CLI: Connecting now, 'exit' to disconnect from Admin CLI ... >...
Interfaces IX10 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wireless Wide Area Networks (WWANs) Local Area Networks (LANs)
Problems can occur beyond the immediate modem connection that prevent some IP traffic from reaching its destination. Normally this kind of problem does not cause the IX10 device to detect that the modem has failed, because the connection continues to work while the core problem exists somewhere else in the network.
Page 42
WebUI SureLink can be configured for both IPv4 and IPv6. 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 43
For example, to set Response timeout to ten minutes, enter 10m or 600s. The default is 15 seconds. 11. (Optional) Repeat this procedure for IPv6. 12. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 44
Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6. 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 45
(config network interface my_wwan ipv4 surelink target 0)> interface_timeout value (config network interface my_wwan ipv4 surelink target 0)> The default is 60 seconds. (Optional) Repeat to add additional test targets. 7. Optional active recovery configuration parameters: IX10 User Guide...
Page 46
Set the amount of time that the device should wait for a response to a probe attempt before considering it to have failed: (config network interface my_wwan ipv4 surelink)> timeout value (config network interface my_wwan ipv4 surelink> The default is 15 seconds. 8. (Optional) Repeat this procedure for IPv6. IX10 User Guide...
Type quit to disconnect from the device. Configure the device to reboot when a failure is detected Using SureLink, you can configure the IX10 device to reboot when it has determined that an interface has failed. Required configuration items Enable SureLink.
Page 48
Interfaces Wireless Wide Area Networks (WWANs) 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
Page 49
13. Click Apply to save the configuration and apply the change. Command line Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6. IX10 User Guide...
Page 50
Interfaces Wireless Wide Area Networks (WWANs) 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 51
(Optional) Repeat to add additional test targets. 8. Optional active recovery configuration parameters: a. Move back two levels in the configuration by typing ..: (config network interface my_wwan ipv4 surelink target 0)> ..(config network interface my_wwan ipv4 surelink> IX10 User Guide...
If your device uses a private APN with no Internet access, or your device has a restricted wired WAN connection that doesn't allow DNS resolution, follow this procedure to disable the default SureLink connectivity tests. You can also disable DNS lookup or other internet activity, while retaining the SureLink interface test. WebUI IX10 User Guide...
Page 53
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 54
WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
Page 55
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Typically, you configure SIM1 of the cellular modem as the primary cellular interface, and SIM2 as the backup cellular interface. In this way, if the IX10 device cannot connect to the network using SIM1, it automatically fails over to SIM2. IX10 devices automatically use the correct cellular module firmware for each carrier when switching SIMs.
Page 57
Wireless Wide Area Networks (WWANs) WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Modems > Modem.
Page 58
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 59
7. Set the maximum number of interfaces. This is used when using dual-APN SIMs. The default is (config)> network modem modem max_intfs int (config)> 8. Carrier switching allows the modem to automatically match the carrier for the active SIM. Carrier switching is enabled by default. To disable: IX10 User Guide...
Page 60
Type quit to disconnect from the device. Configure cellular modem APNs The IX10 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
Page 61
To configure the APN: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem > APN list > APN.
Page 62
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 63
You can view a summary status for all cellular modems, or view detailed status and statistics for a specific modem. WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. On the menu, click Status. 3. Under Connections, click Modems. The modem status window is displayed...
Page 64
Wireless Wide Area Networks (WWANs) Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 65
Command line To unlock a SIM card: 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 66
To run AT commands from the IX10 command line: Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 67
APNs, and then use routing roles to forward traffic to the appropriate WWAN interface. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 68
For Zone, select External. e. For Device, select Modem . f. (Optional): Configure the public APN. If the public APN is not configured, the IX10 will attempt to determine the APN. i. Click to expand APN list > APN.
Page 69
Configure the source address: i. Click to expand Source address. ii. For Type, select IPv4 address. iii. For Address, type 192.168.2.101. f. Configure the destination address: i. Click to expand Destination address. ii. For Type, select Interface. IX10 User Guide...
Page 70
Set the modem device: (config network interface WWANPublic)> modem device modem (config network interface WWANPublic)> d. (Optional): Set the public APN. If the public APN is not configured, the IX10 will attempt to determine the APN. IX10 User Guide...
Page 71
Set the label that will be used to identify this route policy: (config network route policy 0)> label "Route through private apn" (config network route policy 0)> c. Set the interface: (config network route policy 0)> interface /network/interface/WWANPrivate (config network route policy 0)> IX10 User Guide...
The firewall zone: External. The cellular modem that is used by the WWAN. Additional configuration items SIM selection for this WWAN. The SIM PIN. The SIM phone number for SMS connections. Enable or disable roaming. DNS options. SIM failover configuration. IX10 User Guide...
Page 73
WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
Page 74
The default setting is When primary default route. f. SIM failover is enabled by default, which means that the modem will automatically fail over from the active SIM to the next available SIM when the active SIM fails to connect. If IX10 User Guide...
Page 75
Reboot device: The device will reboot if automatic SIM switching is unavailable. 9. For APN list and APN list only, the IX10 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
Page 76
Interfaces Wireless Wide Area Networks (WWANs) 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 77
(config network interface my_wwan)> modem imsi IMSI (config network interface my_wwan)> plmn_id Set the PLMN id that must be in active for this WWAN to be used: (config network interface my_wwan)> modem plmn_id PLMN_ID (config network interface my_wwan)> IX10 User Guide...
Page 78
(config network interface my_wwan)> modem sim_failover false (config network interface my_wwan)> If enabled: i. Set the number of times that the device should attempt to connect to the active SIM before failing over to the next available SIM: IX10 User Guide...
Page 79
The device will reboot if automatic SIM switching is unavailable. 7. The IX10 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
3. Under Networking, click Interfaces. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Type quit to disconnect from the device. Delete a WWAN. Follow this procedure to delete any WANs and WWANs that have been added to the system. You cannot delete the preconfigured WAN, ETH1, or the preconfigured WWAN, Modem. WebUI IX10 User Guide...
Page 82
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The IX10 device is preconfigured with the following Local Area Networks (LANs): You can modify configuration settings for ETH, and you can create new LANs. This section contains the following topics:...
The IPv6 Maximum Transmission Unit (MTU) of the LAN. The IPv6 prefix length and ID. IPv6 DHCP server configuration. See DHCP servers for more information. MAC address blacklist and whitelist. To create a new LAN or edit an existing LAN: IX10 User Guide...
Page 85
Local Area Networks (LANs) WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
Page 86
13. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 87
These instructions assume that the LAN will use a static IP address for its IPv4 configuration. a. Set the IPv4 address and subnet of the LAN interface. Use the format IPv4_ address/netmask, for example, 192.168.2.1/24. (config network interface my_lan)> ipv4 address ip_address/netmask (config network interface my_lan)> IX10 User Guide...
Page 88
Management priority 1500 prefix_id Prefix ID prefix_length Prefix length type prefix_delegation Type weight Weight Additional Configuration ----------------------------------------------------------------------- -------- connection_monitor Active recovery dhcpv6_server DHCPv6 server (config network interface my_lan)> View default settings for the IPv6 DHCP server: IX10 User Guide...
3. Under Networking, click Interfaces. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete a LAN Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1. WebUI IX10 User Guide...
Type quit to disconnect from the device. DHCP servers You can enable DHCP on your IX10 device to assign IP addresses to clients, using either: The DHCP server for the device's local network, which assigns IP addresses to clients on the device's local network.
Page 92
WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
Page 93
For Gateway, select either: None: No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. Automatic: Broadcasts the IX10 device's gateway. Custom: Allows you to identify the IP address of a Custom gateway to be broadcast.
Page 94
Interfaces Local Area Networks (LANs) 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 95
No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. auto: Broadcasts the IX10 device's gateway. custom: Allows you to identify the IP address of a custom gateway to be broadcast: (config)> network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_address (config)>...
Page 96
Interfaces Local Area Networks (LANs) none: No server is broadcast. auto: Broadcasts the IX10 device's server. custom: Allows you to identify the IP address of the server. For example: (config)> network interface my_lan ipv4 dhcp_server advanced primary_dns_custom ip_address (config)> The default is auto.
Page 97
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 98
3. Under Networking, click DHCP Leases. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 99
To delete a static IP entry: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
Page 100
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 101
Local Area Networks (LANs) Configure DHCP options You can configure DHCP servers running on your IX10 device to send certain specified DHCP options to DHCP clients. You can also set the user class, which enables you to specify which specific DHCP clients will receive the option.
Page 102
Local Area Networks (LANs) Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 103
LAN. For the IX10 device, DHCP relay is configured by providing the IP address of a DHCP relay server, rather than an IP address range. If both the DHCP relay server and an IP address range are specified, DHCP relay is used, and the specified IP address range is ignored.
Page 104
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 105
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show DHCP server status and settings View DHCP status to monitor which devices have been given IP configuration by the IX10 device and to diagnose DHCP issues. ...
To create a VLAN: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Virtual LAN.
Page 107
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 108
Interfaces Local Area Networks (LANs) 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
IX10 devices have a single serial port that provides access to the command-line interface. Use an RS-232 serial cable to establish a serial connection from your IX10 to your local laptop or PC. Use a terminal emulator program to establish the serial connection. The terminal emulator's serial connection must be configured to match the configuration of the IX10 device's serial port.
Page 110
Serial port Configure the serial port 1. Log into the IX10 WebUI as a user with Admin access. 2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.
Page 111
Enable CTS to monitor CTS (Clear to Send) changes on this port. b. Enable DCD to monitor DCD (Data Carrier Detect) changes on this port. 8. (Optional) Copy the serial port's configuration by clicking the (copy) icon. The Copy Configuration window displays. IX10 User Guide...
Page 112
Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 113
Set the stop bits used by the device to which you want to connect: (config)> serial port1 stopbits bits (config)> e. Set the type of flow control used by the device to which you want to connect: (config)> serial port1 flow type (config) IX10 User Guide...
Page 114
(Optional) Enable monitoring of CTS (Clear to Send) changes on this port: (config)> serial port1 monitor cts true (config) f. (Optional) Enable monitoring of DCD (Data Carrier Detect) changes on this port: (config)> serial port1 monitor dcd true (config) IX10 User Guide...
Page 115
A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the tcp port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: IX10 User Guide...
Page 116
(Optional) Enable mDNS. mDNS is a protocol that resolves host names in small networks that do not have a DNS server. (config serial USB_port)> service tcp mdns enable true (config serial USB_port)> h. Configure telnet access to this port: CAUTION! This connection is not authenticated or encrypted. IX10 User Guide...
Page 117
No limit to IPv6 addresses that can access the telnet port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config serial USB_port)> add service telnet acl interface end value (config serial USB_port)>...
Page 118
(config serial USB_port)> service ssh enable false (config serial USB_port)> ii. Set the ssh port: (config serial USB_port)> service ssh port port (config serial USB_port)> iii. (Optional) Configure the access control list to limit access to the ssh connection: IX10 User Guide...
Page 119
No limit to IPv6 addresses that can access the ssh port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config serial USB_port)> add service ssh acl interface end value (config serial USB_port)>...
3. Under Connections, click Serial. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Log serial port messages To display and configure the serial port log: WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. On the main menu, click Status 3. Under Connections, click Serial. 4. Click Log.
Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP) IX10 User Guide...
IP routing IP routing The IX10 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
To configure a static route: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Static routes.
Page 125
7. For Interface, select the interface on the IX10 device that will be used with this static route. 8. (Optional) For Gateway, type the IPv4 address of the gateway used to reach the destination.
The any keyword can also be used to route packets to any destination with this static route. 6. Set the interface on the IX10 device that will be used with this static route: a. Use the ? to determine available interfaces: b.
Page 127
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
However, you can use policy-based routing to forward the packet based on other criteria, such as the source of the packet. For example, you can configure the IX10 device so that high-priority traffic is routed through the cellular connection, while all other traffic is routed through an Ethernet (WAN) connection.
Page 129
5. (Optional) For Label, type a label that will be used to identify this route policy. 6. For Interface, select the interface on the IX10 device that will be used with this route policy. 7. (Optional) Enable Exclusive to configure the policy to drop packets that match the policy when the gateway interface is disconnected, rather than forwarded through other interfaces.
Page 130
For Domain, type the domain name. iv. Repeat to add additional domains. Default route: Matches packets destined for the default route, excluding routes for local networks. 13. Click Apply to save the configuration and apply the change. Command line IX10 User Guide...
Page 131
(config network route policy 0)> label "New route policy" (config network route policy 0)> 5. Set the interface on the IX10 device that will be used with this route policy: a. Use the ? to determine available interfaces: b. Set the interface. For example: (config network route policy 0)>...
Page 132
(config network route policy 0)> where value is one of: zone: Matches the source IP address to the selected firewall zone. Set the zone: a. Use the ? to determine available zones: (config network route policy 0)> src zone ? IX10 User Guide...
Page 133
(config network route policy 0)> src address6 value (config network route policy 0)> where value uses the format IPv6_address[/prefix_length], or any to match any IPv6 address. mac: Matches the source MAC address to the specified MAC address. Set the MAC address to be matched: IX10 User Guide...
Page 134
(config network route policy 0)> address: Matches the destination IPv4 address to the specified IP address or network. Set the address that will be matched: (config network route policy 0)> dst address value (config network route policy 0)> IX10 User Guide...
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Routing services Your IX10 includes support for dynamic routing services and protocols. The following routing services are supported: Service or...
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 137
Complete the configuration of the routing service. For example, use the ? to view the available parameters for the RIP service: (config)> network route service rip ? Parameters Current Value ----------------------------------------------------------------------- -------- ecmp false Allow ECMP enable true Enable IX10 User Guide...
To display the routing table: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Status > Routes.
WAN or public IP address changes. Your IX10 device supports a number of Dynamic DNS providers as well as the ability to provide a custom provider that is not included on the list of providers.
Page 140
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Forced update interval to ten minutes, enter 10m or 600s. The setting for Forced update interval must be larger than the setting for Check Interval. IX10 User Guide...
Page 141
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 142
For example, to set check_interval to ten minutes, enter either 10m or 600s: (config network ddns new_ddns_instance)> check_interval 600s (config network ddns new_ddns_instance)> The default is 10m. 11. (Optional) Set the amount of time to wait to force an update of the interface's IP address: IX10 User Guide...
Multiple IX10 devices can be configured as VRRP devices and assigned a priority. The router with the highest priority will be used as the master router. If the master router fails, then the IP address of the...
For example, if a host becomes unreachable on the far end of a network link, then the physical default gateway can be changed by adjusting the VRRP priority of the IX10 device connected to the failing link. This provides failover capabilities based on the status of connections behind the router, in addition to the basic VRRP device failover.
Page 145
For Virtual IP, type the IPv4 or IPv6 address for a virtual IP of this VRRP instance. d. (Optional) Repeat to add additional virtual IPs. 11. See Configure VRRP+ for information about configuring VRRP+. 12. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 146
Virtual Router Redundancy Protocol (VRRP) Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
VRRP+ is an extension to the VRRP standard that uses SureLink network probing to monitor connections through VRRP-enabled devices and adjust devices' VRRP priority based on the status of the SureLink tests. This section describes how to configure VRRP+ on a IX10 device. Required configuration items Both master and backup devices: A configured and enabled instance of VRRP.
Page 148
SureLink tests. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 149
VRRP virtual IP addresses: i. Click to expand DHCP Server > Advanced settings. ii. For Gateway, select Custom. iii. For Custom gateway, enter the IP address of one of the virtual IPs used by this VRRP IX10 User Guide...
Page 150
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 151
(config)> 8. Configure the VRRP interface: a. Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses: i. Set the DHCP server gateway type to custom: IX10 User Guide...
Page 152
(config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to ten minutes, enter 5s: (config)> network interface eth ipv4 surelink interval 5s (config)> IX10 User Guide...
Page 153
(Optional) Set the amount of time that the interface can be down before this test is considered to have failed: IX10 User Guide...
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example: VRRP/VRRP+ configuration This example configuration creates a VRRP pool containing two IX10 devices: Configure device one (master device) ...
Page 155
Virtual Router Redundancy Protocol (VRRP) Task 1: Configure VRRP on device one 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 156
3. For Lease range end, type 199. 4. Click to expand Advanced settings. 5. For Gateway, select Custom. 6. For Custom gateway, enter 192.168.3.3. 7. Click Apply to save the configuration and apply the change. Command line IX10 User Guide...
Page 157
Virtual Router Redundancy Protocol (VRRP) Task 1: Configure VRRP on device one 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
> 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure device two (backup device) WebUI IX10 User Guide...
Page 159
Virtual Router Redundancy Protocol (VRRP) Task 1: Configure VRRP on device two 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 160
6. For Ping host, type my.devicecloud.com. Task 5: Configure the DHCP server for ETH on device two 1. Click to expand Network > Interfaces > ETH > IPv4 > DHCP Server 2. For Lease range start, type 200. IX10 User Guide...
Page 161
Command line Task 1: Configure VRRP on device two 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 162
Task 3, step 2 (192.168.3.1). (config)> network interface eth ipv4 gateway 192.168.3.1 (config)> Task 4: Configure SureLink for ETH on device two 1. Enable SureLink on the ETH interface: (config)> network interface eth ipv4 surelink enable true (config)> IX10 User Guide...
Page 163
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Routing Virtual Router Redundancy Protocol (VRRP) Show VRRP status and statistics This section describes how to display VRRP status and statistics for a IX10 device. VRRP status is available from the Web UI only. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights.
Page 165
Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 > IX10 User Guide...
Page 166
Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) NEMO IX10 User Guide...
Aggressive mode Aggressive mode is faster than main mode, but is not as secure as main mode, because the device and its peer exchange their IDs and hash information in clear text instead of being encrypted. IX10 User Guide...
Client authenticaton XAUTH (extended authentication) pre-shared key authentication mode provides additional security by using client authentication credentials in addition to the standard pre-shared key. The IX10 device can be configured to authenticate with the remote peer as an XAUTH client. RSA Signatures With RSA signatures authentication, the IX10 device uses a private RSA key to authenticate with a...
Page 169
The amount of time before the IKE phase 1 lifetime expires. The amount of time before the IKE phase 2 lifetime expires The lifetime margin, a randomizing amount of time before the IPsec tunnel is renegotiated. WebUI IX10 User Guide...
Page 170
Virtual Private Networks (VPN) IPsec 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > IPsec.
Page 171
Certificate Authority: For Certificate Authority chain, paste the Certificate Authority (CA) certificates. These must include all peer certificates in the chain up to the root CA certificate, in PEM format. 15. (Optional) For Management Priority, set the priority for this IPsec tunnel. IX10 User Guide...
Page 172
19. Click to expand Remote endpoint. a. For Hostname, select either a hostname or IP address. If your device is not configured to initiate the IPsec connection (see IKE > Initiate connection), you can also use the IX10 User Guide...
Page 173
20. Click to expand Policies. Policies define the network traffic that will be encapsulated by this tunnel. a. Click to create a new policy. The new policy configuration is displayed. b. Click to expand Local network. IX10 User Guide...
Page 174
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Phase 2 lifetime to ten minutes, enter 10m or 600s. IX10 User Guide...
Page 175
NAT. 24. See Configure SureLink active recovery for IPsec for information about IPsec Active recovery. 25. Click Apply to save the configuration and apply the change. Command line IX10 User Guide...
Page 176
Virtual Private Networks (VPN) IPsec 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 177
Uses a private RSA key to authenticate with the remote peer. a. For the private_key parameter, paste the device's private RSA key in PEM format: (config vpn ipsec tunnel ipsec_example)> auth private_key key (config vpn ipsec tunnel ipsec_example)> IX10 User Guide...
Page 178
(config vpn ipsec tunnel ipsec_example)> ca: Uses the Certificate Authority chain for verification. For the ca_cert parameter, paste the Certificate Authority (CA) certificates. These must include all peer certificates in the chain up to the root CA certificate, in PEM format. IX10 User Guide...
Page 179
Set the ID type: (config vpn ipsec tunnel ipsec_example)> local id type value (config vpn ipsec tunnel ipsec_example)> where value is one of: auto: The ID will be automatically determined from the value of the tunnels endpoints. IX10 User Guide...
Page 180
(config vpn ipsec tunnel ipsec_example)> remote hostname value (config vpn ipsec tunnel ipsec_example)> If your device is not configured to initiate the IPsec connection (see initiate), you can also use the keyword any, which means that the hostname is dynamic or unknown. IX10 User Guide...
Page 181
(config vpn ipsec tunnel ipsec_example)> keyid: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity. Set the key ID: (config vpn ipsec tunnel ipsec_example)> remote id keyid_id id (config vpn ipsec tunnel ipsec_example)> IX10 User Guide...
Page 182
(config vpn ipsec tunnel ipsec_example)> ike phase2_lifetime value (config vpn ipsec tunnel ipsec_example)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set phase2_lifetime to ten minutes, enter either 10m or 600s: IX10 User Guide...
Page 183
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> where value is one of ecp384, modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, or modp8192, . The default is modp1024. v. (Optional) Add additional phase 1 proposals: i. Move back one level in the schema: IX10 User Guide...
Page 184
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> where value is one of ecp384, modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, or modp8192, . The default is modp1024. vi. (Optional) Add additional phase 2 proposals: IX10 User Guide...
Page 185
(config vpn ipsec tunnel ipsec_example nat 0)> b. Set the IPv4 address and optional netmask of a destination network that requires source NAT. You can also use any, meaning that any destination network connected to the tunnel will use source NAT. IX10 User Guide...
Page 186
IPv4 address and optional netmask. The keyword any can also be used. request: Requests a network from the remote peer. d. Set the IP address and optional netmask of the remote network. The keyword any can also be used. IX10 User Guide...
Page 187
20. Save the configuration and apply the change: (config)> save Configuration saved. > 21. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Virtual Private Networks (VPN) IPsec Configure IPsec failover There are two methods to configure the IX10 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
Page 189
See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a value that is higher than the metric of the primary tunnel (for example, 20). Command line IX10 User Guide...
Page 190
Use the ? to view a list of available tunnels: (config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover ? Preferred tunnel: This tunnel will not start until the preferred tunnel has failed. It will continue to operate until the preferred tunnel returns to full operation status. IX10 User Guide...
(config vpn ipsec tunnel backup_ipsec_tunnel)> Configure SureLink active recovery for IPsec You can configure the IX10 device to regularly probe IPsec client connections to determine if the connection has failed and take remedial action. You can also configure the IPsec tunnel to fail over to a backup tunnel. See Configure IPsec failover further information.
Page 192
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Response timeout to ten minutes, enter 10m or 600s. The default is 15 seconds. IX10 User Guide...
Page 193
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Initial connection time to ten minutes, enter 10m or 600s. The default is 60 seconds. IX10 User Guide...
Page 194
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 195
(config vpn ipsec tunnel ipsec_example connection_monitor target 0)> test value (config vpn ipsec tunnel ipsec_example connection_monitor target 0)> where value is one of: ping (IPv4) or ping6 (IPv6): Tests connectivity by sending an ICMP echo request to a specified hostname or IP address. IX10 User Guide...
Page 196
(config vpn ipsec tunnel ipsec_example connection_monitor target 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_down_time to ten minutes, enter either 10m or 600s: IX10 User Guide...
Show IPsec status and statistics WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. On the menu, select Status > IPsec. The IPsec page appears. 3. To view configuration details about an IPsec tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
To set the debug level to 1 by using the Admin CLI: Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 199
Use the interactive shell to set the IPsec debug level By using the interactive shell to set the debug level, you can enable the IX10 device to write additional debug messages to the system log. The command accepts the following values to set the debug level: -1 —...
Page 200
4 — Also includes sensitive material in dumps (for example, encryption keys). 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on its LAN interfaces to the OpenVPN server. The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The IX10 device supports two types of OpenVPN topology:...
LAN interfaces to the OpenVPN server. TAP - OpenVPN managed—Also know as bridging mode. A more advanced implementation of OpenVPN. The IX10 device creates an OpenVPN interface and uses standard interface configuration (for example, a standard DHCP server configuration).
Page 203
Additional OpenVPN parameters. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Servers.
Page 204
For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type. IX10 User Guide...
Page 205
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 206
LAN interfaces to the OpenVPN server. TAP - OpenVPN managed—Also know as bridging mode. A more advanced implementation of OpenVPN. The IX10 device creates an OpenVPN interface and uses standard interface configuration (for example, a standard DHCP server configuration).
Page 207
(config vpn openvpn server name)> port port (config vpn openvpn server name)> The default is 1194. 7. Determine the method of certificate management: a. To allow the server to manage certificates: (config vpn openvpn server name)> autogenerate true (config vpn openvpn server name)> IX10 User Guide...
Page 208
Paste the contents of the Diffie Hellman key (usually in dh2048.pem) into the value of the diffie parameter: (config vpn openvpn server name)> diffie value (config vpn openvpn server name)> 8. (Optional) Set the access control list to restrict access to the OpenVPN server: IX10 User Guide...
Page 209
No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config vpn openvpn server name)> add acl interface end value (config vpn openvpn server name)>...
If username and password authentication is used for the OpenVPN server, you must create an OpenVPN authentication group and user. Configure an OpenVPN server for information about configuring an OpenVPN server to use username and password authentication. See IX10 user authentication for more information about creating authentication groups and users. WebUI...
Page 211
Virtual Private Networks (VPN) OpenVPN 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Add an OpenVPN authentication group: a.
Page 212
Click to expand the Groups node. e. Click to add a group to the user. f. Select a Group with OpenVPN access enabled. 5. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 213
OpenVPN Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
OpenVPN active recovery. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients.
Page 215
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
The OpenVPN client is enabled by default. The mode used by the OpenVPN server, either routing (TUN), or bridging (TAP). The firewall zone to be used by the OpenVPN client. The IP address of the OpenVPN server. IX10 User Guide...
Page 217
OpenVPN active recovery. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients.
Page 218
For OpenVPN parameters, type the additional OpenVPN parameters. For example, to override the configuration by using a configuration file, enter --config filename, for example, --config /etc/config/openvpn_config. 15. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 219
OpenVPN Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 220
(config vpn openvpn client name)> private_key value (config vpn openvpn client name)> 14. (Optional) Set additional OpenVPN parameters. a. Enable the use of additional OpenVPN parameters: (config vpn openvpn client name)> advanced_options enable true (config vpn openvpn client name)> IX10 User Guide...
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure active recovery for OpenVPN You can configure the IX10 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action. Required configuration items A valid OpenVPN client configuration.
Page 222
Virtual Private Networks (VPN) OpenVPN 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients.
Page 223
Down time: The amount of time that the interface can be down before this test is considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Down time to ten minutes, enter 10m or 600s. IX10 User Guide...
Page 224
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 225
For example, to set timeout to ten minutes, enter either 10m or 600s: (config vpn openvpn client openvpn_client1)> connection_monitor interval 600s (config vpn openvpn client openvpn_client1)> The default is 15 seconds. IX10 User Guide...
Page 226
(IPv4) or http6 (IPv6): Tests connectivity by sending an HTTP or HTTPS GET request to the specified URL. Specify the url. Allowed value uses the format http[s]://hostname/[path]. (config vpn openvpn client openvpn_client1 connection_monitor target 0)> http_url url (config vpn openvpn client openvpn_client1 connection_monitor target 0)> IX10 User Guide...
Page 227
(config openvpn client openvpn_client1 connection_monitor target 0)> save Configuration saved. > 13. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
OpenVPN server's status pane. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
OpenVPN client's status pane. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Task One: Create a GRE loopback endpoint interface WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 231
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 232
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 233
(config vpn iptunnel gre_example)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
To view information about currently configured GRE tunnels: WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. On the menu, click Status > IP tunnels. The IP Tunnelspage appears. 3. To view configuration details about a GRE tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
Example: GRE tunnel over an IPSec tunnel The IX10 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.
Page 236
3. Create a GRE tunnel named gre_tunnel2: a. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint2. b. Remote endpoint set to the IP address of the GRE tunnel on IX10-1, 172.30.0.1. 4. Create an interface named gre_interface2 and add it to the GRE tunnel: a.
Page 237
15. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 238
Task two: Create an IPsec endpoint interface WebUI 1. Click Network > Interface. 2. For Add Interface, type ipsec_endpoint1 and click . 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5. Click to expand IPv4. IX10 User Guide...
Page 239
5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.1/32: (config network interface ipsec_endpoint1)> ipv4 address 172.30.0.1/32 (config network interface ipsec_endpoint1)> 6. Save the configuration and apply the change: (config vpn ipsec tunnel ipsec_endpoint1 policy 0)> save Configuration saved. > Task three: Create a GRE tunnel IX10 User Guide...
Page 240
(/network/interface/ipsec_endpoint1): (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1 (config vpn iptunnel gre_tunnel1)> 4. Set the remote endpoint to the IP address of the GRE tunnel on IX10-2, 172.30.0.2: (config vpn iptunnel gre_tunnel1)> remote 172.30.0.2 (config vpn iptunnel gre_tunnel1)> IX10 User Guide...
Page 241
4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel1). 5. Click to expand IPv4. 6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel. 7. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 242
Task one: Create an IPsec tunnel WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > IPsec > Tunnels.
Page 243
Generic Routing Encapsulation (GRE) 4. For Add IPsec Tunnel, type ipsec_gre2 and click . 5. Click to expand Authentication. 6. For Pre-shared key, type the same pre-shared key that was configured for the IX10-1 (testkey). 7. Click to expand Remote endpoint.
Page 244
3. Add an IPsec tunnel named ipsec_gre2: (config)> add vpn ipsec tunnel ipsec_gre2 (config vpn ipsec tunnel ipsec_gre2)> 4. Set the pre-shared key to the same pre-shared key that was configured for the IX10-1 (testkey): (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey (config vpn ipsec tunnel ipsec_gre2)>...
Page 245
6. For Address, type the IP address of the local GRE tunnel, 172.30.0.2/32. 7. Click Apply to save the configuration and apply the change. Command line 1. At the command line, type config to enter configuration mode: > config (config)> IX10 User Guide...
Page 246
3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_endpoint2). 4. For Remote endpoint, type the IP address of the GRE tunnel on IX10-1, 172.30.0.1. 5. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 247
(/network/interface/ipsec_endpoint2): (config vpn iptunnel gre_tunnel2)> local /network/interface/ipsec_endpoint2 (config vpn iptunnel gre_tunnel2)> 4. Set the remote endpoint to the IP address of the GRE tunnel on IX10-1, 172.30.0.1: (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1 (config vpn iptunnel gre_tunnel2)> 5. Save the configuration and apply the change: (config vpn iptunnel gre_tunnel2)>...
Page 248
3. Set the zone to internal: (config network interface gre_interface2)> zone internal (config network interface gre_interface2)> 4. Set the device to the GRE tunnel created in Task three (/vpn/iptunnel/gre_tunnel2): (config network interface gre_interface2)> device /vpn/iptunnel/gre_tunnel2 (config network interface gre_interface2)> IX10 User Guide...
Local Area Networks (LANs) on your device. NEMO creates a tunnel between the home agent on the mobile private network and the IX10 device, isolating the connection from internet traffic and advertising the IP subnets of the LANs for remote access and device management.
Page 250
10. For MTU discovery, leave enabled to determine the maximum transmission unit (MTU) size. If disabled, for MTU, type the MTU size. The default MTU size for LANs on the IX10 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
Page 251
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 252
(config vpn nemo nemo_example)> mtu_discovery false (config vpn nemo nemo_example)> If disabled, set the MTU size. The default MTU size for LANs on the IX10 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
Page 253
Set the interface. For example: (config vpn nemo nemo_example)> coaddress interface eth1 (config vpn nemo nemo_example)> If ip is used, set the IP address: (config vpn nemo nemo_example)> coaddress address IP_address (config vpn nemo nemo_example)> The default is defaultroute. IX10 User Guide...
Show NEMO status WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. On the menu, select Status > NEMO. The NEMO page appears. 3. To view configuration details about an NEMO tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
Page 255
Virtual Private Networks (VPN) NEMO 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. To display details about all configured NEMO tunnel, type the following at the prompt: >...
Page 256
Simple Network Management Protocol (SNMP) Modbus gateway System time Configure the system time Network Time Protocol Configure the device as an NTP server Configure a multicast route Enable service discovery (mDNS) Use the iPerf service Configure the ping responder service IX10 User Guide...
Allow remote access for web administration and SSH Allow remote access for web administration and SSH By default, only devices connected to the IX10's LAN have access to the device via web administration and SSH. To enable these services for access from remote devices: The IX10 device must have a publicly reachable IP address.
Page 258
Allow remote access for web administration and SSH Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 259
Services Allow remote access for web administration and SSH 4. For Add Zone, click . 5. Select External. 6. Click Apply to save the configuration and apply the change. IX10 User Guide...
By default, the web administration service is enabled and uses the standard HTTPS port, 443. The default access control for the service uses the Internal firewall zone, which means that only devices connected to the IX10's LAN can access the WebUI. If this configuration is sufficient for your needs, no further configuration is required. See Allow remote access for web administration and SSH information about configuring the web administration service to allow access from remote devices.
Page 261
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 262
Configure the service WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Web administration.
Page 263
For example: 8. For Allow legacy encryption protocols, enable this option to allow clients to connect to the HTTPS session by using encryption protocols older than TLS 1.2, in addition to TLS 1.2 and later IX10 User Guide...
Page 264
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 265
Services Configure the web administration service To limit access to hosts connected through a specified interface on the IX10 device: (config)> add service web_admin acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Page 267
TLS 1.2, in addition to TLS 1.2 and later protocols. This option is disabled by default, which means that only TLS 1.2 and later encryption protocols are allowed with HTTPS connections. To enable legacy encryption protocols: (config)> service web_admin legacy_encryption true (config)> 8. (Optional) Disable legacy port redirection. IX10 User Guide...
Page 268
9. Save the configuration and apply the change: (config)> save Configuration saved. > 10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Services Configure SSH access Configure SSH access The IX10's default configuration has SSH access enabled, and allows SSH access to the device from authorized users within the Internal firewall zone. If this configuration is sufficient for your needs, no further configuration is required. See Allow remote access for web administration and SSH information about configuring the SSH service to allow access from remote devices.
Page 270
Services Configure SSH access 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: >...
Page 271
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 272
No limit to IPv6 addresses that can access the SSH service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config)> add service ssh acl interface end value (config)>...
Page 273
6. (Optional) Set the port number for this service. The default setting of 22 normally should not be changed. (config)> service ssh port 24 (config)> 7. Save the configuration and apply the change: (config)> save Configuration saved. > IX10 User Guide...
Page 274
Services Configure SSH access 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
SSH public key for the user Additional configuration items If you want to access the IX10 device using SSH over a WAN interface, configure the access control list for the SSH service to allow SSH access for the External firewall zone.
Page 276
These instructions assume an existing user named temp_user. 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 278
Configure the service WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > telnet.
Page 279
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 280
No limit to IPv6 addresses that can access the telnet service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config)> add service telnet acl interface end value (config)>...
Type quit to disconnect from the device. Configure DNS The IX10 device includes a caching DNS server which forwards queries to the DNS servers that are associated with the network interfaces, and caches the results. This server is used within the device, and cannot be disabled.
Page 282
Services Configure DNS WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > DNS.
Page 283
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 284
No limit to IPv6 addresses that can access the DNS service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config)> add service dns acl interface end value (config)>...
Page 285
(config service dns server 0)> c. To restrict the device's use of this DNS server based on the domain, use the domain command. If no domain are listed, then all queries may be sent to this server. IX10 User Guide...
Page 286
10. Save the configuration and apply the change: (config)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
By default, the IX10 device automatically blocks SNMP packets from being received over WAN and LAN interfaces. As a result, if you want a IX10 device to receive SNMP packets, you must configure the SNMP access control list to allow the device to receive the packets. See...
Page 288
No limit to IPv6 addresses that can access the SNMP agent. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: a. Click Interfaces.
Page 289
Simple Network Management Protocol (SNMP) Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 290
(config)> service snmp port port (config)> 8. (Optional) Configure Multicast DNS (mDNS) mDNS is a protocol that resolves host names in small networks that do not have a DNS server. For the SNMP agent, mDNS is disabled by default. To enable: IX10 User Guide...
To download a .zip archive of the SNMP MIBs supported by this device: WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. Enable SNMP. Configure Simple Network Management Protocol (SNMP) for information about enabling and configuring SNMP support on the IX10 device.
4. Click Download. Modbus gateway The IX10 supports the ability to function as a Modbus gateway, to provide serial-to-Ethernet connectivity to Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and other industrial devices. MODBUS provides client/server communication between devices connected on different types of buses and networks, and the IX10 gateway allows for communication between buses and and networks that use the Modbus protocol.
The maximum time between bytes in a packets. Whether to send broadcast messages. Response timeout If connection type is set to socket: The port to use. The inactivity timeout. If connection type is set to serial: Whether to use half duplex (two wire) mode. IX10 User Guide...
Page 294
Whether packets should have their Modbus address adjusted downward before to delivery. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 295
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: a. Click Interfaces.
Page 296
For Remote host, type the hostname or IP address of the remote host on which the Modbus server is running. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the IX10 device. IX10 User Guide...
Page 297
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: a. Click Interfaces.
Page 298
Modbus address filter set to 20. Adjust Modbus server address set to 10. This will configure the gateway to deliver all messages that have the Modbus server address address of 20 to the device with address 10. IX10 User Guide...
Page 299
17. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 300
15 minutes, and takes the format number{m|s}. For example, to set inactivity_timeout to ten minutes, enter either 10m or 600s: (config service modbus_gateway server test_modbus_server)> inactivity_timeout 600s (config service modbus_gateway server test_modbus_server)> IX10 User Guide...
Page 301
(config service modbus_gateway server test_modbus_server)> c. Repeat the above instructions for additional servers. 5. Configure clients: a. Type ... to return to the root of the configuration: (config)> add service modbus_gateway server test_modbus_server)> ... (config)> IX10 User Guide...
Page 302
Set the maximum allowable time between bytes in a packet: (config service modbus_gateway client test_modbus_client)> socket idle_gap value (config service modbus_gateway client test_modbus_client)> where value is any number between 10 milliseconds and one second, and take the format number{ms|s}. IX10 User Guide...
Page 303
... serial port ? Serial Additional Configuration --------------------------------------------------------- ---------------------- port1 Port 1 (config service modbus_gateway client test_modbus_client)> ii. Set the port: (config service modbus_gateway client test_modbus_client)> serial port (config service modbus_gateway client test_modbus_client)> ii. Set the packet mode: IX10 User Guide...
Page 304
If it does not match the filters, the message is not forwarded. Allowed values are 1 through 255 or a hyphen-separated range. For example: To have this client filter for incoming messages that contain the Modbus address of 10, set the index 0 entry to 10: IX10 User Guide...
Page 305
Client one: filter set to 10. This will configure the gateway to deliver all messages that have the Modbus server address of 10 to this device. Client two: filter set to 20. adjust_server_address set to 10. IX10 User Guide...
Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 308
RX Responses RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
The IX10 device can also be configured to use Network Time Protocol (NTP). In this configuration, the device serves as an NTP server, providing NTP services to downstream devices. See Network Time Protocol for more information about NTP server support.
Page 310
2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Set the timezone for the location of your IX10 device. The default is UTC. (config)> system time timezone value (config)> Where value is the timezone using the format specified with the following command: (config)>...
Network Time Protocol (NTP) enables devices connected on local and worldwide networks to synchronize their internal software and hardware clocks to the same time source. The IX10 device can be configured as an NTP server, allowing downstream hosts that are attached to the device's Local Area Networks to synchronize with the device.
3. Click Services > NTP. 4. Enable the IX10 device's NTP service by clicking Enable. 5. (Optional) Configure the access control list to limit downstream access to the IX10 device's NTP service. To limit access to specified IPv4 addresses and networks: a.
Page 313
No limit to IPv6 addresses that can access the NTP service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: a. Click Interfaces.
Page 314
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 315
Services Configure the device as an NTP server 5. (Optional) Configure the access control list to limit downstream access to the IX10 device's NTP service. To limit access to specified IPv4 addresses and networks: (config)> add service ntp acl address end value (config)>...
By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX10 device can use the NTP service. 6. (Optional) Set the timezone for the location of your IX10 device. The default is UTC. (config)> system time timezone value (config)>...
Page 317
7. Type the Source port. Ensure the port is not used by another protocol. 8. Select a Source interface where multicast packets will arrive. 9. Select a Destination interface that the IX10 device will use to send mutlicast packets. 10. Click Apply to save the configuration and apply the change.
Set the interface. For example: (config service multicast test)> src_interface /network/interface/eth1 (config service multicast test)> 8. Set the destination interface that the IX10 device will use to send mutlicast packets. (config service multicast test)> interface interface (config service multicast test)>...
Page 319
No limit to IPv6 addresses that can access the mDNS service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: a. Click Interfaces.
Page 320
Services Enable service discovery (mDNS) 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Type quit to disconnect from the device. Use the iPerf service Your IX10 device includes an iPerf3 server that you can use to test the performance of your network. IPerf3 is a command-line tool that measures the maximum network throughput an interface can handle.
Page 322
Additional configuration Items The port that the IX10 device's iPerf server will use to listen for incoming connections. The access control list for the iPerf server. When the iPerf server is enabled, the IX10 device will automatically configure its firewall rules to allow incoming connections on the configured listening port.
Page 323
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 324
No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config)> add service iperf acl interface end value (config)>...
Done. Configure the ping responder service Your IX10 device's ping responder service replies to ICMP and ICMPv6 echo requests. The service is enabled by default. You can disable the service, or you can configure the service to use an access control list to limit the service to specified IP address, interfaces, and/or zones.
Page 326
Configure the ping responder service WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Ping responder.
Page 327
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 328
No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX10 device: (config)> add service iperf acl interface end value (config)>...
Example performance test using Iperf3 On a remote host with Iperf3 installed, enter the following command: $ iperf3 -c device_ip where device_ip is the IP address of the IX10 device. For example: $ iperf3 -c 192.168.2.1 Connecting to host 192.168.2.1, port 5201 4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201...
Page 330
Applications The IX10 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time.
Whether the script should run one time only. Task one: Upload the application WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears. IX10 User Guide...
Page 332
IX10 device. local-path is the location on the IX10 device where the copied file will be placed. For example: To upload a Python application from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX10 device, issue the following command: >...
Use with care. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Scheduled tasks > Custom scripts.
Page 334
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 335
For example, to set on_interval to ten minutes, enter either 10m or 600s: (config system schedule script 0)> on_interval 600s (config system schedule script 0)> IX10 User Guide...
Page 336
9. To run the script only once at the specified time: (config system schedule script 0)> once true (config system schedule script 0)> If once is enabled, rebooting the device will cause the script to run again. The only way to re- run the script is to: IX10 User Guide...
1. Upload the Python application to the IX10 device: WebUI a. Log into the IX10 WebUI as a user with Admin access. b. On the menu, click System. Under Administration, click File System. The File System page appears. IX10 User Guide...
Page 338
IX10 device. local-path is the location on the IX10 device where the copied file will be placed. For example: To upload a Python application from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX10 device, issue the following command: >...
Applications Start an interactive Python session 2. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Use Python to respond to Digi Remote Manager SCI requests Use digidevice runtime to access the runtime database Use Python to upload the device name to Digi Remote Manager Use Python to send and receive SMS messages IX10 User Guide...
1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Help for using Python to execute IX10 CLI commands Get help executing a CLI command from Python by accessing help for cli.execute: 1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Page 343
Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint.upload: 1. Log into the IX10 command line as a user with shell access.
Use the config Python module to access and modify the device configuration. Read the device configuration 1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Page 345
Modify the device configuration Use the set() and commit() methods to modify the device configuration: 1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Page 346
Get help for reading and modifying the device configuration by accessing help for digidevice.config: 1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Remote Manager's Server Command Interface (SCI), a web service that allows users to access information and perform commands that relate to their devices. Use Remote Manager's SCI interface to create SCI requests that are sent to your IX10 device, and use the device_request module to send responses to those requests to Remote Manager.
Page 348
>>> In Remote Manager, you will receive a response similar to the following: <sci_reply version="1.0"> <data_service> <device id="00000000-00000000-0000FFFF-A83CF6A3"/> <requests> <device_request target_name="myTarget" status="0">OK</device_ request> </requests> </device> </data_service> </sci_request> Example: Use digidevice.cli with digidevice.device_request IX10 User Guide...
Page 349
WebUI i. Log into the IX10 WebUI as a user with full Admin access rights. ii. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. iii. Click System > Scheduled tasks > Custom scripts.
Page 350
Click Apply to save the configuration and apply the change. Command line i. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 351
> reboot To run the application from the shell prompt: i. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Page 352
<device_request target_name="showSystem"> 8. Click Send. You should receive a response similar to the following: <sci_reply version="1.0"> <data_service> <device id="00000000-00000000-0000FFFF-A83CF6A3"/> <requests> <device_request target_name="showSystem" status="0">Model : Digi IX10 Serial Number : IX10-000068 Hostname : IX10 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 20.11.32.138...
Page 353
: MB/MB(%) Disk /tmp Usage : 0.004MB/40.96MB(0%) Disk /var Usage : 0.820MB/32.768MB(3%)</device_request> </requests> </device> <device id="00000000-00000000-0000FFFF-485740BC"/> <requests> <device_request target_name="showSystem" status="0">Model : Digi IX10 Serial Number : IX10-000023 Hostname : IX10 : 00:40:D0:26:79:1C Hardware Version : 50001959-01 A Firmware Version : 20.11.32.138...
Page 354
</sci_request> Help for using Python to respond to Digi Remote Manager SCI requests Get help for respond to Digi Remote Manager Server Command Interface (SCI) requests by accessing help for digidevice.device_request: 1. Log into the IX10 command line as a user with shell access.
Read from the runtime database Use the keys() and get() methods to read the device configuration: 1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Page 356
Modify the runtime database Use the set() method to modify the runtime database: 1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
Page 358
5. Click Send. Upload a custom name 1. Log into the IX10 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
You can create Python scripts that send and receive SMS message in tandem with the Digi Remote Manager or Digi aView by using the digidevice.sms module. To use a script to send or receive SMS messages, you must also enable the ability to schedule SMS scripting.
Page 360
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Use Python to access serial ports You can use the Python serial module to access serial ports on your IX10 device that are configured to be in Application mode. See Configure the serial port for information about configuring a serial port in Application mode.
6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT python library Your IX10 device includes support for the Paho MQTT python library. MQTT is a lightweight messaging protocol used to communicate with various applications including cloud-based applications such as Amazon Web Services and Microsoft Azure.
Page 364
'r') as f: for line in f: elems = line.split() if len(elems) != 5: continue leases.append({"mac": elems[1], "ip": elems[2], "host": elems [3]}) if leases: client.publish(PREFIX_EVENT + "/leases", json.dumps(leases, separators=(',',':'))) except: print("Failed to open DHCP leases file") IX10 User Guide...
Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. IX10 User Guide...
The Scripts page displays: Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 367
"$default_intf" log=$(runt log network.mgmt.log) accns_log network_mgmt "${log:+type=mgmt~}$log" > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
IX10 user authentication User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Disable shell access Set the idle timeout for IX10 users Example user configuration IX10 User Guide...
User authentication IX10 user authentication IX10 user authentication User authentication on the IX10 has the following features and default configuration: Default Feature Description configuration Idle timeout 10 minutes. Determines how long a user session can be idle before the system automatically disconnects.
Page 370
TACACS+: Users authenticated by using a remote TACACS+ server for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication. LDAP: Users authenticated by using a remote LDAP server for authentication. LDAP for information about configuring LDAP authentication. IX10 User Guide...
To add an authentication method: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Methods.
Page 372
This procedure describes how to add methods to various places in the list. 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
For example, the following configuration has Local users as the first method, and RADIUS as the second. To reorder these so that RADIUS is first and Local users is second: IX10 User Guide...
Page 375
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Disable shell access for more information about the Allow shell parameter. Serial access: Users with Serial access have the ability to log into the IX10 device by using the serial console. Preconfigured authentication groups The IX10 device has two preconfigured authentication groups: The admin group is configured by default to have full Admin access and Shell access.
For groups assigned Admin access, you can also determine whether the Access level should be Full access or Read-only access. Full access provides users of this group with the ability to manage the IX10 device by using the WebUI or the Admin CLI.
Page 378
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Access rights to OpenVPN tunnels, and the tunnels to which they have access. Access rights to captive portals, and the portals to which they have access. Access rights to query the device for Nagios monitoring. To add an authentication group: WebUI IX10 User Guide...
Page 380
Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the IX10 device by using the WebUI or the Admin CLI. Read-only access read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
Page 381
Set the access level for Admin access: (config)> auth group admin acl admin level value (config)> where value is either: full: provides users of this group with the ability to manage the IX10 device by using the WebUI or the Admin CLI. IX10 User Guide...
Page 382
24h no title (config)> ii. Add a captive portal: (config)> add auth group test acl portal portals end portal1 (config)> 6. (Optional) Configure Nagios monitoring: (config)> auth group test acl nagios enable true (config)> IX10 User Guide...
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete an authentication group By default, the IX10 device has two preconfigured authentication groups: admin and serial. These groups cannot be deleted. To delete an authentication group that you have created: ...
Page 384
User authentication Authentication groups 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfiged default user. Default user At manufacturing time, each IX10 device comes with a default user configured as follows: Username: admin. Password: The default password is displayed on the label on the bottom of the device.
To change a user's password: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users.
User authentication Local users 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 388
To configure a local user: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users.
Page 389
Check Enable to enable two-factor authentication for this user. c. Select the Verification type: Time-based (TOTP): Time-based One-Time Password (TOTP) authentication uses the current time to generate a one-time password. Counter-based (HOTP): HMAC-based One-Time Password (HOTP) uses a counter to validate a one-time password. IX10 User Guide...
Page 390
For Code, enter the scratch code. The code must be eight digits, with a minimum of 10000000. iv. Click again to add additional scratch codes. 10. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 391
Local users Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 392
Add the key by using the ssh_key command and pasting or typing a public encryption key that this user can use for passwordless SSH login: (config auth user new_user ssh_key)> ssh_key key (config auth user new_user ssh_key)> 8. (Optional) Configure two-factor authentication for SSH, telnet, and serial console login: IX10 User Guide...
Page 393
Configure the valid code window size. This represents the allowed number of concurrently valid codes. In cases where TOTP is being used, increasing the valid code window size may be necessary when the clocks used by the server and client are not synchronized. IX10 User Guide...
10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete a local user To delete a user from your IX10: WebUI IX10 User Guide...
Page 395
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
With TACACS+ support, the IX10 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP. The TACACS+ server then authenticates the TACACS+ client requests and sends back a response message to the device.
The groupname attribute is optional. If used, the value must correspond to authentication groups configured on your IX10. Alternatively, if the user is also configured as a local user on the IX10 device and the LDAP server authenticates the user but does not return any groups, the local configuration determines the list of groups.
$ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX10 device to use backup TACACS+ servers. Backup TACACS+ servers are used for authentication requests when the primary TACACS+ server is unavailable.
Page 399
6. (Optional) For Group attribute, type the name of the attribute used in the TACACS+ server's configuration to identify the IX10 authentication group or groups that the user is a member of. For example, in TACACS+ user configuration, the group attribute in the sample tac_plus.conf...
Page 400
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 401
TACACS+ user configuration, the value of the service attribute in the sample tac_plus.conf file is system, which is also the default setting in the IX10 configuration. (config)> auth tacacs+ service service-name (config)> 6. Set the type of TLS connection used by the LDAP server: (config)>...
Page 402
Terminal Access Controller Access-Control System Plus (TACACS+) (config)> auth ldap base_dn value (config)> 11. (Optional) Set the name of the user attribute that contains the list of IX10 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
Page 403
15. Save the configuration and apply the change: (config)> save Configuration saved. > 16. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
With RADIUS support, the IX10 device acts as a RADIUS client, which sends user credentials and connection parameters to a RADIUS server over UDP. The RADIUS server then authenticates the RADIUS client requests and sends back a response message to the device.
(password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX10 device.
If the RADIUS servers are unavailable and the IX10 device falls back to local authentication, only users defined locally on the device are able to log in. RADIUS users cannot log in until the RADIUS servers are brought back online.
Page 407
NAS or any arbitrary string. If not set, the default value is used: If you are accessing the IX10 device by using the WebUI, the default value is for NAS ID is httpd. If you are accessing the IX10 device by using ssh, the default value is sshd.
Page 408
You can use the fully-qualified domain name of the NAS or any arbitrary string. If not set, the default value is used: If you are accessing the IX10 device by using the WebUI, the default value is for NAS ID is httpd.
Page 409
(for example, dc=example,dc=com) or a sub-tree (for example. ou=People,dc=example,dc=com). (config)> auth ldap base_dn value (config)> 11. (Optional) Set the name of the user attribute that contains the list of IX10 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
Page 410
RADIUS to the end of the list. See User authentication methods for information about adding methods to the beginning or middle of the list. (config)> add auth method end radius (config)> 15. Save the configuration and apply the change: (config)> save Configuration saved. > IX10 User Guide...
When you are using LDAP authentication, you can have both local users and LDAP users able to log in to the device. To use LDAP authentication, you must set up a LDAP server that is accessible by the IX10 device prior to configuration. The process of setting up a LDAP server varies by the server environment.
(password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure a LDAP server to be used for user authentication on your IX10 device.
LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX10 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
Page 414
User authentication LDAP 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > LDAP > Servers.
Page 415
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 416
8. Set the distinguished name (DN) on the server to search for users. This can be the root of the directory tree (for example, dc=example,dc=com) or a sub-tree (for example. ou=People,dc=example,dc=com). (config)> auth ldap base_dn value (config)> IX10 User Guide...
Page 417
User authentication LDAP 9. (Optional) Set the name of the user attribute that contains the list of IX10 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute. (config)> auth ldap group_attribute value (config)>...
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
By default, the Idle timeout is set to 10 minutes. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 420
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Goal: To create a user with administrator rights who is authenticated locally on the device. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 422
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Goal: To create a user with administrator rights who is authenticated by using all three authentication methods. In this example, when the user attempts to log in to the IX10 device, user authentication will occur in the following order: 1. The user is authenticated by the RADIUS server. If the RADIUS server is unavailable, 2.
Page 424
The authentication group on the IX10 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into the IX10 WebUI as a user with full Admin access rights. 4. On the menu, click System. Under Configuration, click Device Configuration. IX10 User Guide...
Page 425
Assign the user to the admin group: i. Click Groups. ii. For Add Group, click . iii. For Group, select the admin group. a. Verify that the admin group has full administrator rights: i. Click Authentication > Groups. ii. Click admin. IX10 User Guide...
Page 426
In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX10 device, admin, is identified in the Unix-FTP- Group-Names parameter. c. Save and close the users file. 2. Configure a user on the TACACS+ server: a.
Page 427
Save and close the tac_plus.conf file. 3. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 428
(config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Page 429
Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure Quality of Service options IX10 User Guide...
IPsec: The default zone for IPsec tunnels. Dynamic routes: Used for routes learned using routing services. Port forwarding: A list of rules that allow network connections to the IX10 to be forwarded to other servers by translating the destination address.
Page 431
Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Type quit to disconnect from the device. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To configure a port forwarding rule: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Port forwarding.
Page 436
To specify firewall zones for white listing: a. Click Zones. b. For Add zone, click . c. For Zone, select the appropriate zone. d. Repeat for each additional zone. 13. Click Apply to save the configuration and apply the change. Command line IX10 User Guide...
Page 437
Firewall Port forwarding rules 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 438
To view a list of available zones: (config firewall dnat 0 acl)> ..zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration --------------------------------------------------------------------- --------- IX10 User Guide...
To delete a port forwarding rule: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Port forwarding.
Page 440
Firewall Port forwarding rules 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To configure a packet filtering rule: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Packet filtering.
Page 442
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 443
(config firewall filter 1)> src_zone my_zone (config firewall filter 1)> 6. Set the destination firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected or dropped by this rule. IX10 User Guide...
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Enable or disable a packet filtering rule To enable or disable a packet filtering rule: WebUI IX10 User Guide...
Page 445
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To delete a packet filtering rule: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Packet filtering.
Firewall Configure custom firewall rules 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 448
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(packet ingress). A QoS binding contains the policies and rules that apply to packets exiting the IX10 device on the binding's interface. By default, the IX10 device has two preconfigured QoS bindings, Outbound and Inbound.
Page 450
Configure Quality of Service options Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 451
Firewall Configure Quality of Service options 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Quality of Service.
Page 452
(Optional) Type a Label for the binding policy rule. iv. For Type Of Service, type the value of the Type of Service (ToS) packet header that defines packet priority. If unspecified, this field is ignored. https://www.tucny.com/Home/dscp-tos for a list of common TOS values. IX10 User Guide...
Page 453
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 454
Set a value for the amount of available bandwidth allocated to the policy, relative to other policies for this binding. The larger the weight, with respect to the other policy weights, the larger portion of the maximum bandwidth is available for this policy. For example, if a binding contains three IX10 User Guide...
Page 455
(config firewall qos 2 policy 0 rule 0)> tos value (config firewall qos 2 policy 0 rule 0)> where value is a hexadecimal number. See https://www.tucny.com/Home/dscp-tos for a list of common TOS values. IX10 User Guide...
Page 456
(config network qos 2 policy 0 rule 0)> where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Only traffic from the IP address typed in IPv6 address will be matched. Set the address that will be matched: IX10 User Guide...
Page 457
IPv6_address[/prefix_length], or any to match any IPv6 address. Repeat to add a new rule. Up to 30 rules can be configured. 8. Save the configuration and apply the change: (config)> save Configuration saved. > IX10 User Guide...
Page 458
Firewall Configure Quality of Service options 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
This chapter contains the following topics: Review device status Configure system information Update system firmware Update cellular module firmware Reboot your IX10 device Reset the device to factory defaults Configuration files Schedule system maintenance tasks Disable device encryption Configure the speed of your Ethernet port...
Show basic system information: 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Disk /var Usage : 1.765MB/256.0MB(1%) > Configure system information You can configure information related to your IX10 device, such as providing a name and location for the device. Configuration items A name for the device. The name of a contact for the device.
Page 462
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
For example, IX10-20.11.32.138.bin. Manage firmware updates using Digi Remote Manager If you have a network of many devices, you can use Digi Remote Manager Profiles to manage firmware updates. Profiles ensure all your devices are running the correct firmware version and that all newly installed devices are updated to that same version.
Page 464
4. For Version:, select the appropriate version of the device firmware. 5. Click Update Firmware. Update firmware from a local file 1. Download the IX10 operating system firmware from the Digi Support FTP site to your local machine. 2. Log into the IX10 WebUI as a user with Admin access.
Page 465
System administration Update system firmware 1. Download the IX10 operating system firmware from the Digi Support FTP site to your local machine. 2. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
> reboot Rebooting system > 7. Once the device has rebooted, log into the IX10's command line as a user with Admin access and verify the running firmware version by entering the show system command. > show system...
> system duplicate-firmware > Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository, or by uploading firmware from your local storage onto the device. You can also schedule modem firmware updates. See Schedule system maintenance tasks for details.
Command line Update modem firmware over the air (OTA) You can update your modem firmware by querying the Digi firmware repository to determine if there is new firmware available for your modem and performing an OTA modem firmware update: 1. Log into the IX10 command line as a user with Admin access.
Page 469
Retrieving download location for modem firmware '25.20.666_CUST_067_1' > To perform an OTA firmware update by using a specific version from the Digi firmware repository, use the version parameter to identify the appropriate firmware version as determined using the modem firmware ota check or modem firmware ota list command.
Update cellular module firmware Update modem firmware by using a local firmware file You can update your modem firmware by uploading a modem firmware file to your IX10 device. Firmware should be uploaded to /opt/MODEM_MODEL/Custom_Firmware, for example, /opt/LM940/Custom_Firmware. Modem firmware can be downloaded from Digi at https://ftp1.digi.com/support/firmware/dal/carrier_firmware/.
Reboot your IX10 device Reboot your IX10 device You can reboot the IX10 device immediately or schedule a reboot for a specific time every day. Note You may want to save your configuration settings to a file before rebooting. See...
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 473
3. In the Erase configuration section, click ERASE. 4. Click CONFIRM. 5. After resetting the device: a. Connect to the IX10 by using the serial port or by using an Ethernet cable to connect the IX10 ETH port to your PC. b. Log into the IX10: User name: Use the default user name: admin.
Page 474
2. Enter the following: > system factory-erase 3. After resetting the device: a. Connect to the IX10 by using the serial port or by using an Ethernet cable to connect the IX10 ETH port to your PC. b. Log into the IX10: User name: Use the default user name: admin.
Page 475
You can reset the device to the default configuration without removing scripts, keys, and logfiles by using the revert command: 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Save configuration changes When you make changes to the IX10 configuration, the changes are not automatically saved. You must explicitly save configuration changes, which also applies the changes. If you do not save configuration changes, the system discards the changes.
Type quit to disconnect from the device. Save configuration to a file You can save your IX10 device's configuration to a file and use this file to restore the configuration, either to the same device or to similar devices.
> scp host 192.168.4.1 user admin remote /home/admin/bin/ local /etc/config/backup-archive-0040FF800120-19.05.17-19.01.17.bin to remote Restore the device configuration You can restore a configuration file to your IX10 device by using a backup from the device, or a backup from a similar device. ...
Page 479
IX10 device. local-path is the location on the IX10 device where the copied file will be placed. For example: > scp host 192.168.4.1 user admin remote /home/admin/bin/backup-archive- 0040FF800120-19.05.17-19.01.17.bin local /etc/config/ to local...
Page 480
System administration Configuration files path is the location of configuration backup file on the IX10's filesystem (local-path in the previous step). passphrase (optional) is the passphrase to restore the configuration backup, if a passphrase was used when the backup was created.
Custom scripts that should be run as part of the configuration check. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 482
Configuration > Applications. b. For Add Script, click . The schedule script configuration window is displayed. Scheduled scripts are enabled by default. To disable, click Enable to toggle off. c. (Optional) For Label, provide a label for the script. IX10 User Guide...
Page 483
Sandbox is enabled by default, which restricts access to the file system and available commands that can be used by the script. This option protects the script from accidentally destroying the system it is running on. IX10 User Guide...
Page 484
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 485
The script will run once each time the device boots. If boot is selected, set the action that will be taken when the script completes: (config system schedule script 0)> exit_action action (config system schedule script 0)> where action is one of the following: IX10 User Guide...
Page 486
If the script begins with #!, then the script will be invoked in the location specified by the path for the script command. Otherwise, the default shell will be used (equivalent to #!/bin/sh). IX10 User Guide...
Type quit to disconnect from the device. Disable device encryption You can disable the cryptography on your IX10 device. This can be used to ship unused devices from overseas without needing export licenses from the country from which the device is being shipped.
Disabling device encryption is not available in the WebUI. It can only be performed from the Admin CLI. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 489
Select the Properties of the relevant network connection on the Windows PC. b. Click the Internet Protocol Version 4 (TCP/IPv4) parameter. c. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears. d. Configure with the following details: IP address for PC: 192.168.210.2 Subnet: 255.255.255.0 Gateway: 192.168.210.1 IX10 User Guide...
Configure the speed of your Ethernet port 2. Connect the PC's Ethernet port to the Ethernet port on your IX10 device. 3. Open a telnet session and connect to the IX10 device at the IP address of 192.168.210.1. 4. Log into the device: Username: admin Password: The default unique password for your device is printed on the device label.
Page 491
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 492
System administration Configure the speed of your Ethernet port 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Page 493
Monitoring This chapter contains the following topics: intelliFlow Configure NetFlow Probe IX10 User Guide...
WebUI. To use intelliFlow, the IX10 must be powered on and you must have access to the local WebUI. Once you enable intelliFlow, the Status >...
Page 495
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 496
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
This procedure is only available from the WebUI. To display display average CPU and RAM usage: WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
Top data usage by service To generate a top data usage chart: WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow. 3. From the menu, click Status > intelliFlow.
Page 499
5. Change the type of chart that is used to display the data: a. Click the menu icon (). b. Select the type of chart. 6. Change the number of top users displayed. You can display the top five, top ten, or top twenty data users. IX10 User Guide...
Use intelliFlow to display data usage by host over time To generate a chart displaying a host's data usage over time: WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
To save the chart to your local filesystem, select Export to PNG. c. To print the chart, select Print chart. Configure NetFlow Probe NetFlow probe is used to probe network traffic on the IX10 device and export statistics to NetFlow collectors. Required configuration items Enable NetFlow.
Page 502
Configure NetFlow Probe WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Monitoring > NetFlow probe.
Page 503
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 504
Set the IP address of the collector: (config monitoring netflow collector 0)> address ip_address (config monitoring netflow collector 0)> c. (Optional) Set the port used by the collector: (config monitoring netflow collector 0)> port port (config monitoring netflow collector 0)> IX10 User Guide...
Page 505
(config monitoring netflow collector 0)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Page 506
Configure Digi Remote Manager Collect device health data and set the sample interval Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
Digi Remote Manager User Guide. Configure Digi Remote Manager By default, your IX10 device is configured to use central management using Digi Remote Manager. Additional configuration options These additional configuration settings are not typically configured, but you can set them as needed: Disable the Digi Remote Manager connection if it is not required.
Page 508
6. (Optional) For Management port, type the destination port for the remote cloud services connection. The default is 3199. 7. (Optional) For Retry interval, type the amount of time that the IX10 device should wait before reattempting to connect to remote cloud services after being disconnected. The default is 30 seconds.
Page 509
16. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 510
(config)> cloud drm drm_url url (config)> 6. (Optional) Set the amount of time that the IX10 device should wait before reattempting to connect to the remote cloud services after being disconnected. The minimum value is ten seconds. The default is 30 seconds.
Page 511
Central management Configure Digi Remote Manager 30 seconds to two hours. The default is 290 seconds. (config)> cloud drm cellular_keep_alive value (config)> where value is any number of hours, minutes, or seconds, and takes the format number{h|m|s}. For example, to set the cellular keep-alive interval to ten minutes, enter either 10m or 600s: (config)>...
Collect device health data and set the sample interval You can enable or disable the collection of device health data to upload to Digi Remote Manager, and configure the interval between health sample uploads. By default, device health data upload is...
Page 513
To avoid a situation where several devices are uploading health metrics information to Remote Manager at the same time, the IX10 device includes a preconfigured randomization of two minutes for uploading metrics. For example, if Health sample interval is set to five minutes, the metrics will be uploaded to Remote Manager at a random time between five and seven minutes.
Page 514
1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
1. If you have not already done so, click here to sign up for a Digi Remote Manager account. 2. Check your email for Digi Remote Manager login instructions. 3. Go to remotemanager.digi.com. 4. Log into your Digi Remote Manager account.
Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. Click Device Management to display a list of your devices.
The same default password is also shown on the label affixed to the bottom of the device. 6. Click Add. 7. Click OK. Digi Remote Manager adds your IX10 device to your account and it appears in the Device Management view. View Digi Remote Manager connection status To view the current Digi Remote Manager configuration: ...
2. Follow the prompts to complete your IX10 registration. Digi Remote Manager registers your IX10 and adds it to your Digi Remote Manager device list. You can now manage the device remotely using Digi Remote Manager.
Central management Learn more 1. Using the IX10 local WebUI, configure one IX10 router to use as the model configuration for all subsequent IX10s you need to manage. 2. Register the configured IX10 device in your Digi Remote Manager account.
Page 520
File system This chapter contains the following topics: The IX10 local file system Display directory contents Create a directory Display file contents Copy a file or directory Move or rename a file or directory Delete a file or directory Upload and download files...
The IX10 local file system The IX10 local file system The IX10 local file system has approximately TBD of space available for storing files, such as Python programs, alternative configuration files and firmware versions, and release files, such as cellular module images.
For example: 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
For example: Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the Admin CLI prompt, type more /path/filename. For example, to view the contenct of the file accns.json in /etc/config:...
Command line To rename a file named test.py in /etc/config/scripts to final.py: 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line To delete a file named test.py in /etc/config/scripts: 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
FileZilla. Upload and download files by using the WebUI Upload files 1. Log into the IX10 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears.
IX10 device. local-path is the location on the IX10 device where the copied file will be placed. For example: To copy firmware from a remote host with an IP address of 192.168.4.1 to the /etc/config directory on the IX10 device, issue the following command: >...
IX10 device. For example: To copy a support report from the IX10 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
Page 529
File system Upload and download files $ sftp ahmed@192.168.2.1 Password: Connected to 192.168.2.1 sftp> get test.py Fetching test.py to test.py test.py 100% 0.3KB/s 00:00 sftp> exit IX10 User Guide...
Page 530
Generate a support report View system and event logs Configure syslog servers Configure options for the event and system logs Analyze network traffic Use the ping command to troubleshoot network connections Use the traceroute command to diagnose IP routing problems IX10 User Guide...
Attach the support report to any support requests. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
View System Logs WebUI 1. Log into the IX10 WebUI as a user with Admin access. 2. On the main menu, click System > Logs. The system log displays: 3. Limit the display in the system log by using the Find search tool.
Page 533
5. Click to download the system log. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
6. Click to download the event log. Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 535
Nov 26 22:01:25 info user name=admin~service=cli~state=closed~remote=192.168.1.2 > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
You can configure remote syslog servers for storing event and system logs. WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 537
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
30 minutes. All event categories are enabled. To change or disable the heartbeat interval, or to disable event categories, and to perform other log configuration: WebUI IX10 User Guide...
Page 539
7. Enable Preserve system logs to save the current session's system log after a reboot. By default, the IX10 device erases system logs each time the device is powered off or rebooted. Note You should only enable Preserve system logs temporarily to debug issues.
Page 540
To disable the heartbeat interval, set the value to 0s 4. Enable preserve system logs functionality to save the current session's system log after a reboot. By default, the IX10 device erases system logs each time the device is powered off or rebooted.
Page 541
Status events report the current list of leases. Parameters Current Value ------------------------------------------------------------------- ------------ info true Enable informational events status true Enable status events status_interval Status interval (config)> system log event dhcpserver IX10 User Guide...
Page 542
7. Save the configuration and apply the change: (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Analyze network traffic Analyze network traffic The IX10 device includes a network analyzer tool that captures data traffic on any interface and decodes the captured data traffic for diagnostics. You can capture data traffic on multiple interfaces at the same time and define capture filters to reduce the captured data. You can capture up to 10 MB of data traffic in two 5 MB files per interface.
To configure a packet capture configuration: WebUI 1. Log into the IX10 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Analyzer.
Page 545
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Save interval to ten minutes, enter 10m or 600s. 8. Click Apply to save the configuration and apply the change. IX10 User Guide...
Page 546
Analyze network traffic Command line 1. Log into the IX10 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 547
7. Save the configuration and apply the change: (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Example Ethernet capture filters Capture Ethernet packets to and from a host with a MAC address of 00:40:D0:13:35:36: ether host 00:40:D0:13:35:36 Capture Ethernet packets from host 00:40:D0:13:35:36: ether src 00:40:D0:13:35:36: Capture Ethernet packets to host 00:40:D0:13:35:36: ether dst 00:40:D0:13:35:36 IX10 User Guide...
To start packet capture from the command line: Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Analyze network traffic Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 551
See Configure packet capture for the network analyzer for more information. To determine available packet capture configurations, use the ?: > show anaylzer name ? name: Name of the capture filter to use. Format: test_capture capture_ping IX10 User Guide...
Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Type the following at the Admin CLI prompt: >...
Page 553
4. Select the saved analyzer report you want to download and click (download). Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Type the following at the Admin CLI prompt: >...
Ping to check internet connection To check your internet connection: 1. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 556
Max wait for a response to a probe. (Default: 5) Example This example shows using traceroute to verify that the IX10 device can route to host 8.8.8.8 (www.google.com) through the default gateway. The command output shows that 15 routing hops were required to reach the host: 1.
Radio Frequency Interference (RFI) (FCC 15.105) The Digi IX10 has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
The IX10 is certified for use in several European countries. For information, visit www.digi.com/resources/certifications. If the IX10 is incorporated into a product, the manufacturer must ensure compliance of the final product with articles 3.1a and 3.1b of the RE Directive (Radio Equipment Directive). A Declaration of Conformity must be issued for each of these standards and kept on file as described in the RE Directive (Radio Equipment Directive).
Digi IX10 regulatory and safety statements Maximum transmit power for radio frequencies Maximum transmit power for radio frequencies The following tables show the maximum transmit power for frequency bands. Cellular frequency bands Frequency bands Maximum transmit power Cellular LTE 700 MHz...
RoHS compliance statement RoHS compliance statement All Digi International Inc. products that are compliant with the RoHS Directive (EU Directive 2002/95/EC and subsequent amendments) are marked as RoHS COMPLIANT. RoHS COMPLIANT means that the substances restricted by the EU Directive 2002/95/EC and subsequent amendments...
Special safety notes for wireless routers Digi International products are designed to the highest standards of safety and international standards compliance for the markets in which they are sold. However, cellular-based products contain radio devices which require specific consideration. Take the time to read and understand the following guidance.
International EMC (Electromagnetic Compatibility) and safety standards This product complies with the requirements of the following Electromagnetic Compatibility standards. There are no user-serviceable parts inside the product. Contact your Digi representative for repair information. Certification category Standards EN 300 328 v1.8.1...
Page 563
International EMC (Electromagnetic Compatibility) and safety standards Certification category Standards Electrical safety compliance The IX10 model 50002009-01 shall be powered using a DC power source Approved in its country of use as per ES1 [IEC 62368-1:2014(Ed.2.0)] or SELV [Safety Extra Low Voltage as per IEC 60950-1:2005(ED 2) + A1, A2.
Page 564
Auto-complete commands and parameters Available commands Use the scp command Display status and statistics using the show command Device configuration using the command line interface Execute configuration commands at the root Admin CLI prompt Configuration mode Command line reference IX10 User Guide...
Log in to the command line interface Command line 1. Connect to the IX10 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface more information.
2. At the main menu, click Terminal. The device console appears. IX10 login: 3. Log into the IX10 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Display help for commands and parameters The help command When executed from the root command prompt, help displays information about autocomplete operations, how to move the cursor on the IX10 command line, and other keyboard shortcuts: > help Commands ------------------------------------------------------------------------------- Show commands help <Tab>...
Typing the space bar has similar behavior. If multiple commands are available that will match the entered text, auto-complete is not performed and the available commands are displayed instead. Auto-complete applies to these command elements only : IX10 User Guide...
Page 569
Parameter values, where the value is one of an enumeration or an on|off type; for example: (config)> serial port1 enable t<Tab> auto-completes to (config)> serial port1 enable true Auto-complete does not function for: Parameter values that are string types. Integer values. File names. Select parameters passed to commands that perform an action. IX10 User Guide...
Pings a remote host using Internet Control Message Protocol (ICMP) Echo Request messages. reboot Reboots the IX10 device. Removes a file. Uses the secure copy protocol (SCP) to transfer files between the IX10 device and a remote host. Use the scp command for information about using the scp command. show Displays information about the device and the device's configuration.
The hostname or IP address of the remote host. The username and password of the user on the remote host. Whether the file is being copied to the IX10 device from a remote host, or to the remote host from the IX10 device.
IX10 device. For example: To copy a support report from the IX10 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
"445" > show system show system command displays system information and statistics for the device, including CPU usage. > show system Model : Digi IX10 Serial Number : IX10-000065 : IX10 Hostname : IX10 : DF:DD:E2:AE:21:18 Hardware Version...
For example, to disable the SSH service from the root prompt, enter the following command: > config service ssh enable false > The IX10 device's ssh service is now disabled. Note When the config command is executed at the root prompt, certain configuration actions that are available in configuration mode cannot be performed.
Page 575
4. Lastly, display the allowed values and other information for the enable parameter: > config service ssh enable ? Enable: Enable the service. Format: true, false, yes, no, 1, 0 Default value: true Current value: true > config service ssh enable IX10 User Guide...
To save changes that you have made to the configuration while in configuration mode, use save. The save command automatically validates the configuration changes; the configuration will not be saved if it is not valid. Note that you can also validate configuration changes at any time while in IX10 User Guide...
See Manage elements in lists for information about using the del command with lists. Moves elements in a list. See Manage move elements in lists for information about using the move command with lists. IX10 User Guide...
Enter service to move to the service node: (config)> service (config service)> b. Enter ? to display help for the service node: (config service)> ? Either of these methods will display the following information: config> service ? Services Additional Configuration -------------------------------------------------------------------------- IX10 User Guide...
Page 579
Enable [private] Private key port Port Additional Configuration -------------------------------------------------------------------------- Access control list mdns (config)> service ssh 4. Lastly, to display allowed values and other information for the enable parameter, use one of the following methods: IX10 User Guide...
1. At the config prompt, type service to move to the service node: (config)> service (config service)> 2. Type ssh to move to the ssh node: (config service)> ssh (config service ssh)> 3. Type acl to move to the acl node: (config service ssh)> acl (config service ssh acl)> IX10 User Guide...
2. Add an authentication method by using the add index_item command. For example: To add the TACACS+ authentication method to the beginning of the list, use the index number 0: (config)> add auth method 0 tacacs+ (config)> show auth method 0 tacacs+ IX10 User Guide...
Page 582
1 tacacs+ 2 radius (config)> 2. Delete one of the authentication methods by using the del index_number command. For example: a. To delete the local authentication method, use the index number 0: (config)> del auth method 0 (config)> IX10 User Guide...
(config)> The revert command The revert command is used to revert changes to the IX10 device's configuration and restore default configuration settings. The behavior of the revert command varies depending on where in the configuration hierarchy the command is executed, and whether the optional path parameter is used.
Page 584
Move to the location in the configuration and enter the revert command without the path parameter. For example: 1. Change to the auth method node: (config)> auth method (config auth method)> 2. Enter the revert command: (config auth method)> revert (config auth method)> IX10 User Guide...
(config)> system description "Digi IX10" Example: Create a new user by using the command line In this example, you will use the IX10 command line to create a new user, provide a password for the user, and assign the user to authentication groups.
Page 586
5. List available authentication groups: (config auth user user1)> show ..group admin admin enable true nagios enable false openvpn enable false no tunnels portal enable false no portals serial enable false no ports shell enable false serial admin IX10 User Guide...
Page 587
(config auth user user1)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX10 User Guide...
Command line interface Command line reference Command line reference analyzer help mkdir modem modem puk status [imei STRING] [name STRING] more ping reboot show system traceroute IX10 User Guide...
Start a capture session of packets on this devices interfaces. Parameters name Name of the capture filter to use. Syntax: STRING analyzer stop name STRING Stops the traffic capture session. Parameters name Name of the capture filter to use. Syntax: STRING IX10 User Guide...
Page 590
The source file or directory to copy. Syntax: STRING destination The destination path to copy the source file or directory to. Syntax: STRING force Do not ask to overwrite the destination file if it exists. Syntax: BOOLEAN Default: False Optional: True IX10 User Guide...
Command line interface Command line reference help Show CLI editing and navigation commands. Parameters None IX10 User Guide...
Page 592
Directory listing command. ls [show-hidden] PATH List a directory. Parameters path List files and directories under this path. Syntax: STRING show-hidden Show hidden files and directories. Hidden filenames begin with '.'. Syntax: BOOLEAN Default: False Optional: True IX10 User Guide...
Command line interface Command line reference mkdir mkdir PATH Create a directory. Parent directories are created as needed. Parameters path The directory path to create. Syntax: STRING IX10 User Guide...
Optional: True modem firmware Commands for interacting with cellular modem firmware. See Update cellular module firmware further information about using the modem firmware commands. firmware check [imei STRING] [name STRING] Inspect /opt/[MODEM_MODEL]/Custom_Firmware/ directory for new modem firmware file. IX10 User Guide...
Page 595
Commands for performing FOTA (firmware-over-the-air) interactions with cellular modem. ota check [imei STRING] [name STRING] Query the Digi firmware server for the latest remote modem firmware version. Parameters imei The IMEI of the modem to execute this CLI command on...
Page 596
Command line interface Command line reference ota list [imei STRING] [name STRING] Query the Digi firmware server for a list of modem firmware versions. Parameters imei The IMEI of the modem to execute this CLI command on Optional: True Type: string...
Page 597
[imei STRING] [name STRING] PIN Disable the PIN lock on the SIM card that is active in the modem. Warning: Attempting to use an incorrect PIN code may PUK lock the SIM. Parameters The SIM's PIN code. IX10 User Guide...
Page 598
PUK locked when there are no remaining retries Parameters imei The IMEI of the modem to execute this CLI command on. Syntax: STRING Optional: True name The configured name of the modem to execute this CLI command on. Syntax: STRING Optional: True IX10 User Guide...
Optional: True name The configured name of the modem to execute this CLI command on. Syntax: STRING Optional: True puk unlock [imei STRING] [name STRING] PUK NEW-PIN Unlock the SIM with a PUK code from the SIM provider. IX10 User Guide...
Page 600
Show or change the modem's active SIM slot. This applies only to modems with multiple SIM slots. Parameters slot The SIM slot to change to. Syntax: (1|2|show) imei The IMEI of the modem to execute this CLI command on. IX10 User Guide...
Page 601
Command line interface Command line reference Syntax: STRING Optional: True name The configured name of the modem to execute this CLI command on. Syntax: STRING Optional: True IX10 User Guide...
Command line interface Command line reference more path The file to view. Syntax: STRING IX10 User Guide...
Page 603
The source file or directory to move. Syntax: STRING destination The destination path to move the source file or directory to. Syntax: STRING force Do not ask to overwrite the destination file if it exists. Syntax: BOOLEAN Default: False Optional: True IX10 User Guide...
If a hostname is defined as the value of the 'host' parameter, use the hosts IPV6 address. Syntax: BOOLEAN Default: False Optional: True size The number of bytes sent in the ICMP ping request. Syntax: INT Minimum: 0 Default: 56 IX10 User Guide...
Page 605
Command line reference source The ping command will send a packet with the source address set to the IP address of this interface, rather than the address of the interface the packet is sent from. Syntax: STRING Optional: True IX10 User Guide...
Command line interface Command line reference reboot Reboot the system. Parameters None IX10 User Guide...
Page 607
Command line interface Command line reference Remove a file or directory. rm [force] PATH Parameters path The path to remove. Syntax: STRING force Force the file to be removed without asking. Syntax: BOOLEAN Default: False Optional: True IX10 User Guide...
Syntax: STRING Copy the file from the local device to the remote host, or from the remote host to the local device. Syntax: (remote|local) user The username to use when connecting to the remote host. Syntax: STRING IX10 User Guide...
Default: False Optional: True verbose Display more information (less concise, more detail). Syntax: BOOLEAN Default: False Optional: True show cloud Show Digi Remote Manager status and statistics. Parameters None show config Show changes made to default configuration. IX10 User Guide...
Page 610
Type of event log to be displayed (status, error, info). Syntax: (status|error|info) Optional: True show hotspot [ip STRING] [name STRING] Show hotspot statistics. Parameters IP address of a specific client, to limit the status display to only this client. Syntax: STRING Optional: True IX10 User Guide...
Page 611
Filters for type of log message displayed (critical, warning, info, debug). Note, filters from the number of messages retrieved not the whole log (this can be very time consuming). If you require more messages of the filtered type, increase the number of messages retrieved using 'number'. Syntax: (critical|warning|debug|info) Optional: True IX10 User Guide...
Page 612
The IMEI of the modem to execute this CLI command on. Syntax: STRING Optional: True name The configured name of the modem to execute this CLI command on. Syntax: STRING Optional: True verbose Display more information (less concise, more detail). Syntax: BOOLEAN Default: False IX10 User Guide...
Page 613
Display more information (less concise, more detail). Syntax: BOOLEAN Default: False Optional: True show openvpn Show OpenVPN status and statistics. openvpn client [all] [name STRING] Show OpenVPN client status statistics. Parameters Display all clients including disabled clients. Syntax: BOOLEAN Default: False Optional: True IX10 User Guide...
Page 614
Display IPv4 routes. Syntax: BOOLEAN Default: False Optional: True ipv6 Display IPv6 routes. Syntax: BOOLEAN Default: False Optional: True verbose Display more information (less concise, more detail). Syntax: BOOLEAN Default: False Optional: True show scripts Show scheduled system scripts IX10 User Guide...
Page 615
Optional: True show usb Show USB information. Parameters None show version [verbose] Show firmware version. Parameters verbose Display more information (build date) Syntax: BOOLEAN Default: False Optional: True show vrrp [all|verbose] [name STRING] Show VRRP status and statistics. IX10 User Guide...
Optional: True Type: string host The hostname or IP address of the remote host Syntax: {hostname|IPv4_address|IPv6_address} Type: string port The SSH port to use to connect to the remote host. Default: 22 Maximum: 65535 Minimum: 1 IX10 User Guide...
Page 617
Command line interface Command line reference Syntax: {Integer} Type: integer user The username to use when connecting to the remote host. Type: string IX10 User Guide...
Duplicate the running firmware to the alternate partition so that the device will always boot the same firmware version. Parameters None system factory-erase Erase the device to restore to factory defaults. All configuration and automatically generated keys will be erased. Parameters None IX10 User Guide...
Page 619
Parameters script Script to stop. Syntax: STRING system serial clear PORT Clears the serial log. Parameters port Serial port. Type: string system serial save PORT FILENAME Saves the current serial log to a file. IX10 User Guide...
Page 620
Serial port. Type: string system serial stop PORT Start logging data on a serial port. Parameters port Serial port. Type: string system support-report PATH Save a support report to a file and include with support requests. IX10 User Guide...
Page 621
Command line interface Command line reference Parameters path The file path to save the support report to. Syntax: STRING path The file path to save the backup to. Syntax: STRING IX10 User Guide...
Tells traceroute to add an IP source routing option to the outgoing packet that tells the network to route the packet through the specified gateway Syntax: STRING Optional: True icmp Use ICMP ECHO for probes. Syntax: BOOLEAN Default: False IX10 User Guide...
Page 623
Total size of the probing packet. Default 60 bytes for IPv4 and 80 for Ipv6. A value of -1 specifies that the default value will be used. Syntax: INT Minimum: -1 Default: -1 pausemsecs Minimal time interval between probes Syntax: INT Minimum: 0 Default: 0 IX10 User Guide...
Page 624
Syntax: INT Minimum: -1 Default: -1 waittime Determines how long to wait for a response to a probe. Syntax: INT Minimum: 1 Default: 5 host The host that we wish to trace the route packets for. Syntax: STRING IX10 User Guide...