Revision history—90002291 Revision Date Description Release of Digi IX14 firmware version 21.2: March 2021 Location services added, including: The ability to define a static latitude and longitude as a location for the device. Reporting location information as health metrics to Digi Remote Manager.
Added support for over-the-air (OTA) modem firmware update to check, list, and update to new modem firmware from the Digi firmware server. Added the ability to scan for cellular carriers on the Modem status page and the ability to select a particular PLMN/network to use.
September 2021 Added LXC container support for running localized containers on the device. Added support for maintenance windows triggers to control when a device is available for Digi Remote Manager maintenance activity. VPN enhancements: Added support for L2TPv3 tunneling. New option to enable, disable, or force IPsec IKE fragmentation.
Added ability to control if DHCP addresses are assigned sequentially or randomly (disabled by default). Added 802.1x port-based network access control, configurable per network interface. Release of Digi IX14 firmware version 21.11: December 2021 Configuration option to allow for automatic update of new firmware (disabled by default).
Support for sending analog and digital I/O health metrics to Digi Remote Manager. Added show containers Admin CLI command. Release of Digi IX14 firmware version 22.2: March 2022 VPN enhancements: Renamed VPN > IPsec > Tunnels > Policies > Local network setting to Local traffic selector and added Remote traffic selector.
New cat Admin CLI command for displaying file contents. Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Contact us at +1 952.912.3444 or visit us at www.digi.com/support. Feedback To provide feedback on this document, email your comments to techcomm@digi.com. Include the document title and part number (IX14 User Guide, 90002291 K) in the subject line of your email. IX14 User Guide...
Step 4: Sign up for Digi Remote Manager Step 5: Access the IX14 local web interface Step 6: Configure cellular connection using the web interface Step 7: Add your IX14 to your Digi Remote Manager account Next steps Reset the device to factory defaults...
Access Digi Remote Manager Using the web interface Log out of the web interface Use the local REST API to configure the IX14 device Use the GET method to return device configuration information Use the POST method to modify device configuration parameters and list arrays...
Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ user configuration TACACS+ server failover and fallback to local authentication Configure your IX14 device to use a TACACS+ server Remote Authentication Dial-In User Service (RADIUS) RADIUS user configuration RADIUS server failover and fallback to local configuration...
Reboot your device immediately Schedule reboots of your device Erase device configuration and reset to factory defaults Configure the IX14 device to use custom factory default settings Locate the device by using the Find Me feature Configuration files Save configuration changes...
Use Python to respond to Digi Remote Manager SCI requests Use digidevice runtime to access the runtime database Use Python to upload the device name to Digi Remote Manager Use Python to access the device location data Use Python to set the maintenance window...
Collect device health data and set the sample interval Enable event log upload to Digi Remote Manager Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
Delete a static route Policy-based routing Configure a routing policy Routing services Configure routing services Show the routing table Dynamic DNS Configure dynamic DNS Virtual Router Redundancy Protocol (VRRP) VRRP+ Configure VRRP Configure VRRP+ Example: VRRP/VRRP+ configuration
Upload and download files by using the WebUI Upload and download files by using the Secure Copy command Upload and download files using SFTP Digi IX14 regulatory and safety statements RF exposure statement Federal Communication (FCC) Part 15 Class B Radio Frequency Interference (RFI) (FCC 15.105)
Added VPN > IPsec > Advanced > Debug level to specify the logging verbosity of IPsec messages in the device system logs. Enhancements to communications with Digi Remote Manager: Enhanced security for communications with Digi Remote Manager by using client-side certificates. The default URL for the device's Remote Manager connection is now edp12.devicecloud.com.
When you open the IX14 package, look for the following: Digi IX14 device The Digi IX14 has a product label on the bottom of the device. The label includes product identification information and the default password assigned to the device. The IX14 also includes a terminal connector for the power supply installed in the power input.
Digi IX14 Quick start Step 3: Connect hardware Ethernet cable Use an Ethernet cable to connect the IX14 WAN/ETH1 port to a laptop or PC to access the local web interface via a browser or connect to a WAN. Phillips-head screwdriver Use a #1 Phillips-head screwdriver to remove and replace the SIM door when installing SIM cards.
Click on the link in the email to log into Digi Remote Manager. Step 5: Access the IX14 local web interface a. If you have not already done so, use an Ethernet cable to connect your IX14 WAN/ETH1 port to your PC.
The same default password is also shown on the label affixed to the bottom of the device. a. Click Add. b. Click OK. Digi Remote Manager adds your IX14 to your account and it appears in the Device Management view. Next steps Congratulations! You have completed the Quick start.
4. Click Confirm. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Digi IX14 hardware reference IX14 features and specifications IX14 is a compact LTE CAT1 machine-to-machine (M2M) router suitable for a broad range of applications in rugged industrial environments. Key features include: Industrial grade components (operating temperatures from -29° F to +165° F/-34° C to +74° C)
IX14 is intended to be powered by a certified power supply with output rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. If the IX14 is operated in an ambient temperature range from +0 C to +40 C, use the Digi power supply accessory kits 76002078 or 76002080 to meet the temperature criteria.
100 Mbps connection; Off for no connection Solid green Valid link detected; Flashing for Ethernet activity Digi IX14 serial connector pinout The IX14 is a DTE device. The pinout for the DB9 serial connector is as follows: Direction RS232 Signal name...
Part numbers and accessories for details. IX14 antennas IX14 obtained complete certification by using the antenna described here. Use an antenna that matches these specifications to maintain the product certification. You can use antennas of the same type but operating with a lower gain.
Hardware setup This chapter contains the following topics: Install SIM cards Attach and position antennas Connect the WAN/ETH1 port Connect the serial port Power on the IX14 QR code definition
1. On the IX14 front panel, use a #1 Phillips-head screwdriver to remove the SIM door. 2. If the IX14 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
The IX14 does not include a power supply or antennas. See IX14 accessory kits for information on IX14 power supplies and antennas. Connect IX14-compatible antennas to the WWAN-1 and WWAN-2 antenna connectors on the back of the device. Position the antennas for best reception.
Connect the WAN/ETH1 port Use an Ethernet cable to connect the IX14 to your local laptop or PC or to your local network (LAN). If you connect directly to your PC, the factory default IP address is 192.168.2.1. If you connect to a LAN that has a DHCP server, reboot the device after you connect and wait for the DHCP server to assign an IP address to the device.
Configuration methods Using Digi Remote Manager Access Digi Remote Manager Using the web interface Use the local REST API to configure the IX14 device Using the command line Access the command line interface Log in to the command line interface Exit the command line interface...
To change the default password for the admin user: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
With the Remote Manager, you can configure your IX14 device and use the configuration as a basis for a profile which can be applied to other similar devices. See...
Using Digi Remote Manager By default, your IX14 device is configured to use Digi Remote Manager as its central management server. No configuration changes are required to begin using the Remote Manager. For information about configuring central management for your IX14 device, see Central management.
On the main menu, click your user name. Click Log out. Use the local REST API to configure the IX14 device Your IX14 device includes a REST API that can be used to return information about the device's configuration and to make modifications to the configuration. You can view the REST API specification from your web browser by opening the URL: https://ip-address/cgi-bin/config.cgi...
To determine allowed values for path from the Admin CLI: 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Configuration and management Use the local REST API to configure the IX14 device ping Ping responder snmp SNMP telnet Telnet web_admin Web administration (config)> service For example, to use curl to return the ssh configuration: $ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value/service/ssh -...
Configuration and management Use the local REST API to configure the IX14 device Use the POST method to modify device configuration parameters and list arrays Use the POST method to modify device configuration parameters To modify configuration parameters, use the POST method with the path and value parameters.
Configuration and management Use the local REST API to configure the IX14 device where path is the path to the list item, including the list number, in dot notation (for example, service.ssh.acl.zone.4). For example, to remove the external firewall zone to the ssh service: 1.
Log in to the command line interface Command line 1. Connect to the IX14 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface for more information.
Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the IX14 command line. You will now be connected to the Admin CLI: Connecting now, 'exit' to disconnect from Admin CLI ... >...
Configuration and management Exit the command line interface Type q or quit to exit.
Initial configuration This chapter contains the following topics: Configure cellular modem APNs Change the default LAN subnet Change the LAN address type Configure SIM PIN Configure system settings Enable or disable Bluetooth service
Configure cellular modem APNs The IX14 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
The default is none. 7. (Optional) To configure the device to bypass its preconfigured APN list and only use the configured APNs: (config)> network interface modem modem apn_lock true (config)> 8. Save the configuration and apply the change:
Configure cellular modem APNs (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Change the default LAN subnet You can change the IX14 default LAN subnet—192.168.2.1/24—to any range of private IPs. The local DHCP server range will also change to the range of the LAN subnet. To change the LAN subnet: ...
By default, the LAN interface uses a static IP address. To configure it to use a DHCP address instead: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
3. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Initial configuration Configure system settings 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System. 4. Provide the system information settings: Name: (Optional) Enter a name for the device.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
1 or 0 are also allowed. 5. If you want to add custom scripts, see Schedule system maintenance tasks for more information. 6. (Optional) Set the timezone for the location of your IX14 device. The default is UTC.
The status interval determines how often the status event is reported. The value of the status interval uses the format number{w|d|h|m|s}. Disable informational logging of arping events: (config)> system log event arping info false (config)>
(config)> system log event network status false (config)> system log event network status_interval value (config)> Disable status events related to OpenVPN events, or change the status interval for OpenVPN status event logging from the default of 5 minutes:
Disable informational logging of Wake-On-LAN (WOL) remote control commands: (config)> system log event wol info false (config)> 9. To keep the current system logs when the device is rebooted: (config)> system log persistent true (config)> 10. (Optional) Configure additional syslog servers:
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Enable or disable Bluetooth service By default, Bluetooth service is enabled. To disable or enable Bluetooth service: WebUI
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Initial configuration Enable or disable Bluetooth service To disable the Bluetooth service: (config)> service bluetooth enable false (config)>
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Note You will not see the IX14 Bluetooth service listed on your smart phone or tablet.
Interfaces IX14 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wireless Wide Area Networks (WWANs) Local Area Networks (LANs)
Problems can occur beyond the immediate modem connection that prevent some IP traffic from reaching its destination. Normally this kind of problem does not cause the IX14 device to detect that the modem has failed, because the connection continues to work while the core problem exists somewhere else in the network.
SureLink will: The device will: 1. First SureLink failure: Nothing will happen. 2. Second SureLink failure: The interface will restart. 3. Third SureLink failure: The modem will reset. 4. Fourth SureLink failure: The interface will restart again.
WebUI SureLink can be configured for both IPv4 and IPv6. 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
For Reboot fail count, type or select the number of times that the Surelink test must fail before the device is rebooted. The default is 1. 11. Click to expand Test targets. 12. For Add Test Target, click .
For Pass threshold, type or select the number of times that the test must pass after failure, before the interface is determined to be working and is reinstated.
Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6. 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
1 through 5. The default is 5. 8. (Optional) Set the device to reboot when the interface is considered to have failed: (config network interface my_wwan ipv4 surelink)> reboot true (config network interface my_wwan ipv4 surelink)>
(config network interface my_wwan ipv4 surelink target 0)> dns_configured: Tests connectivity by sending a DNS query to the DNS servers configured for this interface. http: Tests connectivity by sending an HTTP or HTTPS GET request to the specified URL. Specify the url:
Use the ? to determine available interfaces: (config network interface my_wan ipv4 surelink target 0)> other_interface ? Interface: The network interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/lan /network/interface/loopback /network/interface/modem Current value: (config network interface my_wan ipv4 surelink target 0)> other_interface
(config network interface my_wwan ipv4 surelink)> attempts num (config network interface my_wwan ipv4 surelink)> The default is 3. e. Set the amount of time that the device should wait for a response to a probe attempt before considering it to have failed:
Type quit to disconnect from the device. Configure the device to reboot when a failure is detected Using SureLink, you can configure the IX14 device to reboot when it has determined that an interface has failed. Required configuration items Enable SureLink.
WebUI SureLink can be configured for both IPv4 and IPv6. 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Initial connection time: The amount of time to wait for an initial connection to the interface before this test is considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6. 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
(config network interface my_wwan)> add ipv4 surelink target end (config network interface my_wwan ipv4 surelink target 0)> 8. Set the test type: (config network interface my_wwan ipv4 surelink target 0)> test value (config network interface my_wwan ipv4 surelink target 0)>
(config network interface my_wwan ipv4 surelink target 0)> The default is 60 seconds. (Optional) Set the amount of time to wait for an initial connection to the interface before this test is considered to have failed:
IP version. (config network interface my_wwan ipv4 surelink target 0)> other_ip_version value (config network interface my_wwan ipv4 surelink target 0)> where value is one of: any, both, ipv4, or ipv6. Set the expected status of the alternate interface:
(config network interface my_wwan ipv4 surelink)> save Configuration saved. > 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
SureLink interface test. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Interfaces Wireless Wide Area Networks (WWANs) 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Typically, you configure SIM1 of the cellular modem as the primary cellular interface, and SIM2 as the backup cellular interface. In this way, if the IX14 device cannot connect to the network using SIM1, it automatically fails over to SIM2. IX14 devices automatically use the correct cellular module firmware for each carrier when switching SIMs.
Interfaces Wireless Wide Area Networks (WWANs) 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Modems > Modem.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Available options for value vary depending on the modem type. To determine available options: (config)> network modem modem access_tech ? Access technology: The cellular network technology that the modem may use. Format: Default value: all Current value: all (config)> The default is all, which uses the best available technology.
Type quit to disconnect from the device. Configure cellular modem APNs The IX14 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
7. To add additional APNs, for Add APN, click and repeat the preceding instructions. 8. (Optional) To configure the device to bypass its preconfigured APN list and only use the configured APNs, enable APN list only.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
You can view a summary status for all cellular modems, or view detailed status and statistics for a specific modem. WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click Status. 3. Under Connections, click Modems. The modem status window is displayed ...
Interfaces Wireless Wide Area Networks (WWANs) 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line To unlock a SIM card: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To run AT commands from the IX14 command line: Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Separation of untrusted Internet traffic from trusted internal network traffic. Secure connection to internal customer network without using a VPN. Separate billing structures for public and private traffic. Site-to-site networking, without the overhead of tunneling for each device.
APNs, and then use routing roles to forward traffic to the appropriate WWAN interface. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
For Zone, select External. e. For Device, select Modem. f. (Optional): Configure the public APN. If the public APN is not configured, the IX14 will attempt to determine the APN. i. Click to expand APN list > APN.
Configure the source address: i. Click to expand Source address. ii. For Type, select IPv4 address. iii. For Address, type 192.168.2.101. f. Configure the destination address: i. Click to expand Destination address. ii. For Type, select Interface.
Set the modem device: (config network interface WWANPublic)> modem device modem (config network interface WWANPublic)> d. (Optional): Set the public APN. If the public APN is not configured, the IX14 will attempt to determine the APN.
Set the label that will be used to identify this route policy: (config network route policy 0)> label "Route through private apn" (config network route policy 0)> c. Set the interface: (config network route policy 0)> interface /network/interface/WWANPrivate (config network route policy 0)>
The firewall zone: External. The cellular modem that is used by the WWAN. Additional configuration items SIM selection for this WWAN. The SIM PIN. The SIM phone number for SMS connections. Enable or disable roaming. SIM failover configuration. APN configuration.
WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
(IMSI) that must be active for this WWAN to be used. If ICCID is selected, for Match ICCID, type the unique SIM card ICCID that must be active for this WWAN to be used. 11. Type the PIN for the SIM. Leave blank if no PIN is required.
Reboot device: The device will reboot if automatic SIM switching is unavailable. 16. For APN list and APN list only, the IX14 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
SureLink. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Use ? to determine available carriers: (config network interface my_wwan)> modem carrier Match SIM carrier: The SIM carrier match criteria. This interface is applied when the SIM card is provisioned from the carrier. Format: AT&T Rogers Sprint T-Mobile Telstra Verizon Vodafone
(config network interface my_wwan)> modem phone num (config network interface my_wwan)> Normally, this should be left blank. It is only necessary to complete this field if the SIM does not have a phone number or if the phone number is incorrect.
11. SIM failover is enabled by default, which means that the modem will automatically fail over from the active SIM to the next available SIM when the active SIM fails to connect. To disable: (config network interface my_wwan)> modem sim_failover false (config network interface my_wwan)>
The device will reboot if automatic SIM switching is unavailable. 12. The IX14 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
Configure SureLink active recovery to detect modem failures for information about configuring active recovery. Show WWAN status and statistics WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. From the menu, click Status. 3. Under Networking, click Interfaces.
Wireless Wide Area Networks (WWANs) Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
WAN, LAN, or the preconfigured WWAN, Modem. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Local Area Networks (LANs) The IX14 device is preconfigured with the following Local Area Networks (LANs): You can modify configuration settings for LAN, and you can create new LANs. This section contains the following topics:...
The IPv6 Maximum Transmission Unit (MTU) of the LAN. When to use DNS: always, never, or only when this interface is the primary default route.
To create a new LAN or edit an existing LAN: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
7. For Device, select an Ethernet device. 8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The IX14 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication.
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
These instructions assume that the LAN will use a static IP address for its IPv4 configuration. a. Set the IPv4 address and subnet of the LAN interface. Use the format IPv4_address/netmask, for example, 192.168.2.1/24. (config network interface my_lan)> ipv4 address ip_address/netmask (config network interface my_lan)> b. Optional IPv4 configuration items:
Prefix length type prefix_delegation Type weight Weight Additional Configuration --------------------------------------------------------------------- ---------- connection_monitor Active recovery dhcpv6_server DHCPv6 server (config network interface my_lan)> View default settings for the IPv6 DHCP server: (config network interface my_lan)> ipv6 dhcpv6_server ?
Modify any of the remaining default settings as appropriate. 8. (Optional) To configure 802.1x port based network access control: Note The IX14 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the IX14 device: (config network interface my_lan)>...
> 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show LAN status and statistics WebUI
3. Under Networking, click Interfaces. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Local Area Networks (LANs) DHCP servers You can enable DHCP on your IX14 device to assign IP addresses to clients, using either: The DHCP server for the device's local network, which assigns IP addresses to clients on the device's local network. Addresses are assigned from a specified pool of IP addresses. For a local network, the device uses the DHCP server that has the IP address pool in the same...
For Gateway, select either: None: No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. Automatic: Broadcasts the IX14 device's gateway. Custom: Allows you to identify the IP address of a Custom gateway to be broadcast.
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. auto: Broadcasts the IX14 device's gateway. custom: Allows you to identify the IP address of a custom gateway to be broadcast: (config)> network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_address (config)>...
(config)> where value is one of: none: No server is broadcast. auto: Broadcasts the IX14 device's server. custom: Allows you to identify the IP address of the server. For example: (config)> network interface my_lan ipv4 dhcp_server advanced primary_dns_custom ip_address (config)>...
To map static IP addresses: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
3. Under Networking, click DHCP Leases. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To delete a static IP entry: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Type quit to disconnect from the device. Configure DHCP options You can configure DHCP servers running on your IX14 device to send certain specified DHCP options to DHCP clients. You can also set the user class, which enables you to specify which specific DHCP clients will receive the option.
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure DHCP relay DHCP relay allows a router to forward DHCP requests from one LAN to a separate DHCP server, typically connected to a different LAN.
For the IX14 device, DHCP relay is configured by providing the IP address of a DHCP relay server, rather than an IP address range. If both the DHCP relay server and an IP address range are specified, DHCP relay is used, and the specified IP address range is ignored.
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show DHCP server status and settings View DHCP status to monitor which devices have been given IP configuration by the IX14 device and to diagnose DHCP issues. ...
To create a VLAN: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Virtual LAN.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To show the Surelink status of all interfaces, use the show surelink interface all command: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To show the Surelink status of all IPsec tunnels, use the show surelink ipsec all command: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Passed test_client1 194.43.79.75 (Ping) 5 seconds Passed > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Serial port IX14 devices have a single serial port that provides access to different features, depending on the serial port mode selection. Default serial port configuration You can review the default serial port configuration for your device. Serial mode options You can choose a serial mode option for each serial port, depending on the feature that you want to use.
To change the configuration to match the serial configuration of the device to which you want to connect: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration >...
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To change the configuration to match the serial configuration of the device to which you want to connect: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
11. Click Strip End Pattern if you want to remove the end pattern from the packet before it is sent. 12. Expand Service Settings. All service settings are disabled by default. Click available options to toggle them to enabled, and set the IP ports as appropriate.
16. Click Apply to save the configuration and apply the change. The Apply button is located at the top of the WebUI page. You may need to scroll to the top of the page to locate it.
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
For example, to set idle_timeout to ten minutes, enter either 10m or 600s: (config)> path-param idle_timeout 600s (config)> The default is 15m. 11. Configure monitor settings. a. (Optional) Enable monitoring of CTS (Clear to Send) changes on this port: (config)> path-param monitor cts true (config)>
To change the configuration to match the serial configuration of the device to which you want to connect: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration >...
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To change the configuration to match the serial configuration of the device to which you want to connect: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration >...
For Local port, enter the UDP port. The default is 4001 for serial port 1, 4002 for serial port 2, etc. b. (Optional) For Socket String ID, enter a string that should be added at the beginning of each packet.
For Destinations, you can configure the remote sites to which you want to send data. If you do not specify any destinations, the IX14 sends new data from the last IP address and port from which data was received. To add a destination: i.
12. Set the maximum size of the packet: (config)> serial port1 framing max_count int (config)> The default is 1024. 13. Set the length of time the device should wait before sending the packet: (config)> serial port1 framing idle_time value (config)>
(config)> 18. Configure the remote sites to which you want to send data. If you do not specify any destinations, the IX14 sends new data to the last hostname and port from which data was received. To add a destination: i.
To change the configuration to match the serial configuration of the device to which you want to connect: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration >...
7. Click Apply to save the configuration and apply the change. The Apply button is located at the top of the WebUI page. You may need to scroll to the top of the page to locate it. Command line
1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: >...
3. Under Connections, click Serial. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Log serial port messages To display and configure the serial port log: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the main menu, click Status. 3. Under Connections, click Serial. 4. Click Log.
User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for IX14 users Example user configuration IX14 User Guide...
IX14 user authentication User authentication on the IX14 has the following features and default configuration: Feature: Idle timeout. Description: Determines how long a user session can be idle before the system automatically disconnects. Default configuration: 10 minutes.
TACACS+: Users authenticated by using a remote TACACS+ server for authentication. See Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication. LDAP: Users authenticated by using a remote LDAP server for authentication. See LDAP for information about configuring LDAP authentication.
To add an authentication method: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Methods.
This procedure describes how to add methods to various places in the list. 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Type quit to disconnect from the device. Delete an authentication method WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To reorder these so that RADIUS is first and Local users is second: 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
See Disable shell access for more information about the Allow shell parameter. Serial access: Users with Serial access have the ability to log into the IX14 device by using the serial console. Preconfigured authentication groups The IX14 device has two preconfigured authentication groups: The admin group is configured by default to have full Admin access.
For groups assigned Admin access, you can also determine whether the Access level should be Full access or Read-only access. Full access provides users of this group with the ability to manage the IX14 device by using the WebUI or the Admin CLI.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Access rights to OpenVPN tunnels, and the tunnels to which they have access. Access rights to captive portals, and the portals to which they have access. Access rights to query the device for Nagios monitoring. To add an authentication group: WebUI
1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Groups. 4. For Add, type a name for the group and click .
Full access full: provides users of this group with the ability to manage the IX14 device by using the WebUI or the Admin CLI. Read-only access read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
(config)> where value is either: full: provides users of this group with the ability to manage the IX14 device by using the WebUI or the Admin CLI. read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete an authentication group By default, the IX14 device has two preconfigured authentication groups: admin and serial. These groups cannot be deleted. To delete an authentication group that you have created: ...
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default user. Default user At manufacturing time, each IX14 device comes with a default user configured as follows: Username: admin. Password: The default password is displayed on the label on the bottom of the device.
To change a user's password: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users.
You can also change the password for the active user by clicking the user name in the menu bar: The active user must have full Admin access rights to be able to change the password. 6. Click Apply to save the configuration and apply the change.
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To configure a local user: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users.
For example, to set Lockout duration to ten minutes, enter 10m or 600s. The minimum value is 1 second, and the maximum is 15 minutes. The default is 15 minutes. 8. Add groups for the user. Groups define user access rights. See Authentication groups for information about configuring groups.
For time-based verification only, in Code refresh interval, type the amount of time that a code will remain valid. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Code refresh interval to ten minutes, enter 10m or 600s.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config auth user new_user)> Note Every user must be configured with at least one group. b. (Optional) Add additional groups by repeating the add group command: (config auth user new_user)> add group end serial (config auth user new_user)>
totp: Time-based One-Time Password (TOTP) authentication uses the current time to generate a one-time password. hotp: HMAC-based One-Time Password (HOTP) uses a counter to validate a one-time password. The default value is totp. (config auth user new_user 2fa)> type totp (config auth user new_user 2fa)>
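The two one-time-password types above, combined with the number{w|d|h|m|s} format used for Code refresh interval, as an added Python example (not Digi's code). It assumes the standard RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms with HMAC-SHA1 and 6-digit codes, which this guide does not confirm for the IX14; the secret is the RFC test key, and all function names and the look_ahead window are illustrative.

```python
import hashlib
import hmac
import re
import struct

# Seconds per unit for the guide's number{w|d|h|m|s} duration format.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

# RFC 4226 / RFC 6238 published test secret (not a device secret).
RFC_TEST_SECRET = b"12345678901234567890"


def parse_duration(text):
    """Convert a value such as '10m' or '600s' to seconds; reject anything else."""
    match = re.fullmatch(r"(\d+)([wdhms])", text.strip())
    if not match:
        raise ValueError("expected number{w|d|h|m|s}, got %r" % text)
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, refresh_interval, now, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed intervals."""
    step = parse_duration(refresh_interval)
    if step < 1:
        raise ValueError("refresh interval must be at least 1 second")
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, refresh_interval, now):
    """Accept a code only while the current refresh interval lasts."""
    expected = totp(secret, refresh_interval, now)
    return hmac.compare_digest(expected, code)


def verify_hotp(secret, code, server_counter, look_ahead=3):
    """Return the next server counter on success, or None on failure.

    Advancing the counter past the matched value is what makes a
    captured HOTP code useless if it is presented a second time.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter + 1
    return None


def demo():
    """Constructed walk-through using fixed timestamps instead of the clock."""
    issued = totp(RFC_TEST_SECRET, "10m", now=0)
    results = {
        "totp_code": issued,
        "valid_inside_interval": verify_totp(RFC_TEST_SECRET, issued, "10m", now=599),
        "valid_after_interval": verify_totp(RFC_TEST_SECRET, issued, "10m", now=600),
    }
    code = hotp(RFC_TEST_SECRET, 1)
    next_counter = verify_hotp(RFC_TEST_SECRET, code, server_counter=0)
    results["hotp_next_counter"] = next_counter
    results["hotp_replay"] = verify_hotp(RFC_TEST_SECRET, code, next_counter)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

A longer refresh interval keeps a code valid for longer, which also lengthens the window in which an intercepted code can be reused.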
(config auth user new_user 2fa)> login_limit_period value (config auth user new_user 2fa)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set login_limit_period to ten minutes, enter either 10m or 600s:
To delete a user from your IX14: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
3. Click Authentication > Users. 4. Click the menu icon (...) next to the name of the user to be deleted and select Delete. 5. Click Apply to save the configuration and apply the change.
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
With TACACS+ support, the IX14 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP. The TACACS+ server then authenticates the TACACS+ client requests and sends back a response message to the device.
The groupname attribute is optional. If used, the value must correspond to authentication groups configured on your IX14. Alternatively, if the user is also configured as a local user on the IX14 device and the LDAP server authenticates the user but does not return any groups, the local configuration determines the list of groups.
$ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX14 device to use backup TACACS+ servers. Backup TACACS+ servers are used for authentication requests when the primary TACACS+ server is unavailable.
Add additional TACACS+ servers in case the first TACACS+ server is unavailable. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
6. (Optional) For Group attribute, type the name of the attribute used in the TACACS+ server's configuration to identify the IX14 authentication group or groups that the user is a member of. For example, in TACACS+ user configuration, the group attribute in the sample tac_plus.conf...
(config)> auth tacacs+ authoritative true (config)> 4. (Optional) Configure the group_attribute. This is the name of the attribute used in the TACACS+ server's configuration to identify the IX14 authentication group or groups that the user is a member of. For example, in TACACS+ user configuration, the group attribute in the sample tac_plus.conf file is groupname, which is also the default setting for the group_attribute in the...
10. Save the configuration and apply the change: (config)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
To use RADIUS authentication, you must set up a RADIUS server that is accessible by the IX14 device prior to configuration. The process of setting up a RADIUS server varies by the server environment. An example of a RADIUS server is FreeRADIUS.
(password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX14 device.
If the RADIUS servers are unavailable and the IX14 device falls back to local authentication, only users defined locally on the device are able to log in. RADIUS users cannot log in until the RADIUS servers are brought back online.
7. (Optional) For NAS ID, type the unique identifier for this network access server (NAS). You can use the fully-qualified domain name of the NAS or any arbitrary string. If not set, the default value is used:
If you are accessing the IX14 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX14 device by using ssh, the default value is sshd.
You can use the fully-qualified domain name of the NAS or any arbitrary string. If not set, the default value is used: If you are accessing the IX14 device by using the WebUI, the default value for NAS ID is httpd.
When you are using LDAP authentication, you can have both local users and LDAP users able to log in to the device. To use LDAP authentication, you must set up an LDAP server that is accessible by the IX14 device prior to configuration. The process of setting up an LDAP server varies by the server environment.
(password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure an LDAP server to be used for user authentication on your IX14 device.
LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX14 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > LDAP > Servers.
If this attribute is not set, the user will be denied access. 12. (Optional) For Group attribute, type the name of the user attribute that contains the list of IX14 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
. If this attribute is not set, the user will be denied access. 10. (Optional) Set the name of the user attribute that contains the list of IX14 authentication groups that the authenticated user has access to. See...
This section describes how to configure authentication for serial access. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To prohibit access to the shell prompt for all authentication groups, disable the Allow shell parameter. This does not prevent access to the Admin CLI. Note If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset. WebUI
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
By default, the Idle timeout is set to 10 minutes. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 231
User authentication Set the idle timeout for IX14 users where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set idle_timeout to ten minutes, enter either 10m or 600s: (config)> auth idle_timeout 600s (config)>...
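The following is an added example, not part of the Digi guide: a Python check that normalizes idle_timeout values written in the number{w|d|h|m|s} form described above and compares them with a policy ceiling. The device names, the sample values and the 600-second ceiling (taken from the documented 10-minute default) are constructed for illustration, and treating only a single number-plus-unit value as parseable is an assumption based on the format as the page states it.

```python
import re

# Seconds per unit for the documented format number{w|d|h|m|s}.
UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TIMEOUT_RE = re.compile(r"(\d+)([wdhms])")


def parse_idle_timeout(value):
    """Convert a value such as '10m' or '600s' to seconds.

    Only the single number-plus-unit form shown in the guide is accepted
    (assumption: anything else is reported rather than guessed at).
    """
    match = _TIMEOUT_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"not in number{{w|d|h|m|s}} form: {value!r}")
    number, unit = match.groups()
    return int(number) * UNIT_SECONDS[unit]


def audit_idle_timeouts(configured, max_seconds=600):
    """Classify each device's idle_timeout against a policy ceiling.

    configured maps a device name to the raw string set with
    'auth idle_timeout <value>'. Returns (device, status, seconds) tuples:
      ok        at or below the ceiling
      too_long  above the ceiling
      review    zero; the guide does not say what a zero timeout means
      unparsed  not in the documented single number-plus-unit form
    """
    results = []
    for device in sorted(configured):
        raw = configured[device]
        try:
            seconds = parse_idle_timeout(raw)
        except ValueError:
            results.append((device, "unparsed", None))
            continue
        if seconds == 0:
            status = "review"
        elif seconds > max_seconds:
            status = "too_long"
        else:
            status = "ok"
        results.append((device, status, seconds))
    return results


# Constructed sample: values as they might be collected from a fleet.
SAMPLE = {
    "site-a": "10m",    # the guide's own example
    "site-b": "600s",   # same duration, different unit
    "site-c": "1d",
    "site-d": "45",     # unit missing
    "site-e": "2w",
    "site-f": "0s",
    "site-g": "1h30m",  # compound value, outside the documented form
}

if __name__ == "__main__":
    for device, status, seconds in audit_idle_timeouts(SAMPLE):
        print(f"{device:8} {status:9} {seconds}")
```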
Goal: To create a user with administrator rights who is authenticated locally on the device. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 233
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example 2: RADIUS, TACACS+, and local authentication for one user Goal: To create a user with administrator rights who is authenticated by using all three authentication methods.
Page 235
User authentication Example user configuration In this example, when the user attempts to log in to the IX14 device, user authentication will occur in the following order: 1. The user is authenticated by the RADIUS server. If the RADIUS server is unavailable, 2.
Page 236
The authentication group on the IX14 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into the IX14 WebUI as a user with full Admin access rights. 4. On the menu, click System. Under Configuration, click Device Configuration. IX14 User Guide...
Page 237
Click to add another new method. f. For the new method, select Local users. 6. Create the local user: a. Click Authentication > Users. b. In Add User:, type admin1 and click . c. For password, type password1. IX14 User Guide...
Page 238
Unix-FTP-Group-Names := "admin" In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX14 device, admin, is identified in the Unix-FTP-Group-Names parameter. c. Save and close the users file.
Page 239
Save and close the tac_plus.conf file. 3. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 240
(config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Firewall. This chapter contains the following topics: Firewall configuration; Port forwarding rules; Packet filtering; Configure custom firewall rules; Configure Quality of Service options.
IPsec: The default zone for IPsec tunnels. Dynamic routes: Used for routes learned using routing services. Port forwarding: A list of rules that allow network connections to the IX14 to be forwarded to other servers by translating the destination address.
Page 243
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Internal, to External. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. IX14 User Guide...
Page 245
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
You cannot delete preconfigured firewall zones. To delete a custom firewall zone: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Port forwarding rules Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 248
To configure a port forwarding rule: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Port forwarding.
Page 249
13. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 250
7. Set the type of internet protocol. (config firewall dnat 0)> protocol value (config firewall dnat 0)> Network connections will only be forwarded if they match the selected protocol. Allowed values are custom, tcp, tcpudp, or udp. The default is tcp.
Page 251
To view a list of available zones: (config firewall dnat 0 acl)> ..zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists.
To delete a port forwarding rule: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. IX14 User Guide...
Page 253
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 254
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
By default, one preconfigured packet filtering rule, Allow all outgoing traffic, is enabled and monitors traffic going to and from the IX14 device. The predefined settings are intended to block unauthorized inbound traffic while providing an unrestricted flow of outgoing data. You can modify the default packet filtering rule and create additional rules to define how the device accepts or rejects traffic that is forwarded through the device.
Page 256
9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected, or dropped by this rule. See Firewall configuration for more information about firewall zones.
Page 257
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 258
7. Set the IP version. (config firewall filter 1)> ip_version value (config firewall filter 1)> where value is one of: ipv4 ipv6 The default is any. 8. Set the protocol. (config firewall filter 1)> protocol value (config firewall filter 1)>
To enable or disable a packet filtering rule: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 260
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To delete a packet filtering rule: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Packet filtering.
Page 262
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To configure custom firewall rules: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Custom rules.
(packet ingress). A QoS binding contains the policies and rules that apply to packets exiting the IX14 device on the binding's interface. By default, the IX14 device has two preconfigured QoS bindings, Outbound and Inbound.
Page 265
Enable the preconfigured bindings WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Quality of Service.
Page 266
Firewall Configure Quality of Service options 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 267
Create a new binding WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Quality of Service.
Page 268
Select Default to identify this policy as a fall-back policy. The fall-back policy will be used for traffic that is not matched by any other policy. If there is no default policy associated with this binding, packets that do not match any policy rules will be dropped.
Page 269
Interface: Only traffic destined for the selected Interface will be matched. IPv4 address: Only traffic destined for the IP address typed in IPv4 address will be matched. Use the format IPv4_address[/netmask], or use any to match any IPv4 address.
Page 270
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 271
1 and 65535. The default is 10. e. Set the maximum delay before the transmission of packets. A lower number means that the packets will be scheduled more quickly for transmission. IX14 User Guide...
Page 272
Set the IP protocol matching criteria for this rule: (config firewall qos 2 policy 0 rule 0)> protocol value (config firewall qos 2 policy 0 rule 0)> where value is one of tcp, udp, or any.
Page 273
(config network qos 2 policy 0 rule 0)> src interface /network/interface/LAN (config network qos 2 policy 0 rule 0)> address: Only traffic from the IP address typed in IPv4 address will be matched. Set the address that will be matched: IX14 User Guide...
Page 274
(config network qos 2 policy 0 rule 0)> dst interface ? Interface: Match the IP address with the specified interface's network address. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/lan /network/interface/loopback /network/interface/modem Current value: (config network qos 2 policy 0 rule 0)> dst interface ii. Set the interface. For example: IX14 User Guide...
Page 275
8. Save the configuration and apply the change: (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Page 276
Review device status Configure system information Update system firmware Update cellular module firmware Reboot your IX14 device Erase device configuration and reset to factory defaults Locate the device by using the Find Me feature Configuration files Schedule system maintenance tasks...
Show basic system information: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Disk /var Usage : 1.765MB/256.0MB(1%) > Configure system information You can configure information related to your IX14 device, such as providing a name and location for the device. Configuration items A name for the device. The name of a contact for the device.
Page 279
A banner that will be displayed when users access terminal services on the device. To enter system information: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System.
For example, IX14-22.2.9.85.bin. Manage firmware updates using Digi Remote Manager If you have a network of many devices, you can use Digi Remote Manager Profiles to manage firmware updates. Profiles ensure all your devices are running the correct firmware version and that...
The system firmware files are signed to ensure that only Digi-approved firmware load onto the device. The IX14 device validates the system firmware image as part of the update process and only successfully updates if the system firmware image can be authenticated.
Page 282
Newest firmware version available to download is '22.2.9.85' Device firmware update from '21.11.60.63' to '22.2.9.85' is needed > 3. Use the system firmware ota list command to list available firmware on the Digi firmware repository. > system firmware ota list 21.11.60.63...
Page 283
Update firmware from a local file WebUI 1. Download the IX14 operating system firmware from the Digi Support FTP site to your local machine. 2. Log into the IX14 WebUI as a user with Admin access. 3. On the main menu, click System. Under Administration, click Firmware Update.
Page 284
> reboot Rebooting system > 7. Once the device has rebooted, log into the IX14's command line as a user with Admin access and verify the running firmware version by entering the show system command. > show system...
> Dual boot behavior By default, the IX14 device stores two copies of firmware in two flash memory banks: The current firmware version that is used to boot the device. A copy of the firmware that was in use prior to your most recent firmware update.
> system duplicate-firmware > Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository, or by uploading firmware from your local storage onto the device. You can also schedule modem firmware updates. See Schedule system maintenance tasks for details.
Command line Update modem firmware over the air (OTA) You can update your modem firmware by querying the Digi firmware repository to determine if there is new firmware available for your modem and performing an OTA modem firmware update: 1. Log into the IX14 command line as a user with Admin access.
Type quit to disconnect from the device. Update modem firmware by using a local firmware file You can update your modem firmware by uploading a modem firmware file to your IX14 device. Firmware should be uploaded to /opt/MODEM_MODEL/Custom_Firmware, for example, /opt/LM940/Custom_Firmware.
Type quit to disconnect from the device. Reboot your IX14 device You can reboot the IX14 device immediately or schedule a reboot for a specific time every day. Note You may want to save your configuration settings to a file before rebooting. See...
Schedule reboots of your device WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. IX14 User Guide...
Page 291
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
With firmware release 22.2.9.x and newer, erases the client-side certificate used for communication with Digi Remote Manager. If you are using Digi Remote Manager with firmware release 22.2.9.x and newer, by default the device uses a client-side certificate for communication with Remote Manager. If the client-side certificate is erased, you must use the Remote Manager interface to reset the certificate.
Page 293
3. In the Erase configuration section, click ERASE. 4. Click CONFIRM. 5. After resetting the device: a. Connect to the IX14 by using the serial port or by using an Ethernet cable to connect the IX14 LAN port to your PC. b. Log into the IX14: User name: Use the default user name: admin.
Page 294
2. Enter the following: > system factory-erase 3. After resetting the device: a. Connect to the IX14 by using the serial port or by using an Ethernet cable to connect the IX14 LAN port to your PC. b. Log into the IX14: User name: Use the default user name: admin.
Configure the IX14 device to use custom factory default settings You can configure your IX14 device to use custom factory default settings. This way, when you erase the device's configuration, the device will reset to your custom configuration rather than to the original factory defaults.
Page 296
1. Log into the IX14 WebUI as a user with Admin access. 2. Configure your IX14 device to match the desired custom factory default configuration. For example, you may want to configure the device to use a custom APN or a particular network configuration, so that when you reset the device to factory defaults, it will automatically have your required network configuration.
Select the file from your local file system. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 298
Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Save configuration changes When you make changes to the IX14 configuration, the changes are not automatically saved. You must explicitly save configuration changes, which also applies the changes. If you do not save configuration changes, the system discards the changes.
Type quit to disconnect from the device. Save configuration to a file You can save your IX14 device's configuration to a file and use this file to restore the configuration, either to the same device or to similar devices.
> scp host 192.168.4.1 user admin remote /home/admin/bin/ local /etc/config/backup-archive-0040FF800120-19.05.17-19.01.17.bin to remote Restore the device configuration You can restore a configuration file to your IX14 device by using a backup from the device, or a backup from a similar device. ...
Page 302
IX14 device. local-path is the location on the IX14 device where the copied file will be placed.
Page 303
> system restore filepath [passphrase passphrase] where filepath is the path and filename of the configuration backup file on the IX14's filesystem (local-path in the previous step). passphrase (optional) is the passphrase to restore the configuration backup, if a passphrase was used when the backup was created.
The frequency (daily, weekly, or monthly) that checks for firmware updates will run. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 305
For Duration window, select the amount of time that the maintenance tasks will be run. If Immediately is selected, all scheduled tasks will begin at the exact time specified in Start time. d. For Frequency, select whether the maintenance window will be started every day, or once per week. IX14 User Guide...
Page 306
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 307
(config system schedule maintenance trigger 0)> time from HH:MM (config system schedule maintenance trigger 0)> The behavior of the start time varies depending on the setting of the duration length, which is configured in the next step.
Page 308
1 or 0 are also allowed. Note If your device is managed by a Digi Remote Manager configuration, the configuration manages the device's firmware version. You should not enable this option.
Type quit to disconnect from the device. Disable device encryption You can disable the cryptography on your IX14 device. This can be used to ship unused devices from overseas without needing export licenses from the country from which the device is being shipped.
Select the Properties of the relevant network connection on the Windows PC. b. Click the Internet Protocol Version 4 (TCP/IPv4) parameter. c. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears. d. Configure with the following details: IP address for PC: 192.168.210.2 Subnet: 255.255.255.0 IX14 User Guide...
Gateway: 192.168.210.1 2. Connect the PC's Ethernet port to the Ethernet port on your IX14 device. 3. Open a telnet session and connect to the IX14 device at the IP address of 192.168.210.1. 4. Log into the device: Username: admin Password: The default unique password for your device is printed on the device label.
Page 312
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure the speed of your Ethernet port You can configure the speed of your IX14 device's Ethernet port. WebUI...
Page 314
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 315
4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Page 316
Use SSH with key authentication Configure telnet access Configure DNS Simple Network Management Protocol (SNMP) Location information Modbus gateway System time Network Time Protocol Configure a multicast route Enable service discovery (mDNS) Use the iPerf service Configure the ping responder service IX14 User Guide...
Allow remote access for web administration and SSH By default, only devices connected to the IX14's LAN have access to the device via web administration and SSH. To enable these services for access from remote devices: The IX14 device must have a publicly reachable IP address.
Page 318
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 319
Allow remote access for web administration and SSH WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 320
6. Click Apply to save the configuration and apply the change.
By default, the web administration service is enabled and uses the standard HTTPS port, 443. The default access control for the service uses the Internal firewall zone, which means that only devices connected to the IX14's LAN can access the WebUI. If this configuration is sufficient for your needs, no further configuration is required. See Allow remote access for web administration and SSH for information about configuring the web administration service to allow access from remote devices.
Page 322
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 323
Configure the service WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Web administration.
Page 324
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 325
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 326
No limit to IPv6 addresses that can access the web administration service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: (config)> add service web_admin acl interface end value (config)>...
Page 327
If SSL certificate is blank, the device will use an automatically-generated, self-signed certificate. The SSL certificate and private key must be in PEM format. The private key can use one of the following algorithms: ECDSA ECDH Note Password-protected certificate keys are not supported. Example IX14 User Guide...
Page 329
Legacy port redirection is used to redirect client HTTP requests to the HTTPS service. Legacy port redirection is enabled by default, and normally these settings should not be changed. To disable legacy port redirection: (config)> service web_admin legacy enable false (config)>
Page 330
9. Save the configuration and apply the change: (config)> save Configuration saved. > 10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Configure SSH access The IX14's default configuration has SSH access enabled, and allows SSH access to the device from authorized users within the Internal firewall zone. If this configuration is sufficient for your needs, no further configuration is required. See Allow remote access for web administration and SSH for information about configuring the SSH service to allow access from remote devices.
Page 332
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 333
Configure the service WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > SSH.
Page 334
No limit to IPv6 addresses that can access the SSH service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 335
Configure SSH access Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 336
Repeat this step to list additional firewall zones. 4. (Optional) Set the private key in PEM format. If not set, the device will use an automatically-generated key. (config)> service ssh key key.pem (config)> 5. (Optional) Configure Multicast DNS (mDNS)
Page 337
OpenSSH sshd_config file. For example, to enable the diffie-hellman-group14-sha1 key exchange algorithm: (config)> service ssh custom config_file "KexAlgorithms +diffie-hellman-group14-sha1" (config)> 8. Save the configuration and apply the change: (config)> save Configuration saved. >
Page 338
9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
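The custom sshd_config step in the procedure above can re-enable legacy key exchange algorithms, so it is worth reviewing what a fleet actually has set. The following is an added example, not part of the Digi guide: a Python check that reads Admin CLI lines of the form service ssh custom config_file "..." and reports any SHA-1 based key exchange algorithm that a KexAlgorithms directive turns on. The sample lines are constructed, and the set of SHA-1 algorithm names is the one OpenSSH uses.

```python
import re
import shlex

# SHA-1 based key exchange algorithm names as used by OpenSSH.
SHA1_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

# Admin CLI command that carries raw sshd_config text, as shown in the guide.
CLI_PREFIX = ["service", "ssh", "custom", "config_file"]

# OpenSSH list modifiers: '+' appends to the default set, '-' removes from
# it, '^' moves the names to the head of the default set.
MODES = {"+": "append", "-": "remove", "^": "prepend"}


def extract_sshd_text(cli_line):
    """Return the sshd_config text carried by one Admin CLI line, or None."""
    # Drop a leading prompt such as "(config)> " if present.
    line = re.sub(r"^\s*\([^)]*\)>\s*", "", cli_line.strip())
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if len(tokens) != 5 or tokens[:4] != CLI_PREFIX:
        return None
    return tokens[4]


def audit_kex(sshd_text):
    """Return (mode, algorithm) for each SHA-1 KEX the text enables."""
    findings = []
    for raw in sshd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # sshd_config keywords are case-insensitive.
        if len(parts) != 2 or parts[0].lower() != "kexalgorithms":
            continue
        value = parts[1].strip()
        mode = "replace"
        if value[0] in MODES:
            mode = MODES[value[0]]
            value = value[1:]
        if mode == "remove":
            continue  # removing algorithms does not enable anything
        for name in value.split(","):
            name = name.strip()
            if name in SHA1_KEX:
                findings.append((mode, name))
    return findings


def audit_cli_lines(lines):
    """Return (line_number, mode, algorithm) for every finding."""
    report = []
    for number, cli_line in enumerate(lines, 1):
        text = extract_sshd_text(cli_line)
        if text is None:
            continue
        for mode, name in audit_kex(text):
            report.append((number, mode, name))
    return report


# Constructed sample: one captured CLI line per device under review.
SAMPLE = [
    '(config)> auth idle_timeout 600s',
    '(config)> service ssh custom config_file '
    '"KexAlgorithms +diffie-hellman-group14-sha1"',
    'service ssh custom config_file '
    '"KexAlgorithms -diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"',
    'service ssh custom config_file '
    '"KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha1"',
    'service ssh custom config_file "KexAlgorithms ^diffie-hellman-group1-sha1"',
]

if __name__ == "__main__":
    for number, mode, name in audit_cli_lines(SAMPLE):
        print(f"line {number}: {mode} enables {name}")
```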
SSH public key for the user Additional configuration items If you want to access the IX14 device using SSH over a WAN interface, configure the access control list for the SSH service to allow SSH access for the External firewall zone.
Page 340
These instructions assume an existing user named temp_user. 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 341
4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
The telnet service is disabled by default. To enable the service: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 343
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 344
No limit to IPv6 addresses that can access the telnet service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 345
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 346
Services Configure telnet access To limit access to hosts connected through a specified interface on the IX14 device: (config)> add service telnet acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Type quit to disconnect from the device. Configure DNS The IX14 device includes a caching DNS server which forwards queries to the DNS servers that are associated with the network interfaces, and caches the results. This server is used within the device, and cannot be disabled.
Page 348
Services Configure DNS WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > DNS.
Page 349
Services Configure DNS To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click again to allow access through additional interfaces.
Page 350
Services Configure DNS 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: >...
Page 351
5. (Optional) Query all servers By default, the device's DNS server queries all available DNS servers. Disabling this option may improve performance on networks with transient DNS results, when one or more DNS servers may have positive results. To disable:
Page 352
9. (Optional) Add host names and their IP addresses that the device's DNS server will resolve a. Add a host: (config)> add service dns host end (config service dns host 0)> b. Set the IP address of the host: (config service dns host 0)> address ip-addr (config service dns host 0)>
Command line Show DNS information 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
By default, the IX14 device automatically blocks SNMP packets from being received over WAN and LAN interfaces. As a result, if you want an IX14 device to receive SNMP packets, you must configure the SNMP access control list to allow the device to receive the packets. See...
Page 355
No limit to IPv6 addresses that can access the SNMP agent. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 356
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 357
No limit to IPv6 addresses that can access the SNMP service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: (config)> add service snmp acl interface end value (config)>...
Page 358
10. (Optional) Set the privacy passphrase. If not set, the password, entered above, is used. (config)> service snmp privacy pwd (config)> 11. (Optional) Set the privacy protocol, either DES or AES. The default is DES. (config)> service snmp privacy_protocol AES (config)> 12. (Optional) Enable read-only access to SNMP version 2c.
To download a .zip archive of the SNMP MIBs supported by this device: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. Enable SNMP. See Configure Simple Network Management Protocol (SNMP) for information about enabling and configuring SNMP support on the IX14 device.
Location messages forwarded to the device from other location-enabled devices. You can also configure your IX14 device to forward location messages, either from the IX14 device or from external sources, to a remote host. Additionally, the device can be configured to use a geofence, to allow you to determine actions that will be taken based on the physical location of the device.
The location service is enabled by default. You can disable it, or you can enable it if it has been disabled. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location.
Page 362
(config)> To disable the module: (config)> service location gnss false (config)> 4. Set the amount of time that the IX14 device will wait before polling location sources for updated location data: (config)> service location interval value (config)> where value is any number of hours, minutes, or seconds, and takes the format number{h|m|s}.
You can configure your IX14 device to use a user-defined static location. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 364
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
You can configure the IX14 device to accept NMEA and TAIP messages from external sources. For example, location-enabled devices connected to the IX14 device can forward their location information to the device, and then the IX14 device can serve as a central repository for this location information and forward it to a remote host. See Forward location information to a remote host for information about configuring the IX14 device to forward location messages.
Page 366
No limit to IPv6 addresses that can access the location server UDP port. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 367
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 368
No limit to IPv6 addresses that can access the location server UDP port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: (config)> add service location source 1 acl interface end value (config)>...
Type quit to disconnect from the device. Forward location information to a remote host You can configure location clients on the IX14 device that forward location messages in either NMEA or TAIP format to a remote host. Required configuration items Enable the location service.
Page 370
Configure the IX14 device to forward location information: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 371
ID. The default setting is Default, which means that the talker ID provided by the source will be used. 13. (Optional) For Prepend text, enter text to prepend to the forwarded message. Two variables can be included in the prepended text:
Page 372
15. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 373
9. (Optional) Set the text to prepend to the forwarded message. Two variables can be included in the prepended text: %s: Includes the IX14 device's serial number in the prepended text. %v: Includes the vehicle ID in the prepended text.
Page 374
Use the add command to add the message type. For example, to add the gsa message type: (config service location forward 0 filter_nmea)> add gsa end (config service location forward 0 filter_nmea)> If the message protocol type is TAIP:
Type quit to disconnect from the device. Configure geofencing Geofencing is a mechanism to create a virtual perimeter that allows you to configure your IX14 device to perform actions when entering or exiting the perimeter. For example, you can configure a device to...
Page 376
Whether the script should be executed within a sandbox that will prevent the script from affecting the system itself. Additional configuration items Update interval, which determines the amount of time that the geofence should wait between polling for updated location data. WebUI
Page 377
Services Location information 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Geofence.
Page 378
Click again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: This defines a square-shaped polygon equivalent to the following:...
Page 379
1MB or 1M. vi. Sandbox is enabled by default. This prevents the script from adversely affecting the system. If you disable Sandbox, the script may render the system unusable. vii. Repeat for any additional actions.
Page 380
Sandbox is enabled by default. This prevents the script from adversely affecting the system. If you disable Sandbox, the script may render the system unusable. vii. Repeat for any additional actions. 8. Click Apply to save the configuration and apply the change.
Page 381
Location information Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 382
(config service location geofence test_geofence coordinates 0)> where int is: For latitude, any number between -90 and 90, with up to six decimal places. For longitude, any number between -180 and 180, with up to six decimal places.
Page 383
For longitude, any number between -180 and 180, with up to six decimal places. Repeat for each vertex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add...
Page 384
3, the actions will not be performed until the device has been inside the geofence for three minutes. c. Add an action: i. Type ... to return to the root of the configuration: (config service location geofence test_geofence coordinates 3)> ... (config)>
Page 385
(Optional) Set the maximum amount of system memory that will be available for the script and its spawned processes: (config service location geofence test_geofence on_entry action 0)> max_memory value (config service location geofence test_geofence on_entry action 0)>
Page 386
Add an action: i. Type ... to return to the root of the configuration: (config service location geofence test_geofence coordinates 3)> ... (config)> ii. Add the action: (config)> add service location geofence test_geofence on_exit action end
Page 387
0)> max_memory value (config service location geofence test_geofence on_exit action 0)> where value is any integer followed by one of the following: b|bytes|KB|k|MB|M|GB|G|TB|T. For example, to allocate one megabyte of memory to the script and its spawned processes:
Command line Show location information 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Type quit to disconnect from the device. Modbus gateway The IX14 supports the ability to function as a Modbus gateway, to provide serial-to-Ethernet connectivity to Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and other industrial devices. MODBUS provides client/server communication between devices connected on different types of buses and networks, and the IX14 gateway allows for communication between buses and networks that use the Modbus protocol.
The maximum time between bytes in a packet. Whether to send broadcast messages. Response timeout. If connection type is set to socket: The port to use. The inactivity timeout. If connection type is set to serial: Whether to use half duplex (two wire) mode.
Page 391
Whether packets should have their Modbus address adjusted downward before delivery. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 392
For Port, enter or select an appropriate port. The default is port 502. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the IX14 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection type is set to Serial) for the type of packet that will be used by this connection.
Page 393
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 394
Modbus server is running. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the IX14 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection type is set to Serial) for the type of packet that will be used by this connection.
Page 395
No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 396
17. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 397
Set the amount of time to wait before disconnecting the socket when it has become inactive: (config service modbus_gateway server test_modbus_server)> inactivity_timeout value (config service modbus_gateway server test_modbus_server)> where value is any number of minutes or seconds up to a maximum of 15 minutes, and takes the format number{m|s}.
Page 398
(config service modbus_gateway server test_modbus_server)> serial idle_gap value (config service modbus_gateway server test_modbus_server)> where value is any number between 10 milliseconds and one second, and takes the format number{ms|s}. For example, to set idle_gap to one second, enter 1000ms or 1s.
Page 399
(config service modbus_gateway client test_modbus_client)> where value is either tcp or udp. ii. Set the port: (config service modbus_gateway client test_modbus_client)> socket port (config service modbus_gateway client test_modbus_client)> where port is an integer between 1 and 65535. The default is 502.
Page 400
(config service modbus_gateway client test_modbus_client)> If connection_type is set to serial: i. Set the serial port: i. Use the ? to determine available serial ports: (config service modbus_gateway client test_modbus_client)> ... serial port ? Serial Additional Configuration -------------------------------------------------------
Page 401
Set the maximum time to wait for a response to a message: (config service modbus_gateway client test_modbus_client)> response_timeout value (config service modbus_gateway client test_modbus_client)> Allowed values are between 1 millisecond and 700 milliseconds, and take the format numberms.
Page 402
Modbus address in the message. h. To adjust the Modbus server address downward by the specified value prior to delivering the message, use adjust_server_address: (config service modbus_gateway client test_modbus_client)> adjust_server_address value (config service modbus_gateway client test_modbus_client)>
WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, select Status > Modbus Gateway. The Modbus Gateway page appears. Statistics related to the Modbus gateway server are displayed. If the message Server connections not available is displayed, this indicates that there are no connected clients.
Page 404
Modbus gateway Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Use the...
Page 405
RX Responses RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Configure the system time for details about changing the default configuration. The IX14 device can also be configured to serve as an NTP server, providing NTP services to downstream devices. See Network Time Protocol for more information about NTP server support.
Page 407
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 408
2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Set the timezone for the location of your IX14 device. The default is UTC. (config)> system time timezone value (config)> Where value is the timezone using the format specified with the following command: (config)>...
Page 409
Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Network Time Protocol (NTP) enables devices connected on local and worldwide networks to synchronize their internal software and hardware clocks to the same time source. The IX14 device can be configured as an NTP server, allowing downstream hosts that are attached to the device's Local Area Networks to synchronize with the device.
3. Click Services > NTP. 4. Enable the IX14 device's NTP service by clicking Enable. 5. (Optional) Configure the access control list to limit downstream access to the IX14 device's NTP service. To limit access to specified IPv4 addresses and networks: a.
Page 412
No limit to IPv6 addresses that can access the NTP service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 413
9. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 414
5. Allow the device's local system clock to be used as backup time source: (config)> service ntp local true (config)> 6. (Optional) Configure the access control list to limit downstream access to the IX14 device's NTP service. To limit access to specified IPv4 addresses and networks: (config)>...
Page 415
By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX14 device can use the NTP service. 7. (Optional) Set the timezone for the location of your IX14 device. The default is UTC. (config)> system time timezone value (config)>...
Command line Show NTP information 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To configure a multicast route: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Multicast.
Page 418
6. Type the Source address for the route. This must be a multicast IP address between 224.0.0.1 and 239.255.255.255. 7. Select a Source interface where multicast packets will arrive. 8. To add one or more destination interfaces that the IX14 device will send multicast packets to: a. Click to expand Destination interfaces. b. Click .
Set the interface. For example: (config service multicast test)> src_interface /network/interface/LAN (config service multicast test)> 7. Set a destination interface that the IX14 device will send multicast packets to: a. Use the ? to determine available interfaces: (config service multicast test)> src_interface ? Destination interface: Which interface to send the multicast packets.
Page 420
Enable service discovery (mDNS) WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Service Discovery (mDNS).
Page 421
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 422
No limit to IPv6 addresses that can access the mDNS service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: (config)> add service mdns acl interface end value (config)>...
Type quit to disconnect from the device. Use the iPerf service Your IX14 device includes an iPerf3 server that you can use to test the performance of your network. iPerf3 is a command-line tool that measures the maximum network throughput an interface can handle.
Page 424
Services Use the iPerf service When the iPerf server is enabled, the IX14 device will automatically configure its firewall rules to allow incoming connections on the configured listening port. You can restrict access by configuring the access control list for the iPerf server.
Page 425
7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 426
No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: (config)> add service iperf acl interface end value (config)>...
Example performance test using iPerf3 On a remote host with iPerf3 installed, enter the following command: $ iperf3 -c device_ip where device_ip is the IP address of the IX14 device. For example: $ iperf3 -c 192.168.2.1 Connecting to host 192.168.2.1, port 5201 [  4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201...
Done. Configure the ping responder service Your IX14 device's ping responder service replies to ICMP and ICMPv6 echo requests. The service is enabled by default. You can disable the service, or you can configure the service to use an access control list to limit the service to specified IP addresses, interfaces, and/or zones.
Page 429
No limit to IPv6 addresses that can access the ping responder. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces.
Page 430
Services Configure the ping responder service 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 431
Additional Configuration -------------------------------------------------------- ----------------------- dynamic_routes edge external internal ipsec loopback setup (config)> Repeat this step to list additional firewall zones. 6. Save the configuration and apply the change: (config)> save Configuration saved. >
Example performance test using iPerf3 On a remote host with iPerf3 installed, enter the following command: $ iperf3 -c device_ip where device_ip is the IP address of the IX14 device. For example: $ iperf3 -c 192.168.2.1 Connecting to host 192.168.2.1, port 5201 [  4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201...
Containers The IX14 device includes support for LXC Linux containers. LXC containers are a lightweight, operating system level method of virtualization that allows you to run one or more isolated Linux instances on the same host using the host's Linux kernel.
Serial ports on the device that the container will have access to. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 435
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 436
(config system container name)> gateway IP_address (config system container name)> 7. (Optional) Assign serial ports that the container will have access to: a. Determine available serial ports: (config system container name)> ... serial Serial Additional Configuration --------------------------------------------------------------------- ---------- port1 Port 1
Starting a container in non-persistent mode To start the container in non-persistent mode: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
To start the container in persistent mode, include the -p option at the command line. For example: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
2. Execute a ping command every ten seconds from inside the container. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 441
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple python script, and create a new container file that includes the python script.
If deselected, you will need to create the configuration manually. vi. Click Apply. 2. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Page 444
Containers Create a custom container 3. At the shell prompt, type: # lxc python_lxc lxc # 4. Execute the python command: lxc # python /etc/test.py Hello world. lxc #
Page 445
Applications The IX14 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time.
Whether the script should run one time only. Task one: Upload the application WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System.
Page 447
IX14 device. local-path is the location on the IX14 device where the copied file will be placed. For example: To upload a script from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX14 device, issue the following command: >...
Use with care. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Scheduled tasks > Custom scripts.
Page 449
If neither option is selected, only the script's exit code is written to the system log. 9. For Maximum memory, enter the maximum amount of memory available to be used by the script and its subprocesses, using the format number{b|bytes|KB|k|MB|M|GB|G|TB|T}.
Page 450
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 451
If the script begins with #!, then the script will be invoked in the location specified by the path for the script command. Otherwise, the default shell will be used (equivalent to #!/bin/sh).
12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure scripts to run manually You can configure scripts to be run manually.
Task one: Upload the application WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears. 3. Highlight the scripts directory and click to open the directory.
IX14 device. local-path is the location on the IX14 device where the copied file will be placed. For example: To upload a script from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX14 device, issue the following command: >...
Page 455
If neither option is selected, only the script's exit code is written to the system log. 9. For Maximum memory, enter the maximum amount of memory available to be used by the script and its subprocesses, using the format number{b|bytes|KB|k|MB|M|GB|G|TB|T}.
Page 456
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 457
10. Sandbox is enabled by default. This option protects the script from accidentally destroying the system it is running on. (config system schedule script 0)> sandbox true (config system schedule script 0)> 11. Save the configuration and apply the change: (config)> save Configuration saved. >
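The value formats and ranges this guide gives for the location interval, the Modbus gateway timeouts and port, max_memory, the SNMP privacy protocol and the script sandbox can be checked before a configuration is applied. The following Python sketch is an added example, not part of the Digi guide or Digi's software. It assumes each setting is supplied as one full-path line in the form typed at the (config)> prompt; the function names and the sample lines are constructed for illustration.

```python
import re

# Milliseconds per unit suffix used by the duration settings quoted in the guide.
UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}
# Memory sizes: an integer followed by one of the suffixes the guide lists.
MEMORY_RE = re.compile(r"[0-9]+(b|bytes|KB|k|MB|M|GB|G|TB|T)")


def duration_ms(text, units):
    """Convert 'number{unit}' to milliseconds; None if malformed or unit not allowed."""
    m = re.fullmatch(r"([0-9]+)(ms|s|m|h)", text)
    if not m or m.group(2) not in units:
        return None
    return int(m.group(1)) * UNIT_MS[m.group(2)]


def check_duration(value, units, lo_ms=None, hi_ms=None):
    ms = duration_ms(value, units)
    if ms is None:
        return "error", "expected number{%s}" % "|".join(units)
    if (lo_ms is not None and ms < lo_ms) or (hi_ms is not None and ms > hi_ms):
        return "error", "outside the documented range"
    return None


def check_port(value):
    if not re.fullmatch(r"[0-9]+", value) or not 1 <= int(value) <= 65535:
        return "error", "port must be an integer between 1 and 65535"
    return None


def check_memory(value):
    if not MEMORY_RE.fullmatch(value):
        return "error", "expected number{b|bytes|KB|k|MB|M|GB|G|TB|T}"
    return None


def check_privacy(value):
    if value == "DES":
        return "warn", "DES privacy is weak; AES is the other documented option"
    if value != "AES":
        return "error", "privacy protocol is either DES or AES"
    return None


def check_sandbox(value):
    if value == "false":
        return "warn", "sandbox disabled; the script can affect the system itself"
    if value != "true":
        return "error", "expected true or false"
    return None


# (setting path pattern, checker). Paths follow the CLI lines quoted in the guide.
RULES = [
    (r"service location interval", lambda v: check_duration(v, ("h", "m", "s"))),
    (r"service modbus_gateway server \S+ inactivity_timeout",
     lambda v: check_duration(v, ("m", "s"), hi_ms=15 * 60_000)),
    (r"service modbus_gateway server \S+ serial idle_gap",
     lambda v: check_duration(v, ("ms", "s"), lo_ms=10, hi_ms=1000)),
    (r"service modbus_gateway client \S+ response_timeout",
     lambda v: check_duration(v, ("ms",), lo_ms=1, hi_ms=700)),
    (r"service modbus_gateway client \S+ socket port", check_port),
    (r".* max_memory", check_memory),
    (r"service snmp privacy_protocol", check_privacy),
    (r".* sandbox", check_sandbox),
]


def lint(lines):
    """Return (line, severity, message) for every line that breaks a rule."""
    findings = []
    for raw in lines:
        parts = raw.strip().rsplit(None, 1)
        if len(parts) != 2:
            continue  # blank line or a bare keyword: nothing to validate
        path, value = parts
        for pattern, check in RULES:
            if re.fullmatch(pattern, path):
                result = check(value)
                if result:
                    findings.append((raw.strip(), result[0], result[1]))
                break
    return findings


# Constructed sample input (assumed full-path form), not taken from a real device.
SAMPLE = """\
service location interval 30s
service modbus_gateway server test_modbus_server inactivity_timeout 20m
service modbus_gateway server test_modbus_server serial idle_gap 1000ms
service modbus_gateway client test_modbus_client response_timeout 1s
service modbus_gateway client test_modbus_client socket port 502
service location geofence test_geofence on_entry action 0 max_memory 1MB
service location geofence test_geofence on_exit action 0 max_memory 512mb
service snmp privacy_protocol DES
system schedule script 0 sandbox false
""".splitlines()

if __name__ == "__main__":
    for line, severity, message in lint(SAMPLE):
        print("%-5s %s  (%s)" % (severity, line, message))
```
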
Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
3. For scripts that are currently running, click Stop Script to stop the script. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
The Scripts page displays: Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
1. Upload the Python application to the IX14 device: WebUI a. Log into the IX14 WebUI as a user with Admin access. b. On the menu, click System. Under Administration, click File System. The File System page appears. c. Highlight the scripts directory and click to open the directory.
IX14 device. local-path is the location on the IX14 device where the copied file will be placed. For example: To upload a script from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX14 device, issue the following command: >...
Applications Start an interactive Python session 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Use Python to respond to Digi Remote Manager SCI requests Use digidevice runtime to access the runtime database Use Python to upload the device name to Digi Remote Manager Use Python to access the device location data Use Python to set the maintenance window...
1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Help for using Python to execute IX14 CLI commands Get help executing a CLI command from Python by accessing help for cli.execute: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
For example, to use an interactive Python session to upload datapoints related to velocity, temperature, and the state of the emergency door: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint.upload and datapoint.upload_multiple: 1. Log into the IX14 command line as a user with shell access.
Use the config Python module to access and modify the device configuration. Read the device configuration 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Modify the device configuration Use the set() and commit() methods to modify the device configuration: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Get help for reading and modifying the device configuration by accessing help for digidevice.config: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Applications Digidevice module Use Remote Manager's SCI interface to create SCI requests that are sent to your IX14 device, and use the device_request module to send responses to those requests to Remote Manager. See the Digi Remote Manager Programmers Guide for more information on SCI.
Remote Manager. 1. Create a Python application, called showsystem.py, that uses the digidevice.cli module to create a response containing information about the device and the device_request module to respond with this information to a request from Remote Manager:
This can be done from either the WebUI or the command line: WebUI i. Log into the IX14 WebUI as a user with full Admin access rights. ii. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
For Label, type Show system application. vi. For Run mode, select On boot. vii. For Exit action, select Restart script. viii. For Commands, type python /etc/config/scripts/showsystem.py. ix. Click Apply to save the configuration and apply the change. Command line
i. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. ii. At the command line, type config to enter configuration mode: >...
> reboot To run the application from the shell prompt: i. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
You should receive a response similar to the following: <sci_reply version="1.0"> <data_service> <device id="00000000-00000000-0000FFFF-A83CF6A3"/> <requests> <device_request target_name="showSystem" status="0">Model : Digi IX14 Serial Number : IX14-000068 Hostname : IX14 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 22.2.9.85...
</sci_request> Help for using Python to respond to Digi Remote Manager SCI requests Get help for responding to Digi Remote Manager Server Command Interface (SCI) requests by accessing help for digidevice.device_request: 1. Log into the IX14 command line as a user with shell access.
Read from the runtime database Use the keys() and get() methods to read the device configuration: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Modify the runtime database Use the set() method to modify the runtime database: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager.
5. Click Send. Upload a custom name 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Manager by accessing help for digidevice.name: 1.
7. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Update the location data The location submodule takes a snapshot of the current location and stores it in the runtime database. You can update this snapshot:
1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. 2. At the shell prompt, use the python command with no parameters to enter an interactive...
Help for the digidevice location module Get help for the digidevice location module: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Schedule system maintenance tasks for more details. 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
Help for the digidevice maintenance module Get help for the digidevice maintenance module: 1. Log into the IX14 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell.
You can create Python scripts that send and receive SMS messages in tandem with the Digi Remote Manager or Digi aView by using the digidevice.sms module. To use a script to send or receive SMS messages, you must also enable the ability to schedule SMS scripting.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
COND.release() my_callback.unregister_callback() Use Python to access serial ports You can use the Python serial module to access serial ports on your IX14 device that are configured to be in Application mode. See Configure Application mode for information about configuring a serial port in Application mode.
6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT python library Your IX14 device includes support for the Paho MQTT python library. MQTT is a lightweight messaging protocol used to communicate with various applications including cloud-based applications such as Amazon Web Services and Microsoft Azure.
HTTPStatus.OK CMD_HANDLERS = { "reboot": cmd_reboot, "fw-update": cmd_fwupdate def send_cmd_reply(client, cmd_path, cid, cmd, status): if not status or not cid: return if cmd_path.startswith(PREFIX_CMD): path = cmd_path[len(PREFIX_CMD):] else: print("Invalid command path ({}), cannot send reply".format(cmd_path))
# Return if client-ID not passed return None send_cmd_reply(client, msg.topic, cid, cmd, HTTPStatus.BAD_REQUEST) try: status = CMD_HANDLERS[cmd](payload) except: print("Invalid command: {}".format(cmd)) status = HTTPStatus.NOT_IMPLEMENTED send_cmd_reply(client, msg.topic, cid, cmd, status) def publish_dhcp_leases(): leases = [] try:
Collect device health data and set the sample interval Enable event log upload to Digi Remote Manager Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
This URL is required to utilize the client-side certificate support. Prior to release 22.2.9.x, the default URL was my.devicecloud.com. If your Digi device is configured to use a non-default URL to connect to Remote Manager, updating the firmware will not change your configuration. However, if you erase the device's configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
To configure Digi Remote Manager: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
6. (Optional) For Management port, type the destination port for the remote cloud services connection. The default is 3199. 7. (Optional) For Retry interval, type the amount of time that the IX14 device should wait before reattempting to connect to remote cloud services after being disconnected. The default is 30 seconds.
CLI. If disabled, no login prompt will be presented and the user will be logged in as admin. The default is disabled. 14. (Optional) Configure the IX14 device to communicate with remote cloud services by using SMS: a. Click to expand Short message service.
(config)> cloud drm drm_url url (config)> 6. (Optional) Set the amount of time that the IX14 device should wait before reattempting to connect to the remote cloud services after being disconnected. The minimum value is ten seconds. The default is 30 seconds.
(config)> cloud drm keep_alive 600s (config)> 8. (Optional) Set the amount of time that the IX14 device should wait between sending keep-alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
If set to false, no login prompt will be presented and the user will be logged in as admin. The default is false. 13. (Optional) Configure the IX14 device to communicate with remote cloud services by using SMS: a. Enable SMS messaging: (config)>...
Collect device health data and set the sample interval You can enable or disable the collection of device health data to upload to Digi Remote Manager, and configure the interval between health sample uploads. By default, device health data upload is enabled, and the health sample interval is set to 60 minutes.
1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to...
(config)> When disabled, all metrics are uploaded every Health sample interval. 6. (Optional) Tuning parameters allow you to configure what data are uploaded to the Digi Remote Manager. By default, all tuning parameters are enabled. To view a list of all available tuning parameters, use the show command: (config)>...
Type quit to disconnect from the device. Enable event log upload to Digi Remote Manager You can configure your device to upload the event log to Digi Remote Manager, and configure the interval between event log uploads. To enable the event log upload, or disable it if it has been disabled, and to change the upload interval: ...
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
1. If you have not already done so, click here to sign up for a Digi Remote Manager account. 2. Check your email for Digi Remote Manager login instructions. 3. Go to remotemanager.digi.com. 4. Log into your Digi Remote Manager account.
Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. Click Device Management to display a list of your devices.
The same default password is also shown on the label affixed to the bottom of the device. 6. Click Add. 7. Click OK. Digi Remote Manager adds your IX14 device to your account and it appears in the Device Management view. View Digi Remote Manager connection status To view the current Digi Remote Manager configuration: ...
Digi recommends you take advantage of Digi Remote Manager profiles to manage multiple IX14 routers. Typically, if you want to provision multiple IX14 routers: 1. Using the IX14 local WebUI, configure one IX14 router to use as the model configuration for all subsequent IX14s you need to manage.
Central management Learn more For information on using Digi Remote Manager to configure and manage IX14 routers, see the Digi Remote Manager User Guide. For information on using Digi Remote Manager APIs to develop custom applications, see the Digi Remote Manager Programmer Guide.
Monitoring This chapter contains the following topics: intelliFlow Configure NetFlow Probe
WebUI. To use intelliFlow, the IX14 must be powered on and you must have access to the local WebUI. Once you enable intelliFlow, the Status >...
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
This procedure is only available from the WebUI. To display average CPU and RAM usage: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
Top data usage by service To generate a top data usage chart: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow. 3. From the menu, click Status > intelliFlow.
5. Change the type of chart that is used to display the data: a. Click the menu icon. b. Select the type of chart. 6. Change the number of top users displayed. You can display the top five, top ten, or top twenty data users.
Use intelliFlow to display data usage by host over time To generate a chart displaying a host's data usage over time: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
To save the chart to your local filesystem, select Export to PNG. c. To print the chart, select Print chart. Configure NetFlow Probe NetFlow probe is used to probe network traffic on the IX14 device and export statistics to NetFlow collectors. Required configuration items Enable NetFlow.
Configure NetFlow Probe WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Monitoring > NetFlow probe.
12. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
1 and 1800. The default is 1800. 8. Set the maximum number of flows to probe simultaneously: (config)> monitoring netflow max_flows value (config)> where value is any number between 0 and 2000000. The default is 2000000.
(config monitoring netflow collector 0)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) L2TP L2TPv3 Ethernet NEMO
Authentication of data to ensure an unauthorized device has not injected it into the IPsec tunnel. IPsec mode The IX14 supports the Tunnel mode. With the Tunnel mode, the entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a new IP packet. Transport mode is not currently supported.
Client authentication XAUTH (extended authentication) pre-shared key authentication mode provides additional security by using client authentication credentials in addition to the standard pre-shared key. The IX14 device can be configured to authenticate with the remote peer as an XAUTH client. RSA Signatures With RSA signatures authentication, the IX14 device uses a private RSA key to authenticate with a...
Disable the padding of IKE packets. This should normally not be done except for compatibility purposes. Destination networks that require source NAT. Depending on your network and firewall configuration, you may need to add a packet filtering rule to allow incoming IPsec traffic.
WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > IPsec.
The metric can also be used in tandem with SureLink to configure IPsec failover behavior. See Configure IPsec failover for more information. 11. For Mode, select Tunnel mode. Transport mode is not currently supported.
SCEP certificates: Uses Simple Certificate Enrollment Protocol (SCEP) to download a private key, certificates, and an optional Certificate Revocation List (CRL) to the IX14 device from a SCEP server. You must create the SCEP client prior to configuring the IPsec tunnel. See...
For IPv6 ID value, type an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6 address. RFC822/Email: The ID will be interpreted as an RFC822 (email address). For RFC822 ID value, type the ID in internet email address format.
RFC822/Email: The ID will be interpreted as an RFC822 (email address). For RFC822 ID value, type the ID in internet email address format. FQDN: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as an ID_FQDN IKE identity.
For Protocol, select one of the following: Any: Matches any protocol. TCP: Matches TCP protocol only. UDP: Matches UDP protocol only. ICMP: Matches ICMP requests only. Other protocol: Matches an unlisted protocol. If Other protocol is selected, type the number of the protocol.
If supported by the peer: Send oversized IKE messages in fragments, if the peer supports receiving them. Always: Always send IKEv1 messages in fragments. For IKEv2, this option is equivalent to If supported by the peer. Never: Do not send oversized IKE messages in fragments.
22. (Optional) Click to expand Dead peer detection. Dead peer detection is enabled by default. Dead peer detection uses periodic IKE transmissions to the remote endpoint to detect whether tunnel communications have failed, allowing the tunnel to be automatically restarted when failure occurs.
Configure SureLink active recovery for IPsec for information about IPsec Active recovery. 25. (Optional) Click Advanced to set various IPsec-related time out, keep alive, and related values. 26. Click Apply to save the configuration and apply the change.
IPsec Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Only the payload of the IP packet is encrypted and/or authenticated. The IP header is unencrypted. The default is tunnel. 8. Set the protocol: (config vpn ipsec tunnel ipsec_example)> type protocol (config vpn ipsec tunnel ipsec_example)> where protocol is either:
Set the private key passphrase that is used to decrypt the private key. Leave blank if the private key is not encrypted. (config vpn ipsec tunnel ipsec_example)> auth private_key_passphrase passphrase (config vpn ipsec tunnel ipsec_example)> c. For the peer_public_key parameter, paste the peer's public RSA key in PEM format:
(config vpn ipsec tunnel ipsec_example)> 11. (Optional) Configure the device to connect to its remote peer as an XAUTH client: a. Enable XAUTH client functionality: (config vpn ipsec tunnel ipsec_example)> xauth_client enable true (config vpn ipsec tunnel ipsec_example)>
Any ID will be accepted. ipv4: The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR IKE identity. Set an IPv4 formatted ID. This can be a fully-qualified domain name or an IPv4 address.
Repeat for additional hostnames. b. Set the hostname selection type: (config vpn ipsec tunnel ipsec_example)> remote hostname_selection value (config vpn ipsec tunnel ipsec_example)> where value is one of:
Set the ID in internet email address format: (config vpn ipsec tunnel ipsec_example)> remote id type rfc822_id id (config vpn ipsec tunnel ipsec_example)> fqdn: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as an ID_FQDN IKE identity.
Do not send oversized IKE messages in fragments, but announce support for fragmentation to the peer. The default is always. e. Padding of IKE packets is enabled by default and should normally not be disabled except for compatibility purposes. To disable:
Configure the types of encryption, hash, and Diffie-Hellman group to use during phase 1: i. Add a phase 1 proposal: (config vpn ipsec tunnel ipsec_example)> add ike phase1_proposal (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>
(config vpn ipsec tunnel ipsec_example ike phase1_proposal)> add end (config vpn ipsec tunnel ipsec_example ike phase1_proposal 1)> Repeat the above steps to set the type of encryption, hash, and Diffie-Hellman group for the additional proposal. iii. Repeat to add more phase 1 proposals.
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ii. Set the Diffie-Hellman group type: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> The default is modp2048. vi. (Optional) Add additional phase 2 proposals:
(config vpn ipsec tunnel ipsec_example nat 0)> b. Set the IPv4 address and optional netmask of a destination network that requires source NAT. You can also use any, meaning that any destination network connected to the tunnel will use source NAT.
Current value: (config vpn ipsec tunnel ipsec_example policy 0)> local address ii. Set the interface. For example: (config vpn ipsec tunnel ipsec_example policy 0)> local address LAN (config vpn ipsec tunnel ipsec_example policy 0)>
Set the protocol matching criteria for the local traffic selector: (config vpn ipsec tunnel ipsec_example policy 0)> local protocol value (config vpn ipsec tunnel ipsec_example policy 0)> where value is one of: any: Matches any protocol. tcp: Matches TCP protocol only.
Allowed values are an integer between 1 and 255. 19. (Optional) You can also configure various IPsec related time out, keep alive, and related values: a. Change to the root of the configuration schema: (config vpn ipsec tunnel ipsec_example policy 0)> ... (config)>
20. Save the configuration and apply the change: (config)> save Configuration saved. > 21. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Virtual Private Networks (VPN) IPsec Configure IPsec failover There are two methods to configure the IX14 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a value that is higher than the metric of the primary tunnel (for example, 20). Command line
Use the ? to view a list of available tunnels: (config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover ? Preferred tunnel: This tunnel will not start until the preferred tunnel has failed. It will continue to operate until the preferred tunnel returns to full operation
(config vpn ipsec tunnel backup_ipsec_tunnel)> Configure SureLink active recovery for IPsec You can configure the IX14 device to regularly probe IPsec tunnels to determine if the connection has failed and take remedial action. You can also configure the IPsec tunnel to fail over to a backup tunnel. See Configure IPsec failover for further information.
1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > IPsec.
Ping test: Tests connectivity by sending an ICMP echo request to the hostname or IP address specified in Ping host. You can also optionally change the number of bytes in the Ping payload size. DNS test: Tests connectivity by sending a DNS query to the specified DNS server.
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
10. Set the amount of time that the device should wait for a response to a probe attempt before considering it to have failed: (config vpn ipsec tunnel ipsec_example)> surelink timeout value (config vpn ipsec tunnel ipsec_example)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Tests connectivity by sending an HTTP or HTTPS GET request to the specified URL. Specify the url: (config vpn ipsec tunnel ipsec_example surelink target 0)> http_url value (config vpn ipsec tunnel ipsec_example surelink target 0)> where value uses the format http[s]://hostname/[path]
(config vpn ipsec tunnel ipsec_example surelink target 0)> If other is set: Set the alternate interface to be tested: i. Use the ? to determine available interfaces: (config vpn ipsec tunnel ipsec_example surelink target 0)> other_interface ?
> 13. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show IPsec status and statistics WebUI
Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Simple Certificate Enrollment Protocol (SCEP) is a mechanism that allows for large-scale X.509 certificate deployment. You can configure the IX14 device to function as a SCEP client that will connect to a SCEP server that is used to sign Certificate Signing Requests (CSRs), provide Certificate Revocation Lists (CRLs), and distribute valid certificates from a Certificate Authority (CA).
WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > SCEP Client.
15. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Set the Domain Component:
(config network scep_client scep_client_name)> distinguished_name dc value
(config network scep_client scep_client_name)>
b. Set the two letter Country Code:
(config network scep_client scep_client_name)> distinguished_name c value
(config network scep_client scep_client_name)>
c. Set the State or Province:
10. Set the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value is configured on the SCEP server, and is used by the IX14 device to determine when to start attempting to auto-renew an existing certificate. The default is 7.
Example: SCEP client configuration with Fortinet SCEP server
In this example configuration, we will configure the IX14 device as a SCEP client that will connect to a Fortinet SCEP server.
Fortinet configuration
On the Fortinet server: 1.
On the IX14 device: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > SCEP Client.
13. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Set the two letter Country Code:
(config network scep_client Fortinet_SCEP_client)> distinguished_name c value
(config network scep_client Fortinet_SCEP_client)>
c. Set the State or Province:
(config network scep_client Fortinet_SCEP_client)> distinguished_name st value
(config network scep_client Fortinet_SCEP_client)>
d. Set the Locality:
(config network scep_client Fortinet_SCEP_client)>
9. (Optional) Set the filename of the Certificate Revocation List (CRL) from the CA. The CRL is stored on the IX14 device in the /etc/config/scep_client/client_name directory.
(config network scep_client Fortinet_SCEP_client)> crl_name name
(config network scep_client Fortinet_SCEP_client)>...
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. The device must be rebooted for the change to take effect. See Reboot your IX14 device.
OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on its LAN interfaces to the OpenVPN server. The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The IX14 device supports two types of OpenVPN topology:...
OpenVPN managed—The IX14 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration).
Device only—IP addressing is controlled by the system, not by OpenVPN.
Additional OpenVPN parameters. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Servers.
Certificate and username/password: Uses both certificates and a username and password for client authentication. Each client requires a public and private key, and you must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions.
No limit to IPv6 addresses that can access the service-type. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces. b. For Add Interface, click .
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
80, the first client IP address will be 192.168.1.80. The default is from 80.
ii. Set the last address in the range limit:
(config vpn openvpn server name)> server_last_ip value
(config vpn openvpn server name)>
(config vpn openvpn server name)> cacert value
(config vpn openvpn server name)>
iii. Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter:
(config vpn openvpn server name)> server_cert value
(config vpn openvpn server name)>
No limit to IPv6 addresses that can access the service-type.
Repeat this step to list additional IP addresses or networks.
To limit access to hosts connected through a specified interface on the IX14 device:
(config vpn openvpn server name)> add acl interface end value
(config vpn openvpn server name)>...
(config vpn openvpn server name)> advanced_options enable true
(config vpn openvpn server name)>
b. Configure whether the additional OpenVPN parameters should override default options:
(config vpn openvpn server name)> advanced_options override true
(config vpn openvpn server name)>
WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Click to expand the OpenVPN node. e. Click to add a tunnel. f. For Tunnel, select an OpenVPN tunnel to which users of this group will have access. g. Repeat to add additional OpenVPN tunnels.
Click to expand the Groups node. e. Click to add a group to the user. f. Select a Group with OpenVPN access enabled. 5. Click Apply to save the configuration and apply the change.
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
OpenVPN active recovery. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
7. Paste the content of the client.ovpn file into the value of the config_file parameter:
(config vpn openvpn client name)> config_file value
(config vpn openvpn client name)>
8. Save the configuration and apply the change:
(config)> save
Configuration saved.
>
OpenVPN active recovery. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. The OpenVPN client is enabled by default. To disable, click Enable. 6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable.
15. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config vpn openvpn client name)> username value
(config vpn openvpn client name)> password value
(config vpn openvpn client name)>
9. Set the IP address of the OpenVPN server:
(config vpn openvpn client name)> server ip_address
(config vpn openvpn client name)>
Type quit to disconnect from the device.
Configure SureLink active recovery for OpenVPN
You can configure the IX14 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action.
To configure the IX14 device to regularly probe the OpenVPN connection: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Response timeout to ten minutes, enter 10m or 600s. The default is 15 seconds.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Initial connection time to ten minutes, enter 10m or 600s. The default is 60 seconds. 14. Click Apply to save the configuration and apply the change.
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config vpn openvpn client openvpn_client1 surelink target 0)> test value
(config vpn openvpn client openvpn_client1 surelink target 0)>
where value is one of:
ping: Tests connectivity by sending an ICMP echo request to a specified hostname or IP address.
(config vpn openvpn client openvpn_client1 surelink target 0)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set timeout to ten minutes, enter either 10m or 600s:
Set the alternate interface to be tested:
i. Use the ? to determine available interfaces:
(config vpn openvpn client openvpn_client1 surelink target 0)> other_interface ?
Interface: The network interface.
Format:
/network/interface/defaultip
/network/interface/defaultlinklocal
/network/interface/lan
/network/interface/loopback
/network/interface/modem
Current value:
Show Surelink status and statistics for information about showing Surelink status for OpenVPN clients.
Show OpenVPN server status and statistics
You can view status and statistics for OpenVPN servers from either the web interface or the command line:
WebUI
OpenVPN server's status pane. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
OpenVPN client's status pane. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Task One: Create a GRE loopback endpoint interface WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Task Two: Configure the GRE tunnel WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
(config vpn iptunnel gre_example)> save
Configuration saved.
>
9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
To view information about currently configured GRE tunnels: WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click Status > IP tunnels. The IP Tunnels page appears. 3. To view configuration details about a GRE tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
Example: GRE tunnel over an IPSec tunnel The IX14 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.
3. Create a GRE tunnel named gre_tunnel2: a. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint2. b. Remote endpoint set to the IP address of the GRE tunnel on IX14-1, 172.30.0.1. 4. Create an interface named gre_interface2 and add it to the GRE tunnel: a.
15. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
4. Set the pre-shared key to testkey:
(config vpn ipsec tunnel ipsec_gre1)> auth secret testkey
(config vpn ipsec tunnel ipsec_gre1)>
5. Set the remote endpoint to the public IP address of the IX14-2 device:
(config vpn ipsec tunnel ipsec_gre1)> remote hostname 192.168.101.1
(config vpn ipsec tunnel ipsec_gre1)>...
6. For Address, type the IP address of the local GRE tunnel, 172.30.0.1/32.
7. Click Apply to save the configuration and apply the change.
Command line
1. At the command line, type config to enter configuration mode:
> config
(config)>
3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_endpoint1). 4. For Remote endpoint, type the IP address of the GRE tunnel on IX14-2, 172.30.0.2. 5. Click Apply to save the configuration and apply the change.
(config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1
(config vpn iptunnel gre_tunnel1)>
4. Set the remote endpoint to the IP address of the GRE tunnel on IX14-2, 172.30.0.2:
(config vpn iptunnel gre_tunnel1)> remote 172.30.0.2
(config vpn iptunnel gre_tunnel1)>
5. Save the configuration and apply the change:
(config vpn iptunnel gre_tunnel1)>...
4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel1). 5. Click to expand IPv4. 6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel. 7. Click Apply to save the configuration and apply the change.
Task one: Create an IPsec tunnel WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
3. Click VPN > IPsec > Tunnels. 4. For Add IPsec Tunnel, type ipsec_gre2 and click . 5. Click to expand Authentication. 6. For Pre-shared key, type the same pre-shared key that was configured for the IX14-1 (testkey). 7. Click to expand Remote endpoint.
3. Add an IPsec tunnel named ipsec_gre2:
(config)> add vpn ipsec tunnel ipsec_gre2
(config vpn ipsec tunnel ipsec_gre2)>
4. Set the pre-shared key to the same pre-shared key that was configured for the IX14-1 (testkey):
(config vpn ipsec tunnel ipsec_gre2)> auth secret testkey
(config vpn ipsec tunnel ipsec_gre2)>...
Task two: Create an IPsec endpoint interface WebUI 1. Click Network > Interfaces. 2. For Add Interface, type ipsec_endpoint2 and click . 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5. Click to expand IPv4.
5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.2/32:
(config network interface ipsec_endpoint2)> ipv4 address 172.30.0.2/32
(config network interface ipsec_endpoint2)>
6. Save the configuration and apply the change:
(config vpn ipsec tunnel ipsec_endpoint2)> save
Configuration saved.
>
(config vpn iptunnel gre_tunnel2)> local /network/interface/ipsec_endpoint2
(config vpn iptunnel gre_tunnel2)>
4. Set the remote endpoint to the IP address of the GRE tunnel on IX14-1, 172.30.0.1:
(config vpn iptunnel gre_tunnel2)> remote 172.30.0.1
(config vpn iptunnel gre_tunnel2)>
4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel2). 5. Click to expand IPv4. 6. For Address, type 172.31.1.1/30 for a virtual IP address on the GRE tunnel. 7. Click Apply to save the configuration and apply the change.
Your IX14 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol).
Configure a PPP-over-L2TP tunnel
Your IX14 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol). The tunnel endpoints are known as L2TP Access Concentrators (LAC) and L2TP Network Servers (LNS). Each endpoint terminates the PPP session.
Optional configuration data in the format of a pppd options file. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
No limit to IPv6 addresses that can access the service-type. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX14 device: a. Click Interfaces. b. For Add Interface, click .
For Remote IP address, type the IP address to assign to the remote peer. g. (Optional) For Authentication method, select one of the following: None: No authentication is required. Automatic: The device will attempt to connect using CHAP first, and then PAP.
8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
No limit to IPv6 addresses that can access the service-type.
Repeat this step to list additional IP addresses or networks.
To limit access to hosts connected through a specified interface on the IX14 device:
(config)> add vpn l2tp acl interface end value
(config)>...
LACs are enabled by default. To disable:
(config vpn l2tp lac lac_tunnel)> enable false
(config vpn l2tp lac lac_tunnel)>
b. Set the hostname or IP address of the L2TP network server:
(config vpn l2tp lac lac_tunnel)> lns hostname
(config vpn l2tp lac lac_tunnel)>
Format:
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Current value:
(config vpn l2tp lac lac_tunnel)>
ii. Set the zone:
(config vpn l2tp lac lac_tunnel)> zone zone
(config vpn l2tp lac lac_tunnel)>
h. (Optional): Custom PPP configuration:
The keyword any, which means that the server will accept connections from any IP address.
c. Set the IP address of the L2TP virtual network interface:
(config vpn l2tp lns lns_server)> local_address IP_address
(config vpn l2tp lns lns_server)>
(config vpn l2tp lns lns_server)> zone ?
Zone: The firewall zone assigned to this tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel.
Format:
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Type quit to disconnect from the device.
Configure SureLink active recovery for PPP-over-L2TP
You can configure the IX14 device to regularly probe PPP-over-L2TP access concentrators to determine if the connection has failed and take remedial action.
Required configuration items
A valid PPP-over-L2TP configuration.
To configure the IX14 device to regularly probe the PPP-over-L2TP connection: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
For example, to set Response timeout to ten minutes, enter 10m or 600s. The default is 15 seconds. 13. Add a test target: a. Click to expand Test targets. b. For Add Test target, click .
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Initial connection time to ten minutes, enter 10m or 600s. The default is 60 seconds. 14. Click Apply to save the configuration and apply the change.
Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
IP address. Specify the hostname or IP address:
(config vpn l2tp lac lac_tunnel surelink target 0)> ping_host host
(config vpn l2tp lac lac_tunnel surelink target 0)>
(Optional) Set the size, in bytes, of the ping packet:
(Optional) Set the amount of time to wait for an initial connection to the interface before this test is considered to have failed:
(config vpn l2tp lac lac_tunnel surelink target 0)> interface_timeout value
(config vpn l2tp lac lac_tunnel surelink target 0)>
(config vpn l2tp lac lac_tunnel surelink target 0)> other_ip_version value
(config vpn l2tp lac lac_tunnel surelink target 0)>
where value is one of: any, both, ipv4, or ipv6.
Set the expected status of the alternate interface:
This means that you cannot restrict traffic on the IPsec tunnel to L2TP traffic (typically UDP port 1701). While multiple L2TP clients are supported on the IX14 by configuring a separate LNS for each client, multiple clients behind a Network Address Translation (NAT) device are not supported, because they will all appear to have the same IP address.
Show the status of L2TP access concentrators from the Admin CLI 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
L2TPv3 Ethernet
Your IX14 device supports Layer 2 Tunneling Protocol Version 3 (L2TPv3) static unmanaged Ethernet tunnels.
Configure an L2TPv3 tunnel
Your IX14 device supports Layer 2 Tunneling Protocol Version 3 (L2TPv3) static unmanaged Ethernet tunnels.
1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > L2TPv3 ethernet.
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Set the destination UDP port to be used for the tunnel.
(config vpn l2tpeth L2TPv3_example)> udp_destination_port port
(config vpn l2tpeth L2TPv3_example)>
c. (Optional) To calculate and check the UDP checksum:
(config vpn l2tpeth L2TPv3_example)> udp_checksum true
(config vpn l2tpeth L2TPv3_example)>
Add a sequence number to each outgoing packet.
recv: Reorder packets if they are received out of order.
both: Add a sequence number to each outgoing packet, and reorder packets if they are received out of order.
The default is none.
Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Local Area Networks (LANs) on your device. NEMO creates a tunnel between the home agent on the mobile private network and the IX14 device, isolating the connection from internet traffic and advertising the IP subnets of the LANs for remote access and device management.
4. For Home IP address, type the IPv4 address of the NEMO virtual network interface. 5. For Zone, select Internal. The Internal firewall zone configures the IX14 device to trust traffic going to the tunnel and allows it through the network.
10. For MTU discovery, leave enabled to determine the maximum transmission unit (MTU) size. If disabled, for MTU, type the MTU size. The default MTU size for LANs on the IX14 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
(config vpn nemo nemo_example)> mtu_discovery false
(config vpn nemo nemo_example)>
If disabled, set the MTU size. The default MTU size for LANs on the IX14 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
(config vpn nemo nemo_example)> zone internal
(config vpn nemo nemo_example)>
The Internal firewall zone configures the IX14 device to trust traffic going to the tunnel and allows it through the network.
11. Configure the Care-of-Address, the local WAN interface of the internet facing network.
Add a local network to use as a virtual NEMO network interface:
(config vpn nemo nemo_example)> add network end LAN
(config vpn nemo nemo_example)>
b. (Optional) Repeat for additional interfaces.
14. Save the configuration and apply the change:
(config)> save
Configuration saved.
>
Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
LAN2 192.168.3.1/24 Advertized
>
4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Generate a support report
View system and event logs
Configure syslog servers
Configure options for the event and system logs
Analyze network traffic
Use the ping command to troubleshoot network connections
Use the traceroute command to diagnose IP routing problems
To perform a speedtest: Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Attach the support report to any support requests. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
View System Logs WebUI 1. Log into the IX14 WebUI as a user with Admin access. 2. On the main menu, click System > Logs. The system log displays: 3. Limit the display in the system log by using the Find search tool.
5. Click to download the system log. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
6. Click to download the event log. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Nov 26 22:01:25 info user name=admin~service=cli~state=closed~remote=192.168.1.2
>
5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
You can configure remote syslog servers for storing event and system logs. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
5. Set the IP protocol to use for communication with the syslog server:
(config system log remote 0)> protocol value
(config system log remote 0)>
where value is either tcp or udp. The default is udp.
6. Save the configuration and apply the change:
(config)> save
Configuration saved.
>
To change or disable the heartbeat interval, or to disable event categories, and to perform other log configuration: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
7. Enable Preserve system logs to save the current session's system log after a reboot. By default, the IX14 device erases system logs each time the device is powered off or rebooted. Note You should only enable Preserve system logs temporarily to debug issues.
To disable the heartbeat interval, set the value to 0s.
4. Enable preserve system logs functionality to save the current session's system log after a reboot. By default, the IX14 device erases system logs each time the device is powered off or rebooted.
(config)> system log event dhcpserver status_interval value
(config)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set the status interval to ten minutes, enter either 10m or 600s:
7. Save the configuration and apply the change:
(config)> save
Configuration saved.
>
8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Analyze network traffic
The IX14 device includes a network analyzer tool that captures data traffic on any interface and decodes the captured data traffic for diagnostics. You can capture data traffic on multiple interfaces at the same time and define capture filters to reduce the captured data. You can capture up to 10 MB of data traffic in two 5 MB files per interface.
To configure a packet capture configuration: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Analyzer.
Click Ignore this IP address or network if the filter should ignore packets from this IP address/network. By default, this option is disabled, which means that the filter will capture packets from this IP address/network. vi. Click to add additional IP address/network filters.
Click Ignore this VLAN if the filter should ignore packets that use this port. By default, this option is disabled, which means that the filter will capture packets that use this port. v. Click to add additional VLAN filters.
Page 688
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Save interval to ten minutes, enter 10m or 600s.
9. Click Apply to save the configuration and apply the change.
Page 689
Command line
1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 690
    (config network analyzer name filter protocol 0)> protocol ?

    IP protocol to capture or ignore: IP protocol to capture or ignore.
    Format:
      icmp
      icmpv6
      igmp
      ospf
      other
      vrrp
    Current value:

    (config network analyzer name filter protocol 0)>
Page 691
(Optional) Set the filter to ignore packets from this port:
    (config network analyzer name filter port 0)> ignore true
    (config network analyzer name filter port 0)>
By default, this option is set to false, which means that the filter will capture packets from this port.
Page 692
    (config network analyzer name filter vlan 0)>
ii. Set the VLAN that should be captured or ignored:
    (config network analyzer name filter vlan 0)> vlan value
    (config network analyzer name filter vlan 0)>
where value is the number of the VLAN.
Page 693
Runs the script at a specified time of the day. If set_time is set, set the time that the script should run, using the format HH:MM:
    (config network analyzer name)> run_time HH:MM
    (config network analyzer name)>
maintenance_time: The script will run during the system maintenance time window.
BPF syntax.
Example IPv4 capture filters
Capture traffic to and from IP host 192.168.1.1:
    ip host 192.168.1.1
Capture traffic from IP host 192.168.1.1:
    ip src host 192.168.1.1
Capture traffic to IP host 192.168.1.1:
    ip dst host 192.168.1.1
Save captured data traffic to a file.
Clear captured data.
Required configuration items
A configured packet capture. See Configure packet capture for the network analyzer for packet capture configuration information.
To start packet capture from the command line:
Command line
1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To show captured data traffic: Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line
1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
WebUI or from the command line by using the (secure copy file) command.
WebUI
1. Log into the IX14 WebUI as a user with Admin access.
2. On the menu, click System. Under Administration, click File System. The File System page appears.
4. Select the saved analyzer report you want to download and click (download). Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 701
To determine available packet capture configurations, use the ?:
    > analyzer clear name ?

    name: Name of the capture filter to use.
    Format:
      test_capture
      capture_ping

    > analyzer clear name
Note You can remove data traffic saved to a file using the command.
Ping to check internet connection To check your internet connection: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 703
Max wait for a response to a probe. (Default: 5) Example This example shows using traceroute to verify that the IX14 device can route to host 8.8.8.8 (www.google.com) through the default gateway. The command output shows that 15 routing hops were required to reach the host: 1.
Page 704
Routing
This chapter contains the following topics:
IP routing
Show the routing table
Dynamic DNS
Virtual Router Redundancy Protocol (VRRP)
IP routing
The IX14 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows:
1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
To configure a static route: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Static routes.
Page 707
7. For Interface, select the interface on the IX14 device that will be used with this static route. 8. (Optional) For Gateway, type the IPv4 address of the gateway used to reach the destination.
Page 708
The any keyword can also be used to route packets to any destination with this static route. 6. Set the interface on the IX14 device that will be used with this static route: a. Use the ? to determine available interfaces: (config network route static 0)>...
Type quit to disconnect from the device.
Delete a static route
WebUI
1. Log into the IX14 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 710
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
However, you can use policy-based routing to forward the packet based on other criteria, such as the source of the packet. For example, you can configure the IX14 device so that high-priority traffic is routed through the cellular connection, while all other traffic is routed through an Ethernet (WAN) connection.
To configure a routing policy: WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Policy-based routing.
Page 713
5. (Optional) For Label, type a label that will be used to identify this route policy. 6. For Interface, select the interface on the IX14 device that will be used with this route policy. 7. (Optional) Enable Exclusive to configure the policy to drop packets that match the policy when the gateway interface is disconnected, rather than forwarded through other interfaces.
Page 714
13. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 715
5. Set the interface on the IX14 device that will be used with this route policy:
a. Use the ? to determine available interfaces:
    (config network route policy 0)> interface ?

    Interface: The network interface used to reach the destination.
Page 716
Matches the source IP address to the selected firewall zone. Set the zone:
a. Use the ? to determine available zones:
    (config network route policy 0)> src zone ?

    Zone: Match the IP address to the specified firewall zone.
    Format:
      dynamic_routes
      edge
      external
      internal
      ipsec
      loopback
      setup
Page 717
Matches the source IPv6 address to the specified IP address or network. Set the address that will be matched:
    (config network route policy 0)> src address6 value
    (config network route policy 0)>
where value uses the format IPv6_address[/prefix_length], or any to match any IPv6 address.
Page 718
Matches the destination IP address to the selected interface's network address. Set the interface:
a. Use the ? to determine available interfaces:
    (config network route policy 0)> dst interface ?

    Interface: The network interface.
    Format:
      /network/interface/defaultip
      /network/interface/defaultlinklocal
      /network/interface/lan
      /network/interface/loopback
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Routing services
Your IX14 includes support for dynamic routing services and protocols. The following routing services are supported:
The Border Gateway Protocol (BGP) service supports BGP-4 (
IS-IS The IPv4 and IPv6 Intermediate System to Intermediate System (IS-IS) service.
Configure routing services
Required configuration items
Enable routing services.
Enable and configure the types of routing services that will be used.
Page 721
IP routing WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Routing services.
Page 722
IP routing Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
To display the routing table:
WebUI
1. Log into the IX14 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 724
5. Click IPv6 Load Balance to view IPv6 load balancing. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
WAN or public IP address changes. Your IX14 device supports a number of Dynamic DNS providers as well as the ability to provide a custom provider that is not included on the list of providers.
Page 726
The amount of time to wait to force an update of the interface's IP address.
The amount of time to wait for an IP address update to succeed before retrying the update.
The number of times to retry a failed IP address update.
Page 727
Dynamic DNS WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Dynamic DNS.
Page 728
14. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 729
Use the ? to determine available services:
    (config network ddns new_ddns_instance)> service ?

    Service: The provider of the dynamic DNS service.
    Format:
      custom
      3322.org
      changeip.com
      ddns.com.br
      dnsdynamic.org
    Default value: custom
    Current value: custom

    (config network ddns new_ddns_instance)> service
Page 730
For example, to set force_interval to ten minutes, enter either 10m or 600s:
    (config network ddns new_ddns_instance)> force_interval 600s
    (config network ddns new_ddns_instance)>
The default is 3d.
Multiple IX14 devices can be configured as VRRP devices and assigned a priority. The router with the highest priority will be used as the master router. If the master router fails, then the IP address of the virtual router is mapped to the backup device with the next highest priority.
VRRP priority of devices based on the status of their network connectivity.
WebUI
1. Log into the IX14 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 733
For Virtual IP, type the IPv4 or IPv6 address for a virtual IP of this VRRP instance.
d. (Optional) Repeat to add additional virtual IPs.
11. See Configure VRRP+ for information about configuring VRRP+.
12. Click Apply to save the configuration and apply the change.
Page 734
Virtual Router Redundancy Protocol (VRRP) Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
VRRP+ is an extension to the VRRP standard that uses SureLink network probing to monitor connections through VRRP-enabled devices and adjust devices' VRRP priority based on the status of the SureLink tests. This section describes how to configure VRRP+ on an IX14 device.
Required configuration items
Both master and backup devices: A configured and enabled instance of VRRP.
Page 736
SureLink tests. WebUI 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 737
SureLink fails on the master, it will lower its priority to below 80, and the backup device will assume the master role.
10. Configure the VRRP interface. The VRRP interface is defined in the Interface parameter of the VRRP configuration, and generally should be a LAN interface:
Page 738
SureLink fails.
i. Click to expand IPv4 > SureLink.
ii. Click Enable.
iii. For Interval, type the amount of time to wait between connectivity tests. To guarantee seamless internet access for VRRP+ purposes, SureLink tests should occur
Page 739
11. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 740
Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses:
i. Set the DHCP server gateway type to custom:
    (config)> network interface LAN ipv4 dhcp_server advanced gateway custom
    (config)>
Page 741
For example, to set interval to five seconds, enter 5s:
    (config)> network interface LAN ipv4 surelink interval 5s
    (config)>
iv. Create a SureLink test target:
    (config)> add network interface LAN ipv4 surelink target end
    (config network interface LAN ipv4 surelink target 0)>
Page 742
    (config network interface LAN ipv4 surelink target 0)> interface_down_time value
    (config network interface LAN ipv4 surelink target 0)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Example: VRRP/VRRP+ configuration
This example configuration creates a VRRP pool containing two IX14 devices:
WebUI Task 1: Configure VRRP on device one 1. Log into the IX14 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP.
Page 745
Task 2: Configure VRRP+ on device one
1. Click to expand VRRP+.
2. Click Enable.
3. Click to expand Monitor interfaces.
4. Click to add an interface for monitoring.
5. Select Interface: Modem.
6. For Priority modifier, type 30.
Page 746
Command line Task 1: Configure VRRP on device one 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 747
Task 3: Configure the IP address for the VRRP interface, LAN, on device one
1. Type ... to return to the root of the config prompt:
    (config network vrrp VRRP_test )> ...
    (config)>
2. Set the IP address for LAN:
    (config)> network interface LAN ipv4 address 192.168.3.1/24
    (config)>
WebUI
Task 1: Configure VRRP on device two
1. Log into the IX14 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Page 749
7. For Router ID, leave at the default setting of 50.
8. For Priority, type 80.
9. Click to expand Virtual IP addresses.
10. Click to add a virtual IP address.
11. For Virtual IP, type 192.168.3.3.
Page 750
Task 4: Configure SureLink for LAN on device two
1. Click Network > Interfaces > LAN > IPv4 > SureLink.
2. Click Enable.
3. For Interval, type 15s.
4. Click to expand Test targets > Test target.
5. For Test Type, select Ping test.
Page 751
Command line Task 1: Configure VRRP on device two 1. Log into the IX14 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 752
    (config network vrrp VRRP_test )>
Task 3: Configure the IP address for the VRRP interface, LAN, on device two
1. Type ... to return to the root of the config prompt:
    (config network vrrp VRRP_test )> ...
    (config)>
Page 753
2. Set the start and end addresses of the DHCP pool to use to assign DHCP addresses to clients:
a. Set the start address to 200:
    (config)> network interface LAN ipv4 dhcp_server lease_start 200
    (config)>
b. Set the end address to 250:
    (config)> network interface LAN ipv4 dhcp_server lease_end 250
    (config)>
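The priority arithmetic behind the VRRP/VRRP+ example configuration above, as an added Python model that is not Digi's code. Priority 80, priority modifier 30, and 192.168.3.1 come from the example; the base priority of 100 for device one, the 192.168.3.2 address for device two, subtracting the modifier while SureLink fails, and preemption on recovery are assumptions.

```python
"""Two-device VRRP+ pool: effective priorities, master election, and a
configuration check that a monitored-link failure really moves mastership."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpDevice:
    name: str
    lan_ip: IPv4Address
    base_priority: int
    # Monitored interface -> priority modifier. Assumption: the modifier is
    # subtracted from the base priority while SureLink fails on that interface.
    monitors: dict = field(default_factory=dict)
    failed: set = field(default_factory=set)

    def effective_priority(self) -> int:
        penalty = sum(mod for ifname, mod in self.monitors.items()
                      if ifname in self.failed)
        # A VRRP router that does not own the virtual IP advertises 1..254.
        return max(1, min(254, self.base_priority - penalty))


def elect_master(devices):
    """Steady-state election with preemption: highest effective priority wins;
    equal priorities fall back to the higher interface address, as in
    standard VRRP."""
    return max(devices, key=lambda d: (d.effective_priority(), int(d.lan_ip)))


def failover_gaps(master, backups):
    """Return the monitored interfaces whose failure would NOT hand the master
    role to a backup, i.e. the modifier is too small for the priority gap."""
    gaps = []
    saved = set(master.failed)
    for ifname in sorted(master.monitors):
        master.failed = {ifname}
        if elect_master([master, *backups]) is master:
            gaps.append(ifname)
    master.failed = saved
    return gaps


def build_pool(modifier=30):
    # Constructed values: base priority 100 and the 192.168.3.2 address.
    one = VrrpDevice("device-one", IPv4Address("192.168.3.1"), 100,
                     {"modem": modifier})
    two = VrrpDevice("device-two", IPv4Address("192.168.3.2"), 80)
    return one, two


def failover_timeline():
    """Master while healthy, after the modem SureLink test fails on device
    one, and after it recovers."""
    one, two = build_pool()
    timeline = [elect_master([one, two]).name]
    one.failed.add("modem")
    timeline.append(elect_master([one, two]).name)
    one.failed.discard("modem")
    timeline.append(elect_master([one, two]).name)
    return timeline


if __name__ == "__main__":
    print(failover_timeline())
    for modifier in (30, 20, 10):
        one, two = build_pool(modifier)
        print(modifier, failover_gaps(one, [two]))
```

With a modifier of 10 the check reports the modem interface: device one would stay master at priority 90 even though its cellular link is down.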
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Show VRRP status and statistics
This section describes how to display VRRP status and statistics for an IX14 device. VRRP status is available from the Web UI only. ...
Page 755
The Virtual Router Redundancy Protocol window is displayed. Command line 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Page 757
File system
This chapter contains the following topics:
The IX14 local file system
Display directory contents
Create a directory
Display file contents
Copy a file or directory
Move or rename a file or directory
Delete a file or directory
Upload and download files...
The IX14 local file system
The IX14 local file system has approximately 100 MB of space available for storing files, such as Python programs, alternative configuration files and firmware versions, and release files, such as cellular module images.
For example: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
For example:
Command line
1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type more /path/filename. For example, to view the contents of the file accns.json in /etc/config:...
Command line To rename a file named test.py in /etc/config/scripts to final.py: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Command line To delete a file named test.py in /etc/config/scripts: 1. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
FileZilla. Upload and download files by using the WebUI Upload files 1. Log into the IX14 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears.
IX14 device. local-path is the location on the IX14 device where the copied file will be placed. For example: To copy firmware from a remote host with an IP address of 192.168.4.1 to the /etc/config directory on the IX14 device, issue the following command: >...
IX14 device. For example: To copy a support report from the IX14 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
Page 766
    $ sftp ahmed@192.168.2.1
    Password:
    Connected to 192.168.2.1
    sftp> get test.py
    Fetching test.py to test.py
    test.py 100% 0.3KB/s 00:00
    sftp> exit
Radio Frequency Interference (RFI) (FCC 15.105) The Digi IX14 has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Page 768
Digi IX14 regulatory and safety statements European Community - CE Mark Declaration of Conformity (DoC) Digi customers assume full responsibility for learning and meeting the required guidelines for each country in their distribution market. Refer to the radio regulatory agency in the desired countries of operation for more information.
Maximum transmit power for radio frequencies
The following tables show the maximum transmit power for frequency bands.
Cellular frequency bands
Frequency bands Maximum transmit power Cellular LTE 700 MHz...
However, cellular-based products contain radio devices which require specific consideration. Take the time to read and understand the following guidance. Digi International assumes no liability for an end user’s failure to comply with these precautions.
At the end of its life this product MUST NOT be mixed with other commercial waste for disposal. Check with the terms and conditions of your supplier for disposal information. Digi International Ltd WEEE Registration number: WEE/HF1515VU
Page 772
Certifications This product complies with the requirements of the following Electromagnetic Compatibility standards. There are no user-serviceable parts inside the product. Contact your Digi representative for repair information. Certification category Standards EN 300 328 v1.8.1 Electromagnetic Compatibility (EMC) compliance standards EN 301-489-17 V3.1.12017...
Page 773
Auto-complete commands and parameters
Available commands
Use the scp command
Display status and statistics using the show command
Device configuration using the command line interface
Execute configuration commands at the root Admin CLI prompt
Configuration mode
Command line reference
Log in to the command line interface
Command line
1. Connect to the IX14 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface for more information.
2. At the main menu, click Terminal. The device console appears. IX14 login: 3. Log into the IX14 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
Display help for commands and parameters The help command When executed from the root command prompt, help displays information about autocomplete operations, how to move the cursor on the IX14 command line, and other keyboard shortcuts: > help Commands ------------------------------------------------------------------------------ Show commands help <Tab>...
    Show firmware version.
    vrrp Show VRRP statistics.
    web-filter Show web filter information.

    > show
2. To display a syntax diagram and parameter information about a specific command:
    > show arp ?

    Syntax:
      arp [ipv4] [ipv6] [verbose]

    Parameters
    -------------------------------------------------------------------------------
Page 778
Command line interface
Display help for commands and parameters
    ipv4 Display IPv4 routes.
    ipv6 Display IPv6 routes.
    verbose Display more information.

    > show arp
Parameter values, where the value is one of an enumeration or an on|off type; for example:
    (config)> serial port1 enable t<Tab>
auto-completes to
    (config)> serial port1 enable true
Auto-complete does not function for:
Parameter values that are string types.
Integer values.
File names.
Select parameters passed to commands that perform an action.
Pings a remote host using Internet Control Message Protocol (ICMP) Echo Request messages. reboot Reboots the IX14 device. Removes a file. Uses the secure copy protocol (SCP) to transfer files between the IX14 device and a remote host. Use the scp command for information about using the scp command. show Displays information about the device and the device's configuration.
The hostname or IP address of the remote host. The username and password of the user on the remote host. Whether the file is being copied to the IX14 device from a remote host, or to the remote host from the IX14 device.
IX14 device. For example: To copy a support report from the IX14 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
"445" > show system show system command displays system information and statistics for the device, including CPU usage. > show system Model : Digi IX14 Serial Number : IX14-000065 : IX14 Hostname : IX14 MAC Address : DF:DD:E2:AE:21:18...
For example, to disable the SSH service from the root prompt, enter the following command:
    > config service ssh enable false
    >
The IX14 device's ssh service is now disabled.
Note When the config command is executed at the root prompt, certain configuration actions that are available in configuration mode cannot be performed.
Page 785
3. Next, display help for the config service ssh command:
    > config service ssh ?

    SSH: An SSH server for managing the device.

    Parameters Current Value
    -------------------------------------------------------------------------
    enable true Enable
    [private] Private key
    port Port

    Additional Configuration
    -------------------------------------------------------------------------
    Access control list
    mdns

    > config service ssh
1. At the config prompt, enter service to move to the service node:
    (config)> service
    (config service)>
2. Enter ssh to move to the ssh node:
    (config service)> ssh
    (config service ssh)>
Configuration actions   Description
cancel      Discards unsaved configuration changes and exits configuration mode.
save        Saves configuration changes and exits configuration mode.
validate    Validates configuration changes.
revert      Reverts the configuration to default settings. See The revert command for more information.
2. You can then display help for the additional configuration commands. For example, to display help for the config service command, use one of the following methods:
At the config prompt, enter service ?:
    (config)> service ?
Page 789
Enter service to move to the service node:
    (config)> service
    (config service)>
b. Enter ssh to move to the ssh node:
    (config service)> ssh
    (config service ssh)>
c. Enter ? to display help for the ssh node:
    (config service ssh)> ?
Page 790
    (config service ssh)> enable ?
    (config service ssh)>
Either of these methods will display the following information:
    (config)> service ssh enable ?

    Enable: Enable the service.
    Format: true, false, yes, no, 1, 0
    Default value: true
    Current value: true
You can also move back multiple nodes in the configuration by typing multiple sets of two periods:
    (config service ssh acl zone)> ..
    (config service)>
Move to the root of the config prompt from anywhere within the configuration by entering three periods (...):
    (config service ssh acl zone)> ...
    (config)>
2. Use the end keyword to add the admin group to the user's configuration:
    (config)> add auth user new-user group end admin
    (config)>
3. Use the show command again to verify that the admin group has been added to the user's configuration:
Page 793
    (config)> show auth method
    0 local
    1 tacacs+
    2 radius
    (config)>
2. To configure the device to use TACACS+ authentication first to authenticate a user, use the move index_number_1 index_number_2 command:
    (config)> move auth method 1 0
    (config)>
    (config)>
The revert command
The revert command is used to revert changes to the IX14 device's configuration and restore default configuration settings. The behavior of the revert command varies depending on where in the configuration hierarchy the command is executed, and whether the optional path parameter is used.
Page 795
1. Change to the auth node:
    (config)> auth
    (config auth)>
2. Enter the revert command with the path set to method:
    (config auth)> revert method
    (config auth)>
3. Save the configuration and apply the change:
    (config auth)> save
    Configuration saved.
    >
    (config)> system description "Digi IX14"
Example: Create a new user by using the command line
In this example, you will use the IX14 command line to create a new user, provide a password for the user, and assign the user to authentication groups.
Page 797
    (config auth user user1)>
6. Add the user to the admin group:
    (config auth user user1)> add group end admin
    (config auth user user1)>
7. Save the configuration and apply the change:
    (config auth user user1)> save
    Configuration saved.
    >
Page 798
Command line interface
Configuration mode
8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Name of the capture filter to use.
clear dhcp-lease ip-address
Clear the DHCP lease for the specified IP address.
Syntax
    clear dhcp-lease ip-address ADDRESS
Parameters
    address: An IPv4 or IPv6 address
clear dhcp-lease mac
Clear the DHCP lease for the specified MAC address.
The source file or directory to copy.
destination: The destination path to copy the source file or directory to.
force: Do not ask to overwrite the destination file if it exists.
help
Show CLI editing and navigation commands.
Syntax
    help
Page 803
Command line interface
Command line reference
Parameters
    None
Page 804
Command line interface Command line reference List a directory. Syntax ls <path> [show-hidden] Parameters path: List files and directories under this path. show-hidden: Show hidden files and directories. Hidden filenames begin with '.'. IX14 User Guide...
The configured name of the modem to execute this CLI command on. imei: The IMEI of the modem to execute this CLI command on. modem firmware list List modem firmware files found in the /opt/[MODEM_MODEL]/ directory. IX14 User Guide...
The configured name of the modem to execute this CLI command on. imei: The IMEI of the modem to execute this CLI command on. modem firmware ota check Query the Digi firmware server for the latest remote modem firmware version. Syntax modem firmware ota check [name STRING] [imei STRING] Parameters name: The configured name of the modem to execute this CLI command on.
Enable the PIN lock on the SIM card that is active in the modem. The SIM card will need to be unlocked before each use. Warning: Attempting to use an incorrect PIN code may PUK lock the SIM. Syntax modem pin enable <pin> [name STRING] [imei STRING] Parameters pin: The SIM's PIN code. IX14 User Guide...
The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem puk unlock
Unlock the SIM with a PUK code from the SIM provider.
Syntax
modem puk unlock <puk> <new-pin> [name STRING] [imei STRING]
The SIM slot to change to.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

monitoring
Commands to clear the device's status or systems.
The source file or directory to move.
destination: The destination path to move the source file or directory to.
force: Do not ask to overwrite the destination file if it exists.

ping
Ping a host using ICMP echo.
Page 811
If a hostname is defined as the value of the 'host' parameter, use the host's IPv6 address.
size: The number of bytes sent in the ICMP ping request. (Minimum: 0, Default: 56)
count: The number of ICMP ping requests to send before terminating. (Minimum: 1, Default: 100)
broadcast: Enable broadcast ping functionality.
reboot
Reboot the system.
Parameters
None
Page 813
Remove a file or directory.
Syntax
rm <path> [force]
Parameters
path: The path to remove.
force: Force the file to be removed without asking.
Display IPv4 routes. If no IP version is specified, IPv4 & IPv6 will be displayed.
ipv6: Display IPv6 routes. If no IP version is specified, IPv4 & IPv6 will be displayed.
verbose: Display more information (less concise, more detail).

show cloud
Show drm status & statistics.
Syntax
show cloud
Parameters
None
Show all leases (active and inactive (not in etc/config/dhcp.*lease)).
verbose: Display more information (less concise, more detail).

show dns
Show DNS servers and associated domains.
Syntax
show dns
Parameters
None

show event
Show event list (high level).
Show L2TP access concentrator status & statistics.
Syntax
show l2tp lac [name STRING]
Parameters
name: Display more details for a specific L2TP access concentrator.

show l2tp lns
Show L2TP network server status & statistics.
Syntax
show l2tp lns [name STRING]
(this can be very time consuming). If you require more messages of the filtered type, increase the number of messages retrieved using 'number'.

show manufacture
Show manufacturer information.
Syntax
show manufacture [verbose]
Parameters
verbose: Display more information (less concise, more detail).

show modbus-gateway
[interface STRING] [all] [verbose]
Parameters
interface: Display more details and config data for a specific network interface.
all: Display all interfaces including disabled interfaces.
verbose: Display more information (less concise, more detail).

show ntp
Show NTP status & statistics.
Show IP routing information.
Syntax
show route [ipv4] [ipv6] [verbose]
Parameters
ipv4: Display IPv4 routes.
ipv6: Display IPv6 routes.
verbose: Display more information (less concise, more detail).

show serial
Show serial status & statistics.
Syntax
show serial [port STRING]
The name of a specific IPsec tunnel.
all: Show all IPsec tunnels.

show surelink openvpn
Show SureLink status & statistics for OpenVPN clients.
Syntax
show surelink openvpn [client STRING] [all]
Parameters
client: The name of the OpenVPN client.
all: Show all OpenVPN clients.
Display more details and config data for a specific VRRP instance.
all: Display all VRRP instances including disabled instances.
verbose: Display all VRRP status and statistics including disabled instances.

show web-filter
Show web filter status & statistics.
[passphrase STRING] [remove <custom-defaults>]
Parameters
type: The type of backup file to create. Archives are full backups including generated SSH keys and dynamic DHCP lease information. CLI configuration backups are a list of CLI commands used to build
Erase the device to restore to factory defaults. All configuration and automatically generated keys will be erased.
Syntax
system factory-erase
Parameters
None

system find-me
Find Me function to flash LEDs on this device to help users locate the unit.
Syntax
system find-me <state>
Query the Digi firmware server for the latest device firmware version.
Syntax
system firmware ota check
Parameters
None

system firmware ota list
Query the Digi firmware server for a list of device firmware versions.
Syntax
system firmware ota list
Parameters
None

system firmware ota update
Perform FOTA (firmware-over-the-air) update.
Stop an active running script. Scripts scheduled to run again will still run again (disable a script to prevent it from running again).
Syntax
system script stop <script>
Parameters
script: Script to stop.

system serial clear
Clears the serial log.
Syntax
system serial clear <port>
<port> [size INTEGER]
Parameters
port: Serial port.
size: Maximum size of serial log. (Default: 65536)

system serial stop
Start logging data on a serial port.
Syntax
system serial stop <port>
Parameters
port: Serial port.

system support-report
Test the configured NTP server(s) for connectivity. This test will not affect the device's current local date and time.
Syntax
system time test
Parameters
None

telnet
Use Telnet protocol to log into a remote server.
Syntax
telnet <host> [port INTEGER]
Do not fragment probe packets.
icmp: Use ICMP ECHO for probes.
nomap: Do not try to map IP addresses to host names when displaying them.
bypass: Bypass the normal routing tables and send directly to a host on an attached network.