SecFlow-1
Ruggedized SCADA-Aware Router Gateway
Version 4.1
Installation and Operation Manual
Notice
This manual contains information that is proprietary to RAD Data Communications Ltd. ("RAD").
No part of this publication may be reproduced in any form whatsoever without prior written
approval by RAD Data Communications.
Right, title and interest, all information, copyrights, patents, know-how, trade secrets and other
intellectual property or other proprietary rights relating to this manual and to the SecFlow1 and
any software components contained therein are proprietary products of RAD protected under
international copyright law and shall be and remain solely with RAD.
The SecFlow-1 product name is owned by RAD. No right, license, or interest to such trademark is
granted hereunder, and you agree that no such right, license, or interest shall be asserted by
you with respect to such trademark. RAD products/technologies are protected by registered
patents. To review specifically which product is covered by which patent, please see ipr.rad.com.
The RAD name, logo, logotype, and the product names MiNID, Optimux, Airmux, IPmux, and
MiCLK are registered trademarks of RAD Data Communications Ltd. All other trademarks are the
property of their respective holders.
You shall not copy, reverse compile or reverse assemble all or any portion of the Manual or the
SecFlow1. You are prohibited from, and shall not, directly or indirectly, develop, market,
distribute, license, or sell any product that supports substantially similar functionality as the
SecFlow1, based on or derived in any way from the SecFlow1. Your undertaking in this
paragraph shall survive the termination of this Agreement.
This Agreement is effective upon your opening of the SecFlow1 package and shall continue until
terminated. RAD may terminate this Agreement upon the breach by you of any term hereof.
Upon such termination by RAD, you agree to return to RAD the SecFlow1 and all copies and
portions thereof.
For further information contact RAD at the address below or contact your local distributor.
Limited Warranty
RAD warrants to DISTRIBUTOR that the hardware in the SecFlow1 to be delivered hereunder
shall be free of defects in material and workmanship under normal use and service for a period
of twelve (12) months following the date of shipment to DISTRIBUTOR.
If, during the warranty period, any component part of the equipment becomes defective by
reason of material or workmanship, and DISTRIBUTOR immediately notifies RAD of such defect,
RAD shall have the option to choose the appropriate corrective action: a) supply a replacement
part, or b) request return of equipment to its plant for repair, or c) perform necessary repair at
the equipment's location. In the event that RAD requests the return of equipment, each party
shall pay one-way shipping costs.
RAD shall be released from all obligations under its warranty in the event that the equipment has
been subjected to misuse, neglect, accident or improper installation, or if repairs or
modifications were made by persons other than RAD's own authorized service personnel, unless
such repairs by others were made with the written consent of RAD.
The above warranty is in lieu of all other warranties, expressed or implied. There are no
warranties which extend beyond the face hereof, including, but not limited to, warranties of
merchantability and fitness for a particular purpose, and in no event shall RAD be liable for
consequential damages.
RAD shall not be liable to any person for any special or indirect damages, including, but not
limited to, lost profits from any cause whatsoever arising from or in any way connected with the
manufacture, sale, handling, repair, maintenance or use of the SecFlow1, and in no event shall
RAD's liability exceed the purchase price of the SecFlow1.
DISTRIBUTOR shall be responsible to its customers for any and all warranties which it makes
relating to SecFlow1 and for ensuring that replacements and other adjustments required in
connection with the said warranties are satisfactory.
Software components in the SecFlow1 are provided "as is" and without warranty of any kind.
RAD disclaims all warranties including the implied warranties of merchantability and fitness for a
particular purpose. RAD shall not be liable for any loss of use, interruption of business or
indirect, special, incidental or consequential damages of any kind. In spite of the above RAD
shall do its best to provide error-free software products and shall offer free Software updates
during the warranty period under this Agreement.
RAD's cumulative liability to you or any other party for any loss or damages resulting from any
claims, demands, or actions arising out of or relating to this Agreement and the SecFlow1 shall
not exceed the sum paid to RAD for the purchase of the SecFlow1. In no event shall RAD be
liable for any indirect, incidental, consequential, special, or exemplary damages or lost profits,
even if RAD has been advised of the possibility of such damages.
This Agreement shall be construed and governed in accordance with the laws of the State of
Israel.
Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste
equipment in protecting the environment, the owner of this RAD product is
required to refrain from disposing of this product as unsorted municipal waste at
the end of its life cycle. Upon termination of the unit’s use, customers should
provide for its collection for reuse, recycling or other form of environmentally
conscientious disposal.
Safety Symbols
This symbol may appear on the equipment or in the text. It indicates
potential safety hazards regarding product operation or maintenance to
operator or service personnel.
Warning
Danger of electric shock! Avoid any contact with the marked surface while
the product is energized or connected to outdoor telecommunication lines.
Some products may be equipped with a laser diode. In such cases, a label
with the laser class and other warnings as applicable will be attached near
the optical transmitter. The laser warning symbol may be also attached.
Warning Please observe the following precautions:
• Before turning on the equipment, make sure that the fiber optic cable is
intact and is connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or unterminated fiber-optic cables/connectors or look
straight at the laser beam.
• The use of optical devices with the equipment will increase eye hazard.
• Use of controls, adjustments or performing procedures other than those
specified herein, may result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible!
In some cases, the users may insert their own SFP laser transceivers into the product. Users are
alerted that RAD cannot be held responsible for any damage that may result if non-compliant
transceivers are used. In particular, users are warned to use only agency approved products that
comply with the local laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation and maintenance of
this product. Only qualified and authorized service personnel should carry out adjustment,
maintenance or repairs to this product. No installation, adjustment, maintenance or repairs
should be performed by either the operator or the user.
Connecting AC Mains
Make sure that the electrical installation complies with local codes.
Always connect the AC plug to a wall socket with a protective ground.
The maximum permissible current capability of the branch distribution circuit that supplies power
to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation
should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A
for USA and Canada).
Always connect the power cord first to the equipment and then to the wall socket. If a power
switch is provided in the equipment, set it to the OFF position. If the power cord cannot be
readily disconnected in case of emergency, make sure that a readily accessible circuit breaker or
emergency switch is installed in the building installation.
In cases when the power distribution system is IT type, the switch must disconnect both poles
simultaneously.
Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating in reference
to the ground. Any single pole can be externally grounded.
Due to the high current capability of DC power systems, care should be taken when connecting
the DC supply to avoid short-circuits and fire hazards.
Make sure that the DC power supply is electrically isolated from any AC source and that the
installation complies with the local codes.
The maximum permissible current capability of the branch distribution circuit that supplies power
to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation
should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A
for USA and Canada).
Before connecting the DC supply wires, ensure that power is removed from the DC circuit. Locate
the circuit breaker of the panel board that services the equipment and switch it to the OFF
position. When connecting the DC supply wires, first connect the ground wire to the
corresponding terminal, then the positive pole and last the negative pole. Switch the circuit
breaker back to the ON position.
A readily accessible disconnect device that is suitably rated and approved should be incorporated
in the building installation.
If the DC power supply is floating, the switch must disconnect both poles simultaneously.
Always connect a given port to a port of the same safety status. If in doubt, seek the assistance
of a qualified safety engineer.
Always make sure that the equipment is grounded before connecting telecommunication cables.
Do not disconnect the ground connection before disconnecting all telecommunications cables.
Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables.
Extra caution should be exercised during thunderstorms.
When using shielded or coaxial cables, verify that there is a good ground connection at both
ends. The grounding and bonding of the ground connections should comply with the local codes.
The telecommunication wiring in the building may be damaged or present a fire hazard in case of
contact between exposed external wires and the AC power lines. In order to reduce the risk,
there are restrictions on the diameter of wires in the telecom cables, between the equipment
and the mating connectors.
Caution To reduce the risk of fire, use only No. 26 AWG or larger telecommunication
line cords.
Attention: To reduce the risk of fire, use only 26 AWG or larger telecommunication conductors.
Some ports are suitable for connection to intra-building or non-exposed wiring or cabling only. In
such cases, a notice will be given in the installation instructions.
Do not attempt to tamper with any carrier-provided equipment or connection hardware.
Safety Symbols
This symbol may appear on the equipment or in the text. It indicates potential safety hazards to the operator or service personnel regarding product operation or maintenance.
Warning
Some products may be equipped with a laser diode. In such cases, a label indicating the laser class and other warnings, as applicable, will be attached near the optical transmitter. The laser warning symbol may also be attached.
Warning
Please observe the following precautions:
• Before turning on the equipment, make sure that the fiber optic cable is intact and connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or unterminated fiber-optic cables or connectors, and do not look directly at a laser beam.
• The use of optical devices with the equipment will increase the eye hazard.
• Use of controls, adjustments or procedures other than those specified herein may result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible!
In some cases, users may insert their own SFP laser transceivers into the product. Users are alerted that RAD cannot be held responsible for any damage that may result from the use of non-compliant transceivers. In particular, users are warned to use only agency-approved products that comply with local laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation and maintenance of this product. Only qualified and authorized service personnel should carry out adjustment, maintenance or repairs to this product. No installation, adjustment, maintenance or repair should be performed by the operator or the user.
Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating with respect to ground. Either pole may be externally grounded.
Due to the current capability of DC power systems, care should be taken when connecting the DC supply to avoid short-circuits and fire hazards.
Make sure that the DC power supply is isolated from any AC (mains) source and that the installation complies with local codes.
The maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have high breaking capacity and must operate at a short-circuit current exceeding 35A (40A for USA and Canada).
Before connecting the DC supply wires, ensure that the DC circuit is not energized. Locate the circuit breaker of the panel board that services the equipment and switch it to the OFF position. When connecting the DC supply wires, first connect the ground conductor to the corresponding terminal, then the positive pole and last the negative pole. Switch the circuit breaker back to the ON position.
A readily accessible, suitably rated and approved disconnect device should be incorporated in the building installation.
If the DC power supply is floating, the disconnect device must disconnect both poles simultaneously.
Glossary
Address A coded representation of the origin or destination of data.
Cellular interface The air interface technology that specifies the method for transmitting
information over the air between base stations and mobile units.
Channel A path for electrical transmission between two or more points. Also
called a link, line, circuit or facility.
Ethernet A local area network (LAN) technology which has extended into the
wide area networks. Ethernet operates at many speeds, including data
rates of 10 Mbps (Ethernet), 100 Mbps (Fast Ethernet), 1,000 Mbps
(Gigabit Ethernet), 10 Gbps, 40 Gbps, and 100 Gbps.
Firewall A firewall is a network security system that controls the incoming and
outgoing network traffic based on an applied rule set.
Link aggregation Link aggregation is a method of using two Ethernet ports in parallel to
provide trunking and network fault tolerance. Link aggregation with
trunking feature enhances connection speed beyond the limits of any
one single cable or port.
Serial Tunneling A method to exchange serial data with another device using the
internet protocol.
Service A set of related software functionalities that can be used for provision
of a discrete function within a systems environment.
Spanning Tree The Spanning Tree Protocol (STP) is a network protocol that ensures a
loop-free topology for any bridged Ethernet local area network.
Contents
Chapter 1. Introduction
1.1 Overview .............................................................................................................................. 1-1
Product Options ................................................................................................................. 1-1
Applications ....................................................................................................................... 1-1
Features ............................................................................................................................ 1-2
Ethernet ........................................................................................................................ 1-2
VPN Gateway with IPSec ................................................................................................ 1-2
Terminal Server and Serial Tunneling ............................................................................. 1-3
Access Control List ........................................................................................................ 1-3
Network Management ................................................................................................... 1-3
Routing ......................................................................................................................... 1-3
SCADA services ............................................................................................................. 1-3
Firewall ......................................................................................................................... 1-3
Diagnostics ................................................................................................................... 1-4
1.2 New in This Version .............................................................................................................. 1-4
1.3 Physical Description ............................................................................................................. 1-4
1.4 Functional Description .......................................................................................................... 1-5
Serial Traffic ...................................................................................................................... 1-6
Ethernet Traffic ................................................................................................................. 1-6
Cellular Uplink .................................................................................................................... 1-6
1.5 Technical Specifications........................................................................................................ 1-7
Chapter 5. Services
5.1 Dynamic Multipoint VPN ....................................................................................................... 5-1
5.2 Transparent Serial Tunneling ................................................................................................ 5-2
Transparent Tunneling Operation Concept ......................................................................... 5-4
Network Topologies ........................................................................................................... 5-5
Point-to-Point Application ............................................................................................. 5-5
Point-to-Multipoint Application ..................................................................................... 5-5
Multipoint-to-Multipoint Application.............................................................................. 5-6
Operation Modes ............................................................................................................... 5-7
Port Mode of Operation ................................................................................................ 5-7
Service Buffer Mode ...................................................................................................... 5-7
Service Connection Mode .............................................................................................. 5-8
Serial Traffic Direction ....................................................................................................... 5-8
Serial Ports Counters ......................................................................................................... 5-9
Rx counters ................................................................................................................... 5-9
Tx counters ................................................................................................................... 5-9
Allowed Latency ................................................................................................................. 5-9
Tx Delay ........................................................................................................................... 5-10
Bus Idle Time ................................................................................................................... 5-10
Byte Mode .................................................................................................................. 5-10
Frame Mode ................................................................................................................ 5-10
Configuring Transparent Serial Tunneling ......................................................................... 5-10
Transparent Serial Tunneling between Two SecFlow-1 Routers ................................... 5-11
Transparent Serial Tunneling between SecFlow-1 and SecFlow-2 ................................ 5-12
Chapter 6. Ports
Chapter 7. Resiliency
7.1 Backup and Redundancy ...................................................................................................... 7-1
Backup of Cellular and Physical Interfaces .......................................................................... 7-1
Modem Conditional Reload ................................................................................................ 7-1
Chapter 1
Introduction
1.1 Overview
The SecFlow product line supports a large variety of capabilities that enhance
cyber security and product resiliency against external cyber attacks.
As an industrial Ethernet router, SecFlow-1 provides a strong set of Ethernet and
IP features with special emphasis on the requirements of critical infrastructure
and industrial environments, high reliability, network resiliency, secured VPN
connectivity, and an authenticated operating system.
The SecFlow-1 service-aware industrial Ethernet router combines a ruggedized
Ethernet platform with a unique application-aware processing engine.
This integrated solution features a simple network architecture that is optimized
for application requirements.
Product Options
SecFlow-1 is available in a variety of configurations. See the data sheet for
SecFlow-1 ordering options.
Applications
In a typical protocol gateway application, SecFlow-1 converts serial-based
industrial protocols to their correlating IP based variant, enabling the deployment
of a mixed network with serial-based and Ethernet-based devices. In this mode,
SecFlow-1 operates as a master on the serial bus and as a server in the IP
network for the correlating protocol.
The gateway allows the transport of legacy serial protocols over IP networks in a
secure way, with optional secure VPN services and integrated firewall on each
port, providing a network-based distributed security solution equivalent to the
use of personal firewalls on all the industrial devices.
A cellular modem (such as LTE) provides a key solution for connectivity to remote
sites. The modem supports dual SIM cards for redundancy and backup between
Internet service providers.
This modem can also be used for link protection. In case of network failure,
traffic will flow over the cellular infrastructure.
Figure 1-1. Remote Site Access over the Fiber Link with Cellular Network Redundancy (diagram: hub-and-spoke topology; the spoke SecFlow-1 connects an RTU over RS-232 serial tunneling and DNP3, a video camera and a switch; a first IPSec/mGRE tunnel runs over the fiber link through the packet-switched network (PSN) to the hub, and a second IPSec/mGRE tunnel runs over the dual-SIM cellular modem via the BTS/eNB)
Features
SecFlow-1 offers L3 dynamic and static routing, SCADA services, a firewall, and
secure networking.
Ethernet
• Auto Crossing (MDI/MDIX)
• Autonegotiation per IEEE 802.3ab
• VLAN tagging
Network Management
SecFlow-1 can be managed with CLI, or with the iEMS SecFlow Network Manager,
integrated in the RADview server, to provide an end-to-end management system.
Routing
SecFlow-1 incorporates a router for secure and efficient Layer 3 IP connectivity
over packet switched networks.
SecFlow-1 can be set to perform static or dynamic routing using:
• IPv4 (Internet Protocol version 4)
• OSPF (Open Shortest Path First) v2
• RIP v2
• NAT
SCADA services
SecFlow-1 provides secure SCADA networking towards the remote client, with an
optional VPN and an integrated firewall on each port, providing a network-based
distributed security solution equivalent to the use of personal firewalls on all
the industrial devices.
Firewall
The integrated DPI (Deep Packet Inspection) engine for SCADA-over-IP services
provides network-based distributed security. The firewall is
"application-aware": it inspects the contents of the data packets of selected
SCADA protocols against the rules set by the user.
With the firewall enabled, SecFlow-1 acts as a distributed Intrusion Detection
System (IDS) and can block specific SCADA commands; this is what makes
SecFlow-1 service-aware.
The supported protocols are IEC 104 (IEC 60870-5-104) and DNP3 over TCP.
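As an added example (not RAD's code, and not a description of SecFlow-1's rule syntax, which this manual does not document), the Python below shows what the application-aware inspection described above does at the byte level: it parses IEC 104 APDUs and DNP3 link frames, extracts the command identifier each carries (the ASDU type ID for IEC 104, the application-layer function code for DNP3) and applies an allowlist policy. The rule format, the decide() function, the port-based protocol classification and all sample packets are assumptions made for this illustration; DNP3 CRC validation is deliberately omitted.

```python
"""Application-aware filter for IEC 60870-5-104 and DNP3-over-TCP payloads.
Added example, not RAD's code. The rule format (allowlists of IEC 104 type IDs
and DNP3 function codes), decide() and the sample packets are assumptions made
for this illustration; the manual does not describe SecFlow-1's rule syntax.
"""
from dataclasses import dataclass

IEC104_START = 0x68
IEC104_PORT = 2404          # IANA-registered port for IEC 60870-5-104
DNP3_PORT = 20000           # IANA-registered port for DNP3

# IEC 60870-5-101/104 ASDU type identifications (standard values).
M_SP_NA_1 = 1               # single-point information (monitoring direction)
C_SC_NA_1 = 45              # single command (control direction)
C_IC_NA_1 = 100             # general interrogation command

# DNP3 application-layer function codes (standard values).
DNP3_READ = 0x01
DNP3_DIRECT_OPERATE = 0x05
DNP3_COLD_RESTART = 0x0D


@dataclass(frozen=True)
class Policy:
    """Assumed rule format: one allowlist per protocol; anything else is dropped."""
    iec104_type_ids: frozenset
    dnp3_function_codes: frozenset


def iec104_type_id(payload: bytes):
    """Return the ASDU type ID of an I-format APDU, or None for S/U-format
    frames, which carry no ASDU. Raises ValueError on malformed input."""
    if len(payload) < 6 or payload[0] != IEC104_START:
        raise ValueError("not an IEC 104 APDU")
    apdu_len = payload[1]                    # octets following the length field
    if apdu_len < 4 or len(payload) < 2 + apdu_len:
        raise ValueError("truncated IEC 104 APDU")
    if payload[2] & 0x01:                    # control octet 1, bit 0 set: S (01) or U (11) format
        return None
    if apdu_len < 4 + 6:                     # 4 control octets + 6-octet ASDU header (IEC 104 sizes)
        raise ValueError("I-format APDU without a complete ASDU header")
    return payload[6]                        # type identification is the first ASDU octet


def dnp3_function_code(frame: bytes):
    """Return the application-layer function code of a master's DNP3 link frame.
    Link header = 0x05 0x64, LEN, CTRL, DST(2), SRC(2), CRC(2): 10 octets; the
    first user-data block starts with the transport octet and the application
    control octet, so the function code is octet 12. CRC-16/DNP is not checked here."""
    if len(frame) < 13 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 frame")
    if frame[2] < 8:                         # LEN counts CTRL+DST+SRC (5) plus at least 3 user octets
        raise ValueError("DNP3 frame too short for an application header")
    if not frame[3] & 0x80:                  # DIR bit clear: sent by an outstation, not a master
        raise ValueError("not a master-to-outstation frame")
    return frame[12]


def decide(dst_port: int, payload: bytes, policy: Policy) -> str:
    """Classify one TCP payload travelling toward the RTU: 'PASS' or 'DROP'."""
    try:
        if dst_port == IEC104_PORT:
            type_id = iec104_type_id(payload)
            if type_id is None:              # STARTDT/TESTFR/S-frames keep the link alive
                return "PASS"
            return "PASS" if type_id in policy.iec104_type_ids else "DROP"
        if dst_port == DNP3_PORT:
            return "PASS" if dnp3_function_code(payload) in policy.dnp3_function_codes else "DROP"
    except ValueError:
        return "DROP"                        # malformed SCADA traffic never reaches the RTU
    return "DROP"                            # default deny for anything not inspected here


# Read-only policy for a spoke whose master may poll but never operate outputs.
READ_ONLY = Policy(
    iec104_type_ids=frozenset({C_IC_NA_1, M_SP_NA_1}),
    dnp3_function_codes=frozenset({DNP3_READ}),
)

# Constructed sample packets, not captured traffic. DNP3 CRC fields hold zeros.
SAMPLES = {
    "iec104_startdt": (IEC104_PORT, bytes.fromhex("68 04 07 00 00 00")),            # U-format STARTDT act
    "iec104_interrogation": (IEC104_PORT, bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14")),
    "iec104_single_command": (IEC104_PORT, bytes.fromhex("68 0E 02 00 02 00 2D 01 06 00 01 00 01 00 00 01")),
    "iec104_truncated": (IEC104_PORT, bytes.fromhex("68 0E 00 00 00 00 64")),       # length field lies
    "dnp3_read": (DNP3_PORT, bytes.fromhex("05 64 0B C4 01 00 0A 00 00 00 C0 C0 01 3C 02 06 00 00")),
    "dnp3_direct_operate": (DNP3_PORT, bytes.fromhex("05 64 0B C4 01 00 0A 00 00 00 C0 C1 05 0C 01 17 00 00")),
    "dnp3_cold_restart": (DNP3_PORT, bytes.fromhex("05 64 08 C4 01 00 0A 00 00 00 C0 C2 0D 00 00")),
}


def run_samples(policy: Policy = READ_ONLY) -> dict:
    """Apply the policy to every constructed sample and return the verdicts by name."""
    return {name: decide(port, pkt, policy) for name, (port, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:4} {name}")
```

Under the read-only policy, link supervision frames, the general interrogation and DNP3 READ pass, while the single command, DIRECT OPERATE and COLD RESTART are dropped, as is any APDU whose length field does not match the octets actually present. A production filter would additionally reassemble the TCP stream (an APDU may be split across segments) and validate the DNP3 CRCs before trusting any field.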
Diagnostics
SecFlow-1 provides extensive diagnostic tools to assist operators in fault
management:
• Counters and statistics per port
• LED diagnostics on the main interfaces
• RMON v1
• DDM
• Syslog
Physical description diagram (labels: console; cellular antenna; SIM card; 2 x serial ports (ports 1, 2); FE port; dry contact (DI/DO))
Serial Traffic
Incoming serial traffic is encapsulated into IP packets. The packets are transferred
out via the Ethernet ports or the cellular uplink.
Ethernet Traffic
Ethernet ports transfer UNI traffic. User traffic is routed to the network, or
(optionally) to L3 VPN. Ethernet traffic can also be routed to the cellular uplink
using NAT or VPN.
Cellular Uplink
SecFlow-1 has an integrated cellular modem. The cellular uplink transfers traffic
from the device to a remote hub.
1.5 Technical Specifications
Serial port type: RS-232
Cellular modem type: GPRS/UMTS/LTE
Power consumption: 8 W
Humidity: up to 95%
Danger of electric shock! Avoid any contact with the marked surface while the
product is energized or connected to outdoor telecommunication lines.
Protective earth: the marked lug or terminal should be connected to the building
protective earth bus.
Warning
LINE VOLTAGE
Before connecting the product to the power line, make sure the voltage of the
power source matches the requirements of the product, as marked on the label
located near the power connectors.
Caution
This equipment contains Electrostatic Discharge (ESD) sensitive components. Use
ESD protection before servicing or installing components of this system.
Caution
Changes or modifications made to this device that are not expressly approved by
the party responsible for compliance could void the user’s authority to operate
the equipment.
Caution
Remove the power cord from a power-supply unit before installing it in or removing
it from the device. Otherwise the power supply or the device could be damaged.
(The device can be running while a power supply is being installed or removed,
but the power supply itself must not be connected to a power source.)
Grounding
Warning
For your protection and to prevent possible damage to equipment when a fault
condition, e.g., a lightning stroke or contact with high-voltage power lines, occurs
on the lines connected to the equipment, the SecFlow-1 chassis must be properly
grounded (earthed) at all times. Any interruption of the protective (grounding)
connection inside or outside the equipment, or the disconnection of the
protective ground terminal, can make this equipment dangerous. Intentional
interruption is prohibited.
Warning
Before connecting this product to a power source, make sure to read the
Handling Energized Products section at the beginning of this manual.
Caution
SecFlow-1 does not have a power switch, and therefore starts operating as
soon as power is applied to one of the power supply inlets.
The external circuit breaker used to protect the input power line can be used as
an ON/OFF power switch, or an external ON/OFF switch may be installed.
Power
Available power input versions, their input voltage ranges and their power
consumption are shown in Table 2-1.
Table 2-1. Power Input Versions
Power input version | Input voltage range (VDC) | Power consumption (W)
24 VDC | 9-36 | 8
48 VDC | 36-60 | 8
Ambient Requirements
The ambient operating temperature range of the SecFlow-1 is -40 to 70°C
(-40 to 158°F), humidity up to 95%.
SecFlow-1 has no fans and is cooled mainly by free air convection. Cooling vents
are located in the bottom and upper covers. Do not obstruct these vents. Keep
10 cm distance from top and bottom between SecFlow-1 and any other nearby
device for proper cooling using natural air flow.
To mount SecFlow-1:
1. Place the device with the DIN rail guide on the upper edge of the DIN rail.
2. Snap it in with a downward motion.
To remove SecFlow-1 from the DIN rail:
2. Slide the device out and up at the lower edge of the DIN rail.
Caution Product installation must be vertical, with the device bottom side facing
downwards, to enable proper natural air flow.
Antenna Installation
The SecFlow-1 unit comes with two antennas.
For optimal signal performance, it is recommended to connect both the antennas
that come with the box.
The connectors are located on both sides of the device and designated ANT on
the bottom and MI/DV on the top panel. For reference, see Figure 2-3 below.
Note For the ordering option with the LTE North America modem, you must connect
both antennas; otherwise, the device will not work.
Note If you connect only one antenna, verify that it is connected to the bottom panel
(Ant.) connector.
Figure 2-3. SecFlow-1 panels (labels: PWR and RUN indicators; ANT antenna connector; CON console port; DRY CONT; +PWR− terminal; ETH1; ETH2 (SFP, Class 1 laser); serial ports S1, C1, S2; SIM1, SIM2; bottom panel: MI/DV and GPS connectors; grounding conductor 10 AWG)
Caution Do not remove the earth connection unless all power supply connections are
disconnected.
Protective earth: the marked lug or terminal should be connected to the building
protective earth bus.
Warning Before connecting any cables and before switching on this instrument, the
protective ground terminal of this instrument must be connected to the
protective ground conductor. Any interruption of the protective (grounding)
conductor (inside or outside the instrument) or disconnecting the protective
ground terminal can make this instrument dangerous. Intentional interruption is
prohibited.
SecFlow-1 has one power input, marked PWR. To wire the supply voltage, use the
supplied plug connector (see Figure 2-3 and Figure 2-5).
Caution Pay attention to polarity. For each source, connect the positive lead first, and the
negative lead second.
Note The supplied console cable is colored white. Do not connect the serial grey cables
supplied for the user serial port connection to the console port.
2. Place each wire lead into the appropriate TB plug terminal according
to Figure 2-6.
3. Tighten the terminal screws to close them.
4. Isolate the exposed terminal screws/wire leads using a plastic sleeve
or insulating tape to avoid a short circuit.
To turn on SecFlow-1:
1. Connect the SecFlow-1 to power (see detailed instructions in Chapter 2). The
PWR and RUN indicators light up and remain lit as long as the SecFlow-1 is
powered. The PWR indicator lights up immediately upon turning on, while the
RUN indicator lights up in about two minutes.
2. After startup ends, you may log in, using the supervision terminal.
3.2 Indicators
Figure 3-1 shows the front panel with serial and Ethernet interfaces. Table 3-1 to
Table 3-3 describe the functions of the SecFlow-1 LED indicators.
[Figure 3-1: SecFlow-1 front panel with the PWR, RUN, CONSOLE, S1, C1, S2, ETH1, ETH2, SIM1 and SIM2 indicators and the LASER CLASS 1 label.]
The table below displays the LED states of the serial ports.
The cellular modem has a LED indicator for each SIM slot to represent the SIM
card state. The list of LED states is displayed in the table below.
Modem Admin State SIM Admin State SIM Operation State LED
Enabled Ready ON
Enabled Connecting ON
Enabled Connected ON
3.3 Startup
Default Settings
The default SecFlow-1 configuration is held in the issnvram.txt file.
Table 3-4 details the features and interfaces default state.
SSH Enabled
Telnet Disabled
Syslog Disabled
ACLs Disabled
Firewall Disabled
VPN Disabled
Configuration Database
User configuration takes effect immediately upon entry; no commit is required
for it to apply. Use the commit command to save configuration changes so that
they remain in effect after a system reboot.
To remove all user configurations and set SecFlow-1 to the factory defaults:
SecFlow-1# delete startup-cfg
Completed OK, reboot to activate
SecFlow-1#
For additional operations with the configuration database, refer to Chapter 10.
4.1 Management
SecFlow-1 can be managed via the following methods:
• IP-based
• Serial console port
Setup
SecFlow-1 has an RS-232 port, designated CONTROL, terminated in an RJ-45
connector. The control port continuously monitors the incoming data stream and
immediately responds to any input string received through this port. You can use
any terminal emulation program (such as HyperTerminal or PuTTY) to manage
SecFlow-1 via the control port. The following procedure shows how to start a
terminal control session using HyperTerminal.
Note The supplied console cable is colored white. Do not connect the serial grey cables
supplied for the user serial port connection to the console port.
Login
Configuring the Login Authentication Method sets the authentication method for
user logins.
Default user of the system:
• Name: su
• Password: 1234
• Privileges: all
Default Configuration
Table 4-1 describes the management parameters default state.
SSH Enabled
Console Enabled
Application Configuration Environment (ACE): following user login, this mode is
available to the user. The prompt is SecFlow-1#. Exiting this mode, with the
command 'exit', logs you out from the system.
Standards
Relevant sections of RFC 1812.
Benefits
Service providers use ACLs to maintain network security by preventing malicious
traffic from entering the device. ACLs can be used to save network resources by
dropping unwanted packets.
When management data is marked via ACLs, service providers can apply various
traffic management techniques to the marked packets, such as allocating more
bandwidth to a certain traffic type.
Functional Description
Devices featuring ACLs can flexibly filter management traffic, by denying or
permitting IP packets to enter the host, according to the packet’s
source/destination address, protocol type, or other criteria.
ACL entries are sequentially numbered rules containing statements (Deny, Permit,
or Remark) and conditions. Remarks are free-text ACL entries used for
commenting and visually organizing ACLs.
• Each ACL has a unique identifier, acl number <1001-65535>.
• ACL may include one or more rules.
• Each rule represents a specific condition. Whether a packet matches this
condition determines whether it is forwarded or rejected.
• Each rule is assigned to a single specific ACL.
• Each rule must have a unique priority number, specified in the range from 1
to 255. The lower priority number represents the higher priority.
• The ACL checks a packet against its rules in priority order until the first
relevant rule is identified. The packet is then forwarded or rejected according
to this rule.
• An ACL rule may optionally be set to perform the redirect operation. This
operation redirects packets that match the rule to the IPS SCADA firewall.
Note When creating a new ACL, the system by default adds a rule that permits all
traffic that is not covered by the user configured rules.
Access Groups
• To activate ACL incoming packets filtering, assign it to the interface using the
Port Access Group (ACG) configuration option.
• ACG assigns the specific ACL to the specific interface.
• The same ACL cannot be assigned to different ACGs.
• Each ACG has a priority number, specified in the range from 1 to 255.
The lower priority number represents the higher priority.
• In case of multiple ACGs, the incoming packet is processed according to ACG
priorities until the first relevant ACG is identified. Then the packet is
forwarded/rejected (or optionally redirected).
Note The incoming packets that do not match any of the ACG criteria, are forwarded
by default.
ACL Functioning
• The ACL rule that denies ICMP, does not block TCP or UDP traffic.
• The ACL rule that denies TCP, does not block ICMP or UDP traffic.
• The ACL rule that denies UDP, does not block ICMP or TCP traffic.
• Deleting an ACL automatically removes the corresponding interface ACGs (if
any exist).
• A new rule can be added to an ACL that is already assigned to a port with an
ACG, with immediate effect. There is no need to reassign the ACL to the ACG.
• To delete a single rule of an ACL, the entire ACL must be deleted.
Configuring ACL
The ACL configuration tasks are performed at the ip access-list level.
To configure ACL:
1. Create an access control list.
2. Add deny and permit rules to the ACL.
3. Bind the ACL to a router interface.
4. Configure additional ACL parameters according to Table 4-3, if necessary.
Adding permit rules to an ACL
ip access-list extended permit tcp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
ip access-list extended permit udp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
ip access-list extended permit icmp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>}
Adding deny rules to an ACL
ip access-list extended deny tcp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
ip access-list extended deny udp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
ip access-list extended deny icmp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>}
Parameters of the permit and deny rules:
acl-num <1001-65535>: the ACL main identifier.
rule-name: optional name to describe the rule.
src-ip: any | <src-ip> | <src-ip/mask>. The source IP address can be 'any', the dotted decimal address, or the IP address of the host that the packet is from and the network mask to use with the source IP address.
dst-ip: any | host <dst-ip> | <dest-ip/mask>. The destination IP address can be 'any', the dotted decimal address, or the IP address of the host that the packet is destined for and the network mask to use with the destination IP address.
src-port: source port number.
dst-port: destination port number.
src-port-range: source port number range min:max.
dst-port-range: destination port number range min:max.
priority: this field determines the rules execution order. Higher value of filter priority implies it is executed first. This value ranges between 1 and 128.
Removing ACL from an interface
ip access-group remove {acl-num <1001-65535>} {interface [eth1| eth2| cellular]}
acl-num <1001-65535>: the ACL main identifier.
direction: supported direction is 'in'.
interface: choose the target interface.
priority: this field determines the ACL execution order. Higher value of ACL priority implies it is executed first. This value ranges between 1 and 128.
PC 1 sends UDP packets to the eth1 interface. ACGs receive and verify the
incoming packets in the following sequence:
• ACG with priority 10 verifies the packet with the ACL 1050 rules:
Rule 2 with priority 50 verifies the packet first. Since the rule is addressed
to the TCP packets, it does not take effect.
The packet is verified with Rule 1 addressed to ICMP and irrelevant to UDP
packet.
• The packet is verified with ACL 1010, Rule 2 (priority 30). Since the rule is
addressed to ICMP, it does not take effect.
• The packet is verified with the next Rule 1 (priority 80). This rule permits UDP
packet forwarding, so the packet is permitted.
Example 2
SecFlow-1# ip access-list extended create acl-num 1010
SecFlow-1# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip 192.168.1.250 dst-ip 192.168.1.101
SecFlow-1# ip access-list extended deny icmp acl-num 1010 priority 20 src-ip 192.168.1.250 dst-ip 192.168.2.101
SecFlow-1# ip access-list extended permit tcp acl-num 1010 priority 40 src-ip any dst-ip 192.168.2.101
SecFlow-1# ip access-list extended deny tcp acl-num 1010 priority 30 src-ip any dst-ip 192.168.1.101
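The evaluation order described in the ACL and Access Groups sections, modelled in Python as an added example (not RAD's code): it replays the Example 2 rules and the Example 1 walkthrough, and assumes that the lower priority number is checked first, that a rule applies only to its own protocol, that an ACL with no matching rule lets the next ACG check the packet, and that the implicit permit applies only after every ACG has been checked. The rule actions and priorities Example 1 does not state are constructed values.

```python
"""ACL and access-group (ACG) evaluation as described in the ACL sections above.

Added example, not RAD's code.  It models only what the text states: a rule
applies to its own protocol only, lower priority numbers are checked first
(the order the Example 1 walkthrough follows), the first matching rule decides,
an ACL with no matching rule lets the next ACG check the packet, and a packet
matching nothing is forwarded.  Actions and priorities that Example 1 does not
give are constructed values, marked below."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "icmp"
    priority: int                   # 1-255, lower number is checked first
    src_ip: str = "any"             # "any", a.b.c.d or a.b.c.d/e
    dst_ip: str = "any"
    dst_port: Optional[int] = None
    rule_name: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


@dataclass
class Acl:
    acl_num: int                    # 1001-65535
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        # Each rule must have a unique priority number within its ACL.
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError("duplicate rule priority %d in ACL %d" % (rule.priority, self.acl_num))
        self.rules.append(rule)


@dataclass
class Acg:
    acl: Acl
    interface: str                  # eth1, eth2 or cellular
    priority: int                   # 1-255, lower number is checked first


def _ip_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    # A deny for one protocol never touches the other protocols (ACL Functioning).
    if rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return _ip_matches(rule.src_ip, pkt.src_ip) and _ip_matches(rule.dst_ip, pkt.dst_ip)


def evaluate_acl(acl: Acl, pkt: Packet) -> Optional[Rule]:
    """Return the first matching rule in priority order, or None if no rule applies."""
    for rule in sorted(acl.rules, key=lambda r: r.priority):
        if _rule_matches(rule, pkt):
            return rule
    return None


def evaluate_interface(acgs: List[Acg], interface: str, pkt: Packet) -> Tuple[str, Optional[int], Optional[Rule]]:
    """Walk the ACGs bound to an interface in priority order; return (action, acl_num, rule).
    A packet that matches no rule in any ACG is forwarded by default."""
    bound = sorted((g for g in acgs if g.interface == interface), key=lambda g: g.priority)
    for acg in bound:
        rule = evaluate_acl(acg.acl, pkt)
        if rule is not None:
            return rule.action, acg.acl.acl_num, rule
    return "permit", None, None


def example2_acl() -> Acl:
    """ACL 1010 exactly as entered in Example 2."""
    acl = Acl(1010)
    acl.add(Rule("permit", "icmp", 10, "192.168.1.250", "192.168.1.101"))
    acl.add(Rule("deny", "icmp", 20, "192.168.1.250", "192.168.2.101"))
    acl.add(Rule("permit", "tcp", 40, "any", "192.168.2.101"))
    acl.add(Rule("deny", "tcp", 30, "any", "192.168.1.101"))
    return acl


def example1_acgs() -> List[Acg]:
    """The two ACGs on eth1 from the Example 1 walkthrough.  The rule actions in ACL 1050,
    the priority of its rule 1 (60) and the second ACG's priority (20) are constructed."""
    acl1050 = Acl(1050)
    acl1050.add(Rule("deny", "tcp", 50, rule_name="rule2"))
    acl1050.add(Rule("deny", "icmp", 60, rule_name="rule1"))
    acl1010 = Acl(1010)
    acl1010.add(Rule("deny", "icmp", 30, rule_name="rule2"))
    acl1010.add(Rule("permit", "udp", 80, rule_name="rule1"))
    return [Acg(acl1050, "eth1", 10), Acg(acl1010, "eth1", 20)]
```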
Software License
The firewall service is available by ordering the enhanced security license
SF-ESEC-LIC.
The license can be added only to the devices with the S ordering option. For
more information, refer to SecFlow-1 Data Sheet.
Activating the firewall
firewall tcp activate mode {disabled | enabled | simulate}
disabled: the firewall is disabled. Packets are not inspected.
enabled: packets are inspected and blocked in case of violation. Violations are logged.
simulate: packets are inspected but are not blocked in case of violations. Violations are logged.
2. Set the ACL in the 104 Client ETH1 port to send traffic to the firewall.
ip access-list extended
create acl-num 1102 acl-name fw2 redirect fw
permit tcp acl-num 1101 rule-name fw1 priority 12 src-ip 172.18.212.241/32
dst-ip 172.18.212.240/32
..
..
..
ip access-group apply acl-num 1102 interface eth2 direction in priority 10
Standards
TACACS+ Protocol Version 1.78 (IETF draft-grant-tacacs-02)
Benefits
Using TACACS+ allows you to:
• Facilitate centralized user administration
• Use TCP for transport to ensure reliable delivery
• Support inbound authentication, outbound authentication, and change
password request for the Authentication service
• Provide some level of protection against an active attacker
Factory Defaults
TCP Port 49
Retries 1
Functional Description
TACACS+ is a security application that provides centralized validation of users
attempting to gain access to a router or network access server. TACACS+ allows a
client to accept a username and password and send a query to a TACACS+
authentication server, sometimes called the TACACS+ daemon or simply TACACS+D.
Selecting the authentication type
login authentication {local | tacacs-only | tacacs-local}
local: TACACS is not used; authentication is based on the local database only.
tacacs-only: The TACACS server is used for authentication. If the server is unreachable, fallback to the local database is not supported.
tacacs-local: The TACACS server is used as the default for authentication. If the server is unreachable, fallback to the local database is supported.
Configuring the TACACS server
tacacs-server add {host <a.b.c.d.>} {retries (1,<1-10>} [timeout <5,(1-255)>] {port <49,(1-65535)>}
host <ipv4-address>: Configures the IPv4 address of the server (host).
port <tcp port (1-65535)>: Configures the TCP port number on which the multiple sessions are established. The value ranges between 1 and 65535; the default is 49.
retries <(1-10)>: The number of retries to connect to the host; the default is 1.
key <secret key>: Specifies the authentication and encryption key for all TACACS communications between the authenticator and the TACACS server. The value is a string of maximum length 64.
Length: 1-64 characters
May include lower case letters, upper case letters, and special symbols
Must include numbers
Symbols allowed: @#$%^&*()-+./<\`
Setting the default server
tacacs-server default host {host <a.b.c.d.>}
The default server must be preconfigured.
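A pre-deployment check for the two things in the TACACS+ tables above that most often lock an operator out: a shared key that violates the stated key policy, and the tacacs-only method when the server is unreachable. This is an added example, not RAD's code; the function names are assumptions and the symbol list is the page's list taken literally.

```python
"""TACACS+ shared-key policy check and login-method fallback model.

Added example, not RAD's code.  The key policy (1-64 characters, digits
required, letters and the listed symbols allowed) and the three login
authentication methods are the ones in the tables above; the function
names and the sample keys are constructed."""
from typing import List, Tuple

# The "Symbols allowed" list from the key description, taken literally.
ALLOWED_SYMBOLS = "@#$%^&*()-+./<\\`"


def validate_tacacs_key(key: str) -> List[str]:
    """Return the policy violations of a candidate key (empty list: acceptable)."""
    problems = []
    if not 1 <= len(key) <= 64:
        problems.append("length must be 1-64 characters")
    if not any(c.isdigit() for c in key):
        problems.append("must include at least one number")
    # Letters and digits are always fine; anything else must be in the allowed list.
    bad = sorted({c for c in key
                  if not (c.isascii() and c.isalnum()) and c not in ALLOWED_SYMBOLS})
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    return problems


def resolve_login(method: str, server_reachable: bool,
                  tacacs_accepts: bool, local_accepts: bool) -> Tuple[bool, str]:
    """Which database decides a login under each login authentication method.

    Returns (granted, decided_by).  With tacacs-only there is no fallback, so an
    unreachable server refuses every login, including the local su account."""
    if method == "local":
        return local_accepts, "local"
    if method not in ("tacacs-only", "tacacs-local"):
        raise ValueError("unknown login authentication method: %s" % method)
    if server_reachable:
        return tacacs_accepts, "tacacs"
    if method == "tacacs-only":
        return False, "none"
    return local_accepts, "local"
```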
IPSec configuration steps (SecFlow-2 and SecFlow-1):
Define IPSec
• Assign IP interface for user traffic: router interface create address-prefix <aa.bb.cc.dd/xx> vlan <Vlan ID> purpose general. The router interface is the source IP of the UDP packets.
• Assign IP interface towards the WAN router: router interface create address-prefix <aa.bb.cc.dd/xx> vlan <Vlan ID> physical-interface eth2. The router interface can be associated with a previously created VLAN.
Configuration steps (SecFlow-1A and SecFlow-1B):
Define device parameters
• Configure router interface: router interface create address-prefix vlan_id. The router interface is the source IP of the UDP packets. The router interface can be associated with a previously created VLAN.
Network Topologies
Transparent serial tunneling can be used in the following topologies:
• Point-to-point
• Point-to-multipoint
• Multipoint-to-multipoint
Point-to-Point Application
Figure 5-3 illustrates point-to-point service with the master and slave units
connected locally to the same router.
Figure 5-4 illustrates point-to-point service with the master and slave units
connected to separate routers.
Point-to-Multipoint Application
Figure 5-5 illustrates point-to-multipoint service with the master and slave units
connected locally to the same router.
The figure below illustrates point-to-multipoint service with the service-id group
members distributed on the network.
Multipoint-to-Multipoint Application
Figure 5-7 illustrates a typical multipoint-to-multipoint service.
Operation Modes
Byte Mode
The byte structure includes start-bit, data-bits, parity-bit, stop-bits. The
data-bits number may be from 5 to 8.
In the byte mode, the serial-processor collects received bytes and encapsulates
data in a UDP/TCP Ethernet frame.
The number of bytes collected to a single Ethernet packet is determined by the
following parameters:
• Bus idle time
• Allowed latency
Frame mode
A frame is a group of bytes sent by the customer equipment (CE) as a complete
message.
In the frame mode, the serial-processor uses the bus-idle-time parameter to
distinguish between frames. Each frame is encapsulated in a separate UDP|TCP
packet.
UDP
Serial data is encapsulated in UDP/IP frames.
UDP is the default connection mode of a buffer-mode service whose buffer mode
is byte.
TCP
Serial data is encapsulated in TCP/IP frames.
This mode ensures higher end-to-end connection availability and traffic
validation.
TCP is the default connection mode of a buffer-mode service whose buffer mode
is frame.
Rx counters
• Switch 1 – the counter increases when CE1 transmits data. Data is received
by the serial processor via the S1 interface and updates the counters
• Switch 2 – counters are not updated
Tx counters
• Switch 1 – counters are not updated
• Switch 2 – CE1 Data is received via the Ethernet network to Router 2 and to
the serial processor. The serial processor transmits the data to CE2 over the
S1 interface and increases the Tx counters
Allowed Latency
Allowed latency is the maximum period of time during which the serial processor
accumulates data transmitted from CE1 before closing an Ethernet packet and
sending it over the network.
This parameter is measured in milliseconds and refers to a round-trip delay.
It reflects only the serial processor data collecting time and does not include
the network latency.
Tx Delay
Tx delay is set in bits. It determines the delay the serial processor waits
before transmitting serial data to the port.
The Tx delay time is calculated from the number of bits and the selected baud
rate.
• Switch1 – since the serial processor only receives serial data, the Tx delay is
not applicable
• Switch2 – the Ethernet encapsulated serial data is received by the Router 2
serial processor and, when the Tx delay time has expired, is transmitted to CE2
via the S1 interface
Byte Mode
In the byte mode, end of byte is denoted by the stop bits. Bus idle time is not
applicable at this mode.
Frame Mode
• The Switch1 serial processor accumulates serial data transmitted from CE1
until it detects a silence lasting at least the bus idle time.
• The Switch2 serial processor transmits serial frames to CE2, keeping an
inter-frame interval equal to the bus idle time.
[Figure: point-to-point serial tunneling example. Two SecFlow-1 units, A and B (172.18.212.230 and 172.18.212.231), one master and one slave, each with an RS-232 device on S1 and connected via ETH2 across a network cloud on VLAN 100. The commands below show the serial port and local end point configuration on the master and on the slave.]
Master:
serial port create slot 1 port 1 baudrate 9600 parity even mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application serial-tunnel position master
Slave:
serial port create slot 1 port 1 baudrate 9600 parity even mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application serial-tunnel position slave
[Figure: point-to-point serial tunneling between a SecFlow-1 and a SecFlow-2 (master and slave), each with an RS-232 device on S1, connected across a network cloud via ETH2 and port 0/1 on VLAN 100.]
6.2 IP Interfaces
SecFlow-1 supports multiple Layer 3 interfaces to be set for the purposes of:
• Routing
• Management
• Serial services
IP Interfaces
The following services require assignment of an IP interface.
• DHCP client
• Management
• Ping
• Trace route
• OSPF
• RIPv2
• TFTP client
• Serial tunneling
• Terminal server
• Protocol gateway
• L3 DMVPN
• IPSec
IP Interface VLAN ID
When an IP interface is assigned a VLAN ID, it supports VLAN tagging. Such an
interface accepts only packets tagged with the corresponding VLAN tag.
Packets transmitted by such an interface do not carry a VLAN tag.
Note Use IP interface VLAN assignment when the network supports VLAN tagging and
service segregation is required.
Router IP Interface X X X
Serial Port X X X
IEC-101 Gateway X
Terminal Server X
Table 6-4 specifies the relevant configuration options of the different application
modes.
baudrate X X X
databits X X X
stopbits X X X
allowed-latency X X X
bus-idle-time X X X
parity X X X
dtr-dsr X
rts-cts X
local-dsr-delay X
local-cts-delay X
Command Description
serial
Access the serial configuration hierarchy. Configuration for ports, local-end-point, and remote-end-point is available here.
  service show
  Provides the configuration state of a serial service.
  local-end-point filter show
  Provides the detailed configuration state of an iec101 serial tunneling service.
  card
  Auto-recover: allows automatic recovery when identifying continuous loss of the serial infrastructure keep-alive (between the serial processor and the Ethernet processor).
  • Enable: auto recovery will reboot the process.
  • Disable: no action taken.
  • Show: show state
  Show: display the version and the provision state of the serial processor.
  port slot 1 port <>
  Create/update the serial port.
    clear counters
    Clear counters.
    create | update
    Slot: 1 (constant)
    Port: port number 1-2
    Baud rate: 300, 600, 1200, 2400, 4800, 9600, 19200
    Parity: no, odd, even
    Stopbits: 1, 2
    admin-status: up | down. Default = up.
    Mode of operation: transparent
    bus-idle-time: number of total serial bits received over the local serial link to be considered as a single message.
    allowed-latency: given in msec, this value describes the allowed network latency. It affects the time the device is allowed to delay before transmitting UDP|TCP packets. The higher the value, the more serial frames can accumulate into a single UDP|TCP packet. The default value is 10 msec, which corresponds to a maximum of 3 bytes of serial data packed into a single UDP|TCP packet (at a 9.6 kbps rate).
    tx-delay: given in msec, this value describes the allowed tx-delay.
    bus: bus options are RS232 or RS485
    remove
    Slot: 1 (constant)
    Port: port number 1-2
    show
  local-end-point
    create
    Slot: 1 (constant)
    Port: port number 1-2
    Service id: numeric value of the serial service.
    Position: Master (point to multipoint) | Slave (point to multipoint)
    Application: Serial-tunnel (default) | Terminal-server | iec101-gw | modbus-gw
    buffer mode: byte (default) | frame
    protocol: any (default) | modbus_rtu | iec101
    iec101-link-address: set the IEC 101 link address. Applicable when 'application'='iec101-gw' and 'protocol'='iec101'. <0-65535>
    iec101-link-address-len: set the IEC 101 link address length. Applicable when 'application'='iec101-gw' and 'protocol'='iec101'. <1|2> bytes. Default is 2.
    iec101-originator-address: set whether the 'originator' field is included in the IEC 101 message. This determines whether the Cause Of Transmission is 1 byte or 2 bytes in size. If 'present', COT=2. If 'none', COT=1.
    unit-id: set the IEC 101 unit ASDU address. Applicable when 'application'='iec101-gw' and 'protocol'='iec101'. <0-65535>
    unit-id-len: set the IEC 101 ASDU address length. Applicable when 'application'='iec101-gw' and 'protocol'='iec101'. <1|2> bytes. Default is 2.
    remove
    Slot: 1 (constant)
    Port: port number 1-2
    Service id: numeric value of the serial service.
    Position: Master (point to multipoint) | Slave (point to multipoint)
    Application: Serial-tunnel (default) | Terminal-server | iec101-gw | modbus-gw
    show
  remote-end-point
  Defines the remote end points in a transparent serial tunneling service.
    create
    remote-address: IPv4 address A.B.C.D
    Service id: numeric value of the serial service. <1-100>
    Position: Master | Slave
    Connection mode: udp (default) | tcp
    Buffer mode: byte (default) | frame
    remove
    Address: IPv4 address A.B.C.D
    Service id: numeric value of the serial service.
    show
Port Declaration
The example below shows the serial port declaration:
+ root
serial
Port create slot 1 port 1
Port create slot 1 port 2
..
commit
Default State
The serial ports default state is non-configurable.
[Table: serial port default state, with columns tx delay, start delim, stop delim, admin, svc id, sync1 bits, sync2 bits, rts-cts, dtr-dsr, local Cts, local Dsr; the rows did not survive extraction.]
RS-232 Port
The SecFlow-1 RS-232 ports are terminated with RJ-45 connectors.
For CBL-RJ45/DB9/NULL Cable Pinout refer to Appendix A.
See Appendix A for the serial port pin assignment.
Note The serial control lines are not supported in the current version.
RS-485 Port
The RS-485 ports are RJ-45 ports. Four-wire mode is supported.
See Appendix A for serial port pin assignment.
LED State
SecFlow-1 serial port has a LED indicator to display its current status. See
Indicators in Chapter 3 for the serial port LED state description.
Note The quality echo tests are applicable when SIM card status is CONNECTED and the
retry-threshold-reload counter is reset. Quality tests do not affect this counter.
Note If a single SIM card is used and the continuous-echo test fails, this triggers a
cellular modem refresh. If the modem is in the status CONNECTED but the echo
test fails to meet the configured criteria (ping loss/RTT), the router
refreshes the modem.
Note The modems support two SIM cards for redundancy and backup between two
Internet service providers.
LTE Modem
The following two ordering options are available for the LTE modem:
• European type frequencies and bands
• North American frequencies and bands
In both cases, the modem supports LTE (in their respective bands) and
GSM/GPRS/EDGE.
Note The SecFlow-1 unit comes with two antennas. Both antennas must be connected.
The device will not work with only one antenna.
The table below presents the bands supported per ordering option.
GPRS/UMTS Modem
The following cellular modes and radio bands are supported:
• 3G UMTS/HSDPA, cat 5/6, triple band 2100/1900/900 MHz
NAT
router nat dynamic create interface-name ppp0 description CELL
Method of Operation
On the SecFlow-1 spoke side, a simple cellular modem configuration suffices for
the spoke to connect to the ISP in order to retrieve an IP address using the PPP
protocol. Authentication vis-a-vis the ISP is performed by means of the SIM cards
and PAP protocol. Depending on the ISP service, this IP can either be private
behind NAT or public.
The cellular connection is typically used with the following services:
• DMVPN
• NAT
VPN Application
When the IP address is retrieved and the VPN is configured, the spoke initiates
the NHRP request for registration in the Hub.
The hub must have a static address (not cellular) in a network that is routable
from the IP addresses allocated by the cellular ISP to the cellular spokes. If the
network cloud is public (for example, the Internet), the hub must have a public
static IP address.
On its interface, the hub listens to NHRP requests from the spoke and allows the
VPN to be established, pending authentication.
A hub must have a fixed connection to the network; it may not be connected
with the cellular modem as a spoke.
2. The status of the cellular modem is enabled, and the properties of the SIM
cards are configured. SIM card 1 is connected and has the status CONNECTED.
SIM card 2 is configured and has the status READY.
cellular enable
cellular wan update admin-status enable apn-name internetg sim-slot 1
operator-name radcell user-name guest password guest
Command Description
continuous-echo Configure ICMP traffic test to validate network connectivity to a remote host.
The test sets two options of triggers to be used by the application watchdog:
round trip delay and percentage of lost ICMP messages sent.
A test is determined by a configurable number of ICMP requests. The average RTT
is then calculated.
These two conditions are sufficient triggers for a cellular watchdog.
Command Description
settings update
  quality check: time interval in seconds for the internal RSSI check of the active SIM. <0-604800>. 0 disables the RSSI check.
  backoff1: minimum time to stay on a SIM after any failover. <sec, 10-600>
  backoff2: minimum time to stay on a SIM if the caveat flag is set. This flag is set if there was already a failure in the last 2 hours. <sec, 10-600>
  wait-to-restore: maximum time allowed to stay on the non-preferred SIM.
  default-route: sets the cellular interface as the default gateway for the application IP interfaces. {yes | no}
  lcp-echo-interval: LCP protocol test of connectivity towards the connected ISP. Interval between tests of 1 to 600 seconds. 0 disables the test.
  lcp-failure: number of failed LCP echo tests. <1-64>
update retry-threshold-reload <0-30>
  Sets a router reload after a configurable number of failed attempts to establish Connected status of the cellular modem. Any configuration that was not committed is not saved after the reload.
Command Description
network show Show connection time and RSSI per SIM card
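The cellular watchdog decisions described in the continuous-echo and settings update rows above, as an added example (not RAD's code): the echo test fires on either the average RTT or the loss percentage, backoff2 replaces backoff1 while the 2-hour caveat flag is set, wait-to-restore caps the stay on the non-preferred SIM, and retry-threshold-reload counts failed connection attempts. The threshold parameter names, the sample RTT lists and the reading of retry-threshold-reload 0 as "disabled" are assumptions.

```python
"""Cellular watchdog decisions for the SecFlow-1 dual-SIM settings above.

Added example, not RAD's code.  The 2-hour caveat window and the meaning of
backoff1, backoff2, wait-to-restore and retry-threshold-reload come from the
text; the RTT/loss threshold names, the sample measurements and treating
retry-threshold-reload 0 as disabled are constructed assumptions."""
from typing import List, Optional, Tuple

CAVEAT_WINDOW_S = 2 * 3600      # "a failure in the last 2 hours" sets the caveat flag


def echo_test(rtts_ms: List[Optional[float]], max_avg_rtt_ms: float,
              max_loss_pct: float) -> Tuple[bool, float, float]:
    """Evaluate one continuous-echo test over a configured number of ICMP requests.

    None marks a lost reply.  Returns (failed, avg_rtt_ms, loss_pct); the test fails
    when either trigger (average RTT or loss percentage) exceeds its threshold."""
    if not rtts_ms:
        raise ValueError("a test needs at least one ICMP request")
    answered = [r for r in rtts_ms if r is not None]
    loss_pct = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    avg_rtt = sum(answered) / len(answered) if answered else float("inf")
    failed = loss_pct > max_loss_pct or avg_rtt > max_avg_rtt_ms
    return failed, avg_rtt, loss_pct


def min_dwell_s(now_s: float, last_failure_s: Optional[float],
                backoff1_s: int, backoff2_s: int) -> int:
    """backoff2 applies while the caveat flag is set, i.e. a failure occurred within
    the last 2 hours; otherwise backoff1 applies."""
    caveat = last_failure_s is not None and now_s - last_failure_s < CAVEAT_WINDOW_S
    return backoff2_s if caveat else backoff1_s


def may_fail_over(now_s: float, sim_since_s: float, last_failure_s: Optional[float],
                  backoff1_s: int, backoff2_s: int) -> bool:
    """A failed echo test may switch SIM only after the minimum dwell time on the current SIM."""
    return now_s - sim_since_s >= min_dwell_s(now_s, last_failure_s, backoff1_s, backoff2_s)


def must_restore(now_s: float, on_preferred_sim: bool,
                 non_preferred_since_s: float, wait_to_restore_s: int) -> bool:
    """wait-to-restore caps the time allowed on the non-preferred SIM."""
    return (not on_preferred_sim) and now_s - non_preferred_since_s >= wait_to_restore_s


def should_reload(failed_connect_attempts: int, retry_threshold_reload: int) -> bool:
    """Router reload after the configured number of failed attempts to reach Connected
    status (0 assumed to disable the reload)."""
    return 0 < retry_threshold_reload <= failed_connect_attempts
```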
Default Status
The default cellular modem status is disabled. The table below specifies the
default status properties.
The cellular modem has a LED indicator for each SIM slot to represent the SIM
card state. For details on the LED states see Chapter 3.
cellular enable
commit
cellular refresh
Technical Specification
Apply a 6-12 VDC source to the digital input (terminals 6, 4 for channel 1, or
terminals 5, 4 for channel 2).
Digital outputs are the dry relay contacts. Maximum power to be applied to these
contacts is:
• 250 VAC, 37.5W
• 220 VDC, 30W
The maximum current through the contacts is 1A.
Modes of Operation
The IEC 101/104 gateway supports the two IEC 101 device operation modes defined
by the standard.
Balanced Mode is illustrated in Figure 8-3. Up to 24 unique IEC-101 servers can
be supported by each single gateway.
Network configuration:
• Point-to-point
• Multiple point-to-point
• Multipoint-party line (planned)
Physical layer: monitor and control traffic transmission speed 300-38400 bps
Transmission format:
• One octet
• Two octets (with originator address)
Functional Description
The IEC 101/104 gateway can be configured with the system's CLI or as part of an
IEC 104 network-wide service-group in the iSIM service management tool.
This configuration includes the following parameters:
• Application IP address – the application module must be configured with an IP
address and associated with the uplink traffic VLAN. This application IP
interface acts in the Ethernet network as the IEC 104 server and represents
all the IEC 101 devices connected locally to the router towards the IEC 104
clients.
• Optional remote IP addresses - when configuring the IEC 104 service-group,
the IEC 104 clients IP addresses should be provided to enable the proper
service-aware firewall rules definition.
• IEC 101 device parameters - the physical link properties (baud-rate, parity,
stop bits) should be configured for the serial interfaces. Besides this, the
IEC 101 addressing information should be provided, and the devices have to
be assigned to the IEC 104/101 gateway.
Command Description
config
  topology: Balanced (default), for the balanced topology of 101 servers.
  Ip_addr: IP address of a chosen application IP interface. The IP interface must be configured prior to being used by the gateway. Note: Changing this field requires reloading the unit.
iec101 create | update | remove
  Slot, Port: physical interface to which the 101 slave is connected.
  asdu_addr: Common Address of ASDU. Usually it should be configured as the ASDU address of the IEC101 server, unless a translation service is required. In the latter case, it should be configured as the address which is set at the 104 client for the server. A decimal value of 1-255 or 1-65534 is allowed, depending on whether 'common_address_field_length' is set to one byte or two.
  common_address_field_length: length in bytes of the Common Address of ASDU. Permissible values are one or two bytes. Should be identical to the configuration at the IEC 101 server.
  translated_cmn_addr: used when a translation service is required for the common address of ASDU. The value should be identical to the actual common address of the IEC101 server. A decimal value of 1-255 or 1-65534 is allowed, depending on whether 'common_address_field_length' is set to one byte or two.
  link_addr: should be configured as the link address of the 101 slave. A decimal value of 1-255 or 1-65534 is allowed, depending on whether 'link_address_field_length' is set to one byte or two.
  link_address_field_length: length in bytes of the Link Address. Permissible values are one or two bytes. Should be identical to the configuration at the 101 slave.
  orig_addr: should be configured as the originator address set at the 101 slave.
  orig_addr_participate: y|n to indicate whether the 101 slave uses the originator address field. Should be identical to the configuration at the 101 slave. The size of the Cause Of Transmission (COT) is influenced by this configuration: 'y': COT will be 2 bytes in size; 'n': COT will be 1 byte in size.
  dir_bit: y|n are permissible values. Should be opposite to the configuration at the 101 slave. Relevant in Balanced mode only.
  single_char: y|n are permissible values. Should be configured identical to the 101 slave configuration. Relevant in Balanced mode only.
  ioa_len: IO object address length. Permissible values are 1|2|3 bytes. Should be identical to the configuration at the 101 slave.
2. Configure the serial port properties. The mode-of-operation field must be set
to transparent. The port properties (baud rate, parity, stop bits, data bits
etc.) must be identical to the IEC 101 server port, connected to SecFlow-1.
serial port create slot 1 port 1 mode-of-operation transparent baudrate 9600
parity even
3. Create the port local serial service. The application field must be iec101-gw.
serial local-end-point create slot 1 port 1 service-id 1 application iec101-gw
4. Configure the gateway operation mode and select the ACE interface. The corresponding IP interface should be prepared beforehand.
iec101-gw config gw update mode balanced ip_addr 192.168.10.11
5. Configure the gateway properties so that they are compatible with the IEC 101 server settings.
iec101-gw config iec101 create slot 1 port 1 asdu_addr 1 orig_addr 0 link_addr
27 link_address_field_length 2 common_address_field_length 2
orig_addr_participate y
commit
101-104 ROUTER
BALANCED MODE
IEC 104:
+---------------+------------+------------+----------+----+----+----+----+
| IP | ORIG. ADDR | CLOCK SYNC | TIME TAG | T0 | T1 | T2 | T3 |
+===============+============+============+==========+====+====+====+====+
| 192.168.10.11 | 0 | n | n | 30 | 15 | 10 | 20 |
| 192.168.10.10 | 0 | n | n | 30 | 15 | 10 | 20 |
+---------------+------------+------------+----------+----+----+----+----+
IEC 101:
+------+------+-------+----------+---------+--------------+----------+---------+---------+---------+---------+----------+
| SLOT | PORT | OP ST | LINK ADR | CMN ADR | CONV CMN ADR | LINK LEN | CMN LEN | COT LEN | IOA LEN | SRC IOA | CONV IOA |
+======+======+=======+==========+=========+==============+==========+=========+=========+=========+=========+==========+
| 1    | 1    | UP    | 27       | 1       | 0            | 2        | 2       | 2       | 3       |         |          |
+------+------+-------+----------+---------+--------------+----------+---------+---------+---------+---------+----------+
+------+------+-----------+------+---------+---------+---------+----------+---------+---------+----------+-----------+
| SLOT | PORT | ORIG. ADR | S CH | DIR BIT | TEST FR | GEN INT | TIME TAG | COT LEN | IOA LEN | CMN (UB) | LINK (UB) |
+======+======+===========+======+=========+=========+=========+==========+=========+=========+==========+===========+
| 1    | 1    | 0         | y    | AUTO    | y       | n       | n        | 2       | 3       | 1        | 27        |
+------+------+-----------+------+---------+---------+---------+----------+---------+---------+----------+-----------+
SecFlow-1#
8.5 IPsec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol
(IP) communications by authenticating and/or encrypting each IP packet of a
communication session.
Applications
IPsec should be configured when one of the following VPN types is used:
• DMVPN: IPsec is mandatory
• IPsec-VPN: IPsec is mandatory
Authentication Header
The IP Authentication Header (AH) is used to provide connectionless integrity and
data origin authentication for IP datagrams. The AH is supported for IKE phase 2
(transport, tunnel). No specific configuration required.
Security Associations
A Security Association (SA) is a relationship between two or more entities that
describes how the entities utilize security services to communicate securely.
These entities are the VPN Hubs and Spokes.
This relationship is represented by a set of information that can be considered as
a contract between the entities. The information must be agreed and shared
between all the entities.
ISAKMP provides the protocol exchanges to establish a security association between negotiating entities, followed by the establishment of a security association by these negotiating entities on behalf of ESP/AH.
ISAKMP
ISAKMP provides a framework for authentication and key exchange, and is
designed to be key exchange independent; protocols such as Internet Key
Exchange and Kerberized Internet Negotiation of Keys provide authenticated
keying material for use with ISAKMP.
An initial protocol exchange allows a basic set of security attributes to be agreed
upon. This basic set provides protection for subsequent ISAKMP exchanges. It
also indicates the authentication method and key exchange that will be
performed as part of the ISAKMP protocol. After the basic set of security
attributes has been agreed upon, initial identity authenticated, and required keys
generated, the established SA can be used for the protection of the VPN tunnels.
ISAKMP protects against denial of service, replay/reflection and
man-in-the-middle. These types of attacks are targeted against protocols.
A security association (SA) is a set of policy and key(s) used to protect
information. The ISAKMP SA is the shared policy and key used by the negotiating
peers in this protocol to protect their communication.
ISAKMP uses the Internet Key Exchange (IKEv1) for the authentication and
encryption establishment.
IKE
IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication, either pre-shared or distributed using DNS (preferably with DNSSEC), and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be maintained manually.
ISAKMP Phase 1
In Phase 1 two ISAKMP VPN peers establish a secure, authenticated
communication channel named ISAKMP Security Association (SA) or IKE Security
Association.
The authentication is supported using Pre-Shared Keys or Digital Signatures
(X.509).
Note The use of IPsec with x.509 is only possible when the ike-phase1-mode is set to
aggressive.
Authentication
Note The URL of X.509 certificate should contain no more than 64 characters.
Handling Certificates
SCEP (Simple Certificate Enrollment Protocol) is widely accepted as a simple means of handling certificates in large-scale implementations.
The protocol supports the following general operations:
• CA public key distribution
• Certificate enrollment
• Certificate renewal/update
• Certificate query
• CRL query
5. Update the IPsec ISAKMP to use the certificate instead of the PSK.
ipsec isakmp update authentication-method rsasig
Note The IPsec ISAKMP parameter my-id is not of importance when using certificates as the authentication method.
Exchange Modes
Main Mode
Main mode is the Phase 1 option with the higher security level, since it includes identity protection.
The session process is as follows:
• To start the session, the initiator sends a proposal to the responder describing which encryption and authentication protocols are supported, the lifetime of the keys, and whether Phase 2 perfect forward secrecy is required (if present). The proposal may contain several offerings.
The responder selects the required options and replies to the initiator.
• The next exchange carries the Diffie-Hellman public values and other data. All further negotiation is encrypted within the IKE SA.
• The third exchange authenticates the ISAKMP session. Once the IKE SA is established, IPsec negotiation (Quick Mode) begins.
IKE Main mode is not applicable to applications with dynamic VPN IP addresses (for example, a cellular spoke retrieving a dynamic IP address from the ISP over its PPP interface).
In Main mode, the PSK must be in IP address form and must use the VPN network addresses of the parties.
Note In applications with VPN over a cellular link, the Main mode is not applicable. Use
the Aggressive IKE mode in such applications.
Aggressive Mode
In Aggressive mode, the negotiation is faster since the session is completed in three messages only. The disadvantage of this mode is that the peer's identity is not protected.
The first two messages negotiate the policy, exchange the Diffie-Hellman public values and the auxiliary data required for the exchange, and exchange identities. The second message authenticates the responder. The third message authenticates the initiator and confirms participation in the exchange.
• The initiator sends a request with all the required SA information.
• The responder replies with its authentication and ID.
• The initiator authenticates the session in the follow-up message.
In Aggressive mode, the PSK may be in either IP address or FQDN form. The PSK does not have to be the actual IP address, since it is treated as text (in IP address format) and not as a valid IP address.
Note In applications with VPN over a cellular link, the Aggressive IKE mode is
mandatory. The PSK may be in IP or FQDN format.
Settings Structure
ISAKMP Phase 1 configuration includes the following parameters:
• Authentication method (PSK, X.509)
• Diffie–Hellman key exchange group (a.k.a. Oakley groups)
• IKE exchange mode
Main
Aggressive
• Encryption algorithm
Advanced Encryption Standard (AES): symmetric algorithm, 128- and 256-bit key size options
Triple Data Encryption Algorithm (3DES): comprises three DES keys, K1, K2 and K3, each of 56 bits
• Authentication (hash) algorithms
Secure Hash Algorithm SHA-1 (160 bit)
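The Phase 1 exchanges described above end with both peers holding identical keying material although neither the PSK nor the shared secret ever crosses the link. The following Python block is an added example, not code from the manual or from RAD: it computes the RFC 2409 derivations for pre-shared key authentication with the SHA-1 prf, that is SKEYID and the SKEYID_d, SKEYID_a and SKEYID_e keys, on both sides of a Diffie-Hellman exchange, and shows that a PSK mismatch yields different keys on the two peers. It uses a constructed toy group (the prime 2^127 - 1 with generator 3) in place of the Oakley MODP group a real peer negotiates through the dh-group setting; the cookie, nonce and PSK values are also constructed.

```python
"""IKEv1 Phase 1 keying material (RFC 2409, section 5) for pre-shared key
authentication: a Diffie-Hellman exchange followed by the SKEYID derivations,
computed independently by both peers."""
import hashlib
import hmac
import os

# Toy Diffie-Hellman group, constructed for this example only: the Mersenne
# prime 2**127 - 1 with generator 3. A real IKE peer negotiates one of the
# Oakley MODP groups (the "dh-group" setting), which are far larger.
P = (1 << 127) - 1
G = 3
SECRET_LEN = 16  # bytes needed to hold any value below 2**127


def prf(key, data):
    """RFC 2409 prf for the SHA-1 hash setting is HMAC-SHA1 (20-byte output)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x in [2, P-2] and public value g^x mod p."""
    x = 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """g^xy mod p as a fixed-width byte string (both sides must encode it identically)."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside the group")
    return pow(peer_public, x, P).to_bytes(SECRET_LEN, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID for PSK authentication and the three keys derived from it."""
    skeyid = prf(psk, ni + nr)                                        # prf(psk, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # Phase 2 key material
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # ISAKMP SA integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # ISAKMP SA encryption
    return {"skeyid": skeyid, "skeyid_d": skeyid_d,
            "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def run_exchange(psk_initiator, psk_responder):
    """Simulate both peers; cookies, nonces and DH public values are what goes on the wire."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)   # ISAKMP header cookies
    ni, nr = os.urandom(16), os.urandom(16)       # nonces
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    # Each side combines its own private exponent with the peer's public value.
    initiator = phase1_keys(psk_initiator, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    responder = phase1_keys(psk_responder, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    return initiator, responder


if __name__ == "__main__":
    a, b = run_exchange(b"example-psk", b"example-psk")
    print("matching PSK, peers agree on SKEYID_e  :", a["skeyid_e"] == b["skeyid_e"])
    a, b = run_exchange(b"example-psk", b"wrong-psk")
    print("mismatched PSK, peers agree on SKEYID_e:", a["skeyid_e"] == b["skeyid_e"])
```

The three derived keys serve different purposes (SKEYID_d seeds the Phase 2 keys, SKEYID_a protects ISAKMP message integrity, SKEYID_e encrypts ISAKMP messages), which is why the derivation mixes in a distinct trailing byte for each; the phase1-hash-algo setting selects the prf used here and the phase2 settings select the algorithms later keyed from SKEYID_d.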
ISAKMP Phase 2
This phase includes the SA negotiation to secure the VPN GRE data using IPsec.
Modes
SecFlow-1 supports the Transport mode between end-stations running IPsec (the
VPN parties).
Settings Structure
ISAKMP Phase 2 configuration includes the following parameters:
• Supported mode
Transport (yes)
Tunnel (no)
• Authentication (hash) algorithms
Secure Hash Algorithm SHA-1 (160 bit)
Secure Hash Algorithm SHA-2 (256 | 512 bit)
Message Digest (MD5) (128 bit)
• Perfect Forward Secrecy (PFS) type
• Encryption algorithm
Advanced Encryption Standard (AES): symmetric algorithm, 128- and 256-bit key size options
Triple Data Encryption Algorithm (3DES): comprises three DES keys, K1, K2 and K3, each of 56 bits
• Lifetime
Soft: hard coded. When this threshold value is reached, IKE starts a new Phase 2 exchange.
Hard: an SA which exceeds this threshold value is discarded.
Phase 1
Authentication method {pre_shared_key | rsasig}
Diffie–Hellman key exchange Group (dh-group)
Internet Key Exchange mode (ike-phase1-mode)
Encryption Algorithm (phase1-encryption-algo)
Hash Algorithm (phase1-hash-algo)
Life Time (phase1-lifetime)
Phase 2
Perfect Forward Secrecy (pfs-group)
Encryption Algorithm (phase2-encryption-algo)
Authentication Algorithm (phase2-auth-algo)
Life Time (phase2-lifetime)
IPsec Policy
Name (notes)
Source address (src-address-prefix)
Destination address (dst-address-prefix)
Source protocol port (src-port)
Destination protocol port (src-port)
Protocol (protocol)
Preshared Keys
Key : (key)
Own PSK id : (id)
Partner PSK id : (id)
Partner PSK id : (id)
Certificates X.509
Import crt file (flush-sa proto)
Import key file (rsa-signature import)
Activate certificate file (rsa-signature activate)
Certificate name (rsa-sig-name)
Command Description
rsa-signature import Import the X.509 certificate file and key file to
the application from a connected USB drive or
TFTP /SFTP servers.
These files are mandatory for IPsec to encrypt
using X.509 certificates.
These files are not required if IPsec is used with
preshared keys.
show rsa-signature list Show the files available
Command Description
Permissible range: 2-20 (default is 5)
dpd-retry Dead Peer Discovery maximum retry attempts. A retry is initiated after a failure at “dpd-maxfail”. Permissible range: 1-20 (default is 5)
log-level Syslog warnings levels to be logged.
error
warning
notify
info (default)
debug
debug2
my-id Own preshared ID. Depending on the “id-type” setting, my-id can be in either domain name format or IPv4 format.
If “id-type” is set to “none”: there is no need to set a value in “my-id”, as a valid IP address is used automatically.
If “id-type” is set to “fqdn”: “my-id” should be set in domain name format, for example:
* Spoke.radiflow.com
id-type Sets the form used for the IPsec local ID.
none: the unit's own preshared ID is the default IP interface.
address: this option is not supported in the current version.
fqdn: the unit's own preshared ID is in domain name format, for example spoke.radiflow.com.
default: none
ike-phase1-mode Internet Key Exchange mode type use for
Phase 1.
Aggressive (default)
main
phase1-encryption-algo Encryption Algorithm used for phase 1.
3des
aes-128 (default)
aes-256
phase1-hash-algo Hash Algorithm used for phase 1.
md5
sha1 (default)
sha256
sha512
phase1-lifetime The lifetime of the key generated between the
stations.
180-946080000 sec.
Default is 86400
phase2-auth-algo Authentication Algorithm for phase 2.
hmac_md5 (default)
hmac_sha1
hmac_sha256
hmac_sha512
phase2-encryption-algo Encryption Algorithm for phase 2.
3des (default)
aes-128
aes-256
phase2-lifetime The lifetime of the key generated between the
stations.
180-946080000 sec.
Default is 86400
soft-lifetime When a dynamic IPsec SA is created, two types
of lifetimes are used: hard and soft. The hard
lifetime specifies the lifetime of the SA. The
soft lifetime, which is derived from the hard
lifetime, informs the IPsec key management
system that the SA is about to expire. This
allows the key management system to
negotiate a new SA before the hard lifetime
expires.
Permissible values are 1-99 and represent
percentage.
soft lifetime = <1-99> × hard lifetime / 100
rsa-sig-name The name set by the user for the signature
Functional Description
The Modbus gateway is supported between Modbus TCP and Modbus RTU. A Modbus TCP to Modbus ASCII gateway is not implemented.
The gateway translates Modbus frames of the same structure; the Modbus TCP device is therefore required to use the same frame structure as the Modbus RTU device.
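To make concrete what "translates Modbus frames of the same structure" means, the following Python block is an added example (not the manual's or RAD's code) of the framing conversion a Modbus TCP to RTU gateway performs: the PDU (function code and data) passes through untouched, while the MBAP header is validated and removed on the way to the serial side and a CRC-16 is appended, and on the way back the CRC is checked and the MBAP header is rebuilt with the saved transaction identifier. The sample request (transaction 1, unit 1, Read Holding Registers for ten registers from address 0) is constructed for the demonstration.

```python
"""Modbus TCP <-> Modbus RTU frame translation of the kind a TCP-to-RTU gateway
performs: the PDU is passed through unchanged, only the framing differs."""
import struct

MBAP_LEN = 7   # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU = 253  # Modbus PDU limit, so an RTU frame never exceeds 256 bytes


def crc16_modbus(data):
    """CRC-16/MODBUS: reflected polynomial 0xA001, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def tcp_to_rtu(frame):
    """Validate the MBAP header, then return (transaction id, RTU frame)."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("truncated Modbus TCP frame")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:               # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[MBAP_LEN:]
    if len(pdu) > MAX_PDU:
        raise ValueError("PDU longer than the Modbus maximum")
    body = bytes([unit]) + pdu
    return tid, body + struct.pack("<H", crc16_modbus(body))   # CRC low byte first


def rtu_to_tcp(frame, tid):
    """Check the RTU CRC, then rebuild the MBAP header with the saved transaction id."""
    if len(frame) < 4:
        raise ValueError("truncated Modbus RTU frame")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("RTU CRC mismatch")
    unit, pdu = body[0], body[1:]
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample: transaction 1, protocol 0, length 6, unit 1,
# Read Holding Registers (0x03) starting at address 0 for 10 registers.
SAMPLE_TCP_REQUEST = bytes.fromhex("00010000000601030000000A")


def demo():
    """Translate the sample request to RTU and back; return (rtu, rebuilt_tcp)."""
    tid, rtu = tcp_to_rtu(SAMPLE_TCP_REQUEST)
    return rtu, rtu_to_tcp(rtu, tid)


if __name__ == "__main__":
    rtu, back = demo()
    print("RTU frame :", rtu.hex(" "))
    print("round trip:", back == SAMPLE_TCP_REQUEST)
```

The length and CRC checks are the points where a gateway can refuse a malformed frame before it reaches the serial bus; a gateway that forwards without them passes a bad MBAP length or a corrupted serial frame straight through to the other side.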
Command Description
modbus-gw
timeout-period <500-100,000>
Operation in process
+------+------+----------+----------+----------+----------+
| Slot | Port | Rx valid | Rx error | Tx valid | Tx error |
+======+======+==========+==========+==========+==========+
| 1 | 1 | 477 | 0 | 616 | 0 |
+------+------+----------+----------+----------+----------+
Configuring NAT
The example in Figure 8-10 illustrates the NAT configuration that allows a PC located outside the LAN to connect to the LAN.
The PC can manage SecFlow-1 through the switch private interface and open a Telnet session with the server located in the LAN.
To configure NAT:
1. Set the LAN side interface.
router interface create address-prefix 10.10.10.10/24 physical-interface eth1
description LAN purpose application-host
- write
- exit
- exit
Configuring OSPF
Figure 8-11 illustrates the OSPF setup example. This configuration enables L3 OSPF-based protection over the closed network.
Configuring S1
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/1-2 untagged fa 0/1-2
exit
vlan 102
ports fastethernet 0/2
exit
3. Configure OSPF.
router ospf
router-id 10.10.10.101
network 172.18.101.201 255.255.255.0 area 0.0.0.0
network 172.18.102.201 255.255.255.0 area 0.0.0.0
end
commit
Configuring S2
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/2,0/3 untagged fa 0/2-3
exit
vlan 103
ports fastethernet 0/3
exit
3. Configure OSPF.
router ospf
router-id 10.10.10.102
network 172.18.102.202 255.255.255.0 area 0.0.0.0
network 172.18.103.202 255.255.255.0 area 0.0.0.0
end
commit
Configuring S3
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/4,0/3 untagged fa 0/3-4
exit
vlan 104
ports fastethernet 0/4
exit
3. Configure OSPF.
router ospf
router-id 10.10.10.103
network 172.18.104.203 255.255.255.0 area 0.0.0.0
network 172.18.103.203 255.255.255.0 area 0.0.0.0
end
commit
Configuring S4
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/4,0/1 untagged fa 0/1,0/4
exit
vlan 104
ports fastethernet 0/4
exit
3. Configure OSPF.
router ospf
router-id 10.10.10.104
network 172.18.104.204 255.255.255.0 area 0.0.0.0
network 172.18.101.204 255.255.255.0 area 0.0.0.0
end
commit
8.9 RIPv2
RIP (Routing Information Protocol) is a distance-vector routing protocol, which
employs the hop count as a routing metric.
Command Description
format aa.bb.cc.dd/xx
VLAN: VLAN ID that the application engine will use for this IP interface. The interface will be named eth1.<vlan id>.
router rip enable
station to the RTUs by mapping between the Telnet sessions and the serial
services.
In the second option, the terminal servers are set in the remote router that is connected locally to the serial devices (Figure 8-13). The benefit of this scenario is that the TCP sessions run over the IP network and not over the tunnel.
+ tcp-service
- create {remote-address <A.B.C.D>} {service-id <1-100>}
{telnet-port <port num>} [null-cr-mode (off,<off|on>)] [max-
tcp-clients (1,<1-8>)]
- remove service-id <1-100>
- show
+ udp-service
- create {remote-address <A.B.C.D>} {service-id <1-100>} {udp-
server-port <port number>} {udp-client-address <A.B.C.D>}
[null-cr-mode (off,<off|on>)]
- remove service-id <1-100>
- show
+ serial-tunnel
- create remote-address <A.B.C.D> service-id <1-100>
- remove service-id <1-100>
- show
Command Description
Parity : no, odd, even
Stopbits : 1,2
Mode of operation : transparent
show
local-end-point
show
egress the tcp packet until receiving validation
from the serial local end that a message is
completed. This mode avoids fragmentation of
serial messages to different tcp packets.
byte – serial originated packets will be
egressed without additional buffering at the
terminal server.
Show : display the current tcp port range
0x0d). For all other modes of operation,
NULL_CR is ignored. Default - off
show: display the configuration.
Note Use the proper serial cable to connect SecFlow-1 serial port and the customer
equipment. The SecFlow-1 serial port pinout is specified in Appendix A.
SecFlow-1#serial local-end-point show
+-------+---------+------+------+-----------------+----------+----------+----------+
| index | service | slot | port | application     | position | firewall | firewall |
|       | id      |      |      |                 |          | mode     | protocol |
+=======+=========+======+======+=================+==========+==========+==========+
| 1     | 1       | 1    | 1    | terminal-server | Slave    | disable  | any      |
+-------+---------+------+------+-----------------+----------+----------+----------+
SecFlow-1# terminal-server settings show
+-------+-------------+------------+---------------+-----------+--------+
| index | telnet-tcp | telnet-udp | serial-tunnel | dead peer | buffer |
| | port-range | port-range | port-range | timeout | mode |
+=======+=============+============+===============+===========+========+
| 1 | 20000:20099 | 2001:2100 | 9850:9949 | 10 | byte |
+-------+-------------+------------+---------------+-----------+--------+
The serial device should be accessible from the Telnet client (PC).
6. Verify the serial connection using the port counters.
SecFlow-1#serial port show briefly port 1
+-----+------+------+-----+-------------+------+------+--------+------+
| idx | slot | port | svc | mode | baud | data | parity | stop |
| | | | id | | rate | bits | | bits |
+=====+======+======+=====+=============+======+======+========+======+
| 1 | 1 | 1 | 1 | Transparent | 9600 | 8 | None | 1 |
+-----+------+------+-----+-------------+------+------+--------+------+
OctetsIn : 20
OctetsOut : 25
TxError : 0
RxError : 0
OctetsTotal : 45
3. Configure the serial port parameters to match the serial slave. The serial port
operation mode must be transparent. The local end-point application type
must be terminal server.
serial port create slot 1 port 1 baudrate 9600 parity no databits 8 mode-of-
operation transparent
serial local-end-point create service-id 1 slot 1 port 1 application terminal-
server
Testing Results
1. Ping between the PC (172.18.212.240) and the application IP interfaces
(172.18.212.230 and 172.18.212.231).
2. From the PC, open a Telnet session to the router: telnet 172.18.212.230 20000.
The serial device should be accessible.
8.11 VPN
When a distributed operational network uses public transport links for the inter-site connectivity, the traffic must be encrypted to ensure its confidentiality and its integrity. The SecFlow-1 supports VPN (Virtual Private Network) connections using GRE tunnels (RFC 2784) over an IPsec encrypted link. The IPsec tunnel can use 3DES or AES encryption according to the user configuration.
[Figure residue: VPN | IPsec, LAN - SecFlow-1 - LAN]
[position <master|slave>]
- remove
{multipoint-gre-name<>}
{nbma-address<A.B.C.D>}
{protocol-address-prefix< A.B.C.D/M>}
- show
- show-status
- cache-flush
- cache-purge
- cache-show
- {enable | disable}
- log-show
- route-show
- show
+ protection-group
- {create|update}
{name<>}
[default-route<yes,no|yes>]
[wait-to-restore<0-1440>]
- remove {name<>}
- show
Command Description
cisco-authentication: Relevant only for multi-point. Enables Cisco-style authentication on NHRP packets. This embeds the secret plaintext password in the outgoing NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present. Maximum length of the secret is 8 characters.
cache-purge Purge entries from NHRP cache: cached entries are removed and permanent
entries are forced down, up and finally reregistered.
information
protection-group Manage the protection groups of tunnels. Each protection group can contain 2
tunnels.
remove name: Mandatory. String indicating the name of an existing protection group.
Commands Hierarchy
+ date {[YYYY.]MM.DD-hh:mm[:ss] | hh:mm[:ss]}
- date
Commands Description
Command Description
sntp This command enters SNTP configuration mode, which allows the user to execute all the commands that SNTP configuration mode supports.
set client admin-status This command either enables or disables SNTP client
module.
Enabled: Sends a request to the host for time
synchronization.
Disabled: Does not send any request to the host for time
synchronization.
Defaults: Disabled.
set client version This command sets the operating version of the SNTP for
the client.
v1: Sets the version of SNTP client as 1
v2: Sets the version of SNTP client as 2
v3: Sets the version of SNTP client as 3
v4: Sets the version of SNTP client as 4
Defaults: v4
set client addressing-mode This command sets the addressing mode of SNTP client.
Unicast: Sets the addressing mode of SNTP client as
unicast which operates in a point-to-point fashion. A
unicast client sends a request to a designated server at its
unicast address and expects a reply from which it can
determine the time and, optionally, the roundtrip delay
and local clock offset relative to the server.
Broadcast: Sets the addressing mode of SNTP client as
broadcast which operates in a point-to-multipoint fashion.
The SNTP server uses an IP local broadcast address instead
of a multicast address. The broadcast address is scoped to
a single subnet, while a multicast address has Internet
wide scope.
set client port This command sets the listening port for SNTP client which
refers to a port on a server that is waiting for a client
connection. The value ranges between 1025 and 65535.
The no form of this command deletes the listening port for
SNTP client and sets the default value
Defaults: 123
set client clock-format This command sets the system clock as either AM PM
format or HOURS format. SNTP clock format configuration
in the switch:
Date – Hours, Minutes, Seconds, Date, Month and Year
Month – Jan, Feb, Mar…..
Year - yyyy
ampm: Sets the system clock in am/ pm format
24hours: Sets the system clock in 24 hours’ format
Default: hours
set client time zone This command sets the system time zone with respect to
UTC. The no form of command resets the system time
zone to GMT.
+/-: Sets the client time zone as after or before UTC. Plus
indicates forward time zone and minus indicates backward
time zone.
Default: + 0: 0
set client clock-summer-time This command enables the DST (Daylight Saving Time). DST
is a system of setting clocks ahead so that both sunrise
and sunset occur at a later hour. The effect is additional
daylight in the evening. Many countries observe DST,
although most have their own rules and regulations for
when it begins and ends. The dates of DST may change
from year to year. The no form of this command disables
the Daylight Saving Time.
week-day-month: Week – First, Second, Third, Fourth or
Last week of month. Day –Sunday, Monday, Tuesday,
Wednesday, Thursday, Friday or Saturday. Month: January,
February, March, April, May, June, July, August, September,
October, November or December.
hh:mm: Time in hours and minutes
Default: Not set
set client authentication-key This command sets the authentication parameters for the key. Some SNTP servers require authentication to be done before exchanging any data. This authentication key is used to authenticate the client to the SNTP server to which it tries to connect. The no form of this command disables authentication.
<key-id>: Sets a key identifier (integer value) to provide
authentication for the server. The value ranges between 1
and 65535.
md5: Verifies data integrity. MD5 is intended for use with digital signature applications, which require that a large file be compressed by a secure method before being encrypted with a secret key under a public key cryptosystem.
<key>: Sets the authentication code as a key value.
Default: Authentication key ID not set
set unicast server-auto-discovery This command discovers the entire available SNTP client.
Enabled: Automatically discovers the entire available SNTP
client even if the necessary configuration is not done.
Disabled: Does not discover any SNTP client.
Defaults: Disabled
set unicast-poll-interval This command sets the SNTP client poll interval which is
the maximum interval between successive messages in
seconds. The value ranges between 16 and 16284
seconds.
Default: 64
set unicast max-poll-timeout This command configures SNTP client maximum poll
interval timeout, which is the maximum interval to wait for
the poll to complete. The value ranges between 1 and 30
in seconds.
Default: 5
set unicast max-poll-retry This command configures SNTP client maximum retry poll
count, which is the maximum number of unanswered polls
that cause a slave to identify the server as dead. The value
ranges between 1 and 10 in times.
Default: 3
set unicast-server This command configures SNTP unicast server. The no form
of this command deletes the sntp unicast server attributes
and sets to default value.
ipv4 <ucast_addr>: Sets the address type of the unicast
server as Internet Protocol Version 4.
Primary: Sets the unicast server type as primary server.
Secondary: Sets the unicast server type as secondary
server.
version 3: Sets the SNTP version as 3.
version 4: Sets the SNTP version as 4.
Port <integer(1025- 36564)>: Selects the port identifier
numbers in the selected server. The port number ranges
between 1025 and 36564.
set broadcast-mode send-request This command either enables or disables the SNTP to send
status request.
Enabled: Sends the SNTP request packet to broadcast
server to calculate the actual delay.
Disabled: Does not send any SNTP request packet to
broadcast server instead default value for the delay is
taken.
Defaults: disabled
<134>Feb 6 12:26:52 ISS SNTP Old Time:Sat Jan 01 2000 00:01:35 (UTC +00:00)
, New Time:Wed Feb 06 2013 12:26:52 (UTC +00:00 )
, ServerIpAddress:96.47.67.105
set sntp client time-zone +01:00
SecFlow-1# <134>Feb 6 14:34:09 ISS SNTP Old Time:Wed Feb 06 2013 12:34:02
(UTC +00:00 )
, New Time:Wed Feb 06 2013 14:34:09 (UTC +02:00 )
, ServerIpAddress:96.47.67.105
SecFlow-1# sntp show clock
Wed Feb 06 14:35:58 2013
Note
It is mandatory to set the clock source to NTP as shown above.
Commands Hierarchy
+ root
- db import {remote-host <IP, A.B.C.D>} [filename <file-name>]
- db export {remote-host <IP, A.B.C.D>} [filename <file-name>]
Note
System reboot is required to activate the imported database file.
The format of the log file name is the following: log_MM_DD_HH_MM_SS.tar.gz, for
example: log_01_09_08_41_23.tar.gz.
Commands Hierarchy
+ root
+ reload
- now
- schedule
- date-and-time YYYY-MM-DD,HH:MM:SS
- every <180 – 604800 seconds >
- time HH:MM:SS
- in <0 – 604800 seconds >
- cancel
- show
Command Descriptions
Command Description
reload schedule date-and-time
Set specific date and time for router reload.
Time format: YYYY-MM-DD,HH:MM:SS
Configuration which was not committed will not
be available after reload!
reload schedule every
Set time interval for cyclic automatic system
reload.
Permissible range in seconds is 180 –
604800.
Configuration which was not committed will not
be available after reload!
reload schedule time
Set specific time for router reload.
Time format: HH:MM:SS
Configuration which was not committed will not
be available after reload!
reload schedule in
Set specific timer for next router reload.
Permissible range in seconds is 180 –
604800.
Configuration which was not committed will not
be available after reload!
reload cancel
Cancels all scheduled automatic reloads
reload show
Shows user set scheduled reloads
reload now
Perform an immediate system reload
Commands Hierarchy
+ root
+ capture
- start -i {eth1.<vlan id> | eth1:<id>} [-C] [-s] [-y] [expression <>]
- stop
- delete
- export remote-address <destination address,A.B.C.D>
- show {captured-packets -c <number> | status}
- help
Commands Description
Command Description
capture
Start: initiate Ethernet traffic capture on a selected ACE IP interface.
-i: mandatory prefix to be followed with the IP interface name eth1.<vlan
id> where “vlan id” is the vlan of the ip interface.
Stop: stop Ethernet traffic capture
Delete: delete capture files
Export remote-address: export file to a TFTP server.
Show captured-packets -c <1-200>: display the captured content up to a chosen length (1-200 lines).
Show status : display capture configuration
Help: display help on settings options
Capturing Traffic
1. Set a VLAN for the service traffic.
router interface create address-prefix 172.18.212.232/24 vlan 1 purpose
application-host physical-interface eth2
commit
Commit OK…
router interface show
+------+--------+-----+-------------------+------------------+-------------+
| VLAN | Name   | Id  | IP/Subnet         | Purpose          | Description |
+======+========+=====+===================+==================+=============+
| 1    | eth2.1 | N/A | 172.18.212.232/24 | application host |             |
+------+--------+-----+-------------------+------------------+-------------+
2. Start capturing.
capture start -i eth2.1
capture show
[capture/] show status
capture is running
Interface ETH1
+---------------+---------+----------------+-------+
| Counter Name | Value | Counter Name | Value |
+===============+=========+================+=======+
| total packets | 58293 | undersize | 0 |
+---------------+---------+----------------+-------+
| total octets | 5087188 | oversize | 0 |
+---------------+---------+----------------+-------+
| broadcast | 1110 | Size 64 | 798 |
+---------------+---------+----------------+-------+
| multicast | 56923 | Size 65-127 | 57227 |
+---------------+---------+----------------+-------+
| align error | 0 | Size 128-255 | 152 |
+---------------+---------+----------------+-------+
| dropped event | 0 | Size 256-511 | 41 |
+---------------+---------+----------------+-------+
| fragmented | 0 | Size 512-1023 | 73 |
+---------------+---------+----------------+-------+
| jabbers | 0 | Size 1024-1518 | 2 |
+---------------+---------+----------------+-------+
Interface ETH1
+------------------------+---------+-------------------------+---------+
| Counter Name | Value | Counter Name | Value |
+========================+=========+=========================+=========+
| In non-unicast packets | 29873 | Out non-unicast packets | 28162 |
+------------------------+---------+-------------------------+---------+
| In unicast packets | 254 | Out unicast packets | 6 |
+------------------------+---------+-------------------------+---------+
| In errors packets | 0 | Out errors packets | 0 |
+------------------------+---------+-------------------------+---------+
| In octets | 2660130 | Out octets | 2427230 |
+------------------------+---------+-------------------------+---------+
| In discards | 0 | Out discards | 0 |
+------------------------+---------+-------------------------+---------+
| In unknown protos | 0 | | |
+------------------------+---------+-------------------------+---------+
11.4 Syslog
Syslog is a standard for network device message logging. It separates the software
that generates messages from the system that stores them and from the software that
reports on and analyzes them, so log data from many systems can be collected in a
central repository.
The Configuring Debug Logging section specifies where debug logs are displayed: on
the console or in a file.
The user enables the syslog server and configures the syslog-related parameters.
The logging process controls the distribution of logging messages to the various
destinations, such as the logging buffer, the logging file, or the syslog server.
Disabling the syslog feature neither clears the existing syslog buffers nor changes
any configured option.
The logging severity can be set by its numeric value <0-7> or by its name tag.
When configuring a server, the priority tag, which reflects the severity level and
the facility of the message, should be set.
Commands Hierarchy
+ root
+ syslog
- level severity { emergencies | alerts | critical |
errors | warnings | notification | informational
|debugging}
- remote {remote-address <a.b.c.d>} [remote-port
(514,<514-9999>)]
- local
- show
Commands Description
Command Description
Priority Indicator
The priority indicator is calculated as follows:
Priority = 8 x facility_code + severity_level
Table 11-2 shows the syslog message priority tags with facility local0 (facility code 16).

Severity        Level   Priority
emergencies     0       16x8+0 = 128
alerts          1       129
critical        2       130
errors          3       131
warnings        4       132
notification    5       133
informational   6       134
debugging       7       135
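The following Python module is an added example, not code from this manual or from RAD. It applies the priority formula above for facility local0 (reproducing Table 11-2), decodes the <PRI> prefix of received syslog lines, and applies the syslog level severity threshold to a few sample lines so that the input a collector should expect can be checked offline. The sample log lines and their message texts are constructed for the example, not captured from a device.

```python
"""Syslog priority (PRI) arithmetic for the SecFlow-1 logging configuration.

Added example; this is not code from the manual or from RAD.  It applies the
formula above (Priority = 8 x facility + severity) with the facility local0
that Table 11-2 uses, decodes the <PRI> prefix of received syslog lines, and
applies a 'syslog level severity' threshold.  The sample log lines below are
constructed, not captured from a device.
"""
import re

# Standard syslog facility codes (RFC 3164); local0 is code 16, as in Table 11-2.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Severity names exactly as the SecFlow-1 'syslog level severity' command spells them.
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notification": 5, "informational": 6, "debugging": 7,
}
_FACILITY_BY_CODE = {v: k for k, v in FACILITIES.items()}
_SEVERITY_BY_CODE = {v: k for k, v in SEVERITIES.items()}
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def severity_level(severity) -> int:
    """Accept either the name tag or the numeric value <0-7>, as the CLI does."""
    level = SEVERITIES[severity] if isinstance(severity, str) else int(severity)
    if not 0 <= level <= 7:
        raise ValueError("severity must be 0-7")
    return level


def priority(facility: str, severity) -> int:
    """PRI = 8 x facility code + severity level."""
    return 8 * FACILITIES[facility] + severity_level(severity)


def valid_pri(pri: int) -> bool:
    """The highest facility (local7 = 23) at debugging gives 23*8+7 = 191."""
    return 0 <= pri <= 191


def decode_pri(pri: int):
    """Reverse the formula: (facility name, severity name)."""
    if not valid_pri(pri):
        raise ValueError("PRI out of range: %d" % pri)
    facility, level = divmod(pri, 8)
    return _FACILITY_BY_CODE.get(facility, "facility%d" % facility), _SEVERITY_BY_CODE[level]


def parse_syslog_line(line: str) -> dict:
    """Split a '<PRI>message' line into its facility, severity and text."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix: %r" % line[:20])
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "level": SEVERITIES[severity], "message": m.group(2)}


def passes_level(line: str, configured_level) -> bool:
    """True when the message is at least as severe as 'syslog level severity <x>'.

    Lower numeric values are more severe, so a message is kept when its level
    is less than or equal to the configured level."""
    return parse_syslog_line(line)["level"] <= severity_level(configured_level)


def build_table(facility: str = "local0"):
    """Recompute Table 11-2 for any facility: (severity name, level, priority)."""
    return [(name, level, priority(facility, name))
            for name, level in sorted(SEVERITIES.items(), key=lambda kv: kv[1])]


def forwarded(lines, configured_level="warnings"):
    """Subset of lines a collector would receive at the given level setting."""
    return [line for line in lines if passes_level(line, configured_level)]


# Constructed sample lines in the local0 facility (PRI 128-135 per Table 11-2).
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 SecFlow-1 router: interface eth2.2 up",
    "<131>Jan 10 12:00:02 SecFlow-1 ipsec: SA negotiation with 172.18.20.10 failed",
    "<135>Jan 10 12:00:03 SecFlow-1 capture: 58293 packets captured",
]

if __name__ == "__main__":
    for name, level, pri in build_table():
        print("%-14s %d  %d" % (name, level, pri))
    for line in SAMPLE_LINES:
        verdict = "forwarded" if passes_level(line, "warnings") else "suppressed"
        print(parse_syslog_line(line)["severity"], "->", verdict)
```

With the level set to warnings, only the errors line (PRI 131) is forwarded; the informational (134) and debugging (135) lines are suppressed, which is the behaviour to expect at the collector after syslog level severity warnings.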
Commands Hierarchy
+ root
+ schedule
- add task-name copy-logs [day |hour |minute |month |year]
- remove task-name copy-logs
- show
Commands Description
Command Description
add task-name copy-logs      Adds a scheduled task that copies the system logs to the USB drive.
                             day: <1-31>
                             month: <1-12>
                             year: <2013-3000>
                             hour: <1-24>
                             minute: <1-60>
remove task-name copy-logs   Removes the scheduled task that copies the system logs to the USB
                             drive.
Note Before downloading a new OS file, make sure that SecFlow-1 has only one (the
active) file. If needed, delete the unused file before attempting to download a
new one.
You can designate any of the versions as active. The non-active version serves as
a backup that can be used if the active software becomes corrupted.
The information in this chapter includes the following:
• Software packs that can be loaded into each device
• Detailed conditions required for the upgrade
• Any impact the upgrade may have on the system
• Description of downloading options
A software version can be downloaded to SecFlow-1 via SFTP/TFTP with the
download-sw command. Prefer SFTP where available, since TFTP provides neither
authentication nor integrity protection for the image in transit.
The downloaded version can then be installed as the active software with the
activate command.
12.2 Prerequisites
Before starting the upgrade, verify that you have the following:
• For upgrade via SFTP/TFTP:
Operational SecFlow-1 unit with valid IP address
Note The image file name is case-sensitive, so make sure that the downloading
software does not alter the letters case in the file name.
Commands Hierarchy
+ root
- os-image show-list
- os-image download-status
[Figure: SecFlow-1 front panel (PWR, RUN, CONSOLE, S1, S2, ETH1, ETH2, SIM1, LASER)
with ETH1:1 at 192.168.2.101 connected to a TFTP server at 192.168.2.240]
Note User configuration file is lost when the previous version is restored.
Note This cable can be used when no control lines are needed.
Serial port at the router DB-9 female connector for end device
Caution To avoid damaging the serial port, do not use the SecFlow-1 console cable
(colored white) to connect user serial ports.
2 6 6 Tx
3 5 5 Tx
5 4 4 GND
SecFlow-1 serial ports are terminated in RJ45 connectors. The user serial
equipment standard ports have DB-9 connectors. Refer to Table A-2 for the RJ45
connector pinout.
Table A-2. RJ-45 Serial Port Connector Pinout
Pin   Signal
1     DSR
2     DCD
3     DTR
4     GND
5     Rx
6     Tx
7     CTS
8     RTS

Pin assignment, differential (A/B) signals
Pin   Signal
1     B (+) Rx
4     GND
5     A (-) Rx
6     B (+) Tx
8     A (-) Tx
GND 4 GND 5
GND 5 GND 5
N.C. 7 DTR 4
1 -
2 3
3 2
4 5
5 5
6 -
7 -
8 -
B.1 Introduction
This appendix describes basic verification tests for SecFlow-1. The aim is to
perform a series of short tests that check the following:
• IP connectivity and management
• DHCP client
• VLAN tagging, IP interfaces, static routing
• NAT
• DMVPN
• IEC 101/104 gateway
• OSPF
Test Equipment
• SCADA simulator
• RTU simulator
Note
All tests should pass if the following procedures are performed precisely.
Estimated Duration
The estimated duration of this test is 10 minutes.
Test Procedure
Table B-1 details the IP connectivity and management test procedure.
Configuring Devices
1. Create an untagged IP interface at eth1.
SecFlow-1#
router interface create address-prefix 192.168.2.101/24 purpose
application-host physical-interface eth1
commit
Viewing Results
1. Verify configuration.
SecFlow-1# router interface show
+----+------+--------+-------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name | IP/Subnet | Mtu | Purpose | Admin status | Description |
+====+======+========+===================+======+==================+==============+=============+
| 1 | N/A | N/A | 192.168.2.101/24 | 1500 | application host | enable | |
+----+------+--------+-------------------+------+------------------+--------------+-------------+
+------------------------+--------+-------------------------+-------+
| In errors packets | 0 | Out errors packets | 0 |
+------------------------+--------+-------------------------+-------+
| In octets | 310371 | Out octets | 22704 |
+------------------------+--------+-------------------------+-------+
| Unknown packets | 0 | | |
+------------------------+--------+-------------------------+-------+
Estimated Duration
The estimated duration of this test is 20 minutes.
Test Procedure
Table B-2 details the DHCP client test procedure.
3. Verify DHCP client function: the DHCP clients receive their IP addresses from the
server pool.
Configuring Devices
SecFlow-2 configuration steps:
• Set the service VLAN and assign the ports.
• Configure GCE interface for the service VLAN.
• Configure the DHCP Server
Set the pool, default gateway and excluded range
Set IP allocation to port 0/1 as port-identifier
Set IP allocation to port 0/2 from the pool
SecFlow-1 configuration steps:
• Enable DHCP on eth1.
Viewing Results
Estimated Duration
The estimated duration of this test is 30 minutes.
Test Procedure
Table B-3 details the VLAN, IP interfaces, and static routing test procedure.
1. Configure SecFlow-2
2. Configure SecFlow-1
Configuring Devices
SecFlow-2 configuration steps:
• Configure VLANs 2,3, and assign the requested port as a member
• Configure VLAN 4 and assign the requested port as a member
• Configure GCE IP interfaces
• Configure GCE static route for 192.168.1.x via 192.168.2.102
SecFlow-1 configuration steps:
• Configure IP interface with no VLAN for eth1
• Configure IP interfaces with VLAN 2, VLAN 3 for eth2
• Configure static route for 192.168.4.x via 192.168.2.101
Set the SecFlow-1 interface 192.168.1.102 as a PC1 default gateway.
Set the SecFlow-2 interface 192.168.4.101 as a PC2 default gateway.
Verify ping connectivity between:
• SecFlow-1 and the SecFlow-2 interface 192.168.4.101
• PC1 and the SecFlow-1 interfaces, SecFlow-2 interfaces, and PC2.
SecFlow-2 Configuration
SecFlow-2#
config
vlan 2
ports fastethernet 0/2
exit
vlan 3
ports fastethernet 0/2
exit
vlan 4
ports fastethernet 0/1 untagged all
exit
interface fast 0/1
switchport pvid 4
exit
interface vlan 2
ip address 192.168.2.101 255.255.255.0
no shutdown
exit
interface vlan 3
ip address 192.168.3.101 255.255.255.0
no shutdown
exit
interface vlan 4
ip address 192.168.4.101 255.255.255.0
no shutdown
exit
ip route 192.168.1.0 255.255.255.0 192.168.2.102 1
end
Viewing IP Interfaces
SecFlow-2# show ip interface
vlan2 is up, line protocol is up
Internet Address is 192.168.2.101/24
Broadcast Address 192.168.2.255
vlan3 is up, line protocol is up
Internet Address is 192.168.3.101/24
Broadcast Address 255.255.255.255
Vlan4 is up, line protocol is up
Internet Address is 192.168.4.101/24
Broadcast Address 255.255.255.255
SecFlow-1 Configuration
SecFlow-1#
router interface create address-prefix 192.168.1.102/24 purpose
application-host physical-interface eth1
router interface create address-prefix 192.168.2.102/24 vlan 2
purpose general physical-interface eth2
router interface create address-prefix 192.168.3.102/24 vlan 3
purpose general physical-interface eth2
router static
router/static> enable
router/static# configure terminal
router/static(config)# ip route 192.168.4.0/24 192.168.2.101
router/static(config)# write memory
router/static(config)# exit
router/static# exit
commit
B.6 NAT
The objective of this test is to verify NAT functionality.
Estimated Duration
The estimated duration of this test is 20 minutes.
Test Procedure
Table B-4 details the NAT test procedure.
1. Configure SecFlow-1
4. Verify static NAT: proper ping and SSH connectivity from the PC
Configuring Devices
SecFlow-1 configuration steps:
• Set the WAN port IP interface
• Set the LAN port IP interface
• Configure the Dynamic NAT for the WAN interface
• Configure Static NAT for direct WAN traffic with TCP port 23 towards the
router LAN interface for management
• Configure Static NAT to direct WAN traffic with TCP port 22 towards the LAN
connected server.
Assign the SecFlow-1 LAN interface as the LAN server device default gateway.
The WAN client does not have a route to the private LAN subnet.
Verify ping connectivity:
• Between the WAN client and the SecFlow-1 WAN interface
• Between the LAN server and the SecFlow-1 LAN interface
From the WAN client, open a TCP connection to port 23 for router management.
From the WAN client, open a TCP connection to port 22 for the LAN server connection
(as mapped by the static NAT rule above).
Port 23 is Telnet, which carries credentials in cleartext; exposing it on the WAN
interface is acceptable for this lab test only.
B.7 DMVPN
The objective of this test is to verify dynamic multipoint VPN functionality.
Estimated Duration
The estimated duration of this test is 90 minutes.
Test Procedure
Table B-5 details the DMVPN test procedure.
3. Verify connectivity over DMVPN: user and management traffic from both PCs is
transferred properly.
Configuring Devices
SecFlow-2 (Hub) configuration steps:
• Set the network VLAN 20 and assign network ports and application port gi 0/3
• Set the access VLAN 10 and assign access ports and application port gi 0/3
• Configure the GCE and ACE interfaces
• Set the VPN mGRE interface using eth1.20 as its lower layer
• In the GCE set a static route using the ACE interface as default gateway
• In the ACE, set routing:
Option 1: Set a static route, pointing to subnet 192.168.40.x behind the
SPOKE mGRE interface
Option 2: enable OSPF and set OSPF interfaces for the mGRE and eth1.10
• Set IPSec parameters
SecFlow-1 (Spoke) configuration steps:
• Set the access and network IP interfaces
• Set the VPN mGRE interface using eth2.20 as its lower layer
• Set NHRP routing to the HUB eth2.20 interface and its mGRE
• Set routing
Option 1: set a static route directed to the 192.168.10.x subnet behind
the HUB mGRE interface
Option 2: enable OSPF and set OSPF interfaces for the mGRE and
192.168.40.x
• Set IPSec parameters
Define the corresponding router interface as the PCs default gateway.
Verify the following:
• Ping connectivity between the 172.18.20.x interfaces
• IPSec SA is established
• DM VPN NHRP status is UP
• Ping connectivity between the mGRE interfaces
• Ping connectivity between the 192.168.40.x and 192.168.10.x interfaces
• Ping connectivity between the PCs
• Management connectivity between the PCs and the SecFlow units
2. Disable spanning tree and remove the ports used in VPN from the default
VLAN 1.
config terminal
no spanning-tree
vlan 1
no ports fastethernet 0/1,0/8 gigabitethernet 0/3 untagged
fastethernet 0/1,0/8
exit
3. Assign the user and network VLANs and set the untagged ports PVID.
vlan 10
ports fastethernet 0/1 gigabitethernet 0/3 untagged
fastethernet 0/1
exit
vlan 20
ports fastethernet 0/8 gigabitethernet 0/3
exit
interface fastethernet 0/1
alias UNI
switchport pvid 10
exit
4. Assign the GCE IP interface for management (not mandatory).
interface vlan 10
shut
ip address 192.168.10.1 255.255.255.0
no shut
exit
5. Assign static route to make SecFlow-1 management routable over the VPN.
ip route 0.0.0.0 0.0.0.0 192.168.10.10 1
end
6. Assign the ACE IP interface used to route user traffic.
application connect
router interface create address-prefix 192.168.10.10/24 vlan 10
purpose application-host
7. Assign ACE IP interface for networking towards the WAN router.
router interface create address-prefix 172.18.20.10/24 vlan 20
purpose general
8. Assign the GRE tunnel.
vpn gre tunnel create address-prefix 10.10.10.10/24 lower-layer-dev eth1.20 name mgre1 key 10.0.0.0
vpn gre nhrp disable
vpn gre nhrp enable
9. Assign static routes (option 1) for the remote user network.
router static
enable
configure terminal
ip route 192.168.40.0/24 10.10.10.20
write memory
exit
exit
10. Assign OSPF routes (option 2) for the remote user network.
router ospf
enable
configure terminal
router ospf
router-id 172.18.20.10
network 10.10.10.10/24 area 0.0.0.0
network 192.168.10.10/24 area 0.0.0.0
exit
write memory
exit
exit
11. Configure IPSec. The pre-shared key secretkey is a lab placeholder; in
production use a strong key that is unique to each spoke.
ipsec isakmp update my-id HUB.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
ipsec disable
ipsec enable
exit
write startup-cfg
router ospf
enable
configure terminal
router ospf
ospf router-id 172.18.20.20
network 192.168.40.10/24 area 0.0.0.0
network 10.10.10.20/24 area 0.0.0.0
write memory
exit
exit
6. Configure IPSec.
ipsec isakmp update my-id RTU1.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
ipsec disable
ipsec enable
commit
Completed OK
SecFlow-1#
Option 1
Set a QOS rule.
qos mark-rule create dest-ip 192.168.10.250/32 dscp 16
Result
Option 2
Set a TOS value to the DM-VPN tunnel header (value of 30 is given as an
example).
ipsec disable
vpn gre nhrp disable
vpn gre nhrp map remove multipoint-gre-name mgre1
vpn gre tunnel remove name mgre1
commit
vpn gre tunnel create address-prefix 10.10.10.20/24 lower-layer-dev eth2.20 name mgre1 key 10.0.0.0 admin-status enable tos 30
vpn gre nhrp map create multipoint-gre-name mgre1 protocol-
address-prefix 10.10.10.10/24 nbma-address 172.18.20.10
vpn gre nhrp enable
ipsec enable
commit
Result
Set a static route, pointing to subnet 192.168.10.x behind the HUB mGRE
interface
Set IPSec parameters
4. Define the corresponding router interface as the PCs default gateway.
Verify the following:
• Ping connectivity between the SecFlow-1 cellular modem and the Hub public
IP
• IPSec SA is established
• DM-VPN NHRP status is UP
• Ping connectivity between the mGRE interfaces
• Ping connectivity between the SecFlow-1 192.168.40.x and SecFlow-2
192.168.10.x interfaces
• Ping connectivity between the PCs
• Management connectivity between the PCs and SecFlow units.
Serial tunneling:
serial port create slot 1 port 2 baudrate 9600 parity even
mode-of-operation transparent
serial local-end-point create slot 1 port 2 service-id 1
application serial-tunnel position slave
serial remote-end-point create remote-address 192.168.10.10
service-id 1 position master
commit
Terminal server:
serial port create slot 1 port 1
serial local-end-point create slot 1 port 1 service-id 2
application terminal-server
terminal-server admin-status enable
terminal-server telnet-service create service-id 2 telnet-port
2050 remote-address 192.168.40.10
commit
Estimated Duration
The estimated duration of this test is 20 minutes.
Test Procedure
Table B-6 details the IEC 101/104 gateway test procedure.
2. Verify connectivity over the serial link: the Telnet client and the IEC 101
device are connected over the serial link.
Configuring Devices
Configuration steps:
• Set the IP interface for IEC 104 server and SecFlow-1 management
• Configure the serial ports parameters
• Configure the serial local end-point, service-ID and position
• Configure the IEC 101 parameters
• Configure the gateway parameters.
Verify the following:
• Ping connectivity between the PC and gateway interface
• Management connectivity between the PC and SecFlow-1
• IEC 104 connectivity between the client and gateway
• IEC 101 device is in UP status
• RTU can be managed by the SCADA.
SecFlow-1 Configuration
1. Configure an IP interface for the gateway.
SecFlow-1#router interface create address-prefix
192.168.1.101/24 physical-interface eth1 description gateway
purpose application-host
2. Configure the serial port parameters. The mode-of-operation field must be
set to transparent. The port parameters must comply with the IEC 101 server
device parameters (baud rate, parity, stop bits, data bits etc.)
serial port create slot 1 port 1 mode-of-operation transparent
baudrate 9600 parity even
3. Create the local port serial service. The application field must be iec101-gw.
serial local-end-point create slot 1 port 1 service-id 1
application iec101-gw
4. Configure the gateway operation mode and select the ACE interface to be
used (the IP interface must be available).
iec101-gw config gw update mode balanced ip_addr 192.168.1.101
5. Configure the gateway parameters to comply with the IEC 101 server
configuration.
iec101-gw config iec101 create slot 1 port 1 asdu_addr 1
orig_addr 0 link_addr 27 link_address_field_length 2
common_address_field_length 2 orig_addr_participate y
commit
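The following Python module is an added example, not code from this manual or from RAD. It shows what the gateway parameters above mean on the serial link: it builds and validates IEC 60870-5-101 (FT1.2) link-layer frames for link address 27 with a 2-byte link address field, and parses the ASDU header with a 2-byte common address and a 2-byte cause of transmission (orig_addr_participate y). The 3-byte information object address length, the sample interrogation frame and the is_valid filter function are assumptions made for the example and are not taken from the page.

```python
"""IEC 60870-5-101 link-layer (FT1.2) frames for the gateway configured above.

Added example; this is not code from the manual or from RAD.  It uses the
parameters set in the commands above: balanced mode, link_addr 27, a 2-byte
link address field, a 2-byte common (ASDU) address, and orig_addr_participate y
(cause of transmission carries an originator address, so it is 2 bytes).  The
3-byte information object address is an assumption not stated on the page.
The sample frame is constructed inline; nothing is sent to a device.
"""
from dataclasses import dataclass

START_VAR, START_FIX, STOP = 0x68, 0x10, 0x16

LINK_ADDR = 27        # link_addr 27
LINK_ADDR_LEN = 2     # link_address_field_length 2
COT_LEN = 2           # orig_addr_participate y: cause of transmission + originator address
COMMON_ADDR_LEN = 2   # common_address_field_length 2
IOA_LEN = 3           # assumption, not given on the page


@dataclass
class LinkFrame:
    direction: int    # DIR bit (balanced mode): 1 = sent by the controlling station
    primary: bool     # PRM bit: True = primary (request) message
    fcb: int          # frame count bit
    fcv: int          # frame count bit valid
    function: int     # link function code (low 4 bits of the control octet)
    link_addr: int
    user_data: bytes


def checksum(body: bytes) -> int:
    """FT1.2 check sum: sum of the control, address and user-data octets, modulo 256."""
    return sum(body) & 0xFF


def control_byte(function: int, primary=True, direction=1, fcb=0, fcv=0) -> int:
    return ((direction & 1) << 7) | (int(primary) << 6) | ((fcb & 1) << 5) | \
        ((fcv & 1) << 4) | (function & 0x0F)


def build_frame(control: int, link_addr: int, user_data: bytes = b"") -> bytes:
    """Fixed-length frame without user data, variable-length frame with it."""
    body = bytes([control]) + link_addr.to_bytes(LINK_ADDR_LEN, "little") + bytes(user_data)
    if not user_data:
        return bytes([START_FIX]) + body + bytes([checksum(body), STOP])   # 10 C A.. CS 16
    if len(body) > 255:
        raise ValueError("FT1.2 carries at most 255 octets of control, address and data")
    # 68 L L 68 C A.. <user data> CS 16, where L counts C, A and the user data
    return bytes([START_VAR, len(body), len(body), START_VAR]) + body + bytes([checksum(body), STOP])


def parse_frame(buf: bytes, expected_addr=LINK_ADDR) -> LinkFrame:
    """Check start/stop characters, length octets and check sum; reject other link addresses."""
    if len(buf) < 2 + LINK_ADDR_LEN + 2:
        raise ValueError("frame too short")
    if buf[0] == START_VAR:
        if len(buf) < 6 or buf[3] != START_VAR or buf[1] != buf[2]:
            raise ValueError("bad variable-length header")
        length, start = buf[1], 4
    elif buf[0] == START_FIX:
        length, start = 1 + LINK_ADDR_LEN, 1
    else:
        raise ValueError("unknown start character 0x%02x" % buf[0])
    body = buf[start:start + length]
    tail = buf[start + length:start + length + 2]
    if len(body) != length or len(tail) != 2 or tail[1] != STOP:
        raise ValueError("truncated frame or missing stop character")
    if tail[0] != checksum(body):
        raise ValueError("check sum mismatch")
    control = body[0]
    link_addr = int.from_bytes(body[1:1 + LINK_ADDR_LEN], "little")
    if expected_addr is not None and link_addr != expected_addr:
        raise ValueError("frame for link address %d; this gateway serves %d" % (link_addr, expected_addr))
    return LinkFrame(direction=control >> 7, primary=bool(control & 0x40),
                     fcb=(control >> 5) & 1, fcv=(control >> 4) & 1,
                     function=control & 0x0F, link_addr=link_addr,
                     user_data=bytes(body[1 + LINK_ADDR_LEN:]))


def is_valid(buf: bytes, expected_addr=LINK_ADDR) -> bool:
    """Accept/drop decision a filter in front of the gateway could make (assumed helper)."""
    try:
        parse_frame(buf, expected_addr)
        return True
    except ValueError:
        return False


def parse_asdu_header(user_data: bytes) -> dict:
    """Split the ASDU header with the field lengths configured on the gateway."""
    hdr = 2 + COT_LEN + COMMON_ADDR_LEN
    if len(user_data) < hdr:
        raise ValueError("ASDU header truncated")
    cot = user_data[2]
    return {"type_id": user_data[0], "vsq": user_data[1], "cot": cot & 0x3F,
            "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
            "originator": user_data[3] if COT_LEN == 2 else None,
            "common_addr": int.from_bytes(user_data[2 + COT_LEN:hdr], "little"),
            "objects": user_data[hdr:]}


# Constructed sample: station interrogation (type 100, C_IC_NA_1) sent by the
# controlling station, cause 6 = activation, originator 0, common address 1,
# information object address 0, QOI 20 (station interrogation).
INTERROGATION = build_frame(
    control_byte(function=3, primary=True, direction=1, fcv=1),   # 3 = user data, confirm expected
    LINK_ADDR,
    bytes([100, 1, 6, 0]) + (1).to_bytes(COMMON_ADDR_LEN, "little")
    + (0).to_bytes(IOA_LEN, "little") + bytes([20]))

if __name__ == "__main__":
    frame = parse_frame(INTERROGATION)
    print(INTERROGATION.hex(), frame, parse_asdu_header(frame.user_data))
```

Frames addressed to another link address, with a wrong check sum, or truncated are rejected; running parse_frame over a capture of the serial link is a useful first check when the IEC 101 device does not reach UP status after step 5, because a link address or field-length mismatch shows up here before any ASDU is interpreted.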
B.9 OSPF
The objective of this test is to verify OSPF (Open Shortest Path First) protocol functionality.
Estimated Duration
The estimated duration of this test is 30 minutes.
Test Procedure
Table B-7 details the OSPF test procedure.
1. Configure SecFlow-2
2. Configure SecFlow-1
3. Verify connectivity over OSPF: proper connectivity between PC1 and PC2, SecFlow-1
and SecFlow-2
4. Verify OSPF neighborship and the routing table: the OSPF neighborship and the
routing table comply with the configuration
Configuring Devices
Configuration steps:
• Configure VLAN 2 and assign the requested port as a member
• Configure VLAN 4 and assign the requested port as a member
SecFlow-2 Configuration
SecFlow-2#
config
vlan 2
ports fastethernet 0/2
exit
vlan 4
ports fastethernet 0/1 untagged all
exit
interface fast 0/1
switchport pvid 4
exit
interface vlan 2
ip address 192.168.2.101 255.255.255.0
no shutdown
exit
interface vlan 4
ip address 192.168.4.101 255.255.255.0
no shutdown
exit
router ospf
router-id 192.168.4.101
network 192.168.4.101 255.255.255.0 area 0.0.0.0
network 192.168.2.101 255.255.255.0 area 0.0.0.0
passive-interface vlan 4
end
SecFlow-1 Configuration
SecFlow-1#
router interface create address-prefix 192.168.1.102/24 purpose
application-host physical-interface eth1
router interface create address-prefix 192.168.2.102/24 vlan 2
purpose general physical-interface eth2
router ospf
enable
configure terminal
router ospf
network 192.168.1.102/24 area 0.0.0.0
network 192.168.2.102/24 area 0.0.0.0
passive-interface eth1:1
exit
write
end
exit
commit
Viewing SecFlow-2
SecFlow-2# show ip interface
vlan2 is up, line protocol is up
Internet Address is 192.168.2.101/24
Broadcast Address 192.168.2.255
vlan4 is up, line protocol is up
Internet Address is 192.168.4.101/24
Broadcast Address 192.168.4.255
SecFlow-2# show ip ospf neighbor
Vrf default
Neighbor-ID     Pri  State    DeadTime  Address         Interface  Helper  HelperAge  HelperExitReason
-----------     ---  -----    --------  -------         ---------  ------  ---------  ----------------
192.168.4.102   1    FULL/DR  34        192.168.2.102   vlan2      N
SecFlow-2# show ip ospf route
OSPF Routing Table Vrf default
Dest/Mask                    TOS  NextHop/Interface      Cost  Rt.Type    Area
---------                    ---  -------/---------      ----  -------    ----
192.168.1.0/255.255.255.0    0    192.168.2.102/vlan2    11    IntraArea  0.0.0.0
192.168.2.0/255.255.255.0    0    0.0.0.0/vlan2          1     IntraArea  0.0.0.0
192.168.4.0/255.255.255.0    0    0.0.0.0/vlan4          1     IntraArea  0.0.0.0
SecFlow-2# show ip route
Codes: C - connected, S - static, R - rip, B - bgp, O - ospf
IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2
Vrf Name: default
---------
C 7.7.7.0/29 is directly connected, vlan4093
Viewing SecFlow-1
SecFlow-1# router interface show
+----+------+--------+------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet        | Mtu  | Purpose          | Admin status | Description |
+====+======+========+==================+======+==================+==============+=============+
| 1  | N/A  | eth1:1 | 192.168.1.102/24 | 1500 | application host | enable       |             |
+----+------+--------+------------------+------+------------------+--------------+-------------+
| 2  | 2    | eth2.2 | 192.168.2.102/24 | 1500 | general          | enable       |             |
+----+------+--------+------------------+------+------------------+--------------+-------------+
router/ospf# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
192.168.4.101 1 Full/Backup 33.167s 192.168.2.101 eth2.2:192.168.2.102 0 0 0
router/ospf# show ip ospf route
============ OSPF network routing table ============
N 192.168.1.0/24 [10] area: 0.0.0.0
directly attached to eth1
N 192.168.2.0/24 [10] area: 0.0.0.0
directly attached to eth2.2
N 192.168.4.0/24 [11] area: 0.0.0.0
via 192.168.2.101, eth2.2
============ OSPF router routing table =============
============ OSPF external routing table ===========
router/ospf# exit
Connection closed by foreign host
SecFlow-1# router route show
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.2
192.168.4.0 192.168.2.101 255.255.255.0 UG 11 0 0 eth2.2
Completed OK
SecFlow-1# ping 192.168.4.101
PING 192.168.4.101 (192.168.4.101): 56 data bytes
64 bytes from 192.168.4.101: seq=0 ttl=64 time=1.509 ms
64 bytes from 192.168.4.101: seq=1 ttl=64 time=1.227 ms
64 bytes from 192.168.4.101: seq=2 ttl=64 time=1.231 ms
International Headquarters
24 Raoul Wallenberg Street
Tel Aviv 69719, Israel
Tel. 972-3-6458181
Fax 972-3-6498250, 6474436
E-mail market@rad.com
www.rad.com