
SecFlow-1
Ruggedized SCADA-Aware Router Gateway
Version 4.1
Installation and Operation Manual

Notice
This manual contains information that is proprietary to RAD Data Communications Ltd. ("RAD").
No part of this publication may be reproduced in any form whatsoever without prior written
approval by RAD Data Communications.
Right, title and interest, all information, copyrights, patents, know-how, trade secrets and other
intellectual property or other proprietary rights relating to this manual and to the SecFlow-1 and
any software components contained therein are proprietary products of RAD protected under
international copyright law and shall be and remain solely with RAD.
The SecFlow-1 product name is owned by RAD. No right, license, or interest to such trademark is
granted hereunder, and you agree that no such right, license, or interest shall be asserted by
you with respect to such trademark. RAD products/technologies are protected by registered
patents. To review specifically which product is covered by which patent, please see ipr.rad.com.
The RAD name, logo, logotype, and the product names MiNID, Optimux, Airmux, IPmux, and
MiCLK are registered trademarks of RAD Data Communications Ltd. All other trademarks are the
property of their respective holders.
You shall not copy, reverse compile or reverse assemble all or any portion of the Manual or the
SecFlow-1. You are prohibited from, and shall not, directly or indirectly, develop, market,
distribute, license, or sell any product that supports substantially similar functionality as the
SecFlow-1, based on or derived in any way from the SecFlow-1. Your undertaking in this
paragraph shall survive the termination of this Agreement.
This Agreement is effective upon your opening of the SecFlow-1 package and shall continue until
terminated. RAD may terminate this Agreement upon the breach by you of any term hereof.
Upon such termination by RAD, you agree to return to RAD the SecFlow-1 and all copies and
portions thereof.
For further information contact RAD at the address below or contact your local distributor.

International Headquarters
RAD Data Communications Ltd.
24 Raoul Wallenberg Street
Tel Aviv 69719, Israel
Tel: 972-3-6458181
Fax: 972-3-6498250, 6474436
E-mail: market@rad.com

North American Headquarters
RAD Data Communications Inc.
900 Corporate Drive
Mahwah, NJ 07430, USA
Tel: (201) 5291100, Toll free: 1-800-4447234
Fax: (201) 5295777
E-mail: market@radusa.com

© 1988–2017 RAD Data Communications Ltd. Publication No. 611-200-07/17


Front Matter Installation and Operation Manual

Limited Warranty
RAD warrants to DISTRIBUTOR that the hardware in the SecFlow-1 to be delivered hereunder
shall be free of defects in material and workmanship under normal use and service for a period
of twelve (12) months following the date of shipment to DISTRIBUTOR.
If, during the warranty period, any component part of the equipment becomes defective by
reason of material or workmanship, and DISTRIBUTOR immediately notifies RAD of such defect,
RAD shall have the option to choose the appropriate corrective action: a) supply a replacement
part, or b) request return of equipment to its plant for repair, or c) perform necessary repair at
the equipment's location. In the event that RAD requests the return of equipment, each party
shall pay one-way shipping costs.
RAD shall be released from all obligations under its warranty in the event that the equipment has
been subjected to misuse, neglect, accident or improper installation, or if repairs or
modifications were made by persons other than RAD's own authorized service personnel, unless
such repairs by others were made with the written consent of RAD.
The above warranty is in lieu of all other warranties, expressed or implied. There are no
warranties which extend beyond the face hereof, including, but not limited to, warranties of
merchantability and fitness for a particular purpose, and in no event shall RAD be liable for
consequential damages.
RAD shall not be liable to any person for any special or indirect damages, including, but not
limited to, lost profits from any cause whatsoever arising from or in any way connected with the
manufacture, sale, handling, repair, maintenance or use of the SecFlow-1, and in no event shall
RAD's liability exceed the purchase price of the SecFlow-1.
DISTRIBUTOR shall be responsible to its customers for any and all warranties which it makes
relating to SecFlow-1 and for ensuring that replacements and other adjustments required in
connection with the said warranties are satisfactory.
Software components in the SecFlow-1 are provided "as is" and without warranty of any kind.
RAD disclaims all warranties including the implied warranties of merchantability and fitness for a
particular purpose. RAD shall not be liable for any loss of use, interruption of business or
indirect, special, incidental or consequential damages of any kind. In spite of the above RAD
shall do its best to provide error-free software products and shall offer free Software updates
during the warranty period under this Agreement.
RAD's cumulative liability to you or any other party for any loss or damages resulting from any
claims, demands, or actions arising out of or relating to this Agreement and the SecFlow-1 shall
not exceed the sum paid to RAD for the purchase of the SecFlow-1. In no event shall RAD be
liable for any indirect, incidental, consequential, special, or exemplary damages or lost profits,
even if RAD has been advised of the possibility of such damages.
This Agreement shall be construed and governed in accordance with the laws of the State of
Israel.

Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste
equipment in protecting the environment, the owner of this RAD product is
required to refrain from disposing of this product as unsorted municipal waste at
the end of its life cycle. Upon termination of the unit’s use, customers should
provide for its collection for reuse, recycling or other form of environmentally
conscientious disposal.


General Safety Instructions


The following instructions serve as a general guide for the safe installation and operation of
telecommunications products. Additional instructions, if applicable, are included inside the
manual.

Safety Symbols

Warning: This symbol may appear on the equipment or in the text. It indicates potential safety
hazards regarding product operation or maintenance to operator or service personnel.

Danger of electric shock! Avoid any contact with the marked surface while the product is
energized or connected to outdoor telecommunication lines.

Protective ground: the marked lug or terminal should be connected to the building protective
ground bus.

Warning: Some products may be equipped with a laser diode. In such cases, a label with the laser
class and other warnings as applicable will be attached near the optical transmitter. The laser
warning symbol may be also attached. Please observe the following precautions:
• Before turning on the equipment, make sure that the fiber optic cable is intact and is
connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or unterminated fiber-optic cables/connectors or look straight at the laser
beam.
• The use of optical devices with the equipment will increase eye hazard.
• Use of controls, adjustments or performing procedures other than those specified herein, may
result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible!

In some cases, the users may insert their own SFP laser transceivers into the product. Users are
alerted that RAD cannot be held responsible for any damage that may result if non-compliant
transceivers are used. In particular, users are warned to use only agency approved products that
comply with the local laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation and maintenance of
this product. Only qualified and authorized service personnel should carry out adjustment,
maintenance or repairs to this product. No installation, adjustment, maintenance or repairs
should be performed by either the operator or the user.


Handling Energized Products

General Safety Practices


Do not touch or tamper with the power supply when the power cord is connected. Line voltages
may be present inside certain products even when the power switch (if installed) is in the OFF
position or a fuse is blown. For DC-powered products, although the voltage levels are usually
not hazardous, energy hazards may still exist.
Before working on equipment connected to power lines or telecommunication lines, remove
jewelry or any other metallic object that may come into contact with energized parts.
Unless otherwise specified, all products are intended to be grounded during normal use.
Grounding is provided by connecting the mains plug to a wall socket with a protective ground
terminal. If a ground lug is provided on the product, it should be connected to the protective
ground at all times, by a wire with a diameter of 18 AWG or wider. Rack-mounted equipment
should be mounted only in grounded racks and cabinets.
Always make the ground connection first and disconnect it last. Do not connect
telecommunication cables to ungrounded equipment. Make sure that all other cables are
disconnected before disconnecting the ground.
Some products may have panels secured by thumbscrews with a slotted head. These panels may
cover hazardous circuits or parts, such as power supplies. These thumbscrews should therefore
always be tightened securely with a screwdriver after both initial installation and subsequent
access to the panels.

Connecting AC Mains
Make sure that the electrical installation complies with local codes.
Always connect the AC plug to a wall socket with a protective ground.
The maximum permissible current capability of the branch distribution circuit that supplies power
to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation
should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A
for USA and Canada).
Always connect the power cord first to the equipment and then to the wall socket. If a power
switch is provided in the equipment, set it to the OFF position. If the power cord cannot be
readily disconnected in case of emergency, make sure that a readily accessible circuit breaker or
emergency switch is installed in the building installation.
In cases when the power distribution system is IT type, the switch must disconnect both poles
simultaneously.

Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating in reference
to the ground. Any single pole can be externally grounded.
Due to the high current capability of DC power systems, care should be taken when connecting
the DC supply to avoid short-circuits and fire hazards.
Make sure that the DC power supply is electrically isolated from any AC source and that the
installation complies with the local codes.


The maximum permissible current capability of the branch distribution circuit that supplies power
to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation
should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A
for USA and Canada).
Before connecting the DC supply wires, ensure that power is removed from the DC circuit. Locate
the circuit breaker of the panel board that services the equipment and switch it to the OFF
position. When connecting the DC supply wires, first connect the ground wire to the
corresponding terminal, then the positive pole and last the negative pole. Switch the circuit
breaker back to the ON position.
A readily accessible disconnect device that is suitably rated and approved should be incorporated
in the building installation.
If the DC power supply is floating, the switch must disconnect both poles simultaneously.

Connecting Data and Telecommunications Cables


Data and telecommunication interfaces are classified according to their safety status.
The following table lists the status of several standard interfaces. If the status of a given port
differs from the standard one, a notice will be given in the manual.

Ports and their safety status:

SELV (Safety Extra Low Voltage): ports which do not present a safety hazard. Usually up to
30 VAC or 60 VDC.
Ports: V.11, V.28, V.35, V.36, RS-530, X.21, 10BaseT, 100BaseT, 1000BaseT, Unbalanced E1,
E2, E3, STM, DS-2, DS-3, S-Interface ISDN, Analog voice E&M

TNV-1 (Telecommunication Network Voltage-1): ports whose normal operating voltage is within
the limits of SELV, on which overvoltages from telecommunications networks are possible.
Ports: xDSL (without feeding voltage), Balanced E1, T1, Sub E1/T1, POE

TNV-2 (Telecommunication Network Voltage-2): ports whose normal operating voltage exceeds
the limits of SELV (usually up to 120 VDC or telephone ringing voltages), on which overvoltages
from telecommunication networks are not possible. These ports are not permitted to be directly
connected to external telephone and data lines.
Ports: FXS (Foreign Exchange Subscriber)

TNV-3 (Telecommunication Network Voltage-3): ports whose normal operating voltage exceeds
the limits of SELV (usually up to 120 VDC or telephone ringing voltages), on which overvoltages
from telecommunication networks are possible.
Ports: FXO (Foreign Exchange Office), xDSL (with feeding voltage), U-Interface ISDN

Always connect a given port to a port of the same safety status. If in doubt, seek the assistance
of a qualified safety engineer.
Always make sure that the equipment is grounded before connecting telecommunication cables.
Do not disconnect the ground connection before disconnecting all telecommunications cables.
Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables.
Extra caution should be exercised during thunderstorms.


When using shielded or coaxial cables, verify that there is a good ground connection at both
ends. The grounding and bonding of the ground connections should comply with the local codes.
The telecommunication wiring in the building may be damaged or present a fire hazard in case of
contact between exposed external wires and the AC power lines. In order to reduce the risk,
there are restrictions on the diameter of wires in the telecom cables, between the equipment
and the mating connectors.

Caution: To reduce the risk of fire, use only No. 26 AWG or larger telecommunication
line cords.

Caution (French notice): To reduce the risk of fire, use only telecommunication conductors of
26 AWG or larger cross-section.

Some ports are suitable for connection to intra-building or non-exposed wiring or cabling only. In
such cases, a notice will be given in the installation instructions.
Do not attempt to tamper with any carrier-provided equipment or connection hardware.

Electromagnetic Compatibility (EMC)


The equipment is designed and approved to comply with the electromagnetic regulations of
major regulatory bodies. The following instructions may enhance the performance of the
equipment and will provide better protection against excessive emission and better immunity
against disturbances.
A good ground connection is essential. When installing the equipment in a rack, make sure to
remove all traces of paint from the mounting points. Use suitable lock-washers and torque. If an
external grounding lug is provided, connect it to the ground bus using braided wire as short as
possible.
The equipment is designed to comply with EMC requirements when connecting it with unshielded
twisted pair (UTP) cables with the exception of 1000BaseT ports that must always use shielded
twisted pair cables of good quality (CAT 5E or higher). However, the use of shielded wires is
always recommended, especially for high-rate data. In some cases, when unshielded wires are
used, ferrite cores should be installed on certain cables. In such cases, special instructions are
provided in the manual.
Disconnect all wires which are not in permanent use, such as cables used for one-time
configuration.
The compliance of the equipment with the regulations for conducted emission on the data lines
is dependent on the cable quality. The emission is tested for UTP with 80 dB longitudinal
conversion loss (LCL).
Unless otherwise specified or described in the manual, TNV-1 and TNV-3 ports provide secondary
protection against surges on the data lines. Primary protectors should be provided in the building
installation.
The equipment is designed to provide adequate protection against electro-static discharge (ESD).
However, it is good working practice to use caution when connecting cables terminated with
plastic connectors (without a grounded metal hood, such as flat cables) to sensitive data lines.
Before connecting such cables, discharge yourself by touching ground or wear an ESD preventive
wrist strap.


FCC-15 User Information


This equipment has been tested and found to comply with the limits of the Class A digital device,
pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial environment. This
equipment generates, uses and can radiate radio frequency energy and, if not installed and used
in accordance with the Installation and Operation manual, may cause harmful interference to the
radio communications. Operation of this equipment in a residential area is likely to cause harmful
interference in which case the user will be required to correct the interference at his own
expense.

Canadian Emission Requirements


This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing
Equipment Regulation.
(French notice) This Class A digital apparatus meets all the requirements of the Canadian
Interference-Causing Equipment Regulations.

Warning per EN 55022 (CISPR-22)

Warning: This is a class A product. In a domestic environment, this product may cause radio
interference, in which case the user will be required to take adequate measures.

Warning (French notice): This device is a Class A device. In a residential environment, this
device may cause radio interference. In such cases, the user may be asked to take appropriate
measures.

Warning (German notice): This device falls under radio interference limit class A. Operating
this device in residential areas may cause radio interference, which the user is responsible
for correcting.


Product Disposal (French notice)

To facilitate the reuse, recycling and other forms of recovery of discarded equipment as part of
protecting the environment, the owner of this RAD product is asked not to dispose of it as
unsorted municipal waste once the product has reached the end of its life cycle. The customer
should arrange for the reuse, recycling or any other form of environmentally conscious disposal
of this unit once it is no longer in use.

General Safety Instructions (French notice)

The following instructions serve as a general guide for the safe installation and operation of
telecommunications products. Additional instructions, where applicable, are given in the
manual.

Safety Symbols

Warning: This symbol may appear on the equipment or in the text. It indicates potential safety
hazards to the operator or service personnel regarding product operation or maintenance.

Danger of electric shock! Avoid any contact with the marked surface while the product is
energized or connected to external telecommunication lines.

Protective ground: the marked lug or terminal should be connected to the building protective
ground.

Warning: Some products may be equipped with a laser diode. In such cases, a label indicating the
laser class and other warnings, as applicable, will be attached near the optical transmitter.
The laser warning symbol may also be attached. Please observe the following precautions:
• Before switching on the equipment, make sure that the fiber optic cable is intact and
connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or unterminated fiber optic cables or connectors, and do not look directly
at a laser beam.
• The use of optical devices with the equipment will increase the eye hazard.
• Use of controls, adjustments or procedures other than those specified herein may result in
hazardous radiation exposure.
ATTENTION: The laser beam may be invisible!

In some cases, users may insert their own SFP laser transceivers into the product. Users are
warned that RAD cannot be held responsible for any damage that may result from the use of
non-compliant transceivers. In particular, users are warned to use only agency-approved
products that comply with local laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation and maintenance of
this product. Only qualified and authorized service personnel should carry out adjustment,
maintenance or repairs to this product. No installation, adjustment, maintenance or repair
operation should be performed by the operator or the user.

Handling Energized Products

General Safety Practices

Do not touch or tamper with the power supply when the power cord is connected. Line voltages
may be present in certain products even when the switch (if installed) is in the OFF position or
the fuse is blown. For DC-powered products, the voltage levels are generally not hazardous, but
current hazards may still exist.
Before working on equipment connected to power or telecommunication lines, remove jewelry or
any other metallic object that may come into contact with energized parts.
Unless otherwise indicated, all products are intended to be grounded during normal use.
Grounding is provided by connecting the mains plug to a wall socket equipped with a protective
ground terminal. If a ground lug is provided with the product, it should be connected at all
times to a protective ground by a conductor of 18 AWG diameter or larger. Rack-mounted
equipment should be mounted only in grounded racks and cabinets.
Always connect the ground first and disconnect it last. Do not connect telecommunication cables
to equipment that is not grounded. Make sure that all other cables are disconnected before
disconnecting the ground.


Connecting AC Mains

Make sure that the electrical installation complies with local regulations.
Always connect the mains plug to a wall socket equipped with a protective ground terminal.
The maximum permissible current capability of the branch distribution circuit that supplies power
to the product is 16A (20A in the USA and Canada). The circuit breaker in the building
installation should have a high breaking capacity and should operate at a short-circuit current
exceeding 35A (40A in the USA and Canada).
Always connect the power cord first to the equipment and then to the wall socket. If a switch is
provided with the equipment, set it to the OFF position. If the power cord cannot be easily
disconnected in an emergency, make sure that a readily accessible circuit breaker or emergency
switch is installed in the building installation.
The switch should disconnect both poles simultaneously if the power distribution system is IT
type.

Connecting DC Power
Unless otherwise specified in the manual, the DC input of the equipment is floating with respect
to ground. Any single pole can be externally grounded.
Due to the current capability of DC power systems, precautions should be taken when connecting
the DC supply to avoid short-circuits and fire hazards.
Make sure that the DC supply is isolated from any AC (mains) source and that the installation
complies with local regulations.
The maximum permissible current capability of the branch distribution circuit that supplies power
to the product is 16A (20A in the USA and Canada). The circuit breaker in the building
installation should have a high breaking capacity and should operate at a short-circuit current
exceeding 35A (40A in the USA and Canada).
Before connecting the DC supply wires, make sure that the DC circuit is not energized. Locate
the circuit breaker in the panel board serving the equipment and set it to the OFF position. When
connecting the DC supply wires, first connect the ground conductor to the corresponding
terminal, then the positive pole and last the negative pole. Switch the circuit breaker back to
the ON position.
A readily accessible, suitably rated and approved disconnect device should be incorporated in
the building installation.
The disconnect device should disconnect both poles simultaneously if the DC supply is floating.


Glossary

Address: A coded representation of the origin or destination of data.

Bus: A transmission path or channel. A bus is typically an electrical connection with one or
more conductors, where all attached devices receive all transmissions at the same time.

Carrier: A continuous signal at a fixed frequency that is capable of being modulated with a
second (information carrying) signal.

Cellular interface: The air interface technology specifies the method for transmitting
information over the air between base stations and mobile units.

Channel: A path for electrical transmission between two or more points. Also called a link,
line, circuit or facility.

Data: Information represented in digital form, including voice, text, facsimile and video.

Digital: The binary ("1" or "0") output of a computer or terminal. In data communications, an
alternating, non-continuous (pulsating) signal.

Ethernet: A local area network (LAN) technology which has extended into the wide area
networks. Ethernet operates at many speeds, including data rates of 10 Mbps (Ethernet),
100 Mbps (Fast Ethernet), 1,000 Mbps (Gigabit Ethernet), 10 Gbps, 40 Gbps, and 100 Gbps.

Firewall: A firewall is a network security system that controls the incoming and outgoing
network traffic based on an applied rule set.

Gateway: A gateway is a router or a proxy server that routes between networks.

Interface: A shared boundary, defined by common physical interconnection characteristics,
signal characteristics, and meanings of exchanged signals.

IPsec: Internet Protocol Security is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session.

Laser: A device that transmits an extremely narrow and coherent beam of electromagnetic
energy in the visible light spectrum. Used as a light source for fiber optic transmission
(generally more expensive, shorter lived, single mode only, for greater distances than LED).

Layer 2: Layer 2 refers to the Data Link layer of the commonly-referenced multilayered
communication model, Open Systems Interconnection (OSI). The Data Link layer is concerned
with moving data across the physical links in the network.

Layer 3: Layer 3 refers to the Network layer of the commonly-referenced multilayered
communication model, Open Systems Interconnection (OSI). The Network layer is concerned with
knowing the address of the neighboring nodes in the network, selecting routes and quality of
service, and recognizing and forwarding to the Transport layer incoming messages for local host
domains.

Link: A communications channel that connects two or more communicating devices.

Link aggregation: Link aggregation is a method of using two Ethernet ports in parallel to
provide trunking and network fault tolerance. Link aggregation with the trunking feature
enhances connection speed beyond the limits of any one single cable or port.

MAC: A media access control address (MAC address) is a unique identifier assigned to network
interfaces for communications on the physical network segment.

Multiplexer: At one end of a communications link, a device that combines several lower speed
transmission channels into a single high speed channel. A multiplexer at the other end reverses
the process. Sometimes called a mux. See Bit Interleaving/Multiplexing.

Network: (1) An interconnected group of nodes. (2) A series of points, nodes, or stations
connected by communications channels; the collection of equipment through which connections
are made between data stations.

Path: A service defined over network links is referred to as a path in RV-SC/TDM.

Port: The physical interface to a computer or multiplexer, for connection of terminals and
modems.

Router: An interconnection device that connects individual LANs. Unlike bridges, which
logically connect at OSI Layer 2, routers provide logical paths at OSI Layer 3. Like bridges,
remote sites can be connected using routers over dedicated or switched lines to create WANs.

SCADA: Supervisory control and data acquisition is a system operating with coded signals over
communication channels so as to provide control of remote equipment (using typically one
communication channel per remote station).

Serial Tunneling: A method to exchange serial data with another device using the internet
protocol.

Service: A set of related software functionalities that can be used for provision of a discrete
function within a systems environment.

SIM card: A subscriber identity module or subscriber identification module (SIM) is an
integrated circuit that securely stores the international mobile subscriber identity (IMSI) and
the related key used to identify and authenticate subscribers on mobile devices.

Single Mode: Describing an optical wave-guide or fiber that is designed to propagate light of
only a single wavelength (typically 5-10 microns in diameter).

Spanning Tree: The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free
topology for any bridged Ethernet local area network.

VPN: A virtual private network (VPN) extends a private network across a public network, such as
the Internet.

Contents
Chapter 1. Introduction
1.1 Overview .............................................................................................................................. 1-1
Product Options ................................................................................................................. 1-1
Applications ....................................................................................................................... 1-1
Features ............................................................................................................................ 1-2
Ethernet ........................................................................................................................ 1-2
VPN Gateway with IPSec ................................................................................................ 1-2
Terminal Server and Serial Tunneling ............................................................................. 1-3
Access Control List ........................................................................................................ 1-3
Network Management ................................................................................................... 1-3
Routing ......................................................................................................................... 1-3
SCADA services ............................................................................................................. 1-3
Firewall ......................................................................................................................... 1-3
Diagnostics ................................................................................................................... 1-4
1.2 New in This Version .............................................................................................................. 1-4
1.3 Physical Description ............................................................................................................. 1-4
1.4 Functional Description .......................................................................................................... 1-5
Serial Traffic ...................................................................................................................... 1-6
Ethernet Traffic ................................................................................................................. 1-6
Cellular Uplink .................................................................................................................... 1-6
1.5 Technical Specifications........................................................................................................ 1-7

Chapter 2. Installation and Setup


2.1 Safety Information ............................................................................................................... 2-1
Grounding .......................................................................................................................... 2-2
2.2 Site Requirements and Prerequisites .................................................................................... 2-3
Power ................................................................................................................................ 2-3
Ambient Requirements ...................................................................................................... 2-3
2.3 Package Contents................................................................................................................. 2-3
2.4 Required Equipment ............................................................................................................. 2-4
2.5 Mounting SecFlow-1 ............................................................................................................. 2-4
Antenna Installation ........................................................................................................... 2-5
2.6 Grounding SecFlow-1 ........................................................................................................... 2-6
2.7 Connecting to Power ............................................................................................................ 2-7
2.8 Connecting to a Terminal ..................................................................................................... 2-8
2.9 Connecting to Ethernet Equipment....................................................................................... 2-8
2.10 Connecting to Serial Equipment............................................................................................ 2-8
2.11 Connecting to Discrete Channel ........................................................................................... 2-9
2.12 Cable Labeling ...................................................................................................................... 2-9

Chapter 3. Operation and Maintenance


3.1 Turning On the Unit ............................................................................................................. 3-1
3.2 Indicators ............................................................................................................................. 3-1
3.3 Startup ................................................................................................................................. 3-4
Default Settings ................................................................................................................. 3-4
Configuration Database ..................................................................................................... 3-4
3.4 Battery Maintenance ............................................................................................................ 3-5
3.5 Turning Off the Unit ............................................................................................................. 3-5


Chapter 4. Management and Security


4.1 Management ........................................................................................................................ 4-1
Setup ................................................................................................................................. 4-1
Login ................................................................................................................................. 4-1
Lost Superuser Password .............................................................................................. 4-2
Default Configuration ........................................................................................................ 4-2
4.2 Command Line Interface ...................................................................................................... 4-2
4.3 Access Control List (ACL) ...................................................................................................... 4-3
Standards .......................................................................................................................... 4-3
Benefits ............................................................................................................................. 4-3
Functional Description ....................................................................................................... 4-3
Access Groups ............................................................................................................... 4-4
ACL Functioning ............................................................................................................ 4-4
Configuring ACL ................................................................................................................. 4-4
ACL Configuration Examples ............................................................................................... 4-6
4.4 Application Aware Firewall.................................................................................................... 4-8
Firewall Service Operation .................................................................................................. 4-8
Software License ............................................................................................................... 4-9
Configuring Firewall Service ............................................................................................... 4-9
4.5 Authentication via TACACS+ Server..................................................................................... 4-11
Standards ........................................................................................................................ 4-11
Benefits ........................................................................................................................... 4-11
Factory Defaults .............................................................................................................. 4-11
Functional Description ..................................................................................................... 4-11
Configuring TACACS Authentication.................................................................................. 4-13

Chapter 5. Services
5.1 Dynamic Multipoint VPN ....................................................................................................... 5-1
5.2 Transparent Serial Tunneling ................................................................................................ 5-2
Transparent Tunneling Operation Concept ......................................................................... 5-4
Network Topologies ........................................................................................................... 5-5
Point-to-Point Application ............................................................................................. 5-5
Point-to-Multipoint Application ..................................................................................... 5-5
Multipoint-to-Multipoint Application.............................................................................. 5-6
Operation Modes ............................................................................................................... 5-7
Port Mode of Operation ................................................................................................ 5-7
Service Buffer Mode ...................................................................................................... 5-7
Service Connection Mode .............................................................................................. 5-8
Serial Traffic Direction ....................................................................................................... 5-8
Serial Ports Counters ......................................................................................................... 5-9
Rx counters ................................................................................................................... 5-9
Tx counters ................................................................................................................... 5-9
Allowed Latency ................................................................................................................. 5-9
Tx Delay ........................................................................................................................... 5-10
Bus Idle Time ................................................................................................................... 5-10
Byte Mode .................................................................................................................. 5-10
Frame Mode ................................................................................................................ 5-10
Configuring Transparent Serial Tunneling ......................................................................... 5-10
Transparent Serial Tunneling between Two SecFlow-1 Routers ................................... 5-11
Transparent Serial Tunneling between SecFlow-1 and SecFlow-2 ................................ 5-12

Chapter 6. Ports


6.1 Ethernet and Serial Ports ..................................................................................................... 6-1


6.2 IP Interfaces ......................................................................................................................... 6-1
IP Interfaces....................................................................................................................... 6-1
Interface Assignment Rules................................................................................................ 6-2
IP Interface VLAN ID ........................................................................................................... 6-2
IP Interface Commands Hierarchy ...................................................................................... 6-3
IP Interface Command Description ..................................................................................... 6-3
Configuring VLAN Aware Interface ..................................................................................... 6-4
IP Retrieving from the DHCP Server .................................................................................... 6-5
6.3 Serial Ports ........................................................................................................................... 6-5
Serial Commands Hierarchy ................................................................................................ 6-7
Serial Commands Description ............................................................................................. 6-8
Port Declaration ............................................................................................................... 6-10
Default State ................................................................................................................... 6-10
RS-232 Port ..................................................................................................................... 6-11
RS-485 Port ..................................................................................................................... 6-11
LED State ......................................................................................................................... 6-11

Chapter 7. Resiliency
7.1 Backup and Redundancy ...................................................................................................... 7-1
Backup of Cellular and Physical Interfaces .......................................................................... 7-1
Modem Conditional Reload ................................................................................................ 7-1

Chapter 8. Traffic Processing


8.1 Cellular Modem .................................................................................................................... 8-1
LTE Modem ........................................................................................................................ 8-2
GPRS/UMTS Modem ........................................................................................................... 8-2
Cellular Interface Name ...................................................................................................... 8-3
Method of Operation ......................................................................................................... 8-3
VPN Application ................................................................................................................. 8-3
SIM Card Status.................................................................................................................. 8-4
Viewing SIM Card Status..................................................................................................... 8-5
Cellular Command Hierarchy............................................................................................... 8-6
Descriptions of Cellular Commands .................................................................................... 8-7
Default Status.................................................................................................................... 8-9
Retrieving Modem IMEI ....................................................................................................... 8-9
Example of SIM Card Status................................................................................................ 8-9
8.2 Discrete IO Channels .......................................................................................................... 8-10
Discrete Channel Interface ............................................................................................... 8-10
Technical Specification ..................................................................................................... 8-11
Discrete IO Channels Commands Hierarchy ...................................................................... 8-11
Discrete IO Channels Commands ...................................................................................... 8-11
8.3 DNP3 Gateway ................................................................................................................... 8-12
Configuring DNP3 Gateway .............................................................................................. 8-12
8.4 IEC 101 to IEC 104 Protocol Gateway ................................................................................. 8-13
Modes of Operation ......................................................................................................... 8-13
IEC 101 Properties ........................................................................................................... 8-14
Functional Description ..................................................................................................... 8-15
IEC 101/104 Gateway Configuration Flow ................................................................... 8-16
IEC 101/104 Gateway Commands Hierarchy ................................................................ 8-18
IEC 101/104 Gateway Commands ................................................................................ 8-18
Configuring IEC 101/104 Gateway .................................................................................... 8-21


8.5 IPsec .................................................................................................................................. 8-22


Applications ..................................................................................................................... 8-22
Authentication Header ..................................................................................................... 8-22
Encapsulating Security Payload ........................................................................................ 8-23
Security Associations ....................................................................................................... 8-23
ISAKMP ............................................................................................................................ 8-23
IKE ................................................................................................................................... 8-23
ISAKMP Phase 1 .......................................................................................................... 8-24
Handling Certificates ........................................................................................................ 8-26
ISAKMP Phase 2 .......................................................................................................... 8-30
IPsec Command Association ............................................................................................. 8-31
IPsec Commands Hierarchy .............................................................................................. 8-32
IPsec Commands Description ........................................................................................... 8-32
IPsec Default Parameters ................................................................................................. 8-36
8.6 Modbus Gateway ............................................................................................................... 8-37
Functional Description ..................................................................................................... 8-37
Modbus Gateway Commands Hierarchy ........................................................................... 8-37
Modbus Gateway Commands Description......................................................................... 8-38
Configuring Modbus Gateway .......................................................................................... 8-39
8.7 Network Address Translation (NAT) ................................................................................... 8-41
Dynamic/Static NAT Configuration ................................................................................... 8-41
NAT Commands Hierarchy ................................................................................................ 8-42
NAT Commands Description ............................................................................................. 8-42
Configuring NAT ............................................................................................................... 8-42
8.8 Open Shortest Path First (OSPF) ........................................................................................ 8-44
OSPF Commands Hierarchy .............................................................................................. 8-44
OSPF Commands Descriptions .......................................................................................... 8-45
Configuring OSPF ............................................................................................................. 8-45
Configuring S1 ............................................................................................................ 8-46
Configuring S2 ............................................................................................................ 8-47
Configuring S3 ............................................................................................................ 8-47
Configuring S4 ............................................................................................................ 8-48
8.9 RIPv2 .................................................................................................................................. 8-49
RIP Commands Hierarchy ................................................................................................. 8-49
RIP Commands Descriptions ............................................................................................. 8-49
8.10 Terminal Server .................................................................................................................. 8-51
Terminal Server Commands Hierarchy .............................................................................. 8-52
Terminal Server Commands .............................................................................................. 8-53
Local Service Configuration .............................................................................................. 8-56
Network Connection Configuration .................................................................................. 8-59
Configuring Telnet Server ............................................................................................ 8-59
Configuring SecFlow-1 (2) ........................................................................................... 8-60
Testing Results............................................................................................................ 8-60
8.11 VPN .................................................................................................................................... 8-60
Dynamic Multipoint VPN ................................................................................................... 8-61
DMVPN Commands Hierarchy ...................................................................................... 8-61
DMVPN Commands Description ................................................................................... 8-62
Layer 3 IPSec VPN ............................................................................................................ 8-64
L3 IPsec-VPN Commands Hierarchy ............................................................................. 8-64

Chapter 9. Timing and Synchronization


9.1 Date and Time...................................................................................................................... 9-1
Commands Hierarchy ......................................................................................................... 9-1


Commands Description ...................................................................................................... 9-1


Setting Date and Time ....................................................................................................... 9-1
9.2 Simple Network Time Protocol (SNTP) .................................................................................. 9-2
SNTP Command Hierarchy .................................................................................................. 9-2
SNTP Command Descriptions ............................................................................................. 9-2
Configuring SNTP Server .................................................................................................... 9-6

Chapter 10. Administration


10.1 File Operations ................................................................................................................... 10-1
Commands Hierarchy ....................................................................................................... 10-1
10.2 Device Information ............................................................................................................. 10-2
10.3 Disk Information ................................................................................................................ 10-2
10.4 License Installation ............................................................................................................. 10-3
10.5 System Reboot................................................................................................................... 10-3
Commands Hierarchy ....................................................................................................... 10-4
Command Descriptions .................................................................................................... 10-4

Chapter 11. Monitoring and Diagnostics


11.1 Capturing Ethernet Service Traffic ...................................................................................... 11-1
Commands Hierarchy ....................................................................................................... 11-1
Commands Description .................................................................................................... 11-2
Capturing Traffic .............................................................................................................. 11-2
11.2 Quality of Service (QoS) ..................................................................................................... 11-3
QOS Commands Hierarchy ............................................................................................... 11-3
QOS Commands Description ............................................................................................ 11-3
11.3 Remote Monitoring Counters ............................................................................................. 11-3
11.4 Syslog ................................................................................................................................ 11-5
Commands Hierarchy ....................................................................................................... 11-5
Commands Description .................................................................................................... 11-5
Priority Indicator .............................................................................................................. 11-5
Syslog Output Example .................................................................................................... 11-6
11.5 System Logs Export ............................................................................................................ 11-7
Commands Hierarchy ....................................................................................................... 11-7
Commands Description .................................................................................................... 11-7
11.6 Technical Support ............................................................................................................... 11-8

Chapter 12. Software Upgrade


12.1 Compatibility Requirements................................................................................................ 12-1
12.2 Prerequisites ...................................................................................................................... 12-1
12.3 Upgrading SecFlow-1 Software .......................................................................................... 12-2
Commands Hierarchy ....................................................................................................... 12-2
Upgrading via TFTP........................................................................................................... 12-2
12.4 Verifying Upgrade Results .................................................................................................. 12-3
12.5 Restoring the Previous Version ........................................................................................... 12-4

Appendix A. Connection Data


Appendix B. Test Plan

Chapter 1
Introduction

1.1 Overview
The SecFlow product line supports a large variety of capabilities that enhance
cyber security and product resiliency against external cyber attacks.
As an industrial Ethernet router, SecFlow-1 provides a strong set of Ethernet and
IP features with special emphasis on the requirements of critical infrastructure
and industrial environments, high reliability, network resiliency, secured VPN
connectivity, and an authenticated operating system.
The SecFlow-1 service-aware industrial Ethernet router combines a ruggedized
Ethernet platform with a unique application-aware processing engine.
This integrated solution features a simple network architecture that is optimized
for application requirements.

Product Options
SecFlow-1 is available in a variety of configurations. See the data sheet for
SecFlow-1 ordering options.

Applications
In a typical protocol gateway application, SecFlow-1 converts serial-based
industrial protocols to their corresponding IP-based variants, enabling the
deployment of a mixed network with serial-based and Ethernet-based devices. In
this mode, SecFlow-1 operates as a master on the serial bus and as a server in
the IP network for the corresponding protocol.
The gateway allows the transport of legacy serial protocols over IP networks in a
secure way, with optional secure VPN services and integrated firewall on each
port, providing a network-based distributed security solution equivalent to the
use of personal firewalls on all the industrial devices.
A cellular modem (such as LTE) provides a key solution for connectivity to remote
sites. The modem supports dual SIM cards for redundancy and backup between
Internet service providers.
This modem can also be used for link protection. In case of network failure,
traffic will flow over the cellular infrastructure.


[Figure 1-1 (network diagram): two SecFlow-1 units, each with a switch, an RTU and RS-232 (tunneling)/DNP3 devices, connected over a fiber (FO) link carrying the 1st IPsec over mGRE; a dual-SIM cellular modem reaches the PSN through BTS/eNB base stations and a cellular HUB, carrying the 2nd IPsec over mGRE; further labels: Spoke, Video Camera, RS-232 (T.Server), ETH, DNP3 & T.Client, serial ports S1, S2, S4 com]

Figure 1-1. Remote Site Access over the Fiber Link with Cellular Network Redundancy

Features
SecFlow-1 offers L3 dynamic and static routing, SCADA services, a firewall, and
secure networking.

Ethernet
• Auto Crossing (MDI/MDIX)
• Autonegotiation per IEEE 802.3ab
• VLAN tagging

VPN Gateway with IPSec


SecFlow-1 provides several options for secured interconnection of remote sites
over public networks forming a VPN service:
• Dynamic Multipoint VPN (using IPsec over dynamic multipoint GRE tunnel)
• IPSec VPN
• L3 P2P GRE VPN (using IPsec over static point-to-point GRE tunnel)
The IPSec tunnel within these VPNs can use 3DES or AES encryption.


Terminal Server and Serial Tunneling


SecFlow-1 enables connection of multiple devices with serial interfaces over IP
transport network providing point-to-point or point-to-multipoint transparent
serial tunneling.
The terminal server feature enables transposing of a TCP session to serial
session.

Access Control List


The enhanced Access Control List mechanism specifies which users or system
processes are granted access to SecFlow-1, as well as what operations are
allowed. ACL filters user traffic according to a variety of Layer 2, 3, and 4 traffic
criteria providing better security and control of authorized traffic.

Network Management
SecFlow-1 can be managed with CLI, or with the iEMS SecFlow Network Manager,
integrated in the RADview server, to provide an end-to-end management system.

Routing
SecFlow-1 incorporates a router for secure and efficient Layer 3 IP connectivity
over packet switched networks.
SecFlow-1 can be set to perform static or dynamic routing using:
• IPv4 (Internet Protocol version 4)
• OSPF (Open Shortest Path First) v2
• RIP v2
• NAT

SCADA services
SecFlow-1 provides secure SCADA networking towards the remote client, with
optional VPN services and an integrated firewall on each port, providing a
network-based distributed security solution equivalent to the use of personal
firewalls on all the industrial devices.

Firewall
Integrated DPI (Deep Packet Inspection) for SCADA IP service provides
network-based distributed security. The firewall implemented is
"application-aware", meaning that it inspects the contents of the data packets of
selected SCADA protocols according to the rules set by the user.
Using the firewall, SecFlow-1 becomes a distributed Intrusion Detection System
(IDS) and can block specific SCADA commands, which is what makes SecFlow-1
service-aware.
The supported protocols are IEC 104 and DNP3-TCP.
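What the application-aware inspection amounts to for IEC 104 can be seen in the following added example (Python written for this page, not RAD's firewall code): it parses the APCI and ASDU header of one IEC 60870-5-104 APDU, reads the ASDU Type ID, and applies a user allow-list so that unexpected control commands are blocked rather than passed on to the RTU. The allow-list, the sample frames and the function names are constructed for the example; it goes slightly beyond the page by also rejecting malformed frames, which a DPI engine must do before it can classify anything.

```python
"""IEC 60870-5-104 application-layer inspection, modelled from the defender's side.

Added example, not RAD code: parses the APCI/ASDU header of one 104 APDU, extracts
the ASDU Type ID and cause of transmission, and applies a constructed allow-list so
that only the command types the operator expects reach the RTU.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

START_BYTE = 0x68

# A handful of ASDU type identifiers from IEC 60870-5-101/104 (many more exist).
TYPE_NAMES = {
    1: "M_SP_NA_1 single-point information",
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    100: "C_IC_NA_1 interrogation command",
}


@dataclass
class Apdu:
    fmt: str                      # "I" (data), "S" (supervisory) or "U" (unnumbered control)
    type_id: Optional[int] = None
    cot: Optional[int] = None     # cause of transmission, low 6 bits of the COT field
    common_addr: Optional[int] = None
    ioa: Optional[int] = None     # information object address of the first object


def parse_apdu(data: bytes) -> Apdu:
    """Parse one APDU (APCI + optional ASDU header). Raises ValueError when malformed."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("missing start byte or truncated APCI")
    apdu_len = data[1]                        # length of everything after this byte
    if apdu_len < 4 or len(data) != apdu_len + 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl1 = data[2]
    if ctrl1 & 0x01 == 0:
        fmt = "I"
    elif ctrl1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt)                      # S and U frames carry no ASDU
    asdu = data[6:]
    if len(asdu) < 9:                         # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("I-format frame without a complete ASDU header")
    return Apdu(
        fmt="I",
        type_id=asdu[0],
        cot=asdu[2] & 0x3F,
        common_addr=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
    )


# Constructed allow-list: monitoring data and general interrogation only.
DEFAULT_ALLOWED: FrozenSet[int] = frozenset({1, 100})


def inspect(data: bytes, allowed_types: FrozenSet[int] = DEFAULT_ALLOWED) -> str:
    """Decide 'permit', 'block' or 'block-malformed' for one APDU.

    Transport-level S/U frames are passed; I-frames pass only when their ASDU
    Type ID is on the allow-list, so an unexpected control command (e.g. a
    single command, Type ID 45) is blocked and can be logged.
    """
    try:
        apdu = parse_apdu(data)
    except ValueError:
        return "block-malformed"
    if apdu.fmt != "I":
        return "permit"
    return "permit" if apdu.type_id in allowed_types else "block"


# Constructed sample frames (not captured traffic).
INTERROGATION = bytes.fromhex("680e" "00000000" "640106000100" "000000" "14")  # C_IC_NA_1, COT 6 (activation)
SINGLE_CMD = bytes.fromhex("680e" "00000000" "2d0106000100" "011000" "81")     # C_SC_NA_1 to IOA 4097
STARTDT_ACT = bytes.fromhex("680407000000")                                    # U-frame, STARTDT act
TRUNCATED = bytes.fromhex("680e00000000640106")                                 # cut-off I-frame

if __name__ == "__main__":
    for name, frame in [("interrogation", INTERROGATION), ("single command", SINGLE_CMD),
                        ("STARTDT act", STARTDT_ACT), ("truncated", TRUNCATED)]:
        try:
            tid = parse_apdu(frame).type_id
        except ValueError:
            tid = None
        print(f"{name:15s} type={tid} ({TYPE_NAMES.get(tid, '-')}): {inspect(frame)}")
```

The allow-list is deliberately expressed as "which Type IDs may cross this port" rather than "which ones are forbidden": on a SCADA link the set of legitimate message types is small and known, so a default-deny list is both shorter and safer than enumerating dangerous commands.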


Diagnostics
SecFlow-1 provides extensive diagnostic tools to assist operators in fault
management:
• Counters and statistics per port
• LED diagnostics on the main interfaces
• RMON v1
• DDM
• Syslog

1.2 New in This Version


The following features have been added for Version 4.1:
• Management improvements allowing configuration of your own welcome text
and host name.
• Ethernet port counters that allow easy debugging and troubleshooting
• Simple Network Timing Protocol (SNTP) for the distribution of the date and
time. This feature allows users to easily set the date and time.
• Multiuser Terminal Access Controller Access Control System (TACACS), which
facilitates secured authentication and authorization for up to five authorized
users.
• Cellular support using Challenge Handshake Authentication Protocol (CHAP),
which enables secured access to the cellular network.
• X.509 digital signature certificates with CA support (SCEP and CRL server).

1.3 Physical Description


Figure 1-2 displays the image of SecFlow-1, with the console port, Ethernet, and
serial ports on the front panel, as well as the SIM card slots. It also displays the
bottom panel with the cellular antenna and digital input/output ports, and an
additional cellular antenna on the top panel.


[Figure 1-2 (image of the unit): callouts for Console, Cellular Antenna, SIM Card, 2 x Serial Ports (Ports 1, 2), FE Port, Dry Contact (DI/DO)]

Figure 1-2. SecFlow-1

Refer to Chapter 2 for a more detailed description of the SecFlow-1 interface
connections.

1.4 Functional Description


This section provides a functional description of the SecFlow-1 system.
Depending on the ordering option, SecFlow-1 may include the following Ethernet
and serial ports:
• Two serial RS-232 ports or single RS-232 + RS-485/4W with RJ-45 connectors
• One 10/100BaseT Ethernet port with RJ-45 connector
• One GbE Ethernet SFP port
In addition, the system includes a cellular modem, an RS-232 console port for
management, two digital input lines and one digital output line.


Figure 1-3. SecFlow-1 Block Diagram

Serial Traffic
Incoming serial traffic is encapsulated into IP packets. The packets are transferred
out via the Ethernet ports or the cellular uplink.

Ethernet Traffic
Ethernet ports transfer UNI traffic. User traffic is routed to the network, or
(optionally) to L3 VPN. Ethernet traffic can also be routed to the cellular uplink
using NAT or VPN.

Cellular Uplink
SecFlow-1 has an integrated cellular modem. The cellular uplink transfers traffic
from the device to a remote hub.


1.5 Technical Specifications

Ethernet Interface
    Number of Ports      One 10/100BaseT port
                         One 100/1000BaseFX SFP port

Serial Interface
    Number of Ports      2 ports
    Type                 RS-232

Cellular Modem
    Number of SIMs       2 SIM cards
    Type                 GPRS/UMTS/LTE
    Bands                • 2G GSM - EDGE / GPRS, class 12
                           Quad band: 850/900/1800/1900 MHz
                         • 3G UMTS - HSDPA, cat 5/6
                           Triple band: 2100/1900/900 MHz
                           Triple band: 2100/1900/850 MHz
                         • HSPA+, WCDMA, GSM
                           Band 1 (2100 MHz)
                           Band 2 (1900 MHz)
                           Band 5 (850 MHz)
                           Band 6 (800 MHz)
                           Band 8 (900 MHz)
                         • LTE North America - DC-HSPA+, EDGE, GPRS, GSM, CDMA
                           Band 2 (1900 MHz)
                           Band 4 AWS (1700/2100 MHz)
                           Band 5 (850 MHz)
                           Band 13 (700 MHz)
                           Band 17 (700 MHz)
                           Band 25 (1900 MHz)
                         • LTE Europe - DC-HSPA+, EDGE, GPRS, GSM
                           Band 1 (2100 MHz)
                           Band 3 (1800 MHz)
                           Band 7 (2600 MHz)
                           Band 8 (900 MHz)
                           Band 20 (800 MHz)

Standards
    Compliance with      IEEE 802.3ad, 802.1q
                         ITU-T

Management
    Local                RS-232 control port
    Inband               Via one of the Ethernet ports

Router
    Type                 Static routing, OSPF

Power
    DC                   9–60 VDC
    Power Consumption    8W

Physical
    Height               106 mm (4.17 in)
    Width                44.7 mm (1.76 in)
    Depth                120 mm (4.72 in)
    Weight               0.6–1.0 kg (1.3–2.2 lb)

Environment
    Temperature          -40°C to 70°C (-40°F to 158°F)
    Humidity             Up to 95%
    Rugged enclosure     Fanless, IP 30-rated



Chapter 2
Installation and Setup
This chapter provides installation instructions for the SecFlow-1 systems
including:
• General description of the equipment enclosure and its panels
• Mechanical and electrical installation instructions
After the system is installed, it must be configured in accordance with the
specific user's requirements. The preliminary system configuration is always
performed by means of a supervision terminal (procedures for using the terminal
are detailed in Chapter 4). After the preliminary configuration, the system can
also be managed by means of Telnet hosts or SNMP-based network management
stations, e.g., RADview with an integrated SecFlow-1 Network Management tool.

2.1 Safety Information

Danger of electric shock! Avoid any contact with the marked surface while the
product is energized or connected to outdoor telecommunication lines.

Protective earth: the marked lug or terminal should be connected to the building
protective earth bus.

Warning
LINE VOLTAGE
Before connecting the product to the power line, make sure the voltage of the
power source matches the requirements of the product, as marked on the label
located near the power connectors.


Warning
SecFlow-1 includes Class 1 lasers. For your safety:
• Do not look directly into the optical connectors while the unit is operating.
The laser beams are invisible.
• Do not attempt to adjust the laser drive current.
The use of optical instruments with this product will increase eye hazard. Laser
power up to 1 mW at 1300 nm and 1550 nm could be collected by an optical
instrument.
Use of controls or adjustment or performing procedures other than those
specified herein may result in hazardous radiation exposure.

Caution
This equipment contains Electrostatic Discharge (ESD) sensitive components. Use
ESD protection before servicing or installing components of this system.

Caution
Changes or modifications made to this device that are not expressly approved by
the party responsible for compliance could void the user’s authority to operate
the equipment.

Caution
Remove the power cord from a power-supply unit before installing it in or
removing it from the device. Otherwise, the power supply or the device could be
damaged. (The device can be running while a power supply is being installed or
removed, but the power supply itself should not be connected to a power
source.)

Caution
The unit is designated to operate in environments of up to 70 degrees ambient
temperature.
For AC units, under some conditions the housing of the unit might get hot and
direct touch should be avoided.

Grounding

For your protection and to prevent possible damage to equipment when a fault
condition, e.g., a lightning stroke or contact with high-voltage power lines, occurs
on the lines connected to the equipment, the SecFlow-1 chassis must be properly
grounded (earthed) at all times. Any interruption of the protective (grounding)
connection inside or outside the equipment, or the disconnection of the
protective ground terminal, can make this equipment dangerous. Intentional
interruption is prohibited.


2.2 Site Requirements and Prerequisites

Warning
Before connecting this product to a power source, make sure to read the
Handling Energized Products section at the beginning of this manual.

Caution SecFlow-1 does not have a power switch, and therefore will start operating as
soon as power is applied to one of the power supply inlets.
The external circuit breaker used to protect the input power line can be used as
an ON/OFF power switch, or an external ON/OFF switch may be installed.

Power
Available power input versions and their respective current consumption are
shown in Table 2-1.

Table 2-1. SecFlow-1 Power Inputs and Consumption

Power Input    Range [V]    Power Consumption [W]
24 VDC         9-36         8
48 VDC         36-60        8

Ambient Requirements
The ambient operating temperature range of the SecFlow-1 is -40 to 70°C
(-40 to 158°F), humidity up to 95%.
SecFlow-1 has no fans and is cooled mainly by free air convection. Cooling vents
are located in the bottom and upper covers. Do not obstruct these vents. Keep
10 cm distance from top and bottom between SecFlow-1 and any other nearby
device for proper cooling using natural air flow.

2.3 Package Contents


The SecFlow-1 package includes the following items:
• SecFlow-1 unit
• Optional: One/two cellular antennas as per the ordering option
• Optional: CBL-SF-RJ45-CONSOLE – 1x RS-232 console cable
• Optional: CBL-SF-RJ45/DB9/NULL – serial port cable
• Optional: SF1-ACADP – AC/DC DIN-rail power supply


2.4 Required Equipment


SecFlow-1 needs no special tools for installation. You need a screwdriver to
mount the unit in a 19-inch rack or on a wall.
The cables needed to connect to SecFlow-1 depend on your specific application.
You can prepare the appropriate cables yourself in accordance with the
information given in Appendix A, or you can order cables from RAD.

2.5 Mounting SecFlow-1


SecFlow-1 is designed as a fixed unit connected in its rear side to an
industry-standard DIN rail. The DIN-rail mount is the default SecFlow-1 setup.
The following mounting instructions assume that a standard DIN rail has been
previously installed. If one has not, then use the installation instructions that
come with the DIN rail to mount the DIN rail on the wall.
Locate the DIN mounting brackets on the back of the device.

To mount SecFlow-1:
1. Place the device with the DIN rail guide on the upper edge of the DIN rail.
2. Snap it in with a downward motion.

[Figure 2-1 illustrates steps 1 and 2]

Figure 2-1. SecFlow-1 DIN Rail Mounting

To remove SecFlow-1 from the DIN rail:
1. Loosen the lower clamp with the aid of a screwdriver.


2. Slide the device out and up at the lower edge of the DIN rail.

Caution
Product installation must be vertical, so that the bottom side of the device
faces downwards to enable proper natural air flow.

[Figure 2-2 illustrates the removal steps 1 to 3]

Figure 2-2. SecFlow-1 Dismantling

Antenna Installation
The SecFlow-1 unit comes with two antennas.
For optimal signal performance, it is recommended to connect both the antennas
that come with the box.
The connectors are located on both sides of the device and designated ANT on
the bottom and MI/DV on the top panel. For reference, see Figure 2-3 below.

Note For the ordering option with the LTE North America modem, you must connect
both antennas; otherwise, the device will not work.

Note If you connect only one antenna, verify that it is connected to the bottom panel
(Ant.) connector.

To install the antenna:
1. Screw the antenna on the appropriate connector.


2.6 Grounding SecFlow-1


Inside the SecFlow-1 housing are the power supply module, main processing unit,
IO interface modules and cellular modem.
The SecFlow-1 external connectors are located on its front, bottom, and top
panels as shown on Figure 2-3.

[Figure 2-3 (drawing of the unit): front panel with the PWR and RUN LEDs and the CON, S1, C1, S2, ETH1, SIM1, SIM2 and ETH2 (LASER CLASS 1) connectors; bottom panel with ANT, DRY CONT, E2, +PWR− and ETH2(SFP); top panel with the MI/DV and GPS connectors]

Figure 2-3. SecFlow-1 Connectors

To install the grounding wire:
1. Prepare a grounding wire terminated by a crimped lug with hole diameter
10 AWG as shown in Figure 2-4.
2. Use a suitable crimping tool to fasten the lug securely to the wire.
3. Adhere to your company’s policy as to the wire gauge and the number of
crimps on the lug.

[Figure 2-4 shows the 10 AWG grounding lug]

Figure 2-4. SecFlow-2 Grounding Lug

4. Apply some anti-oxidant onto the metal surface.


5. Mount the lug on the grounding posts, replace the spring-washers and fasten
the bolts. Avoid using excessive torque.

Caution Do not remove the earth connection unless all power supply connections are
disconnected.


Protective earth: the marked lug or terminal should be connected to the building
protective earth bus.

2.7 Connecting to Power


The SecFlow-1 body must be grounded before power connection. A good ground
connection is essential.

Warning
Before connecting any cables and before switching on this instrument, the
protective ground terminal of this instrument must be connected to the
protective ground conductor. Any interruption of the protective (grounding)
conductor (inside or outside the instrument) or disconnecting the protective
ground terminal can make this instrument dangerous. Intentional interruption is
prohibited.

SecFlow-1 has a power input, marked PWR. To wire the voltage, use the
supplied plug connector (see Figure 2-3 and Figure 2-5).

Figure 2-5. DC Power Connectors Wiring

To connect the device to a DC power source:
1. Strip 7 mm (1/4 inch) of insulation from the leads (copper wire within the
range of 10 to 18 AWG).

Caution Pay attention to polarity. For each source, connect the positive lead first, and the
negative lead second.

2. Release the terminal screw.


3. Push the lead into the terminal up to its insulating sleeve.
4. When the lead is in position, fasten the screw to secure the lead.
5. Verify that the lead is securely held.
6. Insert the plug into the socket.
7. Secure the plug by tightening the two screws.
8. Connect the leads to an external DC power source (color code the wiring
according to local standards to ensure that the input power and ground lines
are easily distinguished).
9. Turn on the power to the feed lines at the supply circuit-breaker.


10. Verify that the power supply PWR LED is green.

2.8 Connecting to a Terminal


SecFlow-1 is connected to an ASCII terminal via an 8-pin RJ45 female connector
located on the front panel and designated CON (see Figure 2-3). Console port
pinout is specified in Appendix A.

To connect the device to a PC using the console port:
1. Connect the RJ45 connector of the console cable to the SecFlow-1 console
port designated CON.

Note The supplied console cable is colored white. Do not connect the serial grey cables
supplied for the user serial port connection to the console port.

2. Connect the other side of the cable to the PC COM port.


3. Configure the PC COM port to 9600-N-8-1 (9600 bps, no parity, 8 data bits, 1
stop bit, no flow control) and connect.

2.9 Connecting to Ethernet Equipment


SecFlow-1 is connected to Ethernet equipment via the fiber optic SFP transceiver
with LC connector or the electrical port with the standard RJ45 connectors.
To connect to Ethernet equipment with the fiber optic interface:
• Connect SecFlow-1 to the Ethernet equipment at customer premises using
the standard fiber optic cable terminated with LC connector.
To connect to Ethernet equipment with copper interface:
• Connect SecFlow-1 to the Ethernet equipment at customer premises using
the standard CAT5 cable terminated with RJ45 connector.

2.10 Connecting to Serial Equipment


SecFlow-1 serial ports are terminated in RJ45 connectors. The user serial
equipment standard ports have DB-9 connectors. Refer to Appendix A for the
RJ-45 connector pinout.
To connect to serial equipment:
• Connect the RJ45 serial port to serial equipment at customer premises using
the CBL-RJ45-DB9/null cable terminated with the RJ45 connector.


2.11 Connecting to Discrete Channel


SecFlow-1 performs discrete IO tunneling via a terminal block located on the
bottom panel (see Figure 2-3). Refer to Figure 2-6 for the terminal block pinout.

Figure 2-6. Discrete Channel Terminal Block

To connect the discrete channel to digital input/output:
1. Strip the insulation of your power supply wires according to the
dimensions shown in Figure 2-7.

Figure 2-7. Terminal Block Wire Stripping

2. Place each wire lead into the appropriate TB plug terminal according
to Figure 2-6.
3. Tighten the terminal screws to close them.
4. Isolate the exposed terminal screws/wire leads using a plastic sleeve
or insulating tape to avoid a short circuit.

2.12 Cable Labeling


Keep your data and power cables organized and clearly labeled according to the
cable management system adopted by your company. RAD recommends adhering
to the relevant EIA standards when designing the cable infrastructure.



Chapter 3
Operation and
Maintenance

3.1 Turning On the Unit


When turning on SecFlow-1, it is useful to monitor the power-up sequence.

Caution
SecFlow-1 does not have a power on/off switch, and will start operating as soon
as power is applied.

To turn on SecFlow-1:
1. Connect the SecFlow-1 to power (see detailed instructions in Chapter 2). The
PWR and RUN indicators light up and remain lit as long as the SecFlow-1 is
powered. The PWR indicator lights up immediately upon turning on, while the
RUN indicator lights up in about two minutes.
2. After startup ends, you may log in, using the supervision terminal.

3.2 Indicators
Figure 3-1 shows the front panel with serial and Ethernet interfaces. Table 3-1 to
Table 3-3 describe the functions of the SecFlow-1 LED indicators.


[Figure 3-1 (drawing of the front panel): PWR and RUN LEDs; CON, S1, C1, S2, ETH1, SIM1, SIM2 and ETH2 (LASER CLASS 1) connectors]

Figure 3-1. SecFlow-1 Front Panel

Table 3-1. LED Indicators

Name                 LED Color    Function
PWR                  Green        • On: Power supply is on
                                  • Off: Power supply is off
RUN                  Green/Red    • On (green): Normal operation, system is up
                                  • Blinking (green): Startup is in progress
                                  • On (red): Fault
                                  • Off: No power or at early boot stage
CON Link LED         Green        • On: Terminal is connected
                                  • Off: Terminal is not connected
CON ACT LED          Yellow       • Blinking: Data is being transmitted or received
                                  • Off: No traffic
Serial 1-2 Link LED  Green        • On: Port is enabled
                                  • Off: Port is disabled
Serial 1-2 ACT LED   Yellow       • Blinking: Data is being transmitted or received
                                  • Off: No traffic
ETH 1 Link LED       Green        • On: Port is connected to an active Ethernet hub or switch
                                  • Off: Port is administratively disabled or Ethernet link is not detected
ETH 1 ACT LED        Yellow       • On (blinking): Data is being transmitted/received on the corresponding Ethernet link
                                  • Off: Port is administratively disabled or Ethernet link is not detected
ETH2                 Green/Red    • On (green): SFP is connected
                                  • Blinking (green): Data is being transmitted or received on the corresponding Ethernet link
                                  • On (red): SFP is not connected
                                  • Off: Port is administratively disabled
SIM1, SIM2           Green        • On: SIM is inserted, GPRS is enabled
                                  • Blinking: SIM is connected/Data is being transmitted or received
                                  • Off: GPRS is disabled

The table below displays the LED states of the serial ports.

Table 3-2. Serial Port LED State

Port Created   Port Admin Status   Traffic Passing   LED State
No (default)   N/A                 N/A               OFF
Yes            Down                N/A               OFF
Yes            Up (default)        No                Green
Yes            Up (default)        Yes               Green blinking

The cellular modem has a LED indicator for each SIM slot to represent the SIM
card state. The list of LED states is displayed in the table below.

Table 3-3. SIM Slot LED Indication

Modem Admin State   SIM Admin State   SIM Operation State       LED
Disabled            N/A               N/A                       OFF
Enabled             Disabled          N/A                       OFF
Enabled             Enabled           Ready                     ON
Enabled             Enabled           Not present               Blink 1 Hz
Enabled             Enabled           Failed                    Blink 1 Hz
Enabled             Enabled           PIN lock                  Blink 1 Hz
Enabled             Enabled           PUK lock                  Blink 1 Hz
Enabled             Enabled           Connecting                ON
Enabled             Enabled           Connected                 ON
Enabled             Enabled           Connected - secondary     ON
Enabled             Enabled           Connected - alternative   ON
Enabled             Enabled           Connected and traffic     ON

3.3 Startup

Default Settings
The default SecFlow-1 configuration is held in the issnvram.txt file.
Table 3-4 details the features and interfaces default state.

Table 3-4. Features Default State

Feature Default State

Ethernet Ports All ports are enabled

Serial interfaces Disabled

Cellular modem Disabled

Layer 3 interface No default IP

DHCP Client Disabled

SSH Enabled

Telnet Disabled

Syslog Disabled

ACLs Disabled

Firewall Disabled

VPN Disabled

Configuration Database
User configuration takes effect immediately upon entry; no separate command is
required to apply it. Use the commit command to save configuration changes so
that they remain available after a system reboot.


To save user configuration:

SecFlow-1# commit
Building configuration ...
[OK]

To remove all user configurations and set SecFlow-1 to the factory defaults:

SecFlow-1# delete startup-cfg
Completed OK, reboot to activate
SecFlow-1#

For additional operations with the configuration database, refer to Chapter 10.

3.4 Battery Maintenance


The SecFlow-1 system has an integrated battery used for system parameters
backup.

Caution
Battery replacement should be done by the manufacturer or an authorized party
on its behalf. There is a risk of explosion when using the wrong battery type.

3.5 Turning Off the Unit


To power off the unit:
1. Disconnect the unit from the power source.



Chapter 4
Management and Security
This chapter provides general operating instructions and preliminary configuration
instructions for SecFlow-1 units.

4.1 Management
SecFlow-1 can be managed via the following methods:
• IP-based
• Serial console port

Setup
SecFlow-1 has a RS-232 port, designated CONTROL, and terminated in an RJ-45
connector. The control port continuously monitors the incoming data stream and
immediately responds to any input string received through this port. You can use
any terminal emulation program (such as HyperTerminal or PuTTY) to manage
SecFlow-1 via the control port. The following procedure shows how to start a
terminal control session using HyperTerminal.

To start a terminal control session:
1. Connect the RJ-45 connector of the console cable to the SecFlow-1 console
port designated CON.

Note The supplied console cable is colored white. Do not connect the serial grey cables
supplied for the user serial port connection to the console port.

2. Connect the other side of the cable to the PC COM port.


3. Configure the PC COM port to 9600-N-8-1 (9600 bps, no parity, 8 data bits, 1
stop bit, no flow control) and connect.

Login
Configuring the Login Authentication Method sets the authentication method for
user logins.
Default user of the system:
• Name: su
• Password: 1234
• Privileges: all


Lost Superuser Password


If your superuser password has been lost, contact RADcare Global Professional
Services.

Default Configuration
Table 4-1 describes the management parameters default state.

Table 4-1. Management Parameters Default State

Feature             Default state
Layer 3 interface   No default IP
SSH                 Enabled
Telnet              Not available
Console             Enabled
User                User name: su
                    Password: 1234
                    Privilege: all
DHCP Client         Disabled

4.2 Command Line Interface


The CLI (Command Line Interface) is used to configure SecFlow-1 from a console
attached to the serial port of the router or from a remote terminal using SSH.
The following table lists the CLI environments and modes.

Table 4-2. Command Line Interface

Command Mode:   Application Configuration Environment (ACE)
Access Method:  Following user log in, this mode is available to the user.
Prompt:         SecFlow-1#
Exit Method:    Exiting this mode means that you log out from the system. Use the
                command ‘exit’.

Command Mode:   Application Hierarchy Configuration
Access Method:  From the application root you may drill down to a specific feature
                sub tree. The example shown here is for the router configuration
                sub tree, entered using the command “router”.
Prompt:         [router/]
Exit Method:    To exit to the application root, type .. (two dots). The commands
                exit and end are not applicable in this subtree mode.


4.3 Access Control List (ACL)


Access control lists are used to flexibly filter and mark incoming and management
traffic.
The router examines each packet to determine whether to forward or drop it,
based on the criteria specified in the access lists. The criteria can be the source
address, the destination address, or the higher-layer protocol.
Access lists can be used to restrict the contents of routing updates or to control
traffic flow, but their most important capability is enhancing network security.
Access lists provide a basic level of security for a network segment by allowing
or restricting access for specific hosts.

Standards
Relevant sections of RFC 1812.

Benefits
Service providers use ACLs to maintain network security by preventing malicious
traffic from entering the device. ACLs can be used to save network resources by
dropping unwanted packets.
When management data is marked via ACLs, service providers can apply various
traffic management techniques to the marked packets, such as allocating more
bandwidth to a certain traffic type.

Functional Description
Devices featuring ACLs can flexibly filter management traffic, by denying or
permitting IP packets to enter the host, according to the packet’s
source/destination address, protocol type, or other criteria.
ACL entries are sequentially numbered rules containing statements (Deny, Permit,
or Remark) and conditions. Remarks are free-text ACL entries used for
commenting and visually organizing ACLs.
• Each ACL has a unique identifier, acl number <1001-65535>.
• ACL may include one or more rules.
• Each rule represents a specific condition. Whether a packet matches the
condition determines whether it is forwarded or rejected.
• Each rule is assigned to a single specific ACL.
• Each rule must have a unique priority number, specified in the range from 1
to 255. The lower priority number represents the higher priority.
• The ACL checks packets against the rules in order of priority until the first
matching rule is found. The packet is then forwarded or rejected according to
that rule.
• An ACL rule may optionally be set to perform a redirect operation, which
redirects packets that match the rule to the IPS SCADA firewall.


Note When creating a new ACL, the system by default adds a rule that permits all
traffic that is not covered by the user configured rules.

Access Groups
• To activate ACL incoming packets filtering, assign it to the interface using the
Port Access Group (ACG) configuration option.
• ACG assigns the specific ACL to the specific interface.
• There is no possibility to assign the same ACL to different ACGs.
• Each ACG has a priority number, specified in the range from 1 to 255.
The lower priority number represents the higher priority.
• In case of multiple ACGs, the incoming packet is processed according to ACG
priorities until the first relevant ACG is identified. Then the packet is
forwarded/rejected (or optionally redirected).

Note The incoming packets that do not match any of the ACG criteria, are forwarded
by default.

ACL Functioning
• The ACL rule that denies ICMP, does not block TCP or UDP traffic.
• The ACL rule that denies TCP, does not block ICMP or UDP traffic.
• The ACL rule that denies UDP, does not block ICMP or TCP traffic.
• Deleting an ACL automatically removes the corresponding interface ACGs (if
any).
• A new rule can be added to an ACL that is already assigned to a port with an
ACG, with immediate effect. There is no need to reassign the ACL to the ACG.
• To delete a single rule of an ACL, the entire ACL must be deleted.

Configuring ACL
The ACL configuration tasks are performed at the ip access-list level.

To configure ACL:
1. Create an access control list.
2. Add deny and permit rules to the ACL.
3. Bind the ACL to a router interface.
4. Configure additional ACL parameters according to Table 4-3, if necessary.

Table 4-3. ACL Commands

Task: Creating and deleting an ACL
Command:
  ip access-list extended create {acl-num <1001-65535>} [acl-name <>] [redirect <off| on>]
  ip access-list extended delete {acl-num <1001-65535>}
Comments:
  Creating an ACL is performed by assigning the main ACL identifier and an optional name.
  acl-num <1001-65535>: the ACL main identifier.
  acl-name: optional name to describe the ACL.
  redirect <off| on>: redirect traffic to the SCADA firewall.

Task: Adding permit rules to an ACL
Command:
  ip access-list extended permit tcp {acl-num <1001-65535>} [rule-name <>] [priority <1-256>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
  ip access-list extended permit udp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
  ip access-list extended permit icmp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>}
Comments: the parameters are the same as for deny rules (see below).

Task: Adding deny rules to an ACL
Command:
  ip access-list extended deny tcp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
  ip access-list extended deny udp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>} [src-port <1-65535>] [dst-port <1-65535>] [src-port-range <(1-65535):(1-65535)>] [dst-port-range <(1-65535):(1-65535)>]
  ip access-list extended deny icmp {acl-num <1001-65535>} [rule-name <>] [priority <1-128>] {src-ip [any| <a.b.c.d>]| <a.b.c.d/e>} {dst-ip [any| <a.b.c.d>]| <a.b.c.d/e>}
Comments (permit and deny rules):
  acl-num <1001-65535>: the ACL main identifier.
  rule-name: optional name to describe the rule.
  src-ip: any | <src-ip> | <src-ip/mask>. The source IP address can be 'any', the dotted decimal address, or the IP address of the host that the packet is from together with the network mask to use with the source IP address.
  dst-ip: any | host <dst-ip> | <dest-ip/mask>. The destination IP address can be 'any', the dotted decimal address, or the IP address of the host that the packet is destined for together with the network mask to use with the destination IP address.
  src-port: source port number.
  dst-port: destination port number.
  src-port-range: source port number range min:max.
  dst-port-range: destination port number range min:max.
  priority: this field determines the rules execution order. Higher value of filter priority implies it is executed first. This value ranges between 1 and 128.

Task: Binding the ACL to a router interface and defining the ACL direction
Command:
  ip access-group apply {acl-num <1001-65535>} direction in {interface [eth1| eth2| cellular]} {priority <1-128>}

Task: Removing ACL from an interface
Command:
  ip access-group remove {acl-num <1001-65535>} {interface [eth1| eth2| cellular]}
Comments (apply and remove):
  acl-num <1001-65535>: the ACL main identifier.
  direction: supported direction is 'in'.
  interface: choose the target interface.
  priority: this field determines the ACL execution order. Higher value of ACL priority implies it is executed first. This value ranges between 1 and 128.

Task: Viewing ACL assignment to the interface
Command:
  ip access-group show

Task: Flushing the ACL assignment from a specific interface or from all interfaces
Command:
  ip access-group flush interface [all| eth1| eth2| cellular]

ACL Configuration Examples


Figure 4-1 illustrates the SecFlow-1 ACL functionality.

Figure 4-1. SecFlow-1 ACL Functionality

PC 1 sends UDP packets to the eth1 interface. ACGs receive and verify the
incoming packets in the following sequence:
• The ACG with priority 10 verifies the packet against the ACL 1050 rules:
  - Rule 2 with priority 50 verifies the packet first. Since the rule addresses
TCP packets, it does not take effect.
  - The packet is then verified against Rule 1, which addresses ICMP and is
irrelevant to the UDP packet.
• The packet is verified against ACL 1010, Rule 2 (priority 30). Since the rule
addresses ICMP, it does not take effect.
• The packet is verified against the next rule, Rule 1 (priority 80). This rule
enables UDP packet forwarding, and the packet is permitted.

The examples below show different ACL configuration methods.


Example 1
SecFlow-1# ip access-list extended create acl-num 1010
SecFlow-1# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip any dst-ip any
SecFlow-1# ip access-group apply acl-num 1010 interface eth1 direction in priority 10

Example 2
SecFlow-1# ip access-list extended create acl-num 1010
SecFlow-1# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip 192.168.1.250 dst-ip 192.168.1.101
SecFlow-1# ip access-list extended deny icmp acl-num 1010 priority 20 src-ip 192.168.1.250 dst-ip 192.168.2.101
SecFlow-1# ip access-list extended permit tcp acl-num 1010 priority 40 src-ip any dst-ip 192.168.2.101
SecFlow-1# ip access-list extended deny tcp acl-num 1010 priority 30 src-ip any dst-ip 192.168.1.101
SecFlow-1# ip access-group apply acl-num 1010 interface eth1 direction in priority 1

Example 3
SecFlow-1# ip access-list extended create acl-num 1010
SecFlow-1# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip 192.168.1.250 dst-ip 192.168.1.101
SecFlow-1# ip access-list extended deny icmp acl-num 1010 priority 255 src-ip any dst-ip 192.168.1.101
SecFlow-1# ip access-list extended create acl-num 1020
SecFlow-1# ip access-list extended deny icmp acl-num 1020 priority 10 src-ip any dst-ip any
SecFlow-1# ip access-group apply acl-num 1010 interface eth1 direction in priority 10
SecFlow-1# ip access-group apply acl-num 1020 interface eth1 direction in priority 20
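The lookup that the Figure 4-1 walkthrough and the three examples describe, as an added Python model that is not part of this manual or of RAD's software. It reproduces the two-level evaluation (ACG order first, then rule order inside the selected ACL), the protocol-specific nature of rules (a deny for ICMP never touches TCP or UDP), the optional redirect to the SCADA firewall, and the default forwarding of packets that match nothing. Because the manual's wording on ordering is not uniform, the model makes these assumptions explicit: ACGs are tried in ascending order of their priority number (as stated under Access Groups); rules inside an ACL are tried in ascending order of their priority number, which is the order Example 3 and the walkthrough demonstrate and the opposite of the comment in Table 4-3; an ACL with no matching rule hands the packet to the next ACG, as the walkthrough shows for ACL 1050; and redirect applies to packets a rule permits. The Packet, Rule, Acl, AccessGroup and Decision names are the example's own.

```python
"""ACL/ACG lookup model for the SecFlow-1 examples above (added example, not RAD code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None     # not used for icmp
    dport: Optional[int] = None


def _addr_ok(spec: str, addr: str) -> bool:
    """src-ip/dst-ip: 'any', a host address, or an a.b.c.d/e prefix."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(exact: Optional[int], rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    """src-port/dst-port exact match and src-port-range/dst-port-range min:max (inclusive)."""
    if exact is None and rng is None:
        return True
    if port is None:
        return False
    return (exact is None or port == exact) and (rng is None or rng[0] <= port <= rng[1])


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # rules are protocol-specific (see "ACL Functioning")
    priority: int
    src_ip: str = "any"
    dst_ip: str = "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_port_range: Optional[Tuple[int, int]] = None
    dst_port_range: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False            # a deny for icmp never blocks tcp or udp
        if not (_addr_ok(self.src_ip, pkt.src) and _addr_ok(self.dst_ip, pkt.dst)):
            return False
        if self.proto == "icmp":
            return True
        return (_port_ok(self.src_port, self.src_port_range, pkt.sport)
                and _port_ok(self.dst_port, self.dst_port_range, pkt.dport))


@dataclass
class Acl:
    acl_num: int
    redirect: bool = False          # "redirect on": permitted packets go to the SCADA firewall
    rules: List[Rule] = field(default_factory=list)

    def add(self, action: str, proto: str, priority: int, **kw) -> "Acl":
        self.rules.append(Rule(action, proto, priority, **kw))
        return self


@dataclass
class AccessGroup:
    acl: Acl
    interface: str                  # eth1 | eth2 | cellular
    priority: int                   # lower number = higher priority (Access Groups section)


@dataclass(frozen=True)
class Decision:
    action: str                     # "permit", "deny" or "redirect"
    acl_num: Optional[int]          # None when no rule matched (default forwarding)
    rule_priority: Optional[int]


def evaluate(groups: List[AccessGroup], interface: str, pkt: Packet) -> Decision:
    """ACGs bound to the interface are tried by ascending ACG priority number; inside
    an ACL, rules by ascending rule priority number (assumption taken from Example 3
    and the Figure 4-1 walkthrough).  The first matching rule decides; an ACL with no
    matching rule passes the packet to the next ACG; a packet matching nothing is
    forwarded, which is the default the note under Access Groups states."""
    for acg in sorted((g for g in groups if g.interface == interface), key=lambda g: g.priority):
        for rule in sorted(acg.acl.rules, key=lambda r: r.priority):
            if rule.matches(pkt):
                action = "redirect" if (rule.action == "permit" and acg.acl.redirect) else rule.action
                return Decision(action, acg.acl.acl_num, rule.priority)
    return Decision("permit", None, None)


def example3_groups() -> List[AccessGroup]:
    """The two ACLs of Example 3 above, bound to eth1 with ACG priorities 10 and 20."""
    acl1010 = (Acl(1010)
               .add("permit", "icmp", 10, src_ip="192.168.1.250", dst_ip="192.168.1.101")
               .add("deny", "icmp", 255, dst_ip="192.168.1.101"))
    acl1020 = Acl(1020).add("deny", "icmp", 10)
    return [AccessGroup(acl1010, "eth1", 10), AccessGroup(acl1020, "eth1", 20)]


if __name__ == "__main__":
    for pkt in (Packet("icmp", "192.168.1.250", "192.168.1.101"),
                Packet("icmp", "192.168.1.7", "192.168.1.101"),
                Packet("icmp", "192.168.1.7", "192.168.1.200"),
                Packet("udp", "192.168.1.7", "192.168.1.101", 40000, 502)):
        print(pkt.proto, pkt.src, "->", pkt.dst, evaluate(example3_groups(), "eth1", pkt))
```

Running the block shows the effect of Example 3: ICMP from 192.168.1.250 to 192.168.1.101 is permitted by the priority-10 rule of ACL 1010, ICMP from any other host to 192.168.1.101 is denied by its priority-255 rule, ICMP to any other destination falls through ACL 1010 and is denied by ACL 1020, and UDP matches no rule and is forwarded by default. Building an Acl with redirect=True, as step 1 of the firewall procedure in Section 4.4 does with "redirect fw", turns a permit into a redirect decision.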


4.4 Application Aware Firewall

The integrated SCADA protocol firewall provides network-based distributed
security.
This firewall is application-aware: it examines the content of the selected SCADA
packets according to user-selected rules.
Using the firewall, the SecFlow-1 becomes a distributed Intrusion Prevention
System (IPS) that performs detailed service-aware data examination.
Supported protocols are: Modbus TCP, IEC 104, DNP3.
The service-aware firewall checks each packet in detail, including:
• Protocol validity – the packet structure and all its control fields comply with
the standard, and the session follows the expected logic (i.e. the session is
initiated by the master, a response matches its request, the session setup
sequence is correct, etc.).
• Application logic – communication between the source and destination devices
is permitted, is performed under control of the function code and the command
parameters, and complies with the operator-defined values.

Firewall Service Operation

Figure 4-2 illustrates the firewall service operation sequence:
• A designated VLAN is created, and the ports are tagged.
• ACLs are configured on the relevant access and network ports to redirect the
traffic to the service VLAN and the application firewall. The ACLs allow traffic
between the service members only. ACLs admit only the TCP/UDP traffic type
according to the service protocol determined by the user. Other ports are
blocked by default.
• The ACLs also verify the packet direction and block messages that violate the
session rules.
• A file with the list of allowed messages is defined by the user and downloaded
to SecFlow-1. This file contains the target device addressing parameters that
comply with the relevant SCADA protocol (for example, Common Address of ASDU in
IEC 104), so not only the packet's IP header is checked, but its payload as
well.
• A packet originated by and destined to a service member is directed to the
application processor for deep payload examination before it is released to
the network.


Figure 4-2. Firewall Service Process

Software License
The firewall service is available by ordering the enhanced security license
SF-ESEC-LIC.
The license can be added only to the devices with the S ordering option. For
more information, refer to SecFlow-1 Data Sheet.

Configuring Firewall Service


Firewall end-to-end service setup and provision can be performed with the iSIM
management system only.
The user must not interfere in the iSIM configuration process.

Table 4-4. Firewall Commands

Task: Displaying the content of the firewall.rules file
Command: firewall profile show

Task: Importing the firewall profile
Command: firewall profile import tftp {[filename <>] | [remote-host <ip>]}

Task: Displaying the firewall log
Command: firewall profile log show [lines-to-show(1000,<>)]

Task: Clearing the firewall log
Command: firewall profile log clear

Task: Displaying the status of the firewall
Command: firewall tcp show

Task: Showing/clearing the firewall statistics
Command: firewall tcp counters {show| clear}

Task: Activating the firewall
Command: firewall tcp activate mode {disabled | enabled | simulate}
Comments:
  disabled: firewall is disabled. Packets are not inspected.
  enabled: packets are inspected and blocked in case of violation. Violations are logged.
  simulate: packets are inspected but are not blocked in case of violations. Violations are logged.

Figure 4-3 shows the iSIM firewall configuration screen.

Figure 4-3. Firewall Service Example

To configure firewall service:

1. Set the ACL on the 104 Server ETH1 port to send traffic to the firewall.
ip access-list extended
create acl-num 1101 acl-name fw1 redirect fw
permit tcp acl-num 1101 rule-name fw1 priority 12 src-ip 172.18.212.240/32 dst-ip 172.18.212.241/32
..
..
..
ip access-group apply acl-num 1101 interface eth1 direction in priority 10

2. Set the ACL on the 104 Client ETH1 port to send traffic to the firewall.
ip access-list extended
create acl-num 1102 acl-name fw2 redirect fw
permit tcp acl-num 1102 rule-name fw1 priority 12 src-ip 172.18.212.241/32 dst-ip 172.18.212.240/32
..
..
..
ip access-group apply acl-num 1102 interface eth2 direction in priority 10

3. Create the firewall.rules file.
Done only in iSIM, not available in CLI.
4. Activate the firewall.rules file.
firewall profile import filename firewall.rules
firewall tcp activate mode enabled
commit

4.5 Authentication via TACACS+ Server

TACACS+ (Terminal Access Controller Access Control System), widely used in
network environments, is a client/server protocol that enables remote access
servers to communicate with a central server to authenticate dial-in users and
authorize their access to the requested system or service.

Standards
TACACS+ Protocol Version 1.78 (IETF draft-grant-tacacs-02)

Benefits
Using TACACS+ allows you to:
• Facilitate centralized user administration
• Use TCP for transport to ensure reliable delivery
• Support inbound authentication, outbound authentication, and change
password requests for the Authentication service
• Provide some level of protection against an active attacker

Factory Defaults

Parameter Default Value

TCP Port 49

Retries 1

TACACS Server Timeout 5 msec

Login Authentication Local

Operation State Disabled

Functional Description
TACACS+ is a security application that provides centralized validation of users
attempting to gain access to a router or network access server. TACACS+ allows a
client to accept a username and password and send a query to a TACACS+
authentication server, sometimes called the TACACS+ daemon or simply TACACS+D.
The TACACS+ server is generally a program running on a host. The host
determines whether to accept or deny the request and sends a response back. A
network access server (NAS) operates as a TACACS+ client.
TACACS+ services (the user and group profiles with the authentication and the
authorization information) are maintained in a central security database on a
TACACS+ daemon, typically running on a UNIX or Windows NT workstation.
TACACS+ is commonly used for embedded network devices such as routers,
modem servers, and switches.

Note SecFlow-1 supports up to five authorized users.

The list of CLI commands for the configuration of TACACS is as follows:
• tacacs-server add host
• tacacs-server default host
• tacacs-server remove host
• tacacs-server show

Table 4-5. TACACS Server Parameters

Task: Selecting the authentication type
Command: login authentication {local | tacacs-only | tacacs-local}
Comments:
  local: TACACS is not used; authentication is based on the local database only.
  tacacs-only: The TACACS server is used for authentication. If the server is unreachable, fallback to the local database is not supported.
  tacacs-local: The TACACS server is used as the default for authentication. If the server is unreachable, fallback to the local database is supported.

Task: Viewing login authentication settings
Command: login authentication show

Task: Configuring the TACACS server
Command: tacacs-server add {host <a.b.c.d.>} {retries (1,<1-10>} [timeout <5,(1-255)>] {port <49,(1-65535)>}
Comments:
  host <ipv4-address>: Configures the IPv4 address of the server (host).
  port <tcp port (1-65535)>: Configures the TCP port number on which the multiple sessions are established. The value ranges between 1 and 65535; the default is 49.
  retries <(1-10)>: The number of retries to connect to the host; the default is 1.
  key <secret key>: Specifies the authentication and encryption key for all TACACS communications between the authenticator and the TACACS server. The value is a string of the maximum length of 64.
    Length: 1-64 characters
    May include lower case letters, upper case letters, and special symbols
    Must include numbers
    Symbols allowed: @#$%^&*()-+./<\`

Task: Removing the TACACS server
Command: tacacs-server remove {host <a.b.c.d.>}
Comments:
  host <ipv4-address>: the IPv4 address of the server to remove.

Task: Setting the default server
Command: tacacs-server default host {host <a.b.c.d.>}
Comments: The default server must be preconfigured.

Configuring TACACS Authentication

1. Set the authentication mode to TACACS.
SecFlow-1# login authentication tacacs-local
2. Configure the server list.
SecFlow-1# tacacs-server add host 192.168.1.250 key Ab11#59 retries 5 timeout 50 port 49
SecFlow-1# tacacs-server add host 172.18.212.230 key Ab11#RF
3. Configure a default server.
SecFlow-1# tacacs-server default host 192.168.1.250
SecFlow-1# commit

SecFlow-1# tacacs-server show
+----------------+------+---------+---------+---------+
| server         | port | retries | timeout | default |
+================+======+=========+=========+=========+
| 172.18.212.230 | 49   | 1       | 5       |         |
+----------------+------+---------+---------+---------+
| 192.168.1.250  | 49   | 5       | 50      | *       |
+----------------+------+---------+---------+---------+
SecFlow-1# login authentication show
login authentication tacacs-local
SecFlow-1#


Chapter 5
Services
This chapter presents information on services supported by SecFlow-1.

5.1 Dynamic Multipoint VPN

Figure 5-1 illustrates a typical Ethernet service created between SecFlow-1
(Spoke) and SecFlow-2 (Hub). Table 5-1 details the configuration steps required for
service provisioning in SecFlow-1.

Figure 5-1. DMVPN Path
[Flowchart with two columns of steps. HUB (SecFlow-2): Define Application
Parameters; Define VLAN membership; Create router interface for access IP and
network IP; Define DMVPN local tunnel end-point; Define HUB remote interface;
Define IPSec. SPOKE (SecFlow-1): Define Application Parameters; Create router
interface for access IP and network IP; Define DMVPN local tunnel end-point;
Define SPOKE remote interface; Define IPSec.]

Table 5-1. DMVPN over Ethernet Service Provisioning

Sequence: Define device parameters

Step: Assign IP interface for user traffic
Command: router interface create address-prefix <aa.bb.cc.dd/xx> vlan <Vlan ID> purpose general
Comments: The router interface is the source IP of the UDP packets.

Step: Assign IP interface towards the WAN router
Command: router interface create address-prefix <aa.bb.cc.dd/xx> vlan <Vlan ID> physical-interface eth2
Comments: The router interface can be associated with a previously created VLAN.

Step: Create DMVPN local
Command: vpn gre tunnel create address-prefix <aa.bb.cc.dd/xx> lower-layer-dev eth2.<Vlan ID> name <mgre-name> key <key> holding time 120
Comments: Assign:
  • Tunnel source IP
  • Network router interface
  • Tunnel name
  • Tunnel key
  • Holding time

Step: Create DMVPN remote
Command: vpn gre nhrp map create multipoint-gre-name <mgre-name> protocol-address-prefix <aa.bb.cc.dd/xx> nbma-address <aa.bb.cc.dd>
Comments: Assign:
  • Tunnel IP
  • Tunnel name
  • NBMA address

Step: IPsec Configuration
Command:
  ipsec isakmp update my-id HUB.rad.com
  ipsec preshared create id HUB.rad.com key secretkey
  ipsec preshared create id RTU1.rad.com key secretkey
  ipsec isakmp update id-type fqdn
  ipsec policy create protocol gre
  ipsec enable

5.2 Transparent Serial Tunneling

This section describes how to provision serial tunneling services.
Figure 5-2 illustrates a typical service created between two SecFlow-1 devices.
Table 5-2 details the configuration steps needed for service provisioning.

Figure 5-2. Point-to-Point Serial Tunnel
[Flowchart with the same sequence of steps on SecFlow-1A and SecFlow-1B: Define
Application Parameters; Create router interface or cellular link; Define physical
interface; Create serial ports; Configure serial ports; Define serial local
endpoint; Define serial remote endpoint.]

Table 5-2. Serial Tunneling Service Provisioning

Sequence: Define device parameters

Step: Configure router interface
Command: router interface create address-prefix vlan_id
Comments:
  • The router interface is the source IP of the UDP packets.
  • The router interface can be associated with a previously created VLAN.

Step: Create serial ports
Command: serial port create slot id port id

Step: Configure serial port parameters
Command:
  baudrate • 9600
  parity • no | even | odd
  stopbits • 1 | 2
  mode-of-operation • Mode of operation: "Transparent" for transparent serial tunneling.

Sequence: Define application parameters

Step: Create serial local end point
Command: serial local-end-point create slot id port id

Step: Define serial local end point parameters
Command:
  service-id #
  application serial-tunnel
  position (master/slave)
Comments:
  • Service ID: For the local and remote end point the service ID must be identical.
  • Position: For local and remote end point one must be "master" and one must be "slave".

Step: Create serial remote end point
Command: serial remote-end-point create remote-address address
Comments: Remote address: IP of the remote endpoint.

Step: Define serial remote end point parameters
Command:
  service-id
  position (master/slave)
Comments:
  • Service ID: For the local and remote end point the service ID must be identical.
  • Position: For local and remote end point one must be "master" and one must be "slave".

Transparent Tunneling Operation Concept

In the transparent tunneling mode, SecFlow-1 encapsulates serial frames into
UDP/TCP packets. The UDP/TCP packet is transmitted by the local IP interface.
The topologies supported are P2P, P2MP and MP2MP over a single unit or an IP network.
To use transparent serial tunneling, SecFlow routers must be installed on both
ends of the network connecting the serial devices.
Transparent tunneling encapsulates the standard serial frames, structured with
start, stop, data, and parity bits.
One of the transparent serial tunneling benefits is its simplicity.
Serial traffic received from the user's serial device is encapsulated into UDP or
TCP Ethernet packets by the router. The ACE IP interface routes the packets over
the Ethernet network. The Ethernet cloud may be Layer-2 based or Layer-3
routing based, and may include any type of network, for example cellular
connectivity, VPN between the routers, etc.
The serial devices must all be connected to SecFlow routers.
The SecFlow-1 serial port supports a full set of serial parameters.
Each serial port is assigned a service-id. The service-id groups the serial
devices into a logical network segment where all members can communicate with
each other.
Each service-id group must include at least one device set as a master, and at
least one device set as a slave.
The following communication rules must be adhered to by all members of the
service-id group:
• Traffic sent from the master is received by all slaves
• Traffic sent from the slave is received by all masters
• Traffic between masters is blocked
• Traffic between slaves is blocked

Network Topologies
Transparent serial tunneling can be used in the following topologies:
• Point-to-point
• Point-to-multipoint
• Multipoint-to-multipoint

Point-to-Point Application
Figure 5-3 illustrates point-to-point service with the master and slave units
connected locally to the same router.

Figure 5-3. Point-to-Point Local Service

Figure 5-4 illustrates point-to-point service with the master and slave units
connected to the separate routers.

Figure 5-4. Point-to-Point Remote Service

Point-to-Multipoint Application
Figure 5-5 illustrates point-to-multipoint service with the master and slave units
connected locally to the same router.

Figure 5-5. Point-to-Multipoint Local Service


The figure below illustrates point-to-multipoint service with the service-id group
members distributed on the network.

Figure 5-6. Point-to-Multipoint Remote Service

Multipoint-to-Multipoint Application
Figure 5-7 illustrates a typical multipoint-to-multipoint service.

Figure 5-7. Multipoint-to-Multipoint Mixed Service


Operation Modes

Port Mode of Operation

The port mode-of-operation parameter is a part of the serial port configuration. It
defines the serial data collection method.

Transparent Tunneling Mode

In transparent tunneling, the serial data is transmitted with a distinct start bit,
stop bit, and a known number of data bits.
In this mode, the serial processor collects received data until one of the following
conditions is fulfilled:
• The bus idle time has expired
• The allowed latency has expired
Then the collected serial data is encapsulated into a UDP/TCP packet and
transmitted.

Service Buffer Mode

The service buffer-mode is configured at the local-end-point level and defines the
service-id buffer operation mode.
The default configuration is byte mode.
If the user configures the service connection-mode to tcp, the buffer mode is
automatically set to frame.
If the user configures the buffer mode to either byte or frame, the configuration
takes effect for any connection-mode setting (tcp/udp).

Byte Mode
The byte structure includes start-bit, data-bits, parity-bit, stop-bits. The
number of data bits may be from 5 to 8.
In byte mode, the serial processor collects received bytes and encapsulates the
data in a UDP/TCP Ethernet frame.
The number of bytes collected into a single Ethernet packet is determined by the
following parameters:
• Bus idle time
• Allowed latency

Frame Mode
A frame is a group of bytes sent by the customer equipment (CE) as a complete
message.
In frame mode, the serial processor uses the bus-idle-time parameter to
distinguish between frames. Each frame is encapsulated in a separate UDP/TCP
packet.

Service Connection Mode


The service connection-mode is configured in the remote-end-point configuration
level and defines the protocol to be used for the service-id.

UDP
Serial data is encapsulated in UDP/IP frames.
With the UDP connection mode, the service buffer-mode defaults to byte mode,
unless the buffer-mode is explicitly set to frame.

TCP
Serial data is encapsulated in TCP/IP frames.
This mode ensures higher end-to-end connection availability and traffic
validation.
With the TCP connection mode, the service buffer-mode defaults to frame mode,
unless the buffer-mode is explicitly set to byte.

Service Port Number


The TCP/UDP port number used by a serial tunneling connection is defined by the
values of service-id and the low-border-ip-port set in the serial settings.

Serial Traffic Direction


Serial traffic transmit direction represents the serial processor traffic towards the
CE via the serial port.
Serial traffic receive direction represents the traffic received by the serial
processor from the CE via the serial port.


Figure 5-8. Transparent Serial Tunneling over Ethernet

Serial Ports Counters


The Tx and Rx serial ports counters are controlled by the serial-processor.

Rx counters
• Switch 1 – the counter increases when CE1 transmits data. Data is received
by the serial processor via the S1 interface and updates the counters
• Switch 2 – counters are not updated

Tx counters
• Switch 1 – counters are not updated
• Switch 2 – CE1 Data is received via the Ethernet network to Router 2 and to
the serial processor. The serial processor transmits the data to CE2 over the
S1 interface and increases the Tx counters

Allowed Latency
Allowed latency is the maximum period of time during which the serial processor
accumulates data transmitted from CE1 before closing an Ethernet packet and
sending it over the network.
This parameter is measured in milliseconds and refers to a round-trip delay.
It reflects only the serial processor data collection time and does not consider
the network latency.
Allowed latency is applicable to byte mode only.
• Switch 1 – since CE1 transmits data to the serial processor over the S1
interface, allowed latency is applicable. If it is configured to a value X, the
serial processor collects serial data during X/2 milliseconds and then sends
the collected data enclosed in an Ethernet packet.
• Switch 2 – since CE2 receives data, the allowed latency is not applicable.

Tx Delay
Tx delay is set in bits. It determines the serial processor delay before serial data
is transmitted to the port.
The Tx delay time is calculated on the basis of the number of bits and the baud
rate selected.
• Switch 1 – since the serial processor only receives serial data, the Tx delay is
not applicable.
• Switch 2 – the Ethernet-encapsulated serial data is received by the Router 2
serial processor and, when the Tx delay time has expired, is transmitted to CE2
via the S1 interface.

Bus Idle Time

Bus idle time determines the serial line silence period denoting the end of a frame.
This parameter is configured as a number of bits. The bus idle time is calculated
on the basis of the number of bits and the baud rate selected.

Byte Mode
In byte mode, the end of a byte is denoted by the stop bits. Bus idle time is not
applicable in this mode.

Frame Mode
• The Switch 1 serial processor accumulates serial data transmitted from CE1
until it detects silence for a period equal to or above the bus idle time.
• The Switch 2 serial processor transmits serial frames to CE2, keeping an
inter-frame interval equal to the bus idle time.
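An added Python model of the packet-closing rules described in the Byte Mode, Allowed Latency and Bus Idle Time sections above; it is not code from this manual or from RAD, and the SerialSettings, byte_mode_packets and frame_mode_packets names and the sample byte timings are the example's own. It assumes that one bit lasts 1000/baudrate milliseconds when the bit-count parameters (bus idle time, Tx delay) are converted to time, that in byte mode a packet is closed X/2 ms after its first byte arrives (as the Allowed Latency section states for Switch 1) regardless of gaps on the bus, and that in frame mode a gap of at least the bus idle time ends the frame.

```python
"""Serial-to-Ethernet packetisation timing model (added example; assumed behaviour, not RAD code)."""
from dataclasses import dataclass
from typing import List, Tuple

Event = Tuple[float, int]           # (arrival time at the serial processor in ms, byte value)


def bits_to_ms(bits: int, baudrate: int) -> float:
    """Bus idle time and Tx delay are configured in bits; at `baudrate` one bit
    occupies 1000/baudrate ms (assumption: one bit per baud interval)."""
    return bits * 1000.0 / baudrate


@dataclass
class SerialSettings:
    baudrate: int = 9600
    allowed_latency_ms: float = 100.0   # byte mode: round-trip value X, X/2 per packet
    bus_idle_bits: int = 30             # frame mode: silence that ends a frame
    tx_delay_bits: int = 0              # far side waits this long before playing out

    @property
    def collect_window_ms(self) -> float:
        return self.allowed_latency_ms / 2.0

    @property
    def bus_idle_ms(self) -> float:
        return bits_to_ms(self.bus_idle_bits, self.baudrate)

    @property
    def tx_delay_ms(self) -> float:
        return bits_to_ms(self.tx_delay_bits, self.baudrate)


def byte_mode_packets(events: List[Event], s: SerialSettings) -> List[bytes]:
    """Byte mode: bytes are accumulated from the first byte of a packet for X/2 ms
    (half the allowed latency), then the packet is closed and sent.  Silence on the
    bus does not close a packet in this mode (bus idle time is not applicable)."""
    window = s.collect_window_ms
    packets: List[bytes] = []
    cur = bytearray()
    opened_at = 0.0
    for t, b in sorted(events):
        if cur and t - opened_at >= window:   # window elapsed: that packet already left
            packets.append(bytes(cur))
            cur = bytearray()
        if not cur:
            opened_at = t
        cur.append(b)
    if cur:
        packets.append(bytes(cur))
    return packets


def frame_mode_packets(events: List[Event], s: SerialSettings) -> List[bytes]:
    """Frame mode: a bus gap of at least the bus idle time marks the end of a frame;
    every frame travels in its own UDP/TCP packet."""
    idle = s.bus_idle_ms
    packets: List[bytes] = []
    cur = bytearray()
    last_t = 0.0
    for t, b in sorted(events):
        if cur and t - last_t >= idle:
            packets.append(bytes(cur))
            cur = bytearray()
        cur.append(b)
        last_t = t
    if cur:
        packets.append(bytes(cur))
    return packets


# Constructed sample: two bursts from CE1 at 9600 baud (about 1.04 ms per 8N1 byte),
# separated by roughly 18 ms of silence.  Timings and values are illustrative only.
SAMPLE_EVENTS: List[Event] = [
    (0.00, 0x01), (1.04, 0x03), (2.08, 0x00),
    (20.00, 0x02), (21.04, 0x10),
]

if __name__ == "__main__":
    s = SerialSettings(allowed_latency_ms=10, bus_idle_bits=30)
    print("bus idle time:", s.bus_idle_ms, "ms")
    print("byte mode :", byte_mode_packets(SAMPLE_EVENTS, s))
    print("frame mode:", frame_mode_packets(SAMPLE_EVENTS, s))
```

With a 30-bit bus idle time at 9600 baud (3.125 ms) the 18 ms gap splits the sample into two frames; raising the bus idle time to 200 bits (about 20.8 ms) merges both bursts into one frame, which is the effect to watch for when a protocol's inter-character gaps are close to the configured silence. In byte mode an allowed latency of 10 ms (5 ms collection window) also yields two packets, while 60 ms yields one, so the two parameters trade per-packet latency against packet count in the same way the text describes.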

Configuring Transparent Serial Tunneling


Transparent serial tunneling in the point-to-point topology can be established
between:
• two SecFlow-1 routers
• a SecFlow-1 router and SecFlow-2 switch

Transparent Serial Tunneling between Two SecFlow-1 Routers

The diagram below illustrates the configuration.

Figure 5-9. Transparent Serial Tunneling in Point-to-Point Application
[Diagram: Router A (SecFlow-1, Master, 172.18.212.231) and Router B (SecFlow-1,
Slave, 172.18.212.230), each with an RS-232 serial port S1 and an ETH2 port on
VLAN 100, connected through an IP cloud. Each router has a serial port, a local
end point with the service-id, and a remote-address pointing at the other router.]

Configuring Router A (Master)

Configure the serial gateway (all the values are for example only).
router interface create address-prefix 172.18.212.231/24 vlan 100 purpose application-host physical-interface eth2
serial port create slot 1 port 1 baudrate 9600 parity even mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application serial-tunnel position master
serial remote-end-point create remote-address 172.18.212.230 service-id 1 position slave
commit
exit
commit

Configuring Router B (Slave)

1. Configure the serial gateway.
router interface create address-prefix 172.18.212.230/24 vlan 100 purpose application-host physical-interface eth2
serial port create slot 1 port 1 baudrate 9600 parity even mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application serial-tunnel position slave
serial remote-end-point create remote-address 172.18.212.231 service-id 1 position master
commit
exit
commit

2. Configure the router interface.

router interface show
+------+----------+-------------------+------------------+-------------+
| VLAN | Name     | IP/Subnet         | Purpose          | Description |
+======+==========+===================+==================+=============+
| 100  | eth2.100 | 172.18.212.230/24 | application host |             |
+------+----------+-------------------+------------------+-------------+
serial port show
+-----+------+------+-------+-------------+------+------+--------+
| idx | slot | port | bus   | mode        | baud | data | parity |
|     |      |      |       |             | rate | bits |        |
+=====+======+======+=======+=============+======+======+========+
| 1   | 1    | 1    | RS232 | Transparent | 9600 | 8    | None   |
+-----+------+------+-------+-------------+------+------+--------+
serial local-end-point show
+-------+---------+------+------+---------------+----------+----------+----------+
| index | service | slot | port | application   | position | firewall | firewall |
|       | id      |      |      |               |          | mode     | protocol |
+=======+=========+======+======+===============+==========+==========+==========+
| 1     | 1       | 1    | 1    | serial-tunnel | Master   | disable  | any      |
+-------+---------+------+------+---------------+----------+----------+----------+
serial remote-end-point show
+-------+---------+----------------+----------+------------+--------+
| index | service | ip             | position | connection | buffer |
|       | id      | address        |          | mode       | mode   |
+=======+=========+================+==========+============+========+
| 1     | 1       | 172.18.212.231 | Master   | UDP        | Bytes  |
+-------+---------+----------------+----------+------------+--------+

Transparent Serial Tunneling between SecFlow-1 and SecFlow-2


The network in the figure below demonstrates a P2P topology of transparent
serial tunneling between SecFlow-1 and SecFlow-2.

[Figure: SecFlow-1 (Slave), serial port S1 (RS-232), ETH2.100 192.168.1.102, connected over VLAN 100 through the network cloud to SecFlow-2 (Master), port 0/1, GCE 192.168.1.101 [100], ACE 192.168.1.201 [100], serial port S1 (RS-232)]

Figure 5-10. Transparent Serial Tunneling between SecFlow-1 and SecFlow-2

Configuring SecFlow-1 (Slave)


1. Configure the IP interface.
router interface create address-prefix 192.168.1.102/24 vlan 100 purpose application-host physical-interface eth2
2. Configure the serial port and the local end point.
serial port create slot 1 port 1 baudrate 9600 parity no mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application serial-tunnel position slave
3. Configure the remote end point of the service.
serial remote-end-point create remote-address 192.168.1.201 service-id 1 position master
commit

Configuring SecFlow-2 (Master)


1. Configure the network VLAN and management IP interface.
Config
vlan 100
ports gigabitethernet 0/1
ports add gigabitethernet 0/3
exit
interface vlan 100
ip address 192.168.1.101 255.255.255.0
no shutdown
end
write startup-cfg
2. Configure the ACE IP interface.
serial port create slot 1 port 1 baudrate 9600 parity no mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application serial-tunnel position master
3. Configure the remote end point of the service.
serial remote-end-point create remote-address 192.168.1.102 service-id 1 position slave
exit
write startup-cfg
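A point-to-point tunnel only works when the two ends agree on three things: the same service-id, a remote-address that points at the peer's tunnel IP, and complementary positions (one master, one slave). The checker below is an added example, not code from the manual or from RAD; it models the SecFlow-1 / SecFlow-2 pair of Figure 5-10 and renders the SecFlow-1 CLI lines in the syntax used above. The /24 prefix, VLAN 100 and eth2 are taken from the procedure and are the assumed defaults of the renderer; the ACE address 192.168.1.201 is used as SecFlow-2's tunnel IP, as in the remote-end-point command above.

```python
"""Consistency check for a point-to-point transparent serial tunnel such as
the SecFlow-1 / SecFlow-2 pair above. Added example, not RAD code. Pairing
rules assumed from the procedures: shared service-id, each remote-address
equals the peer's tunnel IP, and one master facing one slave."""
from dataclasses import dataclass
from typing import List


@dataclass
class TunnelEnd:
    name: str
    tunnel_ip: str          # IP the peer sends to (for SecFlow-2 this is the ACE address)
    local_position: str     # position of the local end point: "master" or "slave"
    remote_address: str     # remote-end-point remote-address
    remote_position: str    # remote-end-point position, i.e. the peer's role
    service_id: int
    baudrate: int = 9600
    parity: str = "no"


def check_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Return the list of mismatches between the two ends (empty = consistent)."""
    issues: List[str] = []
    for end in (a, b):
        if end.local_position not in ("master", "slave"):
            issues.append(f"{end.name}: position must be master or slave")
        if not 1 <= end.service_id <= 100:
            issues.append(f"{end.name}: service-id {end.service_id} outside 1-100")
    if a.service_id != b.service_id:
        issues.append(f"service-id differs: {a.name}={a.service_id}, {b.name}={b.service_id}")
    # Each remote-end-point must describe the peer: its IP and its role.
    for end, peer in ((a, b), (b, a)):
        if end.remote_address != peer.tunnel_ip:
            issues.append(f"{end.name}: remote-address {end.remote_address} "
                          f"is not {peer.name}'s {peer.tunnel_ip}")
        if end.remote_position != peer.local_position:
            issues.append(f"{end.name}: remote position {end.remote_position} "
                          f"does not match {peer.name}'s local position {peer.local_position}")
    # Exactly one master and one slave.
    if a.local_position == b.local_position:
        issues.append(f"both ends are {a.local_position}; one must be master and one slave")
    return issues


def secflow1_commands(end: TunnelEnd, prefix_len: int = 24, vlan: int = 100,
                      physical_interface: str = "eth2") -> List[str]:
    """Render the SecFlow-1 CLI lines for one end in the syntax used above.
    The /24 prefix, VLAN 100 and eth2 defaults mirror the example topology."""
    return [
        f"router interface create address-prefix {end.tunnel_ip}/{prefix_len} vlan {vlan} "
        f"purpose application-host physical-interface {physical_interface}",
        f"serial port create slot 1 port 1 baudrate {end.baudrate} parity {end.parity} "
        "mode-of-operation transparent",
        f"serial local-end-point create slot 1 port 1 service-id {end.service_id} "
        f"application serial-tunnel position {end.local_position}",
        f"serial remote-end-point create remote-address {end.remote_address} "
        f"service-id {end.service_id} position {end.remote_position}",
        "commit",
    ]


# Constructed from Figure 5-10: SecFlow-1 is the slave, SecFlow-2 (ACE 192.168.1.201) the master.
SECFLOW1 = TunnelEnd("SecFlow-1", "192.168.1.102", "slave", "192.168.1.201", "master", 1)
SECFLOW2 = TunnelEnd("SecFlow-2", "192.168.1.201", "master", "192.168.1.102", "slave", 1)

if __name__ == "__main__":
    print(check_pair(SECFLOW1, SECFLOW2) or "pair is consistent")
    print("\n".join(secflow1_commands(SECFLOW1)))
```

Run it before pasting a configuration into two units: a swapped position on one side is reported twice (once as a role mismatch, once because both ends now claim the same role), which is the typical copy-and-paste mistake on the second box.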



Chapter 6
Ports

6.1 Ethernet and Serial Ports


Depending on the hardware option, SecFlow-1 holds the following Ethernet and
serial ports:
• Two serial RS-232 ports, RJ-45 connector
• One Ethernet 10/100 FE port, RJ-45 connector
• One Ethernet 100/1000 GbE SFP-based port
In addition, SecFlow-1 supports the cellular interface with the dual-SIM
GPRS/UMTS modem.

6.2 IP Interfaces
SecFlow-1 supports multiple Layer 3 interfaces to be set for the purposes of:
• Routing
• Management
• Serial services

IP Interfaces
The following services require assignment of an IP interface.
• DHCP client
• Management
• Ping
• Trace route
• OSPF
• RIPv2
• TFTP client
• Serial tunneling
• Terminal server
• Protocol gateway
• L3 DMVPN

• IPSec

Interface Assignment Rules


• An IP interface may optionally be configured with a VLAN tag, used for VLAN
tagging of egress packets.
• The interface VLAN tag must be unique.
• If a VLAN tag is not configured, the egress packets do not carry a VLAN tag.
• An interface ID is automatically assigned to each IP interface.
• Each interface must be associated with a purpose:
  - One (and only one) of the interfaces must be set to the purpose
    application-host.
  - All other interfaces must be set to the purpose general.
  - If the user has not configured a purpose, the interface receives the
    general status by default.
• Each interface must be in a unique subnet.
• Each interface must be associated with one of the physical ports (eth1 or
eth2). The interface cannot be associated with both.
• A physical port (eth1, eth2) may be associated with more than one IP interface.
Tagged packets arriving at the port are routed to the IP interface of the matching
VLAN. Untagged packets arriving at the port are routed to the IP interface that
belongs to the same subnet as the packet's origin (if such an interface exists in
this SecFlow-1).
• IP interfaces associated with a VLAN are given an automatic name indicating
the VLAN tag they are created with. The name format is: eth<1|2>.<vlan id>
• IP interfaces not associated with a VLAN are given an automatic name
indicating the ID they are created with. The name format is: eth<1|2>:<id>
Below is an example of interfaces configured with either a VLAN tag or an ID tag.
SecFlow-1# router interface show
+----+------+---------+-------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name    | IP/Subnet         | Mtu  | Purpose          | Admin status | Description |
+====+======+=========+===================+======+==================+==============+=============+
| 1  | N/A  | eth1:1  | 172.17.203.100/24 | 1500 | application host | enable       |             |
+----+------+---------+-------------------+------+------------------+--------------+-------------+
| 2  | 20   | eth2.20 | 172.18.212.200/24 | 1500 | general          | enable       |             |
+----+------+---------+-------------------+------+------------------+--------------+-------------+
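The assignment rules above are easy to violate when several interfaces are created in one commit. The checker below is an added example (not code from the manual or from RAD) that applies the listed rules offline to a set of planned interfaces: unique VLAN tag, unique subnet, eth1 or eth2 only, exactly one application-host, and the automatic eth<1|2>.<vlan> / eth<1|2>:<id> naming. The sample interfaces are constructed from the show output above; the interface ID is assumed to be the 1-based creation order, mirroring the Id column.

```python
"""Offline checker for the SecFlow-1 IP interface assignment rules listed
above. Added example, not RAD code; the rule set is taken from the text,
the interface samples are constructed from the show output above."""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional


@dataclass
class IpInterface:
    address_prefix: str            # "aa.bb.cc.dd/xx", as in the create command
    physical_interface: str        # "eth1" or "eth2"; never both
    vlan: Optional[int] = None     # egress VLAN tag, None = untagged
    purpose: str = "general"       # an unconfigured purpose defaults to general


def interface_name(iface: IpInterface, iface_id: int) -> str:
    """Automatic name: eth<1|2>.<vlan id> when tagged, eth<1|2>:<id> otherwise."""
    if iface.vlan is not None:
        return f"{iface.physical_interface}.{iface.vlan}"
    return f"{iface.physical_interface}:{iface_id}"


def validate_interfaces(ifaces: List[IpInterface]) -> List[str]:
    """Return the rule violations found (empty list = configuration is valid).
    The interface ID is assumed to be the 1-based position in the list,
    mirroring the automatically assigned Id column of 'router interface show'."""
    problems: List[str] = []
    vlan_owner: Dict[int, str] = {}
    subnet_owner: Dict[str, str] = {}
    application_hosts = 0

    for iface_id, iface in enumerate(ifaces, start=1):
        name = interface_name(iface, iface_id)

        # Each interface is bound to exactly one physical port, eth1 or eth2.
        if iface.physical_interface not in ("eth1", "eth2"):
            problems.append(f"{name}: physical-interface must be eth1 or eth2")

        # Purpose is application-host or general; exactly one host is allowed.
        if iface.purpose == "application-host":
            application_hosts += 1
        elif iface.purpose != "general":
            problems.append(f"{name}: purpose must be application-host or general")

        # The VLAN tag, when configured, must be unique.
        if iface.vlan is not None:
            if iface.vlan in vlan_owner:
                problems.append(f"{name}: VLAN {iface.vlan} already used by {vlan_owner[iface.vlan]}")
            else:
                vlan_owner[iface.vlan] = name

        # Each interface must sit in its own subnet.
        try:
            subnet = str(ip_interface(iface.address_prefix).network)
        except ValueError:
            problems.append(f"{name}: bad address-prefix {iface.address_prefix!r}")
            continue
        if subnet in subnet_owner:
            problems.append(f"{name}: subnet {subnet} already used by {subnet_owner[subnet]}")
        else:
            subnet_owner[subnet] = name

    if application_hosts != 1:
        problems.append(f"exactly one application-host interface is required, found {application_hosts}")
    return problems


# Constructed from the 'router interface show' example above: a valid set.
VALID = [
    IpInterface("172.17.203.100/24", "eth1", purpose="application-host"),
    IpInterface("172.18.212.200/24", "eth2", vlan=20),
]

# Constructed counter-example: a second application-host on a duplicate subnet.
INVALID = VALID + [IpInterface("172.18.212.201/24", "eth2", vlan=30, purpose="application-host")]

if __name__ == "__main__":
    for label, cfg in (("valid", VALID), ("invalid", INVALID)):
        print(label, validate_interfaces(cfg) or "OK")
```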

IP Interface VLAN ID
When an IP interface is assigned a VLAN ID, it supports VLAN tagging. Such an
interface accepts only packets tagged with the corresponding VLAN tag.
Packets transmitted by such an interface do not have a VLAN tag.

Note Use IP interface VLAN assignment when the network supports VLAN tagging and
service segregation is required.


IP Interface Commands Hierarchy


+ root
  + router
    - interface {create | remove | update} address-prefix <IP address>/<netmask>
      [vlan <vlan id>] purpose {application-host | general} physical-interface [eth1 | eth2]
      [description <>] [mtu <1500,(128-1544)>]
    + static
      - enable
      - disable
      - show running-config
      - exit
      + configure terminal
        - [no] ip route static <dest network>/<subnet> <Gateway>
        - write memory
        - exit
    + dhcp {enable | disable | show}
      - enable physical-interface {eth1 | eth2}
      - disable physical-interface {eth1 | eth2}
      - show physical-interface {eth1 | eth2}
    - interface show
    - route show

IP Interface Command Description


Table 6-1. IP Interface Commands

Command                    Description

router                     Enter the router configuration mode.

interface                  Add or remove an IP interface. The configuration should
  create | remove |        include the following:
  update                   • address-prefix: IP address in the format aa.bb.cc.dd/xx
                           • vlan: VLAN ID for egress packets from the interface
                           • purpose: application-host or general
                           • physical-interface: association to the relevant
                             Ethernet port [eth1 | eth2]
                           • mtu: set size in bytes. Default is 1500
                           • description: descriptive text

static                     Access the router static mode.
                           • enable: enable configuration
                           • disable: disable configuration
                           • exit: exit to upper level
                           • show running-config: static route configuration
                           • configure terminal
                             [no] ip route static <dest network>/<subnet> <gateway>
                               dest network: a.b.c.d
                               subnet: 0-32
                               gateway: a.b.c.d

show                       Show application engine IP interfaces.

Configuring VLAN Aware Interface


1. Create an IP interface with VLAN 1 and static route (default gateway).
SecFlow-1#
router interface create address-prefix 10.10.10.100/24 vlan 5 purpose application-host physical-interface eth1
commit
Committed OK…
SecFlow-1# router interface show
+----+------+--------+-------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet         | Mtu  | Purpose          | Admin status | Description |
+====+======+========+===================+======+==================+==============+=============+
| 1  | 5    | eth1.5 | 10.10.10.100/24   | 1500 | application host | enable       |             |
+----+------+--------+-------------------+------+------------------+--------------+-------------+
[router/] static
router/static> enable
router/static# configure terminal
router/static(config)# ip route 0.0.0.0/0 172.17.212.100
router/static(config)# write
router/static(config)# exit
router/static# exit
commit

router route show
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.212.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1.100
0.0.0.0         172.17.212.100  0.0.0.0         UG    0      0        0 eth1.100
Completed OK

2. Create an IP interface without VLAN ID.
SecFlow-1# router interface create address-prefix 172.17.203.100/24 physical-interface eth2 purpose application-host
commit
Committed OK…

SecFlow-1# router interface show
+----+------+--------+-------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet         | Mtu  | Purpose          | Admin status | Description |
+====+======+========+===================+======+==================+==============+=============+
| 1  | N/A  | eth2:1 | 172.17.203.100/24 | 1500 | application host | enable       |             |
+----+------+--------+-------------------+------+------------------+--------------+-------------+

IP Retrieving from the DHCP Server


1. Enable DHCP on the eth1 interface to retrieve an IP from a DHCP server.
SecFlow-1# router dhcp enable physical-interface eth1

SecFlow-1# router interface show


+------+------+-----+-----------+---------+-------------+
| VLAN | Name | Id | IP/Subnet | Purpose | Description |
+======+======+=====+===========+=========+=============+
| N/A | eth1 | N/A | N/A | N/A | DHCP |
+------+------+-----+-----------+---------+-------------+

SecFlow-1# router interface show


+------+------+-----+-------------------+---------+-------------+
| VLAN | Name | Id | IP/Subnet | Purpose | Description |
+======+======+=====+===================+=========+=============+
| N/A | eth1 | N/A | 172.18.212.242/28 | N/A | DHCP |
+------+------+-----+-------------------+---------+-------------+

6.3 Serial Ports


The serial interfaces connect legacy serial-based industrial devices to an Ethernet
network. Each of the serial ports can be configured to work in one of the
following operation modes:
• Transparent Tunneling
• Terminal Server
• Protocol Gateway
Two serial interfaces are available in SecFlow-1.
Table 6-2 specifies the relevant configuration areas according to the application
type.


Table 6-2. Applications Configuration Area

Hierarchy Level          Transparent Tunneling   Terminal Server   101/104 Gateway

Router IP Interface      X                       X                 X
Serial Port              X                       X                 X
Serial Local Endpoint    X                       X                 X
Serial Remote Endpoint   Required if service is remote
IEC-101 Gateway                                                    X
Terminal Server                                  X

Table 6-3 specifies the main configuration parameters according to the
application type.

Table 6-3. Application Parameters

Hierarchy Level          Configurable Parameter   Transparent Tunneling   Terminal Server   101/104 Gateway

Serial Port              mode-of-operation        transparent             transparent       transparent
Serial Local Endpoint    application              serial-tunnel           terminal-server   iec101-gw

Table 6-4 specifies the relevant configuration options of the different application
modes.

Table 6-4. Application Mode Configurations

Parameter Transparent Tunneling Terminal Server 101/104 Gateway

baudrate X X X

databits X X X

stopbits X X X

allowed-latency X X X

bus-idle-time X X X

parity X X X

dtr-dsr X

rts-cts X

local-dsr-delay X

local-cts-delay X


Serial Commands Hierarchy


+ serial
  - service show
  - local-end-point filter show
  + card
    - auto-recover {enable | disable | show}
    - show
  + port
    - clear counters
    - create [slot <1>] {port <1-2>} [baudrate <9600,(300-19200)>]
      [parity <no,(no | odd | even)>] [stopbits <1,(1 | 2)>] [bus-idle-time <30 bits,(0-1000)>]
      [mode-of-operation <transparent>] admin-status [up | down]
      [allowed-latency <16 msec,(2-255)>] [tx-delay <msec,(0-255)>] [bus <RS232 | RS485>]
    - remove [slot <1>] {port <1-2>}
    - update [slot <1>] {port <1-2>} [baudrate <>] [parity <no,(no | odd | even)>]
      [stopbits <>] [bus-idle-time <30 bits,(0-1000)>]
      [mode-of-operation <serial-tunnel,(serial-tunnel | terminal-server | iec101-gw | modbus-gw)>]
      admin-status [up | down] [allowed-latency <16 msec,(2-255)>]
      [tx-delay <10 msec,(0-255)>] [bus <RS232 | RS485>]
    - show
  + local-end-point
    - create [slot <1>] {port <1-2>} {service-id <1-100>} {position <master | slave>}
      [protocol <any>] [application {serial-tunnel | terminal-server | iec101-gw | modbus-gw}]
      [buffer-mode {byte | frame}] [iec101-link-address <0-65535>]
      [iec101-link-address-len <2,(1 | 2)>] [iec101-originator-address {none | present}]
      [unit-id-len <2,(1 | 2)>] [unit-id <0-65535>]
    - remove [slot <1>] {port <1-2>} {service-id <1-100>}
    - show
  + remote-end-point
    - create {remote-address <A.B.C.D>} {service-id <1-100>} {position <master | slave>}
      [connection-mode <udp | tcp>] [buffer-mode {byte | frame}]
    - remove {remote-address <A.B.C.D>} {service-id <1-100>}
    - show


Serial Commands Description


Table 6-5. Serial Command Description

Command                       Description

serial                        Access the serial configuration hierarchy. Configuration for
                              ports, local-end-point, and remote-end-point is available here.

service show                  Provides the configuration state of a serial service.

local-end-point filter show   Provides the detailed configuration state of an iec101 serial
                              tunneling service.

card                          auto-recover: allows automatic recovery when identifying
                              continuous loss of the serial infrastructure keep-alive (between
                              the serial processor and the Ethernet processor).
                              • enable: auto recovery will reboot the process.
                              • disable: no action taken.
                              • show: show state.
                              show: display the version and the provision state of the serial
                              processor.

port slot 1 port <>           Create/update the serial port.

  clear counters              Clear counters.

  create | update             slot: 1 (constant)
                              port: port number 1-2
                              baudrate: 300, 600, 1200, 2400, 4800, 9600, 19200
                              parity: no, odd, even
                              stopbits: 1, 2
                              admin-status: up | down. Default = up.
                              mode-of-operation: transparent
                              bus-idle-time: number of total serial bits received over the
                              local serial link to be considered as a single message.
                              allowed-latency: given in msec, this value describes the network
                              allowed latency. It affects the time the unit is allowed to delay
                              before transmitting UDP|TCP packets. The higher the value, the
                              more serial frames can accumulate into a single UDP|TCP packet.
                              The default value is 10 msec, which corresponds to a maximum of
                              3 bytes of serial data packed into a single UDP|TCP packet (at a
                              9.6 kbps rate).
                              tx-delay: given in msec, this value describes the tx delay
                              allowed.
                              bus: bus options are RS232 or RS485

  remove                      slot: 1 (constant)
                              port: port number 1-2

  show

local-end-point

  create                      slot: 1 (constant)
                              port: port number 1-2
                              service-id: numeric value of the serial service
                              position:
                                master – point to multipoint
                                slave – point to multipoint
                              application:
                                serial-tunnel (default)
                                terminal-server
                                iec101-gw
                                modbus-gw
                              buffer-mode:
                                byte (default)
                                frame
                              protocol:
                                any (default)
                                modbus_rtu
                                iec101
                              iec101-link-address: set the IEC 101 link address. Applicable
                              when application = iec101-gw and protocol = iec101. <0-65535>
                              iec101-link-address-len: set the IEC 101 link address length.
                              Applicable when application = iec101-gw and protocol = iec101.
                              <1|2> bytes. Default is 2.
                              iec101-originator-address: set whether the originator field is
                              included in the IEC 101 message. This is reflected in the Cause
                              Of Transmission being 1 byte or 2 bytes in size. If present,
                              COT = 2. If none, COT = 1.
                              unit-id: set the IEC 101 unit ASDU address. Applicable when
                              application = iec101-gw and protocol = iec101. <0-65535>
                              unit-id-len: set the IEC 101 ASDU address length. Applicable
                              when application = iec101-gw and protocol = iec101. <1|2>
                              bytes. Default is 2.

  remove                      slot: 1 (constant)
                              port: port number 1-2
                              service-id: numeric value of the serial service
                              position:
                                master – point to multipoint
                                slave – point to multipoint
                              application:
                                serial-tunnel (default)
                                terminal-server
                                iec101-gw
                                modbus-gw

  show

remote-end-point              Defines the remote end points in a transparent serial
                              tunneling service.

  create                      remote-address: IPv4 address A.B.C.D
                              service-id: numeric value of the serial service. <1-100>
                              position:
                                master
                                slave
                              connection-mode:
                                udp (default)
                                tcp
                              buffer-mode:
                                byte (default)
                                frame

  remove                      remote-address: IPv4 address A.B.C.D
                              service-id: numeric value of the serial service

  show
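The bus-idle-time parameter in the table above is what turns a raw byte stream from the RTU into discrete messages: a silence on the line at least that many bit-times long closes the current message. The code below is an added example, not code from the manual or from RAD, that converts the idle threshold from bits to milliseconds for the configured baud rate and character format, and then splits a timed byte capture into messages on that basis. The capture is constructed; the interpretation of bus-idle-time as an idle gap measured in bit-times at the port's baud rate, and the 1 start bit + data + parity + stop bits character format, are assumptions stated in the code.

```python
"""Splits a timed byte stream into messages the way the bus-idle-time
parameter above describes, and converts the idle threshold from bits to
milliseconds. Added example, not RAD code. Assumption: the idle gap is
measured in bit-times at the configured baudrate, and the character format
(1 start bit, data bits, optional parity bit, stop bits) fixes how many
bits one byte occupies on the wire."""
from typing import List, Optional, Tuple


def bits_per_char(databits: int = 8, parity: str = "no", stopbits: int = 1) -> int:
    """Bits on the wire per character: 1 start bit + data + parity (if any) + stop bits."""
    if parity not in ("no", "odd", "even"):
        raise ValueError("parity must be no, odd or even")
    if stopbits not in (1, 2):
        raise ValueError("stopbits must be 1 or 2")
    return 1 + databits + (0 if parity == "no" else 1) + stopbits


def idle_time_ms(bus_idle_bits: int, baudrate: int) -> float:
    """bus-idle-time expressed in milliseconds: 30 bits at 9600 baud is 3.125 ms."""
    if not 0 <= bus_idle_bits <= 1000:
        raise ValueError("bus-idle-time must be within 0-1000 bits")
    return bus_idle_bits * 1000.0 / baudrate


def split_frames(arrivals: List[Tuple[float, int]], baudrate: int,
                 bus_idle_bits: int) -> List[bytes]:
    """arrivals: (time_ms, byte) pairs in arrival order. A gap between two
    consecutive bytes that is at least bus-idle-time long closes the current
    message; the function returns the list of messages seen on the link."""
    gap_ms = idle_time_ms(bus_idle_bits, baudrate)
    frames: List[bytes] = []
    current = bytearray()
    last_t: Optional[float] = None
    for t, byte in arrivals:
        if last_t is not None and t - last_t >= gap_ms and current:
            frames.append(bytes(current))
            current = bytearray()
        current.append(byte)
        last_t = t
    if current:
        frames.append(bytes(current))
    return frames


# Constructed capture at 9600 baud, 8N1 (about 1.04 ms per byte): two short
# bursts separated by 12 ms of silence, then a third burst after 13.6 ms.
SAMPLE = [(0.0, 0x01), (1.1, 0x03), (2.2, 0x00), (3.3, 0x10),
          (15.3, 0x01), (16.4, 0x03),
          (30.0, 0x02), (31.1, 0x04), (32.2, 0x00)]

if __name__ == "__main__":
    print(bits_per_char(), "bits per char;", idle_time_ms(30, 9600), "ms idle threshold")
    for frame in split_frames(SAMPLE, baudrate=9600, bus_idle_bits=30):
        print(frame.hex())
```

The same arithmetic explains why a too-small bus-idle-time fragments messages (a single slow character gap is read as end of message) and a too-large one merges consecutive polls from a master into one message before they are tunneled.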

Port Declaration
The example below shows the serial port declaration:
+ root
  serial
    port create slot 1 port 1
    port create slot 1 port 2
    ..
  commit

Default State
The serial ports' default state is non-configurable.

SecFlow-1# serial port show
+-----+------+------+-----+------+------+------+--------+------+---------+----------+-----------+
| idx | slot | port | bus | mode | baud | data | parity | stop | latency | max-data | bus       |
|     |      |      |     |      | rate | bits |        | bits |         |          | Idle-Time |
+=====+======+======+=====+======+======+======+========+======+=========+==========+===========+
+-----+------+------+-----+------+------+------+--------+------+---------+----------+-----------+

+-------+-------+-------+-------+-----+-------+-------+---------+---------+-------+-------+
| tx    | start | stop  | admin | svc | sync1 | sync2 | rts-cts | dtr-dsr | local | local |
| delay | delim | delim |       | id  | bits  | bits  |         |         | Cts   | Dsr   |
+=======+=======+=======+=======+=====+=======+=======+=========+=========+=======+=======+
+-------+-------+-------+-------+-----+-------+-------+---------+---------+-------+-------+

SecFlow-1# serial local-end-point show
+---------+------+------+-------------+----------+----------+--------+----------+----------+
| service | slot | port | application | protocol | position | buffer | firewall | firewall |
| id      |      |      |             |          |          | mode   | mode     | protocol |
+=========+======+======+=============+==========+==========+========+==========+==========+
+---------+------+------+-------------+----------+----------+--------+----------+----------+

RS-232 Port
The SecFlow-1 RS-232 ports are terminated with RJ-45 connectors.
For CBL-RJ45/DB9/NULL Cable Pinout refer to Appendix A.
See Appendix A for the serial port pin assignment.

Note The serial control lines are not supported in the current version.

RS-485 Port
The RS-485 ports are RJ-45 ports. Four wires mode is supported.
See Appendix A for serial port pin assignment.

LED State
SecFlow-1 serial port has a LED indicator to display its current status. See
Indicators in Chapter 3 for the serial port LED state description.



Chapter 7
Resiliency
This chapter describes features related to resiliency:
• Backup and Redundancy

7.1 Backup and Redundancy

Backup of Cellular and Physical Interfaces


A cellular link involves higher costs and has significantly lower bandwidth than a
physical channel, which is a copper or fiber line. When the cellular link is to be
used for backup to a physical link, then resilient routing protocols can determine
the primary and backup paths.

Figure 7-1. Layer 3 Protection

Modem Conditional Reload


When the modem is continuously unsuccessful in establishing a connection or in
retrieving an IP address, this serves as a trigger for reloading the modem.
The retry-threshold-reload configuration parameter can be assigned values from
0 (disabled) to 30. The value within the range 1-30 represents the number of
consecutive failures.
The typical flow is as follows:
1. SIM card CONNECTING status results in FAILED status instead of CONNECTED
   (a connection attempt may take approximately two minutes and is non-configurable).
2. A counter summarizes the connection attempts for both SIM cards.
3. If the counter reaches the predefined value, the modem reloads.
4. The following statuses reset the counter: CONNECTED, CONNECTED AS
   ALTERNATIVE, CONNECTED AS SECONDARY.

Note The quality echo tests are applicable when the SIM card status is CONNECTED and the
retry-threshold-reload counter is reset. Quality tests do not affect this counter.

Note If a single SIM card is used and the continuous-echo test fails, this triggers a
cellular modem refresh. If the modem is in the CONNECTED status but the echo test
fails to meet the configured criteria (ping loss/RTT), the router refreshes the modem.
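The reload flow above is a small state machine: one counter shared by both SIM slots, incremented on every FAILED attempt, cleared by any CONNECTED state, and a modem reload when it reaches retry-threshold-reload (0 disables it). The model below is an added example, not code from the manual or from RAD, so that the behaviour of a given threshold can be checked against a status log before it is deployed. The status log is constructed; the assumption that a reload also clears the counter is stated in the code.

```python
"""Model of the retry-threshold-reload flow above: one counter shared by both
SIM slots, incremented on each FAILED connection attempt, reset by any
CONNECTED state, and a modem reload when it reaches the configured value.
Added example, not RAD code. Assumption: a reload also clears the counter;
0 disables the mechanism as the text states."""
from typing import List, Tuple

CONNECTED_STATES = {"CONNECTED", "CONNECTED AS ALTERNATIVE", "CONNECTED AS SECONDARY"}


class ModemReloadWatchdog:
    def __init__(self, retry_threshold_reload: int) -> None:
        if not 0 <= retry_threshold_reload <= 30:
            raise ValueError("retry-threshold-reload must be within 0-30")
        self.threshold = retry_threshold_reload
        self.failures = 0          # consecutive FAILED attempts, both SIMs combined
        self.reloads = 0

    def observe(self, sim_slot: int, status: str) -> bool:
        """Feed one SIM status transition; return True when a reload is triggered."""
        if sim_slot not in (1, 2):
            raise ValueError("sim-slot must be 1 or 2")
        status = status.upper()
        if status in CONNECTED_STATES:
            self.failures = 0      # any connected state resets the counter
            return False
        if status == "FAILED" and self.threshold > 0:
            self.failures += 1
            if self.failures >= self.threshold:
                self.failures = 0  # assumed: the reload starts a fresh count
                self.reloads += 1
                return True
        return False               # READY, CONNECTING, DISABLED, UNKNOWN: no effect

    def echo_test_result(self, passed: bool) -> None:
        """Quality (echo) tests run only while CONNECTED and do not touch the
        counter, per the note above; kept as an explicit no-op."""
        return None


def replay(retry_threshold_reload: int, events: List[Tuple[int, str]]) -> List[int]:
    """Return the 0-based indexes of the events at which the modem reloaded."""
    wd = ModemReloadWatchdog(retry_threshold_reload)
    return [i for i, (slot, status) in enumerate(events) if wd.observe(slot, status)]


# Constructed status log: SIM 1 fails twice, SIM 2 connects (counter reset),
# then three straight failures across both SIMs reach a threshold of 3.
EVENTS = [(1, "CONNECTING"), (1, "FAILED"), (1, "FAILED"),
          (2, "CONNECTING"), (2, "CONNECTED AS SECONDARY"),
          (2, "FAILED"), (1, "CONNECTING"), (1, "FAILED"), (2, "FAILED")]

if __name__ == "__main__":
    print("threshold 3, reload at event indexes:", replay(3, EVENTS))
    print("threshold 0 (disabled):", replay(0, EVENTS))
```

Because the counter is shared, a threshold of 2 on a dual-SIM unit reloads after one failure per SIM; with each attempt taking about two minutes, the threshold also sets the minimum time the unit spends before recovering by reload.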



Chapter 8
Traffic Processing
This chapter explains how to configure networking entities in SecFlow-1. It
presents information on the following topics:
• Cellular Modem
• Discrete IO Channels
• DNP3 Gateway
• IEC 101 to IEC 104 Protocol Gateway
• IPsec
• Modbus Gateway
• Network Address Translation (NAT)
• Open Shortest Path First (OSPF)
• RIPv2
• Terminal Server
• VPN

8.1 Cellular Modem


Since cellular coverage has become a quite reliable medium, an integrated cellular
interface is now especially beneficial in utility applications for small sites that
require a backup traffic path in addition to the physical line.
A cellular solution is also advantageous over laying a physical connection to a site
if the customer’s installation is either at a very remote site or not at a permanent
or fixed location.
As listed in the Technical Specifications section, SecFlow-1 supports the following
options for the cellular modem:
• LTE
• GPRS/UMTS
• HSPA+

Note The modems support two SIM cards for redundancy and backup between two
Internet service providers.

For more information on redundancy, refer to Chapter 7.


LTE Modem
The following two ordering options are available for the LTE modem:
• European type frequencies and bands
• North American frequencies and bands
In both cases, the modem supports LTE (in their respective bands) and
GSM/GPRS/EDGE.

Note The SecFlow-1 unit comes with two antennas. Both antennas must be connected.
The device will not work with only one antenna.

The table below presents the bands supported per ordering option.

Topic             Type    Frequency   Band   North America   Europe

Air Interface     LTE                        Yes             Yes
Air Interface     HSPA+                      Yes             Yes
Air Interface     GSM                        Yes             Yes
Air Interface     GPRS                       Yes             Yes
Air Interface     EDGE                       Yes             No
Frequency Bands   LTE     2100        1      No              Yes
Frequency Bands   LTE     1900        2      Yes             No
Frequency Bands   LTE     1800        3      No              Yes
Frequency Bands   LTE     AWS         4      Yes             No
Frequency Bands   LTE     850         5      Yes             No
Frequency Bands   LTE     2600        7      No              Yes
Frequency Bands   LTE     900         8      No              Yes
Frequency Bands   LTE     700         13     Yes             No
Frequency Bands   LTE     700         17     Yes             No
Frequency Bands   LTE     800         20     No              Yes
Frequency Bands   LTE     1900        25     Yes             No
Frequency Bands   LTE     2600        38     No              No
Frequency Bands   LTE     2300        40     No              No
Frequency Bands   LTE     700         -      No              No

GPRS/UMTS Modem
The following cellular modes and radio bands are supported:
• 3G UMTS – HSDPA, cat 5/6
  - Triple band 2100/1900/900 MHz
  - Triple band 2100/1900/850 MHz
• 2G GSM – EDGE/GPRS, class 12
  - Quad band 850/900/1800/1900 MHz
The maximum data throughput is determined by the cellular service and might
differ for downstream and upstream.
The following topologies are supported:
• Point-to-Point: single spoke to a single hub
• Multipoint-to-Point: multiple spokes to a single hub
NAT support with IPsec encryption enables spoke accessibility also when a
private IP is retrieved from the ISP.

Cellular Interface Name


In various applications, the cellular interface is referred to by its name ppp0.
Note the following examples:
DMVPN
vpn gre tunnel create address-prefix 10.10.10.20/24 lower-
layer-dev ppp0 name mgre1 key 10.0.0.0 admin-status enable

NAT
router nat dynamic create interface-name ppp0 description CELL

Method of Operation
On the SecFlow-1 spoke side, a simple cellular modem configuration suffices for
the spoke to connect to the ISP in order to retrieve an IP address using the PPP
protocol. Authentication vis-a-vis the ISP is performed by means of the SIM cards
and PAP protocol. Depending on the ISP service, this IP can either be private
behind NAT or public.
The cellular connection is typically used with the following services:
• DMVPN
• NAT

VPN Application
When the IP address is retrieved and the VPN is configured, the spoke initiates
the NHRP request for registration in the Hub.
The hub must have a static address (not cellular) in the network that is routable
with the IP addresses allocated by the cellular ISP to the cellular spokes. If the
network cloud is public (for example, www), the hub must have a public static
IP address.
On its interface, the hub listens to NHRP requests from the spoke and allows the
VPN to be established, pending authentication.


A hub must have a fixed connection to the network; it may not be connected
with the cellular modem as a spoke.

Figure 8-1. SecFlow-1 Operation via GPRS/UMTS Modem

SIM Card Status


The GPRS/UMTS modem can use two different SIM cards from the same or
different service providers.
Each SIM card can be configured and enabled/disabled separately. The user can
select one of the SIM cards as the default.
In order to allow redundancy, RSSI measurements and echo tests can be used to
determine which SIM card provides the best performance.
The user can decide whether to select a certain SIM card as preferred for the
default connection. The modem can be set to work in a specific technology (2G/3G)
or set to auto. In the auto mode, the modem connects to the best available
network.
Depending on the configuration and availability, the status of a SIM card may be
one of the following:
• Unknown:
  - The SIM card has not been installed.
  - The cellular modem is disabled.
  - The cellular modem is refreshing.
  - The cellular modem has malfunctioned.
• Disabled – The cellular modem is enabled, but the SIM card has not been
configured.
• Ready – The SIM card is available and has been configured.
• Connecting – The cellular modem is trying to retrieve an IP address from the
ISP using the SIM card.
• Connected – The cellular modem retrieved the IP address with the selected
SIM card.
• Failed – The connection with the selected SIM card cannot be established.
• Connected as Secondary – The modem is connected with the alternative SIM
card (that is, not the SIM card originally selected by the user as the preferred
SIM card).
• Connected as Alternative – The modem is connected with the alternative SIM
card (that is, not the SIM card originally chosen by the user) due to a primary
SIM card failure (secondary SIM card status).

Viewing SIM Card Status


The example below shows the administrative status of the SIM cards. The SIM
card in slot 1 has been enabled, while the SIM card in slot 2 has been disabled.
1. Use the cellular wan show command to verify the status of the SIM cards.
2. The status of the cellular modem is enabled, and the properties of the SIM
cards are configured. SIM card 1 is connected and has the status CONNECTED.
SIM card 2 is configured and has the status READY.
cellular enable
cellular wan update admin-status enable apn-name internetg sim-slot 1 operator-name radcell user-name guest password guest
cellular wan update admin-status enable apn-name internet.pelephone.net.il sim-slot 2 operator-name pelephone user-name pcl@3g password pcl
3. The modem retrieves an IP address from the ISP.


Cellular Command Hierarchy


+ root
  + cellular
    + continuous-echo
      - {create | update} {name <>} {dest-ip-address <ip address>}
        [loss-threshold <50,(10-99)>] [num-of-requests <3,(1-100)>]
        [rtt-threshold <5000 msec,(1,000-20,000)>] [interval <60 sec,(1-1440)>]
        [request-size <100 bytes,(64-1500)>]
      - remove {dest-ip-address <ip address>} {name <>}
      - show-config
      - show-status
    + modem
      - power-down
      - power-up
      - send command at+cgsn
      - get {iccid | imei | model | version}
    + settings
      - update [quality check <0,time interval>] [backoff1 <60 sec,(10-600)>]
        [backoff2 <300 sec,(10-600)>] [default-route {yes | no}]
        [lcp-echo-interval <10 sec,(0-600)>] [lcp-failure <4,(1-64)>]
        [preferred-sim {1 | 2 | none}] [rssi-threshold-dbm <-100 dbm,(-144 to -61)>]
        [wait-to-restore <14400 sec,(120-86400)>] [connection-method <ppp | direct-IP>]
      - update retry-threshold-reload <0-30>
      - show
    + wan
      - update {sim-slot <1-2>} {admin-status <enable | disable>} {apn-name <name>}
        [operator-name <name>] [pin <pin>] [user-name <name>] [password <password>]
        [radio-access-technology {auto | 2G | 3G | 2Gthen3G | 3Gthen2G | 4G |
        4Gthen3Gthen2G | 4Gthen3G}] [flow-control {enable | disable}]
        [dialer-number <number>] [auth-type <none | pap | chap>]
      - show
    - refresh
    - network {show}
    - connection {show}
    - enable
    - disable
    - show


Descriptions of Cellular Commands

Command Description

cellular Enter the configuration mode for the Cellular application


Enable: enable application
Disable: disable application

continuous-echo Configure ICMP traffic test to validate network connectivity to a remote host.
The test sets two options of triggers to be used by the application watchdog:
round trip delay and percentage of lost ICMP messages sent.
A test is determined by a configurable number of ICMP requests. The average RTT
is then calculated.
These two conditions are sufficient triggers for a cellular watchdog.

create | update name : name of the test (text)


dest-ip-address: ip address of a reachable (routable) host. Format
aa.bb.cc.dd
rtt-threshold: round trip threshold in msec. <1,000-20,000>
loss-threshold: calculated percentage of icmp requests which were not
responded. <10-99>
interval: time interval in seconds between icmp messages sent. <1-1440>.
num-of-requests: number of icmp messages to send before calculating
results of losses and rrd. <1-100>.
request-size: ICMP message packet size

remove name: name of the test (text)

show-config Show configuration

show-status Show result of loss % and calculated round trip delay

modem Power-up: power the modem


Power-down: shut the modem
Send command at+cgsn: retrieve the IMEI identifier of the modem
• The modem must be enabled for these commands to take
effect.
• get: retrieve the identifiers of the modem. iccid| imei|
model| version

SecFlow-1 Cellular Modem 8-7


Chapter 8 Traffic Processing Installation and Operation Manual

Command Description

settings update quality check: define time interval in seconds for internal RSSI check of active
SIM.<0-604800>. 0 –disable RSSI check
backoff1: minimum time to stay on a SIM after any fail over
< sec,10-600>
backoff2: minimum time to stay on a SIM if caveat flag is set. This flag is set
in case if there was already failure in the last 2 hours
< sec,10-600>
wait-to-restore: maximum time allowed to stay on non-preferred SIM
default-route: setting the cellular interface to be the default gateway for
the application IP interfaces
{yes | no}
lcp-echo-interval : lcp protocol test of connectivity towards the connected ISP. 1
to 600 seconds interval between tests.0 –disable.
lcp-failure: number of failed lcp echo tests. <1-64>
update retry-threshold-reload <0-30> : sets a router reload after a
configurable number of failed attempts to establish Connected status of the
cellular modem.
Any configuration that was not committed is not saved after the reload.

settings show Show: show configured interval time

wan update sim-slot: location of the SIM to be configured, 1 or 2
admin-status: enable/disable the SIM card
apn-name: as given by the network provider
operator-name: operator name (text)
pin: as given by the network provider
user-name: as given by the network provider
password: as given by the network provider
flow-control: enable | disable
radio-access-technology: preferred network to connect to
• Auto – if 3G is available it is chosen over 2G.
• 3G – only 3G connections are allowed.
• 2G – only 2G connections are allowed.
• 2Gthen3G – 2G is preferred over 3G.
• 3Gthen2G – 3G is preferred over 2G.
• 4G – only 4G connections are allowed.
• 4Gthen3Gthen2G – 4G is preferred. Fallback to 3G/2G is allowed.
• 4Gthen3G – 4G is preferred. Fallback to 3G is allowed.
dialer-number: dialing number for the cellular modem connection (optional).
Allowed characters: 0..9, *, #.
auth-type: cellular connection authentication type.
• None – no authentication
• PAP – Password Authentication Protocol
• CHAP – Challenge Handshake Authentication Protocol

wan show Show configuration and status of SIM cards


network show Show connection time and RSSI per SIM card

connection show Show cellular connection status

Default Status
The default cellular modem status is disabled. The table below specifies the
default status properties.

The cellular modem has a LED indicator for each SIM slot to represent the SIM
card state. For details on the LED states see Chapter 3.

Retrieving Modem IMEI


The example below shows the retrieval of the IMEI identifier of the modem.
SecFlow-1#
cellular disable
cellular modem power-up
Completed OK
cellular modem send command at+cgsn
send : at+cgsn
reply : +cgsn
357524040483438
OK

Example of SIM Card Status


The example below demonstrates the configuration of two SIM cards and their
possible status.
cellular wan update admin-status enable apn-name internetg sim-slot 1
operator-name radcell user-name guest password guest

cellular wan update admin-status enable apn-name internet.pelephone.net.il
sim-slot 2 operator-name pelephone user-name pcl@3g password pcl

cellular enable
commit
cellular refresh


8.2 Discrete IO Channels

Discrete Channel Interface


Discrete signals are widely used in industrial applications to monitor alarms
and indications from the field side.
The discrete channels connection terminal is shown in the figure below.


Discrete Channels Connector

Technical Specification
Apply a 6-12 VDC source to the digital input (terminals 6, 4 for channel 1, or
terminals 5, 4 for channel 2).
Digital outputs are the dry relay contacts. Maximum power to be applied to these
contacts is:
• 250 VAC, 37.5W
• 220 VDC, 30W
The maximum current through the contacts is 1A.

Caution: Exceeding the power limits may damage the equipment.

Discrete IO Channels Commands Hierarchy


+ root
+ discrete in
- no-shutdown
- shutdown
- set name <>
- clear
- show

Discrete IO Channels Commands

Command Description

discrete in shutdown: disable the input channels
no-shutdown: enable the input channels
set name: set a name to describe each channel
clear: clear the name configuration back to the default names
‘Discrete-in1’, ‘Discrete-in2’.
show: display the channels state, ‘HIGH’ or ‘LOW’. Default: HIGH.


8.3 DNP3 Gateway


DNP3 (Distributed Network Protocol) is a set of communications protocols used
in SCADA applications.
The SecFlow-1 features gateway functionality between a DNP3 TCP client
(master) and a DNP3 serial RTU.
A DNP3 gateway is configured with a terminal server using TCP port 20000, the
DNP3 protocol port.
See for the configuration structure of the terminal server.

Configuring DNP3 Gateway


Figure 8-2 demonstrates the DNP3 gateway configuration.

Figure 8-2. DNP3 Gateway Example

 To configure the DNP3 gateway:


1. Assign the gateway IP interface.
router interface create address-prefix 192.168.40.10/24 physical-interface
eth1 purpose application-host

2. Assign the serial port for the DNP3 RTU slave connection.
serial port create slot 1 port 1 mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 protocol application
terminal-server

3. Set up the gateway using the terminal server.
terminal-server admin-status enable
terminal-server settings update low-border-telnet-tcp-port 20000 buffer-mode
frame
terminal-server tcp-service create service-id 1 remote-address 192.168.40.10
telnet-port 20000
commit


8.4 IEC 101 to IEC 104 Protocol Gateway


The SecFlow-1 application module features the IEC 101 to IEC 104 gateway. The
IEC 101 and IEC 104 protocols are fully integrated in the application module,
allowing the IEC 101 slave devices to be represented in the IP network as an
IEC 104 server and to be addressed by the IEC 104 clients located in this network.
The gateway implements three functions:
• IEC 104 Server – the application module functions as an IEC 104 server to any
IEC 104 clients connected via the Ethernet network. This functioning includes
full IEC 104 server state-machine implementation, response to keep-alive test
frames, and listening to TCP port 2404 for any client requests.
• IEC 60870 message router – the application module functions as a router
translating the requests received by the IEC 104 server to commands
generated by the IEC 101 master with the proper IEC 101 address, and
translating the IEC 101 responses back to IEC 104 format.
• IEC 101 Master – The application module functions as an IEC 101 master for
the IEC 101 slave devices connected to the assigned router serial interfaces.
This function includes IEC 101 master state-machine full implementation,
IEC 101 bus initialization and arbitration, and generating commands to the
appropriate IEC 101 slave in response to the requests received from the
message router.
The IEC 101 devices are configured with their serial link properties, device address
and ASDU address to be uniquely identified behind the gateway.
Generally, the IEC 101 devices are addressed from the IEC 104 remote client using
the following hierarchical addressing scheme:
• IP address of the application module with IEC 101/104 gateway
• IEC 101 device address
• ASDU (Application Service Data Unit) address
• IOA (Information Object Address), for example, the actual address of the
discrete inputs mapped to the IEC 101 RTU

Modes of Operation
The IEC 101/104 gateway supports the two IEC 101 operation modes defined by
the standard.
Balanced Mode is illustrated in Figure 8-3. Up to 24 unique IEC-101 servers can
be supported by each single gateway.


Figure 8-3. IEC 101 Balanced Operation mode

Unbalanced Mode is illustrated in Figure 8-4. Up to 32 ASDU addresses can be
supported by each IEC 101 server.

Figure 8-4. IEC 101 Unbalanced Operation mode

IEC 101 Properties

System layer
• Station definition: control (Master)
• Network configuration:
 - Point-to-point
 - Multiple point-to-point
 - Multipoint-party line (planned)

Physical layer
• Monitor and control traffic transmission speed: 300 – 38400 bps

Link layer
• Link transmission procedure:
 - Balanced transmission
 - Unbalanced transmission
• Link address field:
 - Not present (balanced transmission only)
 - One octet
 - Two octets
 - Structured values translation
 - Unstructured

Application layer
• ASDU common address:
 - One octet
 - Two octets
• Information object address:
 - Two octets
 - Three octets
 - Structured
 - Unstructured
• Transmission format:
 - One octet
 - Two octets (with originator address)

Functional Description
The IEC 101/104 gateway can be configured with the system CLI or as part of an
IEC 104 network-wide service-group in the iSIM service management tool.
This configuration includes the following parameters:
• Application IP address – the application module must be configured with an IP
address and associated with the uplink traffic VLAN. This application IP
interface acts in the Ethernet network as the IEC 104 server and represents
all the IEC 101 devices connected locally to the router towards the IEC 104
clients.
• Optional remote IP addresses - when configuring the IEC 104 service-group,
the IEC 104 clients IP addresses should be provided to enable the proper
service-aware firewall rules definition.
• IEC 101 device parameters - the physical link properties (baud-rate, parity,
stop bits) should be configured for the serial interfaces. Besides this, the
IEC 101 addressing information should be provided, and the devices have to
be assigned to the IEC 104/101 gateway.


Figure 8-5. Gateway Service Configuration with iSIM Tools

IEC 101/104 Gateway Configuration Flow


Follow the steps below to configure the IEC 101/104 gateway.
1. Establish Ethernet connectivity towards the IEC 104 Client (SCADA).
a. Set service VLAN and assign the relevant ports.
b. Set ACE IP interface with the service VLAN.
c. Set static or dynamic routing if needed to reach the IEC 104 Client.
d. Verify by the following methods:
• Ping between the IEC 104 client (SCADA) and the SecFlow-1
designated IP interface.
• Verify SecFlow-1 connection using the iec101-gw show all command.
2. Serial connection towards the locally connected IEC 101 server (RTU).
a. Configure a serial port.
• Serial properties (baud rate, parity etc.) must be consistent with
those of the RTU.
• The serial port must be configured with mode-of-operation set to
transparent.
b. Configure a local service (serial local endpoint).

• Create a local endpoint and assign the serial port.
• The local endpoint application field must be set to iec101-gw.
c. Enable the gateway.
• Set the gateway to use the predefined ACE interface.
• Set the desired mode (balanced or unbalanced).
d. Configure the gateway with the RTU IEC 101 properties. The key
parameters are specified below:
• Common ASDU address (CLI field asdu_addr) — identical to the RTU.
• Common ASDU address length in bytes
(common_address_field_length) — identical to the RTU
• Link Address (link_addr) — identical to the RTU
• Link Address length in bytes (link_address_field_length) — identical to
the RTU
• Transmission length in bytes, determined by the originator address
field in the protocol (orig_addr_participate).
• Connect the IEC 101 server (RTU) to the serial port with a proper
serial cable. Control lines are not supported by the gateway
application. Usage of Tx, Rx, and GND lines is allowed.
e. Verify the configuration using the following methods:
• Use the iec101-gw show all command to verify that the operational
status (OP ST) is UP.
• Check the serial port and gateway counters to verify that the serial
traffic is received and transmitted.
Use the following show commands: serial port show slot 1 port <x>
and iec101-gw cnt show.
3. Troubleshooting
a. Most troubleshooting tools refer to the local IEC 101 connection between
gateway and RTU. The IEC 104 connection between gateway and client
(SCADA) is based on direct Ethernet connectivity, easy to establish and
diagnose.
b. If the IEC 101 (OP ST) has a status different from UP, try the following
diagnostics steps:
• Verify your serial physical connection.
• Verify that the RTU is on and properly configured.
• Follow the serial port counters to verify traffic is received and
transmitted at the serial port. If only Rx counters are progressing,
check the serial properties of both the gateway and the RTU (such as
baud rate and parity) again.
• Verify that the IEC properties are consistent between the gateway
and the RTU (CA, LA, CA length, LA length, COT).


IEC 101/104 Gateway Commands Hierarchy


+ root
+ serial
+ port
- clear counters
- create {slot <1>} {port <1-2>} {mode-of-operation < transparent >} [baudrate
<9600,(50-368400)>] [parity {no,no| odd| even}]
[stopbits <1|2>] databits {8,<5-8>}
admin-status [up| down]
- update {slot <1>} {port <1-2>} {mode-of-operation < transparent >} [baudrate
<9600,(50-368400)>] [parity {no,no| odd| even}]
[stopbits <1|2>] databits {8,<5-8>}
admin-status [up| down]
- show
- remove
- remove all
+ local-end-point
- create {slot <1>} {port <1-2>} {application <iec101-gw>} {service-id
<1-100>} [position <slave>]
- remove {slot <1>} {port <1-2>} {service-id <1-100>}
- show
+ iec101-gw
- operation {start | stop}
- cnt show
- show {all| iec101 {log| state} {slot <1>} {port <1-2>} }
+ config
- gw update mode {balanced,(balanced| unbalanced)} ip_addr <A.B.C.D>
- iec101 {create | update}
{slot <1>} {port <1-2>} {asdu_addr {(1-255)| (1-65534)}}
{link_addr {(1-255)| (1-65534)}}
[common_address_field_length <2,(1|2)>]
[translated_cmn_addr {(1-255)| (1-65534)}]
[link_address_field_length <2,(1|2)>]
[ioa_length <3,(1|2|3)>] [orig_address <1-255>]
[orig_addr_participate <y,(y|n)>]
[dir_bit<AUTO,(AUTO|0|1)>] [single_char <y,(n|y)>]
[test_proc <y,(n|y)>] [gen_inter <n,(n|y)>] [time_tag <n,(n|y)>]
- iec101 remove [slot <1>] {port <1-2>}
- iec101 [add_asdu | remove_asdu] port <1-2>
{asdu_addr {(1-255)| (1-65534)}} {link address {(1-255)| (1-65534)}}
- iec101 [add_ioa_trans | remove_ioa_trans] port <1-2>
src_ioa {a1-a2-a3| a1-a2| a} trans_ioa {a1-a2-a3| a1-a2| a}
- iec104 {update | remove} {ip_addr <>} [clock_sync <n|y>] [orig_addr <>]
[t0 <30sec,[1-255]>] [t1 <15sec,[1-255]>] [t2 <10sec,[1-255]>] [t3
<20sec,[1-255]>]

IEC 101/104 Gateway Commands

Command Description

iec101-gw: configuration mode of the 101/104 gateway

operation start: activate the gateway
stop: stop the gateway
* Takes effect on all IEC 101 nodes connected to the switch

config

gw update mode: unbalanced – for 101 servers in unbalanced topology;
balanced (default) – for 101 servers in balanced topology
ip_addr: IP address of a chosen application IP interface. The IP interface
must be configured prior to being used by the gateway.
Note: Changing this field requires reloading the unit.

iec101 create | update | remove slot, port: physical interface to which the
101 slave is connected.
asdu_addr: Common Address of ASDU. Usually configured as the ASDU address of
the IEC 101 server, unless a translation service is required; in that case,
configured as the address set at the 104 client for the server. A decimal
value of 1-255 or 1-65534 is allowed depending on whether
‘common_address_field_length’ is set to one byte or two.
common_address_field_length: length in bytes of the Common Address of ASDU.
Permissible values are one or two bytes. Should be identical to the
configuration at the IEC 101 server.
translated_cmn_addr: used when a translation service is required for the
common address of ASDU. The value should be identical to the actual common
address of the IEC 101 server. A decimal value of 1-255 or 1-65534 is allowed
depending on whether ‘common_address_field_length’ is set to one byte or two.
link_addr: should be configured as the link address of the 101 slave. A
decimal value of 1-255 or 1-65534 is allowed depending on whether
‘link_address_field_length’ is set to one byte or two.
link_address_field_length: length in bytes of the Link Address. Permissible
values are one or two bytes. Should be identical to the configuration at the
101 slave.
orig_addr: should be configured as the originator address set at the 101 slave.
orig_addr_participate: y|n to indicate whether the 101 slave uses the
originator address field. Should be identical to the configuration at the 101
slave. The Cause Of Transmission (COT) size is determined by this setting:
'y' – COT is 2 bytes in size.
'n' – COT is 1 byte in size.
dir_bit: y|n are permissible values. Should be opposite to the configuration
at the 101 slave. Relevant in balanced mode only.
single_char: y|n are permissible values. Should be configured identical to the
101 slave configuration. Relevant in balanced mode only.
ioa_length: information object address length. Permissible values are 1|2|3
bytes. Should be identical to the configuration at the 101 slave.

[add_ioa_trans | remove_ioa_trans] slot, port: physical interface to which the
101 slave is connected.
src_ioa: value of the 101 server object address as set at the 104 client. May
be 1/2/3 bytes long depending on the setting of ‘ioa_length’. A value is
expected as ‘byte1’-‘byte2’-‘byte3’, ‘byte1’-‘byte2’ or ‘byte1’. Permissible
value for each byte is 1-255. Example for a 3-byte IOA: 5-212-151.
trans_ioa: value of the 101 server object address. May be 1/2/3 bytes long
depending on the setting of ‘ioa_length’. A value is expected as
‘byte1’-‘byte2’-‘byte3’, ‘byte1’-‘byte2’ or ‘byte1’. Permissible value for each
byte is 1-255. Example for a 3-byte IOA: 5-212-151.

iec104 {update | remove} ip_addr: IP address of the SCADA
orig_addr: originator address of the SCADA.
clock_sync: enable clock-sync functionality
t0: time-out of connection establishment
t1: time-out of send or test APDUs
t2: time-out for acknowledges in case of no data messages, t2 < t1
t3: time-out for sending test frames in case of a long idle state


Configuring IEC 101/104 Gateway


Figure 8-6 illustrates IEC 101/104 connection setup using SecFlow-1 as a
gateway.

Figure 8-6. IEC 101/104 Gateway Setup

1. Configure the gateway IP interface.
SecFlow-1# router interface create address-prefix 192.168.10.11/24 physical-interface
eth1 description Network purpose application-host

2. Configure the serial port properties. The mode-of-operation field must be set
to transparent. The port properties (baud rate, parity, stop bits, data bits,
etc.) must be identical to those of the IEC 101 server port connected to SecFlow-1.
serial port create slot 1 port 1 mode-of-operation transparent baudrate 9600
parity even

3. Create the port local serial service. The application field must be iec101-gw.
serial local-end-point create slot 1 port 1 service-id 1 application iec101-gw

4. Configure the gateway operation mode and select the ACE interface. The
corresponding IP interface must be prepared beforehand.
iec101-gw config gw update mode balanced ip_addr 192.168.10.11

5. Configure the gateway properties to be compatible with the IEC 101 server settings.
iec101-gw config iec101 create slot 1 port 1 asdu_addr 1 orig_addr 0 link_addr
27 link_address_field_length 2 common_address_field_length 2
orig_addr_participate y
commit

6. Verify the IEC 101/104 gateway status.
SecFlow-1# router interface show
+----+------+--------+------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet        | Mtu  | Purpose          | Admin status | Description |
+====+======+========+==================+======+==================+==============+=============+
| 1  | N/A  | eth1:1 | 192.168.10.11/24 | 1500 | application host | enable       | WAN         |
+----+------+--------+------------------+------+------------------+--------------+-------------+

SecFlow-1# iec101-gw show all
101-104 ROUTER
BALANCED MODE
IEC 104:
+---------------+------------+------------+----------+----+----+----+----+
| IP            | ORIG. ADDR | CLOCK SYNC | TIME TAG | T0 | T1 | T2 | T3 |
+===============+============+============+==========+====+====+====+====+
| 192.168.10.11 | 0          | n          | n        | 30 | 15 | 10 | 20 |
| 192.168.10.10 | 0          | n          | n        | 30 | 15 | 10 | 20 |
+---------------+------------+------------+----------+----+----+----+----+
IEC 101:
+------+------+-------+----------+---------+--------------+----------+---------+---------+---------+---------+----------+
| SLOT | PORT | OP ST | LINK ADR | CMN ADR | CONV CMN ADR | LINK LEN | CMN LEN | COT LEN | IOA LEN | SRC IOA | CONV IOA |
+======+======+=======+==========+=========+==============+==========+=========+=========+=========+=========+==========+
| 1    | 1    | UP    | 27       | 1       | 0            | 2        | 2       | 2       | 3       |         |          |
+------+------+-------+----------+---------+--------------+----------+---------+---------+---------+---------+----------+
+------+------+-----------+------+---------+---------+---------+----------+---------+---------+----------+-----------+
| SLOT | PORT | ORIG. ADR | S CH | DIR BIT | TEST FR | GEN INT | TIME TAG | COT LEN | IOA LEN | CMN (UB) | LINK (UB) |
+======+======+===========+======+=========+=========+=========+==========+=========+=========+==========+===========+
| 1    | 1    | 0         | y    | AUTO    | y       | n       | n        | 2       | 3       | 1        | 27        |
+------+------+-----------+------+---------+---------+---------+----------+---------+---------+----------+-----------+
SecFlow-1#
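The following script is an added example, not RAD's or the SecFlow-1's own code. It models the IEC 101 wire layout that the iec101 create parameters link_address_field_length, common_address_field_length, orig_addr_participate and ioa_length control, using the step 5 values (link_addr 27, asdu_addr 1, orig_addr 0, both lengths 2) and the CLI's dashed IOA notation, and then decodes the same frame with a constructed RTU setting that omits the originator address, which shows the field misalignment behind the troubleshooting advice to check CA length, LA length and COT size against the RTU. The control byte, type identification, command value and byte-order choice for the dashed IOA are assumptions of this example.

```python
"""IEC 60870-5-101 framing under the SecFlow-1 gateway's configurable field lengths.

Added example, not RAD's own code. It wraps an ASDU in an FT1.2 variable-length
frame using the four 'iec101-gw config iec101 create' parameters that change the
wire layout (link_address_field_length, common_address_field_length,
orig_addr_participate, ioa_length) and decodes the frame again with a second,
deliberately mismatched parameter set. All addresses, the control byte, the type
identification and the command value are constructed sample data.
"""
from dataclasses import dataclass

START_VAR = 0x68  # FT1.2 variable-length frame start character
END_CHAR = 0x16   # FT1.2 end character


@dataclass(frozen=True)
class Iec101Layout:
    """The 'iec101 create' fields that determine where each field sits in a frame."""
    link_address_field_length: int = 2    # 1 | 2 octets
    common_address_field_length: int = 2  # 1 | 2 octets
    orig_addr_participate: bool = True    # True -> COT is 2 octets (cause + originator)
    ioa_length: int = 3                   # 1 | 2 | 3 octets

    @property
    def cot_length(self) -> int:
        return 2 if self.orig_addr_participate else 1


def parse_ioa(text: str, ioa_length: int) -> int:
    """Convert the CLI's dashed IOA notation ('5-212-151', '5-212', '5') to an integer.

    Each byte must be 1-255 and the byte count must equal ioa_length. byte1 is
    taken as the least significant octet (an assumption of this example; IEC 101
    transmits multi-octet fields least significant octet first).
    """
    parts = [int(p) for p in text.split("-")]
    if len(parts) != ioa_length:
        raise ValueError(f"{text!r} has {len(parts)} bytes but ioa_length is {ioa_length}")
    if any(not 1 <= p <= 255 for p in parts):
        raise ValueError(f"{text!r}: each IOA byte must be 1-255")
    return int.from_bytes(bytes(parts), "little")


def build_asdu(layout, type_id, cot, orig_addr, common_addr, ioa, element):
    """Encode one ASDU: TYPE, VSQ, COT [+ ORIG], common address, IOA, element."""
    out = bytes([type_id, 0x01, cot & 0x3F])  # VSQ 0x01: a single information object
    if layout.cot_length == 2:
        out += bytes([orig_addr])
    out += common_addr.to_bytes(layout.common_address_field_length, "little")
    out += ioa.to_bytes(layout.ioa_length, "little")
    return out + element


def build_frame(layout, control, link_addr, asdu):
    """Wrap control field, link address and ASDU in an FT1.2 variable-length frame."""
    body = bytes([control]) + link_addr.to_bytes(layout.link_address_field_length, "little") + asdu
    checksum = sum(body) & 0xFF  # sum of control, address and user data, modulo 256
    return bytes([START_VAR, len(body), len(body), START_VAR]) + body + bytes([checksum, END_CHAR])


def parse_frame(layout, frame):
    """Decode a frame according to 'layout' and return its fields as a dict."""
    if len(frame) < 6 or frame[0] != START_VAR or frame[3] != START_VAR or frame[-1] != END_CHAR:
        raise ValueError("not an FT1.2 variable-length frame")
    length = frame[1]
    if frame[2] != length or len(frame) != length + 6:
        raise ValueError("length fields do not match the frame size")
    body = frame[4:4 + length]
    if (sum(body) & 0xFF) != frame[4 + length]:
        raise ValueError("checksum mismatch")
    pos = 1  # body[0] is the control field
    la, ca = layout.link_address_field_length, layout.common_address_field_length
    link_addr = int.from_bytes(body[pos:pos + la], "little"); pos += la
    type_id, cot = body[pos], body[pos + 2] & 0x3F; pos += 3
    orig_addr = None
    if layout.cot_length == 2:
        orig_addr = body[pos]; pos += 1
    common_addr = int.from_bytes(body[pos:pos + ca], "little"); pos += ca
    ioa = int.from_bytes(body[pos:pos + layout.ioa_length], "little"); pos += layout.ioa_length
    return {"control": body[0], "link_addr": link_addr, "type_id": type_id, "cot": cot,
            "orig_addr": orig_addr, "common_addr": common_addr, "ioa": ioa,
            "element": body[pos:]}


# Gateway side: the step 5 values (asdu_addr 1, orig_addr 0, link_addr 27,
# both address lengths 2, orig_addr_participate y) with a 3-octet IOA.
GATEWAY = Iec101Layout(2, 2, True, 3)
# Constructed RTU side that does NOT carry the originator address (COT is 1 octet).
RTU_NO_ORIG = Iec101Layout(2, 2, False, 3)

SAMPLE_FRAME = build_frame(
    GATEWAY, control=0x53, link_addr=27,          # 0x53: PRM=1, FCV=1, function 3 (user data)
    asdu=build_asdu(GATEWAY, type_id=45, cot=6,   # C_SC_NA_1 single command, COT 6 (activation)
                    orig_addr=0, common_addr=1,
                    ioa=parse_ioa("5-212-151", 3), element=b"\x01"))


def decode_as(layout):
    """Decode SAMPLE_FRAME the way a peer configured with 'layout' would."""
    return parse_frame(layout, SAMPLE_FRAME)


if __name__ == "__main__":
    print("gateway view     :", decode_as(GATEWAY))
    print("RTU, COT 1 octet :", decode_as(RTU_NO_ORIG))  # common_addr reads as 256, not 1
```

With the mismatched layout the RTU reads the gateway's originator byte as the first octet of the common address, so CA 1 arrives as 256 and the IOA and command value shift by one octet as well.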

8.5 IPsec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol
(IP) communications by authenticating and/or encrypting each IP packet of a
communication session.

Applications
IPsec must be configured when one of the following VPNs is used:
• DMVPN: IPsec is mandatory
• IPsec-VPN: IPsec is mandatory

Authentication Header
The IP Authentication Header (AH) is used to provide connectionless integrity and
data origin authentication for IP datagrams. The AH is supported for IKE phase 2
(transport, tunnel). No specific configuration is required.


Authentication and encryption are implemented for ESP.

Encapsulating Security Payload


ESP provides origin authenticity, integrity and confidentiality protection of IP
packets. The ESP supported exchange mode is IKE phase 1 (main, aggressive).
The supported mode is IKE phase 2 (transport, tunnel).
Origin authentication is supported by the IKE phase 1 and phase 2 cryptographic
HASH algorithms.
Encryption is supported by the IKE phase 1 and phase 2 algorithms.

Security Associations
A Security Association (SA) is a relationship between two or more entities that
describes how the entities utilize security services to communicate securely.
These entities are the VPN Hubs and Spokes.
This relationship is represented by a set of information that can be considered as
a contract between the entities. The information must be agreed and shared
between all the entities.
ISAKMP provides the protocol exchanges to establish a security association
between negotiating entities, followed by the establishment of a security
association by these negotiating entities on behalf of ESP/AH.

ISAKMP
ISAKMP provides a framework for authentication and key exchange, and is
designed to be key exchange independent; protocols such as Internet Key
Exchange and Kerberized Internet Negotiation of Keys provide authenticated
keying material for use with ISAKMP.
An initial protocol exchange allows a basic set of security attributes to be agreed
upon. This basic set provides protection for subsequent ISAKMP exchanges. It
also indicates the authentication method and key exchange that will be
performed as part of the ISAKMP protocol. After the basic set of security
attributes has been agreed upon, initial identity authenticated, and required keys
generated, the established SA can be used for the protection of the VPN tunnels.
ISAKMP protects against denial of service, replay/reflection and
man-in-the-middle. These types of attacks are targeted against protocols.
A security association (SA) is a set of policy and key(s) used to protect
information. The ISAKMP SA is the shared policy and key used by the negotiating
peers in this protocol to protect their communication.
ISAKMP uses the Internet Key Exchange (IKEv1) for the authentication and
encryption establishment.

IKE
IKE is the protocol used to set up a security association (SA) in the IPsec protocol
suite. IKE builds upon the Oakley protocol and ISAKMP.

IKE uses X.509 certificates for authentication, either pre-shared or distributed
using DNS (preferably with DNSSEC), and a Diffie–Hellman key exchange to set up
a shared session secret from which cryptographic keys are derived. In addition,
a security policy for every peer that will connect must be manually maintained.

ISAKMP Phase 1
In Phase 1 two ISAKMP VPN peers establish a secure, authenticated
communication channel named ISAKMP Security Association (SA) or IKE Security
Association.
The authentication is supported using Pre-Shared Keys or Digital Signatures
(X.509).

Note The use of IPsec with X.509 is only possible when the ike-phase1-mode is set to
aggressive.

Diffie-Hellman Key Exchange


Diffie–Hellman key exchange is a specific method of securely exchanging
cryptographic keys over a public channel.
Diffie-Hellman key agreement requires that both the sender and recipient of a
message have key pairs. The private key of each member is never sent over the
insecure channel. The public key is generated from the private key by each
member and is the one sent over the insecure channel. By combining one's
private key and the other party's public key, both parties can compute the same
shared secret number. This number can then be converted into cryptographic
keying material. That keying material is typically used as a key-encryption key
(KEK) to encrypt the VPN GRE traffic. This key is kept secret and never exchanged
over the insecure channel.
The D-H groups are identified by the length of the keys in bits. The larger the key
(higher group id), the higher the security, but more resources are required and
performance degradation is possible.
The D-H exchange can be authenticated with RSA signatures or pre-shared keys.
The exchange modes used in ISAKMP Phase 1 are the Main Mode and Aggressive
Mode.

Authentication

Pre-shared Key (PSK)


A PSK is an IKE phase 1 authentication option.
The encryption, hash, and authentication algorithm for use with a pre-shared key
are a part of the state information distributed with the key itself.
Each VPN end point (Hubs, Spokes) must have a unique ID and a common shared
key known to the remote VPN partner. Together they form the PSK station.
When a pre-shared key is used to generate an authentication payload:
• the certification authority is None
• the Authentication Type is Preshared
• the payload contains the ID, encoded as two 64-bit quantities
• the result of applying the pseudorandom hash function to the message body
with the KEY forms the function key.
The PSK can be set in one of the following forms:
• IP address form A.B.C.D.
 - Allowed in both Main and Aggressive IKE modes
 - The PSK of all members should be taken as their VPN network IP address
• Fully qualified domain name (FQDN), allowed only when Aggressive IKE mode
is used.

Note The URL of X.509 certificate should contain no more than 64 characters.

Below is an example of PSK configuration.


1. Detail the VPN members preshared IDs and specify the local unit ID.
SecFlow-1#
ipsec isakmp update authentication-method pre_shared_key
ipsec isakmp update my-id SA.radiflow.com
ipsec preshared create id SA.radiflow.com key secretkey
ipsec preshared create id SB.radiflow.com key secretkey
ipsec policy create protocol gre
ipsec enable
commit

2. Verify the configuration result by the show output.


RSA Signatures (X.509)


RSA (Rivest, Shamir, Adleman) is a public-key cryptosystem widely used for
secure data transmission. In such a cryptosystem, the encryption key is public
and differs from the decryption key, which is kept secret. In RSA, this
asymmetry is based on the practical difficulty of factoring the product of two
large prime numbers, the factoring problem.
The algorithm uses a digital certificate authenticated by an RSA signature.
The user generates certificates from a trusted source and imports them to the
VPN parties (Hubs, Spokes). Two files are required: the certificate itself and
the key. The files should have the extensions .crt and .key.
Figure 8-7 shows a screenshot of two such files placed on a PC with a TFTP client.

Figure 8-7. Certificate Files

Handling Certificates
SCEP (Simple Certificate Enrollment Protocol) is widely accepted as a simple means
of handling certificates in large-scale implementations.
The protocol supports the following general operations:
• CA public key distribution
• Certificate enrollment
• Certificate renewal/update
• Certificate query
• CRL query

The SCEP mechanism is implemented by Microsoft NDES (Network Device
Enrollment Service). For more information, refer to the NDES page on the
Microsoft website.

Below is an example of importing these files using the CLI.


1. Import the key file.
SecFlow-1# rsA-signature import tftp://172.17.203.31/IPsec.key
RSA signature file (IPsec.key) imported successfully

2. Import the certificate file.
SecFlow-1# rsA-signature import tftp://172.17.203.31/IPsec.crt
RSA signature file (IPsec.crt) imported successfully

3. Validate the successful import.
SecFlow-1# show rsA-signature list
IPsec.crt
IPsec.key

4. Activate the certificate.
SecFlow-1# ipsec rsa-signature activate crt-file IPsec.crt key-file IPsec.key
rsa-sig-name test_1

5. Update the IPsec ISAKMP to use the certificate instead of the PSK.
ipsec isakmp update authentication-method rsasig

Note The IPsec ISAKMP parameter my-id is not significant when certificates are used
as the authentication method.

The above configuration result is presented by the following show output.


Exchange Modes

Main Mode
Main mode is the Phase 1 option featuring the higher security level, since it
includes identity protection.
The session proceeds as follows:
• To start the session, the initiator sends a proposal to the responder
describing which encryption and authentication protocols are supported, the
lifetime of the keys, and whether phase 2 perfect forward secrecy is required.
The proposal may contain several offerings.
The responder selects the required options and replies to the initiator.
• The next exchange uses Diffie-Hellman public keys and other data. All further
negotiation is encrypted within the IKE SA.
• The third exchange authenticates the ISAKMP session. Once the IKE SA is
established, IPsec negotiation (Quick Mode) begins.


The IKE Main mode is not applicable to the applications with the dynamic VPN IP
addresses (for example a cellular spoke retrieving dynamic IP from the ISP over its
PPP interface).
In the main mode, the PSK must be in the form of IP address, and use the VPN
network addresses of the parties.

Note In applications with VPN over a cellular link, the Main mode is not applicable. Use
the Aggressive IKE mode in such applications.

Aggressive Mode
In the Aggressive mode, the negotiation is faster since the session is completed
in three messages only. The disadvantage of this mode is that the peer’s
identity is not protected.
The first two messages negotiate policy, exchange Diffie-Hellman public values
and auxiliary data required for the exchange, and identities. The second message
authenticates the responder. The third message authenticates the initiator and
approves participation in the exchange.
• The initiator sends a request with all required SA information.
• The responder replies with its authentication and ID.
• The initiator authenticates the session in the follow-up message.
In the Aggressive mode, the PSK may be in either the IP address or the FQDN form.
The PSK need not be the actual IP address, since it is treated as text (in IP
format) and not as a valid IP address.

Note In applications with VPN over a cellular link, the Aggressive IKE mode is
mandatory. The PSK may be in IP or FQDN format.

Settings Structure
ISAKMP Phase 1 configuration includes the following parameters:
• Authentication method (PSK, X.509)
• Diffie-Hellman key exchange group (a.k.a. Oakley groups)
• IKE exchange mode
  - Main
  - Aggressive
• Encryption algorithm
  - Advanced Encryption Standard (AES): symmetric algorithm, 128- and 256-bit
    key size options
  - Triple Data Encryption Algorithm (3DES): comprises three DES keys, K1, K2
    and K3, each of 56 bits
• Authentication (HASH) algorithms
  - Secure Hash Algorithm SHA-1 (160 bit)
  - Secure Hash Algorithm SHA-2 (256 | 512 bit)
  - Message Digest (MD5) (128 bit)
• Lifetime and Dead Peer Discovery settings

ISAKMP Phase 2
This phase includes the SA negotiation to secure the VPN GRE data using IPsec.

Modes
SecFlow-1 supports Transport mode between end-stations running IPsec (the VPN
parties).

Perfect Forward Secrecy (PFS)
PFS is part of the key agreement session and ensures that a session key derived
from the long-term public and private keys is not compromised if one of the
long-term private keys is compromised. The VPN (GRE, IPsec) sessions can
negotiate new keys for every connection, so that if a key is compromised, only
the specific session protected by that key is revealed.
PFS also uses the D-H groups, but differently than in Phase 1.

Settings Structure
ISAKMP Phase 2 configuration includes the following parameters:
• Supported mode
  - Transport (yes)
  - Tunnel (no)
• Authentication (HASH) algorithms
  - Secure Hash Algorithm SHA-1 (160 bit)
  - Secure Hash Algorithm SHA-2 (256 | 512 bit)
  - Message Digest (MD5) (128 bit)
• Perfect Forward Secrecy (PFS) type
• Encryption algorithm
  - Advanced Encryption Standard (AES): symmetric algorithm, 128- and 256-bit
    key size options
  - Triple Data Encryption Algorithm (3DES): comprises three DES keys, K1, K2
    and K3, each of 56 bits
• Lifetime
  - Soft (hard coded): at this threshold value IKE starts a new Phase 2
    exchange.
  - Hard: an SA that exceeds this threshold value is discarded.


IPsec Command Association

Below are the IPsec configuration fields used in the ISAKMP structure.
The CLI names of the configurable fields are given in brackets.
Enable IPsec
{enable | disable}
Settings
Log level (log-level)
Dead Peer Discovery
delay (dpd-delay)
max failure (dpd-maxfail)
max retries (dpd-retry)
flush Security Association (flush-sa proto)
id-type (id-type)
soft timer (soft-lifetime)

Phase 1
Authentication method {pre_shared_key | rsasig}
Diffie-Hellman key exchange group (dh-group)
Internet Key Exchange mode (ike-phase1-mode)
Encryption algorithm (phase1-encryption-algo)
Hash algorithm (phase1-hash-algo)
Lifetime (phase1-lifetime)

Phase 2
Perfect Forward Secrecy (pfs-group)
Encryption algorithm (phase2-encryption-algo)
Authentication algorithm (phase2-auth-algo)
Lifetime (phase2-lifetime)
IPsec Policy
Name (notes)
Source address (src-address-prefix)
Destination address (dst-address-prefix)
Source protocol port (src-port)
Destination protocol port (dst-port)
Protocol (protocol)
Preshared Keys
Key (key)
Own PSK id (id)
Partner PSK id (id)
Certificates X.509
Import crt file (rsa-signature import)
Import key file (rsa-signature import)
Activate certificate file (rsa-signature activate)
Certificate name (rsa-sig-name)


IPsec Commands Hierarchy

+ root
- rsa-signature import {flash:<file name> | sftp://<user>:<password>@<ip>/<file_name> | tftp://<ip>/<file_name>}
- show rsa-signature list
+ ipsec {enable | disable}
- flush-sa proto {ah | esp | IPsec | isakmp}
- rsa-signature activate {crt-file <file name> | key-file <file name> | rsa-sig-name <name>}
+ isakmp update
- authentication-method {pre_shared_key | rsasig}
- dh-group <none | modp768 | modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144>
- pfs-group <none | modp768 | modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp8192>
- dpd-delay <5,0-120> dpd-maxfail <5,2-20> dpd-retry <5,1-20>
- log-level <error | warning | notify | info | debug | debug2>
- my-id <>
- soft-lifetime <1-99>
- id-type {none | fqdn}
- ike-phase1-mode <aggressive | main> phase1-encryption-algo <3des | aes-128 | aes-256> phase1-hash-algo <md5 | sha1 | sha256 | sha512>
- phase2-auth-algo <hmac_md5 | hmac_sha1 | hmac_sha256 | hmac_sha512> phase2-encryption-algo <3des | aes-128 | aes-256>
- phase1-lifetime <86400,(180-946080000)> phase2-lifetime <86400,(180-946080000)>
- rsa-sig-name <name>
+ policy {create | remove | show} src-address-prefix <A.B.C.D/E> dst-address-prefix <A.B.C.D/E> src-port <> dst-port <> protocol [gre | tcp | udp] notes [text]
+ preshared {create | remove} key <> id <>
+ show
- log {grep | num-of-lines}
- global-defs
- policy
- preshared
- rsa-signature-file
- sa [proto {ah | esp | IPsec | isakmp}]

IPsec Commands Description

Command Description

rsa-signature import – Import the X.509 certificate file and key file into the
application from a connected USB drive or from TFTP/SFTP servers. These files
are mandatory for IPsec to encrypt using X.509 certificates. They are not
required if IPsec is used with preshared keys.
show rsa-signature list – Show the available files.
ipsec – Enter the IPsec configuration mode.
enable | disable – Default is disable.
rsa-signature activate – Activate the available certificate and key files.
  crt-file: name of the certificate file.
  key-file: name of the key file.
  rsa-sig-name: user configurable name for the signature.
isakmp update
authentication-method – pre_shared_key: preshared keys are used (default).
rsasig: X.509 certificates are used.
dh-group – Diffie-Hellman key exchange group. Relates to Phase 1. Determines the
strength of the key used in the key exchange process: the higher the group
number, the stronger the key and the higher the security.
Options:
• none
• modp768 (DH group 1)
• modp1024 (default) (DH group 2)
• modp1536 (DH group 3 and 5)
• modp2048 (DH group 14)
• modp3072 (DH group 15)
• modp4096 (DH group 16)
• modp6144 (DH group 17)
• modp8192 (DH group 18)
pfs-group – Perfect Forward Secrecy type. Relates to Phase 2. Determines the
strength of the key used in the key exchange process: the higher the group
number, the stronger the key and the higher the security.
Options:
• none
• modp768
• modp1024 (default)
• modp1536
• modp2048
• modp3072
• modp4096
• modp6144
• modp8192
dpd-delay – Dead Peer Discovery delay. Defines the interval between consecutive
keep-alive messages. Permissible range: 0-120 (default is 5).
dpd-maxfail – Dead Peer Discovery maximum number of attempts used to determine
failure. Permissible range: 2-20 (default is 5).
dpd-retry – Dead Peer Discovery maximum retry attempts. A retry is initiated
after a failure at "dpd-maxfail". Permissible range: 1-20 (default is 5).
log-level – Syslog levels to be logged: error, warning, notify, info (default),
debug, debug2.
my-id – Own preshared ID. Depending on the "id-type" setting, my-id can be in
either domain name format or IPv4 format. If "id-type" is set to "none", there
is no need to set a value in "my-id", as it automatically uses a valid IP
address. If "id-type" is set to "fqdn", "my-id" should be set in domain name
format, for example spoke.radiflow.com.
id-type – Set the form used for the IPsec local ID.
  none: the unit's own preshared ID will be the default IP interface.
  address: this option is not supported in the current version.
  fqdn: the unit's own preshared ID is in domain name format, for example
  spoke.radiflow.com.
  Default: none.
ike-phase1-mode – Internet Key Exchange mode type used for Phase 1: aggressive
(default), main.
phase1-encryption-algo – Encryption algorithm used for Phase 1: 3des, aes-128
(default), aes-256.
phase1-hash-algo – Hash algorithm used for Phase 1: md5, sha1 (default), sha256,
sha512.
phase1-lifetime – The lifetime of the key generated between the stations.
180-946080000 sec. Default is 86400.
phase2-auth-algo – Authentication algorithm for Phase 2: hmac_md5 (default),
hmac_sha1, hmac_sha256, hmac_sha512.
phase2-encryption-algo – Encryption algorithm for Phase 2: 3des (default),
aes-128, aes-256.
phase2-lifetime – The lifetime of the key generated between the stations.
180-946080000 sec. Default is 86400.
soft-lifetime – When a dynamic IPsec SA is created, two types of lifetime are
used: hard and soft. The hard lifetime specifies the lifetime of the SA. The
soft lifetime, which is derived from the hard lifetime, informs the IPsec key
management system that the SA is about to expire. This allows the key
management system to negotiate a new SA before the hard lifetime expires.
Permissible values are 1-99 and represent a percentage:
soft lifetime = <1-99> * hard lifetime / 100
rsa-sig-name – The name set by the user for the signature.
policy create – Configure the policy that determines the type of traffic to
encrypt:
  src-ip: IP address of the packet source, in A.B.C.D form.
  dst-ip: IP address of the packet destination, in A.B.C.D form.
  src-port: port number of the packet source.
  dst-port: port number of the packet destination.
  protocol: the type of protocol, for example TCP, UDP, GRE.
  notes: name of the policy.
preshared {create | remove} – Configuration of preshared identifiers for the
local node and all remote IPsec nodes.
  id: unique identifier for the IPsec participant node. Can be in either domain
  name format or IPv4 format.
  key: preshared key, which should be common to all participating nodes. Text,
  numerical or combination string.


show – Show IPsec.

IPsec Default Parameters
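An added example (not RAD's code, and not the unit's own defaults table): the Python script below merges isakmp update lines over the defaults stated in the commands description above and flags settings a reviewer would tighten. The 80% soft-lifetime default is an assumption, since the manual gives only the range 1-99.

```python
"""Audit of SecFlow-1 ISAKMP settings (added example, not RAD's code).

Merges `isakmp update <param> <value> ...` lines over the defaults given in the
IPsec Commands Description table and reports settings worth tightening.
"""
import shlex

# Defaults as listed in the commands description. The soft-lifetime default (80%)
# is an assumption: the manual states only the permissible range 1-99.
DEFAULTS = {
    "authentication-method": "pre_shared_key",
    "dh-group": "modp1024",
    "pfs-group": "modp1024",
    "ike-phase1-mode": "aggressive",
    "phase1-encryption-algo": "aes-128",
    "phase1-hash-algo": "sha1",
    "phase1-lifetime": "86400",
    "phase2-auth-algo": "hmac_md5",
    "phase2-encryption-algo": "3des",
    "phase2-lifetime": "86400",
    "dpd-delay": "5",
    "dpd-maxfail": "5",
    "dpd-retry": "5",
    "soft-lifetime": "80",
    "id-type": "none",
    "my-id": "",
    "rsa-sig-name": "",
}

WEAK_DH = {"none", "modp768", "modp1024"}

# (parameter, values considered weak, advice). The advice follows the manual's own
# notes: higher DH groups give stronger keys, PFS keeps session keys independent
# of long-term keys, and aggressive mode leaves the peer identity unprotected.
CHECKS = [
    ("phase1-hash-algo", {"md5"}, "use sha256 or sha512"),
    ("phase2-auth-algo", {"hmac_md5"}, "use hmac_sha256 or hmac_sha512"),
    ("phase1-encryption-algo", {"3des"}, "use aes-256"),
    ("phase2-encryption-algo", {"3des"}, "use aes-256"),
    ("dh-group", WEAK_DH, "use modp2048 or higher"),
    ("pfs-group", WEAK_DH, "use modp2048 or higher so phase 2 keys do not depend on phase 1 keying"),
    ("ike-phase1-mode", {"aggressive"},
     "use main mode unless a dynamic (cellular) peer address forces aggressive mode"),
]

def parse_isakmp_lines(lines):
    """Return the effective ISAKMP settings after applying `isakmp update` lines."""
    cfg = dict(DEFAULTS)
    for line in lines:
        tokens = shlex.split(line)
        if tokens and tokens[0].endswith("#"):   # drop a CLI prompt such as "SecFlow-1#"
            tokens = tokens[1:]
        if tokens and tokens[0] == "ipsec":      # accept the "ipsec isakmp update ..." form
            tokens = tokens[1:]
        if tokens[:2] != ["isakmp", "update"]:
            continue
        params = tokens[2:]
        if len(params) % 2:
            raise ValueError(f"parameter without value: {line!r}")
        for key, value in zip(params[0::2], params[1::2]):
            if key not in cfg:
                raise ValueError(f"unknown ISAKMP parameter: {key}")
            cfg[key] = value
    return cfg

def audit(cfg):
    """Return a list of (parameter, current value, advice) for weak settings."""
    findings = []
    for param, weak, advice in CHECKS:
        if cfg[param] in weak:
            findings.append((param, cfg[param], advice))
    for phase in ("phase1-lifetime", "phase2-lifetime"):
        if not 180 <= int(cfg[phase]) <= 946080000:
            findings.append((phase, cfg[phase], "outside the permitted 180-946080000 s"))
    return findings

def soft_lifetime_seconds(cfg, phase=2):
    """Soft lifetime in seconds per the manual: <1-99> * hard lifetime / 100."""
    pct = int(cfg["soft-lifetime"])
    if not 1 <= pct <= 99:
        raise ValueError("soft-lifetime must be 1-99 (percent)")
    return pct * int(cfg[f"phase{phase}-lifetime"]) // 100

if __name__ == "__main__":
    # Constructed sample: the certificate-based setup from the procedure above, hardened.
    sample = [
        "SecFlow-1# ipsec isakmp update authentication-method rsasig",
        "isakmp update ike-phase1-mode main dh-group modp2048 pfs-group modp2048",
        "isakmp update phase1-hash-algo sha256 phase2-auth-algo hmac_sha256",
        "isakmp update phase2-encryption-algo aes-256 soft-lifetime 75",
    ]
    for finding in audit(parse_isakmp_lines([])):
        print("factory defaults:", *finding)
    print("hardened sample findings:", audit(parse_isakmp_lines(sample)))
```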


8.6 Modbus Gateway

SecFlow-1 can serve as an Ethernet gateway between an RS-232 Modbus RTU device
and a Modbus TCP client (SCADA).
A Modbus TCP to Modbus ASCII gateway is not available.
The Modbus RTU slave is connected to the router RS-232 serial port via an
RS-232 link. The Modbus TCP client (SCADA) may be connected directly to the
router Ethernet port or via an IP cloud. The router gateway encapsulates Modbus
RTU traffic in TCP packets with port 502.
The Modbus gateway is addressed using the station IDs of the connected Modbus
RTU devices. The gateway's ACE IP interface is used as the source of its TCP
traffic.
A packet sent from the Modbus TCP client contains the gateway IP (source) and
the Modbus RTU station ID (target). The gateway listens for incoming packets and
forwards each message in serial format to the relevant Modbus RTU device, using
the station ID as the identifier.
Up to five gateways can operate simultaneously. Each must use a different ACE IP
interface and have a unique gateway ID.
A serial port connecting a Modbus RTU device can be associated with a single
gateway unit. A Modbus RTU device must have at least one unique ID.

Functional Description
The Modbus gateway is supported between a Modbus TCP device and a Modbus RTU
device. A Modbus TCP to Modbus ASCII gateway is not implemented.
The gateway translates Modbus frames of the same structure. The Modbus TCP
device is therefore required to use the same frame structure as the Modbus RTU
device.
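An added example, not RAD's implementation: the Python code below performs the MBAP-to-RTU frame translation and the unit-id based dispatch that the gateway is described as doing, including the CRC-16 check on serial replies. The gateway id, address and unit-id values mirror the configuration procedure later in this section; the frame contents are constructed samples.

```python
"""Modbus TCP <-> Modbus RTU translation as the gateway performs it (added
example; not RAD's implementation).

The TCP side carries an MBAP header (transaction id, protocol id 0, length,
unit id) followed by the PDU; the serial side carries unit id + PDU + CRC-16.
The unit id selects the serial port exactly as `mapping add-id` associates a
station id with a slot/port and a gateway instance.
"""
from __future__ import annotations

import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS (polynomial 0x8005 reflected as 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_frame(unit: int, pdu: bytes) -> bytes:
    """Build an RTU frame: unit id, PDU, CRC (low byte first)."""
    body = bytes([unit]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def tcp_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus TCP ADU: big-endian MBAP header followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def tcp_to_rtu(adu: bytes) -> tuple[int, int, bytes]:
    """Validate the MBAP header and return (transaction id, unit id, RTU frame)."""
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(adu) - 6:
        raise ValueError("MBAP length field does not match payload")
    return tid, unit, rtu_frame(unit, adu[7:])


def rtu_to_tcp(tid: int, frame: bytes) -> bytes:
    """Check the CRC of a serial reply and wrap it with the original transaction id."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc != crc16_modbus(body):
        raise ValueError("RTU CRC mismatch")
    return tcp_adu(tid, body[0], body[1:])


class ModbusGateway:
    """One gateway instance: an ACE IP address plus a unit-id -> (slot, port) map."""

    def __init__(self, gw_id: int, address_prefix: str, tcp_port: int = 502):
        if not 1 <= gw_id <= 5:
            raise ValueError("gw-id must be 1-5")
        self.gw_id, self.address_prefix, self.tcp_port = gw_id, address_prefix, tcp_port
        self.units: dict[int, tuple[int, int]] = {}

    def add_id(self, slot: int, port: int, unit_id: int) -> None:
        """Equivalent of `mapping add-id slot <slot> port <port> gw-id <id> unit-id <unit>`."""
        if not 1 <= unit_id <= 255:
            raise ValueError("unit-id must be 1-255")
        self.units[unit_id] = (slot, port)

    def route(self, adu: bytes):
        """Return ((slot, port), tid, rtu_frame), or None if no port serves the unit id."""
        tid, unit, frame = tcp_to_rtu(adu)
        target = self.units.get(unit)
        if target is None:
            return None   # unmapped station id: nothing to forward on the serial side
        return target, tid, frame


if __name__ == "__main__":
    # Constructed sample mirroring the configuration procedure: gateway 4 on
    # 192.168.40.10/24 with Modbus RTU unit 3 behind slot 1 port 1.
    gw = ModbusGateway(4, "192.168.40.10/24")
    gw.add_id(1, 1, 3)
    # Read Holding Registers (function 03) starting at 0, quantity 2, for unit 3.
    request = tcp_adu(1, 3, bytes.fromhex("0300000002"))
    print("serial side:", gw.route(request))
    # Reply from the RTU: function 03, 4 data bytes, registers 0x0001 and 0x0002.
    print("tcp side:", rtu_to_tcp(1, rtu_frame(3, bytes.fromhex("030400010002"))).hex())
```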

Modbus Gateway Commands Hierarchy

+ root
+ serial
+ port
- create {slot <1>} {port <1-4>} {mode-of-operation <transparent>} [baudrate <>] [parity <>] [stopbits <>] admin-status [up | down]
- show
+ local-end-point
- create {slot <1>} {port <1-4>} {application <modbus-gw>} {service-id <>} [position <>] [protocol <>]
- show
+ modbus-gw
- show-gw-list
- connection [clear | show]
- counters
- clear-id {gw-id <1-5>} {unit-id <1-255>}
- clear-port {slot 1 port <1-4>}
- show-by-id {gw-id <1-5>} {unit-id <1-255>}
- show-by-port {slot 1 port <1-4>}
+ debug
- map-units-on-bus-show slot 1 port <1-4>
- map-units-on-bus-start slot 1 port <1-4>
- show-serial-points slot 1 port <1-4>
- show-server-points slot 1 port <1-4>
- show-tcp-points
+ history
- clear {gw-id <1-5>}
- show {gw-id <1-5>}
+ mapping
- add-gw {address-prefix <a.b.c.d/e>} {admin-status (enable | disable)} {gw-id <1-5>} [timeout-period <500-100,000>]
- add-id {slot 1 port <1-4>} {gw-id <1-5>} {unit-id <1-255>}
- remove-gw {gw-id <1-5>}
- show-ids [gw-id <1-5>]
+ update [admin-status (enable | disable) | timeout {gw-id <1-5> timeout-period <500-100,000>}]

Modbus Gateway Commands Description

Command Description

modbus-gw
show-gw-list – Display the list of available gateways.
connection – Clear | show live and historical TCP connections.
counters – Clear | show counters per gateway ID and unit ID.
debug – map-units-on-bus-start: initiate mapping of the station IDs connected
behind a serial port. map-units-on-bus-show: show the station IDs identified
behind the serial port.
history – show: show the latest reply from each unit and the time in seconds
since that connection, per gateway instance. clear: clear the history table,
per gateway instance.
mapping – Map a new gateway instance.
  address-prefix: IP address of an available ACE interface, a.b.c.d/e.
  admin-status: (enable | disable).
  gw-id: unique gateway instance identifier, <1-5>.
  timeout-period: the maximum time allowed between incoming packets over the
  TCP session before it is dropped, <500-100,000> msec.
add-gw – Add a gateway instance.
add-id – Add a Modbus RTU station ID to a serial port and a gateway instance.
remove-gw – Remove a gateway instance.
show-ids – Show the Modbus RTU station IDs behind a gateway instance.
update – Update the properties of a gateway instance: admin-status
(enable | disable), timeout-period <500-100,000>.

Configuring Modbus Gateway

Figure 8-8 demonstrates the Modbus gateway configuration.

Figure 8-8. Modbus Gateway Setup

To configure the Modbus gateway:

1. Assign an IP interface.
router interface create address-prefix 192.168.40.10/24 physical-interface eth1 description client admin-status enable purpose application-host

2. Assign a serial port to connect the Modbus RTU slave.
serial port create slot 1 port 1
serial local-end-point create slot 1 port 1 service-id 1 protocol modbus_rtu application modbus-gw

3. Set the gateway parameters.
modbus-gw mapping add-gw address-prefix 192.168.40.10/24 gw-id 4 admin-status enable
modbus-gw mapping add-id slot 1 port 1 gw-id 4 unit-id 3

4. Verify the gateway status.

[/] modbus-gw connection show
+-------+-------+-------------------+----------------+----------+
| Index | GW id | GW IP/Subnet | ip addr | src port |
+=======+=======+===================+================+==========+
| 1 | 4 | 192.168.40.11/24 | 192.168.40.11 | 55132 |
+-------+-------+-------------------+----------------+----------+
Completed OK

[modbus-gw/] debug map-units-on-bus-start port 1 slot 1


Port mapping started

Operation in process

[modbus-gw/] counters show-by-port

+------+------+----------+----------+----------+----------+
| Slot | Port | Rx valid | Rx error | Tx valid | Tx error |
+======+======+==========+==========+==========+==========+
| 1    | 1    | 477      | 0        | 582      | 0        |
+------+------+----------+----------+----------+----------+

[modbus-gw/] counters show-by-id gw-id 4


gwid:4 unit id:65535
+----+---------+----------+----------+----------+----------+
| Gw | Unit Id | Rx valid | Rx error | Tx valid | Tx error |
+====+=========+==========+==========+==========+==========+
| 4 | 3 | 477 | 0 | 599 | 0 |
+----+---------+----------+----------+----------+----------+

+------+------+----------+----------+----------+----------+
| Slot | Port | Rx valid | Rx error | Tx valid | Tx error |
+======+======+==========+==========+==========+==========+
| 1 | 1 | 477 | 0 | 616 | 0 |
+------+------+----------+----------+----------+----------+

[modbus-gw/] debug map-units-on-bus-show


Operation in process

[modbus-gw/] history show gw-id 4


Units connected to Gw 4:
+----+-----------------+
| id | seconds elapsed |
+====+=================+
| 3 | 153 |
+----+-----------------+

[modbus-gw/] mapping show-ids
+----------+------------------+---------+------+------+-------+
| GW index | GW IP/Subnet | Unit Id | slot | port | bus |
+==========+==================+=========+======+======+=======+
| 4 | 192.168.40.10/24 | 3 | 1 | 1 | RS232 |
+----------+------------------+---------+------+------+-------+

[modbus-gw/] debug show-serial-points


Serial points:
slot:1, port:1, pointer:0x1007c408

[modbus-gw/] debug show-server-points


Server points:
IP addr:192.168.40.10, GwId:4, Subnet mask:255.255.255.0, pointer:0x10081580,

[modbus-gw/] debug map-units-on-bus-show


List of units for slot[1] port[1]:
Port mapping ended


8.7 Network Address Translation (NAT)

SecFlow-1 supports both static and dynamic Network Address Translation (NAT)
settings.
Dynamic NAT settings allow LAN members to initiate sessions with targets located
on the WAN. The NAT router uses its WAN IP interface as the new source IP for
the session request, hiding the original private IP of the initiating LAN
device. The NAT router can use a single WAN IP interface to translate the
multiple private IP addresses of its LAN, thus limiting the required public IP
addresses to a single one.
Static NAT directs incoming WAN traffic to a particular target LAN client.
Usually the WAN station has no route to the private LAN, only to the router WAN
IP address; static NAT settings are therefore required for it to initiate
sessions towards the LAN targets.
The NAT router serves as both a routing function and a security layer,
providing WAN traffic access to the LAN.

Dynamic/Static NAT Configuration

Figure 8-9 illustrates the SecFlow-1 dynamic/static NAT configuration.

Figure 8-9. NAT Networking

PC communication towards the server depends on the SecFlow-1 router NAT
configuration:
• Static NAT only: the PC is not able to initiate a session towards the server.
Sessions initiated by the server are not received by the PC, but its replies
are received by the server.
• Dynamic NAT only: the PC is able to initiate sessions towards the server and
the server replies are received by the PC. Sessions initiated by the server
towards the PC are not received by the PC.
• Dynamic and static NAT together: both the server and the PC can initiate
sessions and receive replies.


NAT Commands Hierarchy

+ router
+ nat
+ dynamic
- create {interface-name {eth1.<vlan-id> | eth2.<vlan-id> | eth1:<id> | eth2:<id> | ppp0}} [description <text>]
- remove {interface-name {eth1.<vlan-id> | eth2.<vlan-id> | eth1:<id> | eth2:<id> | ppp0}}
- show
+ static
- create {original-ip <A.B.C.D>} {modified-ip <A.B.C.D>} [original-port <1-65535>] [modified-port <1-65535>] [protocol <tcp | udp | all>] [description <text>]
- remove {[rule-id <>] | [{original-ip <A.B.C.D>} {modified-ip <A.B.C.D>} {protocol <tcp | udp | all>}]}
- show

NAT Commands Description

Command Description

nat – Access the NAT configuration mode.
dynamic – Create | remove | show a dynamic NAT interface.
  interface-name: the IP interface on which to enable dynamic NAT. LAN packets
  egressing the router over this interface have their source IP replaced with
  the interface IP. The interface may be one associated with a physical port,
  or the cellular ppp0 interface.
  description: text describing the interface. Optional.
static – Create | remove | show static NAT entries.
  original-ip: the original destination IP in the incoming packet's IP header.
  modified-ip: the IP address to which NAT translates the original-ip.
  original-port: the original protocol destination port in the incoming
  packet's header.
  modified-port: the protocol port to which NAT translates the original-port.
  protocol: the protocol used by the incoming packet for which NAT should
  translate. Packets that do not meet this condition are not translated.
  rule-id: an identifier assigned automatically by the system to each static
  NAT entry. The rule-id alone is sufficient to remove an entry.

Configuring NAT
The Figure 8-10 example illustrates the NAT configuration that allows the PC,
located outside the LAN, to connect to the LAN.
The PC can manage SecFlow-1 using the switch private interface, and establish a
Telnet session with the server located in the LAN.


Figure 8-10. NAT Configuration

To configure NAT:
1. Set the LAN side interface.
router interface create address-prefix 10.10.10.10/24 physical-interface eth1 description LAN purpose application-host

2. Set the WAN side ACE interface.
router interface create address-prefix 192.168.10.11/24 physical-interface eth2 description WAN purpose general

3. Set dynamic NAT on the WAN ACE interface.
router nat dynamic create interface-name eth2:2 description wan

4. Configure static NAT to direct WAN traffic targeted to 192.168.10.11 with
the Telnet port (23) towards 10.10.10.10. This configuration allows the PC to
manage SecFlow-1.
router nat static create original-ip 192.168.10.11 modified-ip 10.10.10.10 original-port 23 modified-port 23 protocol tcp

5. Configure static NAT to direct WAN traffic targeted to 192.168.10.11 with
port 20000 (DNP3) towards 10.10.10.100. This configuration allows the PC to
establish a DNP3 session with the server.
router nat static create original-ip 192.168.10.11 modified-ip 10.10.10.100 original-port 20000 modified-port 20000 protocol tcp

6. Commit the configuration.
commit

7. View the output.
SecFlow-1#router interface show
+----+------+--------+------------------+------+---------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet        | Mtu  | Purpose | Admin status | Description |
+====+======+========+==================+======+=========+==============+=============+
| 1  | N/A  | eth1:1 | 10.10.10.10/24   | 1500 | general | enable       | LAN         |
+----+------+--------+------------------+------+---------+--------------+-------------+
| 2  | N/A  | eth2:2 | 192.168.10.11/24 | 1500 | general | enable       | WAN         |
+----+------+--------+------------------+------+---------+--------------+-------------+


[router/]nat dynamic show


+---------+---------+-------------+
| Rule-Id | If-Name | Description |
+=========+=========+=============+
| 1 | eth2:2 | wan |
+---------+---------+-------------+
SecFlow-1#router nat static show
+---------+-----------------+-------------------+----------+-----------------+-------------------+
| Rule-Id | Original-Dst-IP | Original-Dst-Port | Protocol | Modified-Dst-IP | Modified-Dst-Port |
+=========+=================+===================+==========+=================+===================+
| 1       | 192.168.10.11   | 23                | tcp      | 10.10.10.10     | 23                |
+---------+-----------------+-------------------+----------+-----------------+-------------------+
| 2       | 192.168.10.11   | 20000             | tcp      | 10.10.10.100    | 20000             |
+---------+-----------------+-------------------+----------+-----------------+-------------------+
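An added example, not RAD's code: the Python model below reproduces the static and dynamic NAT rules configured above and shows which side can initiate sessions in each of the three cases described for Figure 8-9. The WAN-side PC address 192.168.10.50 is a constructed value.

```python
"""Dynamic and static NAT behaviour modelled in Python (added example, not RAD's
code). Addresses follow the Figure 8-10 configuration above; the WAN-side PC
address 192.168.10.50 is a constructed value.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatRouter:
    """LAN <-> WAN forwarding with optional dynamic (masquerade) and static (DNAT) rules."""

    def __init__(self, lan_prefix: str, wan_ip: str):
        self.lan = ip_network(lan_prefix)
        self.wan_ip = wan_ip
        self.dynamic = False
        self.static = []      # rows as in `nat static show`: (orig ip, orig port, proto, mod ip, mod port)
        self.sessions = {}    # (nat port, proto) -> (LAN ip, LAN port) for dynamic sessions
        self._next_port = 40000

    def nat_dynamic_create(self) -> None:
        """`router nat dynamic create interface-name <wan if>`: masquerade LAN sources."""
        self.dynamic = True

    def nat_static_create(self, original_ip, modified_ip, original_port, modified_port, protocol="tcp"):
        """`router nat static create ...`: returns the rule-id the system would assign."""
        self.static.append((original_ip, original_port, protocol, modified_ip, modified_port))
        return len(self.static)

    def outbound(self, pkt: Packet) -> Packet | None:
        """LAN -> WAN: the translated packet, or None if the WAN peer cannot receive it."""
        if ip_address(pkt.src) not in self.lan:
            return None
        for orig_ip, orig_port, proto, mod_ip, mod_port in self.static:
            if (pkt.src, pkt.sport) == (mod_ip, mod_port) and proto in (pkt.proto, "all"):
                # reply of a statically translated session: restore the WAN-facing address
                return replace(pkt, src=orig_ip, sport=orig_port)
        if not self.dynamic:
            return None   # private source address with no return route on the WAN
        nat_port, self._next_port = self._next_port, self._next_port + 1
        self.sessions[(nat_port, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=nat_port)

    def inbound(self, pkt: Packet) -> Packet | None:
        """WAN -> LAN: only traffic to the WAN address matching a session or a static rule passes."""
        if pkt.dst != self.wan_ip:
            return None
        if (pkt.dport, pkt.proto) in self.sessions:
            lan_ip, lan_port = self.sessions[(pkt.dport, pkt.proto)]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        for orig_ip, orig_port, proto, mod_ip, mod_port in self.static:
            if (pkt.dst, pkt.dport) == (orig_ip, orig_port) and proto in (pkt.proto, "all"):
                return replace(pkt, dst=mod_ip, dport=mod_port)
        return None


def round_trip(router: NatRouter, req: Packet, from_lan: bool) -> bool:
    """True if the request reaches the peer and the peer's reply reaches the original sender."""
    fwd = router.outbound(req) if from_lan else router.inbound(req)
    if fwd is None:
        return False
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, fwd.proto)
    back = router.inbound(reply) if from_lan else router.outbound(reply)
    return back is not None and (back.dst, back.dport) == (req.src, req.sport)


WAN_IP, LAN_SERVER, WAN_PC = "192.168.10.11", "10.10.10.100", "192.168.10.50"


def scenario(static: bool, dynamic: bool) -> tuple[bool, bool]:
    """(LAN server can open a session to the PC, PC can open DNP3 to the LAN server)."""
    router = NatRouter("10.10.10.0/24", WAN_IP)
    if dynamic:
        router.nat_dynamic_create()
    if static:   # the two rules from the configuration procedure above
        router.nat_static_create(WAN_IP, "10.10.10.10", 23, 23, "tcp")
        router.nat_static_create(WAN_IP, LAN_SERVER, 20000, 20000, "tcp")
    lan_init = round_trip(router, Packet(LAN_SERVER, 51000, WAN_PC, 20000), from_lan=True)
    wan_init = round_trip(router, Packet(WAN_PC, 51001, WAN_IP, 20000), from_lan=False)
    return lan_init, wan_init


if __name__ == "__main__":
    for flags in ((True, False), (False, True), (True, True)):
        print(f"static={flags[0]} dynamic={flags[1]} -> (LAN initiates, WAN initiates) = {scenario(*flags)}")
```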

8.8 Open Shortest Path First (OSPF)

OSPF (Open Shortest Path First) is an Interior Gateway Protocol used to
distribute routing information within a single Autonomous System. Routers use
link-state algorithms to send routing information to all nodes in an
internetwork, calculating the shortest path to each node from the topology of
the internetwork constructed by each node. Each router sends:
• Its portion of the routing table (which keeps track of routes to particular
network destinations), describing the status of its own links
• The complete routing structure (topology)
The advantage of SPF algorithms is that they provide compact and more frequent
updates everywhere. They converge quickly, preventing routing loops and
Count-to-Infinity problems (where routers continuously increment the hop count
to a particular network).

OSPF Commands Hierarchy

+ root
+ router ospf
- enable
- exit
+ configure terminal
+ router ospf
- [no] area {A.B.C.D | <metric id, (0-4294967295)>}
- [no] router-id <A.B.C.D>
- [no] network {A.B.C.D/M | <interface name, eth1.(id)>}
- [no] passive-interface <interface name, eth1.(id)>
- [no] redistribute {connected | static}
- [no] neighbor A.B.C.D
- write
- exit
- exit

OSPF Commands Descriptions

Command Description

router interface create | remove – Add or remove an IP interface for the
application engine. The configuration should include:
  address-prefix: IP address in the format aa.bb.cc.dd/xx
  VLAN: VLAN ID that the application engine will use for this IP interface.
  The interface will be named eth1.<vlan id>.
router ospf enable
configure terminal – Enter configuration mode.
router ospf
  area – OSPF area parameters, given in A.B.C.D format or as a metric id
  (0-4294967295).
  router-id – Router ID for the OSPF process, given in A.B.C.D format.
  network – Enable routing on an IP network. The network can be given as
  A.B.C.D/M or as the name of a preconfigured interface eth1.<vlan id>.
  passive-interface – Suppress routing updates on an interface, given as the
  name of a preconfigured interface eth1.<vlan id>.
  redistribute – Redistribute information from another routing protocol.
  neighbor – Specify a neighbor router, given as A.B.C.D/M.
  write – Commit and preserve the configuration.

Configuring OSPF
Figure 8-11 illustrates the OSPF setup example. This configuration enables L3
OSPF-based protection over the closed network.


Figure 8-11. OSPF Setup

Configuring S1
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/1-2 untagged fa 0/1-2
exit

2. Assign VLANs and the corresponding IP interfaces.
vlan 101
ports fastethernet 0/1
exit

vlan 102
ports fastethernet 0/2
exit

interface vlan 101
shutdown
ip address 172.18.101.201 255.255.255.0
no shutdown
exit

interface vlan 102
shutdown
ip address 172.18.102.201 255.255.255.0
no shutdown
exit

3. Configure OSPF.
router ospf
router-id 10.10.10.101
network 172.18.101.201 255.255.255.0 area 0.0.0.0
network 172.18.102.201 255.255.255.0 area 0.0.0.0
end
commit

Configuring S2
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/2,0/3 untagged fa 0/2-3
exit

2. Assign VLANs and the corresponding IP interfaces.
vlan 102
ports fastethernet 0/2
exit

vlan 103
ports fastethernet 0/3
exit

interface vlan 102
shutdown
ip address 172.18.102.202 255.255.255.0
no shutdown
exit

interface vlan 103
shutdown
ip address 172.18.103.202 255.255.255.0
no shutdown
exit

3. Configure OSPF.
router ospf
router-id 10.10.10.102
network 172.18.102.202 255.255.255.0 area 0.0.0.0
network 172.18.103.202 255.255.255.0 area 0.0.0.0

end
commit

Configuring S3
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/4,0/3 untagged fa 0/3-4
exit


2. Assign VLANs and the corresponding IP interfaces.
vlan 103
ports fastethernet 0/3
exit

vlan 104
ports fastethernet 0/4
exit

interface vlan 103
shutdown
ip address 172.18.103.203 255.255.255.0
no shutdown
exit

interface vlan 104
shutdown
ip address 172.18.104.203 255.255.255.0
no shutdown
exit

3. Configure OSPF.
router ospf
router-id 10.10.10.103
network 172.18.104.203 255.255.255.0 area 0.0.0.0
network 172.18.103.203 255.255.255.0 area 0.0.0.0

end
commit

Configuring S4
1. Remove the network ports from default VLAN 1.
config
vlan 1
no ports fa 0/4,0/1 untagged fa 0/1,0/4
exit

2. Assign VLANs and the corresponding IP interfaces.
vlan 101
ports fastethernet 0/1
exit

vlan 104
ports fastethernet 0/4
exit

interface vlan 101
shutdown
ip address 172.18.101.204 255.255.255.0
no shutdown
exit

interface vlan 104
shutdown
ip address 172.18.104.204 255.255.255.0
no shutdown
exit

3. Configure OSPF.
router ospf
router-id 10.10.10.104
network 172.18.104.204 255.255.255.0 area 0.0.0.0
network 172.18.101.204 255.255.255.0 area 0.0.0.0
end
commit
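An added example, not RAD's code: the Python code below runs a shortest-path (SPF) computation over the ring formed by S1 to S4 and their VLAN subnets as configured above, and recomputes it with a link down, which is the L3 protection the setup provides. Equal link costs are an assumption, since the manual sets none.

```python
"""Shortest-path computation over the four-switch OSPF ring configured above
(added example, not RAD's code). When one VLAN link fails, SPF finds the path
the other way round the ring, which is the protection the topology provides.
"""
import heapq

# Links derived from the S1..S4 configuration: each VLAN subnet joins the two
# switches that carry that VLAN. Equal link costs (1) are an assumption, since
# the manual sets none.
RING_LINKS = {
    "172.18.101.0/24": ("S1", "S4"),
    "172.18.102.0/24": ("S1", "S2"),
    "172.18.103.0/24": ("S2", "S3"),
    "172.18.104.0/24": ("S3", "S4"),
}


def build_graph(links, down=()):
    """Adjacency map {node: {neighbour: (cost, subnet)}}, omitting failed subnets."""
    graph = {node: {} for pair in links.values() for node in pair}
    for subnet, (a, b) in links.items():
        if subnet in down:
            continue
        graph[a][b] = (1, subnet)
        graph[b][a] = (1, subnet)
    return graph


def spf(graph, root):
    """Dijkstra from root: {node: (cost, [transit subnets])} for reachable nodes."""
    best = {root: (0, [])}
    heap = [(0, root, [])]
    done = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, (weight, subnet) in graph[node].items():
            new_cost = cost + weight
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, path + [subnet])
                heapq.heappush(heap, (new_cost, nbr, path + [subnet]))
    return best


def route(links, src, dst, down=()):
    """(cost, subnets traversed) from src to dst, or None when dst is unreachable."""
    return spf(build_graph(links, down), src).get(dst)


if __name__ == "__main__":
    print("S1->S3, all links up:", route(RING_LINKS, "S1", "S3"))
    print("S1->S2, 172.18.102.0/24 down:", route(RING_LINKS, "S1", "S2", down={"172.18.102.0/24"}))
    print("S1->S2, both S1 links down:",
          route(RING_LINKS, "S1", "S2", down={"172.18.101.0/24", "172.18.102.0/24"}))
```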

8.9 RIPv2
RIP (Routing Information Protocol) is a distance-vector routing protocol, which
employs the hop count as a routing metric.

RIP Commands Hierarchy


+root
- router interface {create | remove} <IP address> [netmask] [vlan id]
+ router rip
- enable
- exit
- show ip rip
+ configure terminal
+ [no] router rip
- [no] network { A.B.C.D/M | <interface name ,eth1.(id)> }
- [no] passive-interface <interface name,eth1.(id)>
- [no] redistribute {connected | static}
- [no] neighbor A.B.C.D
- version {1 |2}
- write
- exit
- show running-config
+ [no] interface < IFNAME>
- [no] ip rip
- authentication {key-chain <key>| mode {md5 |text}|string <string>}
- send version {1 |2| 1 2}
- receive version {1 |2| 1 2}
- split-horizon
- show running-config
- exit

RIP Commands Descriptions

Command Description

router interface Add or Remove an IP interface for the


create | remove application engine. The configuration should
include:
Address-prefix : IP address in the

SecFlow-1 RIPv2 8-49


Chapter 8 Traffic Processing Installation and Operation Manual

Command Description
format aa.bb.cc.dd/xx
VLAN : VLAN ID that the application
engine will use for this IP
interface
The interface will be name
eth1.<vlan id>
router rip enable

configure terminal Enter configuration mode

router rip    Enter the RIP configuration level. The following commands are available:
network – Enable routing on an IP network. The network can be given as A.B.C.D/M or as the name of a preconfigured interface eth1.<vlan id>.
passive-interface – Suppress routing updates on an interface, given as the name of a preconfigured interface eth1.<vlan id>.
redistribute – Redistribute information from another routing protocol (connected or static).
neighbor – Specify a neighbor router, given as A.B.C.D/M.
version – 1 | 2. The default is to send RIPv2 while accepting both RIPv1 and RIPv2 (and replying with packets of the appropriate version for REQUESTs / triggered updates). The version to receive and send can be specified globally, and further overridden on a per-interface basis if need be, for send and receive separately (see below).
It is important to note that RIPv1 cannot be authenticated. Further, if RIPv1 is enabled then RIP will reply to REQUEST packets, sending the state of its RIP routing table to any remote router that asks on demand.
write – commit and preserve the configuration.
interface <IFNAME>    Enter the interface level. IFNAME can be, for example, eth1.x where x is the VLAN identifier.
Set a RIP enabled interface by ifname. Both the sending and receiving of RIP packets will be enabled on the port specified in the network ifname command. The no network ifname command will disable RIP on the specified interface.
ip rip authentication    Key-chain : Specify a keyed MD5 chain.
Mode : Set the interface authentication method.
md5 - Set the interface with RIPv2 MD5 authentication.
text - Set the interface with RIPv2 simple password authentication.
String - Sets the authentication string. The string must be shorter than 16 characters.
ip rip send | receive    This interface command overrides the global rip version setting, and selects which version of RIP to send / receive packets with, for this interface specifically. Choice of RIP version 1, RIP version 2, or both versions. In the latter case, where ‘1 2’ is specified, packets will be both broadcast and multicast.
Default: Send packets according to the global version (version 2).
ip rip split-horizon    Control split-horizon on the interface. The default is ip rip split-horizon (enabled). To disable split-horizon on the interface, specify no ip rip split-horizon.
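The two security points in the table above (RIPv1 carries no authentication, and a RIP speaker answers a whole-table REQUEST with its routing table) are easiest to recognise on the wire. The following is an added example, not SecFlow-1 code: a parser for RIP UDP payloads (RFC 2453 layout) with an audit function that reports what a defender monitoring a SCADA segment would flag. The three sample payloads are constructed in the code, and the body of the MD5 authentication entry is zero-filled as a placeholder.

```python
"""Classify RIP payloads: version, authentication entry, whole-table request.
Added example; sample packets are constructed, not captured traffic."""
import struct
from socket import inet_aton, inet_ntoa
from typing import List, Optional, Tuple

RIP_REQUEST, RIP_RESPONSE = 1, 2
INFINITY = 16                  # RIP metric meaning "unreachable"
AFI_AUTH = 0xFFFF              # address family marking a RIPv2 authentication entry
AUTH_TYPES = {2: "simple-password", 3: "keyed-md5"}   # RFC 2453 / RFC 2082

Route = Tuple[int, str, str, int]   # (address family, network, mask, metric)


def parse_rip(payload: bytes):
    """Return (command, version, auth_type, routes) for one RIP UDP payload."""
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("not a well-formed RIP payload")
    command, version, _reserved = struct.unpack("!BBH", payload[:4])
    auth_type: Optional[str] = None
    routes: List[Route] = []
    entries = [payload[i:i + 20] for i in range(4, len(payload), 20)]
    for index, entry in enumerate(entries):
        afi, tag = struct.unpack("!HH", entry[:4])
        # RFC 2453: an authentication entry, if present, is always the first entry
        if version == 2 and index == 0 and afi == AFI_AUTH:
            auth_type = AUTH_TYPES.get(tag, "type-%d" % tag)
            continue
        ip, mask, _next_hop, metric = struct.unpack("!4s4s4sI", entry[4:])
        routes.append((afi, inet_ntoa(ip), inet_ntoa(mask), metric))
    return command, version, auth_type, routes


def audit_rip(payload: bytes) -> List[str]:
    """Findings a defender would raise for a RIP packet seen on the network."""
    command, version, auth_type, routes = parse_rip(payload)
    findings: List[str] = []
    if version == 1:
        findings.append("RIPv1: authentication not possible")
    elif auth_type is None:
        findings.append("RIPv2 without authentication entry")
    elif auth_type == "simple-password":
        findings.append("RIPv2 simple-password: key travels in clear text")
    # A REQUEST with a single AFI-0 entry and metric 16 asks for the whole table
    if command == RIP_REQUEST and len(routes) == 1 \
            and routes[0][0] == 0 and routes[0][3] == INFINITY:
        findings.append("whole-table REQUEST: responder will disclose its routing table")
    return findings


def _entry(afi: int, tag: int, ip: str, mask: str, metric: int) -> bytes:
    return struct.pack("!HH4s4s4sI", afi, tag, inet_aton(ip), inet_aton(mask),
                       b"\0" * 4, metric)


# Constructed sample payloads (not captured traffic)
V1_WHOLE_TABLE_REQUEST = bytes([RIP_REQUEST, 1, 0, 0]) + _entry(0, 0, "0.0.0.0", "0.0.0.0", INFINITY)
V2_PLAIN_RESPONSE = bytes([RIP_RESPONSE, 2, 0, 0]) + _entry(2, 0, "10.1.0.0", "255.255.0.0", 1)
V2_MD5_RESPONSE = (bytes([RIP_RESPONSE, 2, 0, 0])
                   + struct.pack("!HH", AFI_AUTH, 3) + b"\0" * 16   # MD5 auth entry body: placeholder
                   + _entry(2, 0, "10.1.0.0", "255.255.0.0", 1))

if __name__ == "__main__":
    for name, pkt in (("v1 request", V1_WHOLE_TABLE_REQUEST),
                      ("v2 plain", V2_PLAIN_RESPONSE),
                      ("v2 md5", V2_MD5_RESPONSE)):
        print(name, audit_rip(pkt))
```

Run against a capture of UDP port 520, the audit gives a quick answer to whether the `version 2` and `ip rip authentication mode md5` settings from the table are actually in effect on a segment.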

8.10 Terminal Server


SecFlow-1 provides a service that converts a TCP session into a serial session.
A router acting as the terminal server can be connected to the Telnet client (management station) via a local connection to its ports, or via an IP network. In both cases the connection is TCP based.
A router acting as the terminal server can be connected to the serial end device (managed station) via a local connection to its RS-232 ports, or via a UDP connection to a remote SecFlow-1 connected to the serial device. In the latter case, transparent serial tunneling over the IP network (encapsulation of serial data in UDP/TCP packets) is used.
An example of terminal server use is making remote device console ports accessible from any PC with an Ethernet link.
In Figure 8-12, the management station (PC) is a Telnet client assigned to manage the remote RTUs with a text based shell method.
The PC is connected locally to router A, which operates as a Telnet server; thus a Telnet session is established between the PC and router A.
Up to 100 simultaneous sessions are supported; each is uniquely identified by its TCP port number.
The point-to-multipoint topology can be supported in two ways:
• Over the same service using the same TCP port
• Over different services using separate TCP sessions with different TCP ports.
The user determines which RTU is addressed via the specific Telnet session.
In the example below (Figure 8-12), a serial transparent tunnel (UDP/TCP traffic) is configured between the SecFlow-1 devices to establish the paths between the serial RTUs and router A. The application directs traffic from the management station to the RTUs by mapping between the Telnet sessions and the serial services.

Figure 8-12. Terminal Server Connected via Transparent Tunnel

In the second option the terminal servers are set in the remote router connected to the serial devices locally (Figure 8-13). The benefit of this scenario is that the TCP sessions run over the IP network and not over the tunnel.

Figure 8-13. Terminal Server Connected via IP Network

Terminal Server Commands Hierarchy


+ root
+ serial
+ port
- clear counters
- create slot <1> port <1-2> [baudrate <9600,(50-368400)>]
databits {8,<5-8>} [parity {no,no| odd| even}] [stopbits <1,1|2>]
[bus-idle-time <bits (30-1000)>]
[mode-of-operation <transparent>]
admin-status [up| down]
- remove slot <1> port <1-2>
- show [slot <1> port <1-2>]
+ local-end-point
- create slot <1> port <1-2> service-id <1-100> position <slave>
application <terminal-server>
- remove slot <1> port <1-2> service-id <1-100>
- show
+ terminal-server
- admin-status [enable | disable | show]
- services show [service-id <>]
+ connections
- disconnect service-id <>
- show service-id <>
+ counters [clear | show]
+ settings
- restore
- update [low-border-telnet-tcp-port (2001,<2001-65434>]
[low-border-telnet-udp-port (2001,<2001-65434>]
[low-border-serial-tunnel-port (9850,<1025- 65434>]
[dead-peer-timeout <min,10 (0-1440)>] [buffer-mode
(frame,<frame |byte>)]
- show

+ tcp-service
- create {remote-address <A.B.C.D>} {service-id <1-100>}
{telnet-port <port num>} [null-cr-mode (off,<off|on>)] [max-
tcp-clients (1,<1-8>)]
- remove service-id <1-100>
- show
+ udp-service
- create {remote-address <A.B.C.D>} {service-id <1-100>} {udp-
server-port <port number>} {udp-client-address <A.B.C.D>}
[null-cr-mode (off,<off|on>)]
- remove service-id <1-100>
- show

+ serial-tunnel
- create remote-address <A.B.C.D> service-id <1-100>
- remove service-id <1-100>
- show

Terminal Server Commands

Command Description

serial port    Create/update the serial port

clear counters    Clear counters

create    Slot : 1 (constant)
Port : port number 1-4
Baud rate : 50, 75, 100, 110, 134, 150, 200, 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600
Parity : no, odd, even
Stopbits : 1, 2
Mode of operation : transparent

remove    Slot : 1 (constant)
Port : port number 1-4

show

local-end-point

create    Slot : 1 (constant)
Port : port number 1-4
Service id : numeric value of the serial service.
Application : terminal-server

remove    Slot : 1 (constant)
Port : port number 1-4
Service id : numeric value of the serial service.

show

terminal-server Enter terminal server configuration

admin-status Enable / disable terminal server

connections [disconnect | show]    Manage the TCP connections to the terminal server.
service-id : serial service-id number assigned to the terminal server

counters Display counters

settings    Manage the range of TCP ports on which the terminal server responds.
By default the allowed range is 2001-2100.
Restore : restore the default range.
Update low-border-telnet-tcp-port <> : a numeric value for the low border of the TCP port range. The value must be >10,001. The allowed range will be the entered value (x) to x+100.
Update dead-peer-timeout <0-1440> : this parameter releases the open TCP socket after the configured time so that a new connection can be established. Setting the value 0 disables the timeout and keeps the session open until it is administratively released or ended by the client.
Update buffer-mode : default – frame.
frame – the terminal server holds the TCP packet from egress until it receives validation from the serial local end that a message is complete. This mode avoids fragmentation of serial messages into different TCP packets.
byte – serial originated packets are egressed without additional buffering at the terminal server.
Show : display the current TCP port range

serial-tunnel    Configuration options to be used at the router where the serial port is connected. These fields determine the remote side to which the serial service is drawn (the remote side is the router at which the terminal server is established).
If the terminal server is configured on a local router which also accommodates the serial port, then this “serial-tunnel” configuration should not be used.
Remote-address : the IP address of the terminal server. This is the address of the application interface at the remote router acting as the terminal server.
Service-id : the local serial service-id to be mapped to the terminal server.
show : display the configuration.

tcp-service    Configuration options to be used at the router where the terminal server is set. This option relates to the TCP service settings.
Remote-address : the router's own ACE ‘application-host’ interface IP address.
Service-id : the serial service-id to which the terminal server service relates. The ‘service-id’ is created at ‘serial’ ‘local-end-point’ and must be set with ‘application’ = ‘terminal-server’.
telnet-port : the TCP port to be used for the connection. Incoming TCP traffic with this port will be directed to the terminal server. Serial traffic will be encapsulated in UDP and sent to the UDP client with this port.
max-tcp-clients : defines how many TCP clients can open a connection to the specified service.
null-cr-mode : this setting (on|off) allows flexibility in working with different types of terminals (such as PuTTY, HyperTerminal, CRT), as each handles the CR character differently. When set to on, the switch drops a <NULL> character only if it arrives immediately after a <CR> (^M, 0x0d). For all other modes of operation, NULL_CR is ignored. Default - off.
show : display the configuration.

udp-service    Configuration options to be used at the router where the terminal server is set. This option relates to the UDP service settings.
remote-address : the router's own ACE ‘application-host’ interface IP address.
service-id : the serial service-id to which the terminal server service relates. The ‘service-id’ is created at ‘serial’ ‘local-end-point’ and must be set with ‘application’ = ‘terminal-server’.
udp-server-port : the UDP port to be used for the connection. Incoming UDP traffic with this port will be directed to the terminal server. Serial traffic will be encapsulated in UDP and sent to the UDP client with this port.
udp-client-address : an IPv4 address of the target UDP client to which the terminal server will reply.
null-cr-mode : this setting (on|off) allows flexibility in working with different types of terminals (such as PuTTY, HyperTerminal, CRT), as each handles the CR character differently. When set to on, the switch drops a <NULL> character only if it arrives immediately after a <CR> (^M, 0x0d). For all other modes of operation, NULL_CR is ignored. Default - off.
show : display the configuration.

remove    Address : IP address in the form aa.bb.cc.dd. The IP is that of the application interface at the router to which the serial port is connected.
Telnet-port : TCP port number in the range 2000-2100.
Service-id : serial service id number of which the designated serial port is configured as a member (in “local end point”).
Slot : 1 (constant)
Port : port number 1-4

show    Show port mapping
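The buffer-mode (settings) and null-cr-mode (tcp-service / udp-service) options above describe byte-level behaviour that is easier to reason about in code. The following is an added example, not SecFlow-1 code: a model of both options as a practitioner would test them, null-cr-mode on the Telnet-to-serial direction and buffer-mode on the serial-to-TCP direction. It assumes the bus-idle-time is measured in bit periods at the port's baud rate; the manual does not describe the device's internal implementation, and all input bytes are constructed.

```python
"""Added example (not SecFlow-1 code): models of the terminal-server
null-cr-mode and buffer-mode options. Inputs are constructed."""
from typing import List, Optional

CR, NUL = 0x0D, 0x00


class NullCrFilter:
    """null-cr-mode: when on, a NUL is dropped only if it arrives immediately
    after a CR. State is kept across calls so a CR ending one TCP segment and
    a NUL starting the next are still treated as a pair."""

    def __init__(self, enabled: bool) -> None:
        self.enabled = enabled
        self._after_cr = False

    def feed(self, data: bytes) -> bytes:
        if not self.enabled:
            return data
        out = bytearray()
        for b in data:
            if b == NUL and self._after_cr:
                self._after_cr = False      # drop this NUL; a second NUL is kept
                continue
            out.append(b)
            self._after_cr = (b == CR)
        return bytes(out)


class SerialEgressBuffer:
    """buffer-mode: 'byte' forwards serial bytes as they arrive; 'frame' holds
    them until the line has been idle for bus_idle_bits bit periods (assumed
    unit), so one serial message becomes one TCP segment."""

    def __init__(self, mode: str, baudrate: int, bus_idle_bits: int = 30) -> None:
        if mode not in ("frame", "byte"):
            raise ValueError("buffer-mode must be 'frame' or 'byte'")
        self.mode = mode
        self.idle_seconds = bus_idle_bits / baudrate
        self._buf = bytearray()
        self._last_rx: Optional[float] = None

    def _gap_elapsed(self, now: float) -> bool:
        return (bool(self._buf) and self._last_rx is not None
                and now - self._last_rx >= self.idle_seconds)

    def feed(self, chunk: bytes, now: float) -> List[bytes]:
        """Offer bytes read from the serial port at time `now` (seconds);
        return the TCP segments that may be sent right away."""
        if self.mode == "byte":
            return [chunk]
        out: List[bytes] = []
        if self._gap_elapsed(now):          # a new message started after an idle gap
            out.append(bytes(self._buf))
            self._buf.clear()
        self._buf.extend(chunk)
        self._last_rx = now
        return out

    def flush(self, now: float) -> List[bytes]:
        """Timer path: release the held message once the line has gone idle."""
        if self._gap_elapsed(now):
            frame = bytes(self._buf)
            self._buf.clear()
            return [frame]
        return []


if __name__ == "__main__":
    f = NullCrFilter(enabled=True)
    print(f.feed(b"AT\r") + f.feed(b"\x00OK"))      # CR NUL split across segments
    fb = SerialEgressBuffer("frame", baudrate=9600, bus_idle_bits=30)
    print(fb.feed(b"\x01\x03", 0.000), fb.feed(b"\x00\x00", 0.001),
          fb.feed(b"\x01\x03", 0.010), fb.flush(0.020))
```

With frame mode at 9600 baud and 30 idle bits, two chunks 1 ms apart are kept together as one message, while a chunk arriving 9 ms later starts a new one; in byte mode every chunk is forwarded as received, which is what the table means by serial messages possibly fragmenting across TCP packets.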

Local Service Configuration


The example below demonstrates the terminal service with a local connection: both the Telnet client and the serial slave are connected directly to the router.
SecFlow-1 operates as a terminal server.

Figure 8-14. Local Terminal Server Connection

1. Assign the SecFlow-1 IP address.


router interface create address-prefix 172.18.212.230/24 physical-interface
eth1 purpose application-host

2. Configure the serial port parameters to match the serial slave.


The serial port operation mode must be transparent.
The local end-point application type must be terminal server.
serial port create slot 1 port 1 baudrate 9600 parity no databits 8 mode-of-
operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application
terminal-server

3. Configure the terminal server to listen to port 20000.


terminal-server admin-status enable
terminal-server settings update low-border-telnet-tcp-port 19999 buffer-mode
byte
terminal-server tcp-service create service-id 1 remote-address 172.18.212.230
telnet-port 20000
commit

Note Use the proper serial cable to connect SecFlow-1 serial port and the customer
equipment. The SecFlow-1 serial port pinout is specified in Appendix A.

Testing the setup


1. Verify the configuration using the show commands.
SecFlow-1#router interface show
+------+---------+----+----------------+------------------+-------------+
| VLAN | Name | Id | IP/Subnet | Purpose | Description |
+======+=========+====+================+==================+=============+
| N/A | eth1:1 | 1 |172.18.212.230/24|application host | |
+------+---------+----+----------------+------------------+-------------+
SecFlow-1#serial port show
+-----+------+------+-------+-------------+------+------+--------++
| idx | slot | port | bus | mode | baud | data | parity |
| | | | | | rate | bits | |
+=====+======+======+=======+=============+======+======+========+
| 1 | 1 | 1 | RS232 | Transparent | 9600 | 8 | None |

+-----+------+------+-------+-------------+------+------+--------+
SecFlow-1#serial local-end-point show
+-------+---------+------+------+-----------------+----------+----------+----------+
| index | service | slot | port | application     | position | firewall | firewall |
|       | id      |      |      |                 |          | mode     | protocol |
+=======+=========+======+======+=================+==========+==========+==========+
| 1     | 1       | 1    | 1    | terminal-server | Slave    | disable  | any      |
+-------+---------+------+------+-----------------+----------+----------+----------+
SecFlow-1# terminal-server settings show
+-------+-------------+------------+---------------+-----------+--------+
| index | telnet-tcp | telnet-udp | serial-tunnel | dead peer | buffer |
| | port-range | port-range | port-range | timeout | mode |
+=======+=============+============+===============+===========+========+
| 1 | 20000:20099 | 2001:2100 | 9850:9949 | 10 | byte |
+-------+-------------+------------+---------------+-----------+--------+

SecFlow-1#terminal-server tcp-service show


+-------+------------+-------------+---------+--------------+----------------+
| index | service id | telnet port | dest ip | null cr mode | max ip clients |
+=======+============+=============+=========+==============+================+
| 1 | 1 | 20000 | 172.18.212.230 | off | 1 |
+-------+------------+-------------+----------------+--------+---------------+

2. Check ping connectivity between the PC (172.18.212.240) and SecFlow-1 (172.18.212.230).
3. Open a Telnet session from the PC to the router: telnet 172.18.212.230 20000 (see below).

4. Verify that the connection is indicated in the following show output.


terminal-server connections show
+-------+---------+--------+----------------+----------------+---------+-----------+-----------+
| index | service | telnet | client         | client         | service | client    | client    |
|       | id      | port   | source IP      | dest IP        | id      | dest slot | dest port |
+=======+=========+========+================+================+=========+===========+===========+
| 1     | 1       | 20000  | 172.18.212.240 | 172.18.212.230 | 1       | 1         | 1         |
+-------+---------+--------+----------------+----------------+---------+-----------+-----------+

5. Connect the serial device to port S1.

The serial device should be accessible from the Telnet client (PC).
6. Verify the serial connection by the port counters.
SecFlow-1#serial port show briefly port 1
+-----+------+------+-----+-------------+------+------+--------+------+
| idx | slot | port | svc | mode | baud | data | parity | stop |
| | | | id | | rate | bits | | bits |
+=====+======+======+=====+=============+======+======+========+======+
| 1 | 1 | 1 | 1 | Transparent | 9600 | 8 | None | 1 |
+-----+------+------+-----+-------------+------+------+--------+------+

OctetsIn : 20
OctetsOut : 25
TxError : 0
RxError : 0
OctetsTotal : 45

Network Connection Configuration

Figure 8-15. Terminal Server Connection via IP Network

Configuring Telnet Server


1. Assign an IP interface.
router interface create address-prefix 172.18.212.230/24 vlan 100 physical-
interface eth2 purpose application-host

2. Assign routing to the remote router LAN subnet 172.17.203.x


router static
enable
configure terminal
ip route 172.17.203.0/24 172.18.212.200
write memory
exit
exit

3. Configure the serial port parameters to match the serial slave. The serial port
operation mode must be transparent. The local end-point application type
must be terminal server.
serial port create slot 1 port 1 baudrate 9600 parity no databits 8 mode-of-
operation transparent
serial local-end-point create service-id 1 slot 1 port 1 application terminal-
server

4. Configure the terminal server.

terminal-server admin-status enable


terminal-server settings update low-border-telnet-tcp-port 19999 buffer-mode
byte
terminal-server serial-tunnel create service-id 1 remote-address
172.18.212.230 telnet-port 20000
commit

Configuring SecFlow-1 (2)


1. Assign the IP interface for the LAN connection.
router interface create address-prefix 172.17.203.200/24 physical-interface eth1 purpose general

2. Assign the IP interface for the WAN connection.
router interface create address-prefix 172.18.212.200/24 vlan 100 physical-interface eth2 purpose application-host
commit

Testing Results
1. Ping between the PC (172.18.212.240) and the application IP interfaces
(172.18.212.230 and 172.18.212.231).
2. From the PC, open a Telnet session to the router: telnet 172.18.212.230 20000.
The serial device should be accessible.

8.11 VPN
When a distributed operational network uses public transport links for the inter-site connectivity, the traffic must be encrypted to ensure its confidentiality and its integrity. SecFlow-1 supports VPN (Virtual Private Network) connections using GRE tunnels (RFC 2784) over an IPsec encrypted link. The IPsec tunnel can use 3DES or AES encryption according to the user configuration.

Figure 8-16 (diagram): Remote Site, Spoke, LAN, SecFlow-1, VPN | IPsec, SecFlow-2, Hub, Central Site, LAN

Figure 8-16. SecFlow-1 in VPN Application


SecFlow-1 supports the following modes:


• Dynamic Multipoint VPN (using IPsec over dynamic multipoint GRE tunnel)
• IPSec VPN
• L3 P2P GRE VPN (using IPsec over static point-to-point GRE tunnel)
The IPSec tunnel within these VPNs can use 3DES or AES encryption.

Dynamic Multipoint VPN


The Layer 3 mGRE tunneling enables support for more complex networking and protection:
• Multiple hubs vs multiple spokes
• Multiple clouds
• Multiple tunnels allowed in a hub
• Multiple tunnels allowed in each spoke towards different hubs or towards the same hub via different clouds
• L3 DM VPN over fixed or cellular uplink
• Static routing and OSPF
• Layer 3 protection
Main layer 3 DM VPN advantages:
• Robust and supports large scale networks
• Adding spokes does not require additional hub configuration

DMVPN Commands Hierarchy


+ root
+ vpn gre
+ tunnel
- create | update
{name <>}
{address-prefix <A.B.C.D/M>}
{admin-status}
{lower-layer-dev <ppp0| ETH1.(vlan-id)>}
{mode}
{key <0.0.0.0,<a.b.c.d>}
[ttl <64,0-255>]
[holding-time<7200,1-65535>]
[mtu (1418,<128-9600>)]
[tos (inherint,<hex(0-255)>)]
{tunnel-destinaton <A.B.C.D> }
{tunnel-source <A.B.C.D> }
[cisco-authentication <>]
- remove {name<>}
- show [name<>]
+ nhrp
+ map
- {create | update}
{multipoint-gre-name<>}
{nbma-address<A.B.C.D>}
{protocol-address-prefix< A.B.C.D/M>}
[initial-register <no|yes>]
[is-cisco <no|yes>]
[protection-group<>]


[position <master|slave>]
- remove
{multipoint-gre-name<>}
{nbma-address<A.B.C.D>}
{protocol-address-prefix< A.B.C.D/M>}
- show
- show-status
- cache-flush
- cache-purge
- cache-show
- {enable | disable}
- log-show
- route-show
- show
+ protection-group
- {create|update}
{name<>}
[default-route<yes,no|yes>]
[wait-to-restore<0-1440>]
- remove {name<>}
- show

DMVPN Commands Description

Command Description

vpn gre Enter the DM VPN configuration

tunnel Tunnel management commands

create | update    Creates a new tunnel or updates an existing one.
Name: Unique tunnel name. Mandatory. String, 2-16 chars. Special characters allowed except ‘!’ (exclamation mark).
address-prefix: an IPv4 address and subnet mask for the tunnel local end point
<A.B.C.D/M>. Mandatory field.
admin-status: Optional. Values : enable, disable. Enables or disables the tunnel.
holding-time: Optional. Specifies the holding time for the NHRP Registration
Requests and Resolution Replies sent from this interface. Values: 1-65535.
Default: 7200.
key: Mandatory. Unique Key assigned to the interface- must match the peer's
key. <0.0.0.0,<a.b.c.d>.
lower-layer-dev: Mandatory. Local ACE or cellular interface used as the network
uplink. ppp0 or eth1.<vlan id>. Cellular may be used only at the spoke and only if
a static, routable IP is provided by the ISP to the SIM card. The interface must be
pre-configured before creating the tunnel.
mode: Optional. Values: point-to-point/multipoint. default=multipoint. Multipoint
option requires NHRP configuration, as specified below.
mtu: Optional. Sets MTU for the tunnel. Values: 128-9600 bytes. Default 1418.
ttl: Optional. Sets TTL for the tunnel’s IP headers. 0-255. Default 64.
tos: set type of service for the tunnel’s IP header. Values: 0-255. Default is
‘inherint’, sets the tunnel header to use the TOS value of the encapsulated
packet.
tunnel-destination: NBMA IPv4 address of the peer (N/A for multipoint).
tunnel-source: IP Address for use as source in tunnel IP Header. N/A if lower-
layer-dev is provided.

cisco-authentication: Relevant only for multi-point. Enables Cisco style
authentication on NHRP packets. This embeds the secret plaintext password to
the outgoing NHRP packets. Incoming NHRP packets on this
interface are discarded unless the secret password is present. Maximum length of
the secret is 8 characters.

remove    Delete a tunnel.
Name: tunnel name.

show    Show the tunnels configuration.
Name: tunnel name. An optional field. All tunnels are shown if not specified.

nhrp Enter NHRP configuration.

map Enter NHRP map configuration.

create | update    Creates/updates a static peer mapping of protocol-address to NBMA-address. If the prefix parameter is present, it directs OpenNHRP to use this peer as a next hop server when sending Resolution Requests matching this subnet. The optional parameter register specifies that a Registration Request should be sent to this peer on startup.
multipoint-gre-name: Mandatory. Tunnel interface this mapping belongs to.
nbma-address: Mandatory. <A.B.C.D>. NBMA IPv4 address of the peer.
protocol-address-prefix< A.B.C.D/M>: Mandatory. Inner masked IPv4 address.
initial-register <no|yes>: Optional. Defines whether to send registration request
at start-up (that is before any traffic).
is-cisco <no|yes>: Optional.
protection-group<>: Optional. Name of the protection group this tunnel belongs
to.
position <master|slave>: Optional. Relevant only when aggregating 2 tunnels into
a protection group.

remove    Removes a static peer mapping of protocol-address to NBMA-address. One parameter must be specified.
multipoint-gre-name<>: Optional.
nbma-address<A.B.C.D>: Optional.
protocol-address-prefix< A.B.C.D/M>: Optional.

show Shows configured static peer mapping of protocol-address to NBMA-address.

show-status    Shows the dynamic status of the static peer mapping of protocol-address to NBMA-address.

cache-flush Clear all non-permanent entries.

cache-purge Purge entries from NHRP cache: cached entries are removed and permanent
entries are forced down, up and finally reregistered.

cache-show Show contents of next hop cache(configured and resolved entries).

enable | disable Enable/disable NHRP protocol.

log-show Show NHRP related logs

route-show    Show the contents of locally cached kernel routing information

show Show NHRP status (enabled/disabled)

protection-group Manage the protection groups of tunnels. Each protection group can contain 2
tunnels.

create | update    name: Mandatory.
default-route: Optional. Values: yes, no. Default: yes. Determines whether to use the next hop NHRP servers as default gateway.
wait-to-restore <0-1440>: Optional.

remove name: Mandatory. String indicating the name of an existing protection group.

show Show configured protection groups.
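The tunnel `key` parameter in the table above is given in the a.b.c.d form and must match the peer's key. At the wire level that value is the 32-bit Key field of the GRE header (RFC 2890 extension to the RFC 2784 base header), which only demultiplexes tunnels: it travels in clear text and is not an authenticator, which is why the manual runs GRE over IPsec. The following is an added example, not SecFlow-1 code, and it does not claim to show how the device itself processes the field: it builds and parses GRE headers with the key and sequence options, and applies the receiver-side key match. Sample packets are constructed.

```python
"""Added example: GRE header with Key and Sequence fields (RFC 2784/2890).
Constructed packets; not SecFlow-1 code."""
import struct
from socket import inet_aton, inet_ntoa
from typing import Dict, Optional

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present
ETHERTYPE_IPV4 = 0x0800


def build_gre_header(key: Optional[str] = None, seq: Optional[int] = None,
                     proto: int = ETHERTYPE_IPV4) -> bytes:
    """Build a GRE header; the key is given in the manual's dotted a.b.c.d form."""
    flags, options = 0, b""
    if key is not None:
        flags |= GRE_K
        options += inet_aton(key)
    if seq is not None:
        flags |= GRE_S
        options += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + options


def parse_gre_header(pkt: bytes) -> Dict:
    """Decode flags and optional fields; payload_offset is where the inner packet starts."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    off = 4
    info: Dict = {"version": flags & 0x7, "protocol": proto,
                  "checksum": None, "key": None, "sequence": None}
    if flags & GRE_C:
        info["checksum"] = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4                                # checksum + reserved1
    if flags & GRE_K:
        info["key"] = inet_ntoa(pkt[off:off + 4])
        off += 4
    if flags & GRE_S:
        info["sequence"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    info["payload_offset"] = off
    return info


def accept_for_tunnel(pkt: bytes, expected_key: Optional[str]) -> bool:
    """Receiver-side demultiplexing: the packet belongs to this tunnel only if its
    Key field equals the configured key (no key matches an unkeyed tunnel).
    This is matching, not authentication."""
    return parse_gre_header(pkt)["key"] == expected_key


def key_is_visible(pkt: bytes, key: str) -> bool:
    """The key bytes sit unencrypted in the outer packet unless IPsec wraps it."""
    return inet_aton(key) in pkt


if __name__ == "__main__":
    hdr = build_gre_header(key="0.0.0.7", seq=1)
    print(hdr.hex(), parse_gre_header(hdr), key_is_visible(hdr, "0.0.0.7"))
```

A keyed header carries the key as four plain bytes right after the protocol type, so anyone on the transport path can read it; the confidentiality and integrity the section opens with come from the IPsec layer, not from the key.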

Layer 3 IPSec VPN


IPSec VPN is designated for simple point-to-point networking where encryption is
required.
The supported mode is ‘transport’, which is route-based. A logical tunnel
interface is created in the routing table. User traffic that should be encrypted is
routed over the tunnel interface.
The following topologies are supported:
• Point-to-Point, hub vs spoke
• Single tunnel is allowed in a hub
• Single tunnel is allowed in a spoke
The hub must be connected to the network using one of its Ethernet ports. It is
recommended to connect the spoke to the network using one of its Ethernet
ports.
The spoke can use a cellular connection only if the ISP allocates the SIM card a public static IP address, without NAT.
Layer 3 protection to a second uplink is supported.
The hub must hold a static IP address which is routable over the network.
The spoke must hold a static IP address which is routable over the network.

L3 IPsec-VPN Commands Hierarchy


+ root
+ vpn ipsec
+ tunnel
- create {name <>} {address-prefix <A.B.C.D/M>}
{lower-layer-dev <ETH1.<vlan id> >}
{remote-address<A.B.C.D>} [mtu<1400,128-1500>]
[tos (inherint,<hex(0-255)>)] [ttl <64,0-255>]
- remove {name<>}
- show [name<>]

Chapter 9
Timing and Synchronization
You can set the date and time for the SecFlow-1 internal real-time clock or
receive the SNTP server clock signal.

9.1 Date and Time


The local time can be set and updated on SecFlow-1.

Commands Hierarchy
+ date {[YYYY.]MM.DD-hh:mm[:ss] | hh:mm[:ss]}
- date

Commands Description

Command Description

date {[YYYY.]MM.DD-hh:mm[:ss] | hh:mm[:ss]} Sets the current time and date.

date Show the system time

Setting Date and Time


To configure date and time:
SecFlow-1#date 2014.02.02-10:01:30
Sun Feb 2 10:01:30 UTC 2014
Current RTC date/time is 2-2-2014, 10:01:30.
SecFlow-1# date
Sun Feb 2 10:01:34 UTC 2014


9.2 Simple Network Time Protocol (SNTP)


SNTP (Simple Network Time Protocol) is a simplified subset of the NTP protocol. It is used to synchronize the time and date in SecFlow-1 by contacting an SNTP server. The administrator can choose whether to set the system clock manually or to enable SNTP. If SNTP is enabled, the SNTP implementation discovers the SNTP server and gets the time from it. The SNTP implementation also has callouts to set the system time based on the time received from the SNTP server. It supports different time zones; the user can set the required time zone.
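The unicast client mode described in the command table below sends a request to a designated server and derives the time, the round-trip delay and the local clock offset from the reply. The following is an added example, not SecFlow-1 code: it builds the 48-byte SNTP request, constructs a server reply in code (no real server is contacted), applies the checks a client should make before trusting a reply (server mode, originate timestamp echoing the client's transmit timestamp, kiss-o'-death stratum 0) and computes offset and delay with the RFC 4330 formulas.

```python
"""Added example: SNTP unicast exchange with reply validation and the
RFC 4330 offset/delay arithmetic. Reply is constructed; not SecFlow-1 code."""
import struct
from typing import Dict, List

NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
PACKET_FMT = "!BBBbII4sQQQQ"             # 48-byte SNTP header (RFC 4330, section 4)


def to_ntp(unix_time: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1: float, version: int = 4) -> bytes:
    """Client request: mode, version and the transmit timestamp (T1) are what matter."""
    return struct.pack(PACKET_FMT, (version << 3) | MODE_CLIENT, 0, 0, 0,
                       0, 0, b"\0" * 4, 0, 0, 0, to_ntp(t1))


def build_reply(request: bytes, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed server reply: echoes T1 as 'originate', stamps receive (T2)
    and transmit (T3). Reference id 'GPS' is a sample value."""
    req = struct.unpack(PACKET_FMT, request)
    version = (req[0] >> 3) & 0x7
    return struct.pack(PACKET_FMT, (version << 3) | MODE_SERVER, stratum, req[2], -20,
                       0, 0, b"GPS\0", to_ntp(t2), req[10], to_ntp(t2), to_ntp(t3))


def evaluate_reply(request: bytes, reply: bytes, t4: float) -> Dict:
    """Validate a reply against the request it answers; compute offset and delay."""
    req = struct.unpack(PACKET_FMT, request)
    rep = struct.unpack(PACKET_FMT, reply)
    problems: List[str] = []
    if rep[0] & 0x7 != MODE_SERVER:
        problems.append("reply is not in server mode")
    if rep[8] != req[10]:
        # Originate must echo our T1; otherwise the reply is stale or not ours
        problems.append("originate timestamp does not match our transmit timestamp")
    if rep[1] == 0:
        problems.append("kiss-o'-death (stratum 0): stop polling this server")
    t1, t2, t3 = from_ntp(req[10]), from_ntp(rep[9]), from_ntp(rep[10])
    delay = (t4 - t1) - (t3 - t2)            # round-trip delay (RFC 4330, section 5)
    offset = ((t2 - t1) + (t3 - t4)) / 2     # local clock offset relative to the server
    return {"offset": offset, "delay": delay, "accept": not problems, "problems": problems}


if __name__ == "__main__":
    req = build_request(1000.0)                        # client clock at T1
    rep = build_reply(req, 1000.55, 1000.56)           # server clock 0.5 s ahead
    print(evaluate_reply(req, rep, 1000.11))           # client clock at T4
```

In the sample exchange the server clock runs 0.5 s ahead of the client and the network adds 0.05 s each way, so the evaluation reports an offset of 0.5 s and a delay of 0.1 s; a reply whose originate field does not match the request, or one with stratum 0, is rejected before any offset is applied.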

SNTP Command Hierarchy


+root
+ sntp
+ set
+ client
- admin-status{enabled | disabled}
- version {v1 | v2 | v3 | v4}
- addressing-mode {unicast | broadcast}
- [no] port <integer (1025-65535)>
- clock-format {ampm | 24hours}
- [no] time-zone <UTC-offset(+HH:MM/-HH:MM)(+00:00 to+14:00)/(-00:00 to-12:00)>
- [no] clock-summer-time <week-day-month,hh:mm>..<week-day-
month,hh:mm>
- [no] authentication-key key-id <int 1-65535> key-type md5|des key <string(16)>
+ unicast
- server auto-discovery {enabled | disabled}
- poll-interval <integer (16-16284) seconds>
- max-poll-timeout <integer (1-30) seconds>
- max-poll-retry <integer (1-10) times>
- [no] server {ipv4 <ucast_addr> | domain-name <string(64)>} [{primary |
secondary}] [version { 3 | 4 }] [port <integer(1025-36564)>]
+ show
- clock
- status
- unicast-mode-status
- broadcast-mode-status
- statistics

SNTP Command Descriptions

Command Description
sntp    This command enters SNTP configuration mode, which allows the user to execute all the commands that SNTP configuration mode supports.

set client admin-status This command either enables or disables SNTP client
module.
Enabled: Sends a request to the host for time
synchronization.
Disabled: Does not send any request to the host for time
synchronization.
Defaults: Disabled.

set client version This command sets the operating version of the SNTP for
the client.
v1: Sets the version of SNTP client as 1
v2: Sets the version of SNTP client as 2
v3: Sets the version of SNTP client as 3
v4: Sets the version of SNTP client as 4
Defaults: v4

set client addressing-mode This command sets the addressing mode of SNTP client.
Unicast: Sets the addressing mode of SNTP client as
unicast which operates in a point-to-point fashion. A
unicast client sends a request to a designated server at its
unicast address and expects a reply from which it can
determine the time and, optionally, the roundtrip delay
and local clock offset relative to the server.
Broadcast: Sets the addressing mode of SNTP client as
broadcast which operates in a point-to-multipoint fashion.
The SNTP server uses an IP local broadcast address instead
of a multicast address. The broadcast address is scoped to
a single subnet, while a multicast address has Internet
wide scope.

set client port This command sets the listening port for SNTP client which
refers to a port on a server that is waiting for a client
connection. The value ranges between 1025 and 65535.
The no form of this command deletes the listening port for
SNTP client and sets the default value
Defaults: 123

set client clock-format This command sets the system clock as either AM PM
format or HOURS format. SNTP clock format configuration
in the switch:
Date – Hours, Minutes, Seconds, Date, Month and Year
Month – Jan, Feb, Mar…..
Year - yyyy
ampm: Sets the system clock in am/ pm format
24hours: Sets the system clock in 24 hours’ format
Default: hours

set client time zone This command sets the system time zone with respect to
UTC. The no form of command resets the system time
zone to GMT.
+/-: Sets the client time zone as after or before UTC. Plus
indicates forward time zone and minus indicates backward
time zone.
Default: + 0: 0

set client clock-summer-time    This command enables DST (Daylight Saving Time). DST is a system of setting clocks ahead so that both sunrise and sunset occur at a later hour. The effect is additional daylight in the evening. Many countries observe DST, although most have their own rules and regulations for when it begins and ends. The dates of DST may change from year to year. The no form of this command disables Daylight Saving Time.
week-day-month: Week – First, Second, Third, Fourth or Last week of the month. Day – Sunday, Monday, Tuesday, Wednesday, Thursday, Friday or Saturday. Month – January, February, March, April, May, June, July, August, September, October, November or December.
hh:mm: Time in hours and minutes
Default: Not set

set client authentication-key    This command sets the authentication parameters for the key. Some SNTP servers require authentication before exchanging any data. This authentication key is used to authenticate the client to the SNTP server it tries to connect to. The no form of this command disables authentication.
<key-id>: Sets a key identifier (integer value) to provide authentication for the server. The value ranges between 1 and 65535.
md5: Verifies data integrity. MD5 is intended for use with digital signature applications, which require that large files be compressed by a secure method before being encrypted with a secret key under a public key cryptosystem.
<key>: Sets the authentication code as a key value.
Default: Authentication key ID not set

set unicast server-auto-discovery This command enables automatic discovery of all available SNTP servers.
Enabled: Automatically discovers all available SNTP servers even if the necessary configuration is not done.
Disabled: Does not discover any SNTP server.
Default: Disabled

set unicast-poll-interval This command sets the SNTP client poll interval which is
the maximum interval between successive messages in
seconds. The value ranges between 16 and 16284
seconds.
Default: 64

set unicast max-poll-timeout This command configures SNTP client maximum poll
interval timeout, which is the maximum interval to wait for
the poll to complete. The value ranges between 1 and 30
in seconds.
Default: 5

set unicast max-poll-retry This command configures the SNTP client maximum retry poll count, which is the maximum number of unanswered polls that cause a slave to identify the server as dead. The value ranges between 1 and 10 polls.
Default: 3

set unicast-server This command configures an SNTP unicast server. The no form of this command deletes the SNTP unicast server attributes and restores the default value.
ipv4 <ucast_addr>: Sets the address type of the unicast server as Internet Protocol Version 4.
Primary: Sets the unicast server type as primary server.
Secondary: Sets the unicast server type as secondary server.
version 3: Sets the SNTP version as 3.
version 4: Sets the SNTP version as 4.
Port <integer(1025-36564)>: Selects the port number on the selected server. The port number ranges between 1025 and 36564.

set broadcast-mode send-request This command enables or disables sending an SNTP status request.
Enabled: Sends an SNTP request packet to the broadcast server to calculate the actual delay.
Disabled: Does not send any SNTP request packet to the broadcast server; the default value for the delay is used instead.
Default: Disabled

set broadcast-poll-timeout This command configures the SNTP client poll interval in broadcast mode, which is the maximum interval to wait for a poll to complete. The value ranges between 1 and 30 seconds.
Default: 5

set broadcast-delay-time This command configures the SNTP delay time in broadcast mode, which is the time interval the SNTP client needs to wait for a response from the server. The value ranges between 1000 and 15000 microseconds.
Default: 8000

show clock This command displays the current time.

show status This command displays SNTP status.

show unicast-mode-status This command displays the status of SNTP in unicast mode.

show broadcast-mode-status This command displays the status of SNTP in broadcast mode.

show statistics This command displays the SNTP statistics.
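The week-day-month rule of the set client clock-summer-time command above names a transition day by ordinal week, weekday and month rather than by a calendar date. The Python script below is an added example and is not part of the manual or of the SecFlow-1 software; it resolves such a rule to a concrete date for a given year and tells whether a timestamp falls inside the DST window, including a window that wraps around the year end (southern-hemisphere rules). The rule strings and years used are constructed for illustration; the hour field is read from the hh:mm part of the rule.

```python
"""Resolve DST rules of the form "<week> <day> <month> <hh:mm>" to dates."""
import calendar
from datetime import date, datetime, timedelta

# Ordinal week keywords of the week-day-month rule; -1 stands for "last".
WEEKS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "last": -1}
# Python weekday numbering: Monday = 0 ... Sunday = 6.
DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}
MONTHS = {name.lower(): num for num, name in enumerate(calendar.month_name) if name}


def nth_weekday(year: int, month: int, week: str, day: str) -> date:
    """Return the date of, e.g., the "Last" "Sunday" of a month."""
    ordinal = WEEKS[week.lower()]
    weekday = DAYS[day.lower()]
    if ordinal > 0:
        first = date(year, month, 1)
        # Days from the 1st to the first matching weekday, then whole weeks.
        offset = (weekday - first.weekday()) % 7 + 7 * (ordinal - 1)
        return first + timedelta(days=offset)
    last = date(year, month, calendar.monthrange(year, month)[1])
    # Walk back from the last day of the month to the wanted weekday.
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def parse_transition(year: int, rule: str) -> datetime:
    """Parse "last sunday march 02:00" into a naive local datetime for `year`."""
    week, day, month, clock = rule.split()
    hour, minute = (int(part) for part in clock.split(":"))
    when = nth_weekday(year, MONTHS[month.lower()], week, day)
    return datetime(when.year, when.month, when.day, hour, minute)


def dst_in_effect(moment, start_rule: str, end_rule: str) -> bool:
    """True if `moment` (datetime or ISO string, local clock) is inside DST."""
    if isinstance(moment, str):
        moment = datetime.fromisoformat(moment)
    start = parse_transition(moment.year, start_rule)
    end = parse_transition(moment.year, end_rule)
    if start <= end:                      # window lies inside one calendar year
        return start <= moment < end
    return moment >= start or moment < end  # window wraps the year end


if __name__ == "__main__":
    # Constructed example rules: European-style transitions.
    eu = ("last sunday march 02:00", "last sunday october 03:00")
    print(parse_transition(2016, eu[0]), parse_transition(2016, eu[1]))
    print(dst_in_effect("2016-07-01T12:00:00", *eu))
```

Resolving the rule yourself is a useful cross-check when log timestamps from the device disagree with a collector by exactly one hour around a transition date.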


Configuring SNTP Server

 To configure an SNTP server:
SecFlow-1# show clock
Sat Jan 01 02:00:33 2000

sntp set unicast-poll-interval 16
sntp set client time-zone +01:00
sntp set unicast-server ipv4 96.47.67.105 primary
sntp set unicast-server ipv4 165.193.126.229 secondary
sntp set client admin-status enable

<134>Feb 6 12:26:52 ISS SNTP Old Time:Sat Jan 01 2000 00:01:35 (UTC +00:00)
, New Time:Wed Feb 06 2013 12:26:52 (UTC +00:00 )
, ServerIpAddress:96.47.67.105
set sntp client time-zone +01:00

SecFlow-1# <134>Feb 6 14:34:09 ISS SNTP Old Time:Wed Feb 06 2013 12:34:02
(UTC +00:00 )
, New Time:Wed Feb 06 2013 14:34:09 (UTC +02:00 )
, ServerIpAddress:96.47.67.105
SecFlow-1# sntp show clock
Wed Feb 06 14:35:58 2013

 To remove the configuration:
sntp no unicast-server ipv4 96.47.67.105

Note
It is mandatory to set the clock source to NTP as shown above.
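The set client authentication-key command in the table above lets the client attach an MD5 key to its exchange with the server. The Python script below is an added example, not code from the manual or from the SecFlow-1 software; it builds the 48-byte SNTP v4 header, appends the standard NTP authenticator (4-byte key id followed by MD5 over key and packet, as specified in RFC 5905), and shows the check a client performs on a reply: unknown key id, missing authenticator, or any modified byte causes the reply to be discarded rather than used to set the clock. The key value and key id are constructed for the example; the transmit timestamp used corresponds to the "New Time" shown in the manual's output above (Wed Feb 06 2013 12:26:52 UTC).

```python
"""SNTP v4 packet with the RFC 5905 key-id + MD5 authenticator, and its check."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_UNIX_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                   # fixed NTP header
MAC_LEN = 4 + 16                  # key identifier + MD5 digest


def to_ntp_timestamp(unix_time: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time) + NTP_UNIX_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_timestamp(value: int) -> float:
    return (value >> 32) - NTP_UNIX_OFFSET + (value & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode: int, transmit_unix: float, stratum: int = 0) -> bytes:
    """48-byte header: LI=0, VN=4; mode 3 = client request, mode 4 = server reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    # stratum, poll exponent (2^6 s) and precision exponent (2^-20 s)
    head = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)
    # root delay, root dispersion, reference id, reference/origin/receive ts = 0
    body = struct.pack("!IIIQQQQ", 0, 0, 0, 0, 0, 0, to_ntp_timestamp(transmit_unix))
    return head + body


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Authenticator = key-id || MD5(key || packet) (RFC 5905 section 7.3)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, keys: Dict[int, bytes]) -> Optional[bytes]:
    """Return the authenticated 48-byte header, or None if the MAC is absent/bad."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return None                       # no authenticator present
    packet, trailer = message[:HEADER_LEN], message[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return None                       # key id not provisioned on this client
    expected = hashlib.md5(key + packet).digest()
    if not hmac.compare_digest(expected, trailer[4:]):
        return None                       # tampered or forged reply
    return packet


def server_transmit_time(message: bytes, keys: Dict[int, bytes]) -> Optional[float]:
    """Unix time claimed in the reply's transmit timestamp, only if authenticated."""
    packet = verify_mac(message, keys)
    if packet is None:
        return None
    return from_ntp_timestamp(struct.unpack("!Q", packet[40:48])[0])


if __name__ == "__main__":
    keys = {1: b"sntp-shared-secret"}      # constructed demo key, not a real credential
    request = append_mac(build_packet(3, 1360153612.0), 1, keys[1])
    reply = append_mac(build_packet(4, 1360153612.0, stratum=2), 1, keys[1])
    print(len(request), server_transmit_time(reply, keys))
```

The check is deliberately done before the timestamp is read: a client that parses the time first and authenticates afterwards is easy to get wrong. The MD5 authenticator proves knowledge of the shared key and detects modification, which is the integrity the manual's md5 keyword refers to; it does not encrypt the packet.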

Chapter 10
Administration
This section describes administrative features:
• File Operations
• Device Information
• Disk Information
• License Installation
• System Reboot

10.1 File Operations


You can export your running configuration to a TFTP server as a file with a
selected name. Later on, you can import this file to boot the system.
In the database export, the filename is the destination file name and it is
optional. If no file name is specified, the default name (issnvram.txt) is used.

Commands Hierarchy
+ root
- db import {remote-host <IP, A.B.C.D>} [filename <file-name>]
- db export {remote-host <IP, A.B.C.D>} [filename <file-name>]

 To export the configuration database:


SecFlow-1# db export remote-host 172.18.212.240 filename db-May-14
Completed OK

 To import the configuration database:
SecFlow-1# db import remote-host 172.18.212.240 filename db-May-14

Note
System reboot is required to activate the imported database file.

 To export system logs:


SecFlow-1# trace export remote-address 172.17.170.200
Completed OK

The format of the log file name is the following: log_MM_DD_HH_MM_SS.tar.gz, for
example: log_01_09_08_41_23.tar.gz.

For information on the configuration database, refer to Chapter 3.


For information on the system upgrade, refer to Chapter 12.

10.2 Device Information


You can check the device information by viewing the details of the operating
system, including its version. The following information is displayed:
• Date of the image build
• Operating system
• Host name
• Operating system kernel number
• Kernel configuration
• CPU type

 To check the device information:


SecFlow-1# version
Application S/W release: 4.1.01.08
File System built: Mon Aug 15 17:39:46 IDT 2016
Kernel: Linux
Nodename:SmartSwitch
Release:3.4.52
Version:#1 PREEMPT Mon Aug 15 17:47:30 IDT 2016
Machine:ppc
SecFlow-1#

10.3 Disk Information


You can check the disk information by displaying the details on the mounted
flash storage. The following information is displayed:
• Logs size
• Diagnostics size
• Total size (occupied/available)

 To check the disk information:


SecFlow-1# show disk info
+------------+------------------+------------------+
| Logs size | Diagnostics size | Total Disk usage |
+============+==================+==================+
| 638 kB | 24 MB | 114 MB / 391 MB |
+------------+------------------+------------------+

10.4 License Installation


Enhanced security features are available only within the security license
SF-ESEC-LIC.

 To install the license:


SecFlow-1# license install key <48-bit key>

 To check the current license:


SecFlow-1# license show

General License Example


Installed license KEY : ▒▒▒▒▒▒▒▒▒▒▒▒
License Type : General
Valid : No
Restart Required : No
Completed OK

Enhanced License Example


Installed license KEY : 3778CBC2358E
License Type : Enhanced
Valid : Yes
Restart Required : No
Completed OK

10.5 System Reboot


You can set up an immediate reboot of SecFlow-1 or schedule the system reload
in a particular time period.

Commands Hierarchy
+ root
+ reload
- now
- schedule
- date-and-time YYYY-MM-DD,HH:MM:SS
- every <180 – 604800 seconds >
- time HH:MM:SS
- in <0 – 604800 seconds >
- cancel
- show

Command Descriptions

Command Description
reload schedule date-and-time Set a specific date and time for the router reload. Time format: YYYY-MM-DD,HH:MM:SS. Configuration which was not committed will not be available after reload!
reload schedule every Set the time interval for cyclic automatic system reload. Permissible range in seconds is 180 – 604800. Configuration which was not committed will not be available after reload!
reload schedule time Set a specific time for the router reload. Time format: HH:MM:SS. Configuration which was not committed will not be available after reload!
reload schedule in Set a specific timer for the next router reload. Permissible range in seconds is 180 – 604800. Configuration which was not committed will not be available after reload!
reload cancel Cancels all scheduled automatic reloads
reload show Shows user-set scheduled reloads
reload now Performs an immediate system reload

Chapter 11
Monitoring and
Diagnostics
The following topics are covered in this chapter:
• Capturing Ethernet Service Traffic
• Quality of Service (QoS)
• Remote Monitoring Counters
• Syslog
• System Logs Export

11.1 Capturing Ethernet Service Traffic


The SecFlow-1 system supports the selected service IP interface Ethernet traffic
sniffing and capturing. This feature enables network traffic diagnostics and
debugging.
Traffic capturing is available to the IP interfaces specified in the Access Control
Entry (ACE) list.
Captures can be displayed on a terminal, or exported to a user TFTP server.

Commands Hierarchy
+ root
+ capture
- start -i {eth1.<vlan id> | eth1:<id>} [-C] [-s] [-y] [expression <>]
- stop
- delete
- export remote-address <destination address,A.B.C.D>
- show {captured-packets -c <number>| status}
- help

Commands Description

Command Description
capture
Start: initiate Ethernet traffic capture on a selected ACE IP interface.
-i: mandatory prefix to be followed with the IP interface name eth1.<vlan id>, where “vlan id” is the VLAN of the IP interface.
Stop: stop Ethernet traffic capture
Delete: delete capture files
Export remote-address: export the capture file to a TFTP server.
Show captured-packets -c <1-200>: display the captured content up to a chosen length (1-200 lines).
Show status: display capture configuration
Help: display help on settings options

Capturing Traffic
1. Set a VLAN for the service traffic.
router interface create address-prefix 172.18.212.232/24 vlan 1 purpose application-host physical-interface eth2
commit
Commit OK…
router interface show
+------+--------+-----+-------------------+------------------+-------------+
| VLAN | Name   | Id  | IP/Subnet         | Purpose          | Description |
+======+========+=====+===================+==================+=============+
| 1    | eth2.1 | N/A | 172.18.212.232/24 | application host |             |
+------+--------+-----+-------------------+------------------+-------------+

2. Start capturing.
capture start -i eth2.1
capture show
[capture/] show status
capture is running

3. Stop capturing and display the output.
capture stop
capture show captured-packets -c 10
16:55:07.370814 IP 172.18.212.240.netbios-ns > 172.18.212.232.netbios-ns: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
16:55:07.616319 IP 172.18.212.240.17500 > 255.255.255.255.17500: UDP, length 112
16:55:07.616628 IP 172.18.212.240.17500 > 172.18.212.255.17500: UDP, length 112
16:55:07.926503 arp who-has 172.18.212.232 tell 172.18.212.64
16:55:08.122046 IP 172.18.212.240.netbios-ns > 172.18.212.232.netbios-ns: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
16:55:08.258801 arp who-has 172.18.212.232 tell 172.18.212.40
16:55:08.602306 IP 172.18.212.40.17500 > 255.255.255.255.17500: UDP, length 112
16:55:08.604927 IP 172.18.212.40.17500 > 255.255.255.255.17500: UDP, length 112
16:55:08.605016 IP 172.18.212.40.17500 > 172.18.212.255.17500: UDP, length 112
16:55:08.680664 CDPv2, ttl: 180s, Device-ID 'Router'[|cdp]
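The capture output above is tcpdump-style text, which is easy to triage with a small script when a capture is exported rather than read line by line on the console. The following Python script is an added example and is not part of the manual or the SecFlow-1 software; it parses the IP and ARP lines, counts packets per source, per destination port and per broadcast destination, and reports lines it does not understand. The embedded sample is the manual's own ten-line output above with the wrapped lines rejoined; the regular expressions match the tcpdump line shapes shown there and are an assumption for other line types.

```python
"""Summarize tcpdump-style lines such as those printed by capture show."""
import re
from collections import Counter
from typing import Dict

# The manual's capture output above, wrapped lines rejoined (sample input).
SAMPLE_CAPTURE = """\
16:55:07.370814 IP 172.18.212.240.netbios-ns > 172.18.212.232.netbios-ns: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
16:55:07.616319 IP 172.18.212.240.17500 > 255.255.255.255.17500: UDP, length 112
16:55:07.616628 IP 172.18.212.240.17500 > 172.18.212.255.17500: UDP, length 112
16:55:07.926503 arp who-has 172.18.212.232 tell 172.18.212.64
16:55:08.122046 IP 172.18.212.240.netbios-ns > 172.18.212.232.netbios-ns: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
16:55:08.258801 arp who-has 172.18.212.232 tell 172.18.212.40
16:55:08.602306 IP 172.18.212.40.17500 > 255.255.255.255.17500: UDP, length 112
16:55:08.604927 IP 172.18.212.40.17500 > 255.255.255.255.17500: UDP, length 112
16:55:08.605016 IP 172.18.212.40.17500 > 172.18.212.255.17500: UDP, length 112
16:55:08.680664 CDPv2, ttl: 180s, Device-ID 'Router'[|cdp]
"""

# "ts IP a.b.c.d.port > e.f.g.h.port: info"; the port is everything after the last dot.
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<info>.*)$")
ARP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")


def is_broadcast(addr: str) -> bool:
    """Limited broadcast or the usual /24-style directed broadcast."""
    return addr == "255.255.255.255" or addr.endswith(".255")


def summarize(text: str) -> Dict[str, object]:
    """Count packets per source, per destination port, and per line class."""
    talkers: Counter = Counter()
    ports: Counter = Counter()
    arp_targets: Counter = Counter()
    stats = {"ip": 0, "arp": 0, "other": 0, "broadcast": 0}
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            stats["ip"] += 1
            talkers[m["src"]] += 1
            ports[m["dport"]] += 1
            if is_broadcast(m["dst"]):
                stats["broadcast"] += 1
            continue
        m = ARP_LINE.match(line)
        if m:
            stats["arp"] += 1
            arp_targets[m["target"]] += 1
            continue
        stats["other"] += 1          # e.g. the CDP line: not decoded here
    return {"stats": stats, "talkers": dict(talkers),
            "ports": dict(ports), "arp_targets": dict(arp_targets)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE).items():
        print(key, value)
```

On the sample, half of the traffic is broadcast from two hosts on UDP port 17500, which is the kind of background noise a capture filter expression should exclude before looking for the service traffic the ACE interface was created for.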

11.2 Quality of Service (QoS)


The SCADA serial services can play a very important role in the utility process and
require high network availability. QoS allows setting priority for serial services.

QOS Commands Hierarchy
+ qos
- mark-rule create {[src-ip <A.B.C.D/E>]| [dest-ip <A.B.C.D/E>]} [{protocol {tcp| udp}} [src-port <1-65535>] [dest-port <1-65535>]] {dscp <0-63>}
- mark-rule remove {src-ip <A.B.C.D/E>} [dest-ip <A.B.C.D/E>]
- mark-rule show
- show

QOS Commands Description

Command Description
qos This command enters the quality of service configuration mode.
mark-rule create | update | show
src-ip: IPv4 source IP of the packet, A.B.C.D/E. Should be one of the SecFlow-1 IP interfaces.
dest-ip: IPv4 destination IP of the packet.
protocol: tcp|udp protocol used in the packet.
src-port: protocol source port used in the packet
dest-port: protocol destination port used in the packet

11.3 Remote Monitoring Counters


Remote Monitoring (RMON) is a standard monitoring specification that enables
various network monitors and console systems to exchange network monitoring
data.
The RMON specification defines a set of statistics and functions that can be
exchanged between RMON-compliant console managers and network probes.
RMON provides network administrators with comprehensive network-fault
diagnosis, planning, and performance-tuning information.

RMON counters present the statistics for a given port.

 To display the RMON counters:


SF1# port show rmon-etherstat-table port eth1

Interface ETH1
+---------------+---------+----------------+-------+
| Counter Name | Value | Counter Name | Value |
+===============+=========+================+=======+
| total packets | 58293 | undersize | 0 |
+---------------+---------+----------------+-------+
| total octets | 5087188 | oversize | 0 |
+---------------+---------+----------------+-------+
| broadcast | 1110 | Size 64 | 798 |
+---------------+---------+----------------+-------+
| multicast | 56923 | Size 65-127 | 57227 |
+---------------+---------+----------------+-------+
| align error | 0 | Size 128-255 | 152 |
+---------------+---------+----------------+-------+
| dropped event | 0 | Size 256-511 | 41 |
+---------------+---------+----------------+-------+
| fragmented | 0 | Size 512-1023 | 73 |
+---------------+---------+----------------+-------+
| jabbers | 0 | Size 1024-1518 | 2 |
+---------------+---------+----------------+-------+

SF1# port show interface-table port eth1

Interface ETH1
+------------------------+---------+-------------------------+---------+
| Counter Name | Value | Counter Name | Value |
+========================+=========+=========================+=========+
| In non-unicast packets | 29873 | Out non-unicast packets | 28162 |
+------------------------+---------+-------------------------+---------+
| In unicast packets | 254 | Out unicast packets | 6 |
+------------------------+---------+-------------------------+---------+
| In errors packets | 0 | Out errors packets | 0 |
+------------------------+---------+-------------------------+---------+
| In octets | 2660130 | Out octets | 2427230 |
+------------------------+---------+-------------------------+---------+
| In discards | 0 | Out discards | 0 |
+------------------------+---------+-------------------------+---------+
| In unknown protos | 0 | | |
+------------------------+---------+-------------------------+---------+

11.4 Syslog
Syslog is a standard for network device message logging. It permits separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. Syslog can be used to integrate log data from many systems into a central repository.
Configuring debug logging specifies where debug logs are displayed: on the console or in a file.
The user enables the syslog server and configures the syslog-related parameters. The logging process controls the distribution of logging messages to the various destinations, such as the logging buffer, logging file, or syslog server.
When the syslog feature is disabled, the existing syslog buffers are not cleared and none of the configured options are changed.
The severity of logging can be set with its numeric value <0-7> or its name tag. When configuring a server, a priority tag reflecting the level of the message and the facility should be set.

Commands Hierarchy
+ root
+ syslog
- level severity { emergencies | alerts | critical |
errors | warnings | notification | informational
|debugging}
- remote {remote-address <a.b.c.d>} [remote-port
(514,<514-9999>)]
- local
- show

Commands Description

Command Description

syslog show Display tasks

Priority Indicator
The priority indicator is calculated as follow:
Priority = 8x facility_coefficient + severity_level.

Table 11-1. Priority Indicator

+----------------------+----------+--------------+
| Facility coefficient | Facility | Priority     |
+======================+==========+==============+
| 16                   | Local0   | 16x8 + level |
| 17                   | Local1   | 17x8 + level |
| 18                   | Local2   | 18x8 + level |
| 19                   | Local3   | 19x8 + level |
| 20                   | Local4   | 20x8 + level |
| 21                   | Local5   | 21x8 + level |
| 22                   | Local6   | 22x8 + level |
| 23                   | Local7   | 23x8 + level |
+----------------------+----------+--------------+

Table 11-2 shows the syslog message priority tags with facility local0.

Table 11-2. Syslog Message Priority

+---------------+---------+---------------+----------------------+
| Level         | Purpose | Numeric Level | Priority (w. local0) |
+===============+=========+===============+======================+
| emergencies   |         | 0             | 16x8+0=128           |
| alerts        |         | 1             | 129                  |
| critical      |         | 2             | 130                  |
| errors        |         | 3             | 131                  |
| warnings      |         | 4             | 132                  |
| notification  |         | 5             | 133                  |
| informational |         | 6             | 134                  |
| debugging     |         | 7             | 135                  |
+---------------+---------+---------------+----------------------+

Syslog Output Example

The example below shows a typical syslog output on the console interface.
May 18 19:27:48 SmartSwitch user.warn kernel: Speed 100 Duplex 1 pause 0
May 18 19:27:48 SmartSwitch user.warn kernel: adjust_link Addr 1 link 0 speed 100 o 100 dup 1 o 1
May 18 19:27:48 SmartSwitch user.info kernel: PHY: mdio@ff724000:01 - Link is Down
May 18 19:27:50 SmartSwitch user.warn kernel: adjust_link Addr 1 link 1 speed 100 o 0 dup 1 o -1
May 18 19:27:50 SmartSwitch user.info kernel: PHY: mdio@ff724000:01 - Link is Up - 100/Full
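The priority indicator formula and Tables 11-1 and 11-2 above, together with the two message shapes this chapter shows (the `<134>...` lines in the SNTP section and the `host facility.severity` lines just above), are enough to decode and filter the device's log output on a collector. The Python script below is an added example and is not part of the manual or the SecFlow-1 software; it computes PRI from facility and severity names, decodes a PRI back into names, parses both line shapes, and keeps only records at a chosen severity or worse. The facility codes outside local0-local7 and the abbreviated severity names (warn, info) are the standard syslog values, not something the manual lists; the sample lines are copied from this chapter.

```python
"""Syslog PRI arithmetic (PRI = 8 * facility + severity) and a line decoder."""
import re
from typing import Dict, List, Optional, Tuple

# Standard facility codes; local0-local7 are 16-23 as in Table 11-1.
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Severity names as the SecFlow-1 CLI spells them (Table 11-2).
SEVERITIES: Dict[str, int] = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notification": 5, "informational": 6, "debugging": 7,
}
# Short forms that appear in the console output ("user.warn", "user.info").
SEVERITY_ALIASES: Dict[str, int] = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warn": 4, "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

PRI_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
TAGGED_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<fac>\w+)\.(?P<sev>\w+) (?P<msg>.*)$")


def severity_level(name: str) -> int:
    """Map a full or abbreviated severity name to its numeric level 0-7."""
    key = name.lower()
    return SEVERITIES[key] if key in SEVERITIES else SEVERITY_ALIASES[key]


def priority(facility: str, severity: str) -> int:
    """Priority indicator exactly as the manual defines it."""
    return 8 * FACILITIES[facility.lower()] + severity_level(severity)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    fac_name = next((n for n, v in FACILITIES.items() if v == fac), f"facility{fac}")
    sev_name = next(n for n, v in SEVERITIES.items() if v == sev)
    return fac_name, sev_name


def parse_line(line: str) -> Optional[dict]:
    """Decode a "<PRI>..." line or a "ts host facility.severity msg" line."""
    m = PRI_LINE.match(line)
    if m:
        pri = int(m["pri"])
        fac, sev = decode_pri(pri)
        return {"pri": pri, "facility": fac, "severity": sev, "message": m["rest"]}
    m = TAGGED_LINE.match(line)
    if m:
        pri = priority(m["fac"], m["sev"])
        fac, sev = decode_pri(pri)
        return {"pri": pri, "facility": fac, "severity": sev,
                "host": m["host"], "message": m["msg"]}
    return None


def filter_at_least(lines: List[str], threshold: str) -> List[dict]:
    """Keep records at `threshold` severity or more severe (lower number)."""
    limit = severity_level(threshold)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and severity_level(rec["severity"]) <= limit:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    sample = [
        "<134>Feb 6 12:26:52 ISS SNTP Old Time:Sat Jan 01 2000 00:01:35 (UTC +00:00)",
        "May 18 19:27:48 SmartSwitch user.warn kernel: Speed 100 Duplex 1 pause 0",
    ]
    for rec in filter_at_least(sample, "warnings"):
        print(rec["pri"], rec["facility"], rec["severity"], rec["message"])
```

Note that severity numbers run the opposite way from urgency: a threshold of warnings keeps levels 0-4 and drops the informational (6) SNTP line, which is why the filter compares with `<=`.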

11.5 System Logs Export


The SecFlow-1 system logs can be exported to the flash drive as a time
conditioned task using the below commands.

Commands Hierarchy
+ root
+ schedule
- add task-name copy-logs [day |hour |minute |month |year]
- remove task-name copy-logs
- show

Commands Description

Command Description
schedule Manages the scheduled task that copies system logs to the USB drive. To load a USB drive, insert it into the router USB port and reboot the router.
add task-name copy-logs Add a scheduled task to copy system logs to the USB drive.
Day : <1-31>
Month : <1-12>
year : <2013-3000>
hour : <1-24>
minute : <1-60>
remove task-name copy-logs Remove a scheduled task to copy system logs to the USB drive.
show Display tasks

11.6 Technical Support


Technical support for this product can be obtained from the local partner from
whom it was purchased.
RADcare Global Professional Services offers a wide variety of service, support and
training options, including expert consulting and troubleshooting assistance,
online tools, regular training programs, and various equipment coverage options.
For further information, please contact the RAD partner nearest you or one of
RAD's offices worldwide.
RAD Data Communications would like your help in improving its product
documentation. Please send us an e-mail with your comments.
Thank you for your assistance!

Chapter 12
Software Upgrade
This chapter explains how to upgrade SecFlow-1 for software version 4.1.
Software upgrade is required to fix product limitations, enable new features, or
to make the unit compatible with other devices that are already running the new
software version.
The device can store up to two software images, referred to as OS versions, that
cannot be overwritten.

Note Before downloading a new OS file, make sure that SecFlow-1 has only one (the
active) file. If needed, delete the unused file before attempting to download a
new one.

You can designate any of the versions as active. The non-active version serves as
a backup that can be used if the active software becomes corrupted.
The information in this chapter includes the following:
• Software packs that can be loaded into each device
• Detailed conditions required for the upgrade
• Any impact the upgrade may have on the system
• Description of downloading options
A software version can be downloaded to SecFlow-1 via SFTP/TFTP with the download-sw command. The downloaded version can be installed as the active software with the activate command.

12.1 Compatibility Requirements


Following are the software releases that can be upgraded to version 4.1:
• Software – Ver. 4.0

12.2 Prerequisites
Before starting the upgrade, verify that you have the following:
• For upgrade via SFTP/TFTP:
 Operational SecFlow-1 unit with valid IP address
 Connection to a PC with an SFTP/TFTP server application and a valid IP address
 Software image stored on the PC. The image file (and exact name) can be obtained from the local RAD business partner from whom the device was purchased

Note The image file name is case-sensitive, so make sure that the downloading software does not alter the letter case in the file name.

12.3 Upgrading SecFlow-1 Software


System software can be upgraded via a TFTP/SFTP server.

Commands Hierarchy
+ root
- os-image show-list
- os-image activate version-name <file_name>
- os-image delete version-name <file_name>
- os-image download download-sw sftp://user:password@aa.bb.cc.dd/file_name
- os-image download download-sw tftp://aa.bb.cc.dd/file_name
- os-image download-status

Upgrading via TFTP


Remote upgrade process includes the following steps:
• Establishing management channel via IP or console
• Establishing IP connectivity with the TFTP or SFTP server
• Removing unused OS-image files
• Downloading OS image
• Activating OS image
Figure 12-1 illustrates the SecFlow-1 OS image file upgrade.

[Figure 12-1 (front-panel drawing): a PC running CRT/PuTTY connected to the SecFlow-1 console port; the SecFlow-1 interface ETH1:1 (192.168.2.101) connected over ETH1 to a TFTP server at 192.168.2.240]

Figure 12-1. SecFlow-1 System Upgrade
 To upgrade the SecFlow-1 OS file:


1. Connect your PC via the serial console cable to the SecFlow-1 console port.
2. Create an IP interface over the eth1 port.
SecFlow-1# router interface create address-prefix 192.168.2.101/24 physical-interface eth1 purpose application-host

3. Check connectivity with the TFTP server.
PING 192.168.2.240 (192.168.2.240): 56 data bytes
64 bytes from 192.168.2.240: seq=0 ttl=64 time=1.026 ms
64 bytes from 192.168.2.240: seq=1 ttl=64 time=0.642 ms
64 bytes from 192.168.2.240: seq=2 ttl=64 time=0.647 ms

4. Display the available OS files.
SecFlow-1# os-image show-list
Versions list:
SF_0290_4.1.01.17.tar (active)
SF_0290_4.1.01.12.tar

5. Delete the unused OS files.
SecFlow-1# os-image delete version-name SF_0290_4.1.01.12.tar
SecFlow-1# os-image show-list
Versions list:
SF_0290_4.1.01.17.tar (active)
SecFlow-1#

6. Download the new OS file from the TFTP server.
Command syntax:
SecFlow-1# os-image download download-sw tftp://aa.bb.cc.dd/file_name
Example:
os-image download download-sw tftp://192.168.2.240/SF_0290_4.1.01.70.tar

7. Follow the download progress.
SecFlow-1# os-image download-status
In progress 3 MB
SecFlow-1# os-image download-status
In progress 10 MB
SecFlow-1# os-image download-status
In progress 16 MB
SecFlow-1# os-image download-status
Finished Download

8. Activate the desired OS file. The device automatically reboots after activation.
SecFlow-1# os-image activate version-name SF_0290_4.1.01.70.tar

12.4 Verifying Upgrade Results


To verify that the upgrade was successful, use the os-image show-list command.

 To verify the upgrade result:


1. Type os-image show-list in the root.
The versions list is displayed. The running OS file is marked as active.
SecFlow-1# os-image show-list
Versions list:
SF_0290_4.1.01.17.tar (active)

12.5 Restoring the Previous Version


SecFlow-1 can be rolled back to the previous version. Install the version according
to the procedure described above, as if it were a new version.

Note User configuration file is lost when the previous version is restored.

Appendix A
Connection Data

A.1 RS-232 Port


The SecFlow-1 RS-232 ports are terminated with RJ45 connectors. The CBL-RJ45/DB9/NULL adapter cable, with an RJ45 male connector on one side and a DB-9 female connector on the other side (Figure A-1), can be ordered from RAD.

Note This cable can be used when no control lines are needed.

[Figure A-1: serial port at the router (RJ45) and DB-9 female connector for the end device]

Figure A-1. CBL-RJ45/DB9/NULL Cable Connectors

Caution To avoid damaging the serial port, do not use the SecFlow-1 console cable (colored white) for user serial port connections.

Table A-1. CBL-RJ45/DB9/NULL Cable Pinout

+-------------------+-----------+-------------+--------+
| Cross Cable Pin               | SecFlow-1 Port Pin   |
+-------------------+-----------+-------------+--------+
| Female DB-9 (DTE) | Male RJ45 | Female RJ45 | Signal |
+===================+===========+=============+========+
| 2                 | 6         | 6           | Tx     |
| 3                 | 5         | 5           | Tx     |
| 5                 | 4         | 4           | GND    |
+-------------------+-----------+-------------+--------+

SecFlow-1 serial ports are terminated in RJ45 connectors. The user serial equipment standard ports have DB-9 connectors. Refer to Table A-2 for the RJ45 connector pinout.

Table A-2. SecFlow-1 Serial Port Pin Assignment

+------+--------------------+
| Line | RJ45 Connector Pin |
+======+====================+
| DCD  | 2                  |
| Tx   | 6                  |
| Rx   | 5                  |
| DSR  | 1                  |
| GND  | 4                  |
| DTR  | 3                  |
| CTS  | 7                  |
| RTS  | 8                  |
+------+--------------------+

A.2 RS-485 Port

The RS-485 port is an RJ45 port. Four-wire mode is supported.

Table A-3. RS-485 Port Pin Assignment

+--------------+-------------+-----------+
| RJ-45 Female | Router Port | Direction |
+==============+=============+===========+
| 1            | B (+)       | Rx        |
| 4            | GND         |           |
| 5            | A (-)       | Rx        |
| 6            | B (+)       | Tx        |
| 8            | A (-)       | Tx        |
+--------------+-------------+-----------+

A.3 Console Port


SecFlow-1 is connected to an ASCII terminal via an 8-pin RJ45 female connector
located on the front panel.

Figure A-2. SecFlow-1 Console Port

Console port pinout is specified in Table A-4.

Table A-4. Console Port Pinout

+-----------------+-----+-------------+-----+
| Device Side           | PC Side           |
| RJ45 Pinout           | DB-9 Pinout       |
+=================+=====+=============+=====+
| TOD RX (Input)  | 1   | CTS         | 8   |
| CLI RX (Input)  | 2   | DSR         | 6   |
| CLI TX (Output) | 3   | RXD         | 2   |
| GND             | 4   | GND         | 5   |
| GND             | 5   | GND         | 5   |
| CLI RX (Input)  | 6   | TXD         | 3   |
| N.C.            | 7   | DTR         | 4   |
| TOD TX (Output) | 8   | RTS         | 7   |
+-----------------+-----+-------------+-----+

The table below displays the console cable pinout.

Table A-5. Console Cable Pinout

+---------------------+----------------------+
| RJ45 Male Connector | DB9 Female Connector |
+=====================+======================+
| 1                   | -                    |
| 2                   | 3                    |
| 3                   | 2                    |
| 4                   | 5                    |
| 5                   | 5                    |
| 6                   | -                    |
| 7                   | -                    |
| 8                   | -                    |
+---------------------+----------------------+

Appendix B
Test Plan

B.1 Introduction
This appendix describes basic verification tests for SecFlow-1. The aim is to
perform a series of short tests that check the following:
• IP connectivity and management
• DHCP client
• VLAN tagging, IP interfaces, static routing
• NAT
• DMVPN
• IEC 101/104 gateway
• OSPF

B.2 Required Equipment

Devices Used for Testing

+----------+-----------+------------+------------+
| Function | Product   | HW Version | SW Version |
+==========+===========+============+============+
| DFT      | SecFlow-2 |            | 4.1        |
+----------+-----------+------------+------------+

Third Party Test Equipment

Devices under Test

+-----------+------------+------------+
| Function  | HW Version | SW Version |
+===========+============+============+
| SecFlow-1 |            | 4.1        |
+-----------+------------+------------+

Test Equipment

+-----------------------+------------------+------+----------------------------------+
| Function              | Requirements     | Unit | Notes                            |
+=======================+==================+======+==================================+
| PC                    | PC with COM port |      |                                  |
| ETH Cable             | Straight         |      | Standard straight Ethernet cable |
| Serial testing device | HBT/Fireberd     |      |                                  |
| SCADA simulator       |                  |      |                                  |
| RTU simulator         |                  |      |                                  |
+-----------------------+------------------+------+----------------------------------+

Note
All tests should pass if the following procedures are performed precisely.

B.3 IP Connectivity and Management Test

The objective of this test is to establish IP connectivity between a PC and the router over the copper Ethernet port.

Preparing the Test Layout

Figure B-1. IP Connectivity Test

Estimated Duration
The estimated duration of this test is 10 minutes.

Test Procedure
Table B-1 details the IP connectivity and management test procedure.

Table B-1. IP Connectivity and Management Test Procedure

+---+-----------------------------------------+-------------------------------------------+--------+
| # | Action                                  | Expected Result                           | Result |
+===+=========================================+===========================================+========+
| 1 | Establish management via the terminal   |                                           |        |
| 2 | Assign IP interface to eth1             |                                           |        |
| 3 | Connect the PC to the eth1 port. Set    |                                           |        |
|   | the PC IP address so that it belongs to |                                           |        |
|   | the router subnet.                      |                                           |        |
| 4 | Check the following:                    | Stable ping response, SSH connectivity,   |        |
|   | • Ping between PC and router            | Telnet, EMS connectivity, router counters |        |
|   | • SSH between PC and router             | increase                                  |        |
|   | • Telnet between PC and router          |                                           |        |
|   | • EMS connectivity                      |                                           |        |
|   | • Router counters                       |                                           |        |
+---+-----------------------------------------+-------------------------------------------+--------+

Configuring Devices
1. Create an untagged IP interface at eth1.
SecFlow-1#
router interface create address-prefix 192.168.2.101/24 purpose
application-host physical-interface eth1
commit

Viewing Results
1. Verify configuration.
SecFlow-1# router interface show
+----+------+--------+-------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name | IP/Subnet | Mtu | Purpose | Admin status | Description |
+====+======+========+===================+======+==================+==============+=============+
| 1 | N/A | N/A | 192.168.2.101/24 | 1500 | application host | enable | |
+----+------+--------+-------------------+------+------------------+--------------+-------------+

2. Verify eth1 port synchronization.
SecFlow-1# port show status
+-----+------+------+------+---------+-------------+-------+--------+---------+------+
| idx | slot | port | link | admin   | auto        | speed | duplex | sfp     | sfp  |
|     |      |      |      | status  | negotiation |       |        | present | type |
+=====+======+======+======+=========+=============+=======+========+=========+======+
| 1   | 1    | eth1 | UP   | enabled | on          | 100M  | half   |         |      |
+-----+------+------+------+---------+-------------+-------+--------+---------+------+
| 2   | 1    | eth2 | DOWN | enabled | on          | 10M   | half   | No      |      |
+-----+------+------+------+---------+-------------+-------+--------+---------+------+

3. Verify SSH from the PC to the router.

4. Verify counters progressing in eth1 port.
SecFlow-1# port show interface-table port eth1
Interface ETH1
+------------------------+--------+-------------------------+-------+
| Counter Name           | Value  | Counter Name            | Value |
+========================+========+=========================+=======+
| In non-unicast packets | 4392   | Out non-unicast packets | 233   |
+------------------------+--------+-------------------------+-------+
| In unicast packets     | 51     | Out unicast packets     | 42    |
+------------------------+--------+-------------------------+-------+
| In errors packets      | 0      | Out errors packets      | 0     |
+------------------------+--------+-------------------------+-------+
| In octets              | 310371 | Out octets              | 22704 |
+------------------------+--------+-------------------------+-------+
| Unknown packets        | 0      |                         |       |
+------------------------+--------+-------------------------+-------+

B.4 DHCP Client


The objective of this test is DHCP client functionality.

Preparing the Test Layout

Figure B-2. DHCP Client Test

Estimated Duration
The estimated duration of this test is 20 minutes.

Test Procedure
Table B-2 details the DHCP client test procedure.

Table B-2. DHCP Client Test Procedure

#  Action                              Expected Result                                            Result
1  Establish DHCP server (SecFlow-2)
2  Configure SecFlow-1 as DHCP client
3  Verify DHCP clients function        DHCP clients receive the IP address from the server pool.

Configuring Devices
SecFlow-2 configuration steps:
• Set the service VLAN and assign the ports.
• Configure the GCE interface for the service VLAN.
• Configure the DHCP server:
  - Set the pool, default gateway and excluded range
  - Set IP allocation to port 0/1 as port-identifier
  - Set IP allocation to port 0/2 from the pool
SecFlow-1 configuration steps:
• Enable DHCP on eth1.

DHCP Server Configuration (SecFlow-2)


set host-name dhcp-server
config
interface vlan 1
ip address 172.17.203.100 255.255.255.0
no shutdown
exit
no service dhcp-relay
service dhcp-server
ip dhcp pool 1
network 172.17.203.0 255.255.255.0
excluded-address 172.17.203.1 172.17.203.10
default-router 172.17.203.100
host hardware-type 1 port-identifier interface fast 0/1 ip 172.17.203.110
end

DHCP Client Configuration (SecFlow-1)


SecFlow-1# router dhcp enable physical-interface eth1
Completed OK

Viewing Results

Server View (SecFlow-2)


dhcp-server# show ip dhcp server binding
Ip Address      Hw Type   Hw Address          Hw Port  Binding State  Expire Time
--------------  --------  ------------------  -------  -------------  --------------------
172.17.203.11   Ethernet  60:64:a1:01:19:90            Assigned       Nov 25 02:20:52 2000
172.17.203.110  Ethernet  54:53:ed:2b:19:86   1        Assigned       Nov 25 02:18:59 2000
dhcp-server# show ip dhcp server pools
Pool Id : 1
-------------------------------------------
Subnet : 172.17.203.0
Subnet Mask : 255.255.255.0
Lease time : 3600 secs
Utilization threshold : 75%
Start Ip : 172.17.203.1
End Ip : 172.17.203.254
Exclude Address Start IP : 172.17.203.1
Exclude Address End IP : 172.17.203.10
Host Configurations
-------------------
Client Identifier IP address
54:53:ed:2b:19:86 172.17.203.110
Port Identifier IP address
Fa0/1 172.17.203.110

Client View (SecFlow-1)


SecFlow-1# router interface show
+-----+------+------+------------------+-----+---------+--------------+-------------+
| Id  | VLAN | Name | IP/Subnet        | Mtu | Purpose | Admin status | Description |
+=====+======+======+==================+=====+=========+==============+=============+
| N/A | N/A  | eth1 | 172.17.203.11/24 | N/A | N/A     | N/A          | DHCP        |
+-----+------+------+------------------+-----+---------+--------------+-------------+
SecFlow-1#
SecFlow-1# router route show
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.203.100 0.0.0.0 UG 0 0 0 eth1
172.17.203.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
Completed OK
SecFlow-1#


Client View (PC)

Figure B-3. PC DHCP Client View

B.5 VLAN Tagging, IP Interfaces, Static Routing


The objective of this test is to verify VLAN, IP interface, and static routing functionality.

Preparing the Test Layout

Figure B-4. VLAN, IP Interfaces, and Static Routing Test

Estimated Duration
The estimated duration of this test is 30 minutes.

Test Procedure
Table B-3 details the VLAN, IP interfaces, and static routing test procedure.

Table B-3. VLAN, IP Interfaces, and Static Routing Test Procedure

#  Action                 Expected Result                                        Result
1  Configure SecFlow-2
2  Configure SecFlow-1
3  Verify IP interfaces   All IP interfaces are assigned to the proper VLANs
4  Verify Static Routes   The static routing table is correct

Configuring Devices
SecFlow-2 configuration steps:
• Configure VLANs 2 and 3, and assign the requested port as a member
• Configure VLAN 4 and assign the requested port as a member
• Configure GCE IP interfaces
• Configure GCE static route for 192.168.1.x via 192.168.2.102
SecFlow-1 configuration steps:
• Configure IP interface with no VLAN for eth1
• Configure IP interfaces with VLAN 2, VLAN 3 for eth2
• Configure static route for 192.168.4.x via 192.168.2.101
Set the SecFlow-1 interface 192.168.1.102 as the PC1 default gateway.
Set the SecFlow-2 interface 192.168.4.101 as the PC2 default gateway.
Verify ping connectivity between:
• SecFlow-1 and the SecFlow-2 interface 192.168.4.101
• PC1 and the SecFlow-1 interfaces, SecFlow-2 interfaces, and PC2.

SecFlow-2 Configuration
SecFlow-2#
config
vlan 2
ports fastethernet 0/2
exit
vlan 3
ports fastethernet 0/2
exit
vlan 4
ports fastethernet 0/1 untagged all
exit
interface fast 0/1
switchport pvid 4
exit
interface vlan 2
ip address 192.168.2.101 255.255.255.0
no shutdown
exit
interface vlan 3
ip address 192.168.3.101 255.255.255.0
no shutdown
exit


interface vlan 4
ip address 192.168.4.101 255.255.255.0
no shutdown
exit
ip route 192.168.1.0 255.255.255.0 192.168.2.102 1
end

Viewing IP Interfaces
SecFlow-2# show ip interface
vlan2 is up, line protocol is up
Internet Address is 192.168.2.101/24
Broadcast Address 192.168.2.255
vlan3 is up, line protocol is up
Internet Address is 192.168.3.101/24
Broadcast Address 255.255.255.255
Vlan4 is up, line protocol is up
Internet Address is 192.168.4.101/24
Broadcast Address 255.255.255.255

SecFlow-1 Configuration
SecFlow-1#
router interface create address-prefix 192.168.1.102/24 purpose application-host physical-interface eth1
router interface create address-prefix 192.168.2.102/24 vlan 2 purpose general physical-interface eth2
router interface create address-prefix 192.168.3.102/24 vlan 3 purpose general physical-interface eth2
router static
router/static> enable
router/static# configure terminal
router/static(config)# ip route 192.168.4.0/24 192.168.2.101
router/static(config)# write memory
router/static(config)# exit
router/static# exit
commit

Viewing Static Routing


SecFlow-1# router interface show
+----+------+--------+------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet        | Mtu  | Purpose          | Admin status | Description |
+====+======+========+==================+======+==================+==============+=============+
| 1  | N/A  | eth1:1 | 192.168.1.102/24 | 1500 | application host | enable       |             |
+----+------+--------+------------------+------+------------------+--------------+-------------+
| 2  | 2    | eth2.2 | 192.168.2.102/24 | 1500 | general          | enable       |             |
+----+------+--------+------------------+------+------------------+--------------+-------------+
| 3  | 3    | eth2.3 | 192.168.3.102/24 | 1500 | general          | enable       |             |
+----+------+--------+------------------+------+------------------+--------------+-------------+


SecFlow-1# router route show
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.2
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.3
192.168.4.0 192.168.2.101 255.255.255.0 UG 0 0 0 eth2.2
Completed OK
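Table B-3 step 4 asks for "the static routing table is correct". The following added example (not RAD's code) parses the netstat-style `router route show` output printed above and resolves sample destinations by longest-prefix match, so the next hops implied by the configuration steps can be asserted rather than read by eye; the sample destinations and the table layout it assumes are taken from this test.

```python
"""Check a SecFlow-1 'router route show' table against the expected next hops.

Added example (not RAD's code). Parses the netstat-style "Kernel IP routing
table" text the manual prints and resolves destinations by longest-prefix
match, so Table B-3 step 4 ("the static routing table is correct") becomes an
assertion instead of an eyeball check.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Route table as printed by SecFlow-1 after the B.5 configuration (copied from
# the manual's output with whitespace collapsed).
ROUTE_SHOW = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.2
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.3
192.168.4.0 192.168.2.101 255.255.255.0 UG 0 0 0 eth2.2
Completed OK
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None when directly connected
    iface: str
    flags: str


def parse_route_show(text: str) -> List[Route]:
    """Turn the CLI dump into Route records; title, header and trailer lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts[:8]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        # A gateway route must carry the G flag and a connected route must not.
        if (gateway is not None) != ("G" in flags):
            raise ValueError(f"gateway/flags mismatch in line: {line!r}")
        routes.append(Route(network, gateway, iface, flags))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; None when no route covers dst (this table has no default route)."""
    addr = ipaddress.IPv4Address(dst)
    matching = [r for r in routes if addr in r.network]
    return max(matching, key=lambda r: r.network.prefixlen, default=None)


def check_expected(routes: List[Route],
                   expected: Dict[str, Tuple[Optional[str], str]]) -> List[str]:
    """expected maps a destination host to (gateway or None, egress interface).

    Returns human-readable mismatches; an empty list means the table is as planned.
    """
    problems: List[str] = []
    for dst, (want_gw, want_iface) in expected.items():
        route = lookup(routes, dst)
        if route is None:
            problems.append(f"{dst}: no route")
            continue
        got_gw = None if route.gateway is None else str(route.gateway)
        if (got_gw, route.iface) != (want_gw, want_iface):
            problems.append(f"{dst}: via {got_gw} on {route.iface}, "
                            f"expected {want_gw} on {want_iface}")
    return problems


# What the B.5 configuration steps should produce: PC1's subnet is connected on
# eth1, PC2's subnet (192.168.4.x) goes via the SecFlow-2 VLAN 2 address.
EXPECTED_B5 = {
    "192.168.1.50": (None, "eth1"),
    "192.168.3.101": (None, "eth2.3"),
    "192.168.4.50": ("192.168.2.101", "eth2.2"),
}

if __name__ == "__main__":
    table = parse_route_show(ROUTE_SHOW)
    issues = check_expected(table, EXPECTED_B5)
    print("routing table OK" if not issues else "\n".join(issues))
    print("8.8.8.8 is unroutable:", lookup(table, "8.8.8.8") is None)
```

The same parser reads the hub and spoke route tables of the DMVPN test in B.7, since they share the layout.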

B.6 NAT
The objective of this test is to verify NAT functionality.

Preparing the Test Layout

Figure B-5. NAT Test

Estimated Duration
The estimated duration of this test is 20 minutes.

Test Procedure
Table B-4 details the NAT test procedure.

Table B-4. NAT Test Procedure

#  Action                                Expected Result                                 Result
1  Configure SecFlow-1
2  Configure the NAT server (SecFlow-2)
3  Verify SecFlow-1 IP connectivity      SecFlow-1 receives the correct IP addresses
4  Verify Static Routes                  Proper ping and SSH connectivity from the PC


Configuring Devices
SecFlow-1 configuration steps:
• Set the WAN port IP interface
• Set the LAN port IP interface
• Configure dynamic NAT for the WAN interface
• Configure static NAT to direct WAN traffic with TCP port 23 towards the router LAN interface for management
• Configure static NAT to direct WAN traffic with TCP port 22 towards the LAN-connected server.
Assign the SecFlow-1 LAN interface as the default gateway of the LAN server device.
The WAN client does not have a route to the private LAN subnet.
Verify ping connectivity:
• Between the WAN client and the SecFlow-1 WAN interface
• Between the LAN server and the SecFlow-1 LAN interface.
From the WAN client, open a TCP connection on port 23 for router management.
From the WAN client, open a TCP connection on port 22 to the server.

Router (SecFlow-1) Configuration


1. Set the LAN side interface.
router interface create address-prefix 10.10.10.10/24 physical-interface eth1 description LAN purpose application-host
2. Set the WAN side ACE interface.
router interface create address-prefix 192.168.10.11/24 physical-interface eth2 description WAN purpose general
3. Set the dynamic NAT using the WAN ACE interface.
router nat dynamic create interface-name eth2:2 description wan
4. Set the static NAT directing WAN traffic targeted to 192.168.10.11 on TCP port 2500 towards 10.10.10.10 port 23 (Telnet). This enables SecFlow-1 management from the PC.
router nat static create original-ip 192.168.10.11 modified-ip 10.10.10.10 original-port 2500 modified-port 23 protocol tcp
5. Set the static NAT directing WAN traffic targeted to 192.168.10.11 on TCP port 22 (SSH) towards 10.10.10.100 port 22. This enables a PC SSH session with the server.
router nat static create original-ip 192.168.10.11 modified-ip 10.10.10.100 original-port 22 modified-port 22 protocol tcp
6. Commit the settings.
commit


Server (SecFlow-2) Configuration


1. Set the LAN side interface.
set host-name server
config
interface vlan 1
ip address 10.10.10.100 255.255.255.0
no shutdown
exit
2. Set the SecFlow-1 router interface as default gateway.
ip route 0.0.0.0 0.0.0.0 10.10.10.10
end
write startup-cfg

Viewing SecFlow-1 Connectivity


SecFlow-1# router interface show
+----+------+--------+------------------+------+---------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet        | Mtu  | Purpose | Admin status | Description |
+====+======+========+==================+======+=========+==============+=============+
| 1  | N/A  | eth1:1 | 10.10.10.10/24   | 1500 | general | enable       | LAN         |
+----+------+--------+------------------+------+---------+--------------+-------------+
| 2  | N/A  | eth2:2 | 192.168.10.11/24 | 1500 | general | enable       | WAN         |
+----+------+--------+------------------+------+---------+--------------+-------------+
[router/]nat dynamic show
+---------+---------+-------------+
| Rule-Id | If-Name | Description |
+=========+=========+=============+
| 1       | eth2:2  | wan         |
+---------+---------+-------------+
SecFlow-1# router nat static show
+---------+-----------------+-------------------+----------+-----------------+-------------------+
| Rule-Id | Original-Dst-IP | Original-Dst-Port | Protocol | Modified-Dst-IP | Modified-Dst-Port |
+=========+=================+===================+==========+=================+===================+
| 1       | 192.168.10.11   | 2500              | tcp      | 10.10.10.10     | 23                |
+---------+-----------------+-------------------+----------+-----------------+-------------------+
| 2       | 192.168.10.11   | 22                | tcp      | 10.10.10.100    | 22                |
+---------+-----------------+-------------------+----------+-----------------+-------------------+

Viewing Server (SecFlow-2) Connectivity


1. Verify ping connectivity to the PC over the dynamic NAT.
server# ping 192.168.10.12
Reply Received From :192.168.10.12, TimeTaken : 2 msecs
Reply Received From :192.168.10.12, TimeTaken : 1 msecs
Reply Received From :192.168.10.12, TimeTaken : 1 msecs
2. Verify the management SSH connection from the PC over the static NAT.
server# show users
Line User Peer-Address
0 con su Local Peer
2 ssh su 10.10.10.10 TCP 22 from the PC
server#

B.7 DMVPN
The objective of this test is to verify dynamic multipoint VPN (DMVPN) functionality.

Preparing the Test Layout

Figure B-6. DM VPN Test

Estimated Duration
The estimated duration of this test is 90 minutes.

Test Procedure
Table B-5 details the DMVPN test procedure.

Table B-5. DM VPN Test Procedure

#  Action                           Expected Result                                                     Result
1  Configure the HUB (SecFlow-2)
2  Configure the SPOKE (SecFlow-1)
3  Verify connectivity over DMVPN   User and management traffic from both PCs is transferred properly.

Configuring Devices
SecFlow-2 (Hub) configuration steps:
• Set the network VLAN 20 and assign the network ports and the application port gi 0/3
• Set the access VLAN 10 and assign the access ports and the application port gi 0/3
• Configure the GCE and ACE interfaces
• Set the VPN mGRE interface using eth1.20 as its lower layer
• In the GCE, set a static route using the ACE interface as the default gateway
• In the ACE, set routing:
  - Option 1: set a static route pointing to subnet 192.168.40.x behind the SPOKE mGRE interface
  - Option 2: enable OSPF and set OSPF interfaces for the mGRE and eth1.10
• Set IPSec parameters
SecFlow-1 (Spoke) configuration steps:
• Set the access and network IP interfaces
• Set the VPN mGRE interface using eth2.20 as its lower layer
• Set NHRP routing to the HUB eth2.20 interface and its mGRE
• Set routing:
  - Option 1: set a static route directed to the 192.168.10.x subnet behind the HUB mGRE interface
  - Option 2: enable OSPF and set OSPF interfaces for the mGRE and 192.168.40.x
• Set IPSec parameters
Define the corresponding router interface as the PCs' default gateway.
Verify the following:
• Ping connectivity between the 172.18.20.x interfaces
• IPSec SA is established
• DM VPN NHRP status is UP
• Ping connectivity between the mGRE interfaces
• Ping connectivity between the 192.168.40.x and 192.168.10.x interfaces
• Ping connectivity between the PCs
• Management connectivity between the PCs and the SecFlow units

Hub (SecFlow-2) Configuration


1. Set router host name (not mandatory).
set host-name hub


2. Disable spanning tree and remove the ports used in the VPN from the default VLAN 1.
config terminal
no spanning-tree
vlan 1
no ports fastethernet 0/1,0/8 gigabitethernet 0/3 untagged fastethernet 0/1,0/8
exit
3. Assign the user and network VLANs and set the untagged ports PVID.
vlan 10
ports fastethernet 0/1 gigabitethernet 0/3 untagged fastethernet 0/1
exit
vlan 20
ports fastethernet 0/8 gigabitethernet 0/3
exit
interface fastethernet 0/1
alias UNI
switchport pvid 10
exit
4. Assign the GCE IP interface for management (not mandatory).
interface vlan 10
shut
ip address 192.168.10.1 255.255.255.0
no shut
exit
5. Assign static route to make SecFlow-1 management routable over the VPN.
ip route 0.0.0.0 0.0.0.0 192.168.10.10 1
end
6. Assign the ACE IP interface through which user traffic is routed.
application connect
router interface create address-prefix 192.168.10.10/24 vlan 10 purpose application-host
7. Assign the ACE IP interface for networking towards the WAN router.
router interface create address-prefix 172.18.20.10/24 vlan 20 purpose general
8. Assign the GRE tunnel.
vpn gre tunnel create address-prefix 10.10.10.10/24 lower-layer-dev eth1.20 name mgre1 key 10.0.0.0
vpn gre nhrp disable
vpn gre nhrp enable
9. Assign static routes (option 1) for the remote user network.
router static
enable
configure terminal
ip route 192.168.40.0/24 10.10.10.20
write memory
exit


exit
10. Assign OSPF routes (option 2) for the remote user network.
router ospf
enable
configure terminal
router ospf
router-id 172.18.20.10
network 10.10.10.10/24 area 0.0.0.0
network 192.168.10.10/24 area 0.0.0.0
exit
write memory
exit
exit
11. Configure IPSec.
ipsec isakmp update my-id HUB.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
ipsec disable
ipsec enable
exit
write startup-cfg

Spoke (SecFlow-1) Configuration


1. Assign IP interface to route user traffic.
router interface create address-prefix 192.168.40.10/24 physical-interface eth1 description UNI purpose application-host admin-status enable
2. Assign the IP interface towards the WAN router.
router interface create address-prefix 172.18.20.20/24 vlan 20 physical-interface eth2 description NNI purpose general admin-status enable
3. Assign the local GRE tunnel and the NHRP address towards the Hub.
vpn gre tunnel create address-prefix 10.10.10.20/24 lower-layer-dev eth2.20 name mgre1 key 10.0.0.0 admin-status enable
vpn gre nhrp map create multipoint-gre-name mgre1 protocol-address-prefix 10.10.10.10/24 nbma-address 172.18.20.10
vpn gre nhrp disable
vpn gre nhrp enable
4. Assign static route (option 1) for the remote user network.
router static
enable
configure terminal
ip route 192.168.10.0/24 10.10.10.10
write memory
exit
exit
5. Assign OSPF routes (option 2) for the remote user network.


router ospf
enable
configure terminal
router ospf
ospf router-id 172.18.20.20
network 192.168.40.10/24 area 0.0.0.0
network 10.10.10.20/24 area 0.0.0.0
write memory
exit
exit
6. Configure IPSec.
ipsec isakmp update my-id RTU1.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
ipsec disable
ipsec enable
commit

Viewing the Hub


1. Verify connectivity to the SecFlow-1 over the network.
[/] ping 172.18.20.20
PING 172.18.20.20 (172.18.20.20): 56 data bytes
64 bytes from 172.18.20.20: seq=0 ttl=64 time=0.522 ms
64 bytes from 172.18.20.20: seq=1 ttl=64 time=0.472 ms
64 bytes from 172.18.20.20: seq=2 ttl=64 time=0.374 ms
--- 172.18.20.20 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.374/0.456/0.522 ms
Completed OK
2. Verify IPSec is established properly.
[/] ipsec show sa
172.18.20.10 172.18.20.20
esp mode=transport spi=18115065(0x011469f9) reqid=0(0x00000000)
E: 3des-cbc 71f552c7 3b6cd19a 15ceeb14 066b75a9 dc1ba128 3637e009
A: hmac-md5 27c40995 fe925f42 b083f33d 2da492b8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: Nov 25 03:51:24 2000 hard: 0(s) soft: 0(s)
current: 728(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 9 hard: 0 soft: 0
sadb_seq=1 pid=9758 refcnt=0
172.18.20.20 172.18.20.10
esp mode=transport spi=24577061(0x01770425) reqid=0(0x00000000)
E: 3des-cbc cba46f76 4a82acdf 1b0ce829 a8e21961 0170528c b0d42140
A: hmac-md5 3c2635ed db679013 8850c825 9b9fb53b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: Nov 25 03:51:29 2000 hard: 0(s) soft: 0(s)
current: 568(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 8 hard: 0 soft: 0
sadb_seq=2 pid=9758 refcnt=0
172.18.20.10 172.18.20.20
esp mode=transport spi=249228438(0x0edaec96) reqid=0(0x00000000)
E: 3des-cbc dc654725 37b9b9f6 52f98873 e022e294 9f2f1b2c 0a862df6
A: hmac-md5 4736a293 93850813 3814bcf4 2942144f
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=9758 refcnt=0
172.18.20.20 172.18.20.10
esp mode=transport spi=155193817(0x094011d9) reqid=0(0x00000000)
E: 3des-cbc 151d2108 58e1882a 7b84f10d 9d313a4a af6e10c4 699c2c73
A: hmac-md5 95b8b821 43de3f8d c596fd6a cb95b7b8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: Nov 25 03:51:24 2000 hard: 0(s) soft: 0(s)
current: 100(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=0 pid=9758 refcnt=0
[/]
3. Verify that 192.168.40.x route is added to the routing table.
[/] router route show
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
7.7.7.0 0.0.0.0 255.255.255.248 U 0 0 0 eth1.4093
172.18.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.20
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 mgre1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.10
192.168.40.0 10.10.10.20 255.255.255.0 UG 0 0 0 mgre1
Completed OK
4. Verify that the neighbor state and routes are established for OSPF (option 2).
router/ospf# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.18.20.20 1 Full/DR 37.376s 10.10.10.20 mgre1:10.10.10.10 0 0 0
router/ospf# show ip ospf route
============ OSPF network routing table ============
N 10.10.10.0/24 [10] area: 0.0.0.0
directly attached to mgre1
N 192.168.10.0/24 [10] area: 0.0.0.0
directly attached to eth1.10
N 192.168.40.0/24 [20] area: 0.0.0.0
via 10.10.10.20, mgre1
router/ospf# exit
Connection closed by foreign host
[/]
5. Verify connectivity to the 192.168.40.x remote subnet.
[/] ping 192.168.40.10
PING 192.168.40.10 (192.168.40.10): 56 data bytes
64 bytes from 192.168.40.10: seq=0 ttl=64 time=1.935 ms
64 bytes from 192.168.40.10: seq=1 ttl=64 time=1.805 ms
64 bytes from 192.168.40.10: seq=2 ttl=64 time=1.791 ms
--- 192.168.40.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.791/1.843/1.935 ms
Completed OK
[/]
6. Verify GCE route to the 192.168.40.x remote subnet.
hub# show ip route
S 0.0.0.0/0 [1] via 192.168.10.10
C 7.7.7.0/29 is directly connected, vlan4093
C 10.0.0.0/8 is directly connected, vlan1
C 192.168.10.0/24 is directly connected, vlan10
hub# ping 192.168.40.10
Reply Received From :192.168.40.10, TimeTaken : 3 msecs
Reply Received From :192.168.40.10, TimeTaken : 2 msecs
Reply Received From :192.168.40.10, TimeTaken : 2 msecs
--- 192.168.40.10 Ping Statistics ---
3 Packets Transmitted, 3 Packets Received, 0% Packets Loss
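Step 2 above ("Verify IPSec is established properly") is checked by reading the `ipsec show sa` dump by eye. The following added example (not RAD's code) parses that setkey-style layout and reports what a reviewer looks for on this page: an SA with no reverse-direction partner, a state other than mature, soft and hard lifetimes out of order, and the 3DES-CBC and HMAC-MD5 algorithms shown in the dump, which are legacy choices. The sample dump is constructed in the manual's format with shortened key fields.

```python
"""Audit an 'ipsec show sa' dump from test B.7 for pairing, state and weak algorithms.

Added example (not RAD's code). The parser reads the setkey-style SA dump the
manual prints (one 'src dst' header line per SA followed by attribute lines)
and the audit applies the checks a reviewer would make before signing off the
DMVPN test.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the manual's format; key fields shortened to placeholders.
# The real command prints the full live session keys, so a captured console log
# of it must be handled as secret material.
SA_DUMP = """\
172.18.20.10 172.18.20.20
esp mode=transport spi=18115065(0x011469f9) reqid=0(0x00000000)
E: 3des-cbc 71f552c7 3b6cd19a
A: hmac-md5 27c40995 fe925f42
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
172.18.20.20 172.18.20.10
esp mode=transport spi=24577061(0x01770425) reqid=0(0x00000000)
E: 3des-cbc cba46f76 4a82acdf
A: hmac-md5 3c2635ed db679013
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
"""

# Algorithms that should trigger a finding when seen on a live SA.
LEGACY_ALGS = {"des-cbc", "3des-cbc", "hmac-md5", "null"}
IP_PAIR = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_sa_dump(text: str) -> List[SecurityAssociation]:
    """One record per SA; attribute lines are attached to the most recent header."""
    sas: List[SecurityAssociation] = []
    for raw in text.splitlines():
        line = raw.strip()
        header = IP_PAIR.match(line)
        if header:
            sas.append(SecurityAssociation(header.group(1), header.group(2)))
            continue
        if not sas or not line:
            continue  # text before the first SA header is ignored
        attrs = sas[-1].attrs
        if line.startswith("esp "):
            attrs["proto"] = "esp"
            attrs.update(re.findall(r"(\w+)=(\S+)", line))  # mode, spi, reqid
        elif line.startswith("E: "):
            attrs["enc"] = line.split()[1]   # key bytes after the name are ignored
        elif line.startswith("A: "):
            attrs["auth"] = line.split()[1]
        elif line.startswith("seq="):
            attrs.update(re.findall(r"(\w+)=(\S+)", line))  # seq, replay, flags, state
        elif line.startswith("diff:"):
            attrs.update(re.findall(r"(hard|soft): (\d+)", line))  # lifetimes in seconds
    return sas


def audit(sas: List[SecurityAssociation]) -> List[str]:
    """Return findings; an empty list means every SA passed all checks."""
    findings: List[str] = []
    directions = {(sa.src, sa.dst) for sa in sas}
    for sa in sas:
        tag = f"{sa.src}->{sa.dst} spi={sa.attrs.get('spi', '?')}"
        if (sa.dst, sa.src) not in directions:
            findings.append(f"{tag}: no SA for the reverse direction")
        if sa.attrs.get("state") != "mature":
            findings.append(f"{tag}: state={sa.attrs.get('state')} (expected mature)")
        for role in ("enc", "auth"):
            alg = sa.attrs.get(role, "missing")
            if alg in LEGACY_ALGS or alg == "missing":
                findings.append(f"{tag}: {role} algorithm {alg} is legacy or absent")
        hard = int(sa.attrs.get("hard", 0))
        soft = int(sa.attrs.get("soft", 0))
        if not 0 < soft < hard:
            findings.append(f"{tag}: soft lifetime {soft}s not below hard lifetime {hard}s")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sa_dump(SA_DUMP)):
        print(finding)
```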

Viewing the Spoke


1. Verify connectivity to the hub (SecFlow-2) over the network.
SecFlow-1# ping 172.18.20.10
PING 172.18.20.10 (172.18.20.10): 56 data bytes
64 bytes from 172.18.20.10: seq=0 ttl=64 time=0.837 ms
64 bytes from 172.18.20.10: seq=1 ttl=64 time=0.557 ms
64 bytes from 172.18.20.10: seq=2 ttl=64 time=0.588 ms
--- 172.18.20.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.557/0.660/0.837 ms
Completed OK
2. Verify that IPSec is established.
SecFlow-1# ipsec show sa
172.18.20.10 172.18.20.20
esp mode=transport spi=18115065(0x011469f9) reqid=0(0x00000000)
E: 3des-cbc 71f552c7 3b6cd19a 15ceeb14 066b75a9 dc1ba128
3637e009
A: hmac-md5 27c40995 fe925f42 b083f33d 2da492b8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: Nov 25 03:51:24 2000 hard: 0(s) soft: 0(s)
current: 728(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 9 hard: 0 soft: 0
sadb_seq=1 pid=9758 refcnt=0
172.18.20.20 172.18.20.10
esp mode=transport spi=24577061(0x01770425) reqid=0(0x00000000)
E: 3des-cbc cba46f76 4a82acdf 1b0ce829 a8e21961 0170528c b0d42140
A: hmac-md5 3c2635ed db679013 8850c825 9b9fb53b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: Nov 25 03:51:29 2000 hard: 0(s) soft: 0(s)
current: 568(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 8 hard: 0 soft: 0
sadb_seq=2 pid=9758 refcnt=0
172.18.20.10 172.18.20.20
esp mode=transport spi=249228438(0x0edaec96) reqid=0(0x00000000)
E: 3des-cbc dc654725 37b9b9f6 52f98873 e022e294 9f2f1b2c 0a862df6
A: hmac-md5 4736a293 93850813 3814bcf4 2942144f
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=9758 refcnt=0
172.18.20.20 172.18.20.10
esp mode=transport spi=155193817(0x094011d9) reqid=0(0x00000000)
E: 3des-cbc 151d2108 58e1882a 7b84f10d 9d313a4a af6e10c4 699c2c73
A: hmac-md5 95b8b821 43de3f8d c596fd6a cb95b7b8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Nov 25 03:51:24 2000 current: Nov 25 03:55:28 2000
diff: 244(s) hard: 86400(s) soft: 69120(s)
last: Nov 25 03:51:24 2000 hard: 0(s) soft: 0(s)
current: 100(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=0 pid=9758 refcnt=0
[/]
3. Verify that the VPN is UP.
SecFlow-1# vpn gre nhrp map show-status
+--------+----------------+---------+--------+-----------+
| Tunnel | Protocol | Changes | Oper | Last |
| Name | address/prefix | | Status | change |
| | | | | (sec.ago) |
+========+================+=========+========+===========+
| mgre1 | 10.10.10.10/24 | 1 | up | 3697 |
+--------+----------------+---------+--------+-----------+
4. Verify that the 192.168.10.x route is added to the routing table.
SecFlow-1# router route show
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 mgre1
172.18.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.20
192.168.10.0 10.10.10.10 255.255.255.0 UG 0 0 0 mgre1
192.168.40.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
Completed OK
5. Verify that the OSPF (option 2) neighbor state and routes are established.
router/ospf# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.18.20.10 1 Full/Backup 37.257s 10.10.10.10 mgre1:10.10.10.20 0 0 0
router/ospf# show ip ospf route
============ OSPF network routing table ============
N 10.10.10.0/24 [10] area: 0.0.0.0
directly attached to mgre1
N 192.168.10.0/24 [20] area: 0.0.0.0
via 10.10.10.10, mgre1
N 192.168.40.0/24 [10] area: 0.0.0.0
directly attached to eth1
router/ospf# exit
[/]
6. Verify connectivity to the remote subnet 192.168.10.x.
SecFlow-1# ping 192.168.10.10
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: seq=0 ttl=64 time=8.343 ms
64 bytes from 192.168.10.10: seq=1 ttl=64 time=1.910 ms
64 bytes from 192.168.10.10: seq=2 ttl=64 time=1.887 ms
--- 192.168.10.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.887/4.046/8.343 ms
Completed OK
[/]

Adding Terminal Server


To add the terminal server, perform the following steps:
• Configure the serial ports
• Configure the serial local end-point, service-id, and position
• Configure the terminal server


Figure B-7. Terminal Server Test

Router (SecFlow-1) Configuration


1. Configure the serial port to be consistent with the serial slave properties. The serial port operation mode must be transparent. The local end-point application type must be terminal server.
serial port create slot 1 port 1 baudrate 9600 parity no databits 8 mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application terminal-server
2. Configure the terminal server to listen on TCP port 20000.
terminal-server admin-status enable
terminal-server settings update low-border-telnet-tcp-port 20000 buffer-mode byte
terminal-server tcp-service create service-id 1 remote-address 192.168.40.10 telnet-port 20000
commit

Viewing SecFlow-1 Connectivity


1. Verify connectivity between the PC 192.168.10.250 and the SecFlow-1
terminal server 192.168.40.10.
2. Open a TCP connection on port 20000.

Figure B-8. TCP Connection

3. Verify that the connection is established.
SecFlow-1# terminal-server services show
---- 'Telnet server' service -----
+---------+--------+---------------+-------------+-------------+-------------+-----------------+-----------------+
| service | telnet | unit type     | serial slot | serial port | tunnel's IP | telnet client's | telnet client's |
| id      | port   |               | (local EP)  | (local EP)  | (remote EP) | IP address      | tcp port        |
+=========+========+===============+=============+=============+=============+=================+=================+
| 2       | 20000  | Local slave   | 1           | 2           | -           | -               | -               |
+---------+--------+---------------+-------------+-------------+-------------+-----------------+-----------------+
| -       | -      | telnet client | -           | -           | -           | 192.168.10.250  | 0               |
+---------+--------+---------------+-------------+-------------+-------------+-----------------+-----------------+
Completed OK
SecFlow-1# terminal-server tcp-service show
+-------+------------+-------------+---------------+--------------+----------------+
| index | service id | telnet port | dest ip       | null cr mode | max ip clients |
+=======+============+=============+===============+==============+================+
| 1     | 2          | 20000       | 192.168.40.10 | off          | 1              |
+-------+------------+-------------+---------------+--------------+----------------+
Completed OK
SecFlow-1#

Adding QoS to Terminal Server Traffic


There are two options to use QOS in the terminal server (SecFlow-1):
• Option 1: Set the DSCP value 16 to traffic assigned for the Telnet client
192.168.10.250 and keep the VPN tunnel at the inherit mode.
• Option 2: Change the gre Tunnel from inherit mode to TOS.

Figure B-9. Terminal Server QOS Test

Router (SecFlow-1) Configuration

Option 1
Set a QOS rule.
qos mark-rule create dest-ip 192.168.10.250/32 dscp 16


Result

Figure B-10. Backbone Traffic with QOS DSCP Assignment

Option 2
Set a TOS value in the DM-VPN tunnel header (the value 30 is used as an example).
ipsec disable
vpn gre nhrp disable
vpn gre nhrp map remove multipoint-gre-name mgre1
vpn gre tunnel remove name mgre1
commit
vpn gre tunnel create address-prefix 10.10.10.20/24 lower-layer-dev eth2.20 name mgre1 key 10.0.0.0 admin-status enable tos 30
vpn gre nhrp map create multipoint-gre-name mgre1 protocol-address-prefix 10.10.10.10/24 nbma-address 172.18.20.10
vpn gre nhrp enable
ipsec enable
commit


Result

Figure B-11. Backbone Traffic with Tunnel TOS Assignment

Adding Cellular Link


To add the cellular link, perform the following steps:
1. Configure SecFlow-1 with the requested VLANs and interfaces.
2. In the HUB (SecFlow-2):
  - Set the network VLAN 20 and assign the network ports and the application port gi 0/3
  - Set the access VLAN 10 and assign the access ports and the application port gi 0/3
  - Set the GCE and ACE IP interfaces
  - Set the DM mGRE interface using the eth1.20 port as its lower layer
  - Set a static route in the ACE pointing to subnet 192.168.40.x behind the SPOKE mGRE interface, and assign the NAT router as the default gateway of subnet 172.18.212.x
  - Set IPSec parameters
3. In the Spoke (SecFlow-1):
  - Set the IP interfaces for the LAN port
  - Configure the cellular modem
  - Set a DM-mGRE interface using PPP0 as its lower layer
  - Set the NHRP route pointing to the HUB public IP and its mGRE
  - Set a static route pointing to subnet 192.168.10.x behind the HUB mGRE interface
  - Set IPSec parameters
4. Define the corresponding router interface as the PCs' default gateway.
Verify the following:
• Ping connectivity between the SecFlow-1 cellular modem and the Hub public
IP
• IPSec SA is established
• DM-VPN NHRP status is UP
• Ping connectivity between the mGRE interfaces
• Ping connectivity between the SecFlow-1 192.168.40.x and SecFlow-2
192.168.10.x interfaces
• Ping connectivity between the PCs
• Management connectivity between the PCs and SecFlow units.

Figure B-12. Cellular Link Test

Hub (SecFlow-2) Configuration


set host-name HUB
application connect
router interface create address-prefix 192.168.10.10/24 vlan 10 purpose general
router interface create address-prefix 172.18.212.230/24 vlan 20 purpose application-host
vpn gre tunnel create address-prefix 10.10.10.10/24 lower-layer-dev eth1.20 name mgre1 key 10.0.0.0
vpn gre nhrp disable
vpn gre nhrp enable


router static
enable
configure terminal
ip route 192.168.40.0/24 10.10.10.20
ip route 0.0.0.0/0 172.18.212.100
write
exit
exit
ipsec isakmp update my-id HUB.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
ipsec enable
The key secretkey is a placeholder for the bench test. A deployed hub should use a long, random pre-shared key, and a different one for each spoke identity, so that a key recovered from one RTU cannot be used to impersonate another.
Serial tunneling:
serial port create slot 1 port 1 baudrate 9600 parity even mode-of-operation transparent
serial local-end-point create slot 1 port 1 service-id 1 application serial-tunnel position master
serial remote-end-point create remote-address 192.168.40.10 service-id 1 position slave
exit
write startup-cfg

Spoke (SecFlow-1) Configuration


cellular wan update sim-slot 1 admin-status enable operator-name cellcom apn-name internetg user-name guest password guest
cellular settings update default-route yes
cellular enable
router interface create address-prefix 192.168.40.10/24 physical-interface eth1 description UNI purpose general admin-status enable
vpn gre tunnel create address-prefix 10.10.10.20/24 lower-layer-dev ppp0 name mgre1 key 10.0.0.0
vpn gre nhrp map create multipoint-gre-name mgre1 protocol-address-prefix 10.10.10.10/24 nbma-address 80.74.102.38
vpn gre nhrp disable
vpn gre nhrp enable
The spoke's own mGRE address is 10.10.10.20/24: it is the next hop the HUB static route points at, while 10.10.10.10 is the HUB's mGRE address, which the NHRP map entry binds to the HUB public IP. The tunnel's lower layer is the cellular PPP interface from step 3 rather than an Ethernet VLAN; the device name ppp0 assumes the cellular link is presented as PPP interface 0, so substitute the interface name the unit actually reports.
router static
enable
configure terminal
ip route 192.168.10.0/24 10.10.10.10
write
exit
exit
ipsec isakmp update my-id RTU1.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
ipsec enable
commit


Serial tunneling:
serial port create slot 1 port 2 baudrate 9600 parity even mode-of-operation transparent
serial local-end-point create slot 1 port 2 service-id 1 application serial-tunnel position slave
serial remote-end-point create remote-address 192.168.10.10 service-id 1 position master
commit
Terminal server:
serial port create slot 1 port 1
serial local-end-point create slot 1 port 1 service-id 2 application terminal-server
terminal-server admin-status enable
terminal-server telnet-service create service-id 2 telnet-port 2050 remote-address 192.168.40.10
commit
Telnet carries the serial session in cleartext, so the terminal-server service (associated here with the LAN address 192.168.40.10) must stay reachable only from the protected LAN side and never from the cellular interface.
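The hub and spoke configurations above have to agree with each other on several values: the two mGRE addresses must differ but share a subnet, the spoke's NHRP protocol address must be the hub's mGRE address, each static route must point at the other side's mGRE address, the GRE key must match, and both IKE identities must carry the same pre-shared key on both ends. The script below is an added example, not RAD's code or a SecFlow CLI feature: it parses just those lines (copied from this page into string constants, with the spoke tunnel on 10.10.10.20/24 and the assumed cellular device name ppp0) and cross-checks them, reporting the placeholder key secretkey as reused and short. A second constant repeats the spoke tunnel line with the hub's own 10.10.10.10/24 pasted in, an easy copy-paste mistake, to show the check catching it. The function and constant names are the example's own.

```python
"""Cross-check a DMVPN hub and spoke configuration pair written in the SecFlow CLI.

Added example: parses only the lines the check needs and reports mismatches that
would stop the tunnel, the NHRP registration or the IKE exchange from coming up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_interface

# Constructed input, copied from the hub and spoke configurations on this page.
# The spoke tunnel uses its own mGRE address and the cellular PPP device (assumed name ppp0).
HUB_CFG = """
vpn gre tunnel create address-prefix 10.10.10.10/24 lower-layer-dev eth1.20 name mgre1 key 10.0.0.0
ip route 192.168.40.0/24 10.10.10.20
ip route 0.0.0.0/0 172.18.212.100
ipsec isakmp update my-id HUB.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
"""

SPOKE_CFG = """
vpn gre tunnel create address-prefix 10.10.10.20/24 lower-layer-dev ppp0 name mgre1 key 10.0.0.0
vpn gre nhrp map create multipoint-gre-name mgre1 protocol-address-prefix 10.10.10.10/24 nbma-address 80.74.102.38
ip route 192.168.10.0/24 10.10.10.10
ipsec isakmp update my-id RTU1.radiflow.com
ipsec preshared create id HUB.radiflow.com key secretkey
ipsec preshared create id RTU1.radiflow.com key secretkey
ipsec isakmp update id-type fqdn
ipsec policy create protocol gre
"""

# The same spoke with the hub's own mGRE address pasted into the tunnel line, to show the check firing.
SPOKE_CFG_COLLIDING = SPOKE_CFG.replace("10.10.10.20/24 lower-layer-dev ppp0",
                                        "10.10.10.10/24 lower-layer-dev eth1.20")


@dataclass
class Side:
    tunnel: dict = field(default_factory=dict)   # vpn gre tunnel create parameters
    nhrp: dict = field(default_factory=dict)     # vpn gre nhrp map create parameters
    routes: dict = field(default_factory=dict)   # static prefix -> next hop
    psk: dict = field(default_factory=dict)      # IKE identity -> pre-shared key
    my_id: str = ""


def _kv(tokens):
    """'k1 v1 k2 v2 ...' -> {'k1': 'v1', 'k2': 'v2'}."""
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_cfg(text: str) -> Side:
    side = Side()
    for line in text.strip().splitlines():
        t = line.split()
        if t[:4] == ["vpn", "gre", "tunnel", "create"]:
            side.tunnel = _kv(t[4:])
        elif t[:5] == ["vpn", "gre", "nhrp", "map", "create"]:
            side.nhrp = _kv(t[5:])
        elif t[:2] == ["ip", "route"] and len(t) == 4:
            side.routes[t[2]] = t[3]
        elif t[:3] == ["ipsec", "preshared", "create"]:
            entry = _kv(t[3:])
            side.psk[entry["id"]] = entry["key"]
        elif t[:3] == ["ipsec", "isakmp", "update"] and "my-id" in t:
            side.my_id = t[t.index("my-id") + 1]
    return side


def check_pair(hub: Side, spoke: Side, hub_lan="192.168.10.0/24", spoke_lan="192.168.40.0/24") -> dict:
    """Return {'errors': [...], 'warnings': [...]}; errors break the overlay, warnings are key hygiene."""
    errors, warnings = [], []
    hub_t = ip_interface(hub.tunnel["address-prefix"])
    spoke_t = ip_interface(spoke.tunnel["address-prefix"])
    if hub_t.ip == spoke_t.ip:
        errors.append("hub and spoke mGRE addresses collide")
    if hub_t.network != spoke_t.network:
        errors.append("hub and spoke mGRE addresses are in different subnets")
    if hub.tunnel.get("key") != spoke.tunnel.get("key"):
        errors.append("GRE key differs between hub and spoke")
    if ip_interface(spoke.nhrp["protocol-address-prefix"]).ip != hub_t.ip:
        errors.append("spoke NHRP protocol address is not the hub mGRE address")
    if hub.routes.get(spoke_lan) != str(spoke_t.ip):
        errors.append(f"hub route to {spoke_lan} does not point at spoke mGRE {spoke_t.ip}")
    if spoke.routes.get(hub_lan) != str(hub_t.ip):
        errors.append(f"spoke route to {hub_lan} does not point at hub mGRE {hub_t.ip}")
    # Each side authenticates the other by FQDN identity, so both identities must carry
    # the same key on both ends.
    for ident in (hub.my_id, spoke.my_id):
        if not ident or hub.psk.get(ident) != spoke.psk.get(ident):
            errors.append(f"pre-shared key for identity {ident!r} differs between hub and spoke")
    if len(set(hub.psk.values())) < len(hub.psk):
        warnings.append("the same pre-shared key is reused for several identities")
    for ident, key in hub.psk.items():
        if len(key) < 16:
            warnings.append(f"pre-shared key for {ident} is only {len(key)} characters")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, spoke_text in (("corrected spoke", SPOKE_CFG), ("colliding spoke", SPOKE_CFG_COLLIDING)):
        print(label, check_pair(parse_cfg(HUB_CFG), parse_cfg(spoke_text)))
```

Run it before committing the spoke: an empty errors list means the overlay values line up, and the warnings list is the reminder to replace the placeholder key before the unit leaves the bench.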

B.8 IEC 101/104 Gateway


The objective of this test is to verify the IEC 101/104 gateway functionality.

Preparing the Test Layout

Figure B-13. IEC 101/104 Gateway Test

Estimated Duration
The estimated duration of this test is 20 minutes.

Test Procedure
Table B-6 details the IEC 101/104 gateway test procedure.

Table B-6. IEC 101/104 Gateway Test Procedure

#   Action                                     Expected Result                                                        Result
1   Configure the gateway (SecFlow-1)
2   Verify connectivity over the serial link   Telnet client and IEC 101 device are connected over the serial link

Configuring Devices
Configuration steps:
• Set the IP interface for IEC 104 server and SecFlow-1 management
• Configure the serial ports parameters
• Configure the serial local end-point, service-ID and position
• Configure the IEC 101 parameters
• Configure the gateway parameters.
Verify the following:
• Ping connectivity between the PC and gateway interface
• Management connectivity between the PC and SecFlow-1
• IEC 104 connectivity between the client and gateway
• IEC 101 device is in UP status
• RTU can be managed by the SCADA.

SecFlow-1 Configuration
1. Configure an IP interface for the gateway.
SecFlow-1# router interface create address-prefix 192.168.1.101/24 physical-interface eth1 description gateway purpose application-host
2. Configure the serial port parameters. The mode-of-operation field must be set to transparent. The port parameters must match the IEC 101 server device parameters (baud rate, parity, stop bits, data bits, etc.).
serial port create slot 1 port 1 mode-of-operation transparent baudrate 9600 parity even
3. Create the local port serial service. The application field must be iec101-gw.
serial local-end-point create slot 1 port 1 service-id 1 application iec101-gw
4. Configure the gateway operation mode and select the ACE interface to be used (the IP interface must already exist).
iec101-gw config gw update mode balanced ip_addr 192.168.1.101
5. Configure the gateway parameters to match the IEC 101 server configuration.
iec101-gw config iec101 create slot 1 port 1 asdu_addr 1 orig_addr 0 link_addr 27 link_address_field_length 2 common_address_field_length 2 orig_addr_participate y
commit

B-30 IEC 101/104 Gateway SecFlow-1


Installation and Operation Manual Appendix B Test Plan

Viewing the Results


1. Verify connectivity between the Telnet client at 192.168.1.250 and the SecFlow-1 gateway server at 192.168.1.101.
2. Open a connection from the Telnet client to the IEC 104 server on the gateway.
3. Verify that the connection over the serial port operates properly.
SecFlow-1# router interface show
+----+------+--------+------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet        | Mtu  | Purpose          | Admin status | Description |
+====+======+========+==================+======+==================+==============+=============+
| 1  | N/A  | eth1:1 | 192.168.1.101/24 | 1500 | application host | enable       | WAN         |
+----+------+--------+------------------+------+------------------+--------------+-------------+
SecFlow-1# iec101-gw show all
101-104 ROUTER
BALANCED MODE
IEC 104:
+---------------+------------+------------+----------+----+----+----+----+
| IP            | ORIG. ADDR | CLOCK SYNC | TIME TAG | T0 | T1 | T2 | T3 |
+===============+============+============+==========+====+====+====+====+
| 192.168.1.101 | 0          | n          | n        | 30 | 15 | 10 | 20 |
| 192.168.1.250 | 0          | n          | n        | 30 | 15 | 10 | 20 |
+---------------+------------+------------+----------+----+----+----+----+
IEC 101:
+------+------+-------+----------+---------+--------------+----------+---------+---------+---------+---------+----------+
| SLOT | PORT | OP ST | LINK ADR | CMN ADR | CONV CMN ADR | LINK LEN | CMN LEN | COT LEN | IOA LEN | SRC IOA | CONV IOA |
+======+======+=======+==========+=========+==============+==========+=========+=========+=========+=========+==========+
| 1    | 1    | UP    | 27       | 1       | 0            | 2        | 2       | 2       | 3       |         |          |
+------+------+-------+----------+---------+--------------+----------+---------+---------+---------+---------+----------+
+------+------+-----------+------+---------+---------+---------+----------+---------+---------+----------+-----------+
| SLOT | PORT | ORIG. ADR | S CH | DIR BIT | TEST FR | GEN INT | TIME TAG | COT LEN | IOA LEN | CMN (UB) | LINK (UB) |
+======+======+===========+======+=========+=========+=========+==========+=========+=========+==========+===========+
| 1    | 1    | 0         | y    | AUTO    | y       | n       | n        | 2       | 3       | 1        | 27        |
+------+------+-----------+------+---------+---------+---------+----------+---------+---------+----------+-----------+
SecFlow-1#
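The "IEC 104 connectivity between the client and gateway" check above is, on the wire, the APCI start-up exchange: the client sends STARTDT act and the gateway answers STARTDT con before any data flows, the client then issues a general interrogation, and the idle link is kept alive with TESTFR act/con once T3 seconds (20 in the table above) pass without traffic. The code below is an added example, not RAD's code and not a capture from a SecFlow-1: it encodes and decodes IEC 60870-5-104 APCI frames (start byte 0x68, length, four control octets) and walks the client side of that exchange against a simulated gateway, using the ASDU field sizes configured on this page (COT 2 octets including the originator address, common address 2 octets, IOA 3 octets) and common address 1. The gateway replies and the function names are the example's own.

```python
"""IEC 60870-5-104 APCI framing and the client-side start-up exchange against a gateway.

Added example: the frames the 'IEC 104 connectivity' check exercises, built and decoded
locally. The gateway replies are simulated here, not captured from a SecFlow-1.
"""
import struct

START_BYTE = 0x68

# U-frame control functions: control octet 1 with the low two bits set to 11b.
U_FUNCS = {
    "STARTDT_act": 0x07, "STARTDT_con": 0x0B,
    "STOPDT_act": 0x13, "STOPDT_con": 0x23,
    "TESTFR_act": 0x43, "TESTFR_con": 0x83,
}
U_NAMES = {v: k for k, v in U_FUNCS.items()}

# ASDU layout as configured on the gateway above: COT 2 octets (cause + originator
# address), common address 2 octets, information object address 3 octets.
C_IC_NA_1 = 100              # interrogation command
COT_ACTIVATION = 6
COT_ACTIVATION_CONFIRM = 7
QOI_STATION = 20             # station (global) interrogation


def u_frame(func: str) -> bytes:
    return bytes([START_BYTE, 4, U_FUNCS[func], 0, 0, 0])


def s_frame(nr: int) -> bytes:
    """Supervisory frame: acknowledges all I-frames with N(S) below nr."""
    return bytes([START_BYTE, 4, 0x01, 0x00]) + struct.pack("<H", (nr & 0x7FFF) << 1)


def i_frame(ns: int, nr: int, asdu: bytes) -> bytes:
    """Information frame carrying one ASDU; both sequence numbers are 15 bits, shifted left by one."""
    control = struct.pack("<HH", (ns & 0x7FFF) << 1, (nr & 0x7FFF) << 1)
    return bytes([START_BYTE, 4 + len(asdu)]) + control + asdu


def interrogation_asdu(common_addr: int, cot: int = COT_ACTIVATION, orig_addr: int = 0) -> bytes:
    """C_IC_NA_1 with a single information object at IOA 0 and QOI = station interrogation."""
    return (bytes([C_IC_NA_1, 0x01, cot, orig_addr]) + struct.pack("<H", common_addr)
            + b"\x00\x00\x00" + bytes([QOI_STATION]))


def parse_apdu(data: bytes) -> dict:
    """Decode one APDU into its frame type and, for I-frames, the ASDU header."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("missing 0x68 start byte")
    if data[1] < 4 or len(data) != data[1] + 2:
        raise ValueError("APCI length field does not match the APDU size")
    c1 = data[2]
    nr = struct.unpack("<H", data[4:6])[0] >> 1
    if c1 & 0x03 == 0x03:
        return {"kind": "U", "func": U_NAMES.get(c1, f"unknown 0x{c1:02x}")}
    if c1 & 0x03 == 0x01:
        return {"kind": "S", "nr": nr}
    ns = struct.unpack("<H", data[2:4])[0] >> 1
    asdu = data[6:]
    out = {"kind": "I", "ns": ns, "nr": nr}
    if len(asdu) >= 6:
        out.update(type_id=asdu[0], vsq=asdu[1], cot=asdu[2] & 0x3F,
                   negative=bool(asdu[2] & 0x40), orig_addr=asdu[3],
                   common_addr=struct.unpack("<H", asdu[4:6])[0])
    return out


def startup_exchange(common_addr: int = 1) -> list:
    """Client side of a fresh connection, with the gateway's replies simulated.

    Order: STARTDT act/con, general interrogation (I-frame, N(S)=0), the gateway's
    activation confirmation (its first I-frame, acknowledging ours with N(R)=1),
    the client's S-frame acknowledging that, then the TESTFR keep-alive a client
    sends after T3 seconds without traffic. Returns [(sender, decoded_frame), ...].
    """
    log = []

    def exchange(sender, frame):
        log.append((sender, parse_apdu(frame)))

    exchange("client", u_frame("STARTDT_act"))
    exchange("gateway", u_frame("STARTDT_con"))
    exchange("client", i_frame(0, 0, interrogation_asdu(common_addr)))
    exchange("gateway", i_frame(0, 1, interrogation_asdu(common_addr, COT_ACTIVATION_CONFIRM)))
    exchange("client", s_frame(1))
    exchange("client", u_frame("TESTFR_act"))
    exchange("gateway", u_frame("TESTFR_con"))
    return log


if __name__ == "__main__":
    for sender, frame in startup_exchange(common_addr=1):
        print(f"{sender:>7}: {frame}")
```

Nothing in these frames authenticates either side: a TCP client that can reach port 2404 on the gateway can send the same STARTDT and interrogation, which is why the IP interface used for the 104 server must sit on the protected side of the network.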


B.9 OSPF
The objective of this test is to verify OSPF (Open Shortest Path First) protocol functionality.

Preparing the Test Layout

Figure B-14. OSPF Test

Estimated Duration
The estimated duration of this test is 30 minutes.

Test Procedure
Table B-7 details the OSPF test procedure.

Table B-7. OSPF Test Procedure

#   Action                                        Expected Result                                                        Result
1   Configure SecFlow-2
2   Configure SecFlow-1
3   Verify connectivity over OSPF                 Proper connectivity between PC1 and PC2, SecFlow-1 and SecFlow-2
4   Verify OSPF neighborship and routing table    OSPF neighborship and the routing table comply with the configuration

Configuring Devices
Configuration steps:
• Configure SecFlow-2:
   - Configure VLAN 2 and assign the requested port as a member
   - Configure VLAN 4 and assign the requested port as a member
   - Configure the GCE IP interfaces
   - Configure OSPF
• Configure SecFlow-1:
   - Configure a VLAN-unaware IP interface for the eth1 port
   - Assign an eth2 IP interface to VLAN 2
   - Configure OSPF
• Set SecFlow-1 interface 192.168.1.102 as the PC1 default gateway
• Set SecFlow-2 interface 192.168.4.101 as the PC2 default gateway
Note that this test configures no OSPF neighbor authentication on either router. That is acceptable on the bench, but on a deployed network the adjacency over the shared 192.168.2.x segment should be authenticated so that only the intended peer can inject routes.

SecFlow-2 Configuration
SecFlow-2#
config
vlan 2
ports fastethernet 0/2
exit
vlan 4
ports fastethernet 0/1 untagged all
exit
interface fast 0/1
switchport pvid 4
exit

interface vlan 2
ip address 192.168.2.101 255.255.255.0
no shutdown
exit
interface vlan 4
ip address 192.168.4.101 255.255.255.0
no shutdown
exit
router ospf
router-id 192.168.4.101
network 192.168.4.101 255.255.255.0 area 0.0.0.0
network 192.168.2.101 255.255.255.0 area 0.0.0.0
passive-interface vlan 4
end

SecFlow-1 Configuration
SecFlow-1#
router interface create address-prefix 192.168.1.102/24 purpose application-host physical-interface eth1
router interface create address-prefix 192.168.2.102/24 vlan 2 purpose general physical-interface eth2
router ospf
enable
configure terminal
router ospf
network 192.168.1.102/24 area 0.0.0.0
network 192.168.2.102/24 area 0.0.0.0
passive-interface eth1:1
exit
write
end
exit
commit

Viewing the Results


Verify the following:
• Ping connectivity between SecFlow-1 and SecFlow-2 over the shared subnet
interface 192.168.2.x
• OSPF neighborship and routing table
• Ping connectivity between PC1 and:
 The SecFlow-1 interfaces
 The SecFlow-2 interfaces
 PC2

Viewing SecFlow-2
SecFlow-2# show ip interface
vlan2 is up, line protocol is up
Internet Address is 192.168.2.101/24
Broadcast Address 192.168.2.255
vlan4 is up, line protocol is up
Internet Address is 192.168.4.101/24
Broadcast Address 192.168.4.255
SecFlow-2# show ip ospf neighbor
Vrf default
Neighbor-ID     Pri State     DeadTime Address         Interface  Helper HelperAge HelperExitReason
-----------     --- -----     -------- -------         ---------  ------ --------- ----------------
192.168.4.102   1   FULL/DR   34       192.168.2.102   vlan2      N
SecFlow-2# show ip ospf route
OSPF Routing Table Vrf default
Dest/Mask                   TOS NextHop/Interface     Cost Rt.Type   Area
---------                   --- -----------------     ---- -------   ----
192.168.1.0/255.255.255.0   0   192.168.2.102/vlan2   11   IntraArea 0.0.0.0
192.168.2.0/255.255.255.0   0   0.0.0.0/vlan2         1    IntraArea 0.0.0.0
192.168.4.0/255.255.255.0   0   0.0.0.0/vlan4         1    IntraArea 0.0.0.0
SecFlow-2# show ip route
Codes: C - connected, S - static, R - rip, B - bgp, O - ospf
IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2
Vrf Name: default
---------
C 7.7.7.0/29 is directly connected, vlan4093
C 10.0.0.0/8 is directly connected, vlan1
O 192.168.1.0/24 [11] via 192.168.2.102
C 192.168.2.0/24 is directly connected, vlan2
C 192.168.4.0/24 is directly connected, vlan4

Viewing SecFlow-1
SecFlow-1# router interface show
+----+------+--------+------------------+------+------------------+--------------+-------------+
| Id | VLAN | Name   | IP/Subnet        | Mtu  | Purpose          | Admin status | Description |
+====+======+========+==================+======+==================+==============+=============+
| 1  | N/A  | eth1:1 | 192.168.1.102/24 | 1500 | application host | enable       |             |
+----+------+--------+------------------+------+------------------+--------------+-------------+
| 2  | 2    | eth2.2 | 192.168.2.102/24 | 1500 | general          | enable       |             |
+----+------+--------+------------------+------+------------------+--------------+-------------+
router/ospf# show ip ospf neighbor
Neighbor ID     Pri State           Dead Time Address         Interface              RXmtL RqstL DBsmL
192.168.4.101     1 Full/Backup       33.167s 192.168.2.101   eth2.2:192.168.2.102       0     0     0
router/ospf# show ip ospf route
============ OSPF network routing table ============
N 192.168.1.0/24 [10] area: 0.0.0.0
directly attached to eth1
N 192.168.2.0/24 [10] area: 0.0.0.0
directly attached to eth2.2
N 192.168.4.0/24 [11] area: 0.0.0.0
via 192.168.2.101, eth2.2
============ OSPF router routing table =============
============ OSPF external routing table ===========
router/ospf# exit
Connection closed by foreign host
SecFlow-1# router route show
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2.2
192.168.4.0     192.168.2.101   255.255.255.0   UG    11     0        0 eth2.2
Completed OK
SecFlow-1# ping 192.168.4.101
PING 192.168.4.101 (192.168.4.101): 56 data bytes
64 bytes from 192.168.4.101: seq=0 ttl=64 time=1.509 ms
64 bytes from 192.168.4.101: seq=1 ttl=64 time=1.227 ms
64 bytes from 192.168.4.101: seq=2 ttl=64 time=1.231 ms
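Step 4 of Table B-7 is checked by reading the outputs above. As an added example, not RAD's code and not a SecFlow CLI feature, the script below automates that reading: it parses the two neighbor-table formats shown on this page (the Quagga-style table on SecFlow-1 and the ISS-style table on SecFlow-2) and the SecFlow-1 kernel routing table, then reports whether the adjacency with the peer is FULL and whether PC2's subnet 192.168.4.0/24 is reachable through 192.168.2.101 on eth2.2. The sample outputs are copied from this page into string constants; the regular expressions and function names are the example's own.

```python
"""Check step 4 of Table B-7 from captured CLI output: OSPF adjacency and the learned route.

Added example: parses the neighbor tables in both formats shown on this page
(Quagga-style on SecFlow-1, ISS-style on SecFlow-2) and the SecFlow-1 kernel routing
table, then reports whether the adjacency is FULL and the far subnet is routed via the peer.
"""
import re
from ipaddress import ip_network

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed samples, copied from the outputs shown above.
SF1_NEIGHBORS = """\
Neighbor ID     Pri State           Dead Time Address         Interface              RXmtL RqstL DBsmL
192.168.4.101     1 Full/Backup       33.167s 192.168.2.101   eth2.2:192.168.2.102       0     0     0
"""

SF2_NEIGHBORS = """\
Vrf default
Neighbor-ID     Pri State     DeadTime Address         Interface  Helper HelperAge HelperExitReason
192.168.4.102   1   FULL/DR   34       192.168.2.102   vlan2      N
"""

SF1_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2.2
192.168.4.0     192.168.2.101   255.255.255.0   UG    11     0        0 eth2.2
"""

# Neighbor rows: id, priority, state[/role], dead time, address, interface; extra columns ignored.
NEIGHBOR_RE = re.compile(rf"\s*({IPV4})\s+(\d+)\s+(\S+)\s+(\S+)\s+({IPV4})\s+(\S+)")
# Kernel rows: destination, gateway, genmask, flags, metric, ref, use, iface.
ROUTE_RE = re.compile(rf"\s*({IPV4})\s+({IPV4})\s+({IPV4})\s+([A-Z!]+)\s+(\d+)\s+\d+\s+\d+\s+(\S+)")


def parse_neighbors(text: str) -> list:
    """One dict per neighbor row; the state is upper-cased so 'Full' and 'FULL' compare equal."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            state, _, role = m.group(3).partition("/")
            rows.append({"id": m.group(1), "pri": int(m.group(2)), "state": state.upper(),
                         "role": role.upper(), "address": m.group(5), "interface": m.group(6)})
    return rows


def parse_kernel_routes(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            rows.append({"network": ip_network(f"{m.group(1)}/{m.group(3)}"), "gateway": m.group(2),
                         "flags": m.group(4), "metric": int(m.group(5)), "iface": m.group(6)})
    return rows


def verify_ospf(neighbor_text: str, route_text: str, peer_addr: str, remote_lan: str, via_iface: str) -> list:
    """Return the list of failed checks; an empty list means step 4 passes."""
    failures = []
    if not any(n["address"] == peer_addr and n["state"] == "FULL" for n in parse_neighbors(neighbor_text)):
        failures.append(f"no FULL adjacency with {peer_addr}")
    want = ip_network(remote_lan)
    learned = [r for r in parse_kernel_routes(route_text) if r["network"] == want]
    if not learned:
        failures.append(f"no route to {remote_lan}")
    elif (learned[0]["gateway"], learned[0]["iface"]) != (peer_addr, via_iface) or "G" not in learned[0]["flags"]:
        failures.append(f"route to {remote_lan} is not via {peer_addr} on {via_iface}: {learned[0]}")
    return failures


if __name__ == "__main__":
    result = verify_ospf(SF1_NEIGHBORS, SF1_ROUTES, "192.168.2.101", "192.168.4.0/24", "eth2.2")
    print("SecFlow-1 step 4:", result or "PASS")
    print("SecFlow-2 neighbors:", parse_neighbors(SF2_NEIGHBORS))
```

Because the check keys on the peer's interface address rather than on the neighbor ID, it still passes when a router ID is chosen automatically, as on SecFlow-1 here, and it fails loudly if the adjacency is stuck short of FULL or the route arrives from an unexpected next hop.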



Publication No. 611-200-07/17

International Headquarters
24 Raoul Wallenberg Street
Tel Aviv 69719, Israel
Tel. 972-3-6458181
Fax 972-3-6498250, 6474436
E-mail market@rad.com

North American Headquarters


900 Corporate Drive
Mahwah, NJ 07430, USA
Tel. 201-5291100
Toll free 1-800-4447234
Fax 201-5295777
E-mail market@radusa.com

www.rad.com
